EFF gets into the CPE router software business..
So the EFF is pushing development of an open CPU router https://www.eff.org/deeplinks/2014/07/building-open-wireless-router https://openwireless.org/ It's currently targeting WNDR3800's and based on the CeroWRT software (which works pretty well in my own experience). What will possibly be interesting in this forum is that it's explicitly targeting having open guest wireless access (unlike the stuff being pushed by some ISPs, where you can roam but only to other customers of the same ISP).
On 7/24/14, 1:04 PM, "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu> wrote:
It's currently targeting WNDR3800's and based on the CeroWRT software (which works pretty well in my own experience).
Agree - CeroWRT works well. We at Comcast worked with Dave Taht on CeroWRT to explore and understand approaches to resolving Buffer Bloat. So it¹s nice to see that it is seeing other applications like this. I also like the secure method for software updates in this release. Jason
On 2014-07-24 12:04, Valdis Kletnieks wrote:
So the EFF is pushing development of an open CPU router
https://www.eff.org/deeplinks/2014/07/building-open-wireless-router https://openwireless.org/
It's currently targeting WNDR3800's and based on the CeroWRT software (which works pretty well in my own experience).
What will possibly be interesting in this forum is that it's explicitly targeting having open guest wireless access (unlike the stuff being pushed by some ISPs, where you can roam but only to other customers of the same ISP).
!DSPAM:53d13dc965333732154236!
The Free Network Foundation (which I co founded and am CTO of) has been helping several groups in the USA do this for ~1 year now. EFF is simply rebranding/respinning community networking, but they are pretty new to the USA Free Networks party overall. They just have a bigger budget/brand recognition (though FreedomTower has become a pretty resilient brand based on the e-mails we get on a daily basis). Also I'm not sure of the level of support/hand holding/documentation etc EFF will provide for folks wanting to build a network off this setup (I'm guessing not much). Also most incumbent carriers prevent sharing (where FNF supported/assisted/collaborative/affiliated US based efforts back haul (over high capacity wifi or VPN over incumbent circuits) to wholesale colocation facilities POP and do things like monitor abuse@ contacts etc. (Ya know, actually responsibly run an ISP). I'd rather of seen them partner with FNF, (or actually much more preferable would be upstream wrt projects like QMP) and not spin YET ANOTHER FIRMWARE. I'm glad they picked CeroWRT though.
Any idea how well CeroWRT stands up to nation-state level intrusion efforts? George William Herbert Sent from my iPhone
On Jul 24, 2014, at 10:24 AM, charles@thefnf.org wrote:
On 2014-07-24 12:04, Valdis Kletnieks wrote: So the EFF is pushing development of an open CPU router https://www.eff.org/deeplinks/2014/07/building-open-wireless-router https://openwireless.org/ It's currently targeting WNDR3800's and based on the CeroWRT software (which works pretty well in my own experience). What will possibly be interesting in this forum is that it's explicitly targeting having open guest wireless access (unlike the stuff being pushed by some ISPs, where you can roam but only to other customers of the same ISP). !DSPAM:53d13dc965333732154236!
The Free Network Foundation (which I co founded and am CTO of) has been helping several groups in the USA do this for ~1 year now. EFF is simply rebranding/respinning community networking, but they are pretty new to the USA Free Networks party overall. They just have a bigger budget/brand recognition (though FreedomTower has become a pretty resilient brand based on the e-mails we get on a daily basis). Also I'm not sure of the level of support/hand holding/documentation etc EFF will provide for folks wanting to build a network off this setup (I'm guessing not much). Also most incumbent carriers prevent sharing (where FNF supported/assisted/collaborative/affiliated US based efforts back haul (over high capacity wifi or VPN over incumbent circuits) to wholesale colocation facilities POP and do things like monitor abuse@ contacts etc. (Ya know, actually responsibly run an ISP).
I'd rather of seen them partner with FNF, (or actually much more preferable would be upstream wrt projects like QMP) and not spin YET ANOTHER FIRMWARE.
I'm glad they picked CeroWRT though.
On 2014-07-25 00:06, George Herbert wrote:
Any idea how well CeroWRT stands up to nation-state level intrusion efforts?
Interesting question. It uses OpenWRT as a base. IPTables for the firewall. So that's a pretty big code base right there (though certainly a bit less than a comparable x86 Linux box). Most people use it with LUCI (web UI). So that adds more code. Is this attack from the WAN side? Or from a comped browser on the LAN side? Interesting discussion for a Friday! :)
On Thu, 24 Jul 2014 22:06:38 -0700, George Herbert said:
Any idea how well CeroWRT stands up to nation-state level intrusion efforts?
If they are as determined as FBI v Scarfo (the FBI pulled a black bag job to install a keystroke logger in a mobster's PC to capture his PGP passphrase), it's pretty much "game over". Isn't much the average router-class hardware can do to protect itself at that point. The second big challenge is that to the best of my knowledge, there exist no router-class hardware that includes a TPM chip, which means that you're not going to be able to implement a trusted boot environment. This means that we're stuck with trusting at least part of the boot process (though we can probably trust the first stage boot loader on a 3800, as that appears to be in an actual ROM, and we'll have to trust the bootstrap code on the flash, but if we use a signed kernel, everything after that can have some trust attached.) There's a number of attack surfaces left on CeroWRT, starting with the usual "find a 0-day and point it" - good targets there are the Linux network stack, the IPtables code, dropbear (which is nice, but almost certainly not audited as heavily as OpenSSH), and Luci. And yes, reflecting an attack off a browser behind the router is *very* much in scope - *most* of the pwned router attacks we see come from javascript or other executables pointed at the usually well-known router address from a PC behind the router. All the way to pulling a MITM on downloads from Dave Taht's repositories. The combination of DNSSEC, trusted crypto signatures on the dowload package, and OpeWireless's plans to use Tor to do the software download should make it a *lot* harder to attach via that route. And the rabbit hole goes *much* deeper - see Ken Thompson's "On Trusting Trust", which itself got the idea from Karger and Schell's analysis of Multics security. http://cm.bell-labs.com/who/ken/trust.html Actually, Karger and Schell is a good read if you haven't done so - that *was* a nation-state funded intrusion effort. :) http://www.acsac.org/2002/papers/classic-multics-orig.pdf They were nice enough to go back 30 years later and tell us what we had learned in the meantime. tl;dr: Not much. https://www.acsac.org/2002/papers/classic-multics.pdf Hope that 15-minute analysis helps....
On 2014-07-25 12:22, Valdis.Kletnieks@vt.edu wrote:
On Thu, 24 Jul 2014 22:06:38 -0700, George Herbert said:
Any idea how well CeroWRT stands up to nation-state level intrusion efforts?
If they are as determined as FBI v Scarfo (the FBI pulled a black bag job to install a keystroke logger in a mobster's PC to capture his PGP passphrase), it's pretty much "game over". Isn't much the average router-class hardware can do to protect itself at that point.
Of course. Physical access is root access. We know this.
The second big challenge is that to the best of my knowledge, there exist no router-class hardware that includes a TPM chip,
OpenWRT x86? Run it on a decently specced laptop a couple gens old (like a Dell Latitude 6500 or so). That's got TPM, plenty of ram. Of course you can run on a server board (Dell Poweredge or something). I prefer pfsense myself for full blown kit. which means that you're
not going to be able to implement a trusted boot environment. This means that we're stuck with trusting at least part of the boot process (though we can probably trust the first stage boot loader on a 3800, as that appears to be in an actual ROM, and we'll have to trust the bootstrap code on the flash, but if we use a signed kernel, everything after that can have some trust attached.)
Right.
There's a number of attack surfaces left on CeroWRT, starting with the usual "find a 0-day and point it" - good targets there are the Linux network stack, the IPtables code, dropbear (which is nice, but almost certainly not audited as heavily as OpenSSH), and Luci. And yes, reflecting an attack off a browser behind the router is *very* much in scope - *most* of the pwned router attacks we see come from javascript or other executables pointed at the usually well-known router address from a PC behind the router.
Agree 100%
All the way to pulling a MITM on downloads from Dave Taht's repositories. The combination of DNSSEC, trusted crypto signatures on the dowload package, and OpeWireless's plans to use Tor to do the software download should make it a *lot* harder to attach via that route.
Oooo. I'll have to clone that methodology for the FNF downloads.
On Fri, 25 Jul 2014 13:11:29 -0500, charles@thefnf.org said:
On 2014-07-25 12:22, Valdis.Kletnieks@vt.edu wrote:
The second big challenge is that to the best of my knowledge, there exist no router-class hardware that includes a TPM chip,
OpenWRT x86? Run it on a decently specced laptop a couple gens old (like a Dell Latitude 6500 or so). That's got TPM, plenty of ram. Of course you can run on a server board (Dell Poweredge or something). I prefer pfsense myself for full blown kit.
Yeah, but it's hard to justify a PowerEdge for a Joe Sixpack consumer CPE (admittedly, I managed to leave that phrase out of 'router-class', mea culpa).
Well yes. :) Plenty of relatively inexpensive x86 based kit out there. Maybe with TPM? Never looked. Atom can push a good amount of packets. I am in the process of building an HCL for the various bits of the FreedomStack. (CPE/distribution/core etc). My family is a very heavy internet user. Both directions. An atom pfsense router and netgear 3800 has done the trick. Now to package them up with a slick / simplified / turnkey configuration and not have people balk at the price. I hadn't taken much security/TPM wise into account. Would be a good way to help folks deal with the increased expense. NSA proof, Snowden endorsed! :) On July 25, 2014 6:42:13 PM CDT, Valdis.Kletnieks@vt.edu wrote:
On Fri, 25 Jul 2014 13:11:29 -0500, charles@thefnf.org said:
On 2014-07-25 12:22, Valdis.Kletnieks@vt.edu wrote:
The second big challenge is that to the best of my knowledge, there exist no router-class hardware that includes a TPM chip,
OpenWRT x86? Run it on a decently specced laptop a couple gens old (like a Dell Latitude 6500 or so). That's got TPM, plenty of ram. Of course you can run on a server board (Dell Poweredge or something). I prefer pfsense myself for full blown kit.
Yeah, but it's hard to justify a PowerEdge for a Joe Sixpack consumer CPE (admittedly, I managed to leave that phrase out of 'router-class', mea culpa).
------------------------------------------------------------------------
!DSPAM:53d2eb62262122034419612!
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (6)
-
Charles N Wyble -
charles@thefnf.org
-
George Herbert -
Livingood, Jason -
Valdis Kletnieks -
Valdis.Kletnieks@vt.edu