Full Disclosure mailing list archives
Re: EE BrightBox router hacked - bares all if you ask nicely
From: gold flake <ptinstructor () gmail com>
Date: Thu, 16 Jan 2014 15:35:20 +0530
May be off-topic but your rant got me wondering as to way suddenly nationalities are brought into picture when bad coding/security practices, etc, are being discussed. Is it really the culture of these countries (you mentioned India, Pakistan and China) that encourages slip-shod, corner-cutting work methodology that is to blame or is it something else? If something else, then why bring nationalities into the secure development debate? Or do we reserve Britishers to be labeled only as pedophiles<http://www.bbc.co.uk/news/world-asia-25746859>and very good programers (just as an example)? I think what you are trying to say is that it is the fault of the industry to push bad products on a public that does not know enough to care about. On Thu, Jan 16, 2014 at 3:02 PM, Źmicier Januszkiewicz <gauri () tut by> wrote:
Absolutely shocking lack of security considerations.Is it, really? I've got a feeling that companies don't give a s--t about your data, your privacy, and so on (proved by numerous examples out there), unless absolutely required to do so by law, and there is a good reason behind that. It is not a charity fund, you see; a company is all about money, even if they state otherwise via their "motto" or "mission", and as we all know, a dollar saved is a dollar earned... So they try to get it working by hiring 1-2 Chinese/Indian/Pakistan/Younameit techies (not because they are bad at what they do, but because they are cheap), and squeeze them until the stuff is working somewhat. And that's it! Then those who made it work are fired, and another group with even thinner payslip is hired for "support". Note that at no point any emphasis on security of the product is made -- a company is not interested in spending more money, and workers are not interested in spending their life without any compensation. Why a company is not interested? Just some simple calculations anyone can do: having a working device/service/whatever brings in paying customers, having a secure device/service/whatever brings in expenses. So, we get the usual "sorry, we have no budget for that!" reply even if one asks for a security review. And then, see, even if your company manages to produce a "highly secure" device/service by hiring N brilliant minds and paying a 5-digit/mo each of them, then magic happens -- the cost of the end product is so high nobody buys it! Surprise! Will you pay 300 pounds more for something that does the same, but claims to be "secure"? No. Will a punter pay 300 pounds more for that? Hell no. Just as simple as that. I do find it amusing as people get "shocked" by such a simple thing... 2014/1/16 Dan Ballance <tzewang.dorje () gmail com>:What a great write up and what an appalling mess for a UK ISP to be in in 2014. Absolutely shocking lack of security considerations. Thanks for sharing this. I've just followed you on Twitter as well, cheers, Dan. On 15 January 2014 20:28, Scott Helme <scotthelme () hotmail com> wrote:The BrightBox router is the standard equipment issued by UK ISPEverythingEverywhere (EE) to its subscribers. The device not only leaks sensitive data but is remotely exploitabletoo.An attacker even has the ability to take control of your account as the router leaks your ISP account credentials. You can read the full article here: https://scotthelme.co.uk/ee-brightbox-router-hacked/ Scott. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- EE BrightBox router hacked - bares all if you ask nicely Scott Helme (Jan 15)
- Re: EE BrightBox router hacked - bares all if you ask nicely Dan Ballance (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Źmicier Januszkiewicz (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely gold flake (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Źmicier Januszkiewicz (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Dan Ballance (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Źmicier Januszkiewicz (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Dan Ballance (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Valdis . Kletnieks (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Dan Ballance (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Źmicier Januszkiewicz (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Dan Ballance (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Valdis . Kletnieks (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Dan Ballance (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Jeffrey Walton (Jan 16)
- Re: EE BrightBox router hacked - bares all if you ask nicely Dan Ballance (Jan 16)