On Tue, 29 Dec 2009 02:23:24 PST, Cilia Pretel Gallo said:

> Also, connections on ports 23 and 80, from any IP address, will access the
> modem configuration options. Last year that could be done only from private
> IP addresses (i.e. 192.168.0/24), but now it can be done, as I said, from
> anywhere.

Apparently somebody forgot to do regression testing on the distributed config file, because they *used* to do it at least semi-right.

The annoying part is that it's a real pain in the butt for the ISP to fix correctly. You need to first use the hole you created to get the current config, and verify whether or not *anything* has been changed from the as-shipped defaults. It's only safe to automagically push a new config if the user hasn't screwed around with it. If anything's been changed, you need to do a setting-by-setting audit to tell if there's any way they could *possibly* interact - and it's not always obvious. If the user has changed the default password, it *may* indicate that he uses access from the "outside" to check the modem status at home when he's at the office or on the road. So changing the allowed address ranges might hose the user. At that point, you pretty much bought a support call for every single user you aren't able to automagically migrate, either to talk to the user beforehand, or they call you when you break their config.

From the admin side of the boat, trying to push an update to 50,000 users is *always* a scary prospect. You have to realise that at many ISPs, the profit margin per subscriber is actually so slim that if they call the support desk *once* in a year, the resulting costs can easily wipe out any profit they've made on that user. It doesn't take much - if you're paying a guy $7/hour for level 1 tech support, the encumbered cost paying for the seat he's sitting in, the office space, benefits (Social Security and unemployment at least), etc. means an encumbered cost of $10 to $15/hour. If you're billing this guy $30/mo and making $1/mo profit, that means if the guy calls in and has a problem that takes an hour to resolve, you're starting to lose money on that user. (This is why most support desks try to get rid of you as fast as they can, whether or not your problem is actually fixed.)

So there's a real disincentive for the ISP to spend a lot of effort and money to fix the problem - at best, making sure new modems they deploy are set correctly might happen. Adding to that is the fact that it usually doesn't cost the ISP anything if a customer gets pwned, unless the pwner then starts sucking down bandwidth like crazy. And if the ISP charges "$30/mo for first 50G, and $1 for each G after", then there's *no* incentive for the ISP to actually fix it.

This probably won't get fixed unless somebody finds a way to make it actually *cost* the ISP. In the US, a class-action lawsuit for reckless endangerment might work. Don't know about Colombia.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
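As an added illustration of the triage the poster describes (pull the current config through the exposed management port, compare it against the as-shipped defaults, push the fix unattended only when nothing was touched, and treat a changed admin password while WAN management is open as a sign the user may depend on remote access), here is a small Python script. It is not part of the original post or of any ISP's tooling; the key=value config format, the field names, the default values and the three sample dumps are all invented for the example.

```python
import ipaddress

# Assumed as-shipped defaults for a hypothetical modem, as key=value lines.
# Field names are invented for this example; real CPE config formats differ.
DEFAULTS = {
    "admin_password": "admin",
    "mgmt_http_enabled": "1",
    "mgmt_telnet_enabled": "1",
    "mgmt_allowed_from": "0.0.0.0/0",   # the regression: ports 23/80 open to anyone
    "wifi_ssid": "ISP-WIFI",
    "wifi_channel": "6",
}

# What the corrected config must contain whatever else the user has set:
# telnet off, management reachable from the LAN only.
FIX = {
    "mgmt_telnet_enabled": "0",
    "mgmt_allowed_from": "192.168.0.0/24",
}

# Settings that can interact with the fix. A deviation here is not cosmetic;
# it may mean the user depends on reaching the modem from outside.
MGMT_KEYS = {"admin_password", "mgmt_http_enabled",
             "mgmt_telnet_enabled", "mgmt_allowed_from"}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_config(text):
    """Parse a key=value config dump; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def changed_from_defaults(cfg, defaults=DEFAULTS):
    """Return {key: (default, current)} for every setting that deviates."""
    return {k: (defaults.get(k), v) for k, v in cfg.items()
            if defaults.get(k) != v}


def exposed_to_internet(cidr):
    """True unless the management range lies entirely inside an RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(block) for block in RFC1918)


def triage(text):
    """Classify one config dump and, where safe, build the config to push.

    Returns (decision, reasons, proposed). decision is 'auto-push' (factory
    state), 'merge' (user changes, none management related; fix applied on
    top of them) or 'manual-audit' (needs a human; proposed is None)."""
    cfg = parse_config(text)
    changes = changed_from_defaults(cfg)
    if not changes:
        return "auto-push", [], {**cfg, **FIX}
    touched = sorted(MGMT_KEYS & set(changes))
    reasons = []
    if touched:
        reasons.append("management settings differ from default: " + ", ".join(touched))
    allowed = cfg.get("mgmt_allowed_from", DEFAULTS["mgmt_allowed_from"])
    if "admin_password" in changes and exposed_to_internet(allowed):
        reasons.append("password changed while WAN management is open; "
                       "user may rely on remote access, restricting it could break them")
    if reasons:
        return "manual-audit", reasons, None
    return "merge", [], {**cfg, **FIX}


# Constructed sample dumps, standing in for what the ISP would fetch from
# each modem over the exposed port.
FACTORY = "\n".join(f"{k}={v}" for k, v in DEFAULTS.items())
WIFI_ONLY = FACTORY.replace("wifi_ssid=ISP-WIFI", "wifi_ssid=home-net")
REMOTE_USER = FACTORY.replace("admin_password=admin", "admin_password=s3cret")

if __name__ == "__main__":
    for name, dump in (("factory", FACTORY), ("wifi-only", WIFI_ONLY),
                       ("remote-user", REMOTE_USER)):
        decision, reasons, proposed = triage(dump)
        print(name, decision, reasons,
              proposed and proposed["mgmt_allowed_from"])
```

The 'merge' outcome goes one step beyond the post, which treats any deviation as needing a human: it lets changes that cannot interact with the management fix (here, Wi-Fi settings) go through unattended, while anything touching the management keys, or a changed password with the WAN range still open, is held for the setting-by-setting audit.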