High-Security, Open-Source Router is a Hit on Indiegogo (Video)
This is not only an open-source project, but non-profit as well. A big motive for it is heightened security, as the interview (and transcript) make clear. It's also apparent that the hardware here is overkill for a router; it can run a complete Linux distro, no problem, so it can function as a server, not just as a router. Interested? You might want to put a reservation in soon. This isn't the cheapest router (or even server) out there, but a lot of people obviously think a Turris Omnia, with its crypto security, automatic updates, and server functions would be nice to have.
Timothy Lord for Slashdot: So Ondřej, if you could start by just introducing yourself and give us a little bit of background about your role with this project?
Ondřej Filip: Okay. So my name is Ondřej Filip. I’m CEO of CZ.NIC which is quite a strange company in some sense because we're public domain in the Czech Republic. More than half of our company is a huge R&D department. We do a lot of open source, mainly software stuff. For example, I am the original author of routing daemon BIRD, which is going to run in more than two thirds of Internet Exchange Points in the world. So it’s quite huge software. And we started this hardware project, it started like two years ago and we want to do some security project and because there was no suitable hardware for it, we built it. And then we realized that there was public demand outside Czech Republic for that, so that’s why we decided to make a new version, new generation of the device. So that’s how this started.
Slashdot: Could you start talking a little bit about the name of this project and what’s the significance of the name?
Ondřej Filip: Yeah. Since there was security research project, the original idea was to create 1,000 of those boxes and spread them around and give it to people in the Czech Republic, I’d say for free. It was technically for at least for one crown a year, which is less than a dollar. And we were collecting security information from those devices and then the overall – sorry I apologize for that.
Slashdot: No, that’s fine, just if you want to start at any point.
Ondřej Filip: So the original idea was to create 1,000 boxes and give them to people inside the Czech Republic like home routers and then collect some security information from those devices making some analyses and then creating some grey lists, some black lists and try to track some botnets and stuff like that. So that was the original idea. And because it was meant as a protection of people, that's why we chose the Latin name Turris, which means the tower actually. And that’s how the project started. And when we came with this new version, it was actually original name Turris Lite because we thought it's a lighter version of the previous generation, but at the end of the day unfortunately or fortunately the hardware is much stronger than the previous version and it has certifications, it’s more advanced, so that's why we realized that probably the word Lite is not appropriate for that. So we chose again a Latin name Omnia, which means like every single stuff like that.
Slashdot: Let's talk about a little bit since you mentioned the security aspects and how important this is to be sort of a protective device for networks. It has some built in capabilities that other routers don't typically have, in particular, for instance can you talk about the crypto chip that it has by default?
Ondřej Filip: Yeah. That is one important thing, because we are afraid that the current routers that are on the market has one weakness and that's mainly the firmware update. There’s not many routers that updates automatically or instantly. And that was one of the thing we wanted to concentrate or rather updates instantly. Whenever there's some security issue, we fix it in days if not hours. And all the well known attacks like Heartbleed for example they are fixed very, very quickly on this router. So the thing is that we wanted to have a secure channel from the router to do updating server and also you know some secure channel for submitting the security information we were collecting. So that's why there's a crypto chip that has some key material. That was for the old project. In Turris Omnia of course because it will not be given for free, it's just an optional thing you can reuse for any of your project. You can store key material there. So you can use it for some BPM things and transferring some files or whatever we want. And also it can be used if you want to receive all updates with this hardware again.
Slashdot: The other thing about this hardware is I have to say as a router it seems like you have included some overkill. You've got let’s say 4 gigs of flash. That's quite a bit for a router. What do you anticipate people will actually use that kind of space?
Ondřej Filip: Well, look at it rather from a different angle. It's the only device in your house that runs 24 hours, maybe except fridge, that we probably will agree that we don't have much smart fridges in our house, right. So this is the only device that runs. And what it does for you, just we’re running packets. What it does when you sleep? Nothing basically. So the idea was let's make it more flexible. That's why there's an open source operating system on top of it. And that's why we put some storage because we expect that you will install some system application. And with the first generation of Turris many of the participants of the project are doing really funny stuff. They are making sound server for the bathroom. They were doing like DVB-T recorder and also making a precise time quotes and stuff like that. So we know it's a very robust device and of course obviously it can be an NAS server like for file sharing and storing your photographs and videos. So that's why we put enough memory, enough CPU power, not just forward gigabit of traffic, but also for doing other stuff like the activities I have mentioned.
Slashdot: Now you have actually a sample of the hardware that's in front of you now. Can you show us a little bit both of the industrial design? What does the case look like and what are the external features that we see?
Ondřej Filip: Okay. So this is the board. This is the size of the board. Then it has six Ethernet ports, one is metallic and also SFP cage, so you can also use like an optic model into that. It has two USB 3.0 ports. It has three mini PCI express slots, two of them will be occupied by Wi-Fi, we expect that the device will serve like 5 gigahertz and 2.4 gigahertz Wi-Fi. That is upgradable for the future. That is going to be some new standard also, some improvement of the Wi-Fi standard. It has battery backup RTC clock because the precise time is important for this device. There’s also those very, very funny RGB LEDs. There is more than we need actually for the router, because many people in the previous generation of router used those LED diodes for signaling some stuff, for example, I don't know, you have an appointment or there’s something wrong you should look at and stuff like that.
So that's why there are some of them or all of them are actually customizable, but two of them are just really just for your fun. They don’t have any purpose at this moment. That's probably all those connections. It has ARMADA 385. So very powerful ARM based chip from Marvell. And inside there’s a switch chip and there’s one good thing for the network geeks. This switch chip is connected by 2 gigabit lines to CPU and one port that is one that has a metallic and SFP option is connected also by single line. So basically you have enough capacity for 1 gigabit. And you can for example do some ____8:04 or stuff like that if you want to play with your network. And you have, as I said, two separate gigabit lines to your LAN ports actually. And it has some flash for booting and as you mentioned, the 4 gigabytes of other flash for storing the operating system. And also the plan is not just on the all operating system based on OpenWrt but also you can run some of your custom operating system, for example Debian infotainer. So the idea is that you take care of the base operating system so it's going to be up to date. And you can use your container for anything you want and we want to be able to touch it and you can run some of your custom application on it.
Slashdot: And that's what you referred to as a virtual server functionality?
Ondřej Filip: That's what we meant by that, yeah.
Slashdot: Okay. Can you talk a little bit about what it's like to be making essentially not a start-up certainly, because it's part of a larger group, but it seems like a start-up project. What is it like to be doing that in the Czech Republic? Is it a friendly environment for that sort of activity?
Ondřej Filip: Well, originally we were a little bit afraid of it, but surprisingly it's quite beautiful, I mean there’s quite a lot of companies that are involved in that. So that means it's quite easy for example to make a prototype here because there are companies making PCB and putting all the stuff on it and so that was not a complicated thing. It's a little bit more expensive. We are inside Europe ____9:28, so we cannot be as cheap as the companies in Southeast Asia, but it works very well, especially for small series like 1,000 pieces that we’re working on. It's probably a little bit different when you want to create huge series like 100,000s but we are not at this point yet, so that’s another question.
Slashdot: How many people have been involved with using the generations of Turris, so far?
Ondřej Filip: Well, you mean the end users?
Slashdot: That's right.
Ondřej Filip: Yeah. So we created 1,000 pieces and then for next year – it was last year actually, we created another batch of 1,000. So, currently there is 2,000 pieces somewhere in the road, but 95% of them are in the Czech Republic.
Slashdot: Okay. Do you see any huge advantage to someone taking this router, add some additional hardware, but most of the benefits, is there anything unique to this router that you don't get by running OpenWrt on other hardware? Is it primarily the crypto chip? Is it just that it's a very high end networking? What is the best thing you could tell someone who says, “I already have a router right now, why should I change?”
Ondřej Filip: Maybe, we should call it a server. It’s not just a router. It has capacity to run normal Linux distribution. So, you can run your web server or anything like that. So, it's more universal device than just a router. Then I think the network capacities, I think, it’s non-standard, it's better than usually, especially in the sphere of the home routers. And also the extensions, we have three PCI Express slots, so you can use it for anything. You can use it for OT backup if you really kind of survive any problem in your network and you have to be connected to every second. Or you can put the SSD disk and you can run this as a quite good mask, quite reasonable mask. And also we have some extension connector, like SPI, IC, this can be extended. So, you can put some custom hardware. We were discussing with some local companies that are working in IoT field because this router would be perfect base for the central point for your smart homes, so that's the plan but there is nothing at the table at this moment.
Slashdot: Okay. This seems like it should appeal to a lot of hardware hackers. Will people be able to buy it without a case? Can you just buy the board, so you could then integrate it into your own shape?
Ondřej Filip: Yeah, exactly. We just plan to launch an Indiegogo campaign because we would like to see if there's a demand for the device. And you can buy just a single board. The plan is that we will be shipping those devices by April next year. So, actually that’s like I can see that there will be nothing else, no boxing, nothing else. You need to find your own power source and your books, so whatever you want. And the other option will be to buy the complete router, which will be roughly like that. It's just a plastic prototype. So, it might change slightly, but that's the idea, at least you can see the size and this is the original plan. And with that box, you will have like two Wi-Fi accounts included, power source and everything else around.
Slashdot: Can you talk a little bit about your Indiegogo campaign? The money you raise with that? What will that go toward?
Ondřej Filip: So, as I said, the main purpose of this campaign is to see if there's a demand for the product. We don't want to spend money, manufacturing the product that nobody will actually buy, so it doesn't make sense. And it's even more complicated as everything is open source. Everything is open source software and open source hardware. So, after some period, anybody can prepare it. So, that’s why this will give us a little bit advantage that we will create a batch that we will be sure that we will be sure that we are able to sell. So, the goal is to raise like US$100,000 and the products in this campaign are the routers and the boards, of course.
Slashdot: One thing that seems different about this campaign versus some crowd-funding campaigns is you're actually using this day to day. This is an existing product.
Ondřej Filip: Well, the previous version, it's run day to day, but the new version it's just in prototype, but it's fully functional prototype. Actually, we are very sure that we can make it, there shouldn’t be any hidden problems because we went this way at least twice before, so we absolutely know that we will be able to make it. The main reason is, despite all this, there's a demand for that, yeah.
Slashdot: Okay. Well, Ondřej, I think this has been a good talk. What else should I be asking you about?
Ondřej Filip: Well, maybe why we do that actually?
Slashdot: Okay.
Ondřej Filip: Because many people ask me why we do it. Actually everything open source and why we do that and it's quite strange thing because not many companies are doing it. Everybody who is doing some hardware has some plans, some tries to hide the designs. Even Raspberry Pi is not fully open source. You don't get the production plans, which unless it's something different Turris you can just download it if you wish. The plan was to make something, some universal device, and also the plan was to help the community because that's the main mission of the organization. We do a lot of open source software, which is really run in important places of Internet. Another example, it's not DNS, or DNS server which is run by root servers like DNS root servers, so the key servers, that the Internet rely on.
And this is another project that fits in that mission. We would like to make the Internet secure, safer and better. So, that's why it's open source, so you can verify that there is nothing hidden and it doesn't report to anybody you don't want to. And also you can build some new solution on top of it and you can extend it, you can play with that. We would like to give this device to people that would like to play with networking, make it like an educational device, simply bring more people to networking and technology related to that.
Slashdot: Is there a pricing that's set or expected right now?
Ondřej Filip: Oh, yeah. The price of the board will be $99 plus some shipping and I apologize we will ship it from Europe, so the shipping will be added to that, and the price of the board, the delivered price will be about $179.
Slashdot: Okay. And again you said if someone gets the bare board, they just need to supply power supply in their own case, it's otherwise a functional piece of hardware.
Ondřej Filip: And probably cooling but otherwise it's fully functional piece of hardware.
Slashdot: Okay, alright. Hey, I think that's actually not a bad price at all. I wasn't sure what you're going to say on how much this is going to cost, interesting.
Ondřej Filip: Yeah. Again, we don't want to make a profit on this. This is more let’s say a project for the good of the Internet. So, there is almost no margin on this product, it's really just to help the people around.
Slashdot: But again, like you say, since it's open source, someone could take the design extend it and sell their own version. So, if you put out a version like this, then the same hardware can go quite a few places.
Ondřej Filip: Yeah, and we will be happy, and of course, we hope we will make another version soon, so if someone will take it, I hope we will still have some relevance into this.
Slashdot: Okay, can you talk a little bit about the licensing? I mean, it is open source, but can you talk a little bit about what licenses, different aspects are under? For instance, if you really think hardware designs, are they under Creative Commons license or what sort of licensing?
Ondřej Filip: It's a good thing and since I'm more software guy, I have to look at our pages, I apologize because I don't remember exactly the name of the license. I need a few seconds, I apologize for that.
Slashdot: Sure, not at all.
Ondřej Filip: I can get the name of the license, basically everything we do in software is GPL. And its license is slightly different, I forgot the name, something with E at the beginning.
Slashdot: Oh, we can always look at that up later, so don’t worry too much about that.
Ondřej Filip: I got it. No, pardon, I don’t know. Oh yeah, it is CERN Open Hardware License.
Slashdot: Oh, okay. I've not heard of that, so that sounds like an interesting thing for me to look up, great.
Ondřej Filip: But I hope this guy was smart enough to design good license for that.
Slashdot: CERN have pretty smart guys. That seems like a fair bet.
Ondřej Filip: Okay.
Slashdot: Well, Ondřej, this has been great conversation as far as I'm concerned. Just, again, at this point is there anything else, any other topics you think we should touch on here?
Ondřej Filip: I hope no, I think it's enough for the people to have a good picture of the project, and hopefully they will help us to support it, yeah.
Re: (Score:2)
You parallel my own thoughts. There have been a large number of "secure" router projects funded on indiegogo and kickstarter, but most (all?) proved to be laughably bad in that regard under competent close examination.
Re: (Score:2)
The Dude is a bit of proprietary Mikrotik software.. IIRC for router management and discovery?
automatic updates ... lifetime of the device (Score:1)
Or the company whichever goes up (or just fucks off for something better to do) in smoke first.
Re:automatic updates ... lifetime of the device (Score:4, Informative)
Err... I just ran HTOP a minute ago to see what was spiking a CPU core. I snapped a screen shot with Shutter just to make a record of it. I stored it on an ext4 formatted disk drive. I used inxi -Fxz to check some specs a little while before that. Slurm is giving me a nice display of my network activity. Leafpad is open with my notes. Terminator stands idle awaiting my command.
Nope, you're right, in practice that doesn't happen. None of that open source code is ever maintained and nobody ever puts any work into helping the community. Those old hacked wifi drivers that didn't initially work? Those were written by underpants gnomes or magic - I don't know which. They keep updating those realtek drivers to work with the newer versions and that hardware is still useful. Hell, I just clone git and use a little make magic and I'm good to go. But no, you're right! It never, ever, happens.
IPv6 support (Score:2)
Is this router based on Linux, or one of the BSDs? How good is its IPv6 support, and does it have any IPv6 specific security features, such as not automatically assigning IP addresses to anything that may just be loitering about in the vicinity of the network?
What exactly is the hardware that this router is based on? Maybe it's not the cheapest, but I'd like to get an idea about whether the firepower of this router is worth it.
Re: (Score:2)
Reading's not your strong suit, is it? No wonder you believe the bizarre things you post on Slashdot. It all makes sense now.
Re:IPv6 support (Score:4, Informative)
Is this router based on Linux, or one of the BSDs?
OpenWRT based per the project's site, which should answer a number of your questions, albeit not all of them. I'm curious for more details as well.
Re: (Score:2)
I didn't see any mention of this being a wireless router, so I'd expect the simplest way of not having random devices connect to it would be to not plug a cable into the router.
Waste of time and effort (Score:5, Insightful)
If you want a secure router just use pfsense.
Re: (Score:3)
Why would you assume you can only run pfsense on x86? Besides, if you have a successful FreeBSD hack you could make yourself famous by sharing it now. What processor you run has very little impact on security.
https://www.freebsd.org/platfo... [freebsd.org]
Re: (Score:2)
You're bordering on insane! I like that. I'm gonna help you out. See, the same is true with an ARM CPU as well. What? You say!!! No way! They will let you view the source. True. That doesn't mean there's no other source that is purposefully kept hidden.
I think, if you want to be safe - safe enough to be this paranoid without being hypocritical, you should absolutely turn off your computer and stop using the internet. It's the only way to be sure! You're just asking to be hacked by using an ARM CPU that's pr
Re: (Score:2)
Right, because running the same code compiled for ARM or similar processors is any more secure?
Re: (Score:2)
I get the idea that the project makes all of this pretty straight forward for less technically inclined users. Not totally clueless maybe but not elite hackers such as yourself. Sure, if you have the skills you can roll your own set up. This just gives you everything you need in a nice package. Not for everyone for sure.
Re: (Score:3)
There aren't any turn-key devices that run OpenWRT out of the box. There are some Buffalo devices that run DD-WRT, but that's not the same thing at all. DD-WRT's approach to security and updates is even worse than some router manufacturers.
Also, I did buy a Buffalo router [newegg.com] with DD-WRT and Atheros chipset (so it would have open-source drivers), expressly so I could wipe DD-WRT and install OpenWRT. What I discovered is that customizing a router means lots of research, which you have to do again and again when
Re: (Score:1)
I sometimes think that those that make the loudest complaints are those who've never actually done it and have no intention of ever doing so. Well, they may be fooling themselves and telling themselves that they're capable and that they'll get to it someday. But, the people who bleat the loudest aren't actually the target market and don't actually know what they're talking about. Instead, they once read a post where someone described something similar and they've extrapolated and concluded they're capable o
Re: (Score:2)
I'm a long time OpenWRT user and have been running it on 3 or 4 devices over the years. Admittedly it has been a few months since I have checked out the router hardware market, but last time I checked, you couldn't get comparable hardware specs to this (1.6GHz dual-core ARM, 4GB flash, 1GB RAM, gigabit on all ports, USB3, SATA) for anything close to $95 (half of the cost of this router). I'm doubtful you can get that today for even the full asking price of $189 although I'd be pleased to hear otherwise.
Re: (Score:2)
> Agree. I also wonder what about this project makes it more attractive than picking up a $59 Asus router and throwing open-wrt on it.
wrt is still very limited. Want multiple WAN IPs? Command line. You may as well just run Linux on a cheap box from goodwill at that point.
Re: Waste of time and effort (Score:2)
I also wonder what about this project makes it more attractive than picking up a $59 Asus router and throwing open-wrt on it.
All the Asus routers I've looked at use Broadcom SoCs, which means closed source drivers and pathetic performance in OpenWRT. Also, for $59, you're not getting 802.11ac, plenty of RAM and storage for other tasks, or even enough processing power to route more than double digit Mbps (except maybe with hardware acceleration and no security).
And what does that cost for gigabit routing? (Score:2)
The problem PFSense has as compared to consumer routers is that running on normal Intel CPUs it needs more CPU power (and thus cost) to be able to forward a given amount of traffic. Plus all the NICs and such are separate silicon. Broadcom makes little all-in-one chips that have a couple of ARM cores that have acceleration for routing and so on. Also they have things like an ethernet switch and ethernet PHYs on the chip so they needn't be added. Have a look at a BCM4709A for an example that is popular in ro
Re: And what does that cost for gigabit routing? (Score:2)
The problem Broadcom has in comparison with other SoC makers is they never open source their drivers except under extreme duress. The practical impact is that you can never fix problems in the firmware and you can never upgrade the kernel. It looks like they're building this thing on top of the Marvell Armada 385.
I don't know of any 802.11ac WiFi radios with open firmware, but the Qualcomm 9880 at least has an open driver. It looks like this Turris router will have Qualcomm radios.
Re: (Score:2)
The problem Broadcom has in comparison with other SoC makers is they never open source their drivers except under extreme duress.
Broadcom absolutely sucks to work with in every way. They are truly awful, even if you are doing closed source development and sign all their NDAs ad nauseam.
Re: (Score:2)
By 'secure', they mean 'has automatic updates.' Which is cool, but it's kind of like bandaid security.
Re: (Score:2)
That's entirely not what they mean by security. Not even close. I suggest you read the project's description again, as you seem to have missed most of it.
Re: (Score:2)
It's still vulnerable to SSID spoofing.
Only Time Will Tell (Score:2)
High Security? Only time can tell. Until the router has been out in the wild for a bit and people have had a chance to look for vulnerabilities, it's impossible to say whether or not the router is actually secure. It's similar to the "Blackphone" which was touted for people who wanted a very secure phone. Once they released it, they found all sorts of security problems [zdnet.com] with it.
Re: (Score:2)
It's called pfsense...
The perfect storm (Score:4, Insightful)
Great. So maybe this thing really is pretty secure out of the box. But if you're going to stick something that capable\configurable on a business LAN, it is inevitable that some junior admin will be assigned to set it up and in the process create a gaping security hole. I have seen it happen on lesser devices. A secure router should have a limited set of well documented functions, not the ability to run Sendmail.
Re: (Score:2)
I have shared, via torrents, a very large number of distros. I already have a seed box that does nothing but run headless and seed torrents all year long. It consumes more power than it probably needs to and while I could, easily, set up a Pi to take care of this - I'm very unlikely to do so. I could see this being handy as a device that can do things like that. I'd be unlikely to get around to setting up a Pi but I'd probably do it in a browser and just share it to NAS like I already do.
Meh... I do keep my
Re: (Score:2)
so wait, you are unhappy that we can setup our own OS on that thing? And to fix that, you are proposing to *restrict* the software you can run on it so that you can't modify it... that doesn't keep cisco routers from getting owned, or any other proprietary device from getting hacked, as far as i know.
there are literally millions of home routers that run a "limited set of well documented functions" that are regularly abused for DDOS attacks [krebsonsecurity.com] to a complete port scan of the entire internet [bitbucket.org]. and there are hundr
OpenVPN support (Score:2)
Great to see an open-source project for the router side of the network
Thanks.
Re:OpenVPN support (Score:5, Informative)
It runs OpenWRT which supports OpenVPN, USB and bittorrent.
Aaron Z
Maybe if it were on kickstarter... (Score:1)
It seems like Indiegogo is where tech projects go when they can't meet the criteria of Kickstarter (e.g. having a working prototype). Putting money into optimistic (but plausible) tech projects on Kickstarter seems a lot like betting, but putting money into the same on Indiegogo seems like burning money.
Re: (Score:2)
With some types of projects, it takes way too many resources to have a working prototype before getting funding.
But with this particular project, this isn't their first router anyway, so there's not much of a question of whether they'll deliver or not.
Re:Maybe if it were on kickstarter... (Score:5, Informative)
Like this criteria:
Project creation is currently available to individuals in the US, UK, Canada, Australia, New Zealand, the Netherlands, Denmark, Ireland, Norway, Sweden, Germany, France, Spain, Italy, Austria, Belgium, Switzerland, and Luxembourg who meet the requirements below.
No Czech Republic listed there.
Re: (Score:2)
You make a convincing point.
Needs more RAM ( and CPU? ) to be a decent NAS (Score:2)
I don't think 1GB & dual-core ARM is going to cut it for respectable NAS performance. That's pretty much what older versions of the LaCie NAS had under the hood and the performance was lame.
And they'd better get the security right. Nothing like having someone root your router AND have access to your porn stash in one hack.
Made in CZ (Score:2)
Does it have a jtag header? (Score:2)
Existing Turris user here (Score:1)
It'd be nice if we could see the video... (Score:2)
I guess you folks didn't get the memo - the Internet doesn't like Flash. But even at a laptop which has Flash, the video still doesn't load.
Would you like help hosting the video?