Hacker News new | past | comments | ask | show | jobs | submit login

To be honest, this makes a lot of sense. The time saved in support is probably worth way more that costs of dealing with any security fallout



For that I think having a remote "reset password" option is more sensible. It would avoid issues coming from password reuse.


…and help the customer reconnect all devices on the WiFi?


Yes. It would be the same as resetting your email password and needing to login again on your devices.

If a password is so precious that you share it plaintext with third parties it is a bad usecase for a password.


The level of effort and obviousness of an email reset is nothing compared to helping someone figure out how to reconfigure every smart device ever made.


So it's a bad usecase for a password, then. Perhaps every router should ship with a preconfigured VLAN for shitty smart home stuff that is a lot more open, or maybe we should stop trying to stick internet into everything ever created.


Why should it be just the IoT devices that get the insecure network? Why not just stop trusting the LAN altogether and instead use technologies like HTTPS and DoH to ensure privacy on the important devices? That seems to be the way the tide is turning anyway.


Personally I'm all for that but people & packages seem to be pretty promiscuous about listen address defaults and assuming everything behind a routers NAT is trusted.

Treating the network as untrusted is good but as long as some people are paying for service, traffic and bandwidth there are reasons to not allow anything to use your network. And there is also a legal question of liability if someone is not quite above board from your IP.


Tell me you've never done help desk work without telling me you've never done help desk work.


I've actually worked help desk for about 3 years.

I've had calls lasting over an hour helping customers configure their email on their phone and computer.

I learned not to laugh when people called "the internet" either "that e-thingy", "mozarella foxfire" or "googlé charome".

I dealt with explaining to people why IE6 did not understand SNI when we decided to give all our customers websites HTTPS.

Just saying that I've been in that and seen that.


They can change it back after logging in if they insist.


they forgot the password, so they can't


Right, good point. There is of course the option to see saved wifi passwords on most devices... but I can see how an engineer decided to bypass all this bikeshedding and just send the damn password haha.


There's always the reset to factory defaults button. The vast majority of WiFi users have never adjust any of the settings anyways.


Verizon does not get to decide what's an appropriate tradeoff for other people's security.


For Verizon owned routers? For company owned and supported equipment, I can understand it. I might not like it, but I can understand it. Especially if they are on the hook for support.

But, that’s why I run my own router for internet access. It’s my router and I can control what it does. If it goes down, then that’s on me. And I’m okay with that. Would I necessarily want the same setup for my parents? Probably not…


Do the own they rest of the equipment on the network that they're putting at risk?


I'm not concerned with this question as it implies that people haven't got a choice between "rent modem, ez for noobs" and "buy own equipment, fully control it." They do have that choice still, it must be some leftover regulation (from back when the US did that) in the case of cable companies, but I have zero problem with the ISP making those tradeoffs. The people who would trust the ISP-owned device likely have already typed that wi-fi password into things like $99 smart TVs which probably transmit their wifi password, location, and microphone data directly to China. Verizon having the wifi password is not cause for concern here.

Those who are security conscious enough to have concerns about their LAN security do not buy "internet + routers + desktop support as a service" by renting the endpoint equipment -- they buy just the internet connectivity and furnish equipment they can control and trust.


> I'm not concerned with this question as it implies that people haven't got a choice between "rent modem, ez for noobs" and "buy own equipment, fully control it."

If you buy the equipment from Verizon, I will bet you a significant amount of money that it still sends your passwords to them [on edit: with exactly zero disclosure that's detectable to 99.99 percent of users]. In fact, I'll bet you Verizon treats customer-owned equipment exactly like rented equipment except in billing. But anyway.

> The people who would trust the ISP-owned device likely have already typed that wi-fi password into things like $99 smart TVs which probably transmit their wifi password, location, and microphone data directly to China. Verizon having the wifi password is not cause for concern here.

You park your car in bad neighborhoods. Had I not stolen your car, somebody else would have done it.


OK, I forgot we're talking about FiOS here. For sure that is slightly weirder than DOCSIS (which is all I've ever known personally). Since it's not really a standard like DOCSIS you probably "must have" some piece of Verizon-proprietary gear whether rented or otherwise and I'm sure Verizon remote-manages those in the same basic ways like you said. But I am pretty sure that still, security-conscious or advanced users can disable the Verizon device's WiFi and drop it into bridge mode and provide their own router and APs. To me this provides a way to opt out of this that is well within the capabilities of anyone sophisticated enough to understand the risks.


A good argument why the fines for this kind of behavior need to be orders of magnitude higher.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: