[101758] in North American Network Operators' Group
Re: (broadband routers) PC World: Flash Attack Could Take Over Your
daemon@ATHENA.MIT.EDU (Sean Donelan)
Thu Jan 17 12:13:37 2008
Date: Thu, 17 Jan 2008 12:01:58 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.62.0801161208050.17353@linuxbox.org>
Errors-To: owner-nanog@merit.edu
On Wed, 16 Jan 2008, Gadi Evron wrote:
> Props to Jeff Chan who I saw it from.
>
> Yes, I still believe these ISP distributed machines called broadband routers
> are a network operators issue. But not all may agree on that.
I doubt many ISP security or customer care folks are fans of UPnP.
The distribution channel (consumer electronics retail store, discount
mail order company, etc) is less important than working with the CPE
vendors. I worked with a few CPE vendors for several years since 2003 to
improve some things. You may be able to figure out which CPE vendors,
because they have UPnP off by default (or don't have UPnP), and other
nice things such as automatic security patch loading. CPE owners take even
less care of the CPE than even PCs.
But even though a few other large ISPs copied some of my requirements for
their RFPs, a lot of CPE is distributed through many channels. I'm a bit
suspicious of some security researcher's statistics about UPnP gateway
configurations in different markets.
If you just want to rant at network operators go ahead. But it will
probably be more productive working with CPE vendors and ISPs on a few
constructive things.
What specifications can consumer electronics stores and ISPs include in
the RFPs to consumer CPE vendors? What can consumer CPE vendors include
at the price-points for the market for consumer CPE? Is the Carterphone
era over, and consumers just can't handle managing CPE anymore?
