We need a SOHO replacement for APU2 routers: x86 open schematic hardware with coreboot open firmware, ECC memory resistant to Rowhammer, 6W TDP fanless, TPM 2.0 and DRTM secure launch. PC Engines was a Swiss company with Taiwan manufacturing, run by one talented human with a consistent ethos for ~30 years.
Since APU2 schematics are open, rebooting PC Engines in US/UK/AU could be initiated by industry leadership requesting AMD to restart production of the ancient AMD GX-412TC SoC, until AMD can ship a Ryzen Embedded alternative with comparable power efficiency. Ryzen Embedded includes dual 10GbE.
We hear all the time about promising kickstarters that fail and everyone just nods their heads in agreement that "shipping hardware is hard". And surely it is. But yet, here was one guy shipping thousands of custom-designed modern-ish computers to hobbyists and businesses around the world at a very fair price for multiple decades.
I think it wasn't just AMD winding down production of that SoC, but also that the Intel NICs being used on the APU2s (i210 and i211) were also getting hard to come by. Given how well designed and built those devices were, _especially_ at the price point Pascal sold them at, it's incredible to me that they're not everywhere. There really is no alternative, even at 2-4x the price point, and I'm surprised that AMD and Intel aren't trying to build more hardware to facilitate these sorts of devices, given how much pressure ARM has kind of put on lower power devices.
I definitely hoarded a bunch of APU2s when the final run was announced. There's just little or nothing you can get your hands on that works as well as they do.
Hopefully the re-industrialize [1] movement can inspire a new generation of board designers, learning from Pascal and research hardware like NetFPGA [2], which lead to commercial DPUs/SmartNICs.
Yes, also Ivanti. And Palo Alto. And Cisco. And Dell (unless they spun that off already).
Most of the devices that rely on a scheme similar to inkjet printers (but with an even shorter shelf life) are going to be that way. This is because the money is not in the software, but in administrative choices (licensing, support contracts based on lifespan of hardware etc).
Since most deployment scenarios don't really need a proprietary ASIC to handle filtering, you'd almost universally be better off with a system that is built around generic white box hardware and an OS that is kept up-to-date. But that requires more knowledge and skills, and most people and companies would rather not invest in that for various reasons.
As for where you'd get your money's worth: it's mostly in the threat feeds. A well-tested, verified feed of known bad things (subnets, packet contents, behaviour) is much more useful than paying someone to keep a spare fan on the shelf so they can bring it to you "just in case".
The main thing the commercial players offer that open source doesn't do well is application level filtering. I want to be able to allow RTP across this giant port range but not just any UDP, or allow TLS exchanges with only certain SNI domains, not Cloudflare's entire address space.
If you want to do this, you need to select the least bad vendor.
In my experience, site categorisation is about the only 'feed' worth paying for.
Yeah. Majority of their devices can be found on breached. I saw my ex employer on there. Not that hard to decrypt the hashes stored on the config files. Base64 from what I could tell.
Anything that you can buy off the shelf is compromised.
I use OpenBSD on all my edge devices. It's not perfect but it is superior to 99% of everything else. That combined with poisoning the replies to nmap scans (fingerprinting) puts me in the 'much harder' to compromise category.
"Security through obscurity" isn't security. But "Don't be where your enemies expect you to be" is still good advice.
Also, relying on 1 layer of security is insanity. You need multiple layers, you need isolation.
I'm not quite as hardcore in that I use OPNSense (FreeBSD-based), but I still rate that as a good level above consumer-level and ISP-provided modems / routers.
I'm not sure what vulnerabilities I have from the Ali Express multi-LAN-port hardware that OPNSense runs on, but I don't have the motivation / money for nation-state level paranoia.
The myth BSD is more secure comes from the frequency of unreported zero day exploits. One of my former managers ran the platform for years... right up until the institutional router was compromised.
The lesson here is that if the device was made by an external firm, than the responsibility wouldn't have fallen on him politically. One may assume it is operator/administrative error, but this guy wasn't YOLO'ing by any stretch of the imagination. He was replaced 3 months later for unspecified reasons.
Critical systems are a different problem domain with different rules. =3
Since APU2 schematics are open, rebooting PC Engines in US/UK/AU could be initiated by industry leadership requesting AMD to restart production of the ancient AMD GX-412TC SoC, until AMD can ship a Ryzen Embedded alternative with comparable power efficiency. Ryzen Embedded includes dual 10GbE.
2023 EoL discussion, https://news.ycombinator.com/item?id=35635900 & https://pcengines.ch
I definitely hoarded a bunch of APU2s when the final run was announced. There's just little or nothing you can get your hands on that works as well as they do.
[1] https://www.reindustrialize.com/resources/attendees
[2] https://netfpga.org
A network slug[1], for instance, had almost zero attack surface.
[1] https://john.kozubik.com/pub/NetworkSlug/tip.html
Joking of course (but also not).
I take this to mean "don't buy Fortinet products."
https://www.cvedetails.com/vulnerability-list/vendor_id-3080...
Most of the devices that rely on a scheme similar to inkjet printers (but with an even shorter shelf life) are going to be that way. This is because the money is not in the software, but in administrative choices (licensing, support contracts based on lifespan of hardware etc).
Since most deployment scenarios don't really need a proprietary ASIC to handle filtering, you'd almost universally be better off with a system that is built around generic white box hardware and an OS that is kept up-to-date. But that requires more knowledge and skills, and most people and companies would rather not invest in that for various reasons.
As for where you'd get your money's worth: it's mostly in the threat feeds. A well-tested, verified feed of known bad things (subnets, packet contents, behaviour) is much more useful than paying someone to keep a spare fan on the shelf so they can bring it to you "just in case".
If you want to do this, you need to select the least bad vendor.
In my experience, site categorisation is about the only 'feed' worth paying for.
https://zvelo.com/about/company-history/
https://www.cvedetails.com/vulnerability-list/vendor_id-1283...
https://www.theregister.com/2025/01/14/miscreants_mass_explo...
I think the only good options are something flashed with up-to-date OpenWRT, or a PC running something like Opnsense.
I use OpenBSD on all my edge devices. It's not perfect but it is superior to 99% of everything else. That combined with poisoning the replies to nmap scans (fingerprinting) puts me in the 'much harder' to compromise category.
"Security through obscurity" isn't security. But "Don't be where your enemies expect you to be" is still good advice.
Also, relying on 1 layer of security is insanity. You need multiple layers, you need isolation.
I'm not sure what vulnerabilities I have from the Ali Express multi-LAN-port hardware that OPNSense runs on, but I don't have the motivation / money for nation-state level paranoia.
The lesson here is that if the device was made by an external firm, than the responsibility wouldn't have fallen on him politically. One may assume it is operator/administrative error, but this guy wasn't YOLO'ing by any stretch of the imagination. He was replaced 3 months later for unspecified reasons.
Critical systems are a different problem domain with different rules. =3