However, we’re talking about Verizon here. These people aren’t too tech savvy, particularly around security. As an example, I built them the notification system that allows them to broadcast system outage bulletins and assign alert popups to errors in IE or Outlook. This is a secure JSP-based system with single sign on. Verizon got on my case because they were able to spoof the pages and make them crash. Of course, you couldn’t get into the system unless you had a password, but they were concerned that someone with a password would come in and spoof the pages and maybe do something unauthorized. It took a LOT of pointing out that someone with a password could simply use the system as designed (based on their own requirements) to broadcast vile filth to the entire Verizon customer base without the possibility of recalling the bulletins. So, at the end, I simply fixed the minor issue of JSP parameter overruns to prevent all spoofing but last I checked, a disgruntled employee can still report that “Verizon sucks” to every man, woman and child on the network.

I understand what you’re saying, but reducing security to the lowest common denominator gives the illusion of privacy, which may be worse than no illusion at all. By being the official setup for most customers, and the notion that customers stop tweaking their setup when things appear to work, the net result is that many people are configuring their networks in this manner, and just leaving it.

Unfortunately, there is no good solution right now, because you have to be a tech to get things acceptably secure. The lowest common denominator thing will get the largest number of people successfully online wirelessly. It’s just building in an incredible amount of insecurity into the customer base.

However, as someone who implemented many parts of not only that installation, but also those for Bell Canada, SouthWestern Bell, Telus, and a number of others, you probably need a little greater context.

It’s true of all of the DSL setups that you pretty much have no idea what kind of OS, service pack, browser version etc you may encounter and the code has to be designed to support every minor configuration variant from Windows 98 IE4.01 onwards through (well, maybe not Vista), but certainly XP SP2, IE7. Now that is a lot of variants. Factor in the hardware variants on the modems and it’s a serious validation tree. There simply isn’t the cost justification to provide fine-grained support for the absolute best practice wireless setup on every system under the sun. DSL is a margin-based commodity and the only practical way to deliver it is to stick to most commonly available OS features. Factor in the unfortunate fact that Microsoft basically made the useful parts of the wireless setup only available to the dialog-using public with just about zero programatic access (turning aside from the issue of the competing wireless configuration managers – FOUR different ones can be installed simultaneously on any given system, THREE of which are on the machine as part of the default OS setup). WEP setup is all that can be accomplished and that is only possibly using hacking and guesswork in the registry.

End result is: if you are capable of setting up your own modem, you can tweak it more easily that the setup CD can. They should remind the user to turn the firewall back on, but if we turned off the Windows Firewall and you’re all burned about that, remember that it’s just a toy anyway. The more serious firewalls are detected but not turned off automatically because they too do not expose an API (You’ll see a reminder screen instead).