North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Broadband routers and botnets - being proactive

  • From: Sean Donelan
  • Date: Sun May 13 14:08:48 2007


On Sun, 13 May 2007, Florian Weimer wrote:
Fortunately, there is a simple solution to this kind of problem: ISPs
are very likely liable if they fail to alert customers about security
problems, and do not provide updates in a timely manner.  After a few
painful incidents, the ISPs will learn, and either ship better
software (unlikely) or implement some kind of patch management.  With
a bit of luck, the latter does not just shift back liability back to
the customer, but also helps to parly solve the problem (in the sense
that CPE attacks are less attractive).

It won't solve the problem. ISPs will simply stop distributing CPE, and
tell customers to buy CPE from their nearest electronics store (Best Buy, Radio Shack, or the equivilent in other countries). If you thought it
was hard getting ISPs to patch CPE, try getting electronics stores to
patch the CPE. Look at the ancient bugs in D-Link, Linksys, Netgear boxes
that consumers haven't figured out how to patch for years.


You really need to identify the sources and fix it there.