From: NeilG on 20 Jun 2010 13:10

On 6/19/2010 11:10 PM, JC Dill wrote:

<snip>

> They don't have to be experts. They only have to ask the question - is
> this the most secure way to set up my system?
>
> jc

JC,

As a (now-retired) tech partner at a law firm, I was the person who had to ask that question to our computer consultant for a firm of twenty people. I also had to deal daily with computer problems of my less computer-literate partners and staff, so I feel qualified to comment on your opinion.

You presume too much about the average user, and particularly the average older user. (By older, I mean over about age 35, before computers were available in most elementary schools.) Many users expect their computers to work the way their TVs work: turn them on, and turn the channel to the program they want. They don't know enough to ask your question, much less answer it. It's not the ISPs' fault that many people don't bother to learn everything there is to know about computers; it's just human nature.

The problem is not only with the ISPs, but also the equipment manufacturers. Both of them have historically understated security risks, to sell more services and equipment by avoiding scaring away consumers.

I know that my solution is not popular among tech people, who are notoriously libertarian. However, IMHO, one good role for the FCC would be to standardize security UIs and protocols (including updating procedures) so that it would be easier for consumers to keep up with their security needs. (I am not against an industry committee coming up with, and maintaining, the standards, but there should be standards.) Of course, that would not stop a determined hacker, but it would reduce the likelihood of wardriving and of what Google did.

Neil
From: Jeff Liebermann on 20 Jun 2010 16:47

On Sun, 20 Jun 2010 10:10:12 -0700, NeilG <nmg1217(a)teranews.com> wrote:

> Many users expect their computers to work the way their TVs work: turn
> them on, and turn the channel to the program they want.

True. Perception is everything. Users expect things to be secure out of the box and without any (or much) effort on their part. A worst-case example is the commodity wireless routers, which, if installed using the default configuration, are as insecure as one could possibly be. The default passwords are well known. There's no encryption enabled. The SSID is not unique. Yet the same product has security inscribed on the package, documentation, and advertising literature multiple times and in multiple places. Looking at the packaging and literature, one would assume that it's secure based solely on the number of security-related buzzwords that encrust the packaging and literature. Not so, but (to my knowledge) the concept of vendor liability for security breaches on consumer electronics has not been tested in court.

Email security is similar. The perception is that email is secure because nobody knows the user's password. Never mind that some systems still send the POP3 and FTP passwords unencrypted. Never mind that the password may be secure, but the contents are easily sniffable.

> They don't know enough to ask your question, much less answer it.

They do after a security breach. Few people take security seriously until after it fails.

> However, IMHO, one good role for the FCC would be to standardize
> security UIs and protocols (including updating procedures) so that it
> would be easier for consumers to keep up with their security needs. (I
> am not against an industry committee coming up with, and maintaining,
> the standards, but there should be standards.) Of course, that would
> not stop a determined hacker, but it would reduce the likelihood of
> wardriving and of what Google did.

The FCC does not specify the details of transmission standards. It merely specifies that there should be encryption, security, or some protocol. The details of these are produced by industry standards organizations (NIST, EIA, IEEE, APCO, etc.) and adopted by manufacturers to be compliant with the FCC guidelines. For example, FCC Part 15 does not specify anything about wi-fi encryption except that it's allowed. The IEEE wrote the 802.11(a-z) specifications. The Wi-Fi forum provides certification. I'm not sure which organization would be the proper standards manufacturer. Since the IEEE inscribed most of the industry standards now running the internet, methinks such a security protocol should be well within their area of expertise. All the FCC needs to do is demand that all public data network transmissions be encrypted.

--
Jeff Liebermann     jeffl(a)cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
From: Jeff Liebermann on 20 Jun 2010 16:58

On Sat, 19 Jun 2010 08:22:43 -0700, JC Dill <jcdill.lists(a)gmail.com> wrote:

> Malcolm Hoar wrote:
>> In article <ec4o165c3s0ac1n3u4ifmv5unffkholfuf(a)4ax.com>, John Navas <jncl1(a)navasgroup.com> wrote:
>>
>>> "However, we can already state that [...] Google did indeed record
>>> e-mail access passwords [and] extracts of the content of email
>>> messages."
>>
>> That's not good but if folks are using cleartext passwords
>> over a wireless connection, they really shouldn't have a
>> "reasonable expectation of privacy".
>
> Not just using cleartext passwords over wifi, using cleartext passwords
> over UNPROTECTED wifi. (If they had any protection on their wifi, then
> Google wouldn't have connected or recorded anything.) In that case they
> absolutely have no expectation of privacy. It's like shouting your
> password to your friend across the street.
>
> jc

Not all parts of wi-fi transmissions are encrypted. The headers, source and destination MAC addresses, system management packets, control packets, and some broadcast packets are not encrypted. One could easily map a network by simply collecting the source and destination MAC addresses. I have not seen anything from Google indicating exactly what data they were collecting, but my guess(tm) is that it was MAC addresses, SSID names, and possibly sniffing broadcasts to determine the type of connectivity. They were apparently only logging unencrypted data, but from the vague wording, could include payload data. From the unencrypted data, they'll get a user count, network map, equipment type, and a good guess as to the backhaul type. If that data was NOT encrypted, they would get IP addresses, payload type, service number, and RIP broadcasts, which would reveal considerably more information about the system and its topology.
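Jeff's point that the 802.11 MAC header stays in the clear even when the body is encrypted, shown as an added example (not code from anyone in this thread): a Python parser that reads frame type, the three addresses, the Protected Frame bit and a beacon's SSID from two constructed frames, then builds the per-BSSID station map he describes without reading any payload. Address roles follow the To-DS/From-DS rules of the standard; the MAC addresses, SSID and frame bytes are constructed for the example.

```python
TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}
BCAST = b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Header fields a passive listener reads whether or not the body is encrypted."""
    fc0, fc1 = raw[0], raw[1]                      # Frame Control, little-endian
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    protected = bool(fc1 & 0x40)                   # Protected Frame bit: body is ciphertext
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22] # address fields are never encrypted
    if ftype == 2 and to_ds and not from_ds:       # station -> AP
        bssid, sa, da = a1, a2, a3
    elif ftype == 2 and from_ds and not to_ds:     # AP -> station
        da, bssid, sa = a1, a2, a3
    else:                                          # management / IBSS: DA, SA, BSSID
        da, sa, bssid = a1, a2, a3
    info = {"type": TYPES.get(ftype, "rsvd"), "subtype": subtype,
            "protected": protected, "sa": mac(sa), "da": mac(da), "bssid": mac(bssid)}
    if ftype == 0 and subtype == 8:                # beacon: 24-byte header + 12 fixed bytes + IEs
        body, i = raw[36:], 0
        while i + 2 <= len(body):
            tag, ln = body[i], body[i + 1]
            if tag == 0:                           # SSID information element
                info["ssid"] = body[i + 2:i + 2 + ln].decode("utf-8", "replace")
                break
            i += 2 + ln
    return info

def network_map(frames):
    """Group station MACs under their BSSID using only header fields."""
    nets = {}
    for f in map(parse_frame, frames):
        net = nets.setdefault(f["bssid"], {"ssid": None, "stations": set()})
        net["ssid"] = f.get("ssid", net["ssid"])
        for addr in (f["sa"], f["da"]):
            if addr not in (f["bssid"], mac(BCAST)):
                net["stations"].add(addr)
    return nets

def header(fc0, fc1, a1, a2, a3):
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"   # duration/seq zeroed

# Constructed sample frames, not captured traffic: a beacon and a WPA-protected data frame
AP, STA = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02ddeeff0002")
BEACON = header(0x80, 0x00, BCAST, AP, AP) + b"\x00" * 12 + bytes([0, 7]) + b"HomeNet"
DATA = header(0x08, 0x42, STA, AP, AP) + bytes.fromhex("0102030405060708")  # ciphertext body
```

Running `network_map([BEACON, DATA])` yields the SSID and the station address for the AP's BSSID even though the data frame's body is ciphertext, which is exactly the exposure an owner of a WPA-protected network still has.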
From: John Navas on 21 Jun 2010 19:29

"30 states may join probe of Google Wi-Fi snoop"

'As many questions as answers'

As many as 30 states may investigate Google for surreptitiously sniffing traffic traveling over open Wi-Fi networks over a three-year span, Connecticut's top law-enforcement official said on Monday.

Connecticut Attorney General Richard Blumenthal said his office will lead the multi-state investigation into the unauthorized data collection by Google Street View cars. A "significant number of states" are expected to participate, according to a press release issued by his office that claimed representatives from more than 30 states joined a recent telephone conference call to discuss the probe.

"While we hope Google will continue to cooperate, its response so far raises as many questions as it answers," Blumenthal said in the release. "The company must provide a complete and comprehensive explanation of how this unauthorized data collection happened, why the information was kept if collection was inadvertent and what action will prevent a recurrence."

MORE: <http://www.theregister.co.uk/2010/06/21/google_wifi_snoop_inquiries/>
From: Nemesis on 21 Jun 2010 19:48

On Sat, 19 Jun 2010 01:44:26 +0000, Malcolm Hoar wrote:

>> "However, we can already state that [...] Google did indeed record
>> e-mail access passwords [and] extracts of the content of email
>> messages."
>
> That's not good but if folks are using cleartext passwords over a
> wireless connection, they really shouldn't have a "reasonable
> expectation of privacy".
>
> If I were one of those "victims" I'd be more worried about the other
> folks who may have recorded that info (and not very worried about
> Google). But, of course, Google represents a much more attractive target
> for those seeking financial reward for their own stupidity.

I sleep with a twelve bore and a 9mm. Nobody's going to accuse me of stupidity when I get a break-in.

PS ... on my tenth wife. I TELL them to whisper "it's me" when they go to the bathroom, but in the end they always forget ....

BTW, you don't need to collect the emails and passwords to map MAC addresses for the NSA. Airodump with the write option set to csv collects the mac, no content at all. They'll have to think of a better excuse.

[]'s