January 2016

The Still Sad and Deplorable State of Internet Security

I came across an article my colleague Stephen Kent and I wrote in 2003, The Sad and Deplorable State of Internet Security, and was struck once again by how little progress we've made on issues we were lamenting over a decade ago.

The issues that most concerned us in 2003 were:

Insecure Architectures. In 2003, we said that security problems frequently arise due to "time-to-market priorities, inadequate security understanding by product architects and the (perceived) conflict between ease of use and security."

Lack of User Awareness or complacency. In 2003, we said "Many non-technical users are entirely unaware that their systems are easily exploited and their sensitive data are left vulnerable..."

Persistently lame authentication. In 2003, we described password authentication as "fundamentally flawed".

Poor Software Engineering and Sloppy Management. We lamented the slow or non-existent adoption of secure coding practices and a persistent inability to configure software and computers rigorously and securely.

Have we shown substantive progress in mitigating any of these issues? I think we can say "some progress" in some areas; for example, we do see more adoption of two-factor authentication. This success is arguably a derivative benefit of mobility: more users have a device that can host a second-factor method, but I'll take a win. We can also claim progress in user awareness. Consumer-focused projects like STOP.THINK.CONNECT. have global reach and impact. SANS' Securing the Human project is spot on and I'm encouraged by the number and variety of organizations that are participating.

But we remain mired in a security mentality that masks rather than mitigates architectural, software or hardware shortcomings with "protection" software. We are on the verge of adopting an Internet of Things, and I see little evidence that we won't rush to market with whatever is available and cheap rather than what is innovative and developed with secure practices.

We are still locked in a "what will sell" mindset. Given the potentially globally disruptive effect that the Internet of Things suggests, isn't it time we think "what will serve, securely"?

You can read the full text of the article in the frame below, or download Sad and Deplorable State of Internet Security (pdf).

How to Turn a NEXX WT3020 Router into a Tor Router

My colleagues Sandro Rosetti and Paolo Dal Checco introduced me to a tiny, inexpensive wireless router and shared a post that explains how to install Tor on it. Operating anonymously is ideal for conducting investigations, so I bought a NEXX WT3020F, visited the post, and followed the installation. The NEXX is one of many tiny routers to choose from for investigating from home, the office, or on the road, and most can support WiFi, Ethernet and even 3G/4G.

Unfortunately, like many posts (including some of mine, I'm sure), the instructions included broken external hyperlinks and mistyped scripts. Fortunately, by reading comments from folks who'd run into similar problems and by consulting with Sandro and Paolo, I was able to get my OnionWRT up and running.

Here's a chronology of how I did this on 13 January 2016. As of this date, the links here work. Your future mileage may vary.

Assumptions and Caveats

You must purchase a NEXX model that has 8 MB RAM. The simplest installation choice for me was to power the WT3020 through a laptop USB, connect the laptop to the WT3020 LAN port using Ethernet, and to connect WT3020 WAN port to my switch/firewall. To do as I did, open a browser window and connect to the NEXX Web interface at and configure for Internet connectivity using the Home and Work option. (Note: I had limited success using the WiFi repeater alternative. My Internet connection kept dropping.)

Important. I am not aware of any effort to confirm that the router hasn't been back-doored. If you know of one, please share. I've elected to use it, but I use it with eyes wide open.

Install openWRT

Once you have an Internet connection, telnet to the WT3020 at using the default Nexx account credentials I show here. I've copied the commands I used and the output from the scripts below:

$ telnet
Connected to
Escape character is '^]'.

(none) login: nexxadmin
Password: y1n2inc.com0755

BusyBox v1.12.1 (2015-02-05 18:04:51 HKT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cd /tmp
# wget
Connecting to (
openwrt-15.05-ramips 100% |*******************************| 3328k 00:00:00 ETA
# mtd_write -r write openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin mtd3
Unlocking mtd3 ...
Writing from openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin to mtd3 ... [e]

Warning. Your Nexx may force close telnet. Don't panic. Reboot via a power cycle.

At this point, you should be running the openWRT software. Note that openWRT assigns the IP address to the internal LAN port. This is different from what NEXX assigns. If you're still able to connect to, something went awry: lather, rinse, repeat.

Install OnionWRT

Telnet to openWRT and change the root password:

$ telnet
Connected to openwrt.lan.
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH

BusyBox v1.23.2 (2015-07-25 03:03:02 CEST) built-in shell (ash)

CHAOS CALMER (15.05, r46767)
* 1 1/2 oz Gin Shake with a glassful
* 1/4 oz Triple Sec of broken ice and pour
* 3/4 oz Lime Juice unstrained into a goblet.
* 1 1/2 oz Orange Juice
* 1 tsp. Grenadine Syrup
root@OpenWrt:/# passwd
Changing password for root
New password: 
Retype password: 
Password for root changed by root

At this point openWRT blocks telnet. You can configure SSH if you haven't logged out (TL;DR and logged out? openWRT warned you... learn to read). You can also use the web interface, LuCI.

Configure your Internet connection via LuCI. Take a moment to admire how superior this interface is compared to the original software.

You'll want to install the OnionWRT software. Kudos to Paolo's students, who posted a link to a working script at

The page is in Italian but simply search for "onionwrt", use Google translate, or learn Italian:-)

At your root prompt enter the following wget command. I've again illustrated the script output below:

root@OpenWrt:/# wget -qO - | sh -
Installing tor ( to root...
Installing libevent2 (2.0.22-1) to root...
Installing libopenssl (1.0.2e-1) to root...
Installing zlib (1.2.8-1) to root...
Installing libpthread ( to root...
Installing librt ( to root...
Configuring libpthread.
Configuring libevent2.
Configuring librt.
Configuring zlib.
Configuring libopenssl.
Configuring tor.
Warning: Unable to locate ipset utility, disabling ipset support
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Flushing conntrack table ...
Warning: Unable to locate ipset utility, disabling ipset support
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule #7
* Rule #8
* Forward 'lan' -> 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 raw table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule #7
* Rule #8
* Forward 'lan' -> 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 raw table
* Zone 'lan'
* Zone 'wan'
* Flushing conntrack table ...
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
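Two of the steps above execute content fetched straight off the network: the sysupgrade image written with mtd_write in the "Install openWRT" section, and the OnionWRT install script piped from wget into sh just above. Since the post itself notes that external links and scripts drift over time, a practical check before flashing or executing is to download to a file, compare its SHA-256 against a value obtained from a source you trust (the project's release page, or a colleague who has already run it), and only then proceed. The script below is an added example written for this page; it is not part of the original post, nor OnionWRT's or OpenWrt's own tooling. The SCRIPT_URL and EXPECTED_SHA256 values are placeholders you must fill in yourself, and a matching hash only confirms you received the bytes you expected; it says nothing about whether the router's own firmware is trustworthy.

```shell
#!/bin/sh
# Added example (not from the original post or the OnionWRT project):
# download-to-file, SHA-256 check, then run. Replaces "wget -qO - <URL> | sh -".
# ASSUMPTIONS: SCRIPT_URL and EXPECTED_SHA256 are placeholders; obtain the
# real hash out of band, never from the same page you fetch the script from.

SCRIPT_URL="https://EXAMPLE.invalid/onionwrt-install.sh"   # placeholder URL
EXPECTED_SHA256="REPLACE_WITH_HASH_FROM_A_TRUSTED_SOURCE"     # placeholder hash

# sha256_of FILE -> prints the hex digest; uses coreutils sha256sum when
# present (BusyBox on OpenWrt ships it), falling back to shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_only FILE EXPECTED -> returns 0 if the digest matches, 1 otherwise.
# Use this on the sysupgrade .bin before mtd_write; it executes nothing.
verify_only() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# verify_and_run FILE EXPECTED -> runs FILE with sh only when the digest
# matches; on mismatch it returns 1 without executing anything.
verify_and_run() {
    verify_only "$1" "$2" || return 1
    sh "$1"
}

# fetch_and_run URL EXPECTED -> download to a temp file, verify, run, clean up.
fetch_and_run() {
    tmp=$(mktemp) || return 1
    if ! wget -qO "$tmp" "$1"; then
        echo "download failed: $1" >&2
        rm -f "$tmp"
        return 1
    fi
    verify_and_run "$tmp" "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

On the router, `fetch_and_run "$SCRIPT_URL" "$EXPECTED_SHA256"` stands in for the one-liner, and `verify_only openwrt-15.05-ramips-mt7620-wt3020-8M-squashfs-sysupgrade.bin <hash>` is the same check applied to the firmware image before `mtd_write`. The split into verify_only and verify_and_run is deliberate: the flashing step should never execute the artifact, only confirm it.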

You're done. Confirm that you're on the Tor network by visiting

I take no credit for any of the brilliance here. I have really smart friends.

I will also take no abuse for broken external links, but if you find one on this page, contact me.