
That's why open source can never compete with business grade closed source stuff:

- they fixed the issue in 3 hours instead of making customers wait 6 months for a patch (if any)

- they did not try to sue the reporter of the issue

- they did not even tell the users to throw away the "outdated" but perfectly working devices, offering a small discount to buy new

Maybe make it clear you are being sarcastic here. English is not my native language, and my initial interpretation was that "they" in your post referred to the "business grade closed source stuff", and that OpenWRT is really a dangerous bet because they are guilty of all the things you listed.


To be fair, that initial confusion is the intended effect of OP's humor. Poe's law and all, but you did figure it out so the joke seems effective. Prefixing or suffixing with sarcasm warnings neuters the joke.


The sarcasm was abundantly clear in the first bullet point.


Did you read the article? OP was very clear that OpenWRT fixed the issue in under 3 hours.


Just why I love OpenWrt. They even ask the people that use screen readers like me to test the web interface to make sure that all is working as it should.


Whilst this is true, it looks like OpenWRT fixed the hash truncation but not the command injection.

I hope they're planning on fixing the command injection. As the blog post says, the created images are signed. Even without the signing, it's code execution from untrusted user input. And of course vulnerabilities can be strung together (just like in this hash collision case).
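The comment above ties the hash truncation to a collision, and it is worth seeing why a truncated digest is so much weaker than the full one. The following is an added illustration, not code from OpenWrt, ASU, or the advisory: it assumes a hypothetical service that identifies a build request by the first N hex characters of its SHA-256 and shows a birthday search finding two different requests that share the same truncated identifier. The request format (`profile=...;packages=` plus a counter) and the truncation lengths are constructed for the demonstration.

```python
import hashlib
import math
from typing import Dict, Optional, Tuple


def truncated_digest(request: bytes, hex_chars: int) -> str:
    """Hypothetical request identifier: SHA-256 of the request cut down to
    its first hex_chars hex characters (4 bits per character).
    Assumption for this example only; not the real service's code."""
    return hashlib.sha256(request).hexdigest()[:hex_chars]


def expected_attempts(hex_chars: int) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2**bits) random inputs are
    needed before two of them share a truncated digest."""
    bits = 4 * hex_chars
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(
    hex_chars: int,
    prefix: bytes = b"profile=x86_64;packages=luci,",  # constructed request shape
    max_attempts: int = 1 << 20,
) -> Optional[Tuple[bytes, bytes]]:
    """Generic birthday search: hash candidate requests (prefix + counter),
    remember each truncated digest, and stop at the first repeat.
    Returns the two distinct requests that collide, or None."""
    seen: Dict[str, bytes] = {}
    for i in range(max_attempts):
        candidate = prefix + str(i).encode()
        d = truncated_digest(candidate, hex_chars)
        if d in seen and seen[d] != candidate:
            return seen[d], candidate
        seen[d] = candidate
    return None


if __name__ == "__main__":
    # 6 hex characters = 24 bits: a few thousand hashes suffice.
    for hex_chars in (5, 6):
        print(f"{hex_chars} hex chars ({4 * hex_chars} bits): "
              f"~{expected_attempts(hex_chars):.0f} attempts expected")
        pair = find_collision(hex_chars)
        if pair:
            a, b = pair
            print("  collision:", a, b, "->", truncated_digest(a, hex_chars))
    # The untruncated digest is 64 hex characters; the same bound is astronomical.
    print(f"64 hex chars: ~{expected_attempts(64):.3e} attempts expected")
```

The point of the search loop is that the attacker never needs a preimage: any two requests that land on the same truncated identifier will do, so the work scales as the square root of the identifier space. Every hex character dropped from the identifier halves the attack cost twice over, and the same code with `hex_chars=64` would never finish.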


> Whilst this is true, it looks like OpenWRT fixed the hash truncation but not the command injection.

They did fix both AFAIK, the command injection fix is https://github.com/openwrt/asu/commit/deadda8097d49500260b17... (source: https://openwrt.org/advisory/2024-12-06).


Thanks for the correction and sorry for the mistake. I skimmed the changes but apparently not very well.
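To make the "code execution from untrusted user input" concrete, here is an added example that is not ASU's code or its actual fix. It assumes a hypothetical build service that receives a list of package names from the client and passes them to a build tool; `echo` stands in for the build tool so the block runs offline, and the package-name policy (`PACKAGE_RE`) is an assumption chosen for the example. The vulnerable version interpolates the names into a shell string; the hardened version validates each name against an allow-list pattern and invokes the tool with an argument vector, so the shell never parses user input.

```python
import re
import subprocess
from typing import List

# Assumed package-name policy for this example: alphanumerics, dot, underscore,
# plus and hyphen, and it may not start with a hyphen (so it cannot be read as an option).
PACKAGE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")

# Constructed attacker input: closes the quoted value and appends its own command.
MALICIOUS_PACKAGE = 'luci"; echo INJECTED >&2; echo "'


def run_vulnerable(packages: List[str]) -> subprocess.CompletedProcess:
    """Vulnerable: user-controlled names are spliced into a shell command line.
    A name containing a quote and a semicolon becomes a second command."""
    cmd = 'echo building PACKAGES="' + " ".join(packages) + '"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def is_valid_package(name: str) -> bool:
    """Allow-list check: accept only names matching the assumed policy."""
    return bool(PACKAGE_RE.match(name))


def validate_packages(packages: List[str]) -> List[str]:
    """Reject the whole request if any name fails the policy."""
    bad = [p for p in packages if not is_valid_package(p)]
    if bad:
        raise ValueError(f"invalid package name(s): {bad!r}")
    return packages


def run_hardened(packages: List[str]) -> subprocess.CompletedProcess:
    """Hardened: validated names go to the tool as one argv element,
    with no shell in between, so metacharacters are never interpreted."""
    argv = ["echo", "building", "PACKAGES=" + " ".join(validate_packages(packages))]
    return subprocess.run(argv, capture_output=True, text=True)


if __name__ == "__main__":
    r = run_vulnerable(["luci", MALICIOUS_PACKAGE])
    print("vulnerable stdout:", r.stdout.strip())
    print("vulnerable stderr:", r.stderr.strip())  # INJECTED: attacker command ran
    print("hardened:", run_hardened(["luci", "kmod-usb3"]).stdout.strip())
    try:
        run_hardened(["luci", MALICIOUS_PACKAGE])
    except ValueError as e:
        print("hardened rejected:", e)
```

Both halves of the fix matter: the argv form alone stops shell injection but would still hand a name such as `-j99` to the tool as an option, and the regex alone still leaves a shell string around for the next developer to break. Validate at the boundary, then avoid the shell entirely.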


I have a router from my ISP that I am forced to use, and it has had a few CVEs ranging from not good to really bad, most of which are years old. I can get a replacement, but it's just the same model. They don't care about security at all and don't care about patching it, even though they have exclusive access rights to the router and can remotely log in to it. It's completely ridiculous.


The one I use looks scary too. And it came by default with a dumb password too. I wouldn't be surprised if it had a few CVEs hanging too.

> I have a router from my ISP that I am forced to use...

A friend of mine impersonated the ISP router's MAC address and used Wireshark to sniff the traffic when the modem started. He then configured the ONT (which is physically inside an SFP plug, it's tiny) to establish the handshake/send the credentials.

I don't think the ISP has any idea at all :)


That's so satisfying! I want to try the same, it would make for a good blog post lol


It's a sad state of affairs, but anyone serious about security ought to consider the common ISP WiFi router to be a potentially hostile device and class it as part of the public side of the Internet. The usual advice is to put a firewall/router of your own, running your preferred software, between the ISP device and your network.


What forces you to use it? You can’t bring your own router?


Routers supplied by AT&T here in the US for their fiber gigabit service do RADIUS authentication with the carrier gateway using certs built into the device. There used to be an older version of this router that had known vulnerabilities which made extracting those certs possible but they've since been patched and those certs have been invalidated.


Note that you can still downgrade an existing gateway, extract certs[0], then bypass the device [1]. I had to do this with OPNsense to avoid the latency buildup issue, which has been ongoing for months[2].

---

0 -- https://www.dupuis.xyz/bgw210-700-root-and-certs/

1 -- https://github.com/MonkWho/pfatt

2 -- https://www.reddit.com/r/ATTFiber/comments/1eqfouo/psa_att_n...


I believe you can set those to pass-through mode and put a router/firewall behind it without any kind of double NAT. Other than some kind of MITM, you have at least minimized the likelihood of someone using it as an entry point to your network.


This only works for a handful of open source projects with corporate backing and the resources to fix these issues quickly.

For most OSS projects, the maintainers are either too overworked or just don't feel like fixing security issues.


> For most OSS projects, the maintainers are either too overworked or just don't feel like fixing security issues.

Surely you can't be serious about "most" (= a clear majority) oss projects not fixing vulnerabilities in a reasonable time frame?


Not gonna lie, you had me in the beginning.


>they did not even tell the users to throw away the "outdated" but perfectly working devices, offering a small discount to buy new

Because they simply brick the device when updating and it's easier, faster, cheaper to buy a new device than to unbrick.


Home Assistant and VLC anyone?


HA was very user-unfriendly when I last tried it ~3 years ago.

YAML was necessary and it required a lot of fiddling to make Z-Wave work. Each blind was detected as ~5 things (2 useless or no idea what for)... Checking what was position, what was power, etc. was rather annoying.

I made it work and something broke about a year later. I just replaced it with off-the-shelf stuff.


HASS configuration has gotten a lot better in the past few years. Almost everything can now be done via the UI, including automation and scripting, and it's one of the smoothest scripting GUIs I've used. It even supports cut/paste for visual blocks. And for those 5% cases, there's an inline YAML editor which will open (and validate) only the pertinent block of what I'm sure is a 1000-line YAML file for editing in-browser.

Z-Wave is still dodgy, but the migration to zwavejs has been an improvement and probably is as good as things will get with the state of Z-Wave being what it is.

It's still not perfect, but HASS has become one of my user-facing open-source success stories. Most of the remaining annoyances are out of their control at this point.
