February 2005 - Posts

(Caveat: I've only had experience with a few wireless routers, and Windows XP and my Tivo, but there are an awful lot of Open access points in my neighborhood, so I can imagine the problems are still out there.)

(There was a great article on Securing a wireless network from MS, but I can't find it. Here's another one that outlines the same steps, however: http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm)

I've worked on a few wireless networks recently, and all of them have been unsecured (except mine), and there are a lot of Access Points popping up from around my neighborhood, almost all of them unsecured. Whenever I encounter a wireless network, I always lock it down, but it's a pain (especially on the client side). And as with most things, people aren't going to research Wireless Security, so most Networks are going to remain unsecured because they just stick with the default.

So here's my request to the Wireless Networking Industry. Fix it! Make it secure by default.

To wireless router and access point manufacturers:

  1. Don't allow the defaults. When the user first logs in, have them change the password. When they set up wireless networking, step them through picking an SSID and WEP password.
  2. Encourage the user to disable SSID broadcast.
  3. Encourage WEP. (See above about WEP password)

To Microsoft: It's difficult to set up wireless security on Windows XP, especially when SSID broadcast is disabled. Make it easier.

  1. Create a Wizard to step through connecting to a wireless network. It'll allow them to enter the SSID, security type (most likely WEP, but still), and password/passkey.
  2. Allow them to type in the password used to enter the WEP key. Not the 26 HEX characters (or however long it is) generated by the router.
  3. If you must require the HEX string, create a popup that allows them to see it as they are typing. I usually have to go through it 3 or 4 times before I can get it right, and not being able to see it is a real pain. Even if you have the password blanked out on detail screens, it should be easy to enter somewhere. The person is going to have a piece of paper or email with the key in front of them anyway, so it's not like anything is being hidden.
  4. Make the password boxes long enough to show all of the digits of the string. (This wouldn't be necessary if 2 or 3 is done, but...) The first couple of times I typed in my passcode, I bumped into the fact that the password box displays two less than the total # of characters in the string. And since they are all starred out, you can't see that it allows more than what it displays. And when I've already typed in the password a couple of times, this is frustrating.
  5. Do something to make it easy to set and change the passwords. If the password on the router is changed, you have to go through the darn 26 digit key all over again.

The Tivo gets it right. It's easy to set up, and enter the passwords, even with just a remote. Windows should be just as easy to set up or extend to a new network.

I've set up a personal blog on Community Server 1.0 here just so I can post personal stuff like book and movie reviews. I'll still be posting .NET and business oriented stuff here (or maybe cross-posting, not sure yet).

For those who care. <grin>

Update: Always check your link targets. I forgot the default.aspx, and it returned a 403 error. Sheesh...

Two recent articles (Are You Too Old to Code and Teach Yourself Programming in Ten Years) made me realize that the Peter Principle is alive and well and living in New York, um, the Software Industry. The software industry (Information Technology in general) is unique in that it's got no real barrier to entry, especially for such an important infrastructure field. (I still don't have a college degree, even after 15 years in the industry) No formal education necessary, many of the tools are free (Java, .NET Framework SDK, Perl, etc...) so the only cost is a computer, and a situation where demand outstrips supply (or there was). So you've got a field where it's easy to start young, and yet still be viable for a long time to come. (Viable here meaning able to code, I'm not referring to marketability)

That lack of barrier to entry, I think, is what skews the whole industry for veterans. The ability for a shop to hire a kid off the street for a low salary makes it difficult to want to spend more, especially when it's difficult to understand the nature and complexity of IT. ("If I can pay this guy $XXX, why should I pay you $YYY?") Add to that the upward nature of corporate structure, and you've got a recipe for disaster.

I believe in the Peter Principle. Some people are coders, some people are developers, some people are architects, some people are team leads, some people are managers, etc... (And that's not to imply that manager is the next step after architect) (Me, I believe I'm an architect.) In fact, I believe that IT demonstrates the Peter Principle better than the examples from the original work, considering the complex layers that make up a good software shop. (Compounded with the fact that many organizations don't fully understand the nature of their own IT department) A good developer/architect is not likely going to be a good manager or even team leader. Sure, he may understand the nature of the work his underlings do, and have a good grasp on it, but that doesn't mean he's got the temperament to manage them, and deal with all the paperwork necessary. Nor should they. Let the architects design, let the managers manage, put the two of them in a room together to make sure the project is staying on track both design and time/resource-wise and you've got a recipe for success. But make that architect manage, and the project may be doomed from the outset. (Conversely, put in a manager with no technical skills, and it might be just as doomed) I've even worked with a "Coder" who sucked at design work. Put him on a well-defined task, and let him go, and you'd have fast, fast code. But don't let him near the design, or you'd be in trouble. (Or ask him to test, or debug... but that's another story.)

So where does that leave us? We, as an industry, need to address the attitudes of the corporate mindset.

  • Don't take a promotion if it's going to put you out of what you love to do. Ask for a raise instead, especially if it's just a reward they are looking to give you.
  • Find someone else more suited for the management position. I've helped people get promoted "over" me several times.
  • Demonstrate your value of staying as a developer as opposed to being management. The more time you can spend coding, the better your value, right?
  • If age discrimination is an issue, demonstrate that it's not. Show that you can work in new technologies, even if you don't do it full time. There's nothing worse than working with a programmer who refuses to learn and grow. (Which leads to my next point)
  • Continuing education is a must. My wife works as a counselor/therapist, who already has a master's degree, and she has to demonstrate 36 hours of continuing education a year. Why should we, whose programs and networks provide the infrastructure for everything, get by with anything less? Make learning something new a goal, even if it's just something new within your chosen ideology. (C#, Java, C/C++, whatever)
  • Read. If you don't understand something, pick up a book, and read it through. I learned XML and Unit Testing just because I wanted to learn what all the fuss was about.
  • Do. As mentioned in the article about programming above, it's one of the best ways to learn. *And* to demonstrate your talents. If you can't write something you want at work, do it in your off-time.

The real developers in the crowd probably already do this, but it still bears thinking about. The only way to change the mindset about IT is to demonstrate what's wrong about it, and what could be better.

And that's something worth developing.

With all the recent talk about Fiddler (Here, and here for example), I decided to give it a try. Imagine my surprise when nothing would show up in Fiddler. A little checking around shows that the proxy isn't enabled for VPN connections. This won't apply to me, I think, I've disabled the VPN gateway so it's only used for connections to those machines, and I'm not checking those machines... but it does.

Even if you disable the gateway on the VPN so the only traffic flowing through the VPN is to the corporate network, the entire proxy setting is disabled. This really sucks. If I want to use Fiddler, I either have to disable the VPN connection every time, or rework my entire network to put the VPN connection on another machine or router. <frown>

Some days, high level business rules in the systems just suck. (This is an IE problem, not Fiddler, but it still sucks)

I read this post by DonXML a few weeks back about the difficulty in reporting phishing scams with Outlook because Outlook forces you to download images if you're going to reply or forward. It occurred to me that the reason it forces you to download the pictures is because most likely the person on the other end is going to download them, and since they are probably tied to your email address, it would provide the same benefit to the scammers. So Outlook needs a new feature: If you want to forward an email, there should be a selection that allows you to remove all image links so you can safely forward it on. That way you can report the scams to the appropriate companies, and still not foster more spam on yourself.
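A sketch of the "remove all image links before forwarding" feature requested above, as an added example that is not from the original post and is not how Outlook works: it parses a message with Python's standard `email` package and drops remote `src` and `background` image references from the HTML parts, keeping `cid:` attachments that need no network fetch. The sample message and the `tracker.example` URLs are constructed.

```python
import html
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Fetched on display: http://, https:// and protocol-relative //. cid: and data: are local.
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)

class ImageLinkStripper(HTMLParser):
    """Re-emits HTML minus remote image references; CSS url() is not handled here."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], 0

    def handle_starttag(self, tag, attrs):
        kept = [tag]
        for k, v in attrs:
            is_image_ref = k == "background" or (tag == "img" and k == "src")
            if is_image_ref and REMOTE.match(v or ""):
                self.removed += 1  # drop the attribute, keep the element
            else:
                kept.append(k if v is None else f'{k}="{html.escape(v)}"')
        self.out.append("<" + " ".join(kept) + ">")
    handle_startendtag = handle_starttag  # covers the <img ... /> form

    # Everything else passes through unchanged (comments and doctype are dropped).
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def strip_remote_images(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    removed = 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = ImageLinkStripper()
            parser.feed(part.get_content())
            parser.close()
            part.set_content("".join(parser.out), subtype="html")
            removed += parser.removed
    return msg, removed

# Constructed sample: a per-recipient tracking pixel, a tracked background, an inline logo.
SAMPLE = (
    "From: sender@bank.example\nSubject: Verify your account\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<td background="http://tracker.example/bg.gif?u=42">Dear customer &amp; friend'
    '<img src="http://tracker.example/p.gif?u=42" width="1"><img src="cid:logo"></td>\n'
)
```

Calling `strip_remote_images(SAMPLE)` returns the rewritten message and the number of references removed, so a mail client could show that count before the user forwards the report.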

For the last couple months, I've had 6 gmail invites to give away, which I haven't done anything with. Today, I've got 50 to give away. (And, no, I'm not, just because I don't have time to mess with it) My question is why they don't just open it to a public beta.... If every person who has it has 50 to give away, they should be able to just open it up to anyone who wants to login.

I don't know about anyone else, but I don't have time to muck with 50 email invites, and by this point, I've given them to all the people I know anyway <grin>

I live on the populated edge of the suburbs, but here I ended up in the rural area because that's the center of the zip code <grin>. Nifty idea though.

my blogmap

Update: Moved blog image to my own server.

Telligent just released Community Server RC1. Well, it looks like it was this morning, but I didn't see any other posts about it, so here's mine.
Downloading and installing now.
http://www.communityserver.org/forums/470013/ShowPost.aspx