back to article Broadband routers: SOHOpeless and vendors don't care

It is far more common to find routers with critical flaws than without – Craig Young It's sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room. – Peter Adkins Introduction Home and small business router …

  1. Anonymous Coward
    Anonymous Coward

    Hear, hear !

    The router is probably the most critical piece of kit there is and it's about time vendors were brought to book on this.

    1. John Brown (no body) Silver badge

      I agree. But it's a hard choice to make. Increase the price of your base level home routers so you can make them secure or get the price as low as possible so you can stay in the market where Joe Public only cares about price?

      Quality costs money, whatever the product, and the majority of Joe Public care more about the cost at the point-of-sale than quality or product longevity, even it actually costs more in replacement goods over time when the shitty cheap stuff breaks as soon as the warranty period ends.

      1. illiad

        Just remember, 'Joe public' (sorry, but that INCLUDES most management!!) outnumbers most 'techs with a good knowledge' by up to 10 to 1!!! , This is why there are so few good digital TV recorders about..

      2. Anonymous Coward
        Anonymous Coward

        As a non-expert, but avid tech reader

        If this was new problem I could agree with you. This, in general, has been an issue for many years and many of the specific attacks have been known for years. If a company wants to introduce bells and whistles, for differentiation and value, and those negatively affect the security of their device(s) then they should certainly be responsible for fixing it.

        Do commodity vendors get away without supplying said software largely because their devices and software are owned by a huge number of individuals, non-experts, making it difficult to prove malfeasants? I think that a lot of these devices are bought by large businesses that should have experts to test said equipment before it's shipped; although, those large businesses don't appear to bother.

        The commodity hardware industry may provide crap products; but, so does the commodity software industry. I would think that a company could make a good living "hardening" said software and providing it to vendors for a small price per unit. A company like that could offer security updates, provide vendor specific GUIs for more money and do this for little cost when spread over the cost per unit of commodity devices.

        With computers, routers, and switches becoming increasingly important to all of our lives should the EULA become a thing of the past? If secure software can't be provided and updated then that software is not fit for purpose. Of course, the big players in the software industry have the economic clout and thus political influence that this won't change any time soon.

  2. Mephistro
    Flame

    Why, oh why...

    ...aren't the makers and distributors of this gunk being held liable for their lack of due diligence? Most of these 'defective by design' units are distributed by ISPs who also ignore due diligence when evaluating a new router. Yes, ISPs should also respond for this rolling SNAFU.

    1. Ole Juul

      Re: Why, oh why...

      And many are being sold and/or advertised by companies giving them favourable reviews.

    2. Ian Michael Gumby
      Boffin

      @ Mephistro Re: Why, oh why...

      In order to hold a manufacturer liable you have to show that they intentionally created a substandard product. If the lack of security is the 'state of art' ... don't have much of a case, along with you the plaintiff who needs to show damages.

      In addition, you have a price point that you need to reach because consumers don't want to pay the cost of a commercial wireless access point / router which has these security features. Its also the price point where cable / broadband providers will install and 'maintain' the unit for you for a 'small' rental fee.

      So unless you're willing to pony up the extra cash to be online, you will have this problem because some of the software, firmware you find in a commercial grade access point costs the manufacturer licensing fees and even under FRAND, it adds to the cost.

      My consumer grade wireless access point got hacked. I made the decision because I run a SOHO to upgrade to a Cisco Meraki. So I paid 4-5X over the cost of consumer grade, plus an annual license for management software. (Its actually worth it.) Not only did I increase my home security, but I upgraded to ac in addition to a/b/g/n. Now my ac enabled devices can access the network with greater bandwidth.

      In addition to this, I also found out that there were several compromised APs that were flooding the network and causing interference with those using a/b/g/n routers.

      I agree that companies that produce equipment should improve their products, however we as consumers need to be willing to pay the price. Not everyone is a consultant like myself and can afford to install commercial grade hardware in the home. But you're limited on being able to force companies to do the right thing until you can show true damages.

      1. SImon Hobson Bronze badge

        Re: @ Mephistro Why, oh why...

        > In order to hold a manufacturer liable you have to show that they intentionally created a substandard product.

        Err, no you don't.

        You merely need to show that it was substandard, AND that they either knew or should reasonably have known that it was substandard.

        I'm sure that a creative lawyer could argue that by providing an insecure router (a defect unpatched after one year, let alone 7 should be enough evidence) the manufacturer is guilty of "aiding an offender" or "conspiracy to commit a crime" by providing the tools used by the criminals that exploit them.

        A good test case "pour discouragement les autres" would shake things up a bit. Lets just say, I'm not holding my breath on that happening.

      2. Mephistro

        Re: @ Mephistro Why, oh why...(@ Ian Michael Gumby)

        While you have some good points, i think you're forgetting some important facts:

        - Most SOHO modem/routers are sold by ISPs to the customers, who usually pay the kit over a period of months, and agree to a minimum stay term. As sellers, they have a responsibility over the kit they sell. The flaws discussed in the article clearly describe a "not fit for purpose" product.

        - There are a few SOHO modem/routers with no known serious vulnerabilities. Yes, they're probably more expensive than kit sold by the ISPs nowadays. So what? Let the customer more time to pay the device. Fixed.

        - SOHO modem routers are made by the millions. Adding a few good coders to create and test the firmware should add no more than $1 to the price per unit.

        - ISPs usually add changes to the firmware. Sometimes it's these changes that compromise the kit.

        - Adding a little bit of regulation regarding routerscomputing devices and their support, and what's expected of the makers and the distributors in terms of security, would be a good thing. As other fellow commentards have pointed out, the automotive industry without regulation would be a frecking bloodbath.

    3. Anonymous Coward
      Anonymous Coward

      Re: Why, oh why...

      All I want is a white list of devices that at least have no "known" security defects. Does that exist?

      1. illiad

        Re: Why, oh why...

        WHY are you here then?? this site is for news and fun, go to PROPER sites for serious stuff!!! :)

        http://www.trustedreviews.com/best-routers_round-up

        http://uk.pcmag.com/apple-airport-extreme-base-station-a1521/8151/guide/the-10-best-wireless-routers

        http://www.cnet.com/uk/topics/networking/best-networking-devices/

  3. Ole Juul

    Why does this problem exist?

    Surely they're not held back by the development cost, because I'd wager they'd sell as many units if they put one of the excellent open source router distros on them. It's not like they're making money on the firmware. I assume that these companies just don't care, but why is there no pressure on them to fix the problem?

    1. Anonymous Coward
      Anonymous Coward

      Re: Why does this problem exist?

      Some of them DO use the open-source firmwares as noted. BUT as noted the low-price router market has multiple price pressures. One slip and the competition has them for lunch. It's like trying to develop E.T. on a six-week schedule: you lose either way. Either you make the deadline by being forced to take security shortcuts or you miss the boat, get beat to market, and get left with nothing. And before you say people will pay for secure, that's only true in the tech-savvy El Reg audience. Meanwhile, in the REAL real world, the market is ruled by sheep whose primary interest is getting something quick and cheap, thus locking safe out of the "quick-safe-cheap" triangle.

      IOW, the router vendors are under existential pressure to get their product out yesterday and the consumer is too stupid to demand a safe product. A sarcastic quote comes to mind: "We're all gonna die..."

      1. Warm Braw

        Re: Why does this problem exist?

        While it's true that there are constant development pressures to incorporate faster wireless and DSL standards (for example), the management software (which is where most of the security problems lie) generally hasn't changed much in functionality over years, and is barely ever touched by most of the end users. In a sane world, the management code would have been stable apart from the odd bug fix for nearly a decade. And probably locked into a standard, safe, configuration by default.

        However, the notional manufacturers don't actually seem to have much responsibility for hardware or software, beyond developing a functional spec which they then sub out to the cheapest supplier. Or in some cases to a batch of different suppliers - it's not uncommon for different "revisions" of the supposedly-same hardware to have significantly different chip sets.

        That actually adds to long-term costs as the vendor is constantly re-buying functionally-similar hardware and software components that are so different in implementation it's impossible to support them in any meaningful sense. And all they have to show in assets at the end of the process is a brand name tarnished by shoddy products that are indistinguishable from every other tarnished brand's shoddy products.

    2. Anonymous Coward
      Anonymous Coward

      Some of the issues are due to the bad use of open source code as well

      I've found many devices built on open source code, but still using old, buggy one even when updates and fixed were available - but sometimes they use "abandoned" ones and never spent the time to change the code to use a different one.

      It looks developers never mined to updated it, probably because the old "it works, don't touch it" rule is still in use. Often, the same handful of libraries are used across a wide range of devices even of different vendors, meaning a flaw will have a large impact.

    3. Anonymous Blowhard

      Re: Why does this problem exist?

      And the answer is, of course, money!

      The cheaper they are, the more likely they are to get huge ISP contracts! And ISPs like to remote manage things, so "value-added" features like remote access are put in at lowest cost, so no surprises if the security gets compromised in the implementation.

      And the difference between excellent security and no security can be one firmware update!

      And there are different firmware builds for different countries, so a product that's secure in one region may be insecure in another.

      Market forces will guarantee the current situation as manufacturers race to the bottom; the cure may be worse than the disease though, as it will require regulation to force manufacturers to compete on an even playing field.

      Many of the safety features in your cars are there because the government says so, and the the car must pass government mandated safety tests; all manufacturers have the same requirements so no-one can gain an advantage by cutting corners.

      So the answer is pay more to support regulation and testing or keep it cheap and every man for himself.

    4. Decade
      Facepalm

      Re: Why does this problem exist?

      The problem exists because of tradition.

      The networking companies have always sucked. Back when NICs were add-on parts, unless you got your NIC straight from 3COM or Digital, it would just be the lowest-bidder chip and board. You could never depend on the model number, because they completely changed the insides without changing the model name.

      When they started making routers, they just brought these bad habits with them. They make no promises about what's inside, because they like to have the option of changing it when they find a way to save a few pennies. This makes it difficult to shop for a device for use with open-source firmware.

  4. frank ly

    We didn't make that bit

    "Big names complain they do not always control components that could introduce security risks which they say is often to blame as the point of failure"

    And that's why Ford is not responsible if the tyres on your new car all burst if you drive above 60mph. Oh, ..... wait a minute.

    1. rhydian

      Re: We didn't make that bit

      "And that's why Ford is not responsible if the tyres on your new car all burst if you drive above 60mph. Oh, ..... wait a minute."

      Ford and Firestone fell out over who was to blame....

      http://en.wikipedia.org/wiki/Firestone_and_Ford_tire_controversy

  5. Mage Silver badge
    Black Helicopters

    OpenWRT?

    I was fed up with router reliability. I "made" my own 7 years ago using an industrial computer board with two ethernet ports. (no 5 port switch made to look like Wan port and 4 x Lan)

    OpenWRT + serious passwords.

    It uses a laptop WiFi card to act as an airpoint too.

    OS on a CF card.

    spare card holder (2nd WiFi?)

    2 x USB hosts unused

    1 x Serial port unused.

    I experimented with other features but decided router + firewall + Airpoint (bridged to LAN ethernet) was enough due to security concerns.

    I stuck it in an old 300 Baud Sagem modem case.

    1. Big-G

      Re: OpenWRT?

      ..and, apart from polishing your halo, your point is ?

      1. jason 7

        Re: OpenWRT?

        I was waiting for the obligatory OpenWRT/DD-WRT post. Came in later than expected.

        As predictable as the "Oh wow I'm so clever, I bought a Chromebook and slapped linux on it!" post in a Chromebook topic.

        Yes...we know!

      2. Chronos

        Re: OpenWRT?

        Big-G wrote: ..and, apart from polishing your halo, your point is ?

        I suspect his point is if he can do it securely, why can't the manufacturers who, let's face it, have far more resources and cash available to them than he does? You can't expect Joe Facebook to look at a plastic box with blinkenlights that is allowing him to see funny cat videos and make a rational review of its ability to fend off nasties. That's the manufacturer's responsibility.

        One would almost think it's deliberate. Almost. Hanlon's razor applies. To pile on the quotes in a vain attempt to sound authoritative, only two things in life are infinite: The Universe and human stupidity and I'm not sure about the former.

      3. Mage Silver badge
        Devil

        Re: OpenWRT?

        The point is it's pretty lame how rubbish most domestic gear on sale in Tesco, Argos etc is compared with a generic controller card and 7 year old open source software.

        This isn't hard at all.

        They have lavished more attention on the box that no-one is going to look at.

        Icon, cos I have no halo.

        Sorry I didn't explain my point.

        My ISP's "cable modem" is nearly 10 years old. It's purely a DOCSIS 2.0 modem. The cable Modems or ADSL modems with router built in and no bridge mode are evil. At least xDSL you can put your own. Very rare a DOCSIS (Cable) based provider will provision anything other than their own.

    2. Anonymous Coward
      Anonymous Coward

      Re: OpenWRT?

      Ok, and how much did it cost you? Something like a Soekris board or the like is more expensive than a off-the-shelf device. You have also no warranty but on the pieces themselves.

      Sure, if you're a "nerd" (I'm too) you can easily assemble your router yourself, even if it costs you some money, but those companies are trying to sell lots of very cheap devices, even at larger volumes, your setup would cost more - and it's exctly the kind of hardware you find in more professional/enterprise devices.

      1. illiad

        Re: OpenWRT?

        Yup, he's a nerd and most likely 'just happens' to have those pieces lying about... - nothing to do with 'price' :/

        Also, the word 'router' has gone though a lot of 'actual meaning' changes in the last few years... eg..

        (yes, this is what the confused PC shop calls them!! :roll:

        - 'router' or 'switch' - I forget, one routes packets by IP to the ONE PC it is for, the other just sends the packets to ALL connected PCs..

        - ADSL router - can mean ADSL modem, may have ONLY ONE Ethernet output, telephone socket input!! - may have NO modem, you just plug the output of your modem in, and get 5 rj45s out...

        - cable router - Its just a splitter for the output of your cable box, for 5 rj45s out...

        The next problem with home made, is the ISP going to 'recognise' it, so its services can run properly???

        - then again, I guess nerds wont be using the 'awful' premier BB provider, in preference for one of the 'non-consumer ' ones... :)

        1. fnj

          Re: OpenWRT?

          <blockquote>- 'router' or 'switch' - I forget, one routes packets by IP to the ONE PC it is for, the other just sends the packets to ALL connected PCs..</blockquote>

          Incorrect. A switch replicates incoming packets to single SELECTED ports based on the addressed MAC vs the MAC of the attached device. A router redirects all incoming packets on the LAN which are addressed off the LAN subnet, to the WAN port (and vice versa). A NAT router (which basically everybody thinks of when you say router) adds rewriting the source IP/port-number pair of LAN packets which it redirects to the WAN, and reverses the process on responses from the WAN so they get to the right place.

          You are thinking about a "hub", which simply replicates all packets coming in on any port, to all other ports.

          To put it as simply as possible, a hub filters/rewrites nothing; a switch filters by destination MAC; a router filters by destination IP; and a NAT router filters by destination IP and rewrites source IP and port number.

    3. Anonymous Coward
      Anonymous Coward

      Re: OpenWRT?

      If you had said pfSense then people would have taken you seriously but a Linux based firewall... LOL

      1. Andy Davies

        Re: OpenWRT?

        If you watched the video the guy said that BSD systems shared these vulnerabilities.

    4. Anonymous Coward
      Anonymous Coward

      Re: OpenWRT?

      "OpenWRT + serious passwords"

      I usually find comedic and satirical passwords work better, but each to their own.

  6. Martin
    Unhappy

    What is missing from this article is...

    ...what can we do about it?

    As it stands, this is an article which says router security is awful, gives a few reasons why it might be happening, and then says someone ought to do something - but gives no suggestions as to who that someone ought to be, or what that something should be.

    Globally - are there any groups out there trying to improve things?

    Individually - what are the basic recommendations (apart from the obvious one of changing the default password to something safer)? Do you assume that if you're using vanilla OpenWRT, you're going to be safer? Are there manufacturers that consistently demonstrate a lack of security - or are they all bad?

    Come on, El Reg - don't just whinge about the problem - suggest some solutions!

    1. Reghack Pauli

      Re: What is missing from this article is...

      Rightly so!

      I've asked a couple of intelligent folks for advice and will post something once the data's in.

    2. John H Woods Silver badge

      Re: What is missing from this article is...

      I've said it before so sorry if I'm boring people, and I haven't yet tested it myself, but I am pretty sure that, in the UK, SoGA (The Sale of Goods Act) should enable you to get your money back. It would be moderately easy to argue that a basic level of cybersecurity is a realistic expectation regarding being "fit for purpose" -- certainly the consumer would be entitled to compensation had they purchased a door lock with analogous defects.

      Of course, the level of security one can reasonably expect depends on other factors ... nobody expects a cheap lock from a DIY store to be match expensive high security locks. But even very cheap items must be fit for purpose, and as many of these routers come with explicit claims about security or "firewall" functionality, I think they'd find it pretty hard to defend their case.

      Who's going to try it?

  7. Aitor 1

    Price

    The problem es the telcos expect to bay them for 10 pounds AT MOST.

    Therefore, no money can be spent checking vulnerabilities, etc.

  8. PlacidCasual

    I honestly don't know what to do about this?

    Hi

    I'm not an IT professional, I'm a mechanical engineer. But I am responsible for all the IT in my house. I use a Sky router modem, because as far as I know I have to. I use powerline adapaters with encryption and wifi with encryption. My NAS, my Sky box, my TV and desktop are wired connections via the powerline and my tablet and phones are wifi. With the best will in the world I don't know how to improve the situation, I'm guessing my router has a generic admin password but I can't remember if that's something Sky let's me change.

    No-one involved in the process of recieving and purchasing this stuff has ever suggested I need further measures to make it secure. It's a very unfortunate situation to be in.

    1. John Robson Silver badge

      Re: I honestly don't know what to do about this?

      "I use a Sky router modem, because as far as I know I have to"

      This is the problem - ISPs don't "support" anything other than their own router.

      I convinced the BT engineer to leave me an openreach modem for my VDSL line, and subsequently have swapped out the ISP provided router with a debian installation doing PPPoE itself.

      That's beyond most people, but we used to have the concept of having a modem and a router as separate devices, and that is a possible solution.

      1. Phil O'Sophical Silver badge

        Re: I honestly don't know what to do about this?

        This is the problem - ISPs don't "support" anything other than their own router.

        It's not just a question of "support'. If you take the French market most of the ISPs supply a standard "box" that also has an RG11 on the side for a telephone, through which they provide free calls, and a connection to a TV decoder for streamed TV. It may also have a USB port for a NAS and/or webcam. Replace it with a standard or home-built router and you lose access to all the 'free' extras. It's a model that seems to be spreading.

      2. Peter Gathercole Silver badge

        "having a modem and a router as separate devices"

        Before I had FTTC installed, I used to have an ADSL router connected to the Smoothwall firewall "Red" network, and all other comms kit on the "Green" network, including the wireless router(s), powerline Ethernet and all the systems.

        My wife, looking at the pile of 'things' next to the 'phone line always complained about the space and power (really), and whenever we had an interruption to the Internet, always blamed it on the fact that we did not do it the same as everyone else, even though she has no more idea of comms and security than a potato.

        Unfortunately, and to my shame, I've had to drop the idea of running a separate firewall. The hardware I have available just can't keep up with the speed of the network, and having just a single box powered on all the time appears quite attractive at the moment.

        I need to spend some real money sometime! Anybody know if IPFire for a RiPi is any good?

        1. Arthur the cat Silver badge

          Re: "having a modem and a router as separate devices"

          "Anybody know if IPFire for a RiPi is any good?"

          If by RiPi you mean Raspberry Pi, I believe the ethernet interface runs via the USB controller, and probably isn't up to FTTC speeds. I recently replaced my old Alix router because it was struggling to cope with FTTC speeds.

          Now I use a newer Atom D525 mini-ITX system running pfSense. Ticks over at a few percent CPU, doesn't break a sweat even under heavy download. Just make sure the network interfaces are Intel rather than RealTek.

          1. Peter Gathercole Silver badge

            Re: "having a modem and a router as separate devices"

            Yes, I meant Raspberry Pi.

            The problem is that I don't want to spend too much (any?) money (you can call me a skinflint if you like, I won't take exception). I've got used to using otherwise discarded kit (It's a Thinkpad T20 at the moment) for my firewall, and it's got to the point where I don't actually really have anything powerful enough to comfortably do this job without having to resort to a re-purposed deskside machine. Being a full-time Linux user, I'm still finding my go-to Thinkpad T43 good enough with Ubuntu 14.04 (LTS with Gnome-fallback), and have not had to buy a more modern laptop to free up anything remotely powerful.

            I've now actually looked at IPFire on Intel processors, and it may actually be good enough with the current laptop I'm using as a firewall, when used with a PC-Card ethernet device. This is where Smoothwall was lacking, it didn't support PC-Card devices without serious modification, involving a modified kernel - the stock kernel does not support PC-Card modules.

            But I then have the problem that the best Wireless Access Point I have (in the Bright Box) is outside of the firewall!

        2. Anonymous Coward
          Anonymous Coward

          Re: "having a modem and a router as separate devices"

          I guess you need at least two real Ethernet interfaces to run a good router/fw at a decent speed. Check Soekris boards or something alike, they are more expensive than a Pi, but are designed for such kind of tasks. You can easily build a fanless system using a CF or a small SSD disk, quiet and unobtrusive, although it can be not very cheap.

          1. Adam Inistrator

            Re: "having a modem and a router as separate devices"

            I use pfsense and atom based netbooks £50 from ebay and pfsense with a usb ethernet adapter to provide the 2nd ethernet connection ... usb2 can handle 20Mb adsl connections. they are not quite as low power as ordinary routers .. but close

          2. Peter Gathercole Silver badge

            Re: "having a modem and a router as separate devices" @LDS

            I mentioned Raspberry Pi, because I happen to have a B+ sitting around not doing a lot at the moment. For me, it's all about not spending too much money.

            My VDSL sync speed to the exchange is around 80Mb/s, and I have managed to get speed tests of ~50Mb/s when directly connected via GigE to the router, so I am a little uncertain that USB2 connected Ethernet adapters (theoretically capable of connection at the required speeds, but I' always sceptical) can hack it.

            I've just scavanged a newer old laptop back from one of the kids (they weren't using it as it would not game), and am going to try a firewall distro that supports Cardbus with a 1GB Cardbus Ethernet card that I have lying about. IPFire looks like a suitable distro.

            1. Down not across

              Re: "having a modem and a router as separate devices" @LDS

              My VDSL sync speed to the exchange is around 80Mb/s, and I have managed to get speed tests of ~50Mb/s when directly connected via GigE to the router, so I am a little uncertain that USB2 connected Ethernet adapters (theoretically capable of connection at the required speeds, but I' always sceptical) can hack it.

              You might be pleasantly surprised about the throughput that a router with bit of grunt can make. Personally I wouldn't touch USB ethernet adapters with a bargepole. In fact I'd rather suffer even Realtek card.

              I've just scavanged a newer old laptop back from one of the kids (they weren't using it as it would not game), and am going to try a firewall distro that supports Cardbus with a 1GB Cardbus Ethernet card that I have lying about. IPFire looks like a suitable distro.

              I'm partial to pfsense (just (or because) like I am partial to *BSD). Pfsense has been around a while and is pretty solid. Having said that ipfire seems rather good as well, but I haven't used that so I can't speak for it. In your particular case ipfire might indeed be a better solution even if only for the vast hardware support linux has. I suspect pcmcia support in FreeBSD won't cover quite as many cards/chipsets as linux is likely to.

              I also vaguely recall some people saying (apologies can't find reference as it was some random forum posts iirc) that under heavier traffic ipfire has lower cpu consumption than pfsense. I do know that pfsense really likes intel NICs so using "lesser" NICs could well contribute to CPU load differences under heavy network traffic.

              tldr; go for it, but try to steer way from USB NIC (imho)

      3. Anonymous Coward
        Anonymous Coward

        Actually, a router is a router, and "modems" no longer really exists...

        The very concept of "modem" is outdated. What your router does it's all every router has always did - interconnect two different networks and unserstand what packets should be routed to and from, performing transport layer translation if and when needed.

        Those network can also use different physical transport technologies (and even logical), and the translation functionality is not exactly to be a "modem" - lots of router always converted Ethernet to FDDI or ATM or whatever you needed. What you call a "modem", one with a "WAN" port (ADSL, whatever) and a LAN port (Ethernet) is actually a "simple" router.

        But SOHO "routers" are far more than that. They are also switches, access points, DNS servers, DHCP servers, VPN servers, firewalls, etc. etc., all with their managment interfaces. And here often lies the problem, not in the routing functionality itself.

        You can easily disable amd/or not use all of the above functionalities and greatly reduce the attack surface, and move them on devices beyond the router - of course it comes at a price - complexity, noise, power consumption, etc. etc.

        But what you really meant is "having a router and all other functionalies as separate devices".

        1. Anonymous Coward
          Anonymous Coward

          Re: Actually, a router is a router, and "modems" no longer really exists...

          What you call a "modem", one with a "WAN" port (ADSL, whatever) and a LAN port (Ethernet) is actually a "simple" router.

          No, it isn't. A modem (MOdulator-DEModulator) is a device for converting between digital and analogue domains, and the ADSL signal on the copper pair (or the signal on the fibre) is still analogue, and you still need a modem to convert it to something digital that can be routed by a router.

          But what you really meant is "having a router and all other functionalies as separate devices".

          One of which separate devices would be the modem.

          1. Anonymous Coward
            Anonymous Coward

            Re: Actually, a router is a router, and "modems" no longer really exists...

            Sure, even your wifi access point is modem... did you know? Why don't yo call it the "wireless modem"?

            Even Ethernet signal, when it gets to the wire, needs to be "modulated" (it uses some form of PAM), because until you can't control each single electron moving through the cable you have to deal with "waves" - why don't you call your Ethernet card a "modem"? (Oh, the old Ethernet MAU....)

            Even data written on your magnetic spinning hard disks needs modulation/demodulation, is your hard disk a "modem"?

            Each bridge/router designed to interconnect two different network using different transport layers embedds the necessary hardware to communicate over them in the proper format - including "modem" circuitry, if necessary.

            "Modem" is just a part of any devices requiring it, the part that turns one signal into another signal and back for the required underlyng medium. But from a networking point of view what you call a "modem" is actually a "media converter" - transforming one signal format into another (which may require modulation/demodulation, if the transport layer needs so).

            1. John Robson Silver badge

              Re: Actually, a router is a router, and "modems" no longer really exists...

              My "Router" doesn't have any IP routing capabilities. It is purely a media transformation device (VDSL <-> Ethernet).

              My server, which is connected via ethernet, does the PPPoE negotiation with the exchange and gets a public IP address itself. I doubt if the modem has an IP address, although I suspect it might respond to something in the 192.168 range if directed at it (since nothing downstream would accept that IP address it's a reasonably intercept) But what could I configure on it - it's a dumb link negotiator and media translator.

              Genuine question - what can you configure on a BT OpenReach VDSL "modem".

              Hmm - quite some: https://huaweihg612hacking.wordpress.com/about/

            2. Michael Wojcik Silver badge

              Re: Actually, a router is a router, and "modems" no longer really exists...

              Even Ethernet signal, when it gets to the wire, needs to be "modulated"

              Unless it's baseband. As most Ethernet signals are. That's what the "BASE" part of "10BASE-T", "100BASE-TX", etc stands for.

              because until you can't control each single electron moving through the cable you have to deal with "waves"

              You clearly don't know what you're talking about.

              - why don't you call your Ethernet card a "modem"?

              Because it probably doesn't have one?

              The fact is, your original statement about modems was rubbish, and your followups are just digging the hole deeper.

          2. Peter Gathercole Silver badge

            Re: Actually, a router is a router, and "modems" no longer really exists...

            There used to be single function devices that took a Ethernet (or USB) on one side, and an DSL link of some sort on the other. They allowed you to use PPPoE on another device (firewall or computer) directly to whatever was in the exchange. There was no 'routing' done in the device at all. You might have called them 'repeaters' or bridges, although both of those names have fallen into disuse. These devices could not remotely be called routers, although modem would not really be accurate either, but was a common term used.

            Some ADSL routers could operate in bridge mode, doing the same, and not actually offering any IP routing. This may still be possible, I've not looked recently.

            But nowadays, what you get is a multi-function device that does lots of things including routing, wireless access, firewall, DHCP, VPN and in some cases print and filesharing, and this is one angle of the story, that the more function you build into a device, the more likely it is to have a security vulnerability.

    2. Andy Davies

      Re: I honestly don't know what to do about this?

      ... well there were a few suggestions if you watched the video

    3. John H Woods Silver badge

      Re: I honestly don't know what to do about this?

      The shipped credentials on mine were

      admin

      sky

      Yeah, I'm speechless too

    4. jbuk1

      Re: I honestly don't know what to do about this?

      IPSec tunnels between all internal machines should stop network snooping from a hacked router but I guess any traffic sent to the gateway (router) would likely need to be in the clear.

      Maybe a VPN or tor could be used for all outbound connections.

      I've toyed with this sort of idea before but really configuring ipsec for every device new device does become a pain.

  9. DropBear
    Facepalm

    The thing is, as horrible it would be to take a falling brick to one's head simply walking on the street, it's also extremely unlikely to happen and therefore we don't all walk wearing hard-hats. IT security in general (including securing one's router in particular) is much like that inasmuch for every unfortunate, hapless victim who gets his identity stolen or credit card emptied there are probably a million others who will get away with the exact same thing without ever suffering any ill consequences. And they know that all too well, and that's the reason no-one can be assed to do anything about it - the perceived level of danger simply does not justify spending a single penny more on this that one has to.

    To be clear: I'm by no means advocating inaction or downplaying the depth of the problem. I'm simply explaining why consumers don't give a f###, which by definition automatically implies manufacturers don't give a f###. Of course, for every million who really doesn't care there are some, like us, who do. But if we turn out to be, say a hundred people or less to that million, we're likely to be noticed by the industry some time after phone manufacturers start catering for the niche that would love a full physical QWERTY phone, or after Hollywood starts making high-quality entertainment for the few unhappy with the current lowest common denominator (hint: hell and ice, pigs and wings (three different ones), etc.)...

    1. DropBear
      WTF?

      So, shall I assume that every single buyer of a router has security on the top of his list and would pay its weight in gold for a super-secure one, the manufacturers just scoff at all that money to be made? Or does every one of those people wake up pwned into the ground the next morning? Sorry, I'm just a bit confused about which part of the previous comment isn't a fact...?

      1. Jamie Jones Silver badge

        There seems to have been a few obsessive downvoters in this thread...

        1. KungFuDazza

          Must..... Not........ Down.... Vote......

  10. Paul Kinsler

    Re: an unknown ganghad ...

    I like this new "ganghad" coinage. Is it meant to be a sort of gang-on-a-jihad portmanteau?

    1. Hollerith 1

      Re: an unknown ganghad ...

      Yes, I noted that and thought 'a fun new unknown word to use coolly on chat threads!' and I also thought of adding -had' to many other words in order to describe deliberate, dedicated, unremitting effort, e.g. ''pizzahad' or 'beerhad'.

      1. Paul Kinsler

        Re: e.g. ''pizzahad' or 'beerhad'.

        Nice!

        Although really I have a lot to do today & tomorrow ... I might just declare a sci-had until I get this calculation finished up...

        1. Anonymous Coward
          Anonymous Coward

          Re: e.g. ''pizzahad' or 'beerhad'.

          Pot legalisation campaigners could declare a highhad. They would announce this by producing a fatwahn.

  11. Mystic Megabyte
    Unhappy

    Advice?

    My ISP is a small concern who charge extra to supply a modem/router.

    I bought myself a cheap Edimax* modem/router and created a very long password for it.I recently looked into buying something better but the only options are for routers running DD-WRT, Tomato etc. This does not solve the modem problem. If a hacker can change the DNS settings then I'm still screwed.

    We are not all networking experts so c'mon ElReg, give us some advice!

    *which stupidly comes with ftp and telnet ports open by default. Change the Firewall settings to SPI to close them.

    1. Callam McMillan

      Re: Advice?

      Personally I favour Cisco routers, which can be bought used from eBay for the same sort of prices as a decent SOHO router. The upsides of them are a generally better (if not perfect) level of security, greater reliability, and a better build quality. Downsides are that they're generally bigger, noisier, and more power hungry; they don't generally have wi-fi on them, and they are more expensive. Finally they have no fancy web interface, so they have to be configured using a command line which means you need an above-basic level of knowledge to set them up.

      I have a number of tutorials on my website about doing this, and given the number of messages I get from people that have never touched a Cisco router before, it's something more and more people seem to be doing.

      1. jason 7

        Re: Advice?

        I took a free one day intro course to CCNA that basically covered how to configure a Cisco router with Command Line.

        Worth doing. Still have my notes somewhere.

      2. Anonymous Coward
        Anonymous Coward

        Re: Advice?

        Can you get Cisco updates without paying for support?

        1. John Brown (no body) Silver badge

          Re: Advice?

          "Can you get Cisco updates without paying for support?"

          Ideally, security updates should be free to all users of their kit since they are fixing faults which were not discovered at build time and potentially should have been. Other updates which change or add to functionality are a different matter.

          It's a problem the software industry has had almost since it's inception. Software released with inadequate testing so patches are required in some case even to get it working. But they also included patches not directly related to advertised functionality and have effectively built a rod for their own backs.

          MS Windows is a prime example. Service packs are effectively a point (or more) upgrade from the base install. Maybe they ought to place a change freeze on an OS and just do security updates and fixes for free. Other updates could then be chargeable if you want the added functionality that you didn't get or expect when you bought the product. On the other hand, with a complex ecosystem like Windows OS, maybe it's cheaper for MS to force the updates on everyone and only "support" a fully patched and updated system.

      3. illiad

        Re: Advice?

        well wifi is better as a separate unit... then it can be firewalled or 'made invisible' to stop the idiots... :)

        1. KungFuDazza

          Re: Advice?

          You can't make it undetectable, and it's already invisible.

          </pedant>

    2. Steven Raith

      Re: Advice?

      I've been running a Draytek 2830N for the last few years, I've found it to be plenty quick for VDSL (handles 80mb firewalled no problem, although I believe it'll struggle with anything more) and although it doesn't have the best wifi performance, it's fine otherwise. Very good granular controls too, and although obviously it's not as quick and easy as your average Netgear modem to set up, it's not terrifying. You get proper VLANs and multiple SSIDs, etc too.

      2830 has a built in ADSL modem, 2860 has a built in dual mode ADSL/VDSL modem (and has a WAN port for fiber, as well as USB for 3/4G modems).

      They do cost around £200 though - but they are kept updated for years, and have lots of connectivity, slow line firmware, etc.

      They aren't as fully loaded as a enterprise Cisco, but they are a damned site better than the average consumer device without being quite as tricky to set up.

      The only vulnerability I've seen them fall to is the TR069 one - but TR069 was possible to disable (unlike lots of the other devices).

      Don't work for Draytek, just never had any real issues with them at home, or at dozens of client sites - if anyone wants to poke holes in Drayteks reputation, go for it, I'm always up for an education!

      Steven R

      1. jason 7

        Re: Advice?

        Only issue I've had with Drayteks is wi-fi cards in them burning out.

        Other than that, pretty good but only if you get a good deal on one.

        1. Steven Raith

          Re: Advice?

          Jason 7 - interesting, in my last job, we had dozens of sites with Drayteks, no wifi problems with 'em, but it might have been a shoddy batch you got etc.

          Only problem I've seen with Drayteks are the occasionally port forwarding bug. That, and the SSL VPN being on by default on port 443 needing to be changed to summat else.

          I've got a seperate AP (A result of having poor wifi in the bedroom of my last place) so I don't use the wifi on the Draytek so maybe I've just not spotted a problem meself.

          Otherwise, they've been rock solid.

          Steven R

    3. Dan 55 Silver badge

      Re: Advice?

      My router's running a two-year old build of DD-WRT but there's nothing newer available for it. It's probably more secure than the usual cruddy router firmware but there have been a few security scares in the past two years. I'd put OpenWRT on it if there were a flash image I could download, but there isn't. As I'd have to compile my own version and configure it there's too high a chance of it turning into a brick.

      There are relatively few OpenWRT images for modem-routers so that reduces your choices to something managable. Try looking here... http://zo0ok.com/techfindings/archives/1663

      1. Anonymous Coward
        Anonymous Coward

        Re: Advice?

        I was in the same boat and finally decided to bite the bullet and go with something that was updated on a regular basis. Outside of expensive enterprise kit, there weren't many options. I looked at Mikrotik, but wasn't impressed by either their hardware (which was relatively inexpensive) or firmware (I downloaded a trial and ran it through its paces in a virtual machine). Finally settled on pfSense loaded into a low-power PC Engines APU (the same hardware ESF, pfSense's maintainer, sells as their VK-T40E). I've already upgraded the software once (from 2.1 to 2.2 last month) and look forward to a point release soon (2.2.1). The pfSense system is well thought out and pretty easy to manage. It's based on FreeBSD (I'm using the "nano" build), which is rock solid. The book/manual covering the latest version is not freely available (you have to purchase a $99 "Gold" subscription), but people on the community forums are helpful and there's a wiki that provides information on a variety of subjects. The particular hardware solution I'm using wasn't cheap (just under $200 in all), but there are of course a lot of options there. A modestly outfitted PC with at least 2 NIC cards can work just as well.

        1. Andy Davies

          Re: Advice?

          "A modestly outfitted PC with at least 2 NIC cards can work just as well." - which is exactly what of the shelf routers are!

    4. Christian Berger

      Re: Advice?

      Well OpenWRT probably is somewhat more secure than Cisco and easier to administrate.

      If you want to have some rather secure "consumer router" look into the Fritz!Box line. Those are expensive, but the manufacturer actually makes their own firmware. So it's a far cry from those 'skin the firmware from the chipset manufacturer you got 2 years ago' you get from other vendors.

      1. illiad

        Re: Advice?

        OK... multiple firewalls, cisco router (yeah management forced that on us!! ), AZZ* service/hardware, that we are dumping soon, as they think £1000 a month is cheap!!!!

        Will soon get Draytek, vmedia business, for only £50 a month!!

        *experts will know who... they are being 'IBM' at the mo, and crashing hard...

  12. johnck

    I dont know what to do

    I don’t know what to do without “something of a security star rating could help guide consumer tastes”. Maybe a magazine or website dedicated to IT things could set something up, it wouldn’t have to do all of them just a selection, and allow the manufacture* to put a little badge on the product giving “4 out of 5 stars Mar 2015” or something. It could even make more people come to the site to find information about this security rating, leading to an increase in ad revenue.

    Does anyone know of an IT focused site that could do such a thing? ... Anyone? ...

    *I mean the name on the box not necessarily the manufacture, but you know what I mean

    1. Callam McMillan

      Re: I dont know what to do

      But when your product scores "1 out of 5 stars" and is called "quite literally the worst router ever made", are you going to proudly advertise that on the box of your product? Then you end up with those advertising they got a good rating - if they can be bothered. As for everyone else, you don't know if they're bad, or have just never been reviewed.

      1. John Brown (no body) Silver badge

        Re: I dont know what to do

        "As for everyone else, you don't know if they're bad, or have just never been reviewed."

        Yeah, something like that could only work if it was mandated by law. Something like the food hygiene star rating system in pubs/restaurants/cafes etc. But then you get the problem of administration, checking that everyone is using the correct rating, paying to be rated, voiding the rating every time you update the firmware and paying again to be retested, having your rating removed when a new vulnerability is discovered and so potentially recalling all retail packs off the shelves....

        Nahhh...won't work without doubling or tripling the price of the "cheap" SOHO routers.

    2. Phil O'Sophical Silver badge

      Re: I dont know what to do

      something of a security star rating

      http://xkcd.com/937/

  13. cantankerous swineherd

    forget rise of the machines and get ready for rise of the light bulbs.

  14. Efros

    Routers of any description

    Probably one of the few IT items where there is a consensus of "they're all pretty crap" just some less so than others. Over the years I've had probably 20 routers through my hands either as personal property or as review items, they have got better over time but to be perfectly honest they are, for the most part, still pretty awful. The ones that I've had better experiences with have been from lesser known manufacturers, Rosewill and Edimax. The big names have always given me significant problems the worst being a My Cloud device from WD, maybe because the big names try to do too much on pretty weak hardware and the lesser known ones do just what the hardware will bear. The only other piece of kit that springs to mind for lack of reliability, time wasted over awful configuration problems would be the old TV Cards.

  15. Fihart

    virgin on the ridiculous

    Our Netgear router supplied by the isp with proprietary firmware some years ago had barely functioning wifi until an update was released weeks later. As far as I know the retail Netgear version either had no problem or it was solved sooner but we could not use that firmware. Situation is similar to mobile phones hobbled with useless telco firmware. Mostly the proprietary stuff adds nothing but branding and disables some features.

    1. Boothy

      Re: virgin on the ridiculous

      I had a Sky branded modem a few years back, that was also a Netgear (white thing, about the size of a hardback book).

      The firmware was customised by Sky, so for example the login was fixed as 'admin' and you can probably guess the password! It also had things like the DNS options hard-coded to only use Sky's DNS servers, so you couldn't select a 3rd party DNS service.

      It also had bugs, for example if UPNP was enabled, the router would run slower and slower, and eventually hung a few days later (I'm guessing a memory leak or similar).

      Turned out that Netgear themselves had resolved the UPNP bug, plus others, some years earlier for that router model. But Sky hadn't bothered to update their image, ever as far as I know!

      I ended up running some tool to extract the ADSL settings, and then flashed a stock firmware. Resolved all the issues I'd had at the time.

      1. Fihart

        Re: virgin on the ridiculous @Boothy

        Yup. Prior to Virgin we had the Sky hobbled white Netgear box. Luckily SkyUser website steered me to UPnP fix. Better still the router could be (unofficially) reflashed to Netgear retail firmware and re-used with other ISPs.

  16. Anonymous Coward
    Anonymous Coward

    If I was looking for a firewall I would buy an AMD AM1 chip + motherboard which idles ~15W and has AES-NI support for crypto and then install pfSense on it due to the great community support, features, jails, timely patches + regular OS updates etc.

    1. Dave Robinson

      I've built an Atom-based Jetway box from mini-itx.com, and stuck Sophos UTM 9 on it. Awesomely powerful full UTM (3 year free license for home use), and uses <10W. Cost just over £200 all-in. No wifi, no modem (just a router), and buggered if I can get IPTV to work, so won't suit everyone.

      1. John Brown (no body) Silver badge

        "Cost just over £200 all-in."

        Considering the very low cost of the crappy SOHO routers under discussion, what sort of enterprise (or just decent) router could one buy for around the £200 mark?

  17. sjiveson

    What I Use

    Mainly due to reliability rather than security reasons I 'split' out my network setup.

    I now have:

    Zyxel Prestige 660R-D1 ADSL modem/router (not vulnerable to the Misfortune Cookie despite Checkpoint claiming that is the case) - £25 from Amazon - all external management access disabled

    Ubiquiti EdgeRouter Lite - main router/firewall, very fast and slick, regular software updates - £80 or so from Amazon - no wireless

    Ubiquiti UniFi UAP-LR - wireless AP - again, very impressive - £70 or so.

    So, that's about £175 already.

    I use TPLink powerline everywhere I can so wireless is just phones and laptop, its a big house so that probably added over another £100.

    Regardless, well worth it. Broadband performance is amazing considering my remote location and distance from the exchange. Haven't had a single complaint from anyone in the large family about performance, reliability or Facebook not working since. That used to be an almost daily occurrence, normally resulting in a reboot. Worth every penny.

    1. Anonymous Coward
      Joke

      Re: What I Use

      If Facebook *is working*, it really means your firewall is not configured properly...

  18. Michael3

    I use a Pepwave Surf SOHO

    For security reasons rather than hardware reasons I use a Pepware Surf SOHO. The software/firmware is corporate grade rather than consumer. Firmware is easy to configure. In the US it sells for roughly $140 with internal antennas and $170 with additional external antennas.

    http://www.peplink.com/products/pepwave-surf-soho/

    http://www.peplink.com/products/pepwave-surf-soho-specs/

    Speeds and feeds are second class (single band wifi, no GB ethernet). Security and reliability are first class. I had one Peplink router run for over a year without rebooting and without the box ever getting warm.

    My favorite feature: it keeps *two* copies of the firmware. You always download new firmware to the unused copy and then you can reboot to the new firmware whenever you please. If the new firmware causes a problem, then simply reboot back to the previous firmware.

  19. paulf
    Flame

    I'll add my £0.02 worth

    I've had two Netgear routers - neither received support for long after purchase.

    My first DG834G received firmware updates for about 12 months after purchase until it was EOLd. The final update managed to bork the Ethernet side of things (Ethernet frames became so corrupted the network just ground to a halt) so I had to regress to the previous version I had. Good job I kept the previous firmware installs! The idea of Auto updates (with no manual intervention/regression) would concern me for this reason alone as an update that breaks existing functionality would be pretty final for many users (and it's not like that ever happens).

    My second was a DGND3700 (top of the range N600 home router). It was EOLd 3 months after purchase (a year after original launch) when v2 was released (v1 and v2 firmwares are incompatible, natch). I took a risk as it had mixed reviews on ADSL performance (some had no problems - some endless problems) but Netgear support provided an Eng build of the firmware to fix the ADSL issues. This was a Beta so never got released on their website.

    That was about 4 years ago and its not been patched since. I thought £120 was a lot for a Consumer router and reasonably expected more than a few months of updates. It now runs my FTTC connection via the Openreach modem.

    I'd say there is a market for routers that are supported with security and bug fixes as my next router won't be a Netgear after that experience.

    1. Down not across

      Re: I'll add my £0.02 worth

      I'd say there is a market for routers that are supported with security and bug fixes as my next router won't be a Netgear after that experience.

      Well you do have DD-WRT and OpenWRT as options for WNDR3700 iirc v3 was the odd one out with Broadcom instead of Atheros chipset (along with v1 the one with less (8MB) flash so might not fit full-feature firmware.

      Some routers (from Buffalo for example) come from factory with DD-WRT.

      Asus is rather well supported by Merlin which gets updated and patched very frequently. Merlin is based on latest GPL'd Asuswrt firmware.

      Also point to make with the recommendation to buy old Cisco kit from eBay, yeah its great but if you want one with throughput to match your VM cable (assuming XL) it won't be cheap, whereas for example the recent Asus seem to push through 800-900+Mbits, obviously dropping fair bit if you use features that turn hw acceleration off. Even if it dropped to say half, you're still not likely (at least in UK) to find many residential connections where it isn't enough.

      If you look at cisco router performance you'll see that you have to go for fairly recent or higher end kit to get 100Mbit/s. The figures are for routing. Once you add services (firewall,QoS,PAT,NAT,etc) the throughput drops sharp. You're also very likely to end up losing CEF and starting to process switch.

      A small PC with some intel gige cards and pfsense/ipfire would make more sense for home/smb.

      Or again consumer router as mentioned above (Asus probably easiest as Merlin is just as easy to load than stock asus update, although DD-WRT has gotten lot better over time) that has decent support outside vendor.

      Dsiclaimer: I run way too much old cisco kit in my home and I really should replace it with something more sensible...

  20. Badger Murphy

    Regulations?

    I know its not always a popular viewpoint, but I think this is a prime example of a situation that is best solved by government regulation.

    The consumers are too ill-informed to make the right choice, and their making the wrong choice has a high societal cost in the form of DDoS and other distributed attack fodder.

    The manufacturers can't be expected to cater to a virtually non-existent user base (I'm talking about us) instead of the whole rest of the market; their cheaper competitors will take those customers.

    However, if they're legally obligated to make a secure product, all manufacturers will be compliant or eventually legislated out of existence. The problem will automatically be solved without the consumers having to automagically get educated. If we all have to pay twice as much, so be it. The cost of doing nothing is higher, just less obvious.

    1. illiad

      Re: Regulations?

      The consumers are too ill-informed?? well the gov is even worse, some oldtimers not really haveing a clue *what* 'internet' **is** beyond a memo sent round!!

      It is not usually them that even 'sees' the email/ webpage - it is their secretary that prints them out for him!!

      yes, there are exceptions, but most are like some of the managers where I work, they think paying a guy to sit around waiting for IT problems to occur is a waste of money.. Until I get a desperate call!! LOL

      1. Anonymous Coward
        Anonymous Coward

        Re: Regulations?

        So IOW the manufacturers are too apathetic, the government too clueless and the consumer too stupid. Leaving no one left to turn to. "We're all gonna die..."

  21. RobTub

    Good Password(s) inadequate?

    The first things I do when putting a consumer router to use is to change the admin password and set up the wifi password. Assuming my password strength is high, would that be enough? Or are hackers able to get in without hacking my passwords? Is there a list of routers where hackers can control without knowing the passwords?

    1. illiad

      Re: Good Password(s) inadequate?

      how to make a LONG, *easily memorable* password!! :)

      http://xkcd.com/936/

      or even make it 'invisible' (switch off the broadcast radio) and restrict by MAC code..

      1. Down not across

        Re: Good Password(s) inadequate?

        or even make it 'invisible' (switch off the broadcast radio) and restrict by MAC code..

        Better than nothing I suppose. However if someone if going to break via the wireless side, they will sniff your traffic and spoof their MAC.

        1. illiad

          Re: Good Password(s) inadequate?

          It all depends how extreme you want.. If the traffic is that sensitive, it will also be encrypted, have a 'black hole' server with multiple routing bounced from many locations...

      2. Charles 9

        Re: Good Password(s) inadequate?

        That's good for making ONE long, easily memorable password.

        Now try making A HUNDRED long, easily-memorable passwords AND be able to recall which is which without mixing them up. Because that's the situation the average user actually faces today: not just being able to remember A password but remembering WHICH password. And because of password-stealing we're expected to use a different password for each site to mitigate this, even for supposed-low-priority targets since they can glean information from these to facilitate identity theft.

        1. illiad

          Re: Good Password(s) inadequate?

          chronically simple!! take your exceedingly long password, then think up a 4 or 5 char word that describes what it is used for... eg mike, john, boss, etc, etc.... just add that to the start!!

          http://xkcd.com/936/

          becomes

          bosscorrecthorsebatterystaple

          mikecorrecthorsebatterystaple

          mystashcorrecthorsebatterystaple

          these would take about 600 years at 1000 guesses a second... :)

          1. Charles 9

            Re: Good Password(s) inadequate?

            Not if they can figure out ONE of the passwords and know the technique, meaning it boils down to a one-word dictionary attack, which IIRC is within feasibility.

            Also, what if you visit a bunch of sites with the same theme OR have a truly abysmal memory...oh, and the computer's shared so you can't use a password manager?

  22. atlatl265

    Just a Note

    The link in "But users also "share some responsibility" does Not seem to be working. When it attempts to connect to www.tripwire.com I get the following:Error Ref# 97.3495fea5.425922698.1770ee99

    I have a COMTREND Corp. AR5381u Router supplied by Fairpoint Communications with good password,NAT IP, SSIDS, MAC and WPA2 security. I don't think the router has anything to do with the Error and Ref#, all other connections are fine. Anybody have a clue to what that Ref# means ? Thanks

  23. Anonymous Coward
    Anonymous Coward

    The best answer available

    Use a regular modem from the ISP.....not one with the built in router

    Docsis 3 alteast for cable and DSL only when cable isn't an option

    Use a server as your router....running pfsense for it's os (giving you all the control)

    setup that server with multiple ethernet ports or wire it into a switch

    wire in a wireless access point only of Wifi is needed.

    avoid Wifi when you can....yes I know phones, tablets, and laptops will generally connect using Wifi but Wifi is being used in general as a kind of crutch and will never be as stable, secure, or as fast as wired. Wire in all smart tv's, game consoles, desktop computers, and anything else that doesn't "walk around". If Wifi is required, make it the ONLY item in the home using 2.4Ghz or 5.8Ghz....that means any cordless house phone should be digital 6.0 or atleast an older 900Mhz. No wireless baby monitors and all security cameras should be wired.....NOT wireless If you live in an apartmet building; expect to have issues with Wifi as you cannot run 20+ wireless networks within the same 100 foot span and not have problems.

    Assign specific IP addresses to all connected devices to better control what is doing what and to prevent problems.

    If your using cable based internet (coax), make sure the modem is NOT connected through too many splitters and uses RG6 coax cable (not RG59)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like