Bugtraq mailing list archives

Re: WebRamp M3 Perceived Bug


From: kragen () POBOX COM (Kragen Sitaker)
Date: Thu, 4 Feb 1999 19:59:12 -0500


On Wed, 3 Feb 1999, Robert Ward wrote:
> We designed this box with being able to access the CLI or HTTP interface
> from the WAN in mind.  This feature allows for remote management and
> troubleshooting of the WebRamp, and has proved to be an essential tool to our
> support department.  If security is a concern change the Administrative
> password on your WebRamp, and do so frequently.

IMHO, when you ship someone a preconfigured machine of some kind, and
they don't express any particular interest or knowledge about the
possibilities of that machine being controlled remotely, the default
should be for that machine not to be controllable remotely -- not for
anyone in the world to be able to control that machine remotely.

> 2)  This is true for every M3/M3t/M3i/300 user who is not using Visible
> Computers or telnet Local Servers.  I would approximate this number to be in
> the 90% or higher range.  The number of customers who have actively tried to
> disable incoming telnet sessions that we are aware of is much lower than 1%.

This is probably a good rule of thumb.  99% or more of the people out
there won't even think about security.  It's a betrayal, a fraud, an
injustice to put backdoors into your products by default, then give
people the ability to turn them off -- knowing that more than 99% of
them will never use it.

Imagine getting a new car.  Like more than 99% of car owners, you don't
read the owner's manual.  After six months, the car's brakes stop
working in traffic; it kills your wife and kids, along with the
occupants of several dozen other cars of the same model in that city
block.  You call the manufacturer to complain.  "Didn't you read the
manual?" they say.  "On page 66, it explains that the car is rigged to
disable the brakes when it receives a particular radio signal, but you
can turn it off with a switch inside the glove compartment.  It's not
our fault if terrorists use this feature to blow up buildings, and if
you didn't bother to read the manual.  We put it in to help our
mechanics when the brake pedals get stuck."

> 3)  There are workarounds readily available.

. . . which, as you point out, more than 99% of your customers don't
even know about, and therefore more than 99% of your customers are wide
open.

I hope you get your irresponsible sorry asses hauled into court for
this, you pathetic slimeballs.

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
Computers are the tools of the devil. It is as simple as that. There is no
monotheism strong enough that it cannot be shaken by Unix or any Microsoft
product. The devil is real. He lives inside C programs. -- philg () mit edu