On 26/09/13 02:32 AM, Peter Gutmann wrote:
ianG <i...@iang.org> writes:
Well, defaults being defaults, we can assume most people have left it in
default mode. I suppose we could ask for research on this question, but I'm
going to guess: most.
“Software Defaults as De Facto Regulation: The Case of Wireless APs�, Rajiv
Shah and Christian Sandvig, Proceedings of the 33rd Research Conference on
Communication, Information and Internet Policy (TPRC’07), September 2005,
reprinted in Information, Communication, and Society, Vol.11, No.1 (February
2008), p.25.
Peter.
Nice. Or, as I heard somewhere, there is only one mode, and it is secure.
http://www-personal.umich.edu/~csandvig/research/Shah-Sandvig--Defaults_as_de_facto_regulation.pdf
Today’s internet presumes that individuals are capable of configuring
software to address issues such as spam, security, indecent content, and
privacy. This assump- tion is worrying – common sense and empirical
evidence state that not everyone is so interested or so skilled. When
regulatory decisions are left to individuals, for the unskilled the
default settings are the law. This article relies on evidence from the
deployment of wireless routers and finds that defaults act as de facto
regu- lation for the poor and poorly educated. This paper presents a
large sample beha- vioral study of how people modify their 802.11
(‘Wi-Fi’) wireless access points from two distinct sources. The first is
a secondary analysis of WifiMaps.com, one of the largest online
databases of wireless router information. The second is an original
wireless survey of portions of three census tracts in Chicago, selected
as a diversity sample for contrast in education and income. By
constructing lists of known default settings for specific brands and
models, we were then able to ident- ify how people changed their default
settings. Our results show that the default settings for wireless access
points are powerful. Media reports and instruction manuals have
increasingly urged users to change defaults – especially passwords,
network names, and encryption settings. Despite this, only half of all
users change any defaults at all on the most popular brand of router.
Moreover, we find that when a manufacturer sets a default 96–99 percent
of users follow the suggested behavior, while only 28–57 percent of
users acted to change these same default settings when exhorted to do so
by expert sources. Finally, there is also a suggestion that those living
in areas with lower incomes and levels of education are less likely to
change defaults, although these data are not conclusive. These results
show how the authority of software trumps that of advice. Consequently,
policy-makers must acknowledge and address the power of software to act
as de facto regulation.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography