Vulnerability Development mailing list archives
Re: DOCSIS vulnerability
From: Dave Ahmad <da () securityfocus com>
Date: Tue, 12 Mar 2002 10:09:13 -0700 (MST)
Matthew,
I did not approve your post because I was still deciding
whether or not it belonged on Bugtraq. It's neat, but is it appropriate for the
list? I was leaning towards 'NO' but had not had the chance to reply to
you yet (in fact, an incomplete message to you was sitting in my
'postponed' box).
(Note: this post to VULN-DEV was not the one sent to Bugtraq, a different
message was sent to Bugtraq which basically read 'do this to remove the
bandwidth restrictions!'. I have attached it.)
You were describing how to evade their service restrictions ("how to
commit fraud"). Not sure what the benefit was to the community. Who
is at risk if the information is not made public? You're probably putting
yourself at risk for legal action (doubt they have a case, but it
would not be pleasant).
You could argue that they were not listening, so the only way
to get the information out is to make it public and embarass them. That
is a fine argument if you and other people are at risk because of this
vulnerability, but you're not really.. unless you're concerned that the
kid down the street is stealing the neighbourhood bandwidth. Also, your
post did not give me the feeling that this was your intention (to warn the
world about the ability of people to steal bandwidth).
Let's look at what has been approved on the list in the past that could be
considered similar. We have approved cross-site scripting vulnerabilities
(in websites) and reports of holes in online banking services. Who is at
risk in those situations? The users of the websites and the users of the
online services. If the operators of the affected services were not doing
anything about it, the public should be aware and advised not to use their
services (or use them with caution). I don't see that same justification
for making this public.
If you had posted this particular message to Bugtraq it would have been
approved. This post to vuln-dev was less about removing the bandwidth cap
and more about describing the problems with the firmware configurations.
That's a description of security vulnerabilities, and OK for the list.
Step-by-step instructions on how to steal from cable companies is not.
Regards,
Dave Ahmad
SecurityFocus
www.securityfocus.com
On Mon, 11 Mar 2002, Matthew S. Hallacy wrote:
Hi, Apparently this isn't bugtraq worthy (my posts weren't rejected, they were simply deleted), so I'll send it here.
Attachment:
cable-modem.txt
Description:
Current thread:
- DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- RE: DOCSIS vulnerability Chris Chandler (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- Re: DOCSIS vulnerability Mark (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- Re: DOCSIS vulnerability Dave Ahmad (Mar 12)
- Re: DOCSIS vulnerability Laurence Brockman (Mar 12)
- <Possible follow-ups>
- RE: DOCSIS vulnerability Rense Buijen (Mar 12)
- RE: DOCSIS vulnerability Justin Ellison (Mar 12)
- Re: DOCSIS vulnerability Rob Koliha (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 13)
- RE: DOCSIS vulnerability Justin Ellison (Mar 12)
- Re: DOCSIS vulnerability Matthew S. Hallacy (Mar 12)
- RE: DOCSIS vulnerability Chris Chandler (Mar 12)
- Re: DOCSIS vulnerability dana shetterly (Mar 19)
- Re: DOCSIS vulnerability Siegfried Loeffler (Mar 20)
- Re: DOCSIS vulnerability Adam Wheeler (Mar 21)
- Wireless device vulnerability? Meritt James (Mar 22)