[LINK] Google's WiFi bungle

Kim Holburn kim at holburn.net
Tue May 18 23:31:09 AEST 2010


On 2010/May/18, at 6:56 PM, David Vaile wrote:

>> Date: Tue, 18 May 2010 17:38:08 +1000
>> From: Stephen Wilson <swilson at lockstep.com.au>
>> Subject: Re: [LINK] Google's WiFi bungle
>>
>> This is a classic case of the worlds of privacy and technology being
>> totally blind to one another.  Craig's world view doesn't recognise
>> privacy principles, and typical privacy policy wonks don't know how IT
>> works.
>
> It's also a bit of fantasizing and loose thinking from the
> techno-determinists.
>
> 1. Whatever is technically possible is not necessarily expected,  
> ethical, moral or legal. Generally what you are allowed to do is  
> related to your motives, the circumstances, what others expect, and  
> the consequences.
>
> For example: you are physically able to shoot anyone nearby with a
> loaded gun you happen to possess, even if you are licensed to use it in
> certain circumstances. That is the grossest misuse, and pretty
> universally deprecated crime of murder or the like.
>

> 2. If this happened to be undetectable at the time (for instance, an  
> experimental silent X-ray gun you just invented which later caused  
> harm to your victims), the fact that they were unaware and did not  
> protest at the time does not change anything much, except the  
> practicalities of discovery.
>
> Eg in civilised society, everyone is expected to restrain themselves  
> from causing harm or interfering with the rights of others, even if  
> they can do something, even if they can get away with it.

And they are expected to look after themselves.  Australia has lots  
more nanny state laws than most countries but it doesn't always stop  
people doing really dumb things like broadcasting their personal  
details by radio around their suburb.

> So just because this stuff is out there, regardless of Privacy Act  
> or other law, does not mean you can do with it as you see fit.
>
> 3. WiFi is licensed under Radiocommunications (Low Interference
> Potential Devices) Class Licence 2000 under sections 132 and 135 of  
> the Radiocommunications Act 1992. The whole point is that it is  
> deliberately of very limited range. It is not broadcasting in the  
> broader sense. It is Narrowcasting with the Broadcasting Services  
> Act meaning, intended to be limited, not open to all, aimed at  
> particular people or a particular place, not everyone.

I was a wannabe radio ham a very long time ago, in a time when you
had to have either considerable skill (and learn Morse ;-( ) or
considerable money to be able to legally transmit almost any radio
signals at all.  Radio broadcasts - it's what it does.  Narrowcasting
is usually done with a non-broadcasting medium like cable, or possibly
tight directional beam microwave or physical media.  Broadcasting and
narrowcasting are unidirectional and the terms do not really cover a
radio technology that to work needs information going in both
directions like wifi.  Nonetheless all sides in a wifi LAN broadcast
radio signals.  They broadcast them in some cases for miles, err
kilometres.  They can be received miles away by the right equipment.
This really *is* broadcasting.  We can listen to radio signals from
other stars for goodness sake, picking up the Joneses is not that hard.

> This means it is perfectly reasonable for people to think its  
> intended use is not for everyone, but for themselves.

It's perfectly reasonable for people to think this is somehow private  
when their local LAN traffic can be picked up by passing satellites or  
cars or Google vans.  It is not private and neither legislation nor
intention is going to make it so.  (Well governments in the past have  
legislated that pi equals 3.)  Lots of people in the electronics  
industry may have an interest in selling equipment that their  
customers don't understand the ramifications of.  Doesn't make it right.

If I put a neon sign outside my house with personal details on it  
*intending* for it only to be for my use would I be surprised that  
anyone going past my house had read it?  Would I be surprised that TV  
stations came and put footage of my sign on TV?  Could I justify  
myself that it was not my intention that anyone should read it?  I  
don't think so.

> Google's use potentially does not fit this expectation.


> 4. You used to need an engineering degree to operate networks and  
> wireless links.

Not quite.

> They are now a bit easier,

To get them working, yes a bit easier.  To get them secure, not so  
much.  To limit wireless information leakage out of your own home,  
very, very difficult.

> but for ordinary people it is not reasonable to expect them to keep  
> up with developments in encryption, network security, range  
> variations etc etc. The technology is constantly changing, and
> probably needs to be made easier to install as the user intends,  
> namely just for local people. It is the equivalent of a complicated  
> lock - just because someone accidentally leaves the door open, this  
> is not an open invitation to burgle their house or listen in to  
> private communications from the door.

Yes it should have good defaults, force people who have no clue to  
change the default password etc etc.  Still basic physics says it  
broadcasts radio waves possibly for miles and basic IT says the  
majority of systems are never changed from the default so are not  
secure.  There are secure ways of connecting devices in your home.   
It's not even that difficult, in fact the tech is simple and well  
known.  It's called ethernet.

On top of all that all wifi systems broadcast some information in the  
clear, the SSID for instance and possibly MAC addresses.  (Even if you  
have SSID broadcasting turned off your AP will still broadcast the  
SSID in the clear when queried.)

As Bruce Schneier says, "no matter how good the encryption it will  
have faults."  Your neighbours can take their time.  Even the best  
encryption for wifi: WPA2-AES can be cracked if it has a bad  
password.  Actually you can make an open wifi system much more secure  
than the best built-in wifi encryption.

Some countries in Europe have laws that say you cannot run wifi  
without encryption.  These have not really helped the situation in any  
way.  Any level of wifi encryption with bad passwords is still insecure.

Kim

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request
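
The point above about the SSID and MAC address travelling in the clear, as an added example that is not part of the original post: a parser for 802.11 beacon and probe-response frames, run over two constructed frames from a network that has encryption enabled and SSID broadcasting turned off. The MAC addresses and the SSID `ExampleHomeNet` are made-up sample values, and the frames carry no radiotap header or FCS.

```python
import struct

SUBTYPES = {8: "beacon", 5: "probe-response"}  # management-frame subtypes

def build_frame(subtype, dst, bssid, ssid, privacy=True):
    """Build a constructed management frame (no radiotap header, no FCS)."""
    header = struct.pack("<HH", subtype << 4, 0) + dst + bssid + bssid + b"\x00\x00"
    caps = 0x0001 | (0x0010 if privacy else 0)   # ESS bit, plus Privacy bit
    fixed = struct.pack("<QHH", 0, 100, caps)    # timestamp, interval, capabilities
    return header + fixed + bytes([0, len(ssid)]) + ssid  # tag 0 = SSID

def parse_frame(frame):
    """Return what any receiver in range can read without knowing a key."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon or probe response")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon or probe response")
    (caps,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = None, 36                         # tagged parameters start here
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated tagged parameter")
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return {
        "kind": SUBTYPES[subtype],
        "bssid": frame[16:22].hex(":"),          # the AP's MAC address
        "encrypted_network": bool(caps & 0x0010),
        "ssid": ssid,
        "ssid_hidden": ssid is not None and ssid.strip("\x00") == "",
    }

# Constructed sample values: locally administered MACs and a made-up SSID.
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
BEACON = build_frame(8, b"\xff" * 6, AP, b"")                   # SSID broadcast off
PROBE_RESPONSE = build_frame(5, CLIENT, AP, b"ExampleHomeNet")  # reply to a query

if __name__ == "__main__":
    for frame in (BEACON, PROBE_RESPONSE):
        print(parse_frame(frame))
```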











