[Cryptography] RSA recommends against use of its own products.

ianG iang at iang.org
Thu Sep 26 02:20:37 EDT 2013

On 26/09/13 02:32 AM, Peter Gutmann wrote:
> ianG <iang at iang.org> writes:
>> Well, defaults being defaults, we can assume most people have left it in
>> default mode.  I suppose we could ask for research on this question, but I'm
>> going to guess:  most.
> “Software Defaults as De Facto Regulation: The Case of Wireless APs”, Rajiv
> Shah and Christian Sandvig, Proceedings of the 33rd Research Conference on
> Communication, Information and Internet Policy (TPRC’07), September 2005,
> reprinted in Information, Communication, and Society, Vol.11, No.1 (February
> 2008), p.25.
> Peter.

Nice.  Or, as I heard somewhere, there is only one mode, and it is secure.


Today’s internet presumes that individuals are capable of configuring 
software to address issues such as spam, security, indecent content, and 
privacy. This assump- tion is worrying – common sense and empirical 
evidence state that not everyone is so interested or so skilled. When 
regulatory decisions are left to individuals, for the unskilled the 
default settings are the law. This article relies on evidence from the 
deployment of wireless routers and finds that defaults act as de facto 
regu- lation for the poor and poorly educated. This paper presents a 
large sample beha- vioral study of how people modify their 802.11 
(‘Wi-Fi’) wireless access points from two distinct sources. The first is 
a secondary analysis of WifiMaps.com, one of the largest online 
databases of wireless router information. The second is an original 
wireless survey of portions of three census tracts in Chicago, selected 
as a diversity sample for contrast in education and income. By 
constructing lists of known default settings for specific brands and 
models, we were then able to ident- ify how people changed their default 
settings. Our results show that the default settings for wireless access 
points are powerful. Media reports and instruction manuals have 
increasingly urged users to change defaults – especially passwords, 
network names, and encryption settings. Despite this, only half of all 
users change any defaults at all on the most popular brand of router. 
Moreover, we find that when a manufacturer sets a default 96–99 percent 
of users follow the suggested behavior, while only 28–57 percent of 
users acted to change these same default settings when exhorted to do so 
by expert sources. Finally, there is also a suggestion that those living 
in areas with lower incomes and levels of education are less likely to 
change defaults, although these data are not conclusive. These results 
show how the authority of software trumps that of advice. Consequently, 
policy-makers must acknowledge and address the power of software to act 
as de facto regulation.

More information about the cryptography mailing list