[mstromb]

"Rapid7 strongly recommends disabling UPnP on all external-facing systems," reads a little differently than "disable UPnP now"

Don't expose services to the internet that you're not willing to make public. Duh? What I got from this article is that some devices that people connect to the internet are configured poorly, probably came out of the box like that, and that maybe I should go double check that my router isn't misbehaving. Note that they have lists of vulnerable devices at the end of the paper, which I'll link here.

libupnp: https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dFd...

miniupnp: https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dDh...

soapapi: https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dGx...

The discussion of libupnp is kind of terrifying on its own: "There are no less than seven unique buffer overflows in version 1.3.1 of this code." Which sounds pretty bad until you notice that by "this code" they're referring to a single function.

The paper itself is much better than the Ars article, by the way.

[eropple]

> "Rapid7 strongly recommends disabling UPnP on all external-facing systems," reads a little differently than "disable UPnP now"

Ars Technica has been on a lowest-common-denominator kick as of late. Titles like this get more pageviews.

[Camillo]

If the smart audience weren't so hell-bent on using Adblock, maybe Ars wouldn't have to go after the dumb one for page views.

[SCdF]

I don't think it's that.

They've been fairly vocal in forums and random discussions about how page views are what's most important to them (when people complained about the site redesign the answer was invariably "page views are going up so it must be working").

So I think that's the direction they're heading in. Changing the format of the slug to be shorter and snappier improves page views. Following Kim Dotcom stories, holding reverence for anonymous and being pro-piracy gets them page views.

I do wish them all the best, and they are a business, but I do wish they were more interested in pleasing their '10,000 fans' deeply instead of everyone shallowly, since it's so hard to find that kind of thing these days.

(disclaimer, I used to pay money for Ars until the site design. Now I check it every day but read about a 10th of the articles I used to. Sad times.)

[vy8vWJlco]

"Following Kim Dotcom stories, holding reverence for anonymous and being pro-piracy gets them page views."

A difference of opinion isn't always pandering. (I find those stories pretty interesting actually, and I've been reading them for a long time too.)

[thedrbrian]

On the other hand how many of the smart audience actually click on or buy something through an advert? How many things do you buy on a whim due to a shiney advert? Being on the Internet I am only a quick google away from tens of reviews of practically anything and I'll factor that into a purchase decision more than a neat advert full of marketing fluff.

[chii]

or they could've gone the route of the new yorker and have a paywall. serving ads isn't the only source of revenue possible.

[hackinthebochs]

Yeah I really don't get the alarmism in the article, or in the white paper. Is there any legitimate reason to have UPNP exposed to the internet? If its exposed on a public network, why bother with a buffer overflow when the protocol itself is designed to open whatever ports you want.