Hacked routers - what to do?

Hello. I have found a major security bug that easily allows for rooting of one of the largest American ISP's default routers that they supply their residential customers.

I did a subnet scan on only one of their 60+ /14s. I got at least 4,500 susceptible clients that can be rooted in only ONE of their /14s.

So my question is, what should I do? I have the possibility of having a very fucking huge botnet, all for free, and all off very fast residential connections (which would not be legal, nor would I ever do; I am just stating that is "an option"). Or, the ISP could fix the problem if I harass them enough about it.

I already contacted the ISP 3 times - one 6 months ago, another 4 weeks ago, and again last night.
The main guy at their NOC basically stated that the customer needs to "protect their own security", and that it is not "the ISP's job to secure the users".

What should I do?! I want this problem fixed, but I also do not want all their customers to have fucked up Internet (if I release the bug, everyone will slurp it up and fuck up the people's routers, etc)

Thanks in advance for any suggestions on what I should do.

If it were me I'd go the full disclosure route, but I'm a dick like that.

Send the "Sussman" signal.

Just make your botnet and then leave it alone. Nobody will know it's you.

>>4
He shouldn't have posted in here if he wanted to do that.

My opinion? Do whatever you want. Your options:
1) Disclose it if you want improved security for everyone and a lot of skiddies hacking routers.
2) Keep it private to be forgotten or maybe used some day when you need it.
3) Abuse the hell out of it. Probably a bad idea, since if you wanted to do that, you wouldn't have posted about it in here, or given any details.

>>1
The main guy at their NOC basically stated that the customer needs to "protect their own security", and that it is not "the ISP's job to secure the users".
If they don't care, make them care. >>2

>not "the ISP's job to secure the users".
Leave it to the free market. The worst that could happen, a small botnet on very large internet.

>>1
Make a botnet which will archive all of 4chan （´∀`）

build botnet
rent botnet to spammers
????
profit

the only solution: turn every router into a tor exit node

>>10
Oh man, that would be an awesome idea. Sadly, Tor will not run on the limited hardware the routers are.

Post details here, along with affected router and ISP details. I'm sure somebody will take care of the rest.

Assuming you want to do no evil yourself kinda like Google and the people responsible don't care (btw shouldn't that be the router manufacturer and not the ISP? ISPs don't give a fuck), the only reasonable route is anonymous disclosure. If you put your name they might want to get you plus you end looking like a dick even if they don't.

I'd do it just out of spite to annoy them. I don't think it'll make that much of a difference, chances are 90% of the PCs behind the routers are infestated already anyway. Also maybe somebody else found it and is exploiting it already, you do big service by making it more public.

infestated
http://usingenglish.com/

>>14
It's like ``orientated.''

>>14
It's like ``obligated.''

>>16
It's like ``being trolled.''

disclose the vulnerability, wait a day or so, and then (through tor) brick all the routers. since the vulnerability is public there's nothing to indicate that it was you who bricked the routers.
no more vulnerable routers, and the ISP will take vulnerabilities like this more seriously after they have to give out thousands of new routers for free.

http://content.4chan.org/img/mystery.gif

profit from it. >>9

THANK

>>17
It's like ``Is the standard! ed!''