From: Bob on
On 19/06/2010 16:40, John Navas wrote:
> On Sat, 19 Jun 2010 08:22:43 -0700, in<hvinc0$4k0$3(a)speranza.aioe.org>,
> JC Dill<jcdill.lists(a)gmail.com> wrote:
>
>> Malcolm Hoar wrote:
>>> In article<ec4o165c3s0ac1n3u4ifmv5unffkholfuf(a)4ax.com>, John Navas<jncl1(a)navasgroup.com> wrote:
>>>
>>>> "However, we can already state that [...] Google did indeed record
>>>> e-mail access passwords [and] extracts of the content of email
>>>> messages."
>>>
>>> That's not good but if folks are using cleartext passwords
>>> over a wireless connection, they really shouldn't have a
>>> "reasonable expectation of privacy".
>>
>> Not just using cleartext passwords over wifi, using cleartext passwords
>> over UNPROTECTED wifi. (If they had any protection on their wifi, then
>> Google wouldn't have connected or recorded anything.) In that case they
>> absolutely have no expectation of privacy. It's like shouting your
>> password to your friend across the street.
>
> The problem is hardware manufacturers that marketed insecure wireless
> devices, not the unsuspecting victims that bought them -- users are not
> required to become computer security experts just to use Internet
> services safely. The industry has at last faced up to its
> responsibilities, and is now doing much more to ensure that wireless
> networks are secure by default: Wi-Fi Protected Setup.
> <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup>
>
The NFC option has been suspended due to lack of test bed support.

"Notice on 9th June, 2010:
Test bed device support for the NFC (Near Field Communication) test
option for Wi-Fi Protected Setup has been discontinued. Additionally, no
member has responded within the past 30 days to a request for new NFC
candidate devices for the test bed.

Due to the lack of test bed equipment support and in accordance with the
MRD requirements for NFC testing, Wi-Fi Alliance staff has suspended NFC
option testing and will be removing the test feature from the WSC1.0
test plan and certification system testing menu. Reinstatement of NFC as
an optional certification feature will require a new initiative within
the task group and associated blind poll/plugfest work."
<http://www.adt.com.tw/english/indexNewsData.phtml?NEWSID=278>
From: John Navas on
On Sat, 19 Jun 2010 17:16:33 +0100, in
<O-SdnSyjvrf9cIHRnZ2dnUVZ8q-dnZ2d(a)bt.com>, Bob <bob(a)invalid.invalid>
wrote:

>On 19/06/2010 16:40, John Navas wrote:
>> On Sat, 19 Jun 2010 08:22:43 -0700, in<hvinc0$4k0$3(a)speranza.aioe.org>,
>> JC Dill<jcdill.lists(a)gmail.com> wrote:
>>
>>> Malcolm Hoar wrote:
>>>> In article<ec4o165c3s0ac1n3u4ifmv5unffkholfuf(a)4ax.com>, John Navas<jncl1(a)navasgroup.com> wrote:
>>>>
>>>>> "However, we can already state that [...] Google did indeed record
>>>>> e-mail access passwords [and] extracts of the content of email
>>>>> messages."
>>>>
>>>> That's not good but if folks are using cleartext passwords
>>>> over a wireless connection, they really shouldn't have a
>>>> "reasonable expectation of privacy".
>>>
>>> Not just using cleartext passwords over wifi, using cleartext passwords
>>> over UNPROTECTED wifi. (If they had any protection on their wifi, then
>>> Google wouldn't have connected or recorded anything.) In that case they
>>> absolutely have no expectation of privacy. It's like shouting your
>>> password to your friend across the street.
>>
>> The problem is hardware manufacturers that marketed insecure wireless
>> devices, not the unsuspecting victims that bought them -- users are not
>> required to become computer security experts just to use Internet
>> services safely. The industry has at last faced up to its
>> responsibilities, and is now doing much more to ensure that wireless
>> networks are secure by default: Wi-Fi Protected Setup.
>> <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup>
>>
>The NFC option has been suspended due to lack of test bed support.

That's only one of four methods -- there are three other methods. Every
Wi-Fi Protected Setup certified product must support the PIN method.

--
Best regards,
John

FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
From: Bob on
On 19/06/2010 18:50, John Navas wrote:
> On Sat, 19 Jun 2010 17:16:33 +0100, in
> <O-SdnSyjvrf9cIHRnZ2dnUVZ8q-dnZ2d(a)bt.com>, Bob<bob(a)invalid.invalid>
> wrote:
>
>> On 19/06/2010 16:40, John Navas wrote:
>>> On Sat, 19 Jun 2010 08:22:43 -0700, in<hvinc0$4k0$3(a)speranza.aioe.org>,
>>> JC Dill<jcdill.lists(a)gmail.com> wrote:
>>>
>>>> Malcolm Hoar wrote:
>>>>> In article<ec4o165c3s0ac1n3u4ifmv5unffkholfuf(a)4ax.com>, John Navas<jncl1(a)navasgroup.com> wrote:
>>>>>
>>>>>> "However, we can already state that [...] Google did indeed record
>>>>>> e-mail access passwords [and] extracts of the content of email
>>>>>> messages."
>>>>>
>>>>> That's not good but if folks are using cleartext passwords
>>>>> over a wireless connection, they really shouldn't have a
>>>>> "reasonable expectation of privacy".
>>>>
>>>> Not just using cleartext passwords over wifi, using cleartext passwords
>>>> over UNPROTECTED wifi. (If they had any protection on their wifi, then
>>>> Google wouldn't have connected or recorded anything.) In that case they
>>>> absolutely have no expectation of privacy. It's like shouting your
>>>> password to your friend across the street.
>>>
>>> The problem is hardware manufacturers that marketed insecure wireless
>>> devices, not the unsuspecting victims that bought them -- users are not
>>> required to become computer security experts just to use Internet
>>> services safely. The industry has at last faced up to its
>>> responsibilities, and is now doing much more to ensure that wireless
>>> networks are secure by default: Wi-Fi Protected Setup.
>>> <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup>
>>>
>> The NFC option has been suspended due to lack of test bed support.
>
> That's only one of four methods -- there are three other methods. Every
> Wi-Fi Protected Setup certified product must support the PIN method.
>
PBC is also mandatory and as far as I am concerned a pain in the neck. I
have found a number of people, including myself, who have had difficulty
getting this to work with some routers and have had to eventually input
the encryption manually.
If manufacturers are not prepared to support present test beds to
make things easier for users then one wonders what the future will bring.
From: John Navas on
On Sat, 19 Jun 2010 19:16:41 +0100, in
<B9adnagrM-0VlIDRnZ2dnUVZ8u-dnZ2d(a)bt.com>, Bob <bob(a)invalid.invalid>
wrote:

>On 19/06/2010 18:50, John Navas wrote:
>> On Sat, 19 Jun 2010 17:16:33 +0100, in
>> <O-SdnSyjvrf9cIHRnZ2dnUVZ8q-dnZ2d(a)bt.com>, Bob<bob(a)invalid.invalid>
>> wrote:
>>
>>> On 19/06/2010 16:40, John Navas wrote:
>>>> On Sat, 19 Jun 2010 08:22:43 -0700, in<hvinc0$4k0$3(a)speranza.aioe.org>,
>>>> JC Dill<jcdill.lists(a)gmail.com> wrote:
>>>>
>>>>> Malcolm Hoar wrote:
>>>>>> In article<ec4o165c3s0ac1n3u4ifmv5unffkholfuf(a)4ax.com>, John Navas<jncl1(a)navasgroup.com> wrote:
>>>>>>
>>>>>>> "However, we can already state that [...] Google did indeed record
>>>>>>> e-mail access passwords [and] extracts of the content of email
>>>>>>> messages."
>>>>>>
>>>>>> That's not good but if folks are using cleartext passwords
>>>>>> over a wireless connection, they really shouldn't have a
>>>>>> "reasonable expectation of privacy".
>>>>>
>>>>> Not just using cleartext passwords over wifi, using cleartext passwords
>>>>> over UNPROTECTED wifi. (If they had any protection on their wifi, then
>>>>> Google wouldn't have connected or recorded anything.) In that case they
>>>>> absolutely have no expectation of privacy. It's like shouting your
>>>>> password to your friend across the street.
>>>>
>>>> The problem is hardware manufacturers that marketed insecure wireless
>>>> devices, not the unsuspecting victims that bought them -- users are not
>>>> required to become computer security experts just to use Internet
>>>> services safely. The industry has at last faced up to its
>>>> responsibilities, and is now doing much more to ensure that wireless
>>>> networks are secure by default: Wi-Fi Protected Setup.
>>>> <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup>
>>>>
>>> The NFC option has been suspended due to lack of test bed support.
>>
>> That's only one of four methods -- there are three other methods. Every
>> Wi-Fi Protected Setup certified product must support the PIN method.
>>
>PBC is also mandatory and as far as I am concerned a pain in the neck. ...

Only for the access point, not for the client devices.

--
Best regards, FAQ for Wireless Internet: <http://wireless.navas.us>
John FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
From: JC Dill on
John Navas wrote:
> On Sat, 19 Jun 2010 08:24:04 -0700, in <hvinei$4k0$4(a)speranza.aioe.org>,
> JC Dill <jcdill.lists(a)gmail.com> wrote:
>
>> John Navas wrote:
>>> On Sat, 19 Jun 2010 01:44:26 GMT, in
>>> <hvh7dqg3aa002malch(a)news.sonic.net>, malch(a)malch.com (Malcolm Hoar)
>>> wrote:
>>>
>>>> In article <ec4o165c3s0ac1n3u4ifmv5unffkholfuf(a)4ax.com>, John Navas <jncl1(a)navasgroup.com> wrote:
>>>>
>>>>> "However, we can already state that [...] Google did indeed record
>>>>> e-mail access passwords [and] extracts of the content of email
>>>>> messages."
>>>> That's not good but if folks are using cleartext passwords
>>>> over a wireless connection, they really shouldn't have a
>>>> "reasonable expectation of privacy".
>>> I respectfully disagree -- the problem is the fundamentally flawed POP3
>>> protocol that many (most?) ISPs still use -- it shouldn't take a
>>> computer science degree to use basic Internet services. Shame on us.
>> Most ISPs offer protected protocols.
>
> Some do, some do not,

Correct. When "most do" then obviously "some do not".

> and there's no excuse for those that still market
> and provide unsafe and insecure service.

Bullshit.

>
>> I use protected protocols with all
>> my email accounts on 3 different ISPs.
>
> You're not typical.
>
>> Most end users don't bother to learn how to set up their software to use
>> the protected protocols. This is not the ISP's fault.
>
> It absolutely is the fault of the ISP to market and provide an unsafe
> and insecure mail protocol to non-experts,

More bullshit. Many users use software that can only fetch email with
POP3. There's absolutely nothing wrong with offering this protocol for
those who request it.

> just as it would be the fault
> of a car manufacturer to make a car without enough bolts to hold on the
> wheels.

That's a very stupid analogy, but I'm not surprised you brought it up
because it's exactly what I expected of you.

A much better analogy is like selling a car where you can't easily lock
all of the doors with one button or twist of the key. Where you have to
actually take the time to lock each door individually.

> Average users are not required to become computer experts just to use
> standard Internet services safely.

They don't have to be experts. They only have to ask the question - is
this the most secure way to set up my system?

jc