Vektor Security/Privacy device thoughts?

[L&LD]

The very points you keep making over and over that this product is somehow worthy even at this point when we have no objective facts on it are the very same reasons it is 'unworthy' to me, at least at this point in time.

Just because other devices are capable of snooping, doesn't mean it is a reason to give even more devices access too, with even greater potential of damage to our privacy (which if we give them access to our internal LAN and WAN, our privacy is out the window and the notion of privacy at that point is laughable).

Just because they don't currently phone home, doesn't mean they can't start in the future. By allowing them to be installed in your home they have control of the LAN and WAN. You try to stop them from 'spying', or worse, then.

Just like the antivirus company that was caught creating viruses to prove its worth, this is just a solution with a problem waiting to happen.

 

[speedingcheetah]

They have announced planed update if they reach their stretch goal:
A few quick notes:

- This change will cost us more on the materials side of things but our team is going to eat the full cost of this upgrade.

- We need your patience, as this upgrade will add 3-4 weeks of production time to the original anticipated shipping date (May 2019). That said, we can’t think of ANYTHING that could be better than this - we’re very confident you’ll feel the same upon receiving your Vektor.

- We’ll also be able to include a new “monitor mode,” which has two main uses:

- Proximity detection: for example, you’ll be able to know that little Billy made it home from school because you’ll see that his iPhone has entered detection range (even if he is not connected to the home wifi signal!).

- Improved protection against ‘evil twin’ attacks: if someone is trying to pretend to be your wifi access point or trying to actually attack your wifi access point using a wifi protocol attack, Vektor will use one of the two chips to be a scanner for the entire wifi frequency band instead of operating as either a client or an access point.

More detailed notes for the techies among us:

- The original wifi module we had planned to use for the Vektor was the MediaTek 7668. The new plan is to create a similar (but better) dual radio system by adding an additional wifi chip.

- We already have well-tested drivers for the new chips that were developed by the team that was working on our drivers for the original MT7668 chip. We know we can push this set of two chips all the way up to the theoretical speed limit so performance should not be impacted compared to the original one chip option.

- We will also be adding an additional antenna for the new chip. While the new chips cannot operate in two modes at once, with two chips we will have no problems running as both an access point and a wifi client and will gain the ability to run one of the chips in monitor mode as an option instead of using it for wifi client mode.

 

[coxhaus]

You have to learn to trust somebody. There is no way to be on top of all aspects of networking and security. Pick your equipment wisely as you are in bed with them. Smart homes and Alexa are things we are learning as they are new with no history.

 

[sfx2000]

Some further details on encrypted/tunneled traffic.

Speaking from someone that has done time on the carrier side - pattern recognition is what is it - and DPI resources are more than what one would expect... and that's not a 3-letter agency.

 

[L&LD]

Speaking from someone that has done time on the carrier side - pattern recognition is what is it - and DPI resources are more than what one would expect... and that's not a 3-letter agency.

I don't think I'm understanding your reply here? Can you elaborate on this?

 

[sfx2000]

I don't think I'm understanding your reply here? Can you elaborate on this?

VPN traffic is very distinct in character, and the major VPN host providers are well known.

I will neither confirm nor deny that the ISP's can unroll a VPN connection, other than the technology exists, and with Law Enforcement (and similar agencies), information will be provided.

In any event - I would never trust a commercial VPN provider, as this negates the whole purpose of VPN - one must control both end-points to be safe.

TOR does provide some level of privacy... but like BlockChains and BitCoin, TOR has design vulnerability, and can be gamed by bad actors.

 

[L&LD]

VPN traffic is very distinct in character, and the major VPN host providers are well known.

I will neither confirm nor deny that the ISP's can unroll a VPN connection, other than the technology exists, and with Law Enforcement (and similar agencies), information will be provided.

In any event - I would never trust a commercial VPN provider, as this negates the whole purpose of VPN - one must control both end-points to be safe.

TOR does provide some level of privacy... but like BlockChains and BitCoin, TOR has design vulnerability, and can be gamed by bad actors.

Thank you sfx2000 for your reply. I agree with your commercial VPN provider statement 100%!

I also believe that any 'big enough' ISP can unroll a VPN connection at will (or at someone else's will).

Anyone and everyone that believes otherwise is not understanding how the internet connects from a bird's eye view. The details sometimes get in the way of the understanding.

Even when machines run the internet (and themselves!) with 'perfect privacy', there will still be someone able to tap into that illusion of 'privacy' at will.

 

[sfx2000]

t also appears to be CPU based for its tasks, no hardware offloading for routing/switching, I believe.
It has a beefy CPU though, AllWinner H5 (ARM Coretex-A53) 4 core 1.8ghz. with 2 GB ram.

AllWinner H5 is a nice little chip - one concern with the H5 is that it has a little documented OpenRISC sub-processor that has access to IO and main memory, and is transparent to linux.

http://linux-sunxi.org/AR100

Which might be a concern for someone working on Security Gateways with an SoC that originates from China.

I'm partial to the QCA and Marvell SoC solutions, and IPQ40xx kinda solves the host and WiFi solutions in a single chip (including dual band wifi).

 

[L&LD]

AllWinner H5 is a nice little chip - one concern with the H5 is that it has a little documented OpenRISC sub-processor that has access to IO and main memory, and is transparent to linux.

http://linux-sunxi.org/AR100

Which might be a concern for someone working on Security Gateways with an SoC that originates from China.

I'm partial to the QCA and Marvell SoC solutions, and IPQ40xx kinda solves the host and WiFi solutions in a single chip (including dual band wifi).

And.... there's the show stopper! There is nothing to be trusted 100% on your network. Especially 'security' devices that promise the moon.

 

[sfx2000]

More detailed notes for the techies among us:

- The original wifi module we had planned to use for the Vektor was the MediaTek 7668. The new plan is to create a similar (but better) dual radio system by adding an additional wifi chip.

- We already have well-tested drivers for the new chips that were developed by the team that was working on our drivers for the original MT7668 chip. We know we can push this set of two chips all the way up to the theoretical speed limit so performance should not be impacted compared to the original one chip option.

Part of a problem is that H5 is IO rich, but BW poor - the SDIO and USB interfaces have low BW - so putting on a WiFi chip like the MT7668 is of little benefit, as the best interface to H5 would be USB, which is USB2.0

Again, Armada 37xx is likely a better choice, as it has the right buses, and very good performance for a dual core A53.

IPQ40xx - similar, and one gets excellent WiFi performance with the QSDK (closed source) drivers, including 802.11ac Wave2 - the FOSS/community ATH10K does ok however.

The MT7668 FOSS drivers - perform ok, not the first choice, and the closed source drivers do work better.

 

[sfx2000]

And.... there's the show stopper! There is nothing to be trusted 100% on your network. Especially 'security' devices that promise the moon.

Yes and no - while I might have concerns about the HW choices, the H5 is not designed to be a comms processor like Armada 38x/37xx or IPQ40xx, it's a decent performer for applications like Set Top boxes, and is a fun processor to play with for single board computers.

The SW stack is much more important, and there, I will admit, they've done a decent job, and if they keep portability in mind with their build platform, they can extend it to better hardware choices.

 

[L&LD]

Yes and no - while I might have concerns about the HW choices, the H5 is not designed to be a comms processor like Armada 38x/37xx or IPQ40xx, it's a decent performer for applications like Set Top boxes, and is a fun processor to play with for single board computers.

The SW stack is much more important, and there, I will admit, they've done a decent job, and if they keep portability in mind with their build platform, they can extend it to better hardware choices.

I have mucho respect that with all that knowledge stuffed inside your head, you're still willing to give a non-biased answer! Thank you.

 

[sfx2000]

I have mucho respect that with all that knowledge stuffed inside your head, you're still willing to give a non-biased answer! Thank you.

It's all lessons learned the hard way - so happy to share the mistakes made