Enabling Secure Business Operations

More Password Ranting

Nick’s post yesterday showed just how easy it can be to get a user to give up a password. For most homes (and probably many small businesses), you don’t even need to go that far. Many device manufacturers have decided to sacrifice security for ease of use, specifically being able to plug in a device and have it “just work”.

The worst example of this that comes to mind is the wireless router. More often than is reasonable, you can connect to someone’s network without any authentication and have your way with the internal network. Or maybe you just want to engage in some questionable activities on the Internet. Perhaps you can hijack their DNS records to make mybigbank.com point to your Apache server. Most people don’t even bother to change their wireless router’s default administration password.

Now, if home users don’t want to secure their own networks, that would ideally be their own problem. While they don’t deserve to have their identities compromised, I certainly am not surprised or outraged when it happens. But with the increasing number of people taking their work home with them, non-techie types using company laptops on insecure networks are a risk not only to themselves, but to anyone who patronizes their businesses. Some of this can be mitigated by various means such as secure VPNs, SSL tunneling, and anti-wireless company policies, but from my experience with policies, they’re generally not all that useful for protecting end users from themselves. End-user policy is like DRM: it only affects the people you don’t need to worry about in the first place. But that’s a rant for another day…

edited 3/28 at request of our insurance agent

2 Responses to “More Password Ranting”

  1. Nikola Milekic Says:

    You might be interested in the following:

    http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html

  2. Walt Says:

    What Bruce Schneier does on Bruce Schneier’s network with Bruce Schneier’s data is Bruce Schneier’s decision. If he worked for Visa and were using a company laptop on an open wireless access point, then I would have a reason to be concerned. I couldn’t care any less if his data is compromised.

    The point I was trying to get at was more about giving up full control over the router itself because the password was never changed. While B.S. may run an open access point, I doubt that he leaves the router configuration up for grabs.

    I have nothing against using open access points, as long as it’s not MY data that other people are dealing with on them.
