You'd need to exploit the browser in such a way that you can POST to the modem with a custom user agent set, that'd be a pretty serious exploit, and I'd be more worried about that. You could then use the modem to try and trick around with DNS to get on other machines, but it'd be hard to do transparently. It would all have to be pretty well tailored.

Anyway I'm not saying this isn't a security hole that needs to be fixed, but that the idea that this shows the need for increased regulation is nonsense.

How about this one from a month ago?

You can also compare Apple's 2095 vulnerabilities for 97 products to D-Link's 43 vulnerabilities for 40 products.

I'd be more worried about your level of reading comprehension being recorded for posterity.. "If you have a serious amount of money riding on your $100 modem/router/wifi being secure from within your own network then no amount of legislation is going to help you."

• This bug is only exploitable if you enable WAN administration
• All internet traffic involving money / confidential data should be (and pretty much always is) encrypted
• If you are sending important unencrypted data over the wire you can just listen to the wire
• Do you really want to pay for the routers you buy to go through a bureaucratic process to establish whether the software (including third party software) has been thoroughly tested? Should that include the component parts like the processors, thttpd, linux? What would that legislation look like? How would it be enforced for overseas companies?

You'd probably get equally indignant if such legislation actually passed based on your knee-jerk reaction and US router prices shot up. ("But what about the starving family with only $100 budgeted for their router?")

Yup Apple's wifi kit would never allow unfiltered IPv6 traffic into your internal network by default, or expose filenames of attached disk drives to unauthenticated users.

You should definitely be feeling pretty smug.

And even if they could access his router you would hope confidential business info would be encrypted anyway.. If he was transmitting commercially valuable info unencrypted via his modem and his competitors resorted to spying they could just listen in on the cable leaving the building.

From d-link.com executive team page: "Born in 1952, Roger Kao graduated from Tamkang University with a degree in Electrical Engineering. He went on to earn his Master’s Degree in Electrical Engineering and Computer Science from National Chiao Tung University where he also served as an Associate Professor."

Really though if you don't know whether third party software embedded in a few of your huge range of products contains a hidden backdoor when a rarely used feature is activated what kind of CEO are you?

Oh yeah, hell hath no fury like a D-Link customer scorned; when they find out their cheap disposable routers have a flaw in them they'll need to send in the army.

Yes government should get involved in the design of routers, and write laws about software code vetting. After all the huge extra costs would be absorbed by the shareholders, not us.

If you have a serious amount of money riding on your $100 modem/router/wifi being secure from within your own network then no amount of legislation is going to help you.

Great point. You win.

Then again since anyone can be a tor node, and there are never enough tor nodes, and tor nodes are more likely to be used for shady activity, it just takes a decent percentage of tor nodes to be compromised and you can pretty quickly build a picture of who common clients are and who they are talking to. For a server it can't be too difficult, with government resources, to track someone down through tor nodes. I'd say with a decent sized botnet and enough time you'd be able to chip away at anonymity without much difficulty.

They probably just descramble the firewall....

I'd say it's a big sign of a certain OSS developer's immaturity.

I really hope people aren't taking that comment literally by the way..

Catching the people who injured 170 people and killed 3 in a terrorist attack.

I meant affected in a non-trivial way. My life has been "affected" by reading about it, and someone who was advised to stay indoors while they caught the suspects was "affected", but to say your life has been affected by it in a way that can be counted against someone who had a leg blown off is an insult.

Civil panic being "Please stay indoors while we finish chasing down the other person who did this to your loved ones" ? I guess in that situation you would probably have places you need to be though, and who cares if having everyone moving around while an armed chase plays out makes casualties/hostage taking/escape more likely?