Episode Transcript
0:02 Two and a half admins, episode 201. I'm Joe. I'm
0:05 Jim. And I'm Alan. And here we are
0:07 again. High severity vulnerabilities
0:09 affect a wide range of ASUS
0:11 router models. So ASUS
0:14 has come out with some updates to address
0:16 some of these. I'm releasing
0:18 these critical patch updates. The
0:20 first one, CVE-2024-3080, is an authentication bypass which
0:26 would allow a remote attacker to log into a
0:28 device without having to provide a username and password.
0:31 So the first question is why
0:33 is remote login enabled? But
0:36 second one is why are you building
0:38 authentication systems that, just
0:41 guessing here, have too much of
0:43 the authentication done in the JavaScript rather than
0:45 in the backend of the web interface? My
0:47 answer for that one, which was wildly unpopular in
0:50 the Ars comments section was, I mean,
0:52 this is ASUS, y'all. This is the same
0:54 company that built routers with unauthenticated
0:57 FTP servers open
0:59 to the WAN that would expose everything
1:01 on any thumb drive or USB portable
1:03 you plugged into that router to
1:06 the entire internet read, write
1:08 for everyone. And even when that was reported to
1:10 them said, no, that's not a flaw. That's awesome.
1:13 You should love that. By the way, keep plugging
1:15 your stuff into it. There
1:17 was a court order that came out of that particular issue,
1:19 which was 10 years ago, almost to the
1:21 day, that forced them to accept third
1:23 party security mediation for a certain number of years.
1:25 I'm not sure if that's up yet or not.
1:28 And a lot of folks seem to
1:31 have taken that as like, Oh, well, you know, that
1:33 just got everything sorted with ASUS. And I'm like,
1:35 no, man, that didn't make them security focused any
1:37 more than the Philip Morris and RJ Reynolds
1:39 companies having to put out anti-smoking ads made
1:42 them actually concerned for the health of your
1:44 lungs. Yeah. And you know, we've
1:46 also talked about on the show eight
1:48 or nine months ago, probably about the
1:50 US Cyber Trust
1:53 certification and trying to get to
1:55 the point where all routers have
1:57 some minimum standard of security before
2:00 people go buying them or at
2:02 least giving the consumer some ability to
2:04 tell how well tested a router is
2:06 before they buy it and that could
2:08 factor into their purchase decision. But
2:10 that's not up and running yet. And
2:13 again, I think we'll come down to some level of,
2:16 you know, what is the testing that's going to go
2:18 into this? And there
2:20 will be a test to make sure that you
2:22 can't get unauthenticated access, but it's not going
2:24 to be able to find every bug. So
2:27 even when we have some level of certification,
2:29 or like in this case, Jim was saying,
2:32 even if they have to get the stuff
2:34 audited, it doesn't necessarily mean they're going to
2:36 have found all the problems. It
2:38 just means that at least they did some level
2:40 of something, but I think we have
2:42 to keep working to continue to raise that bar. It
2:45 sounds like this isn't just a bit of
2:47 sloppy code that led to some sort of
2:49 buffer overflow or something. This
2:52 sounds like more of a design failure
2:54 from what you have speculated at least.
2:57 Probably like authentication bypass means yeah, there was some
2:59 way to do stuff without having to log in,
3:01 which means on the back end when it checks,
3:03 are you logged in? Sometimes it just
3:05 doesn't check. And that can just
3:07 be, oh, well, you know, in the web UI, you can
3:09 only get to that page if you are logged in. It's
3:12 like, yeah, but if I know the URL and I just
3:14 type it in my browser, can I go to it? Then
3:17 that's not authenticated. This
3:19 may be another wildly unpopular idea, but it occurs
3:22 to me to wonder, have we gotten to the
3:24 point where you really
3:26 shouldn't be allowed to just sell
3:28 whatever you care to sell as a router,
3:31 regardless of what feature set you've enabled or
3:33 how you set it up and
3:35 just let normal people go out and put it
3:37 on the internet. You can't
3:39 just take anything out onto the public roads where
3:41 there are other people. Maybe
3:44 we should have some similar standards with third
3:47 party testing, not just relying on
3:49 the companies making these things. Maybe
3:52 there really ought to be some regulations that
3:54 define like this is what a consumer router
3:56 is. It must do these things. It
3:59 must not do these things and
4:01 somebody other than the company making it is going to test
4:03 it and make sure that's the case. Yeah, although I
4:05 think that's where you get into, you know, there are
4:07 regulations about what you can call chocolate. And
4:10 so many food products are
4:12 now labeled chocolate flavor because
4:14 no, it's not a router.
4:16 It's a home media something
4:18 device that then evades the
4:20 requirement. But I think having that
4:22 would at least again, like we're talking about give
4:24 consumers something to look for to know that I'm
4:27 getting something that's at least some
4:29 level of a second set of eyes
4:31 have looked at it compared to
4:34 I have to go on faith with the
4:36 manufacturer because no manufacturer has
4:38 ever had no flaws.
4:40 Are you trying to say that we need
4:42 to regulate the capitalism again, Jim? I mean,
4:45 always, but it's not really about the
4:48 capitalism specifically, you know, right now. I
4:51 don't think anybody would argue this is not a capitalist
4:53 society or a free market because you
4:55 have to have a driver's license and, you know,
4:57 there are rules about what you can or can't
5:00 call a car that can drive on public roads.
5:02 You'd be surprised there are some people who would
5:04 argue that, Jim. I know there
5:06 are some, but you know, you're talking about
5:08 a very, very fringe minority at this point,
5:10 and I'm just going to go ahead and
5:12 ignore the sovereign citizens of the world. We
5:15 don't need to elevate them. But
5:18 it just occurs to me that, you know,
5:20 we have very clearly reached
5:22 a point where there
5:25 are legitimate public safety concerns
5:28 from screwing up the ways people are connected
5:30 to the Internet because in the more developed
5:32 economies in the world in 2024, a huge
5:34 amount of
5:37 any normal citizen's life happens
5:40 online, period. Like it can't
5:42 be worked around. So
5:44 if you're going to have something
5:46 that is, you know, literally a part
5:48 of daily life for everybody in your
5:51 country, then yeah, safety regulations start to
5:53 sound kind of important. And
5:55 right now we essentially have none. My only
5:57 concern there is if it's something, you
5:59 know, you have to get the safety certification on
6:02 your car before you can drive it on the road,
6:04 makes sense. But how many of
6:06 us have our router type device as a
6:09 homemade thing where there's not some manufacturer that can
6:11 pay to get it certified? I
6:13 wouldn't want to get to the point where
6:15 you can't plug any device into the internet
6:18 unless it's been certified. I'm actually more focused
6:20 on what you need to do in order
6:22 to sell a device as something. If
6:24 you're a hobbyist and you want to build your
6:26 own router out of whatever the crap in your
6:28 own house, that's
6:31 a relatively small issue. You know, you're
6:33 talking about a, again, a
6:35 vanishingly small minority of the internet's
6:37 population will actually do that. What's
6:40 really important is, you know, what's
6:42 going out to literally hundreds of
6:45 millions of households of people
6:47 who are not, cannot, and will not build
6:49 their own router or whatever, but they should
6:51 be able to go down to a store
6:53 and say, I would like a router please,
6:56 and be given a thing with
6:58 a reliable set of features and
7:00 security and privacy concerns that everybody
7:03 understands this is what this means.
7:06 Yeah, and you know, while you're at it,
7:08 maybe they could have ratings about bandwidth on
7:10 them that are actually legitimate, like tested
7:13 by a third party in normal internet
7:15 circumstances, not the numbers they
7:17 print on the wifi, where it's like, oh, up
7:19 to magical numbers, so
7:22 that you get a router that has enough CPU
7:24 horsepower to actually pass your gigabit internet through it
7:26 over the wire, we're not even talking about the
7:28 wifi side of that, and so on,
7:30 but then at that point, you know, you might as well
7:32 also ask for a pony while you're at it. I
7:34 think as far as speed certifications on routers go,
7:37 you could certainly have like minimum metrics as
7:39 part of the spec to be able to
7:41 sell it as a consumer router, or you
7:44 could even maybe have like two or three
7:46 grades of router, but it would
7:48 have to be like a bronze silver gold kind
7:50 of a deal, because to really
7:53 talk about what the router is capable of doing,
7:55 you can't just talk about bandwidth, you gotta start
7:57 talking about packets per second, and you're
7:59 never...