Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer-level routers. http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-i...
-Mario Eirea
At 15:51 05/07/2012 +0000, Mario Eirea wrote:
Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer-level routers.
http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-i...
-Mario Eirea
For those of us who have not kept up with every latest feature that Cisco rolls out across all its platforms, can someone explain this new service? Is it like Windows update, where Cisco will auto-update your router s/w and thereby brick it? If I don't register my router with Cisco, what do I lose? I can't update it manually?
-Hank
At 15:51 05/07/2012 +0000, Mario Eirea wrote:
Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer-level routers.
http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-i...
-Mario Eirea
For those of us who have not kept up with every latest feature that Cisco rolls out across all its platforms, can someone explain this new service? Is it like Windows update, where Cisco will auto-update your router s/w and thereby brick it? If I don't register my router with Cisco, what do I lose? I can't update it manually?
And what happens when your *cough* "router" isn't actually on the Internet? How can it be managed and upgraded on a regular old network?
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Jul 5, 2012, at 11:24, Joe Greco wrote:
And what happens when your *cough* "router" isn't actually on the Internet? How can it be managed and upgraded on a regular old network?
If there is no internet connection, you get a very limited page that's apparently only really good to get you back online.
On Thu, 5 Jul 2012, Sean Harlow wrote:
On Jul 5, 2012, at 11:24, Joe Greco wrote:
And what happens when your *cough* "router" isn't actually on the Internet? How can it be managed and upgraded on a regular old network?
If there is no internet connection, you get a very limited page that's apparently only really good to get you back online.
Routers are sometimes used on networks that don't have internet connectivity [by design]. This seems amazingly short-sighted for a company that's been around selling routing gear as long as cisco.
----------------------------------------------------------------------
Jon Lewis, MCP :)        | I route
Senior Network Engineer  | therefore you are
Atlantic Net             |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
On Jul 5, 2012, at 12:42, Jon Lewis wrote:
Routers are sometimes used on networks that don't have internet connectivity [by design]. This seems amazingly short-sighted for a company that's been around selling routing gear as long as cisco.
Not to defend Cisco's idiotic decision, but in this case the devices in question are extremely unlikely to be used in such a situation, as they are consumer/SOHO products. The vast, overwhelming majority of these will be installed as the primary and/or only piece of network hardware other than the modem. I'd imagine that anyone who knows enough to care about a non-connected situation was never considering these devices in the first place. Frankly, for the Joe Sixpack market I can't argue against the autoupdate idea itself, as outdated consumer routers probably account for a large percentage of the exploitable Linux systems out there, but the "cloud" tie-in and privacy issues are clearly not well thought out.
On Thu, Jul 5, 2012 at 9:42 AM, Jon Lewis <jlewis@lewis.org> wrote:
Routers are sometimes used on networks that don't have internet connectivity [by design]. This seems amazingly short-sighted for a company that's been around selling routing gear as long as cisco.
If the router is not connected to the internet (either due to network design, or just because you ripped out the WAN cable) then it IS able to be managed locally. Plug the Internet back in, and that option goes away.
Scott
On Jul 5, 2012, at 12:08, Hank Nussbacher wrote:
For those of us who have not kept up with every latest feature that Cisco rolls out across all its platforms, can someone explain this new service? Is it like Windows update, where Cisco will auto-update your router s/w and thereby brick it? If I don't register my router with Cisco, what do I lose? I can't update it manually?
Long story short, the affected routers (newer "Cisco" [former Linksys] consumer products) received an automatic firmware update which basically disables the device's onboard web UI and forces you to use Cisco's "cloud" management system. The biggest issue with this is that apparently it has some function, possibly for web filtering, which sends network traffic information of some sort to Cisco's service. They also state that regardless of the auto-update setting a device may be updated anyways if Cisco says so.
One article I found says it affects the E2700, E3500, and E4500 models.
Technical users could always just flash DD-WRT onto the device and replace the Linksys/Cisco firmware; then you have a much more robust system without any big brother stuff.
Keep in mind that to receive the update, the router has to be connected to the internet. So routers that are not connected to the internet by design will be unaffected.
-Grant
On Thu, Jul 5, 2012 at 11:55 AM, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
Technical users could always just flash DD-WRT onto the device and replace the Linksys/Cisco firmware; then you have a much more robust system without any big brother stuff.
Technical users could always just flash DD-WRT onto the device and replace the Linksys/Cisco firmware; then you have a much more robust system without any big brother stuff.
Or Cisco could just omit the big brother stuff.
This is not a technological failure. In fact, automatic updates of router firmware are overdue. Good job on that front.
It is the implications of your router dictating to you what sort of uses might be acceptable and what is not that's troubling, and that seems to have happened on several levels in this product.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Thu, Jul 5, 2012 at 11:07 AM, Joe Greco <jgreco@ns.sol.net> wrote:
Technical users could always just flash DD-WRT onto the device and replace the Linksys/Cisco firmware; then you have a much more robust system without any big brother stuff.
Or Cisco could just omit the big brother stuff.
This is not a technological failure. In fact, automatic updates of router firmware are overdue. Good job on that front.
It is the implications of your router dictating to you what sort of uses might be acceptable and what is not that's troubling, and that seems to have happened on several levels in this product.
... JG
This is what has me thinking about shorting Cisco stock. When the legal implications of this hit the FCC <http://www.fcc.gov/>, EFF <http://www.eff.org>, or here in Canada the CRTC <http://www.crtc.gc.ca>, the shouts will begin. This breaks all sorts of regulations about privacy and I'm sure a few other product sales laws in the different countries where the products are sold. Interesting times we live in....
cheers Jeff
Looks like they've modified their privacy policy in the last few days, but from what I understand it was originally pretty bad, including collecting users' history and:
[...] right to shut down the users' account if it finds that they have used the service for "obscene, pornographic, or offensive purposes, to infringe another's rights, including but not limited to any intellectual property rights, or... to violate, or encourage any conduct that would violate any applicable law or regulation or give rise to civil or criminal liability," as well as comply with the orders it receives by "a third party or court of competent jurisdiction" if the user has been found violating those terms. [...]
I haven't really kept up on consumer-grade networking; who out there presents a reasonable challenge to Cisco these days?
On Thu, Jul 5, 2012 at 3:24 PM, Jeff Johnstone <jj@diamondtech.ca> wrote:
On Thu, Jul 5, 2012 at 11:07 AM, Joe Greco <jgreco@ns.sol.net> wrote:
Technical users could always just flash DD-WRT onto the device and replace the Linksys/Cisco firmware; then you have a much more robust system without any big brother stuff.
Or Cisco could just omit the big brother stuff.
This is not a technological failure. In fact, automatic updates of router firmware are overdue. Good job on that front.
It is the implications of your router dictating to you what sort of uses might be acceptable and what is not that's troubling, and that seems to have happened on several levels in this product.
... JG
This is what has me thinking about shorting Cisco stock. When the legal implications of this hit the FCC <http://www.fcc.gov/>, EFF<http://www.eff.org>, or here in Canada the CRTC <http://www.crtc.gc.ca>, the shouts will begin. This breaks all sorts of regulations about privacy and I'm sure a few other product sales laws in the different countries where the products are sold. Interesting times we live in....
cheers Jeff
--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
I suspect it'll be "Corporations control the Internet and our private life" well before tomorrow. Domestic operators have been doing that for ages with their branded routers, and AFAIK DOCSIS is unimaginable without (part of) this functionality. I went berserk when I discovered such a checkbox in my home router; two days later I checked it on again and never looked back. How often do I check for firmware upgrades for my home router? Almost never. Do I back up my config? No. Do I disassemble the binary blob before an upgrade? No. And I consider myself an above-average Internet user. It doesn't really matter how I brick my hardware, and implementing authentication on the vendor site to download the firmware honestly does a better job of gathering sensitive data. Automatic updates are pretty much a common feature these days; it's good to know what it means for a user, but it is hardly game-breaking.
Significantly faster and with far fewer bugs than the Cisco/Linksys as well.
---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org
-----Original Message-----
From: David Hubbard [mailto:dhubbard@dino.hostasaurus.com]
Sent: Thursday, 05 July, 2012 10:56
To: nanog@nanog.org
Subject: RE: Cisco Update
Technical users could always just flash DD-WRT onto the device and replace the Linksys/Cisco firmware; then you have a much more robust system without any big brother stuff.
I see.
Replace "local access" control with "let anyone on the internet reconfigure the thing". Whoever's idea it was should be p*ssed on, keelhauled, drawn and quartered, then burned at the stake.
---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org
-----Original Message-----
From: Sean Harlow [mailto:sean@seanharlow.info]
Sent: Thursday, 05 July, 2012 10:26
To: Hank Nussbacher
Cc: nanog@nanog.org
Subject: Re: Cisco Update
On Jul 5, 2012, at 12:08, Hank Nussbacher wrote:
For those of us who have not kept up with every latest feature that Cisco rolls out across all its platforms, can someone explain this new service? Is it like Windows update, where Cisco will auto-update your router s/w and thereby brick it? If I don't register my router with Cisco, what do I lose? I can't update it manually?
Long story short, the affected routers (newer "Cisco" [former Linksys] consumer products) received an automatic firmware update which basically disables the device's onboard web UI and forces you to use Cisco's "cloud" management system. The biggest issue with this is that apparently it has some function, possibly for web filtering, which sends network traffic information of some sort to Cisco's service. They also state that regardless of the auto-update setting a device may be updated anyways if Cisco says so.
One article I found says it affects the E2700, E3500, and E4500 models.
I see.
Replace "local access" control with "let anyone on the internet reconfigure the thing". Whoever's idea it was should be p*ssed on, keelhauled, drawn and quartered, then burned at the stake.
It'll get real interesting when Cisco's cloud database is breached and some weakness in the password encryption is discovered.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Thu, Jul 5, 2012 at 6:01 PM, Joe Greco <jgreco@ns.sol.net> wrote:
I see.
Replace "local access" control with "let anyone on the internet reconfigure the thing". Whoever's idea it was should be p*ssed on, keelhauled, drawn and quartered, then burned at the stake.
It'll get real interesting when Cisco's cloud database is breached and some weakness in the password encryption is discovered.
... JG
What encryption? Web stuff was probably built by a consultant using an open source database store :)
Jeff
On 7/5/12, Joe Greco <jgreco@ns.sol.net> wrote:
It'll get real interesting when Cisco's cloud database is breached and some weakness in the password encryption is discovered. [snip]
Will the users' passwords even matter, if a compromise of the database allows an intruder to make a system-wide change to end users' equipment, such as delivering a compromising configuration change, or a "patched" firmware update that deactivates cloud service and turns them all into botnet nodes under exclusive control of the compromiser?
Hopefully Cisco thought that stuff out, but password encryption weaknesses at least are easily addressed by forcing all users to reset their pw, and requiring a proof of physical access to the unit.
--
-JH
On 7/5/12, Joe Greco <jgreco@ns.sol.net> wrote:
It'll get real interesting when Cisco's cloud database is breached and some weakness in the password encryption is discovered. [snip]
Will the users' passwords even matter, if a compromise of the database allows an intruder to make a system-wide change to end users' equipment, such as delivering a compromising configuration change, or a "patched" firmware update that deactivates cloud service and turns them all into botnet nodes under exclusive control of the compromiser ?
Hopefully Cisco thought that stuff out, but password encryption weaknesses at least are easily addressed by forcing all users to reset pw, and requiring a proof of physical access to the unit.
"and requiring a proof of physical access to the unit"? Yeah, sure, that seems likely.
No, really, how bad an idea can it be to have a central database and a system that's allowed to remotely log in, configure, and update thousands of Internet-connected CPE? I mean, talk about making an attractive target. Compromise this one system and gain access to create a huge botnet. Complete list of CPE addresses and access credentials in one juicy bundle. How is it that NANOG can see this with no trouble but Cisco cannot?
What's stunningly clear is that Cisco did NOT think that stuff out.
You want content filtering? Boring. Been done for years, without "cloud" features.
You want remote management? Boring. Been done for years, just look at DD-WRT et al.
You want configuration backup and restore? Still boring. Could have figured a slick method to do THAT "to the cloud", as an option, with per-account encryption, or config backup to local PC, or both.
Automatic firmware updates? Hey, effin' great! I heartily approve of THAT idea, even of defaulting it to on. Just make sure I can also turn it off. "Forced" upgrades are not acceptable. Requiring an upgrade to happen over the public Internet is not acceptable. Make sure we have the option to upgrade manually from a local firmware file.
So is a user locked out of administering the router unless it can talk to the cloud? If so, that's boneheaded in the extreme. Hey, Cisco, when my DSL with static IP finally dies and I need to switch to a provider that uses DHCP, how am I supposed to log in to my router since it cannot connect to your glorious cloud?
And the onerous puritanical TOS? Find and fire whoever came up with that. That's just a complete load. Did you sign an agreement not to watch porno DVDs when you bought your DVD player? It's *equipment*, Cisco. Some people will invariably use it for purposes you find to be objectionable. Geez.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Joe Greco wrote:
No, really, how bad an idea can it be to have a central database and a system that's allowed to remotely log in, configure, and update thousands of Internet-connected CPE? I mean, talk about making an attractive target.
No argument against the lack of wisdom regarding this cisco thing, but... As a botnet operator in the business of making money (and thus relying on the availability of your botnets), why go through the bother of compromising such a system and creating a botnet (which will be rather quickly fixed once the breach is noticed) when you can do it easily enough by sending out a simple email with the proper binary code attached, relying on the PEBKAC paradigm. ;-) This method has been proven to be very effective, considering many 100s of millions of zombie computers exist.
Greetings,
Jeroen
--
Earthquake Magnitude: 4.6
Date: Wednesday, July 11, 2012 10:54:36 UTC
Location: near the east coast of Honshu, Japan
Latitude: 35.9986; Longitude: 140.9388
Depth: 27.40 km
In a message written on Thu, Jul 05, 2012 at 03:51:40PM +0000, Mario Eirea wrote:
Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer-level routers.
Perhaps going right to the source would be educational: http://home.cisco.com/en-us/cloud
The short version appears to be Cisco wanted to move to a model where you could manage your home gateway remotely, and also store settings that may (in the future) be able to be reused if you replaced your device. All in all it sounds a lot to me like Meraki's solution (caveat, I've not used Meraki, just gotten the presentation). There's probably even a market for this sort of service.
Where they appear to have gone horribly wrong is that several models of Linksys routers with "auto-update" enabled downloaded this update and moved to this new management model with no user intervention, notice, or method of being downgraded. Thus folks who didn't want these features and may not have upgraded to them were caught by surprise, and have been effectively forced to take the new features due to a lack of downgrade path.
Technology wise it's pretty non-interesting. Others have been doing similar things. From a customer relations point of view it's a total disaster, and one that should have been entirely predictable.
I was never much of a fan of Linksys pre-Cisco, but post-Cisco it seems to be in a non-stop downhill slide...
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
dd-wrt or openwrt are your friend on those devices. 8)
On Jul 5, 2012, at 11:51 AM, Mario Eirea <meirea@charterschoolit.com> wrote:
Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer-level routers.
http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-i...
-Mario Eirea
In Cisco's defense, perhaps the legalese did not fully communicate the intent of the service.
http://blogs.cisco.com/home/update-answering-our-customers-questions-about-c...
CB
On Jul 5, 2012 8:52 AM, "Mario Eirea" <meirea@charterschoolit.com> wrote:
Has anyone seen this yet? Looks like Cisco was forcing people to join its
Cloud service through an update for its consumer-level routers.
http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-i...
-Mario Eirea
"We take responsibility for that lack of clarity, and we are taking steps to make this right."
including firing the idiot responsible?
-Dan
On Thu, 5 Jul 2012, Cameron Byrne wrote:
In Cisco's defense, perhaps the legalese did not fully communicate the intent of the service.
http://blogs.cisco.com/home/update-answering-our-customers-questions-about-c...
CB
On Jul 5, 2012 8:52 AM, "Mario Eirea" <meirea@charterschoolit.com> wrote:
Has anyone seen this yet? Looks like Cisco was forcing people to join its
Cloud service through an update for its consumer-level routers.
http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-i...
-Mario Eirea
At 00:28 06/07/2012 -0700, goemon@anime.net wrote:
"We take responsibility for that lack of clarity, and we are taking steps to make this right."
including firing the idiot responsible?
The Nussbacher axiom of management - "Management is like a cesspool - the really big chunks float to the top". I would assume the person responsible will one day be running Cisco. -Hank
-Dan
On Thu, 5 Jul 2012, Cameron Byrne wrote:
In Cisco's defense, perhaps the legalese did not fully communicate the intent of the service.
http://blogs.cisco.com/home/update-answering-our-customers-questions-about-c...
CB
On Jul 5, 2012 8:52 AM, "Mario Eirea" <meirea@charterschoolit.com> wrote:
Has anyone seen this yet? Looks like Cisco was forcing people to join its
Cloud service through an update for its consumer-level routers.
http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-i...
-Mario Eirea
participants (20): Andriy Bilous, Cameron Byrne, David Hubbard, goemon@anime.net, Grant Ridder, Hank Nussbacher, Jeff Johnstone, Jeroen van Aart, Jimmy Hess, Joe Greco, Jon Lewis, Keith Medcalf, Leo Bicknell, Mario Eirea, Randy Bush, Ray Soucy, Scott Howard, Sean Harlow, Thomas D Nadeau, Tyler Haske