×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

154 comments

Comcast routers (5, Informative)

onix (990980) | about a year and a half ago | (#41963945)

Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

Re:Comcast routers (3, Informative)

Anonymous Coward | about a year and a half ago | (#41963973)

All of them using the exact same SSID and WPA (hardcoded) or each device has it's unique SSID and WPA hardcoded, big diff there.

Re:Comcast routers (3, Interesting)

ppanon (16583) | about a year and a half ago | (#41964047)

You think that a company that is going to hardcode the SSID/WPA password into firmware updates (instead of keeping your current settings) would go to the trouble of customizing a different firmware file for each user so that they can get a high security hardcoded default? Really?

Re:Comcast routers (2)

DarwinSurvivor (1752106) | about a year and a half ago | (#41964121)

Shaw does.

Re:Comcast routers (0)

Anonymous Coward | about a year and a half ago | (#41965025)

are you sure it's in the firmware (what's your source, you're a Shaw techie?)? I'd guess just it's just a nvram_config, not firmware (EEPROM).

Re:Comcast routers (2)

green1 (322787) | about a year and a half ago | (#41964179)

Most residential broadband routers are factory configured with their own unique SSID/WPA key, this information is typed on the sticker on the bottom of the router, and is more or less unique to that specific router. Some companies have a habit of resetting everything to factory defaults when they do firmware upgrades, hence wiping out any custom SSID/WPA key and resetting to the one printed on the bottom of the device.

Personally I recommend to most customers that if they aren't comfortable messing with the settings on the router on a regular basis they are much better off just using the ones printed on the router. They're mostly as secure as your own settings, and you don't have to worry about what happens if the thing gets reset. It also has the added bonus that when they forget it (and yes, people do regularly forget the ones they set themselves) it is printed right on the bottom of the device.

Re:Comcast routers (0)

Anonymous Coward | about a year and a half ago | (#41964301)

The problem with that, as with many fairpoint routers, is that the passphrase (usually WEP) is able to be easily figured out by the SSID, but not as if hacking WEP is hard anyways, but still a bad practice.

Re:Comcast routers (4, Insightful)

Shavano (2541114) | about a year and a half ago | (#41964013)

Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

That's a little different. If Comcast changes my SSID and password, the first thing I'm going to notice is my wireless devices are no longer connected to the network. Where's the security problem in that?

Re:Comcast routers (1)

wvmarle (1070040) | about a year and a half ago | (#41964343)

Average security-illiterate consumer that just wants stuff to work: "I want to connect to my WiFi. Let's check the manual... oh that's network 'mycomcastrouter' and key 'mycomcastkey' as written on a sticker on the bottom of the device. That's easy." Selects network, enters key, connects to his WiFi router, and is happy.

Note the absence of the "sets up a WiFi password" in the above sequence.

Re:Comcast routers (0)

Anonymous Coward | about a year and a half ago | (#41965473)

Would that be any different to having no wifi password by default?

Re:Comcast routers (1)

ardor (673957) | about a year and a half ago | (#41965115)

What if the router gets upgraded, but since you aren't using WiFi much (perhaps because you only enabled it for your someone else's laptop), you don't notice the SSID and WPA key got reset?

Re:Comcast routers (-1)

Anonymous Coward | about a year and a half ago | (#41964099)

No one serious about security would use Comcast anyway. I don't know anyone in the tech field that uses them. Here in Seattle, CenturyLink is so reliable that they own the market for professionals. I used Comcast for a while, but the 200+ msec ping made SSH unusable so I, like everyone else that needs a reliable connection, gave up on them years ago. They don't try and don't care.

Re:Comcast routers (4, Interesting)

WaffleMonster (969671) | about a year and a half ago | (#41964449)

No one serious about security would use Comcast anyway.

Like your choice of ISP magically changes the reality of Internet being a fully untrusted and untrustworthy network.

Always assume your pipe is compromised and use end-to-end security if you care about the confidentiality and integrity of any data you transmit over the Internet.

I don't know anyone in the tech field that uses them

LOL I know of many network engineers who work for first and second tier operators who use comcast at home.

CenturyLink is so reliable that they own the market for professionals. I used Comcast for a while, but the 200+ msec ping made SSH unusable

YMMV... my pings are about 30ms to google and 20ms when using comcast as a WAN link to our corporate office.

like everyone else that needs a reliable connection, gave up on them years ago. They don't try and don't care.

These comments are pointless. If you look for it there will always be someone saying megaco x is horrible because y happened or megaco a is great because b happened. Our personal experiences mean squat. You would be on better footing by citing the results of a customer satisfaction survey.

Re:Comcast routers (1)

ziggit (811520) | about a year and a half ago | (#41964597)

It seems to be a regional thing. I've heard of people getting fantastic results from Comcast, while CenturyLink in my home town is so shoddy, you're almost better off using something like a MiFi (And I hate using those with a burning passion).

Re:Comcast routers (1)

Wandering Voice (2267950) | about a year and a half ago | (#41964709)

Yes Century Link cares, only as far as receiving your payment, however. I had Qwest when I first moved into Denver area. A month later, Century Link took over and disregarded the install payment plan we had arranged with Qwest, and received a disconnection notice as our first contact from Century Link.

I made a payment with the credit card over the phone for $100, and said I can pay the other $30 with my next bill. OK says the CSR, and 10 days later my net and phone are disconnected. Finally finding a payphone, I call and am told that that there was no payment plan agreement and if there was, $100 paid and $30 next cycle is not acceptable, and service will not return until it is paid in full. They also said that phone service should not have been interrupted, but I guess that may have been due to the telco box on my building missing its cover and having a trash bag taped on with electrical tape, which facing west into the wind, the bag is shredded, leaving all wires exposed. A year later, and the box is still vulnerable. Oh, and I am with Comcast now, and have refused to pay Century Link another dime. I'll take the hit on my credit score.

Re:Comcast routers (0)

Anonymous Coward | about a year and a half ago | (#41965687)

In my area, pings are under 15ms to Comcast's peering location 50 miles away.

Re:Comcast routers (5, Insightful)

Drakonblayde (871676) | about a year and a half ago | (#41964563)

Full Disclosure: I am a network engineer for Comcast. They are indeed hardcoded, but they are unique to each device. When you're deploying customer CPE, it's a damned if you do, damned if you don't situation. Either we provide the same defaults, and no one ever changes them, which leads to an increase in the amount of security incidents, or we don't set them and the customer chooses their own and then forgets them and complains to our support about it because we don't know their passwords. Or they can be hardcoded, with the option to let the customer change them. Most folks don't and just go with the defaults. Since they're unique defaults, this cuts down on the amount of security incidents, and since it's hardcoded, if the customer ever forgets their password, it's as simple as resetting the device to factory default and telling them to look for the sticker (if they did change them) or telling them to just look at the sticker (if they didn't).

Sounds like a reasonable way to proceed (2)

golodh (893453) | about a year and a half ago | (#41965421)

Explained this way (the hard-coded password device-specific and printed on a sticker inderneath it), what you sketch here sounds practical and thoroughly reasonable (something you couldn't possibly guess from the usual Slashdot headlines though).

Re:Comcast routers (1)

L4t3r4lu5 (1216702) | about a year and a half ago | (#41965553)

Unique != Secure. If the two are in any way related (Key = base 16 encoded SHA1 of SSID + salt, for example) then the key can be broken trivially.

Basically, I don't trust you (the company) to not be lazy^Wcost-effective in your key generation procedure. There are numerous sites listing tables of default keys for brands of router, ripe for abuse. Those could only have been leaked by an insider (which means you've kept a copy of all of the keys, for some reason) or they weren't truly random, and therefore insecure.

Re:Comcast routers (1)

mattr (78516) | about a year and a half ago | (#41964873)

Wonder why Comcast is not in trouble for hacking if they change the password you set yourself...

Re:Comcast routers (0)

Anonymous Coward | about a year and a half ago | (#41964915)

Full disclosure: I am not an engineer at Comcast, but a lowly technician. When a firmware update goes through, it resets defaults on everything. Thats how hardware works.

Also: my captcha is unionize. Don't do that when I type the word comcast, it makes me think big brother is looking.

Re:Comcast routers (1)

r1348 (2567295) | about a year and a half ago | (#41965067)

Funny, last week I updated the firmware of my Fritz!Box and it magically kept all the custom settings I made, including my wireless password...

Re:Comcast routers (0)

Anonymous Coward | about a year and a half ago | (#41965307)

Wonder why Comcast is not in trouble for hacking if they change the password you set yourself...

Because it's not your device, it's theirs.

Easy fix (2, Interesting)

Artea (2527062) | about a year and a half ago | (#41964001)

Chances are this is the remote admin password for easy customer service. The devices are probably just rebranded Netgears or Belkins. Flash the firmware from the Vendor's support site, and clear off the Telstra "customer friendly" version of the firmware and this becomes a non-issue. I recall even manually adding a variable into the url enabled "advanced mode" to change this stuff without flashing the firmware.

Re:Easy fix (1)

Artea (2527062) | about a year and a half ago | (#41964023)

After bothering to Read TFA, these are Netcomm mobile broadband modems. So disregard nearly everything except the vendor firmware bit I guess.

Re:Easy fix (1)

Hal_Porter (817932) | about a year and a half ago | (#41965119)

Hey! He read the TFA! We'll have to keep and eye on him and put a bullet in his brain when he turns

Re:Easy fix (1)

green1 (322787) | about a year and a half ago | (#41964225)

What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

Re:Easy fix (4, Insightful)

WaffleMonster (969671) | about a year and a half ago | (#41964539)

What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

Welcome to the global good luck alchemy network (GGLAN) where we turn your bad luck into good luck. Glum? Tired? Board? We can help! To get started

<A HREF="http://192.168.1.100/does+something+really+bad">Click here</A>

Re:Easy fix (2)

Wandering Voice (2267950) | about a year and a half ago | (#41964757)

Reminds me of when a spam email went around in the late 90s or early 00s which informed people of a virus infection and if you had an AOL icon on your desktop, you were infected. Hahah. AOL was flooded that day with tech support calls from many who were not able to dial in. Post a similar threat warning on Facebook (fAOLbook?) and we'll have come nearly full circle again.

Re:Easy fix (0)

Anonymous Coward | about a year and a half ago | (#41965893)

people still capitalize html tags?

Re:Easy fix (1)

kiddygrinder (605598) | about a year and a half ago | (#41964685)

it *looks* like (shitty article) that you can bypass unique wireless passwords with a default admin password.

More the reason ... (2)

lsllll (830002) | about a year and a half ago | (#41964027)

... for Open Source. Compile it yourself if you want to, or download it from a reputable place and trust it.

Re:More the reason ... (3, Insightful)

Cimexus (1355033) | about a year and a half ago | (#41964071)

Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

Also, people should be avoiding Telstra as a matter of principle anyway :)

Re:More the reason ... (3, Insightful)

mjwx (966435) | about a year and a half ago | (#41964369)

Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

This. Most ISP's including good ISP's like iinet and Internode (now part of the iiborg) sell the finest, cheapest Belkin for about twice what you'd pay outright for them. I think an ISP sold Fritzboxes for a while (but they may have become part of the iiborg by now). If you want a quality ADSL modem/router for use with an Oz ISP you need to buy it yourself. Chances are it'll be cheaper than going through an ISP anyway. (you can take my Linksys WRT54G from my cold dead hands, I'd probably die of old age long before it did).

Also, people should be avoiding Telstra as a matter of principle anyway :)

To be fair, Telstra Mobile pre-paid is not bad these days for price, speed and coverage. VHA and Optus both have terrible networks, plus I refuse to do business with Optus on principal. However I'd happily avoid Telstra's other services.

Re:More the reason ... (1)

Midnight Thunder (17205) | about a year and a half ago | (#41964097)

... for Open Source. Compile it yourself if you want to, or download it from a reputable place and trust it.

For the non-tech that's akin to doing brain surgery, so that changes nothing. For the average tech, downloading a precompiled firmware is still preferable in many cases. Having the source available will allow more eyes on it and the chance to improve it, but still an easy option to 'make firmware' and be done is appealing.

If you have a MAC... (1)

Nutria (679911) | about a year and a half ago | (#41964045)

Step 1 of 3: Install the BigPond Elite Network Gateway on a Windows computer by using the installation USB stick that came with your kit.

WTF are these people thinking?

Re:If you have a MAC... (5, Funny)

crafty.munchkin (1220528) | about a year and a half ago | (#41964083)

You should've seen the installation tech who came to install Bigpond Cable at our office. He needed a PC to activate it, I brought out my linux laptop - I've never seen anyone so confused. He asked for Internet Explorer, I told him he could have Firefox or Chrome. I think he nearly cried.

Re:If you have a MAC... (2)

DarwinSurvivor (1752106) | about a year and a half ago | (#41964137)

We have a friend that works for HP, so we got him as our rep for maintaining our business line computer. We were having an issue and he decided the best thing would be to update the firmware (it was fairly out of date). That was when we both realized he had no idea how to do it from a non-windows computer. Turns out all you have to do to "reimage" an hp printer is *litterally* print the firmware file from any computer!

HP printer firmware upgrade via print ? (3, Interesting)

johnjones (14274) | about a year and a half ago | (#41964721)

are you serious ?

so your telling me that I can screw your entire print service and DOS it by sending it a print job ?

is this only over USB or Networked as well ?

(this is not a bad solution to upgrade the firmware but I bet they dont sign their firmware only use a magic hexcode to initiate the upgrade )

regards

John

Re:HP printer firmware upgrade via print ? (3, Interesting)

dbIII (701233) | about a year and a half ago | (#41965045)

so your telling me that I can screw your entire print service and DOS it by sending it a print job ?

That sounds like HP all right. A simple nmap portscan kills their Jetdirect cat5 to parallel boxes dead. Not factory reset dead, but desolder a chip and replace it with a new one dead.

Re:HP printer firmware upgrade via print ? (1)

azalin (67640) | about a year and a half ago | (#41965217)

fun times. That reminds me of the (far less lasting) joke of sending a raytracer written in postsrcipt to the printer. Took about half an hour for the single page to print.

Re:HP printer firmware upgrade via print ? (1)

girlinatrainingbra (2738457) | about a year and a half ago | (#41965895)

Is that kind of problem the reason that they invented PDF format so that PS programs that might run for too long got truncated into known-to-stop printing commands?

Re:HP printer firmware upgrade via print ? (1)

DarwinSurvivor (1752106) | about a year and a half ago | (#41965673)

It's a network printer and yes, I was amazed at how rediculously insecure it was as well. Even if they DID sign it, and I'm certain they don't, all it takes is for HP to release 1 buggy version, which would be signed, for someone to screw up a printer. BTW, you can also print (and update the firmware) over an unprotected FTP port which is enabled by default.

In other words, thou shalt firewall thine printers!

Re:If you have a MAC... (5, Interesting)

green1 (322787) | about a year and a half ago | (#41964211)

I install ADSL service for a Largish telco. I am always THRILLED when someone brings out a computer that isn't running windows. The reason? Windows machines support our company's software install, which is mandatory, can't be skipped, and takes 15 mins+ to install the first time you open a browser. However, if you are using a Mac, or Linux, or various other devices, the software install fails right away, gives you a warning telling you that your system doesn't meet our minimum requirements, and then without further ado activates the connection so everything works. Net benefit is that it saves me 15+ minutes, and the customers are happier because they don't have 4 more programs installed on their desktop!

Re:If you have a MAC... (0)

Anonymous Coward | about a year and a half ago | (#41964229)

Imagine if it was a server without X/vnc.
Lynx, emacs, or nothing!

Re:If you have a MAC... (1)

crafty.munchkin (1220528) | about a year and a half ago | (#41965935)

Well, that WAS an option, but I was hoping to actually complete the install, rather than have him crying in a corner and reporting it couldn't be done... ;)

Re:If you have a MAC... (2)

wvmarle (1070040) | about a year and a half ago | (#41964357)

The last few times I had Internet installed at either office or home, the tech always took their own laptop to set it up. So at least he has all the tools he needs at hand. I really don't understand that Bigpond Cable tech didn't carry his own laptop...

Re:If you have a MAC... (-1)

Anonymous Coward | about a year and a half ago | (#41964105)

LoL -- I'd guess that they're making the reasonable assumption that if you bought an Apple product, you're too retarded to do any of the subsequent steps anyway.

-AC

Re:If you have a MAC... (0)

Anonymous Coward | about a year and a half ago | (#41964511)

Lmao -- so, a -1 eh? That's a bit self-congratulatory, since anyone WITH a brain knows that Apple's ENTIRE MARKETING SCHTICK has been derivations of "Hey, we' know y'all are WAAY to stupid to use REAL computers, but that's okay, because we dumbed-the-shit WAY WAAAY DOWN for you! -- AND we're even happy to treat y'all like the nigh-retarded-school-children y'are to boot! All of which will ONLY cost you a 25% premium on the price! (and a 90% reduction of autonomy)" ...to which Apple users all loudly cheer, and carry on with their mindless idiotic ways... (usually going and getting back in line at the Apple store for whatever the iShit is that'll be released tomorrow, and which makes the iShit they bought yesterday obsolete)...

-AC :)

Re:If you have a MAC... (2)

SeaFox (739806) | about a year and a half ago | (#41964309)

Forget the platform restrictions. Since when does one need to "install" a piece of hardware that's supposed to function independently of a computer.

Anytime I see instructions saying I need to install software for a router to work I mentally add "so we can install our spyware on your computer" to the step.

Re:If you have a MAC... (0)

Nutria (679911) | about a year and a half ago | (#41964379)

Those are *completely* absurd statements that indicate an *utter* lack of comprehension as to how computer and peripherals actually are and how they work.

Besides being stupidly paranoid.

Re:If you have a MAC... (1)

Maow (620678) | about a year and a half ago | (#41964917)

Those are *completely* absurd statements that indicate an *utter* lack of comprehension as to how computer and peripherals actually are and how they work.

Besides being stupidly paranoid.

Then explain why a router would need any software on a PC to make the router run?

DHCP should be all that's needed, and it ought to be part of a base install of all systems out there.

Re:If you have a MAC... (0)

Anonymous Coward | about a year and a half ago | (#41964983)

Router software (if provided) is basically a config file that sets up permissions etc. A good one can save lots of work.

Re:If you have a MAC... (1)

SeaFox (739806) | about a year and a half ago | (#41965361)

They could.

I know from personal experience that they generally are not good, and are more work than just telling the user how to access the web-based admin interface.
Is there any reason this easy setup wizard couldn't be just part of the web admin? Nope.

Re:If you have a MAC... (1)

Nutria (679911) | about a year and a half ago | (#41965475)

You need to re-read the OP.

The Windows-only software is needed to install updated router firmware. The firmware that comes factory-installed on the router doesn't need Windows.

(That's still an incompetent updating method; other routers have had browser-based updating for 10 years.)

Re:If you have a MAC... (1)

oobayly (1056050) | about a year and a half ago | (#41965091)

Don't ascribe to malice ...

One of our [self employed] brokers called me over to have a look at his laptop - BT (UK ISP) help centre wanted to update. Out of morbid curiousity I ran it. All it was was an program that launched a URL in Internet Explorer (not the default browser) and took you to their help website (no activex etc). What the fuck did it need to be updated for? All they needed to do is create a http shortcut on the desktop or start menu, but no, some dimwit decided they needed an executable to do the job. Probably because they got a splash screen.

Not surprised at all. (5, Interesting)

crafty.munchkin (1220528) | about a year and a half ago | (#41964063)

Telstra are a notoriously dodgy company with a history of being idiots when it comes to customer's privacy and account security. Have a read of this [whirlpool.net.au] for one of their latest privacy blunders...

Re:Not surprised at all. (1)

SirAdelaide (1432553) | about a year and a half ago | (#41964251)

...and for this reason, if someone chooses them as their ISP, then having a backdoor to their network probably IS necessary, as they are the type of person who will forget their password and lock themselves out of their router, and not be able to find the factory reset. Telstra were just being proactive in their service offering. For this same reason, noone that cares about security was affected.

Re:Not surprised at all. (3, Funny)

mjwx (966435) | about a year and a half ago | (#41964389)

Telstra are a notoriously dodgy company with a history of being idiots when it comes to customer's privacy and account security. Have a read of this [whirlpool.net.au] for one of their latest privacy blunders...

Never blame malice for what can easily be blamed for stupidity.

Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.

Re:Not surprised at all. (1)

crafty.munchkin (1220528) | about a year and a half ago | (#41964521)

I agree re helpdesk, and I'd like to agree with you re linesmen, however at my former employer, it took 13 visits by linesmen to get 6 lines installed at new premises, over the course of 3 months. It was an absolute disaster.

Re:Not surprised at all. (1)

mjwx (966435) | about a year and a half ago | (#41964865)

I agree re helpdesk, and I'd like to agree with you re linesmen, however at my former employer, it took 13 visits by linesmen to get 6 lines installed at new premises, over the course of 3 months. It was an absolute disaster.

Were they Telstra linesmen or contractor linesmen?

The old Telstra employed ones were good, the contractors are shite. A lot like Aus Post, the old posties used to be decent, the contractors throw parcels out the window of their van, you're lucky if it hits near your front door.

Unfortunately, shite contractors are what happens when you farm work out to the cheapest contractors.

I feel like this post should end with a stern warning for young people to vacate my greenery.

Re:Not surprised at all. (1)

crafty.munchkin (1220528) | about a year and a half ago | (#41965261)

They were Telstra linesmen for almost all of the visits. The contractors actually bothered to contact me when they were coming - the Telstra tech's just turned up, did the work incorrectly, and then left. The last one who came was a contractor, and he fixed up the patching to the MDF from the building sub-exchange on all six lines. Even he couldn't believe how badly it had been botched. Crossed pairs, pairs tagged incorrectly, and since Telstra only issued one job for one line at a time, this had meant so many different visits.

To be fair the building sub-exchange was a confusing point for them all. After the 8th visit turned out to not have any tags at the MDF, I put up a sign on the sub-exchange door [akamaihd.net] . As to the following 5 visits, well, who knows what those morons were smoking.

Re:Not surprised at all. (2)

tlhIngan (30335) | about a year and a half ago | (#41964589)

Never blame malice for what can easily be blamed for stupidity.

Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.

Actually, in this case, it's probably the manufacturer of the router. Basically the ISP says "I want a modem+router for CPE (customer premises equipment), and I'll pay you $20 per unit". Yes, CPE is built down to a price because the ISP doesn't want to pay much for it. So shortcuts are always taken to meet the requirement - cheap processors barely able to keep up, low features, barely the minimum amount of RAM, etc. Which is why these routers will flop if you try to push any traffic more demanding that websurfing through them. No ISP cares about what it does - as long as it lets traffic through.

The only way to get things properly done is get a modem only if you can, get it set to bridge mode if you can't (or supply your own if it's an option - this isn't necessarily the case). Use your own router, because the router they give you will be crap, and there's a reason why routers sell for $20 and $200.

Re:Not surprised at all. (1)

kiddygrinder (605598) | about a year and a half ago | (#41964785)

heh, their help desk is hilarious, had to get a dsl password reset, after 30 mins on the line to one of their staff from Papua New Guinea (i believe they actually give them english lessons to get them into the role) and them attempting to sms me the new randomised password 5 times and receiving nothing we were at an impasse. i gave up for the night, called back the next day to get one of their remaining australian staff, he reset the password and told me it over the phone and i was rolling. about a week later one of the sms came through with my new *email* password. efficient.

Re:Not surprised at all. (1)

asifyoucare (302582) | about a year and a half ago | (#41965323)

I can vouch for the low quality of Telstra (big pond) internet help desk staff. The one I got couldn't really speak English, and she could barely cope even if everything stuck to the script. Unfortunately she seems to have been assigned to my case so it was she who rang me on my mobile number every time. She always wanted to speak to my wife, in whose name the phone was connected, and I was unable to communicate to her that she should ring my wife's number to speak to my wife.

We had the phone in my wife's name and the cable TV in my name, and we wanted to bundle the two, as offered by Telstra when they rang me ( so they already knew about the two accounts). I eventually had to get the phone changed over to my name to prevent their script/staff seg-faulting.

I lodged a complaint with Telstra, but of course I have heard nothing back. It probably went to the same person I was dealing with.

I also deal with Telstra's corporate staff a bit and they're generally quite good. Consumer level, not so much ...

Re:Not surprised at all. (1)

oztiks (921504) | about a year and a half ago | (#41965327)

Funny story about Telstra. Wife called them up concerned that she couldn't find the latest Twilight movie on TBox. Sufficed to say the "accented man" Filipino / Indian guy gave her a bittorrent address and told her she can download the movie from there :)

Re:Not surprised at all. (1)

cowstaker (883895) | about a year and a half ago | (#41965681)

FYI I work for Telstra. Telstra carries secure networks for foreign governments, defense departments and large corporations. There is a large difference between an enterprise product and one for a consumer. Given the size and scope of the company, and the inevitable nature of dealing with customers and employees, situations like this simply happen. Judge the company on the response not on the issue itself, especially considering that our routers are sourced from an external company. I guess this is a case of we sold you the rope with which you hang us. At some point every carrier in Australia uses our plant or equipment ranging from fully provisioned data networks to rack space and so on. I would object to the label of dodgy when clearly we have a transatlantic network that is sufficient for you to post on slashdot with.

So what are they? (2)

Xtifr (1323) | about a year and a half ago | (#41964139)

Don't be coy. What are these passwords? :)

Re:So what are they? (0)

Anonymous Coward | about a year and a half ago | (#41964263)

Id wager it is:
123456
or
admin

Re:So what are they? (1)

Anonymous Coward | about a year and a half ago | (#41964573)

Here you go:

Hard-coded credentials and command-injection vulnerabilities on BigPond 3G21WB

ADVISORY INFORMATION
Title: Hard-coded credentials and command-injection vulnerabilities
          on BigPond 3G21WB
Discovery date: 17/09/2012
Release date: 11/10/2012
Credits: Roberto Paleari (roberto@greyhats.it, @rpaleari)

VULNERABILITY INFORMATION
Class: Authentication bypass, command-injection

AFFECTED PRODUCTS
We confirm the following device models to be affected:
      * BigPond 3G21WB

Similar routers are probably vulnerable to these very same issues.

VULNERABILITY DETAILS
The firmware running on the affected routers is subject to multiple security
issues that allow an unauthenticated attacker to gain administrative access to
the device and execute arbitrary commands. In the following paragraphs we
describe the details of the vulnerabilities we identified.

a) Hard-coded credentials
      A user can authenticate to the web server running on the device using the
      credentials "Monitor:bigpond1". These credentials are hard-coded, and cannot
      be changed by a normal user.

b) Command-injection vulnerability
      The "ping.cgi" web page is subject to a command-injection vulnerability, as
      the server-side script does not properly validate user-supplied input.

      The following URL exploits this issue, executing the "ls /" command:
      http:///ping.cgi?DIA_IPADDRESS=;%20cat%20/etc/passwd

REMEDIATION
We are not aware of an updated firmware that corrects the issues described in
this advisory. We suggest users to disable web access on the WAN side.

DISCLOSURE TIME-LINE
        * 17/09/2012 - Initial vendor contact.

        * 18/09/2012 - Vendor replied asking for details.

        * 19/09/2012 - The author replied and asked for a technical
                                      contact. Disclosure date set to October 10th, 2012 (3
                                      weeks).

        * 19/09/2012 - Vendor replied, providing the phone contact number of the
                                      Technical Support Department.

        * 20/09/2012 - The author replied, asking to keep all the communication
                                      through e-mail, in order to keep track of the whole
                                      conversation.

        * 24/09/2012 - No response from the vendor. The author re-sent the last
                                      e-mail.

        * 04/10/2012 - No response from the vendor. The author re-sent the last
                                      e-mail (again).

        * 11/10/2012 - Still no response from the vendor. Disclosure.

DISCLAIMER
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.

What's the IP block for D'OH! (1)

Chas (5144) | about a year and a half ago | (#41964193)

You'd think these people would learn.

But NOOOOOOOOO!

Why not just pre-infect the fucking things and sell them to a damn botnet...

Idiots...

Merely a time saving measure (3)

Grayhand (2610049) | about a year and a half ago | (#41964213)

Just image all the man hours of hacker's time think saved! If only other companies were as forward thinking.

No problem (4, Funny)

slazzy (864185) | about a year and a half ago | (#41964223)

This is why I always change my password to "secret" right away.

Re:No problem (1)

dcrisp (267918) | about a year and a half ago | (#41965011)

Damn right!.. I use that one as well. Everybody[1] keeps telling us that the password must be secret. So I made it secret.
[1] The Royal Everybody.

A flaw, really? (2)

JayTech (935793) | about a year and a half ago | (#41964233)

Just a simple flaw? That's what they want you to believe. Hard-coded passwords are NOT a flaw, they are an intention back door for... company engineers... company spies... the government... Just sayin'!

Re:A flaw, really? (1)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#41964325)

Just a simple flaw? That's what they want you to believe. Hard-coded passwords are NOT a flaw, they are an intention back door for... company engineers... company spies... the government... Just sayin'!

It isn't an either/or.

Hard-coded credentials are a backdoor, whether covert or just buried in fine print; but they are a flawed backdoor because they are far too trivial for malicious 3rd parties to exploit on top of the intended malicious users.

Something like, say, an SSH client with a hardcoded public key, to which The Man holds the matching private key, is a non-flawed intentional backdoor; because it keeps unintended 3rd party malice to a minimum, while still letting the backdoor users in.

Neither is desirable, from the user point of view; but they are very different things.

Re:A flaw, really? (1)

bmo (77928) | about a year and a half ago | (#41964401)

>Something like, say, an SSH client with a hardcoded public key, to which The Man holds the matching private key, is a non-flawed intentional backdoor; because it keeps unintended 3rd party malice to a minimum, while still letting the backdoor users in.

Until the private key gets leaked.

Key escrow is always bad.

--
BMO

Re:A flaw, really? (0)

Anonymous Coward | about a year and a half ago | (#41965377)

Key escrow is great if you're the guy who wants to create a backdoor. Remember that to "The Man", as the GP puts it, perfect security is a flaw in itself. The ideal situation for him is that he has a copy of every private key, and nobody else does. That's pretty much key escrow.

If The Man's copy of private key gets leaked then security is lost, but that's true however many people had it to begin with.

Re:A flaw, really? (1)

JayTech (935793) | about a year and a half ago | (#41964469)

I used a little hyperbole to make a point about the passwords being a backdoor. Your argument is valid, absolutely; but that assumes The Man is efficient and crafty - none of which are generally equated with governments these days. This is a lazy man's backdoor, through a gate that appears to be normal both inside and out. On the other hand, a black hat implementing your proposed covert SSH backdoor would fit right in line with their known weapons of fear, surprise, and ruthless efficiency.

Re:A flaw, really? (0)

Anonymous Coward | about a year and a half ago | (#41965039)

Now I fear that the Spanish Inquisition is behind all this.

Aussie cousins to NSA/CIA? (0)

Anonymous Coward | about a year and a half ago | (#41964271)

A family member works for Comcast (I won't say what his position is). The person commented that, "In the United States, that'd be the sort of thing the NSA and CIA would use for access. They have back-doors into everything."

Sasktel is the same (2)

xQuarkDS9x (646166) | about a year and a half ago | (#41964457)

I found out last year when me and my girlfriend moved into this apartment together that Sasktel (DSL internet provider for Saskatchewan Canada) apparantly also uses 2wire Routers/gateways and this one was literally screwed into the wall with a mounting bracket. Also disturbing was just doing a quick google search and sure enough in under 30 seconds I found default passwords for 2wire routers/gateways... what a suprise.

As I have been an Access Communications customer for years with a cable modem and my own router currently using a Linksys WRT400N and before that a Linksys WRT54GS that I donated to my sister a couple years ago I basically said screw sasktel called up Access and they setup my VOIP phone server and internet access.

Funny thing is you use any wi-fi device to look for routers nearby and you see about 20-25 2wire(3 digit number here) routers then my router that I named "2 Girls 1 Router" just to be different and hopefully give some people a laugh. :)

Re:Sasktel is the same (1)

xQuarkDS9x (646166) | about a year and a half ago | (#41964483)

Meant to say VOIP phone service and also meant to add that man oh man do they ever try to shove sasktel down your throat when we moved in... if you didn't know about Access Communications which competes with them in this province especially if you moved in from out of province or from a different country you'd probably get suckered into Sasktel and their crown corporation garbage.

Re:Sasktel is the same (0)

Anonymous Coward | about a year and a half ago | (#41965021)

Yes but does that default password do anything from the wan side? Does the default password get you onto the network? Or is that the password to login to administer the router once you're already inside the secure lan?

Not to worry. (-1)

Anonymous Coward | about a year and a half ago | (#41964933)

It's only some place called "Australia", so only Australians and Slashdot "editors" give a fuck.

Telstra-Microsoft Sales Conspiracy? (1)

Anonymous Coward | about a year and a half ago | (#41964955)

Seems Telstra's upgrade page has a small sales conspiracy to get users away from Macs. From the upgrade instructions:

If you have a MAC

Step 1 of 3: Install the BigPond Elite Network Gateway on a Windows computer by using the installation USB stick that came with your kit.
Step 2 of 3: Follow the upgrade instructions for Windows users above.
Step 3 of 3: Once you've upgraded your device, you can continue using your device on your Mac as normal

Isn't that common practice? (2)

aaaaaaargh! (1150173) | about a year and a half ago | (#41965237)

In Portugal, the passwords of the routers of the biggest telecom (TMN) are available and easy to find on the Net, and each router doesn't have just one but usually several admin and root accounts. I guess they think that as long as you can access it only from LAN and via "official channels" that's secure enough.

username admin : password admin (0)

Anonymous Coward | about a year and a half ago | (#41965851)

I have worked for telstra in the past in tech support for their broadband department (BigPond). The default username and password for most routers provided by tesltra is admin/admin. It has been this way for years over multiple incarnations of router. Their own troubleshooting guides list these passwords and usernames and recommend that if the customer cannot gain access to their router they factory default the router which will re-set the username/password and the ssid/wpa keys (These are unique to each device and printed on a sticker attached to each device at the base).
It is a trivial matter to gain access to any telstra customers router if one has physical access to the router and slightly more difficult but still possible to gain remote access via wifi and reset the router remotely via SSH. The scariest part is that some lines of telstra supplied modems including the latest releases, have the firewall disabled by default, the vast majority never change this, and the router/modem allows remote login via the internet (This 'feature' is also used by support to enable easy set-up of new installs remotely). There is no way for a telstra customer to properly 'secure' their wifi and router without using SSH and a complex set of commands that is well beyond the understanding of the majority of telstra customers and there is absolutly no way to secure a telstra supplied modem from someone who has physical access.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...