Australian Police To Go Wardriving, Telling People To Lock Up Their WiFi
from the but,-why? dept
Last fall, we wrote about some plans by the police in Austin, Texas to go wardriving to find open WiFi networks and pressure people into locking up those networks. After a bunch of people got upset about this, noting that open WiFi isn’t a crime, the police backed down. However, it appears other police don’t have any such qualms. As pointed out by Slashdot, police in Queensland, Australia are doing a similar wardriving campaign. The official announcement of the program greatly exaggerates the risk here:
Detective Superintendent Brian Hay said police have identified a large number of homes and businesses within the greater Brisbane area with wireless connections that are not secure or have limited protection. These people may as well put their bank account details, passwords and personal details on a billboard on the side of the highway.
Except that’s really not necessarily true. Banks and most sites that require passwords have long known to make use of SSL encryption. It’s not perfect, but it’s not posting your password on a billboard on the side of the highway by a long shot.
“Unprotected or unsecured wireless networks are easy to infiltrate and hack. Criminals can then either take over the connection and commit fraud online or steal the personal details of the owner. This is definitely the next step in identity fraud.”
That could be true in some cases, but it’s not absolutely true, and plenty of people can be perfectly safe using open WiFi with a few common sense precautions. It’s sad that the police would exaggerate like this.
Filed Under: australia, security, wardriving, wifi
Comments on “Australian Police To Go Wardriving, Telling People To Lock Up Their WiFi”
I would love that
Cops: Your WIFI is open you need to close it.
ME: Great you can do that for me right?
Cops: Nothing to see here we will just move along now.
Re: I would love that
That is just asking for a three-strikes-style law to be put into effect.
Crime Rates
Dang… the supply/demand balance of crime must be off.
Hopefully the cops won’t take up being on the ‘supply’ side as well.
And how much does one want to bet that their own network is very secure?
Is it also the job of the police to have everyone shred their bank statements before throwing them away? It’s nice that they seem to be acknowledging that extralegal steps can be taken to prevent crime, but this also sounds like an extension of the “everything becomes worse if the Internet is involved” meme that governments seem to have taken to using.
Also, ‘secured’ wifi isn’t hard to crack, so .. yeah.
Re: Re:
Indeed…. and WEP is about as “protective” as putting a soggy tissue over one’s bits before sex. Even WPA2 doesn’t present much of a challenge these days.
Re: Re: Re:
I look at it like locking your door that has a glass panel on it. Anyone can break the panel and come in. It’s security via politeness.
It just says “I’m not giving you direct entry here”, as opposed top open that says “Come get your network connection here”.
Re: Re: Re: Re:
Or, if you’re slightly less charitable, this… 🙂
Question Mike, is your home wireless open? How about work?
Re: Re:
Bruce Schneier’s wireless is open.
Re: Re:
I can’t speak for Mike, but I (and some people I know) have an open (throttled) wifi connection with my personal network behind a firewall box that separates it from the open wifi.
It’s the neighborly thing to do, you know?
Re: Re: Re:
Added bonus: the firewall box can double as a honeypot, if you’re so inclined (mine’s a linux box, so I could just let a couple of nasty windoze viruses run about on it as well). 🙂
Re: Re: Re:
Bingo, this is what I had setup previously (and will again soon).
Dual hotspots, one on the public internet, one behind a NAT firewall.
That allows guests, neighbors, and people strolling by to make use of my wifi if they wish.
I do live in a rural area, however, and don’t expect much abuse – if it ever becomes a problem, I’ll use QoS to throttle it.
I really wish it was easy to have an open hotspot which is also encrypted. This would prevent random individuals from snooping traffic from other random individuals.
Re: Re: Re: Re:
Gents,
The issue is silly. In this review of the top ten wifi home gateways:
http://wireless-router-review.toptenreviews.com/
FOUR of the 10 routers offer what they call a “guest network” (under the “Security” heading). This is actually a security feature that allows users to segregate guests from their own LAN.
The guest networks are normally separate SSIDs and login credentials, which allow guest and public access to the Internet, but not the users’s computers or Internet traffic.
And, yeah, I have one and leave it open. Before this was an available feature, I had a separate wifi router that I used for guests.
This police policy is stupid, misguided, and bucks 2 general trends towards securing one’s personal wifi, and overall more available open wifi.
Re: Re: Re:2 Re:
Sorry. Should have written ‘Ladies and Gents’.
Re: Re: Re:2 Re:
Thanks for the link, very useful.
I just happen to have 4 linksys WRT54G’s , one of which I bought years ago, and 3 that were given to me by friends who bought N-routers to replace them. 5 minutes to flash each one with DD-WRT, and…voila!
The More Likely Risk ...
… is they are transferring files between their own machines using insecure protocols like SMB, FTP or HTTP, leaving themselves open to eavesdroppers and man-in-the-middle attacks. As you point out, internet access itself is less likely to be a problem, because on the Internet the security is implemented at the endpoints, the assumption being that the connection between them is going to be insecure anyway.
These people may as well put their bank account details, passwords and personal details on a billboard on the side of the highway.
Except that’s totally fucking wrong. Open wifi is open communication. And maybe, just maybe, I have it open for a reason that’s none of your business, officer.
Now get the fuck out of my office. NOW.
Re: Re:
+2
Re: Re:
Out of interest I ran a packet sniffer on my laptop for the 46 secs it took me to login to my bank account. I was going to make a mock billboard with the data.
According to word I have 11,100 pages of flat text (and of course my password is encrypted somewhere in there) I *can’t fit* that on a billboard.
Get out of my sandbox!!! It’s open for a reason. I want to see how many idiots I can catch!!!
You know, for a smart guy Mike, you often seem to miss things.
If you have an open wireless, chances are equally strong that they still have the default admin password on the device as well. What does that mean? Well, it’s easy enough to change the DNS servers to point somewhere else, creating your (greatly feared) man in the middle attack. You could also gateway all the traffic, and look at it that way as well.
While it’s a pain to do it one wireless at a time, I am sure that a “crowdsourced” wi-fi hack could get tons of people onto an alternate DNS system very quickly in most cities. Let’s break the internet!
We won’t even mention the potential of shared network drives, open computers, and the ability to install viruses and such.
Re: :eyeroll:
If the default wireless router settings are in place; then the router’s settings can only be changed by a computer connected via ethernet cable. (duh)
In short: nuh-uh!!
Re: Re: :eyeroll:
Not 100% true. There’s plenty of places where I go that have unsecured open wifi. I’ve been able to get in the admin settings and look around. Don’t really need to go change anything, but I could if I wanted to.
Re: Re: Re: :eyeroll:
Huh… well it’s been true in my experience.
I’ll keep that in mind though–thanks.
Re: Re: Re:2 :eyeroll:
Actually, you may be correct. None of the routers I connected to had the default pw. They either had the pw set to the same as the SSID, or actually had it as part of the SSID
Re: Re: :eyeroll:
Actually, that’s technically (and probably) only true if all the settings are still at their defaults which means the wireless network wouldn’t be running anyway. If the wireless network is running then it’s possible only rudimentary setup changes were done and it’s entirely possible that the default password is still set and accessible now wirelessly.
On the bigger point, I agree that people taking “proper precautions” have less to worry about but the reality is that most people leaving their wireless network open don’t know how to take the proper precautions and therefore they are at greater risk anyway. I don’t know if I think it’s a wise use of tax dollars to have the cops going around scanning for open wireless networks, unless they have some information that shows that there is a lot of cyber crime which could be prevented by doing so. I doubt that is the case.
Another small point is that I had a new neighbor move in a few months ago and a few weeks ago I got a new cellphone which I was setting up to use my (secured) wireless network. I could see that “mikes” SSID was showing up as an open network so I just happened to mention it to him the next day. It was his first wireless router and he had no idea about the security setup so I helped him do it and he was pretty grateful (to the tune of 3 or 4 beers on his patio). Not everyone is going to feel offended when offered a suggestion to secure their network.
Re: Re: Re: :eyeroll:
I’ll start with a disclaimer – I’m very, very fuzzy on the details of setting up networks.
I’m Australian, and with Telstra, one of the largest ISPs. I’ve never purchased or upgraded my modem/router without it being automatically set up with a WPA/password on it. It doesn’t mean others don’t, but I’ve always assumed they do.
If Australian ISPs set this up out of the box, wouldn’t that mean that those with open wifi have done that out of preference? Or am I just severely confused and ignorant on the matter?
Re: Re:
kchkt.. what? open. varying degrees of ‘open’ shouldn’t be narrowed down into your little world view there chuckchuck.
Doing something like what you’re talking about is a computer hacking crime. Allowing someone to communicate should they fall into range is not.
Re: You know, for a smart guy Mike, you often seem to miss things.
1) If you?re going to make a point, try to make it without coming across as a douchebag, particularly when
2) Your point is stupid anyway.
Re: Re: You know, for a smart guy Mike, you often seem to miss things.
1) The point is that Mike got all pissy about things like SOPA because of the “massive” risk of man in the middle attacks, and yet, he doesn’t seem to see any issue with wide open wireless networks. Seems like an invitation for hackers, crackers, and other naughty people to have a field day. Most people with “open wi-fi” are open because they are clueless about it. They took it out of the box, plugged it in, and turned it on.
2) The point is very important – the best hacks are social or “human nature” type things, and that includes not putting passwords on shared directories in a network, leaving your wireless open, and things like that. It’s a wide open security problem if you are not careful.
I just think it’s funny to read Mike with his panties in a bunch about something in one place, and then glossing over or ignoring the potential in another because it doesn’t suit his agenda. (in case you don’t know, Mike is pro “open wi-fi”, but I doubt his home wi-fi is open… do as I say, not do as I do).
Re: Re: Re: You know, for a smart guy Mike, you often seem to miss things.
Edgar Bronfman Jr., one of the top personnel at Warner Music, was adamant on his stance for severely fining children for music downloads. When asked if his children downloaded his response was that they probably did, and he’d already given them a stern talking-to.
Why is it that Mike’s alleged do-as-I-say-not-do-as-I-do is disallowed but the above confirmed do-as-I-say-not-do-as-I-do isn’t, eh?
Re: Re: Re: You know, for a smart guy Mike, you often seem to miss things.
If you cannot see the differences i feel sorry for you.
In the first case (SOPA, other bad legislation) you have unelected government agents (and/or corporations required to obey them) opening up vast holes in security (and freedom of other kinds). This top-down insecurity would be there despite your best efforts.
In the second you have private citizens, sometimes uninformed, making less-then-optimum security decisions For Themselves. This can be solved with simple information campaigns and is ultimately their responsibility.
See the difference?
and re: human nature “hacks”
I am more worried about the (inevitable) social engineering hack that compromises the bureaucratic machine that inserts itself into the middle of the network then i am worried about the (equally inevitable) social engineering hack that get a virus on Joe Blow’s computer.
Re: Re: Re: You know, for a smart guy Mike, you often seem to miss things.
Mike didn’t get “all pissy about things like SOPA because of the “massive” risk of man in the middle attacks”. He got “pissy” about SOPA because of the HUGE opportunity for abuse, as well as the ignoring of technical problems pointed out and brought up by technical experts (ala THE GUYS WHO LITERALLY INVENTED THE INTERNET), and the problem that SOPA was being railroaded in secret and based upon misinformation.
I think it’s funny that you try and twist every article/thing Mike writes/says into some kind of pro-piracy stance. Despite the fact that he’s adamantly against piracy. There are quotes made by him and easily findable attesting to THIS FACT.
Mike isn’t necessarily pro-open wifi. He just thinks about things from a logical and reasonable perspective if you ask me. What makes more sense? Cops telling people to lock up their wifi (for the obvious reason, they’re not doing it cause they care but because copyright cartels are hammering the point to them and their superiors) or cops actually, you know, solving and preventing legitimate crimes (like actual theft, murders, rape, drug trafficking, etc)?
Also, what you “doubt” and what you “know” are two different things. Unless you have proof that Mike’s wifi is not open, it isn’t “do as I say, not do as I do” in regards to this article or what he’s saying. In fact, it wouldn’t be even if it was closed. Mike has the right to leave his wifi open or closed. That’s his prerogative. But being told by the police to “secure your wifi” when there is no such law on the books mandating such an action is a bit much. As I said, there are better things they can do with their time rather than waste tax payer dollars to go around doing such notifications.
But hey, keep grasping at straws to paint Mike as some something or other. People really believe the comments you make and the points you point out. [rolls eyes] Have a good weekend Trolly McTrollerson. Maybe Monday you’ll get a clue and up your game. Or, you know, get lost. Since you don’t like Mike or his “agenda”. I know when I don’t agree with someone’s stance or what they say, I spend all day every day hounding them (like a stalker) and trying to twist things around on them (futilely). It’s really the grown up thing to do. It sure beats something like… I don’t know… walking away… never visiting a site again… etc.
Re: Re: Re:2 You know, for a smart guy Mike, you often seem to miss things.
How embarrassing that Mike has to send a toady out to defend him.
+ 2 lickspittles and a pat on the head.
Re: Re: Re:3 You know, for a smart guy Mike, you often seem to miss things.
I’m not a Mike toady. In fact, I do on plenty of occasions find myself at odds with what he says in regards to a few things. But in this case, the AC I replied to was making claims that are based on no facts whatsoever and are completely ridiculous based upon easily verifiable information (regarding why Mike got “pissy”).
It’s nice to see how you ACs seem to not be able to understand that some people want facts and evidence that back up your unsubstantiated claims. I see “Mike says one thing and does another” yet no proof being offered to back that up. Which I pointed out.
I also pointed out that if I have a problem with someone, I do the adult thing and avoid them entirely, rather than act like a child/stalker and keep coming back for more and hurling insults/”ha! got ya!” like remarks day in and out.
It’s okay, I know you’re a troll and your comment was the best you can do in general. I wouldn’t expect an adult like reply from you. Do run along now. [doesn’t pat you on the head, because he might catch your stupidity]
Re: Re: Re:2 You know, for a smart guy Mike, you often seem to miss things.
All that, but you still miss the point.
What gets pushed around here? Open up your wireless and making things insecure.
Move to a “darknet” and make things insecure.
Use alternate DNS system and make things insecure.
All this to avoid, ready, the POSSIBLITY that SOPA might have made things insecure.
The cure is worse than the cause, but there isn’t much angst and anger to be had railing against people trying to break the internet (by breaking the DNS into “alternate” DNS systems).
As for “Trolly McTrollerson”, all I can say is that all I am doing is providing Mike’s views back all the in the same place. I feel truly sorry for you if you aren’t able to think for a minute and realize the contradictions in his views.
Oh and for you, while the job of Mike’s bidet is taken by Marcus, toady is still open. I guess that’s your job now.
Re: Re: Re:3 You know, for a smart guy Mike, you often seem to miss things.
No, again, you’re putting YOUR spin on what’s said around here. Nowhere have I read “open up your wireless and making things insecure”. If you have a link to an article or a comment made by Mike saying EXACTLY that, present it.
Nor has it been said, “move to a “darknet” and make things insecure”. What has been said is that censorship and abuse of power by those wanting to control information WILL lead to such a move. But it’s not advocated for or recommended, just merely pointed out that it will be a reaction to such actions (as previously stated).
Ditto the DNS system. You do this, people will do this. Thus creating insecurity in both systems because of measures being advocated and lobbied for in the interest of a select few, at the expense of the many.
And yet again, you’re overlooking the part where the people who created the internet, the security experts who work with the DNS system on a daily basis, etc all said SOPA WOULD HAVE made things insecure. Not possibly. Not maybe. WOULD HAVE. They presented facts and evidence attesting to the fact.
And it was ONLY after the public uproar (not led by Google) that the DNS bits of SOPA were removed. But it should be noted, removed is not the same thing as COMPLETELY TAKEN OFF THE TABLE. They were merely taken away, for the time being. To possibly, although “most definitely” would be the more appropriate term given those behind this, be implemented at a later date.
“The cure is worse than the cause”, interesting choice of words. That perfectly describes SOPA and such measures to combat piracy. They’re not actually stopping the problems or eliminating the reasons for why piracy exist, as has been noted before it is a service problem and an unwillingness to meet consumer expectations or move forward with the times and technology.
You are doing everything but providing Mike’s views back in the same place. You’re portraying Mike’s views only insofar as you think they are and going “aha! got you Mike!” Which is not at all the same thing. I’ve yet to see any contradictions in his views, but as I said, present some evidence. Not what you think or feel he’s saying/doing. Actual verifiable proof. Otherwise, you are acting like a “Trolly McTrollerson”.
Also, I have several jobs, so toady or bidet I can pass on. As I stated once already, I’m not a Mike fan. But I do call out stupidity/incorrect information when needed. Be it against Mike or trolls such as yourself. If Mike’s wrong or I don’t agree with him I’ll say so. But as far as this article and what you’re saying goes, the only one who’s wrong here is YOU.
It must suck to be openly called out for being full of shit. It must also suck hating someone and their views so much that you can’t get enough and obsess over them as much as you do. There are professionals who can help you with that, if need be they can provide medication to further aid with the obvious mental issues you appear to have. Do seek help, for your sake as well as ours. There’s enough loonies in the world already, don’t add to their number (as obviously “too late” as that is).
Re: Re: Re:4 You know, for a smart guy Mike, you often seem to miss things.
Mike supports open wireless:
http://www.techdirt.com/blog/wireless/articles/20100611/1234429783.shtml
In fact, there are plenty of stories on Techdirt about open WiFi (particularly because his co-workers at EFF are very supportive of the idea). As always, Mike uses a few nice qualifying terms to let him weasel out of things, but in the end, he likes open WiFi. He tends to agree with EFF that an opwn WiFi is some sort of service provider, and thus not liable for what happens on the connection. So why not?
He glosses over the fact that inviting someone into your network on THIS side of any firewall is a very insecure idea.
“And yet again, you’re overlooking the part where the people who created the internet, the security experts who work with the DNS system on a daily basis, etc all said SOPA WOULD HAVE made things insecure.”
Actually what was said was that SOPA *might* harm the current iteration of DNSSEC, which is a system which isn’t widely used, and wouldn’t be able to be used universally anyway because plenty of countries already have exception lists, DNS redirects, and the like in place.
Pushing people off onto “off brand” DNS systems, with little or no oversight or control is many times worse than dealing with the current system that we have, which is what SOPA would have left us with. People seem to forget that small point.
“”The cure is worse than the cause”, interesting choice of words. That perfectly describes SOPA and such measures to combat piracy.”
SOPA wasn’t just about piracy, at least not in the music and movie piracy way. It was about companies operating offshore to avoid US law, and purposely selling otherwise illegal products into the US, including pirated and counterfeit goods. The hiding illegal businesses offshore deal is a real issue, and something that will have to be dealt with. Because the speed that many countries deal with these things are VERY slow (if at all), the US is sort of in a position to have to take action at the levels it controls to try to solve the issues.
“You are doing everything but providing Mike’s views back in the same place. You’re portraying Mike’s views only insofar as you think they are and going “aha! got you Mike!” Which is not at all the same thing.”
I point out when Mike’s views don’t add up. I bring them back, and say “look, you can’t have it both ways”. His response generally is dismissive, pointing sometimes to weasel words used, or when really caught, to try to insult me personally.
A couple of guys with laptops, a car, and decent wireless equipment (like an external antenna on the car) could wander around town, modify wireless units, and quickly set up a pretty solid man in the middle attack system without anyone noticing. Don’t you think that is something to be concerned about?
Re: Re: Re:5 You know, for a smart guy Mike, you often seem to miss things.
I’m guessing you’re doing it deliberately purely because so you don’t like Mike so you won’t care about the distiction but:
Open WiFI != Insecure network.
I have open WiFi on my home connection and it’s very secure thankyou.
And:
2 (obvious) things on this one:
1/ Open WiFI != to insecure wireless access point. Conflating the 2 is either deliberately obtuse or you have no clue how the technology works. and
2/ If they are skilled enough to set up such an attack then a “secured” wireless connection is going to present little more challenge than an open one.
Re: Re: Re:5 You know, for a smart guy Mike, you often seem to miss things.
So I guess you missed that part of the article where Mike wrote the following:
“Finally, a side note, because this has come up before from commenters who think that I’m being inconsistent: supporting open WiFi does not mean that you support individuals not protecting themselves when using the open WiFi. In past threads, it was suggested that supporting open WiFi while pointing out how silly it is for people to complain about their own poor security habits was in disagreement. It is entirely reasonable and consistent to support open WiFi (at the access point level) while suggesting that individuals (at the user level) encrypt their own data. In fact, that’s quite a useful situation: more open WiFi, but security at the user level, is really a situation that works best for everyone.”
So, from what I read in that article you linked to, that DID NOT AT ALL support any of what you’re claiming against Mike, is that the use of open WiFi was illegal, but setting up open WiFi, in Finland at least, was perfectly okay. With Mike commenting on it, then pointing out that there’s nothing wrong with having an open WiFi access point, but if you’re going to do so, there’s nothing wrong with making sure you’re secure.
“He glosses over the fact that inviting someone into your network on THIS side of any firewall is a very insecure idea.”
No, he doesn’t. At all. He says in that same article that you can have open WiFi, but “encrypt your own data”. I.e. make sure YOUR stuff if safe, if you do decide to do so (have an open WiFi connection that is).
“Pushing people off onto “off brand” DNS systems, with little or no oversight or control is many times worse than dealing with the current system that we have, which is what SOPA would have left us with. People seem to forget that small point.”
No one was pushing anyone onto “off brand” DNS systems. Which is a point you seem to be thinking Mike was making. It wasn’t. Mike merely pointed out in a few SOPA related articles what would potentially happen if the U.S. can do as it wants and force censorship to become commonplace. People would move onto other DNS systems. Think of it like this. I’m going to put it very simply, for you. You’re a business owner. You run a restaurant. You act like a douchebag. Constantly. I get tired of your stupidity and rudeness and thinking you can treat your customers as you please. I take my business to the place down the street that serves up a much broader menu, at the risk of knowing it may not be as clean. That’s my choice. But a choice, acted upon due to YOUR actions. Perfect 1:1 example? No. But it’s as simple as I can make so you might understand. No one is promoting going to other DNS systems. Such systems MAY be insecure. Emphasis on MAY. But, it will happen and people will move to avoid such totalitarian control on the part of one country and a few special interest groups.
“SOPA wasn’t just about piracy, at least not in the music and movie piracy way. It was about companies operating offshore to avoid US law, and purposely selling otherwise illegal products into the US, including pirated and counterfeit goods. The hiding illegal businesses offshore deal is a real issue, and something that will have to be dealt with. Because the speed that many countries deal with these things are VERY slow (if at all), the US is sort of in a position to have to take action at the levels it controls to try to solve the issues.”
SOPA was specifically about piracy. Trying to throw in the counterfeit good portion was BS. There are already laws in place to deal with such things. You say Mike uses weasel words, you and the people you support do the same (if not more so than anyone else). Be men, stand by your position. Don’t be afraid. We get it. You hate piracy. So just be up front about it. SOPA WAS about piracy, pure and simple. Anything else was just thrown in to say “nuh uh… but counterfeit goods…”
The long and short of it is the U.S. is not the world. It might be a big part of it in some ways, but the other countries can decide for themselves what laws they need or do not need and what is or isn’t illegal. “They act too slow.” Boo fucking hoo. That’s their prerogative. Let them deal with whatever is taking place IN their country and we’ll do the same. Overreach wins you no friends and turns the ones you do have on you. The people were complacent up until SOPA. The minute they realized the internet, which is a world thing and is great at the moment in it’s openness was under attack, they let it be known they wouldn’t stand for such a thing. Look what happened. SOPA shut down, for the time being.
“I point out when Mike’s views don’t add up. I bring them back, and say “look, you can’t have it both ways”. His response generally is dismissive, pointing sometimes to weasel words used, or when really caught, to try to insult me personally.”
No, again, you don’t. You try and point out when Mike’s views don’t add up, and go “aha!” That’s what you constantly do. Mike has called you out on this and so have a number of others, myself included. Mike doesn’t want things both ways, in regards to anything. But you try and conflate his position on one thing with his position on something else and, again, say “aha! but what about your previous stance on THIS Mike?!” That’s what you do. I’ve seen him ask you, assuming you are who you obviously seem to be, for proof of this or that or to explain yourself and you weasel word your way out of it as well. You expect more from Mike than you’re willing to offer of yourself. And it is for that that you get called out and insulted. Besides, if you don’t want to get personally insulted, maybe you should stop acting like such a troll/jerk. You’re personally taking shots at Mike and what he says and saying “weasel word his way this and that”. Guess what? That’s you making personal insults, although you try to make it appear like you’re not. Essentially insulting someone, but weasel wording your way through it so it doesn’t seem like you are. As I said, you’re either trolling/obsessing/etc. But you’re in no way acting like an adult/reasonable/respectful/logical.
“A couple of guys with laptops, a car, and decent wireless equipment (like an external antenna on the car) could wander around town, modify wireless units, and quickly set up a pretty solid man in the middle attack system without anyone noticing. Don’t you think that is something to be concerned about?”
No. As someone else said, those same couple of guys could do the same thing to even a secure connection. I don’t see you acknowledging or even pointing out that. Maybe we should do away with WiFi entirely, since you’re so concerned about the safety regarding it and man in the middle attacks. Heck, I can launch a man in the middle attack FROM MY CELL PHONE. And do so to secured connections easily. Maybe we should warn of the perils of people with smartphones. Everyone, for the most part, has one. Heck, there’s millions of potential man in the middle attacks from that alone.
Either way, you’re overlooking the important part, yet again, where the police are wasting time telling people to close their WiFi when they could be solving real crimes. And doing so, just to attack Mike’s positions/statements. Not because it appears you care one way or another. Because if you did, you’d acknowledge my previous bit and be calling for a flat out end to WiFi in general. If you’re so concerned and worried about the safety of other’s information that is.
Re: Re:
“If you have an open wireless, chances are equally strong that they still have the default admin password on the device as well. What does that mean? Well, it’s easy enough to change the DNS servers to point somewhere else, creating your (greatly feared) man in the middle attack”
Strictly speaking, a DNS hijack is not a man in the middle attack. Additionally, I think you meant to say that it would be easy to change which DNS server(s) the gateway looks to for address resolution.
Oh yeah – and wth does “chances are equally strong” mean? Is this some bizarro form of statistical analysis?
Re: Re: Re:
You can change the DNS servers, and create a man in the middle attack by routing normal site requests through a portal in that manner. It’s the easiest way to “break” someone’s computer, by having common sites like facebook, cnn, twitter and such first go through another system first, and it is most easily achieved at the router level by changing the DNS servers… thus creating a man in the middle type deal.
The alternate is to change the gateway entirely, but that would mean all traffic would go through the new gateway, which is less desirable, just from the standpoint of volume.
Re: Re: Re: Re:
“You can change the DNS servers”
Sure, I suppose you could. But lacking proper credentials, changing configuration of a well secured DNS server is no small task. For example, I imagine Google protects their DNS servers rather well. Where do you point your gateway – or maybe you run your own DNS?
“most easily achieved at the router level by changing the DNS servers… thus creating a man in the middle type deal.”
Changing the address of what DNS server the gateway looks to for address resolution is not a man in the middle attack.
Re: Re: Re:2 Re:
No it’s not. But what I think he was attempting to get at is that most home routers forward DNS requests on to whatever DNS the ISP offers them.
Change the DNS server addresses on the router and you could point at a different malicious DNS server that for example happens to define “whatevermybankis.com” to point at an address that’s actually a pass-through proxy that’ll capture the traffic on it’s way to a legitimate website. Yes it’s not quite that simple – certificates etc – but it’s a faily powerful attack vector.
Of course, none of that has anything much to do with open wifi as such as we’re talking about a router change, which is a completely different thing as you rightly pointed out.
Many routers, including mine, now have guest wireless options which easily allow you to share an open wireless network while maintaining your own security.
it’s gonna end up as a way for the police to blame individuals if something does happen. we all know the rules, if the buck can be passed, pass it!
Re: Re:
Maybe but right now it is likely naught more than the entertainment bunch complaining so loudly that the police are being directed by loud squeaky fuckers.
In 6 months to a year, the article will read, “Police in Australia driving around arresting people with open networks”.
Give the police a break!
Average Joe or Jane, who don’t have secured wireless because some inept but techy nephew/niece set it up, probably don’t have AV or auto-update turned on, possibly have an incorrectly configured firewall and have admin access to their PC but not password protected. They are a prime target for malicious war-driving. Surely Joe and Jane need to be pointed in the right direction. What the police are doing is better than nothing. The rest of us can look after ourselves – and perhaps think of ways to help Joe and Jane.
Re: Give the police a break!
Locking up and securing are separable. The ability to connect to a network is a courtesy, an oversight or a service. Perhaps if the police were educating with a nice note about “your network has been discovered as open, if this is not intentional please take steps to remedy this otherwise please remember to take steps to secure your computer and data from prying eyes.”
The police do not deserve breaks, they deserve education.
Re: Give the police a break!
Ever tried it? In a corporate environment where the senior management theoretically cares about data security it still takes months if not years to change insecure behaviours and that takes regular attention. Wandering up to the door and saying to someone who knows nothing about computers “Oh you should have a password on your WiFi” is very firmly in the “Window dressing and pointless waste of police time and taxpayer money” category.
huh, you sure this is a new episode? i remember this story on /. a year or three ago.
Mostly right
When WiFi is insecure, 99.9% of the time, the router’s password is the factory default. Nothing to prevent you from changing to DNS servers to something else. Most users studies show don’t know SSL from non-ssl (this is the primary principle behind phishing these days). So attacks are trivial once that’s done.
Heck there are even viruses that spread this way.
More than likely though you can get bank info indirectly… many email accounts, especially businesses are insecure and use POP/IMAP or SMTP without SSL. It’s pretty much the norm for small businesses using shared webhosting to get @yourdomain.com email addresses. Needless to say, sniff and gain access to the email address, and that’s effectively key’s to the kingdom.
Bottom line: don’t use insecure WiFi if you care about your security.
Re: Mostly right
“When WiFi is insecure, 99.9% of the time, the router’s password is the factory default.”
89.9 percent of all statistics are made up on the spot.
Re: Mostly right
“Bottom line: don’t use insecure WiFi if you care about your security.”
Well… duh
The question is how you legislate this kind of knowledge. The basic answer is: you can’t. Even if people with insecure connections “secure” them, they’re likely to pick WEP encryption or easily guessed/hacked passwords so you’re back to square one, only with an added false sense of security on the user’s part…
Its the MAFIAA again!
It seems most likely to me that the copyright trolls/big media etc. are pushing this in order to eliminate or weaken the “someone else must have been using my wifi” defense when accused of file sharing or downloading. It would be interesting to examine the police forces in question re their involvement with MAFIAA groups.
Don't they have anything better to do?
“It’s sad that the police would exaggerate like this.”
No, what’s sad is that a bunch of violent crimes will go unsolved because cops are wasting time checking peoples wi-fi!
security
If security through obscurity is all you have, then you have no security.
The world is coming to fascism again.. oh wait!
Most people who have their wifi open either
A: Use devices that either don’t support encryption or don’t work well with encryption (unfortunately, this is a very common problem. The Microsoft Zune, among many other devices, don’t properly support wifi encryption. They either forget the password often or it’s difficult to insert the password or it just won’t work if the password is too long or complicated, they just barely support WPA just enough to advertise that they do on the box but it doesn’t work well)
B: They’re technically clueless
For A: most new routers have a button that lets you turn on and off wifi, the older ones require you to login through the web interface which is too much of an inconvenience for most.
and people who buy a device that advertises WPA support and doesn’t work well with it should either demand the manufacturer fix the problem (via an update) immediately (before the return policy ends, obviously, which doesn’t give them much time, but hey, if we get a short return policy they get a short time to fix the problem before we return it, it’s only fair) or take it back (and sue the heck out of them if the problem isn’t fixed and they refuse to take it back on grounds of false advertising).
For B: I do think educating people about their wifi insecurity and the potential risks is a good thing, and letting them decide, but I’m not sure if it’s really worth the resources and taxpayer money expended on having the government do it. The service is a good one, but so is universal healthcare and so is a government that gives everyone free housing and free medicine and free cars and free everything, is it worth the cost? Is it the governments responsibility? That’s for society and us, as voters, to decide.
Re: Re:
Maybe a better, more efficient, solution than having (mostly clueless) police driving around wasting taxpayer money chasing open wifi spots is for students to be taught this stuff either in grade school or high school as a requirement. Teaching them the risks of unencrypted wifi and how to encrypt it and various password dynamics and the logic behind these dynamics shouldn’t be too difficult.
Unfortunately, much of what is taught in school is lacking in what is needed in the real world of today. (Public) schools are very slow to adopt new curriculum to accommodate (technological and other) changes in the real world. So, in a sense, we could consider it the governments job to educate people, but I don’t think having cops drive around and harassing people with open wifi is the best approach to this end. We should incorporate our educational strategy in our existing educational system.
Re: Re:
and for A, I would rather law enforcement focus their efforts on forcing device manufacturers who advertise WPA support to make sure that these devices work properly with WPA or else sanction them for false advertisement. That’s better than what law enforcement is doing in the OP. Many people who get a device that doesn’t work well with encryption will just decrypt their wifi, at least for the time that they need to use the wifi with that device.
Re: Re: Re:
false advertising *
Re: Re: Re:
I agree with you on this. Manufactures should be required by law to enable at least some form of encryption on new wireless devices, and that there should be no simple way to make them “open”. While some here will argue that all encryption of this type can be broken, it’s the same to me as closing and locking the door to your house. Yes, a determine thief can still break in and steal your stuff, but for the most part people will respect it.
Re: Re: Re: Re:
“Manufactures should be required by law to enable at least some form of encryption on new wireless devices, and that there should be no simple way to make them “open”.”
How would that work – exactly?
Re: Re: Re: Re:
Because the government has such a fantastic track record of determining what’s secure? Or what one would define as “no simple way”?
So what you’d get out of such an attempt would be the usual mish-mash of poorly understood concepts and knee-jerk stipulations that have little to do with real security and make it harder for genuine uses. E.g. most hotels and other “guest” uses are unencrypted but use a portal-type authentication to use the service. Can you see a law coping well with the concept of network segmentation? I can’t.
Re: Re: Re:2 Re:
Hotels and apartments perhaps as well.
Re: Re: Re:3 Re:
(not to mention schools)
Re: Re: Re:4 Re:
(libraries, etc…)
Re: Re: Re: Re:
“I agree with you on this. Manufactures should be required by law to enable at least some form of encryption on new wireless devices, and that there should be no simple way to make them “open”. “
No, this is not at all what I am suggesting.
A: It will lead to all sorts of compatibility issues, especially backwards compatibility, but compatibility in general. Encryption is already a mess.
B: Someone may wish to broadcast a LAN in the open for anyone to access, a LAN that has no access to the Internet, perhaps because they put data on a network drive that they want anyone to be able to access. It could be for an event where information about the event and videos are available, there could be all kinds of non-infringing reasons for this.
C: Businesses and some people may have negotiations with their ISP’s that enable them to share internet connections with the general public.
Harbinger....
” being told by the police to “secure your wifi” when there is no such law on the books mandating such an action”
I won’t be surprised when such a law is proposed. And what of free public wi-fi then? What about people who don’t have a credit card or “credentials”?
What do the copperz do when by chance they happen upon an SSID which they find offensive?
Does anyone know what software they will be using for this task? Also, do they make their own directional antenna?
Re: Re:
For the software.. take your pick from here http://www.wardriving.com/setup.php
They will be mostly using WIN and *nix systems with commercial antennas. Knowing QPS I’d even guess they might have some hand held scanners (ie:Android systems).
and if they Find an SSID they find offensive they wont do anything since most “offensive ones” are from people who are normally tech savvy in first place.
Mine is “FRED_Unwired” at home.. FRED = Fucking Ridiculous Electronic Device
Ok for clarification I am Australian and like most Police Community drives in this country, this is more to inform and educate than anything else.
The Queensland Police are NOT going to go around fining people, or somehow making them do what they legally do not have to do.
All they are doing is informing the wider community who might not be as technology savvy as they should be that unless they specifically choose to have an open WIFI that it could be a cause for concern.
Also they will be educating people on the uselessness of WEP encryption (most Android phones can decrypt WEP in under 5mins now).
It is part of a National Consumer Fraud Week campaign and not some sinister plot by some nefarious authority to tell people what they can or cannot do.
In Australia we have numerous campaigns like this at the state and federal levels and the community likes and supports them, and their are NO civil liberty problems with them.
Re: Re:
You’ll have to forgive us not being as trusting the motives considering the actions of the **AA’s during this time as well. Much of the concern over this would have been dispelled had they published a copy of the note they plan to drop off. Remember in the US they were pushing SOPA/PIPA as laws to just protect truck drivers and florists….
This could be contributing to the concern…
http://boingboing.net/2012/03/22/australias-government-wont.html
Re: Re: Re:
That article by BoingBoing (and Glynn being quoted by BoingBoing is awesomeness *grin*) is all based on an Article originally By Renai LeMay from Delimiter which I commented on and supplied an update about how one Senator has asked for release under Senate order… Not good for our Lower House & current Govt (think congress + president).
SOPA/PIPA and IP/Copyright review has no relevance whatsoever to what the Police are attempting as an educational campaign in regards to the Fraud, Phishing and unauthorised usage that can occur by people unknowingly allowing their WIFI connections to be unsecure.
I guess its a difference in both our countries cultures.. For example we agree on the following that the US doesn’t in regards to Govt and LEOs
* major advertising restrictions on alcohol
* mandatory (and criminal sanctions) on wearing of vehicle seat belts
* NO advertising of tobacco products in any way
* Tobacco products have huge warnings (graphical imaging too) on packaging
* We had major AIDS advertisements in 90’s that scared everyone into practicing safe sex. ie: Wear condoms
* Our kids are actually taught sex education from a early age in state schools
* Educational campaigns by LEO’s and Governments are asked for constantly and the governments actually spend a lot of time, money, and resources to mostly get them correct, unbiased, and relevant to the situation. Minority gorups like Religions etc be damned.
It’s not always a conspiracy here, though I agree the situation with the FOI and secret talks with ISPs/Industry is of a concern, I am actually pessimistic that it will all come out in the end since people like myself (who played a role in bringing down the last idiotic *AA attempt at litigation by Media Rights Group in Australia – I’m the Thompson in the article) are constantly looking over their shoulder in both a professional and personal manner. ie: We try to keep the bastards honest. I said try! 😉
Re: Re: Re: Re:
Damn, it took two days to look at this comment since it was somehow sent to the moderator to look at queue.
Whats up with that Mike, It’s not like it was a weekend and you all have Lives outside of Techdirt or something.. I mean sheesh.
*runs now*
Re: Re:
No surprise that Masnick’s paranoid ravings are unsupported by fact.
Re: Re: Re:
Except, of course, that if you read the article Mike’s not saying anything of the sort. He simply states “Queensland police are going around telling people to lock up their wifi and are using some shaky facts as justification”. Nowhere in his article does he suggest that encryption is to be enforced, and the criticism is about the justifications they’re giving, rather than the actions themselves.
But, hey, why let facts get in your way of another pointless personal attack, right?
Re: Re: Re:
They are not paranoid if you place it in the vein of what the USA is currently trying to do with certain State based LEO’s etc and moralistic campaigns.
Credit
Give people some credit …. they’re not stupid! . These Cops have nothing better to do with their time?
Canadian doors...
You don’t see the police driving around and trying to open every door and then force you to lock it.
Re: Canadian doors...
ok, it’s a bad analogy. Better if I’d written ‘curtains and police able to see into your living room.’. If you have your bank PIN number or safe combination in plain sight that’s your problem.
I wonder if all those berating the Police would feel the same if their MAC/Laptop/PC were hacked and they had their Bank Accounts emptied or their I.D. Stolen.
We know most end users don’t have a clue about setting up security on their systems, including their WiFi and only the Geeks and Techno know and understand how to set it up to create security whilst still being able to allow others to make use of their WiFi.
Maybe the Police are trying to get the point across that these days, the burglar doesn’t need to enter your home to steal all your personal information if you are leaving a ‘Digital’ door open?
It is all part of New World Order.
Response to: Anonymous Coward on Mar 23rd, 2012 @ 3:17pm
I just wish more people would USE that option instead of hogging their router all to themselves! It’s not like I would download a billion gigabytes of kiddie porn and throttle the connection and get them arrested, I just want to view some Websites!
and whats yout POINT
I. Don’t. Live. There
and whats yout POINT
I. Don’t. Live. There