I fear this thread is in danger of falling into a debate of opinions ... and I may be guilty of fueling some of it

puterboy:
I appreciate your concerns, they are quite valid and should be eventually addressed in a f/w release by D-Link engineering - and QA tested prior to distribution. That said, I don't feel that they are critical enough to warrant D-Link engineering to rush out a f/w release for the sake of addressing these issues immediately as the tone of your posts seems to suggest.
Most folks that purchase the DNS series device, for the most part, do not even bother to update the f/w to the latest version posted on the D-Link support site. Most folks take the unit home, plug it in, and start using it until a problem occurs that necessitates a support call to D-Link. Every unit I've purchased to date ships with the original f/w.
I also had a look on the box regarding the sales/marketing quote you noted ... have a look at the (*) text that's on the end of the box

SilentException:
You made mention of the 'fun_plug' in one of your posts. I assume that you have validated the vulnerabilities on a non-"fun_plugged" DNS device to ensure that the issues were indeed reproducible. I also assume you documented how to reproduce the issues and forwarded the information to D-Link engineering so as to have these exposures addressed.
If not, I would encourage you to send those off to D-Link as soon as you can so that they can review the exposures, address the coding deficiencies, and provide the steps-to-reproduce to their validation group for QA purposes.

fordem/D-Link Multimedia:
I completely agree with your viewpoint; this is a consumer device and not an enterprise device. Yes, the vulnerabilities need to be addressed but not at the cost of quality assurance. The last thing D-Link would need is to release a f/w that effectively *bricks* a device or worse yet, makes the filesystem unreadable resulting in complete loss of data - I would not want to be the support desk person if that happened.
Additionally, as you have both pointed out - and rightly so - security is both physical & virtual. The physical security in most homes is poor at best and anyone that enters the perimeter of the home has pretty much unrestricted access.
As for virtual security, which is really what we are posting about here, it's less obvious. Again as you both indicated, most users would not place their DNS device on the Internet ... it's just not best practice for those who can and definitely not something the remaining users would do - they simply wouldn't know how.
In summary, yes; the issues posted here should eventually be addressed - it makes good sense to do so. However, those who think that will resolve everything should:
1) Read up on TCP/IP and encryption of wire traffic - ex: wiretapping, wiresharking, airsniffing
2) Take time to fully understand how to secure confidential data - ex: passwords for backups
Cheers,