Saturday, November 19, 2011

UK Internet Blackhole

I have family in Motherwell (for those that don't know it's in scotland). After seeing this article about the town's lack of facebook users (the town has always been a bit delipidated) so I decided to keep my techno-eyes peeled for technology mishaps or goodies on my recent visit to the town. I stayed at two hotels, obviously not at the same time, the first hotel had no WiFi it wasn't a surprise. Second hotel had WiFi it was unsecured, I wasn't surprised. It seemed to take a seriously long time to obtain a DHCP lease from the network so I did a little digging. It seems that the hotel's network was being managed remotely, probably has part of a block with other hotels within the same ADSL ISP. This surprised me a little; I would have thought, given the setup, that the ISP obviously providing a service to business would have the knowledge and sense to secure the AP. I encrypted anything mildly sensitive through an SSH tunnel, SSL would probably cover my email login, but I was feeling paranoid.

Next stop, the local library. Unsurprisingly their access points were unsecured, very well you say as it's meant to be public. Yes, and, no. A public network should be accessible, but shouldn't each separate link (wifi-user) be encrypted from other users to avoid sniffing? Well I that's my take, it seems to be a question few people asking  when it comes to security of intentional-open public networks accessible to everyone (e.g. libraries, major transport hubs, etc., etc.). Whilst SSL, will in most cases, help a user protect credit card details, email logins etc., all other internet bound traffic can be sniffed easily. With the advent of 4G I'm expected the ISPs and Mobile telecoms to converge somewhat, and, hopefully develop viable solutions to this problem. The mobile telecoms already did this for GSM (and presumably 3G and HPSA are also encrypted but I don't know enough about them to say for sure), albeit weak encrytion by today's standards but they did achieve it. Now the same technology is required for WiFi points.

In summary, in the past we sent information via emails and MSN messenger that we perhaps might not wish others to get their ends on, and, we (or rather those of us who are tech-savvy) did this with the knowledge it was sent in clear-text. In those days, it was an acceptable risk (as long as you weren't given your credit card details to a mate) you could see the cable to your internet modem and you were happy that no one was siphoning your data from there. Then you were happy that no-one at your ISP was that interested in your data (they should be earning enough from the $£ you send them once a month). Once it was there, you were reasonably happy that fred-next-door doesn't know you called him a c**t  to your sister on MSN. The difference now-a-days is that the node closest to you is no longer secure, so those in your immediate area can snoop were they couldn't before wifi came along. Particularly because, attackers can now be yards away from you, there is an enhanced social-security issue. Vulnerable individuals, such as children, could be put at greater risk. For example given the library scenario, a child may message a friend using an IM such as MSN, if they have a photo of themselves and their IM alias is their real name, a wifi sniffer could easy intercept this through an unsecured wifi point. Once a stranger can put a name to a child's face, the child is at a much greater risk. This example is one of many, I'm sure this is one of the more convoluted examples but I hope it is understandable to most.

As for Motherwell, I know that most of my, or at least most of the younger, relatives are using Facebook. In fact, a 15yo relative posts at least three public fb messages a day, complete with scottish accent. So, I can't pass too much judgement on the town with regards to social media, but as wifi points go I think hotels should restrict wifi to patrons only, and, libraries should restrict theirs to members only. To be honest, I wouldn't be surprised if Motherwell was the UK's most gravitating internet blackhole.

Or you can ignore me completely and join the campaign beneath:
http://www.dansdata.com/gz080.htm




No comments:

Post a Comment