[wsfii-discuss] Fwd: [india-gii] poor WiFi encryption a security risk

[Kaplan L. Aaron]

On Sep 22, 2008, at 9:13 PM, Ramon Roca wrote:

>
> We don't have to expect that your mom, like any other average user,  
> know
> about WPA/IMAP or whatever TLA we do use.
>
> However, be sure that they can distinguish between having to take care
> while doing things like giving credit card information to someone and
> doing something trivial which doesn't require any protection at  
> all, so
> to do certain things they have to do in a way which they know is
> trusted, and if they don't know and there is a potential risk,  
> don't do it.
>
> Common sense.
>
>
>

Yes, I agree with Ramon.

People even without technical knowledge do understand psychology (*).  
And psychology is what is being used most of the time in IT security  
incidents.
So they can actually start to defend against that - by being a bit  
more aware and a bit more trained.

*However* I can assure you that when a law is passed that APs must be  
encrypted, then the effect that you will get is that most people will  
use WEP (because that works with every card and causes the least  
problems) PSK. So, what would the effect be for city wide WLAN networks?
Well, one key for the whole city???
Great! ;-))

Smart people at funkfeuer and my job really also convinced me - the  
currently best way to go is a) train psychology and b) use and offer  
end to end encryption when you need encryption (think: SSL  - that  
would be a much better start. Do I dare to send e-banking over the  
unencrypted funkfeuer.at network? Of course I do! :) )



best regards +  interesting discussion,
Aaron Kaplan
CERT.at


(*) usually... except for us nerds :)