So I got a new wireless router for my house today and was absolutely appalled at the way they have treated security in the thing. Now, this is not unique at all. I have tried most of the other common home routers as well, and they all sin in about the same ways. Frankly, I have yet to find a wireless product that does security as well as the venerable Microsoft MN-500 802.11b router. Of course, the MS device only does WEP, which is pretty much equivalent to no security at all these days, but when it came out, that was all there was, and it was on by default, and ordinary mortals could actually set it up. Not so with the recent crop of products. Here are some particularly egregious issues:
Administrator Password: The Router ships with NO password entered. If you wish to add a password for more security, you can set a password here. Keep your password in a safe place, as you will need this password if you need to log into the router in the future. It is also recommended that you set a password if you plan to use the Remote management feature of this Router.
Let me get this straight; if I wish to have security, I may optionally configure it? Why is security optional? What kinds of passwords might this thing support? There is no mention of it in the manual. However, since it is web-based, I presume it can’t have special characters in it since those get to be URL encoded. Oh, and the walkthrough configuration wizard thingie, that ensures you get a wireless network that is shared with every neighbor that can find it (which is a large number with a MIMO router like this one) does not allow you to set a password.
Hmm, even stranger. When I try to set the password and at the same time tell it not to use NAT, it actually does not take the password. Weird. It restarts the router, but I can still log in with the default blank password.
People complain about Microsoft security, but frankly, the state of security in the rest of the industry scares me sometimes.
Jesper – I couldn’t agree more with your opinions! I too was concerned, and recently blogged about securely setting up home wireless networks.
But your comment about clicking on “unsigned” drivers illustrated the confusions that consumers face daily – another big “security” confusion is the pop-ups asking users to decide between the “Allow” & “Block” buttons for their Firewall or AntiSpyware programs.
There’s simply no way for “Mom & Dad” to truly know when it’s safe to “Click!”
I've always used NetGear's wireless products and found them to be pretty good, all in all. They ship with a default password set (OK - everyone knows what it is - but at least it's there) and their default firewall rules are pretty much OK for the majority of home users:
Everything Out - Allow
Everything In - Block
However, the wireless AP is turned on, with the SSID set to something obvious (NETGEAR, I think) and all forms of wireless security disabled. The model I have is actually pretty powerful, function-wise, even supporting VPN termination, Dynamic DNS and various other things.
But the problem with wireless security, just like most other types of security, is that your average home user does not understand it, care about it or worry about it: just up until the time his machine gets a keylogger installed and his bank balance disappears off to Nigeria. Although the hardware manufacturers could make life easier for the user, their support department would be swamped from day one.
I think you are both right. Dan, as you said, there is a support cost associated with providing secure networking, but only if you do it sloppily. The fact is that the wizard could do it all for you. They already have the wizard, even though it does almost nothing useful. Why not make it do something useful?
Blake, you are spot on about Mom & Dad. This is one of my major beefs. We are asking users to make a security decision, yet we give them no information, no context, no skillset, which will help them do so. We may be asking them whether they want to allow the foo server to connect to the bar service or install the fubar software, but in reality, all the user sees is a dialog that says: "If you want to see the naked dancing pigs you must make this dialog go away. Do you want this dialog to go away?" As Steve Riley says, given the choice of security and naked dancing pigs, security doesn't stand a chance. Hardware vendors are only making this worse by making a mockery out of the protections Microsoft put into the OS to explain, albeit poorly, to people that installing a driver from evilCriminalSyndicate.com is probably not a really bright idea!
Marcus Ranum posted a brilliant piece the other day at http://www.ranum.com/security/computer_security/editorials/dumb/. I tend to agree with just about everything Marcus says, and I do think I have probably said just about all of it in one forum or another over the years (but Marcus was the one who had the bright idea of writing it up first). However, there is one part in there where he basically says that we should give up on teaching users security and stop them from being capable of infecting themselves instead. While I have often advocated the same approach (create a group called "stupid morons", put the whole marketing department and anyone who has double-clicked an e-mail worm in the past in it, and stop them from getting e-mail attachments), the fact is that doing so would probably have a negative impact on business, and would only solve the e-mail problem anyway. The fact remains that the folks we refer to with disdain as users are really pretty sharp people. They have been able to learn how to read, sometimes how to write, how to drive a car (Boston drivers notwithstanding), and how to do a whole lot of other really complicated things. Why is it that when faced with a security decision they all of a sudden revert to being four-year-olds that say "I am not at all computer literate"? There has to be something they can learn about using computers, and if not, then we probably should take Marcus's advice (which I do believe I gave before he did!).
Just regarding the whole driver signing issue... is there some sort of exorbitant cost associated with getting drivers signed? I've always thought that the only plausible reason companies don't get their drivers signed was somehow money related.
If that is the case, it would probably go a long way towards user education if Microsoft dropped any costs associated with driver signing. Probably shaving 1% off the Windows marketing budget would cover it :-D
All you need to sign drivers is a code signing cert. Yes, those cost money, but it is $400 (from Verisign, you may get them cheaper elsewhere). More information on the digital signature program is available at http://go.microsoft.com/fwlink/?LinkId=36678.
You do not need to pay Microsoft any money to code sign. Now if you want logo certification, then there are additional charges. I'm no expert on this, but from https://winqual.microsoft.com/download/WHQLPOLICY.doc it appears it costs $250 per OS for the testing. Full Windows Hardware Quality Labs (WHQL) details are available at http://www.microsoft.com/whdc/winlogo/default.mspx.
In other words, the cost should not really be prohibitive for any vendor.
I greet the clown. I like clowns very much! I have been to the circus and seen clowns.