Last weekend a good friend of mine who uses XP asked me about setting up a wireless network and as I have experience on both XP / Linux I gave him some pointers about security and recommended a netgear adsl wireless router.

He contacted me on Sunday saying he had the wireless network up but had not seen ANYTHING about security in the setup guide and bearing in mind our discussion previously, asked would I mind taking a look at the setup for him.

When I arrived he showed me the setup leaflet, it boldly claims you can be connected in just 5 clicks. He followed this guide and apart from the guide not being accurate to what the software actually did, he got the connection to his provider. No recommendation about security at all. There was information on the CD however, if you wanted to browse it yet I doubt many complete novices would do this.

Sure enough his network was broadcasting it's id and all security was disabled by default so I went through with him explaining what I was doing as I setup the security for him.

What's apparent to me is there is no substitute for an understanding, at least at a rudimentary level, when you are attempting something new; particularly when there is a security implication.

I was just amazed at how a Company like Netgear could be so irresponsible in not making it clear that, yes ok 5 clicks will get you connected, but hey you really ought to setup encryption etc because EVERYONE with a wireless PC can attach to your network.
In fact it would be better they ship with security enabled, by all means create a 'wizard' that walks you through what you are doing, but I guess they would rather keep support calls down by having people using unsecured networks 'that just work'.

Incidently, whilst we secured my friends network we could also see another unsecured wireless network in the vicinity...

I agree. "Easiness" encourages (or rather, fails to punish and correct) ignorance, and while this is sometimes a good thing - for example, I see no reason at all why a user should not be ignorant of the mode-line settings for her monitor, or even unaware that they even exist! - in the case of security, it is almost always bad.

I think OS X and Linux will, should they ever attain a large proportion of marketshare, enjoy a far better track record for security than Windows has, but one thing they can't guard against is a user ignorant of security issues with root access. Sadly, it can be very hard to educate users on issues of security - some seem to be actively opposed to the idea and bafflingly blase about who has access to their machines and data.

Edit:

PS - I was born in Kent (Margate to be precise)! :)

Oops, nevermind. I replied to the wrong thread

It's been the windows way from the begining unfortunately, ease of use over simple security. It's come back to bite them on the butt now though, serves them right IMHO!

Missing security is just plain wrong and evil. But even with security it has still to be as easy as possible, otherwise it wastes resources and users tend to not use it. Thing should be as simple as possible but not more; and this includes security.

I agree. "Easiness" encourages (or rather, fails to punish and correct) ignorance, and while this is sometimes a good thing - for example, I see no reason at all why a user should not be ignorant of the mode-line settings for her monitor, or even unaware that they even exist! - in the case of security, it is almost always bad.

Exactly.


I think OS X and Linux will, should they ever attain a large proportion of marketshare, enjoy a far better track record for security than Windows has, but one thing they can't guard against is a user ignorant of security issues with root access. Sadly, it can be very hard to educate users on issues of security - some seem to be actively opposed to the idea and bafflingly blase about who has access to their machines and data.
Yes unfortunately you can lead a horse to water but you can't make it drink; If a user doesn't give a hoot then they are setting themselves up for a fall unfortunately.


PS - I was born in Kent (Margate to be precise)! :)

hehe it's a small world sometimes - I'm amazed how often when abroad you meet someone who lives nearby, I was in Jamaica last year (remember hurricane Ivan? I was caught in that), one of the guys who worked on the watersports stuff on the beach had family / friends in Gravesend !

It's been the windows way from the begining unfortunately, ease of use over simple security. It's come back to bite them on the butt now though, serves them right IMHO!

Yep, I'm praying for the day that Linux takes a sizeable share of the desktop market.

There's nothing wrong with being easy, we should hide the nasty details away.

We should be secure by default, and it should be effortless to be secure, it's currently not. I don't agree that it encourages ignorance to be usable.

There's nothing wrong with being easy, we should hide the nasty details away.
We should be secure by default, and it should be effortless to be secure, it's currently not. I don't agree that it encourages ignorance to be usable.

Being easy is fine to a point and you can go as far as you can with this - where the user need not know - like Generalzod said about monitor lines as an example.

Secure by default you can do to a point as is common with Linux however, users are faced with choices to do with security on a day to day basis. Emails for example, websites that offer to download fixes that are diallers and trojans etc etc.

You see as much as we would like to know nothing about such things as security, it is a eutopian dream to suggest it can be achieved. That is for the likes of marketing departments at Microsoft and Netgear etal who would like us to believe they can do it all for you, and my original point stands, that Netgear are wrong to provide instructions on howto configure their hardware with no security.

As I originally pointed out, there is nothing wrong with providing a wizard to help you set up complicated features. In doing so they can point out what is happening in an easy to digest language.
That is not making it hard to use, it combines understanding with ease of use in a palatable way.

I did not say that it encourages ignorance to be usable, rather there is a limit to what one can achieve without any knowledge, particularly with regards to security. To think (or suggest) otherwise is folly.

Phew, now I'm going to have another cup of tea....

hehe it's a small world sometimes - I'm amazed how often when abroad you meet someone who lives nearby, I was in Jamaica last year (remember hurricane Ivan? I was caught in that), one of the guys who worked on the watersports stuff on the beach had family / friends in Gravesend !

Are I live in kent, horrible little Medway to be precise. Maybe us Ubuntu geeks in kent should arrange a meetup? If anyones interested then you might as stick a thread in general chat

Anyway back to topic, I wish developers would encourage and hep users to learn more about there system, its would save the trouble of people saying "can you fix my computer its got a virus", AARRRGGGGHHHHH

I think the technology is advancing fasting than the average person can keep up. And because of that companies are simplifying that it so that the average person can have that new technology. IMO computer stores etc are also pushing this techology on the average person, who it may not suit, just yet. I've seen people buy wireless kits who in general haven't got a clue about networking. I once read an article in the computer mag about how the author managed to steal his neighbours internet connection. He had notice the unprotected network and decided to try it, with the neighbours consent. It didn't take him long, he could walk round his house and get a good signal from anywhere. To think that could be your neighbour.

In the end the repsonsible is on the person buying it and the companies selling the kits. The person buying has to have a good knowledge of what they are doing and how to achieve it. The companies have to to some extent protect the customers to some extent.

I think OS X and Linux will, should they ever attain a large proportion of marketshare, enjoy a far better track record for security than Windows has,

Yes but better is not always the most popular, just look at the story of OS/2 and Windows.

http://www.linuxandmain.com/features/os2retro.html

For those of you who don't know the story. (and even for those who do this is a good read)

You will notice that I'm a strong proponent of proactive security, I'm all for belt and suspenders and I'm deeply disappointed that applications such as Evolution do not default to setting the SSL connection option and it's still not the default that all mail is signed (this might more be a distribution user setup thing to ensure that we actually have all these informations accessable). If this causes Evolution to throw up an error message, then really - is this Evolution' fault or is your ISPs mail server really not misconfigured?

In the same way that some of the memory allocation technics employed by the new OpenBSD system are all legal according to the spec, they will break already broken applications.

I think we need to find a medium of good security and breakage - I wouldn't mind such security features being enabled during the development cycles a distro, clearly if something breaks it's a bug and should be fixed. The first long time we could procede to disable it in the production release because of unforseen breakage and runtime overhead, but it would be a good debugging tool, just like the new fatal_warning code in GNOME, we need to catch bad code at the root. If a problem is fixed once, the chances of it popping up again are rare so we can slowly weed out the worst bugs this way.

But back to networking security has historically been ignored in networking, ipsec, dnssec, ipv6 all these have been promised but never delivered - As IT professionals, I think it's time we started demanding security by default to protect us from the misuse of average users ressources. It's certainly not my machine that's the problem, it's locked down rather well I have SELinux, several firewalls and good proactive security, the problem is my neighbors machine, the one who runs his ADSL line on a wireless connection and doesn't have a clue about the dangers out there. He's not in IT, he is however a highly paid CEO for an unnamed company, he's not dumb, hell he knows more than I will ever do about his field but 99% of all people are just like him, they just want their PCs to work. The only way to fix this is to force the network vendors to be accountable to attacks, the same way that phishing will go away once we make the banks accountable for loses.

If Netgear gets flipped the bill when a vanilla setup of theirs is exploited to harm some company or private person, you bet ya they will start pushing for security. A rather radical idea and probably not applicable in the real world - but could we not somehow force them to at least enable encryption by default or enforce some kind of identification with the access point. How we get to this point is the hard part, but I imagine that pressure on the companies in question would help, getting standards updated to require security to be built in would all help.

But security should be transparent, a bad example of security rollout is Windows XP SP2, it's very noisy and causes a typical users to just click okay on every pop up because it presents so many of them. This is the danger in making things to configurable and in presenting wizards to set things up, people will work around security if it's in their way. But if the default is security everyone has to play along and they have to make it easy for the user to get work done, take the mailserver SSL example - if the default was to enable SSL on all email clients (if the standard called for this e.g.), your ISP would have to take their time to set this up or it would be in the users way, added benefit safer computing without obstruction.

If Netgear gets flipped the bill when a vanilla setup of theirs is exploited to harm some company or private person, you bet ya they will start pushing for security.

Netgear has their "vanilla" setup created so it will interoperate easily with OTHER networks from OTHER vendors in a non-crippled fashion. Activating that security stops it from interoperating with other nets in the area. So if they set things up as you suggest from your ivory tower they would be changing the customer's initial perception from one of "it works" to "why does this netgear suck so badly?"

I agree security is far too overlooked - hell, I use fully encrypted hard drives and when I have discussed it here I have been met with everything from jeers to flames - but a wireless gateway is just another path into your computer. If your security is so bad you have something to fear from those on your wireless net, then your security is so bad you can just as easily be hacked from that ISP pipe, and encrypting the wireless signal is not going to protect you from that.

Setting up a wireless hub is also, for many, an ethical and moral decision. I am only on a 5k pipe and yet I have a wireless hub here so anyone in the area can piggyback in if they want. If 3 or 4 people in this area did that we could all enjoy a 25kbps connection to the net. That's still not broadband, but far better than regular dialup which is all that's presently available in my rural area.

Making vendors accountabe for their equipment being misused is liek making Ford accountable every time someone uses a Ford for a getaway car, or gets in a police chase. It's a dangerous precedent not only for those vendors, but more importantly for everyone who believes in personal responsibility and freedom of thought and expression. Already states have enacted reactionary "secure your networks" laws that REQUIRE businesses to lock down their own wireless networks! What if I have a coffee house and WANT to invite people in the area to share anonymous connectivity to the net? Better not try to do it in New York...

Hey, calm down - I already said it was a bad idea - not that I think actually making vendors accountable for their products is bad and security doesn't have to harm interoperability but that highly depends on the standards being well specified.

it wasn't just directed at you - look at other posts in this thread. People "stealing" an internet connection? WTF is that all about? It's an internet connection, it either works or it doesn't. I had broadband in LA and operated a wireless hub there as well - it's not like someone else using the connection (especially when I am not even home) costs me anything.

This stuff about the horrors of wireless networks is just fearmongering for the establishment. The providers don't want you sharing your home connections because it may cost them a few subscribers, the copyrighted old school publishers don't want to see pervasive broadband at all because they think none of us will watch tv, buy music or go to the movies anymore, and the government sure doesn't want you sharing your home connection anonymously because it infringes their control over society. These are the people you are aiding when you repeat their fear mongering. Isn't free expression what all this is about in the first place?

My two cents.

I secure my wireless network for two reasons.

1. I am the one shelling out the money to pay for my network therefore I am not about to make it available to some freeloader for free. If they want a broadband connection, they can pay for their own.

2. I do not want someones illegal activities on the internet coming back to bite me in the tush. (Like some pervert downloading child porn or someone running an internet scam from my connection.) Your ISP records all the sites you visited in their servers and can be forced to provide it to the authorities by a court order.

You have something that is designed to be easy to use and then you have irresponsibility by the manufactuer by not making it also easy to set up a secure connection. Why not have it 10 clicks to a secure connection instead of 5 clicks to a unsecure connection? It doesn't have to be hard to set up to make it secure. All the manufactuer would have to do is add extra steps and explain it in simple to understand languange when the consumer is making his or her choices during setup.

Perverts and child porn, the billy clubs of the oppressors... just think of the children.

The Bush administration would outlaw ALL pornography if it could. That would essentially make everyone who has ever entertained one of those "immoral thoughts" a pervert.

Either you believe in freedom or you don't. Perverts have a right to expression just as much as those offering "scams." I have known of people who operated gateways explicitly because the presence of the open wireless gateway essentially makes any and all records relating to their isp connection ambiguous and useless in a prosecution.

Nothing is wrong with to easy. To easy and inscure is another thing. Im sure it is possiable to do both a secure network and very easy so that the user dose not have to understand whats going on, because they shouldent.

All and end user should have to know is push power button and type.

Just like the alarm system in your house, type in pin number and leave house. It should be that simple. The problem here is not that it was to easy. It is that the company sacrificed security to make it easy, they could, and should have made it easy and secure.

but thats just what i think, im probaly wrong

Perverts and child porn, the billy clubs of the oppressors... just think of the children.

The Bush administration would outlaw ALL pornography if it could. That would essentially make everyone who has ever entertained one of those "immoral thoughts" a pervert.

Either you believe in freedom or you don't. Perverts have a right to expression just as much as those offering "scams." I have known of people who operated gateways explicitly because the presence of the open wireless gateway essentially makes any and all records relating to their isp connection ambiguous and useless in a prosecution.

I do not believe you have a right to harm a child to make porn and distribute it and I definately do not want them using my connection to do so. Your freedoms end when you deny a childs right to innocence and safety.

Where is there a "right to innocence?"

"Innocence" is itself immoral, as innocence is a form of ignorance. Ignorance harms society - we have agreed upon this fact to the degree we require education of our children - save this one, perfectly natural yet, by decree of the church, taboo part of our being. Those who speak most loudly of this "innocence" also would couch society in a greater ignorance - and just look at what fantastic effect that is having upon society in places liek the US and the UK - where teen pregnancy and illigetimacy is at its highest rate of anywhere in the so called "civilized" world.

All restrictions on speech only defend ignorance and are, therefore, unethical... and "evil."