Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sat Oct 12, 2019 7:27 Post subject:
Well, it seems there will be no proof of concept here....
As well, the link you posted cannot open in my environment, there is something dodgy with it..
or just the restricted GGL stuff, who knows.. I don't have time for it now...
I don't know anything about trolling, but I know that you are doing whistle-blowing without providing backup proof...
Sharing a link does not explain in detail what you've found and have good will to share the knowledge with others, either forum members or Devs...
Interesting, you've spent more time defending yourself from a ghost that you created so successfully...
Next time when you decide to spend time typing, plz do expose a DDWRT bug and how to fix it, instead of sharing a link.. it will be more useful if ppl can see the trick in the forum, not on GGL drive..
By the way, I'm willing to learn and share the knowledge (as are many guys here), I'm not afraid to say I'm stupid...
p.s. someone either lock this one or revise it and delete my posts or the ghost ride...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
You clearly didn't read the article to realize that the IoT device they are referring to is a router, not some 'smart' home devices made by amateurs who think cybersecurity is a cool word engineers use.
A router is considered an IoT by some entities. They are not testing 'smart' devices. The IoT they are referring to is only routers specifically.
The problem is that even though you may have good intentions, or maybe even valid points here and there, by stating that IoT is referring only to routers gives me the impression you don't understand what IoT means. Did you read the conclusion to the article?
ironstaff wrote:
1. Major router firmwares are losing hardening coverage as time goes on.
It seems routers experience the same problems men do over time. But seriously, vendors only care about money. We all know this.
ironstaff wrote:
2. Synology's firmware binaries are in better shape than binaries from other vendors examined by the researchers.
Sure if you have a bunch of cheap poorly designed and/or untrusted easily exploitable devices that you absolutely must have on your network and you refuse to physically isolate them, you can rely on Synology to counter some of your configuration mistakes.
ironstaff wrote:
3. DD-wrt, while hardened with non-executable stacks, is still lacking stack guard protection, fortification, and address space layout randomization entirely.
Okay, provide your evidence and case scenario(s) instead of regurgitating keywords from an article you saw online with a new user account on a DD-WRT user forum with an alarmist title.
ironstaff wrote:
There's nothing to doubt. Even you can download the latest build from the beta suppository and test the binaries yourself: Your results will align with what they produced.
You are using a dataset spanning 15 years across multiple vendors, with a focus on two recent years, to show what?
How does this apply to today's build? What are your results?
This is a user self-support community forum (for Atheros hardware no less); take it to PM or email and maybe try not to insult everyone along the way with your condescension.
1. The real question is if YOU read the article. Read it again and focus on the mistake @Alozaros made in his first post in response to my first post. He thought they were talking about smart home IoT devices' negative effects on router security (He completely missed what the article was about since he was too aloof to read it). You seem confused too.
2. I agree with you.
3. Synology OS may be well-designed from a hardening perspective but I still don’t trust vendor firmware due to backdoors and telemetry shuttling/phoning home. I’d rather DD-WRT have those hardening features.
Quote:
Sure if you have a bunch of cheap poorly designed and/or untrusted easily exploitable devices that you absolutely must have on your network and you refuse to physically isolate them, you can rely on Synology to counter some of your configuration mistakes.
I also think you’re confused on Synology’s win or the point of the article here. It is ahead in terms of binary hardening, i.e. ASLR, stack guards, RELRO, non-exec stacks. These are all to mitigate buffer overflow attacks on the router’s firmware (not to do what you stated). Please re-read the article.
4. Evidence is in the link I provided and the dataset. Are you confused? If you are, contact Cyber ITL for more info. They will respond to you.
5. Re-read the article and see what year dd-wrt was analyzed (2018), then I’m sure you’ll understand where my focus is and that you’re a bit confused here. If those features have been added to dd-wrt by now, show me. Mildly alluding to the fact that today’s build wasn’t analyzed is not proof that dd-wrt binary suddenly gained complete hardening by now.
6. I’ll leave it to you to decide who initiated the condescending statements and insults. Hint: Look at initial responses after my first post. Try not to be so biased.
Last edited by ironstaff on Sat Oct 12, 2019 12:59; edited 2 times in total
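The hardening properties argued about in this thread (non-executable stack, RELRO, position-independent code for ASLR, stack guard, fortification) can be read from an ELF binary directly. The following is an added example, not code from any poster or from the article's authors; `check_hardening` and `constructed_sample` are hypothetical names, the sample image is constructed, and the stack-guard and fortify checks are string heuristics over the symbol names.

```python
import re
import struct

PT_GNU_STACK, PT_GNU_RELRO, PF_X, ET_DYN = 0x6474E551, 0x6474E552, 0x1, 3

def check_hardening(data: bytes) -> dict:
    """Report hardening properties of an ELF image (32/64-bit, either endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2               # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(e + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(e + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
    nx, relro = False, False          # a missing PT_GNU_STACK is treated as "not NX"
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(e + "I", data, off)[0]
        # p_flags is at offset 4 in an ELF64 program header, offset 24 in ELF32
        p_flags = struct.unpack_from(e + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True              # partial or full; full also needs BIND_NOW
    return {
        "nx_stack": nx,
        "relro": relro,
        "pie": e_type == ET_DYN,      # also true for shared libraries
        "stack_guard": b"__stack_chk_fail\x00" in data,
        "fortify": re.search(rb"__[a-z]+_chk\x00", data) is not None,
    }

def constructed_sample() -> bytes:
    """Constructed big-endian ELF32 image: ET_EXEC with one RW PT_GNU_STACK header."""
    ehdr = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(">IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, 6, 16)
    return ehdr + phdr

if __name__ == "__main__":
    for name, present in check_hardening(constructed_sample()).items():
        print(f"{name:12} {'yes' if present else 'NO'}")
```

Run over the binaries unpacked from a firmware image, this gives a per-file result that can be posted and repeated by others; ASLR at runtime additionally depends on the kernel's randomization setting.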
Posted: Sat Oct 12, 2019 13:48 Post subject:
ironstaff m8 you keep shouting out loud... and still not a single line of valuable information.... you just came out of the blue, posting a link to an article where there are some statistics/results, tested in god knows what kind of environment... (very unclear)!!
Did they mention something specific, any example tests.... proof??? Nope (very unclear)!?
Any specific code/binaries found with bugs...(yep i know they are many, especially buffer stack overflow based)... Most of the binaries are in constant development/patching.. and you tend not to use EOL stuff...Any patches you have in your stash bag???
Since 2018 there are so many updates around...
as the other forum members pointed out SVN line...
you can have a deep look there and if you find something suspicious and can contribute to the Development, plz do so, we are avidly waiting to improve security everyday : P ...
and yep i got confused about IoT , cause you are the first person in my entire life, that called routers IoT... this is a fact...!!!! (dot dot dot)
p.s. off topic: recently there was an opkg update/upgrade ... nice to see the new stuff there...
Anybody who finds security issues with DD-WRT and wants to be CREDIBLE in their findings needs to post the security issue and provide a FULL configuration/setup causing the security issue and make it repeatable for others to test.
Posting articles after articles is pointless and meaningless. _________________ Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
Flawed reasoning. Article has proof. Just because you choose to ignore it doesn’t mean it wasn’t carried out with results to show for it in a downloadable data-set.
Anyway, I’ve already emailed the dev and also let him know which compiler flags to change based on his tool chain to fix this. Up to him now since it’s his project. End of story.
Posted: Sun Oct 13, 2019 9:38 Post subject:
ironstaff wrote:
Anyway, I’ve already emailed the dev and also let him know which compiler flags to change based on his tool chain to fix this. Up to him now since it’s his project. End of story.
Thanks in advance!!