Security sins in computer products
So I got a new wireless router for my house today and was absolutely appalled at the way they have treated security in the thing. Now, this is not unique at all. I have tried most of the other common home routers as well, and they all sin in about the same ways. Frankly, I have yet to find a wireless product that does security as well as the venerable Microsoft MN-500 802.11b router. Of course, the MS device only does WEP, which is pretty much equivalent to no security at all these days, but when it came out, that was all there was, and it was on by default, and ordinary mortals could actually set it up. Not so with the recent crop of products. Here are some particularly egregious issues:
- This is an excerpt from the manual
Administrator Password
The Router ships with NO password entered. If you wish to add a password for more security, you can set a password here. Keep your password in a safe place, as you will need this password if you need to log into the router in the future. It is also recommended that you set a password if you plan to use the Remote management feature of this Router.
Let me get this straight; if I wish to have security, I may optionally configure it? Why is security optional? What kinds of passwords might this thing support? There is no mention of it in the manual. However, since it is web-based, I presume it can’t have special characters in it since those get to be URL encoded. Oh, and the walkthrough configuration wizard thingie, that ensures you get a wireless network that is shared with every neighbor that can find it (which is a large number with a MIMO router like this one) does not allow you to set a password.
Hmm, even stranger. When I try to set the password and at the same time tell it not to use NAT, it actually does not take the password. Weird. It restarts the router, but I can still log in with the default blank password.
The wireless network is on by default, with no security, and that handy blank password on the router. 'Nuf said. From what I saw in my testing anyone could connect to it and manage it as long as they were on the internal side of the network, but of course, all that takes is a Pringles can and a convenient spot to park within about five miles of the router. I have said many times that one of these days I am just going to turn off my wireless network and use one of my neighbors. On any given day I can see at least 6 of them from my home office. I just think there is a company policy against that sort of thing.
They use terms like “computer hackers use what is known as ‘pinging’ to find potential victims on the Internet.” A hacker is not a criminal! Why is it that we keep using the term "hacker" when we really should be using "attacker" or "criminal"? Hacker is a proud term that was originally used in the computer world to refer to those who really loved computers and everything about them. Then some misguided journalist decided to equate it to criminal and it went downhill from there. Why can't we just refer to them as the criminals they are? If someone goes in and robs a bank branch there would be no question about which labels to put on him, but because the crime involved stealing someone's bank account details and electronically transferring all the money to some place you've never heard of they are somehow different than traditional robbers? I've even seen cases where prosecution was called off for fear of destroying the criminal's "career and chances of getting into the university of his choice." This is just appalling. Maybe if we used more descriptive terms to refer to these people we'd start actually putting them where they belong.
Oh, but the fact that criminals use ping as a way to discover your system is not sufficient reason to block ICMP echo by default. You have to actually turn that blocking on. I wonder if the router blocks portscanning? They use that too. I suppose I need to find out.
“Your Router is equipped with a firewall that will protect your network from a wide array of common hacker attacks including Ping of Death (PoD)”
Wow!!! It protects me against a really scary sounding attack!!! I guess I don’t need that patch Microsoft issued 8 YEARS AGO to fix that problem. BTW, exactly how many people are still running NT 4.0 on their home wireless network so they would be vulnerable to this? I guess the original release of Windows 95 was vulnerable too, but putting a firewall in front of those is not likely to help much.
IP Address Lease Time: Forever. Yeah, that makes sense, because we will never ever change computers!
The driver for the network cards that go along with the router is not signed. Not to worry, the manual explains it:
You might see a screen shot similar to this one <screenshot of unsigned driver approval screen here>. This DOES NOT mean there is a problem. Our drivers have been fully tested and are compatible with this operating system.
Good idea!!! Let’s train people to click “yes I want to install the malicious software” (or the equivalent) in every dialog that pops up and asks them to do so. Why is it so hard to understand that driver signing is about trust in the source of the driver, not about whether it has been tested to work or not. I don't think anyone expects a vendor to release a driver they have tested only insofar as to make sure it compiles.
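To make the distinction concrete, here is an added example (not part of the original post or the router vendor's material) that inventories installed drivers by who signed them. The trust list is an assumption for illustration; the verdict is only about the source of the driver and says nothing about whether it was tested.

```powershell
# Signers the owner of this machine has decided to trust.
# Assumed list for illustration; adjust it to your own policy.
$TrustedSigners = @(
    'Microsoft Windows',
    'Microsoft Windows Hardware Compatibility Publisher'
)

function Get-DriverTrustReport {
    param([string[]]$Trusted = $TrustedSigners)

    # Win32_PnPSignedDriver reports, per installed device driver,
    # whether it is signed and the name of the signer.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName } |
        ForEach-Object {
            # The verdict is about who vouches for the driver,
            # not about how well the driver works.
            $verdict = if (-not $_.IsSigned) {
                'UNSIGNED: source unknown'
            } elseif ($_.Signer -in $Trusted) {
                'signed by a trusted source'
            } else {
                'signed, source not on trust list'
            }

            [pscustomobject]@{
                Device   = $_.DeviceName
                Provider = $_.DriverProviderName
                Version  = $_.DriverVersion
                Signer   = $_.Signer
                Verdict  = $verdict
            }
        }
}

# Unsigned and unfamiliar signers sort together for review.
Get-DriverTrustReport |
    Sort-Object Verdict, Signer, Device |
    Format-Table -AutoSize -Wrap
```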
People complain about Microsoft security, but frankly, the state of security in the rest of the industry scares me sometimes.
Comments
Anonymous
January 01, 2003
Lousy security is all around us, and I'm not even thinking about airport security here (which, I admit,
Anonymous
September 12, 2005
Jesper – I couldn’t agree more with your opinions! I too was concerned, and recently blogged about securely setting up home wireless networks.
But your comment about clicking on “unsigned” drivers illustrated the confusions that consumers face daily – another big “security” confusion is the pop-ups asking users to decide between the “Allow” & “Block” buttons for their Firewall or AntiSpyware programs?
There’s simply no way for “Mom & Dad” to truly know when it's safe to “Click!”
Anonymous
September 13, 2005
Just regarding the whole driver signing issue... is there some sort of exorbitant cost associated with getting drivers signed? I've always thought that the only plausible reason companies don't get their drivers signed was somehow money related.
If that is the case, it would probably go a long way towards user education if Microsoft dropped any costs associated with driver signing. Probably shaving 1% off the Windows marketing budget would cover it :-D
Anonymous
September 13, 2005
All you need to sign drivers is a code signing cert. Yes, those cost money, but it is $400 (from Verisign, you may get them cheaper elsewhere). More information on the digital signature program is available at http://go.microsoft.com/fwlink/?LinkId=36678.
You do not need to pay Microsoft any money to code sign. Now if you want logo certification, then there are additional charges. I'm no expert on this, but from https://winqual.microsoft.com/download/WHQLPOLICY.doc it appears it costs $250 per OS for the testing. Full Windows Hardware Quality Labs (WHQL) details are available at http://www.microsoft.com/whdc/winlogo/default.mspx.
In other words, the cost should not really be prohibitive for any vendor.
Anonymous
April 04, 2006
I greet the clown. I like clowns very much! I have been to the circus and seen clowns.