Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot (softpedia.com) 197
An anonymous reader writes: Avast carried out a curious experiment at the Barcelona Mobile World Congress. They've set up 3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it. Researchers randomly logged some traffic stats just to prove a point about how easy it is to hack users on a public WiFi network. They also recommended using a mobile VPN app when navigating the Web via public WiFi.
I have hitch hiked before (Score:5, Insightful)
Re:I have hitch hiked before (Score:5, Informative)
Here's the actual announcement from Avast:
https://press.avast.com/en-us/... [avast.com]
That has all you might need. No need to hitch off this softpedia site. They're not adding any value over reading the press release and they don't even include a link (or I didn't see it in their layout) to the original press report. It's the internet, linking is kind of important. Maybe they want to pretend it's exclusive content or real journalism? I dunno... Screw it, avoid entering the unknown and go to a verified source - like the message of the article.
Re: (Score:3)
And I was downmodded
Re: (Score:3)
I was just trying to point out that using an open wifi without https/vpn/whatever is like the good old hitchhiking
I don't worry about connecting to public hotspots. My knapsack laptop is a $50 used Chromebook. Good luck "hacking" that, since there is basically nothing on it. They might be able to read emails going back and forth, so they will find out my wife wants me to buy some kitty litter on the way home. Whatever. I doubt if they are even going to get that, since pretty much everything is HTTPS these days.
Re: (Score:3)
I don't worry about connecting to public hotspots. My knapsack laptop is a $50 used Chromebook. Good luck "hacking" that, since there is basically nothing on it.
Exactly this! I'm at breakfast now, using my cheap Chromebook. Altogether too many people seem to think you should only have one device. And nothing of interest on it at all. Just a gmail address specifically for the chromebook, and slashdot use.
Re: (Score:2)
you play along and wait for an opportunity for your .22
.22 works well on pests, not so much on 250lbs big rapist-robber dudes. If I had to choose between a .22 and some proper pepper spray to handle such situation, I'd go for the latter.
Re: (Score:2, Funny)
Funny thing is, me and two other military friends used to pick up hitch hikers when we were stationed in New England just for fun. You get to sit in the passenger seat, to your left right is a 9mm, behind you (me) is a .45acp, and driving is a USMC hand-to-hand instructor with an unhealthy fascination in blades.
You wouldn't have a prayer.
#KaBarLurv
I'm a bit curious, what is the track record against suicide bombers?
The Internet isn't "safe" (Score:5, Insightful)
Why should anyone expect some random WLAN to be "safe" - they are trying to get to the Public Internet, this is just another Public inter-Network along the way.
Re:The Internet isn't "safe" (Score:5, Insightful)
why should i expect it to be unsafe? email is via ssl/tls, chat apps are client-to-server encrypted, all eshops use ssl/tls, google search is by default via ssl/tls, cloud storage i encrypted in transit, so what could they have possibly gained by this devious man in the middle circus? list of websites i access and my http data?
Re: (Score:2)
s/i encrypted/is encrypted
Re: (Score:2)
so what could they have possibly gained by this devious man in the middle circus
Maybe they were hoping that you were a Windows weenie who'd compulsively click away any dialog that appeared, even though this time it happened to be a warning about a mismatched certificate? In which case you would be the clown in that circus...
Re: (Score:2)
That would require them to get a signed signing cert. Which doesn't happen quite as often as the scare stories purport.
Re: (Score:2)
Yes, especially after watching Doctor Who [wikipedia.org]. :-)
we use roads in the same way (Score:5, Interesting)
Re: (Score:2)
can be sued (maybe by your next-of-kin)
Good point. Whereas with Wifi, you'll be able to do the suing yourself. Indeed, the worst that could happen with free Wifi is that your weird orange-haired-wankpuffin fetish comes to light, but there's no danger to life-and-limb.
Once you're on the plane, you at least know where the pilot and co-pilot are most of the time.
You might know where they are, but you don't know where they should be. Namely in sick-leave [independent.co.uk]...
and you absolutely won't like the Trojan they leave behind after the full cavity search.
That's not a trojan, that's a femidom!
Are people connecting to any free wifi hotspot? (Score:5, Insightful)
Or do their devices automatically do it for them?
Re: (Score:2)
Or do their devices automatically do it for them?
The only time I've ever had my Wifi connect to a strange access point without me asking it to were ones named "Linksys" and this was back in 2006. Seemed my old Windows XP lappy would interpret any open AP named Linksys as one I've connected to before because I had connected to one called Linksys before.
I'm pretty sure modern OSes don't do this any more.
Yes, stop snickering, I called Windows "Modern".
Re:Are people connecting to any free wifi hotspot? (Score:4, Informative)
Umm no... That's still standard practice. It's actually one of the only ways I've found to get devices to correctly roam between APs. Works on APs with and without encryption set.
Best way to solve it? Set a key on the AP you connect to then if another has the same name your computer won't be able to connect to it because the AP doesn't have the right key.
Re: (Score:2)
I haven't experienced that with Windows 10 Enterprise and two APs from two different vendors in the house. My laptop connects to both APs depending (I'm assuming) on which one has the best signal. They're at opposite corners of the house, and you get none/marginal signal if you were to try to connect to the distant AP (which is why I added the second AP).
It's kind of surprising how broken the 802.11 spec is around these issues. One, you could have wanted a transparent but default system for encrypting rad
Re: (Score:2)
Devices by default do not connect to open access points that are unfamiliar. Actually not just default, I don't know any way to set any of my devices to allow this course of action. All my devices announce the presence of the network, but none will connect.
Re: (Score:2)
or both networks were called "home" and had the password "no1willguess"
Re: (Score:2)
Just how I do it.
I wander by several open or semi-open WiFi hotspots daily, and having my phone latch onto one, wait for me to sign on, and fail to get email, texts (yes, texts), etc until it figures out I am gone is not just annoying, it is a failure mode. My carrier hates me for this, and tries to force WiFi on by various means. I average 10-12GB mobile data, and use my mobile hot spot for my tablet when I'm in marginal WiFi signal areas, which is most of the time.
WiFi hotspots can be a serious pain - for
isn't gmail/google all https? (Score:3)
seems like avast missed the point when google, gmail, and youtube went 100% https
the bit about "detecting" devices is also retarded: just serve up a page to new connectors and log the agent and you should get stats on browsers/oses
Re: (Score:2)
What about people who use browsers which don't force an ssl connection to those URIs? Or, an IMAP email client, similarly. Users would still be subject to DNS hijacking.
And, you only mention Google services. There's way more to the Internet than that.
Re: (Score:2)
"seems like avast missed the point when google, gmail, and youtube went 100% https"
What about people who use browsers which don't force an ssl connection to those URIs?
This used to be a problem, because users might type in "google.com", and the browser would first go to "http://google.com" (ditto for other sites).
Along came HSTS: https://en.wikipedia.org/wiki/... [wikipedia.org]
That shouldn't be a problem anymore, so long as the user's browser supports that, and the server is sending it (which many do these days, because of all the SSL kerfuffle).
Or, an IMAP email client, similarly.
This may actually be worse. In many cases, clients connect to the clear text port and then issue STARTTLS (or similar) if the server had said it
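As an added illustration of the HSTS behaviour described in the comment above (not part of the thread and not any browser's actual code): a minimal Python model of the client-side host list, following RFC 6797. The host names and the fake clock are constructed; note that the very first plain-HTTP request, made before any policy has been stored, is not upgraded.

```python
import ipaddress
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """RFC 6797 s6.1: return (max_age, include_subdomains), or None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not name:
            continue
        if name in seen:                  # a repeated directive voids the header
            return None
        seen.add(name)
        if name == "max-age":
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]           # quoted-string form is allowed
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)  # unknown directives ignored


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HSTSStore:
    """Minimal model of a browser's list of known HSTS hosts."""

    def __init__(self, clock=time.time):
        self._hosts = {}                  # host -> (expiry, include_subdomains)
        self._clock = clock

    def note_response(self, url, headers):
        """Store the policy from a response; return True if it was honoured."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Honoured only over HTTPS: on plain HTTP the network operator could
        # have injected or stripped the header. IP-literal hosts never qualify.
        if parts.scheme != "https" or not host or is_ip_literal(host):
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        max_age, include_sub = policy
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 deletes the entry
        else:
            self._hosts[host] = (self._clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):      # the host itself, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._clock() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Return the URL that would actually be requested."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):  # port 80 maps to the https default port
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """One host through first visit, policy capture and expiry (fake clock)."""
    now = [1_000_000.0]
    store = HSTSStore(clock=lambda: now[0])
    seen = {"first_visit": store.rewrite("http://example.test/")}
    store.note_response("http://example.test/",
                        {"Strict-Transport-Security": "max-age=31536000"})
    seen["after_http_header"] = store.rewrite("http://example.test/")
    store.note_response("https://example.test/",
                        {"strict-transport-security": "max-age=31536000; includeSubDomains"})
    seen["after_https_header"] = store.rewrite("http://example.test/login?x=1")
    seen["subdomain"] = store.rewrite("http://mail.example.test:8080/")
    now[0] += 31536000 + 1
    seen["after_expiry"] = store.rewrite("http://example.test/")
    return seen
```

`demo()` returns the URL requested at each step, which shows that a header delivered over plain HTTP changes nothing and that the upgrade lapses once `max-age` has passed.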
Re: (Score:2)
LOL. The fallacy is obvious.
Re: (Score:2)
HSTS support across browsers: https://www.owasp.org/index.ph... [owasp.org]
Current usage stats: http://caniuse.com/#feat=stric... [caniuse.com]
IE: 11 (windows 7 and 8.1+)
Edge: all versions
Firefox: 4+
Opera: 12+
Safari: 7+ Mavericks (Mac OS X 10.9)
Chrome: 4.0.211.0
That will cover the majority of users.
Regardless, there is still no fallacy. Users can easily protect themselves from that situation by using a browser that supports HSTS, which simply means using a system that has been updated within the past several years. It also greatly r
Re: (Score:3)
Why would anyone using exchange 2013 ever enable imap? You would be using activesync (which is ssl) or RPC over HTTP aka outlook anywhere (which is actually over HTTPS). For legacy support there is still MAPI, which is not over HTTPS, but can be configured to use encryption.
IMAP connectivity for exchange servers makes no sense today. Everyone has a phone that supports activesync or outlook anywhere. On the laptop, if you are willing to buy exchange but not a recent version of office you need to seek profess
Re: (Score:2)
Thunderbird and Evolution both have OWA support. You do not need IMAP.
Furthermore, if you are all linux laptops, why did you run a windows server? That is pretty backwards thinking.
Re: (Score:2)
So, user education is still needed, even if everybody switches to SSL.
Colour me unsurprised. (Score:3, Insightful)
People would still take candy from strangers if we didn't drill it into them from a young age. Stupidity isn't limited to Wifi, it pervades everything people do.
However airports are strange. A lot of people are stuck there for some time with little to do. So free Wifi is a godsend, I admit, despite being quite security aware, that I've been a bit free and loose with connecting to airport Wifi when bored out of my skull at various airports (mostly Australian ones who didn't have free Wifi until recently).
Free Wifi isn't inherently unsafe, but must be treated with suspicion. However most people won't, so back to my original point... People are dumb.
Re:Colour me unsurprised. (Score:4, Insightful)
Not always easy to know what the name of the freewifi service is in an airport you are not familiar with too. All you really know is you're not going to PAY for one, so it's either free or you're tethering. But which one is the free one?
Re:Colour me unsurprised. (Score:5, Insightful)
Not always easy to know what the name of the freewifi service is in an airport you are not familiar with too. All you really know is you're not going to PAY for one, so it's either free or you're tethering. But which one is the free one?
That's kind of my point.
How are you to know the difference between a legit and non legit network if they're both named "LAX Public Wifi"?
You should really be suspicious of any Wifi network you don't control or at the very least, know the owners on a personal level. I use free wifi for browsing /. but not for doing banking or anything else that could potentially harm me, but as a sysadmin, I'm mindful of such things whereas the average Joe isn't.
Re:Colour me unsurprised. (Score:5, Insightful)
For random browsing of the news, it might be fine. But the other problem with free WiFi in places like airports is that kids will start streaming music and videos and it will be dog slow.
In reality, I am not sure if there is much difference between free WiFi at an airport and free WiFi at a hotel or a coffee shop. They are all effectively the same thing from an insecurity perspective.
Re:Colour me unsurprised. (Score:5, Interesting)
I use free wifi for browsing /. but not for doing banking
That's backwards. Your bank's web site is authenticated, so your browser can fairly strongly verify that it's legitimate, and the data is encrypted and authenticated so it can't be modified. Browsing /. (or any non-TLS web site), on the other hand, is dangerous because the Wifi operator can inject whatever they like into the stream. Exploits that target your browser, drive-by downloads, ads, tracking cookies (for any site)... whatever they like.
Unless your bank has screwed something up, you can safely do your banking on a hostile network, but browsing /. is risky.
Re: (Score:3)
Here's the thing, I dont really care about something as triv
Re: (Score:2)
Rouge? I suppose that HSBC's logo is red, yes... B^>
(We had a product at work that we delighted in calling RougeWave, as if a cosmetics explosion...)
Rgds
Damon
Re: (Score:2)
Here's the thing, I don't really care about something as trivial as a /. account. To expend efforts on securing that against all manner of threats wastes resources.
You missed the point, completely. It's not that someone may snoop on your /. browsing or credentials, it's that someone will inject arbitrary other content into what you're retrieving from the /. server, which can be used to compromise your machine, extract credentials from your browser, etc.
Also TLS is not immune to MITM attacks. It makes it harder, sure but not immune.
Unless the attacker has compromised a CA, and barring bugs in your TLS stack (which used to be a big problem, but has recently gotten cleaned up), yes it is immune to MITM attacks.
Besides this you've got the traditional methods of social engineering, for example, a user goes to hsbc.co.uk and the rouge access point is configured to send them to hsbc.malice.com which looks identical to HSBC's internet banking site.
Unless you look at your browser window
Re: (Score:2)
Honest question though-- can extended validation be spoofed by MITM?
Ultimately you have to trust someone-- if not the wifi then your VPN provider.
Re: (Score:2)
EV is sold to CTOs that are managers but not technical or even aware how customers think.
There's no technical security advantage, at all.
There might be a customer advantage if they even knew what an EV cert was, but they don't, and if you try to explain it to them, they don't care.
Re: (Score:2)
There's no technical security advantage, at all.
There is one slight technical advantage. For a domain-validated certificate, the intruder can obtain a fake certificate if he can hijack (even temporarily) all connections from the target web server to the internet, or if he can hijack (even temporarily) the target domain's DNS. Indeed, that way, he may be able to intercept any mails, DNS or web requests that the CA might send to the victim server, and be granted the certificate.
For EV, the intruder would additionally need to supply (or forge) some paperwo
Re: (Score:2)
Honest question though-- can extended validation be spoofed by MITM?
It depends on the security of the certification agencies' procedures, and on any vulnerabilities that might be present in the user's browsers. If the user's browser happens to still trust Diginotar, then yes, even extended validation can be spoofed by the MITM
But joking aside, extended validation protects against some types of attacks against the CA or the website you want to visit, so if the MITM used any of those vulnerabilities to get his fake cert, then extended validation is slightly more secure. Howe
Re: (Score:2)
If the above is true as you say, there's no way to securely do anything on the Internet.
Take e-banking. I control my network until the wall socket, where my ISP takes over. Arguably you can trust your ISP because it's in their interest to have you trust them. The same accounts for the network of my bank, I trust them because it's in their interest that I can trust them.
But how about the network(s) in between? I don't know how my local ISP links to my local bank. Same city - could have a direct link, but mor
Re: (Score:2)
HTTPS doesn't fall apart with a man in the middle. It's end-to-end. It's specifically designed to detect that kind of tampering.
Re: (Score:2)
What makes you think your HTTPS session is with your bank?
Re: Colour me unsurprised. (Score:2)
So, how did you recreate my bank's EV certificate with a CA that is in my trusted root certificates?
Re: (Score:2)
If you've got that, just use a keylogger and wait for common bank names to be visited before activating it.
No need to mess with certs and risk getting spotted if you have control of the box already.
Re: (Score:2)
Proxying HTTPS is non-trivial, unless "the right stuff" is access to a certificate authority or users that are stupid enough to accept bad certificates.
You might be thinking Blue Coat or the like, but that only works because you install your signing certificate on all the clients...
Re:Colour me unsurprised. (Score:4, Informative)
BULLSHIT!
See, if someone controls the network, they can also trivially do a man in the middle attack. Just like all the other crap.
It isn't trivial. To perform a successful MITM attack you would need to crack the chain of trust between the site's public key and root cert installed in the browser or invent a parallel chain linking back to a trusted root cert installed in the browser.
This requires obtaining the private key from CA, CA subordinate or bank server. Alternately you could compute a useful collision of signature algorithm and insert your own key into the trust chain as was done /w MD5 signatures using a playstation cluster many years ago.
None of the above is trivial or easy. It is very likely anyone with the capability (e.g. governments) would not elect to piss it away attempting to drain the average Joe's bank account. ROI would be quite negative in the extreme.
If you control the network and have the right stuff, there is nothing which is "safe". And HTTPS falls apart with a malicious actor in the middle who can control your connection and sit in the middle.
Sorry, dude. You're so wrong as to be dangerous. You should fix that.
Networks are not worth defending because their issues can so easily be sidestepped by deployment of end-to-end encryption. I believe various dogmas causing operators to waste money on network castle defenses is harmful. It takes resources away from defending the only thing that matters... systems.
Re: (Score:2)
Wouldn't worry too much about the certificate problem, idiots will just click through.
BOAonline.com, WellsFargoBank.com, Wellfargo.com, (Score:2)
Victim types BOA.com into their browser. They see the BOA page, and if they bother to look they'll see the secure icon.
If they bother to look back at the address bar again, they'll see bankofamerica.net, BOAonline.com, or BOAbank.com.
Most people won't notice a problem. If some people notice, so what? The bad guy doesn't have to steal from EVERYBODY, just from SOMEBODY.
Re: (Score:2)
BULLSHIT!
See, if someone controls the network, they can also trivially do a man in the middle attack. Just like all the other crap.
You don't know anything about TLS and PKI, I see. Go read up on it and then come back and we can discuss like adults.
Re: (Score:2)
See, if someone controls the network, they can also trivially do a man in the middle attack. Just like all the other crap.
Most browsers will pop up a warning if somebody attempts a man-in-the-middle-attack with SSL. So, as long as the user is sufficiently educated to heed that warning, he should be ok. But then a sufficiently educated user would not run a browser or OS vulnerable to "drive-by downloads" either...
Re: (Score:2)
but as a sysadmin, I'm mindful of such things
Are you really? You talk about public WiFi as if private WiFi can be trusted. Your home connection goes to a third party that is in bed with the NSA, so do people who you know on a personal level. Your data is whisked away and routed across the internet through any number of points completely unencrypted.
Why would you be mindful of a public WiFi connection but not of the rest of the network?
Also why would you not use an encrypted and verified SSL connection but feel comfortable doing general browsing?
Re:Colour me unsurprised. (Score:5, Insightful)
People would still take candy from strangers if we didn't drill it into them from a young age. Stupidity isn't limited to Wifi, it pervades everything people do.
This "drilling" does very little to actually stop abductions. First off, most abductions are not strangers but rather someone they already know. Secondly, they've done experiments and kids will readily go with someone with a puppy/kitten if they tell them they have more in the back of their van.
The "don't talk to strangers" is completely silly. The one safety tip I try to teach my kids is that if they get lost to immediately walk up to the first stranger they see and ask for help. Don't wait for a stranger to come to you. If you pick the stranger then the odds of picking a bad person are slim to none but if they pick you then the odds of them being a bad person are significantly higher.
Re: (Score:2)
"The one safety tip I try to teach my kids is that if they get lost to immediately walk up to the first stranger they see and ask for help. Don't wait for a stranger to come to you. If you pick the stranger then the odds of picking a bad person are slim to none but if they pick you then the odds of them being a bad person are significantly higher."
Let them pick a mother stranger to further reduce the risks.
Re: (Score:2)
I agree, I told my kids to ask a mother or female for help first. It's sexist, but it's also playing the odds. Admittedly the chance of a random male wanting to harm your kid is minuscule, but a random female is even more minuscule. And just the fact that they are given some guidance may make them more likely to ask for help in the first place.
Re: (Score:2)
Let them pick a mother stranger to further reduce the risks.
And a white or Asian one, to reduce them still further.
(Is that racist? If so, the parent's comment is sexist.)
The parent's statement is at least true. A female is probably a safer pick than a male if you're worried about abduction as would an older person. And I would probably agree with the Asian but I'm not sure the white is a true statement. It's hard to find hard stats as most stats don't differentiate between strangers and acquaintances but there is very little statistical difference between blacks and whites when it comes to child abuse. On a side note, although women and asians are probably a safer pick
Re: (Score:3)
but if they pick you then the odds of them being a bad person are significantly higher.
In case of a child who looks obviously lost? I don't think that's significantly higher. There are a lot of people who would want to help a lost child.
If the odds are say 99% and 99.99%, then the odds of a good outcome is only increased 1% because usually either way is fine. But the risk of a bad outcome is increased by a factor of 100 from 0.01% to 1%. The latter is the significant number.
Re: (Score:2)
In case of a child who looks obviously lost? I don't think that's significantly higher. There are a lot of people who would want to help a lost child.
Yes, most people would be fine helping a lost child but they might not notice as most people go on with their day to day somewhat oblivious to their surroundings while a predator is actively looking and scanning the crowd and therefore are much more likely to notice them because they are looking for them. The odds are still really slim as stranger abductions are extremely rare but unless the person is in uniform and hired to scan the crowd, a predator (if present and in the area) will likely be the first p
False security (Score:5, Insightful)
Always assume all networks are insecure. You're always correct.
Re: (Score:2)
Always assume all networks are insecure. You're always correct.
True, but some are more "secure" than others and people don't pay attention to this, which is the point of this little social experiment.
Actually, IMHO the security issue of open WiFi needs attention at two points. First, you need a really good and effectively configured firewall on your device. Second, those providing services over the web need to secure all data in transit. It's helpful if the users are aware of the risks, but in today's day and age I don't see your average users able to comprehend th
HTTPS or SSL isn't enough? (Score:3)
So if you use HTTPS or SSL secured connections, how are these connection types vulnerable on unsecured wifi?
Re: (Score:2)
So if you use HTTPS or SSL secured connections, how are these connection types vulnerable on unsecured wifi?
Virtually all browsers contain root certificates which have been shown to be untrustworthy. It isn't really safe to trust SSL for your security anymore. You need a reliable Internet provider.
Re:HTTPS or SSL isn't enough? (Score:4, Insightful)
Who do you trust as a reliable Internet provider? You're better off just deleting all root certificates (if you're that kind of paranoid) and make exceptions for every single site you visit.
OR you could just do like me: you don't store information that matters in places you don't have full control over.
Re: (Score:2)
A friend of mine recently sent me these two links:
http://www.vpngate.net/en/ [vpngate.net]
http://www.vpnbook.com/feature... [vpnbook.com]
I've played with them both, they're not bad backups. They're as trustworthy as they are but they're free. They seem to be fairly legit. If I were just browsing at an airport, I'd be okay with that. I wouldn't do banking on 'em or anything like that. As I recall, the second one was better than the first as far as throughput and reliability. I played with 'em for a few days.
Re: (Score:3)
Nevertheless, clickbaity summary is clickbaity. All the article mentioned was that traffic had analysed which sites users had visited, NOT that any of them had been compromised.
Does one trust the findings of a paranoid article at face value pimping avast and various VPN services?
That's not to say indiscriminate public wifi is legit but I don't think it's telling us anything we didn't already know.
Re: (Score:2)
Virtually all browsers contain root certificates which have been shown to be untrustworthy. It isn't really safe to trust SSL for your security anymore. You need a reliable Internet provider.
Yea, go find that reliable Internet provider that connects you to the same untrustworthy Internet.
Logging=hacking? (Score:4, Informative)
"logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. "
Logging is a long way from poisoning an arp table, serving tainted SSL and recording packets plain text.
Why shouldn't it be safe? (Score:5, Insightful)
The bigger question is, why shouldn't it be safe to connect to any random Wifi hotspot? Literally everything should be using https by now, SSL certs are even available for free, so there's no excuse not to. I often connect to public Wifi hotspots (and use a VPN since I know that everything is *not* secured with SSL) and there's really no other option (other than "never use public wifi hotspots") since there is no way to know whether the "Starbucks" or "Starbucks - SFO" or "Starbucks - Public" SSID is the legitimate one.
Re: (Score:3)
there is no way to know whether the "Starbucks" or "Starbucks - SFO" or "Starbucks - Public" SSID is the legitimate one.
And there's no way to know what these "legitimate" hotspots are doing with your data either. Treat everyone as the attacker and your options become far clearer.
Pretty much (Score:2)
When I'm traveling, I always connect to public WiFi in the airport. It is usually pretty easy to tell which is the "official" airport one but whatever. I just fire up my VPN and go about my business. I know it isn't encrypted, isn't secured, etc. However getting things encrypted is cheap and easy as you say.
Re: (Score:2)
Heck, I just do that no matter what WiFi I'm connected to out of habit. Even at the in-laws house where I'm the designated network administrator (the guy who configures the router and gets called when something breaks) I use the VPN to home for all my network traffic. About the only time I don't use VPN is when I'm at home and need to use the printer...
Re: (Score:2)
MS-Dos 5.0 with Windows 3.11, or if you really insist, OS2.
Please, Avast, continue! (Score:4, Interesting)
Please, continue this research and expand it to every airport! And make it a permanent thing!
Seriously: Avast is a "security" company that sells security to those feeling "insecure". So it's in their best interest to keep that feeling, seeing threats where there are none. In this case... why should a public WiFi network be more trustworthy than any other network in the middle of the big Internet? You should be doing SSL/TLS, SSH, etc. by now everywhere and that's it.
Aspire to be reckless. (Score:2)
Simple countermeasure! Just boot up your old Aspire One netbook with XP 'beast', an obsolete alternative distribution of XP where anything that stunk of bloat was omitted or disabled or covered with Hazmat stickers or XOR'd out and ridiculous excess like print spoolers are absent, and nothing is guaranteed but things just might load at all, eventually. This screaming monster only takes three times as long to boot as you'd expect. Then the many Atheros Wifi drivers which do not work fail to load successively
Always assume wifi is untrustworthy (Score:2)
Always assume wifi is untrustworthy and you'll be fine. You don't need to pay companies like Avast to cover your behind. Most websites these days with sensitive information use https/SSL. Slashdot does not. But I care little about my Slashdot account.
You cannot recognize "safe" WiFi (Score:5, Insightful)
In most circumstances you cannot recognize or verify that a given public WiFi network is safe. What you do instead is assume it is non-safe and use secure communication technologies, like SSH, VPN links, etc. This has been known for ages.
Incidentally, logging traffic is not "hacking".
Does Everyone Have State Secrets On Their Phone? (Score:2)
VPN Difficulties (Score:5, Interesting)
You know, I see constantly people advising that you use a VPN when connecting with pubic wifi, without anyone ever acknowledging the difficulty of this problem.
You see, between when I click "Connect" on the public wifi click-through, and when I have time to connect my VPN client, probably 50 different applications on either my laptop or my mobile phone HAVE ALREADY likely detected a positive connection and reached out to the internet. Any or all of these connections could already be compromised, BEFORE I can even get my VPN connected.
Until OS vendors like Microsoft, Apple, and Google recognize this problem and allow you to create a rule like "Never connect to non-local addresses over a route that traverses unencrypted wifi", this will continue to be a problem. I wish more people were discussing it, because I see no solution in sight. The closest thing to a solution is with Android you can use Tasker to automate connecting your VPN as soon as it can see the VPN server, but even at this point, at best it's a race against all the other processes on your phone firing up as well.
Re: (Score:3)
On Windows you just configure the firewall to block all apps from accessing the wifi (only allow connections to the VPN's TAP connection), except for a browser you keep installed specially just to access the wifi login page.
Presumably the same thing would work on Linux. On Android you can do it if you have root and install something like iptables for your firewall.
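The Linux variant the comment above guesses at can be checked after the fact. This added example (not part of the thread) audits `iptables-save` output for rules that would let traffic leave the Wi-Fi interface outside the VPN; the interface names `wlan0`/`tun0`, the VPN endpoint `203.0.113.10:1194/udp` and uid 1500 for a portal-only browser account are assumptions, and both rulesets are constructed.

```python
import shlex

# Constructed `iptables-save` samples. Interface names, the VPN endpoint (a
# documentation address) and uid 1500 (an account that runs only the
# captive-portal browser) are assumptions made for this example.
STRICT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -o wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o wlan0 -m owner --uid-owner 1500 -j ACCEPT
COMMIT
"""

LEAKY = """\
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT ! -o tun0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Turn one '-A OUTPUT ...' line into {option: value}; notes '!' negations."""
    tokens = shlex.split(line)[2:]
    rule, negate, i = {"raw": line, "negated": set()}, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
        elif tok.startswith("-") and i + 1 < len(tokens):
            rule[tok] = tokens[i + 1]     # every option used here takes one value
            if negate:
                rule["negated"].add(tok)
            negate = False
            i += 1
        i += 1
    return rule


def parse_output_chain(text):
    """Return (default policy, rules) of the filter table's OUTPUT chain."""
    policy, rules, in_filter = None, [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":OUTPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A OUTPUT "):
            rules.append(parse_rule(line))
    return policy, rules


def audit_kill_switch(text, wifi_if, vpn_if, vpn_ip, vpn_proto, vpn_port, portal_uid=None):
    """List every way traffic could leave outside the tunnel (empty list = none found).

    Conservative: any ACCEPT rule that is not on the allow-list below is reported,
    even if an earlier rule would shadow it.
    """
    policy, rules = parse_output_chain(text)
    findings = []
    if policy != "DROP":
        findings.append(f"OUTPUT policy is {policy}, not DROP: unmatched traffic is allowed out")
    for n, r in enumerate(rules, 1):
        if r.get("-j") != "ACCEPT":
            continue
        out, proto, dport = r.get("-o"), r.get("-p"), r.get("--dport")
        allowed = not r["negated"] and (
            out in ("lo", vpn_if)                                       # loopback, the tunnel
            or (out == wifi_if and proto == "udp" and dport == "67")    # DHCP lease
            or (out == wifi_if and r.get("-d") in (vpn_ip, vpn_ip + "/32")
                and proto == vpn_proto and dport == str(vpn_port))      # the VPN handshake
            or (out == wifi_if and portal_uid is not None
                and r.get("--uid-owner") == str(portal_uid))            # portal-only browser
        )
        if not allowed:
            findings.append(f"rule {n} accepts traffic outside the tunnel: {r['raw']}")
    return findings
```

IPv4 rules do not cover IPv6, so the same audit has to be run over `ip6tables-save` output as well.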
Re: (Score:2)
I use Cloak on iOS, and it supports this functionality. I configure it to allow unencrypted traffic on specific trusted networks, and the VPN auto-connects on any network that I haven't approved, blocking other traffic until the VPN comes up. It seems to use the enterprise features Apple has provided to do this via a VPN profile, and it works very well. I have no idea what features it supports on Android and/or Windows Phones, but I'm very happy with it on Apple devices.
Re: (Score:2)
Right, I know about this option. But since you likely do not want to use VPN when not on unencrypted wifi - because it eats CPU for breakfast - this is still not the answer.
Re: (Score:2)
You know, I see constantly people advising that you use a VPN when connecting with pubic wifi,
The last time I tried this, she slapped me.
Windows Phone does this automatically (Score:2)
So I would be in a shopping centre and my phone would auto connect to the wifi (which was of course open but without internet unless you punch in some code you get on your receipt when you buy something). I'd then try to check my mail and find i
Funny they chose an airport... (Score:2)
Some airports have the worst wifi ever! People who are just passing through won't connect to roaming data services which are beyond expensive but will look for a working wifi anywhere. Passed through Toronto Pearson Airport late January 2016: Possibly the worst wifi ever. Hard to connect, frequent drops, basically no actual network connection. I was basically looking for *anything* to get connected and would most likely have jumped on any open network...
The fascination with proving ignorance. (Score:2)
So, a security company that makes a living creating software to protect the stupid and ignorant from the dangers of the internet, somehow needs to perform yet another test to prove just how stupid and ignorant consumers are about security.
Sorry, but it doesn't matter if it's political or technical. I grow very tired of pointless surveys proving how stupid consumers can be. It's pointless because consumers don't care. That's not going to change, and we have the statistics to prove it.
Consumers are ignora
Google VPN (Score:2)
I use Project FI, and on my Nexus phone google already automatically VPNs my data when using public wifi. So the only monster with my data is the same monster I already trust with my data, google.
Why would that be a reckless behaviour? (Score:4, Insightful)
Re: (Score:2)
Terrible use of hyphenation aside (it reads ... like .. it was ...spoken by ... Shatner): people should fear such things, because they're very real and present dangers in our lives. It's not some abstract thing, it's a real issue.
Yes, Avast wants to sell you security. But any halfwit who even pays a little attention to the news headlines on tech websites should be able to grasp that, yes, hacking and information theft is a thing, it happens all the
Re: (Score:2)
Just say "NO!" .... To Windows....
Unless you insist on running Windows 10, then just say "No" to the dialog during the setup..
Just in case it's lost on somebody, I'm making a joke....