Safer Home Networks

As each day passes, home network security becomes more important for many of us. Working from home in the pandemic lockdowns boosted home networks from conveniences to necessities. Although returning to the office is now considered safe, many of us have discovered that we prefer to work from home some, if not all the time. Savvy employers have begun to insist on security standards when home networks are used for work and those of us who are self-employed at home must tend to our own safety.

Much can be done to increase safety. A key network security principle is network segmentation.

Segmentation is a cybersecurity concept derived from the same principle that governs ships built with watertight compartments. If a single compartment springs a leak, the ship still floats. If the security of one network segment is breached, the rest of the network is still safe.

Businesses and other organizations have long practiced segmented physical security. All employees may have a key or code to open the employee entrance, but smart organizations have separate keys for each department. Widely distributing keys that open all the locks in the business is dangerous. A criminal or rogue employee with the key to everything can steal everything.

In a typical physically segmented business, one section of the office is accounting. Only people from the accounting department have keys to the accounting offices. Only shipping employees have access to the shipping room and warehouse, and only some shipping staff have keys to the warehouse. And so on.

Risk-averse businesses segment their computer networks in the same way. Typically, an air-conditioning technician will not be able to access accounting files, nor will an accountant have access to heating and air-conditioning controls. Unsegmented networks have been the scenes of devastating attacks, such as the Target heist of a few years ago in which an air-conditioning subcontractor’s account was used to steal customer credit card information. A better segmented network would have prevented that catastrophe.

Do home networks need to be segmented? Not always, but as our lives become more and more wired, the benefits of segmentation have increased.

Folks may remember that in the dark days before we were touched by the wireless light, each computer in the house had a modem attached to a phone line. While the computer modem was connected, anyone who picked up a phone was treated to an earful of painful screeches. Compute-intensive households had separate phone lines for each computer. DSL (Digital Subscriber Line), which is still around but no longer as common, got rid of the necessity for separate phone lines and introduced routers to home computing. The day you install a home router, you have a home network.

I remember well when we got our first DSL modem and wireless router. How luxurious it felt to wander into the living room in stocking feet, sit down on the couch, and connect to the office on a laptop without plugging anything in. Never mind that it was the beginning of twenty-four-seven working days for many of us. Now broadband connections via cable or fiber often replace DSL for higher bandwidth connections, but the home wireless router still prevails.

Critical Changes For Home Networks

  • Everyone, including the kids, now has a smartphone that packs a computer considerably more powerful than the beige-box home desktop computers that started home computing. Smartphones connect to home wireless routers whenever they have the chance.
  • Homes have embraced the “Internet of Things” (IoT). We now have doorbells, entrance locks, and security and heating systems that connect to our wireless routers so we can control them remotely through our smartphones.

At our house, the refrigerator, the kitchen range, and the microwave all want to connect to the world wide web. Network-connected speakers like Amazon Alexa, home entertainment systems, and health monitors are now common.

For the last decade, one of the cheapest and easiest features to add to a household appliance has been an interface for remote control via an app on a smartphone. Too often, these devices are from product designers with scant training in network security. Many of these devices are easily hacked. A hacker thief might use your internet connected video doorbell to detect when you are not at home and break and enter your house while you are away. Your smart lock might just pop open when the thief arrives.

Home networks today are seldom as complicated as those of large businesses and other organizations, but many still require sophisticated administration. A segmented network protects each segment from damage from other segments and each segment can be configured to permit activities that could be dangerous in other segments.

Typical Home Network Segments

Cyber security experts agree that typical home networks, especially when residents work from home some of the time, would benefit by dividing the network into at least three segments: 1) home computing, 2) Internet of Things (IoT), and 3) guests.

The home computing segment is a home network as it was before our computing life got complicated. It contains the desktops, laptops, tablets, and phones of the primary residents. Within this segment, resources such as files and printers can be shared, and, when necessary, one computer can access another. Most people keep their email, financial records, and financial accounts here. For a writer like me, my manuscripts are stored locally in this segment. The segment often holds home business records. Folks with online storefronts administer their storefront and access their business records through this segment.

The IoT segment is the wild west. The devices there are not quite trustworthy. It’s bad enough that a criminal might hack into your smart doorbell, but giving the miscreant access to your bank account and business documents doubles down on trouble. Isolating this segment allows you to take advantage of the convenience of networked devices without quite opening a vein in your arm for the crooks.

The guest segment is valuable when you have teenagers in the house who bring in friends. Sharing internet connections with visitors is basic hospitality these days, but keeping your home network secure can be a problem. You may not mind sharing your network password with your brother, but you have to worry about your kids’ squirrelly friends who just might leave their smartphone with access to your home network on a park bench or in the video arcade. Worse, even good kids might use the colossal bad judgement of adolescence to hack your system just to see if they can.

Even if kids don’t visit, you can’t be sure that all your friends are as careful as you are about keeping phones free from dangerous apps and criminal bots waiting to rob your network blind. A network segment with a special password that permits connections with the outside world, but not to the devices in your home, protects you from the mistakes of your guests.
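The three-segment policy described above, modelled as code. This is an added example, not part of the original post; the interface names (lan0, iot0, guest0, wan0) and the 10.0.x.0/24 subnets are constructed for illustration, and the rendered nftables chain assumes a Linux router where each segment is its own interface.

```python
"""Policy model for the three-segment home network: home, IoT, guest.

Added example, not from the original post. Interface names and subnets
are assumed sample values; adjust them to the router at hand.
"""
from itertools import product

# Each segment: name -> (router interface, subnet). Constructed sample values.
SEGMENTS = {
    "home":  ("lan0",   "10.0.10.0/24"),
    "iot":   ("iot0",   "10.0.20.0/24"),
    "guest": ("guest0", "10.0.30.0/24"),
}
WAN_IF = "wan0"

# Which segment may open new connections to which ("wan" is the internet).
# Home computers may reach the IoT gear (to control it) and the internet;
# IoT and guest devices may reach only the internet, never the home segment
# or each other. Replies flow back through connection tracking, so no
# reverse rules are needed.
ALLOWED = {
    "home":  {"wan", "iot"},
    "iot":   {"wan"},
    "guest": {"wan"},
}


def permits(src: str, dst: str) -> bool:
    """True if a new connection from segment src to dst (or 'wan') is allowed."""
    if src == dst:
        return True  # traffic inside one segment never crosses the router
    return dst in ALLOWED.get(src, set())


def nft_ruleset() -> str:
    """Render the policy as an nftables forward chain with a default drop."""
    lines = [
        "table inet homefw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    ifaces = {name: seg[0] for name, seg in SEGMENTS.items()}
    ifaces["wan"] = WAN_IF
    # Emit one accept rule per permitted (src, dst) pair; everything else
    # falls through to the chain's drop policy.
    for src, dst in product(SEGMENTS, list(SEGMENTS) + ["wan"]):
        if src != dst and permits(src, dst):
            lines.append(f'    iifname "{ifaces[src]}" oifname "{ifaces[dst]}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
```

The rendered chain can be reviewed before loading it with nft; the key check is that no rule ever forwards from iot0 or guest0 into lan0.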

Next Steps

In the best of all worlds, I would now give you quick and easy instructions for implementing a segmented home network. I can’t. The market is still catching up and implementing a segmented home network is not simple enough to describe here. For our house, I have a jury-rigged setup that reuses an old router and a network switch that I happened to have lying around. I did some fancy configuration that I would not wish on anyone but myself.

For most people, investing in professional help may be the solution. Expect to pay for some new equipment. If you want to try setting up your own segmented network, this link contains some specific information: An Updated Guide to Do-It-Yourself Network Segmentation. I caution you that newer hardware may be available, but the link will get you started.

You’ll end up with a password for each part of your home network, but you will be safer.

Password Managers

Why use a password manager?

In an earlier post, I recommended strong unique passwords for all accounts, which is good advice, but hard to follow.

Today, most people have hundreds of online accounts ranging from old hobby accounts they haven’t signed on to for years to financial accounts that control their life’s savings. Maintaining strong unique passwords on all those accounts can be a nightmare. The worst part is that some of those old accounts may have pitifully weak security. A criminal targeting a weak site could grab your password. If you happen to have reused that password for your savings account, you could fall into a real mess causing substantial loss or embarrassment.

As an aside, rather than manage the passwords of old, unused accounts, it’s easier and safer simply to close the accounts.

My evolving password management systems

Thirty years ago, I kept a list of passwords in a private notebook.

Those were the days when conscientious IT administrators forced new passwords on you every month and ordered you not to write them down. Yeah. Right. My limited memory for random facts has little room for passwords. It was either a notebook or never get any work done.

At that time, I was a contract software engineer at Boeing. Enough time has passed that I can tell you what happened in the epic password battle between the engineers and the IT admins. Programmers find ways around passwords. Not nearly as many ways now as thirty years ago, but given time and motivation, they find ways. The engineers had a workaround for every password in our division of Boeing Computer Services. Maybe there still is. When I moved on to a startup, secret workarounds remained in place.

This is the lesson that DHS and NIST took to heart when they relaxed best practices for passwords, as I described in my Password Bliss post.

At home, the password notebook for my private desktop was soon cluttered with erased or crossed-out passwords. As I added new accounts, finding them became more and more difficult. I switched to a box of 3×5 cards, which I could keep in alphabetical order and replace as they became illegible with changes. That worked, but the system still took effort and iron discipline to keep current, and, I confess, my stock of iron discipline is smaller than my memory for random facts.

Switching to a manager

Password managers were available, but I resisted using them because I was afraid of putting all my password treasures into one basket vulnerable to a single criminal break in. Many of my colleagues in the software industry agreed, but now, almost all have changed their minds, as have I, because we have concluded that password managers are safer despite being a single point of failure.

Security is always relative. A password manager vendor’s database should be at least as well protected from intrusion as your own system. The password manager should easily provide strong unique passwords for all your accounts and offer easy and convenient access to those passwords to you, your designated agents, and no one else. Reputable password managers meet these criteria and, therefore, I am eager to use them.

Nothing is completely secure, but some situations are more secure than others. If you have a system for managing passwords like my box of 3×5 cards that you can maintain and keep safe without being tempted to reuse passwords or create weak passwords and variants on multiple accounts, stick with what you have. But if you succumb to weak and duplicate password temptations, or you find yourself toting your system to libraries or coffee shops where it could be stolen, a password manager is a safer choice.

I made the decision to switch to a password manager about a decade ago.

Free password managers

There’s a saying “if the service is free, you are the product,” which is supposed to be a warning that free services target ads and outright sell information about you. This is true. But paid services do the same thing. Always check the privacy policy of any computing product you use.

The European Union and some of the states have regulations that require vendors to inform users of some forms of information sharing and allow you to opt out. Because identifying where these laws apply is difficult, vendors almost always follow the most stringent regulations and treat all users the same. Paid does not equal private.

Since password managers hold some of your most private data, caution is required. Check their privacy policies and opt out of those you don’t like when you can.

I’m an insider. I’ve sat on corporate product committees that decided to offer free services to the public. In this age of ultracheap data storage and abundant computing capacity, a business can offer free services to entice you to purchase paid services and still rake in fat profits.

Vendors carefully consider offering free products or services. Generally, selling a service is preferable to selling a product because services are recurring revenue sources. The vendor’s goal is a mix of free features that hook the consumer and paid features that entice the user to upgrade to a profitable paid service. The consumer who can get by on the free subset of features wins big, although they must accept that the vendor will court like a lovesick swain to woo free riders to upgrade. And free riders are always subject to the threat that the free services will be curtailed or eliminated at the whim of the vendor.

Therefore, I’ll readily accept free password managers, although I scrutinize the privacy policy of the service and realize that I may be persuaded to upgrade to a paid service after I start using the free service. This is exactly where I sit now. I started with a free manager and upgraded to paid. Also note that I always check the privacy policies of paid services as well as free services.

In a future post, I’ll go into more detail on how to evaluate password manager features.

Password Bliss

Ah, the blissful days on my first programming job. We had no passwords. A cipher lock on the employee entrance was enough security. Those days are as gone as last winter’s snow days in August.

I don’t know anyone who likes passwords. The best I can say for them is that they protect computer systems better than nothing and they are relatively easy to implement. The truth is that password protected systems are breached all the time. Passwords are better than no protection, but that’s all. Breaking into a password protected system is in the league with hot wiring a 1957 Buick.

The end of passwords has been predicted for decades and the computer industry is inching closer, but I don’t see the end of passwords in sight.

Why? Because the alternatives also have flaws and most have high implementation costs. There are no sudden changes on the horizon. Any transition away from passwords will be gradual. The most likely change is more and stiffer nudges toward multi-factor authentication, the two-step process that is already insisted upon in many high-risk systems. Multi-factor authentication systems, which usually involve your cellphone or email, are annoying but much more difficult to hack than a password alone.

If we are stuck with passwords, we ought to follow practices that increase security and maximize ease of use for users. Fortunately, NIST, the division of the federal Department of Homeland Security that makes recommendations for password security, has noticed that the password policies that annoy users also encourage them to work around the rules, usually in unsafe ways. The most recent recommendations are actually easier to follow than the old rules.

The old rule was to change passwords frequently. That’s out. When people are forced to change their passwords frequently, they resort to common passwords that are easy to remember, use simple spelling variations to reuse passwords, or write them down in obvious places, all of which make password theft easier, not harder.

The old rule about password complexity (a mixture of letters, numbers, symbols, and upper and lower case) is also out. Password crackers know that “$” substitutes for “s” and zero substitutes for the letter “o” and all the rest. Short complex passwords are not much more difficult to crack than an uncommon but short all-lowercase password. Passwords over twelve characters are difficult to crack. Planning and executing a trip to Jupiter probably consumes fewer resources than cracking an eighteen-character password that is not a common phrase.

Therefore, a long nonsense phrase that sticks in your memory is a strong password, unless the phrase is commonly used. A phrase that gets zero hits on a Google search is very safe. When you have a strong password, DHS recommends that you stick with it unless it gets compromised in some way. That long password will make you a tough customer to break.

The rest of the new guidelines are rules for processing and storing passwords that apply to programmers, not end users.

But there is another catch: password spraying. Hackers know that people tend to use the same password on multiple accounts. As soon as a bad guy gets a password, he sprays (tries) it on all your accounts. Most passwords are not cracked; they are obtained by trickery. For example, a bogus phone call from a fake IT guy asks for your password and you give it to him without thinking. The hacker then tries the stolen password and a hundred variations on your bank account within seconds. In order to limit the damage from such a mistake, never reuse the same password or an easy variant on different accounts.
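The two checks the last several paragraphs describe, length plus "not a common phrase" and no reuse or easy variants across accounts, as an audit you can run over your own account list. This is an added example, not code from the original post; the account list and the short list of common phrases are constructed sample data, and the substitution table extends the “$” and zero examples above with a few other common swaps (an assumption).

```python
"""Audit a password list for the weaknesses the post describes:
short passwords, commonly used phrases, and one password reused
(or trivially varied) across several accounts.

Added example, not from the original post. Sample data is constructed.
"""
import re

# Substitutions crackers try automatically; undoing them reveals "easy variants".
# The post names "$" and "0"; the rest are assumed common swaps.
LEET = str.maketrans({"$": "s", "0": "o", "1": "l", "3": "e", "@": "a", "!": "i"})


def canonical(password: str) -> str:
    """Reduce a password to the base form shared by its easy variants.

    Lowercase, strip the trailing digits/symbols people append when forced
    to rotate ("...2019", "...!"), then undo leet substitutions. Stripping
    happens before the leet step so the digits of a year are not read as letters.
    """
    base = re.sub(r"[\d!@#$%^&*.]+$", "", password.lower())
    return base.translate(LEET)


def reused(accounts: dict) -> dict:
    """Group account names by canonical password; return groups of size > 1."""
    groups = {}
    for name, pw in accounts.items():
        groups.setdefault(canonical(pw), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def weak(password: str, common_phrases: set, min_len: int = 12) -> list:
    """Apply the post's two tests: minimum length, and not a commonly used phrase."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if canonical(password).replace(" ", "") in common_phrases:
        problems.append("commonly used phrase")
    return problems


# Constructed sample vault: three variants of one base password, one long
# but famous phrase, and one long nonsense phrase that passes.
SAMPLE_ACCOUNTS = {
    "old-hobby-forum": "Summer2019",
    "bank":            "$ummer2019!",
    "email":           "summer2021",
    "streaming":       "correct horse battery staple",
    "manuscripts":     "purple otter debates the thermostat",
}
COMMON = {"correcthorsebatterystaple", "letmein", "password"}


def audit(accounts=SAMPLE_ACCOUNTS, common=COMMON) -> dict:
    """Return {'reused': {base: [accounts]}, 'weak': {account: [problems]}}."""
    report = {"reused": reused(accounts), "weak": {}}
    for name, pw in accounts.items():
        problems = weak(pw, common)
        if problems:
            report["weak"][name] = problems
    return report


if __name__ == "__main__":
    for section, findings in audit().items():
        print(section, findings)
```

A real common-phrase list would be far larger than the three entries here; the point is that a long password fails the same check as a short one if the phrase is well known.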

Just when you thought the new guidelines made your life easy, it all falls in when you consider the hundreds of accounts you probably have.

Unless you are prodigiously organized and blessed with the memory of a crossed mother elephant, password managers are the answer: One long, strong, and memorable password for a password manager that generates and stores random passwords for all your accounts. Although they are not perfect, most people are safer with a password manager.

Choosing a password manager is a subject for another post.

Twitter Annoyances

I have lost all patience with Elon Musk. Up until last week, I could see some rationale and a ray of hope in his Twitter monkeyshines, but renaming Twitter blew away any lingering spell.

I’ve never been a Twitter fan. I have no quarrel with folks who enjoy an adrenaline and dopamine thrill during a hot online exchange, but dashing off a few characters and blasting them out to the world does not excite me, nor do I much enjoy reading blurted tweets. However, scientists, journalists, and many others have all appreciated a decade of Twitter’s rapid and live flow of opinion and information. Twitter established its usefulness for many users.

Some folks like to toss spit wads at the Twitter wall to see what sticks. That’s fine too, but it points the way to the downside of Twitter. I’m too old not to have noticed that attention-seeking, greed, and choler are always present in this world. Given the way people are, some of those spit wads will be mean and treacherous fire balls. Some heat improves a dish, but too much ruins it.

If it were easy, or even possible, to distinguish good and bad posts like sorting sheep and goats, I could see that managing a platform like Twitter would be an interesting and satisfying job. But we all have good days and bad days. My notion of good is only a rough approximation of yours. On most points, we will differ. Sometimes we will differ a lot.

Anyone who has tried to keep peace in a family, lead an elementary classroom, or push a project team toward a goal knows how mind-stretching and frustrating taming the discourse on a platform like Twitter must be.

Did pre-Musk Twitter meet that difficult challenge? Not especially well. They were in trouble with the European Union and the FTC. Both the right and the left accused them of bias.

As a service system management product developer who has seen outfits like Twitter both succeed and fail, up to the last few weeks, I didn’t think Musk did too badly.

Musk always struck me as a little too hot for everyday consumption, but Tesla and Starlink are undeniable accomplishments. Unfortunately, massive layoffs at Twitter made sense.

Twitter has all the marks of a company that has struggled and failed to address issues. Instead of fixing problems with solutions, Twitter took the last-century MBA route and hired more staff, thinking held over from the era when a coal shortage could be solved by hiring more miners.

Technology does not work that way. Typically, adding more staff delays a technical project. Twitter appears to have added bodies instead of engineering and administrative discernment, and that led to a flailing technical organization. They desperately needed trimming. Musk’s judgement was correct. A massive layoff, however cruel and harsh, was the only choice.

I’ve gone through the process of trimming a bloated staff and know how hard it is, akin to a brain surgeon extracting a tumor, but instead of a scalpel, you are stuck with a sledgehammer and pickaxe. If the result of your effort is vaguely in the direction of your goal, you haven’t done so badly.

There’s no question that Musk paid far too much for Twitter. At first, I was willing to give him a pass on that. The world’s richest man can tap his bulging piggybank and survive. Wasting money is a gazillionaire’s prerogative. Accumulating vast wealth offers experience on how much extravagance one can bear. One would assume.

The last few weeks have been bad for Twitter. It appears to have fallen into a descending spiral. Stiffing critical suppliers like landlords and cloud providers has affected operations, which decreases revenues, which further curtails resources. This is the way corporations die.

Yet another nail in the coffin: rumor says some employees still cash in vesting stock options at Musk’s inflated price of $54 per share. That will end soon. I wonder if those employees will continue to work for Musk when that fountain of gold turns into a trickle of dry sand?

I expected that naming an advertising executive as CEO would inject some reality into Musk’s advertiser management and stabilize revenues, but the last change, renaming Twitter to X looks like another round of playground gags instead of advertising management skill.

Which brings me to my point: I’m an old Unix hand. X, for me, is the X Window System developed at MIT that was the foundation for distributed graphic interfaces. Graphic user interfaces (GUIs) opened computing to a wide swathe of users. Without GUIs, computers would be impossible for most people to use.

And now, venerable X has been permanently tied to Elon Musk driving his Twitter Tesla into a bridge abutment.