A college classmate asked me if there’s anything to the stories that DD-WRT might potentially get locked out due to new FCC regulations.
Unfortunately the answer is yes, there may be something to it.
I’ve long recommended hard-coding your DNS settings as a performance and reliability enhancement–here’s my guide for that–but it turns out it can be a security enhancement too.
Botnets targeting routers aren’t new at all, but there’s a particularly nasty one named Moose running around right now. Among other things, it changes routers’ DNS settings to point to rogue DNS servers that allow the attackers to steal your social media credentials, furthering the bot.
In 2003, Dan Geer called the combination of Microsoft’s market dominance and the flimsy security of its products a threat to national security.
Today, he’s calling the security holes in consumer routers a threat to critical infrastructure.
These two things are related in more ways than being utterances from the same person. These routers were designed to protect flimsy PCs from the horrors lurking on the Internet. In 2003, they were arguably adequate. But since 2003, Microsoft operating systems have improved dramatically from a security standpoint while routers have stood still. Many of them are still running on the same outdated Linux kernels and userspaces, just on newer, faster hardware. These routers are now less secure than the computers they are supposed to protect. This isn’t a knock on Linux; Linux has improved in the last 11 years too, but router makers generally haven’t incorporated those improvements. So these routers are easy to attack, easy to use to build botnets, and the user will never be the wiser since they keep the devices until they break. The only good news here is that many of them break after a year or two, and that’s supposed to be bad news.
Sadly, these problems are all solvable.
C’mon. You knew I’d get around to writing a response to Rick Broida’s claim that he doesn’t use antivirus software.
Actually, he’s not nuts. But he’s also mistaken if he thinks he doesn’t use antivirus software. His editorial is kind of like saying, “I don’t use a web browser. I use Internet Explorer.”
Although he’s mistaken that he doesn’t use antivirus software, and not all of his advice is spot-on, you can do a lot worse than follow his advice.
Last week, a great deal of discussion about ad blocking and its effect on memory usage took place. This makes a lot of sense, and explains why my memory usage has always been really high.
I’m not sure there’s a lot you can do about it. One of these days I’m going to get around to standing up a pfSense box, which, among other things, can serve as a web cache and block ads for an entire network. My family has enough machines to justify that, and, given that security is what I do for a living, it’s something I need to be experimenting with anyway.
So, a relative’s PC was getting a bit aged, and runs Windows XP, barely, so I talked them into an upgrade. I noticed that Micro Center had HP/Compaq DC5700s for $99. They were standard issue office PCs a few years ago, and there are a lot of them in the refurb channel. We went and got one over the weekend.
“What are you going to do with that?” the sales rep asked. “We only use them as cash registers.”
“Word processing,” I said.
“You sure you want to run Windows 7 on an 8-year-old PC?”
“I wrote the book on running Windows on older PCs. Literally. It’ll be fine.”
I hate calling rank like that, but sometimes it’s what you have to do.
And really, for $99, it’s awfully good. Web browsing is plenty fast, LibreOffice runs fine on it, and think about it. Windows 7 retails for $100-$109. So it’s like getting the hardware for free. Or Windows for free, however you want to look at it.
I spent some time over the weekend playing with pfSense, and I can’t say much about it other than it does what it says. I didn’t throw a ton of hardware at it–the best motherboard I have lying around is a late P4-era Celeron board, and the best network card I could find was, believe it or not, an ancient Netgear 10/100 card with the late, lamented DEC Tulip chipset on it. Great card for its time, but, yeah, nice 100-megabit throughput, hipster.
If you actually configure your routers rather than just plugging them in, you can do this. Plug in a couple of network cards, plug in a hard drive that you don’t mind getting overwritten, download pfSense, write the image file to a USB stick, boot off the USB stick, and follow the prompts. Then, to add wireless, plug in a well-supported card like a TP-Link and follow the howto.
Today I found an article in PC World that gives a somber assessment of the state of consumer routers, like the device that probably sits between you and the Internet.
I’m glad this is getting attention. There’s a lot more to it than what’s in the PC World article, but I’ve droned enough about what’s bad about consumer routers. It’s bad now, and it’s going to get worse before it gets better. Kudos to PC World for providing a bit of an action plan.
What if you want to go beyond what PC World is talking about? I’m glad both of you asked.
A very good question came in as a comment to my earlier post, the benefits of practicing IT at home. What do I mean by putting some Windows 7 machines on a domain? It’s one of several good home network projects.
I mean standing up a server with centralized user accounts and shares, running on Windows Server or Samba, whichever you can afford. Make it a print server too, and print from it, just like you would from an office. Then extend it, and extend your sysadmin skills. Here are several ideas for projects of varying length, difficulty, and expense.