D-Link Tells Users To Trash Old VPN Routers Over Bug Too Dangerous To Identify (theregister.com)
Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability. From a report: Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier or really said much about it at all other than that it's a buffer overflow bug that leads to unauthenticated RCE.
Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk. Previous bugs in similar products from other vendors have carried warnings that attackers could exploit them to install rootkits and use that persistent access to surveil an organization's web traffic, potentially stealing data such as credentials. Further reading: D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices.
Welcome to the future (Score:5, Insightful)
Where devices are designed to last a short time and companies build their business model on customers constantly buying new devices while the companies refuse to repair old devices and use every dirty trick in the book to prevent others from repairing anything
Re: (Score:2)
Lucky for us there are usually alternate OSS firmwares (for routers at least) to load and use manufacturers for what they're best at: factories and assembly lines.
Re: (Score:3)
Which is why I ALWAYS buy ONLY routers that can run one of the third-party firmwares out there. My favorite is FreshTomato: odd name, great replacement for the often braindead firmware that comes with routers.
Re: Welcome to the future (Score:3)
If it doesn't run vanilla openwrt I don't mess with it. I might consider running a different firmware, but I know openwrt is quality.
I like going to yard sales and whipping out my phone and checking their hw support db. I am working on getting enough nodes to build an emergency network for my tiny little town.
Re: (Score:3)
I've got a Buffalo WHR-HP-G54 and probably 2-3 Asus models sitting in closets gathering dust that have it on board.
Re: (Score:2)
Some of these routers have apparently been EOL since 2015. Are versions that support hardware that old actively maintained?
Re: (Score:2)
Where devices are designed to last a short time and companies build their business model on customers constantly buying new devices while the companies refuse to repair old devices and use every dirty trick in the book to prevent others from repairing anything
I've had my DSR-250 (non-wireless) since 2011. I don't use the VPN features, but do have two VLANs configured -- one for wired devices; one for wireless, off a DAP-2660 -- and both routers have worked great. I've been considering switching to a PC-based router running pfSense / OPNSense / IPFire (etc) but haven't been able to decide on which one and on what hardware. I have a few spare small PCs that would be more than adequate, but they pull a lot more power than a mini/micro device, which I'd have to
Re: (Score:3)
where devices are designed to last a short time
The most current device in the list was released in 2014 and had 5 years of patches between being withdrawn from sale and EOL. You're not making remotely the point you think you are.
Re: (Score:2)
>"The most current device in the list was released in 2014 and had 5 years of patches between being withdrawn from sale and EOL"
Probably depends on user expectations. That means you could have as little as 5 years of service (or more, if you bought it earlier). I regularly expect to, and do, run devices longer than just 5 years; especially things that are in the background and not fancy.
The router I am using at home right now is a 10-year old Asus RT-AC68U. But I also bought one that was a bit more ex
Re: (Score:2)
That means you could have as little as 5 years of service (or more, if you bought it earlier). I regularly expect to, and do, run devices longer than just 5 years; especially things that are in the background and not fancy.
Indeed. And if we were talking about something other than a cheap consumer toy I'd agree with you. I come from a country where expected performance is codified into law, yet I'd struggle to be able to justify that a sub $100 plastic accessory should last more than 5 years, even though I have had ones last longer myself.
Ah, just looked, Asus is still releasing firmware, and there was an update a week ago: ASUS RT-AC68U Firmware version 3.0.0.4.386_51720 2024/11/13
Congrats. You're not talking about a product that has been off the market for 5 years. Just because ASUS sold something for a long time doesn't mean they don't also have an EOL process. I wil
Planned Obsolescence (Score:2)
That's what it's called.
It is bad for the environment, bad for consumers' wallets, and wastes countless engineering man-hours designing products to break after a defined service life. Companies may be getting away with this now, but I doubt they will be able to get away with this in a few decades.
We'll either re-implement the way the Bell System worked in the early to mid 20th century and pay rental fees for our hardware, or the purchase prices will go up sharply. Both of these are OK IMHO and much bett
We need an infosec recall law (Score:5, Insightful)
Cars that are unsafe get recalled, no matter how old they are. We need the same laws to cover safety-critical digital infrastructure, so companies are forced to make sure their devices are secure, and to force them to fix these old devices, when the safety of tens of thousands is at risk.
Re: (Score:2)
"Cars that are unsafe get recalled, no matter how old they are."
Really? When was the last Model T recall?
Re: (Score:2)
At LEAST 11 years old. I just got an ABS problem on my 2013 Hyundai repaired by a factory recall.
Re:We need an infosec recall law (Score:4, Informative)
Model Ts are street legal under antique car registration laws. [mtfca.com] Mind you, you can't drive them on the highway because they can't go fast enough (if the speed limit is 55, there's a minimum limit of 45, which a stock Model T would struggle to achieve). But they can be and are driven on roads.
Re: (Score:2)
Model Ts are street legal under antique car registration laws. [mtfca.com] Mind you, you can't drive them on the highway because they can't go fast enough (if the speed limit is 55, there's a minimum limit of 45, which a stock Model T would struggle to achieve). But they can be and are driven on roads.
But no one is telling Ford they should provide support, parts and upgrades
Re: (Score:2)
Moving the goalposts, kiddo.
What you said was "Why would you recall a car that isn't used on roads?" and that's what we were talking about.
I'm not surprised you lost track, but do try to keep up with what you said
Re: (Score:2)
I don't think that is true. I can find a reliable reference immediately, but I think the limit on auto recalls, at least where the manufacturer must pay for the repair/fix, is like 10 years. I am not sure if the DOT/NTSB/whatever can't require a recall of vehicles older than 10 years, but it might be at the owner's cost at that point.
In any case, it is actually not reasonable to expect a vendor to have to support a product for all eternity. Sure something like a router should last a long time or could but the
Re: (Score:2)
In any case, it is actually not reasonable to expect a vendor to have to support a product for all eternity.
No, it is not reasonable to expect a vendor to fix problems with a device that are the result of it wearing out. It is reasonable to expect a vendor to make a device without unsafe design flaws (which is what a software bug is).
It's not that the firmware in the device just wore out. It was designed that way from the start and only now people noticed it.
I really hate the idea that software never works properly and is supposed to be repaired all the time. Imagine buying a car and it being recalled every month bec
Re: (Score:2)
meanwhile modern cars are getting OTA updates to software, and the owners just don't realize it.
Further, lots of automotive products (and basically everything else mechanical) have design flaws that get discovered later, often much later. Things eventually fail that really should not fail, or they fail prematurely even if they live well beyond the warranty periods. You could say they were never correct.
You can think of problems like shape of the windows on model years .... don't seal well with gaskets water ge
Re: (Score:2)
meanwhile modern cars are getting OTA updates to software, and the owners just don't realize it.
Yeah, I guess until one update does something like Crowdstrike did. That would be fun to watch. Though do you have to have a mobile internet connection when you buy a new car or does the manufacturer pay for it?
I am genuinely curious, I drive an old car that does not have software.
A more reasonable solution, if anything, would be going down the right-to-repair path and making rules against maintaining artificial impediments like boot-loader signature checks etc. to people patching / replacing software. Even that though is going to be a huge minefield.
I guess that makes more sense.
With a car design defect (taking your example of door rusting because the gasket does not fit correctly), while I would still consider rust to fall under "wear" problems, a patch can be welded and oth
Re: (Score:2)
I believe that anyone thinking a ten year old device, Internet-facing, should be supported that long, has shit for brains. This is the Internet, and new and interesting attacks occur almost every day. Hackers gonna hack.
It is unrealistic to believe that a decade old platform should be supported, given Moore's Law and variants. The rules of depreciation don't work here.
Yes, a cheap buy got you on the webtoobies. Every IPv4 addresses gets pounded 24/7 by bots. These bots are stupid, until one isn't. It's only
Re: (Score:2)
It is unrealistic to believe that a decade old platform should be supported, given Moore's Law and variants.
It's not that we necessarily expect them to continually provide updates for old products, it's that we expect that if they stop providing updates, then they should provide the necessary information for the consumers to update them themselves.
Open source your firmware, and open up your repair instructions, if you're going to stop supporting the product. That's the ask.
Routers are like tires. They're going to wear out from entropy. Buy new tires.
Routers are not like tyres, router updates are like tyres. The car manufacturer identifies the specifications of tyre which will work with the
Re: (Score:2)
I agree that they could open-source it. Their license, a decade ago (or more) might say that the copyright is exclusive, or some other legal rubric that forbids dissemination. I don't know.
But for the same reason, entropy eats tires, and entropy eats security components-- especially gear connected to the fabulously dangerous raw IPv4 exposure.
Nothing is fixing old tires. Nothing is fixing old routers.
Re: (Score:2)
Nothing is fixing old tires.
Never heard of retreads?
Nothing is fixing old routers.
There are alternative operating systems for many of these old routers, just need an unlocked bootloader to load them.
Re: (Score:2)
Their license, a decade ago (or more) might say that the copyright is exclusive, or some other legal rubric that forbids dissemination.
There's these things called regulations. They exist because companies often like to make money to the negative benefit of society. Sounds like it's time for another one to be made to curtail harmful industry practices.
entropy eats security components
No, bad design decisions create flawed security components that cannot be fixed without the blessing of the original manufacturer. Who always has a profit motive to have you replace the entire product with a new one. That's not entropy, that's greed.
fabulously dangerous raw IPv4 exposure
WTF is that even supposed to mean? Anythi
Re: (Score:2)
Routers are like tires. They're going to wear out from entropy. Buy new tires.
Routers are not like tyres. Tyres wear out from use, if I don't drive a lot tyres last a long time.
I just dislike that software devs are given a free pass on the huge amount of defects every piece of software has, as if it should be normal that every piece of software has the equivalent of 50 bolts that are not tightened and not a single hose clamp in the entire car, with the developer fitting a hose clamp or tightening a bolt when it is discovered that something is wobbling or some fluid is leaking.
And yeah, the owner is not al
Re: (Score:2)
Actually tires are supposed to be changed after 7 years IIRC. Hmm, this, https://tiregrades.com/tire-an... [tiregrades.com] says DOT recommends to change them at 6 years and 10 is the maximum.
Re: (Score:2)
Yes, it would be great (and a minefield as mentioned above) to permit firmware updates by third parties.
This should be mandatory.
Routers are like tires. They're going to wear out from entropy. Buy new tires.
You just said it was permissible to require replacement of the entire vehicle. Pick a side. If people could buy new tires (third party firmware) they would. No-one wants to replace the entire vehicle (internet facing device) because the passenger door has a broken window (security vulnerability).
Re: (Score:2)
can't use a 20 year old operating system.
Windows XP, Vista, and 7 could be reasonably patched by third parties. The kernel would need to be patched to allow an alternative root CA to sign things, but hackers have been doing that for years.
UEFI systems with Secure Boot will require you to install your own platform key, or otherwise have access to a key that is considered valid for signing a bootloader, but most systems allow this and once past it patching the windows kernel is more or less the same. If you're using Windows 10, you can even reuse
Re: (Score:2)
I can run the old OS on old hardware (that is one of my gripes - that due to software defects I cannot or should not use the hardware anymore, even if the hardware runs well and can still do the job it originally did).
While Windows could be patched by third parties, I'm sure if anyone tried that, Microsoft would sue them so fast that it would go faster than light in the process. And that's one of the problems - Microsoft admits that Windows XP has severe design flaws and should not be used as-is, Microsoft
Re:We need an infosec recall law (Score:5, Informative)
I am not sure if the DOT/NTSB/whatever can't require a recall of vehicles older than 10 years but it might be at the owners cost at that point.
I don't know if it's a special case, but I did get a free airbag replacement a few years back on a vehicle that was 21 years old at the time.
Re: (Score:2)
I don't know if it's a special case, but I did get a free airbag replacement a few years back on a vehicle that was 21 years old at the time.
The airbag incident definitely was a special case. It wasn't a recall based on the car or the manufacturer of the car. It was due to a global airbag supplier's hand being forced by multiple regulatory agencies all over the world; even the European Commission got involved directly. That supplier, Takata, has since gone under after it was found virtually every airbag they ever supplied had a potential defect. Ultimately they recalled over 67 million airbags in the USA and double that again in the rest of the w
Re: We need an infosec recall law (Score:2)
If it's a safety issue then there is no time limit. Defects in seatbelts can result in recalls decades later if enough of them start cropping up to get noticed.
Re: (Score:2)
Emotionally it is really hard for me not to agree with this when I see the language D-Link is using, especially for some products that reached EOL just in May 2024.
"Regardless of product type or US sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease,"
"D-Link US is prohibited to provide support for these EOL/EOS products, if you are outside the US, please contact your regional D-Link office," it added. "If your device was provided by a licensed carrier (service provider) and firmware, please contact your carrier (service provider). Many devices on this list have available third-party open-firmware, D-Link does not support open-firmware which voids any warranty and is solely the responsibility of the device's owner."
Especially the phrase "D-Link US is prohibited to provide support for these EOL/EOS products". Prohibited by whom or what? This is purely a corporate policy. Perhaps it is technically true that "D-Link US" is "prohibited" by "D-Link Taiwan" from doing anything about this, but this phrasing is a dodge.
The truer statement is "D-Link US is choosing
Re: (Score:2)
Microsoft has some pretty hard lines for its EOL products, but even it has decided here and there to publish patches for EOL platforms when something was serious enough.
Re: (Score:2)
I agree. The situation is becoming increasingly unacceptable.
Re:We need an infosec recall law (Score:5, Informative)
Actually that is true. I had a 2003 Civic recalled for defective Takata airbags just three years ago.
Re: (Score:2)
I kept getting recall notices about once every 6 months or so for my 2004 Pontiac Grand Prix. I never brought it in but had the car from around 2016 to 2021. I assume the person I transferred the title to a few years ago is now getting the notices...
Re: (Score:2)
that was a 'voluntary recall'
You can debate about what exactly that means and what degree of coercion by government was involved, but it boils down to this: they decided they'd rather proactively fix older models than face civil suits from victims.
Re: (Score:2)
That has nothing to do with vehicle recalls in the USA. The Takata airbag issue was very much a special case that got direct involvement of not just the NHTSA but governments the world over. It has virtually nothing in common with any other car recall and wasn't remotely handled in the same way. Hint: The recall itself was ongoing for over a decade, and even had the involvement of the European Parliament.
Re: We need an infosec recall law (Score:2)
That was what gggp was complaining about, so thanks for showing that you got the point even though you aren't able to follow the conversation.
wait (Score:2)
People out there actually trusted D-Link with their VPN? Noobs.
Re: (Score:2)
I have never really trusted any "appliances". VPN, NAS, firewalls, etc. all insecure crap.
Re: (Score:2)
Sure, that's why I won't buy a router that I can't run openwrt on. I am using a Linksys WRT1200AC, I don't use it for a VPN of course but I do run transmission on it so I can torrent while my PC sleeps. My PC is wired to it and the wifi connects to my ISP's router, which of course I don't trust but it's also a cable modem and I haven't wanted to buy one when theirs works reliably and many have reported problems using third party modems on this network.
Re: (Score:2)
Exactly. I mean, just one week of security alerts for "security" appliances and NAS appliances shows clearly they cannot be trusted. OpenWRT, PFSense, Linux NAS distros, all massively superior to the commercial "This Box will solve your problems! Honest!" crap. And as a bonus, you very rarely have to throw them away because no updates anymore.
I know how this will end (Score:5, Insightful)
They're all going to end up at Goodwill, right next to the pile of old DVD players.
Re:I know how this will end (Score:5, Informative)
Anybody in the situation would surely ask a "computer person" what to do and any computer person worth their salt would tell them to look for an alternative firmware, like OpenWRT or DD-WRT. I haven't kept up as I've long since moved to OPNSense, but there has to be some other new ones, too.
Re: (Score:2)
Anybody in the situation would surely ask a "computer person" what to do and any computer person worth their salt would tell them to look for an alternative firmware, like OpenWRT or DD-WRT. I haven't kept up as I've long since moved to OPNSense, but there has to be some other new ones, too.
Two out of the six models affected were EOL’ed in 2015. Just to give you a rough idea of the situation customers are in.
If you’re still running a router/firewall that stopped receiving support a fucking decade ago, you probably have no idea what a “computer person” is.
Re: (Score:2)
Anybody in the situation would surely ask a "computer person" what to do and any computer person worth their salt would tell them to look for an alternative firmware, like OpenWRT or DD-WRT.
There are still Microsoft fanboys out there telling people that everything Linux is bad. Most people who think they're computer people actually don't know shit about shit, just like everyone else. They have limited scope, and know nothing outside of it, but because they know a lot within their scope they think they know a lot in general. Most people don't have experience with generations of heterogeneous systems like some of us do here on Slashdot, so they have no basis for comparison.
Add to this that actual ner
Re: (Score:2)
They're all going to end up at Goodwill, right next to the pile of old DVD players.
The DVD players will still work 6 months from now when you power them on.
Seriously? (Score:3)
Hasn't D-Link just signed its own death-warrant with this?
Who in their right mind would buy or use any product bearing the D-Link brand if this is the way they deal with flaws in their products that compromise the security and integrity of users' systems?
What are they smoking?
Re: (Score:3)
Hasn't D-Link just signed its own death-warrant with this?
Who in their right mind would buy or use any product bearing the D-Link brand if this is the way they deal with flaws in their products that compromise the security and integrity of users' systems?
What are they smoking?
What alternative do you propose? Can you name a vendor who provides retrospective support for an EOL product that hasn't been sold in quite a while? Even the product in the list with the most recent EOL date is a decade old and hasn't been on the market for a while.
Re: (Score:2)
My current router is an Asus RT-AC68R/U which according to Asus is no longer supported. Though I bought this router on ebay, I knew it was "unsupported", but since I was planning on putting the FreshTomato firmware on it, which is regularly updated, and has features out the wazoo, that the stock firmware could only wish, I didn't care..
Re: (Score:2)
I just checked on the Asus page for my RT-AC68U and it *is* still supported; they just put out a new firmware last week for it.
Mine is running Tomato so I don't care about the factory firmware, but this means Asus is still putting out firmware OVER 10 YEARS after I bought it (which was 10-25-2014). There is a good reason I picked Asus and this particular model :)
Re: (Score:2)
That router very much is still supported. And it hasn't been withdrawn from sale for anywhere as long as the devices we are talking about. The RT-AC68R actually had an incredibly decent run, being on the market for quite a bit longer than many other devices, but it isn't 5 years past last sale date and it hasn't been listed as EOL yet.
I have to say kudos to ASUS though, it's still getting firmware updates beyond just security bug fixes. https://www.asus.com/networkin... [asus.com] which is a step above what most compa
HP Printer buyers (Score:2)
Similarly, how many people keep paying crazy CC interest and monthly fees to huge banks? If you ever carry a CC balance, get thee to a credit union immediately. And you should never pay a bank fee unless you screw up; if nothing else look at Schwab. That's all real money just thrown away for nothing.
Re: (Score:2)
Who in their right mind would buy or use any product bearing the D-Link brand
A lot of people are not "in their right mind", and D-Link sales will probably not even be impacted. A working market needs competent buyers. We have too few of them.
Synology (Score:4, Informative)
I'll stump for Synology here. I got an RT5600ac about six years ago. It still runs great, and they still sell and support it with regular security and bug fixes. The great thing about these is they are so old now you can get them used for cheap. I bought a used one from Salvation Army, sans power adapter and one antenna, for $10, that I'm going to use as a mesh extender with the first one. I've seen them on eBay for $40. If you don't absolutely need ax, it's a great option.
Re: (Score:2)
The most current item in the list was released in 2014, and was in support for as long as your Synology device. If you want to make a compelling argument to switch vendors then you'll need to find one which is appreciably different from D-Link. Synology is not, they also don't patch devices past EOL date.
Support (Score:3)
If you aren't familiar with them, Synology is known for supporting their stuff. The DS111 NAS was released in 2010 and had its latest firmware update last year. That's 13 years of support.
Re: (Score:2)
NAS != VPN router. I'm happy to be proven wrong, show us a VPN router that was removed from sale prior to 2017 from Synology in current support and I will happily grab my megaphone and rave about them with you.
Compare like products.
Timeline (Score:2)
Well, the RT2600ac (I got the model number wrong) was their very first router released in 2017, and they still sell and support it to this day. The D-Link DSR-250N was released in 2020 and EOL'd four years later.
Do you know of any other home router that has had seven years of support? Again, Synology is known for their support.
Re: (Score:3)
I prefer Mikrotik. Their devices are great, very customizable and have lots of features (some features run slow on some devices though). They also issue updates even for very old devices. I have a device made in 2007 (looking at the date codes on the chips) and the latest version of RouterOS still supports it. I had to recap it though, but, well, electrolytic capacitors do not last forever.
Re: (Score:2)
I had two routerboards which even when they were new were pathetically unreliable. Whether with RouterOS or openwrt they would freeze at least every few days and I had to restart them. I've heard they are better now, but I'm not willing to take the chance.
Re: (Score:2)
That makes sense. In my experience Mikrotik devices have been very reliable. The two that started freezing/rebooting/etc were quite old and needed new capacitors. After I replaced the capacitors, there were no more problems with those devices. MT is my go-to recommendation on what router to use for my clients (as the office router etc) and so far, no complaints. I know some ISPs that use Mikrotik CRS switches and they have been reliable as well.
Strictly for WiFi APs I prefer Ubiquiti UniFi series, but Mikro
Networking infrastructure is a mess (Score:2)
Found a 150 on Amazon (Score:3)
Limited Lifetime Warranty
D-Link offers a Limited Lifetime Warranty on the DSR-150 VPN Router to further its commitment to product quality and long-term customer confidence.
Re: (Score:2)
The key word there being "limited" ;)
Some of those devices eol'ed only last year (Score:2)
Every one has missed the point entirely (Score:2)
It's highly unlikely D-Link owns any of the IP inside of it. They bought the chips, licensed whatever stack came with them and probably just slapped their UI all over it.
I doubt there is anything they can really do.
So the gist of it is (Score:2)
Comparing routers to Cars doesn't make sense. (Score:3)
It's very simple: cars, for many decades in most countries, have had laws around them that govern health and safety. Routers do not. Organisations that employ routers may have health and safety laws, but routers do not.
- Thus a 20 year old car will receive a recall if a defect is found that can harm others.
- A router manufacturer will not be required to fix a flaw that endangers the users whose traffic traverses it.
- An organisation such as a hospital will be required to resolve a networking issue that has the potential to impact negatively a person or persons.
In most western countries the responsibility has been placed on the owners and operators of digital equipment rather than the provider of the equipment. Thus protections do exist it's just that the responsibility of meeting those protections is on different shoulders.
The beef most people have is that more individuals, as owners of these digital products, now have to bear the cost of resolving the issue rather than the equipment provider.
It should be noted that this shift in responsibility is a large contributor to reducing the costs associated with the purchase of these devices. Routers are cheap, like really cheap. Cars these days are not. If the responsibility for safety of a car was on the owner then cars would be extremely cheap. Like $1000 at most. It'd be a death trap but it'd be cheap.
So how do you protect yourself as a device owner? The only real way is to ensure that you have the power to modify and improve the device. This largely takes the form of running alternative/additional software on the device.
So always check if it can run software like OpenWRT, DD-WRT, OpenSense etc. Make sure that software packages on the device can be updated via a different source. E.g., can you install someone else's version of OpenVPN? You don't need to do this with a car, since the responsibility for safety is on the manufacturer.
So again, to complain that the router vendor is responsible is false. You probably don't like this call. But if you want it the other way then the price of routers is going to skyrocket.
Re: (Score:2)
A remote code execution vulnerability in your router doesn't kill people.
If you're using your VPN to hide from those who would kill you, it might
Oh, don't you worry dlink (Score:2)
I trashed your router a while ago, I'll stick with my MikroTik thanks.
At this point (Score:2)
Re: (Score:2)
That's perfectly ethical. Revealing the details would give information to criminals who would use it to hack people who haven't replaced their devices yet. By keeping it as secret as possible they protect as many people as possible.
Of course, they still have to disclose that the bug exists at all, which they did.
It would be even better if they released a fix. Telling people to replace their devices sure seems like bad business to me. But that is a separate issue from the issue of how much detail they di
Re: (Score:2)
"That's perfectly ethical. Revealing the details would give information to criminals who would use it to hack people who haven't replaced their devices yet. By keeping it as secret as possible they protect as many people as possible."
Security by obscurity: best industry practice. Who knew?
Ethical people do not help the dumb criminals (Score:2)
"That's perfectly ethical. Revealing the details would give information to criminals who would use it to hack people ..."
Security by obscurity: best industry practice. Who knew?
Strawman, they said "ethical" not "best practices". It is ethical because releasing the info would just help the less competent and less knowledgeable criminals. Doing so would make a bad situation worse.
Re:This is not how ethical people do security (Score:4, Informative)
Nope. "Security through obscurity" is when your initial system design fails to use good security practices, and you rely on "but nobody knows the protocol" or "nobody knows the port" or "nobody knows the password" as your design-level security implementation.
In this case, an unintentional security bug was discovered after release. It is still responsible to issue a patch, but it is also responsible to keep the details a secret to protect users until they can get the patch.
D-Link is refusing to issue a patch. I don't know all the details why so I can't judge. If the hardware was a recent purchase I would be pretty frustrated by that. But even still, keeping the details a secret just gives me more time to get the hardware replaced, so it is still the ethical response.
Re: (Score:2)
D-Link is refusing to issue a patch. I don't know all the details why so I can't judge.
wat
2/3 of these routers are still on sale! You certainly can judge. Fuck D-Link and fuck their trash hardware and fuck their EOLing routers which are still on shelves. None of this is news, though; D-Link has always been and will always be shit.
Re: (Score:2)
All that telling owners of affected routers to buy a new one is pretty close to a perfect guarantee that they will buy some OTHER brand rather than these shitheads' products.
Re: (Score:3)
The list, from the fine article:
DSR-150N (EOL May 2024)
DSR-150 (EOL May 2024)
DSR-250 (EOL May 2024)
DSR-250N (EOL May 2024)
DSR-500N (EOL September 2015)
DSR-1000N (EOL October 2015)
2 of the 6 routers were EOL'd in 2015. The other 4 were EOL'd !THIS YEAR!.
> Strawman, they said "ethical" not "best practices". It is ethical because releasing the info would just help the less competent and less knowledgable c
Re: (Score:3)
Revealing the details would give information to criminals
They already did that by publicly announcing the existence of a bug. If you think that screaming from the rooftops "BIG EXPLOIT POSSIBLE ON X!", isn't going to attract criminals and have them expend resources to find and weaponize it, you're an idiot. (Especially when they've also announced that the only fix for BIG EXPLOIT is another hardware purchase.)
Of course, they still have to disclose that the bug exists at all, which they did.
And now the hackers are off to the races, with no fix in sight. Way to go.
It would be even better if they released a fix. Telling people to replace their devices sure seems like bad business to me.
What would be best is fully disclosing the bug so that independents who wanted
Re: (Score:2)
Yes. In my case, I'm just running a straight Linux install and managing the firewall myself. I would recommend getting a small Pi-class system with two ethernet ports and no WiFi. Use it as the firewall/gateway for your network and have the access points as separate devices that just bridge the network. In my case, I use Ubiquiti access points, but really, anything you like should work. I used to use a TP-Link, and I connected the ethernet to a LAN port instead of a WAN port to bridge the networks (aft
OpenBSD for DIY routers / firewalls (Score:2)