
No need to worry about Huawei backdoors when domestic infrastructure does such a bang-up job on their own.

I am sick of reading about these embarrassing security holes in Cisco/Juniper/etc. The internet is an adversarial place. Stop cowboy coding.



> Stop cowboy coding.

Look, I'm a cowboy coder, through and through; but I still know better than to close the barn door after the horse bolted.

Information security and software processes aren't that closely related. You can be secure and yolo in production. You can run an extensive change management system and a) push mostly unnecessary cloud services, b) not use reasonable precautions to protect information in transit (and at rest) when sending to cloud services.

I picked up some of the Linksys Velop wifi 6 routers recently, because OpenWRT works on them, but I figured I'd try the factory firmware first... Woof, it's bad (but I only used the web interface... I wasn't willing to install the app), I lasted a day.

Forming a mesh involves the central node using the default password when accessing the other nodes. I guess that's effective, but felt pretty gross to me.


> Stop cowboy coding

Why are you giving this company the benefit of the doubt - just because it’s western? They haven’t even bothered to comment on the issue, they made no promise to fix it, for all you know they are selling your data to the highest bidder. And to anyone from China too.

If a Chinese company does it we are quick to label it stealing, but here we have the authority to regulate, and we go soft, oh no, it’s disorganisation, poor them, they’ve only been in this business for like 40 years or whatever.

Maybe we should assume malevolence, just like we do with China.


> Maybe we should assume malevolence, just like we do with China.

I'm fine with assuming ignorance for a brief window. But when the vendor doesn't reply after multiple repeated attempts, and no fix is in sight, it should quickly evolve from ignorance to willful malpractice at the very least.


Where did I give them the benefit of the doubt? I am furious at the network providers' ongoing negligence/incompetence. Either they are in bed with the NSA or they just suck at their job. Regardless of the root cause, we all suffer.

The mention of Huawei was to point out the humor that the government has banned a company on the potential for subtle back doors. Something like the xz exploit. Yet the domestic vendors put out trivially broken crap on the regular. How many Cisco devices have shipped with hardcoded passwords in the past decade?


> Why are you giving this company the benefit of the doubt - just because it’s western?

What does “western” mean? Linksys has been owned by Foxconn since 2018, which is based in Taiwan.


Making this about foreign vs domestic is bullshit. There is no such thing as a friendly vulnerability.

Just quit allowing corporations to bake up pointlessly unique proprietary firmware blobs for every single device, and we won't have this problem! It's redundant work anyway.


"There is no such thing as a friendly vulnerability." is going right up there with "You can't trust code that you did not totally create yourself." in my list of favorite infosec quotes. Thank you!


Linksys is owned by a foreign company (Foxconn).



