[101772] in North American Network Operators' Group
Re: (broadband routers) PC World: Flash Attack Could Take Over Your
daemon@ATHENA.MIT.EDU (Gadi Evron)
Thu Jan 17 20:41:14 2008
Date: Thu, 17 Jan 2008 19:32:27 -0600 (CST)
From: Gadi Evron <ge@linuxbox.org>
To: Sean Donelan <sean@donelan.com>
cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.64.0801171135460.13234@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu
On Thu, 17 Jan 2008, Sean Donelan wrote:
> On Wed, 16 Jan 2008, Gadi Evron wrote:
>> Yes, I still believe these ISP distributed machines called broadband
>> routers are a network operators issue. But not all may agree on that.
>
> What specifications can consumer electronics stores and ISPs include in the
> RFPs to consumer CPE vendors? What can consumer CPE vendors include
> at the price-points for the market for consumer CPE? Is the Carterphone
> era over, and consumers just can't handle managing CPE anymore?
>
Thanks for putting the discussion in focus, Sean. These are splendidly
good questions! And cosumers may be able to handle CPE, but not most of
the ones on broadband providers. "Anymore" ?
The questions you raise are very good, and I don't intend to attack their
validity. My purpose here is to say that: yes, vendors should do better
and it is good to form relationships with them, but currently there are
millions of customers who consider these "modems" plug and play,
regardless of technology.
The recursive DNS servers, linux machine, default passwords and whatever
else may be on that CPE device is outside their realm of care. I'd be
happy if Windows Update is turned on for even some of them, which is in
their realm of care.
These devices are on the client end, and are not under client care. I
believe this needs to be re-emphasized. I do not believe spreading gospel
on how to secure them to end users is what we need, but rather the other
part you mentioned, which is working with vendors.
Working with vendors aside (as you mentioned, can be frustrating) network
operators need to realize these are in fact their problem, as the vendors
are not quite up to scratch yet, are they?
These devices are:
1. Botnets waiting to happen.
2. Sniffers waiting to infringe on user privacy.
3. Recursive DNS servers waiting to be abused.
I believe the main points of interest are #1 and #3. I've worked with a
few ISPs on this in the past couple of years, but it is obvious the issue
remains un-noticed for most.
Flash and UPnP I am honestly not that interested in.
Gadi.
