ARRIS Cable Modem/Gateway Security Lapse Offers Hackers Two Backdoors Into Your Network

Phillip Dampier, November 23, 2015, Consumer News, Wireless Broadband

ARRIS, one of the country’s largest suppliers of cable modems, is under scrutiny after a security researcher discovered not one but two secret “backdoors” potentially affecting more than 600,000 of the company’s installed cable modems/home gateways, either of which could give hackers access to a customer’s equipment and home network.

Bernardo Rodrigues published a report of the exploits on his blog; the affected ARRIS cable modem models include the TG862A, TG862G, and DG860A. Rodrigues reports that only ARRIS and your local cable company can fix the security problems, and neither seems to be in much of a hurry.

The ARRIS Touchstone 860, which can be identified by its model number depicted on the front lower right of the modem.

“Securing cable modems is more difficult than other embedded devices because, in most cases, you can’t choose your own device/firmware and software updates are almost entirely controlled by your ISP,” Rodrigues writes. Indeed, very few cable modems allow users to update their equipment with the latest firmware themselves. To guarantee uniformity, that privilege is given exclusively to the cable company providing service, even if a customer owns the modem outright.

“ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password,” Rodrigues writes. “The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface “http://192.168.100.1/cgi-bin/tech_support_cgi” or via custom SNMP MIBs.”

While exploring the damage that backdoor could permit, Rodrigues stumbled on a second one, which is open to further exploitation by hackers.

“The undocumented backdoor password is based on the last five digits from the modem’s serial number,” Rodrigues wrote. “You get a full busybox shell when you log on the Telnet/SSH session using these passwords.”

ARRIS TG862

In plainer language, either backdoor allows a hacker to bypass the modem’s usual security protections and gives the intruder full remote access to the affected cable modem. Hackers have likely already identified the security lapse and exploited it; some suspect access key generators are already circulating that let an attacker automate attempts to reach affected modems on a significant scale.

Unfortunately for consumers, neither ARRIS nor cable operators appear to be rushing to update the affected firmware to eliminate the backdoors, having waited more than two months just to acknowledge Rodrigues’ report.

For now, customers using these devices exclusively as cable modems are least likely to suffer a serious security lapse. More at risk are consumers relying on these three models as both a cable modem and home gateway providing Wi-Fi access around the home. Theoretically, hackers could use one or both exploits to gain access to your home network. Consumers using one of the affected models should contact their local cable company and ask them to replace the device with an alternative, preferably from a different manufacturer.

At least one cable company reported they are working with ARRIS to correct the flawed firmware, but early efforts have not been successful. It may be prudent for some security-conscious customers not to wait.
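The article says the backdoor account can switch on Telnet and SSH on the gateway, so the practical question for a customer is whether those remote shell services are currently reachable from the home network at all. The following Python script is an added example, not code from the original article or from Rodrigues’ research: it probes the gateway for TCP ports 22 and 23 (the standard SSH and Telnet ports, an assumption; the firmware could bind them elsewhere) and prints a verdict in the spirit of the article’s advice. The 192.168.100.1 address is the one quoted in the article for the hidden administrative interface; the local-listener demo at the end is constructed so the code runs without any real modem.

```python
import socket
from typing import Dict

# Standard ports for the two services the article says the backdoor account
# can switch on remotely. Assumption: the gateway uses the default ports.
MANAGEMENT_PORTS = {"ssh": 22, "telnet": 23}

# The only gateway address the article gives (the hidden HTTP admin interface).
DEFAULT_GATEWAY = "192.168.100.1"


def port_accepts_connections(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered or timed out: all three count as "not reachable".
        return False


def exposed_management_services(host: str,
                                ports: Dict[str, int] = MANAGEMENT_PORTS,
                                timeout: float = 1.0) -> Dict[str, bool]:
    """Map each service name to whether its port is reachable on host."""
    return {name: port_accepts_connections(host, port, timeout)
            for name, port in ports.items()}


def risk_summary(results: Dict[str, bool]) -> str:
    """One-line verdict: which remote shell services are reachable from the LAN."""
    open_services = sorted(name for name, reachable in results.items() if reachable)
    if not open_services:
        return "no remote shell services reachable from the LAN"
    return ("remote shell reachable via " + ", ".join(open_services)
            + "; ask the cable operator for a firmware fix or a replacement gateway")


def demo_against_local_listener() -> Dict[str, bool]:
    """Constructed demonstration: a listening socket on localhost stands in for an
    enabled Telnet daemon, and a port that was bound then released stands in for
    an SSH service that is switched off. No real gateway is contacted."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)            # the kernel completes handshakes without accept()
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                 # nothing listens on this port now

    try:
        return exposed_management_services(
            "127.0.0.1", {"telnet": open_port, "ssh": closed_port}, timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    print("local demo:", demo_against_local_listener())   # {'telnet': True, 'ssh': False}
    live = exposed_management_services(DEFAULT_GATEWAY)
    print(DEFAULT_GATEWAY, live, "->", risk_summary(live))
```

A closed port only shows that the shell services are off right now; since the article describes the backdoor switching them on remotely, a clean result is no substitute for the firmware fix or replacement gateway the article recommends.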

Comcast Launches Online Video Service It Exempts from Its Own Data Caps

Comcast is inviting controversy by launching a new live streaming TV service targeting cord-cutters while exempting it from its own data caps.

Comcast’s Stream TV is comparable to Comcast’s Limited Basic lineup, only instead of using a set-top box, Stream TV delivers online video over the Internet to Comcast’s broadband customers in Massachusetts, New Hampshire, Maine and the Greater Chicago area. For $15 a month, Stream TV offers a large package of local over the air stations, broadcast networks, and HBO, along with thousands of on-demand titles and cloud DVR storage. In Boston, the lineup includes:

WGBH (PBS), HSN, WBZ (CBS), NECN, WHDH (NBC), Community Programming, BNN-Public Access, WWDP-Evine Live, WLVI (CW), WSBK (MyTV), WGBX (PBS), WBIN (Ind.), WBPX (Ion), WMFP (Ind.), The Municipal Channel, Government Access, WFXT (FOX), WCEA (MasTV), WUNI (Univision), EWTN, C-SPAN, CatholicTV, POP, QVC, WYDN (Daystar), WUTF (UniMas), WNEU (Telemundo), Jewelry TV, XFINITY Latino, WGBH World, WGBH Kids, Trinity Broadcasting Network, WGBH Create, Leased Access, WBIN-Antenna TV, WBIN-GRIT TV, WNEU-Exitos, WLVI-BUZZR, WCVB (Me-TV), WFXT-MOVIES!, WHDH-This TV, WFXZ-CA, WUNI-LATV, WFXZ (Mundo Fox), WBZ-Decades, and WFXT-Laff TV, plus HBO. The package also qualifies the customer as an authenticated cable TV subscriber, making them eligible to view TV Everywhere services from many cable networks.

Comcast is offering the first month of Stream TV for free with no commitment to its broadband customers subscribed to at least XFINITY Performance Internet (or above). Up to two simultaneous streams are allowed per account and some channels may not be available for viewing outside of the home. Comcast claims it will expand Stream TV to Comcast customers nationwide in 2016. Comcast will not be selling the service to customers of other cable or phone companies, limiting its potential competitive impact.

Competitors like Sling TV offer their own alternatives to bloated cable TV subscriptions at a similar lower price, and they will sell to anyone with a broadband connection. Sling alone is partly responsible for Comcast’s loss of hundreds of thousands of cable TV customers who don’t want to pay for hundreds of channels many never watch. That Comcast might want to launch its own alternative online video package to retain customers is not a surprise. But Comcast’s decision to exempt Stream TV from the company’s data caps while leaving them in place for competitors is sure to spark a firestorm of controversy.

Comcast claims it is reasonable to exempt Stream TV from the 300GB data cap it is testing in a growing number of markets.

“Stream TV is a cable streaming service delivered over Comcast’s cable system, not over the Internet,” wrote Comcast in its FAQ. “Therefore, Stream TV data usage will not be counted towards your Xfinity Internet monthly data usage.”

More precisely, Comcast claims it relies on its own internal IP network to distribute Stream TV, not the external Internet competitors use to reach ex-Comcast cable TV subscribers. Comcast’s premise is it is less costly to deliver content over its own network while Internet traffic comes at a premium. Critics will argue Comcast has found an end run around Net Neutrality by relying on usage caps to influence customer behavior.

For the moment, Netflix is reserving comment after being contacted by Ars Technica. But Sling TV and other services that depend on Comcast’s broadband to reach customers will likely not remain silent for long.

Comcast could effectively deter consumers from using competing online video services with the threat of overlimit fees if customers exceed their usage allowance. The cable company could even use the fact its services don’t count against that allowance as a marketing strategy.

Stop the Cap! has warned our members about that prospect for years. Preferential treatment of certain content over others by playing games with usage caps and overlimit fees could have a major impact on emerging online video competition. Since Comcast owns both the broadband lines and the online video service, it can engage in anti-competitive price discrimination. Competitors will also argue that Comcast’s internal IP network is off-limits to them, making it impossible to deliver content on equal terms over a level playing field.

The next move will likely come from the FCC in response to complaints from Comcast’s competitors. As Ars Technica notes, the Federal Communications Commission’s Net Neutrality rules allow for complaints against so-called zero-rating schemes, with the commission judging on a case-by-case basis whether a practice “unreasonably interferes” with the ability of consumers to reach content or the ability of content providers to reach consumers.

With Comcast’s usage caps and overlimit fees, the only reaching will be for your wallet. Consumers need not wait for Sling TV and others to complain to the FCC. You can also share your own views about Comcast’s usage caps by filing a complaint with the FCC here.

Verizon Wireless Giving Away Free GBs of Data to Those Who Ask

Since Verizon Wireless stopped selling unlimited data plans and turned data into a precious commodity usually worth about $10 per gigabyte, the company can afford to give some of it away to its loyal customers.

This holiday season, Verizon Wireless is handing out up to 3GB of wireless data a month, but only to those who ask. As part of Verizon’s Thanksgiving promotion targeting holiday travelers, customers can get a free gigabyte for use immediately and another gigabyte to use next month just by clicking on a link. The offer can only be redeemed once per account on qualifying plans and is shared by all lines on an account.

Users who want even more free data can snag an extra 2GB a month for three months by downloading Verizon’s Go90 online video app (for iOS and Android) and registering for an account. Your confirmed registration will trigger an immediate gift of 2GB of wireless data for your current month’s data plan and an extra 2GB for the next three billing cycles as well. If Go90 proves uninteresting, you can uninstall it and still get free data during the length of the promotion.

This promotion is only good if you have a More Everything or Verizon Plan. It is not available if you use prepaid service, a different grandfathered plan, or do not keep your account in good standing. National and government accounts also do not qualify. Go90 videos are disabled for jailbroken or rooted devices, although you may still register and participate in the promotion if you use such a device.

Among Verizon’s other Thanksgiving promotions customers can grab on Wednesday, Nov. 25:

  • A free $5 iTunes Gift card while supplies last;
  • An unspecified number of free eBooks, music, movies, TV and app downloads from Amazon.com;
  • A free 30-day trial of Pandora One;
  • Up to $20 off a Lyft ride, where available;
  • Free airport Wi-Fi from Boingo;
  • Free 30-minute Gogo Wi-Fi session on select airlines.

Verizon’s website offers an option to send yourself a reminder to participate when the promotions become active next week.

Cable Customers Who Bought Their Own Modems Will Pay Built-In Modem Fee With Charter

Time Warner Cable customers who purchased their own cable modems to avoid the company’s $8 monthly rental fee will effectively be forced to pay those fees again, indirectly, if Charter Communications wins approval to buy the cable operator.

A major modem manufacturer, Zoom Telephonics, has asked the Federal Communications Commission to reject Charter’s buyout of Time Warner Cable and Bright House Networks because it will hurt cost-conscious consumers that invested in their own equipment to avoid costly modem rental fees.

Zoom’s argument is that Charter builds modem fees into the price of its broadband service and offers no discounts to consumers that own their own equipment. At least 14% of Time Warner Cable customers have purchased their own modems and are not charged the $8 rental fee. Charter has promised not to charge separate modem fees for three years after its acquisition deal is approved, but that also means the company is building the cost of that equipment into the price of broadband service.

Zoom has an interest in the outcome because Charter has yet to approve any Zoom cable modem model for use on its network. Time Warner Cable has certified at least one Zoom model in the past. Assuming the buyout is approved, consumers would have a disincentive to buy Zoom cable modems (or those manufactured by anyone else) because the equipment will be provided with the service.

Zoom has tangled with Charter before, most recently in the summer of 2014 when it criticized Charter’s policy forbidding new customers from using their own modems with Charter’s service. From June 26, 2012 until Aug. 22, 2014, Charter’s website stated, “For new Internet Customers and customers switching to our New Package Pricing, we will no longer allow customer owned modems on our network.”

Zoom claims Charter modified that policy three days before a key FCC filing deadline that could have eventually brought regulator attention on the cable operator. But Zoom remains unhappy with how Charter deals with the issue of customer-owned equipment.

“Charter has still not adopted certification standards that are open to Zoom and other cable modem producers, nor has Charter yet made a commitment for timely certifications under this program,” Zoom claimed in the summer of 2014. “Of the 17 cable modems Charter shows as qualified for customer attachment to its network, not one is stocked by leading cable modem retailers Walmart, Staples, and Office Depot and not one has 802.11ac wireless capability. Charter still does not separately list the cost of its leased modems on customer bills, and Charter does not offer a corresponding savings to all customers who buy a qualified cable modem and attach it to the Charter network.”

Zoom wants Charter to be required to offer consumers that own their own equipment a tangible monthly discount for broadband service as a condition of any merger approval.

“The Communications Act says that cable companies should sell cable modem leases and Internet service separately,” Andrew Jay Schwartzman, a professor at Georgetown University Law Center who is representing Zoom, told the Los Angeles Times. “By combining the prices, Charter’s customers are deprived of the ability to purchase advanced cable modems and save the cost of monthly rental fees.”

Charter argues the Act only covers set-top boxes used for cable television service, not modem fees. Charter also claims its introductory prices are lower than what most cable companies charge, modem fee or not.

“Customers will benefit from Charter’s pro-customer and pro-broadband model with transparent billing policies,” Tamara Smith, a Charter spokeswoman, told the newspaper. “It features straightforward, nationally uniform pricing with no data caps, no usage-based pricing, no modem fees, no early termination fees and does not pass on federal or state Universal Service Fund fees to customers.”

But Charter is only guaranteeing those customer-friendly policies for three years, after which it can raise prices and add fees at will.

Did the Paris Terrorists Really Use an Internet-Connected PlayStation 4 to Coordinate Attack?

Phillip Dampier, November 17, 2015, Editorial & Site News, Public Policy & Gov't

Less than a week after ISIS-connected terrorists in Paris allegedly killed at least 129 people in a coordinated attack, false reports continue to spread through news services and social media. It’s enough to make you cringe.

On Sunday, media outlets began turning their attention to a “contributor” piece appearing on Forbes‘ website that suggested terrorists may have used a popular game console connected to the Internet to discuss and plan the attack:

The hunt for those responsible (eight terrorists were killed Saturday night, but accomplices may still be at large) led to a number of raids in nearby Brussels. Evidence reportedly turned up included at least one PlayStation 4 console.

Belgian federal home affairs minister Jan Jambon said outright that the PS4 is used by ISIS agents to communicate, and was selected due to the fact that it’s notoriously hard to monitor. “PlayStation 4 is even more difficult to keep track of than WhatsApp,” he said.

After nearly 500,000 views of the Forbes article, the author admitted to a gaming publication that he got his story wrong. It has since been edited to remove several serious factual errors. How could Forbes have gotten the story so wrong?

Phillip Dampier

Forbes does not strictly edit the content of its large base of online contributors, a model that increasingly resembles the Huffington Post’s. As a result, Forbes disavows (in small print) any editorial connection to its writers, stating their opinions do not represent the venerable business publication. But few in the media seemed to notice that the disclaimer suggested some skepticism might be appropriate. Instead, the story spread unquestioned like wildfire.

By Monday, Kotaku attempted to set the record straight, verifying that Jambon’s comments were actually delivered on Nov. 10, three days before the Paris attack, and only in the context of Belgium’s generally perceived security weaknesses. Claims that a PlayStation 4 was seized from an attacker’s apartment have now been declared “an editing error,” and the author has backed even further away from his inference that it was used to help coordinate the attack. That is a charitable way of saying the central thesis of the Forbes story about the events in Paris was entirely wrong.

“This was actually a mistake that I’ve had to edit and correct,” Forbes writer Paul Tassi told Kotaku on Monday. “I misread the minister’s statement, because even though he was specifically saying that PS4 was being used by ISIS to communicate, there is no public list of evidence list of what was found in the specific recent raids. I’ve edited the post to reflect that, and it was more meant to be about discussing why or how groups like ISIS can use consoles. It’s my fault, as I misinterpreted his statement.”

The idea that ordinary Internet-connected game consoles can be used to quietly coordinate major terror attacks proved irresistible catnip for cable news. CNN and MSNBC both discussed the implications of terrorists equipped with game consoles, while Fox News further amplified the claim to suggest government agencies might not be monitoring these communications, opening a national security risk. Fox News even dubbed the Paris attack a “Joystick Jihad,” removing one sentence from its initial report to correct the claim that a game console was seized, but leaving the rest of its story intact:

“There is no doubt that terrorists and other underground networks are using PlayStation and other non-traditional means to communicate with each other,” said Paul Martini, CEO of cyber security specialist iboss Cybersecurity, in a statement emailed to FoxNews.com. The CEO noted that the languages and protocols that PlayStation uses to communicate over the Internet are much different from those used in web browsers and other apps. “They are typically encrypted communication channels that are built on custom-designed languages built for speed and security – since PlayStation involves multi-player Internet connected users, it’s very distributed, high speed and difficult to track and monitor,” Martini added.

Videogame network or terrorist digital meeting spot?

Friday evening’s attacks are being used by a variety of interest groups to push various agendas, ranging from promoting military intervention in Syria to stopping Syrian refugees from entering the United States. But privacy groups also fear the Forbes story will be used to argue for extending government surveillance beyond telephone calls, text messaging, and Internet traffic into third-party private encrypted networks like Sony’s PlayStation Network. In 2013, whistleblower Edward Snowden claimed the NSA and CIA were already there.

British newspaper The Telegraph suggested Sony’s private network has hardly proven itself an impenetrable digital Fort Knox:

Sony doesn’t exactly have a great reputation for security. A hack of PSN in 2011 saw 77 million users affected by personal data theft, and a hack emerged in December last year that saw many personal details of celebrities and other public figures leaked.

Media critics complain there is a danger that the demand for immediate news results in information being reported before it can be sufficiently sourced and verified. Elements of stories later proven wrong can remain part of a story’s narrative, even when quickly discredited or changed as a result of newly obtained information. Examples of this are especially common on social media. Less serious examples include photographs shared on Twitter and Facebook purporting to be from Paris that were actually taken months earlier, and depictions of solidarity with Paris from around the world that were often taken from other, unrelated events. More serious are the false narratives that can damage a brand’s reputation, prod policy changes, or even fuel new laws, such as efforts to further extend surveillance.

While the corrections are helpful and appropriate, the rush to print first and verify later is becoming more common than ever. The Forbes author claimed he made a “reporting mistake” because he rushed to judgment in connecting Jambon’s earlier statements to the Paris attacks. But that does not explain or justify his more important claim that a PlayStation 4 console was found as a result of the raid, or his suggestion that it was used to plan and coordinate a terrorist attack.

So our advice to Forbes’ authors is simple. A story about a game console being used by terrorists was never going to be treated as merely an interesting story angle. It would be used by the media, pundits, and officials to debate whether national security is at risk unless surveillance improves. Some will go as far as to suggest controls on game consoles or new government authority to monitor the games and those playing them. Before we have that debate, let’s at least get the story right. We’ve seen the results of public policy changes based on flawed intelligence and erroneous media reports too often. Let’s not do that again.

Correction: Original story referenced “Kontaku,” which has been corrected to reflect the site’s actual name – Kotaku. Thanks to Mark E. for spotting the error.
