Bugtraq mailing list archives

RE: The Linksys WRT54G "security problem" doesn't exist


From: "Alan W. Rateliff, II" <lists () rateliff net>
Date: Sat, 5 Jun 2004 13:05:32 -0400

-----Original Message-----
From: David Pipe [mailto:David_Pipe () bio-rad com] 
Sent: Friday, June 04, 2004 2:42 PM
To: bugtraq () securityfocus com
Subject: The Linksys WRT54G "security problem" doesn't exist

Considering the harsh tone of your email, my initial reaction is to treat it
as hostile.  If I react incorrectly, please let me know.

This clearly works properly on my Linksys WRT54G.  No access of 
administrative site on the WAN side when it's turned off.  Period.

Turn off your firewall.  Test again.  And make sure that your ISP does not
block http and https between your testing point and your router.

1) No one has been able to confirm this problem.  Isn't that right?

Probably.  Since LinkSys posted an updated firmware which specifically
addresses it, it was more than likely all a bad dream.

2) The "Independent consultant" did not say he tried with more than one
router, and it appears that he did not ask anyone else if they would
check this out on their routers before he decided the sky was falling.

Read my follow-up posts.  To my dismay, my original post was jumped on by
several security lists and Internet news outlets, COMPLETELY ignoring the
discussion which followed said post, and completely ignoring my additional
information.  Oh, and how many of these Internet news outlets contacted me
before running their stories?  NONE.  Only Maggie Reardon of C|Net made the
effort to spend time on the phone with me to confirm and straighten out the
finer details.

I did what so many others have done on BugTraq: I reported my findings on a
product based upon, admittedly dated, results of my own testing.  As has
happened many times before, answers came and discussions ensued.  Then I took
additional effort to produce additional data using personal funds to
purchase new products for more recent testing.

I will admit that I underestimated the impact of that post.  I never
expected that the post would be spread as it did, taken at face-value
without confirmation.  I do not recall any BugTraq post in the past three
years I have been on the list making it to the media so quickly.  The speed
at which it hit the air made me look like an absolute ass, and indeed gave
the impression that the "sky was falling;" completely not my decision.

3) Thousands and thousands of these things have been sold for months and no
one has reported this error before.

Just because no one else ever reports a problem does not mean it does not
exist.

4) Certainly such an egregious error would have been discovered before
now, as hackers routinely bang away at IP addresses and find this stuff.

Right.

5) Does he really think that Cisco/Linksys would not test such a basic
basic basic aspect of this router's security?

Yes.  How many times have "basic basic basic" aspects of security gone
untested, or flaws gone unnoticed?  How long was port 1900 open on my SMC
Barricade?  How many "basic basic basic" aspects of security has Microsoft,
various Linux distros, Sun, and even MacOS X violated?

6) How did this get on to InternetWeek?  Does anyone actually check these
things out before publishing them?

See my comment above.  I emailed Ryan after I found his article, after it
was Slashdotted.  His response is that he was inundated with emails linking
to my amendments and that he planned a follow-up to clarify.  My last email
from him pointed to the firmware page which now has the v2.02.8_BETA which
addresses the issue.  To my knowledge, however, said update to his article
has yet to be released.

Please, prove me wrong on all points.  Can anyone reproduce this?

I have received a couple of dozen responses, many which said they could not
right out of the box.  Some which said they could.  Dammit, I am not crazy,
I *know* what I saw on the original units, but like I told Maggie, just one
person saying a unit exactly as I tested did not show my described behavior
sent me out for more units.  Only one of my original units is still in
service, and it has been flashed, re-configured, and just mangled beyond
being a reliable data source for OTS/OOB behavior.

LinkSys never responded to my first email about this; I even sent screen
shots.  No one else with whom I spoke locally was installing these.  I had
the results of testing on two units right out of the box.  I made my report.
And that, as they say, is that.

I do not have results of the new v2.02.8_BETA firmware available, and I am
now in communication with the WRT54G product manager at LinkSys/Cisco.

-- 
       Alan W. Rateliff, II        :       RATELIFF.NET
 Independent Technology Consultant :    alan2 () rateliff net
      (Office) 850/350-0260        :  (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]

 

