to play devil's advocate

Posted Mar 24, 2008 23:39 UTC (Mon) by gorpon (subscriber, #25040)
Parent article: From "happy hacking" to "screw you" - the story of Meraki (virishi.net)

for a moment, I wonder if, beyond revenue, was there a security issue as well that prompted them to lock their devices down? If people are hacking the firmware on their mesh routers, isn't it also possible for any mesh user to intercept and do nasty things with other people's traffic as well?

Trusted network

Posted Mar 25, 2008 0:23 UTC (Tue) by ringerc (guest, #3071)

No normal mesh user should have the access rights to the router required to reflash it. Many network devices can potentially be reflashed with malicious firmware, but that generally requires a login to the device first. You can then push the firmware over HTTP, enable TFTP pull from an address, etc. Requiring local hardware access is just too much hassle for efficient network admin - imagine having to unlock an access port and attach a JTAG probe to every router you admin when a new firmware comes out. Ick.

If you don't trust the legit network admins then hostile routers are the least of your worries. You should be worried about the packet capture session running on the upstream link that's sifting for credit card details, passwords, etc.

In other words, disabling non-company-supplied firmwares is a business/sales/financially motivated decision rather than an end-user security decision.

In any case, if you're doing anything of security significance or anything on an untrusted network you're using strong encrypted protocols anyway, aren't you? (If your ISP/mailhost doesn't support SMTP+TLS & IMAP+TLS or similar then it's time to find a better one anyway). I very rarely send or receive any unencrypted traffic beyond plain old HTTP, and I can trivially tunnel out to a proxy on a trusted network for that if I need it.

Trusted network

Posted Mar 25, 2008 11:47 UTC (Tue) by mbottrell (guest, #43008)

Trusted or not... where is the trust?

If I purchase the hardware, pay the electricity to run it, should I not be able to control my own PURCHASED hardware. EULAs need a big kick in the butt. If I want to feed my unit to my dog, plant it in the garden to grow more or hack the device.. it should be free to do with as I see fit. Particularly if it isn't a subscription model that I am paying someone to maintain.

Move on from Meraki (or is that pronounced Merky) -- and look for alternatives. I'm sure the guys at MIT when first envisioning this didn't expect to see their product slip to such a dog once the lawyers got involved.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.