From: Dave Taht
To: "cerowrt-devel@lists.bufferbloat.net"
Date: Fri, 1 Aug 2014 10:22:08 -0400
Subject: [Cerowrt-devel] EFF's contest at defcon 22: SOHOplessly broken goes looking for attacks against home routers
List-Id: Development issues regarding the cerowrt test router project

https://www.eff.org/deeplinks/2014/07/your-wireless-router-broken-help-us-fix-it-def-con

At one level, I'm pleased that the EFF is raising awareness of the security issues home routers have... though I wish they'd pointed to jg's work in this area http://cyber.law.harvard.edu/events/luncheon/2014/06/gettys

A problem I have with the contest structure is that it doesn't appear that any third party firmwares are targeted, like openwrt, gargoyle, cerowrt, dd-wrt, etc, and I do somewhat perversely hope those are targeted also, because those of us working on those distros ARE in a position to rapidly update them and inform our userbases... and while we're much more security conscious overall than the soho router makers, there's always the possibility we missed something.

It's also not clear if they are targeting common CPE such as cable modems and DSL routers. These too could use a shaking up. So could all the whiz-bang new ipv6 based features.

At another level I'm frozen, hovering over my tree, waiting for a possible flood of zero-days against cerowrt and openwrt and hoping for a chance to fix them before they hurt anybody, and not getting anything done. I feel like I have a great big target painted on my back...

--
Dave Täht

msg sent from a secure, undisclosed location
