@boots in all seriousness, we're pretty hard on stuff like this in firmware because @rachel and the rest of us have been working on our own platform for this kind of stuff... that actually takes into security into consideration.

hope we have the spoons to work on it more soon !

@boots I don't know what to say to that.

Well fuck?

@boots

Is there an API method to turn on remote management, too?

Because if so, you might want to get in touch with people who can make sure critical level cert advisories get published...

@ghedipunk well, not if you're outside the network, because youd have to be able to access it to do it

@boots

*I* don't have to be inside of your network to get your browser to execute arbitrary Javascript to send POST requests to your router.

I don't even have to get you to visit my site; I just put the code in an ad, and let the ad networks pwn the Belkin owners for me.

@ghedipunk well, i dont know if it has anti-csrf, but...

@boots Do you have to be inside the network for this to work, though?

@mdm noooope

@boots What port is it over? That should be closed to the outside by default, right.

@mdm it is, 8080
remote management is not on by default, but the router settings imply it's fine if you have an admin password set

@boots Ah -- I knew I hated remote management for a reason. :P

@mdm honestly, oem router firmware is just
always bad
like, i dont know any oem firmware that isn't the worst