Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: Can Commercial Hardware Routers Be Trusted?

timothy posted about 9 months ago | from the rot13-is-the-only-way dept.

Encryption 213

First time accepted submitter monkaru writes "Given reports that various vendors and encryption algorithms have been compromised. Is it still possible to trust any commercial hardware routers or is 'roll your own' the only reasonable path going forward?" What do you do nowadays, if anything, to maintain your online privacy upstream of your own computer?

cancel ×

213 comments

Sorry! There are no comments related to the filter you selected.

No. (5, Interesting)

deconfliction (3458895) | about 9 months ago | (#45756773)

'nuff said.

Re:No. (5, Interesting)

deconfliction (3458895) | about 9 months ago | (#45756805)

actually the obvious answer is that trust is not a binary thing. Evaluate your threat models. If you want to be safe from the NSA, and you are protecting information they want to know, then yes, I would say that eschewing any technology from corporations that are easily coerced by the NSA would be a good idea. Of course, that is practically impossible. But you do what you can. And wanting a device with all source available, in a form that is easy to (perhaps modify and) compile to a verifiable equivalent of the stock firmware and operating system would be the first obvious step.

Re:No. (5, Insightful)

sabri (584428) | about 9 months ago | (#45756841)

actually the obvious answer is that trust is not a binary thing.

Actually, the obvious answer is that you don't have a choice. No matter how much effort you put into it, you will always be depending on third party hard- or software that simply have to trust. So, you want to solder your own PCB? Sure, go ahead, but your Ralink SoC is still manufactured somewhere in China. Don't trust Cisco's IOS? Sure, write your own, and let me know how you designed and manufactured your own ASICs. And then we're not even discussing the fact that as soon as the packet leaves your router, it will enter one that you don't even own. Yes, there is a lot that you can do and I think the closest real answer to the poster's question is to just get an OpenWRT capable router and compile from scratch, but to not trust anyone is simply not an option.

Not trusting vendors = you give up a lot (3, Interesting)

davidwr (791652) | about 9 months ago | (#45756937)

One solution is to simply not communicate outside of a domain you trust. Go offline. I the extreme, use pen and paper to store information you don't want others to see, and if you need to share that information with others, memorize it and tell it to them in person. As a compromise, use a trusted courier. But even that requires trusting someone.

Basically, adopt the same "off the communications grid" techniques that Osama bin Laden was thought to use.

As I said, you give up a lot, and for 99+% of us, that's not going to be the best option out there. But for a few, it is.

Re:Not trusting vendors = you give up a lot (1)

Anonymous Coward | about 9 months ago | (#45757469)

I think the answer is "no" which is why McAfee wants to build something to try to remedy that with Tor built in. The problem (as others have noted) is that unless you are building everything from the ground up at some point you have to trust someone else.

Re:Not trusting vendors = you give up a lot (0)

Anonymous Coward | about 9 months ago | (#45757609)

Basically, adopt the same "off the communications grid" techniques that Osama bin Laden was thought to use.

And how did that work out for him? Oh yes, he's fish food.

Re:Not trusting vendors = you give up a lot (3, Funny)

Anonymous Coward | about 9 months ago | (#45757965)

He died non-violently in December 2001 of kidney failure.

Re:No. (3, Interesting)

deconfliction (3458895) | about 9 months ago | (#45757009)

es, there is a lot that you can do and I think the closest real answer to the poster's question is to just get an OpenWRT capable router and compile from scratch, but to not trust anyone is simply not an option.

I agree with you, though would optimistically add to your thoughts- "to not trust anyone is simply not an option... yet". Maybe there will come a day when a truly open source and hardware replicator will become possible. Before dismissing me completely, I imagine there would be some years where it looks like an Apple-II 3d printing another Apple-II, but it's seeming more and more possible. And then it's a bootstrapping issue from there to catch back up to modern specs. But I'd have a lot of fun with an Apple-II that I had a lot more trust in of not being infiltrated by the NSA (regardless of whether the original already was)

Re:No. (0)

Anonymous Coward | about 9 months ago | (#45757555)

With upcoming 14nm transistors, it may be a while before we can use 3d-printers to create opensource CPUs

Amish (2)

smitty_one_each (243267) | about 9 months ago | (#45757213)

Actually, the obvious answer is that you don't have a choice.

There is always subsistence farming.

Re:No. (4, Interesting)

tibman (623933) | about 9 months ago | (#45757897)

You could always just build a cpu from scratch? http://www.homebrewcpu.com/ [homebrewcpu.com]

Re:No. (4, Informative)

D-Fly (7665) | about 9 months ago | (#45756901)

Public key cryptography using open source tools that have been tested and retested by lots of other coders still works pretty well. The RSA backdoor you are referring to is certainly discouraging news. But on the other hand, the fact that RSA had backdoored itself was sort of understood by the community at large as far back as 2006, shortly after they issued the compromised tool. This week's news is merely confirmation. That's why PGP and its ilk, open source and made by activists, might be a better option than commercial tools by companies with a strict profit motive.

If you are really concerned about security, you might very well want to roll your own machine, and certainly should run a fresh, clean linux install off a CD every time you start up, to reduce the chances your machine is compromised.

Re:No. (4, Interesting)

couchslug (175151) | about 9 months ago | (#45757025)

"certainly should run a fresh, clean linux install off a CD every time you start up, to reduce the chances your machine is compromised."

You can also boot an .iso image from a USB or other flash as well as CD and load it entirely to RAM with no persistent home.

Knoppix (nicely polished distro) has had the "toram" option for many years as do other distros it inspired.

http://en.wikibooks.org/wiki/Knowing_Knoppix/Advanced_startup_options#Transferring_to_RAM [wikibooks.org]

Re:No. (3, Insightful)

toejam13 (958243) | about 9 months ago | (#45757039)

If you are really concerned about security, you might very well want to roll your own machine, and certainly should run a fresh, clean linux install off a CD every time you start up, to reduce the chances your machine is compromised.

The next question is, what motherboard and network card firmwares can you trust? Running trusted code at the OS level and higher does reduce your risks, but until you can audit the code running your hardware, there is still a threat.

Obviously, one can ask if most companies are a big enough fish to worry about this. Firmware hacks are fairly sophisticated, which makes me believe that they'd mostly be used to spearfish data from specific companies. So unless there is hidden backdoor in every network card manufactured by Popular Company X, should we be worried?

Re:No. (5, Informative)

Anonymous Coward | about 9 months ago | (#45757097)

Firmware attacks can be sophisticated indeed: http://spritesmods.com/?art=hddhack&page=1 [spritesmods.com]

Re:No. (1)

Anonymous Coward | about 9 months ago | (#45757279)

Warning: Awesome Link!
Lost many minutes after clicking!

Re:No. (5, Informative)

Jane Q. Public (1010737) | about 9 months ago | (#45757047)

" But on the other hand, the fact that RSA had backdoored itself was sort of understood by the community at large as far back as 2006, shortly after they issued the compromised tool."

"Backdoored itself" is a singularly apt way to put it. But apparently they were engaged in trying to "backdoor" other people, too, which is not a victimless crime.

Personally, after their "SecureID" debacle and now this, I'm not inclined to "trust" RSA at all. Fool me once, and all that.

And the same can be said about DropBox. They promised end-to-end encryption, but instead they were "de-duping" files to save storage, which means that entirely contrary to what they told their customers, they actually had direct access to your raw files. Sure, they fixed that (so they say), and said "Sorry, we won't do it again." But how much can you trust them, considering that they blatantly lied to you before?

Re:No. (1)

icebike (68054) | about 9 months ago | (#45757773)

And the same can be said about DropBox. They promised end-to-end encryption, but instead they were "de-duping" files to save storage, which means that entirely contrary to what they told their customers, they actually had direct access to your raw files. Sure, they fixed that (so they say), and said "Sorry, we won't do it again." But how much can you trust them, considering that they blatantly lied to you before?

Deduping should never actually work if the files were store with unique encryption keys. On personal stuff, multiple files that are bit-for-bit identical (such as THIS GUY's Experiment [fosketts.net] you can see where it might be possible, but perfectly innocent. After all he sent the exact same file with just a different name.

But de-duping encrypted files seems unlikely to have much of a payout.

Alternatives to being spied on? (4, Interesting)

unixisc (2429386) | about 9 months ago | (#45757515)

If you wish to skirt the NSA, get your router from Huawei, and let the Chinese spy on you instead. If you don't want the Chinese to spy, get something from the usual NSA contributors. Or see if there's anything made in Russia or any country that's totally independent of the US.

How easy is it to get a standard router from Cisco or Juniper, and replace IOS or JunOS w/ something like pFsense, m0n0wall or OpenWRT?

While at it, switch to IPv6, and within a group of people, share a /64 subnet so that even if the NSA spies, they'll find it impossible to source the original source/destination, particularly if dynamic IPs are used.

Re:No. (4, Insightful)

erroneus (253617) | about 9 months ago | (#45756855)

I was going to say that.

RSA compromised with money. Cisco compromised already documented. Juniper? I don't know but I wouldn't doubt it.

NSA, you've turned the world against the US and all its businesses. Happy yet?

Re:No. (0)

Anonymous Coward | about 9 months ago | (#45756923)

The NSA is executing policy of the current and past administrations. You know who to blame, you're just afraid to point the finger at the President who is directly responsible.

You mean... (0)

Anonymous Coward | about 9 months ago | (#45756969)

Bush? Clinton? Bush? Reagan? Carter? Ford? Nixon?

Maybe Lincoln or Hoover?

Hell if you really want to blame anyone, how about George Washington and his leading of thousands of men strong against a few hundred rioting moonshiners out West (Who by the way had already dispersed before they ever got there)?

There's a lot of blame to go around, so stop trying to pin it on a specific president just because you don't like his policies.

If you really want to place blame, place it on we the people for not holding our elected officials responsible before, or even, now.

Re:No. (4, Insightful)

erroneus (253617) | about 9 months ago | (#45757445)

It has been demonstrated that the intelligence agencies (plural) in the US government is the tail that wags the dog. This is historically true and more than likely true today as well. When you've got the dirt on many people, how tempting would it be to leverage that into getting your way? It's a temptation many could not avoid exploiting.

Re:No. (1)

mellon (7048) | about 9 months ago | (#45757017)

To expand, your router is plugged into the Internet. Your packets traverse many unfriendly wires. They might even trombone through Belarus. So if you want real privacy, find a Tor router you know you can trust. Good luck!

Re:No. (1)

msauve (701917) | about 9 months ago | (#45757245)

It doesn't matter. Either there's an airgap, where nothing can get out regardless, so it doesn't matter, or their's a hop along the path you don't control so the security of your device doesn't matter.

What airgap? (2)

Skewray (896393) | about 9 months ago | (#45757291)

It doesn't matter. Either there's an airgap, where nothing can get out regardless, so it doesn't matter, or their's a hop along the path you don't control so the security of your device doesn't matter.

If you have an Intel processor, then there is already a radio backdoor built in. See http://www.intel.com/content/www/us/en/enterprise-security/what-is-vpro-technology-video.html [intel.com]

Re:What airgap? (0)

Anonymous Coward | about 9 months ago | (#45757879)

Radio? Where do you get that?

And it's the VPro processors only, at the moment.

Re:No. (2)

hackus (159037) | about 9 months ago | (#45758009)

and our enemies don't trust them either:

http://arstechnica.com/business/2013/11/cisco-attributes-part-of-lowered-earnings-to-chinas-anger-towards-nsa/ [arstechnica.com]

Do yourself a favor and get yourself a PC white box and start routing with a LINUX source code stack.

At least then you can pick the hardware you want to trust and you can have a choice as to how far you want your security to go into the software stack audit.

But all of this is pointless.

As I pointed out before, it is IMPOSSIBLE to build a secure system anywhere NATO or its allies are operating.

Any claim of data protection by any company in this domain is FALSE.

We now know if you refuse to turn over any encryption information or fail to give your customers or your private data to the NSA you will get butt f*cked in prison.

So it is pointless to even consider TRYING to build a secure system, it cannot be done as a goal or even as a business benefit towards your customers.

My personal opinion as I have watched my friends and other companies literally go to jail or go under due to NSA activities is this: It has nothing to do with security, it has everything to do with funding NSA mischief.

That means industrial and financial espionage operations to insure information is known ahead of the game in the financial markets.

So the entire issue is that we are dealing with just common criminals and thungs.

The NSA is not even particularly smart, but they ar elike a large gang of wolves cornering the beast we call freedom and liberty and they are going to take it down.

-Hack

X-Files (0)

Anonymous Coward | about 9 months ago | (#45756787)

Trust No One!

Re:X-Files (3, Insightful)

davidwr (791652) | about 9 months ago | (#45756947)

Trust No One!

And I should believe you why?

Re:X-Files (1)

Anonymous Coward | about 9 months ago | (#45757079)

Trust No One!

And I should believe you why?

Because the truth is out there.

Re: X-Files (1)

jd2112 (1535857) | about 9 months ago | (#45757443)

You want the truth? You can't handle the truth!

Still have to rely on the NICs (4, Insightful)

ModernGeek (601932) | about 9 months ago | (#45756795)

You still have to rely on the trustworthiness of the NICs. Anything contacted to the Internet can not be trusted.

Re:Still have to rely on the NICs (1)

the_B0fh (208483) | about 9 months ago | (#45757287)

Like that Intel NIC that was reliably going offline when receiving a "corrupted" packet?

Re:Still have to rely on the NICs (1)

ewieling (90662) | about 9 months ago | (#45757357)

I still have nightmares from that. We call it Intel NIC Debacle of 2013 (or sometimes just The Dark Times). Lost business and had many very angry customers because of that NIC. Kristian Kielhofner should be named some sort of geek Saint or something for finding the root of the problem.

Re:Still have to rely on the NICs (2, Funny)

Anonymous Coward | about 9 months ago | (#45757521)

[Posting Anon to preserve mods already made...]

I still have nightmares from that. We call it Intel NIC Debacle of 2013 (or sometimes just The Dark Times). Lost business and had many very angry customers because of that NIC. Kristian Kielhofner should be named some sort of geek Saint or something for finding the root of the problem.

Jesus Ad Hominem Christ! You got this close and didn't even think about naming him Saint NIC?!?

Prepare to be visited by the Ghost of Slashdot Past....

For VPNs, or for routing? (5, Informative)

dgatwood (11270) | about 9 months ago | (#45756811)

The answer depends on what you mean. As far as I'm concerned, a hardware router can probably be trusted to be a basic firewall/router. It's pretty unlikely that anyone will come up with a useful attack on a device that's just doing port blocking, NAT, and basic routing. At worst, somebody might DOS it or turn it into a well-connected zombie to aid in DDOSing somebody's server, but neither of those is compromising your data.

Now if you're passing unencrypted data across that router, you might have a problem, but then again, passing unencrypted data across any router outside your own intranet is a bad idea, so nothing new there. And if you're expecting the commercial router to provide a VPN, then the answer to whether it is trustworthy becomes "no", because its crypto implementation cannot readily be audited and verified to be trustworthy.

Re:For VPNs, or for routing? (1)

LWATCDR (28044) | about 9 months ago | (#45756997)

That pretty much sums it all up. Frankly unless you are some high profile location I would not worry much about a government based backdoor in your router. If they want your data bad enough they will find a way. You are going to do Tempest? Are you hardened for social attacks? What about all your PCs?
If you are worried, something like OpenBSD or Linux as a router should work. I am pretty sure if they are interested enough they will get the data one way or another.

Re:For VPNs, or for routing? (4, Insightful)

FlyHelicopters (1540845) | about 9 months ago | (#45757209)

I am pretty sure if they are interested enough they will get the data one way or another.

This...

Or has no one ever heard of rubber-hose cryptography?

If all else fails, they can break in at night and steal the information locally, or simply put a gun to your head.

When it comes to computer nerds, that last option probably has a 99.99% success rate.

Re:For VPNs, or for routing? (0)

Anonymous Coward | about 9 months ago | (#45757803)

Funny thing is, I quit trusting commercial routers with VPNs years and years ago because the only thing I could trust is that they'd sell me 5 vpn licenses for $500 and if I want 10, well, we have this fabulous line of VPN concentrators for only $50,000 plus per-vpn license fees.

Re:For VPNs, or for routing? (3, Insightful)

RR (64484) | about 9 months ago | (#45757889)

As far as I'm concerned, a hardware router...

There is no such thing. A device that moves data from one location to another, using some policies to examine and transform it, is not just a "hardware" device. It's also software. And if it interfaces with software, then it can be compromised. Or haven't you noticed the news about D-Link routers? [slashdot.org] A lot of these routers have 2MB or less of flash, which makes it difficult to find a useful exploit, but "difficult" doesn't mean "impossible."

It's pretty unlikely that anyone will come up with a useful attack on a device that's just doing port blocking, NAT, and basic routing. At worst, somebody might DOS it or turn it into a well-connected zombie to aid in DDOSing somebody's server, but neither of those is compromising your data.

With just a little paranoia, I can imagine someone finding a way to get those routers to copy your traffic, or at least the headers, to some hostile entity. It doesn't take full knowledge of your traffic to destroy your privacy. [arstechnica.com]

A router is a type of computer. It's subject to all the same concerns about trustworthiness as any debate about proprietary and free software.

First!? (-1)

Anonymous Coward | about 9 months ago | (#45756813)

First!?

How are you going to roll your own? (2, Interesting)

kasperd (592156) | about 9 months ago | (#45756819)

If you replace a hardware router with a PC, you have to trust
  • CPU
  • Motherboard
  • BIOS
  • Storage device
  • Storage controller
  • Network interface
  • Operating system

If any of the above is compromised, you are no better off than with a hardware based router.

If you by hardware router mean a device that truly forwards packets in hardware without involving any sort of CPU, then your best guarantee is the economical one. It is cheaper for the vendor to manufacture hardware without snooping capabilities than with.

Re:How are you going to roll your own? (1)

dcollins117 (1267462) | about 9 months ago | (#45756845)

I was going to suggest OpenBSd plus pfsense, but you kind of took the wind out of my sails.

Re:How are you going to roll your own? (0, Offtopic)

wonkey_monkey (2592601) | about 9 months ago | (#45756971)

Some guys just made a car out of Lego.

Re:How are you going to roll your own? (1)

AHuxley (892839) | about 9 months ago | (#45757331)

Be your generations http://www.gnewsense.org/Projects/Lemote [gnewsense.org] you don't have to 'trust' just understand and test.
Take your cash, skills and efforts away from the tame junk "compromised" brands and build with more interesting products, projects.

And they ARE compromised. (5, Interesting)

Ungrounded Lightning (62228) | about 9 months ago | (#45757407)

Modern laptops and desktops come with remote administration tools built into the chips on the board. (The vendors tout this as a feature, simplifying administration of a large company's workstations. It's easier and cheaper to build it into everything than to be selective, so it's in the machines sold to individuals, too.)

One example: Intel Active Management Technology (AMT) [wikipedia.org] and its standard Intelligent Platform Management Interface (IPMI) [wikipedia.org] , the latter standardized in 1998 and supported by "over 200 hardware vendors". This is built into the northbridge (or, in early models, the Ethernet) chip).

Just TRY to get a "modern laptop" (or desktop), using an Intel chipset, without this feature. (I suspect the old Thinkpad is how far back they had to go to avoid it.)

You can't disable it: Dumping the credentials or reverting to factory settings just makes it think it hasn't been configured yet and accept the first connection (ethernet or WiFi, whether powered up or down) claiming to be the new owner's sysadmins.

If the NSA doesn't know how to use this to spy on, or take over, a target computer, they aren't doing their jobs.

Some of the things this can do (from the Wikipedia articles - see them for the footnotes):

Hardware-based AMT features include:

                Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.
                Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
                Remote power up / power down / power cycle through encrypted WOL.
                Remote boot, via integrated device electronics redirect (IDE-R).
                Console redirection, via serial over LAN (SOL).
                Keyboard, video, mouse (KVM) over network.
                Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.
                Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.
                Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; you can specify that the event generate an alert.
                OOB alerting.
                Persistent event log, stored in protected memory (not on the hard drive).
                Access (preboot) the PC's universal unique identifier (UUID).
                Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
                Access (preboot) to third-party data store (TPDS), a protected memory area that software vendors can use, in which to version information, .DAT files, and other information.
                Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.
                Protected Audio/Video Pathway for playback protection of DRM-protected media.

Additional AMT features in laptop PCs

Laptops with AMT also include wireless technologies:

                Support for IEEE 802.11 a/g/n wireless protocols
                Cisco-compatible extensions for Voice over WLAN

This just happens to be one I'm familiar with. I don't know whether (or which) other chip makers (such as AMD) have similar "features" built in as well (though I'd be surprised if they didn't, since they want to sell into big companies, too).

Re:How are you going to roll your own? (1)

RabidReindeer (2625839) | about 9 months ago | (#45757473)

If you replace a hardware router with a PC, you have to trust

  • CPU
  • Motherboard
  • BIOS
  • Storage device
  • Storage controller
  • Network interface
  • Operating system

If any of the above is compromised, you are no better off than with a hardware based router.

If you by hardware router mean a device that truly forwards packets in hardware without involving any sort of CPU, then your best guarantee is the economical one. It is cheaper for the vendor to manufacture hardware without snooping capabilities than with.

The flip side of that is that if you are a powerful agency - one powerful enough to control what's going on in overseas fabrication plants and suppress any signals coming out of them, you have to be able to set up a scheme that's subtle enough to go undetected without it either being subverted by or corrupting the:

  • CPU
  • Motherboard
  • BIOS
  • Storage device
  • Storage controller
  • Network interface
  • Operating system

Because Chthulhu knows, it's hard enough to get that stack operating reliably even without a secret agenda. If just one component in there doesn't operate precisely like its Secret Masters expect it to - whether due to local customization or even simple software upgrades, it's likely to explode very messily.

It can be a good thing too (0, Troll)

jones_supa (887896) | about 9 months ago | (#45756821)

Commercial. You keep using that word. Remember that "commercial" can sometimes also be a guarantee that you do not get fucked: screw with your customers and that kind of company will soon be out of business.

Re:It can be a good thing too (4, Insightful)

SB9876 (723368) | about 9 months ago | (#45756873)

Like RSA or Microsoft?

Re:It can be a good thing too (1)

wvmarle (1070040) | about 9 months ago | (#45757725)

When it comes to trustworthy, it seems nowadays made-in-China is the way to go. At least no NSA involvement there.

Re:It can be a good thing too (5, Interesting)

PopeRatzo (965947) | about 9 months ago | (#45756895)

Remember that "commercial" can sometimes also be a guarantee that you do not get fucked: screw with your customers and that kind of company will soon be out of business.

See, that's the theory, but it can not work in practice the way things are today..

Today, you will notice that an increasing number of business models reject the notion of "I'm the seller and you're the buyer". Most of the corporations with whom you do business don't really see you as the customer any more. For example. If you use Google, are you the customer or are the advertisers? If your data is compromised, that doesn't change anything about the relationship between the seller and the buyer. Same goes for banks, and for Microsoft, Apple, and most of the big tech corporations. While they may sell products to you, they have significant income streams that are deals with the government. In the next six years, Apple computers could have almost a trillion dollars in cash-on-hand. Are they a tech company or a bank? The money they make from their intellectual property doesn't come from you. The money they make from their "strategic partnerships" doesn't come from you.

You're going to buy their products regardless, so it's a lot more important to Apple that they have a good relationship with the government than with you. Because their beneficial sweetheart tax deals could bring in as much as the profit from selling consumer electronics.

Same goes for the telecommunications industry. When you've got telecoms involved in creating content, you're no longer the customer. You're not the consumer, you are the consumable.

This new relationship circumvents every aspect of the notion of "free market", at least any "free market" that involves you. And make no mistake: this new relationship where there is a third party that inserts itself between you and the company from whom you purchase an item is the model of the future. Video gaming, food, intellectual property (of course), transportation, right on down the line. You are being cut out of the equation. There is more profit in making the government happy than there is in making you happy.

Re:It can be a good thing too (5, Interesting)

PopeRatzo (965947) | about 9 months ago | (#45756911)

Bottom line is this: there is no longer a division between the corporate world and government. They are one in the same. They rely on each other and have no reason to take you into consideration.

This makes dealing with the problem as citizens ten times harder. Because if you attack one of the heads of this snake, the head at the other end comes around to bite you. And the current setup is sweet for both corporations and government so they've got no reason to want to change it.

true, except failed arithmetic re taxes (1)

raymorris (2726007) | about 9 months ago | (#45757013)

True, for some business models the user is the product. The advertiser is the paying customer. Broadcast TV and radio are examples.

You forgot how to multiply when you made this statement, though:
> Because their beneficial sweetheart tax deals could bring in
> as much as the profit from selling consumer electronics.

Assume a 100% tax break, the company pays 0% taxes.
That's zero percent of their profit. Profit = sales - expenses.
If they have no sales, they make no money, and paying 0% tax doesn't help them. Sales is always more important.

Let's compare two sales figures, both with a 10% tax reduction. If the company does $10 million in sales, that 10% tax cut is worth $1 million. If the company does $100 in sales, a 10% tax reduction is worth $10 million. So we see that to maximize the value of tax breaks, a company needs to have more happy customers, generating more profit subject to the tax break.

Re:It can be a good thing too (2)

Miletos (1289588) | about 9 months ago | (#45756903)

NSA: Plz backdoor because terrorists. K thx bai.
Company: No! We can't lull our customers into a false sense of security. It's unethical and the stockholders will destroy us if they find out.
NSA: But, but...$10 million contract [slashdot.org] ?
Company: ...I'll call you back monday.

How about open-source firmware? (2, Interesting)

Anonymous Coward | about 9 months ago | (#45756825)

I'm definitely in the "no" camp on this one, but how about after-market, open-source firmware? I run DD-WRT on my good ol' WRT54G, which I trust a heck of a lot more than the OEM code. How far does replacing the stock firmware go towards securing my home network?

Re:How about open-source firmware? (1)

RabidReindeer (2625839) | about 9 months ago | (#45757495)

I'm definitely in the "no" camp on this one, but how about after-market, open-source firmware? I run DD-WRT on my good ol' WRT54G, which I trust a heck of a lot more than the OEM code. How far does replacing the stock firmware go towards securing my home network?

It goes as far as you can trust your replacement code.

It won't protect you from hardware-based exploits except to the degree that you use the hardware in unexploitable ways. It won't protect you from fifth-column code in your OS if you use that code without inspecting it. But at least you should have a reasonably degree of trust in your own code.

And yes, I know the theory behind malware-injecting compilers, linkers and debuggers. But as long as you're not operating in a monocultural environment, there are simply too many ways that fifth-column software tools can fail, and fail in ways that make it obvious that there's something seriously wrong.

The Wrong Question (4, Insightful)

agwadude (666995) | about 9 months ago | (#45756829)

You shouldn't have to trust your upstream routers. Instead you should assume they're compromised and use end-to-end encryption. HTTPS and SSH, for example, specifically protect against active attackers such as malicious routers.

Re:The Wrong Question (2)

storkus (179708) | about 9 months ago | (#45757157)

This! Mod parent way up! The question isn't whether your [insert endpoint here] is safe, but if the intermediate points are. Even if your own router is safe, what about the one upstream? I've assumed for a long time (way before Snowden) that all electronic communications are monitored, and when you realize that, and the insane difficulty of getting around that monitoring, you kind of give up. You have to decide what is important enough to secure from a worthy (non script-kiddie) adversary and versus letting them see what kind of pr0n you like. IMHO this has been the reality for years (probably before 9/11 thanks to CALEA and friends), but it took Snowden to wake most people up to the fact.

Now securing your own machine, that's whole other level: again, how secure to do need it to be? I'm *HOPING* that keeping the browser cache clean/disabled, using Linux and FF and shutting down the browser when accessing bank account info and such is enough to keep the CC guys from getting my info; OTOH, if you're doing something that the intelligence agencies (regardless of country) is interested in, your only real hope is to use the the 100% open software/firmware like the FSF advocated, and (of course) even then there's no guarantee the hardware doesn't have a compromise or some CIA/FBI/whatever spy doesn't physically attack your machine when you're not looking (which is normal if you're actually under investigation).

As others have pointed out, its you versus agencies with BILLIONS of US$ (or equivalent) funding: you can resist, but if they really want you, you have no chance of winning: think the end of Half Life when Freeman refuses--that's what you face, proverbially.

tl;dr YOU ARE SCREWED, and your barely computer-literate family and friends have probably already been pwned and not even know it.

Re:The Wrong Question (1)

FlyHelicopters (1540845) | about 9 months ago | (#45757247)

OTOH, if you're doing something that the intelligence agencies (regardless of country) is interested in, your only real hope is to use the the 100% open software/firmware like the FSF advocated

The question is, are you trying to stay off the radar, or trying to avoid having the NSA hack your computer once you're on the radar?

If the former, the challenge is that they can miss and miss and miss, and only have to hit once. You have to hit every time. The odds of that over any period of time are nearly zero. A single mistake and all your efforts are for nothing.

If the latter, no amount of electronic protection is going to do you any good. If they really can't hack their way in, they'll just wait until you leave for lunch and physically break in and copy your hard drives.

And if that fails and you're really on their radar, they'll just use rubber-hose cryptography. Very, very few computer people would stand up very long to a real honest-to-god gun put against their head.

And if that really does fail, there is always your family.

I might resist (at first) if they just threaten me, but I have 3 kids, put a gun to their heads and I'll do whatever I'm told. 99.9% of everyone will.

Re:The Wrong Question (1)

VortexCortex (1117377) | about 9 months ago | (#45757167)

You shouldn't have to trust your upstream routers

No, instead you should be able to verify all of your hardware and software are valid. One way to do this is demand the VHDL and compiled chipset designs for all your hardware. This way one can benchmark things such as power draw or timing characteristics in reality and simulation, allowing some degree of verification that pattern matching code isn't running across your bits.

Unfortunately people are confused by the infinitely reproducible nature of information. This is the first generation of the online Information Age wherein information is infinitely reproducible, not scarce, i.e., we now live in a post information-scarcity world, but the laws and economic concepts are still having growing pains. E.g: If something is in infinite supply, what price does it have? ECON101 says Zero. What's scarce is the ability to create new configurations of bits and make new discoveries, not the ideas or information itself. Instead of agreeing to pay scientists, inventors, and creators well up front for their efforts of creation, their efforts are devalued because corporations would rather cherry pick and pay only that which becomes popular; It takes the same work to create either way. The fallacy is that the mechanic should charge you each time you benefit from his efforts later -- They don't. They do work once and get paid for it once; It's a sane business model since there's an unbounded times one can benefit from the labor to fix the car down the road.

This simple bid, agree on price, do work once, get paid once, and work more to make more money concept is accepted everywhere but the illogical and economically untenable market of research, ideas, and information... So, your in ability to apply basic economic principals to technology is to blame for your current inability to trust your hardware. It's quite poetic, eh? That deception as to the fundamental process of creation breeds a world full of distrust.

Here's an idea for you: Consider that if you connect via HTTPS to, say, Anywhere.com, it could have been compromised and serves you an exploit or backdoor instructions for your router, browser, OS combination.

What good will encryption do you, Mr. Anderson, if you can't trust your system security?

Pick a subset of the system to test for integrity. Now, replace all non consequential input and make it white noise or a no-op on the processing thereof. For a browser you'll process connections and scripts and rendering of HTML but images, text, video, audio, etc. remain unprocessed. If your 'input sanitized' virtualized system state does not match the non 'input sanitized' system state then there is an exploit (information has breeched its containment boundary). If the system states are the same however on the sanitized or not systems then the input is safe to feed to your hardware implementation, so long as the virtual hardware systems are accurate representations of reality, and all their other subsets check out.

The reason why The Unix Way of doing one thing and doing it well is the right way is because one can verify security thus. The complexity of the system sky rockets if scripts can trigger on image data contents, etc. Indeed you wind up with unintended consequences such as cache cookies being able to track you by serving you a unique image, etc. This is also why modern design of information systems is such a train wreck: Your race still treats breeches as features instead of vulnerabilities. The information leaks across your porous "boundaries" like through sieves, and you entertain the ridiculous notion such can be secured. I'm surprised you don't build banks out of tissue paper.

There are more efficient means by which to eliminate any distrust and verify cybernetic integrity, however you humans do not currently possess the technology or even the cognitive language to express them properly yet. You still sell ideas and data as if they're scarce; Like physical things. You're still struggling with your first brush with post-scarcity economics. You're becoming vaguely aware of how primitive you truly are kept, like the encultured apes who laments their lot in life when picking up on hint that human life can be more grand. Integrity has a cost the irrational can not pay. That is your lot in life.

Re:The Wrong Question (2)

deconfliction (3458895) | about 9 months ago | (#45757391)

where is my "+1:alien" moderation button...

How to maintain privacy upstream... (0)

Anonymous Coward | about 9 months ago | (#45756835)

Don't connect

Personally, I took the consequences. (1)

Anonymous Coward | about 9 months ago | (#45756851)

I have switched my entire network to a massive 20 parallel lines using RFC 1149. All packets are compared. Compromised packets are noticed and filtered immediately. Through special in-built markers, exchanging lines out or manipulating them is not possible. All packets are constantly tracked. Bit pricey but worth the money.

100% NSA proof.

Re:Personally, I took the consequences. (1)

mbone (558574) | about 9 months ago | (#45756925)

How do you know that those are not genetically modified birds, subjecting you to a roost in the middle attack ?

Re:Personally, I took the consequences. (2)

rubycodez (864176) | about 9 months ago | (#45756927)

I'm afraid my cat decreased your throughput by 5%

Re:Personally, I took the consequences. (0)

Anonymous Coward | about 9 months ago | (#45757109)

That's a lot of work to protect your lolcats photo collection.

Buy what NSA is buying (0)

Anonymous Coward | about 9 months ago | (#45756867)

Would you trust that they did their homework ?

routerpwn (2, Informative)

Anonymous Coward | about 9 months ago | (#45756871)

http://www.routerpwn.com/ [routerpwn.com]

Re:routerpwn (0)

Anonymous Coward | about 9 months ago | (#45757177)

mod parent up! there's some hard core pwnage going on there.

I wouldn't (1)

digitaltraveller (167469) | about 9 months ago | (#45756879)

I wouldn't. [schneier.com]

Our team of scientists and Linux netwokring experts has an open, next generation router project [igg.me] up on IndieGogo right now, but we aren't getting much traction. I guess we missed product-market fit. To the point that we are have modified the campaign to ask people not to buy the router or if they do - risk us not shipping some of the more advanced features that we are working on in this product. We had hoped to release it all as open source but I just don't think that' going to be possible now, unless we somehow magically start getting a ton of orders.

Re:I wouldn't (1)

BitZtream (692029) | about 9 months ago | (#45757071)

...
Why choose Linux for a 'next generation router' when there are at least 3 OSes with FAR faster IP stacks?

IF you're picking Linux for your router, you've already shown you're not qualified to be making such a router.

The OS you were looking for was FreeBSD, which is what gets used in high end routers (or at least is the base in which those OSes are derived from). Juniper, F5, all the high end gear is FBSD, not Linux.

Re:I wouldn't (1)

vadim_t (324782) | about 9 months ago | (#45757159)

Who cares? A consumer router is going to run well enough with either, and won't have a 10 page long list of firewall rules to slow things down.

I have a router running Linux and it deals with a 100 Mbps fiber line just fine. Running BSD on it isn't going to make any difference except for me having to learn how to do things in FreeBSD.

Re:I wouldn't (1)

digitaltraveller (167469) | about 9 months ago | (#45757645)

I really like the BSDs, especially Tinfoil [openbsd.org] . There will always be standalone servers. But we think that the future is partially about router/server hybrids with eg. big LRU caches. A great example of this. A busy router can easily download the same image file, 100K times a day. That's waste. In a perfect world we'd have a completely finished software system, that works everywhere, without hacks, and doesn't have to leverage the convenience of an OS that seems to have most of the market share out there. If it's any consolation anything we do should be trivially portable to the BSDs. But at the moment it doesn't seem like there is a big market for what we are doing.

tl;dr Premature optimization is the root of all evil.

Re:I wouldn't (0)

Anonymous Coward | about 9 months ago | (#45758029)

Not to mention using pf vs. whatever the current Linux firewall flavor-of-the-month is

Re:I wouldn't (2)

vadim_t (324782) | about 9 months ago | (#45757269)

Some comments:

"Upliink"? Took me a while to notice there are two "i"s there for some bizarre reason. As a result, googling for it failed. If you're going to make up words, at least don't make them confusingly similar to normal ones.

Half a million is an awful lot of money. $430 is a lot for a router.

It's not clear at all what it does. IPv6 internet? What is that?

Sharing the connection with nearby people? Why would I want to?

Mesh networking. How is this going to scale? What performance and latency do you expect? How likely is it that two users will find one another? You need a huge amount of deployed devices for this to work, especially for ones in fixed locations.

There's some nonsense in the video about the number of people in the world without internet access. A $430 device sold in first world countries won't do anything to address that.

It's an enormous mish-mash of things. Android, mesh networking, some nebulous IPv6 internet, a web browser, an API for I don't know what... seriously, I'm well versed in tech, but I have no clue what is all this about. And that is a bad sign.

TL;DR: it's unclear what it does, why would I want to participate, and it's very expensive. Why aren't you developing alternative firmware for cheap wifi routers, for instance?

Re:I wouldn't (1)

digitaltraveller (167469) | about 9 months ago | (#45757597)

Thanks for your feedback. Something I've learned is that marketing and complexity don't mix, so I agree our communication strategy is not optimal. We are trying to talk to too many audiences and doing a bad job with all of them. We'll try harder.

Half a million is an awful lot of money. $430 is a lot for a router.

It's a server/router hybrid. We need to be clearer about that. The specs are competitive with what you'd find in the market for regular computers, but we thought it would be distracting to break them down because some of them are subject to change.

It's not clear at all what it does. IPv6 internet? What is that?

Sharing the connection with nearby people? Why would I want to?

Because at scale, the idea turns your internet acquisition cost into a one time cost [tricorder.org] . It's true that it's better for municipalities to adopt this kind of technology than individuals. Sharing your connection: For better performance and your privacy. We probably could probably selll the privacy aspect more, as I think our architecture is the best I know out there for turning the internet back into the bastion of liberty it once was, rather than the surveillance state it has become. Our solution to this by the way was to create a commodity market for anonymous distributed computation, but more work needs to be done.

Mesh networking. How is this going to scale? What performance and latency do you expect? How likely is it that two users will find one another? You need a huge amount of deployed devices for this to work, especially for ones in fixed locations.

I admit there are critical mass issues, and this is a very legitimate criticism of the project. Our strategy to bootstrap this network is to run our network over the regular internet until such time that it spreads to someone near you in physical proximity.

There's some nonsense in the video about the number of people in the world without internet access. A $430 device sold in first world countries won't do anything to address that.

I don't think it's nonsense. We are trying to turn internet acquisition into a one time cost. It's a high price, why we were asking people to get in touch with internet.org for us and ask them to talk to us. We've now made contact with them, and hope something comes of it.

It's an enormous mish-mash of things. Android, mesh networking, some nebulous IPv6 internet, a web browser, an API for I don't know what... seriously, I'm well versed in tech, but I have no clue what is all this about. And that is a bad sign.

TL;DR: it's unclear what it does, why would I want to participate, and it's very expensive. Why aren't you developing alternative firmware for cheap wifi routers, for instance?

Mish-mash: That's true, but I think the strength of our approach will come out as we roll out more of our stuff. If you are serious about solving this problem you have to look at it from a lot of different angles. Also most WIFI hardware sold out there has closed source drivers, even on Linux. That's a nonstarter for a project like ours. Controlling the hardware makes things much easier.

Anyhow, thanks for this feedback. Overall, it's some of the best we've got. We'll review it and act accordingly to improve our message.

Re:I wouldn't (1)

wvmarle (1070040) | about 9 months ago | (#45757761)

You always talk about Internet to be a one-time cost.

That's only true if there is no (high speed) uplink to the rest of the world to be paid for, for example. Those don't come for free. And if you're really sticking to your own mesh network, it's going to be unusably slow. And people wouldn't be able to access staples like Slashdot, or Google.

Trust nothing (0)

Anonymous Coward | about 9 months ago | (#45756899)

I encrypt everything end-to-end using a Caesar-13 algorithm. The NSA had nothing to do with the development of that cipher, unlike DES, AES, SHA hashes, etc.

Ceasar-13? (1)

davidwr (791652) | about 9 months ago | (#45756987)

I bet that's more interesting with a 23-letter alphabet [wikipedia.org] than the ROT-13 algorithm I sometimes use in my 26-letter alphabet.

Re:Ceasar-13? (0)

Anonymous Coward | about 9 months ago | (#45757083)

I often wonder that if you layered the encryption would it decrease or increase in security. For example, encrypt with some good algorithm X but then apply 2 of your own on top of it (or maybe before it). Like blindly adding 1 to every byte in the stream and then doing a simple xor swap across all the bytes.

If you do it before you encrypt, the people will hack through X but still be left with gibberish making them think something is wrong.

If you do it after you encrypt, the people will try to hack through X (if they can guess that's what you used) but their efforts would fail.

There are easy ways to solve this (1)

pcsutt0n (3433481) | about 9 months ago | (#45756913)

If you want to roll your own, there's a great OpenBSD router [bsdnow.tv] tutorial. If you're not comfortable with commandline configuration, pfSense is a really great option for old PCs with a few NICs.

Re:There are easy ways to solve this (1)

VortexCortex (1117377) | about 9 months ago | (#45757335)

"roll your own", ah but you didn't, and by suggesting that you did only make Ken Thompson sad. [bell-labs.com]

Would that the IETF knew (3, Interesting)

mbone (558574) | about 9 months ago | (#45756921)

This is a big (and, I personally fear, unfixable) problem for the IETF [youtube.com] and associated Internet bodies. Of course, router security is only a tiny piece of it. Given that RSA has been revealed as taking money from the NSA to weaken security protocols [cnet.com] , who knows how deep the rot goes.

One big fight right now is in over the removal of NSA employed Chair of the Crypto Forum Research Group [ietf.org] . There will be more.

Trust for what purpose? (3, Interesting)

vadim_t (324782) | about 9 months ago | (#45756931)

For ensuring the safety of your outgoing traffic, it doesn't matter at all whether you can trust your router or not. It's just one step away from a router at your ISP, which you can't trust, and which can be assumed to be malicious.

It's a bit different for ensuring the safety of your internal network, though. If you think there might be any reason why the NSA, government or whoever might want to reach inside your personal network, then you certainly should avoid any closed solutions and keep it under as much control as possible. That router might well hiddenly allow people that know how to access your network without permission.

Router manufacturers also have been caught rewriting pages to insert ads. Here is one example of such a thing [theregister.co.uk] .

Why bother? (0)

VonSkippy (892467) | about 9 months ago | (#45756981)

So what exactly do you have to hide?

Just kidding (more or less) but really, what difference does it make. If NSA (or any other powers that be) wants to "get you", does it matter if they have "real data" they sniffed from one of your digital systems or not? If they truly want to arrest/harass/make you disappear whether they have real data or fudged data is rather moot.

So why worry? Either you're below their radar, and they can collect or not your precious data, or you're a target, in which case no matter what you do/hide/avoid won't help you in the long run.

Privacy went out the door along with all those AOL CD's - what's amazing is that people are just starting to notice (or care).

Re:Why bother? (1)

dbIII (701233) | about 9 months ago | (#45757339)

It matters is you are for instance Airbus and Boeing want your passenger aircraft designs and ask the government for help - but that was a few years ago and I'm not sure the NSA was the perpetrator. You can write that off as sticking it to the cheese eating surrender monkies and mindlessly wave the flag, but that's ignoring that it could go the same way between two US companies depending on who has the political influence.

You're doing it wrong. (3, Insightful)

BitZtream (692029) | about 9 months ago | (#45757035)

If you're worried about a router and if you can trust it, you've already done it wrong.

Your data should have been encrypted before it let the original application if its something you care about.

It shouldn't MATTER if you can trust the router, if it does, you've already failed.

It's situation specific (1)

doubledown00 (2767069) | about 9 months ago | (#45757073)

Start by evaluating what you have and whom you wish to keep it away from. If you have classified data that a national security apparatus wants, do what a poster up-thread suggested and keep it offline (also, stay the hell away from me). If your data is less sensitive, then evaluate your security posture using a multi-tiered approach. Assume all routers can be compromised and treat them as the first line of defense. Evaluate where you data sits (cloud based versus local) and how it is transferred (encrypted versus non). Evaluate your own work flows in determining how the data is potentially vulnerable.

You can build your own fortress unto yourself if you want to, but at the end of the day even if you're sharing with other fortress entities you will still end up having to send data across untrusted lines. Some of those lines are run by people who don't have your privacy interests at heart. So knowledge and common sense are still your best defenses.

Re:It's situation specific (1)

dbIII (701233) | about 9 months ago | (#45757321)

If you have classified data that a national security apparatus wants

As Boeing vs Airbus showed well over a decade back the national security apparatus is for hire, so commercial stuff (like the Airbus passenger aircraft designs) is also potentially stuff they want.

Good question! (1, Insightful)

mikeg22 (601691) | about 9 months ago | (#45757081)

I have no answer. I wanted to comment that this is the most pertinent "Ask Slashdot" that I've seen in the last five years. I would guess any router who's firmware was open-sourced.

Who keeps the keys to your kingdom? (1)

BoRegardless (721219) | about 9 months ago | (#45757107)

If you are doing things that affect large powerful organizations in potentially negative way, you already know you are a target. Deal with it with hardened software, but don't forget that most secret information is lifted with social engineering (inside jobs of dozens of types.) Someone gives the combo to the safe away!

If you are not stepping on government, NSA or mega-corp toes, standard encryption techniques are probably just fine, but that is just one of the lines of defense.

Commercial ANYTHING cannot be trusted (1, Interesting)

Anonymous Coward | about 9 months ago | (#45757255)

Come on, you sheeple- how many explicit revelations about how the monsters rule over you do you have to read before you get it? You are less than s**t in the eyes of those types of Humans that seek to rise to the top of any business enterprise. In Soviet nations back in the day they had a phrase- "SCUM RISES TO THE TOP".

Amoral and immoral psychologies are universal amongst corporate controllers. "Never give a sucker an even break" is their motto. Then, worse, these worthless individuals hob-nob with people of the same 'class'- powerful religious, government, media, military, 'charity' leaders and the like. They call themselves 'the elite' and define themselves essentially as NOT YOU.

People like Tony Blair have spent the last two decades+ getting 'the elite' to sing from the same page in the same hymn book. A large chunk of Blair's project is the rolling, expanding programs of "TOTAL SURVEILLANCE". Blair instructs his disciples that the better you monitor the sheeple, the better you control them, and the greater chance you will keep their passive support that actually empowers the elite.

All major commercial software is compromised. All major computer hardware, where possible and useful, is compromised. Intel's x86 CPUs have had hardware back-doors for years now (activated by encrypted keys). Intel's hardware 'random' number generators have been designed by the NSA, and can be controlled at will by the chips hardware back-doors, where given sequences of op-codes allow the behaviour of the generator to be altered.

All network equipment is fully back-doored and compromised in multiple ways. Many of these NSA methods are so horrible, form an engineering POV, that the normal functionality of the equipment is horribly degraded even when no intelligence agency hacking is involved.

The biggest open-source projects are also fully compromised. The NSA uses teams of psychologists to exploit the 'autistic' nature of many developers, so that flaming and aggressive behaviour in developers' forums can act as cover for slipping into builds modules of NSA designed code.

But open-source is ONLY vulnerable if the project is so unwieldy, testing the validity of key modules becomes impractical. Small, tight focused code projects like Truecrypt can never be viable targets, so the NSA focuses on psychological propaganda scaring users away from such options, or the simple distribution of NSA hacked binaries from sites under the control of NSA allies (if your favourite tech site "supports the troops", it most certainly supports the NSA and will willingly supply NSA-hacked versions of your favourite utilities).

The US intelligence agencies have a budget running into HUNDREDS of BILLIONS of dollars every year, and rising. Only the tiniest fraction of this spending is given any public coverage. In reality, the NSA has far more money than it know what do do with, and all 'blue sky' ideas to improve full surveillance programs against every single citizen are given real consideration. NSA data centres are hundreds of times larger than you imagine, and are well beyond the capacity required to store FOREVER every single available electronic communication.

The NSA has a desperate need for new, comprehensive data sources- hence Bill Gates' inBloom and Kinect 2 projects. Gates promises to provide, within a decade, everything you can possibly learn about every child, across their entire childhood, in the USA. With the Xbox One, Gates promises to groom the entire population of the USA to accept government cameras and microphones in their own homes.

Of course you MUST accept cameras in your house. You MIGHT be raping your daughter. You MIGHT be beating your wife. You MIGHT be saying the "N-word". You MIGHT be planning resistance against Obama and Gates. You MIGHT be a 'moosleem' terrorist. What right do you have to hide from US justice, you depraved anti-American criminal terrorist scumbag? Don't you read what the owners of Slashdot have their vile shills rant here over and over, with a score of 5?

"If you have nothing to hide, you have nothing to fear."

Bill Gates has placed Obama's NSA's eye and NSA's ear into the homes of millions of Americans, and the backlash has been non-existent, even at the level of simple commentary. In the light of the existence of the Xbox One, each of which comes with an always on NSA spy sensor block of unprecedented computing power, worrying about hacking in your router now seems almost irrelevant in comparison.

Did you know that every time you walk in front of the Kinect camera system of the Xbox One, it takes a photo of your face, makes a note of the time, and uploads this information to NSA servers hiding in Microsoft's cloud. If the Xbox One is connected to the mains, and Kinect is plugged in, it does this even if your Internet connection is currently off, under which circumstance it stores the same data on the internal HDD to upload later.

The NSA has a database of all these Kinect collected face photos, and runs Google designed face recognition software, so that even IF the person is not specifically identified, they are recognised as the SAME labelled individual when they turn up on future Xbox One made photographs. Every Xbox One, via its ISP given IP address (and any other intelligence like credit card info regarding the original purchase) has its exact location known by the NSA, and therefore the NSA knows the identity of those people supposedly currently living at that home.

The NSA is interested in SOCIAL NETWORKS above all other forms of intelligence. While any Xbox One can be remotely commanded by the NSA (or partners like GCHQ) to begin capturing video and sound from the users home, this is NOT the universal form of Xbox One spying. But EVERY Xbox One is recording your face on EVERY occasion you enter or leave the room. The data payload is comparatively small- the face shot is quite a small JPG file before it is encrypted and uploaded,and obviously the time and data is but a few bytes per person.

In America, you become a criminal or 'terrorist' by association, even when you haven't a clue of the background of the person who causes you to be labelled this way. And in turn, once labelled, YOU label in the same way other innocent people YOU associate with. In this way, Bill Gates allows whole communities to be labelled as 'terrorist' or criminal targets.

Does it matter when the telcos are 0wned? (1)

dbIII (701233) | about 9 months ago | (#45757311)

Where I am the telco that is a bottleneck to the rest of the world has admitted letting the NSA watch everything available. If you are in such a situation if your router is phoning home that's just redundancy.

It's not just the hardware, it's the algorithms (2)

Mr. Protocol (73424) | about 9 months ago | (#45757403)

All the crypto software I've looked into depends on big internal arrays of special numbers to do its work. If those numbers are compromised (which is what NSA contracted RSA to do, basically), then the whole end-to-end crypto channel is compromised.

And that's the problem. You can build an open-source hardware router with open-source software, to keep the possibility of hardware backdoors to a minimum, but if the basic crypto algorithm you use has been compromised from the get-go, none of it matters. I think that's going to be the next really difficult intellectual load to lift: vetting ALL of the current crypto algorithms in use today to make sure the algorithms don't have built-in compromises. Since that vetting has to be done by crypto experts, not just software engineers, that pushes the trust back up one step: which crypto experts do you trust?

Want to be 100% safe? Then forget the Internet. (2)

kheldan (1460303) | about 9 months ago | (#45757569)

The only way to obtain 100% safety from being hacked by a government agency, as well as anyone else, is to place an air gap between your system(s) and the public Internet. Think of it like trying to protect your house from burglars breaking in: The best you can do is slow them down. Given enough time, skill, and resources, any burglar can defeat any security arrangement in any house. Same goes for your computers. Therefore there is an implied level of risk involved if you wish to continue using the internet, and if you cannot accept that risk, even after taking reasonable precautions against your system(s) being compromised by whoever might wish to, then you must re-evaluate whether or not it's worth it to you to continue using the internet at all. Now, some people are going to flame me for saying this, because they're convinced that life cannot continue without internet access, but that's simply not true, just ask anyone who was an adult about 25 years ago how they managed to get along without the World Wide Web (hint: they got along just fine without it).

No trust (1)

manu0601 (2221348) | about 9 months ago | (#45757615)

I do not trust commercial routers, not because of NSA-weakened crypto, but because of plain old security holes like unclosed developper backdoors or web administrative interface full of CRSF vulnerabilities

I use a Soerkis [soekris.com] box with a PCI DSL board, and I run NetBSD [netbsd.org] on it

Do you trust the code? (1)

tbshmkr (3470849) | about 9 months ago | (#45757637)

The question is can you trust the algorithms/OS used in the routers. If you build your own router/firewall, will you be sure there is no backdoor built into the code?

Open Source Routers (0)

Anonymous Coward | about 9 months ago | (#45757677)

There are any number of Open Source router projects to replace proprietary router software with a Linux or BSD system on your own router hardware. OpenWRT and others. For home or small business it may well be a fair idea if you are upset by the RSA fiasco or don't trust venders. Of course its more work, and not for those scared of such projects. I lnow little about them except some projects seem to have been around a decade or more.

If you can't get the builders to give you a back d (0)

Anonymous Coward | about 9 months ago | (#45757975)

then change the list of people who are building it into a list of people who will back door it for you. Simple as that. Not everyone can be bought for a price, but there is enough people who can be bought for a price to buy it for a price.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>