[wsfii-discuss] Fwd: [india-gii] poor WiFi encryption a security risk

Ramon Roca ramon.roca at guifi.net
Tue Sep 23 10:53:39 UTC 2008


Average people are used to dealing with risks in their daily life.

If you refuse to deal with any risk at all, you can't even go out of 
your home: you might have a traffic accident, a plane can crash, someone 
can steal from your pocket on the streets... etc. So you will simply 
become sick with paranoia.
Technology doesn't make a difference at all, and can develop best 
practices, make them available to the users, but those practices should 
not compromise people's accessibility to open networks; they have to be a 
complement. Prohibiting people from being on the streets and therefore 
exposed to others will never be a good solution. And on the streets you 
might like to do tons of things which you consider don't 
expose you to an unreasonable risk you can't afford.

Ms. Palin, as a Governor, or Bin Laden should be much more concerned 
while exposed to the public, or not, but that's their problem, not the 
average person's problem. So that depends on who you are and what you do, 
but it is wrong to talk in general terms because of Ms. Palin's or someone's 
personal concerns.


wlanmac wrote:
> What is considered trivial *enough* to do on an insecure LAN? I'd argue
> that most people get on-line to check e-mail. Well, you get your e-mail
> hacked, and you have all kinds of problems. Just ask Gov. Palin :)
>
> This also doesn't address the fact that most people have their computers
> set up for a relatively secure LAN (often for home or office). So, they
> might have a file share or other services running which can be exploited
> easily on an insecure LAN. And, like my mom, whose office IT staff set up
> her computer, *she* wouldn't really know about that risk... 
>
> In fact, I'd argue that things become less trivial when you add
> 'location awareness'. So, even an attacker 'listening' into a seemingly
> innocent chat might learn someone is leaving for (or on) vacation, their
> address, or even phone number. They might even be able to look around
> and pick out the "target". That is a little more threatening (in my
> book) than someone doing something similar from China... 
>
> Yes, it does all come down to ease of use. We make ease of use decisions
> every day. Some reasonable, some probably bad. My underlying fear is
> that we are asking people to use WiFi more, without really understanding
> the *increased* risks. As things like city wide networks roll out, more
> people who normally don't take their computers off their "secure" LANs
> will start connecting. So, the problem *will* get worse. 
>
> I totally agree that people should be taught to better protect
> themselves in general. But, doing so by increasing their risk isn't
> really doing them any favors.. 
>
> I wonder what kind of law the US will pass when the first big organized
> crime ring is busted (take your pick of crimes: harvesting personal
> information, cracking other visitor computers, launching Internet crime
> attacks, sending massive spam, or swapping child pornography). 
>
> I know, I know... you will not stop these things. But, that doesn't mean
> you should make them easier to do and less traceable (well, it is
> traceable, just likely to the wrong person). 
>
> BTW, thanks for letting me be the Devil's advocate in having this
> discussion. :) 
>
>
> On Mon, 2008-09-22 at 21:13 +0200, Ramon Roca wrote:
>> We don't have to expect that your mom, like any other average user, knows 
>> about WPA/IMAP or whatever TLA we do use.
>>
>> However, be sure that they can distinguish between having to take care 
>> while doing things like giving credit card information to someone and 
>> doing something trivial which doesn't require any protection at all, so 
>> to do certain things they have to do in a way which they know is 
>> trusted, and if they don't know and there is a potential risk, don't do it.
>>
>> Common sense.
>>
>> wlanmac wrote:
>>> I agree that these are valuable lessons, and that people are learning
>>> them to some degree. I'm not saying people are too stupid to know about
>>> the increased risk of insecure WiFi. They read about it in the news and
>>> perhaps have taken available precautions (like WPA at home). 
>>>
>>> However, I do think it is too much to expect your average user to know
>>> what to do about it. Those of us with IT skills, access to IT support
>>> staff, or the money to spend on personal firewall and VPN software and
>>> services have some options... what about everybody else? 
>>>
>>> If I asked my mom whether or not she is using POP or IMAP and if it goes
>>> over SSL, she would have to call Dell support to ask. Yet, she is
>>> expected to know how to protect herself on an insecure LAN? Her only
>>> realistic options are to either ignore security concerns or to not use
>>> the network at all. Somehow I doubt most WiFi operators promote that
>>> last option in their literature :)
>>>
>>>
>>>
>>> On Sun, 2008-09-21 at 22:52 +0200, Ramon Roca wrote:
>>>> wlanmac wrote:
>>>>> What is the lesson we are hoping to teach people?
>>>>>
>>>> Very simple,
>>>>
>>>> Teach the people to distinguish between a private network, and the 
>>>> public networks.
>>>>
>>>>     * Private networks very likely should be protected.
>>>>     * At public networks, others can be listening, so depending on what
>>>>       you are doing, users might want to encrypt their communications.
>>>>
>>>>
>>>> Same logic as internet or many other things. Quite understandable.
>>>>
>>>> What's wrong is to be under the assumption that people are stupid.
>>>>
>>>> _______________________________________________
>>>> wsfii-discuss mailing list
>>>> wsfii-discuss at lists.okfn.org
>>>> http://lists.okfn.org/mailman/listinfo/wsfii-discuss




