There is a systemic complete and total regard for basic tenets of security in nearly the entire home router/cpe market.
Start with crypto - no hwrng and a known "less than ideal" version of
There is no privilege separation in most routers, which was ok when they were single function devices - BUT: not ok, when vulnerability via services like samba can be used to root most of the top 10 current home routers:
Once an attacker p0wns your home gateway they can change your dns to malicious sites, as dnschanger did:
or have it participate in botnets, or inflict further attacks on unsuspecting devices both inside and outside your firewall, or sniff your traffic - there is no security when your front door is left wide open.
What nearly every home router and cpe manufacturer is shipping is **rotware**, running 4-7 year old kernels with known CVEs, and 10 year old versions of critical services like dnsmasq. You'd think that new 802.11ac devices available for this christmas might have some modern software on it, but just to pick out a recent example - the "new" netgear nighthawk router runs Linux 126.96.36.199 and dnsmasq 2.15, according to their R7000 gpl code drop -
Brand new hardware - 4+ and 10 year old software respectively.
It's unfair of me to pick on Netgear, every router I've looked at this christmas season has some major issues.
Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware. And I wish the manufacturers (and ISPs, AND users, and governments) understood that, and there was (in particular) a sustainable model for continuous updates and upgrades as effective as android's in this market. I don't care if it came from taxation, isp fees, or built into the price of the device - would you willingly leave your networks' front door open if you understood the consequences?
Rotten routers with closed source code, and no maintenance, are a huge security risk, and they are holding back the ipv6 transition, (and nearly all current models have bufferbloat, besides)
How can the dysfunctional edge of the Internet be fixed?
What Jim and the bufferbloat.net's group of volunteers have accomplished in a year - on nearly no money - boggles my mind.
Today's commentary on slashdot is a hundred times more clueful than it was last year - and a few days back Byte Queue Limits went into linux's net-next tree, which fixes much of the bloat problems that exist at the ethernet driver layer.
What has been discussed as 'Time in Queue' limits in the higher level schedulers is still awaiting a clean way to avoid layer violations. I've been too distracted by the BQL merge to pursue that next phase of fixes.
What we could have done this year with *some money* - nowhere near the amounts you describe above! - could have been amazing, and as for the next year, well, who knows? It is going to take many man-years worth of effort to make the internet responsive again.
And even with that said, to have harnessed the powers of hundreds first, now thousands, of talented minds, to help solve the bufferbloat problem - has been a far more effective - and wonderful! thing than all the money in the world.
The original gatech study showed not only bufferbloat, but enormous variation of base latencies in the first mile for different brands of cable modem as well as for different kinds of DSL and wireless technologies.
Some commentary: http://gettys.wordpress.com/2011/02/17/caida-workshop/
I look forward to the followup!
The nicest thing about the Alto is that it doesn't run faster at night.