>>>>> On Mon, 16 Apr 2001 04:14:05 -0700, "Mark (Mookie)" <[EMAIL PROTECTED]> said:
Mark> Weren't these issues actually discovered by Renaud Deraison in November 2000?
Mark> He added code to his Nessus program to check for the problems and didn't
Mark> consider it worth an advisory since the exploit depended on the IP 10.0.0.138
Mark> being spoofable, possible on some ISPs who do VPNs that way but generally
Mark> a lower risk than the full internet range.
He found the null default password, see below.
Mark> You'd think the normal process of informing the manufacturer to provide a
Mark> window to have a patch available would be followed. Instead a few people
Mark> were told, then the press and then CERT, sounds more like a PR stunt to me.
The manufacturer was notified before the French press got hold of the
story, from the French computer underground, while we were writing the
advisory, after I had sent a note to Alcatel.
Mark> The value add tools are useful but the manuafacturer could have offered a
Mark> better fix than binary patching etc. Sounds like too much time was spent on a
Mark> nowhere issue.
Read the redacted text in the Alcatel media release for fun :-)
http://morons.org/articles/1/188
(Thanks to Jericho for pointing this out to me.)
Mark> Mark.
Mark> All your japboy are belong to us.
Aside from the personal attacks, perhaps you should check the facts. I
did.
The nearly-identical post (yours?) on slashdot
(http://slashdot.org/comments.pl?sid=01/04/11/1249209&cid=69) posted
at Wednesday April 11, @09:20AM EST was almost immediately refuted by
Renaud Deraison himself:
http://slashdot.org/comments.pl?sid=01/04/11/1249209&threshold=1&commentsort=0&mode=thread&pid=110#111
posted at Wednesday April 11, @10:40AM EST
I verified this information with Renaud, receiving a reply to my
message at Thu, 12 Apr 2001 00:04:07 +0200. He said he posted the
note on Slashdot, but said it was moderated too low for people to
easily see.
It seems a little strange to be posting this rumor, 4 days after it
was proven false, but I see no reason to question your motives.
--tep
p.s. I *still* *like* the Alcatel Speed Touch Home. It is still
connecting my home network, despite being offered other devices since
the advisory went out.
They just need to fix a few problems. Just like *every* other vendor.
