Dear Asus Router User: All Your Cloud Are Belong To Us 148
New submitter Trax3001BBS writes "Ars is running an article about a vulnerability of Asus routers that are becoming very popular at the moment for connecting USB devices to the Internet. From the article: 'An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used ... The guerilla-style hacking disclosure comes eight months after a security researcher publicly disclosed the underlying vulnerability that exposed the hard drives of ... Asus router users. ... According to Lovett, the weakness affects a variety of Asus router models, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Asus reportedly patched the vulnerabilities late last week...' And this old news, come new again: The Asuswrt Merlin ROM took care of this vulnerability months ago (defect #17)."
Open Source is better. (Score:4, Insightful)
Re:Hard drive? (Score:2, Insightful)
Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/
Re:Best way to let someone know something's amiss (Score:5, Insightful)
Which works until you use this method to "advise" the wrong person, who contacts the cops and you end up arrested for computer trespassing. Too often we hear stories about people intending to do good are blamed for the message they bring.
Unfortunately, there doesn't seem to be any "right" way to bring these problems to the attention of the user or the developer since the laws all seem to be unfairly balanced against the whistleblower. There is an automatic assumption that anyone providing the information could only have come upon the data because they were intending to do something malicious.
Having said that, there are many the times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave into that impulse, but boy, sometimes it was quite a struggle.
Re:and this is why smart peiple don't touch window (Score:5, Insightful)
You realize that open FTP servers used to be the norm? You realize that the RFC itself requires PORT to be open so that you can do a bounce attack?
Please don't be an idiot. This stupidity has nothing to do with windows, and is clearly the fault of Asus and not anything OS related.
Re:Best way to let someone know something's amiss (Score:4, Insightful)
Having said that, there are many the times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave into that impulse, but boy, sometimes it was quite a struggle.
There are legitimate reasons for using WEP.
I still use WEP on my home network, because I still have a few devices that simply won't reliably do anything better. I figure that this is largely ok because:
1. Everything I do over the wireless network internally is using encrypted protocols anyway, and I wouldn't be using non-encrypted protocols for transporting sensitive data externally anyway.
2. There are a bunch of my neighbours' completely unsecured APs visible from my house so I figure if someone is interested in cracking a wireless network, they're probably going to go for the easy option and use one of those networks rather than cracking my WEP key.
Whilst I'm of the opinion that if an AP is left completely open, it should be legal to treat it as a public hotspot, I do still think that if you're having to crack some kind of security, however weak, in order to gain access then you need to be arrested and punished because you're clearly stepping over the line. (And yes, cracking someone's WEP key and router password in order to change their SSID counts as stepping over the line).