North American Network Operators Group

Re: Open Letter to D-Link about their NTP vandalism

  • From: Steven M. Bellovin
  • Date: Tue Apr 11 12:25:11 2006

On Tue, 11 Apr 2006 10:28:32 -0400, "John Underhill" <[email protected]>

> It seems to me, that the only *real* solution is for these manufacturers to
> implement a [responsible] strategy of automatic firmware upgrades, as it
> pertains to these (simple eu type) devices.
> How difficult would it be to have the router test a server periodically,
> (say once a month), and in the case of a critical flaw in the software,
> silently update the device?
> I suspect it is cost/benefit skepticism that is keeping them from doing just
> that.

It would be a disaster.  My (cable modem) ISP does that to my cable
modem/NAT box.  A few months ago, a buggy update made the NAT part drop
all connections after 30 minutes.  It took me a week or so to get enough
data to nail down the problem precisely.  I then had the fun of trying to
get through the phone droids to reach someone who understood what "NAT"
or "TCP" meant.  What unusual combination of features will random upgrades

By the way, since we're talking about D-Link, it's instructive to read the
warnings on their firmware update pages.  

	Do NOT upgrade firmware on any D-Link product over a wireless
	connection. Failure of the device may result. Use only hard-wired
	network connections.

	This firmware is engineered for US products only.
	Using this firmware on a device outside of the United States will
	void your warranty and may render the device unusable.

Other warnings I've seen include warnings that all configuration options
will be reset, version incompatibilities, and the suggestion that one
should connect to a UPS before doing the upgrade, just in case.  (Hmm --
there's a vicious thunderstorm approaching, and the lights are
flickering.  And it's time for the monthly autoupgrade!)

		--Steven M. Bellovin,