Geekzone: technology news, blogs, forums


4649 posts

Uber Geek
+1 received by user: 470

Trusted

  Reply # 1202055 22-Dec-2014 14:05

cbrpilot: NZtechfreak Not trying to sound defensive, but I would suggest that you raise a complaint via a formal channel (i.e. not Geekzone) if you feel that we have failed to live up to our obligations in regards to privacy and security of your information.  That way the issue can be formally looked into in an appropriate setting.



That's already done, thanks. I've never felt that encouraging people to complain was defensive, in fact encouraging people who are upset with the treatment they've received is generally good practice.




Twitter: @nztechfreak
Blogs: HeadphoNZ.org


752 posts

Ultimate Geek
+1 received by user: 33


  Reply # 1202177 22-Dec-2014 16:17

lxsw20: I think they may be able to access their own routers via the WAN interface.


Can we have some official clarification on this one please?

Meow
7620 posts

Uber Geek
+1 received by user: 3703

Moderator
Trusted
Lifetime subscriber

  Reply # 1202213 22-Dec-2014 16:59
5 people support this post

Maybe the daughter asked how to reset the password and they said "by the reset button at the back" - she didn't ask for any account details or anything but this is a flaw with most routers. Technically Spark did nothing wrong as this information is also freely available on the internet.

Since Spark use line auth the modem will work "as-is" but to better protect it you're best to fill the reset hole with hot glue and change the passwords on it. If the password resets back then you know Spark have sent the reset command to the modem but I highly doubt they will do that.

The amount of times I've seen parents blame their ISPs for things like this is ridiculous - the child will hardly ever own up to how they did it.




4956 posts

Uber Geek
+1 received by user: 1318

Trusted
Microsoft

  Reply # 1202215 22-Dec-2014 17:02
One person supports this post

One of the 10 immutable laws of computer security is physical security as pointed out

4433 posts

Uber Geek
+1 received by user: 834

Trusted
Lifetime subscriber

  Reply # 1202217 22-Dec-2014 17:06

The only way to 'secure' the router is to physically put it in a steel cage with multiple padlocks.

If you can reset it, then you can access it readily by using the manuals available online.





Mad Scientist
18703 posts

Uber Geek
+1 received by user: 2381

Trusted
Lifetime subscriber

  Reply # 1202229 22-Dec-2014 17:17

NZtechfreak:
joker97: Don't blame Spark completely. Teens are the least secure bit. If Spark didn't tell her she could have figured it out herself.


See above post, she's left high school to move to Oz in the hopes of getting a part in The GC 2. I'm serious. Of course Telecom isn't completely to blame here, but if they held up their end they'd at least have made the outcome rest on her intellect.


Maybe she flirted and then lied convincingly? Or evaded questions pretending to be a demented woman? Just putting it out there you know. People are different than you and me

125 posts

Master Geek
+1 received by user: 32

Lifetime subscriber

  Reply # 1202232 22-Dec-2014 17:23

fahrenheit:
lxsw20: I think they may be able to access their own routers via the WAN interface.


Can we have some official clarification on this one please?


http://en.wikipedia.org/wiki/TR-069

21296 posts

Uber Geek
+1 received by user: 4297

Trusted
Subscriber

  Reply # 1202270 22-Dec-2014 18:17
5 people support this post

If someone called and asked how to reset a password on a certain type of Spark supplied modem I would not expect any ID checks to be done as they are not asking about information on the account.

That Spark have a record of the call is troubling, as that means they asked for some details and should have assessed who was asking that information.

We only have one side of the story, we will probably only ever have one side of the story as Spark have to honor privacy terms even when the other side of the story is able to put all the misinformation and conclusions they have jumped to out on the internet for all to read.




Richard rich.ms

4956 posts

Uber Geek
+1 received by user: 1318

Trusted
Microsoft

  Reply # 1202273 22-Dec-2014 18:23
One person supports this post

Cool story bro

There are seldom technical solutions to people problems

4025 posts

Uber Geek
+1 received by user: 1076

Trusted

  Reply # 1202301 22-Dec-2014 18:59

MrTomato:
fahrenheit:
lxsw20: I think they may be able to access their own routers via the WAN interface.


Can we have some official clarification on this one please?


http://en.wikipedia.org/wiki/TR-069

 

Once you've read that, look up the defcon talks on it, it's good fun! :D



4649 posts

Uber Geek
+1 received by user: 470

Trusted

  Reply # 1202328 22-Dec-2014 20:59
One person supports this post

richms: If someone called and asked how to reset a password on a certain type of Spark supplied modem I would not expect any ID checks to be done as they are not asking about information on the account.

That Spark have a record of the call is troubling, as that means they asked for some details and should have assessed who was asking that information.

We only have one side of the story, we will probably only ever have one side of the story as Spark have to honor privacy terms even when the other side of the story is able to put all the misinformation and conclusions they have jumped to out on the internet for all to read.


Not sure how much of the call detail was noted down, the person I spoke to said that the log only said that the person who called requested a password change and it was done. I don't think you can make any case that they shouldn't have assessed whether the person on the line was entitled to make that request, given the nature of the request.

The fact that the modem wasn't physically secured here is a distraction, that doesn't make what happened acceptable - it's akin to saying 'well what was she doing out that late at night, and wearing those clothes?'.




Twitter: @nztechfreak
Blogs: HeadphoNZ.org


1494 posts

Uber Geek
+1 received by user: 559


  Reply # 1202376 22-Dec-2014 23:57

How hard is it to stick a pin in a hole and hold it for 15 seconds?

As pointed out, if the adversary has physical access, consider that device pwned.

6434 posts

Uber Geek
+1 received by user: 1571


  Reply # 1202378 23-Dec-2014 00:08

NZtechfreak:
richms: If someone called and asked how to reset a password on a certain type of Spark supplied modem I would not expect any ID checks to be done as they are not asking about information on the account.

That Spark have a record of the call is troubling, as that means they asked for some details and should have assessed who was asking that information.

We only have one side of the story, we will probably only ever have one side of the story as Spark have to honor privacy terms even when the other side of the story is able to put all the misinformation and conclusions they have jumped to out on the internet for all to read.


Not sure how much of the call detail was noted down, the person I spoke to said that the log only said that the person who called requested a password change and it was done. I don't think you can make any case that they shouldn't have assessed whether the person on the line was entitled to make that request, given the nature of the request.

The fact that the modem wasn't physically secured here is a distraction, that doesn't make what happened acceptable - it's akin to saying 'well what was she doing out that late at night, and wearing those clothes?'.


You don't need to prove ID to give instructions on how to reset a modem, since there is no info given away that could be considered private. There is no privacy breach here imho.



4649 posts

Uber Geek
+1 received by user: 470

Trusted

  Reply # 1202386 23-Dec-2014 00:57
One person supports this post

NonprayingMantis: You don't need to prove ID to give instructions on how to reset a modem, since there is no info given away that could be considered private. There is no privacy breach here imho.


That wasn't what was asked for though, even according to Telecom's logs of the call - the request was for a password change. That isn't quite the same as asking how to reset the modem, I would think that a request of the kind that was made would warrant checks. It's not a privacy breach here, it is a network breach facilitated by the ISP, who failed in their duty to credential a caller adequately.




Twitter: @nztechfreak
Blogs: HeadphoNZ.org


122 posts

Master Geek
+1 received by user: 59


  Reply # 1202388 23-Dec-2014 01:20

Sort of on topic...

One of the first things I did when I got my new shiny Orcon modem was to change the SSID, change the default Admin name and password, and turn off WAN access.
So when I shifted and they tried to access it they said they couldn't access it to check some things to help an issue I was having.

It turned out to be an account name - would have been easily solved had the help desk techs actually said what they were looking for and saved me three days of frustration!!!
Could they simply look at the logs and see the same user trying to log in and see the denied access login?

So they wanted remote access to my internal network, I said no. Simple enough.

Anyhow it got sorted.

As for the security of the router - Definitely turn off the WAN access of your own router and change all the passwords (don't forget them. :-)
I have my router in the ceiling (it's fairly easy for me to get access to it, not for the kids though...)
