Slashdot Mirror
Cisco Pushing 'Cloud Connect' Router Firmware, Allows Web History Tracking
Myrv writes "Reports have started popping up that Cisco is pushing out and automatically (without permission) installing their new Cloud Connect firmware on consumer routers. The new firmware removes the user's ability to login and administer the router locally. You now must configure the router using Cisco's Cloud connect service. If that wasn't bad enough, the fine print for this new service allows Cisco to track your complete internet history. Currently, it appears the only way to disable the Cloud Connect service is to unplug your router from the internet."
1. Unplug router
2. Open garbage can lid
3. Insert router
4. Close garbage can lid
5. Purchase new router
That shit? Fuck it.
Have to disconnect my router.
Their they're doing there hair.
http://www.cisco.com/web/siteassets/legal/connect_cloud_supp.html
I especially like how they get to keep your Internet history. Why do you think this is a good idea Cisco?
Your new Cloud Connect contract ...When you use the Service, we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); Internet history; how frequently you encounter errors on the Service system and other related information ("Other Information"). We use this Other Information to help us quickly and efficiently respond to inquiries and requests, and to enhance or administer our overall Service for our customers. We may also use this Other Information for traffic analysis (for example, determining when the most customers are using the Service) and to determine which features within the Service are most or least effective or useful to you. In addition, we may periodically transmit system information to our servers in order to optimize your overall experience with the Service. We may share aggregated and anonymous user experience information with service providers, contractors or other third parties to assist us with improving the Service and user experience, but any shared information will be consistent with Cisco's overall Privacy Statement and will not identify you personally in any way....
Not to mention I didn't even click-through an EULA on that router that could get them an idea they have some kind of "right".
It's MY router, I bought it. and it's not some quasi-goods digital product. This is a physical item. You want to back-door my router and install crippled firmware? I'll sign up with the class action if this is the case.
I don't want anyone *at all* to be able to update my router from the internet (or WiFi for that matter). In fact, almost every router has remote (i.e. internet) side administration disabled for obvious security reasons. Now they include the word 'cloud' and it's OK?
Hell, this isn't even cloud architecture anyway. It's just a web-based (pseudo-remote) remote administration tool. You'd think Cisco of all people would understand that.
Then I see things like this and can't help but smile at the "progress" :
Re: EA4500: weird login screen; can't login
Options
06-26-2012 05:10 PM
I found a hole... Dynamic DNS password is displayed in plain text
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
Although this is pure speculation, but I have reasonable suspicion as a former employee of Cisco, that this really plays well with law enforcement and other three letter government agencies, having the ability to track all Internet activities. That's all I have to offer on this subject. Be careful.
That's a large field. Is this just the home routers (the old linksys stuff?) I can't see them doing this on enterprise or core routers. The solution is to put it in bridge mode if it's an ADSL router and do your own NAT, etc. with a BSD/Linux box of some type. Run Zeroshell if you want a nice GUI.
Really, this is slashdot. Leave the provider installs and help desks to the punters. If you're reading this there is no reason you should be running what the ILEC initially installed.
Cisco is getting weird. On one side (enterprise) you have to pay through the nose for updates, on the other (home) you can't avoid them.
Before we get our panties all in a bunch, let's wait for some packet sniffs to see what is really going on. Just because the lawyers put it in the EULA, doesn't mean the coders wrote it.
-- I have a private email server in my basement.
* The Cloud firmware is ONLY for EA2700, EA3500, E4200v2 (not v1) and EA4500 routers. Older routers (E4200v1 or older) will not see this update. These routers shipped with information explaining that Cloud would be released this summer and update to the Cloud firmware when it was released.
* You can prevent this update by turning off "Automatic Updates" in your router. However if you didn't already do this then YES ... disconnect from the Internet before you do anything else. Then go in and turn off the Automatic Updates. Then you can reconnect. Warning: If you've already been upgraded it currently isn't possible to downgrade to the older firmware.
* If you have updated ... you CAN do -some- local router configuration without having internet access. Just go to http://routers/ LAN IP address]/ while it is disconnected and you will be prompted for the router's local password (usually this will mirror your WiFi password). You will be limited to editing the network settings (LAN, WiFi, etc) and security settings (router password, VPN, firewall, DMZ). Parental controls, Guest Access QoS and USB storage won't be accessible until you are able to log in while the router is online (you'll use your CiscoConnectCloud.com login at this point).
NOTE: If you have an EA2700, EA3500 or EA4500 that shipped with the OLDER firmware (every router out there so far, the new firmware shouldn't appear in new routers for a couple more weeks) and have not set it up yet and WANT the older firmware ... do NOT use the CD setup. Configure it using the traditional web UI while NOT connected to the Internet and turn off Automatic Updates. Again ... this is only for people who do NOT want the Cloud firmware capabilities.
* Just an FYI ... the Cisco Connect Cloud concept allows people to manage and view their home network from anywhere on the internet so long as their router has a connection to the internet. Mobile apps allow your phone to control your home network (manage guest settings, see who is online right now, etc). Additionally it enables a plugin mobile application architecture that our partners can leverage to allow remotely managed network applications. It is an entirely new direction and yes ... it has some kinks ... the biggest ones being forcing this on the user and then limiting their ability to manage their device without it being on the internet. ...
So ... I anticipate a flood of groans about all of this, and I don't disagree with a fair amount of them. Let me make some things clear:
a) Yes, I work for Cisco Linksys.
b) No, I am not speaking directly for Cisco in this post nor am I posting on their behalf (I just wanted to get some quick assistance out there to the people who read this).
c) No, I do not work for the groups (PM, Engineering) that made the decisions to do this update automatically, to not allow you to downgrade, and to not allow you access to your full configuration capability while the router is offline. Which means I can try and funnel your feedback to those groups but I can not force anyone to implement any of it.
d) While I don't like the situations mentioned above in item "c)" ... I -do- like the CiscoConnectCloud.com concept and feel that Cisco will improve it significantly over time.
e) I completely ... 100% ... recognize that the /. audience most likely prefers things like DD-WRT, Tomato, etc (though some will really like the mobile Cloud concept, I do, and I've been around the block a few times at this point). Cisco Linksys is definitely moving more towards the average consumer market instead of the tech adopter market with these products.
f) We do still sell non-Cloud routers, like the E900, E1200 and E2500
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
good comment from a user post:
No persuasian needed. Seriously. The engineer was great and you could TELL he was sincerely apologetic about the issues. I asked him about the whole incident, and he basically hinted at a little war going on within Cisco and the final decision to go ahead with updating people like this was upper management, where the lower pay grades tried hard and fought against the way they did things.
The Engineer simply sent me to a link, the one that is already listed in these threads and gave me instructions on how to revert back to the older firmware with the caveat (and he was apologetic about it - again I could tell he really was sincere) that the old firmware cant be supported. He then proceeded to give me his email address (which I wont give out, sorry) and told me to feel free to contact him with any issues I have. Very cool, very professional, and sincerely apologetic.
I asked if they were being inundated with calls, his simple reply was a sigh and "you have no idea......"
from a user called 'markdr'.
this pretty much sums up the situation, I would guess. the regular guys who write code were not for this but some idiot mgr upstream pushed for it.
I feel sorry for the real engineers there who are forced to do bullshit tasks that they KNOW will piss off their users. I hate this side of software eng. evilness of top level mgrs usually end up winning ;(
--
"It is now safe to switch off your computer."
This only affects a very small number (4) of the Linksys consumer routers and only the ones currently on the shelves. Not big Cisco routers, not Cisco SPVTG routers, not Cisco SMB routers and not even all Linksys routers.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
This is typical of the short-term thinking that is all too common among corporations today. They're throwing away their credibility with professional users – you know, the ones who buy the expensive Cisco gear that generates most of their profits – so they can grab a few quick bucks by data-mining the consumer market. How many network administrators are going to hear about this and rule out Cisco for future consideration? Keep in mind that the silent and unprompted nature of the update implies that there already was a back door into the routers, even before this recent change. And I don't think that Cisco can cleanly separate its credibility in the home and enterprise markets, even if this is what they're planning to do.
Let me explain about trust...
Help stamp out iliturcy.
It's MY router, I bought it. and it's not some quasi-goods digital product. This is a physical item.
The firmware remains the property of the company. It's software. Therefore, you don't own it. Of course, without firmware, it's useless, but I doubt you'll get many judges to sign on with the idea that you own the firmware too. Thank you copyright law.
I'll sign up with the class action if this is the case.
Your terms of service have been patched. That option was removed by v43 of SCOTUS. It was a mandatory update to legal.sys. You'll have to use the legacy mode 'civil_action' after setting has_lawyer to true and extra_money to lots. Be aware, the legacy mode is really buggy; It produces different results depending on the locale set during install. Enabling it also occasionally causes the processor and memory to jump to 100% utilization and the I/O is doggedly slow.
Hell, this isn't even cloud architecture anyway. It's just a web-based (pseudo-remote) remote administration tool. You'd think Cisco of all people would understand that.
Cisco engineers do. Cisco marketing does not. Cisco marketing sees the value of having a complete web browsing history of a substantial cross-section of the world, and has chosen to leverage that to increase profits post-SCOTUS patch, and since the CEO and the board signed a legally binding agreement to maximize profits, the engineers had no choice. You should welcome your capitalist overlords, and as a IT worker, you can help increase their efficiency as they enslave others in their salt mines.
#fuckbeta #iamslashdot #dicemustdie
So who just plugs in a firewall/router and starts using it out of the box without changing the password and checking over all the settings?
Average users.
Under the Administration / Management tab, you'll find a radio button clearly marked "Remote Management", and beneath that settings for Remote Upgrade. The day I installed it I discovered remote management was enabled by default, so I immediately set it to disabled. I remember thinking "My god, that's f*ing stupid! Who would ever want to expose router management to the wild side?" Apparently this answers my question.
This should never have been enabled by default. It's terrible security practice: the default settings should be as secure as is reasonably possible, and any loosening of those settings should have to be explicitly approved by the user/administrator. This is especially true on a consumer focused product that many users aren't going to be configuring at all.
I told my parents they should be ashamed. They first wanted to know what pwnd meant and if it involved urination. Then then wanted to know what Remote Management meant and how they get it. They looked for a radio button on the router, but couldn't find any stations they liked to listen to, and when they tried to dial the radio button, the antenna fell off.
They weren't worried about the interwebs though, as they were sure they had a floppy for it in their desk drawer...
I know exactly why Cisco did it, so they could remotely administer routers for "average users". That's not necessarily a terrible thing.
But why do they need browsing history?