

One Packet and it all Falls Down (Youtube) - Prefect
http://www.youtube.com/watch?v=ydo945gSnms

======
unwind
This is a dupe of
<http://news.ycombinator.com/item?id=1038701>.

------
kuda
Wow, I hope Juniper can fix that soon.

~~~
milkshakes
apparently, they did:

 _In short, we fixed this particular problem about 350 days ago._

[http://forums.theregister.co.uk/forum/1/2010/01/07/juniper_c...](http://forums.theregister.co.uk/forum/1/2010/01/07/juniper_critical_router_bug/)

~~~
Groxx
The message now being "upgrade your damn hardware('s firmware)". Security /
stability upgrades are made _for a reason_. Use them, or possibly suffer the
consequences.

~~~
colonelxc
Easier said than done. In the ideal network, sure, you'd have extra network
hardware to test the update on, to make sure it didn't break your
configuration. You might also have failover network equipment so that the
network would stay up while you upgraded it in pieces.

Of course even with few resources, you should still strive to make updates,
maybe during the middle of the night (hope your customers don't need to access
your network until morning), and be prepared to roll back if things don't go
according to plan.

That is, if you even knew there was an update. Unlike Windows, your router
isn't going to keep popping up little bubbles to tell you to update.

So yes, it is your responsibility as an IT admin to keep the network secure,
but there are still a lot of obstacles that mean that overloaded admins will
forget or procrastinate. I don't know much about the vuln, but it appears to
affect telnet. If that was the only thing patched in that update (or I didn't
care about the other features that were being patched at the same time), I
would just make sure telnet was closed and leave it be.

EDIT: Ok, looked more into the vuln, apparently any open ports make it
vulnerable, as it is a problem with how they handled the tcp headers. Only
reasonable solution here is to patch.

~~~
Groxx
"That is, if you even knew there was an update. Unlike Windows, your router
isn't going to keep popping up little bubbles to tell you to update."

And if your company values its security at all, they should be certain that
their IT people are checking for such things. They know the hardware, so they
know the websites where exploits / updates are listed. Have a folder of
bookmarks, and check it once a week, and you wouldn't be caught off-guard by
(relatively) ancient exploits. The alternative is equivalent to a company
using the oldest version of XP, expecting there to be no security problems
because they aren't _looking_, and don't want to risk updating to a more
secure system. Bring on the viruses / script kiddies!

I'll agree that upgrades can cause troubles, sometimes extreme, but they
should be _expected_ at some point in the future. Expecting otherwise is
expecting your hardware / software to be eternally flawless, which is
ludicrous. Even something as simple as a light switch sometimes needs to be
repaired / replaced, and that's just a physical switch, almost literally as
simple as it can be. If you continued using a light switch that sparked and
smoked every time you switched it _for a year_, and your house burns down,
you really only have yourself to blame. Sure, replacing it means calling in an
electrician, or doing it yourself, both of which bring their own dangers, but
when the alternative is relatively _likely_ catastrophic failure eventually,
it's probably worth it.
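One way to turn the "bookmark folder, check it once a week" routine above into something that does the checking for you, as an added example that is not code from the thread, from Juniper or from any vendor: it parses an RSS-style advisory feed, matches each entry against an inventory of the products and versions you actually run, and reports only the entries you have not already looked at. The feed text, vendor name, product names, version numbers and URLs are all constructed for the example; the assumption that an advisory states its fix as "Fixed in X" is likewise an assumption about the feed's wording, not a property of any real feed.

```python
"""Advisory feed triage: report unseen advisories that affect what you run.

Added example. The feed below is constructed; the vendor, products, versions
and URLs are invented and describe no real advisory.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed sample feed in RSS 2.0 shape (assumption: the vendor publishes one).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>Example vendor security advisories (constructed)</title>
<item>
<title>Crafted TCP packet can restart the routing engine</title>
<link>https://vendor.example/advisories/2009-0001</link>
<pubDate>Wed, 21 Jan 2009 10:00:00 +0000</pubDate>
<description>Affects ExampleOS 9.1 through 9.5. Fixed in 9.6.</description>
</item>
<item>
<title>Web management UI cross-site scripting</title>
<link>https://vendor.example/advisories/2009-0002</link>
<pubDate>Mon, 02 Mar 2009 09:30:00 +0000</pubDate>
<description>Affects ExampleOS 9.4 with the web UI enabled. Fixed in 9.5.</description>
</item>
<item>
<title>SwitchOS CLI privilege escalation</title>
<link>https://vendor.example/advisories/2009-0003</link>
<pubDate>Tue, 05 May 2009 12:00:00 +0000</pubDate>
<description>Affects SwitchOS 2.0 through 2.3. Fixed in 2.4.</description>
</item>
</channel></rss>
"""

# Assumption about feed wording: the fix is announced as "Fixed in <version>".
FIXED_IN = re.compile(r"Fixed in (\d+(?:\.\d+)*)")


@dataclass(frozen=True)
class Advisory:
    title: str
    link: str
    published: datetime
    description: str


def version_tuple(version):
    """'9.10' -> (9, 10): compare numerically, not lexically ('9.10' > '9.9')."""
    return tuple(int(part) for part in version.split("."))


def parse_feed(xml_text):
    """Turn an RSS 2.0 document into Advisory records (one per <item>)."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        advisories.append(Advisory(
            title=item.findtext("title", "").strip(),
            link=item.findtext("link", "").strip(),
            published=parsedate_to_datetime(item.findtext("pubDate", "").strip()),
            description=item.findtext("description", "").strip(),
        ))
    return advisories


def fixed_version(advisory):
    """Version tuple named after 'Fixed in', or None if the feed states none."""
    match = FIXED_IN.search(advisory.description)
    return version_tuple(match.group(1)) if match else None


def affects(advisory, product, installed):
    """True when the advisory names the product and the installed version predates
    the fix. With no fix version stated, err on the side of 'still affected'."""
    text = f"{advisory.title} {advisory.description}".lower()
    if product.lower() not in text:
        return False
    fixed = fixed_version(advisory)
    return fixed is None or version_tuple(installed) < fixed


def triage(xml_text, inventory, seen_links):
    """Unseen advisories that affect at least one inventory entry, oldest first."""
    hits = []
    for adv in sorted(parse_feed(xml_text), key=lambda a: a.published):
        if adv.link in seen_links:
            continue
        if any(affects(adv, product, version) for product, version in inventory):
            hits.append(adv)
    return hits


if __name__ == "__main__":
    # Constructed inventory: one router still on 9.4, one switch already on 2.4.
    inventory = [("ExampleOS", "9.4"), ("SwitchOS", "2.4")]
    for adv in triage(SAMPLE_FEED, inventory, seen_links=set()):
        print(adv.published.date(), adv.title, adv.link)
```

Run it weekly from cron with the real feed fetched over HTTPS and the `seen_links` set persisted to disk, and the output is exactly the list of things still worth reading: in the sample run the switch on 2.4 is already at its fix version and is filtered out, while both ExampleOS entries surface for the router on 9.4. The product-name match is deliberately loose (substring of title plus description); tightening it to a vendor's product identifiers is the first thing to adjust for a real feed.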

