4 comments

[ 0.30 ms ] story [ 17.3 ms ] thread
> We have been assessing our existing processes (for OpenWrt, and especially the OpenWrt One) against NIST IR 8425A, and are now accelerating those efforts to ensure we can show that routers using OpenWrt are indeed safe and secure, as determined by independent bodies.

It would be awesome to have somebody show that OpenWrt-based routers are safe and secure. I looked into this problem about 10 years ago and my concluding was that stock OpenWrt was really questionable. Like, there is no auto-update story, but at the same time it is a giant (relative to what it should be, IMO) Linux distro full of vulnerability-laden components. This space is in dire need of a minimal security-first-from-the-ground-up alternative with a real trustworthy update story.

OpenWRT updates are very much discouraged on an ongoing basis primarily because most devices running it use very cheap flash chips which are small and fail quickly after too many writes. They’re nowhere near the level of SSDs, or even SD cards, that can handle many flash cycles.

Almost as important is the fact that updates do not overwrite the original packages, because those are in a read-only partition. Updates are written to an overlay file system, so every updated package uses twice as much flash space. Installing updates weekly would quickly fill the flash.

But as far as vulnerabilities go, what’s the actual exposure? From the outside there’s no ports open, and on the inside only a few for device management, and basic services like dhcp, etc. Those have been around for decades and are pretty well hardened by now.

>see the Librem 5 (USA) for example

I always assumed it was priced outrageously to have a big enough margin to start fulfilling the preorders and refund requests from the original kickstarter. The device does not sell very many units so it won't benefit from bulk pricing.

April 2. Was this an April 1 joke?