
From "happy hacking" to "screw you" - the story of Meraki (virishi.net)

From virishi.net comes a tale of woe about trying to use Meraki hardware to provide internet access to part of Vancouver, British Columbia. It seems that this commercial spin-off of the MIT Roofnet project keeps changing its pricing models and the licensing on its free-software-based devices. "Then in February Meraki announced a change to their EULA (End User Licence Agreement) which precluded anyone from changing any of the software that they install on their units. This meant that from that point forward we would be breaking their rules, and maybe the law, by installing our own work on their hardware. Of course this could not be applied retroactively so we were free to continue to work with the hardware that we'd already bought but we intensified our search for alternatives to the Meraki hardware." (Seen on Slashdot).


GPLv3

Posted Mar 24, 2008 16:48 UTC (Mon) by epa (subscriber, #39769) [Link]

This sounds like the sort of thing that GPLv3 was designed to address.  I wonder if in the
long term the adoption of GPLv3 will make a difference?  It would at least act as a 'seal of
approval' for buyers; if you purchase a device that uses GNU bash then you know the vendor
can't pull your rights from under you.

Possible replacement, minus the VC hype

Posted Mar 24, 2008 18:04 UTC (Mon) by dmarti (subscriber, #11625) [Link]

Another good one: Open Mesh Picks Up Where Meraki Left Off.

to play devil's advocate

Posted Mar 24, 2008 23:39 UTC (Mon) by gorpon (subscriber, #25040) [Link] (2 responses)

for a moment, I wonder if, beyond revenue, was there a security issue as well that prompted
them to lock their devices down?  If people are hacking the firmware on their mesh routers,
isn't it also possible for any mesh user to intercept and do nasty things with other people's
traffic as well?

Trusted network

Posted Mar 25, 2008 0:23 UTC (Tue) by ringerc (subscriber, #3071) [Link] (1 responses)

No normal mesh user should have the access rights to the router required to reflash it.

Many network devices can potentially be reflashed with malicious firmware, but that generally
requires a login to the device first. You can then push the firmware over HTTP, enable TFTP
pull from an address, etc. Requiring local hardware access is just too much hassle for
efficient network admin - imagine having to unlock an access port and attach a JTAG probe to
every router you admin when a new firmware comes out. Ick.

If you don't trust the legit network admins then hostile routers are the least of your
worries. You should be worried about the packet capture session running on the upstream link
that's sifting for credit card details, passwords, etc.

In other words, disabling non-company-supplied firmwares is a business/sales/financially
motivated decision rather than an end-user security decision.

In any case, if you're doing anything of security significance or anything on an untrusted
network you're using strong encrypted protocols anyway, aren't you? (If your ISP/mailhost
doesn't support SMTP+TLS & IMAP+TLS or similar then it's time to find a better one anyway).

I very rarely send or receive any unencrypted traffic beyond plain old HTTP, and I can
trivially tunnel out to a proxy on a trusted network for that if I need it.

Trusted network

Posted Mar 25, 2008 11:47 UTC (Tue) by mbottrell (guest, #43008) [Link]

Trusted or not... where is the trust?

If I purchase the hardware, pay the electricity to run it, should I not be able to control my
own PURCHASED hardware?

EULAs need a big kick in the butt.

If I want to feed my unit to my dog, plant it in the garden to grow more or hack the device...
it should be free to do with as I see fit.

Particularly if it isn't a subscription model that I am paying someone to maintain.

Move on from Meraki (or is that pronounced Merky) -- and look for alternatives.  

I'm sure the guys at MIT when first envisioning this didn't expect to see their product slip
to such a dog once the lawyers got involved.

"their units"?

Posted Mar 25, 2008 12:47 UTC (Tue) by coriordan (guest, #7544) [Link]

Describing hardware you've bought as being "their units" is giving too much importance to the
manufacturer.  It's not their hardware, it's your hardware - just as much as a pencil you buy
is yours and cannot come with a legally binding EULA saying what you can write.


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds