Comment 16D Re: Okay

Story

Netgear Hides Router Backdoor Instead of Fixing It

Okay (Score: 2, Interesting)

by Anonymous Coward on 2014-04-23 14:41 (#15D)

This is indeed deliberate, maybe on NSA order? As a consequence, Netgear, Cisco, Linksys and the other US network gear suppliers should be avoided as home and enterprise equipment from now on.

Re: Okay (Score: 1)

by songofthepogo@pipedot.org on 2014-04-23 15:26 (#15E)

Time to look into open-source firmware. Replacing the OEM firmware with, e.g., DD-WRT would mitigate this sort of thing, wouldn't it? I'm honestly asking.

Re: Okay (Score: 3, Informative)

by omoc@pipedot.org on 2014-04-23 17:00 (#15F)

Well, sadly most Linux distributions tend to *not activate* some exploit mitigations. I don't know about the Linux router firmwares, but last time I checked they even used some old kernel versions that didn't even have some of these mitigations. Personally, I have been using OpenBSD on an old ALIX board for a long time. Too bad pfSense is based on FreeBSD instead of OpenBSD, otherwise it would be an ideal candidate.

For hardware, I would recommend either the ALIX boards (http://www.pcengines.ch/; there is a new APU model) or MikroTik RouterBOARDs (http://routerboard.com/).

Re: Okay (Score: 2, Interesting)

by fnj@pipedot.org on 2014-04-25 14:46 (#15X)

Nothing at all against OpenBSD, it is great, but do you have something of substance against FreeBSD? Why specifically do you think basing pfSense on FreeBSD is a negative? I may be reading too much into your comment.

Re: Okay (Score: 2, Interesting)

by omoc@pipedot.org on 2014-04-25 18:07 (#168)

FreeBSD just started to implement mitigations that have been standard in OpenBSD for years. For example, ASLR or SSP: the last time I checked was 2013, and FreeBSD still lacked these very simple mitigations that are even available in Windows by now. This is just utterly ridiculous.

They're just sloppy in terms of security and they also accept horrible patches just because there is some performance benefit. OpenBSD plays on an entirely different level and is my only choice for infrastructure as critical as routers.
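As an added example (not code from any of the commenters), here is a small Python check for the mitigations named in this thread, written to be run over ELF binaries extracted from a router firmware image: it reads the ELF header for PIE (ET_DYN, which the main executable needs for ASLR to apply), the PT_GNU_STACK program header for a non-executable stack, and looks for the `__stack_chk_fail` symbol name that SSP-compiled dynamic binaries import. The two sample binaries are constructed in-line (a big-endian MIPS-style header with a single program header) and are not real firmware.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551          # program header that carries the stack flags
PF_X, PF_W, PF_R = 1, 2, 4

def elf_mitigations(data: bytes) -> dict:
    """Report PIE, non-executable stack and SSP use for one ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    nx = None   # no PT_GNU_STACK at all: the loader picks its default, so report unknown
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        # p_flags sits right after p_type in ELF64 but at offset 24 in ELF32
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,                       # needed for ASLR of the main image
        "nx": nx,
        # SSP-built dynamic binaries import __stack_chk_fail; the name survives stripping.
        # Static, stripped binaries can hide it, so False here is only a strong hint.
        "stack_protector": b"__stack_chk_fail" in data,
    }

def make_elf32(e_type, stack_flags, protector, big_endian=True):
    """Build a constructed (not real) 32-bit MIPS-style ELF with one program header."""
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    # e_machine 8 = MIPS, e_phoff 52 (directly after the 52-byte header), one 32-byte phdr
    hdr = ident + struct.pack(end + "HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    p_type = PT_GNU_STACK if stack_flags is not None else 0      # 0 = PT_NULL
    phdr = struct.pack(end + "IIIIIIII", p_type, 0, 0, 0, 0, 0, stack_flags or 0, 16)
    tail = b"__stack_chk_fail\x00" if protector else b"\x00"
    return hdr + phdr + tail

if __name__ == "__main__":
    for name, blob in [("old-firmware-style", make_elf32(ET_EXEC, PF_R | PF_W | PF_X, False)),
                       ("hardened", make_elf32(ET_DYN, PF_R | PF_W, True, big_endian=False))]:
        print(name, elf_mitigations(blob))
```

Point `elf_mitigations` at the bytes of each binary unpacked from a firmware image; any `False` or `None` in the result marks a binary built without that mitigation.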

Re: Okay (Score: 1, Interesting)

by Anonymous Coward on 2014-04-26 11:05 (#16D)

Well, most of those mitigations don't even make sense on a router box (no local user activity, a subset of daemons, no HTTP-like stuff opened to the public, just plain old routing and NAT). And FreeBSD has a couple of other security features that - while not that relevant to routers - are absent in OpenBSD. This includes jails (and no, systrace doesn't cut it), ACL support, MAC, signed packages and port auditing. Even NetBSD's veriexec feature is still missing on OpenBSD. ASLR and SSP are nice, and they mitigate real threats, but this is not 1998 anymore. And the reason these techniques exist is that most kernel developers haven't bothered reading the actual x86 processor manual and implementing a per-process, multi-segment architecture.

And yeah, I used OpenBSD for more than 10 years. I'd still pick it as a solution for VPN endpoints or small-time routing.

Moderation

Time Reason Points Voter
2014-04-26 16:36 Interesting +1 songofthepogo@pipedot.org
