[wsfii-discuss] Fwd: [india-gii] poor WiFi encryption a security risk

Sat Sep 20 18:02:46 UTC 2008

Guys, I want to add something important to the discussion.

Presently  in security circles we are discussing how the blackhats  
could "take" over the typical embedded linux wifi router or SOHO router.
That means the "bad guys" can turn that into a zombie server which  
will be used to send out spam, attack other servers etc. The usual  
thing.

And the best part about it: it does not relate *at*all* to if the  
wifi router is unencrypted or not.
You can do that kind of thing from the WAN side.

So, closing the open signal is really the wrong choice. First you  
have to seriously ask, what you want to protect.
Is it physical locations against explosions? Well, there are a lot of  
choices to protect against that. No matter if the letter came via  
email or snail mail :))

When you want to protect from eavesdroppers , then you should use end- 
to-end encryption (VPN) anyway!
Simply adding a WEP crypto layer is not going to help. WPA maybe a  
bit. but... why should an attacker try to crack WPA when he can brute  
force your default password on the linksys on the WAN interface? And  
then install a packet sniffer :)

security is not easy to get right. One in my opinion very good source  
for getting it right is to read Bruce Schneiers blog.

a.

On Sep 19, 2008, at 8:37 AM, Ramon Roca wrote:

>
> IMHO, you are mixing things.
> We do have about 6,000 thowsands of open links in Catalonia, all of  
> that
> outdoors, which means public locations.
> I assume there are some criminals at the region like any other  
> region in
> the world.
> If you see, by having open and free networks that doesn't make ant
> difference at all. Criminals would still have tons of ways to
> communicate. In fact has been used much more often mobiles for bombing
> than open wifi accesses.
>
> "Security" in the terms of user "safety" you are referring happens  
> when
> you have firewalls avoiding others to get into your private  
> segments of
> the network which really requires security, or enabling VPN  
> connections
> when you are trespassing the open networks (that's the real  
> function of
> the VPN). Not by closing open networks/accesses.
>
> To encrypt the network itself to close it, creates a false idea of
> safety and you loose performance and usability, and that is much more
> worst for the average user.
>
> You must educate the users on security, not to lie them or  
> propagate the
> paranoia that open networks do compromise the safety.
>
>
>
> En/na wlanmac ha escrit:
>> Don't get me wrong, I'm not against open WiFi... I just happen to
>> believe people over simplify it's lack of security and  
>> accountability.
>>
>> I think there has to be a distinction between people anonymizing by
>> actively breaking the law (stealing passwords, phones, passports,  
>> cars,
>> buses, etc) and those just opening up their laptop. I also think  
>> there
>> is a difference when talking about individual locations vs. city wide
>> coverage.
>>
>> With all of Alex's tricks for avoiding surveillance, I wonder, do you
>> keep your home access point open? If so, why *don't* you worry about
>> those smart criminals watching your traffic. If you *do* use  
>> security at
>> home, why is the security concern lessened away from home?
>>
>> Btw, a lot of campuses in eduroam use 802.1x. Those who are security
>> minded might use a VPN at public locations. But, what about the  
>> average
>> person? You are all happy with them believing that the city wide  
>> network
>> is free, safe, and secure?
>>
>> David
>>
>> On Fri, 2008-09-19 at 00:16 +0200, Kaplan L. Aaron wrote:
>>
>>> On Sep 18, 2008, at 3:16 PM, wlanmac wrote:
>>>
>>>
>>>> True, but your analogy isn't complete, in my opinion.
>>>>
>>>> Roads are patrolled by police and sometimes cctv. You need a  
>>>> license
>>>> to drive and are subject to random inspection. The postal system  
>>>> puts
>>>> safeguards in place to deal with threats. Cellular networks are
>>>> not free and open and they also monitor and track usage.
>>>>
>>>> What safeguards are put into open WiFi networks?
>>>> How are they patrolled and/or monitored?
>>>>
>>>> Closing the 'networks' you pointed out would indeed have serious
>>>> implications to business, life, and liberty. Does closing down
>>>> (or securing) WiFi have the same kind of consequences? hmm...
>>>>
>>>>
>>> the problem with securing wifi is that WEP is still crackable  
>>> anyway.
>>> WPA is just as good as the passwords the user chose.
>>>
>>> So the whole security topic should be seen more on an "internet  
>>> level".
>>>
>>> you could just as well replace "open wifi network" in the
>>> argumentation above by
>>> "internet cafe" or "university campus" or "DSL uplink". Why?
>>> Because we live in times of tor or other strong crypto anonymizers.
>>>
>>> So...
>>>
>>> no reason to bash at open wifi networks in particular in my opinion.
>>>
>>> a.
>>>
>>>
>>> _______________________________________________
>>> wsfii-discuss mailing list
>>> wsfii-discuss at lists.okfn.org
>>> http://lists.okfn.org/mailman/listinfo/wsfii-discuss
>>>
>>
>>
>> _______________________________________________
>> wsfii-discuss mailing list
>> wsfii-discuss at lists.okfn.org
>> http://lists.okfn.org/mailman/listinfo/wsfii-discuss
>>
>>
>>
>
>
> _______________________________________________
> wsfii-discuss mailing list
> wsfii-discuss at lists.okfn.org
> http://lists.okfn.org/mailman/listinfo/wsfii-discuss