[plug] Safely using an untrusted router

Dirk justanothergreenguy at gmail.com
Tue Oct 20 05:17:46 UTC 2015 

Oops, my error, I think I'm already using PPPoE.  But don't you lose the
firewall of NAT (re unsolicited traffic) in pass-through mode? ...and a
MITM in the modem could still play funny games if your traffic isn't
encrypted from your computer.

Am I wrong in thinking a VPN (set up on the PC, not in the
router) would offer far greater security through an (any) untrusted
router?  I mean, isn't that what is recommended for people logging into
their corporate network remotely (say from a hotel, etc)...?

As far as I know, the RPi incorporated the GPU driver with the OS in the
one big blob that goes on the SD card.  As such, you can verify the
integrity of everything volatile / rewriteable before using it, with a
simple MD5 checksum across the whole SD device. ...but I may be mistaken  :)

Btw, they should make modem routers (and USB controllers, motherboards,
hard drives, etc) with non-volatile firmware, or firmware inserted
via microSD card, so it can be replaced and verified, according to known
checksums.  Am I the only one who would pay for this?  Anyway, I digress.

Cheers, Dirk




On Tuesday, 20 October 2015, Brad Campbell <brad at fnarfbargle.com> wrote:

> On 20/10/15 11:47, Dirk wrote:
>
> I might have to look into using a modem in pass-through mode, and
>> hopefully my ISP can enable the PPPoE at their end.
>>
>
> Is your router currently configured for pppoe or pppoa?
>
> Does your Billion modem have any firmware that can be updated or
>> compromised (i.e. wouldn't solve my issue), or is it all hardware?
>>
>
> All modems/routers have firmware that can be updated and compromised. By
> using the modem in passthrough mode it'd have to be modifying the ppp
> encapsulated packets on the fly. Not impossible, but a bit more complex
> than just re-routing IP packets using the kernels filtering infrastructure.
> There hasn't been a 'hardware only' modem in 30 years.
>
> Btw, I'm considering using a Raspberry Pi (not sure how secure Raspbian
>> is though), to get around the possibility of BIOS malware in my PC, as I
>> can verify the integrity of the Pi's 'firmware' by rewriting the OS onto
>> a small SD card each time I need to access important online accounts.
>>
>
> How can you verify the integrity of the PI? I thought it had some binary
> blob drivers for the GPU. That's no more secure than the BIOS in your PC.
>
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20151020/1e68e857/attachment.html>

More information about the plug mailing list