[wsfii-discuss] Fwd: [india-gii] poor WiFi encryption a security risk

Sun Sep 21 07:07:49 UTC 2008

> And the best part about it: it does not relate *at*all* to if the  
> wifi router is unencrypted or not.
> You can do that kind of thing from the WAN side.
> 
> So, closing the open signal is really the wrong choice. First you  
> have to seriously ask, what you want to protect.

Are you seriously suggesting that because of security weaknesses (like
bad default passwords), that security in general is 'the wrong choice'? 

> When you want to protect from eavesdroppers , then you should use end- 
> to-end encryption (VPN) anyway!
> Simply adding a WEP crypto layer is not going to help. WPA maybe a  
> bit. but... why should an attacker try to crack WPA when he can brute  
> force your default password on the linksys on the WAN interface? And  
> then install a packet sniffer :)

Still, your attacker is actively breaking the law by gaining
unauthorized access to a computer system. If you leave your access point
wide open and someone is sniffing that network, it is questionable
whether or not this attacker is breaking the law (yet). They are just
scanning the airwaves and there was no "notice" of their activity being
unauthorized. I can just picture you calling the police about someone
running a packet sniffer and them replying: why don't you protect your
WiFi and call us when a law has been broken. 

> security is not easy to get right. One in my opinion very good source  
> for getting it right is to read Bruce Schneiers blog.
> 

I believe Bruce would agree that security is more than technology, it is
social awareness and behavior. As such, I go back to my original issue
with city wide open access... as it results in people becoming more
comfortable and trusting of open access. By saying these people need to
protect themselves with VPNs is just passing the responsibility to an
uneducated (about the risks) public. 