Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 10 Jan 2018 13:13:43 +0000
From:      Dave B <g8kbvdave@googlemail.com>
To:        Daniel Feenberg <feenberg@nber.org>
Cc:        Ed Maste <emaste@freebsd.org>, freebsd-questions@freebsd.org
Subject:   =?UTF-8?Q?Re:_32_bit_fix=3f_=28Was_Re:_Meltdown_=e2=80=93_Spectre?= =?UTF-8?Q?=29?=
Message-ID:  <ec0be3da-7bed-9604-c9d3-1c6ea9fc7ecb@googlemail.com>
In-Reply-To: <alpine.LRH.2.21.1801100728550.7115@sas1.nber.org>
References:  <mailman.94.1515499202.64522.freebsd-questions@freebsd.org> <2e86bfd9-9141-2872-1946-0e9d26326433@googlemail.com> <CAPyFy2Ce+=tZpDMo6kUdpYXAw-=8CRYUFNtinUeGe-Lnp=tYsA@mail.gmail.com> <6523f352-c895-e488-8006-76495907745a@googlemail.com> <alpine.LRH.2.21.1801100728550.7115@sas1.nber.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi.

Many of those appliances are marketed as being able to make your files
available to you, even when you're not at home.  (Music, photos etc.) 
They come with crude mobile app's (among other things, to monetize the
user) and the security/authentication varies from so so, to nil.  
(Guess what most users opt for, because "it's difficult" to do it
securely.)   Remember, we're talking about Joe Public, not a sysadmin!

That, and they either punch holes in the router using UPnP, or people (I
know one) place them in a DMZ, again, because it's easy, and "it just
works."   What else is then exposed, who knows?

The rest as they say, one day will be history.   Using Shodan, it is not
difficult to find admin login pages on the public internet, for all
sorts of bits of equipment and other gadgetry.

Take care.

Dave B


On 10/01/18 12:37, Daniel Feenberg wrote:
>
>
> On Wed, 10 Jan 2018, Dave B via freebsd-questions wrote:
>
>> Hi Ed.
>>
>> Understood.   There's "a lot" of FreeBSD based kit out there, running on
>> 32 bit hardware.  A lot of NAS's for one.   (I don’t suppose any of
>> those commercial "appliances" will ever be updated though.)
>>
>
> Are NAS's a worry? Wouldn't the typical NAS login have root already?
> Why would anyone other than the system admin have a login on the NAS
> box at all? If the NAS isn't used as a web browser or MUA, how would
> the malware get to be run by an unprivileged user?
>
> I understand that the vulnerability can be demonstrated in Javascript,
> but this would be an attack on the client running with the privileges
> of the web browser. That isn't something that would happen on the
> typical system services appliance such as a NAS box, switch, or router.
>
> daniel feenberg
> NBER




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?ec0be3da-7bed-9604-c9d3-1c6ea9fc7ecb>