Public WiFi - is it really a good idea?
seriously, i'm not trying to be tinfoil hat, here, but i see so many places cropping up with free wireless internet, inviting you to log in with your laptop, but aren't ALL of these hotspots insecure since NONE of them ask for a password? i cringed when i walked into coffee shops and saw 15 people all working away on a coffee shop router after hurricane katrina, knowing full-well that they were slinging back and forth precious info like social security numbers, insurance policies, e-mail passwords and the like, all of it accessible with not much effort for anyone nefarious to do so.
and i heard that, in order to counter the widespread loss of communications infrastructure in new orleans, you'll have city-wide wifi. i am assuming that will be UNencrypted wifi, right? i mean, how could it not?
if there's some sort of technical wizardry at work here i'm not aware of, i'd appreciate it if someone let me know. otherwise, the only thing i'll be using my laptop to surf in public is the usual -- porn.
and i heard that, in order to counter the widespread loss of communications infrastructure in new orleans, you'll have city-wide wifi. i am assuming that will be UNencrypted wifi, right? i mean, how could it not?
if there's some sort of technical wizardry at work here i'm not aware of, i'd appreciate it if someone let me know. otherwise, the only thing i'll be using my laptop to surf in public is the usual -- porn.
Comments
Originally posted by rok
seriously, i'm not trying to be tinfoil hat, here, but i see so many places cropping up with free wireless internet, inviting you to log in with your laptop, but aren't ALL of these hotspots insecure since NONE of them ask for a password? i cringed when i walked into coffee shops and saw 15 people all working away on a coffee shop router after hurricane katrina, knowing full-well that they were slinging back and forth precious info like social security numbers, insurance policies, e-mail passwords and the like, all of it accessible with not much effort for anyone nefarious to do so.
and i heard that, in order to counter the widespread loss of communications infrastructure in new orleans, you'll have city-wide wifi. i am assuming that will be UNencrypted wifi, right? i mean, how could it not?
if there's some sort of technical wizardry at work here i'm not aware of, i'd appreciate it if someone let me know. otherwise, the only thing i'll be using my laptop to surf in public is the usual -- porn.
I never understand the real problem in this regard. I use free broadband in all of these places as well as airports and other public spaces. The office next to mine at work (a separate business) has given me permission to use their wireless connection because the IT group where I work won't allow it and won't allow my Mac to access the network.
It's not like you are seeing anyones hardrive or they are seeing yours. As long as you aren't allowing sharing from your machine, what is the real issue?
Maybe if someone is really sneaky, they could do something but I've never seen it or heard it.
Our IT people get paranoid about it but they have never given me a reason. They just blankly say it ain't gonna happen.
Otherwise, I've spent many interesting hours watching what other people are browsing using EtherPEG in public areas.
Really fun sometimes.
Originally posted by Cake
Probably, there is no one trying to capture your traffic, but if you're freaked out just use a proxy.
Otherwise, I've spent many interesting hours watching what other people are browsing using EtherPEG in public areas.
Really fun sometimes.
Now that is interesting. You can see what they are browsing. Do you have access to anything else or just to what they are doing on the internet? If I access my company email via Microsoft Web Outlook, do you see my password login? Can you read my email along with me or just know what site I am on?
I just looked up etherpeg. Appears you can only see jpegs and gifs that fly by. Is that true? No text? No passwords?
Originally posted by kcmac
Now that is interesting. You can see what they are browsing. Do you have access to anything else or just to what they are doing on the internet? If I access my company email via Microsoft Web Outlook, do you see my password login? Can you read my email along with me or just know what site I am on?
yeah, i remember etherpeg being touted at machack one year. totally forgot its name, but i remember it just snagged random unencrypted stuff out of the air at the machack, and got a round of applause as a result.
my concern is that, if it's that easy to spy on packets in the air by someone just goofing around, then it can't be THAT hard for the semi-motivated to grab even more information from people at completely unencrypted coffee shop "we just bought a router and attached it and put up a sign, what do you mean security or password?' places.
for me at home, i have a bit more peace of mind knowing at least my stuff to and from my router is WEP encrypted, which would take a SERIOUSLY dedicated hacked to get at. sure, it could probably be done, but i'd say that's the minimum amount of security to expect from a wireless network.
Originally posted by kcmac
I just looked up etherpeg. Appears you can only see jpegs and gifs that fly by. Is that true? No text? No passwords?
Exactly. Just pictures overlapping one after another.
Google it or use FireProx, MultiProx etc.
At public wifi spots it goes out as basically plain text for anybody to intercept unless it is sent and received in an encrypted form.
Originally posted by Cake
So rok, you really don't know anything about using proxies?
Google it or use FireProx, MultiProx etc.
no, i don't, but i will look it up now that i've got a direction to start, but my point of my original post still stands... i consider myself pretty savvy, yet don't know how to keep my access to public hotspots fairly under wraps. there is absolutely NO WAY Joe/Joanne Consumer knows how to, or would even know where to start. So all their info is still fair game.
And more importent how would it work on my setup: Airport Express and some computers attached. What would I be able to see: All pictures recieved over the Airport Express?
And what exactly does it need to know to be able to work? The IP of the Airport Express? And how do I give it that info?
I think that the natural progression of events will be this:
1) Wifi spreads like crazy in public places
2) Credit card, password, and identity theft become a serious problem for those who use public access points
3) The companies with a major stake in this start investing resources in something they should have done years ago--developing a secure wireless protocol.
You would have to worry about email transmissions as almost all emails are sent in plaintext formats. I think easy to use public key encryption needs to be marketed so more regular people use it in an automatic way. Especially now here in the US when you just don't know what information the gov't is snagging on you.
If only a minority of people use encryption tech. then that gives the gov't specific targets of interest. But if encryption became used by everyone, then people who want privacy won't be bulls-eyed by the gov't.
Originally posted by PBG4 Dude
Credit card, password & identity theft will only occur if people are using unencrypted (read: non-SSL) websites when transceiving their data. Even on an unencrypted public wireless network if you log onto your bank's secure site, all transactions will be encrypted.
Good point. I suppose that outright spying is probably the much bigger concern.
Originally posted by Duckspeak
Good point. I suppose that outright spying is probably the much bigger concern.
I would be worried more about unencrypted email. If you put together important deals for your company, it wouldn't be a big deal for a competitor to try and snag emails you send while out of the office. They might get enough data to beat your best deal and increase their bottom line.
Originally posted by PBG4 Dude
I would be worried more about unencrypted email. If you put together important deals for your company, it wouldn't be a big deal for a competitor to try and snag emails you send while out of the office. They might get enough data to beat your best deal and increase their bottom line.
This is why most companies use things like Lotus Notes, which has inbuilt encryption, or PGP. I'm still surprised how poor a job some companies do with IP protection though. Contractors are often particularly bad.
Originally posted by Telomar
I've never quite understood why wifi hot spots don't send out a public key when somebody initially connects to enable all communication back to the router to be encrypted. Obviously it could be compromised still but it's better than nothing.
To the best of my knowledge, the current protocols don't support anything like this--correct me if I'm wrong, though.
I've never tried it, but AlmostVPN was recommended to me by a friend.
AlmostVPN provides simple to use alternative to "real" VPN. It allows you to gain access to computers and services on your private network via single secure connection. You can use it to access your private e-mail server while you enjoy your favorite caffeinated drink and WiFi connection courtesy of Starbuck. You can use it to mount volume from your office computer while you are at customer site to be able to get that latest fix you were working on until 3am last night (but consecutively forgot to bring with you). You can use it to run VNC session to computer of your less tech savvy coworker from your favorite vacation spot, to help him/her to conquer yet another problem with MS Office (poor soul...). So the real question is why would NOT you want to use AlmostVPN?
Originally posted by Duckspeak
To the best of my knowledge, the current protocols don't support anything like this--correct me if I'm wrong, though.
You're probably right. Networking was never my strong suit. I still find it odd that you wouldn't pursue that though as it is such a simple elegant solution. Of course there would be the problem of how does the computer know how to encrypt it. Great it might get the public key but then what then. Would there need to be a standard program running in the background and would every vendor want to make a different one...all of a sudden I see so many problems with this idea
It can be cracked in no time at all.
You are fooling yourself if you think your so safe with your WEP protected network. Anyone using Kismac could have your network opened in a very short while, depending on the strength of your password, and how many packets you generate on your network.
You would be much better off going with WPA, but even then you can still be had...
Just FYI...
Interestingly, there's a good reason for this. Our electricity company needs to build a wireless network to read its newfangled electricity meters, which encourage conservation by charging more for daytime hydro use. Every fourth or fifth hydro pole becomes an 802.11 gateway.
This has "disruptive technology" written all over it. It will have major implications for many industries:
1. Cellular - my next cell will be wifi-enabled, guaranteed. Welcome to Skype world.
2. Radio - Satellite radio is dead. For twenty bucks a month, we now have internet radio. Conventional radio is on life support.
3. Emergency response - police, fire and ambulance co-ordination just got much cheaper.
4. Transit - Every bus shelter in the city could be equipped to receive ads and GPS signals from buses.
There must be a million other applications. The big question around this is still Rok's: Is it safe?
Are there health risks to this many EM emissions? Do we really want police records flying about an open network? Would it be safe to use a Wi-fi enabled computer for credit card purchases, even in your own home?
Originally posted by kcmac
[B If I access my company email via Microsoft Web Outlook, do you see my password login? Can you read my email along with me or just know what site I am on?
[/B]
OWA should be configured to use ssl. The scary thing about OWA is that it normally authenicates users to an internal domain. This could lead to a DOS attack on internal accounts if the password policy is set to disable accounts after a number of failed login attempts.