Who can tell? The WSJ article doesn't even say whether TP-Link hardware or software is the problem, which would seem to me to be extraordinarily important in reporting on this issue.
To be a little more charitable, I don’t think the average non-technical newspaper reader knows or cares about the difference.
Most non-tech people I know treat a router as a black box system - you plug it in, and then when you have issues, you turn it on and off again. If it keeps happening you get a new one. The word firmware will draw blank stares.
Some people read things as a source of information, others read them as a source of opinion. For the former, this link is fine because they don't care what the NY Post wants them to think. For people who prefer to receive their opinion along with their information, they should maybe consult a more personalized outlet, or their pastor.
APs are going to be the great new app platform, but also a very clear security problem. They have now grown so much spare capacity they can host a lot of extra interesting services. The noises from China suggest some people in companies like Xiaomi worked this out a while ago.
Fundamentally we need to move to a home networking model that involves isolating all clients completely (especially cameras and smart TVs), and using AP hosted services to mediate interaction between them and the Internet at large. This will involve needing to trust the AP, but will have the advantage of being able to deploy slightly less trustworthy devices at the very edge.
Can you ensure this level of assurance without requiring an independent review of router firmware? If it is managing security boundaries, how do you know if you trust it? And how do you ensure that trust is maintained over device lifetime as firmware updates are shipped? Hard problem to solve by building and maintaining long run "people, process, tech" systems.
That's kind of my point - it's inevitable that we will end up having to take the security of the AP enormously more seriously than we have. The AP will end up needing cellphone style updates and chain of trust integrity checks for the firmware.
The reason this is inevitable is the alternative hasn't worked. Cloud based IoT has been a disaster in both the atrocious edge device security and cloud service bait and switch burning customer confidence in the whole concept. Most people are not going to deploy dedicated servers in their house, but an AP absolutely. The HomeAssistant and Frigate ecosystems demonstrate the demand for functionality is there, but they are very much enthusiast type tools.
Strongly agree, I just don't see evidence there is any appetite for spending the resources needed to accomplish this. I would very much like there to be, but, you know. No one likes to spend until the place is already on fire. If this is the fire ("never let a crisis go to waste"), we should try to spend what's required to do what is needed.
(a component of my work is software supply chain security)
> Strongly agree, I just don't see evidence there is any appetite for spending the resources needed to accomplish this.
Yeah, that is the problem, and I gave up on waiting for it, so kicked off an exploration of the problem space https://github.com/atomirex/umbrella (Hitting video handling first because it is one of the major headaches).
I come from the intersection of embedded/mobile/games and saw what a dumpster fire that was, and am under no illusions this will be solved either fast or by any existing group.
I like the idea of isolating every client, or certain clients at least, but I don't see why this needs special apps or services. Just treat these clients as existing on their own VLAN segments and either get rid of the GTK (forcing broadcast/multicast to go through the AP) or generate a different one for each such segment (separating the broadcast domains).
Clients shouldn't connect to the Internet by default, and when they do it should be domain/IP whitelisted only.
For example, an IoT lightswitch in your home should only talk to what looks like an MQTT broker in the AP. It doesn't need to have any concept what that topic it publishes to does. Similarly, the receiving light doesn't need to know what caused it. This way those devices literally never need any external network access at all.
I started working on this idea by playing with OpenWrt hosted video relays, and learned that it works, and am now extending it: https://github.com/atomirex/umbrella
Right now I am on HN procrastinating when I should be producing a video of ingesting from a TP Link security camera (really) into a webrtc SFU on the AP, sending it to another SFU, and watching the result.
I like this vision, but I'm not optimistic about it coming to fruition. IoT vendors want their devices phoning home over the Internet, it gives them traceability and platform lock-in.
> ...when they do it should be domain/IP whitelisted only.
In practice, this will work very poorly. Your whitelist will end up looking like "All of Azure, GCP, AWS, and CloudFlare, plus some one-offs"... which doesn't really stop anything.
I work at a BigCo that tries to do what you're proposing and it works so, so badly. Thankfully, we can turn off the "security" software that does this on our workstations. Unfortunately, cannot do the same for our software that runs on datacenter-hosted hardware that IT manages.
> Clients shouldn't connect to the Internet by default...
I have a couple of VLANs on my LAN that don't provide Internet access just for this reason.
* A huge-ass slice of the things hosted on The Internet are hosted in or behind one or more of Azure, GCP, AWS, and CloudFlare.
* Recording the set of "cloud provider"-provided IP addresses spoken to by a piece of client software is a bit of a fool's errand. The nature of those services is that one can change the IP address assigned to one's deployed software at a whim... and it's often cheaper to set things up so that one doesn't have an IP address for one's services that survives a VM reboot.
I think what's being said here is that if we're going to talk about what "needs" to be done about security (especially if government regulation is to be involved), and if we're going to ban something, then it ought to be devices that need to talk to "the cloud". Saying we "need" APs to segment VLANs is missing the point. The cloud servers are known to be malicious (e.g. that company that intentionally bricked people's inverters the other day). As you say, it's impossible to have reasonable filters when everything wants to talk to the entire world. What we "need" is for IoT devices to communicate through purely local networks and have no Internet access. e.g. mandate a standard to discover a local MQTT broker (which the router may also provide). In that world, there's no reason for a device to ever talk to anything other than e.g. 192.168.1.1, so filtering is easy and can be made default.
Malicious software is malicious regardless of whether it's running as a VM on Someone Else's Server, or a Linux process on personally-owned bare metal.
> Saying we "need" APs to segment VLANs is missing the point.
> What we "need" is for IoT devices to communicate through purely local networks and have no Internet access. [They will do this via a mechanism using MQTT where they're required to declare if they're bad.]
a) Who said anything about APs? While I do have WiFi Access Points (that I did not mention), I also have hard-wired VLAN segmentation. [0]
b) From a network design perspective, it's a lot easier and more efficient to provide a VLAN that doesn't have Internet egress than to attempt to sort out which of a mess of hosts are permitted to talk to the Internet from which aren't, and ALSO prevent MAC- and/or IP-address spoofing to evade any such filtering.
c) I have no idea why you're invoking MQTT (specifically), but any scheme that requires a potentially-untrusted host running potentially-untrusted hardware and software to declare whether or not it's to be trusted is doomed to failure right off the bat.
[0] Sure, I'm a power user. But, a "VLAN-isolated network for untrusted machines" feature shouldn't be something that only power users get. This SHOULD be a baseline feature in consumer-grade WiFi APs and switches. (The race-to-the-bottom feature of the "market" for consumer gear is very sad.)
Most people have a single combo box for their router/switch/firewall/AP, and maybe modem. For most people, those things are synonymous.
The point is isolating devices from each other isn't what people need. They need their devices to accept commands from each other or their computer/phone. What they don't need is their devices to talk to half the Internet.
My htpc talks to exactly one machine, for example (my NAS). It's trivial to audit and would work fine if I blocked Internet access or gave it a whitelist. For people that use home assistant, again their devices should need to talk to a broker and that's it.
A reasonable device only talks to a handful of locations because you didn't ask it to do anything else. The world where Android and Windows and IoT devices chat all day to thousands of servers is what's the problem. Restricting such devices to only talk to the Internet is exactly the wrong solution. You could lock things down once there's an ecosystem in place for local control, but doing it now just ossifies the existing dumpster fire.
If one were to suggest regulation is needed for security (and governments are starting to do so), then what's needed is to ban cloud devices.
When talking about these things in a tech-savvy forum, you'd do well to separate the components (switch, WiFi AP, router) out, rather than thinking them as one indivisible unit. It helps for clarity of conversation and thinking. You have some misconceptions that might arise from this muddling you're doing.
> The point is isolating devices from each other isn't what people need. They need their devices to accept commands from each other or their computer/phone. What they don't need is their devices to talk to half the Internet.
When did I suggest isolating these devices from anything other than the Internet?
The whole point of having a router tied into the various VLANs on your network is so that you can program the router to decide what off-subnet traffic goes where. If you want to have a fully-isolated VLAN, you can... but I never mentioned any isolation other than from Internet egress.
> A reasonable device only talks to a handful of locations because you didn't ask it to do anything else.
If you purchase devices that are hard-coded to talk to machines hosted on someone else's servers, and you don't want to reverse-engineer and take ongoing maintenance responsibility for the software running in those devices, then your only choice in the matter if the manufacturer chooses to "host" those servers in GCP, AWS, or similar is to prevent the devices from talking to the Internet at all.
You might also review this conversation I had regarding the infeasibility of making a whitelist for typical devices and clients that demand Internet access: <https://news.ycombinator.com/item?id=42455401>
Right, I suppose I missed that you didn't mention full isolation. That was further upthread.
In that case I suppose the point is that what's desirable as an end-state from a security perspective is that none of these devices access the Internet (ideally with a firewall rule enforcing that). In the usual home scenario where there is only 1 networking device, VLANs and subnets both seem to me like their main purpose would be to isolate clients from each other, which for mass-market purposes is currently counterproductive (as it basically makes cloud servers a requirement for non-experts). You could use them to make your firewall rules simpler, but then you need routing an multicast forwarding rules. What you really want is to get to a place where your firewall says that your PC/phone can access the Internet and nothing else can.
Basically the infeasibility of making a whitelist for typical devices is exactly the problem to solve/issue to regulate.
No, that was in all of my replies. I've been consistent about this.
> You could use [VLANs] to make your firewall rules simpler, but then you need routing an multicast forwarding rules.
If you're not going to be running your multicast software on a machine that is wired in to all relevant VLANs (like your edge router), then yeah, if you need cross-VLAN multicast you would need to have multicast forwarding set up on such a machine. You'd need to do the same for broadcast, which is "just" all-nodes multicast.
> In the usual home scenario where there is only 1 networking device, VLANs and subnets both seem to me like their main purpose would be to isolate clients from each other...
Then you're confused about how VLANs and subnetting are typically used.
I can think of three ways to do what I think you're envisioning.
1) Use the "client isolation" feature of WiFi APs. I think this uses something OTHER than VLANs, given that clients get allocated IP addresses from the same subnet as each other.
2) Create a subnet and VLAN per client and program your router to not permit traffic originating from these special subnets to go anywhere other than direct to the router or out to the Internet.
3) Have one or more fairly fancy switches that are programmed to only permit packets to flow from each client port to the router port. (I'm pretty sure that this is conceptually what the often-present WiFi "client isolation" feature is.)
I know that you cannot prevent clients in the same subnet and VLAN from talking to one another unless you have direct intervention by a wireless or wired switch. This is because clients in the same subnet trying to talk to each other don't bother talking to the router and just use ARP (or ND) to find their conversation partners.
I'm not CERTAIN, but I think that if you try to have clients in the same subnet, but on different VLANs, it will work poorly (or not at all) because the router will have a hard time with route selection for incoming traffic, as well as traffic originating on the router to the client subnet.
Because less than 5% of the population knows what a VLAN is yet alone how to set one up for their IOT devices.
Ideally Apple will resurrect the Airport and make it easy to have privacy and security in the home. An Airport-HomePod combo could do a lot of neat AI things in-house / on-prem.
I wouldn't expect the average person to set anything up. I'd expect the AP to isolate all devices by default. Most of these devices and their corresponding apps are just reaching out to "the cloud" anyway. It's not like they actually treat the LAN they're on as a LAN.
That having been said, I don't know for sure that most generally available consumer devices would actually work under this arrangement.
Client isolation (whether wireless, by broadcast domain, IP filtering) is in conflict with ubiquitous device casting/streaming/detection features common in apps, which often do expect the ability to find each other on a LAN.
I think throwing those features out is a tough sell for the home consumer market, but makes sense in the SMB and above area.
That's why you replace those features with things like a local mqtt broker. That way devices communicate only via the local services. I tried doing real time video first because it's widely assumed to be the hardest.
Multicast is widely exploited for fingerprinting by smart TVs, unfortunately, much as I think mdns is a beautifully elegant idea.
I've never gotten local streaming to work, but that might just be down to the age of my "smart" TV though (which is now disconnected from the network due to lack of updates). But I have noticed that setting up a network printer is a lot easier than it used to be, and I assume that's because of LAN-based discovery, though I haven't dug that deeply into how it works.
> fundamentally we need to move to a home networking model that involves isolating all clients completely (especially cameras and smart TVs)
That is currently solved by using separate SSID's on individual VLANs (i.e. main, guest, iot) and firewall rules "mediate" the connection between the VLANs.
I'm handrolling this with OpenWRT on APs and main router (NanoPI R5C) with ISP cable router is in bridge mode. Can't say it was easy to set up though
I've found the opposite. The TP-link router I had was frustratingly unreliable, even when setup to reboot every night. Their firmware updates were slow to arrive. I tossed both the router and the TP-link PoE devices I had into the dumpster. My dad bought some TP-link devices and also complained about reliability issues. We've both vowed not to buy that junk again. Switched to ASUS a couple of years ago running ASUSwrt-merlin and haven't looked back.
It seems a little unfair (and wasteful) that you didn't consider simply using decent third-party software on the TP-Link hardware you already owned, but rather bought new hardware and then started using third-party software. ASUS consumer networking hardware is no higher quality than TP-Link consumer networking hardware, and neither of them (nor anyone else operating in the consumer networking hardware market) provides high-quality software out of the box.
I have to agree here. I've had multiple TP-Link routers and all of them had regular random dropouts that would require reboots. They may work if you have 5 devices connected, but they are simply unreliable with even a moderate amount of devices and traffic. TP-Link is on my list of, "Not worth it at any price."
The one I used for 4 or 5 years was very reliable with dd-wrt on it. I usually just reset once every few months when I updated dd-wrt or felt it seemed to be going a little slow. That said I am not a heavy user, typical videos a couple linux servers (1 is a NAS), a couple of laptops in the household. I've since moved over to another company
I thought this was true. However after buying and trying to use one of their mesh products, I gave up and got rid of it. I bit the bullet and went with Ubiquiti, and I'll never buy anything else again. Worth the extra cost imo.
There's that nagging feeling that they're not concerned about security but banning anything that works well, is inexpensive and isn't made by an US company...
Anecdote: once I bought the cheapest router I could find online. The idea was to test connecting to a crap AP. Unfortunately the cheapest was a TP-Link and it worked absolutely perfectly, ruining my test plan.
The margin is not 0. there is a lot of $$$ in low margin disposable products (think toilet paper). However it takes great management to make money building such things and few companies are that good.
Their firmware is absolutely riddled with flaws and exploitable vulnerabilities.
Unless you are willing to re-flash their hardware with third-party firmware such as DD-WRT or OpenWRT, I would always encourage anyone to go with a company that keeps their firmware up to date, like Ubiquity.
It’s not their hardware. It’s their firmware which is the problem.
Ubiquity has already attempted to make their customers dependent on the "cloud" once. I believe there was some pushback and they just made it annoying to not use their online services, but I'd still like to know what they need my personal data for...
Perhaps the ban / tariff / regulation should be applied to companies making networking hardware that's riddled with flaws and exploitable vulnerabilities, rather than by naming specific companies or countries of origin.
I would be fully open to the FTC/CRTC or whatever network/ISP regulator that exists in your country be the determiner of what should be exposed to world+dog. Let them do remote vulnerability scans once a day on all IP addresses assigned to domestic ISPs or locations physically in-country, then flag the IPs that have vulnerable routers.
From there, they can force ISPs to contact their clients to demand the issue be resolved. If the client does not respond to the ISP, the ISP is forced to suspend the connection until the client can demonstrate a fix has been implemented. In all cases, that vulnerability vanishing has the ISP updated so the client is no longer in danger of being pestered.
If the product is still being sold in stores, or is not very far past EoL, and there is no manufacturer patch available, those manufacturers must take their hardware back for a 100% MSRP refund, or provide an equivalent router without those exploits.
It’s only if the product has been no longer manufactured for a minimum set period of time - say, 7 years - that it is deemed “too far past EoL” for the responsibility for patching/replacing to fall on manufacturers, and responsibility finally falls to the consumer to replace/upgrade.
In all cases, a customer can “fix” their router with third-party firmware such as OpenWRT or DD-WRT, but this also requires laws to be written that forces manufacturers to not hardware-lock their routers, and force them to meet the minimum storage/driver-availability specs these third-party firmwares need.
Even with the WRTs, the firmware is probably built by the manufacturer. Try finding the provenance of who wrote the source code and where they live. AFAIK, that's not possible.
So you have a router built with Chinese components (all of the ones anyone here can afford) with closed and "open" firmware built by them. I bought one of those GL.inet "open" routers and the WRT packages bricked it, so I have a choice of reverting or flashing from the factory (which appears to be a link to HK).
That's probably 99.99% of use cases. They're in your base and they always have been.
Just because you cherry-pick Russian informational sites doesn’t mean that third-party firmwares have any connection to Russia whatsoever.
Third-party firmwares are open-source projects, worked on by tens of thousands of volunteers from around the planet, and frequently have ZERO CONNECTION to any one hardware manufacturer.
There are some collaboration efforts, when a particular manufacturer decides to adopt an open-source firmware as the exclusive firmware for their own hardware, but that simply means the hardware is fully unlocked for any third-party firmware that wants to be adapted for that hardware. These manufacturers just decided that they had no desire to f**k over the consumer by locking them into custom-made firmware.
For example, I believe Turris https://www.turris.com/ takes a stock, latest copy of OpenWRT and makes a few tweaks to extend its capabilities for additional, server-like features.
One slight correction/clarification: "firmware" in this context can sometimes be referring specifically to the firmware that runs on the WiFi radios, rather than the whole Linux OS running on the application processor. The WiFi firmware is closed-source and comes from the silicon vendor rather than the router OEM: Qualcomm, Broadcom, or Mediatek, not TP-Link, ASUS, Netgear, etc. Even when running OpenWRT, you're still relying on that closed-source WiFi firmware to have a working radio. (The closest thing to an exception: https://www.candelatech.com/ath10k.php)
WiFi NIC firmware is a much smaller attack surface than the whole Linux OS.
> "firmware" in this context can sometimes be referring specifically to the firmware that runs on the WiFi radios
Congrats, you have just identified DD-WRT and OpenWRT.
> The WiFi firmware is closed-source and comes from the silicon vendor rather than the router OEM: Qualcomm, Broadcom, or Mediatek, not TP-Link, ASUS, Netgear, etc.
Never heard of the term “driver”, have you? Look it up. It’s wild. Windows uses them, and so does Linux and other operating systems like DD-WRT and OpenWRT.
> Congrats, you have just identified DD-WRT and OpenWRT.
> Never heard of the term “driver”, have you? Look it up. It’s wild. Windows uses them, and so does Linux and other operating systems like DD-WRT and OpenWRT.
Please don't post with this kind of attitude, especially when you're so thoroughly wrong.
Look up the term "application processor"; I mentioned it previously but you must not have recognized that it was a concept you are unfamiliar with. This is the ARM (or formerly MIPS) processor that in a router will be running Linux, or on a phone would be running Android or iOS. The AP's CPU cores are not the only processor cores that will be found in the system. Separate from the AP and often at the far end of a PCIe link (and hopefully also an IOMMU) are the WiFi NICs, which have their own embedded processor cores. These embedded cores are not running Linux and instead are running proprietary firmware that is closely tied to the specific hardware. (In a phone, the cellular baseband will have its own processor core(s) running separate code from the AP's OS.)
Linux has its drivers for the WiFi NICs, and those drivers run on the AP cores. Typically, the first responsibility of the Linux driver is to retrieve the correct firmware from storage and transmit it over PCIe to the WiFi NIC so that the processor cores embedded in that NIC can boot up and start running that firmware on cores and a memory address space that is completely separate from what the Linux OS on the AP can directly interact with. The firmware must be uploaded to the NIC by the AP because the NIC typically doesn't have flash memory to store its own firmware, only volatile RAM, and because the firmware version usually must be precisely matched to the driver version running on the AP. This is in contrast to eg. SSDs, which store their own firmware (because they naturally have plenty of non-volatile storage) and expose standard interfaces for drivers to interact with rather than having tight version coupling.
Exactly what the firmware running on the WiFi NIC does will vary between devices. It can often be inferred by inspecting the Linux driver to see what it doesn't do on the AP. Common functionality handled by firmware running on the NIC includes selecting transmission rates and power levels, and handling frame aggregation.
You can readily inspect the filesystem of an OpenWRT image and you'll find the binary blobs that are the firmware which will be sent to the NICs as part of the Linux driver initializing. What you won't find is that binary blob code executing on the AP in any userspace process or kernel thread.
And if you're still arrogantly confused: the WiFi firmware is not the same thing as the Linux driver. In all WiFi hardware that uses firmware running on the NIC (which includes all WiFi hardware supporting anything newer than 802.11n), the WiFi NIC's firmware is closed-source. This is independent of whether or not the Linux driver is closed-source, because the Linux driver is a different piece of code running on a different processor.
All WiFi devices that have received the Free Software Foundation's "Respects your Freedom" certification are limited to 802.11n because those are the newest devices that don't run proprietary blobs on their own processor cores. OpenWRT has looser requirements and tolerates proprietary blobs as long as they don't need to run on the AP as part of the Linux system. The typical setup for an OpenWRT device is an open-source Linux driver communicating over PCIe with closed-source code running on the WiFi NIC.
The Candela Technologies page I linked to is an example of closed-source firmware to run on the WiFi NIC, paired with an open-source Linux driver to run on the AP. This is one of the few examples of the closed-source firmware not coming directly from the creator of the WiFi chip. Both the WiFi firmware and the Linux driver had to be modified in order to add the ...
I love cheap and reliable TP-Link routers as much as the next guy, but it's definitely also a security issue. The CCP almost certainly has a backdoor. Maybe a respectable one in the form of an undisclosed bug or the ability to lean on an update provider, but the point stands: it's absolutely a security issue and denying this is cope.
Routers are going to be a bit more expensive and a bit less reliable for a while. We'll live.
Probably a better approach than the futile attempt to excise all routers with backdoors or bugs would be to continue the ongoing efforts to make network security router agnostic.
i had the opposite experience. i got a tp link that refused to work if i didnt register it. i tried to get customer service and there were so many dark patterns in their customer service queue (fake "you have X minutes in the queue" numbers, etc)
Eventually i got through to a human that said you can't run it without registering it. it did NOT say that on the box.
shit like this is what the ftc should crack down on
I've been researching a new Wi-Fi router and heard lots of complaints that TP-Link doesn't provide many firmware updates? Is that not true? ASUS is not that much better but I do have an option of using the AsusWRT-Merlin open source alternative on their router.
Another thing I've noticed is companies tend to still sell their models which are close to EOL on their website. Something needs to be done about that.
That's true, TP-Link isn't great about keeping their consumer product firmware secured or updated. ASUS isn't much better but when it comes to network gear, you kind of do get what you pay for.
Selling models close to EOL or trying to hold hardware makers responsible for firmware security has been an issue for decades.
Are there manufacturers that are consumer focused that are good about security and updates? Some of the ASUS models are not particularly cheap, raising the question of why not go with business oriented models.
> That's true, TP-Link isn't great about keeping their consumer product firmware secured or updated. ASUS isn't much better but when it comes to network gear, you kind of do get what you pay for.
If this is actually the case then you should contact the FTC because Asus under an order to pay attention to security:
I have an Asus RT-AC68U that I bought ages ago that's still getting regular first-party firmware updates (plus the ones from Merlin). Currently using ISP-provided hardware, but given my past experience I'd definitely look at Asus as an option if I needed a new router.
I have an Asus RT-AC1200, released in 2019 that hasn't had a firmware update since 2021/05 which is the reason why I bought the TP-Link. I do see Asus has a Nov 2024 firmware for that RT-AC68U on their site.
As far as my TP-Link router, I think I remember it being stuck on a 2022/09 firmware until at least 2023/09, and I wound up flashing it with OpenWRT earlier this year.
The RT-AC68U was released in 2013, but I realized that the AC1200 is the consumer tier below the AC68 and related series, so that explains the closer importance on better hardware, easier updating of firmware and development.
I think it was argued that the reason TP-Link was singled out is because of their pattern of vulnerabilities across their entire product lines going back perhaps a decade(?). The same could probably be said of other brands as well though, if not, more.
It depends on your use, but generally anything that runs OpenWRT should be good. Fairly inexpensive GL.iNet GL-MT6000(Flint 2) seems pretty good for a decent price. Comes with a Chinese fork of OpenWRT but you should be able to easily flash upstream.
Another option is the recently released official OpenWRT One.
Mikrotik maybe? I don't know if they're any good but they have a statement on the bottom of the page indicating software updates to either end of product life or minimum of 5 years after purchase date.
I'm happy with my Mikrotik, but do expect to be reading their wiki/googling a fair bit while setting it up. It does come with quick set defaults to get a basic secure config up n running.
I do like that I can export my config as a script. Haven't had to reboot it yet, excluding firmware updates of course.
It's absolutely true, I have a graveyard of fairly high-end consumer routers that were thrown in the pile as soon as they stopped getting updates, they range from Asus, TP-Link to Belkin.
I switched to Ubiquiti EdgeRouters for a while but they went the way of the dodo too, so now I use a Protectcli box running Coreboot and OPNSense; it's essentially just a PC with nice Intel NICs that play nice for networking in a small fanless form-factor that you can install a routerOS on (pfSense, OPNSense etc) and always be up to date.
The manufacturers should release "firmware" updates; they update the software in the router and fix vulnerabilities or add features.
Your D-Link router from 2014 likely stopped receiving updates within 2-4 years of its manufacture so updating now will still leave you quite outdated, if the manufacturer released any updates at all (and if they did, they may even have pulled them offline as we're now 10 years after the fact).
If you're concerned about the security, you can check if your router is supported by an open-source OS like OpenWRT and flash that over the factory software, or upgrade to a newer model (bearing in mind another consumer router will only get you a few short more years of updates).
If you're really cautious (like I am) you buy something that you can install a router OS on that you know will always be updated; pfSense, OPNSense, OpenWRT, Vy etc.
There are always new security vulnerabilities found on these network devices and they directly face the internet. Most of these companies tend to EOL them after a few years and often continue to sell that close to or after the EOL date.
I am not a US citizen, nor I live there. However, I trust the Chinese goverment much less than the US one. So I get the banning if they really believe they could have a trojan horse. What I don't get is, what guarantees you that there is not a trojan jorse on any electronic device they produce?
I suppose the issue is really the risk; attacks on infrastructure need to route over networks; even a completely vulnerability ridden machine isn't a risk if it isn't reachable from the net (inbound or outbound).
Routers as the gateways into all sorts of networks, and they see/control all of the traffic in and out and often between devices on the network; they're a critical junction.
If the US was serious about this or TikTok, they would create security and privacy rules that applied to everyone. Instead they are targeting individual companies, which means it has little to do with security or privacy.
If they did that, it would mean the "good" spy agencies wouldn't have platforms. This is selective so they can just ban the platforms of "bad" spy agencies.
>There's that nagging feeling that they're not concerned about security but banning anything that works well, is inexpensive and isn't made by an US company..
Two things can hold true at the same time. A US company selling US equipment and US software can have US law enforcement agents show up and point US guns at them for non-compliance.
But that in turns sets up a captive market where the US players in the market are more likely to perform collusion and raise prices.
> There's that nagging feeling that they're not concerned about security but banning anything that works well, is inexpensive and isn't made by an US company...
The FTC went after (Taiwan-based) Asus for security reasons:
> After a public comment period, the Federal Trade Commission has approved a final order resolving the Commission’s complaint against ASUSTeK Computer, Inc., charging that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk.
Can we start banning hardware companies __after__ we have banned the selling of user data to the highest bidder (which might as well be Chinese companies)?
Fuck no. There is NO effort at all here to go after surveillance capitalism, I don't give a shit what their press releases say about "protecting American's privacy." It's straight horseshit. The biggest offenders to American's privacy are squarely in Silicon Valley, and the only companies that ever end up in the Government's crosshairs are the big scary Chinese ones that are gonna use their algorithms to turn you into a communist or whatever the fuck.
And FWIW to anyone in power who happens to read this, I was plenty radicalized by my own experiences and those of my friends under capitalism. China didn't do shit.
This is a pretty poor take. Whoever is getting the information is going to use it for their benefit. The Chinese government is a scary government, this does not take away from or add to the US government being a scary government.
You're correct, and banning TikTok and/or TP-Link is not going to stem the flow of user data to the companies who sell it, not even a little bit. Hence my comment: this is not about protecting anyone's privacy, it's about keeping American tech companies on top.
I wouldn't be surprised if some (American) corporate lobbying was performed for this to be pushed through this way but given the numerous stories of how the CCP have practically _bullied_ their way into our markets with cheap(er) goods and/or services through state-sponsored subsidies, I would imagine that this is becoming the global response to a long-winded draw-down on the lessons of repercussions and self-reliance.
They commit genocide, don't support the same values as I do, and are hostile to the government of the country I live in, as well as many of the organizations within it. And a bunch of other things.
generally speaking when a country is #1 in the world order and another country is hellbent on claiming that spot, the latter is a threat to the former. china has repeatedly pushed us militarily, economically, and diplomatically. we must regard with animosity any nation with conflicting values and a desire to outstrip us in power and influence. America is not safe until the current regime is deposed and the strength of china is crippled.
Oh good, more international interventions on the horizon. Because those have worked out so bloody well the past... I dunno, 12 times or so?
And good fucking luck "crippling" the strength of a nation who's population comprises 17% of the world's population, and who is basically a stand-in for "overseas manufacturing" due the sheer ubiquity of it.
do you honestly expect Americans to do well in a world where we aren't the preeminent military and economic power? we wouldn't. it's therefore the moral responsibility of the US federal government to ensure that world doesn't come to pass by any means necessary.
the point of overseas interventions isn't usually to win, it's to make the other guy lose or spend more. our military is finally moving in the direction of attritability - it took those last 12 interventions to learn, i guess - but we should be able to more effectively bleed china dry. she can have as large a population as she wants, she can be the world's factor for cheap garbage, the concern is ensuring she can't have an advanced economy.
i'm not saying this will come without some level of pain for America. the nineties clinton "end of history" types were buffoons to think china was anything but a malignancy on the international order and should have cut her out from the start. but it's too late for that now, the cancer has spread and this means global economic chemo. it will hurt, but it's massively less bad than what our people would experience in the alternative situation.
>do you honestly expect Americans to do well in a world where we aren't the preeminent military and economic power? we wouldn't. it's therefore the moral responsibility of the US federal government to ensure that world doesn't come to pass by any means necessary.
You do raise an interesting thought experiment. A word that has passed the US by. It is so difficult to fathom. The Chinese people seem to be producing wonders as evidenced by this recent interview with Asianomoetry[1]: https://youtu.be/pE3KKUKXcTM?t=2019
They took an old node and managed to squeeze more out of it than any of the western firms could do. This is some serious talent and skill. Its also making me think the sanctions are backfiring in some regard.
However the Chinese system is on shaky ground. Their demographics are horrendous and immigration to plug the gaps is not likely. Furthermore can their system really tolerate failure and embarrassment? This is one aspect where the USSR really fell short and the US shines. Accepting Failure is tolerated, its part of the US culture whereas the USSR was obsessed with saving face. China seems to really understand rapid iteration well though. They studied and learned from the mistakes of the USSR.
>i'm not saying this will come without some level of pain for America. the nineties clinton "end of history" types were buffoons to think china was anything but a malignancy on the international order and should have cut her out from the start. but it's too late for that now, the cancer has spread and this means global economic chemo. it will hurt, but it's massively less bad than what our people would experience in the alternative situation.
Is it really even possible to keep the 17.7% of the world population from aspiring to be at the top while trying to preserve the wealth of 4% of the worlds population? That dam was going to break regardless of whatever the neoliberals did in the 90s.
Hell the global south are the majority and they are kept from reaching to the top quintile. Its just seems inevitable.
you're right, the system is on somewhat shaky ground. many semi- or fully-developed nations face demographic challenges but china is in a much worse position to handle them than we are. but that doesn't mean it's the time to get complacent. now is the time to push harder, knock out a few more legs out from under the chinese system, do that every year until it falls over.
they can aspire all they want. the issue is when they attempt to do so to the detriment of Americans. there are some scarce resources that will only ever be enjoyed by the people in that top quintile. it is both the practical and moral obligation of the U.S. government to ensure we, not they, remain in that top quintile and secure scarce resources for our own people before any others. the global south may contain the majority of sets of hands, but the west continues to control the lion's share of human capital, wealth, and military equipment. we ought to continue using those to maintain them.
there's no issue with the wealth of everyone growing as the world improves. but we must continue to secure those critical scarce resources for our own first, and that requires that even if the south grows in wealth, we exert all available power and influence to ensure we grow faster.
second place sucks. since there will always be a second place, it's our job to avoid it at all costs.
> do you honestly expect Americans to do well in a world where we aren't the preeminent military and economic power? we wouldn't.
As we act now? No I strongly suspect not, because standard American foreign policy of the last roughly eighty years has been swinging our massive dick around and screwing over every other nation on planet Earth, economically, financially, militarily, or some combination of the three.
Let me posit an opposing question: What right does America, one fucking country, in one part of the world, that isn't particularly large, have to basically dictate world geopolitic as we have for decades at this point? What right does America have to say China cannot have an "advanced economy"? Who appointed us? Who elected us? Most importantly, who are we accountable to and who must be justify those kinds of statements to? Or is it literally just down to the fact that we have the biggest bombs on the planet? I don't know, genuinely, what the consequences are of a world that is not headed by the United States, but to get really honest here, the US is not doing a great job in that regard anyway. Would I want North Korea at the helm? Obviously not. But I don't ascribe even remotely that level of hostility to the state of China.
And to continue to be blunt, ARE Americans doing so well as your question presupposes? Because I kinda think we're getting screwed in a lot of ways, and I grant, not as hard as people elsewhere in many cases, but also uniquely hard to other people of other developed nations in specific ways. I, personally, would much prefer that instead of lighting trillions of defense dollars on fire year over year to continue inflating the aforementioned massive dick that we wave around the world all the time, be put instead towards fixing... hell, any of the major problems America actually HAS. And like, take your pick. Healthcare, Infrastructure, Education, Poverty, just to name the four biggest that immediately come to mind. Hell maybe we just give up new tanks for one year and make sure everyone in Flint, Michigan can have WATER without any goddamn lead in it.
I am exhausted of the narrative that the world, the whole WORLD, will topple over dead if America isn't in charge. America has BEEN in charge, defacto, since the end of World War 2. LOOK AROUND!!!
there is generally someone who is king of the hill. the ascendancy of china with her current policies is proof that the "end of history" dream of every nation cooperating within a democratic international order is no better than a pipe dream of xanadu.
we are accountable to the American people. and yes, a huge chunk of influence is due to us having the biggest bombs. other parts are due to continual largesse, from the Marshall plan post-wwii to the continued support of the IMF and World Bank today.
i agree Americans aren't doing as well as we could be. my question is not whether America at the head of the world is doing a perfect job, it's whether specifically Americans will do better under a different system. the chinese one freaking sucks. it's anti-liberty. mainland chinese have no rights to free speech, to bear arms, to equal protection and due process. there is only the party.
flint's water has been clean for four years btw. we spend the balance of our budget on non-military matters. defense is less than one-quarter of our spend. perhaps you should examine why we are lighting so much money on fire, primarily to provide outsized levels of healthcare to people who choose to live poorly and to subsidize the old people who already own most of the wealth in the country. perhaps instead, we means-test social security. surely we can wait until boomers have spent down the value of their million-dollar homes before we start cutting them checks each month.
the world, the whole world, is a hell of a lot better than it was post-wwii. America has led the world, and most importantly, ourselves, to an age of prosperity that has never before existed. if we want to keep our wealth, our liberty, our way of life, it is essential we use any means necessary to keep any other nation from ever surpassing us in power.
I'm not a cheerleader of China by any means but the attitude you have towards China is scary. Why does the US have to control the world in order to be safe?
because if we do not, we are falling on the mercy of foreigners who cannot be trusted. China's value system is basically contradictory to ours - most nations' are - so the world will not go our way unless we, or one of a few close allies, are the foremost power.
America has better values than most countries. And Americans should generally trust America more than foreign countries and certainly more than the chinese government.
here are some civilian deaths within china:
- land reform killed 1-4.7 million
- campaign to suppress counterrevolutionaries killed 712k-2mm
- three-anti and five-anti campaigns killed at least 100k
- sufan movement killed ~53k
- anti-rightist campaign killed 550k-2mm
- '59 tibetan uprising killed 87k
- violence in the great chinese famine killed 2.5mm
that's just a sample. this doesn't show the ongoing genocides, the economic colonization of SE asia and africa, the abuses of chinese-supported states (DPRK, burmese junta, naval intervention in libya, etc.)
objectively the American system seems to work out much better and is based on vastly superior principles.
all that aside, I am an American and place the interests of my people ahead of those of foreigners. as such, I will support a world order led by the government most likely to maximize our welfare and very nearly any means needed to preserve that.
> all that aside, I am an American and place the interests of my people ahead of those of foreigners. as such, I will support a world order led by the government most likely to maximize our welfare and very nearly any means needed to preserve that.
The last sentence you said explained what you said above, it also explained many other *Amerikkans* minds
Interestingly, even the most loyal and fervent American imperialists have to find some ridiculous moral excuses.
Despise your hypocrisy, but appreciate your honesty.
Not a question to you personally, but I find it interesting that US Companies were so eager for short term profitability that they basically handed China an obvious manufacturing win for a good few decades.
China is the powerhouse it is today because it was essentially funded by US greed.
It's actually pretty funny (if I look at it like a movie script rather than real life - which is a coping mechanism) watching the US tying itself into pretzel shapes around things like free speech and general values of "freedom" that it's espoused for it's couple of centuries because it's chickens (bats?) have come home to roost, and they're shitting everywhere making people unhealthy.
Apologies, Jingoistic nonsense that parrots talking points about actual problems that need solutions, in this case, reigning in user data collection in service of protectionism for precious American companies to continue their unethical behavior makes me puke.
Apologies, Jingoistic nonsense that parrots talking points about actual problems that need solutions, in this case, reigning in user data collection in service of protectionism for precious American companies to continue their unethical behavior makes me puke.
It could be a GIRD or acid reflux condition. Civil discussions online shouldn't cause vomiting. You should probably see a doctor about that.
ToucanLoucan's message has some great discussion points but the half of the thread doing something useful with them only got there by managing to ignore the "fuck no shit horseshit fuck shit" portions. Even if one labels that as an aesthetic choice over one core to what promotes quality online conversation, fulmination isn't a requirement of conveying passion.
Can we start banning hardware companies __after__ we have banned the selling of user data to the highest bidder (which might as well be Chinese companies)?
No. Do both. Why would we wait to fix one problem when we have two problems?
This just seems like distracting from the router issue, and taking the discussion off-topic.
I'm currently upgrading my home network, trying various options, and one of the headaches is provenance of the equipment.
By provenance, I mean where it's designed, where it's manufactured, who has brand oversight of it, who controls the firmware, who runs the IoT phoning-home servers, etc.
(I don't have high security requirements for home, but I pay attention to such things out of curiosity.)
The closest I've been able to get is to buy a Protectli box, replace the AMI with Coreboot that you can compile yourself, and install OPN/PFSense.
It's still Chinese hardware, but it's warrantied by Protectcli and you have control over the bits you can change.
My first move out of the consumer "junk" was Ubiquiti EdgeRouters but their software quality declined a few years back, and my models got no more updates, then my main router died. My overkill i3 6-port Protectcli box has been running great ever since; first with pfSense now OPNSense; I'll only replace it when it dies or I want 10GbE routing.
What solution do you use for wireless access points? That’s generally my problem, you can find plenty of solid hardware to run pfSense on but as soon as you look at access points everything seems to be proprietary something or from questionable sources.
I currently use a bunch of Unifi APs, not got full-house coverage yet, but I have key areas and run their management software on a Raspberry Pi.
They've mostly been solid, and aren't too expensive. I did replace the one in the hall (on the ceiling) outside my living room recently though, upgrading it from an AP-AC-Pro to an U6-Pro and the range is significantly worse on the same WiFi spec, making the living room TV basically unusable for streaming, despite being flawless on the older AP.
I'm going to try the newer U7 Pros and if that doesn't work out, I'll start looking at alternatives, but I suspect anything acceptable will be more expensive. I run ethernet almost everywhere so WiFi is just for our mobiles/laptops/tablets/IoT, but the TV in the living room currently has no easy way to get cables to so that AP is critical.
Try to get something that runs OpenWRT (or can run it) and isn't like super tight on flash space. Although I'm having some issues with my latest batch of access points; I have a few clients that seem to have more trouble staying associated, and I was hoping to use 802.11r, k and v and DAWN, but I had to turn all of them off because too many subsets of the clients wouldn't work with some of those.
I'm coming to the realization that mixed 2.4 ghz/5ghz access points aren't a great idea. If I wanted consistent 5 ghz coverage, I'd need a lot more access points, but I'd want to turn the 2.4ghz radios off on most of them because 2.4ghz goes too far.
I use Mikrotik access points at home. They're not the simplest to configure, but they aren't daunting to someone who has been futzing around with networking for awhile. I like that they allow me to implement whatever weird stuff I can dream up, and that I can generally implement that weird stuff all in the GUI.
The hardware is relatively inexpensive and seems to be rather stable, the company is based in Latvia, and the manufacturing (or at least the board-stuffing and injection-molding) seems to primarily be done in Europe. Some of their stuff is pretty flexible about what kinds of PoE is can work with.
All of the Mikrotik stuff I'm aware of runs their Linux-based RouterOS. This means they all get the same user interface -- the same for a "switch," for an "access point," and for a "router."
I like that this blurs the lines between different device classes. For instance, my access points have two Ethernet ports on them, and two radios. I can use them as simple access points, or as routers, or as switches... or all of this at the same time. Whatever I want to do with them is fine: It's just a highly-configurable device with n hardware interfaces available on it.
I could replace the separate switch and OpenWRT router that I have on a shelf in the basement with a singular Mikrotik switch that did both jobs if I wanted to. (I probably would not, and it probably would never make sense to do so, but their software allows me to do as many nonsensical things as I choose. That's a good thing.)
It really depends. Coreboot is open source and you can review the code, it's also much lighter (though fewer things can be tweaked), vs AMI which we don't know/can't check what it contains.
For me, wanting as much open source in the stack as possible, it gives me peace of mind, but it really depends on the individual.
All I can really suggest, is to take a look at the Coreboot site[0] and see if it sounds like something you'd want.
FWIW I thought my EdgeRouter X died a few years back, power light would blink but wouldn't boot up - turned out to be a dying wall wart. Swapped it out for one I had lying around that happened to match voltage/current/connector and that was maybe 3 years ago.
>I'm currently upgrading my home network, trying various options, and one of the headaches is provenance of the equipment.
If you're concerned about provenance (or even if you're not), I suggest using a general purpose device and rolling your own ala pfSense[0]/OPNSense[1], etc, or just use one of the BSDs or Linux and use native tools or one of the many router/firewall distros[2]
One of the things I learned while building such a server-based box is that eBay is awash in counterfeit high-end Intel NICs.
Regarding pfSense and OPNsense, I recently built and used a nice OPNsense box, including IPS, but decided to go back to OpenWrt for home use, because OpenWrt actually worked a bit better for the things I needed.
I might use pfSense (or maybe OPNsense) router for a startup office of more than several people, though (until we can cost-justify a dedicated IT infra&support specialist). With OpenWrt on the WiFi APs.
>One of the things I learned while building such a server-based box is that eBay is awash in counterfeit high-end Intel NICs.
Assuming you mean NUCs[0] and not NICs, I'm sure you're correct. That said, there are many other fanless miniPCs which are both less expensive and, as such, much less likely to be counterfeited.
>Regarding pfSense and OPNsense, I recently built and used a nice OPNsense box, including IPS, but decided to go back to OpenWrt for home use, because OpenWrt actually worked a bit better for the things I needed.
A fair point. The device I use as a router/firewall came pre-installed with OPNSense, which I immediately wiped and replaced with a vanilla Linux install and customised it to my own taste.
I mentioned OPN/pfSense not because I use them, but because they offer a fairly complete solution without having strong networking knowledge. Rolling your own is, IMNSHO, definitely superior to those, as well as to OpenWRT.
As for WiFi, I restrict my APs to just bridging to my wired network and have implemented strong egress filtering to control outbound access.
>I might use pfSense (or maybe OPNsense) router for a startup office of more than several people, though (until we can cost-justify a dedicated IT infra&support specialist). With OpenWrt on the WiFi APs.
That's not a bad idea at all. Although you might also consider one or more of the other distros/packages in the Wikipedia link[1] I included in my previous comment. Good luck!
I mean Ethernet NICs. For example, various PCIe quad-port models.
(I used industrial NUC PCs as part of factory stations for a startup a few years ago, and they were nice. I looked into NUCs for home routers/firewalls, but I didn't like their NIC options.)
The one time I tried to use the quickset page was to set up an AP and it did. I was rather surprised that it didn’t configure an IP address to access the admin page afterwards…
It's a hard problem because when you start asking questions about what an unqualified home user needs it's easy to say just one more thing.
port forwarding? ofcourse how else can the kid have a minecraft server with friends
dynamic dns? then the friends don't need to search "what's my ip" every time
parental controls? to schedule how much time they can play minecraft...
I like Mikrotik but for anyone trying to go beyond the barebones default firewall/router/ap on the quickset page you need to be prepared to learn. i.e. To make a DHCP reservation, you go through the menus until you click IP, then you realise you don't click on DHCP client to set up a DHCP client you go into DHCP server and try to give a device a reservation which requires the step of making it static first then seperately setting it's IP.
The complaint basically boils down to: they have all the options there and available and the least common task is just as easy to do as the 2nd most common (after initial basic setup), and if a task touches multiple parts of the config you need to touch each of those parts. Great for someone who knows what they're doing but for a home user it would be great to have more quickset pages for the 2nd to 10th most common tasks (as intagible as that list is).
Their software It's incredibly powerful, but also quite opaque to someone not into hardcore networking. I setup a small private WISP using their gear and configuring it was pretty rough for a non networking nerd. It's not running Linux, but a custom OS. The quickset is handy, but as soon as you want to do something slightly different, you're up to your neck in low level config. Still great HW and if you know how it can do everything you need. Ubiquity gear has a friedlier interface.
Mikrotik gear absolutely runs Linux. It just uses a custom userland.
Ubiquity gear is structured the same way: It, too, absolutely runs Linux, and it uses a custom userland.
One of these userlands is friendlier than the other, but they're both still Linux.
It's a tale as old as the hills, or at least as old as the OG Linksys WRT54G
-- which was my own first foray into owning dedicated routing hardware ~20 years ago (which was -- guess what -- Linux with a custom userland). (Previous to that, I used Linux with the userland of my choosing on my desktop PC.)
The biggest life changer to me back when I worked with Mikrotik gear was learning that the '?' character was an immediate "Show me all of the commands I can get to from the current prompt", and then appending '?' to existing commands would show all of the sub commands available etc.
From that point I found the CLI to be relatively discoverable as a way to configure the devices.
Makes sense. I guess the UI experience, including the terminal was so alien I assumed routerOS was an actual low level OS but, in retrospect, I was an idiot and of course it is Linux under the hood!
I love Mikrotik too and the price point, but it's for people who know network engineering or need a particularly rare type of gear (like a small inexpensive 10G SFP switch).
I tell people to jump into Ubiquiti's (ui.com) ecosystem which is much more accessible for power users who occasionally wrestle with concepts like wireless,
VLANs, subnets, and traffic rules.
This is what makes me concerned about ever needing to upgrade from my PC Engines APU2. It's about as open as a piece of hardware can get, including using coreboot, but now that they've wound down, there's not a lot of good options that occupy the same niche.
PC Engines was a Swiss company with Taiwan manufacturing.
Since APU2 schematics are open, rebooting PC Engines as a US company could be initiated by US leadership requesting AMD to restart production of the AMD GX-412TC SoC, until AMD can ship a Ryzen Embedded alternative with comparable power efficiency. The lack of a replacement SoC forced the end of APU2 and PC Engines.
National policy tools are not limited to banning negative examples, they can also encourage scaling of positive existence proofs.
"By provenance, I mean where it's designed, where it's manufactured, who has brand oversight of it, who controls the firmware, who runs the IoT phoning-home servers, etc."
Arguably the most important area of "provenance" is who controls the software ("firmware"). (Perhaps the hardware owner should control the software, e.g., compile and install OpenWRT.) The report on which this submission appears to be based mentions "command injection" as the vulnerability being exploited.
I got a solar panel that I can control with an app on a smartphone.
I still don't understand why because it's not fully installed.
I thought this was just a DC generator plugged into a DC-to-AC converter (an "inverter") and nature did its thing to autobalance the flow of electricity. I'm excited to find out what the app does and why these panels need a WiFi password.
Put a (Deciso or other) opnsense router in front of everything and use that to control exactly what can talk to what and what can talk to the outside world.
I guess you’re also evaluating/replacing your ISP’s modem and router. I just changed my plan with my optical internet provider, and didn’t occur there was an option.
So what are my options here now? I run an omada system - do I move over to ubiquiti or DIY with opnsense ? if firmware is the issue then an entirely open system is what makes sense here.
I upgraded to Deco mesh (2 nodes) about a year ago. They perform well, but the settings have been dumbed down quite a bit. I'm using them as APs and have a small box running pfSense connected to my cable modem. The Deco AP should be unreachable from the Internet but still have full access to the Internet.
In theory no black hat should be able to access them from the Internet but they could call out and ask for commands if they are so programmed.
I have two Kasa light strips (KL400) and anecdotally I’ve noticed that its performance degrades every other day or so to the point where it stops responding to change commands.
The fix? Blocking all inbound and outbound WAN (internet) traffic to it. Now works flawlessly, just like you think a light strip would. I only ever want to issue commands locally anyway, and why it should be talking to the broader internet in that case is beyond me.
Exactly this. I don't want my source of hardware to dry up, but I'd love if ISPs wouldn't allow the stock firmware to connect to their networks.
I bought a pair of TP-Link units specifically because OpenWRT ran well on them. If I had to get something more expensive, I might not decide to keep a cold spare.
Yes, but if they did that, they would have to enforce the same rule on routers of US companies. So the net advantage for the US companies would be zero (which I believe is the point - the "hacking fears" is just a smokescreen).
I'm wondering if this suspicion should apply to TP-Link wifi range extenders as well as they should be just layer 2 devices. I tried installing OpenWRT on my TP-Link extender, everything was supposed to be compatible, but it did not work.
> TP-Link wifi range extenders as well as they should be just layer 2 devices
Nope. Any device that has a wired Ethernet port and an antenna cannot be just a layer 2 device; WiFi is not just a wireless Ethernet. Also, any device that you can ping by IP address and configure over the network rather than over a serial cable is operating above layer 2 for at least the control plane.
This is not correct, a wifi range extender is a layer 2 forwarder (aka bridge). It does not function as layer 3 forwarder (aka router), only as host, and that host function is theoretically optional.
WiFi in fact goes to great lengths to behave as wireless Ethernet, putting all its complexity on layers below carrying Ethernet frames.
> It does not function as layer 3 forwarder (aka router), only as host, and that host function is theoretically optional.
Set aside the theory and look at how any of the real devices are implemented. These devices are all running Linux, and that Linux OS is managing a minimum of two separate NICs with the full software networking stack. They incorporate all of the software complexity of a full-blown router, and none of the simplicity and security/privacy advantages of an unmanaged Ethernet switch which is a purely L2 device. There's no separation of control plane and data plane; no hardware-accelerated forwarding between Ethernet and WiFi to allow packets to skip a trip through the CPU cores. In fact, it is often the case that the only meaningful difference between a consumer WiFi router and a WiFi extender is that the latter omits the Ethernet switch chip and consequently only has one or two Ethernet ports rather than 5+ ports. Presuming that a WiFi extender is less likely to be nefarious than a WiFi router by analogy to a layer 2 unmanaged Ethernet switch (with at most kilobytes of RAM and likely only an 8-bit or 16-bit microcontroller for a processor core) is entirely wrong.
I have a nation state interest in getting wealthy and trading our comparative advantage. Not paranoid delusions and one-sided brinksmanship.
China can produce things cheaper than we can. “Industrial policy” to make a wealthy nation like the US a competitive low-cost manufacturing hub are delusional. Let us focus on what we are good at and other countries focus on what they are good at.
Realpolitik is making our country wealthier and rationally approaching emerging risks, not banning cheap cars and solar panels because other countries are too good at making them. Let alone engaging in trade wars with our allies and banning acquisitions from Japan.
We have to have a dependable supply chain. We found out during Covid we couldn't obtain the goods we needed. It doesn't matter how cheap goods are if they can't be purchased. China is a predatory, mercantilist economy. That cares more about providing its citizens with jobs than profit. They can ship goods under cost and drive competitors out of business. When it comes to cars I'll bet our tariffs haven't been anything like for example European tariffs on US cars. It's not a fair game with China. They'll supply us with hardware for our grid, but won't use our hardware in their grid. China blocks our internet.
“investigators believe that TP-Link routinely fails to address vulnerabilities in its products that are shipped to customers who use the routers for both home and business purposes” good luck finding someone which is able to adress this issue and can deliver the same amount of devices in the price range.
Sounds like they want to apply pressure to TP-Link so they start to fix more and faster.
Wirecutters top two router recommendations are both TP-Link. Near the top of the review they praise "Hitting the sweet spot between price and performance" but then bury the disclosure that you have to pay extra for security, including "most protection."
"TP-Link also offers a $5-per-month or $36-per-year plan for Security+ network protection and IoT security. If you don’t pay, you still get some basic functionality such as the ability to block websites and to manually toggle internet access on your kids’ devices, but advanced settings, automatic timed internet control, most protection, and reporting are disabled after the one-month free trial. That said, the Archer AX3000 Pro will continue to provide solid Wi-Fi connectivity even if you don’t sign up for the added plans."
This report is a great example of why it's a bad deal to trade away security for a lower price. Wirecutter should have been leading the way in pointing this out, instead of just steering people to the cheapest fast thing, YOLO style (anyone can make that kind of recommendation).
What is a good recommendation for replacing a TP-Link Omada AP? I have the Wifi6 AP and it performs great. But if I do need to replace it with something more secure, what are my choices?
I know Ubiquity is a choice, but the reason I chose Omada over Ubiquity is that I can host the Omada controller locally and not be forced to use a cloud product.
This in itself is a nightmare. I recently hacked for a client their Unifi controller db on a network. It had been setup 5 years ago and the company that did the setup didn't hand over any admin passwords. 5 companies and 4 years of problems later they almost turned their accommodation business into a wifi free off grid experience because they couldn't get the system working correctly without admin access. Nightmare stuff.
Any system so heavily reliant on a single point of failure with such difficulty to replace is a no go for me. Never in half a decade have I seen such a problem whilst rolling out mikrotik hardware.
> ... It had been setup 5 years ago and the company that did the setup didn't hand over any admin passwords. ...
> Any system so heavily reliant on a single point of failure with such difficulty to replace is a no go for me.
Not to shill for Ubiquiti here, but none of that sounds like a problem with UniFi or the idea of centrally-managed APs.
UniFi APs don't stop working if the UniFi server fails. You can't make configuration changes, but you can SSH into the AP, reset it, and associate it with another UniFi server.
Oh don't get me wrong. UniFi and central management can be great if your on actively managed IT infrastructure. That is to say, you pay someone a monthly fee to keep your stuff configured, monitored and working. But where I live, most of these installs are at rural businesses or properties where IT only gets called when things go wrong. These are exactly the wrong place to put managed infrastructure. It can be years between problems and rarely are the same techs even in the area when the next call comes around. Which is exactly why I was able to crack the DB in the first place, it was an out of date V6 install of the controller using a unsecured mongodb. Took me about 20 minutes of googling to find out how to do it when I used the right key words/after I'd figured out what was wrong (someone plugged in a router with DHCP enabled upstream of all the p2p wifi nodes but downstream from the unifi security gateway, the router got flagged as trying to provide/hijack dhcp and unifi blocked that port it seems, killing all the p2p wifi with it, honestly not a bad response from unifi hardware but a nightmare for your joe blog tech who doesnt really have much experience with network problem solving).
I advocate certain clients towards centrally managed systems, but for most of these clients who aren't interested in a regular checkup or business agreement with an IT provider I generally put them on un-managed setups with at least 2x USB devices with copies of config on-site and a printout of what the setup and network layout is. This is in-case I'm not here the next time they need work done or in case I do come back and don't want to spend a day deciphering their setup again. All cloud services are disable, no external log-in from outside of the site allowed. I leave the main modem/ISP connected router ideally up to the ISP they are getting internet services from and build everything downstream from that. Auto-update set to on. I've got multiple p2p and p2mp wireless networks at properties all around the region that haven't had a tech on-site for 4+ years and they won't until something breaks or the protocol their operating on gets too slow for user requirements which I would expect is another 4+ years at least because mikrotik wifi is rock solid when its setup manually and correctly.
Security is less of a worry. I mean honestly if your willing to drive out to the middle of nowhere to war-drive and crack the passwords and get into their network...hell you probably deserve to get some internet and check ya emails for the effort you've put in. They'll probably see your vehicle while your doing it and invite you in for a cuppa and give you the password anyways.
All my UniFi stuff is hosted locally. You don’t need their cloud product and their NVR saves video locally too.
If you want to access your controller(s) on the go then just setup a VPN on UniFi. Turn on your VPN, manage from the unifi app, and then turn the VPN off if needed.
It might be the right move. I’ve noticed a lot of oddities with my top of the line TP Link Mesh routers. Limited ability to configure it compared to past routers (not many advanced settings). Forced use of a very sanitized app instead of a browser based panel. Forced updates with no ability to use the admin panel without accepting the update. And so on. It works and is high quality in a way, but I also don’t trust it. Unfortunately a lot of these issues aren’t visible until after you buy it.
Are those Omada based routers? For the price, I've been very impressed with the Omada based APs from TP-Link. All of my equipment is configurable through a web based interface that's served by a Windows app (or through an available hardware controller).
260 comments
[ 2.2 ms ] story [ 276 ms ] threadThere’s also that famous photo of NSA “upgrading” Cisco routers, of course. https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...
https://www.wsj.com/politics/national-security/us-ban-china-...
Most non-tech people I know treat a router as a black box system - you plug it in, and then when you have issues, you turn it on and off again. If it keeps happening you get a new one. The word firmware will draw blank stares.
Fundamentally we need to move to a home networking model that involves isolating all clients completely (especially cameras and smart TVs), and using AP hosted services to mediate interaction between them and the Internet at large. This will involve needing to trust the AP, but will have the advantage of being able to deploy slightly less trustworthy devices at the very edge.
The reason this is inevitable is the alternative hasn't worked. Cloud based IoT has been a disaster in both the atrocious edge device security and cloud service bait and switch burning customer confidence in the whole concept. Most people are not going to deploy dedicated servers in their house, but an AP absolutely. The HomeAssistant and Frigate ecosystems demonstrate the demand for functionality is there, but they are very much enthusiast type tools.
(a component of my work is software supply chain security)
Yeah, that is the problem, and I gave up on waiting for it, so kicked off an exploration of the problem space https://github.com/atomirex/umbrella (Hitting video handling first because it is one of the major headaches).
I come from the intersection of embedded/mobile/games and saw what a dumpster fire that was, and am under no illusions this will be solved either fast or by any existing group.
For example, an IoT lightswitch in your home should only talk to what looks like an MQTT broker in the AP. It doesn't need to have any concept what that topic it publishes to does. Similarly, the receiving light doesn't need to know what caused it. This way those devices literally never need any external network access at all.
I started working on this idea by playing with OpenWrt hosted video relays, and learned that it works, and am now extending it: https://github.com/atomirex/umbrella
Right now I am on HN procrastinating when I should be producing a video of ingesting from a TP Link security camera (really) into a webrtc SFU on the AP, sending it to another SFU, and watching the result.
In practice, this will work very poorly. Your whitelist will end up looking like "All of Azure, GCP, AWS, and CloudFlare, plus some one-offs"... which doesn't really stop anything.
I work at a BigCo that tries to do what you're proposing and it works so, so badly. Thankfully, we can turn off the "security" software that does this on our workstations. Unfortunately, cannot do the same for our software that runs on datacenter-hosted hardware that IT manages.
> Clients shouldn't connect to the Internet by default...
I have a couple of VLANs on my LAN that don't provide Internet access just for this reason.
Why?
* A huge-ass slice of the things hosted on The Internet are hosted in or behind one or more of Azure, GCP, AWS, and CloudFlare.
* Recording the set of "cloud provider"-provided IP addresses spoken to by a piece of client software is a bit of a fool's errand. The nature of those services is that one can change the IP address assigned to one's deployed software at a whim... and it's often cheaper to set things up so that one doesn't have an IP address for one's services that survives a VM reboot.
Malicious software is malicious regardless of whether it's running as a VM on Someone Else's Server, or a Linux process on personally-owned bare metal.
> Saying we "need" APs to segment VLANs is missing the point.
> What we "need" is for IoT devices to communicate through purely local networks and have no Internet access. [They will do this via a mechanism using MQTT where they're required to declare if they're bad.]
a) Who said anything about APs? While I do have WiFi Access Points (that I did not mention), I also have hard-wired VLAN segmentation. [0]
b) From a network design perspective, it's a lot easier and more efficient to provide a VLAN that doesn't have Internet egress than to attempt to sort out which of a mess of hosts are permitted to talk to the Internet from which aren't, and ALSO prevent MAC- and/or IP-address spoofing to evade any such filtering.
c) I have no idea why you're invoking MQTT (specifically), but any scheme that requires a potentially-untrusted host running potentially-untrusted hardware and software to declare whether or not it's to be trusted is doomed to failure right off the bat.
[0] Sure, I'm a power user. But, a "VLAN-isolated network for untrusted machines" feature shouldn't be something that only power users get. This SHOULD be a baseline feature in consumer-grade WiFi APs and switches. (The race-to-the-bottom feature of the "market" for consumer gear is very sad.)
The point is isolating devices from each other isn't what people need. They need their devices to accept commands from each other or their computer/phone. What they don't need is their devices to talk to half the Internet.
My htpc talks to exactly one machine, for example (my NAS). It's trivial to audit and would work fine if I blocked Internet access or gave it a whitelist. For people that use home assistant, again their devices should need to talk to a broker and that's it.
A reasonable device only talks to a handful of locations because you didn't ask it to do anything else. The world where Android and Windows and IoT devices chat all day to thousands of servers is what's the problem. Restricting such devices to only talk to the Internet is exactly the wrong solution. You could lock things down once there's an ecosystem in place for local control, but doing it now just ossifies the existing dumpster fire.
If one were to suggest regulation is needed for security (and governments are starting to do so), then what's needed is to ban cloud devices.
When talking about these things in a tech-savvy forum, you'd do well to separate the components (switch, WiFi AP, router) out, rather than thinking them as one indivisible unit. It helps for clarity of conversation and thinking. You have some misconceptions that might arise from this muddling you're doing.
> The point is isolating devices from each other isn't what people need. They need their devices to accept commands from each other or their computer/phone. What they don't need is their devices to talk to half the Internet.
When did I suggest isolating these devices from anything other than the Internet?
The whole point of having a router tied into the various VLANs on your network is so that you can program the router to decide what off-subnet traffic goes where. If you want to have a fully-isolated VLAN, you can... but I never mentioned any isolation other than from Internet egress.
> A reasonable device only talks to a handful of locations because you didn't ask it to do anything else.
If you purchase devices that are hard-coded to talk to machines hosted on someone else's servers, and you don't want to reverse-engineer and take ongoing maintenance responsibility for the software running in those devices, then your only choice in the matter if the manufacturer chooses to "host" those servers in GCP, AWS, or similar is to prevent the devices from talking to the Internet at all.
You might also review this conversation I had regarding the infeasibility of making a whitelist for typical devices and clients that demand Internet access: <https://news.ycombinator.com/item?id=42455401>
In that case I suppose the point is that what's desirable as an end-state from a security perspective is that none of these devices access the Internet (ideally with a firewall rule enforcing that). In the usual home scenario where there is only 1 networking device, VLANs and subnets both seem to me like their main purpose would be to isolate clients from each other, which for mass-market purposes is currently counterproductive (as it basically makes cloud servers a requirement for non-experts). You could use them to make your firewall rules simpler, but then you need routing an multicast forwarding rules. What you really want is to get to a place where your firewall says that your PC/phone can access the Internet and nothing else can.
Basically the infeasibility of making a whitelist for typical devices is exactly the problem to solve/issue to regulate.
No, that was in all of my replies. I've been consistent about this.
> You could use [VLANs] to make your firewall rules simpler, but then you need routing an multicast forwarding rules.
If you're not going to be running your multicast software on a machine that is wired in to all relevant VLANs (like your edge router), then yeah, if you need cross-VLAN multicast you would need to have multicast forwarding set up on such a machine. You'd need to do the same for broadcast, which is "just" all-nodes multicast.
> In the usual home scenario where there is only 1 networking device, VLANs and subnets both seem to me like their main purpose would be to isolate clients from each other...
Then you're confused about how VLANs and subnetting are typically used.
I can think of three ways to do what I think you're envisioning.
1) Use the "client isolation" feature of WiFi APs. I think this uses something OTHER than VLANs, given that clients get allocated IP addresses from the same subnet as each other.
2) Create a subnet and VLAN per client and program your router to not permit traffic originating from these special subnets to go anywhere other than direct to the router or out to the Internet.
3) Have one or more fairly fancy switches that are programmed to only permit packets to flow from each client port to the router port. (I'm pretty sure that this is conceptually what the often-present WiFi "client isolation" feature is.)
I know that you cannot prevent clients in the same subnet and VLAN from talking to one another unless you have direct intervention by a wireless or wired switch. This is because clients in the same subnet trying to talk to each other don't bother talking to the router and just use ARP (or ND) to find their conversation partners.
I'm not CERTAIN, but I think that if you try to have clients in the same subnet, but on different VLANs, it will work poorly (or not at all) because the router will have a hard time with route selection for incoming traffic, as well as traffic originating on the router to the client subnet.
Ideally Apple will resurrect the Airport and make it easy to have privacy and security in the home. An Airport-HomePod combo could do a lot of neat AI things in-house / on-prem.
That having been said, I don't know for sure that most generally available consumer devices would actually work under this arrangement.
I think throwing those features out is a tough sell for the home consumer market, but makes sense in the SMB and above area.
Multicast is widely exploited for fingerprinting by smart TVs, unfortunately, much as I think mdns is a beautifully elegant idea.
Anecdote: once I bought the cheapest router I could find online. The idea was to test connecting to a crap AP. Unfortunately the cheapest was a TP-Link and it worked absolutely perfectly, ruining my test plan.
Unless you are willing to re-flash their hardware with third-party firmware such as DD-WRT or OpenWRT, I would always encourage anyone to go with a company that keeps their firmware up to date, like Ubiquity.
It’s not their hardware. It’s their firmware which is the problem.
The nefarious, evil purpose of the cloud service is…just lock in. And being easy to configure.
From there, they can force ISPs to contact their clients to demand the issue be resolved. If the client does not respond to the ISP, the ISP is forced to suspend the connection until the client can demonstrate a fix has been implemented. In all cases, that vulnerability vanishing has the ISP updated so the client is no longer in danger of being pestered.
If the product is still being sold in stores, or is not very far past EoL, and there is no manufacturer patch available, those manufacturers must take their hardware back for a 100% MSRP refund, or provide an equivalent router without those exploits.
It’s only if the product has been no longer manufactured for a minimum set period of time - say, 7 years - that it is deemed “too far past EoL” for the responsibility for patching/replacing to fall on manufacturers, and responsibility finally falls to the consumer to replace/upgrade.
In all cases, a customer can “fix” their router with third-party firmware such as OpenWRT or DD-WRT, but this also requires laws to be written that forces manufacturers to not hardware-lock their routers, and force them to meet the minimum storage/driver-availability specs these third-party firmwares need.
So you have a router built with Chinese components (all of the ones anyone here can afford) with closed and "open" firmware built by them. I bought one of those GL.inet "open" routers and the WRT packages bricked it, so I have a choice of reverting or flashing from the factory (which appears to be a link to HK).
That's probably 99.99% of use cases. They're in your base and they always have been.
Say you know nothing about router firmware without saying you know nothing about router firmware.
OpenWRT and DD-WRT and other open-source third-party firmwares are THIRD PARTY firmwares. They have no connection with the manufacturer whatsoever.
> WikiDevi URL: https://wikidevi.wi-cat.ru/TP-LINK_Archer_C2_v3.x
Every one had a .ru domain. How do you know, exactly, who built it? GL.inet builds their own WRT package. It's a "feature".
Brand-new to the Internet, are ya?
Just because you cherry-pick Russian informational sites doesn’t mean that third-party firmwares have any connection to Russia whatsoever.
Third-party firmwares are open-source projects, worked on by tens of thousands of volunteers from around the planet, and frequently have ZERO CONNECTION to any one hardware manufacturer.
There are some collaboration efforts, when a particular manufacturer decides to adopt an open-source firmware as the exclusive firmware for their own hardware, but that simply means the hardware is fully unlocked for any third-party firmware that wants to be adapted for that hardware. These manufacturers just decided that they had no desire to f**k over the consumer by locking them into custom-made firmware.
For example, I believe Turris https://www.turris.com/ takes a stock, latest copy of OpenWRT and makes a few tweaks to extend its capabilities for additional, server-like features.
WiFi NIC firmware is a much smaller attack surface than the whole Linux OS.
Congrats, you have just identified DD-WRT and OpenWRT.
> The WiFi firmware is closed-source and comes from the silicon vendor rather than the router OEM: Qualcomm, Broadcom, or Mediatek, not TP-Link, ASUS, Netgear, etc.
Never heard of the term “driver”, have you? Look it up. It’s wild. Windows uses them, and so does Linux and other operating systems like DD-WRT and OpenWRT.
> Never heard of the term “driver”, have you? Look it up. It’s wild. Windows uses them, and so does Linux and other operating systems like DD-WRT and OpenWRT.
Please don't post with this kind of attitude, especially when you're so thoroughly wrong.
Look up the term "application processor"; I mentioned it previously but you must not have recognized that it was a concept you are unfamiliar with. This is the ARM (or formerly MIPS) processor that in a router will be running Linux, or on a phone would be running Android or iOS. The AP's CPU cores are not the only processor cores that will be found in the system. Separate from the AP and often at the far end of a PCIe link (and hopefully also an IOMMU) are the WiFi NICs, which have their own embedded processor cores. These embedded cores are not running Linux and instead are running proprietary firmware that is closely tied to the specific hardware. (In a phone, the cellular baseband will have its own processor core(s) running separate code from the AP's OS.)
Linux has its drivers for the WiFi NICs, and those drivers run on the AP cores. Typically, the first responsibility of the Linux driver is to retrieve the correct firmware from storage and transmit it over PCIe to the WiFi NIC so that the processor cores embedded in that NIC can boot up and start running that firmware on cores and a memory address space that is completely separate from what the Linux OS on the AP can directly interact with. The firmware must be uploaded to the NIC by the AP because the NIC typically doesn't have flash memory to store its own firmware, only volatile RAM, and because the firmware version usually must be precisely matched to the driver version running on the AP. This is in contrast to eg. SSDs, which store their own firmware (because they naturally have plenty of non-volatile storage) and expose standard interfaces for drivers to interact with rather than having tight version coupling.
Exactly what the firmware running on the WiFi NIC does will vary between devices. It can often be inferred by inspecting the Linux driver to see what it doesn't do on the AP. Common functionality handled by firmware running on the NIC includes selecting transmission rates and power levels, and handling frame aggregation.
You can readily inspect the filesystem of an OpenWRT image and you'll find the binary blobs that are the firmware which will be sent to the NICs as part of the Linux driver initializing. What you won't find is that binary blob code executing on the AP in any userspace process or kernel thread.
And if you're still arrogantly confused: the WiFi firmware is not the same thing as the Linux driver. In all WiFi hardware that uses firmware running on the NIC (which includes all WiFi hardware supporting anything newer than 802.11n), the WiFi NIC's firmware is closed-source. This is independent of whether or not the Linux driver is closed-source, because the Linux driver is a different piece of code running on a different processor.
All WiFi devices that have received the Free Software Foundation's "Respects your Freedom" certification are limited to 802.11n because those are the newest devices that don't run proprietary blobs on their own processor cores. OpenWRT has looser requirements and tolerates proprietary blobs as long as they don't need to run on the AP as part of the Linux system. The typical setup for an OpenWRT device is an open-source Linux driver communicating over PCIe with closed-source code running on the WiFi NIC.
The Candela Technologies page I linked to is an example of closed-source firmware to run on the WiFi NIC, paired with an open-source Linux driver to run on the AP. This is one of the few examples of the closed-source firmware not coming directly from the creator of the WiFi chip. Both the WiFi firmware and the Linux driver had to be modified in order to add the ...
Some TP-Links are not great -- get a first gen C7, IIRC.
Routers are going to be a bit more expensive and a bit less reliable for a while. We'll live.
Eventually i got through to a human that said you can't run it without registering it. it did NOT say that on the box.
shit like this is what the ftc should crack down on
Another thing I've noticed is companies tend to still sell their models which are close to EOL on their website. Something needs to be done about that.
Selling models close to EOL or trying to hold hardware makers responsible for firmware security has been an issue for decades.
If this is actually the case then you should contact the FTC because Asus under an order to pay attention to security:
* https://www.ftc.gov/news-events/news/press-releases/2016/07/...
I have an Asus RT-AC68U that I bought ages ago that's still getting regular first-party firmware updates (plus the ones from Merlin). Currently using ISP-provided hardware, but given my past experience I'd definitely look at Asus as an option if I needed a new router.
As far as my TP-Link router, I think I remember it being stuck on a 2022/09 firmware until at least 2023/09, and I wound up flashing it with OpenWRT earlier this year.
* https://wikidevi.wi-cat.ru/ASUS_RT-AC1200_series
The V2 seems to be exactly the same except for some minor chip revisions (e.g., -DAN vs -AN), perhaps due to OEM part availability.
OpenWRT also supports (supported?) the V2:
* https://openwrt.org/toh/asus/rt-ac1200_v2
* https://youtu.be/ZCdZaSu68Kk?si=C7qumnao_bfvGvUo&t=138
* https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tp-link
Google and Amazon are full of spyware. I feel I have nowhere to run!
Another option is the recently released official OpenWRT One.
https://openwrt.org/toh/openwrt/one
I do like that I can export my config as a script. Haven't had to reboot it yet, excluding firmware updates of course.
I switched to Ubiquiti EdgeRouters for a while but they went the way of the dodo too, so now I use a Protectcli box running Coreboot and OPNSense; it's essentially just a PC with nice Intel NICs that play nice for networking in a small fanless form-factor that you can install a routerOS on (pfSense, OPNSense etc) and always be up to date.
I own one dlink router I bought in 2014. Has been running since then. 0 updates.
What "update" should I give my router ?
Forgive my ignorance
Your D-Link router from 2014 likely stopped receiving updates within 2-4 years of its manufacture so updating now will still leave you quite outdated, if the manufacturer released any updates at all (and if they did, they may even have pulled them offline as we're now 10 years after the fact).
If you're concerned about the security, you can check if your router is supported by an open-source OS like OpenWRT and flash that over the factory software, or upgrade to a newer model (bearing in mind another consumer router will only get you a few short more years of updates).
If you're really cautious (like I am) you buy something that you can install a router OS on that you know will always be updated; pfSense, OPNSense, OpenWRT, Vy etc.
This link is from a quick query on dlink routers.
https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabili...
Just like any other computer, it can be exploited if vulnerabilities are found and in 10 years it's likely some have been found.
Unfortunately, it's likely that dlink stopped providing updates for your product which leaves you with three options:
1. Ignore the problem
2. Install something like OpenWRT if your hardware is supported
3. Purchase new hardware
Old version works fine.
Routers as the gateways into all sorts of networks, and they see/control all of the traffic in and out and often between devices on the network; they're a critical junction.
Two things can hold true at the same time. A US company selling US equipment and US software can have US law enforcement agents show up and point US guns at them for non-compliance.
But that in turns sets up a captive market where the US players in the market are more likely to perform collusion and raise prices.
The FTC went after (Taiwan-based) Asus for security reasons:
> After a public comment period, the Federal Trade Commission has approved a final order resolving the Commission’s complaint against ASUSTeK Computer, Inc., charging that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk.
* https://www.ftc.gov/news-events/news/press-releases/2016/07/...
So 'legitimate' security concerns have been a thing in the past.
Ebay, aliexpress, reshipper, friend in europe...there is always a way
And FWIW to anyone in power who happens to read this, I was plenty radicalized by my own experiences and those of my friends under capitalism. China didn't do shit.
And good fucking luck "crippling" the strength of a nation who's population comprises 17% of the world's population, and who is basically a stand-in for "overseas manufacturing" due the sheer ubiquity of it.
the point of overseas interventions isn't usually to win, it's to make the other guy lose or spend more. our military is finally moving in the direction of attritability - it took those last 12 interventions to learn, i guess - but we should be able to more effectively bleed china dry. she can have as large a population as she wants, she can be the world's factor for cheap garbage, the concern is ensuring she can't have an advanced economy.
i'm not saying this will come without some level of pain for America. the nineties clinton "end of history" types were buffoons to think china was anything but a malignancy on the international order and should have cut her out from the start. but it's too late for that now, the cancer has spread and this means global economic chemo. it will hurt, but it's massively less bad than what our people would experience in the alternative situation.
You do raise an interesting thought experiment. A word that has passed the US by. It is so difficult to fathom. The Chinese people seem to be producing wonders as evidenced by this recent interview with Asianomoetry[1]: https://youtu.be/pE3KKUKXcTM?t=2019
They took an old node and managed to squeeze more out of it than any of the western firms could do. This is some serious talent and skill. Its also making me think the sanctions are backfiring in some regard.
However the Chinese system is on shaky ground. Their demographics are horrendous and immigration to plug the gaps is not likely. Furthermore can their system really tolerate failure and embarrassment? This is one aspect where the USSR really fell short and the US shines. Accepting Failure is tolerated, its part of the US culture whereas the USSR was obsessed with saving face. China seems to really understand rapid iteration well though. They studied and learned from the mistakes of the USSR.
>i'm not saying this will come without some level of pain for America. the nineties clinton "end of history" types were buffoons to think china was anything but a malignancy on the international order and should have cut her out from the start. but it's too late for that now, the cancer has spread and this means global economic chemo. it will hurt, but it's massively less bad than what our people would experience in the alternative situation.
Is it really even possible to keep the 17.7% of the world population from aspiring to be at the top while trying to preserve the wealth of 4% of the worlds population? That dam was going to break regardless of whatever the neoliberals did in the 90s.
Hell the global south are the majority and they are kept from reaching to the top quintile. Its just seems inevitable.
they can aspire all they want. the issue is when they attempt to do so to the detriment of Americans. there are some scarce resources that will only ever be enjoyed by the people in that top quintile. it is both the practical and moral obligation of the U.S. government to ensure we, not they, remain in that top quintile and secure scarce resources for our own people before any others. the global south may contain the majority of sets of hands, but the west continues to control the lion's share of human capital, wealth, and military equipment. we ought to continue using those to maintain them.
there's no issue with the wealth of everyone growing as the world improves. but we must continue to secure those critical scarce resources for our own first, and that requires that even if the south grows in wealth, we exert all available power and influence to ensure we grow faster.
second place sucks. since there will always be a second place, it's our job to avoid it at all costs.
As we act now? No I strongly suspect not, because standard American foreign policy of the last roughly eighty years has been swinging our massive dick around and screwing over every other nation on planet Earth, economically, financially, militarily, or some combination of the three.
Let me posit an opposing question: What right does America, one fucking country, in one part of the world, that isn't particularly large, have to basically dictate world geopolitic as we have for decades at this point? What right does America have to say China cannot have an "advanced economy"? Who appointed us? Who elected us? Most importantly, who are we accountable to and who must be justify those kinds of statements to? Or is it literally just down to the fact that we have the biggest bombs on the planet? I don't know, genuinely, what the consequences are of a world that is not headed by the United States, but to get really honest here, the US is not doing a great job in that regard anyway. Would I want North Korea at the helm? Obviously not. But I don't ascribe even remotely that level of hostility to the state of China.
And to continue to be blunt, ARE Americans doing so well as your question presupposes? Because I kinda think we're getting screwed in a lot of ways, and I grant, not as hard as people elsewhere in many cases, but also uniquely hard to other people of other developed nations in specific ways. I, personally, would much prefer that instead of lighting trillions of defense dollars on fire year over year to continue inflating the aforementioned massive dick that we wave around the world all the time, be put instead towards fixing... hell, any of the major problems America actually HAS. And like, take your pick. Healthcare, Infrastructure, Education, Poverty, just to name the four biggest that immediately come to mind. Hell maybe we just give up new tanks for one year and make sure everyone in Flint, Michigan can have WATER without any goddamn lead in it.
I am exhausted of the narrative that the world, the whole WORLD, will topple over dead if America isn't in charge. America has BEEN in charge, defacto, since the end of World War 2. LOOK AROUND!!!
we are accountable to the American people. and yes, a huge chunk of influence is due to us having the biggest bombs. other parts are due to continual largesse, from the Marshall plan post-wwii to the continued support of the IMF and World Bank today.
i agree Americans aren't doing as well as we could be. my question is not whether America at the head of the world is doing a perfect job, it's whether specifically Americans will do better under a different system. the chinese one freaking sucks. it's anti-liberty. mainland chinese have no rights to free speech, to bear arms, to equal protection and due process. there is only the party.
flint's water has been clean for four years btw. we spend the balance of our budget on non-military matters. defense is less than one-quarter of our spend. perhaps you should examine why we are lighting so much money on fire, primarily to provide outsized levels of healthcare to people who choose to live poorly and to subsidize the old people who already own most of the wealth in the country. perhaps instead, we means-test social security. surely we can wait until boomers have spent down the value of their million-dollar homes before we start cutting them checks each month.
the world, the whole world, is a hell of a lot better than it was post-wwii. America has led the world, and most importantly, ourselves, to an age of prosperity that has never before existed. if we want to keep our wealth, our liberty, our way of life, it is essential we use any means necessary to keep any other nation from ever surpassing us in power.
Ha! How many civilians have been killed in the last 50 years by the american military vs the Chinese?
here are some civilian deaths within china:
- land reform killed 1-4.7 million
- campaign to suppress counterrevolutionaries killed 712k-2mm
- three-anti and five-anti campaigns killed at least 100k
- sufan movement killed ~53k
- anti-rightist campaign killed 550k-2mm
- '59 tibetan uprising killed 87k
- violence in the great chinese famine killed 2.5mm
- socialist education movement killed 77k
- guanxi massacre killed 100-150k
- inner mongolia incident killed 15-100k
- yangjiang massacre killed 3.5k
- daoxian massacre killed 9k
- ruijin massacre killed 1k
- zhao jianmin spy case killed 17k
- shadian incident killed 1.6k
- tiananmen square protests & massacre killed 200-10k
that's just a sample. this doesn't show the ongoing genocides, the economic colonization of SE asia and africa, the abuses of chinese-supported states (DPRK, burmese junta, naval intervention in libya, etc.)
objectively the American system seems to work out much better and is based on vastly superior principles.
all that aside, I am an American and place the interests of my people ahead of those of foreigners. as such, I will support a world order led by the government most likely to maximize our welfare and very nearly any means needed to preserve that.
> all that aside, I am an American and place the interests of my people ahead of those of foreigners. as such, I will support a world order led by the government most likely to maximize our welfare and very nearly any means needed to preserve that.
The last sentence you said explained what you said above, it also explained many other *Amerikkans* minds
Interestingly, even the most loyal and fervent American imperialists have to find some ridiculous moral excuses.
Despise your hypocrisy, but appreciate your honesty.
China is the powerhouse it is today because it was essentially funded by US greed.
It's actually pretty funny (if I look at it like a movie script rather than real life - which is a coping mechanism) watching the US tying itself into pretzel shapes around things like free speech and general values of "freedom" that it's espoused for it's couple of centuries because it's chickens (bats?) have come home to roost, and they're shitting everywhere making people unhealthy.
It could be a GIRD or acid reflux condition. Civil discussions online shouldn't cause vomiting. You should probably see a doctor about that.
No. Do both. Why would we wait to fix one problem when we have two problems?
This just seems like distracting from the router issue, and taking the discussion off-topic.
Slowly I am feeling back into world geopolitics of my childhood.
By provenance, I mean where it's designed, where it's manufactured, who has brand oversight of it, who controls the firmware, who runs the IoT phoning-home servers, etc.
(I don't have high security requirements for home, but I pay attention to such things out of curiosity.)
It's still Chinese hardware, but it's warrantied by Protectcli and you have control over the bits you can change.
My first move out of the consumer "junk" was Ubiquiti EdgeRouters but their software quality declined a few years back, and my models got no more updates, then my main router died. My overkill i3 6-port Protectcli box has been running great ever since; first with pfSense now OPNSense; I'll only replace it when it dies or I want 10GbE routing.
They've mostly been solid, and aren't too expensive. I did replace the one in the hall (on the ceiling) outside my living room recently though, upgrading it from an AP-AC-Pro to an U6-Pro and the range is significantly worse on the same WiFi spec, making the living room TV basically unusable for streaming, despite being flawless on the older AP.
I'm going to try the newer U7 Pros and if that doesn't work out, I'll start looking at alternatives, but I suspect anything acceptable will be more expensive. I run ethernet almost everywhere so WiFi is just for our mobiles/laptops/tablets/IoT, but the TV in the living room currently has no easy way to get cables to so that AP is critical.
I'm coming to the realization that mixed 2.4 ghz/5ghz access points aren't a great idea. If I wanted consistent 5 ghz coverage, I'd need a lot more access points, but I'd want to turn the 2.4ghz radios off on most of them because 2.4ghz goes too far.
The hardware is relatively inexpensive and seems to be rather stable, the company is based in Latvia, and the manufacturing (or at least the board-stuffing and injection-molding) seems to primarily be done in Europe. Some of their stuff is pretty flexible about what kinds of PoE is can work with.
All of the Mikrotik stuff I'm aware of runs their Linux-based RouterOS. This means they all get the same user interface -- the same for a "switch," for an "access point," and for a "router."
I like that this blurs the lines between different device classes. For instance, my access points have two Ethernet ports on them, and two radios. I can use them as simple access points, or as routers, or as switches... or all of this at the same time. Whatever I want to do with them is fine: It's just a highly-configurable device with n hardware interfaces available on it.
I could replace the separate switch and OpenWRT router that I have on a shelf in the basement with a singular Mikrotik switch that did both jobs if I wanted to. (I probably would not, and it probably would never make sense to do so, but their software allows me to do as many nonsensical things as I choose. That's a good thing.)
For me, wanting as much open source in the stack as possible, it gives me peace of mind, but it really depends on the individual.
All I can really suggest, is to take a look at the Coreboot site[0] and see if it sounds like something you'd want.
[0]https://www.coreboot.org/
If you're concerned about provenance (or even if you're not), I suggest using a general purpose device and rolling your own ala pfSense[0]/OPNSense[1], etc, or just use one of the BSDs or Linux and use native tools or one of the many router/firewall distros[2]
[0] https://www.pfsense.org/
[1] https://opnsense.org/
[2] https://en.wikipedia.org/wiki/List_of_router_and_firewall_di...
Regarding pfSense and OPNsense, I recently built and used a nice OPNsense box, including IPS, but decided to go back to OpenWrt for home use, because OpenWrt actually worked a bit better for the things I needed.
I might use pfSense (or maybe OPNsense) router for a startup office of more than several people, though (until we can cost-justify a dedicated IT infra&support specialist). With OpenWrt on the WiFi APs.
Assuming you mean NUCs[0] and not NICs, I'm sure you're correct. That said, there are many other fanless miniPCs which are both less expensive and, as such, much less likely to be counterfeited.
>Regarding pfSense and OPNsense, I recently built and used a nice OPNsense box, including IPS, but decided to go back to OpenWrt for home use, because OpenWrt actually worked a bit better for the things I needed.
A fair point. The device I use as a router/firewall came pre-installed with OPNSense, which I immediately wiped and replaced with a vanilla Linux install and customised it to my own taste.
I mentioned OPN/pfSense not because I use them, but because they offer a fairly complete solution without having strong networking knowledge. Rolling your own is, IMNSHO, definitely superior to those, as well as to OpenWRT.
As for WiFi, I restrict my APs to just bridging to my wired network and have implemented strong egress filtering to control outbound access.
>I might use pfSense (or maybe OPNsense) router for a startup office of more than several people, though (until we can cost-justify a dedicated IT infra&support specialist). With OpenWrt on the WiFi APs.
That's not a bad idea at all. Although you might also consider one or more of the other distros/packages in the Wikipedia link[1] I included in my previous comment. Good luck!
[0] https://en.wikipedia.org/wiki/Next_Unit_of_Computing
[1] https://en.wikipedia.org/wiki/List_of_router_and_firewall_di...
(I used industrial NUC PCs as part of factory stations for a startup a few years ago, and they were nice. I looked into NUCs for home routers/firewalls, but I didn't like their NIC options.)
My misunderstanding. Apologies.
I use something similar to this[0] device, which has 4X2.5Gb ethernet ports and no WiFi (which was my preference) interface.
As such, no additional NICs were required, even with a dual ISP configuration.
[0] https://www.amazon.com/gp/product/B09J4H9ZXY?ie=UTF8&th=1
Many of their NUC-sized computers have dual physical LAN ports.
https://www.servethehome.com/identifying-risky-counterfeit-i...
(I’m looking at my stack right now and looking to upgrade)
The only thing is they're definitely not designed for regular consumers, you at least need familiarity with Linux networking.
Mikrotik has had quickset (a single page configuration for home use) for 8+ years, Android Home app for 3+ years
port forwarding? ofcourse how else can the kid have a minecraft server with friends
dynamic dns? then the friends don't need to search "what's my ip" every time
parental controls? to schedule how much time they can play minecraft...
I like Mikrotik but for anyone trying to go beyond the barebones default firewall/router/ap on the quickset page you need to be prepared to learn. i.e. To make a DHCP reservation, you go through the menus until you click IP, then you realise you don't click on DHCP client to set up a DHCP client you go into DHCP server and try to give a device a reservation which requires the step of making it static first then seperately setting it's IP.
The complaint basically boils down to: they have all the options there and available and the least common task is just as easy to do as the 2nd most common (after initial basic setup), and if a task touches multiple parts of the config you need to touch each of those parts. Great for someone who knows what they're doing but for a home user it would be great to have more quickset pages for the 2nd to 10th most common tasks (as intagible as that list is).
Ubiquity gear is structured the same way: It, too, absolutely runs Linux, and it uses a custom userland.
One of these userlands is friendlier than the other, but they're both still Linux.
It's a tale as old as the hills, or at least as old as the OG Linksys WRT54G -- which was my own first foray into owning dedicated routing hardware ~20 years ago (which was -- guess what -- Linux with a custom userland). (Previous to that, I used Linux with the userland of my choosing on my desktop PC.)
From that point I found the CLI to be relatively discoverable as a way to configure the devices.
I like RouterOS well enough, though.
I tell people to jump into Ubiquiti's (ui.com) ecosystem which is much more accessible for power users who occasionally wrestle with concepts like wireless, VLANs, subnets, and traffic rules.
So I installed openwrt. They're actually pretty well supported by openwrt (except for the newer 10g switches)
You mean an RFC1918 for etherboot? I have a "few" of these devices and this simply doesn't make any sense in any context.
I've since wiped the firmware/license keys so no idea.
Since APU2 schematics are open, rebooting PC Engines as a US company could be initiated by US leadership requesting AMD to restart production of the AMD GX-412TC SoC, until AMD can ship a Ryzen Embedded alternative with comparable power efficiency. The lack of a replacement SoC forced the end of APU2 and PC Engines.
National policy tools are not limited to banning negative examples, they can also encourage scaling of positive existence proofs.
Arguably the most important area of "provenance" is who controls the software ("firmware"). (Perhaps the hardware owner should control the software, e.g., compile and install OpenWRT.) The report on which this submission appears to be based mentions "command injection" as the vulnerability being exploited.
https://www.cyfirma.com/research/comprehensive-analysis-of-c...
https://www.microsoft.com/en-us/security/blog/2024/10/31/chi...
I still don't understand why because it's not fully installed.
I thought this was just a DC generator plugged into a DC-to-AC converter (an "inverter") and nature did its thing to autobalance the flow of electricity. I'm excited to find out what the app does and why these panels need a WiFi password.
The US outsourced absolutely everything to China and is now banning it up down and centre. Shizophrenic much?
In theory no black hat should be able to access them from the Internet but they could call out and ask for commands if they are so programmed.
The fix? Blocking all inbound and outbound WAN (internet) traffic to it. Now works flawlessly, just like you think a light strip would. I only ever want to issue commands locally anyway, and why it should be talking to the broader internet in that case is beyond me.
But they are nice and cheap OpenWRT platforms. Ban the software instead? ;D
I bought a pair of TP-Link units specifically because OpenWRT ran well on them. If I had to get something more expensive, I might not decide to keep a cold spare.
The newer generations of TP links are a different beast entirely. Doubt you can even set it up local only let alone openwrt it
Nope. Any device that has a wired Ethernet port and an antenna cannot be just a layer 2 device; WiFi is not just a wireless Ethernet. Also, any device that you can ping by IP address and configure over the network rather than over a serial cable is operating above layer 2 for at least the control plane.
WiFi in fact goes to great lengths to behave as wireless Ethernet, putting all its complexity on layers below carrying Ethernet frames.
Set aside the theory and look at how any of the real devices are implemented. These devices are all running Linux, and that Linux OS is managing a minimum of two separate NICs with the full software networking stack. They incorporate all of the software complexity of a full-blown router, and none of the simplicity and security/privacy advantages of an unmanaged Ethernet switch which is a purely L2 device. There's no separation of control plane and data plane; no hardware-accelerated forwarding between Ethernet and WiFi to allow packets to skip a trip through the CPU cores. In fact, it is often the case that the only meaningful difference between a consumer WiFi router and a WiFi extender is that the latter omits the Ethernet switch chip and consequently only has one or two Ethernet ports rather than 5+ ports. Presuming that a WiFi extender is less likely to be nefarious than a WiFi router by analogy to a layer 2 unmanaged Ethernet switch (with at most kilobytes of RAM and likely only an 8-bit or 16-bit microcontroller for a processor core) is entirely wrong.
China can produce things cheaper than we can. “Industrial policy” to make a wealthy nation like the US a competitive low-cost manufacturing hub are delusional. Let us focus on what we are good at and other countries focus on what they are good at.
Realpolitik is making our country wealthier and rationally approaching emerging risks, not banning cheap cars and solar panels because other countries are too good at making them. Let alone engaging in trade wars with our allies and banning acquisitions from Japan.
https://www.arubainstanton.com/
Sounds like they want to apply pressure to TP-Link so they start to fix more and faster.
"TP-Link also offers a $5-per-month or $36-per-year plan for Security+ network protection and IoT security. If you don’t pay, you still get some basic functionality such as the ability to block websites and to manually toggle internet access on your kids’ devices, but advanced settings, automatic timed internet control, most protection, and reporting are disabled after the one-month free trial. That said, the Archer AX3000 Pro will continue to provide solid Wi-Fi connectivity even if you don’t sign up for the added plans."
This report is a great example of why it's a bad deal to trade away security for a lower price. Wirecutter should have been leading the way in pointing this out, instead of just steering people to the cheapest fast thing, YOLO style (anyone can make that kind of recommendation).
https://www.nytimes.com/wirecutter/reviews/best-wi-fi-router...
I know Ubiquity is a choice, but the reason I chose Omada over Ubiquity is that I can host the Omada controller locally and not be forced to use a cloud product.
Any system so heavily reliant on a single point of failure with such difficulty to replace is a no go for me. Never in half a decade have I seen such a problem whilst rolling out mikrotik hardware.
> Any system so heavily reliant on a single point of failure with such difficulty to replace is a no go for me.
Not to shill for Ubiquiti here, but none of that sounds like a problem with UniFi or the idea of centrally-managed APs.
UniFi APs don't stop working if the UniFi server fails. You can't make configuration changes, but you can SSH into the AP, reset it, and associate it with another UniFi server.
I advocate certain clients towards centrally managed systems, but for most of these clients who aren't interested in a regular checkup or business agreement with an IT provider I generally put them on un-managed setups with at least 2x USB devices with copies of config on-site and a printout of what the setup and network layout is. This is in-case I'm not here the next time they need work done or in case I do come back and don't want to spend a day deciphering their setup again. All cloud services are disable, no external log-in from outside of the site allowed. I leave the main modem/ISP connected router ideally up to the ISP they are getting internet services from and build everything downstream from that. Auto-update set to on. I've got multiple p2p and p2mp wireless networks at properties all around the region that haven't had a tech on-site for 4+ years and they won't until something breaks or the protocol their operating on gets too slow for user requirements which I would expect is another 4+ years at least because mikrotik wifi is rock solid when its setup manually and correctly.
Security is less of a worry. I mean honestly if your willing to drive out to the middle of nowhere to war-drive and crack the passwords and get into their network...hell you probably deserve to get some internet and check ya emails for the effort you've put in. They'll probably see your vehicle while your doing it and invite you in for a cuppa and give you the password anyways.
Mikrotik could easily be setup with weak passwords and management exposed, as can Cisco/Aruba/Ruckus/insert favorite vendor here.
If you want to access your controller(s) on the go then just setup a VPN on UniFi. Turn on your VPN, manage from the unifi app, and then turn the VPN off if needed.