Anyone checked to see if discourse.codinghorror.com actually encrypts the login page yet?
Cause as of the previous security related blog article, it was still butt-ass naked.
Thatās why I use Google to log in, which goes through https 
Great blog. Inside Your Home and Outside Your Home sections is just want any average internet user would like to know about. Great!
Iām pretty bummed that I read through that entire cryptostorm article, thinking there was something there because Jeff linked to it. As I was reading, I kept thinking this sounded more and more like a conspiracy theory with almost no actual technical content (just ālook - something I donāt understand! Must be malicious!ā) but struggled through the entire thing before concluding itās mostly BS.
A quick Google later confirmed my suspicions that itās already being well-debunkedā¦or maybe my router is just compromised and thatās what they want me to think.
This is very true.
Most do not know what risks they are taking by connecting to an unknown network!
This compromise in security could easily lead to personal and bank details that can be stolen.
I never knew one could be attacked by only an infected router alone.
Thank you for all your tips!
Some of these steps are too difficult for standard users which would mean that they are still vulnerable.
Never access anything but HTTPS websites.
This should be spread so that everyone can be safe.
Same here. I want my time back 
I was already suspecting when it mentioned the OCSP url 404 thing as if it was something significant, and I gave up 3/4ths through, when i saw this:
It claims ānumerous proven methodsā and links a bunch of askubuntu questions with GPG errors from APT, no proofs
Thatās when I looked into what kind of organization this thing is, and on the surface it looks like a VPN service with a neat sense of aesthetics, but they also have wacky stuff like a collection of āsuspicious looking certificatesā, with criteria such as āSubtle typos in the names of companies. Start times that are 1:00:00 exactly. That sort of thingā.
Uhhhhhhā¦ well if they say so.
@codinghorror can you add an edit around that cryptostorm link, warning readers that itās bullshit? At best, itās an inconclusive info dump, thereās nothing indicating that messing with DNS or BGP will break HTTPS.
edit: Here, have adam langley telling you that itās nonsense. I didnāt get here through HN but I wish I had seen this comment before.
1 Like
DefCon this year was full of different vulnerabilities on the IoT, including in cars. It was like a playground out there for hackers. Lots of fun, unless you get hacked, I guess.
The Netgear Nighthawk is an awesome router and it offers vpn for you to use when away. I generally use my phoneās wifi hotspot when out and about though, because in addition to security, the bandwidth is much better.
Looks like a typical overpriced consumer-level router. Who knows, Asus may have a good offering. Itās just the look of the thing that reminds me of years of Linksys WRT54G hardware upgrades (read downgrades).
Why not try a Ubiquiti? I use a Motorola Modem for DOCSIS, connected to a Ubiquiti Picostation. The little thing is a workhorse and it has all the advanced features I could ever want. I actually purchased it with the intent of loading custom firmware (ie it was replacing my crippled DD-WRT router) but liked the stock capabilities enough that I didnāt bother.
It can be configured to work as SOHO, wireless bridge, and mesh network node. With all the usual advanced networking capabilities. Theyāre cheap but surprisingly powerful for the cost.
My solution to this is to use a VDSL modem that just passes through the PPP level packets for my Linux server/router/firewall to do the PPPoE part of things. This way I have full control and itās all my responsibility for keeping it up to date and configuring correctly. No trusting some āopenā firmware vendor to not put hardcoded credentials (Iām looking at you OpenELEC, or have they fixed that in later versions?) and to otherwise be on the ball.
So for anyone comfortable with using a custom firmware on a ārouterā Iād advise going this route instead. WiFi is a separate unit and goes inside the Linux router, preferably on its own sub-net with firewall rules controlling what it can access internally.
And, yeah, I need to get around to setting up a home VPN (for my phone to use when on random WiFi), given I finally have decent (for a home connection) upstream bandwidth.
Good set of recommendations in this blog post:
In my earlier Mirai blog post, I offered some guidelines that are both practical and achievable in the home router and IoT device market. My hope with the following guidelines is to inspire innovative technical solutions among device vendors and service providers to redesign or update home routers to limit the risk that these devices will end up being used for nefarious purposes:
- Design home routers and IoT devices to operate with read-only filesystems, making run-time installations of malware impractical.
- Disable any packet crafting/spoofing/promiscuous mode on the firmware level to avoid malicious use of network resource on these devices.
- Provide automated updates for firmware with either planned downtime or no downtime to resolve vulnerabilities proactively.
The purpose of these lightweight, low-cost devices is to transit network data or stream live data (like IP cameras) with little reason for any persistence. In fact, some of the newer home routers do operate within a chroot and a read-only file system, making it hard to both exploit these devices and install third-party software for persistence. Even if a would-be attacker learns or guesses an administrative password, malicious code installation performed by VPNFilter and Mirai would not be successful on these devices.
1 Like
With the release of the Mirai source code and the rise of the Mozi botnet, this issue isnāt going away.
1 Like