
posted by Fnord666 on Tuesday April 25 2017, @10:24PM   Printer-friendly
from the no-consequences- dept.

Submitted via IRC for TheMightyBuzzard

More than three months after being informed about remotely exploitable vulnerabilities in 25 router models, Linksys is[sic] yet to issue patches to remedy them.

Researchers at IOActive Labs wrote that they had informed Linksys of 10 flaws on 17 January, six of which could be remotely exploited by unauthenticated people.

But as of last week, all that Linksys had done was to notify users through a public post and suggest workarounds until patched firmware was ready.

Given Linksys' inactivity, the IOActive Labs researchers said they were holding off on providing the full technical details of the flaws until patched firmware was ready for download.

Shit, even we can manage a fix in six months...

Source: http://www.itwire.com/security/77772-three-months-on,-no-linksys-router-patches-for-remote-holes.html


  • (Score: 2, Touché) by Anonymous Coward on Tuesday April 25 2017, @10:31PM (3 children)

    by Anonymous Coward on Tuesday April 25 2017, @10:31PM (#499642)

    See that's what happens when you have a critical shortage of IT workers. Patches don't get written in a timely fashion. We need more H1B visas to fix the problem.

    • (Score: 0) by Anonymous Coward on Tuesday April 25 2017, @10:43PM (2 children)

      by Anonymous Coward on Tuesday April 25 2017, @10:43PM (#499657)

      If only we had Basic Income and Open Source then Many Eyes could make the Bugs Shallow.

      • (Score: 3, Funny) by maxwell demon on Wednesday April 26 2017, @05:08AM

        by maxwell demon (1608) on Wednesday April 26 2017, @05:08AM (#499839) Journal

        Basic Income? No, we clearly need Python Income.

        --
        The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by Fnord666 on Wednesday April 26 2017, @04:05PM

        by Fnord666 (652) on Wednesday April 26 2017, @04:05PM (#500122) Homepage

        If only we had Basic Income and Open Source then Many Eyes could make the Bugs Shallow.

        Bingo!

  • (Score: 3, Interesting) by jmorris on Tuesday April 25 2017, @10:34PM (8 children)

    by jmorris (4844) on Tuesday April 25 2017, @10:34PM (#499644)

    It is simple: companies selling stuff don't get paid for issuing fixes for years. Cisco can do it because they require everyone to stay under an annual contract to get bug fixes; Linksys doesn't and therefore won't.

    Sooner or later we realize this problem isn't solvable with anything like the current models. In the end there are only two that will work:

    1. Companies like Linksys realize they are making their money selling hardware. That means they rebase off of something like OpenWRT and get their stuff in their tree. So once you buy it you just update from OpenWRT as bugs get patched. Linksys can contribute bits, perhaps even maintain a repo with some unique bits to add value if they think that is worth the maintenance effort. But basic OS bug fixing stops being their problem.

    2. The Cisco model, where you can't expect to ever really own the product. You are committing to an annual / monthly fee forever. There had better be some serious value add to justify that fee though, good luck selling average normies on the notion of paying an annual fee just to have the defects in the product fixed as they are discovered.

    • (Score: 4, Interesting) by bob_super on Tuesday April 25 2017, @10:46PM (1 child)

      by bob_super (1357) on Tuesday April 25 2017, @10:46PM (#499659)

      The solution will come with BrickerBot 5 or 6 or 12...
      When people can't plug devices with shitty security or unpatched holes without losing them, someone is going to have to address the problem, if they want their millions of bonus shares to be worth anything despite the lawyers and returns...

    • (Score: 3, Insightful) by The Mighty Buzzard on Tuesday April 25 2017, @11:05PM (5 children)

      I disagree. Both are viable options to maintain the current profit margin but in most any other industry this is a solved problem. Release a buggy car, airplane, television, widget-du-jour and people will sue the fuck out of you. For some reason this largely does not happen in the software industry.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by jmorris on Tuesday April 25 2017, @11:19PM (4 children)

        by jmorris (4844) on Tuesday April 25 2017, @11:19PM (#499676)

        Big difference being most cars do not get recalled once. If a software product doesn't get bug fixes monthly it is only because the vendor doesn't care, not that there aren't that many bugs. It is a never ending grind, and in a product that doesn't generate a recurring revenue stream it is almost certain to be cut.

        I guess option three would be a huge investment in a whole new software development method that doesn't generate so many bugs, but we get one of those promised every year or two and most end up making even more bugs than the last one after a few years of discovering workarounds for its shortcomings. Again, because adding features moves product; carefully coded bug free systems do not.

        The problem is worst with hardware sellers who have to supply software as an afterthought, SOHO routers and printers being poster children for the problem.... until there are enough IoT products deployed to steal the crown. So recognize it, formalize it. It would require hardware makers to do as they did in the early days and produce detailed documentation, but the payoff would be no long term support costs.

        • (Score: 2) by NewNic on Tuesday April 25 2017, @11:59PM

          by NewNic (6420) on Tuesday April 25 2017, @11:59PM (#499700) Journal

          Big difference being most cars do not get recalled once.

          I have one word for you: Takata.

          --
          lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
        • (Score: 2) by kaszz on Wednesday April 26 2017, @12:46PM (2 children)

          by kaszz (4211) on Wednesday April 26 2017, @12:46PM (#499974) Journal

          Establish a law that puts the manufacturer under a 20 year update obligation unless full documentation or source is made available?

          • (Score: 2) by Fnord666 on Wednesday April 26 2017, @04:08PM (1 child)

            by Fnord666 (652) on Wednesday April 26 2017, @04:08PM (#500125) Homepage

            Establish a law that puts the manufacturer under a 20 year update obligation unless full documentation or source is made available?

            Your $50 router now costs $2000. Manufacturers aren't going to foot the bill for such requirements, you and I are.

            • (Score: 3, Interesting) by jmorris on Wednesday April 26 2017, @09:00PM

              by jmorris (4844) on Wednesday April 26 2017, @09:00PM (#500356)

              You missed the or. The proposal would quickly solve itself to a PC like router standard and hardware makers would all make commodity 'compatible' gear varying in details like WiFi standard, number of antennas, USB ports, etc. but all capable of running any of several operating systems designed to run across the range of available gear. Like PC clones and Linux/BSD/Windows, the hardware maker would be responsible for warranty coverage of the hardware only, the preinstalled OS would be more of a 'for testing purposes only' intended to merely demonstrate the hardware works and enable loading the customer's preferred OS.

  • (Score: 0) by Anonymous Coward on Tuesday April 25 2017, @10:37PM (10 children)

    by Anonymous Coward on Tuesday April 25 2017, @10:37PM (#499648)

    Ok, so what's with the sic in this summary? "Linksys is yet to ..." is perfectly valid English. You might prefer "Linksys has yet to ...", but that is only your preference.

    If you want, we can make it a competition between the two and settle the issue. However, until we do, as old Caius Lucius would say [mit.edu]:

    Sir, the event
    Is yet to name the winner: fare you well.

    • (Score: 2, Informative) by fyngyrz on Tuesday April 25 2017, @10:48PM (9 children)

      by fyngyrz (6567) on Tuesday April 25 2017, @10:48PM (#499662) Journal

      [sic] doesn't mean "you misspelled this" or "bad grammar", it means "this is literal from the source, it's not been changed here."

      In this case, likely the editor felt that "Linksys has yet" was the preferred use, just as you speculated, and simply wished to make it clear that the quote was from the source.

      sic stands for sic erat scriptum, or, more or less in English: "thus was it written".

      • (Score: 1, Informative) by Anonymous Coward on Tuesday April 25 2017, @11:18PM (8 children)

        by Anonymous Coward on Tuesday April 25 2017, @11:18PM (#499675)

        I know what sic means, which is why I often decry its improper usage on this site. (Go back a year or so and you'll see some people who took from some definition of it up on Wiki that it is also appropriate to use it to express surprise, and they were peppering article summaries with them whenever they felt a factual error was being stated, or an exaggerated claim was being made--if the search feature here actually worked for Comments, I would dig up some examples).

        My point is that there was nothing wrong with the source, meaning that the editor shouldn't have felt the need to insert himself in where it isn't needed.

        Personally, I am of the opinion that for anything in the summary (or anywhere else here) that is presented in blockquote, it should be obvious that it is from the source and any and all misspellings and malapropisms can remain as they are. That is the whole reason for blockquote, unless, of course, I am in the minority where I cut-and-paste into blockquote and most people really type it in and are thus subject to adding mistakes in the source.

        • (Score: 2) by butthurt on Wednesday April 26 2017, @12:11AM (3 children)

          by butthurt (6141) on Wednesday April 26 2017, @12:11AM (#499708) Journal

          My point is that there was nothing wrong with the source, meaning that the editor shouldn't have felt the need to insert himself in where it isn't needed.

          The most obvious explanation is that the editor was unaware that "is yet to" is valid usage.

          https://www.englishforums.com/English/Versus/djxxm/post.htm [englishforums.com]
          https://english.stackexchange.com/questions/83430/he-has-yet-to-vs-he-is-yet-to [stackexchange.com]

          Consider volunteering as an editor.

          • (Score: 2) by isostatic on Wednesday April 26 2017, @08:28AM (2 children)

            by isostatic (365) on Wednesday April 26 2017, @08:28AM (#499903) Journal

            I suspect the editor believed it should be "Linksys are yet to", believing that Linksys are a group of people rather than a single entity.

            • (Score: 0) by Anonymous Coward on Wednesday April 26 2017, @02:33PM

              by Anonymous Coward on Wednesday April 26 2017, @02:33PM (#500049)

              Regardless of the editor's wrongly held beliefs, blockquote should obviate the need to add any sics.

            • (Score: 2) by Grishnakh on Wednesday April 26 2017, @02:49PM

              by Grishnakh (2831) on Wednesday April 26 2017, @02:49PM (#500061)

              Probably, even though that editor would be wrong, along with anyone who speaks British English. "LinkSys" is not a "group of people" at all; it's a legal corporate entity. While corporations usually have "groups of people" as employees, and sometimes even as owners, this isn't always the case. There are plenty of corporations owned by individuals that have no employees at all. (And having employees is really irrelevant anyway, because they don't own the corporation any more than contractors that the corporation makes deals with to get work done; they're just hired hands.) A corporation is a singular entity, and the pronouns for it should reflect that.

              Similarly, a human being is a singular entity, and all English speakers use singular pronouns in referring to them, when in fact *all* human beings are actually composed of billions of cells. But being composed of many different cells, many of which are radically different species even (symbiotic bacteria), doesn't change the fact that we look at humans as individuals and use singular pronouns when referring to a single human.

        • (Score: 1) by fyngyrz on Wednesday April 26 2017, @03:10PM (3 children)

          by fyngyrz (6567) on Wednesday April 26 2017, @03:10PM (#500079) Journal

          My point is that there was nothing wrong with the source

          And my point was that [sic] doesn't mean there's something wrong with the source, so your objection on that basis is invalid.

          • (Score: 0) by Anonymous Coward on Wednesday April 26 2017, @05:36PM (2 children)

            by Anonymous Coward on Wednesday April 26 2017, @05:36PM (#500195)

            My objection is perfectly valid. The whole point of including sic is for the conveyor of information to say: "Hey, I know this is wrong, but it isn't my fault". If there is nothing to worry about in the source, there is no reason to include it. Otherwise, we should just throw it around everywhere when we quote anything, as sort of a poor man's hash to authenticate quoted material.

            • (Score: 1) by fyngyrz on Wednesday April 26 2017, @05:43PM

              by fyngyrz (6567) on Wednesday April 26 2017, @05:43PM (#500203) Journal

              No, the whole point of [sic] – literally – is to say "this is literal as per the source."

              You have a mistaken conception of what it means, insisting it is an indication of error, which it is not, so you're making a mistake in interpreting what it's telling you. Your attention has been called to the fact that this is precisely what the source said. That's all.

              There are many reasons one might do this. [sic] covers them all. That is what it is for.

            • (Score: 1) by fyngyrz on Wednesday April 26 2017, @06:08PM

              by fyngyrz (6567) on Wednesday April 26 2017, @06:08PM (#500233) Journal

              Otherwise, we should just throw it around everywhere when we quote anything, as sort of a poor man's hash to authenticate quoted material.

              Sorry, should have covered this.

              Here's the thing. Suppose someone says, exactly:

              I ain't no engineer

              Then this thought, for some reason, is to be presented in a blurb that is going to be edited. There are several approaches to this, all perfectly valid.

              Direct, without indication, simply allowing the colloquialism to pass unremarked:

              I ain't no engineer

              Direct, with indication and clearly no intent to mischaracterize the quoted speaker, but rather to be clear that this was precisely how the speaker expressed the thought. This is particularly appropriate in times like ours where partial and out-of-context and intentional misquoting are not just extant, but rampant:

              I ain't no[sic] engineer

              Using indicated substitution:

              I [am not an] engineer

              Referential:

              S/he indicated that s/he was not an engineer.

              As to misspellings:

              I am a programer[sic]

              Here, there is an obvious misspelling, and your attention is being called to it (see the theme? It's about focusing your attention.) That might have been a typo. It might have been placement of a word the author did not know the spelling of. But what it wasn't, was a misspelling the editor made. The editor is telling you "yes, I/we know this is misspelled, but this is how it was written." This is appropriate, and non-condemning, because generally speaking, it is an editor's job to notice such things and make decisions about them. Specifically in quotations, if corrections of errors are not to be made, then [sic] calls your attention to the fact that the original was left intact intentionally. Not that the error exists, because that fact is obvious on its face; but that the error is not that of the editor.

              None of this is to say you can't intend to use it punitively or exclusively to point out what you consider to be errors. You can. Many do. But that is not in any way a validation of the idea that this is what it is for, and so, how it should always be taken. Therein lies your error.

  • (Score: 4, Informative) by digitalaudiorock on Wednesday April 26 2017, @12:55AM

    by digitalaudiorock (688) on Wednesday April 26 2017, @12:55AM (#499729) Journal

    I recently bought a Linksys WRT1900ACS and flashed it with dd-wrt, and will never look back. Fuck this crap with one or two factory firmware updates and then "sucks to be you" that you get from the manufacturer.

    For anyone who hasn't gone that route, I can't recommend it enough. It's also quite a bit easier than the dd-wrt documentation may lead you to believe. In fact, models like this WRT1900ACS actually have two boot partitions which make it actually difficult to brick permanently. Kudos to the dd-wrt project for sure. Great stuff.

  • (Score: 2) by Lagg on Wednesday April 26 2017, @01:32AM (2 children)

    by Lagg (105) on Wednesday April 26 2017, @01:32AM (#499753) Homepage Journal

    This works for me. [a.co] Have had it a few years now and dd-wrt updates don't appear to be an issue. Also I could probably throw it through a wall in a furious rage and it'd still work fine with antennas attached. Seems to be one of those models where the ears actually help a little.

    Besides, who uses Linksys these days? Threw my last one through a wall in a furious rage when the lean dd-wrt bricked it.

    --
    http://lagg.me [lagg.me] 🗿
    • (Score: 1, Interesting) by Anonymous Coward on Wednesday April 26 2017, @07:26AM (1 child)

      by Anonymous Coward on Wednesday April 26 2017, @07:26AM (#499886)

      I have a Buffalo router and it is great (running OpenWRT). Even the company is great (at least, when I last interacted with them a few years ago). I sent them an email thanking them for their stance on alternative firmware and the person responded appreciatively and said they would bring it up in the meeting they were about to go in to.

      And I know they did... because a few hours later, I got an email from the CEO saying he was happy the product was working well for me and that he was proud his company had provided that.

      tl;dr Buffalo's CEO has, at least once, personally responded to a nobody on the internet saying "thank you".

      • (Score: 1) by pTamok on Wednesday April 26 2017, @01:13PM

        by pTamok (3042) on Wednesday April 26 2017, @01:13PM (#499992)

        I have a Buffalo WHR-HP-G54 which has been rock-solid stable for years (running on an internal, non-Internet connected network) using OpenWrt 10.03.1 (Backfire). It has too little memory and flash to reliably run a more up to date version ( https://wiki.openwrt.org/about/history [openwrt.org] ), but I've recorded more than a year's uptime before now.

  • (Score: 2) by Spamalope on Wednesday April 26 2017, @02:39AM

    by Spamalope (5233) on Wednesday April 26 2017, @02:39AM (#499792) Homepage

    I've been running Advanced Tomato and love it.

  • (Score: 1) by pTamok on Wednesday April 26 2017, @07:21AM

    by pTamok (3042) on Wednesday April 26 2017, @07:21AM (#499883)

    If you want open-source, libre firmware for SOHO routers, you might prefer to look at the LEDE project (Linux Embedded Development Environment) ( https://lede-project.org/ [lede-project.org] ), which is a fork of the OpenWrt project which later remerged*.

    Current firmware is LEDE 17.01.1. (In contrast, the legacy OpenWrt site ( https://openwrt.org/ [openwrt.org] ) offers 15.05.1; LEDE 17.01.1 is an update to the OpenWrt 15.05.1 codebase.)

    Supported hardware database (Table of Hardware) is here: https://lede-project.org/toh/start [lede-project.org]

    * If you are interested, it is worth reading the 'State of the Union' threads in the Feb 17 and Mar 17 LEDE Administration mailing list archives ( http://lists.infradead.org/pipermail/lede-adm/ [infradead.org] ) to gain an understanding of what has been going on with regard to LEDE and OpenWrt. It is slightly confusing.

  • (Score: 2) by kaszz on Wednesday April 26 2017, @01:07PM (1 child)

    by kaszz (4211) on Wednesday April 26 2017, @01:07PM (#499988) Journal

    The vulnerable models are:

    WRT Series: WRT1200AC, WRT1900AC, WRT1900ACS and WRT3200ACM.
    EAxxxx Series: EA2700, EA2750, EA3500, EA4500 v3, EA6100, EA6200, EA6300, EA6350 v2, EA6350 v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400 and EA9500.

    But now I found this little interesting bit! "Linksys, formerly a division of Cisco and now owned by Belkin".
    And we DO know the standing of Belkin [wikipedia.org] since their sneaky man-in-the-middle HTTP hijacking for spam in 2003. Time to steam roll them!

    Seems the specific vulnerability is related to the www server and some other TCP service.
