07.28.06
Verizon’s Dangerous Internet Setup
First off, let me just state that the ordering of DSL from Verizon was a surprisingly painless procedure. The support and sales people I talked to were courteous and helpful. I called up to get a “dry loop” (no phone service) DSL line, and they got me squared away (with one small error in my address, which was quickly remedied). I took their installation kit, followed directions, and had working Internet in about an hour. From first call to them to surfing the Internet took about ten days.
However, I’ve noted that Verizon leaves people in a bit of a precarious situation. Let’s have a tech dissect the procedure:
Windows Firewall is disabled. In order to get things working, they tell you to disable any firewall programs. They don’t force you to do so, but tell you to do so to prevent issues during setup. Fair enough. However, in the beginning they also just mention that you should re-enable the firewall post-setup — and never remind you. Net result: many will probably leave the firewall disabled. Sure, they offer security suites for free, which often come with their own firewall, but it’s still a risky way to leave the customer.
Wireless networking is by default ON. I ordered their wireless DSL modem, on the recommendation of one of the folks at Verizon. However, they shipped it with the wireless networking on. This may be a nitpick, but it seems to me that they should ship this off, and ask if it should be set to on. That, or make sure the next doozy isn’t the case…
Wireless networking uses WEP. This one is unacceptable. Wireless networking is on, with encryption set to WEP. I believe they might have set a WEP key, with the key printed on a sticker on the bottom of the unit, but WEP must die. It’s not secure. It only gives the illusion of security to the less tech-savvy. WPA was available, but not WPA2. (Read why I care.)
No suggestion to change default password on the router. This is another no-no. After running setup, I was able to get straight online with no issues. This was all fine and good, but I knew that there was a password on the router, and that it’d be a good idea to change. Sure enough, there was, AND it was a default user / password that’s available for all wireless routers of the same make and model. I had to dig around in Help on Verizon’s web site for details on this, as they didn’t provide that in the installation kit documentation. In fact, they never mention it.
So, many a new Verizon user may end up having a fairly insecure wireless network, with a default password on the router and no firewall. It would be pretty trivial for someone to come along, wardrive to find my access point, crack the WEP, and start listening in on all my IM and email conversations. Or worse, hack my PC. Plus, once on the network, if I hadn’t changed the password to my router, they could easily pop in there and break my wireless network access altogether. They could theoretically do all of this inside of half an hour — which, incidentally, I might spend in the initial setup. Plus, if they were on the network, they could technically capture plaintext passwords, which include things like IM, message boards, email, and site logins.
I understand Verizon’s challenge: they have to provide rather technically detailed service to people who are unfamiliar with it. In that regard, I think their setup kit does very well. I think most people could take this kit, follow the instructions, and be up and running online in little time. However, the next step is security: getting people to actually secure their network should be of vital importance, both to Verizon and the customer. People like to believe that their Internet surfing is private. With Verizon opting for this sort of setup, people are getting wireless networks online, without realizing how very insecure they might be. What’s more, since Verizon is setting them up in this manner, their customers will just tend to trust that Verizon has set things up acceptably. It’s that validation from a position of authority thing: people will think they know better.
So, I leave off with a dual message: Verizon, focus more on security. Consumers: get better educated. Of course, I think Verizon should also step up the hardware side of things. Where’s the WPA2 support? WPA is so 2003. I think I’m going back to my old wireless gear.
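A defensive check for two of the settings criticised above, as an added example that is not part of the original post: it parses the text printed by `netsh advfirewall show allprofiles state` and `netsh wlan show interfaces` on current Windows versions and reports a disabled firewall profile or a WEP/unencrypted wireless link. The sample output is constructed and assumes the English-locale layout with a single wireless interface; the function names are illustrative.

```python
import re

# Constructed sample output, modelled on the English-locale format of
# `netsh advfirewall show allprofiles state` and `netsh wlan show interfaces`.
SAMPLE_FIREWALL = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
"""

SAMPLE_WLAN = """\
    State                  : connected
    SSID                   : HOME-AP
    Authentication         : Open
    Cipher                 : WEP
"""

WEAK_CIPHERS = {"WEP", "None"}  # WEP is broken; None means no encryption at all

def firewall_profiles_off(text):
    """Return the names of firewall profiles whose State is OFF."""
    off, profile = [], None
    for line in text.splitlines():
        header = re.match(r"^(\w+) Profile Settings:", line)
        if header:
            profile = header.group(1)
        elif profile and re.match(r"^State\s+OFF\s*$", line):
            off.append(profile)
    return off

def wlan_fields(text):
    """Parse 'Key : Value' lines into a dict (single interface assumed)."""
    pairs = (line.partition(" : ") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def audit(firewall_text, wlan_text):
    """Return findings for a disabled firewall profile or a weak Wi-Fi cipher."""
    findings = [f"Windows Firewall OFF: {p} profile" for p in firewall_profiles_off(firewall_text)]
    wlan = wlan_fields(wlan_text)
    if wlan.get("Cipher") in WEAK_CIPHERS:
        findings.append(f"SSID {wlan.get('SSID', '?')} uses weak cipher {wlan['Cipher']}")
    return findings
```

The router's administrator password cannot be read from the client, so that item still has to be checked by hand in the router's own configuration pages.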
Andy said,
February 9, 2007 at 6:13 pm
Everything you say is true.
However, as someone who implemented many parts of not only that installation, but also those for Bell Canada, SouthWestern Bell, Telus, and a number of others, you probably need a little greater context.
It’s true of all of the DSL setups that you pretty much have no idea what kind of OS, service pack, browser version etc you may encounter and the code has to be designed to support every minor configuration variant from Windows 98 IE4.01 onwards through (well, maybe not Vista), but certainly XP SP2, IE7. Now that is a lot of variants. Factor in the hardware variants on the modems and it’s a serious validation tree. There simply isn’t the cost justification to provide fine-grained support for the absolute best practice wireless setup on every system under the sun. DSL is a margin-based commodity and the only practical way to deliver it is to stick to most commonly available OS features. Factor in the unfortunate fact that Microsoft basically made the useful parts of the wireless setup only available to the dialog-using public with just about zero programmatic access (turning aside from the issue of the competing wireless configuration managers – FOUR different ones can be installed simultaneously on any given system, THREE of which are on the machine as part of the default OS setup). WEP setup is all that can be accomplished and that is only possible using hacking and guesswork in the registry.
End result is: if you are capable of setting up your own modem, you can tweak it more easily than the setup CD can. They should remind the user to turn the firewall back on, but if we turned off the Windows Firewall and you’re all burned about that, remember that it’s just a toy anyway. The more serious firewalls are detected but not turned off automatically because they too do not expose an API (You’ll see a reminder screen instead).
Techie said,
February 12, 2007 at 11:12 am
Hey Andy,
I understand what you’re saying, but reducing security to the lowest common denominator gives the illusion of privacy, which may be worse than no illusion at all. By being the official setup for most customers, and the notion that customers stop tweaking their setup when things appear to work, the net result is that many people are configuring their networks in this manner, and just leaving it.
Unfortunately, there is no good solution right now, because you have to be a tech to get things acceptably secure. The lowest common denominator thing will get the largest number of people successfully online wirelessly. It’s just building in an incredible amount of insecurity into the customer base.
Andy said,
February 20, 2007 at 9:38 am
Agreed.
However, we’re talking about Verizon here. These people aren’t too tech savvy, particularly around security. As an example, I built them the notification system that allows them to broadcast system outage bulletins and assign alert popups to errors in IE or Outlook. This is a secure JSP-based system with single sign on. Verizon got on my case because they were able to spoof the pages and make them crash. Of course, you couldn’t get into the system unless you had a password, but they were concerned that someone with a password would come in and spoof the pages and maybe do something unauthorized. It took a LOT of pointing out that someone with a password could simply use the system as designed (based on their own requirements) to broadcast vile filth to the entire Verizon customer base without the possibility of recalling the bulletins. So, at the end, I simply fixed the minor issue of JSP parameter overruns to prevent all spoofing but last I checked, a disgruntled employee can still report that “Verizon sucks” to every man, woman and child on the network.
Brigitte said,
June 11, 2007 at 4:01 pm
Verizon convinced me to change to FIOS for both internet and telephone service. Verizon techs set up my network = 3 PCS – wirelessly and swore the network was secure. Not so fast!!! I found out that the network is wide open and accessible to anybody with little computer knowledge. When I complained to Verizon I was told that they ONLY support WEP nothing else!!! Go figure! This is criminal on Verizon’s part. They use an encryption that has been obsolete for years, yet Verizon lies knowingly to its customers!!! What can we do????
Jay said,
November 29, 2007 at 9:12 pm
I am so upset, I have Verizon FIOS internet and I come home to find that someone or something has added a PUBLIC network to my setup and I am already running a private “home network”. Because of this I can not get to the internet AT ALL. Why the HE*L is this so much trouble. YOU are right about the default password and WEP encryption. It’s a joke.