I'm feeling paranoid - with good reason.

Nigel Henry cave.dnb at tiscali.fr
Sat Feb 4 18:03:39 GMT 2006


On Saturday 04 February 2006 15:44, Basil Fowler wrote:
> Following the hint in John's message below, I checked my replacement
> SpeedTouch 510 modem with ShieldsUP at grc.com.  All my ports were closed,
> but pings were acknowledged.  This was not the case with the old 530 modem,
> which gave all clear.

Hi Basil. I had the same when I installed my Smoothwall Express2. All ports 
were closed, but I had to manually select either dropping or rejecting ICMP 
packets. Also there is the option to enable SYN cookies, which if I read it 
correctly helps to prevent you being flooded with connection requests. I also 
gave John another address for a web based portscan of your firewall: 
http://www.auditmypc.com. Also good, perhaps, to get a second opinion. There 
are more sites, and I found them at Linuxquestions.org in the security forum, 
in the thread labelled "Sticky: Security references". I think it's about 3 
posts down in it, and it has about 10 sites on the list. 
>
> I went into the command line interface to read the rules.  There was a rule
> that stated "accept icmp echo-request".  This I changed to "drop".  The
> modem is now fully stealthed.
>
> BUT it had a backdoor.  The suppliers
>
> DSL Shop
> Net Lynk Limited
> Roman Park, Roman Way,
> Coleshill, Birmingham, B46 1HG
> England.
>
> had placed a rule in the modem firewall that it was to accept any incoming
> packets from 217.196.1.140.  This I traced back via reverse DNS lookup to
> the firm that supplied the modem.

My Smoothwall sends back data to the Smoothwall folks. Not config stuff, but 
for the continued development of the project, and they notify you of 
available updates, which show up on the web based interface. But at least 
they make you aware of this when you install it. What you're saying here is 
similar to the Sony/DRM/Rootkit fiasco. You have been "sold" a piece of 
hardware, but in effect have been given the hardware free of charge, and 
instead, without knowing it, have been sold a licence to use it, but with the 
manufacturer retaining all rights, by means of a backdoor (which they 
conveniently don't even tell you about), to mess with this "licensed" 
hardware in any way that they like. Perhaps I'm just droning on, but it does 
sound a bit sickening, that you sort of can't trust anyone these days.
>
> I shall apprise the firm later that I have discovered the backdoor and
> have placed the fact on record.  Perhaps other readers could spread the
> word to other more appropriate lists.
>
> As far as I know, no attempt has been made by dslshop to contact my
> computer. There is no trace in the logs from the secondary firewall.
>
> Thanks for the hint John!
>
> Basil Fowler

If this discussion continues, perhaps we should move it to a security forum, 
as it's seriously off any KDE topics, and I can't quite remember how it got 
here in the first place. How do you start a new thread on a new forum/mailing 
list, when nobody knows what came first?  Nigel.

ps: Is there a Linux mailing list for security issues?
>
> On Thursday 02 Feb 2006 19:06, John wrote:
> > I know this is OT, but.
> > I strongly urge anybody that uses any sort of modem router to visit
> > Shields Up at grc.com and see if their ports 254 and 255 are open. A
> > search on the web will show that there is a problem on lots of them in
> > this area. It seems that most of them carried on shipping like that
> > for a long time so it's probably a chipset problem. The Zoom modem uses a
> > Texas Instruments chipset. Any sort of firewall is useless as the unit
> > itself is at risk - mine definitely had its firmware and/or settings
> > reprogrammed. Zoom also admitted that the firmware update does not
> > prevent the open port. My current router does have a capability for
> > remote admin but it can be turned off. (I hope) I ditched a Sagem ADSL
> > unit some time ago (years) as it was open to the same problem. They made
> > them like that so that ISPs can tweak them for their users etc.
> > regards
> > John
>
> ___________________________________________________
> This message is from the kde mailing list.
> Account management:  https://mail.kde.org/mailman/listinfo/kde.
> Archives: http://lists.kde.org/.
> More info: http://www.kde.org/faq.html.