From: Stephen Hemminger
Date: Sun, 3 Sep 2023 19:10:07 +0200
Subject: Re: [Cerowrt-devel] Mofi still shipping Barrier Breaker (14.07)
To: Dave Taht
Cc: Philip Prindeville, Openwrt Devel, cerowrt-devel

I ended up replacing an Asus router because they were still using 3.14 with no upgrade planned.
The issue is vendor closed source blobs.


On Sun, Sep 3, 2023, 7:04 PM Dave Taht via Cerowrt-devel <cerowrt-devel@lists.bufferbloat.net> wrote:
The qsdk is on openwrt 15.

On Sun, Sep 3, 2023 at 9:51 AM Philip Prindeville
<philipp_subx@redfish-solutions.com> wrote:
>
> Hi all,
>
> As we work on the 23.05 release, I was stunned to receive a Mofi MOFI4500-4GXeLTE-V3 router with 14.07 installed on it as part of my Unlimitedville enrollment.
>
> I thought, "wow, this must have been sitting in a warehouse a while! I'd better update it." So I went to the company's support site, grabbed the latest image, flashed it, rebooted and... still running 14.07.
>
> For those of you too young to remember, Barrier Breaker was released 10/2014 and included the 3.10.14 kernel (released 6/2013).
>
> How is this not cyber security malpractice? A firewall is your first line of defense against cyber attacks. If your firewall has long known, well documented vulnerabilities and exploits, you might as well not have a firewall at all.
>
> I wrote them asking why there wasn't a more recent, more secure release of the firewall firmware and this was their response:
>
>
> > Dear Philip,
> > You dint seem to know what you are talking about and should leave software to Profesionals like us and relax
>
>
> I hope that most of the companies that use our software are more diligent, and don't incur reputational damage to our efforts by continuing to ship EOL firmware.
>
> I get that not every company has kernel developers in-house, and frankly, providing an updated kernel release for their SoC is the manufacturer's responsibility, and MediaTek has not been responsive in this respect (for the longest time they were shipping a 2.6.36 SDK!). Some of the larger vendors (TPLink, ActionTec, Linksys, DLink, Netgear, et al) or their ODM partners have the option to hold their feet to the fire and make orders contingent on updated SDK's... I doubt that Mofi does the sort of volume that gives them any leverage.
>
> But I regress.
>
> Class Action suits are becoming more prevalent with computer and networking equipment manufacturers, as the public becomes aware of the increasing cyber security threats as well as manufacturers' implied responsibility to address vulnerabilities in a timely fashion as they become aware of them.
>
> I'm calling this out because I honestly hope it's the far outlier in our ecosystem, and not the rule.
>
> Sadly,
>
> -Philip

--
Oct 30: https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
Dave Täht CSO, LibreQos