I'm leaning more towards incessant rule follower.

You should really try challenging authority. It's very liberating and it gives you a far better understanding of why the "rules" were made in the first place.

Consider this a lesson about the evolutionary failing of lemmings.

The other day I was on a website that wouldn't let you access it without an account, so I just removed the thing that was blocking the content.

I've also seen sites that calculate shipping in javascript and pass it to the server. Free shipping!

First off, the dsl service belongs to his roomate. Not to him, not to that address, but to him. Why do people think that just because they call in and say "my roomate moved so this belongs to me"? No. it doesn't. the dsl company has a contract with that individual. no one but that person has the authority to cancel it or make changes. Should a company cancel *your* phone service/cable/ or anything else that belongs to you because *I* say to do it? No? Then how it is right for this guy to take the roomates name off the bill without the roomate saying it's ok?

the roomate has the right to move his dsl to his new address. there may be a cancellation fee for cancelling before a contract date is up. It's not likely in this particular case, but jsut because someone moves out ir doesn't necesarily mean they want the service cancelled or don't want the service in their name. I've seen spouses move out and keep service in their name so they have control. I've seen parents have services for their adult kids in their name so they have control.

When you put something into your name, usually a brand new account is created. this may involved a credit check or a request for a security deposit depending on the service we're talking about. There may be a contract for the new individual. For some services the company is legally not allowed to simply "change the name". they may have to close the account, terminate of service, and then establish a brand new account.

Bottom line: changing a name on an account is NOT just changing a few letters in the address field. It has all sorts of ramifications for both the company, the old party and the new party. The service being provided isn't yours and you have no right to it, even if you are married to the other bill name. The company had a contact with them not you.

PS this guy is a lucky he's not being arrested for hacking into their systems (though it was so unbeliveably easy it hardly counts as a hack, bit technically it is)

//rant off

And ISP? Wow. Makes me sick :(

[www.timesonline.co.uk]
[www.timesonline.co.uk]
[www.betanews.com]

Yep, I'm one of those technologists who makes a distinction between "hacking" and "cracking". There's certainly overlap, but hacking mostly involves modifying things (most commonly, computer code, but it can apply to modifying devices to serve a purpose other than intended). Cracking is, more specifically, the circumvention or outright breaking of a security measure.

No, this guy didn't crack anything, he just used a trivial hacking tool to leave the path, look around, and perform actions that the website (obviously) wasn't intended to allow. Definitely a hacker.

59 Australian dollars = 44.3975 U.S. dollars

@plamoni: Yeah. certainly nothing was hacked "in to". All data was served to the local computer and modified on that end. It was a simple matter of editing data in the greyed out field. The same thing probably could have been done by changing the url to have a SQL statement in it, or possibly editing a cookie on the local PC, depending on how variables are defined.

That would put WAY toooo many cooks in the kitchen.

It's stupid code on the ISP's site side that is accepting data from a field without validating whether they "can be" changed. They do a check when the form is generated, (that's why they start as read only) but not when the data is accepted. This is hardly hacking. Hacking would be changing data that he did not have inherent access to change - for example, another customer's information.

Now if he specified SQL code in his form inputs to change things by injection, that'd be totally different. But this is hardly hacking.

Australian dollars 59 = 44.

As for what this guy did, he found it without really doing anything overtly aggressive against the company infrastructure. He just found that it was extremely bad design that allowed him to do what he did.

Media coverage of "hackers" and "hacks" has been almost entirely negative. They never talk about a good hacker. They never refer to something positive as a "hack." And therefore, most of the public things that all hacking is bad and that all hackers are criminals and that anything good can't possibly be a "hack."

There are many examples of useful hacking. I'm glad to see Consumerist stepping up to the plate and calling this what it was: a hack.

That said, there is no reason why the couldn't have changed the tag on the input to something editable.

It's like logging into your shared email account (with wife/husband) and changing the 'from' field to say 'from ben and that skank'. Yes, you have the permission to, but it doesn't make the act OK.

The website used a form submission for the name. He submitted the form with the proper values.

Also why after 2 months did he not call back to dispute the insane fee he paid when they obviously didnt even make the change!?

He didnt hack anything, he exploited a flaw in the website design that there was no check in place for. He had already authenticated to the site with valid credentials, so all he did was change something on his record that they had simply disabled. Now, if he was able to do this without first authenticating, or was able to do it to someone elses account without authenticating, it would be a hack. The actual risk associated with this bug is very low since the only person who can access it is the owner (or somone who knows the ownsers) credentials, and if that info is known, they would be able to call and probabaly get the person on the phone to make the change anyway.

But good for him, I hope they refund the name change charge, and I also hope they dont press charges against him for unauthorized access to electronic information.

I thought every country had some kind of homeland security these days...with the Brits having the worst "nanny state".

@Saboth: since when does Australia have homeland security?