Skip

All Your ***** Belong To Us
September 16, 2013 6:20 PM   Subscribe

Google knows almost every wi-fi password. Of course this means that the NSA also has access to them. Apple might not be much better.
posted by blue shadows (97 comments total) 24 users marked this as a favorite

 
They also know your email password.

And have your email.
posted by effugas at 6:24 PM on September 16, 2013 [50 favorites]


Mine is swordfish
posted by mattoxic at 6:32 PM on September 16, 2013 [9 favorites]


•••••••
posted by tomierna at 6:35 PM on September 16, 2013 [4 favorites]


psst you can change your wifi password .. and then sell your Android .. and buy a Newton
posted by RobotVoodooPower at 6:35 PM on September 16, 2013 [6 favorites]


mine is hunter2
posted by xbonesgt at 6:35 PM on September 16, 2013 [17 favorites]


Came to make a hunter2 joke. Was too late. As usual.
posted by etc. at 6:37 PM on September 16, 2013 [9 favorites]


And THIS is why I bought all that stock in tinfoil companies.

Really, people. You're sending all this data through the air, through wires, through your apartment building's wifi, through your college's wifi, through your neighbor's router (who forgot to password protect it and you're stealing his broadband). Your isp, your workplace, the airport, airplanes, etc, etc, etc..

If you want privacy, whisper in someone's ear, at night, in the desert, under a blanket...but only while the wolves are howling to cover the sound.
posted by HuronBob at 6:37 PM on September 16, 2013 [20 favorites]


ANY US company can be legally compelled to divulge any information they have from you to the NSA, and they can even be forbidden to tell you about it. That needs to END. Until it does, it's going to be a dark cloud over all American tech companies.
posted by JHarris at 6:37 PM on September 16, 2013 [14 favorites]


hasn't this been an ongoing thing people knew about for ages with their wifi snooping shit?

I keep only finding recent articles(probably because this just became news again), but i swear i remember hearing about that starting to become a known thing/court case maybe even 3 years ago.

I figured it was a pretty forgone conclusion that they had this type of info even then.
posted by emptythought at 6:42 PM on September 16, 2013


This does tend to be what happens when you tell them your wi-fi password, and have them remember it for later.
posted by CrystalDave at 6:44 PM on September 16, 2013 [18 favorites]


My wifi network is named "The Masturbatrix".
posted by nathancaswell at 6:46 PM on September 16, 2013 [12 favorites]


It seems to me that unbreakable encryption and private data is the same now as it was 60 years ago and will be the same 60 years from now: One-time pads and paper in a safe. Preferably hand written paper or failing that typed and printed on a computer that has no wifi capabilities and is physically disconnected from the internet.
posted by Justinian at 6:50 PM on September 16, 2013


If you think that's bad, the GOVERNMENT knows your SOCIAL SECURITY NUMBER, your DATE OF BIRTH and YOUR HOME ADDRESS.
posted by TrialByMedia at 6:55 PM on September 16, 2013 [60 favorites]


This was going around all the tech aggregators last week. It may be the dumbest tech article I've read all year. Certainly got them a bunch of pageviews though.
posted by markr at 6:56 PM on September 16, 2013 [4 favorites]


This explains a lot. Lately, I have noticed a serious degradation in my Internet speed, and through careful research, I have been able to determine that there has been continuous, unauthorized access to and use of my bandwidth by the Google. Luckily for me, I have fixed this issue simply byTHERE IS NOTHING TO SEE HERE, EVERYTHING IS NORMAL, CONTINUE TO GO ABOUT YOUR DAY.
posted by Debaser626 at 7:02 PM on September 16, 2013 [1 favorite]


It may be the dumbest tech article I've read all year.

That's saying something when 99% of tech journalism falls into one or more of the following stupid buckets:

1. Will Apple's next device solve world hunger?
2. The newest Apple device is stupid and I hate it.
3. Ballmer sucks.
4. Your weak security half-measures are weak and you should be scared.
posted by TrialByMedia at 7:06 PM on September 16, 2013 [10 favorites]


5. The NSA is the worst.
posted by Going To Maine at 7:07 PM on September 16, 2013 [2 favorites]


"hasn't this been an ongoing thing people knew about for ages with their wifi snooping shit?"

This is entirely separate from that.

" It may be the dumbest tech article I've read all year. "

Yeah, it's kind of silly. Like this bit quoted from a TechRepublic writer:

"The fact that my company can easily lose control of their own proprietary WPA2 encryption keys just by allowing a user with an Android device to use our wireless network is significant."

Dude, your company is giving every employee that key. It's clearly not the secret formula for Coca-Cola.

The fact that Google has Android users' wifi keys as part of the automatic backup to the cloud of user data is about 212th on the list of things to be concerned about because they're stored in the cloud. That government agencies can get your wifi key by subpoenaing Google is nothing to be concerned about, because the other information they can get is more immediately useful to them and probably as revealing and, in the event they are actually interested in your LAN traffic, you're in very deep shit, anyway.
posted by Ivan Fyodorovich at 7:07 PM on September 16, 2013 [6 favorites]


Wait... Google has the formula for Coke?
posted by HuronBob at 7:09 PM on September 16, 2013 [3 favorites]


Wait... Google has the formula for Coke?

You'd be surprised how many corporate leaks are due to someone accidentally tossing a search into Google, rather than corporate intranet search.

"Let's see if anyone's figured it (the recipe) out... Ah, shit."
posted by CrystalDave at 7:18 PM on September 16, 2013


"Wait... Google has the formula for Coke?"

Yes, and they're happy to share it.
posted by Ivan Fyodorovich at 7:19 PM on September 16, 2013 [1 favorite]


If you want privacy, whisper in someone's ear, at night, in the desert, under a blanket...but only while the wolves are howling to cover the sound.

In the current regulatory climate, that is true. No measures we can take as individuals can preserve our privacy. What could end intrusive practices by corporations and government is legislation. For that to happen we'd need privacy to become a significant election issue. In spite of everything that's coming to light, we seem to be a long way from that.
posted by justsomebodythatyouusedtoknow at 7:21 PM on September 16, 2013


I have no wi-fi password. SCREW YOU GOOGLES.
posted by fluffy battle kitten at 7:24 PM on September 16, 2013 [1 favorite]


Just the other day, I renamed our home WiFi network SSID to "FBI Surveillance 3".
posted by double block and bleed at 7:25 PM on September 16, 2013 [7 favorites]


My wifi network is named "The Masturbatrix".

Mine is "Surveillance Van #3"
posted by Brandon Blatcher at 7:26 PM on September 16, 2013 [4 favorites]


I thought it was pretty funny. Then I realized that my redneck neighbors probably don't know what "surveillance" means.
posted by double block and bleed at 7:28 PM on September 16, 2013 [2 favorites]


My SSID is "Social Security Data Extraction." Forreal.
posted by spikeleemajortomdickandharryconnickjrmints at 7:33 PM on September 16, 2013 [3 favorites]


I'm just going to watch The Lives of Others and wait for the 3:00 a.m. knock on the door.
posted by mecran01 at 7:36 PM on September 16, 2013 [1 favorite]


hasn't this been an ongoing thing people knew about for ages with their wifi snooping shit?

If you've enabled encryption, they can't read your password even if you log in while they're parked outside. If you haven't enabled encryption, there is no password and your neighbors are at this moment enjoying your porn. So no, this hasn't been an ongoing thing, this is something quite different.
posted by George_Spiggott at 7:42 PM on September 16, 2013 [1 favorite]


I like to stick with classic passwords like Joshua.
posted by Ad hominem at 7:42 PM on September 16, 2013 [11 favorites]


It scarcely matters anyway -- when the singularity comes and we all upload our consciousnesses into the cloud, whose servers do you think we'll be running on?
posted by George_Spiggott at 7:46 PM on September 16, 2013 [2 favorites]


Google can read the password assuming the configuration file is backed up to their system in unencrypted form, they don't encrypt your personal data on the server using something linked to your password, and they (or someone who has worked on the login process) is corrupt enough to grab the plaintext version of your password so that they can decrypt your personal data with it.

I mean, maybe they do make these things backdoor-accessible for law enforcement, but it seems kind of farfetched to me. What company wants to have a plaintext copy of any password? The liability is horrible.
posted by mikeh at 7:47 PM on September 16, 2013 [3 favorites]


This is why I only log in to the network at Flowers By Irene.
posted by The Whelk at 7:48 PM on September 16, 2013 [6 favorites]


"Wait... Google has the formula for Coke?"

Coke could hand out the recipe willy-nilly. Doesn't matter. The most important ingredient is illegal to obtain in most places, the coca leaves.
posted by Mister Fabulous at 7:55 PM on September 16, 2013 [1 favorite]


I mean, maybe they do make these things backdoor-accessible for law enforcement, but it seems kind of farfetched to me. What company wants to have a plaintext copy of any password? The liability is horrible.

My guess? This will prove to be a prescient comment.
posted by ryanshepard at 7:59 PM on September 16, 2013 [1 favorite]


You can choose to backup your iPhone to your computer, just like we used to do before iCloud and you can encrypt that backup. I'm sure the same thing can be done with an Android phone. If you're concerned, switch your backup strategy and change your wifi passwords.

What's going to be really interesting is Apple's forthcoming iCloud based keychain. It's going to take some convincing before I put all my passwords on Apple's servers, that's for damned sure.
posted by sfred at 8:00 PM on September 16, 2013


"Wait... Google has the formula for Coke?"

Coke could hand out the recipe willy-nilly. Doesn't matter. The most important ingredient is illegal to obtain in most places, the coca leaves.


Man, we keep talking about the secret recipe for Coke and no one has linked to the This American Life story where they revealed the recipe? Their most-downloaded episode of all time? I shall change that.
posted by Going To Maine at 8:00 PM on September 16, 2013 [1 favorite]


What company wants to have a plaintext copy of any password? The liability is horrible.

In order to use your restored password to connect to your access point, they either have to store it unencrypted or in an encryption that they themselves can reverse either on the server or the device.

An ideal solution would be if each device had a secure storage chip that nobody could access (without a JTAG-type physical connection to the board, anyway) with its own public/private keypair which is not erased when the device is reset. It would then be able to backup a separately encrypted keychain and have the ability to decrypt it when it was restored. This would allow your device to store and back up any amount of encrypted data.

This wouldn't prevent Google (or other malware) from putting code on the device to decrypt your data if they wanted to -- but it would allow them to provide this service without doing so.
posted by George_Spiggott at 8:05 PM on September 16, 2013 [2 favorites]


My downstairs neighbors went with the totally accurate but nonetheless disturbing "2Girls1Wifi" as their SSID. Google's probably gonna hold off on surveilling that one too hard.
posted by invitapriore at 8:15 PM on September 16, 2013 [6 favorites]


My Wifi password is suckitgoogle. Heh, owned.
posted by Ghostride The Whip at 8:24 PM on September 16, 2013 [5 favorites]


My password is DELETE * FROM SUPERSECRETTABLE ... hope that doesn't backfire.
posted by msbutah at 8:32 PM on September 16, 2013 [1 favorite]


My wireless access is open. If anybody sits in my driveway using it, my neighbor will come over and check them out. Excellent security.
posted by theora55 at 8:33 PM on September 16, 2013 [3 favorites]


Who would have guessed that when you check a box labelled "Back up app data, Wi-Fi passwords and other settings to Google servers" that it would lead to a situation where your Wi-Fi passwords were sent to and stored on Google's servers?

Quickly, to the Ric Romerocopter!

(Text from cm 10.2-20130916-NIGHTLY-flo. YMMV.)
posted by sourcequench at 8:36 PM on September 16, 2013 [7 favorites]


I'm trying to think of a scenario where it's worse for Google to have my wifi password than to have a copy of every email I've ever sent or received, and I'm not coming up with any.
posted by edheil at 8:39 PM on September 16, 2013 [15 favorites]



I know they have everything and I don't care, personally.

However, I feel like I should do something extra for security simply because I DO have nothing to hide.

I'm probably not making a sound logical argument here.

But I get so overwhelmed by security stuff these days because I have been out of touch with this issue.

And it seems like every new privacy thing is constantly becoming figured out by the govt. or shown to be inadequate.

I guess all i can do is write letters to my congressbots. I probably don't even have to send them if i type a draft in gmail...
posted by sio42 at 8:47 PM on September 16, 2013 [3 favorites]


If they have my WiFi password, I wish they'd tell me what it is - I can't remember it and it's become quite a pain.
posted by dotgirl at 8:55 PM on September 16, 2013 [11 favorites]


I should have been suspicious when the google camera car drove through my living room.
posted by cacofonie at 8:55 PM on September 16, 2013 [10 favorites]


You mean "All your ****** ARE belong to us".
posted by paladin at 8:59 PM on September 16, 2013 [4 favorites]


Assuming The Government does have wifi password, is that really going to be a problem? I mean seriously at that point they need to be physically near your location in order to sniff your internets, at which point they could just go across the street and tap the cable that, more or less, is connected to your wifi router.

Your wifi password isn't protection from the spooks anyway, it's to protect against the much less sophisticated attacker. It's more like a deadbolt lock on a door stops most burglars. Yeah they could kick the door down or pick the lock, but that's a pain in the butt so they move on to the next person.
posted by aspo at 9:18 PM on September 16, 2013 [5 favorites]


Who would have guessed that when you check a box labelled "Back up app data, Wi-Fi passwords and other settings to Google servers" that it would lead to a situation where your Wi-Fi passwords were sent to and stored on Google's servers?

Given that the box is checked as a factory setting, nested two menus deep, and at least some of us never even thought to look and see if Google was "offering" to back up our phone settings? Maybe fewer people than you think. (Yes, I know, it says Google right on it, so I should expect data-mining in the name of support. I just didn't expect that particular "convenience feature".)
posted by gingerest at 9:20 PM on September 16, 2013 [1 favorite]


Hate the concept, but lost a G3 replaced with a G4 and sure enough, as soon as I logged in as me, weeee! all my data and settings came flying through. I would like to be able to back it up to my own pc rather than the Google cloud. I hate that they have all this info, but this particular information is really, to me, not much of a big deal. I never use the same password for more than one login and if they want to get onto my Verizon router, I am quite confident Verizon will let them anyway. And not tell me.
posted by JohnnyGunn at 9:27 PM on September 16, 2013 [1 favorite]


Assuming The Government does have wifi password, is that really going to be a problem?

Since the government can legally put a tap on your computer if it suspects you of a crime, no.
posted by Going To Maine at 9:27 PM on September 16, 2013 [1 favorite]


Not really germane for this, but can't anyone who wants privacy in their emails run everything through PGP first? Or did I miss that being broken?
posted by klangklangston at 9:49 PM on September 16, 2013 [2 favorites]


What exactly would the NSA and/or our Google Overlords do with my wifi password? It's like the government having copies of all our front door keys. It's not as if the lock is what's stopping them coming into your house.
posted by BungaDunga at 9:51 PM on September 16, 2013 [9 favorites]


PGP should still be fine. I recommend checking out Bruce Schneier's blog post on how to remain secure against the NSA.
posted by Going To Maine at 9:53 PM on September 16, 2013 [1 favorite]


PGP protects the contents of the mail, not the information about who it was sent to, when, that the email is encrypted, or how big it is. In aggregate, this information can reveal a great deal. It is, as the name says, pretty good privacy, but perhaps not good enough privacy.
posted by wotsac at 9:55 PM on September 16, 2013 [1 favorite]


I.e. if you always see two coworkers talking to each other in an unfamiliar language, you can infer a fair bit from who they are, when they talk, whether they use the prevailing language or their own, and their tone of voice, without understanding a word of their conversations.
posted by wotsac at 10:00 PM on September 16, 2013 [2 favorites]


Of course they have my WiFi password. I contract for them. They also have my name, address, phone number, SSN, every bit of email I've sent and received since Gmail was invitation only, my CV, my photos, and they probably have a pretty good idea of my sleep schedule, based on when I log in and out for work. I cannot imagine why I should be upset that they have information I freely GAVE them.

The NSA? The NSA does not give a sugar-coated shit about my WiFi password. Which is xocolatl271, so there. If they're so hard up for WiFi access, they can ring my damned bell and come in for a cup of coffee. If they thought I had something nefarious going on, they'd already be into more than just my WiFi.
posted by MissySedai at 10:17 PM on September 16, 2013 [5 favorites]


I.e. if you always see two coworkers talking to each other in an unfamiliar language, you can infer a fair bit from who they are, when they talk, whether they use the prevailing language or their own, and their tone of voice, without understanding a word of their conversations.

This is true but (and I am not digging through the NSA threads to ferret this out) given that pen register/metadata info has long been available to police for phones and cell phones with minimal judicial involvement, you probably have a much longer row to how than turning over any recent NSA actions if you want the government to not have the right to peek at that info with minimal oversight.
posted by Going To Maine at 10:26 PM on September 16, 2013


Interesting and annoying. Given that their frenemy can figure out a NSA proof scheme for browsers, Google's explanation doesn't seem very airtight.

Anyways, I'm not so pissed about them having my home wifi password (although it will be annoying to retype the long random key my firmware generates into everything) but my employer has pretty clear polices that I not share my password with anyone. Not even Google -- we implement SSO for gApps and it's annoying to see their devices default to circumventing that policy.
posted by pwnguin at 10:26 PM on September 16, 2013


What exactly would the NSA and/or our Google Overlords do with my wifi password? It's like the government having copies of all our front door keys. It's not as if the lock is what's stopping them coming into your house.

We know where you are. We know where you've been. We can more or less know what you’re thinking about.

If you have something that you don't want anyone to know maybe you shouldn’t be doing it in the first place.

Just remember when you post something, the computers remember forever.

You can trust us with your data... In Britain, you all allow yourselves to be photographed on every street corner. Where are the riots?

We are willing to get it one way or another.

...

What exactly do you have to hide, anyway, citizen?
posted by Blazecock Pileon at 11:14 PM on September 16, 2013 [3 favorites]


Mine is PASSWORD4. A little techy tip here - if you change the number on the end every few years, they'll never guess it.
posted by Segundus at 1:34 AM on September 17, 2013 [3 favorites]


Why on goddess' green earth would they care about your wifi password when they're already getting the data from the wan port on the other side of the device? Your ISP has already let them do this, remember.
posted by mcrandello at 1:47 AM on September 17, 2013 [3 favorites]


Good. I look forward to them activating an entirely distributed shared wifi network one day when the cable companies work with their congressional partners to try to extort fees from websites for traffic.
posted by srboisvert at 1:49 AM on September 17, 2013 [1 favorite]


This is stupid. Why would google store the passwords unencrypted, or have provision to have access to them. It would be like sitting on a massive liability bomb waiting to go off. Google got crucified for inadvertently snooping unencrypted wifi data when gathering wifi metadata for its location services. What possible reason would they have to want the access to your encrypted wifi for, other than to prompt a massive shitstorm when that gets pulled with a subpoena someday?

The passwords would be hashed for storage like any other password online ever.

Running out of garbage to write scary articles about, I think.
posted by Thoth at 2:35 AM on September 17, 2013


If someone made safe encryption really easy to install and use with common apps such as Google Mail, and everyone started using this encryption as a matter of course and a matter of principle, would this make the NSA people cry?
posted by pracowity at 2:55 AM on September 17, 2013


My wifi password may or may not be:
3BHIZO4EcEXMHOGXzDdrNhxjb7zyrUTfgYf2QT9MKAEoLaTALJMMj1tBHXgvcW

Good luck with that one, hackers.

The point of the article isn't so much that google has the passwords, but that the big bad government can subpoena that information from them without anyone knowing. It's still silly, because the government can subpoena anything they want if they can convince a judge it is relevant.
posted by gjc at 3:31 AM on September 17, 2013


1. "Convincing a judge that it is relevant" is a decent barrier of importance, at least for courts that aren't FISA.

2. It's not just that it can be subpoenaed, but it can be done entirely secretly, and the company can be legally required to lie about getting the "national security letter" and whether they complied with it.

So no, it is not "silly."
posted by JHarris at 3:36 AM on September 17, 2013 [3 favorites]


Given that the box is checked as a factory setting, nested two menus deep, and at least some of us never even thought to look and see if Google was "offering" to back up our phone settings? Maybe fewer people than you think.

It comes right and asks you if you want to enable those backups when you first set up your phone, so it's not as if it's hidden. And Android does have at least one security benefit over iOS in that it actually tells you every single permission that an app requests before you approve installing it.
posted by zombieflanders at 3:42 AM on September 17, 2013 [1 favorite]


I have started creating passwords out of descriptions of horribly disgusting bodily functions. The way I see it, the NSA can figure out my password anyhow, but at least I have the smug satisfaction of knowing they had to throw up in their mouths a little to do so.
posted by 4ster at 3:52 AM on September 17, 2013 [2 favorites]


I've just thought of one way it might be a problem - when you use one password for everything, including your wifi, so now google and by extension the NSA potentially has full access to everything else, even if you don't use gmail. But that's a bad idea anyway for numerous other reasons. Don't do that.
posted by ArkhanJG at 3:52 AM on September 17, 2013 [1 favorite]


The United States has a seamless end-to-end product for eliminating people. It can gather private information on you, find you anywhere in the world, and then kidnap and imprison you forever, or even kill you with a drone strike, and do it all without the messy and expensive openness and court involvement that so many other countries require.
posted by pracowity at 4:15 AM on September 17, 2013 [3 favorites]


Lets assume that Google and the NSA (and hell, Apple, Microsoft, Oracle, the FBI, the CIA, the USDA, the Centers for Disease Control and NASA) all have my WiFi password. Does anyone out there think for a second any of these organizations or corporations are out there wardriving? This is of zero concern because it's not scalable. Wholesale, not local surveillance, should be our big concern.
posted by Kid Charlemagne at 4:24 AM on September 17, 2013 [3 favorites]


George_Spiggott: "An ideal solution would be if each device had a secure storage chip that nobody could access (without a JTAG-type physical connection to the board, anyway) with its own public/private keypair which is not erased when the device is reset. It would then be able to backup a separately encrypted keychain and have the ability to decrypt it when it was restored. This would allow your device to store and back up any amount of encrypted data.

This wouldn't prevent Google (or other malware) from putting code on the device to decrypt your data if they wanted to -- but it would allow them to provide this service without doing so.
"

This technology already exists. Such a secure storage chip is called a TPM, but a) they're uncommon on phones, b) software support for their capabilities is lacking, and c) there's some concern in the tech world that the same technology can also be used to prevent jailbreaking and provide hardware level DRM. We might see more hardware protected storage in the future though, and Chromebooks already have some TPM capabilities.

Thoth: "The passwords would be hashed for storage like any other password online ever."

Err, no. Unlike with ordinary login passwords, Google can't just store a hash because the plaintext password has to be available when the user restores from a backup. They're stored just like any other Android data backed up by Google. The passwords may be stored encrypted, but the kind of functionality we're seeing proves that Google can decrypt them.

The question is whether we're seeing a reasonable mistake—"Ok, let's back up all user data, whoops, we forgot that included wifi passwords," or something more nefarious, i.e., "Ok, let's back up all the user data so their passwords are available to the government. If anyone wonders why we have them in the first place, we can say it's an accident." As a programmer, I lean toward the former—I can easily imagine such an oversight—but conspiracy theories are becoming more and more plausible these days.
posted by Wemmick at 4:49 AM on September 17, 2013 [2 favorites]


I think a couple people have hit the nail on the head, but it bears repeating.

And I repeat that, because I said it on Gawker yesterday and on Reddit this weekend, because it bears repeating.

This only affects you if you believe that the NSA and/or Google is within range of your wi-fi router. The wi-fi password is only for things to connect to your wi-fi router, it doesn't do any good to someone who is not X number of feet from your house.

Assuming that the NSA, CIA, IRS, and or Waffle House already has all of your "data" that moved between your router and the rest of the internet... then your wi-fi password is really sort of moot.

Again, I'm going to repeat myself: If this piece of news frightens you then you are not thinking logically and you have already fallen victim to fear-mongering.
posted by Blue_Villain at 5:02 AM on September 17, 2013 [6 favorites]


Why would the NSA need your wireless password when Google, Apple, Dropbox, your ISP, your cellphone provider, etc. will gladly hand over any and all information they have on you when asked?
posted by Gev at 5:08 AM on September 17, 2013


> Assuming that the NSA, CIA, IRS, and or Waffle House already has all of your "data" that moved between your router and the rest of the internet... then your wi-fi password is really sort of moot.

Why you would be using your wifi password at the Waffle House? I mean, assuming you use your laptop or iPad at a Waffle House. You'd be using Waffle House's wifi password. Assuming Waffle House provides wifi and it isn't open.

I agree the article is scaremongering based mostly on speculation rather than knowledge, but don't fight overreaction with overreaction.
posted by ardgedee at 5:16 AM on September 17, 2013


mcrandello: "Why on goddess' green earth would they care about your wifi password when they're already getting the data from the wan port on the other side of the device? "

Knowing your wifi password would allow someone to sniff the interdevice communication (EG: between your computer and your NAS) that never hits the wan port.

Thoth: "The passwords would be hashed for storage like any other password online ever."

A hashed password in this case doesn't do any good; you need access to the orginal because the password is for a third party. IE: if your router password is 1234567890abcdefghijklmnopqurstvwxyz google has to store 1234567890abcdefghijklmnopqurstvwxyz (either in plain text or as a string google can decrypt) because if they only store a one way hash of the password, say fdsafdsfion, when the router asks your new phone for a password google has to be able to provide 1234567890abcdefghijklmnopqurstvwxyz not fdsafdsfion.
posted by Mitheral at 5:23 AM on September 17, 2013 [1 favorite]


Gev: "Why would the NSA need your wireless password when Google, Apple, Dropbox, your ISP, your cellphone provider, etc. will gladly hand over any and all information they have on you when asked?"

The NSA/CIA/FBI/whatever don't have access to internal network traffic that never goes through the ISP. That's the only thing I can think of. The only plausible scenario I can imagine is if they wanted access to the network of an overseas corporation, embassy, government facility, etc. with poor security policies. But no, it wouldn't be useful for widespread spying.
posted by Wemmick at 5:26 AM on September 17, 2013


Waffle House has WiFi now?
posted by kuanes at 5:27 AM on September 17, 2013


Someone in our neighborhood has a wireless network named 'Abraham Linksys.'

Please to be hacking that, Googs. I want to be in on that network.
posted by robocop is bleeding at 5:31 AM on September 17, 2013 [3 favorites]


I changed my password at work yesterday. When I came in this morning, reading this page on my phone, it told me I had the incorrect password for the work wifi. Spooooooky.
posted by thecaddy at 5:41 AM on September 17, 2013


> Please to be hacking that, Googs. I want to be in on that network.

You're welcome anytime to borrow my guest network. Look for NSA REMOTE SURV UNIT. For some reason it doesn't attract many randoms.
posted by ardgedee at 5:46 AM on September 17, 2013 [1 favorite]


None of you seem to recognize that Wifi isn't just the first hop between you and Teh Interwebz. This can just as easily provide effortless access to non-public networks that are normally protected by these passwords. If you can't see the potential for economic espionage (among other possibilities) from this, you lack imagination.
posted by indubitable at 5:48 AM on September 17, 2013 [1 favorite]


If a password on a router is your only point of security in a non-public connection, you're doing security wrong.
posted by Blue_Villain at 6:07 AM on September 17, 2013 [2 favorites]


Besides, we're not even talking about a Snowden released data point here... at this point it's all hypothetical.

Another reason I believe that this is mostly fear-mongering and not actually something to be terribly concerned about.
posted by Blue_Villain at 6:10 AM on September 17, 2013


Tech experts claim that the only safe way you will ever have from the govt being able to obtain any and all things it wants from any and all people using anything electronic, or phones, or regular mail, is to have Congress pass strong laws outlining what can and can not be gathered by NSA...Fat chance they will do that.
posted by Postroad at 6:31 AM on September 17, 2013


You are not interesting. All of you are interesting. Once I understand all of you, then you may be interesting, but only if you are anomalous in your behavior, comparative to your neighbors, your social circles, your internet traffic, your love of kittens, your preference for pirates over ninjas, the web sites you visit - but really it is only when you traffic odd sites.

Good news, I have it on good faith that there are tens of thousands of people worldwide that seem to click on many of the same links as you just because of a professional blue background. In other words, if we all click together our behavior is less likely to be flagged. Or they'll be coming for all of us - one or the other.
posted by Nanukthedog at 6:51 AM on September 17, 2013


Thinking of a router's range in terms of your signal dropping out in the upper story of your house isn't especially useful when you consider that you're probably using a device with a rather small antenna.

Range varies depending on what wifi standard, but I talked to some people who had completed a corporate security audit, including cracking down on unauthorized access points that people had stashed under their desk, and when using a 12" antenna they were able to pick up access points a couple miles away.
posted by mikeh at 8:30 AM on September 17, 2013


Given that the box is checked as a factory setting, nested two menus deep,

...in a disused lavatory with a sign on the door saying "Beware of the Leopard."
posted by George_Spiggott at 9:03 AM on September 17, 2013 [5 favorites]


I combat government surveillance by being brain-suckingly boring.

Honestly. If not for the gummint, I'd be, like, fascinatingly radical like a mofo.
posted by allthinky at 10:09 AM on September 17, 2013 [2 favorites]


Blue_Villain: "I think a couple people have hit the nail on the head, but it bears repeating.

And I repeat that, because I said it on Gawker yesterday and on Reddit this weekend, because it bears repeating.

This only affects you if you believe that the NSA and/or Google is within range of your wi-fi router. The wi-fi password is only for things to connect to your wi-fi router, it doesn't do any good to someone who is not X number of feet from your house.

Assuming that the NSA, CIA, IRS, and or Waffle House already has all of your "data" that moved between your router and the rest of the internet... then your wi-fi password is really sort of moot.

Again, I'm going to repeat myself: If this piece of news frightens you then you are not thinking logically and you have already fallen victim to fear-mongering.
"

And the funny part is that this is all due to the War on Terror.
posted by Samizdata at 11:52 AM on September 17, 2013 [2 favorites]


Mitheral: "mcrandello: "A hashed password in this case doesn't do any good; you need access to the orginal because the password is for a third party. IE: if your router password is 1234567890abcdefghijklmnopqurstvwxyz google has to store 1234567890abcdefghijklmnopqurstvwxyz (either in plain text or as a string google can decrypt) because if they only store a one way hash of the password, say fdsafdsfion, when the router asks your new phone for a password google has to be able to provide 1234567890abcdefghijklmnopqurstvwxyz not fdsafdsfion."

Not so much. WEP is susceptible to hash collision, seeing as that's basically how you hack a WEP AP. I know this from experience. I had been trying to convince a friend to lock up their WiFi better and they weren't having it. So, I dragged a lappy over to their house, and had the WEP password/colliding hash inside of about 15 minutes.
posted by Samizdata at 11:55 AM on September 17, 2013


> ANY US company can be legally compelled to divulge any information they have from you to the NSA, and they can even be forbidden to tell you about it. That needs to END.

Companies responding to subpoenas isn't likely to change, isn't limited to the U.S.A. (companies or law enforcement) and is probably a good thing. FISA courts, National Security Letters and broad collection powers are another.

What companies should stop doing is storing data that they don't need in a way that they can read it. Encrypt it with the user's password so law enforcement has to go to the user for the key. If law enforcement has enough PC for a sneak & peak to install a keylogger & get the password that way, they're doing actual detective work.

Backblaze offers you the choice to encrypt your backups to the cloud with a key they don't have. That's front number A in the struggle to reclaim privacy.

B: stop broad collection. C: allow A to continue. The FBI wants backdoors everywhere.

That's lazy policing. The FBI used to report the number of wiretaps they set up. It's tens of thousands per year and the number of time this proved useful in securing indictments or convictions is under 100/year.
posted by morganw at 12:24 PM on September 17, 2013 [1 favorite]


Subpoenas can be abused too -- generally (to my knowledge) they aren't, because the standard for issuing one is greater than what the NSA is doing. So I'm not (trying to) argue about subpoenas, just "national security letters." (God, that name. Sounds a lot like "free speech zones," doesn't it? I wonder if Frank Luntz has a role in naming these things too.)

I agree that companies store more information than they need in unencrypted forms. Police using keyloggers to get passwords, though, strikes me as iffy, as an intrusion, at least if the keylogger is being used on the accused's machine.
posted by JHarris at 1:09 PM on September 17, 2013 [1 favorite]


Are there any more secure Android distributions that replaces all the default apps that track you? CyanogenMod omits the Google Apps, yes?

I'm also curious if CyanogenMod launching a startup makes CyanogenMod more vulnerable to NSLs.
posted by jeffburdges at 1:52 AM on September 19, 2013




« Older It's been a year, and I still get questions about...   |   HEAPS OF BURGERS HEEEEAPS OF... Newer »


This thread has been archived and is closed to new comments



Post