I love my RT-AC router and I do not use Ai Cloud and I have FTP turned off. I check all the time. People that buy $200+ routers should be the ones to turn things off.
>People that buy $200+ routers should be the ones to turn things off.
The price of an object says nothing about the cluefullness or cluelessness of the end user. A tech illiterate soccer mom could easily buy one of these because their child told them they need 'extreme performance' to play BF4. Releasing products with poor security, then not fixing it when released to the public is unacceptable in this day and age.
That's why you don't release terrible security flaws in the first place.
The second problem of the illiterate flashing ones router is more difficult, but not completely impossible to deal with. It's not optimal, but you could force redirect all http connections to the router from inside the network to a page where the user has to log in and click flash for the router to download and update the flash itself. Auto-updates are possible, but not without risk either.
I am rather bored by the specifics of Asusgate, but I do think the story has one very interesting conundrum. If change has to be driven by impassioned masses. And the masses only become impassioned when directly affected. Does it become OK for the good guys to accelerate exposure of the masses to the risks in order to prevent harm happening at a larger scale in the future?
That is a question researchers have been asking for decades. Rain Forest Puppy, with the help of some smart, invested colleagues, put together a good framework for Full Disclosure a long time ago:
When I first found myself involved in disclosures in the mechanical security world, I turned to that document to orient myself, though mechanical security has some different challenges that make following that framework perfectly fairly hard.
I was wondering the same thing. His website[1] and the Wikipedia article[2] about him don not mention anything about his interest in network security. But he does seem to closely guard his personal life.
My RT-AC66u died a month ago (trying to factory reset, and it never woke up), and I just plugged my 5-year old Apple Wifi-N router and never looked back.
Looks like there isn't really a good AC router - most AC routers have poor reliability reviews everywhere (even the new Apple one).
That's usually because the spec wasn't finished at release time so your card might be following one set of rule and your WAP another. I'm always leary about a company who wants to be first to market before everyone has agreed on how things should work. You can see that pattern in their security audit too.
EDIT: Asus' security audit, The apple one should work if you don't leave their eco system since the card and WAP probably have the same specs.
It's depressing how bad many consumer-targeted products there are in the tech space. Printers (seriously, why do we still have printer drivers), routers, operating systems, even software. Even non-techie users take notice of this!
Is there space for a competitively priced consumer router of high quality?
TP-links have been long-standing favorites of hacker community. They might not be the highest specced and you need to be careful about which model you pick, but there are some good (value) devices there.
Of course assuming you are going to run OpenWRT or something equivalent. Running some OEM crap on routers is just madness.
I would definitely fund a kickstarter campaign for a fully open-source AC router designed for OpenWRT.
I would imagine that the OpenWRT community (and related open-source firmwares like Tomato and DD-WRT) are sufficiently large enough that there is a market for a piece of hardware that is optimal for open-source router firmware.
For quite a long time, there was a Linksys WRT model that remained in production long after its useful life (because it had old radio standards and was slow and because newer devices were much cheaper with greater capabilities) because it ran Linux, and could be hacked very easily and could use all Open Source drivers and such. It's even where "OpenWRT" got the WRT in its name.
So, there's definitely a market for it. But, I don't know that it's comparable to the market for consumer oriented devices. It'd be nice if consumers were smarter and knew enough to demand this kind of thing.
It'd be really nice if one could go to the store and buy a router running OpenWRT or Tomato or whatever, like you can go to the store and ask for an Android phone or a Windows PC. As operating systems go, many current routers are probably more complex than DOS or early Windows versions and certainly more complex than many early phone operating systems. Not sure why nobody has thought to make the OS a competitive factor for routers.
You're thinking of the WRT54G (earlier firmware versions only, as later versions used VxWorks which prevented third-party firmware from being used), and finally the WRT54GL that was created specifically for OpenWRT and such (they returned to a Linux based OS).
The WRT54G went through several generations, the later generations having different hardware and just sharing the model name. They weren't all compatible with the various xWRT's of the day.
I had a v1 WRT54G; after six or seven years running OpenWRT, it finally died last month. Now I have a cheap TPLink while I wait for the dust to settle on the AC models.
What's worse is that the older generations were not necessarily an improvement either (IIRC). I think the amount of persistent memory of the device in later generations was reduced to lower costs and that some later generation models don't have enough disk space for OpenWRT.
TBH the only moderately safe way forward is open source firmware that is autoupdated via signed packages made by individuals with impeccable reputations and verified/audited by others with impeccable reputations.
OpenWRT or other OpenWRT-based firmwares are really easy to get up and running these days.
Trusting consumer electronics manufacturers running on razon-thin margins for your security is pure madness, not advisable at best.
54 comments
[ 4.8 ms ] story [ 120 ms ] threadMy name wasn't on the list.
The price of an object says nothing about the cluefullness or cluelessness of the end user. A tech illiterate soccer mom could easily buy one of these because their child told them they need 'extreme performance' to play BF4. Releasing products with poor security, then not fixing it when released to the public is unacceptable in this day and age.
The second problem of the illiterate flashing ones router is more difficult, but not completely impossible to deal with. It's not optimal, but you could force redirect all http connections to the router from inside the network to a page where the user has to log in and click flash for the router to download and update the flash itself. Auto-updates are possible, but not without risk either.
http://dl.packetstormsecurity.net/papers/general/rfpolicy-2....
When I first found myself involved in disclosures in the mechanical security world, I turned to that document to orient myself, though mechanical security has some different challenges that make following that framework perfectly fairly hard.
http://www.wired.com/threatlevel/2012/03/zero-days-for-chrom...
[1]: http://chuckpalahniuk.net/
[2]: https://en.wikipedia.org/wiki/Chuck_Palahniuk
[1]http://www.codinghorror.com/blog/2012/06/because-everyone-st...
Quit lying you pricks.
Looks like there isn't really a good AC router - most AC routers have poor reliability reviews everywhere (even the new Apple one).
EDIT: Asus' security audit, The apple one should work if you don't leave their eco system since the card and WAP probably have the same specs.
http://reviews.cnet.com/8301-3132_7-57594003-98/asus-patches...
It's depressing how bad many consumer-targeted products there are in the tech space. Printers (seriously, why do we still have printer drivers), routers, operating systems, even software. Even non-techie users take notice of this!
Is there space for a competitively priced consumer router of high quality?
Of course assuming you are going to run OpenWRT or something equivalent. Running some OEM crap on routers is just madness.
TL-MR3020+OpenWRT = <333
I would imagine that the OpenWRT community (and related open-source firmwares like Tomato and DD-WRT) are sufficiently large enough that there is a market for a piece of hardware that is optimal for open-source router firmware.
So, there's definitely a market for it. But, I don't know that it's comparable to the market for consumer oriented devices. It'd be nice if consumers were smarter and knew enough to demand this kind of thing.
It'd be really nice if one could go to the store and buy a router running OpenWRT or Tomato or whatever, like you can go to the store and ask for an Android phone or a Windows PC. As operating systems go, many current routers are probably more complex than DOS or early Windows versions and certainly more complex than many early phone operating systems. Not sure why nobody has thought to make the OS a competitive factor for routers.
I had a v1 WRT54G; after six or seven years running OpenWRT, it finally died last month. Now I have a cheap TPLink while I wait for the dust to settle on the AC models.
https://www.kickstarter.com/projects/2037429657/almond-80211...
The beta units are just now shipping, and I would expect full production to be underway within a few months.
[0] http://www.securifi.com/almondplus
> The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it's shipped.
https://www.schneier.com/blog/archives/2014/01/security_risk...
I mean, it's not exactly rocket surgery