
firewall attack proof ?

Discussion in 'Tomato Firmware' started by zatoom, Jan 5, 2014.

  1. zatoom

    zatoom Addicted to LI Member

    Hi, I wonder if the two main versions of Tomato have been NSA, Chinese, Russian, India etc. proof. There are many rumors around about what Mister Snowden has said.
    Backdoors so, how do you deal with these revelations?
    I assume that not everyone is a terrorist.
    And I do not wanna be treated like a terrorist.
    I do not have the knowledge and the ability to test the versions of Tomato for these things.
    Are the versions of Tomato safe? such as at the top of data?
     
  2. gfunkdave

    gfunkdave LI Guru Member

    Tomato is open source. If you're that concerned, you should read through the source code yourself. If you don't know how, you can learn. It would be an excellent learning opportunity.

    Short answer: it's probably fine. If you have the NSA after you, then you have bigger problems than choosing a router firmware.
     
  3. krasnal

    krasnal Serious Server Member

  4. gfunkdave

    gfunkdave LI Guru Member

    OK - there's still nothing about Tomato in here... :)
     
  5. koitsu

    koitsu Network Guru Member

    As far as we (folks involved in TomatoUSB development) know, the backdoors which have recently been discussed are not applicable to TomatoUSB. AFAIK they exist only in the stock factory firmwares.

    The only part of TomatoUSB which consists of "binary blobs" are the wireless driver and (I think -- please someone in the know correct me if I'm wrong) some small parts of the Ethernet switching driver. This is because Broadcom is a very IP-oriented (intellectual property) company and does not give out source code to those drivers (and this is nothing new).
     
  6. zatoom

    zatoom Addicted to LI Member

    Thanks for letting me know. It's not that I distrust the Tomato team, on the contrary. Thanks for the reply.
     
  7. krasnal

    krasnal Serious Server Member

    Good point, well brought out, as my old prof would say.

    However... I'm guessing that you've not had time to read the report (please correct me if I'm wrong). The report is not about simply getting admin access to a router. The report is alleging that some BT-supplied routers are creating a parallel VLAN to an IP address somewhere in the UK, that's part of a US DOD-registered block. The report suggests, whether correctly or not, that, amongst other things, users' wi-fi MAC addresses might be passed via the VLAN to "persons unknown".

    And the Tomato angle? While the MAC address of wi-fi users will be unavailable to a cable or ADSL router/modem if they are going via a Tomato router, the modem/router will still see the MAC address of the Tomato router's WAN interface. While I know that this can be randomized via the user interface, is this function available via the command line - and therefore through a cron job? Doing so is unlikely to be more than a minor inconvenience to any monitoring party, but we have a duty to keep them on their toes.
     
  8. lollekatt

    lollekatt Reformed Router Member

    The advantage of Tomato's older kernel is actually beneficial here.... (it however, does make the attack vector higher for traditional break-ins).. but in that case, NSA isn't your worry... (if it were, then as mentioned, the router ain't your biggest concern), but other hackers.

    On a side note though.. if you wondered why Intel CPUs are so great a price the past years (beginning with Sandy onwards) it is due to the embedded backdoors.. plus as someone has shown .. Intel microcode updates have a 2048 bit key embedded in them... most likely for remote controlling by a "particular" owner (Intel/NSA). It's been known those over more than just one decade, that no US companies are trustworthy.. and this doesn't go for just tech.

    Worse is looking at the budget NSA had just this last year to subterfuge and push/pay any tech compan{y,ies}, including non-US :/

    250 million USD was it? :/

    One example... OpenSSL, the famed elliptic weakness.. it's there, NIST is NSA... and OpenSSL don't even confirm it.. except indirectly... ("we can't speak about it due to over 200 NDAs" LOL)... Needless to say.. no other "company" in the world would demand 200 NDAs.
     
  9. lollekatt

    lollekatt Reformed Router Member

    krasnal: yes... although you have to bring down the interface whilst changing the MAC address...

    e.g. cmdline: ip link set dev eth0 down; ip link set dev eth0 address 02:22:33:44:55:66; ip link set dev eth0 up
    (rebind dhcp lease).
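
The command-line MAC change discussed in posts 7 and 9, as an added example that is not part of the original thread: shell functions that generate a random locally administered unicast address and apply it with the same `ip link` down/address/up sequence, so they can be called from a cron job. The function names and the `WAN_IF` variable are assumptions, and the script assumes `head`, `od` and `grep -E` are available on the router.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and WAN_IF are hypothetical.

# Succeed only for a well-formed unicast MAC. An odd first octet (low bit set)
# marks a multicast/group address, which is not valid as an interface's own MAC.
is_unicast_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    [ $(( 0x${1%%:*} & 1 )) -eq 0 ]
}

# Print a random MAC with the locally administered bit (0x02) set and the
# multicast bit (0x01) cleared, so it cannot collide with a vendor-assigned OUI.
random_mac() {
    set -- $(head -c 6 /dev/urandom | od -An -tx1)
    first=$(( (0x$1 | 0x02) & 0xfe ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Apply a fresh random MAC to interface $1. The link has to be down while the
# address changes; it is brought back up even if the change itself fails.
set_random_mac() {
    dev=$1
    mac=$(random_mac)
    is_unicast_mac "$mac" || return 1
    ip link set dev "$dev" down || return 1
    ip link set dev "$dev" address "$mac"; rc=$?
    ip link set dev "$dev" up
    return $rc
}

# Run only when an interface name is supplied, e.g. from a cron entry:
#   WAN_IF=eth0 /path/to/this-script
# Renew the DHCP lease afterwards, as noted in the thread.
if [ -n "${WAN_IF:-}" ]; then
    set_random_mac "$WAN_IF"
fi
```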
     
