Replies

Oh, I mis-read it then. I stand corrected.

Thanks!

I really don’t distrust Kaspersky for my personal use. But they won’t be my first choice.

I was only pointing the irony of trusting those who created the infection.

Of course, they are not blackhats, but the method used cannot be considered ethical. They DID breach Asus’s infrastructure and altered systems of non-consenting parties! I believe it’s against the law in many countries? So I now consider them greyhats.

My humble opinion,

Martin

There is not much worse than an update tool that fails to self-update. That is amateurish.

That reminds me of that TV company who had a compromised FTP password: they changed it, preventing TVs from updating in the future… Sooo bad!

3 users thanked author for this post.

Kirsty, alQamar, ram5thwheel

I used to like Asus hardware. But once you get the box, your experience is unclear. The support policy is unclear regarding length of firmware and driver support (at least that’s my experience from past purchases).

I once bought a great (in spec) Wi-Fi adapter that had two driver updates and became unusable. Had to use RaLink drivers that had less features.

When I think Asus, I now think “Two years and you are on your own“.

Martin

1 user thanked author for this post.

AlexEiffel

For that, you need to trust the exe given from the infecting entity…

Food for thought!

I’m one of the few who has a legitimate copy! It is from the Windows 7 launch party. I didn’t pay for it however…

I am glad they warn people about EOL.
So much computer stuff goes EOL without users even knowing (routers anyone?).

A simple nag is good. A full-on GWX behind your back install of Windows 10 after you clicked the red X to close the window is not.

Don’t forget the AskWoody crowd is different than most users. Most users need to be helped in computer security stuff. They don’t have an IT staff to look out for them.

Martin

1 user thanked author for this post.

SueW

I somewhat agree with Microsoft about getting new hardware.

The security context has changed significantly in the last few years, and most can’t ensure their hardware is supported in addition to hardware, firmware, management engine, CPU, drivers, software is secure. There is no easy way to check if your system is not vulnerable to attack. It’s out of reach to most.

The sensible recommandation (from the Windows 10 point of view) is to get hardware manufactured for Windows 10 and still fully supported.

My recommendation has always been to install manufacturer-supported versions of Windows. Unless, of course, you have the required knowledge to take the entire responsibility for securing, troubleshooting and fixing your otherwise unsupported systems. Many AskWoody readers can do it, but not everyone.

Martin

1 user thanked author for this post.

RDRguy

One point to consider when using Windows 10 on old hardware :
No longer supported (networking) hardware!

The reason is that everything that directly touches Internet can be attacked, including network drivers. There has been vulnerable network drivers in the past.

It’s also the reason why running a virtual machine of any flavour on a Windows 7 host after sunset is not to be considered safe. Better install Linux and run your VMs on top. You can then run anything you want with more safety (assuming the system BIOS/UEFI, Management Engine, CPU, firmware and network drivers are safe).

Overall, it’s safer to get a newer, still supported system with continuing updates.

Special exception : Many (most?) AskWoody readers have the knowledge to check and ensure their important devices are still supported and kept up to date with security fixes. If you want to take that responsability, do it, knowing your machine’s ass is your hands!

My family will upgrade to new hardware. Some of the 10 years old stuff will be repurposed and switched to Linux.

Martin

Can you confirm that:

slmgr /upk “activation id”

actually deactivates the key on Microsoft’s servers? Or does it only removes the local activation for a key replacement? Any Microsoft source?

Curious,
Martin

1 user thanked author for this post.

Sinclair

Yeah, TR-069 is often baked in ISP device firmware. They can check settings and connection statistics. It’s not evil, but a Privacy issue.

You need to trust the company or not. If not, change company. After all, they see all your unencrypted traffic! I know, easier said than done. VPN companies are not better, and sometimes have unclear motives. A Facebook-owned company once offered a free VPN service. Reading the EULA, I saw they would scan all the traffic “to enhance their services”. Yeah, right… No thanks!

 

I think the solution is what they did for phone service. They could guarantee service up to a demarcation point and include a modem in this guarantee. Anything beyond that is your problem.

In my residential install, there is the problem: The combo TV/Phone/Internet router box connects with optic fiber. The fiber OLT is a plug-in module that can be used with your own router (extra hardware needed). Because of the Phone part, I’m stuck with their router box. There is no known way around. TV is hard but can be separately configured in some routers.

They chose to put everything in this one box, locking you with their hardware. The demarcation point is the fiber port now, but they support the service with their Sagemcom box. Anything else and you are on your own.

They do allow you to connect with another PPPoE connection through their router, but with limited speed while Gigabit speeds are available with theirs. No way to have full speed using your own router without bypassing their router. But it’s feasible.

You are lucky if fou can deny the ISP access! Here, my ISP has baked in TR-069 to their devices. They can access it anytime. Unless, of course, they choose to open that SSH port!

Yes, a vulnerability scan of my ISP’s Sagemcom device revealed an vulnerable, accessible SSH port!!! Management listened to my report and the firmware has been fixed. But not before I pointed them to the media mess a mass attack could cause.

Lucky in my unluckiness, I can piggy-back my own router to their device using PPPoE pass-through. Their device provides IPTV phone service and (unused) Internet, while my EdgeRouter Lite provides me my Internet.

Whatever access they have, they won’t access my local network.

Martin

2 users thanked author for this post.

rc primak, GoneToPlaid

Alex, I agree with you!

I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

AlexEiffel wrote:

On a side note, in today’s world, trust should be at an all-time low.

You can now expect that software will do many things you would not want them to do in the background even when you are not using them actively for their intended purpose. Spyware has become acceptable or a “necessary” evil that people tolerate without having a clear understanding of what is going on because they feel like it is an inescapable reality of today’s apps landscape.

<…>

We need more insulation between codes. My streaming music app should just be able to play the music, not look at what I am doing on my computer, put cookies in some places or track where I go to build a marketing profile. We are far from there right now.

Rant warning: The following might be considered depressing.
As for trust, you are right. I trust very few people, and even then, I expect them to fail me. Companies? Hard, very hard. Usually, the smaller ones are better than huge ones. They need you, their customer, to be satisfied to grow. So, they care.

Facebook, Microsoft, Google? Nope. You are a pawn to them. Apple? Feels a bit better. But the bigger the company, the more centered on themselves they become. Their satisfaction before yours. Their shareholders before you anytime.

If they have shareholders, at first, the shareholders want customers to have a good opinion of their investment growth. But as profits to shareholders grows, so do their demands. The companies become prostitutes for the shareholders, and the customers, pawns in that game…

That’s the huge problem we are facing now: once the shareholders get on board, you lose your company’s soul. The focus becomes growth and revenue. Milk it as hard as you can.

I don’t know how to fix that. How to prevent that. But it’s part of the bigger problems in our society. Shareholders. Pollution, security, privacy, quality, price… Just maximize the profits while making it just good enough for people to give us money. Go as bad as the others. Then, consumer pawns, [edited].

That’s the failure of our economic model. It needs to exploit something and/or someone. The value is rarely from the work needed to get the final product, but from the desire of others to get it. Good products where the norm in the 70’s? 60’s? It’s over.

Second warning: yes, it depressing but true!
Heck, Just 8 men own same wealth as half the world (yep, eight people) own 50% (yes, fifty percent) of all resources on this Earth. Poverty is there to stay.

Climate change on top of that, and we are looking at the end of humanity.

• Climate change impacts worse than expected, global report warns
• Global warming report, an ‘ear-splitting wake-up call’ warns UN chief

Please, don’t give this poisoned gift to kids.  Don’t have kids unless you want them to suffer. Open your eyes, the bright red flashing signs are there.

Human nature wins at the end: Everyone for themselves 🙁

All right, my rant is over. Once you know something, you can’t unlearn it. I envy the ignorant.

Martin

1 user thanked author for this post.

wavy

Alex, I agree with you!

I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

AlexEiffel wrote:

I am not going to use a firmware that I have to update all the time because they add features, but for which I don’t know for each release if there is also a security fix or not. I don’t want to have to take the time to verify that constantly. <…> At the very least, you should be able to subscribe to a mailing list where security issues are sent to you right away to warn you to update the device.

However, a normal user should never have to periodically manually check for firmware updates.

I am a big fan of Long Term Support software. New features on major versions, fix on minor versions. It used to be that way, until Internet browsers made the rolling updates sexy for shareholders. Now, everyone wants to me part of that fad! Instead of only fixing bugs, you add new ones! That is plain wrong.

One point you touched: Up to date, precise documentation. Software should be built FROM documentation, not the other way around. Too often, documentation is lagging , vague or non-existent.

Anytime, there is a tough choice to make: simplicity vs flexibility vs security vs cost. The more flexible, the least simple and the less secure. Simple and secure, less flexible. The least costly, the more simple, the least flexible and the less secure. Pick your poison.

1 user thanked author for this post.

AlexEiffel