I trust that Craig isn't hoping to be receiving many Christmas cards this year from either Cisco or their customers. While I can fully appreciate the rationale behind this action, releasing this code (assuming it works) would be utterly irresponsible because it effectively guarantees that hacks may occur in the wild rather than they potentially will.
@Kelmon Sadly, sometimes you can warn people and warn them and they do nothing, so making it public is the only way.
Of course this exploit may already be in use by proper criminals so a bit of publicity might help close this door to them.
@LordBrian
Disagree. If Cisco hasn't fixed the problem despite warnings, there is no guarantee that this action will actually force them to fix it, plus you are then reliant upon them managing to get every impacted product in circulation updated. All this does is greatly increase the risk of a successful attack to customers and I fail to see how this can be a "good thing". As I said, I understand the rationale behind this but I do think this practice is fundamentally flawed, plus it sounds like a publicity stunt to boot.
Sorry, but I think this action is wrong. Security researchers are a fairly dubious bunch at the best of times (how many of them are ex-hackers?) and this one is definitely stepping beyond what is acceptable. It's almost hacking by proxy.
@Kelmon The exploit has been public for a couple years now. Cisco still hasn't done anything about it. Doing it this way is a guarantee that every news group will have a blurb about it. Kinda like the iPhone SMS exploit last year.
@barry99705
Define "has been public for a couple years now". Are there exploits for this in the wild today that are actively being used to hack into people's Cisco routers?
@Kelmon
Top hit when googling "dns rebinding" gets you http://crypto.stanford.edu/dns/; the timeline indicates vendors were notified 3 years ago.
@RM
OK, at the risk of sounding like a complete idiot, if this exploit has been in the public domain for the past 3 years, what's Craig going to be releasing at this event that isn't already known? Or is this an attempt to bring the spotlight back onto the fact that the flaw has not been fixed yet?
@Kelmon
I have no idea. Until now I had not even heard of this exploit, so perhaps bring the spotlight back on it?