I want to do a quick rant on routers and security and why I choose open source software specifically for my routing, and this is just insanity to me. I don't even know how this passes code review by some of these people or how anyone thought this was a good idea. We'll start with the first one, and I'll leave links to all this because I want you to read as well and kind of get a better perspective of this. Maybe I'm wrong, and tell me I'm crazy if I'm crazy, but we're gonna start with "5,000 routers with no telnet password. Nothing to see here, move along." like the title and type entered a hack. This does this is worthy of calling it a hack. This is a company that decided to ship devices and have telnet open with the thoughts that maybe the customers would go ahead and set this. Any amount of bother we'll put in a password on it because the customer when they get it will take the time to set it. The tyranny of the default is what I've heard it called, and I like that phrase, because people never change things under default, because if it works out of the box, like, default, away people go and they will not change it. So then this is obviously only 5,000, only is not that big of a deal, but I'll leave a link to this. This is where we're gonna start.

We're gonna move on to DrayTek. Now I've had a few people ask me, hey, what do you think of DrayTek? Apparently they're popular security model or security routers. I'm not familiar with them. I have no feelings about them one way or another, and well, I didn't until this, and it got me reading about them. Now, "Notification of urgent security update to DrayTek routers": I'm glad that they are addressing it. Hats off to them. They are owning up to it and listing all the things, models. They got to be patching or providing firmware for this. So thank you for that. But this started with, it looks like, Kevin Beaumont, and I'll leave a link to the tweet storm that set all this off.
Reports are coming in and DrayTek routers have been mass hacked and DNS service changed to them. So the first thing Kevin reports here is the default admin passwords are really weak. This is a lot of them, and someone's probably going, but other companies do this too. Yeah, but they don't do it on the WAN side. This is a problem because if you plug something in and it just works, great, but if you have the WAN side wide open you're asking for trouble, because someone will plug it in, it'll work, and then they're on the WAN side. This is not really that acceptable, but I mean, I understand the default password part, but they have it open on the WAN side out of the box. That's insane. The running theme so far is remote admin WAN enabled on by default. That is just wrong. Off by default would be better.

DrayTek, then he links to the confirmation and the page I showed you where they said yes, there's some updates for it, and you can read, and this will probably be longer by the depending on when you look for this, but yeah, there's just a lot of problems apparently with this. And this is once again these are companies that provide black boxes that are magical, with no visibility into the software that runs them. They're not open source. They do use some open source components and they release under GPL the components they use, but the entirety of the software is not auditable, so you can't know what else might be wrong inside of here causing the issues. This is still, a lot of people are complaining about this. There's other, if you just do the hashtag DrayTek right now on Twitter. There's a lot of people complaining about this, but it's not a lot of details as to exactly how this hack is occurring causing the DNS to get changed.

And someone goes, why don't you go with those expensive brand name firewalls, Tom, the company we all know and trust, which I don't know why you trust them, because the word "again" is the key here. "Hard coded passwords found in Cisco enterprise software, again."
I don't know how this passes code review. Cisco is not an inexpensive product. Generally speaking their hardware is really solid. I'm not knocking them as a performance product. They do a decent job, but you can't hard code passwords. There is nothing you can compel me to think that hard coding some of this stuff in there is ever a good idea. And this is a list of vulnerabilities. Some people say we shouldn't go hard on Cisco. I've seen this in one of the Reddit comments, because they self disclosed it. I'm like, what, what, that's no, no, this company. Yeah, this is what makes me mad. So the company discovered these flaws following as part of a massive series of internal audits started back in December 2015. At the time, security researchers found a backdoor account in Juniper. Yes, Juniper did it too, that could decrypt VPN traffic, and Cisco decided to hunt and root out similar backdoors before attackers found them. Yes, Juniper, another big expensive router company.

Now my rant and kind of what I want to talk about in general with this is, this is one of the reasons you're seeing an even bigger push to open source firewalls. These companies are realizing at the corporate level that they've given their money to these people and their trust has been betrayed. You know, when Juniper had a hard-coded password, some of these things are sometimes found for convenience reasons. The developer thought, well, I just put this in here because then I could have an easy way to admin it when we got to do support. Yeah, no one will ever figure out the password, no one will ever poke away at these firewalls that are on the internet where people poke at them and find this crazy password that I put in of not that hard to guess. And this is something you don't see in popular open source projects, popular because I'm sure you could find some firewall that was poorly written that is open source. So when you're choosing a firewall, you want to look at the history of that firewall.
You want to look at something, and now my choice is pfSense, but they're not the only open source game out there. I know there's other ones out there, and that's a key to me before I like to deploy some of these: are they open source, have they gone through some type of code review or audit? And I will tell you, when you're releasing your source code, you're probably not going to hard code a password, because you're just seeing ahead. I got to publish this on GitHub. I'm not going to put the password in there because that won't be hard to find. And that is at least the thought process I hope goes on. With these closed source firewalls are giving you these black boxes that are magically going to protect your network. Just trust us. Okay, we blindly trusted you and you have betrayed our trust with a series of oopses. And this is one of those things, I'm glad they're sorting these out. But that's still, they once again, the black box just got updated with more black box data. I still can't see the software that went into it. I can't see the code that went into it.

And firewalls are very complicated devices here in 2018 and getting more complicated. Security is really hard. Because with security, you have to be right all the time versus the bad guys, they only got to be right once, they only got to get that password once and they're in. They're looking for an edge all the time to get in. So someone who wants to mess with your firewall, mess with your security, that's what they're looking for. This is why I'm hesitant to, you know, just jump on and try another firewall. There's a couple of them out there that I, at least from other security people I know and other IT companies I've worked with that have done some testing, are really happy with them. You know, UniFi has a pretty good track record of keeping things up to date. And you know, it's not like they're never going to find a flaw.
So like I said, security started going to find flaw, but owning up to that flaw, and I say that for DrayTek, they owned up to the flaw, just understand the enabled by default part. I never used their devices to confirm that other than seeing that on Twitter, but that sounds odd. But you know, there's going to be flaws, there's going to be patches, that is an accepted part of it, and properly disclosing, having CVEs and going through disclosure processes. Those are great. But when you are the security flaw, that's a big problem.

So pfSense, been happy with them. They've worked really well. I've heard good things about Untangle. I've had a lot of people ask me if I want to review it. It's on my to-do list. It's not, I'm kind of busy right now. Maybe I'll get to it eventually. But I've kind of been thinking too, and I'm gonna shine, you know, maybe I can get some friends together and we can get some funding for this. But an idea I'm having is to try to do some testing against these firewalls that are really popular in the market. I mean, there's already these other security testing, but I'm looking for something more on the consumer side. So I want to test more of them. But unfortunately, it takes time and takes security people to do it.

So just some other thoughts on some of that. But open source definitely still, in my opinion, the best way to go, because you can see the audio can see the magic that makes the black box work. That's the important part and why I still prefer an open source firewall. Is everything going to be perfect? No, but at least I can see the code. And when you can see the code, the writers of that code are a lot less likely to do things like, you know, embed passwords and things like that. So that's my little rant about some security and open source and why I don't review every firewall, or I wish I had time to. But also why you're careful, got to be careful and think about what you deploy.
You know, I can't say don't always go with the cheapest as one rule. But the most expensive here, which is going to be like your Cisco, they clearly have some issues too. So once again, Kevin endorsement, like I said, one of the reasons I choose pfSense is the platform that runs my network. Alright, thanks.