View Full Version : Yes or No?



W3WN
06-30-2017, 11:21 AM
So... while working on an issue for an employee who is trying to access the corporate network remotely from a hotel out of state, a co-worker mentioned that while he was on vacation recently, he noticed that they were using a very old and somewhat insecure DSL router.

He tried -- and succeeded -- in logging into the router as the router admin, using the factory default password, which he happened to know.

He then updated their security level and made some other minor "improvements" for performance & security reasons.

He never got around to telling them what he'd done.

So I said to him, "So you hacked their router?"

He says "No! I didn't hack it, I just accessed it!"

Obviously we disagree on this point, so let me ask you...

I say that even though he did it with the best of intentions, he did access the router and make changes without prior authorization or permission. Therefore, he hacked the router.

Am I correct? Yes or no?

...and no, I don't know where this alleged router is, and no, I'm not telling on him... I'm not a Gym Teacher, after all...

K7SGJ
06-30-2017, 01:00 PM
Nah. If he had the password, default or otherwise, and "accessed" the router to ensure the best security available for the router, I'd give him a pat on the back and say "well done, I should have thought of that myself." And then, forget about it. I'm sure there are more important things that require your, and his, attention.

PA5COR
06-30-2017, 01:30 PM
I understand why you did it.
Maybe the owner isn't clever enough to do it himself, or maybe he just left it for reasons we don't know.
Changing the parameters needs his/her permission; if I leave the front door open, it still is no invitation to enter my house.

W3WN
06-30-2017, 02:34 PM
> Nah. If he had the password, default or otherwise, and "accessed" the router to ensure the best security available for the router, I'd give him a pat on the back and say "well done, I should have thought of that myself." And then, forget about it. I'm sure there are more important things that require your, and his, attention.

You didn't answer the question.

> I understand why you did it.
> Maybe the owner isn't clever enough to do it himself, or maybe he just left it for reasons we don't know.
> Changing the parameters needs his/her permission; if I leave the front door open, it still is no invitation to enter my house.

You didn't answer the question either.

KG4CGC
06-30-2017, 02:43 PM
Which action that you may take would uphold your reputation with your employer? It's not a right or wrong or agree or disagree situation.

KD8TUT
06-30-2017, 03:18 PM
Legally it's unauthorized computer access according to the Computer Fraud and Abuse Act and its amendments.

If you are an IT person... it would be a good idea to read the law.

WØTKX
06-30-2017, 03:30 PM
Don't do it. If the router is not yours or yours to control...

Use an endpoint firewall and real time AV

Just like you should on any "public network", FFS

DuH? Remember... Don't touch it, you broke it

K7SGJ
06-30-2017, 10:54 PM
> You didn't answer the question.
>
> You didn't answer the question either.

I think I did. Nah=no.

WZ7U
07-01-2017, 12:52 AM
Since he plays for the same team as you (right), all I would say about it is on first blush, no. Looking at it technically, perhaps. But Micheal brought up a good point too.

I suppose that's why I'm not an IT guy.

Fhwew

W2NAP
07-01-2017, 04:52 AM
> Legally it's unauthorized computer access according to the Computer Fraud and Abuse Act and its amendments.
>
> If you are an IT person... it would be a good idea to read the law.

winner winner chicken dinner

W3WN
07-01-2017, 10:20 AM
> winner winner chicken dinner

Actually, with no disrespect to Bob Prince, the phrase is now "Winner Winner Catfish Dinner"

W3WN
07-01-2017, 10:33 AM
> Legally it's unauthorized computer access according to the Computer Fraud and Abuse Act and its amendments.
>
> If you are an IT person... it would be a good idea to read the law.

That, essentially, was my point to him.

I'm sure that the management of the establishment (which from his description appears to be clueless) either hasn't noticed or has called in their IT consultant (owner's nephew or something like that, from the sounds of it) to undo it. And no harm was intended. So no harm, no foul.

It's just the principle of the thing. Even if it's ethical hacking, IMHO, it's still hacking.

KD8TUT
07-01-2017, 10:52 AM
> That, essentially, was my point to him.
>
> I'm sure that the management of the establishment (which from his description appears to be clueless) either hasn't noticed or has called in their IT consultant (owner's nephew or something like that, from the sounds of it) to undo it. And no harm was intended. So no harm, no foul.
>
> It's just the principle of the thing. Even if it's ethical hacking, IMHO, it's still hacking.

Way back in the day I had a server 2000 hacked and turned into a distribution point for cracked DVDs.

Considering the activity on the server, I contacted the FBI computer crimes division in Chicago. The conversations I had with them were chilling.

Essentially if your IP or MAC address ends up associated with a computer crime it can become very inconvenient. Especially if it's a child porn or national security issue.

I do not advocate for "white hat hacking". Though if someone wants to engage in that kind of activity they should at least use an onion routing arrangement (TOR/I2P). But messing with a router in a hotel... not a good idea. You're logged. Along with every other idiot in the hotel.

In short.... NEVER do anything on a network without an affirmative defense. When hired for penetration testing, get a signed authorization for the work, make sure the organization who hired you has the authority for such testing, and document document document.

Upgrading router firmware in a hotel on a lark - is stoopit.

K7SGJ
07-01-2017, 04:58 PM
My apologies. I didn't read the post correctly the first time, or second for that matter. I didn't get that the router was owned by the hotel, and since it was, I would have to retract my original position.

WZ7U
07-01-2017, 05:05 PM
> Since he plays for the same team as you (right), all I would say about it is on first blush, no. Looking at it technically, perhaps. But Micheal brought up a good point too.
>
> I suppose that's why I'm not an IT guy.
>
> Fhwew

Well shit, apparently I don't know squat. Please ignore me on this topic. And I don't know how to spell Michael's name either. I didn't read it correctly either the first time so yes, I guess it is hacking.

I'm going away now....

K7SGJ
07-01-2017, 05:10 PM
OKAY NOW all you simpletons that cannot read and comprehend....................move to the left, over here with me.

WZ7U
07-01-2017, 05:35 PM
move over would ya?

KD8TUT
07-01-2017, 06:06 PM
Can I get a hug or something?

WZ7U
07-01-2017, 06:16 PM
sure, c'mere

W3WN
07-01-2017, 07:21 PM
> Can I get a hug or something?

Sad to say:

If you want someone to give you unquestionable, undeniable, undemanding love... get a dog.

KD8TUT
07-01-2017, 09:11 PM
> Sad to say:
>
> If you want someone to give you unquestionable, undeniable, undemanding love... get a dog.

I already have two dogs... I asked for a hug. Dogs can't hug. WTF?

WZ7U
07-01-2017, 10:38 PM
Woof

Grrrr

NQ6U
07-02-2017, 09:56 AM
Shoulda hacked that mother and turned it into a Russian spambot. Fuck ethics.

KC2UGV
07-02-2017, 07:28 PM
Legally, yes.

Morally? Well, he secured their router for them.

n2ize
07-03-2017, 04:45 AM
I would have to say what he did was wrong but not malicious. He had no business changing their settings without permission, even if their settings sucked. However, I don't know if "hacked" is the correct word. In any event he accessed it (got in as root) and changed a few settings. I would say that what he did was wrong, you don't just go accessing and changing things without permission from the person(s) in charge. At the same time no real harm was caused, if anything he left things more secure than they were. However that still doesn't make his actions correct. What amazes me is that to this date there are many businesses that still run things in a completely insecure configuration, never bothering to tighten things up even a bit. :(

W3WN
07-03-2017, 09:09 AM
> I would have to say what he did was wrong but not malicious. He had no business changing their settings without permission, even if their settings sucked. However, I don't know if "hacked" is the correct word. In any event he accessed it (got in as root) and changed a few settings. I would say that what he did was wrong, you don't just go accessing and changing things without permission from the person(s) in charge. At the same time no real harm was caused, if anything he left things more secure than they were. However that still doesn't make his actions correct. What amazes me is that to this date there are many businesses that still run things in a completely insecure configuration, never bothering to tighten things up even a bit. :(

OK, I'll concede that "hack" may have been a little strong... given the current interpretation. Back when the curmudgeons yelled at ME to get off THEIR lawn, being a hacker was a badge of honor, not an implication of someone up to mischief.

But you do agree that what he did was, technically, wrong. So at least I know I wasn't off base in that aspect.

He & I will just have to discuss ethics over pizza at lunchtime (ownership is buying pizza for everyone who didn't take the day off).

KD8TUT
07-03-2017, 09:56 AM
> OK, I'll concede that "hack" may have been a little strong... given the current interpretation. Back when the curmudgeons yelled at ME to get off THEIR lawn, being a hacker was a badge of honor, not an implication of someone up to mischief.
>
> But you do agree that what he did was, technically, wrong. So at least I know I wasn't off base in that aspect.
>
> He & I will just have to discuss ethics over pizza at lunchtime (ownership is buying pizza for everyone who didn't take the day off).

Well, being a hacker had a different meaning. There wasn't much in the way of malicious unauthorized activity going on "back in the day". Sure there were phone phreaks. But nothing like Mitnick until 1995 or so.

I remember when any number of government systems were unpassworded and telnetable. It was surprising that no one tried to mess with those systems back then.

It's a different world now.

KG4CGC
07-03-2017, 03:54 PM
> Well, being a hacker had a different meaning. There wasn't much in the way <snip> back then.
>
> It's a different world now.

Science Fiction became reality ... once again.

N1LAF
07-04-2017, 09:51 PM
> OK, I'll concede that "hack" may have been a little strong... given the current interpretation. Back when the curmudgeons yelled at ME to get off THEIR lawn, being a hacker was a badge of honor, not an implication of someone up to mischief.
>
> But you do agree that what he did was, technically, wrong. So at least I know I wasn't off base in that aspect.
>
> He & I will just have to discuss ethics over pizza at lunchtime (ownership is buying pizza for everyone who didn't take the day off).

Yes, technically wrong, because he went beyond helpfulness, and caused action without permission/authorization. It is now a legal liability issue. Right intentions, wrong methods. This is not a technical situation, it is a process/method problem, that could lead to legal implications. There are boundaries for a reason, and it is the matter to explain why, and for his own protection, and that of the company that employs him.