• ve2mrx

    @ve2mrx

    Viewing 15 replies - 136 through 150 (of 155 total)
    • in reply to: Horowitz: New modem security is a disgrace #329765

      Alex, I agree with you!

      I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

      I am not going to use a firmware that I have to update all the time because they add features, but for which I don’t know for each release if there is also a security fix or not. I don’t want to have to take the time to verify that constantly. <…> At the very least, you should be able to subscribe to a mailing list where security issues are sent to you right away to warn you to update the device.

      However, a normal user should never have to periodically manually check for firmware updates.

      I am a big fan of Long Term Support software. New features on major versions, fixes on minor versions. It used to be that way, until Internet browsers made the rolling updates sexy for shareholders. Now, everyone wants to be part of that fad! Instead of only fixing bugs, you add new ones! That is plain wrong.

      One point you touched: Up to date, precise documentation. Software should be built FROM documentation, not the other way around. Too often, documentation is lagging, vague or non-existent.

      Anytime, there is a tough choice to make: simplicity vs flexibility vs security vs cost. The more flexible, the least simple and the less secure. Simple and secure, less flexible. The least costly, the more simple, the least flexible and the less secure. Pick your poison.

      1 user thanked author for this post.
    • in reply to: Horowitz: New modem security is a disgrace #329762

      Alex, I agree with you!

      I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

      As for uPnP, it is a tricky question. For someone that likes to buy the IoT gadgets and that has been warned about the security risks, it makes sense to leave it enabled to be able to use these things more easily from the outside, but the first thing I always tell people is do you really want to have someone from the outside be able to enter your cheap IoT things? You need this that bad or you just find it cool but if you are aware of the security risk you will not allow it?

      I see people that ask me to open a port to the inside for their software to work all the time and they get annoyed when I tell them it shouldn’t be required and they should have built their software better. Lots of people go for the easy way without thinking twice about security, even today. This whole attitude needs to be changed.

      Firewalls are like a house: You can make it very secure, but every hole you cut for a window or door is a security hole that needs attention. There’s nothing like building a security Fortress and leaving a cheap eBay-provided screen door open on the side 😉

      1 user thanked author for this post.
    • in reply to: Horowitz: New modem security is a disgrace #329753

      Alex, I agree with you!

      I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

      There is no incentive for router companies to provide security. Routers are cheap devices and as Michael said, reviews focus more on dust gathering abilities, looks and speed than security.

      Years ago when it was already clear for a long time that WEP wasn’t an acceptable security solution, there was a huge internet provider that shipped tons of routers with WEP configured as the security, probably to avoid support costs on older devices. They probably calculated it would cost less to do things that way than activate WPA2 and handle the issues for the customers that would not support it. They probably thought that anyway, there are not many people that will have their wifi cracked and even if they do, they won’t be able to trace the source of the issue to them. This attitude is a disgrace and meanwhile, there were people hopping on others’ networks to get free Internet access and steal their data to download torrents.

      It is a shame that consumer routers are already not that well maintained by the companies who build them and it is not clear at all to the consumer when they stop being patched.

      (Emphasis is mine)

      There is no accountability for companies, and software security is hard. On top of that people are ignorant. Those who try to read the license agreement? Almost none. And if you do, it’s likely to say something like “We cannot be held responsible for anything the software does, whether we know about it or not, and we have no obligation to fix anything. You give up the right to sue us or to enter a Class Action suit against us. Give us your money and [edited].”

      In a way, Free Market is a failure when every company agrees to be equally Evil or bad. To most companies, you are no longer the real customer. You can no longer vote with your money. Shareholders vote with theirs! THEY are the real customers.

    • in reply to: Horowitz: New modem security is a disgrace #329752

      Alex, I agree with you!

      I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

      I once asked the people responsible for DD-WRT if they planned to have an autoupdating firmware. They said it would be too much trouble and there are too many brands of routers to support. I think they should pick a few models and support them better with optional autoupdating firmware that doesn’t lose config for them. Then, I could install a properly configured DD-WRT firmware on old routers of some friends and be done with it for a long time. Of course, I can’t blame them for not doing it, but I still think they miss a big opportunity to make the Internet safer. If the community doesn’t do it, who is going to do it?

      That’s the reason I dropped DD-WRT. I had used it since the venerable Linksys WRT-54Gv2.2. At first with original firmware, then DD-WRT. Migrated then on Asus RT-N16 with DD-WRT. A few years ago, while checking about a router vulnerability I searched for a “new”, “right” version of DD-WRT to update to.

      You nailed the main problem with DD-WRT: It’s far, very far from simple. They support too many routers. Every new Beta release fixes a problem on the new “port-of-the-day” router, but causes problems on another. I like having control over my devices, and DD-WRT gave people control and so many useful features! But having to spend hours to find the “right” build that “Just Works” on my specific router is too much, even for me.

      I gave up and started to shop for new routers. I am the permanent family Tech support Help Desk lone staffer, so I needed something that Just Works. Gone with Ubiquiti.

      1 user thanked author for this post.
    • in reply to: Horowitz: New modem security is a disgrace #329706

      I tend to agree. It’s complicated to most users. It’s just going to be more complicated.

      Home IT services will probably become as needed as a plumber or electrician. It is a specialized job. However, it is relatively new compared to electricity and plumbing.

      Nobody died at home from Internet issues yet. Blood brings Laws!

    • in reply to: Horowitz: New modem security is a disgrace #329703

      At least my ISP sends out DSL router/modem boxes with individually set SSID and default admin password. It’s on the device label right next to the serial number, and yes, it does go back to that if you do a factory reset on it.

      One brand got bit hard because of that. The Wi-Fi password could be calculated from the “random” SSID. Am I right @Michael432?

    • in reply to: Horowitz: New modem security is a disgrace #329702

      Changing username and password is great! That is, until they kindly reset your router to defaults to “help” you solve your service issues!

      2 users thanked author for this post.
    • in reply to: Horowitz: New modem security is a disgrace #329700

      I absolutely agree!

      My reading on @Michael432’s website for many years combined with my personal experience makes me believe that:

      • In general, the software quality and maintenance level of consumer devices (usually the stuff you can buy from Big Box store shelves) is poor as it’s built for a price. It feels marketing has way more input in the equation than the software engineers (Dead spider routers anyone?). The devices have short term support only, almost throw-away devices. ($)
      • Then there are ISP devices… Mostly as above, built for a price, less marketing, more long term support. I suspect the ISP has to pay for support. ($$)
      • Finally, business devices are aimed at performance and long term support. Many of them have paid support plans. They usually Just Work. Bugs are dealt with. After all, you pay for it. ($$$)

      (My) Bottom line: You get what you pay for. Software engineers don’t work for free!

      Martin

      Edit: Typo

      3 users thanked author for this post.
    • in reply to: Horowitz: New modem security is a disgrace #329537

      Another danger about network devices: outdated or manufacturer abandoned devices! How many manufacturer-abandoned vulnerable routers are online? ISPs usually don’t replace an obsolete CPE device unless it’s required for service. Many have not gotten firmware fixes in years, yet are on a shelf carrying Internet to customers!

      How many devices are forgotten, completely unmanaged by anyone, hidden in a cupboard until it fails? Those exist too, vulnerable, waiting to be abused.

      The solution? Automatic disconnect 6 months after the last successful firmware check, firmware update or logon. If marked as vulnerable or no longer supported, 6 months too! On logon, a big red warning and by typing back a 32-character random string, the device works for another 6 months! It WILL get the needed attention!!!

      Any other ideas?

       

      Martin

    • in reply to: Horowitz: New modem security is a disgrace #329534

      Hi!

      Of course default password change should be mandatory on any consumer network-connected device! Heck, why even have a default one? The device should be unconfigurable until a password has been set.

      For business level devices, default passwords should bring up a warning until changed. I know some of those devices get pre-configured and finished up on-site. My opinion, up for discussion!

      Martin

      3 users thanked author for this post.
    • in reply to: Horowitz: New modem security is a disgrace #329532

      Hi!

      I am the Martin Boissonneault (@ve2mrx) quoted above! I totally agree with you, UPnP has no place on a secured and actively managed business network. IT needs to know what runs around in the network, even if only from an accountability point of view. Letting users, or potential malware, punch holes in your firewall is a really bad idea.

      In a residential setting, it’s easier to let devices set up their own incoming ports than require users to RTFM and reconfigure the firewall. It would more likely end up as a call to the family support desk permanent staffer (me)!

      I would have to say, configuring UPnP should be done after considering the level of risk and the possible extent of compromise.

      I agree WEP, WPA(1), WPS(pin) should be black-listed, default OFF with a big warning, and UPnP should be OFF, enabled only if the “admin” understands the risks.

      Martin

      6 users thanked author for this post.
    • I don’t know, I don’t run Windows 10 often, I still hang on to Windows 7 for my machines!

      With all the malware-like behaviour of Microsoft since the release of Windows 10, the trust is broken and I consider everything Windows 10 malware with a built-in OS.

      Thankfully, the Lenovo machine I earned had support for Windows 7, which was quickly installed. Windows 10 is dormant on another partition.

      Martin

      2 users thanked author for this post.
    • In many cases, malware runs using some system level rights. Removing those rights from the folder prevents the system from accessing the malware, thus preventing it from running on boot. After removing the rights, kill the malware processes, check the rights again, fix as needed, reboot. Then you can delete the malware. Or the Update Assistant!

      2 users thanked author for this post.
    • What I would try:

      1. Delete the files but leave the directory in place
      2. Remove all rights but mine on the (now empty) directory.
      3. Enjoy!

      Also works with malware to prevent run on boot stuff from running with Admin rights, giving you time to delete it. If the system cannot read it, Goodbye!

      Martin

      2 users thanked author for this post.
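
The two posts above describe the same permission trick: empty the directory, then strip every right on it except your own. One way to do that from an elevated PowerShell prompt, as an added example that is not part of the original posts; the directory path is a hypothetical placeholder, since the posts do not name it.

```powershell
# Added example, not from the original posts. Run from an elevated prompt.
# $dir is a hypothetical placeholder: the posts do not name the directory.
$dir = 'C:\Path\To\UnwantedFolder'
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Step 1: delete the contents but leave the directory itself in place.
Get-ChildItem -LiteralPath $dir -Force | Remove-Item -Recurse -Force

# Step 2: build a fresh DACL with inheritance disabled and a single ACE for
# the current user. A new DirectorySecurity object carries only the access
# section, so Set-Acl does not also try to rewrite the owner.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($ace)
Set-Acl -LiteralPath $dir -AclObject $acl

# "Check the rights again": fail loudly if anyone else still has an ACE
# or if inheritance is still switched on.
$after  = Get-Acl -LiteralPath $dir
$others = @($after.Access | Where-Object { $_.IdentityReference.Value -ne $me })
if (-not $after.AreAccessRulesProtected -or $others.Count -gt 0) {
    throw "ACL on $dir still grants access to: $($others.IdentityReference -join ', ')"
}

# The owner can always rewrite the DACL, and SYSTEM and administrators can
# take ownership, so record who owns the directory and re-check after reboot.
"Owner of ${dir}: $($after.Owner)"
```

This stops a process that simply opens the path with its normal token; a process that deliberately takes ownership or resets permissions can undo it, which is why the re-check after reboot matters.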
    • Idea: Woody and Susan could set up a WSUS server and we could subscribe to it!

      It seems to me they both have the knowledge to run it, and this way most M$ nasties would not even try to load?

      Also, when the DefCon changes, they would flip the updates to on at the same time ☺️

      2 users thanked author for this post.