this is what happens when you let the intern write code.

Поділитися
Вставка
  • Опубліковано 11 гру 2024

КОМЕНТАРІ • 1,2 тис.

  • @LowLevelTV
    @LowLevelTV  26 днів тому +160

    you know what else is unforgivable? not checking out lowlevel.academy (and getting a DISCOUNT?)

    • @felix8452
      @felix8452 26 днів тому +2

      I would buy a good ghidra course.

    • @CrittingOut
      @CrittingOut 26 днів тому +1

      "I can't believe a company isn't held legally responsible" XD

    • @skiiwars8991
      @skiiwars8991 26 днів тому

      Any chance you will be offering student discounts in the future? I’ve started doing picoCTF and hackthebox challenges for a school club and think that the courses would be great learning resources for building applications with c but the price feels a bit too prohibitive

    • @liquathrushbane2003
      @liquathrushbane2003 26 днів тому +5

      How long do you expect a company to support their software after EoS/EoL?

    • @cyberwarfare-yt1wq
      @cyberwarfare-yt1wq 26 днів тому +1

      bro. you have the style, you have the knowledge, and you have the courage. I liked your talk, your analysis, damn how I love these videos...keep going.

  • @Exilum
    @Exilum 26 днів тому +2291

    The guy who wrote the safe_system code is definitely a different person from the one who wrote account. I can't believe it is any other way

    • @kapstersmusic
      @kapstersmusic 26 днів тому +449

      Exactly. The person who wrote safe_system probably got into arguments with the person who wrote account, who told them to not to worry about it. Some manager then told them to ship it and move on. Then the manager got their bonus for delivering on time.

    • @Exilum
      @Exilum 26 днів тому +173

      @kapstersmusic I would assume the person who wrote safe_system never saw what the one who wrote account did. That would be gross negligence to not replace these 4 lines with their better, ready-made equivalents. Safe string processing is part of the standard, and safe_system is just there. Even without changing the string processing, just using safe_system to make sure the exploitable buffer overflow isn't literally ready to use as-is would be 2 seconds well spent. The security researcher would have maybe spent hours instead of minutes to get a working exploit.

    • @rufmeister
      @rufmeister 26 днів тому +82

      The problem is not one programmer not being up to the task of writing safe code; or people talking to each other... the problem is quality assurance and testing. A company should never assume that a person doesn't make mistakes, it's about validation and testing. And D-Link apparently doesn't care enough about the quality of their products.

    • @svaira
      @svaira 26 днів тому +20

      @@Exilum I would guess safe_system is from some sort of library, and the call to it was copy-pasted, but the account program was new and written by someone trying to only use the C standard library or sth like that, maybe because they didn't know how the Posix API worked, would be my guess.

    • @ehsnils
      @ehsnils 26 днів тому +22

      @@svaira Or the other way around where the account software was from an older era some 30 years ago where things like this didn't really matter since it was executed from the root prompt.

  • @End0fst0ry
    @End0fst0ry 26 днів тому +2601

    It's not a bug, it's a low effort backdoor

    • @no_name4796
      @no_name4796 26 днів тому

      The CIA was too busy trying to kill fidel castro...

    • @himothaniel
      @himothaniel 26 днів тому +46

      Semantic arguments are fun, but that's all they are. Backdoors target vulnerabilities. Vulnerabilities are bugs.

    • @bolivianPsyOp
      @bolivianPsyOp 26 днів тому +215

      I think they’re implying it was intentional

    • @RaquelFoster
      @RaquelFoster 26 днів тому +120

      @@himothanielCondescending responses to comments you don't understand are fun, but that's all they are.

    • @himothaniel
      @himothaniel 26 днів тому +31

      You can read condescension into my comment if you like, but there wasn't any there. A small joke went over my head. I can acknowledge that.

  • @ArchaeanDragon
    @ArchaeanDragon 26 днів тому +1793

    "Buy another NAS", definitely won't be a D-Link, I can tell you that for nothing.

    • @FrankEBailey
      @FrankEBailey 26 днів тому +80

      QNAP or Synology should use this as free advertising for their newest kit

    • @dieSpinnt
      @dieSpinnt 26 днів тому

      @@FrankEBailey WTF are you?
      Buy the stuff and install firmware, that can be called that way:
      OpenWRT !!!

    • @adammontgomery7980
      @adammontgomery7980 26 днів тому +32

      ​@@FrankEBaileyI think Synology had a zero day like 2 weeks ago

    • @dancom6030
      @dancom6030 26 днів тому +9

      ​@@adammontgomery7980 was the zero day as stupid as this one?

    • @df23
      @df23 26 днів тому

      @@dancom6030 its not the first...

  • @kaleycrum6350
    @kaleycrum6350 26 днів тому +1042

    This is actually a genius level move by D-Link:
    They not have to fix *past* bugs because they deem their hardware antiquated.
    Also!
    They also don't have to fix *future* bugs because they just scared away their entire customer base

    • @ditrypand8273
      @ditrypand8273 26 днів тому +22

      they are just playing multi-dimansional chess 😆

    • @aieverythingsfine
      @aieverythingsfine 26 днів тому +11

      XD 200 iq

    • @KoRNeRd
      @KoRNeRd 26 днів тому

      @@dave7244 but the bug was present on day 1.

    • @robhulluk
      @robhulluk 26 днів тому

      @@dave7244 The 340L was released in 2015, and according to the dLink website "This product was phased out on: 29/10/2017", so maybe they were available for sale until then (and maybe even after that date from some retailers).

    • @PMA65537
      @PMA65537 25 днів тому

      @@dave7244 Are you using D-Link's suggested NTP server?
      en.wikipedia.org/wiki/D-Link#Server_misuse

  • @nomore6167
    @nomore6167 26 днів тому +589

    "D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".

    • @stephenkolostyak4087
      @stephenkolostyak4087 19 днів тому +6

      //"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".//
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    • @GoatZilla
      @GoatZilla 16 днів тому

      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^6

    • @wrathofainz
      @wrathofainz 15 днів тому

      I agree.

    • @temp50
      @temp50 15 днів тому +11

      " replace it with a different brand". Why? To have a bug from a different company? A bug which will be there for a decade, discovered only by hackers?
      Never buy a 'NAS'. Use your old PC, install TrueNAS on it, put it into its own VLAN and call it a day.

    • @lunoxis8371
      @lunoxis8371 15 днів тому +18

      @@temp50 Most companies do emergency patches when these kinds of bugs pop up. Even microsoft does that.

  • @danmac_au
    @danmac_au 26 днів тому +607

    The funny thing for me is the vulnerability means you could recompile the account command to use safe_system and then use the vulnerability to download the patched account binary to the NAS, fixing the hole.

    • @michaelwaters1358
      @michaelwaters1358 26 днів тому +142

      Now this is bug fixing

    • @snowSecurityneeded
      @snowSecurityneeded 26 днів тому +142

      lol that is amazing maliciously fixing bugs its like bethesda game modders.

    • @justincondello
      @justincondello 26 днів тому +14

      Might as well install a webshell while you are at it.

    • @HelloWorld5985
      @HelloWorld5985 26 днів тому +44

      Great idea. Shame its a read only file system.
      Shouldnt be upto the fbi or whitehats to fix easy fixes like this.

    • @JohnDoe-bd5sz
      @JohnDoe-bd5sz 26 днів тому +16

      That was my initial thought as well.
      Seems this could be fixed rather easily, even by "hackers".
      The guy running this channel could probably make the patch, Linksys refuses to do, in a matter of minutes.

  • @steveftoth
    @steveftoth 26 днів тому +548

    This is what happens when you have 2 teams not talking to each other. One team did it right, the other not so much.

    • @richcole157
      @richcole157 26 днів тому +11

      Even if they audited the code they wrote who’s to say the unix utilities calling were audited. The usernames etc should have been sanitized to remove any non alphanumeric characters, so their safe system is anything but safe. Anyway it was a great video. Even with input sanitation, the fact it is calling other programs makes it a crapshoot.

    • @IvanToshkov
      @IvanToshkov 26 днів тому +7

      @@richcole157 It looks like the vulnerability can be triggered through the `pw` field and it is much harder to sanitize it in the way you suggest for `name`.

    • @memyshelfandeye318
      @memyshelfandeye318 26 днів тому +23

      Do you really think they have _teams_ working on that? More likely one part of the code was written by one overworked guy at one time, the other part written by another overworked unqualified guy at another time, and all copy-pasted together by an unpaid intern later ...

    • @IvanToshkov
      @IvanToshkov 26 днів тому +13

      @@memyshelfandeye318 Well, that's like 2 teams right there! :D

    • @richcole157
      @richcole157 25 днів тому +2

      @@IvanToshkov good point.

  • @crusaderanimation6967
    @crusaderanimation6967 26 днів тому +225

    HOT TAKE:
    If vendor stops supporting product because if it's out of live even with such security critical cases, we as society should stop supporting copyrights related to it.
    Granted here there's probably not that much to protect, but if there's any copyright protection on that code, it should vanish, reverse engineering ? Producer orphaned it, we're not gonna prevent people to adopt this child.
    Re distributing binaries ? If it's not worth for you to fix it it's not worth to us to chase people that copied it.

    • @tyrannosaurus_x
      @tyrannosaurus_x 25 днів тому +47

      That should not be hot take at all. If aren't making money on your copyrighted thing, what are you protecting it for? Kind of same with games. Your game is not officially available for purchase? People get to crack it and share it freely without consequences.

    • @crusaderanimation6967
      @crusaderanimation6967 25 днів тому +11

      ​@@tyrannosaurus_x Yea honestly that take developed because of stop killing games initiative in the first place.
      And not even about "Me wants to play games that aren't available" thing ( be it it's still valid approach) or that company isn't making money anyway, i mean questioning how system works in much broader way.
      We as society agreed to protect data, (art work code, design so on) (which i'm not against to be clear, my problem starts and ends with how system work currently not with existence of system) and at this point we agreed to do so at ridiculous time frame, Mickey Mouse famously entered public domain in 2024, a artwork from between world wars period, i'm from Poland, in our calendar that's like two invasions ago, neither of my parent's were alive when it came out, and they had me at ridiculous old age, they grew up in different world, telephones were rare, cars too, country was still firm in grip of USSR and iron curtain divided Europe, i grew up in free Poland, wit ability to free travel across Europe because of shengen, with internet access since i could remember, YT raised me as much as mu parents did, it gave me skills to get job as programmer. My father born in 1945, after Mickey was created, and died in 2018 before it entered public domain. I tell you all this to hammer point how long time frame we're talking about, and how much of commitment society gives to copyrighted work.
      Even if it was out of print for years, even if original company isn't supporting it since decades, last entry in IP was made before my country in it's current form was established, it stil will be protected.
      In return(and i'm talking mostly about video games, but somewhat applies to software in general), they mercifully allow us to rent their software for unspecified amount of time, for usually not so small sums of money, and usually with right to take said license away at a whim without a reason.
      Again, not for abolishing copyright entirely.
      But i think in current situation "tail is wiggling the dog", and either copyright retention shorten, new causes for artwork entering public domain established or both.
      (Perhaps it should work a bit trade mark, if you don't use it, you louse it.)

    • @veryCreativeName0001-zv1ir
      @veryCreativeName0001-zv1ir 25 днів тому +2

      it's a 14 year old NAS

    • @crusaderanimation6967
      @crusaderanimation6967 25 днів тому

      @veryCreativeName0001-zv1ir and you're point is ?

    • @thezouave7636
      @thezouave7636 24 дні тому +1

      This is a great idea! Added to the list of things I'd want to change.

  • @aieverythingsfine
    @aieverythingsfine 26 днів тому +250

    Imagine how chuffed the guy was finding this bug, like "yeah im definitley getting a payout, they will be so glad i found it!", just to be told to feck off and that the fix was buy their new products XD
    Poor bloke

    • @bmanpura
      @bmanpura 26 днів тому +15

      Nah, said bloke can scour the internet for eol products to hack. Win win.

    • @aieverythingsfine
      @aieverythingsfine 26 днів тому

      @@bmanpura maybe, it would certainly teach them a lesson, but if your a genuine pen tester/bug bounty hunter your risking your career doing shit like that. The amount of attribution and tracking sites these days is insane.
      One example, I wrote a little article on footprinting Imap/POP3 mail servers last week.
      I googled the article the next day to find that id been entered into an International cyber threat database. The bot armys are real af bro. They had entire maps and models of endpoints and systems just from my write up.

    • @hmartinlb
      @hmartinlb 24 дні тому +14

      Now he's mining bitcoin on your NAS, so whatever.

    • @Rider.404
      @Rider.404 23 дні тому

      😂

  • @ParkourGrip
    @ParkourGrip 26 днів тому +150

    The team that wrote the "account" program assumed that their program is only going to be used by users that are already authenticated inside the machines shell. The team that wrote the HTTP server thought that the "account" program is safe to execute with parameters controlled by the unauthenticated user.

    • @xjjfjfdjdh9993bbhhhh5hjjjjd
      @xjjfjfdjdh9993bbhhhh5hjjjjd 25 днів тому +42

      You probably hit the most likely explanation. Unfortunately, the bigger problem is D-Link unwilling to update it or at least send out a crisis report to news agencies to let customers know.
      I did see someone hint at mandatory open sourcing for deprecated software. I think that would definitely help, because the person who finds the bug could patch it. Maybe we need to promote open source routers now?

    • @prophetzarquon
      @prophetzarquon 23 дні тому +11

      Open source radio transmitters have a remarkably hard time getting FCC approval... Qualcomm isn't the _only_ reason Qualcomm radio chips continue to use closed-source code.
      It's really annoying; the efforts to block true direct mobile-to-mobile LTE, were so coordinated, one could almost be forgiven for mistaking those efforts as good-faith "interference prevention".
      Open wireless is anathema to regulation; it's been stomped on, one product launch after another, my whole life or more.

    • @absurdengineering
      @absurdengineering 13 днів тому +4

      @@prophetzarquonThat’s not an accident. Lobbyists love regulatory capture. It’s all by design that OSS firmware cannot be used on RF systems. By design of the companies that have vested interest in selling us new stuff all the time.

    • @MikkoRantalainen
      @MikkoRantalainen 8 днів тому +4

      I maintain multiple servers and my go-to rule with even throwaway shell scripts is that all input must be considered unsafe. Always encode data as data regardless of the programming language you use and all injection attacks immediately vanish everywhere.

  • @mikaay4269
    @mikaay4269 26 днів тому +377

    "Fuck you, pay me" is a genius strategy when most of your customers do not have consumer protection laws

    • @afjer
      @afjer 26 днів тому +40

      And any attempt to pass consumer protection would be lobbied (read: "bribed") away by the powerful corporations that would be impacted by it.

    • @mikaay4269
      @mikaay4269 26 днів тому

      @afjer this is why people become cyber criminals, stupidity

    • @Joe3D
      @Joe3D 26 днів тому +8

      No consumer protection law protects your from end of life products. In fact in Europe it's only 3 years warranty for a new product. Some pro or enterprise products get 5 or 10 years warranty but then consumer laws don't apply because the buyer acts as a company not individual.

    • @KillerQ13
      @KillerQ13 26 днів тому

      Reminds me of a time a car dealership sent me lottery thing in the mail. Said I won a $50 gift card. Had a number to verify. Verified as valid. Walked into the car dealership and it was a "raffle" with the winning numbers already picked. Mine was not one of those numbers. Told them fuck you and that I'm never coming there again. The kind of idiot that looks at and buys a car after that is next level stupid.

    • @Bill_Bacon
      @Bill_Bacon 26 днів тому +2

      Neither does the Mafia - thanks for the Goodfellas quote.

  • @dynad00d15
    @dynad00d15 26 днів тому +471

    D-Link has been a security liability since the 2000's. :)

    • @BotDetector-44
      @BotDetector-44 26 днів тому +10

      As long as you keep using EoL devices, that's on you buddy

    • @dynad00d15
      @dynad00d15 26 днів тому +40

      @@BotDetector-44 what are you taking about?

    • @sootikins
      @sootikins 26 днів тому +76

      @@dynad00d15 Just ignore him - he's a D-Link salesman!

    • @cooperised
      @cooperised 26 днів тому +22

      @@dynad00d15 I'm assuming that was sarcasm. I'm _hoping_ that was sarcasm...

    • @BotDetector-44
      @BotDetector-44 26 днів тому +1

      @@sootikins Right, because manufacturers update their software after 14 years from their initial release date. You guys might be some retards or a bit clueless how things work when producing hardware and software components but hey, I'm a salesman, you got me

  • @play-good
    @play-good 26 днів тому +233

    New vulnerability found in D-Link NAS devices
    D-Link : It's not my problem, it's yours

    • @92sieghart
      @92sieghart 26 днів тому +6

      @@play-good "sorry,we sold it to you,so your problem now"

    • @GashimahironChl
      @GashimahironChl 26 днів тому +20

      @@92sieghart D-Link, the last big company around that still respects ownership 🤣🤣

    • @dieSpinnt
      @dieSpinnt 26 днів тому

      .oO( Who did buy that s. in the first place? ... ROTFL )

    • @MelroyvandenBerg
      @MelroyvandenBerg 26 днів тому +2

      at least open source this sht

    • @user-zu1ix3yq2w
      @user-zu1ix3yq2w 4 дні тому

      Kind of true, yeah

  • @EpicLPer
    @EpicLPer 26 днів тому +124

    Synology could do the funniest PR thing and give your a 10% discount buying one of their products when you own one of those exploitable NASes

    • @jay.jarosz
      @jay.jarosz 25 днів тому +18

      Synology has it's own security issues unfortunately. Their security settings page forces you to give a phone number for 2FA setup, but SMS 2FA is easily exploitable.

    • @gearboxworks
      @gearboxworks 24 дні тому +6

      Synology give up 10% margin? Who are you kidding?!? 🤔

  • @hereticerik
    @hereticerik 26 днів тому +203

    As a person that has programmed for 30+ years, that is absolutely insane. The incompetency is astounding. If D-link can't fix things like this, then don't buy D-link products, it's that simple. They clearly don't care about their customers.

    • @nullvoid3545
      @nullvoid3545 26 днів тому +11

      But D-link is just A subsidiary of netgear, which own A good majority of home routers currently distributed.

    • @nomore6167
      @nomore6167 26 днів тому +3

      Yes, it is truly astounding. I've done some PHP programming for myself and some friends, and did some professionally a number of years ago. One of the first things I did was write a shell command to read all PHP files and find all instances of "if X = Y", and I used that shell command during and after each programming session to ensure that I never accidentally assigned a value when I intended to query it. Checking for calls to system() would be similar (I never used system calls, so I never needed to do such checks, but it would have been simple to check for them). If I -- a single individual -- could do some simple checking and validation to prevent problems, then surely a corporation such as D-Link could have done so.

    • @SergeantExtreme
      @SergeantExtreme 26 днів тому

      @@nullvoid3545 What? No it's not. D-Link is a subsidiary of the Taiwanese Steel Group. They have no affiliation to Netgear. Why would you post blatantly false information like that?

    • @null-0x
      @null-0x 26 днів тому +3

      @@nullvoid3545 this is what happens when a company is a monopoly (or almost one).

    • @RandomAcronyms
      @RandomAcronyms 25 днів тому

      ​@@nullvoid3545Netgear and D-Link are unrelated companies.

  • @monad_tcp
    @monad_tcp 21 день тому +20

    1:42 They are right about that, buy another NAS, but NOT FROM D-LINK

  • @xmine08
    @xmine08 26 днів тому +118

    So a common, old-school Shell Injection vulnerability. The Bobby Tables of system("command").

    • @russellstyles5381
      @russellstyles5381 26 днів тому +7

      For clueless - xkcd reference. Someone embedded a "Drop table" command in child's name. Deleted main database at school.

    • @aieverythingsfine
      @aieverythingsfine 26 днів тому +2

      Like a day 1 training scenario lol

    • @gearboxworks
      @gearboxworks 24 дні тому

      @xmine08 - That is "Little" Bobby Tables to you. 😂

  • @RaquelFoster
    @RaquelFoster 26 днів тому +71

    It's hard to imagine a scenario where this is an isolated incident. At any competent organization, the first time something similar happened, the dev-sec-ops team would've forced all kinds of commit/deploy hooks checking for system calls and requiring the lead/PO to sign off that they weren't doing something stupid. This makes all D-Link hardware sketchy. They're not a new company, and they're not small, and they're not new to making routers.

    • @BTrain-is8ch
      @BTrain-is8ch 26 днів тому +8

      Exactly how many "competent" organizations do you think exist now? Three? Four?

    • @GamesFromSpace
      @GamesFromSpace 26 днів тому

      Before the first time, hopefully.

    • @Alan.livingston
      @Alan.livingston 24 дні тому +2

      Took their development queues off Crowdstrike.

  • @sundhaug92
    @sundhaug92 26 днів тому +49

    D-Link once made a router where the web-server ran in kernel-mode and had debug-commands

    • @jorelplay8738
      @jorelplay8738 25 днів тому +10

      I had once a dlink router, and it was losing connection about once a day, so I had to unplug and plug it again. I decided to update the firmware, in the hope that it would be fixed. After the update, the connection was dropping every 20-30 mins. Horrible experience. I installed de-wrt (which fixed everything) and never got a dlink device ever again.

    • @Daniel15au
      @Daniel15au 25 днів тому +7

      This server is running as root (or the CGI binaries are setuid) if it can add users via a web request.

  • @cheetah2003-z5w
    @cheetah2003-z5w 26 днів тому +66

    A new form of forced obsolesce? Activate all the security flaws after a specific date and refuse to patch them.

    • @JessicaFEREM
      @JessicaFEREM 26 днів тому +8

      Id believe it. Like immediately after some companies want you to upgrade they say "hey there's a backdoor you should stop using the product or your product is gonna be 15% slower"
      Spectre and meltdown, windows XP, apple battery health, etc are ideas that come to mind.

    • @bmanpura
      @bmanpura 26 днів тому +10

      Microsoft refusing to patch critical vulneralibity is how Windows 7 got abandoned. The idea have been around.. _Activating them is a new level of evil_

    • @theRPGmaster
      @theRPGmaster 23 дні тому +5

      1. Push a "security patch"
      2. The patch actually contains vulnerabilities, on purpose
      3. Profit

    • @prophetzarquon
      @prophetzarquon 23 дні тому

      Ah yes, the μTorrent v≥3.0 approach

    • @WhiteG60
      @WhiteG60 17 днів тому

      Forced obsolescence? They were obsolete before this disclosure. They're 14 year old devices. On top of that, one should NEVER use a consumer branded anything for anything actually sensitive or mission critical. These devices don't have redundant power or controllers. Those interfaces/ports/protocols shouldn't be exposed to the internet anyway. If you actually put one of these open to the internet, that's on you, not D-Link. If it's NOT exposed to the internet, in order to exploit it, you'd need to be on the local network already, in which case, you've already been compromised and you're fucked. This is something that should absolutely be fixed in any still supported devices, but end of life means end of life.

  • @rikschaaf
    @rikschaaf 26 днів тому +40

    Prob a junior tech that was tasked to write the account script. This is why you need THOROUGH PR reviews and things like sonar to check for code smells like system and sprintf calls.

    • @rikschaaf
      @rikschaaf 26 днів тому +10

      @speedweasel yup, a junior tech should never be blamed for something like this. If a junior dev is accidentally able to get such a bug into production, then a senior dev with bad intentions DEFINITELY would be capable of doing that as well. It's up to your pipeline engineers to make sure that CAN'T happen.

    • @defter6800
      @defter6800 23 дні тому

      @@rikschaaf There is no such thing as code review in Chinese software development world in many places)) Nobody looks code, they just make it work, do some stuff to pass manual and automatic tests and this all. And because there was no code review for years they can't start doing it effectively because everyone is more incompetent and can't spot other people bugs just by looking code (this is separate skill which require not just technical knowledge but also able fast understand code and see whats can goes wrong) Also code review would kill they productivity and increase cost, so for them there is no reason to introduce some "bad" practices from financial perspective)

  • @JellyLancelot
    @JellyLancelot 26 днів тому +116

    As a Junior, I was terrified of making mistakes like this. As a Lead, I now realise how most of the world runs on software that people go out of their way to make utter s**t. Ask a locksmith and they'd always rather have software locks, ask a software dev and they'd always rather have physical locks. When you know, you know how bad things are lmao

    • @MyAmazingUsername
      @MyAmazingUsername 26 днів тому +25

      Dude, the physical locks thing is so true. When I found out about lockpicking, I took a thin, flat piece of metal and just raked my apartment lock. In 30 seconds it was unlocked. Most locks are a joke. 😐

    • @aieverythingsfine
      @aieverythingsfine 26 днів тому +18

      I do both (locksmith/safesmith and pentesting). None of it works XD

    • @capturedflame
      @capturedflame 24 дні тому +6

      ​@@aieverythingsfinethat's a terribly unfair thing to say... lockpicks and cracks work perfectly

    • @aieverythingsfine
      @aieverythingsfine 24 дні тому +2

      @@capturedflame XD

    • @prophetzarquon
      @prophetzarquon 23 дні тому +6

      I was in disbelief about the "cut off a Bic pen & wobble it around in the keyhole" method for circular keys, so I tried it: Took me ~12 minutes the first time,

  • @MissionFreiheit
    @MissionFreiheit 22 дні тому +8

    Oh yeah, D-Link. I'm a dev as well as an IT consultant. Got hired for a project because a company was facing issues where their entire network went down intermittently. Turned out they were using D-Link switches everywhere in their network. These switches had a vulnerability that could trigger a packet storm. There was no firmware update or fix. I replaced every single piece of network equipment that was made by D-Link with its CISCO equivalent. This was 5 years ago and their network has been working reliably ever since. D-Link is a total mess.

  • @replicadse
    @replicadse 26 днів тому +82

    When does incompetence become sabotage?

    • @ffwast
      @ffwast 24 дні тому +4

      When they refuse to fix it.

  • @PXAbstraction
    @PXAbstraction 26 днів тому +17

    As someone who has worked in both residential and corporate IT for over 20 years now, I'll never go near D-Link. Garbage products made by a company that does not care. Nothing about this situation surprises me.

  • @collin4555
    @collin4555 26 днів тому +21

    Holy moly, if I can get how bad it is without rewinding, it's a really stupid bug

  • @reluctantadv
    @reluctantadv 3 дні тому +3

    Don't blame interns.
    Don't recall who said it, but "if an intern can break production, you as a company have failed."

  • @diogocruzdiniz3186
    @diogocruzdiniz3186 26 днів тому +32

    I'm loving the channel name exploration in every video

  • @rvft
    @rvft 26 днів тому +7

    03:25 I appreciate the heads up, but sadly, I failed to contain myself.

  • @joshuaonly
    @joshuaonly 24 дні тому +10

    I like collar-shirt Ed. He said "You shouldn't have your NAS with its, like, butt, in the ether-net port, facing out into the internet..." omg. I lol too hard at the mental picture that paints.

  • @jenslink9861
    @jenslink9861 26 днів тому +109

    But isn't connecting your NAS to the Internet an advertised feature? "Run your own cloud!"

    • @flarebear5346
      @flarebear5346 26 днів тому +35

      Not like this. If you are going to do that then you should have security measures that can authenticate and restrict what can connect to it.

    • @jenslink9861
      @jenslink9861 26 днів тому

      @@flarebear5346 Yes, I know. But which end user knows this. And now the vendor name is in the press again an they can start their next product.
      Always remember, "The S in IoT is for security" (Need to find this T-Shirt for next week it must be somewhere. )

    • @Rovsau
      @Rovsau 26 днів тому +1

      lmfao

    • @newskybox
      @newskybox 26 днів тому

      You shouldn't have the nas open to the public internet, especially not your admin console. You'd want to have an authentication layer in front of any requests to the applications on your system, or better yet, only allow access to your system through a secure VPN. In the case of this bug, you wouldn't be able to send a request to (target IP)/cgi-bin... if it wasn't already open to the public internet (which again, it shouldn't be), but if it was or say you're connected to the same network, then your whole machine is wide open.

    • @QWERTIOX
      @QWERTIOX 26 днів тому +8

      Just run everything on the local network and have wireguard to connect to it

  • @Cobinja
    @Cobinja 25 днів тому +7

    German home router manufacturer AVM handled a security flaw in 2023 completely different. They even patched a model that had been EOL 7 years earlier.

  • @bparker06
    @bparker06 26 днів тому +61

    I've never in 30 years heard of CGI "typically being a bash script or an ELF"

    • @snake3837
      @snake3837 26 днів тому +19

      @@bparker06 well it was. Even PHP worked/works like that.

    • @ClockDev
      @ClockDev 26 днів тому +20

      In your defence, I've seen more Perl scripts as CGI than bash ones :-)

    • @MorbidEel
      @MorbidEel 26 днів тому +5

      That is probably the case for these sorts of "UI glue for small devices"

    • @cancername
      @cancername 26 днів тому +7

      C, Bash, and Perl are the typical ones.

    • @tin2001
      @tin2001 26 днів тому

      I used to have a shell script to redial the internet set up as a CGI. Anyone on the LAN could reconnect the internet as needed that way. We paid per call back then for local calls, so doing it this way made it convenient, but saved calls at night when no one was using it. There was a 4 hour session limit on our ISP.

  • @LonkinPork
    @LonkinPork 22 дні тому +3

    I'm honestly astounded at how easy your videos are to understand and follow. My only background in coding was one course that used Python in uni, and a little introductory C++ in high school, but I'm mostly able to keep up with what you're putting down.
    Good vids, is what I mean to say

  • @nwsome
    @nwsome 25 днів тому +5

    Security goes against D-Link's core values. They have a reputation to uphold.

  • @eLBehmo
    @eLBehmo 2 дні тому +1

    it's pretty simple why this happens: Developer thought that you can only reach this, when you are an authenticated good guy

  • @wolcek
    @wolcek 26 днів тому +20

    D-link? You mean the company unable to understand how email works? Whatever they did, I'm not surprised.

  • @MichaelOfRohan
    @MichaelOfRohan 26 днів тому +7

    Bad code is always dangerous, but dangerous code is not always an accident.

  • @WiteNite867
    @WiteNite867 26 днів тому +7

    I love watching these kinds of videos, it helps me see deeper into how the devices really work.... and that stupidity really knows no bounds....

  • @Lurker-dk8jk
    @Lurker-dk8jk 22 години тому +1

    To be fair to D-Link, the affected devices are over 12 years old. I would replace internet-facing equipment at 5 years or sooner. There will always be new vulnerabilities around the corner.

  • @thetaphi
    @thetaphi 26 днів тому +3

    I had to pause at 2:11, scream a little, grab a coffee, calm down and resume 5-10min later. ... turns out I was not done screaming. HOW DID THAT GET WORSE

  • @leok42
    @leok42 26 днів тому +7

    8:36 that's what I call a well organized home dir!

    • @dan-nutu
      @dan-nutu 24 дні тому

      Lol!

    • @alecodes
      @alecodes 7 днів тому

      i like the todo dir
      probably more exploits explained right there for one to just try

  • @Timberius
    @Timberius 24 дні тому +3

    Some companies one should just never deal with.
    This is literally the opposite of the kind of support we have been used to from companies like IBM for example.

  • @markykid8760
    @markykid8760 5 днів тому +2

    You make a great point at the start that EOL is decided by manufacturer itself. When you put it that way, it should be legally mandated to support for 20 years

  • @nagi603
    @nagi603 24 дні тому +5

    Dlink basically "F U pay me *again*!" surely inspires customer confidence in their products.

  • @tomnussbaumer
    @tomnussbaumer 25 днів тому +2

    I have abandoned using any D-LINK devices decades ago (around 2005-6) for exactly these kind of practices (and bugs). It's almost unbelievable they are still doing these things after all these years and are still part of the market ...

  • @Eyevou
    @Eyevou 25 днів тому +3

    when i saw it calling sprintf and system my jaw hit the floor. i then exclaimed "excuse me?!"

  • @privateness.network
    @privateness.network 24 дні тому +2

    I was particularly impressed by your mastery to size up the thing and communicate in relevant-human-readable. Coding is a dark art already (which is a compliment).

  •  26 днів тому +6

    First mistake they made was buying a D-link. If I see d-link device on customer’s network it has immediately to go out.

    • @WhiteG60
      @WhiteG60 17 днів тому

      Dumb switches are one thing. No one should be using D-Link for anything more than that. There's plenty of much better stuff available in the NAS or higher end consumer networking market for not much more money. I'd rather get a TP-Link setup and a Synology or QNAP NAS, but if you just need a 8 or 16 port gigabit switch? Buy whatever is cheapest because it'll work fine.

  • @jeehoonlee5150
    @jeehoonlee5150 20 днів тому +2

    Thanks D-Link for your statement on EoL products so we can avoid buying any of your products in the future! Nice one!

  • @MyAmazingUsername
    @MyAmazingUsername 26 днів тому +7

    Wow thanks. Never buying D-Link (or their parent Netgear), ever. This passed code review?!

    • @marsovac
      @marsovac 26 днів тому +1

      You think they did code reviews? Dlink in 2012 probably didn't even use a code repository, let alone agile development.

  • @T33K3SS3LCH3N
    @T33K3SS3LCH3N 14 днів тому +2

    Using "safe_system" to just call "system" anyway is awesome.
    It's like storing the key of the storage that holds your valuables in a bank vault for safety, but the storage with the actual valuables inside is just a cardboard box with a padlock.

  • @maosenlin4170
    @maosenlin4170 26 днів тому +3

    I've seen more than once maintainers of very active, open source, self-hosted applications saying "our average user does not need enterprise level security features" when they refuse to implement things like mTLS support in their mobile client. Or sometimes they tell you to use treafik as your reverse proxy when you expose the service to wan, while traefik requires the docker socket in a container that is supposed to be facing internet. Absolutely unforgivable.

  • @HaveYouTriedGuillotines
    @HaveYouTriedGuillotines 26 днів тому +1

    12:23
    "How is nobody held accountable?" Because it's a free market. Businesses are allowed to 'do what they want,' and this is what they do.

  • @bentomo
    @bentomo 26 днів тому +3

    I absolutely lost it when you described an open port facing WAN as the NAS's butt exposed to the internet

    • @justincondello
      @justincondello 25 днів тому

      Queue penetration joke?

    • @bmanpura
      @bmanpura 23 дні тому +1

      Gives code injection a whole new context innit

  • @mrlithium69
    @mrlithium69 26 днів тому +1

    you're one of the most competent coders im watching on youtube if not THe best. Good job breaking this down for all the up and coming wizards

  • @TheInternetLord
    @TheInternetLord 26 днів тому +3

    As a Gen-Zer even if I hated the collared shirt, that fire jacket makes up for it.

  • @Aranimda
    @Aranimda 3 дні тому +1

    In the end all internet connected devices will end up being public domain computers.

  • @Necropheliac
    @Necropheliac 24 дні тому +3

    This would be incredibly easy for them to patch this. It’s a one line fix. They just don’t want to do it.

  • @Zaurthur
    @Zaurthur 5 днів тому +1

    I've known people with this train of thought. Where once you do the safe thing everything afterwards is magically safe.

  • @apedanticpeasant1447
    @apedanticpeasant1447 26 днів тому +4

    I will never again in my life buy D-Link equipment and will encourage all of my clients to do the same.

    • @apedanticpeasant1447
      @apedanticpeasant1447 26 днів тому +2

      Anyone who doesn’t take security seriously has no business being a vendor. Samsung and SONOS I’m looking at you.

  • @TheOneAndOnlyNeuromod
    @TheOneAndOnlyNeuromod 19 годин тому

    I’m glad we have people like you who dig into and white hat this stuff. What the hell…never going with D-Link. They should be held responsible for patching this *regardless* of EOL. I mean, arcane hacks are one this, but this vulnerability is blatant and moronic - they should have to provide a fix for this…not force people to buy a new router.

  • @satoshimanabe2493
    @satoshimanabe2493 26 днів тому +14

    According to Wikipedia: "In 2022, D-Link obtained the TRUSTe Privacy seal, certification of ISO/IEC 27001:2013 and BS 10012."
    Certifications truly mean nothing!

    • @Daniel15au
      @Daniel15au 25 днів тому +3

      This device is way older than 2022 so I'm not sure what your point is.

    • @greggoog7559
      @greggoog7559 3 дні тому +2

      Well I mean the certification is called "BS xxxxxx" for a reason 😃

  • @eon-hp5vv
    @eon-hp5vv 23 дні тому

    As primarily a sysadmin with basic programming knowledge, I really appreciate the way you explained the code. Nice and easy to follow and your enthusiasm is very engaging.

  • @tambow44
    @tambow44 26 днів тому +9

    I've heard of people getting dismissed for lesser bugs. this is SUCH a rookie mistake.
    TY for the content

  • @user-fk5di4me9c
    @user-fk5di4me9c 24 дні тому +2

    i'm an swe student and i still don't see myself a good coder programmer I don't understand a lot of concepts and I wasn't passionate about computers in general before entering college. i only know the theoretical concepts but these videos are really making me love the field and wanting to learn more and make me curious more and more!

  • @JTCF
    @JTCF 19 днів тому +3

    I think I used a very similar exploit to de-bloat my xiaomi router, using arbitrary command injection through an http request, to put a busybox binary and flash openwrt on it. The openwrt firmware doesn't have the vulnerability. So I suggest owners of that EOL hardware to try OpenWRT or some linux distro instead. I don't know much about the hardware, but there are distros themed arouns NASes and if it's arm or small x86 Armbian should work just fine (ofc I have to shill for the distro I help maintain)

  • @cau8777
    @cau8777 26 днів тому +1

    This channel is soooo good
    You are saving the future of the internet my friend, thanks

  • @zakaryan2004
    @zakaryan2004 26 днів тому +22

    this video literally had "no views" as he said "this video is gonna get no views"

  • @KingZarathus
    @KingZarathus 26 днів тому +2

    It's Little Johnny ;DROP TABLES; but it's your NAS 😂

  • @rz2374
    @rz2374 26 днів тому +35

    is nobody going to talk about how those sprintfs probably are a buffer overflow vulnerability as well

    • @steveftoth
      @steveftoth 26 днів тому +42

      He did mention that in the video too but the low hanging fruit is the system call. I mean both need to be fixed and are right next to each other. Not sure how people are going to do that though, if at all.

    • @mirror1766
      @mirror1766 26 днів тому +1

      @@steveftoth by buying a new device - D-Link

    • @-Jakob-
      @-Jakob- 26 днів тому +5

      Please place your checkmark and then try again.
      [ ] I watched the whole video

    • @EdubSi
      @EdubSi 25 днів тому

      No one cares. Probably there are s lot more spots to cover in the firmware. Why would you want a buffer overflow if you have system calls at your hand

  • @chiubobo4955
    @chiubobo4955 19 днів тому

    Love this guy immediately when he explain all the detail for beginner in such a short time

  • @shellcatt
    @shellcatt 26 днів тому +4

    Like your attitude here! :) Also the colors are so fresh ;)

  • @TomStorey96
    @TomStorey96 24 дні тому +2

    In the early 2000s I used to have a D-Link DSL-504 ADSL router. If you enabled SNMP to e.g. graph traffic statistics, you could walk the device and retrieve the username and password of the attached broadband service, in plain text.
    Am I really surprised that D-Link equipment still has such egregious errors? They've been at it since the early 2000s. Old habits die hard I guess.

  • @flyviawall4053
    @flyviawall4053 24 дні тому +3

    IMO this is not a bug but a design flaw.
    I can't say it's intended but definitely never thought of it in security perspective(or just abandoned the security scope).
    This is not "fixable", this just shouldn't exist in the first place.
    If you say something EOL so no more security update, OK.
    But if you put something known with flaw(at least we all known), that's not security update. It's just a garbage be advertised as something useful. It should be RECALL.
    Can Tesla say their car has a known risk to explode if you press certain button before EOL but now it's EOL so they won't fix? Elon Musk will be put in jail if so.

  • @110jmartin011
    @110jmartin011 24 дні тому +1

    could not stop laughing at 11 minutes, was not expecting this, looks like a mistake I would make, mind you I am very very bad at coding.
    Thanks for the video, almost as comical as self reflection, but without all the pain that comes alongside it.

  • @johnberkers434
    @johnberkers434 26 днів тому +3

    And no mention was made anywhere about requiring authentication to access the CGI... So even if you could not run arbitrary commands, you could likely still create accounts.

  • @plaidchuck
    @plaidchuck 4 дні тому +2

    Imagine a millennial judging gen zs fashion sense, pot meet kettle

  • @NetBandit70
    @NetBandit70 26 днів тому +5

    oh you mean that 'computing appliances' aren't like toasters, and are really just computers that need constant updates forever? but I bough this 'appliance' because it is cute and single purpose like a toaster that needs no updates ever

  • @sleepymincy
    @sleepymincy 26 днів тому +2

    "Gen Z hates collars."
    I mean.. Depends on what kind.

  • @Rovsau
    @Rovsau 26 днів тому +5

    D-LINK. As in the grade.

  • @dwightsmith5174
    @dwightsmith5174 День тому

    As a 71 y. o. Techie - Much respect for good programmers. It's really is rocket science!

  • @alfos.192
    @alfos.192 26 днів тому +3

    0:04 > This video is gonna get no views because I'm wearing a colored shirt and apparently, like, Gen Z hates colors.
    What?

    • @Chris-on5bt
      @Chris-on5bt 26 днів тому +1

      Collared

    • @temp50
      @temp50 15 днів тому +1

      @@Chris-on5bt Yeah but still, the question remains: What? :D

  • @antondahlen
    @antondahlen 26 днів тому +2

    This is why the best "NAS" is just your last used computer with FreeBSD and ZFS.

  • @cudatox
    @cudatox 25 днів тому +7

    D-Link has a history of doing this. When I was in university, I found a couple of significant bugs in DIR-601 routers that could lead to RCE in many cases. The first bug was a command injection in the router's diagnostics page that let me inject arbitrary shell commands. This page normally requires that the user be authenticated as an administrator to access it. Unfortunately, that authentication was flawed and due to an API endpoint in the router not being properly authenticated, it was possible for a user authenticated as a regular user to generate and download a configuration backup. The administrator password was stored as plain text in this backup. I can imagine most people would not change the default user password, since it isn't privileged.
    I attempted to report this, but every email I sent bounced with an inbox full error. No idea if it was ever patched.

  • @carl00s01
    @carl00s01 25 днів тому

    I was so invested in the investigation process from the half of the video that I had to put it in fullscreen.

  • @corvusnocturne
    @corvusnocturne 26 днів тому +39

    if your worried about not getting views put on a choker it'll work, trust me

    • @drgabi18
      @drgabi18 26 днів тому +5

      🤨📸

    • @corvusnocturne
      @corvusnocturne 26 днів тому +4

      @@drgabi18 its a proven fact, thats why so many streamers wear them and why so many vtubers have them on their models

    • @drgabi18
      @drgabi18 26 днів тому +1

      @@corvusnocturne Kai Saikota and Fauna are the only vtubers I know that have one, except them, I have never seen anyone with one
      Eric Parker has kitty headphones, so Low Level could learn from him

    • @pavlinggeorgiev
      @pavlinggeorgiev 20 днів тому

      Stop it.
      Get some help

  • @MikeHarris1984
    @MikeHarris1984 23 дні тому +1

    That's pretty standard for a vendor to not cover a patch no matter the severity for end of life devices. If you have a Naz that is 10 plus years old, the hardware itself went end of Life 3 years ago and the vendor puts wine in the sand after so many years that they can no longer allocate resources to still patch and create firmware for devices that are so old and probably only have a very small percentage of users still using it. I would be interested in seeing if D-Link has the ability to see how many users are using their NAS with a phone home feature or something like that so they can say that this vulnerability only happens in 5% of users utilizing their equipment and most of the other product has been retired thrown away or trash to recycled.
    Very rarely will accompany actually create a patch for a end of life device. And it usually comes down to the amount of users still using that device and how bad the vulnerability is. Very few times have I actually seen a vendor cover and patch of vulnerability that is end of life The last big one that I remember seeing was Microsoft and Intel and AMD whenever specter and meltdown were announced and since it affected every CPU created in the last 20 years It made sense for them to create code updates in microcode updates and even OS updates to help patch these issues even friend of life hardware and software.

  • @RandomGeometryDashStuff
    @RandomGeometryDashStuff 26 днів тому +4

    02:35 where base64?

    • @showmeyourcritz321
      @showmeyourcritz321 26 днів тому

      There is, but you've become so good at reading it in your head that you can't tell anymore 😂😂😂
      Go test if it works with assembly as well 😊😂

    • @RandomGeometryDashStuff
      @RandomGeometryDashStuff 26 днів тому

      @@showmeyourcritz321where anything related to base64 happens?

    • @jyothishkumar3098
      @jyothishkumar3098 25 днів тому

      Mc0Ca

    • @RandomGeometryDashStuff
      @RandomGeometryDashStuff 25 днів тому

      ​@@jyothishkumar3098"McOCa" is 5 characters
      base64 encoding length is divisible by 4
      5 is not divisible by 4

    • @globomantic
      @globomantic 23 дні тому

      It’s not base64 encoded, it’s url encoded. He was just wrong.

  • @LBCreateSpace
    @LBCreateSpace 23 дні тому

    Always learn a lot from you with this stuff. You explain it so well! Keep it up

  • @federicodidio4891
    @federicodidio4891 26 днів тому +3

    That was fun... 😂 I know you know, but I'll pointing out that at 2:34 it is just URL-encoding of plain ASCII, no Base64, so %27 is a single quotation mark and %20 is a space. I would expect the exploit to be a little bit different in the quotation style, by looking at 11:13... is it done on purpose to fool the skids? 🤔Am I blind? 😆Or maybe there was some string replacement along the way...? The stuff is pretty basic nonetheless, LOL 😁

    • @pyaehtetaung
      @pyaehtetaung 26 днів тому

      Place holder for uname n pass

  • @thepaaji
    @thepaaji 26 днів тому

    Dude Its my first time watching your video and this video just forced me to subscribe to you, just from a single video I got to learn hell a lot. Thanks Man!!

  • @Uvuv6969
    @Uvuv6969 26 днів тому +10

    At thjs point we need to make cyber security flaws illegal. Theres not really another way to force these companies to actually be responsible

    • @someonespotatohmm9513
      @someonespotatohmm9513 26 днів тому +6

      The EU kinda did, atleast they force a minimum ammount of years of updates for things like vulnerabilities now.

    • @Jodlkacke
      @Jodlkacke 26 днів тому

      @@someonespotatohmm9513 yeah we did... on smartphones as long as they are guarantee cases. so 2 years more or less. the d-link stuff mentioned here is EoL since 2017. not really fair to blame somebody to not have updated their old ass fk. anybody here mad at Microsoft for not patching Vista anymore? no? exactly the same thing.

  • @Loronline
    @Loronline День тому

    You say its the interns fault. But 9/10 it's the exhausted full time dev who tried to take a short cut to save time.

  • @mallninja9805
    @mallninja9805 26 днів тому +6

    This is the rare occasion I'm actually sort of on D-Links side. They're not even in the NAS business any more. I'm sure there are lots of 0-days lurking in the mountains of EOL hardware & software out there. At some point using old stuff becomes "use at your own risk"

    • @ShiltoCrarpo
      @ShiltoCrarpo 25 днів тому +1

      I don't like D-Link, at all, but I completely agree. For all we know, their engineers discovered this among other things, and that's WHY they killed the product. Corpo's would never call an end of life without immense pressure from the engineers, not while there's still any free milk left to squeeze.

    • @xjjfjfdjdh9993bbhhhh5hjjjjd
      @xjjfjfdjdh9993bbhhhh5hjjjjd 25 днів тому +2

      It's not an excuse to not inform the public if the info was made known and not allowing for the community to fix the bug on their own.
      If anything, they should write that on the product box with the warranty. If the product is out of warranty, you are at risk of your devices being hacked and the company will not make any further patches to protect you. This is not apparent to any consumer, because we don't know the End Of Life ahead of time and no public announcements are made.
      Maybe this more of a legislative issue regarding packaging, like food expiration dates.

  • @74Gee
    @74Gee 26 днів тому +1

    It's D-Link. Whenever I see their equipment hanging on walls I'm thinking let's have a poke around in there.

  • @TankR
    @TankR 26 днів тому +4

    Aaaaaand that is another final nail in the coffin for D-link anything now. I mean, on top of the surprise d-link is even a thing anymore still.... But yeah, that kind of reply, without say....releasing some source so the community can support the products they refuse to....has done exactly what they want but not how they want it. Yeah, Ill replace EVERY d-link device with NOT d-link now. Good job on the PR front d-link....morons....

    • @dieSpinnt
      @dieSpinnt 26 днів тому

      Stop it ... stop it!
      Take the hardware and install your own firmware.
      Or ... are you some kind of child? Not?!:)
      OpenWRT

    • @BartonChittenden
      @BartonChittenden 24 дні тому

      D-Link coffins are made of quarter inch balsa wood and three inches of coffin nails.

  • @leonkernan
    @leonkernan 26 днів тому +1

    D-Link has had these problems forever. The same thing was going on 10 years ago. Oh wait, it’s the same bloody devices!!

  • @30p87
    @30p87 26 днів тому +4

    > Gen-Z hates collars
    Not true, I have multiple collars! One even has my name :3