Thursday, March 15, 2007

More bad advice from Walter Mossberg

In the March 8, 2007 Mossberg Mailbox column in the Wall Street Journal, a reader asked how he could make sure that no one could piggyback on his WiFi wireless connection. Walter's response was:

"Turn on the password feature in your router, and don't tell anyone the password. You'll usually find the password setting in the installation software that came with the router."

Not quite.

When discussing wireless routers, there are two passwords. I can just imagine the poor reader of the newspaper changing the wrong password and thinking he is safe. False security is worse than no security.

The first password is needed to login to the router itself. Routers have internal websites that you use to make configuration changes, and access to the internal website requires a userid and password. This password has nothing to do with WiFi wireless signals/connections.

By the way, this password should be changed when a new router is installed because all the bad guys know the default passwords. I have an earlier posting on this blog about how important it is to change this router password.

The password that prevents someone from piggybacking on your wireless connection is referred to in all the technical literature as a "key". If the reader looks around the internal router website or the router documentation for a "password", he won't find this. All references to "passwords" refer to the first password, not to the key.

Not to get too technical, but this "key" relates to an encryption standard, either WEP (bad) or WPA (good) or WPA2 (good). And there are good keys and bad ones, an important concept omitted from the response.

So, which password was Mr. Mossberg referring to? Did he have the right concept and use the wrong term, or did he have the wrong concept and use the correct term? Beats me. The PC industry is too new to have a concept of malpractice, but if the shoe fits...



Update: On March 15, 2007 Mr. Mossberg issued a clarification. See Securing a Wireless Network. Certainly a step in the right direction, but...

Quoting: "To enable the encryption key, use the router's setup software to turn on security".

There are multiple mistakes in this sentence.

You enable encryption, you do not enable the encryption key. Encryption is the lock, without the lock, having a combination does nothing.

This ignores the fact that the older type of encryption, WEP, has multiple keys/passwords. Only the newer type (WPA) has a single key/password.

Once the router is working, there is no need to use its setup software. Instead you log in to the internal website in the router to make changes.

You don't "turn on security". What he meant to say was you turn on one of the three types of encryption. Routers have multiple types of security, a point he makes later. Mac address filtering, for example, is a security feature having nothing to do with encryption. So too, disabling remote administration, turning off UPnP and not broadcasting the SSID.

Quoting again: "On newer models, the strongest security system is called WPA..."

WPA is not a security system, it is an encryption system (see above). And, the strongest system is actually WPA2, not WPA.

There is a big omission here: for WPA and WPA2, the length of the key/password is critical. Short is bad, long is good. To encourage long keys/passwords you sometimes see references to a "pass phrase". This means the key/password can be an entire sentence. And it should be. A very long key/password is not an ongoing typing annoyance because it only has to be entered once on each computer that want to access the WiFi network. If your WPA key/password is "dog" or "rose" you have no defense at all from a determined bad guy.

And, WPA is not a single thing. There are multiple types of WPA and the people Mr. Mossberg claims to write for need to be told this. Simply put, home users want WPA-PSK. This is also called WPA Pre-Shared Key and WPA Personal. They do not want WPA with a RADIUS server.

Finally, anyone serious about WiFi security should turn off the WiFi network when not in use. There is an option in the router to turn off the radio transmitter that is the wireless network. No hacker can break into a network that doesn't exist.

Mr. Mossberg is loose or sloppy with words/terminology. When nerds are talking amongst themselves, they can be sloppy with terminology because they all understand anyway. But when writing for a non-technical audience, it is important to be very precise when describing something technical because they don't know the ropes.

And there is no excuse for making technical mistakes, something the editors at the Journal share the blame for. Apparently no one reviews his work.

1 comment:

Tom said...

you hit the nail on the head with that comment........

"When nerds are talking amongst themselves, they can be sloppy with terminology because they all understand anyway. But when writing for a non-technical audience, it is important to be very precise when describing something technical because they don't know the ropes."