[Cerowrt-devel] [Make-wifi-fast] arstechnica confirms tp-link router lockdown

moeller0 moeller0 at gmx.de
Sun Mar 13 17:17:22 EDT 2016


Hi Jonathan,

> On Mar 13, 2016, at 21:15 , Jonathan Morton <chromatix99 at gmail.com> wrote:
> 
> 
>> On 13 Mar, 2016, at 20:25, moeller0 <moeller0 at gmx.de> wrote:
>> 
>> I also fondly remember my 3310, but I certainy do not want to go back there, that week of standby be damned ;)
> 
> I don’t actually use my 3310 very much - it’s there for emergencies more than anything else.  But I do think it makes a better phone than my Android phablet.
> 
> The latter is pretty good at the whole “internet terminal” and “utility app” thing, but it’s a pretty lousy phone.  Indeed the “make a phone call” functionality is presented as just another app, albeit one that can’t be uninstalled.  I can’t even type a text message any faster on it (to the same accuracy) than on my 3310.  It works adequately as a phone, rather than well.

	My sentiment as well; only I realized I value a mobile internet terminal (with acceptable phone capability) more than an excellent phone without internet access ;)

> 
>> while the password could be randomized, I envision user unhappiness with randomized SSIDs
> 
> I don’t see why - that’s the one they don’t have to type, because it gets scanned for.
> 
> A straight random string of characters from the base64 or base85 character sets would be hard to recognise or read out loud, but I was thinking more along the lines of picking randomly from wordlists, so you’d get SSIDs of the form “AdjectiveNoun” which are relatively easy to recognise and remember, yet still likely to be locally unique.
> 
> Passwords chosen by a similar method (ie. virtual diceware) would also be easier to type, etc.  CorrectHorseBatteryStaple…

	I had considered this, but looking at the SSIDs in my neighborhood, people either stick to the default or pick something clever/funny; and dice ware will not allow those users to fulfill their wittiness. For passwords that might work, have people “roll” a fresh one until they like the result …

> 
>> That reminds me a bit of https://www.securifi.com/almondplus
> 
> The eye-watering price is certainly notable.  It’s unclear how much of that is profit margin, and how much went into the screen.  I note also the touchscreen UI, at which I have to squint to work out what each icon is for (despite the bright, high-res colour screen).

	The price is putting this well into the life-style accessory terrain ;) (I wonder whether this thing actually sells, but its main selling point is the display so I thought it relevant to the current discussion).

> 
> There’s a lot to be said for the old Amstrad PCW type of UI.  Very little window dressing, straight down to business.
> 
>> The keypad is sort of helpful to put in say IP addresses (or passwords with a T9 like numerical hash for words system). I have used old HP on printer interfaces to configure IP networking, not an experience I would recommend to emulate (not that you are doing tis, but please keep the failures of old in mind when designing your system).
> 
> I just looked up a few HP printer manuals to see what you’re talking about.  Setting numerical values by incremental button presses does sound tedious - but I already knew that from badly-designed microwave ovens.  The cheap ones come with a clockwork dial, which is actually easier to use than the typical “increment 10 mins, 1 min or 10 sec” buttons.  I deliberately bought a good one with a digital dial.
> 
> At university, I often saw people routinely set the microwave timer for 10 minutes, simply because it required fewer button presses than the correct setting.  We had a lot of false fire alarms.
> 
> But I’m not presently considering putting buttons on the device itself.  The screen will be a significant expense in itself; adding enough buttons to be a worthwhile input device sounds like another big cost.  But there’ll be a USB port somewhere anyway, and most users will have something worthwhile to plug into it.

	Honestly, if it is not self sufficient, then an display-only solution seems inferior to even a mediocre web-interface, given that everybody (requiring to set-up a router) probably is browser-proficient already. Having the display in addition is superior for sure.

> 
> Clearly a keyboard will be the preferred input device.  Though there are many national layouts, we can rely on arrow keys, a full Latin alphabet, Arabic numerals, space, backspace and return giving consistent keycodes.  Or at least, we can once we correct for QWERTY/QWERTZ/AZERTY/Dvorak quirks - we can prompt the user to press the Z key to distinguish between these.  Rapid and accurate navigation and data entry should then be easy.

	I believe using a web browser for access solves these issues quite elegantly ;)

> 
> As a subtype of keyboards, though, there are standalone numeric keypads, essentially the part missing from a laptop keyboard.  Those may merit special consideration - they don’t have a Z key.
> 
> There are established ways of navigating menus and entering text using console controllers - since that’s a problem consoles themselves have had to solve.  It’s clunky, but somehow they get people to pay $60 per game for the privilege of entering CD key codes this way.
> 
> It should also be feasible to allow a mouse to be used.  Almost all mice these days have a scroll wheel, which we can use to scan through the character set instead of trying to squeeze a virtual keyboard onto the screen.  Navigation would be by pointing, left-click to select, right-click to cancel/exit.

	If this comes as an additional/emergency method to access the device this all sounds great, but as the main method that does not seem to be superior to a reasonably well made web-interface (or as much as I dislike those an “app” interface). But I am fully aware that this is a) a matter of taste and b) my taste is quite peculiar (meaning I have no clue what the “masses” will like).

> 
> If this sounds like a complex solution to a problem - maybe it is, at the design level.  I think users will find it simple.  That matters more.
> 
>> Well, a lot of ISP supplied routers have a sticker on the back giving exactly the information (in addition to the password for the web-gui)
> 
> My Buffalo router has such a sticker.  It says the web-UI login is root/(blank).  That, right there, is my best argument against Web configuration interfaces - they are impossible to secure in the factory-fresh state.

	I can only speak for my ISP, but each device has a unique(?) password/passcode (which might be trivially deduced from serial and/or mac numbers). So if DTAG can pull this through so could OEMs/ODMs (that after all build the devices the ISPs distribute in the first place).

Best Regards
        Sebastian

> 
> - Jonathan Morton
> 



More information about the Cerowrt-devel mailing list