Vulnerability Development mailing list archives
Re: DOCSIS vulnerability
From: Dave Ahmad <da () securityfocus com>
Date: Tue, 12 Mar 2002 10:09:13 -0700 (MST)
Matthew, I did not approve your post because I was still deciding whether or not it belonged on Bugtraq. It's neat, but is it appropriate for the list? I was leaning towards 'NO' but had not had the chance to reply to you yet (in fact, an incomplete message to you was sitting in my 'postponed' box). (Note: this post to VULN-DEV was not the one sent to Bugtraq, a different message was sent to Bugtraq which basically read 'do this to remove the bandwidth restrictions!'. I have attached it.) You were describing how to evade their service restrictions ("how to commit fraud"). Not sure what the benefit was to the community. Who is at risk if the information is not made public? You're probably putting yourself at risk for legal action (doubt they have a case, but it would not be pleasant). You could argue that they were not listening, so the only way to get the information out is to make it public and embarass them. That is a fine argument if you and other people are at risk because of this vulnerability, but you're not really.. unless you're concerned that the kid down the street is stealing the neighbourhood bandwidth. Also, your post did not give me the feeling that this was your intention (to warn the world about the ability of people to steal bandwidth). Let's look at what has been approved on the list in the past that could be considered similar. We have approved cross-site scripting vulnerabilities (in websites) and reports of holes in online banking services. Who is at risk in those situations? The users of the websites and the users of the online services. If the operators of the affected services were not doing anything about it, the public should be aware and advised not to use their services (or use them with caution). I don't see that same justification for making this public. If you had posted this particular message to Bugtraq it would have been approved. This post to vuln-dev was less about removing the bandwidth cap and more about describing the problems with the firmware configurations. That's a description of security vulnerabilities, and OK for the list. Step-by-step instructions on how to steal from cable companies is not. Regards, Dave Ahmad SecurityFocus www.securityfocus.com On Mon, 11 Mar 2002, Matthew S. Hallacy wrote:
Hi, Apparently this isn't bugtraq worthy (my posts weren't rejected, they were simply deleted), so I'll send it here.
Attachment:
cable-modem.txt
Description:
Current thread:
- DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- RE: DOCSIS vulnerability Chris Chandler (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- Re: DOCSIS vulnerability Mark (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- Re: DOCSIS vulnerability Dave Ahmad (Mar 12)
- Re: DOCSIS vulnerability Laurence Brockman (Mar 12)
- <Possible follow-ups>
- RE: DOCSIS vulnerability Rense Buijen (Mar 12)
- RE: DOCSIS vulnerability Justin Ellison (Mar 12)
- Re: DOCSIS vulnerability Rob Koliha (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 13)
- RE: DOCSIS vulnerability Justin Ellison (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- RE: DOCSIS vulnerability Chris Chandler (Mar 12)
- Re: DOCSIS vulnerability dana shetterly (Mar 19)
- Re: DOCSIS vulnerability Siegfried Loeffler (Mar 20)
- Re: DOCSIS vulnerability Adam Wheeler (Mar 21)
- Wireless device vulnerability? Meritt James (Mar 22)