Is upgrading router firmware hard to do?

Usually you just push the "upgrade" button, and point the thing at the file you've downloaded. Make a backup of your settings first, then load them back in after the upgrade (if necessary).

DON'T DO IT OVER WIRELESS. I repeat: DON'T DO IT OVER WIFI.

If it ain't broke...........don't fixit !

Can't argue with that, in general. Unless there's some security fix or some added feature that you want, you might as well stay with the firmware that's been chugging away on your router.

On the other hand, I use Arch Linux, where updated software is a tenet of the cult ...

Most Firmware Updates for digital cameras are useful, hence my question re the router, anyway the Cisco router update seems to have installed the latest firmware along with it, does not seemed to have made any difference.

There was a UPNP bug in a lot of firmware. Some even kept it enables when the software was set to disable it. This could possibly be the source of the firmware update.

Yeah, there was the UPnP problem. However, I think your description more correctly fits the WPS problem.

Incidentally, the Cisco/Linksys/Belkin RE1000 is a range extender, repeater, or jammer depending on your point of view. I subscribe to the latter description, and find such repeaters to be an abomination and plague upon the LANscape. Rather than upgrading the firmware, I suggest that it be placed on the barbeque for a ritual immolation, so that other wireless devices can operate without disturbance or jamming.

I mis-typed the Model Number = it is E1000, a router, not the RE1000 extender.

No, the problem I described is the UPNP. Basically the warning went out twice. Once to just turn it off, then after Steve Gibson wrote his verification webpage, it was found that the firmware in some routers was so defective that UPNP was on even if turned off!

A lot of routers didn't even fix the WPS problem. You didn't have to set the password that way, so there were other alternatives without a firmware change.

One of those IP poking websites has the stats on how many routers are in the wild with the UPNP problem. It is the kind of problem you measure with a 'bot.

After going dd-wrt, I don't look back. These damn router companies have no incentive to fix their old routers when it is much more profitable to sell you a new one. I published my story about the damn GPL violation that left an expensive Linksys router with buggy firmware. Hell with getting updated firmware, the lawsuit left me with a router where I could even get the original firmware if I wanted it.

I understand that businesses need all the fancy management that Cisco can provide, but hell if I buy another Cisco router after they screwed me.

You have to wrap the link to use it.

I totally get Cisco paying money blah blah blah, what I don't get is Cisco never updating the code on those routers after they lost the lawsuit. That just screws the customers, not Cisco.

Water under the bridge. The Bufallo kick arse and never needs a boot.

I don't know much about the UPNP bug, but your description fits the WPS bug to a T. First, people were warned to turn it off, but later it was revealed that in some cases turning it off actually left it turned on (and vulnerable to attack).

On some routers, being unable to turn off WPS means that the vulnerability is there regardless of its apparent on-off status. It's not about having other ways to connect, it's about having a big gaping security hole and no easy way to close it.

My choice, as well.

The WPS bug had to do with the poor implementation to create passphrases. How exactly is this the same as the UPNP problem? Again, I repeat, one element of the UPNP problem is when you turned off UPNP, it wasn't turned off.

The WPS bug that got widespread attention was related to a weakness that allowed an attacker to coax the router to cough up its passphrase. Before that, the advice had always been to use a long passphrase, but if the router is going to willingly cough it up upon request, then it doesn't matter how long and hairy it is. The worst part was that, with some routers, turning WPS off resulted in WPS actually remaining on (and therefore still vulnerable).

Likewise with the widely reported WPS bug.

OK, I see that similarity (turning something off when but it is still on), but the basic problems are different.

I know someone who used to work in software QA. When I first met the guy, my response was "Oh, they QA software?? You mean letting the customer find the bugs then QA writes them down?" Expense EDA software ships with bug lists so you don't bother them with bugs they know about.

Coming from a hardware background, hardware could never get away with the bug level that is perfectly acceptable in software. While I'm not so sure I'd want analog flight controls in the 21st century, I don't get the warm and fuzzy feeling when these aircraft manufacturers boast about how many line of code are in their flight control system. I've seen stories on the net about Airbus having to boot computers while in flight. Here is a recent fubar report: