uhm no. The security risk is there, whether you create it or not.Aveamantium wrote: Lastly, the security risk is there if you create it.
Some of you folks - despite ALL the evidentiary posts supporting this notion - are in denial that ORDINARY folks will KNOW what poses a threat and what doesn't. If they don't know what poses a threat, then there is a very good chance that they are going to accidentally trigger such a threat. This is EXACTLY why things like trojans, worms, all forms of malware etc are propagated - through UNSUSPECTING AND OTHERWISE CLUELESS EVERYDAY FOLKS.
Take ANY router for example, it has built-in security rules which, even if you enable the DMZ, you have some level of protection. With Ooma, NO SUCH THING EXISTS. If you enable it and configure it improperly - as most have seemingly done and many are more than likely to - then ANYONE on the outside world can gain access to your Ooma config page and subsequently your network (or standalone machine) ports.
The Ooma device IS NOT A ROUTER. So there is NO REASON why it should act like one. But in config option 2A, that is exactly what they're suggesting. Which - apart from being horrified that the Ooma interface had no security settings (username+password) - is what led me to write up this thread EXPLAINING the threat.
But some folks here are making light of it and treating this like it was some false alarm. It is not.
So I have filled out a threat report and submitted to three security sites that I work with. So there, you folks in denial will probably put more stock into this once this is propagated across the Net.
And lets not even go into the fact that by promoting 2A, folks are literally telling people to bypass their othewise robust and capable router and router/modem devices - with ALL their built-in security - in exchange for the half-a$$ed crap that Ooma passes off as a router. And UNPROTECTED one at that.
For the record, I am a 30+ year IT veteran with several published products and works and have worked in all fields you can possible think of in technology. So when I see a device such as this providing access to a router and internal network and WITHOUT so much as a SIMPLE security (username+password) interface, alarm bells start ringing. Which is why I decided to probe during installation to see just how serious the threat was.
Listen, I've said this before, if you feel that I'm wrong, fine - I don't care. People who have one iota of common sense will read what I have written and decide for themselves. Those who don't understand it are the ones who will end up making an uninformed decision and most likely end up compromising their system.
The funniest - and most ludicrous thing I've read thus far about this is coming from people who say that if you're worried about security, you should turn off your net access. How can you POSSIBLY take such (or any comment for that matter) people seriously.
The information is there, do what you want with it because it is of no consequence to me. What I take issue to is people trying to pass off what I've written as if it were nonsense or a false alarm.