On Mon, Nov 26, 2018 at 10:24 AM Sebastian Moeller <[email protected]> wrote:
>
> Hi Dave,
>
>         neither the openwrt folks (see https://openwrt.org) nor the chaos computer club of germany (see German: https://www.ccc.de/en/updates/2018/risikorouter, machinenglish: https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=https%3A%2F%2Fwww.ccc.de%2Fen%2Fupdates%2F2018%2Frisikorouter&edit-text=) seem to be fully convinced.
> Personally I believe this is a step in the right direction, even though hopefully just a first step.

I would like it very much if my country attempted to get to something similar as a requirement for FCC certification or import. Stronger yes, would be nice, but there was nothing horrible in here that I could see. It is extremely well written, could probably use a glossary.

> Openwrt and CCC mainly criticise:
>
> "The Chaos Computer Club (CCC) and OpenWrt took part in multiple review and discussion rounds with the Bundesamt für Sicherheit in der Informationstechnik (BSI) and representatives of multiple device vendors and network operators. These are our two main demands:
>
> 1) Vendors have to inform customer before buying the product for all devices being sold in Germany, how long the device will get security updates in case problems are found.

I am reminded of the mandatory warnings on all cig smoking cartons. Long term, I guess, they've been effective. I seem to be one of the few left that still smoke, and most of the other smokers I know use rollies, and don't have to read about what they are doing to themselves on every pack.

> 2) The customer must have the possibility to install custom software on their devices, to have the possibility to fix security problems even after the official vendor support ended."
>
> I believe that 1) is currently supposed to be posted on a web-site so will not be effortlessly visible at the point of sale in a store.

I would rather like that. With most computer gear today, you are essentially buying a lease. "Supported for 1 week longer than our 1 year warranty". People should value a long term support plan, as much as they value getting a 10 year "bumper to bumper" warranty on a car. Spending 200 bucks on a piece

> And 2) basically is a complaint that there is a weak MAY clause for guaranteeing that 3rd party firmware like openwrt is installable. I think this was weakened on purpose by the DOCSIS-ISPs which seem to have zero interest for 3rd party firmwares for cable-modems/routers. (I would not be amazed if cable labs would actually rule something like this out per contract, but I have zero evidence for that hypothesis).

These are the people that *rent* modems to you at an enormous margin and are unwilling to support it? Sigh... I have zip, zero problem, if cable folk *leased* you a modem, managed it, and then provided a new one when their support costs got too great. It would do wonders for the entire industry if they simply gave away new docsis 3 or 3.1 modems to everyone still running an earlier one.... There's a huge difference in "leasing" vs "renting" vs "buying" I guess. There's a movement here called "right to repair", which is not something I've been tracking here. How's it going over there? It's used a lot when arguing with John Deere about their tractors....

>
> > On Nov 26, 2018, at 19:05, Dave Taht <[email protected]> wrote:
> >
> > I only briefly scanned this, but I did find some things that made me happy. Still, what happens after end of life?
> >
> > https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03148/TR03148.pdf;jsessionid=01F54E80B004E9BFB194DBC00DE9B961.2_cid360?__blob=publicationFile&v=2
> >
> > "To be able to react to newly appearing exploits of soft- or hardware vulnerabilities of the router or any of its components the router MUST have a functionality to update the firmware (operating system and applications) using a firmware package. The router MUST allow the end-user to fully control such a firmware update and determine to initiate an online update (router retrieves firmware package from the Internet (WAN interface)) and/ or manually update the firmware through the configuration interface (user provides firmware package) described in Section 4.1: Configuration and Information."
> >
> > The router SHOULD offer an option to automatically retrieve security relevant firmware updates from a trustworthy source over the Internet (WAN interface). If the router offers this functionality it SHOULD be activated by default, but MUST be possible for the end-user to deactivate it when using customized settings. In both scenarios (manual and automated update) the firmware update function of the router MUST check the authenticity of the firmware package (file) before it is installed on the router. This SHOULD be done by a digital signature that is applied to the firmware package by the manufacturer and checked by the router itself. For this purpose only signature schemes in accordance to [SOG-IS] Section 5.2: Digital Signatures MUST be used. The router MUST NOT automatically install any unsigned firmware. The router MAY allow the installation of unsigned firmware (i.e. custom firmware) IF a meaningful warning message has been shown to the authenticated end-user and the end-user accepts the installation of the unsigned firmware.
> >
> > the manufacturer of the router MUST provide information on how long firmware updates fixing common vulnerabilities and exposures that have a high severity (i.e. a CVSS combined score higher than 6.0 according to the Common Vulnerability Scoring System assigned to the specific device or a component used by the device) will be made available. This information SHOULD be available on the manufacturer website. Additionally it MAY be made available on the router configuration interface described in Section 4.1.2: Providing Information. The manufacturer MUST provide information if the router has reached the End of its Support (EoS) and will not receive firmware updates by the manufacturer anymore. This information (EoS) MUST be made available on the router configuration as described in Section 4.1.2: Providing Information. The manufacturer MUST provide firmware updates to fix common vulnerabilities and exposures of a high severity without culpable delay (without undue delay) after the manufacturer obtains knowledge
> >
> > --
> > Dave Täht
> > CTO, TekLibre, LLC
> > http://www.teklibre.com
> > Tel: 1-831-205-9740
> > _______________________________________________
> > Cerowrt-devel mailing list
> > [email protected]
> > https://lists.bufferbloat.net/listinfo/cerowrt-devel

--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
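The firmware-update rules quoted from the BSI guideline in this thread (authenticity MUST be checked before installation, the automatic path MUST NOT install unsigned firmware, the manual path MAY accept unsigned custom firmware only after an authenticated end-user has seen and accepted a warning) can be written down as a small decision routine. The following Go program is an added example for this list archive; it is not code from the thread, from OpenWrt, or from the guideline. The manufacturer key pair, the firmware image bytes, the `FirmwarePackage` type and the `DecideInstall` function are all constructed here for illustration, and Ed25519 is used only because it is in Go's standard library; the guideline itself defers the permitted signature schemes to [SOG-IS] Section 5.2, so a real implementation would pick from that catalogue.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// UpdateMode is the update path in use: an automatic online update over the
// WAN interface, or a manual update through the configuration interface.
type UpdateMode int

const (
	ModeAutomatic UpdateMode = iota
	ModeManual
)

// FirmwarePackage is a constructed stand-in for a firmware file: the image
// bytes plus a detached signature. An empty Signature means the package is
// unsigned, i.e. "custom firmware" in the guideline's terms.
type FirmwarePackage struct {
	Image     []byte
	Signature []byte
}

// Decision records whether the router may install the package and why.
type Decision struct {
	Install bool
	Reason  string
}

// SignFirmware models the manufacturer side: the image is signed with the
// manufacturer's private key before publication. Ed25519 is an illustrative
// choice (assumption); the guideline points to SOG-IS Section 5.2 for the
// schemes that are actually permitted.
func SignFirmware(priv ed25519.PrivateKey, image []byte) FirmwarePackage {
	return FirmwarePackage{Image: image, Signature: ed25519.Sign(priv, image)}
}

// VerifyAuthenticity is the router-side check that MUST run before any
// installation: it succeeds only for a signature made by the manufacturer key
// over exactly these image bytes.
func VerifyAuthenticity(pub ed25519.PublicKey, pkg FirmwarePackage) bool {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, pkg.Image, pkg.Signature)
}

// DecideInstall applies the quoted rules:
//   - a package with a valid manufacturer signature may be installed on either path;
//   - a package whose signature is present but does not verify is rejected outright,
//     because it looks like a tampered or mis-signed image, not deliberately
//     unsigned custom firmware (a design choice in this example);
//   - the automatic path MUST NOT install unsigned firmware;
//   - the manual path MAY install unsigned firmware, but only after the warning has
//     been shown to an authenticated end-user who accepts it.
func DecideInstall(pub ed25519.PublicKey, pkg FirmwarePackage, mode UpdateMode,
	userAuthenticated, userAcceptedWarning bool) Decision {
	if len(pkg.Signature) > 0 {
		if VerifyAuthenticity(pub, pkg) {
			return Decision{true, "manufacturer signature verified"}
		}
		return Decision{false, "signature present but does not verify; rejected"}
	}
	if mode == ModeAutomatic {
		return Decision{false, "automatic update MUST NOT install unsigned firmware"}
	}
	if !userAuthenticated {
		return Decision{false, "unsigned firmware requires an authenticated end-user"}
	}
	if !userAcceptedWarning {
		return Decision{false, "end-user has not accepted the unsigned-firmware warning"}
	}
	return Decision{true, "unsigned custom firmware accepted by authenticated end-user after warning"}
}

func main() {
	// Constructed manufacturer key pair and firmware image for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, not a real router image")
	signed := SignFirmware(priv, image)
	unsigned := FirmwarePackage{Image: image}
	tampered := FirmwarePackage{Image: append([]byte("patched: "), image...), Signature: signed.Signature}

	cases := []struct {
		name string
		pkg  FirmwarePackage
		mode UpdateMode
		auth bool
		ack  bool
	}{
		{"signed, automatic", signed, ModeAutomatic, false, false},
		{"unsigned, automatic", unsigned, ModeAutomatic, true, true},
		{"unsigned, manual, warning not accepted", unsigned, ModeManual, true, false},
		{"unsigned, manual, warning accepted", unsigned, ModeManual, true, true},
		{"tampered image, manual, warning accepted", tampered, ModeManual, true, true},
	}
	for _, c := range cases {
		d := DecideInstall(pub, c.pkg, c.mode, c.auth, c.ack)
		fmt.Printf("%-45s install=%-5v %s\n", c.name, d.Install, d.Reason)
	}
}
```

The point of separating "unsigned" from "signed but invalid" is that the MAY clause is about firmware the user knowingly supplies; an image that carries a manufacturer signature which fails to verify is a different situation, and treating it as custom firmware would let a corrupted or modified vendor image through the warning dialogue.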
