Network Security and the N00b Meter

This morning I read an article in which the writer thought that wireless security was too inconvenient and difficult, so he simply disabled it, leaving his network wide open. He was tired of his complex password being too hard for guests to use and made the comparison that they didn’t have to use these kinds of security measures when asking for a glass of water, so why go to all this trouble? He also didn’t seem to be all that concerned about his ISP’s “acceptable use” policy. I was beyond annoyed and left the following response:

Cool, could you send me your address too so that I can use your AP for hacking and pentesting? I get sooooo tired of war walking for an open access point. How about your email and banking passwords, because while I could MITM all your traffic and get those too, I’d rather not waste my GPU cycles or take the trouble to set up my Pineapple router.
Dude, you’re not only protecting your network from teenagers, but from Black Hats and douchebags who war drive neighborhoods looking for access points of uninformed schmucks who have weak or non-existent security. Your network bandwidth isn’t the same as water, because your confidential information traverses it, unless you equate network traffic to human waste and don’t much care who sees that either. Oh and could you leave your front door unlocked, because I’d rather sit on your couch and watch cable TV, than sit outside when I use your network.

Sure, like the others who posted messages, I could have brought up how to configure a guest network or maybe all the problems with SSL, but this guy is a tech writer and probably knows all this. The problem is that, like most security implementations, it couldn’t pass the n00b meter score for ease of use, so the guy finally gave up out of exasperation.

As security professionals, we spend way too much time in love with our solutions (and ourselves). We forget that average Joes and Janes have to use and understand them, going into a kind of anaphylactic shock when we find out (horror) that a user has bypassed the measure because it’s too complicated and gets in the way of real life. While I’m not very happy with the obvious oversimplification the writer made, I’m going to remember to apply the n00b meter score to my next design.


Mrs. Y
Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
  • What Lies Beneath

    I don’t know about the US but in the UK most broadband ISPs supply a combined ADSL/cable modem and wireless router to consumers when they sign up. These come pre-configured with the required PPPoA username and password, a not so random SSID and WPA key. These cheap consumer devices are mostly highly insecure in nature and lacking in even basic functionality that may help improve security.

    I recently finally bit the bullet and bought a ‘business’ product that allows for multiple SSIDs and isolation etc. of guest SSID connected hosts and so on. It’s taken me years to get to a point where I could justify the cost; in this case £140, around a third of the average UK weekly wage. Most families, no matter how conscious of security, are going to find it hard to justify this cost. When you’re being pressured into buying an iPhone for your kid(s), coughing up that kind of money to replace something you get for free is a hard sell.

    Of course, based on the reaction of most of the public in the UK at least, no-one really cares one bit about either security or privacy. Considering the not too distant past here of multiple high-profile miscarriages of justice and police corruption and racism, I’m quite surprised. My reasons for closing my FB, Skype and other accounts down recently, even among my technical associates, have drawn mostly nonplussed reactions. Freedom, the power of government and privacy are not topics for debate. Convenience seems to rule supreme over, and be far more significant than, liberty and other fundamental rights.

    • Joshua Walton, CCIE #19763

      “I don’t know about the US but in the UK most broadband ISPs supply a
      combined ADSL/cable modem and wireless router to consumers when they
      sign up.”

      The US does as well.

      • What Lies Beneath

        Thanks. A shame but no surprise.

    • Robin St.Clair

      In the UK, you could have bought an Asus DSL-N55U Annex A for under £100 which is pretty competent for most domestic applications.
      Most of the young English (note the restrictive use of the word) I meet are becoming vaguely aware that FB might not be the universal benison they greeted it as.
      I find that the further down the social scale a family is in Britain, the more likely they are to have Sky, Xboxes, enormous TVs and heaps of other kit, so what’s an ‘undred quid router in all this?
