Superuser
Message 11 of 39

Re: Virgin super hub 3 firmware


Sephiroth wrote:

It's totally unreasonable. If VM know full well that there is a vulnerability, it is their duty to fix it quickly. Firmware versions come out very rarely and that would be inconsistent with the need for quick fixes due to vulnerabilities. Everyone else, like Microsoft & Apple manage to get fixes out weekly or monthly - because it is correct practice.

Seph, have to disagree here. Security exploits are fixed pretty promptly by VM. One particular exploit was fixed in around a week and before the information was available in the public domain. If only they prioritised and fixed other issues as quickly.

 

Hamrag
Message 12 of 39

Re: Virgin super hub 3 firmware

My point here was if there is a security vulnerability that puts users at risk, it's not unreasonable to keep quiet about the exact details until an urgent fix has been pushed out. I think it is reasonable however to say there is a vulnerability, but not to expose the details (otherwise nasty people will exploit that vulnerability). Not all users have the same hardware, so it's not necessarily one patch that's required.

A second issue is that for any users with hardware that allows them to choose when they update, those users will remain vulnerable until they do update. So it would be wise to notify them of the urgency or force it upon them, but keep the details hidden.

Superuser
Message 13 of 39

Re: Virgin super hub 3 firmware


Hamrag wrote:

My point here was if there is a security vulnerability that puts users at risk, it's not unreasonable to keep quiet about the exact details until an urgent fix has been pushed out. I think it is reasonable however to say there is a vulnerability, but not to expose the details (otherwise nasty people will exploit that vulnerability).

That's not how telecoms companies think or work. 99% of users are not capable of understanding the extent of a security vulnerability and how it does or does not impact them. So mentioning anything without the details is often detrimental and just leads to unnecessary panic and further questions. The conspiracy theorists then have a field day.

Personally I would rather there was an open process of exploit notifications, however my experience is that the majority of users would worry unnecessarily about such notifications.

Not all users have the same hardware, so it's not necessarily one patch that's required.

It is often one patch that's required (when talking about VM hardware), because exploits generally do not apply to all models, especially when models are from different brands.

A second issue is that for any users with hardware that allows them to choose when they update, those users will remain vulnerable until they do update.

Virgin do not operate equipment where the user can control the firmware update process.

So it would be wise to notify them of the urgency or force it upon them, but keep the details hidden.


VM operate the automatic firmware update method.

Sephiroth
Message 14 of 39

Re: Virgin super hub 3 firmware


MUD_Wizard wrote:


<SNIP>  Som

VM operate the automatic firmware update method.


... and that is for their support convenience and not for the users' benefit. If you can't roll back/forward when you hit a firmware bug, then it's bad practice by the vendor.

VM are very poor in their support practices - at least as far as broadband is concerned. (See offshore for details). An insider once told me that they keep offshore because it is cheap and they have 95% fix statistics. Who keeps/makes the statistics??!!??

 

Seph - ( DEFROCKED - My advice is at your risk)

DavidJWalker
Message 15 of 39

Re: Virgin super hub 3 firmware

I have this:

Standard specification compliant : DOCSIS 3.0
Hardware version : 10
Software version : 9.1.116V

Is this the new one? If it is, go to chat and ask for a line reset; this may be in this update.

Using VIVID 350 Optical Fibre, Player TV, Talk Weekends



Just another VM user trying to help out so my answers may be wrong.
If you do like my answer please mark it as helpful; it may help others
Hamrag
Message 16 of 39

Re: Virgin super hub 3 firmware


MUD_Wizard wrote:

Hamrag wrote:

My point here was if there is a security vulnerability that puts users at risk, it's not unreasonable to keep quiet about the exact details until an urgent fix has been pushed out. I think it is reasonable however to say there is a vulnerability, but not to expose the details (otherwise nasty people will exploit that vulnerability).

That's not how telecoms companies think or work. 99% of users are not capable of understanding the extent of a security vulnerability and how it does or does not impact them. So mentioning anything without the details is often detrimental and just leads to unnecessary panic and further questions. The conspiracy theorists then have a field day.

Well that comes down to how it's presented, if 99% of people cannot understand the vulnerability then it's being presented very badly. After 30 years in hardware and IT, I am well aware of how unprofessional vendors can be.

They cannot say "a user's hub can be remotely controlled by anyone, after pinging it with 192.168.123.123". But they could say "An urgent firmware upgrade is required in order to fix a vulnerability where the hub could potentially be remotely controlled".

If you look at security updates from the major software vendors, that's how they state it i.e. reporting the vulnerability without giving hackers the details.

Personally I would rather there was an open process of exploit notifications, however my experience is that the majority of users would worry unnecessarily about such notifications.

Not all users have the same hardware, so it's not necessarily one patch that's required.

It is often one patch that's required (when talking about VM hardware), because exploits generally do not apply to all models, especially when models are from different brands.

It's also often not too. I have experience of an attack that could compromise more than one item of hardware. That was an attack on my company network to do with a default setting rather than a functional issue. It was where different brands of equipment were all set up with a particular setting that defaulted to "off" and represented a vulnerability. I could flip that switch to "on", but a firmware update was made for each type of equipment to set it as "on", although the user could then choose to revert it to "off".

A second issue is that for any users with hardware that allows them to choose when they update, those users will remain vulnerable until they do update.

Virgin do not operate equipment where the user can control the firmware update process.

You sure about that? The D-Link router (DIR615) I got from VM has a firmware upgrade button on the GUI. Many people re-flashed theirs with open source DD-WRT.

Superuser
Message 17 of 39

Re: Virgin super hub 3 firmware


Sephiroth wrote:

MUD_Wizard wrote:


<SNIP>  Som

VM operate the automatic firmware update method.


... and that is for their support convenience and not for the users' benefit. If you can't roll back/forward when you hit a firmware bug, then it's bad practice by the vendor.

VM are very poor in their support practices - at least as far as broadband is concerned. (See offshore for details).

Agreed.

An insider once told me that they keep offshore because it is cheap and they have 95% fix statistics. Who keeps/makes the statistics??!!??

You don't need to ask an insider to realise that.

It's like those god-awful telephone menus every company uses.

Can't wait for the artificially intelligent phone menus with a bad attitude.

 


 

Superuser
Message 18 of 39

Re: Virgin super hub 3 firmware


Hamrag wrote:

Well that comes down to how it's presented, if 99% of people cannot understand the vulnerability then it's being presented very badly. After 30 years in hardware and IT, I am well aware of how unprofessional vendors can be.

Agreed, however most VM users are not power users.

They cannot say "a user's hub can be remotely controlled by anyone, after pinging it with 192.168.123.123". But they could say "An urgent firmware upgrade is required in order to fix a vulnerability where the hub could potentially be remotely controlled".

Ahem, yes.

 

I have experience of an attack that could compromise more than one item of hardware.

Indeed, I did say 'generally'.

Virgin do not operate equipment where the user can control the firmware update process.

You sure about that? The D-Link router (DIR615) I got from VM has a firmware upgrade button on the GUI. Many people re-flashed theirs with open source DD-WRT.


Virgin don't operate that equipment, the user does. The D-Link routers haven't been supplied by VM for years and did they ever support them?

I was excluding 3rd party hardware (like powerline homeplugs) that can be purchased from VM and just talking about Hubs.

awalos
Message 19 of 39

Re: Virgin super hub 3 firmware

What is this about?

After the change to SuperHub 3....

5865437835.png

Earlier on SuperHub 2ac...

 

awalos
Message 20 of 39

Re: Virgin super hub 3 firmware

What is this about?

After the change to SuperHub 3....

5865437835.png

Earlier on SuperHub 2ac...

08.12.2016.png

 
