[Cryptography] "Home router warning: They're riddled with known flaws and run ancient, unpatched Linux"
Henry Baker
hbaker1 at pipeline.com
Thu Jul 9 18:14:15 EDT 2020
At 11:30 AM 7/9/2020, Dan McDonald wrote:
>On Thu, Jul 09, 2020 at 08:57:36AM -0400, Jerry Leichter wrote:
>> https://www.zdnet.com/article/home-router-warning-theyre-riddled-with-known-flaws-and-run-ancient-unpatched-linux/
>>
>> Shocking. And there's gambling going on, too.
><SNIP!>
>
>It's one of the strongest arguments for:
>
>1.) Decoupling the WiFi access point from the NAT/Router.
>
>2.) FURTHER distrusting wifi/NAT/Router combos provided to you by your
> helpful ISP. (I've a VZ one that's sat unplugged since 2009, e.g.)
Re: "Decoupling the WiFi access point from the NAT/Router"
This is absolutely critical; there used to be a "demarc" for POTS;
set up a digital demarc at the cable modem boundary: there's no
reason for anyone to be trusting the crappy combo NAT/router/wifiAP
devices that ISP's give^H^H^H^Hrent to you.
So here's my suggestion:
* cable modem with 10-12 year-old never-updated Linux connected via Ethernet;
disable wifi HW on this device (or better: buy a cable modem w/o wifi at all)
* Raspberry Pi 4 acting as NAT/router/DoH DNS/... connected via Ethernet
* Wired LAN backbone (Ethernet, etc.)
* various wifi AP's running the latest OpenWRT SW
NO uPnP!!!!!! (compile OpenWRT w/o uPnP, and w/o SMB)
I'm considering setting up separate internal VLAN's/VPN's
*solely* for closed-source home devices that I don't trust,
and none of which I want to be able to see any of the others:
'smart^H^H^H^H^Hsurveillance' streaming TV's/NEST's/RING's/etc.
Yes, I know, Raspberry Pi's have some closed HW & blobs,
but the good news is that RPi4 SW is kept very much up to
date -- as well as, if not better than, many desktop
Linuxes.
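What the "Raspberry Pi as NAT/router/DoH DNS" plus "separate VLANs for untrusted devices" layout looks like as a firewall policy, as an added example that is not part of the original message or of any project. It is an nftables ruleset for the Pi; the interface names, VLAN IDs, subnets and the assumption that the local DoH-forwarding resolver listens on .1 of each VLAN are hypothetical. The trusted LAN may talk to the Internet and may initiate connections to the IoT VLAN (so you can still cast to the TV); the IoT VLAN may reach only the Internet, and any plain DNS it sends, even to a hard-coded public resolver, is redirected to the Pi's resolver. Nothing unsolicited from the cable-modem side is accepted and there is no UPnP, so no device can punch a hole in from the inside.

```nft
#!/usr/sbin/nft -f
# Assumed (hypothetical) layout on the Raspberry Pi router:
#   eth0     -> cable modem (WAN, untrusted)
#   eth1.10  -> VLAN 10: trusted wired LAN and the OpenWrt APs   (192.168.10.0/24)
#   eth1.20  -> VLAN 20: closed-source "smart" devices            (192.168.20.0/24)
# The Pi runs the DoH-forwarding resolver on .1 of each VLAN, port 53 (assumed).
# IPv4 only; if the modem hands out IPv6, ICMPv6/RA rules must be added.

flush ruleset

define WAN = "eth0"
define LAN = "eth1.10"
define IOT = "eth1.20"
define IOT_DNS = 192.168.20.1

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Only the trusted LAN may administer the router.
        iifname $LAN tcp dport 22 accept

        # Both VLANs get DHCP, DNS and ping from the router, nothing else.
        iifname { $LAN, $IOT } udp dport { 53, 67 } accept
        iifname { $LAN, $IOT } tcp dport 53 accept
        iifname { $LAN, $IOT } icmp type echo-request accept

        # Everything arriving unsolicited on $WAN falls through to the drop policy:
        # no admin interface, no SSDP/UPnP, no inbound port maps.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Trusted LAN -> Internet, and LAN may initiate to IoT devices (cast, control).
        iifname $LAN oifname $WAN accept
        iifname $LAN oifname $IOT accept

        # IoT -> Internet only. There is deliberately no IoT -> LAN rule, so an
        # IoT device only ever sees LAN traffic as replies to LAN-initiated flows.
        iifname $IOT oifname $WAN accept

        # Traffic between two IoT devices on the same VLAN is switched at layer 2 and
        # never reaches this chain; client isolation on the AP (or one VLAN per
        # device) is what separates them from each other.
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Force plain DNS from the IoT VLAN to the local resolver, even when a
        # device ignores DHCP and hard-codes a public resolver.
        iifname $IOT udp dport 53 dnat to $IOT_DNS
        iifname $IOT tcp dport 53 dnat to $IOT_DNS
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` after checking syntax with `nft -c -f`. Two caveats a practitioner should keep in mind: the DNS redirect only catches port-53 DNS, so a device that speaks DoH or DoT to a hard-coded endpoint can only be blocked (by denying that destination in `forward`), not redirected; and isolating the IoT devices from one another on the same VLAN is the access point's job, for example the per-SSID `isolate` option in OpenWrt's wireless config, not the router's.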