
FCC bans sale of some foreign-made routers in the US

Cry me a river
 
I doubt those bulletins were worse than the constant vulnerabilities in the dogshit product this pure blooded Murica company proudly serves to the US government and numerous big companies:





This will hurt normal folks the most. And WISPs.
I wish all my vendors were as open and honest about their vulnerabilities as Fortinet. When it's my choice I'll deploy their "dogshit" over every one of their competitors all day every day.
 
I wish all my vendors were as open and honest about their vulnerabilities as Fortinet. When it's my choice I'll deploy their "dogshit" over every one of their competitors all day every day.
Ah, yes, the "vulnerabilities don't count as a backdoor, since the code wasn't inserted for malicious purposes" company that doesn't disclose its vulnerabilities for years, with multiple hardcoded backdoor incidents. Well, I guess that does make them very...open...at least.

Overpriced, underdelivering, backdoor infested product...I can see why the US government loves them.
 
Build your own router. Better yet, start a company in the US building and selling them.
https://one.openwrt.org/hardware/?ref=itsfoss.com

No, it won't be cheap. Yeah, you might not succeed. But it's better than throwing your hands up and saying "but nobody makes them in the US!"

If money from router sales isn't enough, prop it up with other sales. Services, support, merchandise. Make a "Gaming" router, or contract with a "VTuber" for a "special edition" that costs a bit more.
 
I wish all my vendors were as open and honest about their vulnerabilities as Fortinet. When it's my choice I'll deploy their "dogshit" over every one of their competitors all day every day.
Fortinet is only open because of the 3rd parties who find so many of them....weren't they caught trying to hide CVEs in the past as well? (or was that Sophos?)

If they really cared, they would not be #1 rated for CVEs vs any other vendor with the same market share. Their quality control is abysmal; that is the issue.

How many CVEs do you see Palo Alto coming out with compared to Fortinet? They get the same scrutiny....
 
Fortinet is only open because of the 3rd parties who find so many of them....weren't they caught trying to hide CVEs in the past as well? (or was that Sophos?)

If they really cared, they would not be #1 rated for CVEs vs any other vendor with the same market share. Their quality control is abysmal; that is the issue.

How many CVEs do you see Palo Alto coming out with compared to Fortinet? They get the same scrutiny....
That's just flat out unknowledgeable. You should look into things more before posting shit like that. Fortinet actually finds most of their CVEs internally unlike PAN. Also, unlike PAN they disclose openly. To be fair PAN is not as bad as Check Point at disclosure though I do personally prefer Check Point to PAN. Like I said previously, when given free rein to solution a client I'll always lead with Fortinet. We'll do Check Point, Juniper or PAN as well and even Cisco if some nutjob insists enough though no one really considers them serious players in security these days. We won't touch Sophos, Sonicwall, Ubiquiti or any other glorified consumer shit beyond rip and replace.

FWIW I've got modern (read supported) hardware from pretty much every major security vendor (Check Point, Cisco, Fortinet, Juniper and PAN) here in my home lab, various certs from the lot of them and my house runs on Fortinet with the exception of an ANCIENT (read aui connectors) pair of cisco and MRV console servers.
 
The basic problem with the whole approach is that China just has to agree to build them in the USA, not stop siphoning data. If they build a factory in the USA then they'll bypass the ban and get a nice press release that Trump will like. And still be able to siphon data. Just because the product is built in the USA doesn't magically mean the software is suddenly spyware free.
 
The basic problem with the whole approach is that China just has to agree to build them in the USA, not stop siphoning data. If they build a factory in the USA then they'll bypass the ban and get a nice press release that Trump will like. And still be able to siphon data. Just because the product is built in the USA doesn't magically mean the software is suddenly spyware free.

Exactly. Location of assembly has little to no meaning on supply chain security. The US government has spent decades analyzing and certifying supply chains at various levels for things a whole lot more dangerous than routers.
 
There are still TP link routers and switches on Amazon. When is this effective?
 
There are still TP link routers and switches on Amazon. When is this effective?
It will only add new FCC approval requirements for new designs. Currently sold designs are not affected. Anything produced in the USA will be crawling with feds. Anything produced in China is in direct involvement with the CCP as it is. We are in a cold war with China.
 
The basic problem with the whole approach is that China just has to agree to build them in the USA, not stop siphoning data. If they build a factory in the USA then they'll bypass the ban and get a nice press release that Trump will like. And still be able to siphon data. Just because the product is built in the USA doesn't magically mean the software is suddenly spyware free.
c. Entities responsible for IP ownership and software updates for the router;
f. Country of origin for any onboard software and firmware;


Maybe it will not be easy to get approved if you have any China link in those.
 
It will only add new FCC approval requirements for new designs. Currently sold designs are not affected. Anything produced in the USA will be crawling with feds. Anything produced in China is in direct involvement with the CCP as it is. We are in a cold war with China.

Crawling with feds? Really? If China sets up a factory in the USA to make routers you really think that anyone in the government is going to have a clue what they're doing? They'll be so happy that a factory got built they'll not even notice what is going on. And, even if they watched it get built you think they're dissecting the firmware that is loaded on it looking for spyware? They could do that now if they wanted but they're not.
 
That's just flat out unknowledgeable. You should look into things more before posting shit like that. Fortinet actually finds most of their CVEs internally unlike PAN. Also, unlike PAN they disclose openly. To be fair PAN is not as bad as Check Point at disclosure though I do personally prefer Check Point to PAN. Like I said previously, when given free rein to solution a client I'll always lead with Fortinet. We'll do Check Point, Juniper or PAN as well and even Cisco if some nutjob insists enough though no one really considers them serious players in security these days. We won't touch Sophos, Sonicwall, Ubiquiti or any other glorified consumer shit beyond rip and replace.

FWIW I've got modern (read supported) hardware from pretty much every major security vendor (Check Point, Cisco, Fortinet, Juniper and PAN) here in my home lab, various certs from the lot of them and my house runs on Fortinet with the exception of an ANCIENT (read aui connectors) pair of cisco and MRV console servers.
Whenever I see news about Fortinet, it is always a 3rd party that discovered the bug/exploit.

Where can you see the stats of how many are self reported, and are they actually self reported, or they took the report of a security person and posted it?

Fortinet: 1,084 CVEs
https://app.opencve.io/cve/?vendor=fortinet
https://www.cvedetails.com/vendor/3080/Fortinet.html

Palo Alto: 336 CVEs
https://app.opencve.io/cve/?vendor=paloaltonetworks
https://www.cvedetails.com/vendor/12836/

Who has worse quality control before releasing code?

I am all for companies patching, but when you are a security firm and are constantly in the news for major CVE's over and over, especially when it tends to be the same product, that tells me they just do "quick fixes" versus actually looking at the core and why these issues keep happening over and over (VPN in 2025...)

And then they make decisions like this, let's use SMS and claim it boosts security... that alone tells me all I need to know about their "security stance"
 
Whenever I see news about Fortinet, it is always a 3rd party that discovered the bug/exploit.

Where can you see the stats of how many are self reported, and are they actually self reported, or they took the report of a security person and posted it?

Fortinet: 1,084 CVEs
https://app.opencve.io/cve/?vendor=fortinet
https://www.cvedetails.com/vendor/3080/Fortinet.html

Palo Alto: 336 CVEs
https://app.opencve.io/cve/?vendor=paloaltonetworks
https://www.cvedetails.com/vendor/12836/

Who has worse quality control before releasing code?

I am all for companies patching, but when you are a security firm and are constantly in the news for major CVE's over and over, especially when it tends to be the same product, that tells me they just do "quick fixes" versus actually looking at the core and why these issues keep happening over and over (VPN in 2025...)

And then they make decisions like this, let's use SMS and claim it boosts security... that alone tells me all I need to know about their "security stance"
All of that is easily found if you've even half a brain. You're either a troll, which is perfectly fine and acceptable, or deliberately obtuse, less fine but your right to be. You've clearly made your mind up and I personally don't have the time or inclination to try and change it.
I test, sell, manage and support security services on all enterprise level platforms and have for more than 25 years and am VERY good at what I do. Arguing with trolls and tempestuous children that aren't padding my bottom line is no longer entertaining.

Getting back to the actual topic of this thread .... Banning shitty consumer networking and security gear is LONG overdue! It has been a plague on the industry and I honestly rejoice in seeing it happen. If you need to be told letting your ideological and economic enemy design, build and infiltrate your infrastructure is a bad idea then you are very much part of the problem. However, I suspect that it is very much too little and WAY too late. It's akin to closing the barn door weeks after the horse has escaped.
 
Sure, just like kids toys from all continents. That's an IoT problem, not a foreign problem.

Routers from reputable non-US companies range from great security wise, to industry average, but none with deliberate security compromises AFAIK. Even the dreaded Huawei has a better track record than Cisco. This administrative decision is just laughable.
If you want to consider the $200+ Asus and Linksys products little kid toys, sure.

Their default settings were actively overriding local DNS configurations when you left their security settings intact.
 
A couple of observations now that I've had time to study this in more detail.

1. This essentially defangs the FCC, taking approval of new devices entirely out of their hands. Going forward it will be the DoD (well, "Department of War") that decides what home routers are offered for sale to consumers within the United States. It's unclear to me how meaningful a role the FCC will have going forward.

2. The US consumer router market is not that big. I would not be surprised if numerous brands simply decide to no longer sell their latest and greatest in the US market. We will now be the market that settles for 3, 4 year old hardware sold at steep markups while the rest of the world sees and enjoys new releases.

It's a dumb decision.
 
All of that is easily found if you've even half a brain. You're either a troll, which is perfectly fine and acceptable, or deliberately obtuse, less fine but your right to be. You've clearly made your mind up and I personally don't have the time or inclination to try and change it.
I test, sell, manage and support security services on all enterprise level platforms and have for more than 25 years and am VERY good at what I do. Arguing with trolls and tempestuous children that aren't padding my bottom line is no longer entertaining.

Getting back to the actual topic of this thread .... Banning shitty consumer networking and security gear is LONG overdue! It has been a plague on the industry and I honestly rejoice in seeing it happen. If you need to be told letting your ideological and economic enemy design, build and infiltrate your infrastructure is a bad idea then you are very much part of the problem. However, I suspect that it is very much too little and WAY too late. It's akin to closing the barn door weeks after the horse has escaped.
Just don't use any of their web serving stuff since they seem absolutely incompetent with that functionality.

They also do weird shit like this: https://community.fortinet.com/t5/F...oes-not-block-incoming-WAN-to-LAN/ta-p/189641 Absolute galaxy brain thinking there...but at least they changed it a little while ago so what you think would happen actually happens now.

I've been using fortinet stuff for 10 years or so now and I want to take their shit and throw it in the trash but the other vendors aren't really any better they all suck. At least it's not JAVA and requiring 2 different interfaces like the old ASAs with the "NFGW" stuff tacked on.

Home routers though that's a whole other thing...if they get any sort of updates at all, good luck.
 
Crawling with feds? Really? If China sets up a factory in the USA to make routers you really think that anyone in the government is going to have a clue what they're doing? They'll be so happy that a factory got built they'll not even notice what is going on. And, even if they watched it get built you think they're dissecting the firmware that is loaded on it looking for spyware? They could do that now if they wanted but they're not.
The USA government does not send out a press release every time they dissect a component made by a foreign government. If the USA government is good at anything, it is spying. Companies in the USA designed software components in the totalitarian police state infrastructure used in China for example. Do you think the "Five Eyes" work with companies like Palantir, but they aren't paying attention to things on the hardware side as well?
China puts as much spyware on things as they can get away with. If you don't believe that, just look at how it slows down computers in China itself. There are even hardware components they add to mainboards for the purpose of spying. HIKVISION is an example of a decent free product that everybody knows is intentionally filled with vulnerabilities for CCP use. The USA and China fight each other on the IT security and economic battlefield. I just hope it never reaches kinetic warfare.
The policies make sense, but at what cost? In all policies there are trade-offs. It is best to come back to the topic once we see how this policy gets implemented. It most likely is a "big ask" that gives agencies new tools to ask things of companies if they want to look under the hood. I have worked with the USA government a few times and this is usually what they do. They adjust their approach based on your willingness to comply.
Establishing the lowest cost implementation of the policy for the consumer is the best route. Sadly it is a wait and see situation.
 
A couple of observations now that I've had time to study this in more detail.

1. This essentially defangs the FCC, taking approval of new devices entirely out of their hands. Going forward it will be the DoD (well, "Department of War") that decides what home routers are offered for sale to consumers within the United States. It's unclear to me how meaningful a role the FCC will have going forward.

2. The US consumer router market is not that big. I would not be surprised if numerous brands simply decide to no longer sell their latest and greatest in the US market. We will now be the market that settles for 3, 4 year old hardware sold at steep markups while the rest of the world sees and enjoys new releases.

It's a dumb decision.
On the government side, employees from all agencies typically change who they report to for missions. So you will see FCC employees reporting to DoD officials during this process. I am not saying that the DoD is more efficient, but they do have more enforcement tools at their disposal so that is probably why this is set up this way. It is still executive branch, and those employees move around for various tasks. They will be using FCC labs obviously. DoD is the bureaucracy that largely stays the same regardless of POTUS and Congress. That move reveals that it was most likely something being considered for a long time by permanent government.
 
All of that is easily found if you've even half a brain. You're either a troll, which is perfectly fine and acceptable, or deliberately obtuse, less fine but your right to be. You've clearly made your mind up and I personally don't have the time or inclination to try and change it.
I test, sell, manage and support security services on all enterprise level platforms and have for more than 25 years and am VERY good at what I do. Arguing with trolls and tempestuous children that aren't padding my bottom line is no longer entertaining.

Getting back to the actual topic of this thread .... Banning shitty consumer networking and security gear is LONG overdue! It has been a plague on the industry and I honestly rejoice in seeing it happen. If you need to be told letting your ideological and economic enemy design, build and infiltrate your infrastructure is a bad idea then you are very much part of the problem. However, I suspect that it is very much too little and WAY too late. It's akin to closing the barn door weeks after the horse has escaped.
Do you always lead with insulting people who asked an actual question, when they have not insulted you?

Seems you have already made up your mind because you have worked in the space for 25 years and want to be right because "I know best! Do not dare question me!"

I was actually asking, legit, if I am wrong, I like to know that and have the information to back it up.

Where can you see the stats of how many are self reported, and are they actually self reported, or they took the report of a security person and posted it?
Because I looked at various CVE sites, and the details they mostly all list are the CVE, level, and the affected vendor. I dug into several, which were on Bleeping as well, which did note the researchers who found them, but said CVE sites do not.

So, almighty wisdom CVE master of 25 years, where can I so easily see all CVEs for a vendor, that includes the source of discovery and not just the vendor it affects?
 
That's just flat out unknowledgeable. You should look into things more before posting shit like that. Fortinet actually finds most of their CVEs internally unlike PAN. Also, unlike PAN they disclose openly. To be fair PAN is not as bad as Check Point at disclosure though I do personally prefer Check Point to PAN. Like I said previously, when given free rein to solution a client I'll always lead with Fortinet. We'll do Check Point, Juniper or PAN as well and even Cisco if some nutjob insists enough though no one really considers them serious players in security these days. We won't touch Sophos, Sonicwall, Ubiquiti or any other glorified consumer shit beyond rip and replace.
I would trust pfSense/OPNsense and even Unifi over Fortinet.


Getting back to the actual topic of this thread .... Banning shitty consumer networking and security gear is LONG overdue! It has been a plague on the industry and I honestly rejoice in seeing it happen.
Yes, daddy government, please run my life as much as possible and dictate what you think is safe for me and what I should be able to purchase. We certainly shouldn't leave it up to people to decide for themselves, or do unthinkable things such as purchasing cheap gear and running good open source routing software on them. Or just use it as is after our own risk assessment deems it acceptable for the specific use case. But no, no, daddy government is here to tell us what is safe and regulate some more.

I've started to collect a few of the most notorious examples from Fortinet, but gave up after seeing the sheer volume. And more than one incident of exploits continuing after patching. It's so bad that probably most prosumer and many consumer routers have better security. But those are being banned and Fortinet is going strong on the highest levels of government and corporate systems. Really makes you think.
 
I was waiting to see the Broadband sites thoughts on this, pretty much what I expected, a few snippets below.

https://www.lightreading.com/security/fcc-disrupts-home-broadband-with-sweeping-foreign-router-ban

FCC disrupts home broadband with sweeping foreign router ban

FCC targets foreign-made home routers to protect consumers and national security, but policy could disrupt supply and increase costs for new broadband products and services.

The Federal Communications Commission dropped something of a bombshell on the US broadband market with its decision this week to block foreign-made home routers from entering the country for national security reasons. As the industry assesses the impact, analysts say the move could lead to supply shortages and higher prices for consumers and service providers.

..........
..........
..........
The ban applies to new consumer router models and affects almost every maker of the equipment – foreign and domestic companies alike – because "nearly 100%" of consumer routers are manufactured or assembled outside the US, according to Jeff Heynen, Dell'Oro VP for broadband access and home networking.

To sell foreign-made routers in the US from now on, companies must apply for a so-called "conditional approval" exemption from the Department of War or Department of Homeland Security. They are required to disclose details about their corporate structure, supply chain and manufacturing locations as well as a "detailed, time-bound plan to establish or expand manufacturing" in the US.

The demand for domestic manufacturing in the waiver conditions suggests that the new rules are as much about industrial policy as they are about protecting consumers or national security.

.
.
.
There are also questions about exactly what equipment is covered by the new policy. It appears the "router" category is interpreted to include gateways with integrated cellular or cable modems. This would broaden the impact to consumer 5G fixed wireless access services provided by AT&T, T-Mobile and Verizon, for example.

"In the near term, the US residential router market will now stratify in ways that may not serve the underlying security objectives. Inventory of previously-authorized models will be rationed, prices will rise, and innovation cycles — particularly the transition to Wi-Fi 7 and Wi-Fi 8 — will slow in the US market relative to the rest of the world. Whether that outcome makes American networks more secure, or simply more expensive, is an open question," said Heynen.
 
Build your own router. Better yet, start a company in the US building and selling them.
https://one.openwrt.org/hardware/?ref=itsfoss.com

No, it won't be cheap. Yeah, you might not succeed. But it's better than throwing your hands up and saying "but nobody makes them in the US!"

If money from router sales isn't enough, prop it up with other sales. Services, support, merchandise. Make a "Gaming" router, or contract with a "VTuber" for a "special edition" that costs a bit more.
Actually, this would be dead simple with all the off-lease desktops and cheap NICs out there. 'Assembled in the USA' and fully transparent/end user serviceable. Will be interesting to see if some ebay stores pop up to serve this niche.
 
The basic problem with the whole approach is that China just has to agree to build them in the USA, not stop siphoning data. If they build a factory in the USA then they'll bypass the ban and get a nice press release that Trump will like. And still be able to siphon data. Just because the product is built in the USA doesn't magically mean the software is suddenly spyware free.
This is a very good point. An FCC exemption would function the same way.
 
I think finally the intent is starting to move in the right direction. No doubt there have been trojan horses coming in for decades now (and we've been exporting the same), and it's about time we address it since we are a world at war and I believe everything will continue to escalate--mainly due to one country that keeps doing stuff the rest of the world doesn't want, but yet has the resources to do that because the rest of the world allowed them to become their sole source for products. In case there's any doubt, that country is China. They are the aggressor and the bully here. And unfortunately, the only way to get a bully to back down is to fight them on their own level, and then hit them so hard once that they never, ever think of getting up again. We are just at the beginning of that. Luckily most of the world feels the same, but China is buying their way into the third world and getting some puppets to 'back them' even though China is just backing them to back China so it's like the bully paying to have 'friends'.

So one of the things you don't do is buy essential things from your enemies--period. I think this is a move in the right direction, but the real solution is a full out cut off with China. Sure things will be somewhat more expensive, but it's not like the 5x times more that people think it is. There are plenty of companies that make stuff right here in the USA that refuse to compromise on their product and 'outsource' and they're not super expensive and are generally better quality. I think if given no other choice, the USA will innovate and manufacture. And historically when the US has done this, it's led the way for others to also prosper.
 
I love that almost every TV I own, operate, or maintain is legally classified as a router by this FTC ruling as they all have an Ethernet port as well as a Wi-Fi card and they can facilitate the transfer of packets between them….

My dumbest appliances are the best ones I work with and I will cheer for the death of the IoT everything movement. Securing that crap consumes far too much of what little time I have.
 
I love that almost every TV I own, operate, or maintain is legally classified as a router by this FTC ruling as they all have an Ethernet port as well as a Wi-Fi card and they can facilitate the transfer of packets between them….

My dumbest appliances are the best ones I work with and I will cheer for the death of the IoT everything movement. Securing that crap consumes far too much of what little time I have.

One of the greatest features of my gateway. Deny all new outbound unless specifically permitted. Least access is the norm now. Has to be.
 
One of the greatest features of my gateway. Deny all new outbound unless specifically permitted. Least access is the norm now. Has to be.
I have a similar setup, but outgoing SSL on 443 is a tricky thing to block, and not kill HTTPS in the process, but I do now block all QUIC packets by App ID and by UDP port number (80 and 443 for those who want to know).
Black hole lists are awesome and all that, and they update very frequently, but hot damned.... The hardest part, though, isn't the North-South traffic; it's the East-West.
What tools can I put in place to prevent the TV from monitoring the PlayStation and reporting back, the printer from monitoring the iPad, iPad from the PC, etc...

Too many devices run in some form of IPv4 or IPv6 promiscuous mode, or try to take advantage of known vulnerabilities to monitor traffic within the network it is on. You can enable isolation mode for specific VLANs or SSIDs, and you can try to segregate them by using different gateways, then blocking communication between those gateways by putting them in different zones. But damned, you gotta spend more time trying to keep the devices you own from spying on your other devices than you spend setting them up in the first place.
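The policy sketched in the two posts above (deny all new outbound unless specifically permitted, drop QUIC on UDP 80/443 so TLS stays on TCP 443, and keep the IoT segments from reaching each other) can be written down and tested before it ever touches a gateway. The block below is an added example, not code from the thread or from any vendor's firewall: it models that policy as a small rule evaluator and runs it over constructed flow records. The VLAN addressing, the allow-lists and the 203.0.113.0/24 "internet" addresses are all assumptions made up for the example.

```python
"""Evaluate a default-deny egress and inter-VLAN policy over constructed flows.

Added example; models the policy described in the thread. Every network range,
allow-list entry and flow below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed VLAN plan (assumption, not the poster's actual addressing).
VLANS = {
    "trusted": ip_network("10.0.10.0/24"),
    "iot":     ip_network("10.0.20.0/24"),
    "cameras": ip_network("10.0.30.0/24"),
}

# QUIC rides UDP 80/443; the post blocks both so TLS stays on inspectable TCP 443.
QUIC_PORTS = {80, 443}

# Egress allow-list per VLAN: (proto, dport). Anything not listed is denied.
EGRESS_ALLOW = {
    "trusted": {("tcp", 80), ("tcp", 443), ("tcp", 853)},  # web plus DNS-over-TLS
    "iot":     {("tcp", 443), ("udp", 123)},              # vendor cloud and NTP only
    "cameras": set(),                                      # cameras never talk out
}

# East-west exceptions: (src_vlan, dst_vlan, proto, dport). All else between VLANs is denied.
EAST_WEST_ALLOW = {
    ("trusted", "cameras", "tcp", 554),  # trusted segment may pull RTSP from cameras
}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def vlan_of(addr: str) -> Optional[str]:
    """Name of the VLAN an address belongs to, or None if it is off-net."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def classify(flow: Flow) -> str:
    """Direction of a flow relative to the VLAN plan."""
    s, d = vlan_of(flow.src), vlan_of(flow.dst)
    if s is None:
        return "unknown"
    if d is None:
        return "north-south"
    return "intra-vlan" if s == d else "east-west"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Verdict for a NEW connection; replies are assumed allowed by connection tracking."""
    direction = classify(flow)
    src_vlan = vlan_of(flow.src)
    if direction == "unknown":
        return "drop", "source not in any known VLAN"
    if direction == "intra-vlan":
        return "accept", f"same segment ({src_vlan})"
    if direction == "east-west":
        key = (src_vlan, vlan_of(flow.dst), flow.proto, flow.dport)
        if key in EAST_WEST_ALLOW:
            return "accept", f"east-west exception {key}"
        return "drop", f"east-west {src_vlan}->{vlan_of(flow.dst)} not permitted"
    # north-south: explicit QUIC block first, then the per-VLAN allow-list, then default deny
    if flow.proto == "udp" and flow.dport in QUIC_PORTS:
        return "drop", "QUIC blocked (UDP 80/443)"
    if (flow.proto, flow.dport) in EGRESS_ALLOW[src_vlan]:
        return "accept", f"egress allowed for {src_vlan}"
    return "drop", f"default deny egress for {src_vlan}"


def evaluate_all(flows):
    return [(f, *evaluate(f)) for f in flows]


def summarize(results):
    """Count verdicts, e.g. {'accept': 3, 'drop': 4}."""
    counts = {}
    for _, verdict, _ in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample flows; 203.0.113.0/24 (TEST-NET-3) stands in for the internet.
SAMPLE_FLOWS = [
    Flow("tcp", "10.0.10.5", "203.0.113.10", 443),   # browser HTTPS
    Flow("udp", "10.0.10.5", "203.0.113.10", 443),   # same site trying QUIC
    Flow("tcp", "10.0.20.7", "10.0.10.5", 445),      # IoT device poking a trusted host
    Flow("tcp", "10.0.10.5", "10.0.30.9", 554),      # trusted host viewing a camera
    Flow("tcp", "10.0.30.9", "203.0.113.20", 443),   # camera calling home
    Flow("udp", "10.0.20.7", "203.0.113.30", 123),   # IoT NTP
    Flow("tcp", "10.0.20.7", "203.0.113.40", 8080),  # IoT on an unexpected port
]

if __name__ == "__main__":
    for f, verdict, reason in evaluate_all(SAMPLE_FLOWS):
        print(f"{verdict:6} {f.proto}/{f.dport:<5} {f.src} -> {f.dst}  ({reason})")
    print(summarize(evaluate_all(SAMPLE_FLOWS)))
```

The ordering matters: the QUIC drop sits before the allow-list so a later "allow UDP 443 for some device" entry cannot quietly reopen it, and east-west traffic is judged before any egress rule so an IoT segment never inherits the trusted segment's permissions. The same structure maps onto per-zone policies on any stateful gateway.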
 
I have a similar setup, but outgoing SSL on 443 is a tricky thing to block, and not kill HTTPS in the process, but I do now block all QUIC packets by App ID and by UDP port number (80 and 443 for those who want to know).
Black hole lists are awesome and all that, and they update very frequently, but hot damned.... The hardest part, though, isn't the North-South traffic; it's the East-West.
What tools can I put in place to prevent the TV from monitoring the PlayStation and reporting back, the printer from monitoring the iPad, iPad from the PC, etc...

Too many devices run in some form of IPv4 or IPv6 promiscuous mode, or try to take advantage of known vulnerabilities to monitor traffic within the network it is on. You can enable isolation mode for specific VLANs or SSIDs, and you can try to segregate them by using different gateways, then blocking communication between those gateways by putting them in different zones. But damned, you gotta spend more time trying to keep the devices you own from spying on your other devices than you spend setting them up in the first place.

Feel like the future, for those of us who can, will literally end up being a single VLAN for every single device on our networks :D. I am already at 14 VLANs on my network...(home lab testing stuff is 4 of those...)
 
Too many devices run in some form of IPv4 or IPv6 promiscuous mode, or try to take advantage of known vulnerabilities to monitor traffic within the network it is on. You can enable isolation mode for specific VLANs or SSIDs, and you can try to segregate them by using different gateways, then blocking communication between those gateways by putting them in different zones. But damned, you gotta spend more time trying to keep the devices you own from spying on your other devices than you spend setting them up in the first place.
To be clear you don't run the IP stack in promiscuous mode. You run the NIC in promiscuous mode. There are non TCP/IP protocols. That said, you are 100% correct. I discovered this kind of BS due to my previous employer sniffing network traffic on my work laptop decades ago. Generally not a big deal on a not overloaded switched network as all they will see is broadcast traffic and traffic to or from the station. Except I had enabled a port span to that port so I could capture some traffic and had not turned it off. The port was getting all external internet traffic. Weeks later I received notice that I was running BitTorrent on my company laptop which I knew I was not. I pulled the machine off the network and ran every diagnostic I had on it, confirmed it clean and then replied to IT, CCing my boss, that they were full of shit. Days later I realized what happened, the implications of it, and immediately moved the company laptop to a dedicated VLAN.

I'll also add that this is also why DoH must be killed with fire and DoT used instead. Playing the constant game of cat and mouse blocking known DoH servers is a losing battle. TLS inspection helps, but there are too many exceptions thanks to @#$@#$@# cert pinning BS.
 
To be clear you don't run the IP stack in promiscuous mode. You run the NIC in promiscuous mode. There are non-TCP/IP protocols. That said, you are 100% correct. I discovered this kind of BS due to my previous employer sniffing network traffic on my work laptop decades ago. Generally not a big deal on a not overloaded switched network as all they will see is broadcast traffic and traffic to or from the station. Except I had enabled a port SPAN to that port so I could capture some traffic and had not turned it off. The port was getting all external internet traffic. Weeks later I received notice that I was running BitTorrent on my company laptop, which I knew I was not. I pulled the machine off the network and ran every diagnostic I had on it, confirmed it clean and then replied to IT, CCing my boss, that they were full of shit. Days later I realized what had happened, the implications of it, and immediately moved the company laptop to a dedicated VLAN.

I'll also add that this is also why DoH must be killed with fire and DoT used instead. Playing the constant game of cat and mouse blocking known DoH servers is a losing battle. TLS inspection helps, but there are too many exceptions thanks to @#$@#$@# cert pinning BS.
I would have been digging deeper to see if, at any point during hiring, company policies noted that the tools they utilized can and will scan your personal home network, as that could have been a legal area to get them in trouble!
 
Feel like the future, for those of us who can, will literally end up being a single VLAN for every single device on our networks :D. I am already at 14 VLANs on my network...(home lab testing stuff is 4 of those...)
The bulk of my VLANs are there for splitting off different brands of IoT, so all the brands get their own VLAN, so they can see each other but not anybody else. So the Samsung smart lights are on the Samsung VLAN, and the Doorbell Cameras are on the Camera VLAN. Apple devices get theirs because Bonjour has a TTL of 1, and it doesn't hop VLANs unless you specifically put programming in place to do so, so Apple gets theirs, etc...
 
Actually, this would be dead simple with all the off-lease desktops and cheap NICs out there. 'Assembled in the USA' and fully transparent/end user serviceable. Will be interesting to see if some eBay stores pop up to serve this niche.

Repurposed old desktops are a solution capable of addressing at most something like 0.01% of the switch/router market. The businesses that disposed of them as old won't take them back because someone stuffed a few extra parts inside.

On the consumer side, the overwhelming majority want something that's tiny, uses minimal power, and works with them in completely brain off mode.

That leaves the tiny sliver of the potential market who are willing to trade up in size/power consumption to a(nother) desktop pc, willing to accept using hardware old enough that it's getting to the bad part of the bathtub curve, as well as being willing and capable of administering a system designed by networking geeks for networking geeks. The problem there is that most of those people are also capable of stuffing a few NICs into an old box they already own, and doing the initial setup/config for the network admin tools as well.
 
The timing of rolling out this restriction, at the same time there is a coordinated effort to enforce ID verification in operating systems, is suspicious. I'll put my tinfoil hat on.
You're not the only one who thinks this. Wendell from Level1Techs thought the same thing. Most if not all routers and their components are made in other countries, so this is either another money grab or they want back doors in everyone's routers, or both. Building a router/NAS is probably the way to go today.
 
I have a similar setup, but outgoing SSL on 443 is a tricky thing to block, and not kill HTTPS in the process, but I do now block all QUIC packets by App ID and by UDP port number (80 and 443 for those who want to know).
Black hole lists are awesome and all that, and they update very frequently, but hot damned.... The hardest part though, isn't the North-South traffic; it's the East-West.
What tools can I put in place to prevent the TV from monitoring the PlayStation and reporting back, the printer from monitoring the iPad, iPad from the PC, etc...

Too many devices run in some form of IPv4 or IPv6 promiscuous mode, or try to take advantage of known vulnerabilities to monitor traffic within the network it is on. You can enable isolation mode for specific VLANs or SSIDs, and you can try to segregate them by using different gateways, then blocking communication between those gateways by putting them in different zones. But damned, you gotta spend more time trying to keep the devices you own from spying on your other devices than you spend setting them up in the first place.
This is why everything pretty much is having to move to enterprise level firewalls. I need specific firewall rules for my systems to even have DNS access, the way I lock it down hard.

The main problem though is all these baddies are using ports 80 and 443 and encrypting the data. I turn IPv6 off as I've found that to be a 'solution looking for a problem', as well as anything else that's trying to be more 'smart' than it needs to be, but unless you've got active packet inspection or destination blacklists/whitelists, it's still a game of whack-a-mole. I actually dislike the Internet now--it's just an attack vector that I'm having to use. I really want to go back to computing prior to it--was a lot simpler then because a virus had to come on a disk.
 