Ask Slashdot: Can Commercial Hardware Routers Be Trusted?

First time accepted submitter monkaru writes "Given reports that various vendors and encryption algorithms have been compromised. Is it still possible to trust any commercial hardware routers or is 'roll your own' the only reasonable path going forward?" What do you do nowadays, if anything, to maintain your online privacy upstream of your own computer?

No.

[deconfliction]

'nuff said.

Re:No.

[deconfliction]

actually the obvious answer is that trust is not a binary thing. Evaluate your threat models. If you want to be safe from the NSA, and you are protecting information they want to know, then yes, I would say that eschewing any technology from corporations that are easily coerced by the NSA would be a good idea. Of course, that is practically impossible. But you do what you can. And wanting a device with all source available, in a form that is easy to (perhaps modify and) compile to a verifiable equivalent of the stock firmware and operating system would be the first obvious step.

Re:No.

[sabri]

actually the obvious answer is that trust is not a binary thing.

Actually, the obvious answer is that you don't have a choice. No matter how much effort you put into it, you will always be depending on third party hard- or software that simply have to trust. So, you want to solder your own PCB? Sure, go ahead, but your Ralink SoC is still manufactured somewhere in China. Don't trust Cisco's IOS? Sure, write your own, and let me know how you designed and manufactured your own ASICs. And then we're not even discussing the fact that as soon as the packet leaves your router, it will enter one that you don't even own. Yes, there is a lot that you can do and I think the closest real answer to the poster's question is to just get an OpenWRT capable router and compile from scratch, but to not trust anyone is simply not an option.

Re:No.

[erroneus]

I was going to say that.

RSA compromised with money. Cisco compromised already documented. Juniper? I don't know but I wouldn't doubt it.

NSA, you've turned the world against the US and all its businesses. Happy yet?

Re:No.

[D-Fly]

Public key cryptography using open source tools that have been tested and retested by lots of other coders still works pretty well. The RSA backdoor you are referring to is certainly discouraging news. But on the other hand, the fact that RSA had backdoored itself was sort of understood by the community at large as far back as 2006, shortly after they issued the compromised tool. This week's news is merely confirmation. That's why PGP and its ilk, open source and made by activists, might be a better option than commercial tools by companies with a strict profit motive.

If you are really concerned about security, you might very well want to roll your own machine, and certainly should run a fresh, clean linux install off a CD every time you start up, to reduce the chances your machine is compromised.

Re:No.

[deconfliction]

es, there is a lot that you can do and I think the closest real answer to the poster's question is to just get an OpenWRT capable router and compile from scratch, but to not trust anyone is simply not an option.

I agree with you, though would optimistically add to your thoughts- "to not trust anyone is simply not an option... yet". Maybe there will come a day when a truly open source and hardware replicator will become possible. Before dismissing me completely, I imagine there would be some years where it looks like an Apple-II 3d printing another Apple-II, but it's seeming more and more possible. And then it's a bootstrapping issue from there to catch back up to modern specs. But I'd have a lot of fun with an Apple-II that I had a lot more trust in of not being infiltrated by the NSA (regardless of whether the original already was)

Re:No.

[couchslug]

"certainly should run a fresh, clean linux install off a CD every time you start up, to reduce the chances your machine is compromised."

You can also boot an .iso image from a USB or other flash as well as CD and load it entirely to RAM with no persistent home.

Knoppix (nicely polished distro) has had the "toram" option for many years as do other distros it inspired.

http://en.wikibooks.org/wiki/Knowing_Knoppix/Advanced_startup_options#Transferring_to_RAM

Re:No.

[toejam13]

If you are really concerned about security, you might very well want to roll your own machine, and certainly should run a fresh, clean linux install off a CD every time you start up, to reduce the chances your machine is compromised.

The next question is, what motherboard and network card firmwares can you trust? Running trusted code at the OS level and higher does reduce your risks, but until you can audit the code running your hardware, there is still a threat.

Obviously, one can ask if most companies are a big enough fish to worry about this. Firmware hacks are fairly sophisticated, which makes me believe that they'd mostly be used to spearfish data from specific companies. So unless there is hidden backdoor in every network card manufactured by Popular Company X, should we be worried?

Re:No.

[Jane+Q.+Public]

" But on the other hand, the fact that RSA had backdoored itself was sort of understood by the community at large as far back as 2006, shortly after they issued the compromised tool."

"Backdoored itself" is a singularly apt way to put it. But apparently they were engaged in trying to "backdoor" other people, too, which is not a victimless crime.

Personally, after their "SecureID" debacle and now this, I'm not inclined to "trust" RSA at all. Fool me once, and all that.

And the same can be said about DropBox. They promised end-to-end encryption, but instead they were "de-duping" files to save storage, which means that entirely contrary to what they told their customers, they actually had direct access to your raw files. Sure, they fixed that (so they say), and said "Sorry, we won't do it again." But how much can you trust them, considering that they blatantly lied to you before?

Re:No.

Firmware attacks can be sophisticated indeed: http://spritesmods.com/?art=hddhack&page=1

Re:No.

[erroneus]

It has been demonstrated that the intelligence agencies (plural) in the US government is the tail that wags the dog. This is historically true and more than likely true today as well. When you've got the dirt on many people, how tempting would it be to leverage that into getting your way? It's a temptation many could not avoid exploiting.

Re:No.

[tibman]

You could always just build a cpu from scratch? http://www.homebrewcpu.com/

Re:No.

[hackus]

and our enemies don't trust them either:

http://arstechnica.com/business/2013/11/cisco-attributes-part-of-lowered-earnings-to-chinas-anger-towards-nsa/

Do yourself a favor and get yourself a PC white box and start routing with a LINUX source code stack.

At least then you can pick the hardware you want to trust and you can have a choice as to how far you want your security to go into the software stack audit.

But all of this is pointless.

As I pointed out before, it is IMPOSSIBLE to build a secure system anywhere NATO or its allies are operating.

Any claim of data protection by any company in this domain is FALSE.

We now know if you refuse to turn over any encryption information or fail to give your customers or your private data to the NSA you will get butt f*cked in prison.

So it is pointless to even consider TRYING to build a secure system, it cannot be done as a goal or even as a business benefit towards your customers.

My personal opinion as I have watched my friends and other companies literally go to jail or go under due to NSA activities is this: It has nothing to do with security, it has everything to do with funding NSA mischief.

That means industrial and financial espionage operations to insure information is known ahead of the game in the financial markets.

So the entire issue is that we are dealing with just common criminals and thungs.

The NSA is not even particularly smart, but they ar elike a large gang of wolves cornering the beast we call freedom and liberty and they are going to take it down.

-Hack

Re:No.

[AmiMoJo]

If you use commodity hardware you could have two CPUs from different manufacturers and compare outputs. Back in the 80s that sort of thing was popular in critical systems. Buy a 68000 CPU from two different sources, preferably from different continents and with each being a unique design. Run the same code on both, and if their outputs don't match for some reason one is faulty. This of course assumes that both don't have identical back-doors.

Re:No.

[Thor+Ablestar]

You are right. But there IS a FPGA strong enough to program it to be a processor. And there are FPGA configs to make some popular architectures out of it, including Sun Sparc. It's quite enough for 90 per cent of jobs you make on your Intel or AMD desktop. I don't believe that it's possible to create a bugged VHDL compiler or bugged FPGA. It' too low-specialized for such task, and any mismatch between FPGA and the VHDL's idea of it will just cause a total failure.

Re:No.

[crazytrain86]

I always chuckle when people claim that being able to compile from source is helpful in securing their stuff. How many people have actually bothered to review open source anyway? It has taken until now to actually get a review of TrueCrypt, a program that almost everyone uses for encryption and open source. Along those lines, we should all switch to Gentoo and never get compromised again! *rolls eyes*

Re:No.

[Sqr(twg)]

That's why PGP and its ilk, open source and made by activists, might be a better option than commercial tools by companies with a strict profit motive.

If you were an unpaid maintainer of an open-source cryptography tool, and someone offered you $3 million (tax free) to use a specific random-number generator (with no known weaknesses) in your software, would you do it?

Re:No.

[furbyhater]

We aren't forced to use a 14nm process just because the industry giants are doing it.

Re:No.

[Miamicanes]

The problem with using a FPGA is that THEN you're buying a chip that costs more than Intel's second- or third-most expensive i7, and getting a CPU with the approximate performance of a 500MHz Pentium III.

More importantly, even if you DO build your own CPU using a FPGA, at least 95% of your VHDL is going to come from somebody else if you want to have it meaningfully working, with Ethernet and USB, before you die someday. If somebody is so paranoid about security that he doesn't think he can trust a COTS CPU from someone like Intel, what makes him think that ${government-espionage-agency} doesn't have the resources to plant exploits in the VHDL components he'd download and add?

And before someone brings up China... frankly, if my hardware is going to be pwn3d by ANY government espionage agency, I'd PREFER to have it be pwn3d by China's instead of the NSA (or some other American agency, or the agency of some obedient American vassal state). At least China doesn't have the legal authority to deprive me of my life and liberty based upon data mining for technical violations of some obscure law.

Still have to rely on the NICs

[ModernGeek]

You still have to rely on the trustworthiness of the NICs. Anything contacted to the Internet can not be trusted.

Re:Still have to rely on the NICs

[Posting Anon to preserve mods already made...]

I still have nightmares from that. We call it Intel NIC Debacle of 2013 (or sometimes just The Dark Times). Lost business and had many very angry customers because of that NIC. Kristian Kielhofner should be named some sort of geek Saint or something for finding the root of the problem.

Jesus Ad Hominem Christ! You got this close and didn't even think about naming him Saint NIC?!?

Prepare to be visited by the Ghost of Slashdot Past....

For VPNs, or for routing?

[dgatwood]

The answer depends on what you mean. As far as I'm concerned, a hardware router can probably be trusted to be a basic firewall/router. It's pretty unlikely that anyone will come up with a useful attack on a device that's just doing port blocking, NAT, and basic routing. At worst, somebody might DOS it or turn it into a well-connected zombie to aid in DDOSing somebody's server, but neither of those is compromising your data.

Now if you're passing unencrypted data across that router, you might have a problem, but then again, passing unencrypted data across any router outside your own intranet is a bad idea, so nothing new there. And if you're expecting the commercial router to provide a VPN, then the answer to whether it is trustworthy becomes "no", because its crypto implementation cannot readily be audited and verified to be trustworthy.

Re:For VPNs, or for routing?

[FlyHelicopters]

I am pretty sure if they are interested enough they will get the data one way or another.

This...

Or has no one ever heard of rubber-hose cryptography?

If all else fails, they can break in at night and steal the information locally, or simply put a gun to your head.

When it comes to computer nerds, that last option probably has a 99.99% success rate.

Re:For VPNs, or for routing?

[RR]

As far as I'm concerned, a hardware router...

There is no such thing. A device that moves data from one location to another, using some policies to examine and transform it, is not just a "hardware" device. It's also software. And if it interfaces with software, then it can be compromised. Or haven't you noticed the news about D-Link routers? A lot of these routers have 2MB or less of flash, which makes it difficult to find a useful exploit, but "difficult" doesn't mean "impossible."

It's pretty unlikely that anyone will come up with a useful attack on a device that's just doing port blocking, NAT, and basic routing. At worst, somebody might DOS it or turn it into a well-connected zombie to aid in DDOSing somebody's server, but neither of those is compromising your data.

With just a little paranoia, I can imagine someone finding a way to get those routers to copy your traffic, or at least the headers, to some hostile entity. It doesn't take full knowledge of your traffic to destroy your privacy.

A router is a type of computer. It's subject to all the same concerns about trustworthiness as any debate about proprietary and free software.

Re:For VPNs, or for routing?

[dgatwood]

There is no such thing. A device that moves data from one location to another, using some policies to examine and transform it, is not just a "hardware" device.

That's completely immaterial. A hardware router is distinguished from a software router by whether it is or is not a general-purpose computer. Hardware routers range from that little D-Link all the way up to Cisco boxes. In the most extreme designs, the hardware provides a dedicated I/O processor that performs the actual routing functions, allowing it to route data considerably faster than a general-purpose computer can.

With just a little paranoia, I can imagine someone finding a way to get those routers to copy your traffic, or at least the headers, to some hostile entity. It doesn't take full knowledge of your traffic to destroy your privacy.

I think you missed my point, which was that yes, you could do exactly what you're suggesting, but it would be just as easy to do that at any router along your data's path to its destination. As soon as the data leaves your intranet, it's like sending a postcard. You should assume that it can and will be monitored by everyone and his mother. Therefore, there is no security concern because the data in question was never secure to begin with.

How are you going to roll your own?

[kasperd]

If you replace a hardware router with a PC, you have to trust

• CPU
• Motherboard
• BIOS
• Storage device
• Storage controller
• Network interface
• Operating system

If any of the above is compromised, you are no better off than with a hardware based router.

If you by hardware router mean a device that truly forwards packets in hardware without involving any sort of CPU, then your best guarantee is the economical one. It is cheaper for the vendor to manufacture hardware without snooping capabilities than with.

How about open-source firmware?

I'm definitely in the "no" camp on this one, but how about after-market, open-source firmware? I run DD-WRT on my good ol' WRT54G, which I trust a heck of a lot more than the OEM code. How far does replacing the stock firmware go towards securing my home network?

The Wrong Question

[agwadude]

You shouldn't have to trust your upstream routers. Instead you should assume they're compromised and use end-to-end encryption. HTTPS and SSH, for example, specifically protect against active attackers such as malicious routers.

Re:The Wrong Question

[storkus]

This! Mod parent way up! The question isn't whether your [insert endpoint here] is safe, but if the intermediate points are. Even if your own router is safe, what about the one upstream? I've assumed for a long time (way before Snowden) that all electronic communications are monitored, and when you realize that, and the insane difficulty of getting around that monitoring, you kind of give up. You have to decide what is important enough to secure from a worthy (non script-kiddie) adversary and versus letting them see what kind of pr0n you like. IMHO this has been the reality for years (probably before 9/11 thanks to CALEA and friends), but it took Snowden to wake most people up to the fact.

Now securing your own machine, that's whole other level: again, how secure to do need it to be? I'm *HOPING* that keeping the browser cache clean/disabled, using Linux and FF and shutting down the browser when accessing bank account info and such is enough to keep the CC guys from getting my info; OTOH, if you're doing something that the intelligence agencies (regardless of country) is interested in, your only real hope is to use the the 100% open software/firmware like the FSF advocated, and (of course) even then there's no guarantee the hardware doesn't have a compromise or some CIA/FBI/whatever spy doesn't physically attack your machine when you're not looking (which is normal if you're actually under investigation).

As others have pointed out, its you versus agencies with BILLIONS of US$ (or equivalent) funding: you can resist, but if they really want you, you have no chance of winning: think the end of Half Life when Freeman refuses--that's what you face, proverbially.

tl;dr YOU ARE SCREWED, and your barely computer-literate family and friends have probably already been pwned and not even know it.

Re:The Wrong Question

[deconfliction]

where is my "+1:alien" moderation button...

routerpwn

http://www.routerpwn.com/

Re:It can be a good thing too

[SB9876]

Like RSA or Microsoft?

Re:It can be a good thing too

[PopeRatzo]

Remember that "commercial" can sometimes also be a guarantee that you do not get fucked: screw with your customers and that kind of company will soon be out of business.

See, that's the theory, but it can not work in practice the way things are today..

Today, you will notice that an increasing number of business models reject the notion of "I'm the seller and you're the buyer". Most of the corporations with whom you do business don't really see you as the customer any more. For example. If you use Google, are you the customer or are the advertisers? If your data is compromised, that doesn't change anything about the relationship between the seller and the buyer. Same goes for banks, and for Microsoft, Apple, and most of the big tech corporations. While they may sell products to you, they have significant income streams that are deals with the government. In the next six years, Apple computers could have almost a trillion dollars in cash-on-hand. Are they a tech company or a bank? The money they make from their intellectual property doesn't come from you. The money they make from their "strategic partnerships" doesn't come from you.

You're going to buy their products regardless, so it's a lot more important to Apple that they have a good relationship with the government than with you. Because their beneficial sweetheart tax deals could bring in as much as the profit from selling consumer electronics.

Same goes for the telecommunications industry. When you've got telecoms involved in creating content, you're no longer the customer. You're not the consumer, you are the consumable.

This new relationship circumvents every aspect of the notion of "free market", at least any "free market" that involves you. And make no mistake: this new relationship where there is a third party that inserts itself between you and the company from whom you purchase an item is the model of the future. Video gaming, food, intellectual property (of course), transportation, right on down the line. You are being cut out of the equation. There is more profit in making the government happy than there is in making you happy.

Re:It can be a good thing too

[Miletos]

NSA: Plz backdoor because terrorists. K thx bai.
Company: No! We can't lull our customers into a false sense of security. It's unethical and the stockholders will destroy us if they find out.
NSA: But, but...$10 million contract?
Company: ...I'll call you back monday.

Re:It can be a good thing too

[PopeRatzo]

Bottom line is this: there is no longer a division between the corporate world and government. They are one in the same. They rely on each other and have no reason to take you into consideration.

This makes dealing with the problem as citizens ten times harder. Because if you attack one of the heads of this snake, the head at the other end comes around to bite you. And the current setup is sweet for both corporations and government so they've got no reason to want to change it.

Would that the IETF knew

[mbone]

This is a big (and, I personally fear, unfixable) problem for the IETF and associated Internet bodies. Of course, router security is only a tiny piece of it. Given that RSA has been revealed as taking money from the NSA to weaken security protocols, who knows how deep the rot goes.

One big fight right now is in over the removal of NSA employed Chair of the Crypto Forum Research Group. There will be more.

Re:Personally, I took the consequences.

[rubycodez]

I'm afraid my cat decreased your throughput by 5%

Trust for what purpose?

[vadim_t]

For ensuring the safety of your outgoing traffic, it doesn't matter at all whether you can trust your router or not. It's just one step away from a router at your ISP, which you can't trust, and which can be assumed to be malicious.

It's a bit different for ensuring the safety of your internal network, though. If you think there might be any reason why the NSA, government or whoever might want to reach inside your personal network, then you certainly should avoid any closed solutions and keep it under as much control as possible. That router might well hiddenly allow people that know how to access your network without permission.

Router manufacturers also have been caught rewriting pages to insert ads. Here is one example of such a thing.

Not trusting vendors = you give up a lot

[davidwr]

One solution is to simply not communicate outside of a domain you trust. Go offline. I the extreme, use pen and paper to store information you don't want others to see, and if you need to share that information with others, memorize it and tell it to them in person. As a compromise, use a trusted courier. But even that requires trusting someone.

Basically, adopt the same "off the communications grid" techniques that Osama bin Laden was thought to use.

As I said, you give up a lot, and for 99+% of us, that's not going to be the best option out there. But for a few, it is.

Re:Not trusting vendors = you give up a lot

He died non-violently in December 2001 of kidney failure.

Re:X-Files

[davidwr]

Trust No One!

And I should believe you why?

You're doing it wrong.

[BitZtream]

If you're worried about a router and if you can trust it, you've already done it wrong.

Your data should have been encrypted before it let the original application if its something you care about.

It shouldn't MATTER if you can trust the router, if it does, you've already failed.

Amish

[smittyoneeach]

Actually, the obvious answer is that you don't have a choice.

There is always subsistence farming.

Re:I wouldn't

[vadim_t]

Some comments:

"Upliink"? Took me a while to notice there are two "i"s there for some bizarre reason. As a result, googling for it failed. If you're going to make up words, at least don't make them confusingly similar to normal ones.

Half a million is an awful lot of money. $430 is a lot for a router.

It's not clear at all what it does. IPv6 internet? What is that?

Sharing the connection with nearby people? Why would I want to?

Mesh networking. How is this going to scale? What performance and latency do you expect? How likely is it that two users will find one another? You need a huge amount of deployed devices for this to work, especially for ones in fixed locations.

There's some nonsense in the video about the number of people in the world without internet access. A $430 device sold in first world countries won't do anything to address that.

It's an enormous mish-mash of things. Android, mesh networking, some nebulous IPv6 internet, a web browser, an API for I don't know what... seriously, I'm well versed in tech, but I have no clue what is all this about. And that is a bad sign.

TL;DR: it's unclear what it does, why would I want to participate, and it's very expensive. Why aren't you developing alternative firmware for cheap wifi routers, for instance?

What airgap?

[Skewray]

It doesn't matter. Either there's an airgap, where nothing can get out regardless, so it doesn't matter, or their's a hop along the path you don't control so the security of your device doesn't matter.

If you have an Intel processor, then there is already a radio backdoor built in. See http://www.intel.com/content/www/us/en/enterprise-security/what-is-vpro-technology-video.html

It's not just the hardware, it's the algorithms

[Mr.+Protocol]

All the crypto software I've looked into depends on big internal arrays of special numbers to do its work. If those numbers are compromised (which is what NSA contracted RSA to do, basically), then the whole end-to-end crypto channel is compromised.

And that's the problem. You can build an open-source hardware router with open-source software, to keep the possibility of hardware backdoors to a minimum, but if the basic crypto algorithm you use has been compromised from the get-go, none of it matters. I think that's going to be the next really difficult intellectual load to lift: vetting ALL of the current crypto algorithms in use today to make sure the algorithms don't have built-in compromises. Since that vetting has to be done by crypto experts, not just software engineers, that pushes the trust back up one step: which crypto experts do you trust?

And they ARE compromised.

[Ungrounded+Lightning]

Modern laptops and desktops come with remote administration tools built into the chips on the board. (The vendors tout this as a feature, simplifying administration of a large company's workstations. It's easier and cheaper to build it into everything than to be selective, so it's in the machines sold to individuals, too.)

One example: Intel Active Management Technology (AMT) and its standard Intelligent Platform Management Interface (IPMI), the latter standardized in 1998 and supported by "over 200 hardware vendors". This is built into the northbridge (or, in early models, the Ethernet) chip).

Just TRY to get a "modern laptop" (or desktop), using an Intel chipset, without this feature. (I suspect the old Thinkpad is how far back they had to go to avoid it.)

You can't disable it: Dumping the credentials or reverting to factory settings just makes it think it hasn't been configured yet and accept the first connection (ethernet or WiFi, whether powered up or down) claiming to be the new owner's sysadmins.

If the NSA doesn't know how to use this to spy on, or take over, a target computer, they aren't doing their jobs.

Some of the things this can do (from the Wikipedia articles - see them for the footnotes):

Hardware-based AMT features include:

Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.
Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
Remote power up / power down / power cycle through encrypted WOL.
Remote boot, via integrated device electronics redirect (IDE-R).
Console redirection, via serial over LAN (SOL).
Keyboard, video, mouse (KVM) over network.
Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.
Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.
Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; you can specify that the event generate an alert.
OOB alerting.
Persistent event log, stored in protected memory (not on the hard drive).
Access (preboot) the PC's universal unique identifier (UUID).
Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
Access (preboot) to third-party data store (TPDS), a protected memory area that software vendors can use, in which to version information, .DAT files, and other information

Alternatives to being spied on?

[unixisc]

If you wish to skirt the NSA, get your router from Huawei, and let the Chinese spy on you instead. If you don't want the Chinese to spy, get something from the usual NSA contributors. Or see if there's anything made in Russia or any country that's totally independent of the US.

How easy is it to get a standard router from Cisco or Juniper, and replace IOS or JunOS w/ something like pFsense, m0n0wall or OpenWRT?

While at it, switch to IPv6, and within a group of people, share a /64 subnet so that even if the NSA spies, they'll find it impossible to source the original source/destination, particularly if dynamic IPs are used.

Want to be 100% safe? Then forget the Internet.

[kheldan]

The only way to obtain 100% safety from being hacked by a government agency, as well as anyone else, is to place an air gap between your system(s) and the public Internet. Think of it like trying to protect your house from burglars breaking in: The best you can do is slow them down. Given enough time, skill, and resources, any burglar can defeat any security arrangement in any house. Same goes for your computers. Therefore there is an implied level of risk involved if you wish to continue using the internet, and if you cannot accept that risk, even after taking reasonable precautions against your system(s) being compromised by whoever might wish to, then you must re-evaluate whether or not it's worth it to you to continue using the internet at all. Now, some people are going to flame me for saying this, because they're convinced that life cannot continue without internet access, but that's simply not true, just ask anyone who was an adult about 25 years ago how they managed to get along without the World Wide Web (hint: they got along just fine without it).

Re:X-Files

[currently_awake]

I don't recognize your sig quote, but the math is wrong. 6x9=54.

No, don't go offline !

[Taco+Cowboy]

Go offline.

If you do that they win !

Internet is a threat to them. Internet is the one thing that can expose their evil deeds.

If there was no Internet, Edward Snowden's revelation will never get known to many of us.

The obvious answer is FPGA routers, made with fully open-sourced VHDL files.