

Routers and Ethics - IsaacSchlueter
http://foohack.com/2008/07/routers-and-ethics/

======
rit
The last statement, "As software and hardware engineers, if our defaults put
users in an unsafe situation, where their credit and savings are placed at
risk, then we’ve failed them, and we’ve acted unethically."

is excellent.

Unfortunately, it's not easy to get people out of the mindset described [plug
it in, download porn, rinse, repeat].

Part of the issue is making it easy to initially connect, and as a corollary -
easy to reconnect once you've changed settings. This seems to be the big
issue.

There is however a standard established for doing this:
<http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup>

My newish dlink router supports it. There's a button on the side that you push
to put it in setup mode [I think you probably need Windows for the "easy"
parts]. By DEFAULT it is setup secure, and requires you to change the
password.

The trick of course is getting this pushed across the board.

------
cmos
Sounds like an opportunity..

Why don't we design one that is foolproof? i.e. security is always enabled,
and it requires a complex password? Perhaps there is even a readout + little
keyboard built into it so the end user can go through a simple wizard to
ensure security. The readout would give them the keys to type into their PC.

And on top of it there would be a large green + red indicators.. Red would
glow if there was any security issue, with the error on the readout + sent to
the end user as a text message. Green would indicate all is secure.

The only real question is what to name port forwarding. While I'm a huge fan
of the obvious and clear "Applications and gaming", being a router
manufacturer I would be obligated to create yet another new name for it, like
"wormhole port" or "you fool, just call your geek nephew already".

Seriously, I have trouble going from a linksys to a netgear to a dlink, not to
mention the OEM routers sold by ISP's now that often lock down features.. How
can we expect these pieces of fail to be installed correctly?

~~~
briansmith
AT&T already does the most important parts of that. In my complex every
network is named and secured uniformly because AT&T sells cable models with
built-in wireless routers. They have an installation process that is totally
automated and automatically configures them for WPA or WEP. The users don't
even (get to) choose the network name. As a result, I couldn't leech off
another network even if I wanted to.

Secure networks make perfect business sense for internet providers; otherwise,
they'd end up with customers with wide-open networks that neighbors could
share together (unwittingly or otherwise).

As for port forwarding, typical users never need to configure that, and when
they do, UPNP usually can do it for them.

~~~
IsaacSchlueter
Yes, AT&T's DSL setups are a triumph of proper defaults. They come in, plug
everything in, give you the password (or set up your computer), and go away
once everything is working and safe. Easy setup, safe installation.

Of course, I've had WPA and WEP hacked enough times to not trust either of
them. MAC address filtering is a bit safer if you want to lock down access to
the internet, but _at least_ the password has to be changed. Default router
passwords put users so badly at risk, there's really no excuse.

------
bprater
I think many vendors may now use encrypted Wifi by default, but I wonder if
doing something as simple as creating a "random" password and printing it on
the user's manual would have done the job?

------
akd
His counterexamples are very bad. If you don't practice proper car
maintenance, you can get into a very unsafe situation with e.g. underinflated
tires. Prescription medication? My dad almost put "otic" (ear) drops in my eye
when I was a kid -- I pointed out that there was a typo on the box and he gave
it a second glance.

If users aren't going to put a minimal investment into using a product safely,
there's only so much you can protect them.

~~~
IsaacSchlueter
That's true, if you want to be as safe as possible, then it pays to be
attentive to all the instructions you receive.

But, my point was that we receive so many complicated instructions about
complicated things that we don't really have time to understand fully, and
there are only so many hours in a day. You simply must prioritize. The fact
is, I expect that my doctor and my mechanic are going to tell me what to do,
and that I can pretty much just trust them. In this case, Netgear violated
that trust.

