Toronto, The Naked City 212
PunWork writes "In an effort to promote wireless network security, Toronto consulting firm IpEverywhere (pun intended) has published a map of downtown Toronto, showing the location of both encrypted and unencrypted ('naked') wireless networks. Is this going to help spread awareness, or is this just going to encourage people to abuse the (apparently) ignorant? The Toronto Star has a story about the map and the consulting firm here."
its not an "or" situation (Score:4, Insightful)
1. the idiots will try and hack and abuse.
2. the companies will slowly gain awareness, try to figure out how to secure themsleves, secure funding, initiate sucurity protocols, fix holes, etc.
gee, i wonder who will get going first. the company or the idiots.
That's lame (Score:2, Insightful)
Maybe someone should make a new insecure Linux distro called "Naked Linux". It will be great for the desktop to compete with Windows whom has always been naked. (Maybe that's Red Hats secret Plan). In the mean time Windows is trying to get dressed. Stupid 2 legged pants!
Spammers (Score:5, Insightful)
Re:Its obvious! (Score:4, Insightful)
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!
oh man that is really funny!
Most IT people dont know squat. and very very few of them know much about, let alone even understand security.
If your statement were true then corperate break ins and virus's would be a much smaller problem.. 99% of all virus attacks I get are from INSIDE corperate coming from the T1 ties to the NOC not from any of my users or the internet gateway I have. Whenever there's a discussion about Virus scanners and basic virii security.. over 1/2 the IT professionals on the conference call have no idea how to ensure that all the machines are up to date or protect their networks.
Also, I have had to resort to firewalling the corperate side to protect my network... Yes, the TRUSTED corperate network T1 tie is firewalled by me to keep out attackers and virii.
I am one of about 700 IT professionals in my corperation... and I have to spend valuable time securing my network from the bungling boobs that this company hired.
Re:its not an "or" situation (Score:4, Insightful)
However, with so many consumer-based 802.11 access points out there, I doubt that Joe Homeoffice will even realize how to lock down their networks. In this case, the vendors should start by having as much default security as possible, as well as some helpful reading in the instruction manuals for how to secure your wireless setup.
Unencrypted != unsecured (Score:5, Insightful)
And after you've secured your network on a higher level than OSI 1, you can be less paranoid about WEP. So much less, that some claim that DISabling WEP is not a bad thing at all. Think about it, you already have encryption taken care of, so why not make your network more stable, robust and fast by disabling WEP?
Those 'wardriving' pictures should make a distinction between "secured with WEP", "no WEP, but I cannot use the network because of IPsec/VPN/whatever" and "no WEP, and I can surf freely through it".
-Leto2
Re:Unencrypted != unsecured (Score:2, Insightful)
WEP Enabled (Worse, false sense of security) instead of:
WEP Enabled (Good)
Aluminum siding better than WEP (Score:4, Insightful)
Basically this stops any war drivers from seeing my network unless they get really lucky and creep up to the bushes outside one of the few windows that faces the street. If they do that I'm more at risk that they see ME naked than my network!
Anybody else notice specific physical obstacles that clobber reception?
Naked != unprotected or insecure (Score:5, Insightful)
That means that many of the "unsecured" nodes in this report may have had other means of securing themselves, from switch- or AP-based MAC filtering to captive portals such as NoCat. Moreover, the protocol for this study did not establish whether the open APs in question were handing out DHCP leases (or, indeed, whether they were connected to the Internet at all).
Finally, this study did not investigate in any depth whether the open APs were deliberately or accidentally left open. Many of us run open "community" networks around the world (I operate one in Toronto at King and Niagara, and three in San Francisco, two at 19th and Shotwell, and one on Sycamore near 17th and Mission). These networks are deliberately "unsecured" and are provided out of public-spiritedness, or even out of a political commitment to providing tools for anonymous speech on the Internet -- anonymous speech being fundamental to democratic discourse.
Since WEP is such a poor "security" measure, the best practice for wireless users is to use SSH and/or SSL tunnels to secure sensitive traffic to a proxy (either remote or on your own network). In fact, if you're a promiscuous user of any network -- conference centers, airport lounges, hotel rooms, schools, etc -- you should assume that unless your messages are encrypted, they will be sniffed on the wire.
The primary "security" concern about open wireless seems to be that a "rogue" AP will be installed behind a firewall. The firewall, of course, is hardly sufficient in and of itself for securing a network. It's based on the presumption that everyone on one side of the firewall is trustworthy, and everyone on the other side is untrustworthy. We know, though, that this is a fallacy. Getting inside the firewall -- either through physical intrusion (think of visitors to your office plugging into the the network to check mail) or virtually, by 0wning a box on the network with a trojan -- is not difficult for a determined intruder. Meanwhile, the legitimate users of your network resources are often outside your firewall (mobile execs at a client site, for example) and thus not only walled off from the rest of the network, but also vulnerable to attack, since their machines' first line of defense is the firewall, which they are suddenly out of.
Security is hard. The proper place to draw your network perimiter isn't around your office, but around each machine. Personal firewalls, regular applications of security patches, good passwords and user education provide genuine security. Firewalls (and FUD about open APs) doesn't.
This is the wrong approach (Score:2, Insightful)
In fact I would go so far as to say this is an unauthorised pen-test, in that part of a pen-test is in finding hosts/networks in the same way the physical location has been found, but not only found, also published.
I dont know where liability and juristiction come into play here, i'm surprised these guys/gals are prepared to go this extreme and risk finding out.
Surely a CNN interview would do their careers good and promote the issue far wider than a website could?