ALERT: WPA can be less secure than WEP

Indeed, but probably impractical.

I can't see this working - mfrs would have to set each unit to a different random passphrase, and provide documentation of that to the buyer. It's pretty likely that this will add a fair bit to the cost.

It's a very slick site, so slick I can't find any details of how it should be done. And indeed some of the information seems positively misleading - the suggestion that you can get instant secure links without typing in any passphrase for instance. Really? How do they magically force non-2wire clients to reconfigure themselves into the right mode then?

Anyway I don't propose to trawl my way through 2wire's horrible sales pitch to pick out a few gems, should they be there. Either post a working link to the relevant info, or don't mention the company; the way you did it makes it look almost like a product placement.

Mark McIntyre

Reply to
Mark McIntyre

Yes it is ... plus it occurs in other newsgroups...where he asks a question, and then answers the question by directing people to his own web site. This falls into the blatant self serving spam category.....

Reply to
riggor99999

Ho hum. I can break WEP in 15 minutes, no skills required. Really, if I can break WPA in 5 minutes it still isn't, in any real sense, less secure than WEP. I've got no problem with you posting answers to unasked questions, but there's absolutely no cause to be alarmist. You're encouraging people to use WEP, because most of them won't _bother_ to read further and find out that there's nothing inherently insecure with WPA. WEP _cannot_ be made secure. Simple steps can make WPA quite secure. WPA cannot - experts aside - be less secure than WEP, though the particular passphrase you use may weaken it.

Reply to
Derek Broughton
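The point in the post above, that WPA itself is sound but a particular passphrase may weaken it, can be made concrete. The following is an added example, not code from any poster in this thread: it derives the WPA-PSK master key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and estimates the guess space of several passphrase styles. The SSIDs and passphrase in `main` are constructed, the 64-bit floor is an assumption, and the bit estimates hold only for passphrases chosen at random.

```python
import hashlib
import math

DICEWARE_WORDS = 7776  # 6**5 entries in a standard Diceware word list


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def random_chars_bits(length: int, alphabet: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def diceware_bits(words: int) -> float:
    """Entropy of `words` words drawn uniformly from a Diceware list."""
    return words * math.log2(DICEWARE_WORDS)


def verdict(bits: float, floor: float = 64.0) -> str:
    # The floor is an assumed policy threshold, not a value from the thread.
    return "ok" if bits >= floor else "weak"


def report():
    """(label, bits, verdict) for a few passphrase styles, weakest first."""
    rows = [
        ("single word from a 100,000-word dictionary", math.log2(100_000)),
        ("8 random lowercase letters", random_chars_bits(8, 26)),
        ("5 Diceware words", diceware_bits(5)),
        ("6 Diceware words", diceware_bits(6)),
        ("20 random printable ASCII characters", random_chars_bits(20, 95)),
    ]
    return [(label, round(bits, 1), verdict(bits)) for label, bits in rows]


def main():
    # Constructed sample: the same passphrase on two differently named networks.
    # The SSID salts the derivation, so the two keys share nothing.
    for ssid in ("2WIRE123", "2WIRE456"):
        print(ssid, wpa_pmk("correct horse battery", ssid).hex())
    for label, bits, result in report():
        print(f"{bits:6.1f} bits  {result:4}  {label}")


if __name__ == "__main__":
    main()
```

Because the SSID is the salt, a factory-default SSID shared by every unit of a model removes that per-network variation, while a unique SSID keeps it; neither helps a passphrase that sits in a dictionary.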

But I don't need to, you just got through telling me the quote is not out of context but to quote "The context is right there in my post.".

fundamentalism, fundamentally wrong.

Reply to
Rico

Mark McIntyre hath wroth:

Impractical? 2wire.com can do it on every wireless router they ship. They attach a label to the bottom of the router with the router password, unique SSID, and WEP encryption key. The SSID is pre-assigned as "2WIRExxx" where xxx is the last 3 digits of the serial number.

However, if the cost of an additional label will cause the wireless manufacturers undue financial harm, it can be done in firmware by changing the default setup:

  1. Upon a hard reset or as shipped, the router will not work until the user assigns a unique router password.
  2. Upon a hard reset or as shipped, the wireless is disabled until the user sets the SSID and either sets up WEP/WPA, or intentionally disables encryption.

Yep. See 2wire.com They've only been doing exactly that since the beginning.

They are shipped with a router password, SSID, and WEP key pre-assigned. They appear on a label on the bottom of the router. They include setup software on a CD and a connectivity monitor program, but these are not required to get things working.

You're right that they don't have a decent example on their web site. The best I can do is the client installation guide at:

formatting link
shows a sample of the label (with the bar code) on page one. Also on the user guide on page 8 at:
formatting link
if these are too much to dig through, I extracted the photo and posted it to:
formatting link

Huh? I think they're referring to the router being secure, not the clients or the entire system. That makes sense if the router is shipped secure by default.

Sigh. I'm apparently the only one that's touting the "right way" to do wireless security. Not even 2wire is advertising the fact that their routers are secure out of the box, while everyone else is shipping theirs insecure by default.

I guess we'll just have to wait for someone to sue claiming that all the lovely acronyms on the package and in the literature create a "perceived expectation" for the average customer that the router is secure on arrival.

Reply to
Jeff Liebermann
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

You're not completely alone -- I've been beating this drum for a long time.

Reply to
John Navas

(don't get me wrong, I totally agree with the principle of better preconfigured wireless security schemes, I just happen to consider what you've said so far to be simplistic and possibly disingenuous)

requiring an extra step (ie cost) in manufacturing and packaging...

Excuse me while I snort into my coffee. They stick a label on the box with the password written on it? And this is considered secure?

Remind me, is it currently recommended security practice to write your password on a post-it note on the underside of your keyboard?

I agree, this is what should happen. But this is precisely what you pooh-poohed in your earlier mail when you said that it was wrong to expect the user to run through a setup process.

And they're right up there with linksys, cisco, 3com, netgear, in terms of units shifted, cost comparison etc... :-)

Here's what they say:

"Our exclusive FullPass instant connection technology enables any computer, and other service provider supported wireless devices, to automatically connect to the correct wireless network with the highest level of Wi-Fi security available."

Sounds to me like a claim to be able to reconfigure client devices.

Mark McIntyre

Reply to
Mark McIntyre

I see. But an extra CD, and a worthless push button on the front of the router, along with the license fees to the software author, to provide *LESS* security, is considered a good thing. Got it.

Yes. Nobody has even mentioned physical security. If I have access to the machine or router, I can do incredible amounts of damage and not just to the security. I think we can assume that there's little the manufacturer can do to prevent breaches of physical security.

Actually, I do just that except on the bottom of the router. This is for a home installation and I do not expect the owner to remember anything from the initial setup. I don't like it but it works well enough. Were you planning to burglarize the house, memorize the passwords, and then attack via the wireless? If so, you're guilty of far more than "unauthorized" wireless access.

Pardon me if I don't recall the specific message. If you search Google groups in alt.internet.wireless and some other groups, you'll find my postings with almost exactly the same litany. If I've varied from my recommendations that manufacturers ship their routers secure by default, and that users be forced (not encouraged) to do it right, then I would welcome seeing the message ID.

Not even close. 2wire OEMs to the big DSL ISPs and ships about 4 million routers so far, about 1/3 of which are wireless. Linksys has shipped 15 million routers so far, about 1/4 of which are wireless. Linksys effectively owns about half the small router market.

Nope. Probably the same as Microsloth Wireless Zero Config. If you try to connect to an insecure wireless router (i.e. no encryption) it will warn you. I haven't actually tried FullPass so I don't know if this is accurate. Note the comment on the "correct wireless network" which implies that it will accidentally connect to anything, which is what WZC does by default.

Reply to
Jeff Liebermann

I never ever said that, but feel free to put words in my mouth.

snorts again.

They could start by not putting any external indications of passwords, security codes etc. Heck, I can /see/ my neighbour's router from my study window, and with my trusty 10x50s I can read the serial number off the back.

It would help also if the reset button didn't reset routers to "I'm wide open, ravish me" mode. I hope we can agree on that.

I rest my case. Actually, I find this a pretty shocking admission from someone whose advice I normally consider excellent.

Earlier on you said "Adding another layer to the installation ordeal process is only a band-aid " and in another thread, I recall you wrote something similar, suggesting that the install CDs were a waste of time.

This is kinda my point...

I strongly disagree, and fail to see how anyone can read that marketing blurb as anything other than "press the green button for instant secure connections", which in turn pretty much obligates them to reconfigure my 5-year old 11b network card automagically. Obviously however YMMV.

Mark McIntyre

Reply to
Mark McIntyre

Mark McIntyre hath wroth:

2wire puts the WEP key on the bottom. Unless your binoculars have x-ray vision, you're not going to see it. I also put my post it notes on the bottom.

Yep. Reset should return it to the factory default, secure by default mode. See my first comments in this thread.

I do many worse things in the name of expediency and convenience. I don't like the idea of putting post it notes under the routers, but that's about the only way I've found to avoid the chronic phone calls asking "what's my wep key". Again, the issue is whom I'm trying to protect against. It's effective against drive by hackers and war drivers. It's useless against the neighbor's 16 year old porno collector.

That's correct. The built in web server in the router is fully capable of running the entire setup ordeal including the client setup. A decent status page that shows connection progress would be a big help, but it can be done with what's currently available. For example, Netgear WGR-614 has a setup wizard that does a fair job of autodetecting the WAN setup. This can easily be expanded to include setting up the clients. I see no reason to add an additional setup program when the tools already are there and are 90% complete.

Searching the support page finds nothing under FullPass.

formatting link
"2Wire has simplified connecting computers wirelessly with the exclusive FullPass secure instant set up, a technology which establishes a secure wireless Internet connection with the push of a button; FullPass alleviates the need to enter wireless encryption keys while providing the highest level of security available. The GuestPass feature allows friends and family to access the broadband connection wirelessly without gateway owners having to divulge their wireless security key or risk virus infection from their guests' computers."

I have no idea how this works as I haven't seen the FullPass product in action yet as it's only in the HomePortal 2000 line as a "GreenLight" button on the front panel. Probably similar to Linksys SES, or Buffalo AOSS, which is what I've been complaining about. Just push the button and you're instantly secure.

Reply to
Jeff Liebermann

Newsflash: clients have been known to reorientate equipment to get better reception or to fit it in better to their furniture.

My neighbour's router is balanced on top of what looks like a stereo speaker (though it could be a CD rack), and the window is elevated slightly relative to my position. I can imagine him standing it on one end (in fact is /designed/ to be stood on its end, it comes with a handy stand for doing that).

Make it a chargeable request, then either you don't care or your clients remember better. :-)

I agree with this. I personally can't recall the last time I did anything with a router or modem install CD except turn it into a bird-scarer.

I'll not hold my breath. I can't see how they can do this frankly, unless you buy all new kit from the same maker.

I can do that too. It's called the "off switch" :-)

Mark McIntyre

Reply to
Mark McIntyre

Well, Linksys' WRt54g install CD certainly is. There's stickers on the router, warnings on the box, warnings on the CD: everything saying that you _must_ use the install CD. When you actually _use_ the CD, you find that it tells you there's nothing you can't actually do without it... I wasted half an hour on the CD, trying to set up the router on my wife's Windows box, before I discovered that it was unnecessary and finished setup from my Linux laptop.

Reply to
Derek Broughton

I wish more people who set up routers for other folks would do this. I get a lot of calls from people who don't know their router's admin passwords, or their {WEP,WPA} keys, or their PPPoE username/password combinations, where resetting the box and starting over is the only solution. Recently Verizon's computers were down, and they _couldn't_ reset PPPoE passwords for a couple of days! The clients wouldn't have been able to find a piece of paper, but a sticker on the bottom of the router would have been a real help, and no security hole at all.

The number of people pointing their password out the window is insignificant, IMHO...

Reply to
William P.N. Smith

Mark McIntyre hath wroth:

If you've ever seen a 2wire 1000 series router, it would be rather difficult to mount in any manner other than vertically. However, I'll admit that some routers can be mounted in creative manners which would expose my post-it note. However, I'm in charge of the installation, and always optimize it for best coverage. It's most commonly located up in an office suspended ceiling, high on a bookshelf, or mixed in with the hi-fi stuff. You would have little difficulty finding the router and reading the WEP/WPA key. My guess is that there are about 50 local wired and wireless installations that I've done like this. No security breaches so far (and yes, I do monitor and read logs). Interestingly, some of these are in local coffee shops, where you would only need to hop over the counter, climb up a small step ladder, remove the cardboard box I placed over the router, and read the setup password from the bottom of the WRT54G. Out of 5 such installations, nobody has done it yet (except the owner when they have forgotten the passwords). Of course, nobody can read my handwriting, which might present another problem.

Probably a Netgear. Yes, it is possible to expose a written password to the public. It hasn't happened yet to any of my customers and I don't expect it to happen in the future. However, if it does, I'll probably revert to my previous method of putting it in an envelope (which tends to get lost).

I'm still in business largely because I don't bill by the millisecond and charge for such things. Customers and friends (the difference is the customers pay me) call at all hours asking all manner of trivial and ridiculous things. I don't encourage this, but I also don't micro-invoice them. However, the interruptions drive me nuts as it seriously disrupts whatever I'm working on. I have various ways of dealing with this, but retaliatory billing is not one of them.

Agreed. I tried Linksys SES (by Broadcom) recently and was seriously disappointed. It only worked with WPA and not WPA2 or WEP. It really did change the settings on the client but only if it used Wireless Zero Config. It didn't bother to change the router config password. If I turn off SSID broadcasting, nothing works. I had to do it several times before I got it right. I suspect 2wire's system is similar. Comparison of SES with AOSS.

formatting link

Actually, it's quite easy with WZC. The Windoze registry keys for holding the WPA key and SSID are easy to find. I presume that the stored WPA key is encrypted somehow. It would be a fair assumption that both the router and the client radio need to be "supported" and that it probably only runs on XP SP2. However, both Buffalo and Linksys require support from the client manager/driver/utility so it's probably more complex than I suspect. Chuckle.... The above review notes that they had to uninstall the previous working version of the Broadcom client driver in order to just try SES and AOSS and that it disabled the ethernet driver in the process. All this to just change exactly two items (SSID and WPA key). Like I previously ranted, we don't need yet another layer of software to add to the installation ordeal process.[1]

If you have read my previous rants on the subject, you'll probably find where I've been recommending a "component" system instead of an integrated modem/router/wireless/switch. Part of the benefits to separate boxes is being able to turn off the wireless part of the puzzle when it's not in use without killing the rest of the network. Two of my coffee shops do that in the evening to get rid of the wireless table hogs and make room for paying customers.

[1] I've seen far too many products where the source of a problem was never really fixed or even attacked, but where multiple layers of band-aids were applied to treat the symptoms. I've even helped precipitate such abominations. My instructions were "fix it, but don't change it", which I interpreted to mean "Ignore the obvious cause, and add anything you want". In most cases, it was because the original designer's feelings might be hurt if I dared to suggest that his design was defective and needed rework. That's what I think SES and AOSS are doing.
Reply to
Jeff Liebermann

I've no idea about Linksys but it seems that a large part of the time, the CD is merely a means for the manufacturer to get some spyware^wmonitoring s/w onto your box, ostensibly to 'help' maintain your connection, more generally to get in the bl**dy way of it....

Mark McIntyre

Reply to
Mark McIntyre
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Amen.

Reply to
John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

I almost always toss the CD and download the latest drivers and/or software.

Reply to
John Navas

So all the Mac, linux and Win9x users are yet again twistin' in the wind. Ah well, not unexpected.

I'm with you on that one too.

Mark McIntyre

Reply to
Mark McIntyre
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

The cost difference is insignificant. Manufacturers already deal with unique serial numbers in this way.

You bet. If physical security can't be maintained, then all bets are off.

No, because that's a different issue. My system password is unique to me, not my network. My recommended practice is to memorize a good passphrase (e.g., six or more diceware words) for the system password, and configure guest and/or restricted accounts for others to use.

2wire is actually a significant player in the OEM part of the market.

Other vendor solutions for this problem:

  • Broadcom SecureEasySetup
    formatting link
  • Buffalo AirStation One-Touch Secure Setup
    formatting link
  • Atheros JumpStart
    formatting link

I'd like to see units with multiple concurrent security options; e.g.,

  • WPA for regular users and devices that support it, ideally using EAP instead of PSK.
  • WEP for non-WPA devices and for guests, with access only to the WAN, firewalled from accessing the LAN.

Reply to
John Navas

William P.N. Smith hath wroth:

I couldn't resist a quick experiment. I scribbled a phrase on a yellow post-it note and plastered it to the side of my computah. I then took my 7x35 binoculars and started walking until I could no longer read the phrase. The big problem was finding a place where the glare from the window glass didn't cause problems. I didn't measure it accurately, but my guess is about 20ft. I also tried it with two digital cameras, which were readable to about 15 ft. A proper telescope or spotting scope should work much better. Perhaps write in a small font and security will be improved.

Incidentally, I recently attempted (and messed up) a variation of a previous security exploit. In a previous "security audit" I arranged for the server room video security camera to tape the system administrator logging into a system. When we played back the video in slow motion, the fingers could be seen typing the password. My neighbor, the 15 year old (at the time) finger hacker, got all but one letter correct when run at full speed. (This is the same kid that can read ROT13 encoded text at full speed).

Anyway, I had my digital camera with me set to record an MPEG movie when I stomped on the button. I successfully recorded a different system administrator logging into his system. When played back, the login and passwords were easy to extract. However, I screwed up and ran out of storage space plus my camera emitted a loud warning beep when the CF card filled up. Oops.

Never mind using the binoculars to read the post-it note. Just video tape your neighbor doing banking or email.

Reply to
Jeff Liebermann
