BolehVPN: Freedom Through Security

I just came across this article recently and was really shocked to find out that:

1. Unifi installs a user account in the router that allows remote access by TM staff
2. This remote access login was the same for ALL Unifi users (now rectified). This basically means that anybody with the login, could potentially gain access to your router
3. This was not made known to TM users.
4. You can actually use your own router if you know how to configure it. The reason why they require you to get THEIR router is so they have this remote access user installed.

The ramifications of these are serious and possibly if this was done in any developed nation, there would have already been legal suits:

1. Turn your router into a proxy, if he commits any crimes online it will be traced back to you instead and you will take the fall for it
2. Use your 10/20mbps Unifi account so he doesn’t have to pay for his
3. Use up your bandwidth quota (once quotas are implemented) as much as he wants and you will pay for it
4. ‘Spy’ on your Internet connection and view every site you are visiting
5. Forward all connections to your home PC using DMZ, making your home PC completely vulnerable to Internet attacks.. if you have an open NAS (network attached storage) on your home network, he will be able to access all your files

TM has now posted an announcement on this where they have given everyone a unique password for the remote access login instead of having the same password throughout but yet still recommends that remote access remain enabled for ‘technical support issues’.

Telekom Malaysia Berhad (TM) wishes to clarify the concerns raised by various parties with regards to the remote accessibility of UniFi routers which are part of the customer premises equipment (CPE) for all UniFi subscribers.

TM would like to assure all concerned parties that the only reason the UniFi router setting for remote access is enabled is for remote access troubleshooting purposes for the express use of our technical support personnel. In the event there is a technical support issue with any of our UniFi subscribers; at the first level of troubleshooting, TM’s network operation centre (NOC) can immediately remotely diagnose the problem before sending a support team on-site.

TM takes note of the security concerns that have been raised, and we have taken these issues to heart.

TM also acknowledges that there is a need to balance the public’s level of comfort with regards to security and privacy and TM’s own commitment to faster support turnaround time. As such, TM would like to maintain the higher level of service enabled by remote access management on customer routers, and in recognition of that TM will immediately change  every UniFi customers’ router management password into a high security, unique one (which will be only known to the customer and TM). TM will notify all our Unifi customers of this change accordingly.

This is simply despicable and utterly unacceptable behaviour. Take heed and disable your remote access management accordingly.

You can do so by unticking remote management and if you have a firewall on it, block all the ports (TCP 22/23/80/8080/443) from WAN access.

Thanks to rizvanrp and everyone else who brought this issue to light.

0 0 0 0

In a recent Twitter post, TM has removed the bandwidth cap on HSBB @ UniFi for now. With so much invested in making available HSBB and TM eager to get new subscriptions it is of course worried when the general feedback from the public was outrage at the bandwidth caps. After all, how are they going to get new subscribers if there’s so much negative press? There have been some calls that this was due to the power of social media, but I also have a feeling that it has a lot to do with the press’ decision to vocalize these opinions (see TheStar’s report).

However I suspect that this is not the end of the issue. TM is the company that installed P2P throttling devices despite public outcry. The fact is that there wasn’t a valid alternative provider and that’s why they could afford to do that. Its loss in revenue from pissed off customers (who probably couldn’t afford to cancel in any case) were offset by the massive savings in bandwidth. Now who’s to say they won’t slap the bandwidth cap back on once HSBB has a higher take-up rate and you’re already bound with your 12-24 months with them? What are you going to do? Not pay and  be internet-less in protest? Good luck with that.

It’s also worth nothing that TM can’t even get their UniFi site together. It refuses to display on Firefox despite updating to the latest Flash player.

Note the additional 's' at the bottom

Even on IE8, although it loads, it shows a code error and clicking in the Packages does not seem to do anything!

Love the boy's expression

Launch day wasn’t that much better:

Let’s see a year or two down the line how this pans out. For now, I’ll be still trying to get my damn 4mbps…

0 0 0 0

Check this out…looks like unlimited broadband for Malaysian users might be a thing of the past with the new HSBB @ UniFi plans imposing a bandwidth limit. Somehow an unlimited 4 mbps Streamyx connection despite the higher price seems to be a better proposition for the heavy downloaders.

Now the big question is whether they would still throttle P2P on top of the bandwidth caps? We welcome users who have HSBB/Unifi to give us some feedback on this.

As for Hypp.TV (with the a lame tagline of ‘It’s a Yoonic experience’ or is Yoonic the actual product name?), channel selection is poor and doesn’t look like it’s going to replace Astro anytime soon.

0 0 0 0

Just went to the TM site and noticed a countdown happening:

Clicking on it brings you to the HSBB teaser site which really doesn’t tease much since it’s just a bunch of text but lends us to believe that either HSBB is going to be launched then OR that HSBB’s details will be finalized then:

0 0 0 0