The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.
If I were in charge over at TP-Link, getting news that tens of thousands of MY company's routers were compromised would have me furious! I'd be freaking out, making sure that we take immediate steps to improve software/firmware quality and to make sure we're in a constant state of trying to compromise our own hardware... To ensure no one else finds vulnerabilities before we do.
Instead, TP-Link seems to have just laughed and focused strictly on profit margins.
This is like seeing a food poisoning outbreak at a fast food restaurant and concluding that it must be CIA/FSB/Mossad bogeymen trying a bioweapon. These breaches are things like not validating authentication tokens (at all, not just correctly) and that would be a big drop in professionalism from what we’ve seen from nation-state level attacks:
Hanlon's razor, paradoxically, is the perfect cover for surreptitious malice. We've already got a perfectly reasonable razor telling people not to assume malice, after all.
And to be clear, let's not forget that the US government did intentionally and secretly conduct surreptitious biological warfare tests against entire US cities that deliberately inflicted disease upon and killed American citizens. There was an entire formal program that spanned decades - https://en.wikipedia.org/wiki/United_States_biological_weapo...
Of course, the US government doesn't have any secret programs anymore and never lies to us, so everyone can rest easy knowing nothing like this could ever happen again.
It occurred to me recently while driving in a high traffic area that (a) this area is congested every single day at this time and (b) if I shipped a piece of software that literally crawled to a stop for a two hour period every morning and a two hour period every evening that I would be deeply ashamed of myself and my work and that if I ran a department that did that I would have no priorities other than fixing this bug until it was fixed.
Yet we all know so many industries and products that just do not work like that and in fact the longer something is broken and it doesn’t seem to stop people from using it, the more it is accepted that it is ok for it to remain broken. I think that is somehow just a part of human psychology.
> It occurred to me recently while driving in a high traffic area that (a) this area is congested every single day at this time and (b) if I shipped a piece of software that literally crawled to a stop for a two hour period every morning and a two hour period every evening that I would be deeply ashamed of myself and my work and that if I ran a department that did that I would have no priorities other than fixing this bug until it was fixed.
The hubris of the spotless software engineer mind.
We have a solution for the traffic problem but you won't like it.
There is no "traffic".
YOU ARE THE TRAFFIC.
Cars and roads for cars don't scale well past very rural or very small suburban areas.
The solution to traffic is extremely hard and it involves:
* you and lots of other drivers voting to allow densification of highly serviced areas (close to central business districts, public transportation, hospitals, schools, ...) - at least mid rise apartment buildings, 4-6 stories high
* you and lots of other drivers voting to allow funding of public transit
* you and lots of other drivers voting to allow funding of reduction of car infrastructure (fewer car lanes, fewer parking spots, fewer highways, fewer car only bridges, tunnels, etc)
* you and lots of other drivers voting to allow funding of safe bike infrastructure
* you and lots of other drivers voting to allow congestion pricing in ... congested places
* you and lots of other drivers voting to allow funding for anti bike theft measures (police training, bike theft prioritization, bike serial number databases, ...)
* you and lots of other drivers taking public transit
* you and lots of other drivers riding bikes for medium length trips
* you and lots of other drivers walking for short trips
I used to live near and work in Boston (near Fenway). My solution was a bit more radical than yours: passenger cars should basically never be allowed inside Boston proper. The city was not meant for cars and it shows. Instead, build moving walkways and fix the issues with for example the Green Line averaging 6mph (walking speed).
Truck deliveries can happen 3am to 6am every Tuesday and Thursday, or by paying $1,000/day toll fee.
Yes it is radical and yes people would get used to it and think it is superior after a time.
It is sometimes better to not ship a product at all instead of shipping a completely and fundamentally broken product.
The thing is, customers really want cars because they're like fast fashion or fast food: the benefits are obvious and the downsides are slow and insidious, while people selling them get repeat business worth huge amounts of money.
I think this is you seeing the faults of other industries but being blind to yours.
No single person created the traffic jam "bug", the "users" are the biggest part. In many industries "the fix" isn't a few lines of code that you can one-click push to all users. You can't fix that traffic jam in code or even in infrastructure, you need to change society itself on top of everything else. It may not even be a defect as much as a supply and demand issue where supply is very scarce and impossible to ramp up, while demand is super high and growing. Cloud providers run out of capacity in some regions, their developers should be ashamed?
Software can be fixed quickly if broken. Capacity not so much. Software is also routinely launched broken, and subsequently stays in various degrees of broken or not usable enough throughout its lifecycle, with new and unpredictable issues replacing old ones.
If too many people wanting to drive a car in the same place at the same time, despite the predictable outcome due to the limited capacity, is purely a failure of the city, country or road builder, then isn't a user not being able or not knowing how to properly use the software the fault of the developer? Is demanding more from the software than it can deliver the fault of the developer? How much cumulative time does this cost, sometimes for absolutely no reason whatsoever other than an arbitrary decision of the developer?
You aren't "deeply ashamed" because you downplay the issues you (or your company) create as a developer and pretend they aren't problems for the users. A "part of human psychology" tells you 1000 smaller cuts are fine.
But people don't drive randomly. They drive in predictable locations where the city, county and country have decided they should drive. Building all the homes over there, building all the offices over here, and having the whole population go from there to here at 8-9 in the morning and back at 5-6 in the evening was not an individual choice. The government (collectively, all parts of it) made those choices for us. And if you think it's an individual choice to commute at all - consider that you'd get arrested if you slept on the street outside of your office.
It’s worse than that because let’s say you have people commuting to their office from a suburb and let’s say it takes an hour. So you increase the road capacity so it takes 30 minutes instead. This just lets people from even farther away to take 60 minutes to commute. This means the employers have access to more employees who live farther away and pay less in their cost of living. This means more business can open and more employees can be hired for overall less money. Overall the problem is that any time you increase capacity you are just inviting more cars.
Imagine if we did not have congestion control in TCP and instead every time we got congestion we just upped the bandwidth. Do you think at some point our ability to increase capacity would outpace the demand for what is for the most part a free resource (I know neither roads nor network bandwidth are free but the cost is amortized such that it “feels” free to the users)? Or do you think demand would grow as fast or faster than capacity?
The real answer is to reduce demand. You can do this by introducing something like congestion pricing: make it expensive to use the resource when demand is close to capacity. Or you add some form of congestion control. For example you could dynamically set speed limits on secondary roads and when the freeway traffic flow slows down you slow down cars as they try to get to the on ramp of the freeway. Or you could raise the price of gas by $1/gallon to discourage car use and use the revenue to build more public transit. You could charge single person car use fees. You could keep roads free but make parking downtown extremely expensive and use the proceeds to build more public transit. You could reduce speed limits in the cities to no more than 10 miles per hour and strictly enforce that; obviously this only works if you have much faster and higher speed public transit: imagine choosing between buying a car, car insurance, gas, and still taking 3x as long to get to where you want to go compared to buying a $50-100 monthly pass and using public transit.
Define "not working". The one and only function of a road is to support the wheels on top of it. Are you saying that there's regularly cars falling through the asphalt, or cars veering off the road when they meant to go straight ahead?
Your car is the traffic on that road. Every system has limited capacity, you loaded it beyond that point, you are the problem. The roads are designed for an advertised capacity and more people like you said "it's fine, we'll all jam in there and then blame the road". Then you complain and point fingers at anyone but yourself?
You were talking about reasons to be ashamed? How about that as a developer you don't understand system design and capacity/performance limits, and you don't understand that intentionally loading a system beyond its rated capacity is not the problem of the system. Even an LLM knows that.
I bet you only build systems with infinite capacity and performance.
It was a completely Chinese company until last year. Then it split in 2. The US headquartered half has 11,000 employees in mainland China and 500 in the US based on what I could find when I googled it. It’s solely owned by the founder of the original company and his wife who are Chinese citizens.
I don’t know whether it’s worth banning them or not, but putting your hands up and saying “what Chinese company?” is just absurd.
1. The company was founded by Zhao Jianjun and Zhao Jiaxing, who are brothers. I don't know where you got the husband/wife sole ownership from.
2. As you admitted, they have completely separated into 2 separate companies, claiming that it is still Chinese is akin to saying "tea is Chinese", that's completely absurd, yes, it was at some point in history, that point is not now.
1. I got the idea from the TP-Link website. Zhao Jianjun is known in the US as Jeffery Chao. He and his wife are the sole owners of the US company.
“in October 2024, established TP-Link Systems Inc., based in Irvine, CA, as its global headquarters and parent company with Jeffrey (Jianjun) Chao and his wife Hillary as sole owners. Jeffrey is CEO of the company.”
2. The sole owners are Chinese citizens, 95% of their employees are Chinese citizens living in China, most of the R&D happens in China, and the majority of the components of their products are manufactured in China.
They have an HQ building in the US, but 90% of it is leased to other companies.
This is a US based company in name only. It’s essentially a shell company designed to bypass a potential US ban.
The reality is the only part that matters, the chipsets, are produced in Chinese factories owned by TPLink.
They moved everything that doesn’t matter to the US recently in an effort to give the illusion that they aren’t putting chips manufactured under the control of the Chinese government into the majority of routers used in the US.
I’m not agreeing with banning them, but I can certainly see how it creates significant risks that I would want to mitigate somehow.
I agree with you that they shouldn't be banned, but the US casting aspersions against another country is pretty rich considering the involvement of the CIA, and NSA around the world.
It's hard to believe you're saying 2 in good faith. Companies don't change that fast, and you skipped the part where so many of the employees are still in China.
Three years would be an impressive timescale to move a company from one country to another.
Except they didn't do that. They moved the HQ.
I'll accept for the purpose of this argument that they fully split the company into two separate companies. But both of those companies are still mostly Chinese, going by the numbers in this thread.
> Did you not read the article? It's hard to take your comment in good faith if you didn't.
This is a weak attempt at turnabout. The article doesn't present any evidence of separation or non-Chinese-ness, it just quotes the company (and even that quote admits a bunch of Chinese assets). But even if it did, it wouldn't be bad faith to skip reading it.
> This is a weak attempt at turnabout. The article doesn't present any evidence of separation or non-Chinese-ness, it just quotes the company (and even that quote admits a bunch of Chinese assets). But even if it did, it wouldn't be bad faith to skip reading it.
1. Who else would document a company's restructure if not the company itself?
2. Yes, not reading an article and commenting on it is bad faith.
> going by the numbers in this thread.
3. So you have no evidence of it not being as the company says, just the vibes of others on this thread, okay Senator.
> 1. Who else would document a company's restructure if not the company itself?
If the company wants to give numbers, I'll listen to them. But the company made vague/unproven claims and that's not enough. Journalists can investigate.
> 2. Yes, not reading an article and commenting on it is bad faith.
Commenting on something talked about in the article doesn't require reading that specific article. You can use other sources.
> 3. So you have no evidence of it not being as the company says, just the vibes of others on this thread, okay Senator.
Other people brought objective numbers. Not vibes.
Why should I not use those numbers? You have not claimed any of those numbers are wrong, you're just calling people's conclusions wrong.
> TP-Link's Headquarters are in California, they have a branch in Singapore and they manufacture in Vietnam
"TP-Link is a Chinese company that manufactures network equipment and smart home products. The company was established in 1996 in Shenzhen. TP-Link's main headquarters is located in Nanshan, Shenzhen; there is a smaller headquarters in Irvine, California"
Just because a company changed its headquarters to the US, all of a sudden they are a US company? Even if 99.9% of its decisions, operations and R&D are still elsewhere?
That is like people saying Nothing is a UK company, when all I see is a Chinese company registered in UK.
> The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.
Yea, in the real world, the CEO gets news that tens of thousands of his company's routers were compromised, and calls up his General Counsel and asks "are we liable for damages?" And if the answer is NO, he goes back to enjoying the house party in his luxurious third home.
> This might be one of the only cases where subscription model would work well to cover the maintenance cost.
Or - hear me out on this one, it is a wild take - if you come out with a device, system or software that has fundamental flaws, you fix them at your own cost or get fined to oblivion if you don't.
If a company is not able to come up with reliable, quality products, then perhaps it shouldn't be in the business of creating said products to start with.
The fact that you suggest subscriptions to fix fundamental issues is a good reflection of how companies have managed to skew the general perception on what is "acceptable" as a product. In fact, they have pushed it so far, that they are feeding it to us backwards.
Pushing out minimal viable products and having subscribers pay to (perhaps, one day) get something that works shouldn't be the norm.
A car info/entertainment system that is too slow and buggy because the manufacturer couldn't be bothered to take the steps necessary to make sure it worked reliably? -> fix it
A phone manufacturer that throttles your system after a year because they couldn't be arsed to properly size their batteries originally? -> fix it
A router manufacturer shipping software so buggy their hardware needs to be rebooted periodically? -> fix it
Etc.
"Software is hard" or "product design is hard" are no excuses. Building airplanes that don't fall out of the sky is also hard, and yet we manage to do so. (Or, rather ironically, the ones that follow the "minimal viable product" software mentality do fall out of the sky. Looking at you, Boeing).
Those are the companies that abuse customer trust and sell them something cheap under the guise of high quality, when in fact it is really cheap and not well thought out.
Respectfully, I think you have too much faith in the ability and general desire of individuals to protect themselves. Consider how successful scams and security breaches are. Consider, too, the unequal bargaining power between vendors and individual consumers (have you ever tried to negotiate a form contract with a megacorporation?).
We protect people because they have failed. These regulations tend to follow actual injuries; they are rarely promulgated in anticipation of them.
> Consider, too, the unequal bargaining power between vendors and individual consumers (have you ever tried to negotiate a form contract with a megacorporation?).
You don't negotiate the contents of your burger with McDonald's. If you don't like it, you go to Burger King or have a Döner Kebab.
There's plenty of tacit negotiations here.
> We protect people because they have failed. These regulations tend to follow actual injuries; they are rarely promulgated in anticipation of them.
Homeopathic medicine tends to follow actual health problems, too. That doesn't mean it is a good idea.
> You don't negotiate the contents of your burger with McDonald's. If you don't like it, you go to Burger King or have a Döner Kebab.
Not every industry is a competitive one with practically unlimited choices. Natural monopolies or industries with high barriers to entry tend to have the most leverage over their customers. Most people have only a single electricity provider, and there are only two major mobile OS vendors worth speaking of.
> Homeopathic medicine tends to follow actual health problems, too. That doesn't mean it is a good idea.
Some work; some don’t. The key is figuring out which solutions are effective and which aren’t. Nobody is proposing keeping fixes around whose costs aren’t worth the benefits to society.
If you sell the computer with the software preinstalled it would still fall under the selling a product part. So if you'd want to actually have a loophole you'd at best be selling the product without any software, and we both know how well that would go with the masses.
People in the comments are defending TP-Link for how 'solid' their products are. As someone who just switched to UniFi APs from a Deco Mesh (wired), I have to admit that the difference is like a deep dark hole and a bright sunshine day. Maybe people are comparing to Spectrum/Charter modem combos, but I definitely don't see how a router that loses firmware updates in a year can be praised. And it needs reboots so frequently. The Deco has an option now to reboot 'every day'. This sounds like something maybe needed for rare cases where the ISP expects a reboot, but the fact that your routers have that as a feature to keep them stable is a big red flag.
I was so used to this that when I started looking for this setting in UniFi OS I had forgotten the part 'networks are not supposed to be rebooted frequently!'.
First, all of the TP-Link devices I use still have firmware updates regularly. I can't talk about Deco series, which I don't own.
Second, mesh capabilities are not consistent across different brands, that's true. On the other hand, comparing TP-Link, which is a home/SOHO brand, to UniFi, which is essentially a prosumer/enterprise offering, is not fair. I have a small mesh (three devices) at one of the places I run these devices, and it hands off nicely, extends coverage, and gives me the speeds written on the tin.
Do I expect it to compare to a UniFi or Aruba mesh where the smallest element has more processing power than my router? Of course not. Do I expect it to run on a 300 sqm house with 10+ devices? Again, no. But as long as my network runs, I can access the devices with good connections and speeds they advertise, I'm golden.
Lastly, the "restart every day at this time" setting has been present forever on many devices. The feature is to help home-downloaders / data hoarders renew their IP periodically. Heck, even JDownloader has a feature to reset your modem remotely if your modem supports renewing IPs (since 2004?). Assumptions don't help here.
I never had to automatically restart any of the routers/modems I used, regardless of the manufacturer, sans a couple of Cisco/Linksys devices: the E4200, which had two processors, one for the switch and one for the router. The router one stopped responding randomly, cutting the whole network off from the internet, and my E900's processor crashed, flooding the whole home network with packets and basically paralyzing it. Oh, that same E900 failed to negotiate with the on-board RTL8139 Ethernet controller, so I had to buy another "Cisco/Linksys" RTL8139 card.
The TP-Links I had never did anything remotely like that. They even have the best latencies and WAN recovery when things go south on the ISP side. My TP-Link 802.11AX extender works flawlessly with my ISP-supplied WiFi 6 modem, and despite having no mesh communication going on, it runs on the same SSID and hands off pretty reliably.
Yes, a home product with a dedicated controller unit, Fx networking support, cloud based management with ability to self-host, traffic shaping and SDN capabilities.
People can dedicate a small cabinet to UniFi rack-mountable gear plus the network center of their house. TP-Link has none of those, and is not aiming for that market, even.
It's comparing a Peugeot 3008 with a Mercedes-Benz G Class and adding that Mercedes has serious off-road trucks like the Unimog, but the G Class is their end-user product.
Apples to Pineapples.
BTW, it's not hard for me to install and manage a high capacity UniFi network in any way. I don't use their devices, because I don't want to manage yet another network.
A 3-pack WiFi 7 BE65 mesh from TP-Link at launch cost $1500. They seem to have done their usual hardware switching to now sell a similar BE63 for $500. But if you are going to compare the two, compare the actual hardware-equivalent product. For $500 you can get a controller and a couple of APs from UniFi, and the setup will be far better than a 3-pack BE63.
From what I see, the Deco BE series has multiple models, with slightly different port configurations. Looks like BE65 comes with 4x 2.5GbE and BE65 comes with 2x 5GbE + 1x 2.5GbE. Moreover, the site has multiple other Deco BE models. Both BE63 and BE65 are on sale and can be purchased.
From my experience, TP-Link makes hardware changes with "H/W versioning" in their model numbers. I have many RE220 extenders with different hardware revisions, the earlier ones not supporting OneMesh. However, I don't find later versions performing worse w.r.t. earlier ones.
However, at $500/unit, the backbone of the devices doesn't look underpowered, esp. when looking at both wireless and wired specs. Considering my RE700X is doing what's written on the tin, and being rock-solid despite working with a non-TP-Link device and being behind two 30cm walls.
I expect these Deco devices to live up to their specs.
I couldn’t figure out what was wrong with my WiFi. Turns out all I had to do is power restart it. All my problems went away after setting up weekly reboots. It is stupid that it works and it is stupid that it is the only solution for stable WiFi. Shame on tplink
It's usually either low memory, which basically crashes the devices, or buggy software which works until you hit the bug, at which point it requires a restart to get it working again. Most common is memory problems though, because these devices have just enough memory to make it work.
I have not used the Deco access points, but the Omada ones have been rock solid for me for about 4.5 years now, and I used UniFi before that with no real issues either.
> I definitely don't see how a router that loses firmware updates in a year can be praised
My Deco M4 mesh units from 2019 are still receiving regular firmware updates (to be fair, I think more to bring compatibility with new features than for security updates, but regardless).
The Ubiquiti hardware might be good, but the firmware is so shit, especially for IPv6, that I had to replace it with OpenWRT to get it to work (offer IPv6 prefixes for delegation).
> Instead, TP-Link seems to have just laughed and focused strictly on profit margins.
Wait, what? TP-link provides security updates for about as long as their competitors - including providing security patches for devices that are officially out of their support window.
For example, last year they provided a critical security patch for a number of out-of-support routers, including the 14-year-old TL-WR841ND [1].
I really miss AirPort, it was the only router/ap with totally solid and easy software. Took the consumer market years to catch up with its mesh features, and they're still annoying with online registration.
Until it hits their wallet, they will not do a thing. Now if they were more concerned about longer profits and how this could impact their image, maybe they would change but it is rare you see that nowadays.
TP-link are definitely the worst of the worst. My cousin insisted they were fine as long as you kept the firmware updated, but then he lost all his bitcoins to hackers. TP-link, never again.
Yeah, that's not the lesson here at all. We're still in an era where you will suffer absolutely zero consequences for security lapses and breaches.
Everything that is happening with this administration is simply because it suits American foreign policy or the interests of one of the oligarchs. I mean this with absolutely no hyperbole: the pretense of there being any rule of law for the ultra-wealthy is gone. The White House is openly selling pardons, which have the added effect of cancelling out debts to the US government.
Tiktok getting banned? It had nothing to do with "national security". The government simply had less control over the content and the algorithm on Tiktok than they do on Meta and Google platforms.
Reading through this article, you have Microsoft pointing the finger at TP-Link. That's... rich. Because Microsoft has historically been horrible for security. It would take further investigation, but I really wonder if TP-Link isn't just a convenient scapegoat.
I don't mean to be hateful with this, but what's the point of your post besides random conjecture and a sort of rant about something only vaguely related to the story?
I see the comment as quite on point. There are many longstanding real problems that have been allowed to fester (in this case, embedded security). While these problems are now being talked about, there is still zero intention to actually address them. Rather they're merely being abused as talking points by fascists pretending that "something is being done" when really the "solutions" are merely the consolidation of autocratic control.
Real reform here would be something like prohibiting tying software and hardware together as one product, source code escrow, etc. Things that actually create security and consumer choice, rather than merely one less vendor to pick from.
Sometimes I wonder if people talking about corruption in the US have ever been to a country that is as corrupt as they say the US is.
Pardons are not being openly sold. There is absolutely not great stuff going on with them but, really, the major difference I see is that it's happening during the administration, rather than in the last few hours.
The US is moving in the wrong direction when it comes to corruption, but let's not act like we're bottom of the barrel or that this slide just started in 2024 (or 2016, if you'd like).
So far Trump pardons have wiped out over $1 billion in decided and sought fines [1]. There are pardons for the likes of George Santos (convicted for a whole host of crimes) for no other reason than he was a reliable Republican vote, clearly sending the message that if you are loyal, you can commit crimes and you will be pardoned. There's also the Tennessee House Speaker convicted for corruption [2] and the Binance founder [3] who allegedly aided in Trump's rug pull (sorry, "crypto offering").
Now this sort of thing isn't new. Famously, on Clinton's last day in office he pardoned Marc Rich [4], who was convicted (before fleeing the country) of breaking sanctions by trading with Iran. It was widely rumored his ex-wife, Denise Rich, who had a lot of access to the Clintons, brokered a deal.
But what changed is the disastrous Trump v. United States [5] decision last year that granted almost absolute presidential immunity. Now there's not the slightest fear of repercussions, so the whole operation has gone into overdrive and it's so incredibly brazen.
I stand by my original claim: the TP-Link ban isn't technical. It's political. And I would bet all the money in my pockets that if the CEO had "donated" $1 million to the inauguration (like all the Tech CEOs did, including Bezos and Cook) we'd likely have a very different outcome.
> But what changed is the disastrous Trump v. United States [5] decision last year that granted almost absolute presidential immunity. Now there's not the slightest fear of repercussions, so the whole operation has gone into overdrive and it's so incredibly brazen.
That really has nothing to do with it. The pardon power and its discretion are well established to rest solely in the hands of the President. There can be no consequences for pardons; otherwise, the Clinton things you mention would have led to something.
As far as fines go, if the 2B savings under DOGE was nothing, 1B of lost fines (which would probably have never been collected anyway due to negligence or bankruptcy) is nothing as well.
No, I'm saying that the slide didn't start with Trump. I also don't think much of what Trump is doing is much, if at all, worse than his predecessors but he has zero shame about it.
Since he's in the news and it's on my mind, I'm not sure the Cheney and the whole Iraq/Halliburton situation has been topped since then. Then there's every member of Congress suddenly becoming a multimillionaire after they get into office.
The only norm Trump is breaking is that he doesn't care to sweep it under the rug.