[20256] in bugtraq
Re: multiple vulnerabilities in Alcatel Speed Touch DSL modems
daemon@ATHENA.MIT.EDU (Tom Perrine)
Tue Apr 17 05:26:31 2001
Message-ID: <200104162116.OAA18737@lart>
Date: Mon, 16 Apr 2001 14:16:52 -0700
Reply-To: Tom Perrine <tep@SDSC.EDU>
From: Tom Perrine <tep@SDSC.EDU>
X-To: mark@ZANG.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200104161114.EAA27684@zang.com> (mark@ZANG.COM)
>>>>> On Mon, 16 Apr 2001 04:14:05 -0700, "Mark (Mookie)" <mark@ZANG.COM> said:
Mark> Weren't these issues actually discovered by Renaud Deraison in November 2000?
Mark> He added code to his Nessus program to check for the problems and didn't
Mark> consider it worth an advisory since the exploit depended on the IP 10.0.0.138
Mark> being spoofable, possible on some ISPs who do VPNs that way but generally
Mark> a lower risk than the full internet range.
He found the null default password, see below.
Mark> You'd think the normal process of informing the manufacturer to provide a
Mark> window to have a patch available would be followed. Instead a few people
Mark> were told, then the press and then CERT, sounds more like a PR stunt to me.
The manufacturer was notified before the French press got hold of the
story, from the French computer underground, while we were writing the
advisory, after I had sent a note to Alcatel.
Mark> The value add tools are useful but the manuafacturer could have offered a
Mark> better fix than binary patching etc. Sounds like too much time was spent on a
Mark> nowhere issue.
Read the redacted text in the Alcatel media release for fun :-)
http://morons.org/articles/1/188
(Thanks to Jericho for pointing this out to me.)
Mark> Mark.
Mark> All your japboy are belong to us.
Aside from the personal attacks, perhaps you should check the facts. I
did.
The nearly-identical post (yours?) on slashdot
(http://slashdot.org/comments.pl?sid=01/04/11/1249209&cid=69) posted
at Wednesday April 11, @09:20AM EST was almost immediately refuted by
Renaud Deraison himself:
http://slashdot.org/comments.pl?sid=01/04/11/1249209&threshold=1&commentsort=0&mode=thread&pid=110#111
posted at Wednesday April 11, @10:40AM EST
I verified this information with Renaud, receiving a reply to my
message at Thu, 12 Apr 2001 00:04:07 +0200. He said he posted the
note on Slashdot, but said it was moderated too low for people to
easily see.
It seems a little strange to be posting this rumor, 4 days after it
was proven false, but I see no reason to question your motives.
--tep
p.s. I *still* *like* the Alcatel Speed Touch Home. It is still
connecting my home network, despite being offered other devices since
the advisory went out.
They just need to fix a few problems. Just like *every* other vendor.
