Showing posts with label privacy. Show all posts

Sunday, January 4, 2015

Extending your home network... insecurely

I reorganized my house this week and gained a private office space, though one without a coaxial jack. This makes it impossible to immediately replicate my previous setup of a whopping three feet of CAT 6 between my main workstation and the FiOS router. Unfortunately a WiFi connection isn't an option as the box isn't compatible.

Options for connecting a new room to your home network

  1. Add CAT 6 Ethernet cabling: Doing this cleanly requires running cables through the walls and cutting holes for new outlet boxes with a face plate. Highly suggested if you own your house, but I'm in a rental. Pass.
  2. Reuse an extra wireless router as a wireless bridge: I tried this one for a few hours (hours that the wife was not happy I was spending!) but the only router I had sitting around was an Actiontec MI424WR Rev I which is not compatible with DD-WRT firmware.
  3. Power-line networking: Add a device to connect Ethernet networking over the existing power lines within the house. The guy I talked to at Best Buy recommended the Actiontec Powerline Ethernet Adapter Kit [PDF] over the WiFi extender I was looking at. At $39.99 instead of $99.99, I decided to try it.

Fast and easy...setup in less than 5 minutes

The box claims a quick and easy set-up, just plug the single adapter into the wall and wire it to the router. Plug the four port adapter into the wall near your machines and wire them up. So I did, and almost immediately my workstation was connected to the Internet... success! Or so I thought.

Verify that the network is up

Along with my main workstation, my office is home to a server which provides multimedia and intranet web hosting. Once I had Internet access, the next step was to check for the rest of the intranet machines. I navigated to http://192.168.1.1 (default MI424WR address) and the expected page pulled up, but my login failed. Double checking my password typing, the login failed a second and third time. More information needed now!

Check Windows' "Network" page

Under Printers there was a Lexmark, under Computer there was a name I didn't recognize. This is a problem, and one that needed to be addressed immediately! My workstation was connected to someone else's network.
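
The check described above can be scripted. The following is an added example, not part of the original post: it parses Windows `arp -a` output and flags a gateway answering from an unexpected MAC, plus any neighbour missing from an inventory. The sample output, MAC addresses and inventory labels are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real network).
SAMPLE_ARP = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-aa-bb-01     dynamic
  192.168.1.40          02-00-00-aa-bb-40     dynamic
  192.168.1.77          02-00-00-cc-dd-77     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Hypothetical inventory of devices you own (assumed values): MAC -> label.
KNOWN = {"02:00:00:aa:bb:02": "my router", "02:00:00:aa:bb:40": "media server"}
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "02:00:00:aa:bb:02"  # MAC printed on your own router's label

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+", re.I)

def parse_arp(text):
    """Return {ip: mac} for unicast neighbours in Windows `arp -a` output."""
    hosts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast or multicast, not a device
        hosts[ip] = mac
    return hosts

def audit(hosts, known, gateway_ip, gateway_mac):
    """Report a gateway with the wrong MAC and neighbours not in inventory."""
    findings = []
    seen_gw = hosts.get(gateway_ip)
    # Two routers can share the same default IP; only the MAC tells them apart.
    if seen_gw is not None and seen_gw != gateway_mac:
        findings.append(f"gateway {gateway_ip} answers from unexpected MAC {seen_gw}")
    for ip, mac in sorted(hosts.items()):
        if ip != gateway_ip and mac not in known:
            findings.append(f"unknown device {ip} ({mac})")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp(SAMPLE_ARP), KNOWN, GATEWAY_IP, GATEWAY_MAC):
        print(finding)
```

On a real machine, feed `parse_arp` the text printed by `arp -a` instead of the constructed sample.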

Ease of setup security hole

The problem was documented right there in the manual: the adapters come pre-provisioned with a default, generic encryption key. This is great for easy setup because you can just plug it in and go. It is bad for security because it means you can just plug it in and join any network that is already there! Turns out my neighbors had already expanded their network with a similar, compatible product. They plugged it in and it just worked. I plugged mine in and it just worked... with their existing network.

I don't understand why the manual in the box doesn't tell how to update the encryption key; it just directs you to their website, which pretty much guarantees that a random person directed by their Best Buy clerk will never update it.

From the Actiontec website:
    How do I change the encryption key on a PWR500 Powerline Adapter?
    To reset and change the encryption key on the PWR500, follow the steps below:

    1. Plug the Adapters into electrical outlets on the same circuit.

    2. Press and hold the Security button on each unit one at a time for exactly 10 seconds. On the 10th second, let go of the button. When you release the button, the Power LEDs will turn off very briefly and turn back on. The LK LEDs will not turn back on at this time.

    3. Then on one of the units, press and hold the Security button for exactly 3 seconds. On the 3rd second, release the button. When you release the button, the Power LED will begin to flash.

    4. Now on the other unit, press and hold the Security button for exactly 3 seconds. On the 3rd second, release the button. When you release the button, the Power LED will turn off and back on briefly, and then the LK LED should be lit on both units. Provided the LK lights on both units are lit, the encryption key has been changed and the two Adapters are now connected on the same Powerline network with a new encryption key.

Wednesday, July 10, 2013

The blonde in the bar

In A Beautiful Mind, Russell Crowe plays the brilliant mathematician John Nash. Part way through he has a moment at a bar which inspires him to write. His bar moment gave him insight into his field and he left after thanking the blonde in the bar. I have been inspired to write about what I've recently learned from a night in a bar. To my blonde in the bar, thank you.

At some level, everyone knows that their privacy is at best only as safe as they protect it. People also tend to be really bad at doing that protection. When a gorgeous, dashing gentleman, or rather a lonely, bored drunk, in the bar asks for a dance, it can be an awkward moment, since both parties are keeping the physical contact to less than that of a middle school formal. Small talk fills the few minutes of the dance.

What has you in town? School.
Study? Interesting sounding topic.
Prompt for information. Chat, including a brief, slightly bragging mention of a great internship.

Part way through the song her friend cuts in and the dance ends. Part ways, no names given. Anonymous.

How anonymous? Not at all. The school, the program of study, and the internship were all that was given. When searched appropriately online, that tuple points initially to a person. One that just happens to share the same first name which was overheard in the bar, said by the blonde's friends. Even without that tidbit, that first entry contains a full name. Searching for that full name on another site provides a picture along with the results. Match.

The friend that cut in, the only information she ever provided was her face and her association with the blonde. Solid anonymity? No more than the first. The online trail included her full name and even a friendly nickname. Hometown? High school? Interests? All exposed based entirely off a chance meeting with her friend, the blonde in the bar.

What is the appropriate amount of information to share and what is the information that must be held close to the chest? A brief, anonymous chat with a stranger in a bar can potentially have wide rippling effects. How much do you say without thinking about whether it exposes you, your friends, or your family? In The Art of Deception, Mitnick poses a challenge which should be trained into employees: "If I gave this information to my worst enemy, could it be used to injure me or my company?" (2002, pg 53) This is a question that should probably be employed by all of us about all our information.

Once again, thank you. I never before had thought as deeply about what information I may be exposing just by chatting away.

I can't leave you without the clip that I began by discussing...