Is the recent XZ backdoor (and something that had to do with SSH too) anything to worry about in terms of the probability of there being a backdoor even in open source router software?
Not trying to dissuade anyone here, I love open source software, I’m just wondering how much effort is reasonable to be put into securing your local network (i.e. buying your own router, also installing open source software, or writing your own router software if you don’t trust existing solutions) given that not everyone is tech savvy and you get diminishing returns for every additional security measure. And when is the usual point at which you would say “okay, this is secure enough”?
My router is not from an ISP, but it does get frequent firmware updates and I don’t use any cloud management features, only local configuration.
I mean, the ISP-provided boxes don’t give you a way to upgrade past that faster than you would on an open distribution. The latter had fixes out within a week, or just weren’t affected. And it’s also way easier to check the deps on open firmware/OSes.
Is the recent XZ backdoor (and something that had to do with SSH too) anything to worry about in terms of the probability of there being a backdoor even in open source router software?
Not trying to dissuade anyone here, I love open source software, I’m just wondering how much effort is reasonable to be put into securing your local network (i.e. buying your own router, also installing open source software, or writing your own router software if you don’t trust existing solutions) given that not everyone is tech savvy and you get diminishing returns for every additional security measure. And when is the usual point at which you would say “okay, this is secure enough”?
My router is not from an ISP, but it does get frequent firmware updates and I don’t use any cloud management features, only local configuration.
I mean, the ISP-provided boxes don’t give you a way to upgrade past that faster than you would on an open distribution. The latter had fixes out within a week, or just weren’t affected. And it’s also way easier to check the deps on open firmware/OSes.