Open Source and information security mailing list archives
 
Date: Mon, 31 May 2004 18:58:54 -0400
From: "Alan W. Rateliff, II" <lists@...eliff.net>
To: <bugtraq@...urityfocus.com>
Subject: RE: LinkSys WRT54G administration page availble to WAN


> -----Original Message-----
> From: Matthew Caron [mailto:matt@...tcaron.net] 
> Sent: Monday, May 31, 2004 5:19 PM
> To: Alan W. Rateliff, II
> Cc: bugtraq@...urityfocus.com
> Subject: Re: LinkSys WRT54G administration page availble to WAN
> 
> Isn't that the Linksys product that runs Linux and all these folks have
> been making custom firmware for? If so, can't one of those folks fix
> this bug if Linksys is taking too long?

Perhaps, but the points still remain that LinkSys is distributing a
vulnerable product through all channels, retail stores are blowing this item
out with rebates, and Joe Average User isn't going to upgrade to a custom
Linux-based firmware because chances are he or she is not aware of it.

Also, I have received a shit-storm of auto-replies from my original post.
Hey, people, DON'T SUBSCRIBE TO A LIST USING AN ADDRESS WITH
AUTO-RESPONDERS!!

After wading through 30-or-so of these auto-responses, I found three valid
emails.  The general answer is that I had an open dialogue with LinkSys
support (case #AEV-14523-534, which refers to #KNU-66355-624,) the problem
was originally noted to them on 04/28/04, and because of my open dialogue
with LinkSys support I did not send an email to any other address or
department at LinkSys.

In regards to the last part, I do now feel somewhat remiss for not having
done so, however at the same time a proven security issue should be properly
communicated from support to the appropriate department.  That seems to not
be the case, and assumption is the evil of all root.

-- 
       Alan W. Rateliff, II        :       RATELIFF.NET
 Independent Technology Consultant :    alan2@...eliff.net
      (Office) 850/350-0260        :  (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]

  


