The question isn't IF routers have security vulnerabilities, but whether Gadi has an example he can demonstrate now of installing a root kit on an IOS router NOW or not.
That's not really the question. In fact, there are two questions. First, are routers really embedded devices running a software operating system? Secondly, who can you trust in regards to the security of your routers? On the first question, I don't think anyone will argue that routers are not capable of being compromised by software. Some may argue that compromising the software from the public Internet is virtually impossible and statistically unlikely, but most organizations now realize that hard shell security is a fantasy. The real danger is an insider who has enable on the router and who takes money to install a trojan, or the reseller who sells you a router with trojans already installed. Let's face it, if the NSA now believes there is a serious risk of counterfeit hardware that has been modified to contain hardware trojans, then the much easier to achieve software trojans should be a greater risk, and therefore worthy of attention. But the second question is the more interesting one in the context of NANOG. Can we trust Gadi? Can we trust the people who pop up and try to smear Gadi in some way? I haven't a clear answer here except to say that Gadi is a well-known person whose biases and possible motives (consultancy work) are well known. The same thing could be said about Cisco or Microsoft, and this may make Gadi (or Cisco) more trustable about some things and less trustable about others. But everybody on this list deals with certainties like this every day. It's the people who pop up and smear Gadi that I really wonder about. There seems to be no good reason for this, unless possibly they are blackhats of some sort. I remember a few years ago when William Leibzon posted about his work which eventually became completewhois.com and several blackhats popped up and tried to smear him.
So when people attack Gadi or anyone else with no substantive facts to justify those attacks, I always assume that they are part of the criminal gangs who drive network abuse in the 21st century. Of course they may just be harmless fools who think that they will become better network operators if they can become part of the in group. Who knows... Personally, I am not particularly disturbed that security vulnerabilities are announced with few substantive details. That's just the way things are normally done in the real world. --Michael Dillon