From: "David P. Reed"
To: "Dave Taht"
Cc: "cerowrt-devel"
Date: Tue, 5 Feb 2019 16:06:46 -0500 (EST)
Subject: Re: [Cerowrt-devel] friends don't let friends run factory firmware
Message-ID: <1549400806.789924737@apps.rackspace.com>

Well, pots and kettles - I bet there are, amongst the huge numbers of LEDE/OpenWrt packages, some very useful DDoS amplification concerns. So it's really not a strong proof of the claim that "factory firmware" is bad.

My own home border router I built myself, and yet it acquires new problems with new updates (as well as having some fixed).

And, one thing that scares the bejeezus out of me is the passion for stuff like code allowing injection of binary code into the kernel (eBPF) being thrown into the Linux Kernel for "performance reasons". Hacking the clever network developer has never been easier - just throw them some complicated and subtle code that runs in the kernel that "everybody thinks is the coolest new thing". Here's the description of eBPF from the documentation I use: "The extended BPF (eBPF) variant has become a universal in-kernel virtual machine, that has hooks all over the kernel." Lovely. So userspace can make the kernel do completely untestable things.

There are lots of great things about creating the freedom to experiment, modify your own devices' firmware, etc. I think the existence of that community makes the world generally safer (more eyeballs, more innovation, etc.).

But this idea that everybody benefits by running some non-standard firmware they choose for themselves? That's bizarre to me, unjustifiable by any very good argument.

UBNT here seems to be doing the right thing - developing an update and distributing it to all its customers.

-----Original Message-----
From: "Dave Taht" <dave.taht@gmail.com>
Sent: Monday, February 4, 2019 3:41pm
To: "cerowrt-devel" <cerowrt-devel@lists.bufferbloat.net>
Subject: [Cerowrt-devel] friends don't let friends run factory firmware

https://www.zdnet.com/article/over-485000-ubiquiti-devices-vulnerable-to-new-attack/

--

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
