Today, Slashdot posted a story to the front page regarding a widespread SMC 8014 router/modem vulnerability, allowing access to administrative functions.  I would link to the original blog post, but it seems to be slashdotted. (Edit: no longer. I also indulged myself with a comment on the slashdot story and the blog post, both came late in the game. No, I’m not selling anything nor do I get ad revenue.)  In any case, this is nothing new.  These and similar SMC routers are common in New York and are identifiable in their use of a four digit hex SSID.  Naturally, all APs broadcast their Wifi adapters’ MAC address in the clear, allowing for identification of the manufacturer (barring spoofing).

These SMC routers were ordered in bulk with a custom firmware, with some “features” that were put in place to (presumably) assist in over the phone tech support.  The firmware enables WEP encryption with a preset key on the network and uses Javascript to disable more advanced features, including choosing WPA.  If that wasn’t problematic enough, the WEP key is derivable from the MAC address.  Let me repeat that point as clearly as I can.

The preset WEP key is derivable from the MAC address that is broadcast in the clear.

That last part is trivial, and I’m not going to give out (what I hesitate to call) the algorithm.

But wait, there’s more.  One of the advanced features disabled by the Javascript hack is the ability to change the WEP key.  I was not vulnerable to this (I use a different service with my own hardware), but a friend was -which allowed me to do a bit of work on these routers and their deployment.  We were told (July 2008) by a customer service rep that changing the WEP key was not supported for the end user – even after I asked my friend to claim that she thought someone had her “network password” (which was technically true).

Ironically, the vulnerability mentioned in the Slashdot article is the means to secure the router: by using various techniques (disabling Javascript, Greasemonkey, etc.)  you can restore these functions: changing the mode of encryption, the key, and the administrative values.

SMC is not the only company to have sold these gelded all-in-one routers to bulk telecom customers; nor is Time Warner the only customer to deploy them.  In a private discussion sharing these findings with some westcoasters at Defcon in Aug 2008, I was told there was an L.A. telecom doing exactly the same things – mass deployed routers with predictable keys and a broken firmware that prevented a fix.

Thanks /., I had never read this.  Now I know natural language searches are evil.

A Logic Named Joe

It is a curious effect of copy and paste, of quote and translation.  Today, one can easily find fifteen minutes of fame, in the most literal of senses.  This is not news.

The oddity is that you can find that you were famous months after the fact.

Back in February, when Facebook was considering some controversial TOS changes, I was (apparently) early in joining one of the the Facebook protest groups.  Now admittedly, I did care about the TOS issue: I posted items and used my status message to try and raise awareness.  I made one or two wall posts in said protest group.  Mostly, I wanted to clarify that the TOS wasn’t seizing copyright ownership, but the distribution license had onerous consequences.  I then said that in response, I deleted my uploaded photographs, save a profile picture or two.

Now, mind you, I have no precise idea what I said : after Facebook abandoned the proposed terms, I quit the group.  With many such Facebook groups having been formed, and hundreds of thousands of users joining them, and in turn, generating thousands of posts and threads, my original is sufficiently misplaced.

None of this would be of any interest to me – or to any right thinking individual – but for the curious addendum.  A couple of weeks ago, I googled variants of my name to see where this site was showing up.  Lo and behold, by page three, nearly all the links were in Spanish.  This was of particular curiosity to me, as my Spanish aptitude never progressed beyond some Fs and Ds in high school classes.  (Immersion methods do not work well with me, unfortunately, it took me years to figure this out and learn what does.  Another story for another time.)  Apparently, some tech writer for the EFE news service needed a quote for his piece on the TOS changes – and the user response – and quoted me.  In turn, this article was reposted and quoted by aggregators and blogs across the Latinternet.  This happens, nothing special.  However, since the original quoting was translated into a language I don’t speak or read, I had no idea until May, despite the EFE being the fourth largest news agency in the world.

Now, I cannot be certain why the original author quoted me (and I should point out, that while I don’t recall the precise wording, the translation entirely correlates with  my recollection of what I wrote) but I suspect it is because:

• I wrote with a reserved, educated tone.
• I separated my understanding of the situation from my response.
• I sounded like I knew what I was talking about.
• I am from New York.

To invoke a bit of Cialdini, the first two strike me as social liking through identification.  The first point results in a tone similar to modern journalism, and not only garners the sympathy of a writer accustomed to the style, but in using a similar style, it fits smoothly into a newspaper piece.  Similarly, the second is akin to an editorial response or, more liberally, the conclusions of a reporter.

Coupled with the a writing style, (I’m glad the reporter kept the “permissive and perpetual” bit in Spanish – I liked it enough to remember) simply sounding like I had read the new TOS and was capable of calmly correcting others probably secured me a air of authority.  Finally simply being from New York (my primary Facebook network), which the reporter did specify in the quote attribution, is both identifiable and desirable from a global perspective.  This is certainly liking and authority at play – a well spoken, informed, urbane “expert” from an international city says… – but also maintains a smooth flow for the reader who already has some idea where New York is, as opposed to stopping to wonder what or where Buffalo is.

Still, this story is just a an anecdote, a curiosity of a google search, and the subsequent analysis somewhat facile and obvious.  The lesson is not:  if you choose to write with a certain style, you will “speak” louder than others in a written medium.  Make sure that you want those words repeated: if you write well-formed drivel or masterful and erroneous prose, you may find the echo much louder than expected and the ringing criticism deafening.

This is the burden of educated speech, whether educated in fact or in tone: if you write with care, have a care with what you write.

Ok, every Jewish kid has heard the story of some high school couple who manage to “accidentally” do the nissuin thing and end up needing a get.  Maybe it’s happened before (and maybe it will happen again*), maybe not.  But now, in this Brave New Intarweb, you can point to a Google search to show that it has:

14-year-old girl becomes Israel’s youngest-ever divorcee – Haaretz

I picked the Haaretz coverage because it covered the best detail – not the consummation of the marriage – but the 10,000 NIS payoff by the groom’s family to get the girl to go away.

* Good bye, BSG.  You were the show I would have made.

For fuck’s sake, it’s bad enough you wreck the KJV, but seriously?
I mean, Jews go through the bother of making these wonderful texts, some nice goyim translate them reasonably well, and then the evil goyishe masses have to ruin them.

Well maybe Prussian Blue can put it in song form. Oh, wait…

a list too long-
but I remember now to include mania

too soon will I remember its cost,
a forgotten malaise

and the her, unhad.

Despite my problems with Wikipedia and the “wisdom of the masses,” xkcd is entirely correct that List of problems solved by MacGyver is a wonderful article.

(If you don’t know what I am talking about, even after following the link, allow your mouse to hover over the comic image to display the alt text. As of FF3, the text is no longer truncated. Yay. Now go back and re-read all of xkcd.)

I know I hardly post any more, but this was too cool to forget.

Wow. I never thought I’d blog one of these, but this is a really great Slashdot post.

The one button mouse is Intelligent Design.
The multi button mouse is Evolution.

Which do you prefer?