Today, Slashdot posted a story to the front page regarding a widespread SMC 8014 router/modem vulnerability, allowing access to administrative functions. I would link to the original blog post, but it seems to be slashdotted. (Edit: no longer. I also indulged myself with a comment on the slashdot story and the blog post, both came late in the game. No, I’m not selling anything nor do I get ad revenue.) In any case, this is nothing new. These and similar SMC routers are common in New York and are identifiable in their use of a four digit hex SSID. Naturally, all APs broadcast their Wifi adapters’ MAC address in the clear, allowing for identification of the manufacturer (barring spoofing).

These SMC routers were ordered in bulk with a custom firmware, with some “features” that were put in place to (presumably) assist in over the phone tech support. The firmware enables WEP encryption with a preset key on the network and uses Javascript to disable more advanced features, including choosing WPA. If that wasn’t problematic enough, the WEP key is derivable from the MAC address. Let me repeat that point as clearly as I can.

The preset WEP key is derivable from the MAC address that is broadcast in the clear.

That last part is trivial, and I’m not going to give out (what I hesitate to call) the algorithm.

But wait, there’s more. One of the advanced features disabled by the Javascript hack is the ability to change the WEP key. I was not vulnerable to this (I use a different service with my own hardware), but a friend was -which allowed me to do a bit of work on these routers and their deployment. We were told (July 2008) by a customer service rep that changing the WEP key was not supported for the end user – even after I asked my friend to claim that she thought someone had her “network password” (which was technically true).

Ironically, the vulnerability mentioned in the Slashdot article is the means to secure the router: by using various techniques (disabling Javascript, Greasemonkey, etc.) you can restore these functions: changing the mode of encryption, the key, and the administrative values.

SMC is not the only company to have sold these gelded all-in-one routers to bulk telecom customers; nor is Time Warner the only customer to deploy them. In a private discussion sharing these findings with some westcoasters at Defcon in Aug 2008, I was told there was an L.A. telecom doing exactly the same things – mass deployed routers with predictable keys and a broken firmware that prevented a fix.

When a Math/Compsci Professor comes to your apartment, peeks his head around a corner and exclaims

- with sarcasm, suprise, and a hint of disgust -

“Oh look. Another computer.”

The UAL story – as a parable – is too good to be true. (As fact, it seems patently unfair to UAL.)

As a cautionary tale, it got even better – expanding on the chaotic complexity of interacting state machines:

Single Web Hit Led to UAL Glitch, Tribune Says – WSJ.com

How did I miss this?!!? Miami is ASSUR!!

…because the page is fairly ugly, poorly categorized (tabs… controls… stupidity? These are not like things) and dated navigation tools.  Still, not nearly as bad as the examples contained in the Interface Hall of Shame – Controls.   Perhaps the irony is intentional?

But I can’t, nor can I be bothered to figure out how to do so. Let me point out one simple fact… If that character defines the set of people who find you acceptable, likable – or rather, you believe this to be so – you carry the small, small soul of a politician, and must deal with the simple fact that I am the backwards E that is bringing your shit down.

Moreover, if you did not understand the above paragraph, nor did you engage in the five minutes of consultation with Google or Wikipedia, or lord forgive us, a book, that might cure you of ignorance – ignorance not being a crime, sin, or disease, but the total inability to remedy it being all three – if you did not understand, than you are simply the type that I care to offend, the burden on goodness which allows me to say, “Well Lord, I am not much, but at least I am not that.”

More on this later.

For now, a mere thought that has been bothering me. Many people write. Some even have some skill. A select few are truly good. Whether I belong to the ultimate or penultimate class, I care enough to edit, to read aloud, to avoid reuse – you know, the basic artisanry of writing. So why is it, that the bulk of personal writing that even I am willing to put out into the world, is the horrid, horrid, shit that fills many a tower of blog? Yes, I apologize – this blog’s content is tepid, the prose unedited – and not in a good (i.e. avoid the NC-17) way. Isn’t it odd that I am not unique in that; of all the things we commit to paper or Word format or HTML, why is it that we choose the least of it to disseminate to the world?

That the answer is clear makes it no less disheartening.

A last point: some TV shows are really good enough to make me consider going outside, buying a pack of smokes, and relighting the habit. Californication seems to be one of those shows – I can’t remember laughing so hard, naturally. It deserves some time and a chance.