BugTraq
LinkSys WRT54G administration page availble to WAN May 31 2004 04:51PM
Alan W. Rateliff, II (lists rateliff net) (4 replies)
Re: LinkSys WRT54G administration page availble to WAN Jun 02 2004 06:30PM
Jason Munro (jason stdbev com)
Re: LinkSys WRT54G administration page availble to WAN Jun 01 2004 02:43PM
Steffen Mueller (steffen mueller vision-it de) (1 replies)
Re: LinkSys WRT54G administration page availble to WAN Jun 01 2004 07:09PM
Valdis Kletnieks vt edu
Re: LinkSys WRT54G administration page availble to WAN Jun 01 2004 01:28PM
Matthew Gillespie (mgillespie socket net) (1 replies)
RE: LinkSys WRT54G administration page availble to WAN Jun 01 2004 03:56PM
Alan W. Rateliff, II (lists rateliff net)
Re: LinkSys WRT54G administration page availble to WAN May 31 2004 09:18PM
Matthew Caron (matt mattcaron net) (1 replies)
RE: LinkSys WRT54G administration page availble to WAN May 31 2004 10:58PM
Alan W. Rateliff, II (lists rateliff net)
> -----Original Message-----
> From: Matthew Caron [mailto:matt (at) mattcaron (dot) net]
> Sent: Monday, May 31, 2004 5:19 PM
> To: Alan W. Rateliff, II
> Cc: bugtraq (at) securityfocus (dot) com
> Subject: Re: LinkSys WRT54G administration page availble to WAN
>
> Isn't that the Linksys product that runs Linux and all these folks have
> been making custom firmware for? If so, can't one of those folks fix
> this bug if Linksys is taking too long?

Perhaps, but the points still remain that LinkSys is distributing a
vulnerable product through all channels, retail stores are blowing this item
out with rebates, and Joe Average User isn't going to upgrade to a custom
Linux-based firmware because chances are he or she is not aware of it.

Also, I have received a shit-storm of auto-replies from my original post.
Hey, people, DON'T SUBSCRIBE TO A LIST USING AN ADDRESS WITH
AUTO-RESPONDERS!!

After wading through 30-or-so of these auto-responses, I found three valid
emails. The general answer is that I had an open dialogue with LinkSys
support (case #AEV-14523-534, which refers to #KNU-66355-624,) the problem
was originally noted to them on 04/28/04, and because of my open dialogue
with LinkSys support I did not send an email to any other address or
department at LinkSys.

In regards to the last part, I do now feel somewhat remiss for not having
done so, however at the same time a proven security issue should be properly
communicated from support to the appropriate department. That seems to not
be the case, and assumption is the evil of all root.

--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 (at) rateliff (dot) net
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
