Open FTP by default in some of Asus routers

Generic discussions with the emphasis on technology
Post Reply
User avatar
gR!ns
Posts: 500
her blog
Joined: 10 Mar 2012, 09:28
Location: 2nd reality

Open FTP by default in some of Asus routers

Post by gR!ns »

As the article writer mentioned and I agree with him that this is not vulnerability. What it shows is that how important it is always check the options with care when installing or starting to use new hardware/software. It's not best choice from the manufacturer to put too slack options by default. Especially on the cost of the security, because there are always people which these things aren't obvious.
http://thehackernews.com/2014/01/asus-w ... rage.html#
gaoesa
Site Admin
Posts: 1520
Joined: 05 Apr 2010, 15:02
Location: Finland
Contact:

Re: Open FTP by default in some of Asus routers

Post by gaoesa »

That article didn't include enough information to decide one or the other. It is vulnerability if applying non default configuration that would prevent this, is trickier then what the large majority of the users would be able to do intuitively. In other words, when enabling, does the configuration tool ask and warn about this or does it even make it apparent that it is exposed. For me, such a storage would intuitively be exposed only to the internal network unless explicitly enabled to the outside.

PS.
If it would be viable to blame users for every piece of bad software, there wouldn't be bad software at all. Everything could be replaced by self made programs if users just wouldn't be too dumb for it. [smilie=to_pick_ones_nose_eat.gif]
He hoped and prayed that there wasn't an afterlife. Then he realized there was a contradiction involved here and merely hoped that there wasn't an afterlife.
- Douglas Adams

silEnT development
http://mygamingtalk.com/
User avatar
TheSilencerPL
Posts: 386
Joined: 11 Apr 2010, 00:26
Location: Krakow,, Poland
Contact:

Re: Open FTP by default in some of Asus routers

Post by TheSilencerPL »

As for me, the default settings should be secure. User should be able to make a deliberate decision upon switching it on/off. Conclusion: the way it currently is is a vulnerability.
Image
"The world is moving so fast these days that the man who says it can't be done is generally interrupted by someone doing it."
-- E. Hubbard
User avatar
gR!ns
Posts: 500
Joined: 10 Mar 2012, 09:28
Location: 2nd reality

Re: Open FTP by default in some of Asus routers

Post by gR!ns »

Yes of cource it depends how the network is made. If the router is behind ADSL/Cable modem, then it should be exposed only for internal network if it's not configured from the edge device to be accessible via internet.

It would be worse if this kind of option would be on by default on the edge device. I actually didn't check those models, if there are modems included on that list.

I think that in this case it can be vulnerability or not. Depends how you define vulnerability.

When majority of the users would like to have things working like a charm without putting too much effort for it, the manufacturer have to make right choices that which options are automatically on and which should be off. Of cource there are also different needs from different users aswell. So it might not be easy task.

But also, I would like to whip users too. Modern times the security is more and more important and my opinion is that people should wake up and educate themselves a bit. After all, even you would have closed environment and how protected, the greatest security risk is the user itself.

I'm not saying that I would be the most aware about the security things, but I do my best :)
gaoesa
Site Admin
Posts: 1520
Joined: 05 Apr 2010, 15:02
Location: Finland
Contact:

Re: Open FTP by default in some of Asus routers

Post by gaoesa »

When majority of the users would like to have things working like a charm without putting too much effort for it, the manufacturer have to make right choices that which options are automatically on and which should be off. Of cource there are also different needs from different users aswell. So it might not be easy task.
This all in general sense. Users want programs and solutions that enable them to do what they actually want to do. Rather then reading manuals and trying to figure if there is a way to use the program/hardware for something usefull. Computers and programs should be seen as tools rather then having the purpose of just existing. Obviously, less common actions can't be made automatic and users may need to invest some time to learn those tasks or related background. The less time users have to spend figuring out stuff, the more powerfull they become with the products and their real intended use.
It would be worse if this kind of option would be on by default on the edge device. I actually didn't check those models, if there are modems included on that list.
It's a router. I don't see any reason to think it would be "correctly" installed behind a hardware firewall.
But also, I would like to whip users too. Modern times the security is more and more important and my opinion is that people should wake up and educate themselves a bit. After all, even you would have closed environment and how protected, the greatest security risk is the user itself.
I agree. Users should demand for better security from the vendors and take a close look at which vendors are good at it. If people don't care, there is no reason for companies to care about it either. That is about all the education a normal user should be required to do. I can hardly imagine people without specific backgrounds discussing about ARP poisoning or other technical security related topics.
He hoped and prayed that there wasn't an afterlife. Then he realized there was a contradiction involved here and merely hoped that there wasn't an afterlife.
- Douglas Adams

silEnT development
http://mygamingtalk.com/
Post Reply