James Galvin

After all the coverage that Eircom got over their security problems, Irish Broadband have attempted to capitalise on the situation with this press release: “Irish Broadband routers are totally secure”. I don’t know whether they are trying to lure any confused/misguided Eircom customers to switch providers, or whether this is an attempt to console their existing customers, but this is an irresponsible message to send at a time when the public has finally begun to take note of internet security.

This line in particular is rotten to the core:

This password, being set by the customer, is not derived from the serial number of the modem or the network name and is therefore completely secure.

Ignoring the 58,700 results that I get in Google for “crack wpa”, even if the encryption method is somehow 100% unbreakable, just ask Paypal what happens when you allow the user to pick his own password.

When Eircom responded to their security issue last week, their reply was responsible and honest (for the most part). They qualified their statements with the standard disclaimer known to every first year computer science student and network technician: “it is widely recognised in the industry that no wireless access can be deemed 100% secure”, noting that through policy and advice to customers, they are making an effort to minimise the potential vulnerability. This is the textbook response.

Eircom gave their customers a false sense of security because some programmer made a genuine mistake (and he would have got away with it if it weren’t for those pesky kids). Irish Broadband are doing the same thing - unnecessarily allowing their customers to overestimate their security - but what is their excuse? Either they’re completely ignorant, or they’re blatantly lying.

 del.icio.us   |    digg it

This entry was posted on Tuesday, October 9th, 2007 at 23:14 pm and is filed under Ireland, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.