* Suresh Ramasubramanian:
As frequent as Gadi is with his botnet posts, insecure and wide open CPE getting deployed across a large provider is definitely operational.
And if Gadi's examples are not scary enough for you, there are far more relevant vulnerabilities. It seems that the organization that assembles most of the firmware on those CPEs just takes the Sourceforge project with the smallest footprint they can find to implement a particular task. Not even a cursory code review takes place. As most of the software is GPLed, not just the firmware provider, but also the hardware manufacturer and the ISP itself could stop the deployment until the most egregious bugs have been fixed. Of course, you could argue that if Microsoft and Debian don't do this, why should ISPs? To me, the answer is that shipping vulnerable software is state of the art, but only if there is some kind of patch management appendix. Fortunately, there is a simple solution to this kind of problem: ISPs are very likely liable if they fail to alert customers about security problems, and do not provide updates in a timely manner. After a few painful incidents, the ISPs will learn, and either ship better software (unlikely) or implement some kind of patch management. With a bit of luck, the latter does not just shift liability back to the customer, but also helps to partly solve the problem (in the sense that CPE attacks are less attractive).