>>>>> On Mon, 16 Apr 2001 04:14:05 -0700, "Mark (Mookie)" <markat_private> said:

Mark> Weren't these issues actually discovered by Renaud Deraison in November 2000?
Mark> He added code to his Nessus program to check for the problems and didn't
Mark> consider it worth an advisory since the exploit depended on the IP 10.0.0.138
Mark> being spoofable, possible on some ISPs who do VPNs that way but generally
Mark> a lower risk than the full internet range.

He found the null default password, see below.

Mark> You'd think the normal process of informing the manufacturer to provide a
Mark> window to have a patch available would be followed. Instead a few people
Mark> were told, then the press and then CERT, sounds more like a PR stunt to me.

The manufacturer was notified before the French press got hold of the story, from the French computer underground, while we were writing the advisory, after I had sent a note to Alcatel.

Mark> The value add tools are useful but the manufacturer could have offered a
Mark> better fix than binary patching etc. Sounds like too much time was spent on a
Mark> nowhere issue.

Read the redacted text in the Alcatel media release for fun :-)

http://morons.org/articles/1/188

(Thanks to Jericho for pointing this out to me.)

Mark> Mark.
Mark> All your japboy are belong to us.

Aside from the personal attacks, perhaps you should check the facts. I did.

The nearly-identical post (yours?) on slashdot

(http://slashdot.org/comments.pl?sid=01/04/11/1249209&cid=69)

posted at Wednesday April 11, @09:20AM EST was almost immediately refuted by Renaud Deraison himself:

http://slashdot.org/comments.pl?sid=01/04/11/1249209&threshold=1&commentsort=0&mode=thread&pid=110#111

posted at Wednesday April 11, @10:40AM EST

I verified this information with Renaud, receiving a reply to my message at Thu, 12 Apr 2001 00:04:07 +0200. He said he posted the note on Slashdot, but said it was moderated too low for people to easily see.

It seems a little strange to be posting this rumor, 4 days after it was proven false, but I see no reason to question your motives.

--tep

p.s. I *still* *like* the Alcatel Speed Touch Home. It is still connecting my home network, despite being offered other devices since the advisory went out. They just need to fix a few problems. Just like *every* other vendor.

This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 02:33:59 PDT