[HN Gopher] US could ban TP-Link routers over hacking fears: report
___________________________________________________________________
US could ban TP-Link routers over hacking fears: report
Author : esaym
Score : 143 points
Date : 2024-12-18 15:19 UTC (7 hours ago)
(HTM) web link (nypost.com)
(TXT) w3m dump (nypost.com)
| tharmas wrote:
| The US Authorities remember when they did it to fax machines in
| Eastern Europe.
| oefrha wrote:
| NSA has been "SIGINT-enabling" router chips for a long time
| according to Snowden documents. Discussed last year:
| https://news.ycombinator.com/item?id=37570407
|
| There's also that famous photo of NSA "upgrading" Cisco
| routers, of course. https://arstechnica.com/tech-
| policy/2014/05/photos-of-an-nsa...
| tastyfreeze wrote:
| Exactly. Remembering that our own NSA has intentionally
| compromised devices makes all of the "ban China" calls sound
| like jealousy.
| oefrha wrote:
| More like "we know we're doing this, so they're likely
| doing it as well". Makes sense.
| kittikitti wrote:
| I guess the NY Post is a good source if it aligns with Silicon
| Valley's foreign policy interests?
| tacticalturtle wrote:
| The NY Post is just reposting original reporting by the Wall
| Street Journal:
|
| https://www.wsj.com/politics/national-security/us-ban-china-...
| jaimsam wrote:
| Ah yes, a "better" source, definitely not co-opted by
| advertisers, government aligned executives, and other
| interests, but rather truly a newspaper for, and by, the
| people!
| NDizzle wrote:
| Is the content in these articles incorrect?
| bediger4000 wrote:
| Who can tell? The WSJ article doesn't even say whether
| TP-Link hardware or software is the problem, which would
| seem to me to be extraordinarily important in reporting
| on this issue.
| tacticalturtle wrote:
| To be a little more charitable, I don't think the average
| non-technical newspaper reader knows or cares about the
| difference.
|
| Most non-tech people I know treat a router as a black box
| system - you plug it in, and then when you have issues,
| you turn it on and off again. If it keeps happening you
| get a new one. The word firmware will draw blank stares.
| pessimizer wrote:
| Some people read things as a source of information, others read
| them as a source of opinion. For the former, this link is fine
| because they don't care what the NY Post wants them to think.
| For people who prefer to receive their opinion along with their
| information, they should maybe consult a more personalized
| outlet, or their pastor.
| dole wrote:
| Those running TP-Link gear might want to check whether theirs
| supports OpenWRT or another firmware option.
| throwway120385 wrote:
| That doesn't help people running TP-Link infrastructure like
| Omada switches and Omada WAPs with an Omada controller behind a
| separate firewall/router.
| fidotron wrote:
| APs are going to be the great new app platform, but also a very
| clear security problem. They have now grown so much spare
| capacity they can host a lot of extra interesting services. The
| noises from China suggest some people in companies like Xiaomi
| worked this out a while ago.
|
| Fundamentally we need to move to a home networking model that
| involves isolating all clients completely (especially cameras and
| smart TVs), and using AP hosted services to mediate interaction
| between them and the Internet at large. This will involve needing
| to trust the AP, but will have the advantage of being able to
| deploy slightly less trustworthy devices at the very edge.
| toomuchtodo wrote:
| Can you ensure this level of assurance without requiring an
| independent review of router firmware? If it is managing
| security boundaries, how do you know if you trust it? And how
| do you ensure that trust is maintained over device lifetime as
| firmware updates are shipped? Hard problem to solve by building
| and maintaining long run "people, process, tech" systems.
| fidotron wrote:
| That's kind of my point - it's inevitable that we will end up
| having to take the security of the AP enormously more
| seriously than we have. The AP will end up needing cellphone
| style updates and chain of trust integrity checks for the
| firmware.
|
| The reason this is inevitable is the alternative hasn't
| worked. Cloud based IoT has been a disaster in both the
| atrocious edge device security and cloud service bait and
| switch burning customer confidence in the whole concept. Most
| people are not going to deploy dedicated servers in their
| house, but an AP absolutely. The HomeAssistant and Frigate
| ecosystems demonstrate the demand for functionality is there,
| but they are very much enthusiast type tools.
| toomuchtodo wrote:
| Strongly agree, I just don't see evidence there is any
| appetite for spending the resources needed to accomplish
| this. I would very much like there to be, but, you know. No
| one likes to spend until the place is already on fire. If
| this is the fire ("never let a crisis go to waste"), we
| should try to spend what's required to do what is needed.
|
| (a component of my work is software supply chain security)
| fidotron wrote:
| > Strongly agree, I just don't see evidence there is any
| appetite for spending the resources needed to accomplish
| this.
|
| Yeah, that is the problem, and I gave up on waiting for
| it, so kicked off an exploration of the problem space
| https://github.com/atomirex/umbrella (Hitting video
| handling first because it is one of the major headaches).
|
| I come from the intersection of embedded/mobile/games and
| saw what a dumpster fire that was, and am under no
| illusions this will be solved either fast or by any
| existing group.
| kbolino wrote:
| I like the idea of isolating every client, or certain clients
| at least, but I don't see why this needs special apps or
| services. Just treat these clients as existing on their own
| VLAN segments and either get rid of the GTK (forcing
| broadcast/multicast to go through the AP) or generate a
| different one for each such segment (separating the broadcast
| domains).
| fidotron wrote:
| Clients shouldn't connect to the Internet by default, and
| when they do it should be domain/IP whitelisted only.
|
| For example, an IoT lightswitch in your home should only talk
| to what looks like an MQTT broker in the AP. It doesn't need
| to have any concept what that topic it publishes to does.
| Similarly, the receiving light doesn't need to know what
| caused it. This way those devices literally never need any
| external network access at all.
|
| I started working on this idea by playing with OpenWrt hosted
| video relays, and learned that it works, and am now extending
| it: https://github.com/atomirex/umbrella
|
| Right now I am on HN procrastinating when I should be
| producing a video of ingesting from a TP Link security camera
| (really) into a webrtc SFU on the AP, sending it to another
| SFU, and watching the result.
| kbolino wrote:
| I like this vision, but I'm not optimistic about it coming
| to fruition. IoT vendors want their devices phoning home
| over the Internet, it gives them traceability and platform
| lock-in.
| simoncion wrote:
| > ...when they do it should be domain/IP whitelisted only.
|
| In practice, this will work very poorly. Your whitelist
| will end up looking like "All of Azure, GCP, AWS, and
| CloudFlare, plus some one-offs"... which doesn't really
| stop anything.
|
| I work at a BigCo that tries to do what you're proposing
| and it works so, so badly. Thankfully, we can turn off the
| "security" software that does this on our workstations.
| Unfortunately, cannot do the same for our software that
| runs on datacenter-hosted hardware that IT manages.
|
| > Clients shouldn't connect to the Internet by default...
|
| I have a couple of VLANs on my LAN that don't provide
| Internet access just for this reason.
| fidotron wrote:
| > Your whitelist will end up looking like "All of Azure,
| GCP, AWS, and CloudFlare, plus some one-offs"...
|
| Why?
| ndriscoll wrote:
| I think what's being said here is that if we're going to
| talk about what "needs" to be done about security
| (especially if government regulation is to be involved),
| and if we're going to ban _something_, then it ought to
| be devices that need to talk to "the cloud". Saying we
| "need" APs to segment VLANs is missing the point. The
| cloud servers are known to be malicious (e.g. that
| company that intentionally bricked people's inverters the
| other day). As you say, it's impossible to have
| reasonable filters when everything wants to talk to the
| entire world. What we "need" is for IoT devices to
| communicate through purely local networks and have no
| Internet access. e.g. mandate a standard to discover a
| local MQTT broker (which the router may also provide). In
| that world, there's no reason for a device to ever talk
| to anything other than e.g. 192.168.1.1, so filtering is
| easy and can be made default.
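The local-only IoT model described by fidotron and ndriscoll above (devices on an isolated segment talk only to a broker, DNS and DHCP on the AP at e.g. 192.168.1.1), as an added audit script that is not part of the thread or of any project mentioned in it: it classifies constructed flow records from an IoT segment and flags anything other than the router's own local services, including multicast discovery and lateral traffic between clients. The segment range, router address, allowed ports and record format are all assumptions.

```python
"""Audit flow records from an isolated IoT segment against the local-only
model: clients may reach only the AP/router's own services (MQTT broker,
DNS, DHCP). Everything else is a policy violation worth alerting on.
Constructed example; addresses, ports and the record format are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Assumed layout: the AP/router at 192.168.1.1 hosts the MQTT broker, DNS
# and DHCP for the IoT VLAN 192.168.1.0/24 (both values are assumptions).
ROUTER = ipaddress.ip_address("192.168.1.1")
IOT_SEGMENT = ipaddress.ip_network("192.168.1.0/24")
BROADCAST = ipaddress.ip_address("255.255.255.255")
# The only (proto, dport) pairs an IoT client may open towards the router.
ALLOWED_ROUTER_SERVICES = {("tcp", 1883), ("udp", 53), ("udp", 67)}
# RFC 1918 ranges, used instead of is_private so that documentation ranges
# such as 203.0.113.0/24 (stand-in for "the Internet" below) count as external.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<timestamp> <src> -> <dst> <proto>/<dport>'."""
    _ts, src, arrow, dst, service = line.split()
    if arrow != "->":
        raise ValueError(f"bad flow record: {line!r}")
    proto, dport = service.split("/")
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def classify(flow: Flow) -> str:
    """Verdict for one flow. Only 'ok' and 'not-iot' are non-alerting."""
    # DHCP discover/request: source may still be 0.0.0.0, destination is broadcast.
    if flow.proto == "udp" and flow.dport == 67 and flow.dst == BROADCAST:
        return "ok"
    if flow.src not in IOT_SEGMENT:
        return "not-iot"            # main/guest VLAN traffic: out of scope here
    if flow.dst == ROUTER:
        if (flow.proto, flow.dport) in ALLOWED_ROUTER_SERVICES:
            return "ok"
        return "router-other"       # e.g. SSH or web UI on the AP from an IoT device
    if flow.dst.is_multicast:
        return "multicast"          # mDNS/SSDP discovery; a fingerprinting vector
    if flow.dst in IOT_SEGMENT:
        return "lateral"            # client-to-client; client isolation should block it
    if any(flow.dst in net for net in RFC1918):
        return "other-segment"      # crossing into another VLAN
    return "internet"               # phoning home; never expected in this model


def audit(lines: Iterable[str]) -> dict[str, list[str]]:
    """Group records by verdict so violations can be reviewed per category."""
    report: dict[str, list[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        report.setdefault(classify(parse_flow(line)), []).append(line)
    return report


def violations(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Flattened (verdict, record) list of everything that breaks the policy."""
    return [(verdict, rec) for verdict, recs in audit(lines).items()
            if verdict not in ("ok", "not-iot") for rec in recs]


# Constructed sample: a well-behaved light switch (.42), a device probing a
# neighbour (.43), a "smart TV" doing mDNS and calling home (.44), and a
# laptop on the main VLAN (192.168.10.5) that the IoT policy ignores.
SAMPLE_FLOWS = """\
2024-12-18T15:19:01Z 0.0.0.0 -> 255.255.255.255 udp/67
2024-12-18T15:19:02Z 192.168.1.42 -> 192.168.1.1 udp/53
2024-12-18T15:19:02Z 192.168.1.42 -> 192.168.1.1 tcp/1883
2024-12-18T15:19:03Z 192.168.1.43 -> 192.168.1.1 tcp/1883
2024-12-18T15:19:05Z 192.168.1.43 -> 192.168.1.42 tcp/8080
2024-12-18T15:19:06Z 192.168.1.44 -> 224.0.0.251 udp/5353
2024-12-18T15:19:07Z 192.168.1.44 -> 203.0.113.10 tcp/443
2024-12-18T15:19:08Z 192.168.1.44 -> 192.168.1.1 tcp/22
2024-12-18T15:19:09Z 192.168.10.5 -> 203.0.113.10 tcp/443
""".splitlines()

if __name__ == "__main__":
    for verdict, rec in violations(SAMPLE_FLOWS):
        print(f"{verdict:13s} {rec}")
```

The same verdict table is what a firewall on the AP would have to enforce; running it over exported flow logs shows which devices would break under the policy before it is switched on.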
| generj wrote:
| Because less than 5% of the population knows what a VLAN is,
| let alone how to set one up for their IoT devices.
|
| Ideally Apple will resurrect the Airport and make it easy to
| have privacy and security in the home. An Airport-HomePod
| combo could do a lot of neat AI things in-house / on-prem.
| kbolino wrote:
| I wouldn't expect the average person to set anything up.
| I'd expect the AP to isolate all devices by default. Most
| of these devices and their corresponding apps are just
| reaching out to "the cloud" anyway. It's not like they
| actually treat the LAN they're on as a LAN.
|
| That having been said, I don't know for sure that most
| generally available consumer devices would actually work
| under this arrangement.
| 9x39 wrote:
| Client isolation (whether wireless, by broadcast domain,
| IP filtering) is in conflict with ubiquitous device
| casting/streaming/detection features common in apps,
| which often do expect the ability to find each other on a
| LAN.
|
| I think throwing those features out is a tough sell for
| the home consumer market, but makes sense in the SMB and
| above area.
| fidotron wrote:
| That's why you replace those features with things like a
| local mqtt broker. That way devices communicate only via
| the local services. I tried doing real time video first
| because it's widely assumed to be the hardest.
|
| Multicast is widely exploited for fingerprinting by smart
| TVs, unfortunately, much as I think mdns is a beautifully
| elegant idea.
| jalk wrote:
| > fundamentally we need to move to a home networking model that
| involves isolating all clients completely (especially cameras
| and smart TVs)
|
| That is currently solved by using separate SSIDs on individual
| VLANs (i.e. main, guest, iot), and firewall rules "mediate" the
| connection between the VLANs. I'm hand-rolling this with OpenWRT
| on the APs and main router (NanoPI R5C), with the ISP cable
| router in bridge mode. Can't say it was easy to set up though.
| bloomingkales wrote:
| I have one, should I be worried?
| amelius wrote:
| This is a real pity since TP-link makes reliable gear with a very
| good price/performance ratio (Linux user).
| alephnerd wrote:
| Conversely, I find Ubiquiti to provide a better product
| y-c-o-m-b wrote:
| I've found the opposite. The TP-link router I had was
| frustratingly unreliable, even when set up to reboot every
| night. Their firmware updates were slow to arrive. I tossed
| both the router and the TP-link PoE devices I had into the
| dumpster. My dad bought some TP-link devices and also
| complained about reliability issues. We've both vowed not to
| buy that junk again. Switched to ASUS a couple of years ago
| running ASUSwrt-merlin and haven't looked back.
| wtallis wrote:
| It seems a little unfair (and wasteful) that you didn't
| consider simply using decent third-party software on the TP-
| Link hardware you already owned, but rather bought new
| hardware and _then_ started using third-party software. ASUS
| consumer networking hardware is no higher quality than TP-
| Link consumer networking hardware, and _neither_ of them (nor
| anyone else operating in the consumer networking hardware
| market) provides high-quality software out of the box.
| imp0cat wrote:
| This is not my experience, but I use the AX73, which is not a
| completely bottom-of-the-barrel model.
| JaggedJax wrote:
| I have to agree here. I've had multiple TP-Link routers and
| all of them had regular random dropouts that would require
| reboots. They may work if you have 5 devices connected, but
| they are simply unreliable with even a moderate amount of
| devices and traffic. TP-Link is on my list of, "Not worth it
| at any price."
| constantlm wrote:
| I thought this was true. However after buying and trying to use
| one of their mesh products, I gave up and got rid of it. I bit
| the bullet and went with Ubiquiti, and I'll never buy anything
| else again. Worth the extra cost imo.
| nottorp wrote:
| There's that nagging feeling that they're not concerned about
| security but banning anything that works well, is inexpensive and
| isn't made by a US company...
|
| Anecdote: once I bought the cheapest router I could find online.
| The idea was to test connecting to a crap AP. Unfortunately the
| cheapest was a TP-Link and it worked absolutely perfectly,
| ruining my test plan.
| tiahura wrote:
| That doesn't seem likely. Are there really US companies
| clamoring to make 0 margin disposable electronics?
| bluGill wrote:
| The margin is not 0. There is a lot of $$$ in low margin
| disposable products (think toilet paper). However it takes
| great management to make money building such things and few
| companies are that good.
| rekabis wrote:
| Their firmware is absolutely riddled with flaws and exploitable
| vulnerabilities.
|
| Unless you are willing to re-flash their hardware with third-
| party firmware such as DD-WRT or OpenWRT, I would always
| encourage anyone to go with a company that keeps their firmware
| up to date, like Ubiquiti.
|
| It's not their hardware. It's their firmware which is the
| problem.
| nottorp wrote:
| Ubiquiti has already attempted to make their customers
| dependent on the "cloud" once. I believe there was some
| pushback and they just made it annoying to not use their
| online services, but I'd still like to know what they need my
| personal data for...
| buildbot wrote:
| According to their privacy policy, they don't collect or
| sell anything (besides the standard we run a website
| stuff).
|
| The nefarious, evil purpose of the cloud service is...just
| lock in. And being easy to configure.
| ryanianian wrote:
| For anyone curious about the vulnerabilities, this Ars
| article from November 2024 is a good read:
| https://arstechnica.com/information-
| technology/2024/11/micro...
| moduspol wrote:
| Perhaps the ban / tariff / regulation should be applied to
| companies making networking hardware that's riddled with
| flaws and exploitable vulnerabilities, rather than by naming
| specific companies or countries of origin.
| rekabis wrote:
| I would be fully open to the FTC/CRTC or whatever
| network/ISP regulator that exists in your country being the
| determiner of what should be exposed to world+dog. Let them
| do remote vulnerability scans once a day on all IP
| addresses assigned to domestic ISPs or locations physically
| in-country, then flag the IPs that have vulnerable routers.
|
| From there, they can force ISPs to contact their clients to
| demand the issue be resolved. If the client does not
| respond to the ISP, the ISP is forced to suspend the
| connection until the client can demonstrate a fix has been
| implemented. In all cases, that vulnerability vanishing has
| the ISP updated so the client is no longer in danger of
| being pestered.
|
| If the product is still being sold in stores, or is not
| very far past EoL, and there is no manufacturer patch
| available, those manufacturers must take their hardware
| back for a 100% MSRP refund, or provide an equivalent
| router without those exploits.
|
| It's only if the product has been no longer manufactured
| for a minimum set period of time - say, 7 years - that it
| is deemed "too far past EoL" for the responsibility for
| patching/replacing to fall on manufacturers, and
| responsibility finally falls to the consumer to
| replace/upgrade.
|
| In all cases, a customer can "fix" their router with third-
| party firmware such as OpenWRT or DD-WRT, but this also
| requires laws to be written that force manufacturers not to
| hardware-lock their routers, and force them to meet the
| minimum storage/driver-availability specs these third-party
| firmwares need.
| hindsightbias wrote:
| Even with the WRTs, the firmware is probably built by the
| manufacturer. Try finding the provenance of who wrote the
| source code and where they live. AFAIK, that's not possible.
|
| So you have a router built with Chinese components (all of
| the ones anyone here can afford) with closed and "open"
| firmware built by them. I bought one of those GL.inet "open"
| routers and the WRT packages bricked it, so I have a choice
| of reverting or flashing from the factory (which appears to
| be a link to HK).
|
| That's probably 99.99% of use cases. They're in your base and
| they always have been.
| rekabis wrote:
| > Even with the WRTs, the firmware is probably built by the
| manufacturer.
|
| Say you know nothing about router firmware without saying
| you know nothing about router firmware.
|
| OpenWRT and DD-WRT and other open-source third-party
| firmwares _are THIRD PARTY firmwares._ They have no
| connection with the manufacturer whatsoever.
| hindsightbias wrote:
| I just looked at 10 different openwrt data entries:
|
| > WikiDevi URL: https://wikidevi.wi-cat.ru/TP-LINK_Archer_C2_v3.x
|
| Every one had a .ru domain. How do you know, exactly, who
| built it? GL.inet builds their own WRT package. It's a
| "feature".
| rekabis wrote:
| > Every one had a .ru domain.
|
| Brand-new to the Internet, are ya?
|
| Just because you cherry-pick Russian _informational_
| sites doesn't mean that third-party firmwares have _any_
| connection to Russia whatsoever.
|
| Third-party firmwares are _open-source_ projects, worked
| on by tens of thousands of volunteers from around the
| planet, and frequently have ZERO CONNECTION to any one
| hardware manufacturer.
|
| There are some collaboration efforts, when a particular
| manufacturer decides to adopt an open-source firmware as
| the exclusive firmware for their own hardware, but that
| simply means the hardware is fully unlocked for _any_
| third-party firmware that wants to be adapted for that
| hardware. These manufacturers just decided that they had
| no desire to f**k over the consumer by locking them into
| custom-made firmware.
|
| For example, I believe Turris https://www.turris.com/
| takes a stock, latest copy of OpenWRT and makes a few
| tweaks to extend its capabilities for additional, server-
| like features.
| wtallis wrote:
| One slight correction/clarification: "firmware" in this
| context can sometimes be referring specifically to the
| firmware that runs on the WiFi radios, rather than the
| whole Linux OS running on the application processor. The
| WiFi firmware is closed-source and comes from the
| _silicon_ vendor rather than the router OEM: Qualcomm,
| Broadcom, or Mediatek, not TP-Link, ASUS, Netgear, etc.
| Even when running OpenWRT, you're still relying on that
| closed-source WiFi firmware to have a working radio. (The
| closest thing to an exception:
| https://www.candelatech.com/ath10k.php)
|
| WiFi NIC firmware is a much smaller attack surface than
| the whole Linux OS.
| adamc wrote:
| I dislike the pattern where we have to hook into their cloud.
| KerrAvon wrote:
| I think I can count the number of routers assembled in the US
| today on zero fingers.
|
| Some TP-Links are not great -- get a first gen C7, IIRC.
| bluGill wrote:
| I assume you are not counting hobbyist things.
| jdewerd wrote:
| I love cheap and reliable TP-Link routers as much as the next
| guy, but it's definitely also a security issue. The CCP almost
| certainly has a backdoor. Maybe a respectable one in the form
| of an undisclosed bug or the ability to lean on an update
| provider, but the point stands: it's absolutely a security
| issue and denying this is cope.
|
| Routers are going to be a bit more expensive and a bit less
| reliable for a while. We'll live.
| c22 wrote:
| Probably a better approach than the futile attempt to excise
| all routers with backdoors or bugs would be to continue the
| ongoing efforts to make network security router agnostic.
| throwawaymaths wrote:
| I had the opposite experience. I got a TP-Link that refused to
| work if I didn't register it. I tried to get customer service
| and there were so many dark patterns in their customer service
| queue (fake "you have X minutes in the queue" numbers, etc).
|
| Eventually I got through to a human who said you can't run it
| without registering it. It did NOT say that on the box.
|
| Shit like this is what the FTC should crack down on.
| pkaye wrote:
| I've been researching a new Wi-Fi router and heard lots of
| complaints that TP-Link doesn't provide many firmware updates?
| Is that not true? ASUS is not that much better but I do have an
| option of using the AsusWRT-Merlin open source alternative on
| their router.
|
| Another thing I've noticed is companies tend to still sell
| their models which are close to EOL on their website. Something
| needs to be done about that.
| dole wrote:
| That's true, TP-Link isn't great about keeping their consumer
| product firmware secured or updated. ASUS isn't much better
| but when it comes to network gear, you kind of do get what
| you pay for.
|
| Selling models close to EOL or trying to hold hardware makers
| responsible for firmware security has been an issue for
| decades.
| giantg2 wrote:
| Are there manufacturers that are consumer focused that are
| good about security and updates? Some of the ASUS models
| are not particularly cheap, raising the question of why not
| go with business oriented models.
| throw0101c wrote:
| > _That's true, TP-Link isn't great about keeping their
| consumer product firmware secured or updated. ASUS isn't
| much better but when it comes to network gear, you kind of
| do get what you pay for._
|
| If this is actually the case then you should contact the
| FTC because Asus is under an order to pay attention to
| security:
|
| * https://www.ftc.gov/news-events/news/press-
| releases/2016/07/...
|
| I have an Asus RT-AC68U that I bought ages ago that's still
| getting regular first-party firmware updates (plus the ones
| from Merlin). Currently using ISP-provided hardware, but
| given my past experience I'd definitely look at Asus as an
| option if I needed a new router.
| dole wrote:
| I have an Asus RT-AC1200, released in 2019 that hasn't
| had a firmware update since 2021/05 which is the reason
| why I bought the TP-Link. I do see Asus has a Nov 2024
| firmware for that RT-AC68U on their site.
|
| As far as my TP-Link router, I think I remember it being
| stuck on a 2022/09 firmware until at least 2023/09, and I
| wound up flashing it with OpenWRT earlier this year.
| throw0101c wrote:
| The AC1200 series was originally released in 2015:
|
| * https://wikidevi.wi-cat.ru/ASUS_RT-AC1200_series
|
| The V2 seems to be exactly the same except for some minor
| chip revisions (e.g., -DAN vs -AN), perhaps due to OEM
| part availability.
|
| OpenWRT also supports (supported?) the V2:
|
| * https://openwrt.org/toh/asus/rt-ac1200_v2
| glimshe wrote:
| What is a good brand today? TP Link is abysmal and my
| NetGear Orbi is feature light without their subscription.
| Even then, their app is very buggy.
|
| Google and Amazon are full of spyware. I feel I have
| nowhere to run!
| cassianoleal wrote:
| It depends on your use, but generally anything that runs
| OpenWRT should be good. The fairly inexpensive GL.iNet
| GL-MT6000 (Flint 2) seems pretty good for a decent price.
| Comes with a Chinese fork of OpenWRT but you should be
| able to easily flash upstream.
|
| Another option is the recently released official OpenWRT
| One.
|
| https://openwrt.org/toh/openwrt/one
| somerandomqaguy wrote:
| Mikrotik maybe? I don't know if they're any good but they
| have a statement on the bottom of the page indicating
| software updates to either end of product life or minimum
| of 5 years after purchase date.
| alias_neo wrote:
| It's absolutely true, I have a graveyard of fairly high-end
| consumer routers that were thrown in the pile as soon as they
| stopped getting updates, they range from Asus, TP-Link to
| Belkin.
|
| I switched to Ubiquiti EdgeRouters for a while but they went
| the way of the dodo too, so now I use a Protectli box
| running Coreboot and OPNSense; it's essentially just a PC
| with nice Intel NICs that play nice for networking in a small
| fanless form-factor that you can install a router OS on
| (pfSense, OPNSense etc) and always be up to date.
| 2Gkashmiri wrote:
| Curious. A layman here.
|
| I own one dlink router I bought in 2014. Has been running
| since then. 0 updates.
|
| What "update" should I give my router?
|
| Forgive my ignorance
| alias_neo wrote:
| The manufacturers should release "firmware" updates; they
| update the software in the router and fix vulnerabilities
| or add features.
|
| Your D-Link router from 2014 likely stopped receiving
| updates within 2-4 years of its manufacture so updating
| now will still leave you quite outdated, if the
| manufacturer released any updates at all (and if they
| did, they may even have pulled them offline as we're now
| 10 years after the fact).
|
| If you're concerned about the security, you can check if
| your router is supported by an open-source OS like
| OpenWRT and flash that over the factory software, or
| upgrade to a newer model (bearing in mind another
| consumer router will only get you a few short more years
| of updates).
|
| If you're really cautious (like I am) you buy something
| that you can install a router OS on that you know will
| always be updated; pfSense, OPNSense, OpenWRT, Vy etc.
| pkaye wrote:
| There are always new security vulnerabilities found on
| these network devices and they directly face the
| internet. Most of these companies tend to EOL them after
| a few years and often continue to sell that close to or
| after the EOL date.
|
| This link is from a quick query on dlink routers.
|
| https://unit42.paloaltonetworks.com/6-new-d-link-
| vulnerabili...
| whatevaa wrote:
| I can't upgrade my Mikrotik because new firmware breaks wifi.
| Known issue, ignored. So updates are not always useful.
| TiredOfLife wrote:
| Can you link to this known issue?
| kwanbix wrote:
| I am not a US citizen, nor do I live there. However, I trust the
| Chinese government much less than the US one. So I get the
| banning if they really believe they could have a trojan horse.
| What I don't get is, what guarantees you that there is not a
| trojan horse on any electronic device they produce?
| alias_neo wrote:
| I suppose the issue is really the risk; attacks on
| infrastructure need to route over networks; even a completely
| vulnerability ridden machine isn't a risk if it isn't
| reachable from the net (inbound or outbound).
|
| Routers are the gateways into all sorts of networks, and they
| see/control all of the traffic in and out and often between
| devices on the network; they're a critical junction.
| taco_emoji wrote:
| This is an extremely good question that our government (I'm
| American) is completely disinterested in asking or answering.
| eightysixfour wrote:
| If the US was serious about this or TikTok, they would create
| security and privacy rules that applied to everyone. Instead
| they are targeting individual companies, which means it has
| little to do with security or privacy.
| giantg2 wrote:
| If they did that, it would mean the "good" spy agencies
| wouldn't have platforms. This is selective so they can just
| ban the platforms of "bad" spy agencies.
| AnarchismIsCool wrote:
| I can't wait to see TP-Link being sold rebranded on amazon as
| "ANDORBEST FASTEST PRO ROUTER ACCESSPOINT CHAINSAW WEEDEATER
| PINEAPPLE YOGURT"
| all2 wrote:
| This reads like my BTC wallet recovery string.
| pixl97 wrote:
| >There's that nagging feeling that they're not concerned about
| security but banning anything that works well, is inexpensive
| and isn't made by a US company..
|
| Two things can hold true at the same time. A US company selling
| US equipment and US software can have US law enforcement agents
| show up and point US guns at them for non-compliance.
|
| But that in turns sets up a captive market where the US players
| in the market are more likely to perform collusion and raise
| prices.
| AnarchismIsCool wrote:
| Non-compliance is a weird way of saying "refusal to install
| US backdoors"
| whimsicalism wrote:
| Nagging feeling? That is absolutely what is happening, unless
| the US is claiming there is some backdoor in Chinese cars.
| throw0101c wrote:
| > _There 's that nagging feeling that they're not concerned
| about security but banning anything that works well, is
| inexpensive and isn't made by a US company..._
|
| The FTC went after (Taiwan-based) Asus for security reasons:
|
| > _After a public comment period, the Federal Trade Commission
| has approved a final order resolving the Commission's complaint
| against ASUSTeK Computer, Inc., charging that critical security
| flaws in its routers put the home networks of hundreds of
| thousands of consumers at risk._
|
| * https://www.ftc.gov/news-events/news/press-
| releases/2016/07/...
|
| So 'legitimate' security concerns have been a thing in the
| past.
| ralferoo wrote:
| Totally agree. The only line that really stood out to me in the
| whole article was "... has grabbed a 65% market share in the
| United States..."
| Havoc wrote:
| These sorts of bans won't affect those willing to play it fast &
| loose.
|
| eBay, AliExpress, reshipper, friend in Europe... there is always
| a way.
| amelius wrote:
| Can we start banning hardware companies __after__ we have banned
| the selling of user data to the highest bidder (which might as
| well be Chinese companies)?
| ToucanLoucan wrote:
| Fuck no. There is NO effort at all here to go after
| surveillance capitalism, I don't give a shit what their press
| releases say about "protecting Americans' privacy." It's
| straight horseshit. The biggest offenders to Americans' privacy
| are squarely in Silicon Valley, and the only companies that
| ever end up in the Government's crosshairs are the _big scary
| Chinese ones_ that are gonna use their algorithms to turn you
| into a communist or whatever the fuck.
|
| And FWIW to anyone in power who happens to read this, I was
| plenty radicalized by my own experiences and those of my
| friends under capitalism. China didn't do shit.
| pixl97 wrote:
| This is a pretty poor take. Whoever is getting the
| information is going to use it for their benefit. The Chinese
| government is a scary government, this does not take away
| from or add to the US government being a scary government.
| ToucanLoucan wrote:
| You're correct, and banning TikTok and/or TP-Link is not
| going to stem the flow of user data to the companies who
| sell it, not even a little bit. Hence my comment: this is
| not about protecting anyone's privacy, it's about keeping
| American tech companies on top.
| eqvinox wrote:
| I agree with you on content but unfortunately you're
| communicating it very poorly. 1 notch down on the bile?
| ToucanLoucan wrote:
| Apologies. Jingoistic nonsense that parrots talking points
| about _actual problems that need solutions_, in this case
| reining in user data collection, in service of
| protectionism for precious American companies to continue
| their unethical behavior, makes me puke.
| archagon wrote:
| I think it's a better written and more earnest comment than
| most I see on this site.
| taco_emoji wrote:
| I completely disagree, I appreciate the passion. Please
| stop treating your personal aesthetic preferences as
| objective.
| zamadatix wrote:
| ToucanLoucan's message has some great discussion points
| but the half of the thread doing something useful with
| them only got there by managing to ignore the "fuck no
| shit horseshit fuck shit" portions. Even if one labels
| that as an aesthetic choice over one core to what
| promotes quality online conversation, fulmination isn't a
| requirement of conveying passion.
| 2OEH8eoCRo0 wrote:
| I chucked my only piece of TP-Link equipment a few months ago out
| of caution.
| pjmlp wrote:
| Yet another step for nationalists to start pushing for internal
| technologies across the globe.
|
| Slowly I am feeling like I'm back in the world geopolitics of my
| childhood.
| neilv wrote:
| I'm currently upgrading my home network, trying various options,
| and one of the headaches is _provenance_ of the equipment.
|
| By provenance, I mean where it's designed, where it's
| manufactured, who has brand oversight of it, who controls the
| firmware, who runs the IoT phoning-home servers, etc.
|
| (I don't have high security requirements for home, but I pay
| attention to such things out of curiosity.)
| alias_neo wrote:
| The closest I've been able to get is to buy a Protectli box,
| replace the AMI with Coreboot that you can compile yourself,
| and install OPN/PFSense.
|
| It's still Chinese hardware, but it's warrantied by Protectli
| and you have control over the bits you can change.
|
| My first move out of the consumer "junk" was Ubiquiti
| EdgeRouters but their software quality declined a few years
| back, and my models got no more updates, then my main router
| died. My overkill i3 6-port Protectli box has been running
| great ever since; first with pfSense now OPNSense; I'll only
| replace it when it dies or I want 10GbE routing.
| dvdbloc wrote:
| What solution do you use for wireless access points? That's
| generally my problem, you can find plenty of solid hardware
| to run pfSense on but as soon as you look at access points
| everything seems to be proprietary something or from
| questionable sources.
| alias_neo wrote:
| I currently use a bunch of Unifi APs, not got full-house
| coverage yet, but I have key areas and run their management
| software on a Raspberry Pi.
|
| They've mostly been solid, and aren't too expensive. I did
| replace the one in the hall (on the ceiling) outside my
| living room recently though, upgrading it from an AP-AC-Pro
| to an U6-Pro and the range is significantly worse on the
| same WiFi spec, making the living room TV basically
| unusable for streaming, despite being flawless on the older
| AP.
|
| I'm going to try the newer U7 Pros and if that doesn't work
| out, I'll start looking at alternatives, but I suspect
| anything acceptable will be more expensive. I run ethernet
| almost everywhere so WiFi is just for our
| mobiles/laptops/tablets/IoT, but the TV in the living room
| currently has no easy way to get cables to so that AP is
| critical.
| toast0 wrote:
| Try to get something that runs OpenWRT (or can run it) and
| isn't like super tight on flash space. Although I'm having
| some issues with my latest batch of access points; I have a
| few clients that seem to have more trouble staying
| associated, and I was hoping to use 802.11r, k and v and
| DAWN, but I had to turn all of them off because too many
| subsets of the clients wouldn't work with some of those.
|
| I'm coming to the realization that mixed 2.4 GHz/5 GHz
| access points aren't a great idea. If I wanted consistent 5
| GHz coverage, I'd need a lot more access points, but I'd
| want to turn the 2.4 GHz radios off on most of them because
| 2.4 GHz goes too far.
| VTimofeenko wrote:
| Ruckus is awesome. R710 and similar models are pretty cheap
| off-lease on ebay.
| ssl-3 wrote:
| I use Mikrotik access points at home. They're not the
| simplest to configure, but they aren't daunting to someone
| who has been futzing around with networking for awhile. I
| like that they allow me to implement whatever weird stuff I
| can dream up, and that I can generally implement that weird
| stuff all in the GUI.
|
| The hardware is relatively inexpensive and seems to be
| rather stable, the company is based in Latvia, and the
| manufacturing (or at least the board-stuffing and
| injection-molding) seems to primarily be done in Europe.
| Some of their stuff is pretty flexible about what kinds of
| PoE it can work with.
|
| All of the Mikrotik stuff I'm aware of runs their Linux-
| based RouterOS. This means they all get the same user
| interface -- the same for a "switch," for an "access
| point," and for a "router."
|
| I like that this blurs the lines between different device
| classes. For instance, my access points have two Ethernet
| ports on them, and two radios. I can use them as simple
| access points, or as routers, or as switches... or all of
| this at the same time. Whatever I want to do with them is
| fine: It's just a highly-configurable device with _n_
| hardware interfaces available on it.
|
| I could replace the separate switch and OpenWRT router that
| I have on a shelf in the basement with a singular Mikrotik
| switch that did both jobs if I wanted to. (I probably would
| not, and it probably would never make sense to do so, but
| their software allows me to do as many nonsensical things
| as I choose. That's a good thing.)
| mikece wrote:
| How much of a difference does it make to use Coreboot rather
| than AMI? (I'm running OPNsense on a Protectli box
| currently...)
| alias_neo wrote:
| It really depends. Coreboot is open source and you can
| review the code, it's also much lighter (though fewer
| things can be tweaked), vs AMI which we don't know/can't
| check what it contains.
|
| For me, wanting as much open source in the stack as
| possible, it gives me peace of mind, but it really depends
| on the individual.
|
| All I can really suggest, is to take a look at the Coreboot
| site[0] and see if it sounds like something you'd want.
|
| [0]https://www.coreboot.org/
| Infernal wrote:
| FWIW I thought my EdgeRouter X died a few years back, power
| light would blink but wouldn't boot up - turned out to be a
| dying wall wart. Swapped it out for one I had lying around
| that happened to match voltage/current/connector and that was
| maybe 3 years ago.
| nobody9999 wrote:
| >I'm currently upgrading my home network, trying various
| options, and one of the headaches is provenance of the
| equipment.
|
| If you're concerned about provenance (or even if you're not), I
| suggest using a general purpose device and rolling your own à la
| pfSense[0]/OPNSense[1], etc, or just use one of the BSDs or
| Linux and use native tools or one of the many router/firewall
| distros[2]
|
| [0] https://www.pfsense.org/
|
| [1] https://opnsense.org/
|
| [2]
| https://en.wikipedia.org/wiki/List_of_router_and_firewall_di...
| neilv wrote:
| One of the things I learned while building such a server-
| based box is that eBay is awash in counterfeit high-end Intel
| NICs.
|
| Regarding pfSense and OPNsense, I recently built and used a
| nice OPNsense box, including IPS, but decided to go back to
| OpenWrt for home use, because OpenWrt actually worked a bit
| better for the things I needed.
|
| I might use pfSense (or maybe OPNsense) router for a startup
| office of more than several people, though (until we can
| cost-justify a dedicated IT infra&support specialist). With
| OpenWrt on the WiFi APs.
| nobody9999 wrote:
| >One of the things I learned while building such a server-
| based box is that eBay is awash in counterfeit high-end
| Intel NICs.
|
| Assuming you mean NUCs[0] and not NICs, I'm sure you're
| correct. That said, there are many _other_ fanless miniPCs
| which are both less expensive and, as such, much less
| likely to be counterfeited.
|
| >Regarding pfSense and OPNsense, I recently built and used
| a nice OPNsense box, including IPS, but decided to go back
| to OpenWrt for home use, because OpenWrt actually worked a
| bit better for the things I needed.
|
| A fair point. The device I use as a router/firewall came
| pre-installed with OPNSense, which I immediately wiped and
| replaced with a vanilla Linux install and customised it to
| my own taste.
|
| I mentioned OPN/pfSense not because I use them, but because
| they offer a _fairly_ complete solution without having
| strong networking knowledge. Rolling your own is, IMNSHO,
| definitely superior to those, as well as to OpenWRT.
|
| As for WiFi, I restrict my APs to just bridging to my wired
| network and have implemented strong egress filtering to
| control outbound access.
|
| >I might use pfSense (or maybe OPNsense) router for a
| startup office of more than several people, though (until
| we can cost-justify a dedicated IT infra&support
| specialist). With OpenWrt on the WiFi APs.
|
| That's not a bad idea at all. Although you might also
| consider one or more of the other distros/packages in the
| Wikipedia link[1] I included in my previous comment. Good
| luck!
|
| [0] https://en.wikipedia.org/wiki/Next_Unit_of_Computing
|
| [1] https://en.wikipedia.org/wiki/List_of_router_and_firewa
| ll_di...
| neilv wrote:
| I mean Ethernet NICs. For example, various PCIe quad-port
| models.
|
| (I used industrial NUC PCs as part of factory stations
| for a startup a few years ago, and they were nice. I
| looked into NUCs for home routers/firewalls, but I didn't
| like their NIC options.)
| nobody9999 wrote:
| >I mean Ethernet NICs. For example, various PCIe quad-
| port models.
|
| My misunderstanding. Apologies.
|
| I use something similar to this[0] device, which has
| 4x 2.5Gb Ethernet ports and no WiFi (which was my
| preference) interface.
|
| As such, no additional NICs were required, even with a
| dual ISP configuration.
|
| [0]
| https://www.amazon.com/gp/product/B09J4H9ZXY?ie=UTF8&th=1
| rsync wrote:
| An aside: I, also, was frustrated by the lack of multi-
| NIC options on NUC sized computers and was pleased to
| find this vendor: gmktec.com.
|
| Many of their NUC-sized computers have dual physical LAN
| ports.
| dfc wrote:
| No, they meant counterfeit NICs. It has been a problem
| for a long time now for anyone trying to find a deal on
| Intel NICs:
|
| https://www.servethehome.com/identifying-risky-
| counterfeit-i...
| SoftTalker wrote:
| Yeah don't buy this stuff on eBay or Amazon. Buy from a
| reputable vendor.
| gessha wrote:
| Such as? Also, is this new gear or second hand gear?
|
| (I'm looking at my stack right now and looking to
| upgrade)
| SoftTalker wrote:
| CDW, B&H Photo, anyplace that doesn't commingle inventory
| and doesn't allow random sellers on their platform.
| klowner wrote:
| I'm extremely fond of Mikrotik gear, they're capable of pretty
| much anything and really reasonably priced. They're out of
| Latvia.
|
| The only thing is they're definitely not designed for regular
| consumers, you at least need familiarity with Linux networking.
| AnarchismIsCool wrote:
| I have some of their stuff and really like it. It's not fully
| plug and play, but it's some of the best kit on the market
| for tech people.
| TiredOfLife wrote:
| > The only thing is they're definitely not designed for
| regular consumers, you at least need familiarity with Linux
| networking.
|
| Mikrotik has had quickset (a single page configuration for
| home use) for 8+ years, and an Android Home app for 3+ years.
| baq wrote:
| The one time I tried to use the quickset page was to set up
| an AP and it did. I was rather surprised that it didn't
| configure an IP address to access the admin page
| afterwards...
| greycol wrote:
| It's a hard problem because when you start asking questions
| about what an unqualified home user needs it's easy to say
| just one more thing.
|
| port forwarding? Of course, how else can the kid have a
| minecraft server with friends
|
| dynamic dns? then the friends don't need to search "what's
| my ip" every time
|
| parental controls? to schedule how much time they can play
| minecraft...
|
| I like Mikrotik but for anyone trying to go beyond the
| barebones default firewall/router/ap on the quickset page
| you need to be prepared to learn. i.e. To make a DHCP
| reservation, you go through the menus until you click IP,
| then you realise you don't click on DHCP client to set up a
| DHCP client you go into DHCP server and try to give a
| device a reservation which requires the step of making it
| static first then separately setting its IP.
|
| The complaint basically boils down to: they have all the
| options there and available and the least common task is
| just as easy to do as the 2nd most common (after initial
| basic setup), and if a task touches multiple parts of the
| config you need to touch each of those parts. Great for
| someone who knows what they're doing but for a home user it
| would be great to have more quickset pages for the 2nd to
| 10th most common tasks (as intangible as that list is).
| tails4e wrote:
| Their software is incredibly powerful, but also quite
| opaque to someone not into hardcore networking. I setup a
| small private WISP using their gear and configuring it was
| pretty rough for a non networking nerd. It's not running
| Linux, but a custom OS. The quickset is handy, but as soon as
| you want to do something slightly different, you're up to
| your neck in low level config. Still great HW and if you know
| how it can do everything you need. Ubiquiti gear has a
| friendlier interface.
| ssl-3 wrote:
| Mikrotik gear absolutely runs Linux. It just uses a custom
| userland.
|
| Ubiquiti gear is structured the same way: It, too,
| absolutely runs Linux, and it uses a custom userland.
|
| One of these userlands is friendlier than the other, but
| they're both still Linux.
|
| It's a tale as old as the hills, or at least as old as the
| OG Linksys WRT54G -- which was my own first foray into
| owning dedicated routing hardware ~20 years ago (which was
| -- guess what -- Linux with a custom userland). (Previous
| to that, I used Linux with the userland of my choosing on
| my desktop PC.)
| 9x39 wrote:
| I love Mikrotik too and the price point, but it's for people
| who know network engineering or need a particularly rare type
| of gear (like a small inexpensive 10G SFP switch).
|
| I tell people to jump into Ubiquiti's (ui.com) ecosystem
| which is much more accessible for power users who
| occasionally wrestle with concepts like wireless, VLANs,
| subnets, and traffic rules.
| m463 wrote:
| I bought one and ran their firmware but it phoned home. Kept
| on sending packets to some weird ip address at boot.
|
| So I installed openwrt. They're actually pretty well
| supported by openwrt (except for the newer 10g switches)
| rpcope1 wrote:
| This is what makes me concerned about ever needing to upgrade
| from my PC Engines APU2. It's about as open as a piece of
| hardware can get, including using coreboot, but now that
| they've wound down, there's not a lot of good options that
| occupy the same niche.
| transpute wrote:
| PC Engines was a Swiss company with Taiwan manufacturing.
|
| Since APU2 schematics are open, rebooting PC Engines as a US
| company could be initiated by US leadership requesting AMD to
| restart production of the AMD GX-412TC SoC, until AMD can
| ship a Ryzen Embedded alternative with comparable power
| efficiency. The lack of a replacement SoC forced the end of
| APU2 and PC Engines.
|
| National policy tools are not limited to banning negative
| examples, they can also encourage scaling of positive
| existence proofs.
| throwaway48476 wrote:
| Openwrt now has official hardware.
| bilal4hmed wrote:
| So what are my options here now? I run an omada system - do I
| move over to ubiquiti or DIY with opnsense ? if firmware is the
| issue then an entirely open system is what makes sense here.
| ulfw wrote:
| Things get dumber by the day. I'm very happy with my TP-Link Deco
| mesh router.
|
| The US outsourced absolutely everything to China and is now
| banning it up, down and centre. Schizophrenic much?
| pixl97 wrote:
| No, we just had the capital class sell us out for money, and
| now that the world is beating the war drums again we realize
| how much of a fuckup it was.
| whimsicalism wrote:
| then tax them, don't go crazy over some foreign policy
| paranoia - and it _is_ paranoia.
| HankB99 wrote:
| I upgraded to Deco mesh (2 nodes) about a year ago. They
| perform well, but the settings have been dumbed down quite a
| bit. I'm using them as APs and have a small box running pfSense
| connected to my cable modem. The Deco AP should be unreachable
| from the Internet but still have full access to the Internet.
|
| In theory no black hat should be able to access them from the
| Internet but they could call out and ask for commands if they
| are so programmed.
| ksec wrote:
| I will take this opportunity to ask if anyone want Apple to make
| AirPort Extreme again?
| tgeorge wrote:
| I wonder what happens to their Kasa brand of smart devices then.
| I have bunch of wall switches and smart power plugs with them.
| ljoshua wrote:
| I have two Kasa light strips (KL400) and anecdotally I've
| noticed that its performance degrades every other day or so to
| the point where it stops responding to change commands.
|
| The fix? Blocking all inbound and outbound WAN (internet)
| traffic to it. Now works flawlessly, just like you think a
| light strip would. I only ever want to issue commands locally
| anyway, and why it should be talking to the broader internet in
| that case is beyond me.
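Added example, not code from the thread, from TP-Link, pfSense or OpenWrt: HankB99 above notes that an AP which is unreachable from the Internet can still "call out and ask for commands", ljoshua fixed a misbehaving Kasa strip by blocking all WAN traffic to and from it, nobody9999 mentions egress filtering on bridged APs, and m463 saw a Mikrotik sending packets to an odd address at boot. The Python below does both halves of that for a Linux router such as OpenWrt: it parses standard netfilter LOG lines (the iptables/nftables `log prefix` format) for new flows from an IoT/AP VLAN to the WAN, reports every destination outside an explicit allowlist, and renders the nftables forward-chain rules that enforce the same policy. The interface names, the 192.168.50.0/24 IoT VLAN, the single allowed NTP server and the log lines themselves are all constructed for the example.

```python
"""Detect IoT/AP devices phoning home from netfilter LOG lines.

Added example for this thread, not code from TP-Link, pfSense, OpenWrt or
any vendor.  Assumes a Linux router (e.g. OpenWrt) whose forward chain logs
IoT-to-WAN packets with the standard netfilter LOG format, an IoT/AP VLAN
192.168.50.0/24 on bridge br-iot and WAN on eth0; all names and the sample
log lines are constructed for the example.
"""
import ipaddress
import re
from collections import Counter, defaultdict

IOT_IF = "br-iot"                                   # assumed IoT/AP bridge
WAN_IF = "eth0"                                     # assumed WAN interface
IOT_NET = ipaddress.ip_network("192.168.50.0/24")   # assumed IoT/AP VLAN
# Local networks a device may talk to freely (RFC 1918).  Deliberately not
# ip_address.is_private, which in Python also covers the documentation
# ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) used in the sample.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# WAN egress that is allowed: (proto, dport) -> destination networks.
# Here only NTP to one assumed time server; everything else is "calling out".
ALLOWED_EGRESS = {
    ("UDP", 123): [ipaddress.ip_network("198.51.100.9/32")],
}

# Constructed sample log (MAC/TOS/PREC fields trimmed for width).
SAMPLE_LOG = """\
Dec 18 20:01:02 gw kernel: IOT-WAN: IN=br-iot OUT=eth0 SRC=192.168.50.20 DST=203.0.113.7 LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=49152 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 18 20:01:02 gw kernel: IOT-WAN: IN=br-iot OUT=eth0 SRC=192.168.50.20 DST=203.0.113.7 LEN=52 TTL=63 ID=2 DF PROTO=TCP SPT=49152 DPT=443 WINDOW=502 RES=0x00 ACK URGP=0
Dec 18 20:01:03 gw kernel: IOT-WAN: IN=br-iot OUT=eth0 SRC=192.168.50.20 DST=198.51.100.9 LEN=76 TTL=63 ID=3 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 18 20:01:04 gw kernel: IOT-WAN: IN=br-iot OUT=eth0 SRC=192.168.50.21 DST=192.0.2.44 LEN=60 TTL=63 ID=4 DF PROTO=TCP SPT=40000 DPT=8883 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 18 20:01:05 gw kernel: IOT-WAN: IN=br-iot OUT=eth0 SRC=192.168.50.20 DST=203.0.113.7 LEN=60 TTL=63 ID=5 DF PROTO=TCP SPT=49153 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 18 20:01:06 gw kernel: IOT-LAN: IN=br-iot OUT=br-lan SRC=192.168.50.21 DST=192.168.1.5 LEN=60 TTL=63 ID=6 DF PROTO=TCP SPT=40001 DPT=9999 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 18 20:01:07 gw kernel: LAN-WAN: IN=br-lan OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TTL=63 ID=7 DF PROTO=TCP SPT=5000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_line(line):
    """Return the KEY=value fields of a netfilter LOG line, or None if it is not one.

    The "_new" flag marks a new flow: a TCP SYN, or any UDP datagram.
    """
    fields = dict(KV.findall(line))
    if not {"IN", "OUT", "SRC", "DST", "PROTO"} <= fields.keys():
        return None
    fields["_new"] = fields["PROTO"] != "TCP" or bool(re.search(r"\bSYN\b", line))
    return fields


def calls_out(f):
    """True if this packet is IoT/AP traffic leaving via the WAN outside the allowlist."""
    if f["OUT"] != WAN_IF:
        return False
    src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
    if src not in IOT_NET or any(dst in n for n in LAN_NETS):
        return False
    allowed = ALLOWED_EGRESS.get((f["PROTO"], int(f.get("DPT", 0))), ())
    return not any(dst in n for n in allowed)


def phone_home_report(log_text):
    """Per source device, which (dst, proto, dport) it tried to reach and how often.

    Only new flows are counted, so one connection attempt is one hit.
    """
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["_new"] and calls_out(f):
            report[f["SRC"]][(f["DST"], f["PROTO"], int(f.get("DPT", 0)))] += 1
    return {src: dict(c) for src, c in report.items()}


def nft_rules():
    """Render nftables forward-chain rules enforcing the same policy:
    log everything IoT->WAN (feeds the report above), accept the allowlist, drop the rest."""
    rules = [f'iifname {IOT_IF} oifname {WAN_IF} log prefix "IOT-WAN: "']
    for (proto, dport), nets in ALLOWED_EGRESS.items():
        dsts = ", ".join(str(n) for n in nets)
        rules.append(f"iifname {IOT_IF} oifname {WAN_IF} ip daddr {{ {dsts} }} "
                     f"{proto.lower()} dport {dport} accept")
    rules.append(f"iifname {IOT_IF} oifname {WAN_IF} drop")
    return "\n".join(rules)


if __name__ == "__main__":
    for src, hits in phone_home_report(SAMPLE_LOG).items():
        for (dst, proto, dport), n in hits.items():
            print(f"{src} -> {dst} {proto}/{dport}: {n} new flow(s)")
    print(nft_rules())
```

Run it as is to see the report for the constructed sample, or feed it `logread` or `journalctl -k` output from a router that has the rendered log rule in place. Logging before the drop rule is deliberate: the report then shows what each device keeps trying to reach even after it has been cut off, which is the "call out and ask for commands" behaviour HankB99 is worried about. On pfSense the same policy is an interface rule set with logging enabled, but its filterlog CSV format needs a different parser than the netfilter one used here.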
| eqvinox wrote:
| To be fair, TP-Link routers without OpenWRT installed _should_ be
| banned, considering their vulnerability history...
|
| But they _are_ nice and cheap OpenWRT platforms. Ban the software
| instead? ;D
| myself248 wrote:
| Exactly this. I don't want my source of hardware to dry up, but
| I'd love if ISPs wouldn't allow the stock firmware to connect
| to their networks.
|
| I bought a pair of TP-Link units specifically because OpenWRT
| ran well on them. If I had to get something more expensive, I
| might not decide to keep a cold spare.
| m000 wrote:
| Yes, but if they did that, they would have to enforce the same
| rule on routers of US companies. So the net advantage for the
| US companies would be zero (which I believe is the point - the
| "hacking fears" is just a smokescreen).
| dokyun wrote:
| God forbid any of that corrosive communist "free software"
| touch our pure American companies.
| Havoc wrote:
| I'm sure you'll be able to still get older gen openwrt
| compatible stuff.
|
| The newer generations of TP links are a different beast
| entirely. Doubt you can even set it up local only let alone
| openwrt it
| emchammer wrote:
| I'm wondering if this suspicion should apply to TP-Link wifi
| range extenders as well as they should be just layer 2 devices.
| I tried installing OpenWRT on my TP-Link extender, everything
| was supposed to be compatible, but it did not work.
| wtallis wrote:
| > TP-Link wifi range extenders as well as they should be just
| layer 2 devices
|
| Nope. Any device that has a wired Ethernet port _and_ an
| antenna cannot be just a layer 2 device; WiFi is not just a
| wireless Ethernet. Also, any device that you can ping by IP
| address and configure over the network rather than over a
| serial cable is operating above layer 2 for at least the
| control plane.
| whimsicalism wrote:
| what i would give to live in a rational well-run country, rather
| than one governed by populism, paranoia, and jingoism
| pixl97 wrote:
| Tell me when you find that planet. Nation-states have nation-
| state interests and politics has not changed in thousands of
| years.
| whimsicalism wrote:
| I have a nation state interest in getting wealthy and trading
| our comparative advantage. Not paranoid delusions and one-
| sided brinksmanship.
|
| China can produce things cheaper than we can. "Industrial
| policy" to make a wealthy nation like the US a competitive
| low-cost manufacturing hub is delusional. Let us focus on
| what we are good at and other countries focus on what they
| are good at.
|
| Realpolitik is making our country wealthier and rationally
| approaching emerging risks, not banning cheap cars and solar
| panels because other countries are too good at making them.
| Let alone engaging in trade wars with our allies and banning
| acquisitions from Japan.
| shadowerm wrote:
| To believe this is paranoid is rather delusional really. You
| should try reading less political bullshit that is rotting your
| brain.
| showerst wrote:
| What's everyone's recommended replacement brand for home users?
| Mikrotik?
| lotsofpulp wrote:
| I'd go with Aruba instant on.
|
| https://www.arubainstanton.com/
| daft_pink wrote:
| Ugh, I use TP-Link Omada and I really don't want to rip out
| everything to switch it to Unifi.
| sharpshadow wrote:
| "investigators believe that TP-Link routinely fails to address
| vulnerabilities in its products that are shipped to customers who
| use the routers for both home and business purposes" Good luck
| finding someone who is able to address this issue and can
| deliver the same number of devices in the price range.
|
| Sounds like they want to apply pressure to TP-Link so they start
| to fix more and faster.
| eduction wrote:
| Wirecutter's top two router recommendations are both TP-Link. Near
| the top of the review they praise "Hitting the sweet spot between
| price and performance" but then bury the disclosure that you have
| to pay extra for security, including "most protection."
|
| "TP-Link also offers a $5-per-month or $36-per-year plan for
| Security+ network protection and IoT security. If you don't pay,
| you still get some basic functionality such as the ability to
| block websites and to manually toggle internet access on your
| kids' devices, but advanced settings, automatic timed internet
| control, most protection, and reporting are disabled after the
| one-month free trial. That said, the Archer AX3000 Pro will
| continue to provide solid Wi-Fi connectivity even if you don't
| sign up for the added plans."
|
| This report is a great example of why it's a bad deal to trade
| away security for a lower price. Wirecutter should have been
| leading the way in pointing this out, instead of just steering
| people to the cheapest fast thing, YOLO style (anyone can make
| that kind of recommendation).
|
| https://www.nytimes.com/wirecutter/reviews/best-wi-fi-router...
| impish9208 wrote:
| Dupe: https://news.ycombinator.com/item?id=42449503
| zenethian wrote:
| What is a good recommendation for replacing a TP-Link Omada AP? I
| have the Wifi6 AP and it performs great. But if I do need to
| replace it with something more secure, what are my choices?
|
| I know Ubiquiti is a choice, but the reason I chose Omada over
| Ubiquiti is that I can host the Omada controller locally and not
| be forced to use a cloud product.
| ElectRabbit wrote:
| You can host a Unifi controller yourself. No cloud needed.
| gtvwill wrote:
| This in itself is a nightmare. I recently hacked a client's
| Unifi controller db on a network. It had been set up 5
| years ago and the company that did the setup didn't hand over
| any admin passwords. 5 companies and 4 years of problems
| later they almost turned their accommodation business into a
| wifi-free off-grid experience because they couldn't get the
| system working correctly without admin access. Nightmare
| stuff.
|
| Any system so heavily reliant on a single point of failure
| with such difficulty to replace is a no go for me. Never in
| half a decade have I seen such a problem whilst rolling out
| mikrotik hardware.
| EvanAnderson wrote:
| > ... It had been setup 5 years ago and the company that
| did the setup didn't hand over any admin passwords. ...
|
| > Any system so heavily reliant on a single point of
| failure with such difficulty to replace is a no go for me.
|
| Not to shill for Ubiquiti here, but none of that sounds
| like a problem with UniFi or the idea of centrally-managed
| APs.
|
| UniFi APs don't stop working if the UniFi server fails. You
| can't make configuration changes, but you can SSH into the
| AP, reset it, and associate it with another UniFi server.
| 9x39 wrote:
| Sloppy work and bad security can happen with any system,
| can't it? Especially a system abandoned for years without
| management.
|
| Mikrotik could easily be setup with weak passwords and
| management exposed, as can Cisco/Aruba/Ruckus/insert
| favorite vendor here.
| wil421 wrote:
| All my UniFi stuff is hosted locally. You don't need their
| cloud product and their NVR saves video locally too.
|
| If you want to access your controller(s) on the go then just
| setup a VPN on UniFi. Turn on your VPN, manage from the unifi
| app, and then turn the VPN off if needed.
| unethical_ban wrote:
| Unfortunately, they stopped allowing people to host the NVR
| on their own OS and you have to buy their hardware product.
| izacus wrote:
| Huh? Their routers all come with controller software locally.
| Dream Machines, UniFi Express, UCGs are all controllers.
| blackeyeblitzar wrote:
| It might be the right move. I've noticed a lot of oddities with
| my top of the line TP Link Mesh routers. Limited ability to
| configure it compared to past routers (not many advanced
| settings). Forced use of a very sanitized app instead of a
| browser based panel. Forced updates with no ability to use the
| admin panel without accepting the update. And so on. It works and
| is high quality in a way, but I also don't trust it.
| Unfortunately a lot of these issues aren't visible until after
| you buy it.
| buffington wrote:
| Are those Omada based routers? For the price, I've been very
| impressed with the Omada based APs from TP-Link. All of my
| equipment is configurable through a web based interface that's
| served by a Windows app (or through an available hardware
| controller).
| tyjen wrote:
| Wait until Congress figures out about all the new "free" games
| pouring out of China, each requiring kernel level anti-cheat
| software to operate in the background.
| m3kw9 wrote:
| How hard is it to place transistor-level string detection that
| activates an encrypted program within the ASIC?
| Havoc wrote:
| The concept of string doesn't exist at "transistor level"
| nashashmi wrote:
| We are on a slippery slope of banning everyone: TikTok;
| Kaspersky, ... TP-Link.
|
| Huawei was not banned, they were bullied out of the US market,
| and had restricted access to US technologies.
| _bin_ wrote:
| slippery slope? i think curtailing china's access to US
| networks and data, as well as crippling her tech sector, is a
| great goal. this is one step along the path, not another foot
| downhill.
| nashashmi wrote:
| I'm all for crippling tech advancements in other countries.
| It's wrong when we do it by bullying and abusing our powers.
| Instead we should have the foresight to attract their best
| talent. This we don't do as much as we used to before the
| Bush years.
| _bin_ wrote:
| i don't think it's wrong. you can't fight a bad-faith actor
| with good-faith actions. china has built an entire nation
| off lying, cheating, and stealing. we shouldn't be bound to
| respond by only being nice.
|
| attracting her best talent works better when the CPC
| doesn't hold families hostage. because of that, we are
| unable to trust most chinese nationals.
| ryanalam wrote:
| An alternative to NY Post, which I don't find very credible:
|
| https://arstechnica.com/tech-policy/2024/12/report-us-consid...
| phendrenad2 wrote:
| Do TP-Link routers really have more security holes than, say,
| ASUS (designed in Taiwan) or Mikrotik (designed in Latvia)?
| orbital-decay wrote:
| I think it's painfully obvious it's not about software security
| concerns at all, since most non-enthusiast home routers are
| pretty janky, not just TP-Link ones.
| harry8 wrote:
| So who knows much about banana pi and using that to build a
| router. What firmware? Are there better hardware options?
| Anything user-friendly enough to compare with consumer grade uis
| for routers? Anything else that should be being asked in this
| space?
|
| https://www.banana-pi.org/
| bdcravens wrote:
| Is it possible to run BPi on any hardware? If TP-Link is
| banned, I'd think that many other Chinese-based manufacturers
| may also be on the chopping block.
| onewheeltom wrote:
| Probably compromised from the factory
| wrs wrote:
| "...routinely fails to address vulnerabilities in its products...
| When cybersecurity experts point out the flaws...the company
| declines to engage with them..."
|
| I feel like this used to apply to most mass-market home routers.
| Have things improved recently such that TP-Link is an outlier?
| vkaku wrote:
| I haven't found a competitively priced US made product in the
| segments where TP-Link seems to do extremely well.
|
| For home office routers, if we required PoE 1G + 10G ports - the
| nearest option sold by US companies is 2x the price of TP-Link.
| There are no competitively priced options (10-20% additional
| cost) available for these segments. Ditto for gateways.
|
| In the higher end network switches, the campus routers offered by
| the competition are not even priced at < 10x the TP-Link router
| prices. Which means the immediate cost of using TP-Link right now
| and replacing it with a much better TP-Link router 2-3 years down
| the line would justify buying TP-Link only. At this point, the
| expensive gear feels like over-engineering + cash grabs to an end
| user.
|
| Shouldn't more competition be about lowering prices and
| increasing choices? Where are the choices? Is there even an
| effort being made to help the end users of these budget segments?
___________________________________________________________________
(page generated 2024-12-18 23:02 UTC)