
Reader Comments on Aardvark Daily 20 June 2002

Note: the comments below are the unabridged submissions of readers and do
not necessarily reflect the opinions of the publisher.

 



From: Craig Whitmore
For : The Editor (for publication)
Subj: Router Problems

I consider the problem is that the manufacturers of the DSL
Router don't give good enough instructions on how to set
them up. I know at least 5 of the DSL Routers
Telepermitted which have New Zealand specific setup
instructions that make the DSL Router open to the net for
people to get into if you follow them to the letter.

A user is not going to read the 50+ page verbose manual
just to figure out how to change the password (and
even that you have to).

They should make sure that the Quick Setup instructions
instruct people to change passwords, security risks etc if
they don't.

If a person is worried about their setup, any ISP (for
free) should be able to quickly check if their DSL Router
is correctly set up.

Craig Whitmore
New Zealand DSL Information
http://www.nzdsl.co.nz




From: Andrew Hooper
For : The Editor (for publication)
Subj: Informing People

I find that often it is better to ignore vulnerabilities
when you discover them. Many will remember the long
running court case of Regis VS Garrett. Well that is
exactly what happened there.
If you find a problem with someone's computer it’s not worth
either fixing it or informing the person as you may face
criminal charges.
And the fact that you may work for the person brings you
no protection, in the same case Garrett was working for an
ISP as system administrator. He was convicted of 2 counts
of reproducing the password of a couple of its customers.

So rule of thumb should be.

Never inform someone that they have a security issue.
Never fix it for them.
If you are a Sys Admin never write down a username or
password or record it in any way.
Never ask for money for fixing security problems.
In fact Judge Harvey has made a ruling that even sending
email to someone could easily be classified as wilful
damage.




From: Jared Yates
For : The Editor (for publication)
Subj: security through obscurity

is NO security at all....

from my experience on the internet, if you discover some
exploit, chances are, the hackers and script kiddies have
known about it for a while.

By keeping this quiet and only telling the 500 he could
find, what happens to the other ADSL users who he didn't
find? i.e. maybe they had their routers switched off at the
time.

You even said so yourself, this isn't a new problem...
however if everyone had known about it, they could have
taken steps to fix the problem and we wouldn't still be
making a big deal about it.  Plus lots of (negative) media
coverage usually encourages manufacturers to fix 'faulty'
products. In this case, it may encourage the Modem/Router
Makers, ISPs and Telecom to be a little more pro-active in
promoting security etc.

Personally I secured my Dynalink router the day after I got
it and discovered I could connect to the web
interface/telnet config from work.  My own fault as I had
actually removed the 'strange looking' pinholes in the
router config.  The documentation about this wasn't the
best, in fact, it was kind of non-existent, and it took an
email or two to the Dynalink Tech Support peeps to work out
what was going on.

I haven't received the email from John, but I have seen a
copy of it on the NZ ADSL mailing list.  I can understand
why he did it, (being a good samaritan etc), but the 'small
fee' bit was probably not a good idea.

Unsolicited, Commercial email... hmmm what do we call that
again?

IMHO, you should publish all you know, as John should have
done in the first place.


