[wsfii-discuss] Fwd: [india-gii] poor WiFi encryption a security risk

wlanmac wlan at mac.com
Tue Sep 23 05:15:40 UTC 2008


What is considered trivial *enough* to do on an insecure LAN? I'd argue
that most people get on-line to check e-mail. Well, you get your e-mail
hacked, and you have all kinds of problems. Just ask Gov. Palin :)

This also doesn't address the fact that most people have their computers
set up for a relatively secure LAN (often for home or office). So, they
might have a file share or other services running which can be exploited
easily on an insecure LAN. And, like my mom whose office IT staff set up
her computer, *she* wouldn't really know about that risk...

In fact, I'd argue that things become less trivial when you add
'location awareness'. So, even an attacker 'listening' into a seemingly
innocent chat might learn someone is leaving for (or on) vacation, their
address, or even phone number. They might even be able to look around
and pick out the "target". That is a little more threatening (in my
book) than someone doing something similar from China... 

Yes, it does all come down to ease of use. We make ease of use decisions
every day. Some reasonable, some probably bad. My underlying fear is
that we are asking people to use WiFi more, without really understanding
the *increased* risks. As things like city wide networks roll out, more
people who normally don't take their computers off their "secure" LANs
will start connecting. So, the problem *will* get worse. 

I totally agree that people should be taught to better protect
themselves in general. But, doing so by increasing their risk isn't
really doing them any favors.. 

I wonder what kind of law the US will pass when the first big organized
crime ring is busted (take your pick of crimes: harvesting personal
information, cracking other visitor computers, launching Internet crime
attacks, sending massive spam, or swapping child pornography). 

I know, I know... you will not stop these things. But, that doesn't mean
you should make them easier to do and less traceable (well, it is
traceable, just likely to the wrong person). 

BTW, thanks for letting me be the Devil's advocate in having this
discussion. :) 


On Mon, 2008-09-22 at 21:13 +0200, Ramon Roca wrote:
> We don't have to expect that your mom, like any other average user, knows 
> about WPA/IMAP or whatever TLA we do use.
> 
> However, be sure that they can distinguish between having to take care 
> while doing things like giving credit card information to someone and 
> doing something trivial which doesn't require any protection at all, so 
> to do certain things they have to do in a way which they know is 
> trusted, and if they don't know and there is a potential risk, don't do it.
> 
> Common sense.
> 
> wlanmac wrote:
> > I agree that these are valuable lessons, and that people are learning
> > them to some degree. I'm not saying people are too stupid to know about
> > the increased risk of insecure WiFi. They read about it in the news and
> > perhaps have taken available precautions (like WPA at home). 
> >
> > However, I do think it is too much to expect your average user to know
> > what to do about it. Those of us with IT skills, access to IT support
> > staff, or the money to spend on personal firewall and VPN software and
> > services have some options... what about everybody else? 
> >
> > If I asked my mom whether or not she is using POP or IMAP and if it goes
> > over SSL, she would have to call Dell support to ask. Yet, she is
> > expected to know how to protect herself on an insecure LAN? Her only
> > realistic options are to either ignore security concerns or to not use
> > the network at all. Somehow I doubt most WiFi operators promote that
> > last option in their literature :)
> >
> >
> >
> > On Sun, 2008-09-21 at 22:52 +0200, Ramon Roca wrote:
> >> wlanmac wrote:
> >>> What is the lesson we are hoping to teach people?
> >>>
> >> Very simple,
> >>
> >> Teach the people to distinguish between a private network, and the 
> >> public networks.
> >>
> >>     * Private networks very likely should be protected.
> >>     * At public networks, others can be listening, so depending on what
> >>       you are doing, users might want to encrypt their communications.
> >>
> >>
> >> Same logic as internet or many other things. Quite understandable.
> >>
> >> What's wrong to be under the assumption that people are stupid.
> >>
> >> _______________________________________________
> >> wsfii-discuss mailing list
> >> wsfii-discuss at lists.okfn.org
> >> http://lists.okfn.org/mailman/listinfo/wsfii-discuss