LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Closed Thread
Old 07-13-2004, 09:32 PM   #1
shmude
Member
 
Registered: Aug 2003
Distribution: Fedora, DSL, LAS, Knoppix
Posts: 83

Rep: Reputation: 15
FOUND: hackable server


Ok, here is a weird question, but first a bit of background. I just moved into an apartment complex and don't have an internet connection yet. So I pulled out the wireless equipment and did a bit of searching. I found an open access point at a business across the way and just started using it for an internet connection. (First question... what are the legality issues with doing this?) I was bored the other day so I scanned the network to see what was on it and came across a RedHat server that is running their web/email services. The webserver is running Apache 1.3.22, which is vulnerable to the Chunked Memory Corruption exploit, and I was wondering what is the best way to let the business know that their server is not secure without going to jail. I have heard of too many stories where somebody finds a server like this and then approaches the business and the business turns them over to police. I do not want this to happen, but at the same time I want to help them secure their server. So what do I do?
 
Old 07-13-2004, 09:48 PM   #2
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Rep: Reputation: 129
You are illegally stealing someone else's property. Stop stealing and go tell
the business what you've done, and explain how to secure their server from
you and other crackers. Then go turn yourself in to the police. I'd do it for
you if I could, as I hate thieves, but I'm not in the same country as you and don't
really want to spend my time tracking you down.
 
Old 07-13-2004, 09:50 PM   #3
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Rep: Reputation: 129
Furthermore, the Rules which you agreed
to obey when you signed up at LQ state:

Do not post any messages that are obscene, vulgar, sexually-orientated, hateful, threatening, or otherwise violative of any laws.

I hope someone does go to the trouble of tracking you down and prosecuting you!!!

You're an immature person who just posted this to say, "Look how smart I am..."
 
Old 07-13-2004, 09:52 PM   #4
shmude
Member
 
Registered: Aug 2003
Distribution: Fedora, DSL, LAS, Knoppix
Posts: 83

Original Poster
Rep: Reputation: 15
Ok, first, I'm not stealing anything. Just borrowing their internet connection until I can get my own. I don't sniff their traffic or hack their machines. I just so happened to see that their production webserver isn't secure and want to help them out. Is that so bad... if it is, then I'll quit my actions and somebody can enjoy a simple hack.

EDIT:

And this isn't a "look at me, I'm so cool" post. It's a simple question. I do not know the legality issues of this, so I asked. Why don't you just say that what I'm doing is illegal and should stop. And I will. That's what forums are for, to ask questions that you don't know the answers to.

Last edited by shmude; 07-13-2004 at 09:55 PM.
 
Old 07-13-2004, 09:55 PM   #5
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Rep: Reputation: 129
I changed my mind, kid. I'm pursuing you, and when I find out who you are
and where you are, I'll personally see to it that the police come get you. I'm
getting all your data even as we speak. Have a nice fine or jail term...
 
Old 07-13-2004, 09:56 PM   #6
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Rep: Reputation: 129
bash-2.05b$ whois X.X.X.X
Cox Communications Inc. COX-ATLANTA (NET-68-0-0-0-1)
68.0.0.0 - 68.15.255.255
Cox Communications Inc. PHRDC-68-2-0-0 (NET-68-2-0-0-1)
68.2.0.0 - 68.3.255.255

Last edited by Capt_Caveman; 07-13-2004 at 11:55 PM.
 
Old 07-13-2004, 09:57 PM   #7
shmude
Member
 
Registered: Aug 2003
Distribution: Fedora, DSL, LAS, Knoppix
Posts: 83

Original Poster
Rep: Reputation: 15
Why do you want to do this? Because I asked a question? Wow! Guess I won't ask any more questions.
 
Old 07-13-2004, 09:59 PM   #8
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Rep: Reputation: 129
Remember this from your thread "paybacks are a bitch...arn't they!?"

Well, the Chinese have a saying:
"Before going on revenge you first dig two graves"

Check out my location kid...
 
Old 07-13-2004, 10:04 PM   #9
Joey.Dale
Member
 
Registered: Jun 2003
Location: Tampa, Fl
Distribution: Gentoo, Slackware
Posts: 828

Rep: Reputation: 39
Please forgive the troller

Chinaman: Why are you being such a troll? I used to respect you.
Quote:
You're an immature person who just posted this to say, "Look how smart I am..."
You seem to be the immature one

@shmude: The best way is to send their IT guys an e-mail via a throw-away Yahoo address.

If I had an unsecure server, I would want to know.

-Joey
 
Old 07-13-2004, 10:06 PM   #10
shmude
Member
 
Registered: Aug 2003
Distribution: Fedora, DSL, LAS, Knoppix
Posts: 83

Original Poster
Rep: Reputation: 15
Thanks for the tip. I will do just that!
 
Old 07-13-2004, 10:28 PM   #11
JerryMcFarts
Member
 
Registered: Mar 2004
Location: Ohio, USA
Distribution: Ubuntu 6.04
Posts: 117

Rep: Reputation: 15
Wow, people can be very immature. shmude wasn't doing the straight line of things, but he wasn't hurting anyone and then he turns around and wants to fix something that could be terrible for a company. And all I see from most of the posts are scoffs, and insults and saying that he is wrong.
This is a forum and I thought that we learn here. Who in their right mind walks the straight arrow 100% of the time? (If you say that you are, you are ignorant and that is fact.) Personally like he could be in big trouble for what he did but he wasn't doing anything and not hurting anyone and I feel that in that case why not let things be? The reason that we punish people like that (who are hurting nobody) is that there is a handful that makes it necessary to do so. But through this forum I felt that he was trying to help, if he was going to do something bad, you wouldn't have read this forum, a company would just be shut down and people would blame the hackers, but since this guy going out of the kindness of his heart (remember that he is taking a great great risk *JAIL TIME* to help someone else. That to me is something that we should look up to and try to be) not necessarily breaking the rules but making it so the rules don't need to be there. Isn't this a free world? Or is it just on your O/S? (Your Linux)
Thank you for reading,
Bryon
 
Old 07-13-2004, 11:24 PM   #12
NeutronMan
LQ Newbie
 
Registered: Jul 2004
Distribution: RH8
Posts: 1

Rep: Reputation: 0
The company has TWO things they need to know about. Obviously they need to fix/patch/upgrade their web servers but they also desperately need to upgrade their WiFi so the whole neighborhood doesn't have access to the INSIDE of their DMZ. The most secure applications in the world don't help if some script kiddie next door can sniff and possibly spoof your internal traffic.

Please forgive me if this was all obvious but I'm a newcomer to this forum.
 
Old 07-13-2004, 11:54 PM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
@shmude: "borrowing" someone else's bandwidth by piggy-backing off their wireless AP is against the law and is considered "theft of services". What that means in terms of actually getting in trouble or having an ISP come after you is hard to say (I'm not a lawyer). As far as notifying the vulnerable company, try anonymous snail mail (leave return address off).

@chinaman: You've made several unnecessary personal attacks and threats as well, so I would appreciate it if you could leave the moderation up to the mods and leave the vigilante justice alone. Thanks.

//Moderator note: Any more personal attacks from anyone and this thread WILL be closed, so let's keep it civil and on topic.

Last edited by Capt_Caveman; 07-13-2004 at 11:58 PM.
 
Old 07-14-2004, 12:30 AM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Actually, so far as I know the courts have not found that "borrowing" open WiFi service is illegal. If there is no password required, it's generally not considered a "restricted system". In fact "wardriving" is legal (although probably not ethical).

Obviously you should let their IT department know, but on the other hand you do not want to bring unnecessary pain on yourself. I wouldn't use a Yahoo! address, because they don't have any kind of confidentiality guarantee. I would use a Hushmail.com auto-generated account. In your e-mail, be as specific as possible, but I wouldn't mention that you live in the neighborhood. Make up some story about driving through with your PDA on or something like that. Of course, after you warn them you'll have to stop using the access because they'll most likely start monitoring logons.

Now the above advice might sound strange coming from a security professional. Unfortunately, many modern companies would prefer to litigate at the drop of the hat, whether they're right or not. They know they can cause you a lot of pain and they have a lot more money than you, so they can afford to drag you through the courts just because they're pissed off at being caught with horrible security. Is it right? No. Is it right for you to anonymously submit a report using what are basically hacker tactics? No, but unfortunately that's necessary if you want to report it without being prosecuted.
 
Old 07-14-2004, 01:21 AM   #15
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I haven't heard of any court rulings, but someone was recently arrested in Canada and one of the counts was "theft of telecommunications" (though Canada's laws are a bit more clear on the subject). There also was an FBI letter circulating around a number of wireless sites which would seem to suggest they think the statutes do exist. Hypothetically, you could make a pretty convincing argument if you had someone with a monthly bandwidth cap, where you decide to download 100Mb of goat-porn on the first of the month off their connection and they can't use their internet connection for the next 30 days.

I think you'd also get a lot of arguments from the wardriving community that wardriving itself doesn't imply accessing others' bandwidth.

Now do I think it's a crime, well that's a little different story...
 
  

