> -----Original Message----- > From: David Pipe [mailto:David_Pipe@xxxxxxxxxxx] > Sent: Friday, June 04, 2004 2:42 PM > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: The Linksys WRT54G "security problem" doesn't exist Considering the harse tone of your email, my initial reaction is to treat it as hostile. If I react incorrectly, please let me know. > This clearly works properly on my Linksys WRT54G. No access of > administrative site on the WAN side when it's turned off. Period. Turn off your firewall. Test again. And make sure that your ISP does not block http and https between your testing point and your router. > 1) No one has been able to confirm this problem. Isn't that right? Probably. Since LinkSys posted an updated firmware which specifically addresses it, it was more than likely a all a bad dream. > 2) The "Independent consultant" did not say he tried with > more than one > router, and it appears that he did not ask anyone else if they would > check this out on their routers before he decided the sky was falling. Read my follow-up posts. To my dismay, my original post was jumped on by several security lists and Internet news outlets, COMPLETELY ignoring the discussion which followed said post, and completely ignoring my additional information. Oh, and how many of these Internet news outlets contacted me before running their stories? NONE. Only Maggie Reardon of C|Net made the effort to spend time on the phone with me to confirm and straighten out the finer details. I did what so many others have done on BugTraq: I reported my findings on a product based upon, admittedly dated, results of my own testing. As has many times before, answers came and discussions ensued. Then I took additional effort to produce additional data using personal funds to purchase new products for more recent testing. I will admit that I underestimated the impact of that post. I never expected that the post would be spread as it did, taken at face-value without confirmation. I do not recall any BugTraq post in the past three years I have been on the list making it to the media so quickly. The speed at which it hit the air made me look like an absolute ass, and indeed gave the impression that the "sky was falling;" completely not my decision. > 3) Thousands and thousands of these things have been sold for > months an no > one has reported this error before. Just because no one else ever reports a problem does not mean it does not exist. > 4) Certainly such an aggregious error would have been > discovered before > now, as hackers routinely bang away at IP addresses and find > this stuff. Right. > 5) Does he really think that Cisco/Linksys would not test > such a basic > basic basic aspect of this router's security? Yes. How many times have "basic basic basic" aspects of security gone untested, or flaws gone unnoticed? How long was port 1900 open on my SMC Barricade? How many "basic basic basic" aspects of security has Microsoft, various Linux distros, Sun, and even MacOS X violated? > 6) How did this get on to InternetWeek? Does anyone actually > check these > things out before publishing them? See my comment above. I emailed Ryan after I found his article, after it was Slashdotted. His response is that he was inundated with emails linking to my amendments and that he planned a follow-up to clarify. My last email from him pointed to the firmware page which now has the v2.02.8_BETA which addresses the issue. To my knowledge, however, said update to his article has yet to be released. > Please, prove me wrong on all points. Can anyone reproduce this? I have received a couple of dozen reponses, many which said they could not right out of the box. Some which said they could. Dammit, I am not crazy, I *know* what I saw on the original units, but like I told Maggie, just one person saying a unit exactly as I tested did not show my described behavior sent me out for more units. Only one of my original units is still in service, and it has been flashed, re-configured, and just mangled beyond being a reliable data source for OTS/OOB behavior. LinkSys never responded to my first email about this; I even sent screen shots. No one else with whom I spoke locally was installing these. I had the results of testing on two units right out of the box. I made my report. And that, as they say, is that. I do not have results of the new v2.02.8_BETA firmware available, and I am now in communication with the WRT54G product manager at LinkSys/Cisco. -- Alan W. Rateliff, II : RATELIFF.NET Independent Technology Consultant : alan2@xxxxxxxxxxxx (Office) 850/350-0260 : (Mobile) 850/559-0100 ------------------------------------------------------------- [System Administration][IT Consulting][Computer Sales/Repair]
