NetGear Also Has Remote Access Wide Open

CowboyNeal posted more than 10 years ago | from the hotspot-back-doors dept.

Wireless Networking 215

Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."

215 comments

No backdoors with BSD! (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9344010)

Is it any wonder people think Linux [debian.org] users are a bunch of flaming homosexuals [lemonparty.org] when its fronted by obviously gay losers [nylug.org] like these?! BSD [dragonflybsd.org] has a mascot [freebsd.org] who leaves us in no doubt that this is the OS for real men! If Linux had more hot chicks [hope-2000.org] and gorgeous babes [hope-2000.org] then maybe it would be able to compete with BSD [openbsd.org] ! Hell this girl [electricrain.com] should be a model!

Linux [gentoo.org] is a joke as long as it continues to lack sexy girls like her [dis.org] ! I mean just look at this girl [dis.org] ! Doesn't she [dis.org] excite you? I know this little hottie [dis.org] puts me in need of a cold shower! This guy looks like he is about to cream his pants standing next to such a fox [spilth.org] . As you can see, no man can resist this sexy [spilth.org] little minx [dis.org] . Don't you wish the guy in this [wigen.net] pic was you? Are you telling me you wouldn't like to get your hands on this ass [dis.org] ?! Wouldn't this [electricrain.com] just make your Christmas?! Yes doctor, this uber babe [electricrain.com] definitely gets my pulse racing! Oh how I envy the lucky girl in this [electricrain.com] shot! Linux [suse.com] has nothing that can possibly compete. Come on, you must admit she [imagewhore.com] is better than an overweight penguin [tamu.edu] or a gay looking goat [gnu.org] ! Wouldn't this [electricrain.com] be more liklely to influence your choice of OS?

With sexy chicks [minions.com] like the lovely Ceren [dis.org] you could have people queuing up to buy open source products. Could you really refuse to buy a copy of BSD [netbsd.org] if she [dis.org] told you to? Personally I know I would give my right arm to get this close [dis.org] to such a divine beauty [czarina.org] !

Don't be a fag [gay-sex-access.com] ! Join the campaign [slashdot.org] for more cute [wigen.net] open source babes [wigen.net] today!

$Id: ceren.html,v 7.0 2004/01/01 11:32:04 ceren_rocks Exp $

Re:No backdoors with BSD! (0, Offtopic)

djsmiley (752149) | more than 10 years ago | (#9344074)

tbh half those gurlz aint hot anyway ^_^

How about, go out, to a club, pub, party, friends back garden....

And try pulling, best line i could think of was "why do you come back and try my new kernal on..."...

Try it... its called living.

Peace out! \o/

Re:No backdoors with BSD! (5, Funny)

Trigun (685027) | more than 10 years ago | (#9344093)

best line i could think of was "why do you come back and try my new kernal on...

You should try my pick-up line: Excuse me miss, but does this rag smell like chloroform?

Works every time.

Topic Change? (0, Offtopic)

deutschemonte (764566) | more than 10 years ago | (#9344021)

From the I-always-feel-like-somebody's-watching-me department

TRINITY DIES IN THE NEW HARRY POTTER MOVIE (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9344023)

SPOILER IN SUBJECT!

huh? (4, Insightful)

schroet (244506) | more than 10 years ago | (#9344024)

you can turn off the external web interface on those things right? I guess that doesn't help if you're worried about crackers on your LAN but still, it may not be as bad as it sounds.

Undocumented = bad though,

Re:huh? (4, Informative)

RidiculousPie (774439) | more than 10 years ago | (#9344055)

This vulnerability can be exploited by any person which is able to reach the webinterface of the device with a webbrowser.
It would appear that if the webinterface is disabled, the device cannot be compromised.

Don't you mean.. (5, Funny)

Sadiq (103621) | more than 10 years ago | (#9344027)

"The backdoor seems to have been created by the vendor that used to package devices for NetGear"

Re:Don't you mean.. (0, Funny)

Anonymous Coward | more than 10 years ago | (#9344060)

Yeah, really. What kind of morons would put something like this in a security product? I guess this is what happens when you contract programming out to the lowest-priced bidder--you'll end up with idiot programmers in third-world countries with no common sense and who are so brain-dead they have to hard-code a password into the product because they can't remember the one they are testing it with.

You get what you pay for.

Unbelievable. Seriously f'in unbelievable.

Fixed in new firmware, available here: (5, Informative)

Anonymous Coward | more than 10 years ago | (#9344034)

http://kbserver.netgear.com/support_details.asp?dn ldID=735

remove space in URL (0)

Anonymous Coward | more than 10 years ago | (#9344078)

to use link

Re:remove space in URL (0)

gumpish (682245) | more than 10 years ago | (#9344109)

How about just taking the extra 10 seconds to type in a proper link?

Comments with plain text URLs should be modded Overrated.

Re:remove space in URL (-1)

Anonymous Coward | more than 10 years ago | (#9344153)

screenscrape and kwitcherebitchen

Re:remove space in URL (2, Interesting)

eyeye (653962) | more than 10 years ago | (#9344239)

Nah, plain text urls not wrapped in other tags should be converted to html links.
It's surprising that Slashdot hasn't already added this basic feature.

Re:remove space in URL (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9344352)

It's not surprising.

With all of the dumb motherfuckers that can't type a proper href--that alone weeds about half of the links that go to tub girl, goatse, penis bird, or worse.

I, for one, am glad that this feature exists.

We're all supposed to be geeks here. 10 extra fucking keystrokes. Big Fucking Deal

Re:Fixed in new firmware, available here: (3, Interesting)

abscondment (672321) | more than 10 years ago | (#9344092)

That's all nice and well, but the average user isn't going to upgrade at all. A good deal of them never even set the admin password in the first place.

Take the guy in my apartment, for instance. I'm using his wireless. His AP is totally open--default SSID and all. I know he doesn't care, but what if he were a business? There's no way he's going to upgrade firmware if he can't even set a simple password.

Awesome! (5, Funny)

SuperBanana (662181) | more than 10 years ago | (#9344104)

Fixed in new firmware, available here:

Super! Now I just have to downlo
[CONNECTION DROPPED, REMOTE SIDE 0WN3D]

linked properly for the lazy (5, Informative)

Anonymous Coward | more than 10 years ago | (#9344106)

Re:Fixed in new firmware, available here: (2, Informative)

gbjbaanb (229885) | more than 10 years ago | (#9344112)

Helps if the URL doesn't have a space in it. Hmm.. Slashdot seems to be mangling it. Note: there should be no space in the following URL.
http://kbserver.netgear.com/support_details.asp?dn ldID=735
"WG602 Firmware Version 1.7.14

Bug Fixes

Fixed: Lost connections during heavy traffic
Improved system reliability under heavy traffic
Fixed illegal user access the WEB configuration utility.
Known Bugs and Feature Limitations

WPA is not supported.
Wireless Bridging and repeating functions are not supported. "

It's a feature, not a bug. (5, Informative)

gumpish (682245) | more than 10 years ago | (#9344126)

The URL is "mangled" for people browsing with mobile devices. The space is added so tiny displays can word wrap the text. (And also so crapflooders can't make your horizontal scroll bar appear.)

Personally I think the number of people using such browsers is probably so small that there is no justification for this "feature", but since Slashdot isn't likely to change, URLs should be submitted as proper links and not just plain text.

Re:It's a feature, not a bug. (2, Informative)

Trigun (685027) | more than 10 years ago | (#9344150)

There is a justification for this feature. Put an eicar test signature into a comment, and watch some realtime virus scanners go nuts.

Re:It's a feature, not a bug. (1)

Neophytus (642863) | more than 10 years ago | (#9344190)

Whenever del c:\*.* is mentioned in a file it is picked up as a "quickformat virus".

Re:It's a feature, not a bug. (0)

Anonymous Coward | more than 10 years ago | (#9344324)

Ummm, it's not just for tiny displays. Trolls also like to see if they can discover new ways to push the screen width ultra-wide by putting thousands of characters and codes in a row.

Re:Fixed in new firmware, available here: (4, Funny)

I confirm I'm not a (720413) | more than 10 years ago | (#9344210)

Thanks, just downloaded and upgraded.

(Off topic: was anyone else disappointed that the "super" login didn't make the web control panel reveal easter eggs? I mean, you just had to try it while you were upgrading, right?)

Re:Fixed in new firmware, available here: (1)

eggboard (315140) | more than 10 years ago | (#9344436)

That update has disappeared -- the URL redirects to the main support site, and looking for upgrades for this model provides only one that's six weeks old.

One wonders what the internal policies are ... (4, Insightful)

xmas2003 (739875) | more than 10 years ago | (#9344035)

I think everyone can agree that backdoor passwords are a BAD idea - makes one wonder what the internal policies are at these companies - and what happens when they do a source code audit after these are found and track down the programmers who put 'em in.

Re:One wonders what the internal policies are ... (1)

mrseigen (518390) | more than 10 years ago | (#9344046)

Not to mention this one appears to be hard-coded.

Re:One wonders what the internal policies are ... (3, Insightful)

djsmiley (752149) | more than 10 years ago | (#9344049)

They are normally there for the company to protect themselves.

Stupid user messes up the router.

They phone tech support "i can't get onto my routers access page, i changed and lost the password"...

"two seconds sir, prove this is your ip"

they run some tests to check its whos on the phone..

"there you go sir, your new password is ******, you may now change the settings again"....

You ever tried to talk to a noob thru flashing the firmware on their router over the phone?

Re:One wonders what the internal policies are ... (4, Insightful)

AntiOrganic (650691) | more than 10 years ago | (#9344072)

This is absolutely idiotic. All routers have a default username/password combination that is restored when using the firmware reset button typically hidden on the back of the router. There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.

Re:One wonders what the internal policies are ... (4, Interesting)

Fulcrum of Evil (560260) | more than 10 years ago | (#9344204)

There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.

Sure there is. The reset button will nuke the configuration, the logs, and whatever else state is there, thus confounding debugging by the tech support. A single password is stupid, though. What's needed is something that requires the router s/n, the router's idea of the date, and a passcode generator from cisco. Give the aforementioned info to cisco TS and they can generate a 1 or 2 hour passcode for your router. You could also add a switch to enable this feature on the router itself, but that may not be practical.
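The time-limited support passcode sketched in the comment above, as an added example that is not part of the thread or any vendor's code. The per-device key derivation, the HMAC-SHA-256 construction, the 8-digit code length, the lockout counter and all names and values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 3600  # validity window: the "1 or 2 hour passcode" from the comment
MASTER_SECRET = b"constructed-demo-secret"  # constructed value; stays with the vendor


def device_key(master_secret: bytes, serial: str) -> bytes:
    """Derive a per-device key, so dumping one router's flash exposes only that router."""
    return hmac.new(master_secret, b"support-key|" + serial.encode(),
                    hashlib.sha256).digest()


def support_passcode(key: bytes, serial: str, router_time: int) -> str:
    """8-digit code bound to the serial number and the router's current time window."""
    window = router_time // WINDOW_SECONDS
    msg = serial.encode() + b"|" + struct.pack(">Q", window)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Router:
    """Device side: holds only its own key, provisioned at manufacture (assumption)."""

    MAX_FAILURES = 5  # lock support login after this many wrong codes

    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self._key = key
        self.support_switch = False  # the on-device enable switch from the comment
        self.failures = 0

    def support_login(self, candidate: str, router_time: int) -> bool:
        # Refuse outright unless the owner enabled support access on the device.
        if not self.support_switch or self.failures >= self.MAX_FAILURES:
            return False
        expected = support_passcode(self._key, self.serial, router_time)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(candidate.encode(), expected.encode()):
            self.failures = 0
            return True
        self.failures += 1
        return False


def vendor_issue_code(serial: str, reported_time: int) -> str:
    """Vendor side: the caller reads the serial and the router's clock over the phone."""
    return support_passcode(device_key(MASTER_SECRET, serial), serial, reported_time)


if __name__ == "__main__":
    serial = "SN-A-0001"   # constructed serial number
    now = 1_086_600_000    # constructed router clock value (seconds)
    router = Router(serial, device_key(MASTER_SECRET, serial))
    code = vendor_issue_code(serial, now)

    print("switch off:", router.support_login(code, now))
    router.support_switch = True
    print("switch on, same window:", router.support_login(code, now))
    print("two hours later:", router.support_login(code, now + 2 * WINDOW_SECONDS))
```

Whoever can get the vendor to issue a code for a given serial number still gets in for that window, so the issuing side needs its own authentication and audit trail.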

Re:One wonders what the internal policies are ... (2, Interesting)

John Starks (763249) | more than 10 years ago | (#9344408)

Confounding debugging by tech support? First of all, we're talking about a consumer product here. Tech support is not going to be logging in to see why RADIUS authentication is not working or to troubleshoot some advanced routing issues. In fact, when users call in having forgot their password, I suspect tech support will just tell them to use the reset feature; it's far easier than trying to find out a consumer's IP address.

No, you cannot justify this. Even if there was some kind of two-hour password, it would be a huge security problem. For example, if I'm using one of these to protect my network, and you have a couple thousand bucks lying around, I'm sure you could convince someone at Netgear to give you a two-hour password without a problem. A single password is even more heinous.

Yes, I will no longer be buying Netgear products.

Re:One wonders what the internal policies are ... (1)

dsanfte (443781) | more than 10 years ago | (#9344424)

If you can lift it off the desk, you should have access to it. The router's password should be its S/N, period. No fancy measures or bells and whistles.

Re:One wonders what the internal policies are ... (5, Funny)

Trigun (685027) | more than 10 years ago | (#9344051)

There's a backdoor in the software auditing software. The programmer is safe.

Re:One wonders what the internal policies are ... (3, Informative)

BigHungryJoe (737554) | more than 10 years ago | (#9344063)

Everyone but the vendors knows it's a bad idea. Cisco recently made the same mistake [cisco.com] .

Re:One wonders what the internal policies are ... (1)

kfg (145172) | more than 10 years ago | (#9344101)

. . .what happens when they do a source code audit after these are found and track down the programmers who put 'em in.

I believe that's "give them a bonus and a company car."

These back doors are not trojans installed by disgruntled employees, but there by company policy.

KFG

How very timely... (1, Informative)

Atrax (249401) | more than 10 years ago | (#9344043)

I was going to buy a Netgear wireless access point/router this week.

I initially went for it because my experience with their wired products has been good. A swift rethink would seem to be required.

Re:How very timely... (1)

Neophytus (642863) | more than 10 years ago | (#9344116)

New firmware was released a day after the information was disclosed.

Re:How very timely... (1)

Atrax (249401) | more than 10 years ago | (#9344195)

Well, that's something, I guess.

Re:How very timely... (0)

Anonymous Coward | more than 10 years ago | (#9344263)

I was going to buy a Netgear wireless access point/router this week.

I can see why this might deter you, but I'm still pretty happy with my WGR614. It does both 802.11b and g and has some RJ-45 ports so it does all the routing for my wired network, too. All in all, worth every penny (and more) of the $80 I dropped on it a year ago.

(And no, the backdoor password doesn't work on it.)

Re:How very timely... (3, Informative)

Homology (639438) | more than 10 years ago | (#9344268)

I was going to buy a Netgear wireless access point/router this week.

If 11Mbps is sufficient for your needs, you could buy an 802.11b wireless card that uses the Prism 2.5 chipset. This chipset can function in hostAP mode. At home I use Netgear MA311 in an older Dell functioning as my wireless access point, internet gateway and firewall. Instead of WEP, I use IPSec, and only authorized IPSec traffic is allowed (and thus no leeching from my Kazaa loving neighbour).

You might need to flash the firmware, though, which you can find here [star-os.com] .

If you want a secure, easy and hassle free gateway, just install OpenBSD [openbsd.org] .

Just another reason (2, Insightful)

Anonymous Coward | more than 10 years ago | (#9344047)

why outsourcing (esp. when security should be a key component of your product) can be a bad idea. The article states that the password is the phone # of the place in Taiwan that develops and manufactures the device.
They never thought to check this before distributing it, and now they suffer because of poor quality control. Is the outsourcer going to suffer? Maybe, or maybe they will just move on to the next contract. We shall see.

Re:Just another reason (4, Insightful)

kfg (145172) | more than 10 years ago | (#9344165)

This isn't outsourcing in the sense that IBM outsources its programming and support staff. It's outsourcing in the sense that your Raleigh bicycle is actually a Giant with a Raleigh sticker on.

It isn't even really outsourcing in the sense that Dell outsources its video cards to ATI, its cpus to Intel and its CD drives to LG, which is all perfectly legitimate. Would you really expect Dell to make its cpus and capacitors?

You buy stuff and market it.

z-com is the actual manufacturer and they sell their products to marketers. Netgear just buys the stuff and resells it.

Just like you could go to z-com and have them slap some stickers on stuff for you to resell. Or Giant. Or whoever makes Levis and Calvin Klein jeans in China. Or. . .

This isn't about "outsourcing." This is about a marketing firm getting stuck with some bad product.

KFG

Re:Just another reason (2, Insightful)

crazy blade (519548) | more than 10 years ago | (#9344284)

You have a point. But I still wouldn't take them off the hook so fast. This seems to indicate that NetGear should require a "no backdoors inside" guarantee on such contracts.

Re:Just another reason (2, Interesting)

kfg (145172) | more than 10 years ago | (#9344438)

I still wouldn't take them off the hook so fast.

Who said anything about taking them off the hook? As the marketer it is Netgear that is directly responsible to their customers.

As the manufacturer it is z-com that is responsible to its customers, in this case, Netgear. There is a hierarchy of customers here in which Netgear is in the middle. The man in the middle is often the one to get squashed.

This seems to indicate that NetGear should require a "no backdoors inside" guarantee on such contracts.

Yes, it would, wouldn't it? And I'm sure in future it will, at least in essence, but is it not always the case that you find out what your contract should have said after it goes bad on you somehow?

But look at it this way. What if you were going into the white box business about the time of release for the Pentium II chip, would your "contract" with Intel have a "no floating point calculation errors" clause, or would it more likely be a simple receipt for the delivery of and payment for 1000 cpus?

And when the bug hit the public and people demanded a fix from you wouldn't you have considered it Intel's error and Intel's problem?

And what would you put into your "contract" with Intel on your next cpu purchase to protect you from the next, and currently unknown, issue?

When you buy your next car will you demand a "won't blow up on me" clause to your contract, or do you simply consider that issue part of the already extant express and implied guarantee that attaches to the car? The latter is certainly the way the courts view it.

You buy stuff. You get a receipt. That stuff has certain express and implied guarantees attached to it just like anything else. You resell it with express and implied guarantees. If the stuff turns out to be bad in some way your customers bitch to you and you have to make good. You are also a customer, of your supplier, so you bitch to them and they have to make good.

That's just the way the buying and selling business works.

KFG

Re:Just another reason (1)

crazy blade (519548) | more than 10 years ago | (#9344270)

They'll probably (and in my opinion must) sue. Otherwise this simply makes NetGear look bad three-fold:

  1. It is THEIR product that is delivered to consumers faulty. I hold THEM responsible.
  2. They don't take who they work with seriously and therefore people they work with are not serious about it.
  3. They'd rather not give much press to the fact to not make them look bad instead of making sure others think twice before heading down this road.

The problem of convenience (5, Insightful)

luvirini (753157) | more than 10 years ago | (#9344056)

This is a general problem when you buy ready made solutions in the form of "boxes" , you cannot be fully sure of anything inside so it is basically a question of trust.

For example firewalls:

Question 1: how do you know the box firewall you bought is secure and no backdoors?

Answer: normally you do not.

Question 2: Why do majority of people buy those instead of making their own?

Answer: Because it is a lot more convenient

So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclination/will etc to do it themselves.

Re:The problem of convenience (4, Insightful)

Temporal (96070) | more than 10 years ago | (#9344177)

Question 1: How do you know the CPU you bought is secure and has no code-modifying backdoors?

Answer: Normally you do not.

Question 2: Why do the majority of people buy those instead of manufacturing their own?

Answer: Because it is a lot more convenient.

Any piece of hardware can have a backdoor in it, really. If anything, you're probably safer buying the system all in one piece, because:

1) A packaged system built by a respected company is likely to be far better reviewed and tested than something you assemble/install yourself.

2) If it has a hole, you know exactly whom to blame (and perhaps sue for damages, if exploited).

Re:The problem of convenience (2, Insightful)

evilviper (135110) | more than 10 years ago | (#9344285)

Question 2: Why do majority of people buy those instead of making their own?

Answer: Because it is a lot more convenient

I have a better answer... Because 99.9% don't realize there could be a security problem with it. I don't worry about security when I buy a washing machine or a TV, and that's about how most people view "box" devices.

Also, I would add that it's more than convenience, since most people wouldn't be able to configure a computer to be a firewall if their life depended upon it. Maybe a custom OpenBSD distro is in order... One that will configure a firewall on its own, and use good defaults for everything, so it needs no configuration for most people. But then again, you don't really know that software isn't back-doored either... You've got to trust somebody...

Re:The problem of convenience (2, Insightful)

Jay9333 (749797) | more than 10 years ago | (#9344304)

Question 1: how do you know the box firewall you bought is secure and no backdoors?

Answer: normally you do not.

Question 2: Why do majority of people buy those instead of making their own?

Answer: Because it is a lot more convenient

So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclination/will etc to do it themselves.

No one has the time to examine every line of every piece of software (or hardware/firmware) they use that could potentially contain a vulnerability. It is impossible. That is why you only use software that has been in the community (open-source or closed) long enough to where it is generally trusted by experts and laymen alike. That is no guarantee, but that is the best one possible. Shit happens.

taiwan, eh? (5, Funny)

abscondment (672321) | more than 10 years ago | (#9344057)

A search on Google revealed that "5777364" is actually the phonenumber of z-com Taiwan which develops and offers WLAN equipment for its OEM customers.

This number, surprisingly enough, is also the total amount of wooden furniture shipped from Malaysia [mtc.com.my] to Bahrain in 1998. Conspiracy! Conspiracy!

Re:taiwan, eh? (2, Funny)

AbbyNormal (216235) | more than 10 years ago | (#9344337)

Also my luggage combination....MUha ha ha ha ha.

Oh, nevermind.

Re:taiwan, eh? (1)

OneDeeTenTee (780300) | more than 10 years ago | (#9344394)

Google returns a result for "5777364 john kerry", but none for "5777364 george bush".

Hmmm......

Possibilities. (5, Interesting)

alexatrit (689331) | more than 10 years ago | (#9344058)

It's possible that this goes on a whole lot more than we'd like to admit. Just yesterday I was talking to a friend who called Dell technical support about her BIOS password on an Inspiron 5000. She had forgotten it, and couldn't access her settings. Unlike the old days where you'd crack open the box and to the BIOS jumper switch, Dell provided her with a 6 character BIOS password that magically unlocked her system.

Re:Possibilities. (1, Informative)

Hangtime (19526) | more than 10 years ago | (#9344081)

With the automation Dell has in terms of its manufacturing process, I would not be surprised if that password is unique to the Dell Tag number itself instead of just a wide open tag for anyone to use.

Re:Possibilities. (1)

TarlCabbot (778401) | more than 10 years ago | (#9344121)

That is true, it is based on the tag number

Re:Possibilities. (5, Informative)

alexatrit (689331) | more than 10 years ago | (#9344125)

I stand corrected, here.

"The only way to clear the BIOS password is with a Master Reset Password provided by Dell for that Model No. and they will not give you the master unless you can give them the name. address and telephone of the registered owner. However the password is universal for all laps with the same model no., so if you know someone who is a registered owner, you can call Dell and get the master."

Reference [experts-exchange.com] here. That being said, the master for an Inspiron 5000 is BLVJCH. Booyah!

Re:Possibilities. (2, Interesting)

evilviper (135110) | more than 10 years ago | (#9344262)

That's not good, but it's far better than the other extreme. IBM claims there is no way to clear a BIOS password on their laptops, so lots of people on ebay or other sites are buying expensive IBM paperweights. Now, I know for a fact that the password can be recovered and/or reset easily with some basic equipment, but IBM continues to insist that only a motherboard replacement will do, and they charge you the full-price of a mobo just because of a stupid BIOS password. One has to wonder if they are charging you, then resetting the password on your original mobo and selling it again to someone else...

Re:Possibilities. (0)

Anonymous Coward | more than 10 years ago | (#9344216)

I have a between half and one inch thick stack of fanfold printout with the bios override passwords for various motherboards, computer brands, etc on it, one per line, 8 point single spaced font, minimal margins.

And it's only current to the age of P2-500's.

This is not new (or surprising to me) at all.

Re:Possibilities. (1, Funny)

Anonymous Coward | more than 10 years ago | (#9344143)

I had a motherboard with AMI bios that had a backdoor password... Three letters, guess what? :)

No, please, don't... (0, Funny)

Anonymous Coward | more than 10 years ago | (#9344062)

Please, trolls, pretty please...
Don't show us just HOW wide open the hole is.

Re:No, please, don't... (-1, Troll)

zoloto (586738) | more than 10 years ago | (#9344179)

As wide open as, perhaps, a goat [hick.org] ?

Ha! (1)

RecoveredMarketroid (569802) | more than 10 years ago | (#9344065)

So who wants to make fun of my cheap SMC box now?... (When the hole is discovered, it will be posted here too, right?)

Micro$oft... (0)

Anonymous Coward | more than 10 years ago | (#9344079)

Was the vendor Micro$oft?

Vendor will soon have legal problems. (0)

cemaco (665884) | more than 10 years ago | (#9344085)

"The backdoor seems to have been created by the vendor that packaged the device for NetGear" If the above quote is correct, and NetGear did not approve it...

Re:Vendor will soon have legal problems. (2, Interesting)

MrMr (219533) | more than 10 years ago | (#9344422)

Don't worry, the vendor is probably a few thousand miles outside US jurisdiction.
If I were a cynical bastard I might add that Netgear benefits twice from outsourcing its production...

I have a Netgear router. (0)

Cytlid (95255) | more than 10 years ago | (#9344087)

But I figured out a little while back [slashdot.org] that it comes from Sercomm. Hmmm...
glad I didn't go out and jump on the wireless G bandwagon just yet!

Re:I have a Netgear router. (1)

spacefight (577141) | more than 10 years ago | (#9344148)

Happy Birthday :-)

My Router (0)

dicepackage (526497) | more than 10 years ago | (#9344088)

Thank god I bought a D-Link. I was thinking about getting a Netgear or Linksys wireless router but the D-Link just looked like it outperformed each one.

Re:My Router (0)

Anonymous Coward | more than 10 years ago | (#9344193)

Oh yes...thank you Lord for this bit of good fortune. Just think what would have happened if you'd bought a WRT54G and flashed it with a custom Linux rev rendering it one of the most secure and functional WiFi routers on the planet. Shew...that was a close one.

Re:My Router (1)

dicepackage (526497) | more than 10 years ago | (#9344251)

I don't like flashing my firmware with unsupported third party firmware. Is that really that big of a crime on Slashdot? Linux is great, don't get me wrong, but is there even any need for a lot of the features on this?

Lesson: Don't Buy Lame Hardware (-1, Flamebait)

fire-eyes (522894) | more than 10 years ago | (#9344090)

The lesson here is not to buy lame hardware.

I've been bitten by this myself, owning a linksys WAP. Though it is not the one that has been talked about.

It just so happens that it one day stopped responding to my host when it tries to bring up its web config interface. The weird thing is that it only does it to me. NO MATTER WHAT NIC I USE. No matter what IP I use. It's not a firewall in the way. It's not a proxy. It doesn't make sense.

I can connect to it from any other machine, just not mine.

I found out that this is common with linksys WAP's, and that there is nothing you can do about it.

So I learned my lesson: don't buy shitty consumer grade junk like linksys and netgear.

Packaged network boxes (2, Interesting)

swb (14022) | more than 10 years ago | (#9344094)

I've used a couple of the Netgear FVS318 firewall/vpn boxes; they're cheap, sturdily constructed, easy to configure and pretty reliable, but I'm always a little hinky about the unconfigurable software options as much as I am about the backdoors.

My FVS318 does NTP to a hard-coded destination, and there's no way to turn this off or change the NTP sync server that I've found. I've always kind of wondered what else it does or was capable of doing.

Re:Packaged network boxes (1, Informative)

Anonymous Coward | more than 10 years ago | (#9344346)

Sorry for the AC reply...

You can change your NTP Server setting on this router with some of the more up to date firmwares. I'm using A2.4 and there is an option to set the NTP server of your choice under the "Schedule" Menu.

Makes those old 486 machines running Linux.. (3, Insightful)

the_rajah (749499) | more than 10 years ago | (#9344096)

routers look better all the time. At least you have some control over it....if you're a geek anyway.

Which ones of the consumer products are safe? I'm running a D-Link wireless right now. Yes, the encryption is on.

"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain

Netgear WG302 (3, Informative)

the eric conspiracy (20178) | more than 10 years ago | (#9344102)

Well, at least this username/password doesn't work with a WG302 with firmware 1.5.

WGR614 (3, Informative)

Rinisari (521266) | more than 10 years ago | (#9344114)

NetGear WGR614 is not affected by this bug. I'm going to try to get its firmware and follow the same procedure listed in that Bugtraq report to see what I can find.

Too easy (3, Funny)

SuperBanana (662181) | more than 10 years ago | (#9344118)

All your basestation are belong to us?

Man, takes all the fun out of these jokes when it's so easy.

Re:Too easy (0, Offtopic)

evilviper (135110) | more than 10 years ago | (#9344242)

Man, takes all the fun out of these jokes when it's so easy.

No, that's not what took the fun out of it, I'm sure of that...

More like the billions of times it was repeated over the course of 2 months, and the fact that absolutely no thought is put into all the infinite different variations.

It's about as funny as "first post", and "imagine a beowulf cluster of these". It's about as funny as seeing someone peeing into the pool you're swimming in... Why they still get moderated up, I just don't know. I suppose /. still gets new users regularly, and it's still new to a couple of them..

At least a little bit of thought has to be put into the "1,2,3 Profit" jokes, although it seems to be less and less thought lately... Step 1 used to always be a full sentence or paragraph, now people are just whoring and putting 3 words with no humor to them at all.

funny mods != karma (0, Offtopic)

SuperBanana (662181) | more than 10 years ago | (#9344429)

More like the billions of times it was repeated over the course of 2 months, and the fact that absolutely no thought is put into all the infinite different variations.

That was actually exactly my point. How ironic that it was lost on you.

Step 1 used to always be a full sentence or paragraph, now people are just whoring and putting 3 words with no humor to them at all.

I was under the impression that funny mods resulted in no karma points. If I've been earning karma points for my funny posts, at least I've been clueless about it.

Personally, I think you're just pissed off because I get modded up more than you do. Of course, you post 5 times as much as I do, at least.

Take my advice (4, Informative)

Q2Serpent (216415) | more than 10 years ago | (#9344152)

I know this is a huge problem for the general public, but for those of us with a linux machine, do what I do and save yourself some trouble: put two network cards in the linux machine. Connect one to the internet and the other to your wireless router's normal ethernet ports (don't use the port that is supposed to be for the internet). Then, just set up your linux firewall/NAT, and you get all the benefits of wireless and a wired hub on the inside, with a linux machine doing the routing/firewalling for security from the outside. Since the router isn't on the net, no one can even touch it.

Can't they then access it via radio? /nt (0)

Anonymous Coward | more than 10 years ago | (#9344218)

Oops, /nt doesn't work here.

Re:Take my advice (0)

Anonymous Coward | more than 10 years ago | (#9344419)

No one can even touch it? Anyone nearby with a wireless card can touch it!!

Good grief... (4, Interesting)

zoloto (586738) | more than 10 years ago | (#9344155)

I tried this recently on my own unit. Works like a charm. Now that I'm really pissed, it looks like I might have to really complain through the courts by filing a motion with the intent to sue. Not only that, but get that old 500mhz p3 out of the closet and turn it into a router/NFS/SAMBA server and sell the POS netgear router on eBay.

That was the last straw. No more firmware based routers unless I make them myself, or use existing ones as a wireless switch and really try to lock it down or use third party firmware. /end_rant

learning how to make a linux router / NFS will be handy anyhow

Re:Good grief... (1, Insightful)

Peyna (14792) | more than 10 years ago | (#9344174)

What are you going to sue about? The maybe $50 you spent on the router? You haven't incurred any loss or harm yet, just the potential for it.

Re:Good grief... (1)

zoloto (586738) | more than 10 years ago | (#9344199)

negligence, possibly willful.
a motion with intent to file claim is just to let the defendant know, or for lack of a better term, get their attention on the matter.

I didn't realize there was an update at the time of my original post. Either way, a /rant is a /rant

Re:Good grief... (1, Troll)

evilviper (135110) | more than 10 years ago | (#9344213)

Well, I'm sure he could sue on some sort of false advertising, or some other of the billions of vague premises that corporations often like to use to get their way against individuals.

Re:Good grief... (0)

Anonymous Coward | more than 10 years ago | (#9344311)

Suing is probably not an appropriate action. Instead, he should complain to his local trading standards authority on two counts:

1. The product is not "fit for purpose". Letting absolutely anybody mess with your settings is unacceptable.

2. Netgear are falsely advertising. Netgear claim "you can rest assured that your wireless network communications are private" on their website *. When absolutely anybody can mess with your router, you have no reasonable expectation that anything available to that router is private.

* They claim it here [netgear.com]. Stupid crappy popups that make me hunt for the URL...

Re:Good grief... (3, Informative)

Gojira Shipi-Taro (465802) | more than 10 years ago | (#9344315)

Look into Smoothwall. I'm using it on an old PPro 200 as a firewall/router. It supports 3 networks at the moment (red/external, Green/internal, Orange/restricted (wlan for instance)). I have an older netgear router that I keep as a spare (the old PPro 200 has to die sometime...), but even with that, the Smoothwall config can be dumped to floppy and moved to a completely different machine easily.

Good grief... INDEED! (2, Insightful)

Saeed al-Sahaf (665390) | more than 10 years ago | (#9344357)

99.99999% of the "deadenders" who sputter and spew "I... I'm gonna SUE!!!!" will not, and really have no clue about what it would take or even if they have any real legal basis to "SUE!!!!"

It's cheap consumer electronics. Return it and get one that does not have this issue, then resume your life. No story here, move along.

Well, at least it's only an access point (4, Insightful)

the eric conspiracy (20178) | more than 10 years ago | (#9344162)

These things usually sit behind a firewall, so you aren't in quite as bad shape as if it were offering its private parts to the general internet like the Linksys.

Re:Well, at least it's only an access point (1)

AbbyNormal (216235) | more than 10 years ago | (#9344354)

So nobody could get on your network if they are nearby?

they published the password? (3, Interesting)

pedantic bore (740196) | more than 10 years ago | (#9344227)

Gadzooks, could they have made it any easier for script kiddies to exploit this? Might as well just power down your netgear box until a new firmware patch comes out (assuming the firmware can be patched).

I don't believe in security through obscurity, but I also don't believe in publishing backdoor passwords. It's not like it has any educational value (unlike looking at some exploits, which helps programmers learn how to write code that's not vulnerable).

Can you believe it? (2)

cccemper (694964) | more than 10 years ago | (#9344229)

I am amazed.... I just wonder how many DOS or DDOS attacks were made based on this wonderful backdoor... and btw: shall all the NetGear Users now dump their devices ?!? no way... if this thing is really un-patchable, then I suspect this leak to be open for many years from now, as the device is one of the most current ones... wow - just before I bought it :-)

WG602v2 with firmware 2.0rc5 (3, Informative)

thewiz (24994) | more than 10 years ago | (#9344234)

Just checked my WG602v2 and the factory firmware upgrade 2.0rc5 and they do not have the backdoor.

Whew!

Man... (3, Interesting)

222 (551054) | more than 10 years ago | (#9344250)

ok, this is bad... but what I see as a far worse problem is that most OEMs don't bother setting passwords on Windows XP installs.
I've even seen this happen on a ThinkPad, and I would have thought IBM of all people to know better. I've seen this on a few vendors before but I can't remember exactly which ones, has anyone else seen this happen before?

Provides convenient excuse for content access (3, Funny)

noidentity (188756) | more than 10 years ago | (#9344309)

Come on! These backdoors provide a convenient excuse when you're charged with breaking the law by accessing illegal content over your connection. If the vendor told you of their presence, you wouldn't be able to use them as a defense. Er wait, if you didn't know of them... hmmm...

All Your AP Bases Are Belong to Us (0)

Anonymous Coward | more than 10 years ago | (#9344316)

All Your AP Bases Are Belong to Us.

Easter Eggs (1)

$exyNerdie (683214) | more than 10 years ago | (#9344433)

On a similar note, many developers leave easter eggs in software they write for fun or for whatever reason... Imagine Windows Server 2003 easter eggs allowing admin level login!
I was shocked when I heard of easter eggs in my Handspring/PalmOne Treo 600 phone! Characters suddenly start appearing on the phone display by pressing a combination of keys...