[linux-elitists] Are we Dead Yet? (or "For every sprinkle I find, I shall kill you!")
Rick Moen
rick@linuxmafia.com
Thu Feb 3 16:45:05 PST 2005
Quoting Karsten Self (kmself@ix.netcom.com):
> But if you'll look over the vulnerability notices for Linksys, you'll
> note that it offers (public-side) remote administration capabilities,
> which have had several security issues. It's also typically running the
> kernel, Apache, and SNMP, at least two of which (kernel & SNMP) have had
> remote exploits in recent memory. Plus, by its very nature, the box
> _lives_ on public-facing nets.
To repeat: Abuse of unmaintained/vulnerable systems without root
compromise is probably a useful discussion -- but it's not the same as
this one.
> Um. Is TiVo connectivity Internet or dialup? I thought it phoned
> home nightly for brainwashing.
Either. Default network capability depends on model. FYI: The
dial-up, last I heard, was into UUNet's PPP connections: There is
security exposure, there.
> Which doesn't mean you can't:
>
> - Load something into RAM. So long as it runs, you're golden.
>
> - Subject the device to a DDoS (as my yarn shows).
To repeat: Abuse of unmaintained/vulnerable systems without root
compromise is probably a useful discussion -- but it's not the same as
this one.
> Well.... It's rather hard to tell. The "user interface" of such
> systems consists of a web-based tool. Yes, it's possible to tweak the
> system to get shell; I haven't played that game yet, and the typical
> owner is unlikely to. One of the vulnerabilities allowed remote admin:
To repeat: Abuse of unmaintained/vulnerable systems without root
compromise is probably a useful discussion -- but it's not the same as
this one.
> Googling 'linksys "root exploit"' doesn't turn up any likely hits in the
> first few pages, so the platform may not have suffered same yet. Still,
> as an inert, widely deployed, household appliance, there's a high risk
> of poorly maintained systems. Blaming the user isn't appropriate here.
To repeat: Abuse of unmaintained/vulnerable systems without root
compromise is probably a useful discussion -- but it's not the same as
this one.
> Thread drift happens. Get used to it.
Feel free to enjoy your different discussion. With someone else.
(Your error seems to lie in assuming I didn't mean what I said. Oh
well.)
> Um. I was attributing yourself and Martin Poole. What did I miss?
Ah, you're right. False alarm on that.