"Linksys (...) devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin (...)"

It reminds me that scary graph where half a dozen companies control almost all the stuff you see on supermarket shelves.
I remember reading nice fairy tales in school about open markets, and fair and diverse competition being paramount to the western economic model...

That fairy tale stopped existing once companies could buy the laws they need to create barriers to entry.

People that don't want to give any money to a cable company and want to give as little money as possible to the AT&T monopoly, and would rather have their money go to a friendly CLEC [sonic.net]. I gave up my 50mbit Comcast cable internet connection for a 14mbit DSL connection because several times a week, packet loss would go through the roof and throughput would slow to a crawl on the Comcast connection, while the DSL provider has been rock solid.

Excuse me, but accepting commands and executing scripts received on an unusual port is not a bug. That is code that is there 100% intentional. In the UK, I'd call it defective; it would be pretty obvious that it was defective as sold, so you can return it to the shop where you bought it for a reasonable time (maybe 2 years).

If you can already infect inside computers, do you really need to hack the router?

To add to the above, I see the WNDR3700 is specifically reported as not being vulnerable to the open port he found on some of the older models. I know for a fact (because I owned one), that the WNDR3700 is one of the models that requires the magic packet to open the telnet port, further leading me to believe he found a poorly documented (but not unknown) feature that should have been much more visible and better protected by default, rather than something more akin to a backdoor (after all, you have to be on the LAN side to use it).

Oh wow. Your inside network doesn't touch the outside network? You don't visit websites? You do not run javascript on your browsers? You personally scan each piece of javascript to make sure it cannot get your IP address (yes it can), your gateway (yes it can) and send packets to your gateway (yes it can)?

Seriously, if you don't know what you're talking about, lurk and learn.

And default username/passwords means that malicious javascript can be very very simple indeed.

Your kind of thinking is why we have so much insecurity on the Internet. Please update and upgrade your skills.

Oh. There's a problem with your market? Sounds like the job for The Invisible Hand! Invisible Hand will fix it!

Sorry, the Invisible Hand is unavailable for comment. It's been bound, gagged (handcuffed?), indefinitely detained and sent to Gitmo for questioning by the State.

The free dictionary:
http://www.thefreedictionary.com/back+door [thefreedictionary.com]

Oxford:
http://www.oxforddictionaries.com/us/definition/american_english/back-door [oxforddictionaries.com]

So obviously it does not matter if it was a "published interface" or even if it was on purpose. It still qualifies as a backdoor. Frankly it does not sound like an accident either so I wouldn't even classify it as a bug. I certainly dont think it is unintended, a mistake, or an error. That means it does not fit your definition.

Note: Bold was added by me, and I did search other online dictionaries, most did not have definition that was technical in nature. Most referred to Back-door deals. Ones I checked were Miriam-Websters, Cambridge, and Oxford. If anyone does find a better definition I welcome being corrected.

Which part of "Made in the USA" did you not understand?

You understand that most of the botnets out there are the result of someone clicking on a link and visiting a site that had malicious code embedded in it (ActiveX/JavaScript)?

While JavaScript might not natively be able to send a hand crafted magic packet, it can *take over your system* - which then allows it to download and install rootkits and other stuff - one of which can doing the magic packet tickling.

You said:

*AND YOU ARE VERY VERY WRONG* I want to say this in the nicest way I can - if you are propagating wrong information, you should be stopped. If you think you are correct, you need to be corrected. If you think this is being a dick, I apologize, but you are still wrong, and you are still spreading bad information. Learn and improve your knowledge. Think things through.

Think about it - the programmers who should know better thought the same as you. And as a result, now millions of routers are vulnerable, and open to being exploited. Every week, we see tons of news about basic infrastructure being insecure. Because no one said "that's a fucking stupid idea, don't do it" because saying that means they're being a dick.

Dear lord, I hate it when neckbeards such as yourself talk about how a full PC running OpenBSD or Linux is somehow the "cheap" option compared to a goddamn $40 home router. You make the entire IT profession seem like a bunch of blithering idiots.

Most civilized people don't have Alphas, SPARCs or even old PCs lying around. They'll end up paying more than $40 to acquire such a system, too.

Since most people have several devices on their home network these days, including wireless devices, they'll again need to buy several cabled network cards and at least one wireless network card. You're looking at $100 or more, depending on the type and number of network cards you need to buy.

Then they'll have to waste time setting up this system. If they don't already have experience with installing and configuring OpenBSD and Linux, they'll waste even more time. Good luck getting the wireless network card working! That can be a real battle under Linux, and absolute hell under OpenBSD, even for experienced sysadmins. Anyone with a real job paying a real salary or billing rate will be out hundreds of dollars.

If they manage to get this far, probably spending several hundred dollars getting the equipment in the first place, and then potentially spending at least a day (but likely far more) setting it up, then they'll have to actually start using it. This involves leaving a full computer running 24/7, likely consuming a large amount of power (especially if it's the outdated workstation or PCs that you're advocating). Electricity is quite expensive in many areas.

Way to go, neckbeard. Your "cheap" option only costs $600 or more, just to do the same job that a $40 home router can do. And that's ignoring the ongoing cost of running the system, which depending on local electricity rates can cost a few hundred dollars more per year. The $40 home router will consume a comparatively insignificant amount of electricity, likely costing less than $10 a year even in areas with extremely high electricity prices.

It's so hard to take you seriously when you advocate spending 10 or 20 times as much on some custom Linux or OpenBSD router than it'd cost to buy a cheap home router.

These back doors may exist in new devices, but any older device is likely to have a back door. If the vendor updates the devices at all, they usually stop doing that shortly after they stop sales of the device. Your perfectly fine WiFi router or DSL box will most likely have vulnerabilities on it that make it just as insecure as these new devices.

I actively check my DSL router and I know my ISP and several security minded customers do the same. Any WiFi router in my home runs a modified Linux distribution like Tomato, openWRT or DD-WRT that is actively maintained. While it's bad that A-brand companies evidently don't do this this the stuff they buy from other vendors, most devices in the field are just as vulnerable as these boxes are, simply because they don't get updates.

Burning vendors for selling insecure devices is good practice to get this problem solved. Burning them for not being responsible for their sale and updating or liberating the devices they sold should be just as normal as burning them for new equipment. You can't expect people to buy a new device every year simply because the vendor refuses responsibility once it's left their factory.

UHHH...You DO know that is still 3-5 times more than an Atom or Bobcat, yes? Or that the amount of useful work per watt is several orders of magnitude higher with the Atom and Bobcat, yes? And that most of the parts that go with that P3 are gonna be horribly inefficient because power usage was just not a concern, right?

I mean if you just hate to throw that old P3 in the dumpster and want to repurpose it, sure I can see that, but you are gonna be wasting more juice over the long run than if you just grabbed one of those $69 Bobcats and stuck it in the same case. And that isn't even taking into account the fact that both the Atom and the Bobcat are dual cores so can do twice as much work per watt and if you were to benchmark that P3 the amount of useful work you are getting when its balls out at 30w would be less than what you get from the Bobcat or Atom at 6w.

Sorry friend but the old stuff? Just wasn't real good when it came to power. you are just lucky its a P3, if it would have been a P4 the only thing it would have been good for is a space heater.