2.5 Admins 201: CVEs everywhere

Released Thursday, 27th June 2024

Episode Transcript
0:02

Two and a half admins, episode 201. I'm Joe. I'm Jim. And I'm Alan. And here we are again. High severity vulnerabilities affect a wide range of ASUS router models. So ASUS has come out with some updates to address some of these. I'm releasing these critical patch updates. The first one, CVE-2024-3080, is an authentication bypass which would allow a remote attacker to log into a device without having to provide a username and password.

0:31

So the first question is, why is remote login enabled? But the second one is, why are you building authentication systems that, just guessing here, have too much of the authentication done in the JavaScript rather than in the backend of the web interface? My answer for that one, which was wildly unpopular in the Ars comments section, was, I mean, this is ASUS, y'all. This is the same company that built routers with unauthenticated FTP servers open to the WAN that would expose everything on any thumb drive or USB portable you plugged into that router to the entire internet, read-write for everyone. And even when that was reported to them, said, no, that's not a flaw. That's awesome. You should love that. By the way, keep plugging your stuff into it. There was a court order that came out of that particular issue, which was 10 years ago, almost to the day, that forced them to accept third-party security mediation for a certain number of years. I'm not sure if that's up yet or not. And a lot of folks seem to have taken that as like, oh, well, you know, that just got everything sorted with ASUS. And I'm like, no, man, that didn't make them security focused any more than the Philip Morris and RJ Reynolds companies having to put out anti-smoking ads made them actually concerned for the health of your lungs.

1:44

Yeah. And you know, we've also talked about on the show, eight or nine months ago probably, about the US Cyber Trust certification and trying to get to the point where all routers have some minimum standard of security before people go buying them, or at least giving the consumer some ability to tell how well tested a router is before they buy it, and that could factor into their purchase decision. But that's not up and running yet. And again, I think it'll come down to some level of, you know, what is the testing that's going to go into this? And there will be a test to make sure that you can't get unauthenticated access, but it's not going to be able to find every bug. So even when we have some level of certification, or like in this case, Jim was saying, even if they have to get the stuff audited, it doesn't necessarily mean they're going to have found all the problems. It just means that at least they did some level of something, but I think we have to keep working to continue to raise that bar.

2:42

It sounds like this isn't just a bit of sloppy code that led to some sort of buffer overflow or something. This sounds like more of a design failure, from what you have speculated at least.

2:57

Probably. Like, authentication bypass means, yeah, there was some way to do stuff without having to log in, which means on the back end when it checks, are you logged in? Sometimes it just doesn't check. And that can just be, oh, well, you know, in the web UI you can only get to that page if you are logged in. It's like, yeah, but if I know the URL and I just type it in my browser, can I go to it? Then that's not authenticated.

3:17

This may be another wildly unpopular idea, but it occurs to me to wonder, have we gotten to the point where you really shouldn't be allowed to just sell whatever you care to sell as a router, regardless of what feature set you've enabled or how you set it up, and just let normal people go out and put it on the internet? You can't just take anything out onto the public roads where there are other people. Maybe we should have some similar standards with third-party testing, not just relying on the companies making these things. Maybe there really ought to be some regulations that define, like, this is what a consumer router is. It must do these things. It must not do these things. And somebody other than the company making it is going to test it and make sure that's the case.

4:03

Yeah, although I think that's where you get into, you know, there are regulations about what you can call chocolate. And so many food products are now labeled chocolate flavor, because no, it's not a router. It's a home media something device that then evades the requirement. But I think having that would at least, again, like we're talking about, give consumers something to look for, to know that I'm getting something that's at least some level of a second set of eyes have looked at it, compared to I have to go on faith with the manufacturer, because no manufacturer has ever never had a flaw.

4:40

Are you trying to say that we need to regulate the capitalism again, Jim?

4:42

I mean, always, but it's not really about the capitalism specifically, you know, right now. I don't think anybody would argue this is not a capitalist society or a free market because you have to have a driver's license and, you know, there are rules about what you can or can't call a car that can drive on public roads.

5:02

You'd be surprised, there are some people who would argue that, Jim.

5:04

I know there are some, but you know, you're talking about a very, very fringe minority at this point, and I'm just going to go ahead and ignore the sovereign citizens of the world. We don't need to elevate them. But it just, it occurs to me that, you know, we have very clearly reached a point where there are legitimate public safety concerns from screwing up the ways people are connected to the Internet, because in the more developed economies in the world in 2024, a huge amount of any normal citizen's life happens online, period. Like, it can't be worked around. So if you're going to have something that is, you know, literally a part of daily life for everybody in your country, then yeah, safety regulations start to sound kind of important. And right now we essentially have none.

5:55

My only concern there is if it's something, you know, you have to get the safety certification on your car before you can drive it on the road, makes sense. But how many of us have our router-type device is a homemade thing, that there's not some manufacturer that can pay to get it certified? I wouldn't want to get to the point where you can't plug any device into the internet unless it's been certified.

6:18

I'm actually more focused on what you need to do in order to sell a device as something. If you're a hobbyist and you want to build your own router out of whatever the crap in your own house, that's a relatively small issue. You know, you're talking about, again, a vanishingly small minority of the internet's population will actually do that. What's really important is, you know, what's going out to literally hundreds of millions of households of people who are not, cannot, and will not build their own router or whatever, but they should be able to go down to a store and say, I would like a router please, and be given a thing with a reliable set of features and security and privacy concerns that everybody understands, this is what this means.

7:06

Yeah, and you know, while you're at it, maybe they could have ratings about bandwidth on them that are actually legitimate, like tested by a third party in normal internet circumstances, not the numbers they print on the wifi, where it's like, oh, up to magical numbers, so that you get a router that has enough CPU horsepower to actually pass your gigabit internet through it over the wire, we're not even talking about the wifi side of that, and so on, but then at that point, you know, you might as well also ask for a pony while you're at it.

7:32

I think as far as speed certifications on routers go, you could certainly have like minimum metrics as part of the spec to be able to sell it as a consumer router, or you could even maybe have like two or three grades of router, but it would have to be like a bronze, silver, gold kind of a deal, because to really talk about what the router is capable of doing, you can't just talk about bandwidth, you gotta start talking about packets per second, and you're never...
