Reader Comments on Aardvark Daily 20 June 2002
Note: the comments below are the unabridged
submissions of readers and do
not necessarily reflect the opinions of the publisher.
From: Craig Whitmore For : The Editor (for publication) Subj: Router Problems I consider the problem is that the manufacuters of the DSL Router don't give good enough instructions on how to set them up. I know at least 5 of the DSL Routers Telepermitted which have New Zealand specific setup instructions make the DSL Router open to the net for people to get into if you follow them to the letter. A user is not going to read the 50+ page verbose manual just to figure out that how to change the password (and even that you have to) They should make sure that the Quick Setup instructions instuct people to change passwords, security risks etc if they don't. If a person is worried about their setup, any ISP (for free) should be able to quickly check if their DSL Router is correctly setup. Craig Whitmore New Zealand DSL Information http://www.nzdsl.co.nz From: Andrew Hooper For : The Editor (for publication) Subj: Informing People I find that often it is better to ignore vulnerabilities when you discover them. Many will remember the long running court case of Regis VS Garrett. Well that is exactly what happened there. If you find a problem with someone computer it’s not worth either fixing it or informing the person as you may face criminal charges. And the fact that you may work for the person brings you no protection, in the same case Garrett was working for an ISP as system administrator. He was convicted of 2 counts or reproducing the password of a couple of its customers. So rule of thumb should be. Never inform someone that they have a security issue. Never fix it for them. If you are a Sys Admin never write down a username or password or record it in any way. Never ask for money for fixing security problems. In fact Judge Harvy has made ruling that even sending email to someone could easily be classified as wilful damage. From: Jared Yates For : The Editor (for publication) Subj: security through obscurity is NO security at all.... from my experience on the internet, if you discover some exploit, chances are, the hackers and script kiddies have known about it for a while. By keeping this quiet and only telling the 500 he could find, what happens to the other ADSL users who he didnt find? ie. maybe they had their routers switched off at the time. You even said so yourself, this isnt a new problem... however if everyone had known about it, they could have taken steps to fix the problem and we wouldnt still be making a big deal about it. Plus lots of (negative) media coverage ususally encourages manufacturers to fix 'faulty' products. In this case, it may encourage the Modem/Router Makers, ISP's and Telecom to be a little more pro-active in promoting security etc. Personally i secured my Dynalink router the day after I got it and discovered I could connect to the web interface/telnet config from work. My own fault as I had actually removed the 'strange looking' pinholes in the router config. The documentation about this wasnt the best, in fact, it was kind of non-existant, and it took an email or two to the Dynalink Tech Support peeps to work out what was going on. I havent received the email from John, but i have seen a copy of it on the NZ ADSL mailing list. I can understand why he did it, (being a good samaritan etc), but the 'small fee' bit was probably not a good idea. Unsolicited, Commercial email... hmmm what do we call that again? IMHO, you should publish all you know, as John should have done in the first place.Hit Reload For Latest Comments
Now Have Your Say
Home | Today's Headlines | Contact | New Sites | Job Centre | Investment Centre