Dear Asus Router User: All Your Cloud Are Belong To Us
New submitter Trax3001BBS writes "Ars is running an article about a vulnerability of Asus routers that are becoming very popular at the moment for connecting USB devices to the Internet. From the article: 'An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used ... The guerilla-style hacking disclosure comes eight months after a security researcher publicly disclosed the underlying vulnerability that exposed the hard drives of ... Asus router users. ... According to Lovett, the weakness affects a variety of Asus router models, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Asus reportedly patched the vulnerabilities late last week...' And this old news, come new again: The Asuswrt Merlin ROM took care of this vulnerability months ago (defect #17)."
Open Source is better. (Score:4, Insightful)
Re: (Score:3)
Yep DD-WRT is on my RT-AC66U. Works brilliantly.
Re: (Score:2)
Watch out for SSL bugs in dd-wrt.
Re:Open Source is better. (Score:5, Informative)
I've got an RT-AC66U myself and honestly I like tomato (shibby version) a hell of a lot better for it. Multiple reasons, but the biggest include:
The interface in DD-WRT is clunky; by that I mean they use a worse than MS Windows* style of individual fields for IP address octets so that you have to tab between fields instead of naturally typing it out in the dot notation like you do everywhere else; and if you change one setting that uses a refresh object it *very annoyingly* undoes any unsaved settings you may have made on that page. *(MS Windows is actually slightly better here because if you type in the dots it automatically moves to the next field, whereas DD-WRT does not, requiring you to tab instead, and if you make an error in a previous field you have to shift-tab and arrow to your mistake instead of simply hitting backspace.)
Tomato has really nifty links for doing things quickly. A beautiful example is like giving a MAC address a sticky dynamic IP address just requires a click, typing the IP address and desired hostname (for local DNS resolution if you desire) and then clicking save. With DD-WRT you have to go through numerous steps just to type in the MAC address.
DD-WRT's QoS functions, and its network monitoring and analysis functions are downright awful compared to tomato. Just straight up awful.
DD-WRT deliberately cripples certain features unless you pay for them (such as its QoS features, which even the paid version is worse than what Tomato offers for free.)
(Kind of hypocritical too because DD-WRT was originally built by a group that was tired of the Sveasoft guy hoarding his changes to the GPLed code to only those who paid him, but I don't count that against them because I'm more of a "I use what works" kind of guy.)
Then again I'm a hobbyist when it comes to networks, so I might have more stringent demands than anybody else.
Re: (Score:2)
Got to agree here, my N66U is flying with shibbys tomato.
I can't really figure out why one would want to put hard drives on the edge device, but still the custom firmware is best.
And the hardware of these devices is excellent :)
Re: (Score:2)
You might put a thumb drive in there to hold log files. I do this to track my bandwidth usage. Well no- I use the CIFS support in Tomato for that.
Re: (Score:2)
I prefer Tomato too but what drove me to DD-WRT is a lack of hardware support. If you want a reasonably priced, reasonably fast router with 802.11ac support you can't run Tomato, which is a real shame.
Fortunately QoS is irrelevant once your internet connection is fast enough (I'd say 100/100 or better), but unfortunately most people don't have that.
Re: (Score:3)
I installed Tomato once, went back to DD-WRT less than an hour later.
Tomato does some cool stuff, but its complete lack of pretty much every feature that DD-WRT has was a deal breaker.
Re: (Score:2)
Only used it for half an hour, so all I remember is that I could not do anything that I wanted to do.
Re: (Score:2)
All I know about feature sets in tomato vs. dd-wrt is that when I followed the instructions on the dd-wrt website to do WDS on dd-wrt it didn't work, but the tomato instructions worked to get WDS working on tomato. Otherwise they seem to do all the same stuff.
Re: (Score:2)
I'm genuinely curious what features you're missing, because as far as I'm aware there aren't any that DD-WRT has and Tomato does not. Tomato even offers several features that DD-WRT does not. There was some paid hotspot service (e.g. you get commissioned or something) I recall DD-WRT including out of the box in some releases that Tomato didn't have, but if you really wanted that service (it has VERY limited use cases) you can add it to tomato rather easily using optware.
Re: (Score:2)
But basically what struck me was.
DDWRT has like 40 option pages with like 40 options each, and a command line.
Tomato has like 3 option pages with like 3 options each.
Re: (Score:2)
That description isn't accurate for either one, actually. DD-WRT has a lot of pages that just have a single option in them, and navigating among them requires an entire page reload (part of why the UI is really badly designed IMO.) For example, in DD-WRT there are two separate pages for configuration data (one for backup/restore, another for factory reset) whereas Tomato consolidates these into one page.
If you want raw numbers, to my count (I have DD-WRT running on one of my switches, tomato running on two)
Re: (Score:2)
Well you make me want to try it again. All I know is I re-imaged it the very same day when I did give it a try, because I could not get it to do the same things.
Re: (Score:2)
No, not quite "have done with it." Keep it up to date as vulnerabilities are found and fixed, just like everything else.
Re: (Score:2)
Just install DD WRT and have done with it.
+1 for this. Most of the cases DD-WRT is more secure and stable than the manufacturer-provided firmware.
But still, these kind of community-built firmwares should not be required to have a good experience. As paying customers, we should demand high-quality firmware and consistent security updates directly from the manufacturer.
Re: (Score:2)
My experience is, in general, Asus makes decent featureful router firmwares. However, I like tinkering and moar ;) options so my RT-AC68U soon got DD-WRT on it and some custom scripts. Multiple WLan segments with their own SSID so I have a public and private channel, multiple VLAN segments, one for DMZ, one for local lan, one for 'experiments'. Everything with a proper IPTables script which runs at boot... Custom DNS lookup table. It's just fun to hack a router.
A clunky interface doesn't matter to me, as lon
Re: (Score:2)
If you like the Asus RT-N16, I don't recommend DD-WRT anyway. I have the same model and love how stable Tomato (Shibby build) is. The UI is very clean compared to DD-WRT, so you're not losing convenience for functionality. I also think the router is actually a bit faster on Tomato vs. stock. Then again - if you don't use the USB ports, you're not at risk anyway.
Re: (Score:2)
It turns out that it was the minecraft client that my daughter was playing. Apparently, minecraft client uses more bandwidth than streamin
Re: (Score:2)
Actually Asus' firmware IS open source. GPL even. You can download the sources and play with them and improve them. Which is exactly what Merlin does.
Re: (Score:2)
I'm not sure why anyone would use the stock firmware. I use the RT-N16 with Tomato. It's the best router I've ever had. I hardly care that it doesn't have the 5GHz band, which would only reach the one room that doesn't have any wireless devices anyway.
Re: (Score:2)
I was going to try Shibby, which everyone recommended, but I had trouble finding a recent one and went with Toastman instead. I used Tomato-USB prior to that. My about screen (on my RT-N16) says I'm using Tomato Firmware v1.28.0503 MIPSR2Toastman-RT-N K26 USB VPN. So it's a special build specific to the RT-N models.
Great stability. Make sure to do a hard reset both before and after the firmware upgrade. Hard to find the proper instructions out there. Current uptime: 105 days, 17:33:22. And that was wh
Re: (Score:3)
Just FYI - I had a lot of trouble finding instructions. So here you go:
http://tomatousb.org/forum/t-2... [tomatousb.org]
I used Lassik's instructions (multiple posts). And yes, I only found the firmware on the 4shared site:
http://www.4shared.com/dir/v1B... [4shared.com]
Re: (Score:2)
I'm not sure why anyone would use the stock firmware.
I'm going to go with, "because we want to buy a box, at a given price, and be done with it".
Tinkering is all good and fine, but the majority of end-users just want shit that works.
Re: (Score:2)
I was referring specifically to the audience I was addressing - didn't feel like spending my time being so specific with my words. Who know that router firmware tends to be bad all around.
Re: (Score:2)
I prefer PFSense on a netgate appliance.
Re: (Score:2)
Known issue.
Empty your browser's cache.
Re: (Score:2)
It sucks that your experience was lackluster, though :/ Have you checked if there's been newer releases of DD-WRT for your D-Link?
And if the problem persists, submitting a detailed bug report might be a good idea too.
Re: (Score:2)
its web-based management system only worked with Internet Explorer.
Hmm, I may be mistaken, but it seems like the DD-WRT interface wanted me to use IE as well, at least for flashing.
Re: (Score:2)
It's next to impossible to know what DD-WRT version/build/release to install on anything.
It's certainly not easy. It's clearly a mess. I wouldn't say it's "next to impossible". I spent about an hour figuring out what I needed to do, after installing a version suggested by the selection tool (that did not work very well).
Which D-Link model? (Score:2)
I have a couple of D-Link DIR825-C1 units on my network, both with DD-WRT, one in client bridge mode and the other as my router. Both have been rock solid, and a worthy upgrade from my classic WRT54G boxes.
Best way to let someone know something's amiss (Score:2)
Re:Best way to let someone know something's amiss (Score:5, Interesting)
Do be careful about that...
I did that once, years ago, on a hotel WiFi network while traveling - I found a wide-open shared directory (I was bored, so I sniffed around, and...) The folder had a lot of rather sensitive-looking stuff laying about in it, judging by the filenames. I left a small anonymous text file asking the owner to secure the laptop in the future, and wrote out step-by-step how to do it. The next morning, I was walking by the front lobby desk when I heard a hysterical woman demanding that the staff call the cops because she'd been "hacked".
First, last, and only time I'll ever be a good samaritan. :(
Re: (Score:1)
Way open. I was able to print to the office center printers from my room at one place (it was just a small area near the front desk). I only needed to print a few pages. But some could have really printed off pages and pages of stuff. Also lots of other guests' systems showing up as well.
Re: (Score:3)
I left a small anonymous text file asking the owner to secure the laptop in the future, and wrote out step-by-step how to do it.
That wasn't a very elegant way to handle that. Snooping into other people's files and telling them what to do is not cool, no matter if the objects are password-protected or not. I guess that's why the woman freaked.
And if I were to get a little text file like that, how would I know that you didn't actually tamper with something else in the process?
I know you were just trying to help, but still...
Re: (Score:1)
And if I were to get a little text file like that, how would I know that you didn't actually tamper with something else in the process?
You cannot know whether anyone tampered with your files regardless of whether the text file was put there. That's the whole point of letting you know about the problem: anyone can do whatever they want with your files and hopefully after you see the file you will take steps to fix that.
Re:Best way to let someone know something's amiss (Score:5, Insightful)
Which works until you use this method to "advise" the wrong person, who contacts the cops and you end up arrested for computer trespassing. Too often we hear stories about people intending to do good are blamed for the message they bring.
Unfortunately, there doesn't seem to be any "right" way to bring these problems to the attention of the user or the developer since the laws all seem to be unfairly balanced against the whistleblower. There is an automatic assumption that anyone providing the information could only have come upon the data because they were intending to do something malicious.
Having said that, there are many the times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave into that impulse, but boy, sometimes it was quite a struggle.
Re:Best way to let someone know something's amiss (Score:4, Insightful)
Having said that, there are many the times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave into that impulse, but boy, sometimes it was quite a struggle.
There are legitimate reasons for using WEP.
I still use WEP on my home network, because I still have a few devices that simply won't reliably do anything better. I figure that this is largely ok because:
1. Everything I do over the wireless network internally is using encrypted protocols anyway, and I wouldn't be using non-encrypted protocols for transporting sensitive data externally anyway.
2. There are a bunch of my neighbours' completely unsecured APs visible from my house so I figure if someone is interested in cracking a wireless network, they're probably going to go for the easy option and use one of those networks rather than cracking my WEP key.
Whilst I'm of the opinion that if an AP is left completely open, it should be legal to treat it as a public hotspot, I do still think that if you're having to crack some kind of security, however weak, in order to gain access then you need to be arrested and punished because you're clearly stepping over the line. (And yes, cracking someone's WEP key and router password in order to change their SSID counts as stepping over the line).
Re: (Score:1)
I still use WEP on my home network, because I still have a few devices that simply won't reliably do anything better. I figure that this is largely ok because:
1. Everything I do over the wireless network internally is using encrypted protocols anyway, and I wouldn't be using non-encrypted protocols for transporting sensitive data externally anyway.
2. There are a bunch of my neighbours' completely unsecured APs visible from my house so I figure if someone is interested in cracking a wireless network, they're probably going to go for the easy option and use one of those networks rather than cracking my WEP key.
Cracking a WEP key takes minutes and almost zero effort if there is already traffic on the network (and a bit more if there isn't). There may be completely unsecured APs around but whether they are actually as usable as yours depends on 1) the signal quality and 2) how many others are connected to these open APs and sucking up bandwidth. You say that everything using the network is encrypted but that is only half of the problem. The other half is somebody using your network to do (very) illegal things on th
Re: (Score:3)
Cracking a WEP key takes minutes and almost zero effort if there is already traffic on the network (and a bit more if there isn't). There may be completely unsecured APs around but whether they are actually as usable as yours depends on 1) the signal quality and 2) how many others are connected to these open APs and sucking up bandwidth.
Smashing a window and entering your home takes minutes and almost zero effort. There may be completely unsecured homes around but whether they are actually as vulnerable depends on 1) the value of anything in the home and 2) how many people are present in the open home at the time.
My point was that placing encryption on a network, however insecure that is, demonstrates that the network is private - anyone who accesses the network has consciously broken into it in the full knowledge that they were committing
Re: (Score:2)
There are legitimate reasons for using WEP.
Not really. There's just one: your devices don't support WPA. Otherwise, you might as well use no encryption. Given recent revelations, though, that's probably true anyway; you should use openvpn, or ipsec, or whatever else you like in order to provide encryption.
Re: (Score:2)
There are legitimate reasons for using WEP.
Not really. There's just one: your devices don't support WPA.
Doesn't that constitute a legitimate reason?
Otherwise, you might as well use no encryption.
There is a significant distinction between no encryption and weak encryption: There is absolutely no way for someone to know whether or not an open AP is a public or private network (in fact, many devices will automatically connect to an open AP on the assumption it's a public hotspot, completely removing the user from the equation). Conversely, in order to use a weakly encrypted network, you must make a conscious decision to do something that you know is crimina
Re: (Score:2)
There is a significant distinction between no encryption and weak encryption: There is absolutely no way for someone to know whether or not an open AP is a public or private network
Right, but that's a problem for someone else, not for you.
Breaking into a network and changing the SSID to let the owner know it can be broken into is akin to chucking a brick through someone's window with a note attached telling them that it's possible to break in through their window, or climbing over their garden fence and spraypainting a note on the side of their house warning them that it's possible to climb over the fence - it's not a "good samaritan" gesture, it's wanton criminal damage.
That is a stupid thing to say, and only a stupid person would say it. It's not damage at all. It's equivalent to picking up someone's car and facing it the other way. It's an annoyance, not damage. Now, if you did that to someone who was depending on it for work, it might cause them actual loss, but someone who is using a network for work and doesn't secure it is an asshole. That doesn't change the fact, but it does change who it's done to.
Re: (Score:2)
There is a significant distinction between no encryption and weak encryption: There is absolutely no way for someone to know whether or not an open AP is a public or private network
Right, but that's a problem for someone else, not for you.
No, I treat that as my problem - I have no expectation of someone not treating my network as a public hotspot if I provided no way for them to know it wasn't.
That is a stupid thing to say, and only a stupid person would say it. It's not damage at all. It's equivalent to picking up someone's car and facing it the other way. It's an annoyance, not damage.
If the person who owns the network isn't very technically literate then it's equivalent to damage - they suddenly won't be able to connect to their own network and will have to hire someone to undo the damage and make it work again. You are making the assumption that everyone knows how to diagnose and fix the problem you're creating which is fundament
I have an Asus RT-N66U with OEM Firmware and... (Score:3)
I don't have to worry about this, AT ALL, because the router only worked for 2.5 hours after installation before it died. so there!
My router keeps reporting no new firmware! (Score:1)
The best part about this, IMHO, is that my router reports that there is no new firmware. I was able to download it from ASUS and it installed successfully. But had I not seen this article, I would have kept on assuming that mine was the latest and greatest because that is what the router told me.
Holy crap! (Score:1)
So I try a random IP, paste it in my URL bar (specifying an old, insecure file transfer protocol) and bam next second I'm looking at a guy's medical files (an excel sheet with daily blood sugar levels, what he ate that day, and sometimes comments) and his tax returns. Looked at a few pics too.
Another IP doesn't work immediately, another has the server up but no shares, another has some music and I'm downloading some to try it out, hell I even curlftps'ed in for the sake of it and it works albeit slow. Aww f
Re: (Score:2)
You also probably just technically broke the law.
Here's a tip to all voyeurs out there: don't probe random IPs specified as "vulnerable". You probably won't get noticed, but if you are you can get in a whole bunch of trouble. "Unauthorized access" means you unless you have permission.
Re: (Score:2)
In the case of someone else's story of being at a hotel on their wifi and a fileshare with no password setup, probably not.
You're assuming an educated user who has any idea about any of this stuff.
Re: (Score:2)
I'm pretty sure it's hacking only when the other end has an expectation of security.
I'm not aware of that being a factor. Whether it is illegal or not is up to the courts, but it truly is best not to tempt fate.
See:
http://nmap.org/book/legal-iss... [nmap.org]
Asuswrt Merlin ROM did NOT take care of this (Score:3, Informative)
From Merlin himself:
http://forums.smallnetbuilder.... [smallnetbuilder.com]
He says disable aicloud and the ftpd for now.
Thanks (Score:2)
Dear IT People (Score:5, Informative)
Dear IT People,
Despite what you might think in the modern day, exposing things to the Internet unnecessarily is still just asking for problems. Especially things with firmware rather than regularly- and automatically-updated software.
Yes, we all run websites. Yes, we have RDS and VPN and all kinds of clever technology. And, yes, I'm sure you "keep it up to date" and have 28-digit passwords.
But that doesn't change the fact that the connection that comes into your business/home is "hostile". It receives rogue packets and attacks 24 hours a day whether you know it or not. In fact, it's kind of a credit to most firewalls how LITTLE you actually notice coming down the line because it's just handling all the obvious attacks and scans all the time.
But every port you open, everything you expose past your firewall (and even your firewall can be a problem if it's not good enough to handle unusual packets like a lot of ADSL routers that crash if they get too many connections or large packets, etc.) is a risk. Honestly. It's a risk.
If you buy some cheap piece of commodity hardware and port-forward direct to it on the standard ports, you are relying on the security of that device to keep intruders out - not your firewall.
If it's some cheap router, or some crappy CCTV PVR or a games console or even just a test experiment or network switch or something else in your home, then you are relying on THAT to be a secure gateway from attacks from the Internet. And guess what, the weakest link in the chain will be the first exploited.
Please, before you go exposing this crap to the general Internet, limit its damage potential. Don't put it on your local network, but a VLAN of some kind. Don't forward every port. Don't have things like UPnP enabled (which is just automated, authentication-less port-forwarding). Put some authentication on it. Don't rely on some web interface knocked up by a foreign CCTV manufacturer, intended as a GUI for the local network to be as trusted as your firewall.
Similarly, don't let these cheap, shit ADSL routers be exposed to the general Internet while having all your personal files on them (and presumably running Samba, Bonjour, FTP, all kinds of shit to the local network to let you access them). Just... don't.
You want to do this kind of thing? Use the VPN functions and make sure you keep on top of their updates and security. They will allow you to join the local network remotely, and that local network can be as insecure as you like with this cheap shit dangling off it unauthenticated if you like, as your VPN access can be secured, logged, audited and checked quite easily.
Don't allow some piece of firmware junk, probably written in some C/Perl CGI/PHP that hasn't been updated since the day it started working enough to be saleable, to be your public face and guardian on the Internet.
The principle applies all the way up too. Don't put AD controllers on the visible Internet. Don't let your public RDS server be the same as your DC or even on the same VLAN. Don't run IIS exposed to the world for some crappy HP utility, or external page.
Do what those weird old tech guys used to do for decades and limit your exposure at all times. Sandboxing, VLAN'ing, permissioning, auditing. And, in the extreme, run a server OUTSIDE your home for this kind of shit. Seriously, VPS and cloud server with large storage allocations are cheap as chips nowadays. And they are kept up to date for you. And if someone compromises them, you have someone to blame AND you can be sure they haven't popped onto your home network and downloaded everything off your private laptop too.
If some random consumer buys this crap and gets attacked, that's their problem. This is a site for damn geeks, though. We should know this kind of stuff. We should be advising against this kind of stuff. I should be able to nmap any one of you, at home or at work, and come up with nothing but a handful of secured ports running the latest software (if any
Re: (Score:2)
Secure your internal network too, don't rely solely on your border devices... All it takes is one pinhole and you're totally screwed.
Treat every device as if it was directly connected to the internet, use secure protocols, disable unnecessary features and choose wisely when buying devices. If you then want to hide these devices behind a firewall *as well* then more power to you, but never rely totally on a firewall because eventually they will fail you one way or another.
Re: (Score:3)
That's the way I do things, too, but the critical first step is to secure the borders.
My usual home setup is actually:
Internet router (everything disabled and DMZ enabled so it merely pipes all traffic to next device without processing it, like a modem).
- to -
Router / firewall (which treats all external traffic as hostile).
- to -
Wireless AP and LAN (separate ports / numbering / VLAN)
But even there, the Wireless has client separation (so one dodgy PC on the wireless can't see another), it's treated as "untru
Re: (Score:2)
use secure protocols, disable unnecessary features and choose wisely when buying devices
While absolutely correct, your strategy does not account for 99% of the users who lease Internet connections.
Re: (Score:2)
Maybe we need to think of operating this kind of equipment more like driving a car. You need to learn how to do it safely, and manufacturers have a responsibility to make sure their products are safe and issue fixes/recalls if problems are discovered.
Allow dumb routers with minimal features for those who don't want all that, and any router with more power has to be developed and operated responsibly.
The FEB-12-2014 firmware fixes N66 units (Score:5, Informative)
ASUS RT-N66U Firmware version 3.0.0.4.374.4422
Security related issues:
1. Fixed lighttpd vulnerability.
2. Fixed cross-site scripting vulnerability (CWE-79).
3. Fixed the authentication bypass (CWE-592).
4. Added notification to help avoid security risks.
5. Fixed network place(samba) and FTP vulnerability.
Improvement:
1. Redesigned the parental control time setting UI.
2. Updated multi language strings.
3. Adjusted FW checking algorithm.
4. Adjusted Time zone detecting algorithm.
5. Improved web UI performance.
Re: (Score:2)
Did they fix the download master killing ping times? One of the selling points of the router for me and ended up being worthless since it drove latency to 2+ seconds whenever it was enabled.
Connecting USB devices to the internet (Score:2)
Do it with a pogoplug. You can run debian (or allegedly BSD) from an SD card, it gets updated more than the various router firmwares, and you can get one with USB3 for $20 brand new.
RT-N16 will be secured automatically when it dies. (Score:3)
Haven't checked into other routers, but the RT-N16 has a "warranty cap". There is a capacitor on the far right of the unit, roughly centered. It's clearly designed to fail after a period of time. The rest of the capacitors are a different brand that isn't generally known to fail, the warranty cap is known to be a defective make.
Normally it takes a bit longer than the actual warranty length to fail.
Re: (Score:2)
Is it easy to recognize? It was still worth it to me to buy a second RT-N16, but I still have the failed one. Would love to resurrect it.
Re: (Score:2)
It'd probably take you less time to rip it open and find out than to wait for the reply, or even to find pictures in the fcc database
Re: (Score:2)
I already had it open. I never figured it out. No obvious problems in there (no bulged caps), but it behaved just like a capacitor problem.
Re: (Score:2)
The description said that it was a different-brand cap on one side of the board all alone. You could probably have found it and desoldered it by now, if it's there. Could always be another rev of the same board, in which case any answer would be useless. If you can find your ass with both hands and a map and pour piss out of a boot with instructions printed on the heel, you're qualified to figure this one out on your OR.
Re: (Score:2)
I didn't have it open today - I had it open 6 months ago.
I misread on the brand part.
Why is this bothering you so much?
Re: (Score:2)
Very easy, yes.. there's one that stands off on its own. I had 5 of them in service, they all died within the same month.
Guerilla-style hacking disclosure?? (Score:2)
Give me a break. A vulnerability was disclosed, and then some time after that it was leveraged by attackers in the wild. This is what happens.
School me up - how does this happen? (Score:2)
I'm using Bell Fibe in Canada, and they supply a Modem / Router solution. I believe that Rogers (other major ISP) provides similar technology. So for many people they would not have their own router / firewall as first line of defense, they'd have ISP-supplied equipment.
Is it common in Canada or the US for people to just get a WAN Modem / Driver from their ISP and then put their own router into place? Or worse, plug their laptop right into the Driver and hope that MS firewall will keep the wolves at bay?
Re: (Score:2)
Unless you're cursed with a Zyxel 5001... That piece of crap completely soils itself if it loses connection (such as might happen given SW Florida's weekly power flickers) in "Transparent bridging" mode. For some reason, it seems completely incapable of reestablishing a connection until I log into the admin panel, set it back to DHCP, and let it reconnect before resetting the whole thing.
I thought about getting a UPS for it, then I decided that if I'm going to spend more dough on it, I'd be better off getti
Re: (Score:2)
Sure it is, you just have to know how to configure it. It's not that difficult.
Re: (Score:2)
This is a DSL provider, not cable (who do tend to make setting up the client side an utter pain), and I do know what I'm talking about. I've done it before, multiple times.
Virus warning (Score:2)
ClamXav on OS X reported a virus infection in one of the files in the archive: ASUSGATE/FTP-dirlist/75.183.112.181.dirlist: JAVA.Exploit.CVE_2012_1723 FOUND
I don't know exactly what to make of that, but be careful.
The WORST part is ... (Score:2)
This firmware has been available for several days but if you go into your router and have it check for an update (and you are running the one from months ago like I was) it still says you are using the current version.
I'll NEVER buy another ASUS router again. Their routers get such good reviews. I think it's time to just start running pfsense in a VM on my linux box and just be done with it. Just use the wifi on these shitty routers for wireless lan access.
Burn other firmware (DD-WRT rant) (Score:2)
The way I did. Now, if you're not an experienced sysadmin, and want to use your Asus router for *anything* else, give up. I've got DD-WRT on mine, and it took months, for the simple reason that I wanted to use the router, as it advertised on the box, to serve a USB printer.
Calling Asus about the stock firmware, when I told them my printer, they told me, "oh, it serves printers, but not that printer, you should have checked what we support...." The box does *NOT* say "only supports some printers...."
So I we
Re: (Score:3)
For network accessible storage that doesn't require someone to leave a computer up 24/7 to run? The Internet accessibility is so you can get stuff from home when you're away from home.
It's all part of giving Joe Sixpack the abilities of a techie with a FreeNAS server, without making him learn anything about computers or networking -- or security for that matter.
Re: (Score:2, Insightful)
Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/
Re: (Score:3)
Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/
No one is doubting that. I'd venture it a safe wager that nine Slashdotters out of ten can set up some form of network storage using a RasPi or a spare desktop. The reason why router-based access is handy is that most routers take roughly the same electricity as a CFL light bulb, and by definition are network accessible, either via SMB, FTP, or DLNA. You're not putting a Samba share accessible on the WAN port. It's the same principle as the Western Digital Personal Cloud drives, only without using an ethern
Re: (Score:3, Funny)
Wuss.
I can do it with a stick of gum, a hair dryer, a usb jack, an RJ45 jack, some aluminum foil, and several hamsters with a hamster wheel.
And food for the hamsters for as long as you want the device to work.
Re: (Score:2)
Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/
So the idea of the Asus product is that you don't have to do the hours of manual crafting that your solution requires.
Re: (Score:2)
It also costs about $100 extra and requires a whole bunch of extra configuration and knowhow.
There's basically no reason not to use your router as your NAS as long as it doesn't have any vulnerabilities and it meets your performance need. Simplicity is a good thing, you know?
Re: (Score:2)
WTF does a ROUTER need a hard drive? That just sounds like a disaster waiting to happen.
These routers don't have a hard drive included. They have a USB port, to which the user can connect an external hard drive, which will then be made accessible on the router's LAN. This lets inexperienced users have network-attached storage without having to go through the process of sharing a network drive (and without having to leave a particular computer powered on all the time). Unfortunately, it looks like they wer
Re: (Score:2)
These routers don't have a hard drive included. They have a USB port, to which the user can connect an external hard drive, which will then be made accessible on the router's LAN.
There's a Netgear [newegg.com] that goes one step further.
Re: (Score:2)
i.e. you put a url to a file into the “Download Master” gui and the file will download onto the usb "hdd" device.
Re: Hard drive? (Score:1)
Buy a cheap NAS. The Internet facing device should not be an all-in-one device for security reasons.
Re:and this is why smart people don't touch window (Score:5, Insightful)
You realize that open FTP servers used to be the norm? You realize that the RFC itself requires PORT to be open so that you can do a bounce attack?
Please don't be an idiot. This stupidity has nothing to do with windows, and is clearly the fault of Asus and not anything OS related.
Re: (Score:3)
...oh the irony.
I have a couple of the Asus routers, and I love them. One runs as an openvpn server, the other runs a few services to simplify remote administration of an offsite location. Good little boxes.
But, it has really opened my eyes as to how bad security can be. These systems are at least slightly more secure than the WD drives. Third party firmware adds some levels of complexity, but a whole lot of functionality.
Re: (Score:2)
Re: (Score:3)
I thought Asus router firmware was open source.
has ... judgment of when and what to update.
That's more the problem. As I understand it, the last DD-WRT vulnerability was fixed within hours (not that that'll do much good if people aren't keeping it up to date)
Re: (Score:2)
Pretty sure the attack is on an Asus router which, if I had to guess, is running some Unix variant...
Not sure if you're trolling or what, but you really never know on Slashdot.