On Wed, 2005-08-24 at 07:44 -0500, Adam Maloney wrote:
> The issue of knowingly shipping products with a default insecure 
> configuration has been hashed to death on many lists, but you must have 
> missed them all.  I'll bring you up to speed...

Thanks.

> 
> Why not ship it with wireless disabled, so at least it's not a gaping 
> security hole the minute it's plugged in?

Because it's not a gaping security hole. 

Joe Clueless just went from having their Windows PC wired directly into
their cable modem to putting it behind a NAT device. If the wireless is
unencrypted, that just means that someone can drive up and (attempt to)
exploit the bug of the week on his Windows PC.

Are you sharing files across your network without password protection?
Failing to secure your systems because you think they're safe behind
NAT? 

I think you're concerned as an ISP who doesn't want customers sharing
their Internet connection accidentally (or purposely =), that's fine, but
don't try to claim it's for their security.

I have plenty of devices that cannot do much more than 64- or 128-bit
WEP; shipping a wireless AP in such a way that it forces me to choose
some advanced encryption (that I do not wish to use) will cause whatever
company does it to lose my business. If you need security you should not
be relying on the wireless encryption method of the week, you should be
using a VPN, SSL, etc.

What kind of network administrator allows "the helpdesk" to recommend a
consumer wireless device like this to a "remote site"? If you don't have
someone with half a clue managing the remote site it's probably not
important enough to cry about. Set an encryption key, turn down the
power, take off the antennas, etc. If giving anyone nearby a direct
connection to your LAN is that much of an issue then you should have MAC
address ACLs on your switch ports that prevent people from plugging in
random devices.


All that said, when we install wireless APs at customers' homes I have
instructed our installers to set up the best encryption available between
the PC and the AP being installed; you would be surprised at the number
of customers who DO NOT want it enabled for one reason or another.