D-Link patch doesn’t address all bugs listed in their own security advisory (opens in new tab)

I used to own a D-Link DIR-655. It had a hilariously terrible bug: It had a scheduler built in, so you could set WiFi to turn off overnight, amongst other things.

The scheduler web interface would only accept a range in the same 24 hr day, if you tried to set it to e.g. start (WiFi off) at 11 pm and stop (WiFi on) at 5 am, it refused with an error (paraphrasing) "end time must be after begin time."

It was ONLY a JavaScript issue. You could trivially bypass it using a developer bar, and it worked perfectly. But they never fixed the JavaScript in all the years I owned it (and I doubt it is fixed right now today).

It was good for its time, but has limited onboard RAM, limited storage, and pretty slow WiFi by modern standards (there are even faster G-band, let alone N). Wouldn't recommend it today, and certainly wouldn't recommend touching Linksys with a ten foot pole.

As to stability, I'd describe it has a mixed bag. I owned one for just under five years and had to do fortnightly restarts (which I eventually automated), and we also owned one at work which needed nightly reboots (DD-WRT provided that).

PS - In fairness to the work one, the building was insanely congested. It was one of these buildings which are shared by three dozens small businesses, and each had 1-2 WiFi networks, plus the local homes also. When you spun up a WiFi analyzer it could not find an empty piece of spectrum, and a lot of routes/APs would crash if you left the "find best frequency" option checked (as they would hop continuously and never find anything).

To be fair, I know that firewalls have come to be considered "good security practice" -- but I've always been more comfortable to only expose programs that are supposed to talk to the Internet. Any recent version of Windows (say 8.1) comes with a firewall enabled (and that's needed, as windows still is a bit chatty with various smb protocols etc... just don't enable filesharing on your lan, if it's not protected from the Internet...). Don't know about OS X -- and for a Linux box, one can just make sure that everything is either off, listens to loopback -- or is supposed to be open.

Now, in many settings one do need a "LAN" in the sense of a firewalled playground for hopeless consumer devices, such as printers, ip web cameras etc.

Perhaps the biggest reason to have a firewall, is if you're running windows -- as unpatched windows machines live dangerously on the open Internet. And you'll be unpatched from initial install until you've patched up...

AFAIK there's been a while since any major Linux distro shipped with remote (no-action needed, like browsing) vulnerability out of the box.

As for "does not have an email account" -- I generally assume that anyone with half a brain can patch into the upstream DSLAM of my DSL line, so anything between me, and everywhere else is suspect. Which is of course why I protect my IMAP/SMTP with TLS.

[edit: consider people that use a laptop outside of the home -- they'll probably have to use dubious wireless links. It's more convenient to assume that the trust-boundary between you and the internet is at the local ethernet port/wireless card -- than anywhere else. That way you can have one set of "OpSec" that works (or not) wherever you are -- rather than fighting an uphill battle of situation awareness...]

>"This person does not do online banking, does not have a webcam or mic installed device such as a laptop, and does not have an email account."

I don't know a ton about networking (probably not too much in fact) but doesn't HTTPS fix most of this? And if your laptop grants access to its mic/webcam to any packet that manages to make it past your router, I think you have a bigger problem.

Email and banking has two factor authentication and runs over SSL so it would have to be a very determined hacker to get to my money.

Its not perfect, but as I'm pretty comfortable with the risk balance. Things like all these android apps containing god knows what make me way more jittery (See google's recent cleanup).

Apple's routers are based on VxWorks. So if you trust VxWorks' networking, then you can trust Apples routers.

Personally I trust VxWorks over some patchwork router of the week by the usual vendors. It's used in many safety critical/medical applications, including the mars rovers.

The downside being that VxWorks has very low resource requirements, so some vendors use them to cut resources. Hence, You'd better be happy with the factory provided configuration because you can't flash them.

I recently bought an Asus AC-1900 router (the RT-AC68W) after a long search, specifically for its supporting DD-WRT.

Some OpenWRT routers like the TL 1043ND I have suffer from VLAN leakage. Basically the router separates WAN from LAN via a VLAN config as the CPU has only one LAN port. At the router's bootup, devices on my lan would randomly get a public IP adress assigned by the DHCP server on the modem. Scared the crap out of me. From now on the thing is an access point, not a router.

You can buy routers which come stock from the factory with DD-WRT installed. I just bought one from Buffalo. Zero fuss and works great.

I would trust Apple's even more if the firmware releases were as regular as iOS updates. And the same goes for AirPort Utility releases, especially on Windows.

Yes, typically home routers tend to use pretty industry standard chips like Broadcom chips (like the BCM5357 in my home router). D-Link, Linksys, and crew don't usually roll their own SoCs, but just seem to throw off the shelf stuff in there. These chips tend to be SoCs, and while I can't be totally sure that there isn't a weirdo NSA backdoor on it (probably just as likely as any other router, residential or commercial), most of the meat lives in the chip, and with good open source firmware (DD-WRT et al.) it's probably just about as reasonable as anything else coming and going. I certainly have far more faith in a regular off-the-shelf SoC + open source firmware tuned to my own needs (and believe or not thisn't hard at all) than anything with propriety firmware, including (and especially, to me) Apple. Maybe the next best thing to do is to build your own WiFi router from totally off the shelf parts (not so hard to get into a small form factor any more).

As to inspecting the SoC itself, that would be certainly interesting. Most of them are just ARM SoCs; this might make for an interesting blog post looking at the silicon.

The OpenWRT wiki pages for the routers usually has some detailed info about the hardware. That won't tell you about hardware problems they might have that they didn't investigate but you can usually find photos of the boards to see what's there. [1][2][3]

[1] http://wiki.openwrt.org/toh/tp-link/tl-mr3040#photos_v10 [2] http://wiki.openwrt.org/toh/linksys/wrt610n#opening_the_case [3] http://wiki.openwrt.org/toh/netgear/wndr3700#photos

I wouldn't exactly say comfortable, maybe more comfortable. Sometimes you have/need to make do with what you have.

good point...

i do think it is pretty hard to stop caring though, what happens generally is that if you start to get that demoralised you will leave and find something else. :)

Isn't Tomato way out of date? Wikipedia shows the last stable release was almost 5 years ago, and the website shows no dates on its releases (not a good sign). I ran Tomato for a long time and loved it, but I just got too nervous running such old software as the gateway to my network. Ended up upgrading to a cheap TP-Link router, switching to the latest and greatest OpenWRT release, and haven't had any complaints at all.

OpenWRT tracks upstream software as well as the desktop Linux distros do, and it's what the upstream developers use. DD-WRT and Tomato put their own web interface on things but often leave important parts of the system out of date for very long times, especially when they're being held back by proprietary drivers. If you want to make full use of the features and stability and security of modern Linux networking, OpenWRT is where to start: you know you're getting proper IPv6 support, state of the art QoS stuff many DD-WRT and Tomato devs haven't even heard of let alone understand, and a current kernel.

You can disable their http/https/telnet interfaces and stick to ssh with key auth for administrative tasks. That alone should help.

Also, they come with upnp and other unnecessary daemons disabled which greatly reduces their attack surface.

I wonder where this "length blindness" comes from, since it certainly leads to a lot of vulnerabilities. Are these programmers who started with a higher-level language than C, one with dynamically sized strings that automatically expand? Do they even know how big the buffer is, or how long the input string could conceivably be? Did they ever consider the case where the input is very, very long?

A funny analogy I've heard is "programmers who don't know the size of their buffers are like drivers who don't know the size of their cars."

I agree, but I don't think mentioning such an exception is a good idea. That's basically the same reason why gets() is part of ISO C90 and C99. Just call snprintf() even in such cases and forget about sprintf().

From http://www.open-std.org/jtc1/sc22/wg14/www/C99RationaleV5.10..., PDF page 163:

>The Committee decided that gets was useful and convenient in those special circumstances when the programmer does have adequate control over the input, and as longstanding existing practice, it needed a standard specification.

Yes, the point is that these are obvious flaws, and dlink didn't even fix them. Someone from the dlink team just sucks.

edit: And that someone may not even be the developer, at the end of the day, the company does not have the systems in place for quality control.

Yes there are these things, although usually more focused on C++ these days.

Compiling C as C++ with a C++ compiler is not a bad idea though... many compilers which will deal with both and tend not to care about pure C very much at all. Modern, extremely popular compilers may not even support C89 features yet... not to mention that lots will allow dangerous things like returning nothing from a function with a non void return type without even a compile error.

Many tools can catch the bugs mentioned here though - things like PVS studio, cppcheck, or the built in visual studio or xcode analysers (I would never recommend pc-lint, sorry), and some of these things mentioned are compiler warnings in some cases (sprintf will trigger the endlessly annoying CRT_NO_SECURE_WARNINGS message from the ms compiler for instance).

Indeed, but I don't think ariendj was talking to mom or pop.

It's the HP T5735. It's second hand from ebay. I got the fat version that has an extra PCI slot and I put a Realtek gigabit NIC in there. It's fast enough for home use, it does not saturate with my 200 megabit link. I use a TL-WR1043ND as an access point and VLAN-capable switch.

I think that he means per month in electricity costs. ;)

Ditto. Also, even low power x86-64 just beats the crap out of any MIPS processor you'd typically run OpenWRT on.

HP T5735, there is a wide version of it with a PCI slot. I don't know about prices worldwide but 40$ is pretty much what I payed for a second hand one here in Germany.

The Apple Airport Express is reasonably cheap, has a great range, is easy to configure, and doesn't have a reputation for being insecure.