Breaking the Terms and Conditions - Your Views Welcome

[James67]

Quote:

Originally Posted by TSx

James, nice to see that you're famous

I haven't been this chuffed since I got mentioned on the front page of the local newspaper.

[RupertTHEbare]

Quote:

Originally Posted by James67

I haven't been this chuffed since I got mentioned on the front page of the local newspaper.

As well you might for doing the 'right thing' Sir James. Hmmm, that sounds good. Maybe there's even a knighthood in it for you down the line.

What is perhaps more worrying than either the arrogance of the Sky spokesperson or incompetence of the team that dreamed up the router's release configuration, is the whole issue about the security (sic) of WEP per se.

With claims that a 64bit can be broken in minutes, I don't see why any router manufacturer/ISP wouldn't want to see, as standard, a "WPA-PSK [TKIP] + WPA2-PSK [AES]" key set up, say, with an automatic 64bit random key generator button right there on the interface.

Of course that wouldn't make everyone use the security afforded, but it might make the few that do a little safer and certainly Sky wouldn't be open to the charge of crass ignorance and willful neglect of a duty of care, as they are now.

RTB.

[James67]

Yeah, I was unimpressed with Sky's response.

Quote:

We pre-configure all our routers with security settings so that customers' bandwidth is protected from day one.

The whole point is that it is not secure from day one. The only way to make the router less secure would be to disable networking altogether.

I'm in a terrible bind here. It seems like the only way to get Sky to admit that there's a genuine issue would be to publish the details of the algorithm.

If I publish, then it would expose anything up to a million Sky Broadband customers to the risk of being hacked, but it would hopefully be enough to force Sky to take appropriate action to secure their customers' wireless networks.

If I don't publish, then I won't be directly responsible for exposing a million Sky Broadband customer to the risk of being hacked, but Sky will carry on saying that everything's just fine the way they are now, and if someone else works out how to crack the router (if they haven't already), those customers will be vulnerable to being hacked.

The proper outcome of this is that Sky need to recognised the issue and respond to it in an appropriate way.

[James67]

After digging around the Sky website, I eventually found this, and I noticed that an entry in the Sky Broadband FAQ claiming that the router is secure has now been removed. Not exactly a comprehensive response really, and doesn't really match up well with theire comment saying "By default, our routers’ wireless security is “on” - which is not the standard practice from most Broadband providers. We do this because your Broadband security is very important to us."

[RupertTHEbare]

Quote:

Originally Posted by James67

If I publish, then it would expose anything up to a million Sky Broadband customers to the risk of being hacked

Whether you publish or not, YOU will not be responsible for exposing users who are already exposed due to the actions, lack of action or ignorance of others.

What you have to do now is follow (carefully and correctly), what must be in existence by now (a little research needed here), a methodology for informing any manufacturer, developer and the Internet community at large of a security defect or obvious exploit.

It happens every day to Microsoft, so why not Sky?

RTB.

[RupertTHEbare]

Quote:

Originally Posted by James67

"We do this because your Broadband security is very important to us."

ROTFLMFSO.

[Undecided Adrian]

contact news@newscientist.com as these guys will most likely to publish it, and if it does usually the papers and TV will follow suit as they all steal science based NewScientist stories.

[billbhellend]

good work you could get at least a 7 figure salary for exposing that lol