FBI says to reboot your router ASAP to avoid Russia malware VPNFilter

Understood, but, unfortunately (for Phase 1 anyway), we have:

“The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device.”


Unfortunately, “managed” only works if the managers know and care. This has not always been the case. TR-069 is somewhat less proprietary but also doesn’t have a pretty track record.

It appears that ISPs, perhaps even more so than individuals (since they are buying the things by the truckload), are price sensitive and apathetic when it comes to CPE junk; and to the degree that they do lavish care and attention it’s often on “keep filthy users from tampering with the Premium Content in our hideous STB/router/modem hybrid” rather than more prosaic security issues. (Here is a recent one where Comcast’s site was just merrily leaking users’ wifi passwords, which they were, apparently, gathering from hardware they had managerial control over, for what are doubtless good and excellent reasons).

There’s also the big downer of ISP-controlled gear being treated as a profit center; which leads to egregious ‘rental’ gouging for trash; which would be even harder to get around if there were a ‘because security’ mandatory managed device provision in place.

I remain baffled by why your basic plasticy router doesn’t even tend to default to checking for what pitiful few updates are available without you manually prodding them; but letting the ISPs do it would be letting an incompetent kleptomaniac fox guard the henhouse.


Rebooting your router lets the FBI/NSA ISP-loaded exe load and initialize so they can ‘protect’ you. 🕵️‍♂️

I suspect that that would (much like the Android case) be a nontrivial technical problem on top of a more or less intractable (unless a suitably competent and benevolent despot immune to regulatory capture or temptation toward rent-seeking happens to be available) motivation problem.

I suspect that there are a bunch of elegant abstraction mechanisms to do what you have in mind (between virtualization-oriented features now being an option right down to the “slightly larger microcontroller” class; and sheer power making all the cool stuff that team Lisp machine had before getting massacred by ugly architectures running C really fast, and Team Java more or less fruitlessly dreamed of recapturing, now cheap and relatively low power); but it’s very, very, unclear that lack of such a cool system is the problem.

Cheap SoC boxes tend, pretty much across the board, to feature attention to security worse than even the upstream projects their software is derived from blatant GPL violations of. If they cared even slightly they could reap substantial (though by no means total) gains just by not being dicks about cooperating with mainline. But, no.

If you can’t even get them to do that, the case for “adopt this cool architectural model that will make all your core functions absolutely interchangeable with your competitors; and tightly constrain your ‘value added’ ‘differentiating’ features!” seems like it could have seen trouble.


Most people don’t have that luxury, unfortunately. I run a home network for seven family members and guests. Therefore, my network has to run 24/7 without interruption.

Since I have the skills to do so, I run dedicated boxes for the modem, router, switch, and wireless access points. All kept up to date and using strong passwords.

Unfortunately, again, most people can’t do that.

But yeah, keeping your router turned off is pretty good security. Probably.

i’ll be honest that i’m a little bit fuzzy on the question of routers.

i never needed anything like a router for my landline, just plug it into the wall. it all goes to the big call center in the sky. why’s it got to be different for a computer? they’ve got cpus and software up the whazoo.

gotta be a reason beyond just because the outlet’s different…

Your landline was an analog* connection to a central switch that routes traffic. If something interferes with the connection - say, a lightning strike downtown, a car passing by with bad ignition wiring, a leaking rad shield in a microwave or a ballast in a fluorescent light blowing out, whatever - then you hear a little crackle or hiss in the connection and you say to the person on the other end “could you repeat that?” or you infer content from undamaged context. If another person picks up a phone extension, their voice mixes right in, and if you both talk at once, nobody understands anything until one of you shuts up.

Your data line is a digital** link, that is potentially carrying many separate streams of data - for example from bOINGbOING to your browser, and from netflix to your smart TV, and from your wifi-equipped phone to the NSA, and so forth. The data streams are broken up into packets - short bursts of digits - and if something interferes as previously described, the specific packet that was damaged has to be retransmitted. The router makes sure that the packets get where they are supposed to go - netflix to the TV and BB to your computer, and so forth.

Because you have the router there anyway, routing the packets, usually there is a bunch of additional function piled on. Some of these functions are necessary in order to have multiple devices use the router (DHCP service to assign IP addresses, outgoing address translation for example) and some are highly desirable, but not really necessary, you’d just have to be an idiot not to want them (firewalls, for example, fall in this class).

Because all the above means the router has to be fairly smart, the router vendors build them as general purpose computers, typically running Linux, in order to make them affordable commodity products. This means that they are vulnerable to being hacked just like any other general purpose computer, by whoever the government wants you to believe is dastardly today (currently Russians, was Chinese, before that Iranians, before that Russians).

Did that help any?

* this means when you talk loud, the voltage gets higher, when you sing bass, the frequency gets lower, it’s literally mapping your voice from sound to electricity directly.

** this means information is being split up into individual chunks like letters, numbers, or even milliseconds of sound or video, and then those chunks are encoded as sequences of ones and zeros (+5 volts for zero, -3 volts for one, or some similar scheme). Because the chunks are being sent incredibly fast, you can send a lot of them.


that’s a great explanation.

now, if a router is a general purpose computer and so is my pc, is the reason my pc isn’t also the router historic? or is it just people don’t want to burden their machines?

i get that for maybe something like wifi you’d still need a “base station” so maybe it’s convenient to make that base station smart enough to route. you’d certainly need some pairing between pc/s and it. and routing sounds like one ( tho complex and hackable ) method of pairing.

Glad you liked it :)

Both! Back in the day you didn’t want to burden your PC, so you had a separate box. Today you could buy a multiport Ethernet card for your PC so you could plug in multiple devices, and a USB Wi-Fi antenna widget to provide wireless, and you’d be easily able to route packets for all your other devices, unless you were playing some super demanding game or something. Computers are so much more powerful now… But in the meantime, routers have gotten so cheap they cost less than the parts I mentioned, and you don’t have to be a networking guru to set them up. So pragmatically speaking it’s easier to keep them separate, and it means your network still works when the PC is off 🙂


You could use one of these, and sneer at Russkie hackers:


(Not my photo; that phone looks from the bezel like a pushbutton dial. Mine’s rotary.)
