What can we do to protect people from access via WAN?

[Yota]

Enabling WAN access will show an alert, warning you of the risks.

It just shows on a specific page, maybe we can make it more obvious. like the concept pic. and, what do you think that ideas about showing running scripts and SSH being enabled?
Thank you.

 

[Ronald Schwerer]

Hello 911, we have a bad guy here. lol

No, I'm just a Darwinian. I think of it as fine-tuning the gene pool.
People who depend on any technology (be it a bicycle, an auto, a computer, and especially the internet) need to take responsibility to learn and understand the risks - and how to mitigate them.

 

[Yota]

No, I'm just a Darwinian. I think of it as fine-tuning the gene pool.
People who depend on any technology (be it a bicycle, an auto, a computer, and especially the internet) need to take responsibility to learn and understand the risks - and how to mitigate them.

Please don't mind, the previous reply was just a joke.

I agree with you that the more protection we provide, the more they will forget the risks of the Internet, and who knows what will happen when no one protects them. however, I just don't want to see so many people make mistakes, just hope webui may remind them, that's all.

Thanks for your reply.

 

[L&LD]

@Jack Lee while I agree with you in principle I don't think there is any way to effectively implement your idea(s).

You can put a full-screen warning out and it won't stop anyone from doing silly things like opening up the router to the WAN.

@thelonelycoder is correct that the core issue in your example is that the kid was either given, guessed or simply read the password from the bottom of the router. Game over.

I too like to help out family and friends and I give them a printed copy of their router settings and security options to put in their safe box, but I also give them a few copies of the 'guest' networks credentials to be used by not just guests, but their kids and the kids friends too.

The minute I see the teenagers have access to the router? My 'support' has expired. And they already have in writing what that entails with regards to security (with the router settings I print off for them, there is also an overview of what and why their router is 'more' secure with the setup I delivered).

The 'kids' in my example above are younger (up to 15 years old), with a 'public' computer(s) in the living room for homework and no need on their personal gadgets to access the LAN at all). This may not be the same for all families. But I like to educate my family and friends on what they can do (while they can) to protect not just their kids, but also their own digital assets too.

 

[Yota]

@Jack Lee while I agree with you in principle I don't think there is any way to effectively implement your idea(s).

You can put a full-screen warning out and it won't stop anyone from doing silly things like opening up the router to the WAN.

@thelonelycoder is correct that the core issue in your example is that the kid was either given, guessed or simply read the password from the bottom of the router. Game over.

I too like to help out family and friends and I give them a printed copy of their router settings and security options to put in their safe box, but I also give them a few copies of the 'guest' networks credentials to be used by not just guests, but their kids and the kids friends too.

The minute I see the teenagers have access to the router? My 'support' has expired. And they already have in writing what that entails with regards to security (with the router settings I print off for them, there is also an overview of what and why their router is 'more' secure with the setup I delivered).

The 'kids' in my example above are younger (up to 15 years old), with a 'public' computer(s) in the living room for homework and no need on their personal gadgets to access the LAN at all). This may not be the same for all families. But I like to educate my family and friends on what they can do (while they can) to protect not just their kids, but also their own digital assets too.

Thank you for writing these, this is helpful, the problem with this post seems to come from that kid, which means it's not my problem. however, do you think it would be better to take the initiative? like #3?

 

[L&LD]

@Jack Lee, I don't see how that initiative could be easily implemented (if at all)? If someone has full control of the router, they'll just put the 'virus' they write into the 'safe' zone, correct? And for them to be a threat, they need full control first.

Not to mention that these implementations will annoy the users more than any hacker.

I don't give anyone full access to my network (no, not even family). I don't let my phone be touched by anyone else (even when locked). This is the best and first line of defense.

Good/Basic security protocols are always the best defense. Proven time and again that it's not by magic that systems get hacked, its when the basics are ignored/taken for granted or in most cases, completely abandoned by either the system engineer or the user(s) of that system.

The point is, the proper basics will keep you secure to a 99.9999% capacity. Things like 'secure' scripts? Probably too little and too late if that is the last defense.

 

[jrmwvu04]

You can lead a horse to water but you can't make it drink.

 

[Yota]

@Jack Lee, I don't see how that initiative could be easily implemented (if at all)? If someone has full control of the router, they'll just put the 'virus' they write into the 'safe' zone, correct? And for them to be a threat, they need full control first.

Not to mention that these implementations will annoy the users more than any hacker.

I don't give anyone full access to my network (no, not even family). I don't let my phone be touched by anyone else (even when locked). This is the best and first line of defense.

Good/Basic security protocols are always the best defense. Proven time and again that it's not by magic that systems get hacked, its when the basics are ignored/taken for granted or in most cases, completely abandoned by either the system engineer or the user(s) of that system.

The point is, the proper basics will keep you secure to a 99.9999% capacity. Things like 'secure' scripts? Probably too little and too late if that is the last defense.

You are right, the best protection is to let them learn how to protect themselves. so I think I'm too worried, thanks for letting me know that.

 

[Yota]

You can lead a horse to water but you can't make it drink.

I like this statement. thanks

 

[OzarkEdge]

I done the same thing. but, I will not stop them from using the asus router app because it is not my business and I think I paid for the development of this app, so why should I reject it? even it is really bad.

The entire Android platform is suspect. The touch interface can cause unwanted actions. Apps update and do whatever they want and you have no control over this. The restricted UI leaves much information unexplained and not understood. And as for the Asus app, it's a careless tool for network administration... it doesn't care that it is a marginal at-risk tool for network management. You should not recommend it, even if it seems only a little bad... imo.

OE

 

[Yota]

The entire Android platform is suspect. The touch interface can cause unwanted actions. Apps update and do whatever they want and you have no control over this. The restricted UI leaves much information unexplained and not understood. And as for the Asus app, it's a careless tool for network administration... it doesn't care that it is a marginal at-risk tool for network management. You should not recommend it, even if it seems only a little bad... imo.

OE

If no one uses it, and no one feedback, then there will be no improvement.

 

[OzarkEdge]

If no one uses it, and no one feedback, then there will be no improvement.

You can add that to the list.

Maybe Chrome OS will help the matter some, someday. But I'm doubtful... as long as Google develops its products to suit its purposes first and foremost, I'm not much interested in investing myself in their platform and apps that take that ride. Google and Android and Android apps are a disposable proposition... easy come, easy go.

OE

 

[RMerlin]

It just shows on a specific page, maybe we can make it more obvious. like the concept pic. and, what do you think that ideas about showing running scripts and SSH being enabled?
Thank you.

The person enabling it will be warned. If whoever enables it isn't responsible enough, then they shouldn't have the password to the router to begin with. Beyond that, writing and maintaining any supplemental warning code will only lead to bloat, and other people then complaining that "I *DO* want to enable WAN access, stop warning me about it". I have seen it happen with the Guest Sharing access being enabled, I got a few users complaining about the constant warning being shown.

And also once there are too many innocent warnings, people just stop paying attention to them, so they miss out the real critical warnings (like a low nvram warning, which can lead to a complete router crash and loss of settings). That's why warnings should only be used when actually necessary.

 

[sfx2000]

Enabling WAN access will show an alert, warning you of the risks.

Yep, and be mindful of third party scripts - hobbyists there have good intents, but may not understand the larger impact.

AsusWRT-RMerlin without the scripts - I would trust it.

 

[Yota]

The person enabling it will be warned. If whoever enables it isn't responsible enough, then they shouldn't have the password to the router to begin with. Beyond that, writing and maintaining any supplemental warning code will only lead to bloat, and other people then complaining that "I *DO* want to enable WAN access, stop warning me about it". I have seen it happen with the Guest Sharing access being enabled, I got a few users complaining about the constant warning being shown.

And also once there are too many innocent warnings, people just stop paying attention to them, so they miss out the real critical warnings (like a low nvram warning, which can lead to a complete router crash and loss of settings). That's why warnings should only be used when actually necessary.

You are right, I think I may care too much, thank you.

 

[Yota]

Yep, and be mindful of third party scripts - hobbyists there have good intents, but may not understand the larger impact.

AsusWRT-RMerlin without the scripts - I would trust it.

I don't like Merlin firmware without scripts, because this will only be closed. the power of Merlin firmware comes from the openness and flexibility of the community. so don't destroy it

However, each time the script is installed, the author of the script will not tell you to remember to turn off SSH. Maybe a third-party script author can prompt people to do this.


Then don't forget that SSH and custom scripting features of Merlin firmware are disabled by default, and those who enable it need to understand the risks here.

Thank you.

 

[RMerlin]

AsusWRT-RMerlin without the scripts - I would trust it.

What would be the point then, might as well just run stock firmware...

Would you run Linux without init.d/systemd?

 

[ColinTaylor]

What would be the point then, might as well just run stock firmware...

You do not give yourself enough credit.

Even without running scripts your firmware enhances and improves on the stock firmware.

 

[TechTinkerer]

@RMerlin for turning on wan access etc could you not have a add a password\pin prompt that would stop any possible security breaches by those using the app and unknowingy openingup the router to the internet?

 

[Ronald Schwerer]

I don't run with ssh completely disabled - I'm logging in many times a day. I leave it set to LAN only. So any attacker would need to be physically present at/near my home. Someone attacking via wifi would need two passwords and guess my root user id. I think I can live with that.