Development issues regarding the cerowrt test router project
From: Dave Taht <dave.taht@gmail.com>
To: Philip Prindeville <philipp_subx@redfish-solutions.com>
Cc: Openwrt Devel <openwrt-devel@lists.openwrt.org>,
	 cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Mofi still shipping Barrier Breaker (14.07)
Date: Sun, 3 Sep 2023 10:04:35 -0700
Message-ID: <CAA93jw7sYSUq9m9rfQ42k9uRgVLvysn6CYO1Cakb-8ZVXGwE-A@mail.gmail.com>
In-Reply-To: <60AB3DD8-4F9E-46EF-B35D-BC2402675912@redfish-solutions.com>

The qsdk is on openwrt 15.

On Sun, Sep 3, 2023 at 9:51 AM Philip Prindeville
<philipp_subx@redfish-solutions.com> wrote:
>
> Hi all,
>
> As we work on the 23.05 release, I was stunned to receive a Mofi MOFI4500-4GXeLTE-V3 router with 14.07 installed on it as part of my Unlimitedville enrollment.
>
> I thought, "wow, this must have been sitting in a warehouse a while!  I'd better update it."  So I went to the company's support site, grabbed the latest image, flashed it, rebooted and... still running 14.07.
>
> For those of you too young to remember, Barrier Breaker was released 10/2014 and included the 3.10.14 kernel (released 6/2013).
>
> How is this not cyber security malpractice?  A firewall is your first line of defense against cyber attacks.  If your firewall has long known, well documented vulnerabilities and exploits, you might as well not have a firewall at all.
>
> I wrote them asking why there wasn't a more recent, more secure release of the firewall firmware and this was their response:
>
>
> > Dear Philip,
> > You dint seem to know what you are talking about and should leave software to Profesionals like us and relax
>
>
> I hope that most of the companies that use our software are more diligent, and don't incur reputational damage to our efforts by continuing to ship EOL firmware.
>
> I get that not every company has kernel developers in-house, and frankly, providing an updated kernel release for their SoC is the manufacturer's responsibility, and MediaTek has not been responsive in this respect (for the longest time they were shipping a 2.6.36 SDK!).  Some of the larger vendors (TPLink, ActionTec, Linksys, DLink, Netgear, et al) or their ODM partners have the option to hold their feet to the fire and make orders contingent on updated SDKs...  I doubt that Mofi does the sort of volume that gives them any leverage.
>
> But I regress.
>
> Class Action suits are becoming more prevalent with computer and networking equipment manufacturers, as the public becomes aware of the increasing cyber security threats as well as manufacturers' implied responsibility to address vulnerabilities in a timely fashion as they become aware of them.
>
> I'm calling this out because I honestly hope it's the far outlier in our ecosystem, and not the rule.
>
> Sadly,
>
> -Philip



-- 
Oct 30: https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
Dave Täht CSO, LibreQos
