I had assumed that he either swiped the customer list (ie stolen the key to the house in my analogy) or had exploited the vulnerability itself to ship the mails.

Given this information, IMHO he still screwed up, big-time - at the least for spamming (or possibly harrassment), at the most for outright hacking. In either case, he had no business or right to do either.

Personally, if a company won't fix the hole and I'd left because of it? I'd still rather enjoy sitting back to wait for the first script kiddie to come along. Post the vuln to bugtraq, and when some script kiddie embarrassed the ISP, I'd take great pleasure in saying "I told you so you dipsh*ts!"

/P

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/179/21725#21725