Drilling Down on Uncle Sam's Proposed TP-Link Ban
Source: krebsonsecurity.com (Hacker News story, ID 45867717)
Story posted: Nov 9, 2025 at 1:17 PM EST. First comment: Nov 9, 2025 at 1:36 PM EST (19m after posting). Peak activity: 53 comments in the first 0-6h. Latest activity: Nov 12, 2025 at 12:05 AM EST. Last synced: 11/20/2025, 8:18:36 PM (160 comments loaded).
Key topics: TP-Link ban, US-China tech tensions, network security.
Summary: The US government is considering banning TP-Link due to alleged security risks and ties to the Chinese government, sparking debate about the motivations behind the move and its potential impact on the tech industry.
So, the plastic bits?
And also passives like SMD resistors. They are also refining copper and iron from raw ore. /s
Until we have desk side silicon fabrication/placement, with accompanying tunnelling microscope features, we simply cannot trust our silicon in any way other than through utterly peaceful means, which is to say, through systems of human trustworthiness.
Technology never allows us humans to advance sufficiently well to do without it .. unless it is evenly distributed.
Right now we are all at the mercy of the masters of silicon. This is no joke!
They were... not great...
I have no idea if that's still the case, especially post AMZ, but worth looking into if so.
I doubt the old guard was super pleased with the acquisition and many probably left voluntarily after seeing their dreams of profitable exit abruptly become acquihired by AMZN. But I don't actually know anything about what happened then. (I'm presently at eero, joined long after the acquisition... FWIW my experience isn't really consistent with your claims)
Addendum: looks like rank-and-file employees were screwed and the execs cashed in hard[1]. There was a lot of attrition after that. So I guess Amazon didn't have to lay people off, they did it themselves.
[1]https://mashable.com/article/amazon-eero-wifi-router-sale
Working there is interesting. AMZN corporate can be a drag but I imagine that's true for any FAANG or part of any large company.
They are. "Profit oriented". I bought a D-Link router once. Only one (1) port out of 4 was working. Great product, I never want to see something like this again. /s
Did you return that obviously damaged merchandise for an undamaged replacement? If not, why not?
TP-Link is the best for the same reason Apple is the best. They just have the momentum of being in the lead.
I would also say that TP-Link isn’t wildly and unrealistically cheaper or anything.
Their prosumer/business Omada lineup is clunky and kinda sucks compared to Ubiquiti.
Zyxel WiFi 7 APs are more competitively priced than basically anything last I checked.
I mean, in the case of actors like Huawei, you can at least credibly make the argument that the continued access of their support staff to internal provider networks is a significant risk, but that vector is entirely absent here.
Sure, embedded firmware has been, is, and will continue to be a tire fire prone to embarrassing compromises, but containing those is mostly about notification and containment by government agencies (which the current US administration is doing their utmost best to kneecap) and/or large ISPs (which in the US have traditionally never cared).
Forcing "foreign" products off the market in favor of "domestic" replacements with the exact same, if not worse, flaws won't fix a thing, unless you put some pretty significant controls into place that nobody is willing to enforce or even outline.
If I was in charge over at TP-Link, getting news that tens of thousands of MY company's routers were compromised would have me furious! I'd be freaking out, making sure that we take immediate steps to improve software/firmware quality and to make sure we're in a constant state of trying to compromise our own hardware... To ensure no one else finds vulnerabilities before we do.
Instead, TP-Link seems to have just laughed and focused strictly on profit margins.
This whole thing is reminiscent of the TikTok CEO Chew Shou Zi - "But, I'm Singaporean, Senator".
I don’t know whether it’s worth banning them or not, but putting your hands up and saying “what Chinese company?” is just absurd.
2. As you admitted, they have completely separated into 2 separate companies, claiming that it is still Chinese is akin to saying "tea is Chinese", that's completely absurd, yes, it was at some point in history, that point is not now.
Did you not read the article? It's hard to take your comment in good faith if you didn't.
Except they didn't do that. They moved the HQ.
I'll accept for the purpose of this argument that they fully split the company into two separate companies. But both of those companies are still mostly Chinese, going by the numbers in this thread.
> Did you not read the article? It's hard to take your comment in good faith if you didn't.
This is a weak attempt at turnabout. The article doesn't present any evidence of separation or non-Chinese-ness, it just quotes the company (and even that quote admits a bunch of Chinese assets). But even if it did, it wouldn't be bad faith to skip reading it.
1. Who else would document a company's restructure if not the company itself?
2. Yes, not reading an article and commenting on it is bad faith.
> going by the numbers in this thread.
3. So you have no evidence of it not being as the company says, just the vibes of others on this thread, okay Senator.
If the company wants to give numbers, I'll listen to them. But the company made vague/unproven claims and that's not enough. Journalists can investigate.
> 2. Yes, not reading an article and commenting on it is bad faith.
Commenting on something talked about in the article doesn't require reading that specific article. You can use other sources.
> 3. So you have no evidence of it not being as the company says, just the vibes of others on this thread, okay Senator.
Other people brought objective numbers. Not vibes.
Why should I not use those numbers? You have not claimed any of those numbers are wrong, you're just calling people's conclusions wrong.
The reality is the only part that matters, the chipsets, are produced in Chinese factories owned by TP-Link.
They moved everything that doesn’t matter to the US recently in an effort to give the illusion that they aren’t putting chips manufactured under the control of the Chinese government into the majority of routers used in the US.
I’m not agreeing with banning them, but I can certainly see how it creates significant risks that I would want to mitigate somehow.
So are more than half the chipsets in the world. https://en.wikipedia.org/wiki/Category:Microprocessors_made_...
I agree with you that they shouldn't be banned, but the US casting aspersions against another country is pretty rich considering the involvement of the CIA, and NSA around the world.
“in October 2024, established TP-Link Systems Inc., based in Irvine, CA, as its global headquarters and parent company with Jeffrey (Jianjun) Chao and his wife Hillary as sole owners. Jeffrey is CEO of the company.”
https://www.tp-link.com/us/landing/fact-sheet/
2. The sole owners are Chinese citizens, 95% of their employees are Chinese citizens living in China, most of the R&D happens in China, and the majority of the components of their products are manufactured in China.
They have an HQ building in the US, but 90% of it is leased to other companies.
This is a US based company in name only. It’s essentially a shell company designed to bypass a potential US ban.
From your linked fact sheet.
That is like people saying Nothing is a UK company, when all I see is a Chinese company registered in the UK.
"TP-Link is a Chinese company that manufactures network equipment and smart home products. The company was established in 1996 in Shenzhen. TP-Link's main headquarters is located in Nanshan, Shenzhen; there is a smaller headquarters in Irvine, California"
https://en.wikipedia.org/wiki/TP-Link
Everything that is happening with this administration is simply because it suits American foreign policy or the interests of one of the oligarchs. I mean this with absolutely no hyperbole: the pretense of there being any rule of law for the ultra-wealthy is gone. The White House is openly selling pardons, which have the added effect of cancelling out debts to the US government.
Tiktok getting banned? It had nothing to do with "national security". The government simply had less control over the content and the algorithm on Tiktok than they do on Meta and Google platforms.
Reading through this article, you have Microsoft pointing the finger at TP-Link. That's... rich. Because Microsoft has historically been horrible for security. It would take further investigation but I really wonder if TP-Link isn't just a convenient scapegoat.
Real reform here would be something like prohibiting tying software and hardware together as one product, source code escrow, etc. Things that actually create security and consumer choice, rather than merely one less vendor to pick from.
Pardons are not being openly sold. There is absolutely not great stuff going on with them but, really, the major difference I see is that it's happening during the administration, rather than in the last few hours.
The US is moving in the wrong direction when it comes to corruption but let's not act like we're bottom of the barrel or that this slide just started in 2024 (or 2016, if you'd like).
Did I read the last sentence correctly?
Since he's in the news and it's on my mind, I'm not sure the Cheney and the whole Iraq/Halliburton situation has been topped since then. Then there's every member of Congress suddenly becoming a multimillionaire after they get into office.
The only norm Trump is breaking is that he doesn't care to sweep it under the rug
Now this sort of thing isn't new. Famously on Clinton's last day in office he pardoned Marc Rich [4], who was convicted (before fleeing the country) of breaking sanctions by trading with Iran. It was widely rumored his ex-wife, Denise Rich, who had a lot of access to the Clintons, brokered a deal.
But what changed is the disastrous Trump v. United States [5] decision last year that granted almost absolute presidential immunity. Now there's not the slightest fear of repercussions so the whole operation has gone into overdrive and it's so incredibly brazen.
I stand by my original claim: the TP-Link ban isn't technical. It's political. And I would bet all the money in my pockets that if the CEO had "donated" $1 million to the inauguration (like all the Tech CEOs did including Bezos and Cook) we'd likely have a very different outcome.
[1]: https://www.aljazeera.com/news/2025/6/8/fact-checking-claims...
[2]: https://www.nbcnews.com/politics/donald-trump/trump-pardons-...
[3]: https://www.reuters.com/world/us/trump-pardons-convicted-bin...
[4]: https://www.pbs.org/newshour/show/clintons-pardon-of-marc-ri...
[5]: https://en.wikipedia.org/wiki/Trump_v._United_States
That really has nothing to do with it. The pardon power and its discretion is well established to rest solely in the hands of the President. There can be no consequences for pardons; otherwise, the Clinton things you mention would have led to something.
As far as fines go, if the 2B savings under DOGE was nothing, 1B of lost fines (which would probably have never been collected anyway due to negligence or bankruptcy) is nothing as well.
https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admi...
And to be clear, let's not forget that the US government did intentionally and secretly conduct surreptitious biological warfare tests against entire US cities that deliberately inflicted disease upon and killed American citizens. There was an entire formal program that spanned decades - https://en.wikipedia.org/wiki/United_States_biological_weapo...
Of course, the US government doesn't have any secret programs anymore and never lies to us, so everyone can rest easy knowing nothing like this could ever happen again.
This might be one of the only cases where subscription model would work well to cover the maintenance cost.
1) Company takes your subscription money.
2) Company finds a vulnerability that's difficult to fix.
3) Company announces your device is EOL and ends your subscription, taking your money for doing nothing, and not helping when you need it.
Almost all software everywhere comes with a 'no liability' clause. And arguably, open source couldn't exist without it.
The exceptions where liability is wanted negotiate that specifically.
We protect people because they have failed. These regulations tend to follow actual injuries; they are rarely promulgated in anticipation of them.
You don't negotiate the contents of your burger with McDonald's. If you don't like it, you go to Burger King or have a Döner Kebab.
There's plenty of tacit negotiations here.
> We protect people because they have failed. These regulations tend to follow actual injuries; they are rarely promulgated in anticipation of them.
Homeopathic medicine tend to follow actual health problems, too. That doesn't mean they are a good idea.
Not every industry is a competitive one with practically unlimited choices. Natural monopolies or industries with high barriers to entry tend to have the most leverage over their customers. Most people have only a single electricity provider, and there are only two major mobile OS vendors worth speaking of.
> Homeopathic medicine tend to follow actual health problems, too. That doesn't mean they are a good idea.
Some work; some don’t. The key is figuring out which solutions are effective and which aren’t. Nobody is proposing keeping fixes around whose costs aren’t worth the benefits to society.
Couldn't you just include selling a product or a licence for it as a requirement?
Generally most GPL'd software isn't sold (terms and conditions may apply).
The only industry with a broad "no liability for torts" is gun manufacturing.
Or (hear me out on this one, it is a wild take) if you come out with a device, system or software that has fundamental flaws, you fix them at your own cost or get fined to oblivion if you don't.
If a company is not able to come up with reliable, quality products, then perhaps it shouldn't be in the business of creating said products to start with.
The fact that you suggest subscriptions to fix fundamental issues is a good reflection of how companies have managed to skew the general perception on what is "acceptable" as a product. In fact, they have pushed it so far, that they are feeding it to us backwards.
Pushing out minimal viable products and having subscribers pay to (perhaps, one day) get something that works shouldn't be the norm.
A car info/entertainment system that is too slow and buggy because the manufacturer couldn't be bothered to take the steps necessary to make sure it worked reliably? -> fix it
A phone manufacturer that throttles your system after a year because they couldn't be arsed to properly size their batteries originally? -> fix it
A router manufacturer shipping software so buggy their hardware needs to be rebooted periodically? -> fix it
Etc.
"Software is hard" or "product design is hard" are no excuses. Building airplanes that don't fall out of the sky is also hard, and yet we manage to do so. (Or, rather ironically, the ones that follow the "minimal viable product" software mentality do fall out of the sky. Looking at you, Boeing).
I was so used to this that when I started looking for this setting in UniFi OS I had forgotten the part 'networks are not supposed to be rebooted frequently!'.
First, all of the TP-Link devices I use still have firmware updates regularly. I can't talk about Deco series, which I don't own.
Second, mesh capabilities are not consistent across different brands, that's true. On the other hand, comparing TP-Link, which is a home/SOHO brand to UniFi, which is essentially a prosumer/enterprise offering is not fair. I have a small mesh (three devices) at one of the places I run these devices, and it hands-off nicely, extends coverage, and gives me the speeds written on the tin.
Do I expect it to compare to a UniFi or Aruba mesh where the smallest element has more processing power than my router? Of course not. Do I expect it to run on a 300 sqm house with 10+ devices? Again, no. But as long as my network runs, I can access the devices with good connections and speeds they advertise, I'm golden.
Lastly, the "restart every day at this time" setting has been present since forever on many devices. The feature is to help home-downloaders / data hoarders to renew their IP periodically. Heck, even JDownloader has a feature to reset your modem remotely if your modem supports renewing IPs (since 2004?). Assumptions don't help here.
I never had to automatically restart any of the routers/modems I used regardless of the manufacturer, save a couple of Cisco/Linksys devices. The E4200 had two processors, one for the switch and one for the router. The router one stopped responding randomly, cutting the whole network off from the internet, and my E900's processor crashed, flooding the whole home network with packets and basically paralyzing it. Oh, that same E900 failed to negotiate with the on-board RTL8139 Ethernet controller, so I had to buy another "Cisco/Linksys" RTL8139 card.
TP-Links I had never done anything remote. They even have the best latencies and WAN recovery when things go south on ISP side. My TP-Link 802.11AX extender works flawlessly with my ISP supplied WiFi6 modem, and despite having no mesh communication going on, running on the same SSID and handing off pretty reliably.
People can dedicate a small cabinet to UniFi rack-mountable gear plus the network center of their house. TP-Link has none of those, and not aiming for that market, even.
It's comparing a Peugeot 3008 with a Mercedes-Benz G Class and adding that, Mercedes has serious off-road trucks like Unimog, but G Class is their end-user product.
Apples to Pineapples.
BTW, it's not hard for me to install and manage a high capacity UniFi network in any way. I don't use their devices, because I don't want to manage yet another network.
From my experience, TP-Link makes hardware changes with "H/W versioning" in their model numbers. I have many RE220 extenders with different hardware revisions; earlier ones don't support OneMesh. However, I don't find later versions performing worse w.r.t. earlier ones.
However, at $500/unit, the backbone of the devices doesn't look underpowered, esp. when looking at both wireless and wired specs. Considering my RE700X is doing what's written on the tin, and being rock-solid despite working with a non-TP-Link device and being behind two 30cm walls.
I expect these Deco devices to live up to their specs.
Not convinced that’s “home” or “soho”, unless you have a very generous meaning of “small” which leaves the 5 person office somewhat undefined.
Even the largest buildings of our multi-billion-dollar-revenue company only get up to 2500 wifi devices.
My Deco M4 mesh units from 2019 are still receiving regular firmware updates (to be fair, I think more to bring compatibility with new features than for security updates, but regardless).
Yet we all know so many industries and products that just do not work like that and in fact the longer something is broken and it doesn’t seem to stop people from using it, the more it is accepted that it is ok for it to remain broken. I think that is somehow just a part of human psychology.
No single person created the traffic jam "bug", the "users" are the biggest part. In many industries "the fix" isn't a few lines of code that you can one-click push to all users. You can't fix that traffic jam in code or even in infrastructure, you need to change society itself on top of everything else. It may not even be a defect as much as a supply and demand issue where supply is very scarce and impossible to ramp up, while demand is super high and growing. Cloud providers run out of capacity in some regions, their developers should be ashamed?
Software can be fixed quickly if broken. Capacity not so much. Software is also routinely launched broken, and subsequently stays in various degrees of broken or not usable enough throughout its lifecycle, with new and unpredictable issues replacing old ones.
If too many people wanting to drive a car in the same place, at the same time despite the predictable outcome due to the limited capacity is purely a failure of the city, country, road builder, then isn't a user not being able or not knowing how to properly use the software the fault of the developer? Is demanding more from the software than it can deliver the fault of the developer? How much cumulated time does this cost, sometimes for absolutely no reason whatsoever than an arbitrary decision of the developer?
You aren't "deeply ashamed" because you downplay the issues you (or your company) create as a developer and pretend they aren't problems for the users. A "part of human psychology" tells you 1000 smaller cuts are fine.
You were talking about reasons to be ashamed? How about that as a developer you don't understand system design and capacity/performance limits, and you don't understand that intentionally loading a system beyond its rated capacity is not the problem of the system. Even an LLM knows that.
I bet you only build systems with infinite capacity and performance.
Imagine if we did not have congestion control in TCP and instead every time we got congestion we just upped the bandwidth. Do you think at some point our ability to increase capacity would outpace the demand for what is for the most part a free resource (I know neither roads nor network bandwidth are free but the cost is amortized such that it “feels” free to the users)? Or do you think demand would grow as fast or faster than capacity?
The real answer is to reduce demand. You can do this by introducing something like congestion pricing: make it expensive to use the resource when demand is close to capacity. Or you add some form of congestion control. For example you could dynamically set speed limits on secondary roads and when the freeway traffic flow slows down you slow down cars as they try to get to the on ramp of the freeway. Or you could raise the price of gas by $1/gallon to discourage car use and use the revenue to build more public transit. You could charge single person car use fees. You could keep roads free but make parking downtown extremely expensive and use the proceeds to build more public transit. You could reduce speed limits in the cities to no more than 10 miles per hour and strictly enforce that; obviously this only works if you have much faster and higher speed public transit: imagine choosing between buying a car, car insurance, gas, and still taking 3x as long to get to where you want to go compared to buying a $50-100 monthly pass and using public transit.
The hubris of the spotless software engineer mind.
We have a solution for the traffic problem but you won't like it.
There is no "traffic".
YOU ARE THE TRAFFIC.
Cars and roads for cars don't scale well past very rural or very small suburban areas.
The solution to traffic is extremely hard and it involves:
* you and lots of other drivers voting to allow densification of highly serviced areas (close to central business districts, public transportation, hospitals, schools, ...) - at least mid rise apartment buildings, 4-6 stories high
* you and lots of other drivers voting to allow funding of public transit
* you and lots of other drivers voting to allow funding of reduction of car infrastructure (fewer car lanes, fewer parking spots, fewer highways, fewer car only bridges, tunnels, etc)
* you and lots of other drivers voting to allow funding of safe bike infrastructure
* you and lots of other drivers voting to allow congestion pricing in ... congested places
* you and lots of other drivers voting to allow funding for anti bike theft measures (police training, bike theft prioritization, bike serial number databases, ...)
* you and lots of other drivers taking public transit
* you and lots of other drivers riding bikes for medium length trips
* you and lots of other drivers walking for short trips
Truck deliveries can happen 3am to 6am every Tuesday and Thursday, or by paying $1,000/day toll fee.
Yes it is radical and yes people would get used to it and think it is superior after a time.
It is sometimes better to not ship a product at all instead of shipping a completely and fundamentally broken product.
Why? Microsoft and Cisco also skimp on security.
Wait, what? TP-link provides security updates for about as long as their competitors - including providing security patches for devices that are officially out of their support window.
For example, last year they provided a critical security patch for a number of out-of-support routers, including the 14-year-old TL-WR841ND [1].
[1]: https://www.tp-link.com/us/support/faq/4308/
cough Microsoft, Google, Apple cough
I would buy only Hue but that's because I have more money than sense, and they don't actually make smart plugs last time I looked, they make plugs but label them all as lights in the app, which is more annoying than it sounds.
The real problem to solve ditching TP-Link _routers_ is that all routers are uniformly fucking awful, and all you are doing is choosing your particular poison. This is especially true after Apple exited the game so long ago. I use Google Wifi because it mostly works most of the time, but that's not glowing praise. But the world has become trained that rebooting a router once a week and praying that it works when it comes back is a perfectly normal state of affairs and we couldn't possibly do this any better.
Ikea makes Zigbee smart plugs with power monitoring (Inspelning) that are ~10 Euro here (probably $10 in the US). Also Zigbee does not have all the security issues, since it is purely local and will talk with whatever hub/bridge you choose, e.g. Homey, Hubitat, or if you want to go free software Home Assistant or zigbee2mqtt.
It's somewhat insane to me that people use WiFi plugs for actuating things that actuate real-life electrical devices. Even more from companies that have a bad security reputation. Zigbee or Z-Wave all the way or possibly Matter over Thread, but the only Matter device that I had (an upgraded Eve Energy plug) has been a pain.
> The real problem to solve ditching TP-Link _routers_ is that all routers are uniformly fucking awful, and all you are doing is choosing your particular poison. This is especially true after Apple exited the game so long ago.
I switched to Unifi gear (Cloud Gateway Max, two of their U7 access points, and a bunch of their managed switches) and they are a dream to set up. Making VLANs, associating VLANs with SSIDs, etc. is so easy. I had a TP Link managed switch and the interface was a huge pile of crap and I saved it several times after misconfiguration by virtue of it having a serial console. I only used it for two months or so because it was so frustrating.
At any rate, Matter over Thread is still much better than WiFi security-wise (even though it's IPv6 routable) and Ikea's Matter over Thread plug will probably be similar price-wise. And the good thing is that probably even more people have a thread border router (Apple TV, HomePods, some Amazon Echo, Google TV Streamer 4k, etc.).
Still, these Ikea plugs are so cheap and Zigbee is extremely nice, so it doesn't hurt to buy and stock ten now for the future :).
My OPNsense router currently has 74 days of uptime, and that's just because I ran an update 74 days ago. I've never rebooted it to solve a problem. The only wrinkle is OPNsense (and pfSense) is at least an order of magnitude more complicated than your average consumer router.
OTOH, my Ubiquiti access point reboots itself every time I change any setting at all.
The mikrotik I've been using has been pretty solid, and super super customizable.
I installed their mesh Wi-Fi system for my parents recently and was really impressed how seamless the process was. It did involve making a cloud account which I wasn’t thrilled about, however.
I bought a cellphone from them many years ago and they never really supported it and I couldn't even buy a replacement battery.
Recently I bought a router with the firm intent of installing OpenWRT, but I received a newer revision that had a different CPU, less RAM, and less flash memory.
These events left a bad impression, but they do make affordable stuff with reasonable quality.
This also happened many years ago with Linksys (prior to Cisco). It’s not that uncommon for manufacturers to release new revisions of hardware without necessarily making it clear to the purchaser. If their purpose is to deliver a router and they can shave a few cents off the BOM with less RAM, but it still works with their software, why would they care. And once new revisions have been released into the supply chain, it can be hard to know exactly what version you are buying.
In the Linksys case, IIRC they eventually re-released the first revision WRT54G as the WRT54GL (for Linux), so that people who wanted different firmware could get the exact hardware they wanted.
We see this all the time with SSDs, where a high-spec model is released to reviewers, then a low-spec model is mass-produced and sold under the same model number. That's fraud, isn't it? Shouldn't it be?
In my experience, TP-Link always has the hardware revision on a label on the outside of the box.
This is even a common product development strategy: ship to market asap, optimize the margins later.
I want the most important performance characteristics that would be on a good datasheet to be maintained, even if there is no datasheet.
I'm getting ready to set a mesh network for my older parents as well. Do you have any suggestions for hardware and software? I live a ways away from them so I need this to be pretty much faultless. I don't want to drive 4 hours for IT support.