https://www.gl-inet.com/about-us/ says:
> GL Tech (HK) Ltd: #601, 5W, Hong Kong Science Park, N.T. Hong Kong
> GL Intelligence, Inc.: 10400 Eaton Place, Suite 215, Fairfax, VA 22030
I'm a little curious about this. One of the reasons that some people run OpenWrt is for improved security. In the general security space, a Shenzhen company isn't the most usual choice of vendor for Western countries. Also, the company having the US subsidiary/office/unit based in Virginia, and with "intelligence" in the name, hits a somewhat odd note.
Is it really any different than every person who insists on running pfSense for security reasons then immediately suggesting some Chinese shitbox PC off AliExpress as the ideal platform to run it on?
Also, since when has having a Wikipedia page proven a company legitimate? You know most companies author their own pages anyway, that's kind of how Wikipedia works.
> suggesting some Chinese shitbox PC off AliExpress as the ideal platform to run it on?
How reasonable do you think it is to be this automatically suspicious of any computer coming from China? A generic low-cost barebones Intel PC certainly has plenty of space for compromised firmware to hide, but it's implausible that a Chinese intelligence agency would indiscriminately deploy an attack that made use of a compromised Intel Management Engine firmware signing key to put firmware rootkits in cheap hardware sold to individual consumers.
On an embedded system like the OpenWRT Two where the entire BOM of the system will be public and the OS has full control over the raw flash memory, a purely software-based supply chain attack would be extremely difficult, and a hardware-based supply chain attack would be expensive. Do you think an intelligence agency would really bother with this for a device that is mostly going to be shipping to nerdy hobbyists?
There's more to a threat model than just recognizing that an attack may be technically feasible.
> How reasonable do you think it is to be this automatically suspicious of any computer coming from China?
Based on their track record? Pretty fucking reasonable.
I would say that most probably isn't malicious collaboration with the CCP, rather sheer incompetence. Shipping secure anything just isn't part of their culture. Read a comment on HN the other day from someone that evaluated Huawei hardware for a telco and swore it was so full of holes to be unusable.
The ingrained extreme cheapness of Chinese culture doesn't help. Security is viewed as a luxury - why waste time and money on it when that could be better spent elsewhere?
That said, the incompetence gives them plausible deniability when the intelligence agencies take advantage to exploit the holes for their own use.
What kind of security vulnerabilities do you think an incompetent PC OEM is going to accidentally introduce to a barebones PC that's basically shipping an Intel reference platform and no SSD? Or that GL.iNet might be able to introduce to a system where OpenWRT is assembling the firmware image that gets flashed to the board, and if there are any closed-source components they'd be coming from Mediatek and not developed by GL.iNet?
Shipping telco hardware with a massive bespoke software stack implementing an impossibly-complex pile of standards is very different from what we're talking about here.
> What kind of security vulnerabilities do you think an incompetent PC OEM is going to accidentally introduce to a barebones PC that's basically shipping an Intel reference platform and no SSD?
That's only a problem if the Active Management Technology feature is correctly supported by the OEM including wiring it up to a supported NIC, and the feature is enabled and provisioned by default, and the NIC in question is connected to a network that is a potential attack vector.
From what I can tell, the current NIC of choice for Chinese router PCs is the Intel i226-V, and such PCs come with 4-8 of those. In order to work with the Active Management Technology feature, those would have to be the more expensive i226-LM or i226-IT parts. So AMT is impossible to enable on those PCs and there's no part of the boot firmware that continues interacting with any NIC after the OS has taken over managing PCIe peripherals.
> there's no part of the boot firmware that continues interacting with any NIC after the OS has taken over managing PCIe peripherals
Are you sure about that? Because I remember something called ACPI that gets executed by the OS every time some configuration changes, such as power levels.
STH has reviewed Chinese PCs that come preloaded with malware. My MSI motherboard force installs Nahimic by default. Not technically malware but the same mechanism exists for malware.
Do you think any of that is relevant to the case of buying a barebones PC that doesn't include SSD or RAM, then adding those components yourself and installing a non-Windows OS?
If your MSI motherboard is installing Nahimic without an internet connection, it is doing so through a mechanism where the installer is made available to the OS in an ACPI table that Windows checks. That check can be disabled with a registry key to prevent such software from being re-installed, and the motherboard may have a BIOS option to disable the anti-feature (though the registry key method is generally more effective, since BIOS settings often get reset to defaults).
Please don't ignore the points I've already made about how a firmware-based attack against a non-Windows OS is a lot harder to pull off. I'm not asking if you think a company would be willing to ship such malware, I'm asking what kind of malware you think is realistically possible. What do you expect a UEFI-based malware to be capable of doing in this context, given the constraints of the hardware we're talking about?
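The "ACPI table that Windows checks" in the comment above is the Windows Platform Binary Table (WPBT). As an added example (not code from the thread or from any vendor mentioned in it), the PowerShell below lets a defender verify on their own machine whether the firmware exposes such a table and whether the registry switch is set. It assumes the comment is describing WPBT, uses the Win32 `EnumSystemFirmwareTables` call to list ACPI table signatures, and takes the `DisableWpbtExecution` value name from Microsoft's WPBT documentation; changing the value needs an elevated session.

```powershell
# Added example, not from the thread. Assumption: the ACPI mechanism the comment
# refers to is the Windows Platform Binary Table (WPBT), which lets firmware hand
# Windows a binary to run at boot, and DisableWpbtExecution is the registry value
# Microsoft documents for turning that behaviour off (a non-Windows OS ignores WPBT).

# P/Invoke for the Win32 call that lists firmware tables for a given provider.
Add-Type -Namespace Fw -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
'@

function Get-AcpiTableSignatures {
    # 'ACPI' as the provider signature DWORD, per the EnumSystemFirmwareTables docs.
    $acpi = 0x41435049
    $size = [Fw.Native]::EnumSystemFirmwareTables($acpi, $null, 0)
    if ($size -eq 0) { return @() }
    $buf = New-Object byte[] $size
    [void][Fw.Native]::EnumSystemFirmwareTables($acpi, $buf, $size)
    # The buffer is a packed list of 4-byte ASCII signatures (FACP, DSDT, WPBT, ...).
    for ($i = 0; $i -lt $size; $i += 4) {
        [System.Text.Encoding]::ASCII.GetString($buf, $i, 4)
    }
}

function Get-WpbtStatus {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -Path $key -Name DisableWpbtExecution -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WpbtTablePresent  = ((Get-AcpiTableSignatures) -contains 'WPBT')
        ExecutionDisabled = ($null -ne $prop -and $prop.DisableWpbtExecution -eq 1)
    }
}

function Disable-WpbtExecution {
    # Creates or overwrites the DWORD value; takes effect at the next boot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    Set-ItemProperty -Path $key -Name DisableWpbtExecution -Value 1 -Type DWord
}

$status = Get-WpbtStatus
$status
if ($status.WpbtTablePresent -and -not $status.ExecutionDisabled) {
    Write-Warning 'Firmware exposes a WPBT table and Windows will still execute it at boot.'
}
```

Running `Get-WpbtStatus` is enough to audit a machine; calling `Disable-WpbtExecution` afterwards is the registry-side mitigation the comment describes, and it survives a BIOS reset to defaults because it lives in the OS image rather than in firmware settings. Whether a table is present at all is a property of the board's firmware, which is why the check is worth repeating after a firmware update.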
I’ve reluctantly come to the view that Apple is the best bet for a consumer to get a somewhat reasonable (price notwithstanding) compromise between hardware vertical integration and software that offers substantial bug bounties and large market incentives to not allow bad vulnerabilities to sit for too long. With deep enough pockets to hang tough if needed in various situations.
I completely agree about the buggy bloated software but all I’m saying is that it’s the best bet compared to actual consumer alternatives which are generally a frankenmix of the lowest cost components sourced from the lowest cost vendor with minimum effort spent to ensure and maintain any semblance of security.
Not only this, but most US companies do not really have any incentive to focus on security.
On HN there is an echo chamber with the shunning of companies who have experienced incompetence based breaches. Your average consumer does not know (beyond the news cycle) or generally even really care.
I think you can even look at FBI and NSA public service announcements and guides about consumer electronics security as a sort of "shit, this industry stuff is pretty bad, we need to think about our goal differently," with regards to them trying to pick up some of the security slack that US companies shit out with their products.
The various 3-letter agencies really are incentivized to help government and industry be legitimately secure against anything short of the sophisticated attacks they themselves can orchestrate.
When you’ve got the sort of reach and resources they have, it does you no good if script kiddies or unsophisticated attacks are causing problems and you don’t need the easily preventable attack vectors they’d use.
Someone evaluated Huawei hardware for many telcos years ago and a lot of them decided the equipment is not only usable, it’s the best choice. So which ones were the incompetents or shills?
I'm curious how you are currently writing those comments. Other than most of the hardware being made in CN or TW, there are not so many records of targeting normal people.
Also you get good hardware cheap, it just works and helps us going forward. Enterprise crap from companies like Intel (especially their server disks) has been a nightmare for years now, and the latest Juniper and Cisco hardcore bugs in software causing soft-drops without any metrics rising on-device - good luck with that.
I'm happier using CN stuff than imaginary safer and better US crap.
As someone who was personally a victim of the 1-2 punch of vulnerable HW and unquestionable malware that took advantage of said vulnerability from the same vendor (and I have the pcaps to prove it), I have sworn off CN garbage forever, I don't care if I have to pay 3x the price.
No one stops you from doing so, just know you will probably be part of a botnet sooner or later.
If you have proof, then why wouldn't you name and shame the vendor in question, or at least be less vague about what kind of product you're talking about? Talking about how you determined that you were being attacked through a combination of hardware and software vulnerabilities would be way more interesting and appropriate for this forum than generic anti-China complaints.
> How reasonable do you think it is to be this automatically suspicious of any computer coming from China? A generic low-cost barebones Intel PC certainly has plenty of space for compromised firmware to hide
The problem seems to be that this firmware doesn’t really get updated once the machine is sold.
That’s legitimate criticism for a security-critical network component.
It's not ideal, but it's not a deal-breaker for every use case. The kind of firmware you get on a barebones industrial-oriented miniPC style router from China doesn't have much potential for a remotely-exploitable vulnerability. Most of the NICs aren't even going to be touched by the boot firmware. The user-supplied OS can take care of applying CPU microcode updates. If the PC doesn't ship with a rootkit already present in the firmware, it's pretty hard for the firmware to be a security problem unless it's secondary to a security vulnerability in the OpenWRT or pfSense software.
Running an up-to-date OpenWRT or pfSense on a normal PC hardware platform with outdated UEFI firmware is still a big step up in security compared to running factory firmware+OS on a cheap consumer wireless router.
The people who source no-name/random-name computer/networking hardware off of AliExpress to use for routers aren't the security-conscious people I'm talking about.
As I said, GL.iNet is a popular company.
I didn't say that having a Wikipedia page proves that a company is legitimate.
Usually the kind of people installing their own router software are the homelabbers who would buy a netgate appliance or equivalent in a professional setting.
The existing OpenWrt One is running a version of Banana Pi, also a product by a Chinese company [1],[2],[3].
From their website, "Banana Pi open source hardware community is an open source hardware project led by Guangdong Bipai Technology, and supported by Taiwan Hon Hai Technology (Foxconn)."
I'm less concerned with their jurisdiction and company profile than their absent software/firmware maintenance.
I have a bunch of their different models and in practice most of them are unusable today (based on ancient upstream with missing important updates; their sources are a huge mess with scarce and out-of-date docs, so have fun resolving that yourself; device dtb/driver require unavailable patches; IIRC their stock vendor firmware phones out and they seem to be pushing towards a centrally managed cloud platform I wouldn't trust).
It really is a shame as on paper and out-of-box-right-after launch their devices seem great but after spending too many days failing to get working builds for in particular the Mudi/E750 while realizing that stock firmware is unsafe in untrusted networks, I've given up on them until I see some drastic change in maintenance culture.
The collaboration with OpenWrt might make the "Two" an exception, I guess, if the OpenWrt people are involved and demanding enough.
You should be aware of how much collaboration the OpenWRT folks have with -say- Ubiquiti Networks. [0] And yet, OpenWRT runs fine on the UAP-AC-LITE and -LR.
I'd wager there's nearly zero collaboration between the overwhelming majority of the hardware manufacturers that create hardware that OpenWRT runs on and the OpenWRT folks.
Your concern is entirely unwarranted and -if I might be a little uncharitable- seems to come from a position of ignorance (whether actual or feigned, I cannot tell).
What does that have to do with anything? I'm speaking about experience of deploying existing gl.inet devices, marketed as "fully open source" with OpenWrt being front-and-center in marketing, as well as being promoted on the OpenWrt wiki.
That someone from the community has made OpenWrt run fine on Ubiquiti gear has nothing to do with my comment and is not indicative of anything (if anything perhaps supporting the notion that glinet should be able to do better).
> Your concern is entirely unwarranted and -if I might be a little uncharitable- seems to come from a position of ignorance (whether actual or feigned, I cannot tell).
Yeah, that's quite uncharitable. Did you read the last line of the comment you replied to?
Speaking of ignorance... How many new embedded devices have you personally ported OpenWrt (or any Linux dist for that matter) to? How many glinet devices do you have experience deploying self-compiled builds to? How much time have you spent digging through their sources and patches?
In fact I'm quite surprised by this announcement. GL.iNet is famous for claiming that their OS is based on OpenWrt, while it can be some vendor SDK that is based on some decade-old version of OpenWrt and has little in common with it today.
> Did you read the last line of the comment you replied to?
Yes. I read your entire comment and thought on it for a while before I replied. It's stupid to do otherwise.
> That someone from the community has made OpenWrt run fine on Ubiquiti gear has nothing to do with my comment and is not indicative of anything...
Yeah, except that it is. Your comment indicated that ongoing effort from the GL folks was relevant to having OpenWRT continue to run on the hardware:
> I'm less concerned with their jurisdiction and company profile than their absent software/firmware maintenance.
Ubiquiti is famously anti-open-source. They used to be less so with their routers, but always were very, very nasty when it came to their WiFi access points. There's no way in hell they're providing assistance (especially ongoing assistance) to the OpenWRT project.
This is honestly a fantastic deal for both sides, we get cheap hardware, they get working software. We're both terrible at doing the other bit and all governments are gonna have backdoors regardless.
I'd like an L3Harris gamer router with IBM CPU, Intel ROM/RAM, Xilinx DSP, and Analog Devices modem, all at $49, but only if there's going to be such a thing, ever...
MikroTik is European (Latvian) and makes some affordable routers. Their own RouterOS is closed source, but many models are supported by OpenWrt (no experience). If you are willing to spend more, OPNsense (Netherlands) also sells hardware. In the old days one could also recommend pfSense hardware, but they are becoming more and more closed (though you can usually run OPNsense on the same hardware).
QNAP is Taiwanese. Their QHora routers use closed software, but I think most models are supported by OpenWrt.
I would like to avoid MikroTik at all costs since they are not only running questionable proprietary software, but have a history of GPL violation.
Currently they provide sources for GPL components this way, what a joke of a company:
>To get a CD with the corresponding source code for the GPL-covered programs in this distribution, wire transfer $45 to MikroTikls SIA, Ūnijas iela 2, Riga, LV-1039, Latvia.
The irony here is that it's the US who has been proven to break into allied networks and infrastructure and done both political and industrial espionage against their allies.
If global manufacturers would get with the program and ship blob-free hardware with mainline Linux support, owners could pick their desired firmware and software poison. Until then, we have Cambrian hardware innovation, old kernels and mystery firmware from Shenzhen, which can be compromised by a broad spectrum of hostile actors.
I don’t see how ubiquiti not being open source is relevant here, as the original question was
> Can you recommend Western companies that would be able to produce similar hardware at the same price point?
Besides, I’m yet to see any open source routing software that’s half usable as a complete package. With the sole exception of VyOS, it’s all hot garbage, OpenWRT and pfSense included.
Ok, you may be in the wrong thread. This is a product for people who consider OpenWRT support to be a positive selling point. The OpenWRT One and OpenWRT Two are not products aimed at people who consider OpenWRT to be "hot garbage". They're not trying to produce generically good router hardware; they're trying to produce good router hardware for use with OpenWRT.
When somebody in this context is asking for similar hardware, it's reasonable to assume that OpenWRT support would still be considered important, or at least worth mentioning.
MikroTik also sells bare boards. They come with their RouterOS platform (Linux based, closed) but some can run OpenWRT.
Also Olimex has really interesting and open products, but they're not primarily aimed at networking.
Similarly, I'd like one from outside both american/european AND chinese influence. I think you'd be absolutely insane to trust either of them.
Honestly, if we're ever going to have a decent open hardware movement, I think it's going to come from a place like Nigeria or Peru, not a wealthy country.
GL Intelligence is just their 'American Agency', or their legal representation in the United States since they are a foreign company. Probably an American consultant firm they fund. This is required. You can't use your Hong Kong lawyers here.
I don't understand this comment. All electronics assembling happens in Shenzhen. Be it Apple, Cisco or Microsoft. If anything this is par for the course.
What I personally would have liked to see was an EU based entity overseeing and taking responsibility for the project since neither US nor China really should be trusted with privacy these days.