"Be afraid. Be very afraid."
July 1, 2010 4:40 PM

Starting today, Starbucks is offering free wifi in all of their US and Canadian stores. This has computer security folks a little edgy, since it could allow hackers and computer miscreants new opportunities to steal the data of unsuspecting computer users, and prompted Steve Gibson, computer security guru, to advise people to "just be afraid. Be very afraid." This applies to people who use laptops, wifi-enabled cellphones and PDAs. But there are ways to protect yourself.

The biggest threat comes from packet sniffers. A packet sniffer is a program that hackers can use to analyze all of the traffic on the Starbucks store's (or any open wifi) network. They just sit and wait for people to connect up to email, Amazon, or financial institutions and hope they send their passwords over a non-encrypted connection. They can also set up something called a "man in the middle" attack, where they sit and wait for you to try to connect to a server, and they intercept the communication, recording everything, and then passing it on to the legitimate destination without you being the wiser.

One of the more popular activities you'll probably want to do on the open wifi is checking your email. By default, the iPhone uses a secure connection to hook you up with a normal email server (POP, IMAP, and SMTP). On your PC or Mac notebook, you will probably need to specifically tell it to connect using a secure connection. And regardless of the device you use, if you use an online service for your mail, chances are, your password may be sent in a secure manner, but once you're past that, the messages you read will be sent in the open from services like Yahoo, AOL, .MAC, or Gmail (though you can force Gmail to work securely by connecting to https://gmail.com as opposed to http://gmail.com. There's also a setting in your preferences that forces it to work securely.) One other option is to use a service called HushMail (previously), and have all your email sources forward to your HushMail account, which is always encrypted.

One way you can keep everything you do secure is to set up a virtual private network (or 'VPN') tunnel between you and a secure computer elsewhere on the net (like your home or office). That way, all of your communication is encrypted, no matter what the status of your connection to your website. OpenVPN is a good example of the software you could use, and it's free and open source, but it can be tricky to set up. There are other programs you could use that are easier to install, but they usually cost money (examples: gotomypc which requires you to set up a remote pc with a program to monitor and receive your connection; hidemyass and securetunnel which let you use one of their computers which they set up and control (called a proxy)).

Short of that, there are Firefox add-ons that can help protect you. SSLPasswdWarning provides a warning if you click on a password input field that will transmit insecurely over a non-HTTPS connection. Facebook Secure forces Facebook to use a secure connection.

And while you're thinking about computer security, you should probably make sure your browser plug-ins are all up to date. Mozilla has a web page that will check all of your plug-ins, regardless of the browser you're using.
posted by crunchland (92 comments total) 203 users marked this as a favorite
 
Yep, no joke... years ago at a conference I was bored. I ran Ethereal and was able to see all kinds of things on what people in the audience were doing and which websites they were looking at. Theoretically I could have seen all their form inputs and so forth (except for the secure sites). Not sure how much easier that is nowadays but I would bet not much has changed. That made me a lot more careful about things like checking e-mail and so forth.
posted by crapmatic at 4:44 PM on July 1, 2010 [1 favorite]


Yeah, this sounds like a security threat from 2003.
posted by chunking express at 4:59 PM on July 1, 2010 [8 favorites]


"just be afraid. Be very afraid."

Slogan for modern life, innit?
posted by wilful at 5:03 PM on July 1, 2010


This is why I always set up an SSH tunnel to my home PC and run my traffic through that.
posted by knave at 5:04 PM on July 1, 2010


More users have marked this as a favorite post so far than have commented on it. My guess is that just because two and a half comments have been about how old-news this is, more people are going to be finding this to be genuinely valuable information to keep themselves safe.
posted by DoctorFedora at 5:04 PM on July 1, 2010 [15 favorites]


I thought Starbucks has been offering this forever. All the ones around here have for a few years.
posted by Miko at 5:04 PM on July 1, 2010 [2 favorites]


It's not news, but this is an excellent post. I didn't know about those plugins, and I've been wondering what my VPN options are.

Thanks, crunchland.
posted by heathkit at 5:08 PM on July 1, 2010 [2 favorites]


Gmail has used HTTPS by default since January.
posted by me & my monkey at 5:08 PM on July 1, 2010 [3 favorites]


Sure, it is a security threat from 2003. It's also a security threat in 2010. In fact, it's more of a security threat due to the greater use of wifi, especially among those who aren't aware that it is a security threat. Most people do not know these things. Most people would want to know these things.

"Starbucks has free wifi now" is just a hook to get people to think about this and see it as relevant. It's been relevant for a long time on all of the other free, open wifi networks at all of the other coffeeshops, libraries, pubs, and wherever elses around the world. But Starbucks changing over to free is news, and it can't hurt to piggyback a useful message on that news.
posted by whatnotever at 5:09 PM on July 1, 2010 [5 favorites]


I hate this chicken little shit. What does this have to do with Starbucks finally letting go of its pay access? Between Steve Gibson's Twitter page (tweets about iPhones and the .xxx) and website, I'm not seeing how this has anything to do with the Starbucks announcement. Even when Starbucks required a username and password at its hotspots, the traffic could be sniffed and those spy novel man-in-the-middle attacks could happen. Open hotspots are nothing new, nor are the dangers of using them. If you're not using encrypted email and websites (when necessary) after all these years and warnings, then shame on you.
posted by birdherder at 5:10 PM on July 1, 2010 [13 favorites]


I'm behind 7 proxies so I'm not worried.
posted by sourwookie at 5:15 PM on July 1, 2010 [10 favorites]


I thought Steve Gibson stopped using the internet years ago, back when raw sockets in Windows XP were going to destroy the world.
posted by ubernostrum at 5:16 PM on July 1, 2010 [23 favorites]


I thought Starbucks has been offering this forever. All the ones around here have for a few years.
posted by Miko


No they haven't. They've offered wifi access IF you pay for it or IF you used your Starbucks card once a month.

This opens it up to everyone. You simply have to check that you agree to the terms.
posted by Dennis Murphy at 5:16 PM on July 1, 2010


computer security guru, to advise people to "just be afraid. Be very afraid."

But why would he say it? WHAT WOULD HE POSSIBLY HAVE TO GAIN????
posted by drjimmy11 at 5:18 PM on July 1, 2010 [13 favorites]


My guess is they'll offer a 'secure pay access' connection as well.

But fuck it, this just gives me one more excuse not to go there (I'm pretty sure I'm the only one in my group of friends who can say I've never consumed Starbucks).
posted by mannequito at 5:18 PM on July 1, 2010


My guess is that just because two and a half comments have been about how old-news this is, more people are going to be finding this to be genuinely valuable information to keep themselves safe.

Besides this being a solid post, one can't remind people enough about computer security. And I'm habitually slacking off about mine, despite constantly talking this talk with my even less security-scrupulous friends.
posted by Doktor Zed at 5:22 PM on July 1, 2010 [2 favorites]


email, amazon, or financial institutions and hope they send their passwords over a non-encrypted connection

There are some people who don't use "https" for their email. Amazon's sign-in page is secure. And I can't imagine any "financial institution" whose primary form of currency wasn't live pigs would use an insecure sign-in page.
posted by drjimmy11 at 5:23 PM on July 1, 2010 [3 favorites]


With a solar panel, the right enclosure, a low-power nano-ITX box, and airpwn, one could hopefully Goatse Starbucks more or less at random.
posted by adipocere at 5:24 PM on July 1, 2010 [2 favorites]


Except for the Starbucks having WiFi part this is common knowledge, and most of it isn't too much to worry about anymore unless you're doing something really iffy over the web in the first place. Any legit site nowadays should be going through https for logins, email, personal data, financial transactions, and whatnot by default. Even MySpace goes through a secure connection for logins now.

For the average person who stops in and sends a few emails while updating their Facebook and tweeting about their latte, I think this is more like "be hardly afraid, in fact, don't even worry about it." If you're repeatedly plugging your life's history and credit details into shady web forms, conducting multi-billion dollar business deals, or prostituting yourself over craigslist for drugs, I suppose you should take precautions.

One thing MitM attacks are good for is annoying that perv who has been in the corner for hours watching porn. A little ARP poisoning, a little IP forwarding, a little DNS spoofing, and voila! All he gets is kittenwar.com!
posted by Avelwood at 5:24 PM on July 1, 2010 [4 favorites]


Starbucks seems to be the last coffee shop around here to have free wifi. And it's usually the last place that I would go for coffee since there are so many alternatives.
posted by octothorpe at 5:25 PM on July 1, 2010


GYOB. I mean, it's sorta kinda half way news that starbucks is offering free wifi. But the rest of it? Yes. We know. Not related to Starbucks at all.

is this a joke? this is one of those comments that makes me wonder if my sarcasmometer (pronounced sarkazz mahmehtur.) is broken.
posted by shmegegge at 5:26 PM on July 1, 2010 [2 favorites]


Snarkers: your massive superiority is noted. Please go somewhere else.

I didn't see any direct secure option for Yahoo Mail (just the VPN to your home computer). Is there such a thing? Gmail seems covered, and I appreciate the Firefox FB plugin.
posted by msalt at 5:27 PM on July 1, 2010 [1 favorite]


Hey now, some of us aren't as up to date on what's happening in the wifi world. Thanks for the post, it's always a good reminder how dangerous a freebie like free wifi can be.
posted by zardoz at 5:27 PM on July 1, 2010 [1 favorite]


I think this is a fine post, but it's basically identical to a post today on Lifehacker.

Still a good post, though.
posted by devinemissk at 5:35 PM on July 1, 2010 [1 favorite]


Thanks crunchland! This is pretty much the most useful mefi post in ages.

A sort-of related question: does the hive approve of Identity Cloaker as another tunneling option? I use it, but sometimes I wonder if I should have vetted it better.
posted by CaptApollo at 5:38 PM on July 1, 2010


The comments for the Firefox Facebook plugin mention a more general plugin called Force-TLS, which is apparently going to be worked into core Firefox eventually.

Can any knowledgeable folks suggest if this is true? Would Force-TLS be a good overall solution that would include Facebook? Thx
posted by msalt at 5:41 PM on July 1, 2010


If you want to keep yourself safe, fine, but please don't look to Steve Gibson as a "computer security guru". He's big on fear-mongering to sell his products, and has little to no credibility in the IT security world.
posted by L. Ron McKenzie at 5:42 PM on July 1, 2010 [12 favorites]


I thought it was established years ago that Steve Gibson was a complete crank. Anyway, yeah a lot of us around here have known about this stuff for years, but there's a lot of other people here that didn't so I don't see any reason to shit on this post.
posted by dead cousin ted at 5:45 PM on July 1, 2010 [9 favorites]


One of the things that amuses me about this "OMG Starbucks free wifi" and the security implications is that McDonald's wifi went free about six months ago in about twice as many locations (6800 for Starbucks vs 11,500 for McD), as mentioned in this randomly picked news story about the Starbucks wifi going free. Obviously the wifi chattering classes a la Lifehacker are a bit too upscale for the golden arches.
posted by immlass at 5:49 PM on July 1, 2010 [4 favorites]


Besides this being a solid post, one can't remind people enough about computer security. And I'm habitually slacking off about mine, despite constantly talking this talk with my even less security-scrupulous friends.

This again - I've been working in a field dealing directly with online design and coding for going on 14-ish years, and still get lazy every now and then.

Plus, I consider the local Starbucks my office's annex, not because I admire them as a company, nor because there aren't several establishments with better coffee up and down the street (there are), but because it's the nexus of my friends' and neighbors' morning routines (Hi! How are ya?!) and it's the most pleasant space (seating and lighting wise) to decamp for a few hours while I get some work done and drink too much coffee.
posted by jalexei at 5:52 PM on July 1, 2010


Gibson is a Windows Security Guru. In fact he is the foremost Windows Security Guru. He may not be up on Unix but he knows his shit when it comes to Windows.
posted by Sukiari at 5:55 PM on July 1, 2010


He's big on fear-mongering to sell his products, and has little to no credibility in the IT security world.

Steve Gibson does sell a disk recovery program, but hasn't yet published anything to do with internet security, so I'm curious what makes you say this.
posted by crunchland at 5:56 PM on July 1, 2010


Yeah, this sounds like a security threat from 2003.

Sounds exactly like Steve Gibson's MO.
posted by Talez at 5:57 PM on July 1, 2010 [1 favorite]


Wow, hater brigade got to this thread early.

None of this is shocking new news, but I'm glad to have a good overview of it all in one place, because I rarely do a good enough job about online security. Thanks for this post.
posted by paisley henosis at 5:59 PM on July 1, 2010


Snarkers: your massive superiority is noted. Please go somewhere else.

This, yeah. It doesn't have to be "news" to be a mefi post. It has to be a good post with interesting links. Which this is.

Most of the people who use computers and smartphones know very, very little about how to take additional steps to make sure their connection to the internet is secure. It's awesome that snarkers are above all of this, but most people - even lots of people who read metafilter - could use a good walkthrough like this. Even people who Do Know Better get complacent.
posted by rtha at 6:01 PM on July 1, 2010


Besides this being a solid post, one can't remind people enough about computer security.

well said.
posted by archivist at 6:10 PM on July 1, 2010


Hacking the Gibson - This could happen to you!
posted by Bonzai at 6:10 PM on July 1, 2010 [1 favorite]


Don't get me wrong, I love my local coffee shop, and I never go to Starbucks - but at the end of the day, shouldn't I be a lot more worried about the security of the router-connected-to-wall WiFi at the local shop than the serious-legal-liability-if-this-were-ever-hacked WiFi at Starbucks?

Also, as long as our cities are painfully slow about adopting free WiFi networks, I will always be grateful for more available wireless downtown, just like I'm grateful when developers use new urbanist principles regardless of their profit motives to do so.
posted by l33tpolicywonk at 6:34 PM on July 1, 2010


Gibson does promote himself as a security guy, see his Security Now podcast. His MAC address hysteria was particularly annoying. For a while, his website even had a tool where you could see that someone could see your MAC address, which might even work right, if you were on the same switch, maybe. And then there was the whole "IPv6 tools with Vista will cause the death of the Internet" bit.

I'm told SpinRite is good. However, his security track record indicates a lot of early, unwarranted panic.
posted by adipocere at 6:40 PM on July 1, 2010 [1 favorite]


For people who are into Starbucks, it seems that their "treat receipt" program is back. A receipt from a purchase before 2pm will be good for a $2 grande after 2pm.
posted by hippybear at 6:48 PM on July 1, 2010 [2 favorites]


Perhaps someone could have told them at Starbucks that it is easy to configure your wi-fi to encrypt the network, yet let it be open access, by openly advertising the network key at least. Then the sniffers would need lots of time to pick your packets.
posted by nervousfritz at 6:53 PM on July 1, 2010


Free Wifi! Take that Finland!
posted by mecran01 at 7:06 PM on July 1, 2010 [4 favorites]


l33tpolicywonk: The problem isn't in hacking the routers. Even when the router is perfectly secure, the traffic can be sniffed and subverted in various ways.

nervousfritz: Encrypted wifi is only secured against people who don't have the key. If the key is shared, anyone who has it can see anyone else's network traffic.
posted by whatnotever at 7:07 PM on July 1, 2010


Coffee shops. Plonk your ass in a chair and never leave.
posted by ovvl at 7:22 PM on July 1, 2010 [1 favorite]


Huh. I thought they were just switching from paid wifi to free wifi. There's no reason to think that a new security hole is being opened. Most coffee shops offer free wifi so this is just something they're doing to compete.

This post seems more than a little hysterical. It would be good if you could have per-MAC crypto on public networks to prevent sniffing, though.
posted by delmoi at 7:26 PM on July 1, 2010


I had no idea McDonald's had wifi. Now I stay online as long as I keep pounding down Egg McMuffins!
posted by msalt at 7:38 PM on July 1, 2010


There are two big things here.

1) Free Wifi from Starbucks will mean everyone will be using it all the time.

2) By default, both Macs and PCs will save the wireless connections the laptops have connected to in the past and then try to rejoin them when they are in an area that has them available. In OS X there is a managed list of which APs to join first, I don't know how you can manage the priority under Windows, but it is entirely possible for your machine to auto join, without you knowing, a Starbucks wireless network by accident instead of the one in your house or your office, if you were close enough to one. If you were just using it to get online, you may not even notice it (besides the agree to terms page).

It used to be if you wanted to set up a rogue wireless network that people's laptops would autojoin to get internet access, you could use linksys or netgear, but those networks are usually already swamped, and are starting to be harder to find as people wise up. Now you can set up a wireless network that matches Starbucks, and people would join it automatically again, since that's what their laptops have learned to do when at the coffee shop. Or even folks who have that off would just assume that there was a Starbucks nearby and hop on that network.

You can then redirect DNS to your heart's content, if possible acquire a 'testing' SSL certificate for a few banks (possible from some signed authorities, by default Windows has something like 200+ authorities in it now), pipe all your traffic through an SSL logging proxy you set up. And this is just a harvesting attack. I know of some offices that have just issued their users 3G/4G cards and enforced them to use those for internet access, since that can also enable serious point to point encryption that may not always work through coffee shop and other free wireless services.

Nothing is really new, except more people will be using the Starbucks free wireless network, which isn't encrypted, and is now a bigger target. They could even get around some of the fake access point stuff by including the street name in the wireless network name, so the networks are different, at least then there wouldn't be this ubiquitous wireless network name you could anticipate on laptops trying to join all the time.
posted by mrzarquon at 7:44 PM on July 1, 2010 [3 favorites]


Encrypted wifi is only secured against people who don't have the key. If the key is shared, anyone who has it can see anyone else's network traffic.
posted by whatnotever


Right you are, sorry. I thought the encryption allowed "switching" independently of the question of access.
posted by nervousfritz at 7:54 PM on July 1, 2010


If you believe that your choice of coffee franchise is the most interesting aspect of your personality, you're probably right.
posted by signal at 8:03 PM on July 1, 2010 [2 favorites]


It'll also allow limited-use smartphone and iPad customers to log on without using their data, and will let iPhone 4 people do FaceTime while having their coffee.
posted by hippybear at 8:14 PM on July 1, 2010


I thought Starbucks has been offering this forever. All the ones around here have for a few years.
posted by Miko

No they haven't. They've offered wifi access IF you pay for it or IF you used your Starbucks card once a month.


Dennis Murphy, your statement may be true near you, but at EVERY Starbucks I've been at with my laptop, Miko's statement is true. Free Wifi, no purchase/id/card required.

NBD.

Oh, and BTW: if you click on popups, sometimes it leads to virus-laden attack sites. The more you know...
posted by IAmBroom at 8:18 PM on July 1, 2010


One thing MitM attacks are good for is annoying that perv who has been in the corner for hours watching porn. A little ARP poisoning, a little IP forwarding, a little DNS spoofing, and voila! All he gets is kittenwar.com!

But what if he just wanks harder?
posted by me & my monkey at 8:35 PM on July 1, 2010 [1 favorite]


Always chaff important passwords regardless. Assume there is a keystroke logger in your computer already.
posted by Brian B. at 8:37 PM on July 1, 2010 [5 favorites]


Yes, please use secure sockets and VPNs whenever and wherever you can.

That being said, if you have some idea what you're doing, try to keep your own node open. It's just a neighborly thing to do, and I'm kind of sick of all this "OMG HAX" hurf durf scaring people away from being nice to each other.
posted by phooky at 8:48 PM on July 1, 2010


As a guy who runs an open network at home, I really don't care about any of this. Life's too short.
posted by marvin at 9:16 PM on July 1, 2010 [1 favorite]


Wait, they weren't doing this before? Starbucks Australia/Malaysia/Singapore has had free wifi for years.
posted by Xany at 10:05 PM on July 1, 2010


You are in only a tiny bit more danger today than you were yesterday. People have always been able to sniff your network traffic on the same wireless network. Anyone in the Starbucks who is connected to the network can see any traffic you send, because while it's encrypted, they have the key. You have been transmitting your data on the radio for years to anyone else who paid for access that day.

VPN services are not a panacea, either. While the modern protocols are very secure, they only encrypt data from your wireless client (probably a laptop) to the other endpoint of your connection. This typically means that the radio broadcast can't be reasonably intercepted, but as soon as your packets hit the VPN server and are forwarded on, they're unencrypted again, and there are many entities that can see them, including the government with its huge snoop facilities in (at least) AT&T's networks.

You need end-to-end encryption (typically HTTPS) for the data not to be interceptable, and even at that, there are persistent rumors that the government has compromised access to one or more root keys. If true, this means they can generate false verification signatures for their own encryption keys, saying that they're, for instance, Amazon.com. Your browser will trust them, because it trusts the root keys, even though it's not really Amazon.

One way to avoid this kind of attack, called man-in-the-middle, is to get the key fingerprint ahead of time via a separate channel, like a phone call. But that's also a weak point. A verbal reading of the key fingerprint would verify that the matching certificate was issued by the person on the phone, but how can you be absolutely sure who you're talking to?

Short answer: without physically visiting their facility and getting their key, you can't; you remain susceptible to man-in-the-middle attacks. However, spoofing a voice call would require so much personal attention that you would likely fall prey to easier attacks before anything like that became necessary.

Good security is really difficult. It is extremely easy to get wrong, and you have to make only one tiny mistake to blow encryption wide open. You have to balance the cost of a compromise against the cost of trying to mitigate it. In general, if you can make an attacker spend more resources to get data than the data is actually worth, you win. This is why there are huge teams in governments that don't do anything else, because the potential cost of a compromise at a national level has historically included the possibility of wholesale destruction of countries.

You have to think about it in these terms: how much damage would it do to you to have your communications exposed, and how much mitigation are you willing to pay for? You can never get the cost of compromise to zero, but you can certainly improve your odds, if you're willing to spend enough time and attention.

How much time and attention is worthwhile? Only you can decide that. I'd suggest that someone in, say, Falun Gong would be very foolish to be anything other than maximally paranoid at all times. But a suburban American housewife would likely lose only aggregate data as the government watched to see what the general tone of online conversations was.

This is probably not dangerous enough to warrant major attention, but trying to use SSL whenever possible certainly wouldn't hurt. It would, at least, make routine interception of your traffic difficult. It would require targeted surveillance, and that's expensive.

In short: SSL, without significant extra attention to avoid MITM attacks, probably won't stop government-class entities from listening in, but it'll certainly stop routine fishing by the creepy guy three tables down at the Starbucks.
posted by Malor at 10:07 PM on July 1, 2010 [2 favorites]
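The out-of-band fingerprint check described in the comment above, as an added example that is not part of the original thread: the fingerprint read out over the phone is normalised and compared against the SHA-256 of the certificate the server presents, on top of the browser-style CA validation. The sample "certificates" are constructed byte strings standing in for DER data, and `fetch_server_cert` is a hypothetical helper name.

```python
import hashlib
import hmac
import re
import socket
import ssl


def normalise_fingerprint(text):
    """Turn 'AB:CD ef-01 ...' as read aloud or pasted into 64 lowercase hex digits."""
    cleaned = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint (need 64 hex digits)")
    return cleaned


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the value browsers show as the fingerprint."""
    return hashlib.sha256(der_bytes).hexdigest()


def format_for_reading(fingerprint):
    """Group the digits in fours so they can be read out and checked aloud."""
    fp = normalise_fingerprint(fingerprint).upper()
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


def matches_pin(der_bytes, trusted_fingerprint):
    """True only if the presented certificate is exactly the one vouched for."""
    expected = normalise_fingerprint(trusted_fingerprint)
    # compare_digest avoids leaking how many leading digits matched.
    return hmac.compare_digest(cert_fingerprint(der_bytes), expected)


def fetch_server_cert(host, port=443, timeout=5.0):
    """Return the server's leaf certificate (DER) after normal CA validation.

    A certificate signed by a compromised or coerced root passes this step,
    which is why the result still has to go through matches_pin().
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates; any bytes hash the same way.
GENUINE_CERT = b"constructed stand-in: certificate held by the real site"
SUBSTITUTE_CERT = b"constructed stand-in: certificate minted by an interceptor"

if __name__ == "__main__":
    spoken = format_for_reading(cert_fingerprint(GENUINE_CERT))
    print("Fingerprint read over the phone:", spoken)
    print("Genuine certificate accepted:   ", matches_pin(GENUINE_CERT, spoken))
    print("Substitute certificate accepted:", matches_pin(SUBSTITUTE_CERT, spoken))
```

Against a live site the call would be `matches_pin(fetch_server_cert(host), spoken)`; a mismatch on a connection that otherwise validated is the signal that a different, still-trusted certificate was presented.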


I have Hotspot Shield and I run it occasionally when I am on an alien wifi location (free windows vpn). I am now guessing that someone here will tell me why it is a bad idea. Yeah, the ad sponsored stuff can be annoying, but it is free.
posted by cgk at 10:15 PM on July 1, 2010


The problem with running an open access point is, particularly if you live in an urban environment where someone could use your AP more or less continuously without your knowledge or awareness, it's not hard to imagine inviting a lot of unwelcome attention from law enforcement, since anything anyone does on that open AP is going to point back at you.

You might never know that your neighbor was hoovering down CP (or more likely, doing some sort of solicitation) until the goon squad shows up at your door with a search warrant and confiscates everything in your house with more intelligence than a toaster. GodLawyers help you at that point if you aren't a paragon of clean digital living.

Sure, you might not get convicted of anything, but it's not like it takes a conviction to ruin your life; a good-sized fortune's worth of legal bills and the merest whiff of pedophilia will do that just fine. (And you'll be lucky if you ever see the confiscated gear ever again; a friend who had a computer search warrant served on them by the local gestapo -- charges dropped, thankfully -- got back among other things an evidence baggie full of loose hard drive platters.)

Ten or so years ago when people first started to get broadband and wireless routers it was different. Law enforcement was so far behind the technology curve that there really wasn't any chance that what you'd do, or someone else might do on your connection, would result in anything happening in the real world. That is distinctly not the case today. Agencies run honeypots and ISPs have been forced to provide high-volume, automated systems for providing subscriber information when given connection (IP address and timestamp) info. The writing is pretty clearly on the wall: this is the direction we're headed in.

As much as I hate it, I suspect we're only a few years away from unencrypted connections being made illegal (I suspect the analogy will be to "attractive nuisances"). But even today, unless you are doing it to Make A Statement, the path of least resistance and least legal exposure is just to use WPA with some sort of password (I recommend writing it on the router) and only giving it out to people you know aren't going to invite trouble. It's sad, but unless you live in a very rural area (where someone would have to be on your property to borrow your connection), leaving your home wifi open to anyone just seems imprudent.

All this said, for a business who wants to attract customers, having open wifi is a very good thing and is really the only connection method that's guaranteed to work with everyone's hardware. So by all means go for it there. But you'll have a much easier time convincing the guys in cheap suits that you really weren't downloading all that CP if you're running a legitimate business advertising public wifi than if you're just Joe Probablepedo in his apartment.
posted by Kadin2048 at 10:21 PM on July 1, 2010


> In short: SSL, without significant extra attention to avoid MITM attacks, probably won't stop government-class entities from listening in, but it'll certainly stop routine fishing by the creepy guy three tables down at the Starbucks.

To be clear, there are commercially available SSL logging proxies, they generate and sign SSL certs on the fly as users request them, decrypting the inbound traffic from https://www.yourbank.com, logging it, and then wrapping it back into its own SSL cert signed by the device's internal root CA. A lot of large organizations do this already to monitor their traffic, since they just have to install the trusted root CA on their users' workstations, and unless they actually inspect the SSL cert, they wouldn't get an error. Honestly, getting a user to install your root certificate on their machine may have higher payoff over time for a malware system more than any other thing, since then you can start selling blackmarket SSLs to any interested phisher, and depending on what your malware's payload is, the certificate might take a long time to be discovered / removed in the 'cleanup' processes that would be deployed against it.

I remember reading about a defcon talk a few years back where folks were able to convince a CA to issue them something along the lines of a wildcard cert for a popular mail service (*.live.com or similar), on the ground that it was for internal testing purposes spoofed emails from inside the company.

Or of course, you could just use this utility which swaps any HTTPS links or packets with HTTP ones, not too far to have a router that intercepts an HTTPS request pass it to a proxy which does the HTTPS connection, and redirects you to an HTTP based request.

Currently my google foo is failing me, but I'll see if I can dig up a link to the real time SSL generating proxy.
posted by mrzarquon at 11:15 PM on July 1, 2010


Steve Gibson is a total hack. If he's saying something, it's probably bullshit.
posted by ioerror at 11:52 PM on July 1, 2010


This is an interesting thread if only because it reminds those of us who work in technology how much of an information disparity still exists between network/IT geeks and otherwise hugely intelligent people who happen to not specialize in this sort of thing. We technology types live and work in something of an echo chamber and sometimes we forget that this stuff isn't common knowledge.

Having said that - really and truly, please don't hold up Steve Gibson as any kind of security authority. He's the network security version of Fox News and hasn't been relevant for many years. Maybe we need a new post on *good* sources of information about network security for the layman?
posted by Two unicycles and some duct tape at 12:18 AM on July 2, 2010 [1 favorite]


> Currently my google foo is failing me, but I'll see if I can dig up a link to the real time SSL generating proxy.

This is a fairly common feature for enterprise proxy appliances, I think. I know I've seen that bullet point on a datasheet from at least a few different places. Bluecoat proxy appliances come to mind, but I'm pretty sure there are many others.

I've always wondered about WiFi in big chain stores like Starbucks. Does IT just deploy a simple router to every franchise and sign them up for DSL link, or do they do something fancy? It makes sense in my brain to concentrate connections into datacenters to save on management and keep shit locked down (if they filter things at all), but the costs must be high for how many clients they are dealing with. I guess this kind of thing might get outsourced too. There must be thousands and thousands of access points to manage, how do they deal with the complexity I wonder?
posted by tracert at 12:29 AM on July 2, 2010


Just in case anyone wants to get one over the guys using EtherPEG to sniff for image files sent over an unencrypted wifi LAN: there is a wonderful site for this (NSFW, in a way).
posted by PontifexPrimus at 12:37 AM on July 2, 2010 [2 favorites]


*opens up browser preferences, clicks all the tabs, looks for the "no goatse" checkbox*
posted by yoHighness at 12:54 AM on July 2, 2010


me & my monkey: "Gmail has used HTTPS by default since January."

Unfortunately, this doesn't get you as much as you would like. What happens when you type in gmail.com in your browser, or use your http://gmail.com bookmark? Google replies with a 301 error (moved permanently) and the new https address. All the MitM has to do is not forward that on and hope nobody notices. Yes, packet injection is more work than eavesdropping, but sslsniff is already in Debian, and I think it's not too hard to just generate canned responses for a few popular websites asking for credentials unencrypted.
posted by pwnguin at 1:04 AM on July 2, 2010 [3 favorites]
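
The redirect dependency described in the comment above, as an added example that is not part of the thread: a client-side check that classifies the reply to a request sent over plain http://, separating a genuine upgrade to HTTPS from a reply that keeps the session, or a login form, in the clear. The host names, sample replies and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
PASSWORD_FIELD = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?password", re.I)

# Constructed sample replies (not captured traffic).
SAMPLE_UPGRADE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://mail.example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_NO_REDIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<form action='/login' method='post'>"
    "<input type='text' name='user'><input type='password' name='pw'></form>"
)
SAMPLE_HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://mail.example.com/login\r\n\r\n"
)
SAMPLE_OTHER_HOST = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://login.example.net/\r\n\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess_plain_http_reply(requested_url, raw):
    """Classify what came back for a request made over plain http://."""
    host = urlsplit(requested_url).hostname
    status, headers, body = parse_response(raw)
    if status in REDIRECT_CODES:
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https":
            return "redirect-not-https"      # still in the clear after the hop
        if (target.hostname or "") == host:
            return "upgraded-to-https"       # the redirect the site intends
        return "redirect-to-other-host"      # HTTPS, but verify the new name
    if PASSWORD_FIELD.search(body):
        return "cleartext-login-form"        # credentials would travel unencrypted
    return "cleartext-content"


if __name__ == "__main__":
    url = "http://mail.example.com/"
    for name, raw in [("upgrade", SAMPLE_UPGRADE), ("no redirect", SAMPLE_NO_REDIRECT),
                      ("http redirect", SAMPLE_HTTP_REDIRECT), ("other host", SAMPLE_OTHER_HOST)]:
        print(name, "->", assess_plain_http_reply(url, raw))
```

Even the "upgraded-to-https" case means the first request left the machine unencrypted, which is why typing or bookmarking the https:// address directly removes the dependency on that redirect arriving.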


Can anyone recommend a VPN service that is reliable and reasonably priced?
posted by wuwei at 2:04 AM on July 2, 2010


"Steve Gibson is a total hack. If he's saying something, it's probably bullshit."

Name a more competent Windows security expert. I have all week.
posted by Sukiari at 2:13 AM on July 2, 2010


One way to avoid this kind of attack, called man-in-the-middle, is to get the key fingerprint ahead of time via a separate channel, like a phone call. But that's also a weak point. A verbal reading of the key fingerprint would verify that the matching certificate was issued by the person on the phone, but how can you be absolutely sure who you're talking to?
If you go to that length, presumably you know the person and recognize their voice.
posted by delmoi at 2:41 AM on July 2, 2010


Steve Gibson, computer security guru

has made a living making overblown predictions of certain doom (much like this one), and is better described as "punchline to a computer security joke". If he says to "be afraid" it's a pretty good indication that you shouldn't be.
posted by DecemberBoy at 2:55 AM on July 2, 2010 [1 favorite]


I can't really understand someone criticizing a security expert for being too cautious. I've listened to Gibson's podcast for a year or so, and he's definitely a "belt-and-suspenders" kind of a guy. When it comes to security, computer or physical, you dwell in the world of the worst-case-scenario, and sure, he certainly has his "chicken little" moments. But his podcast is free, and I think it's accessible, and I've found it informative and entertaining, but maybe that's a generational thing. His knowledge of computer security seems pretty deep, though there are definite gaps when it comes to Mac and Linux. I think we can all agree that more personal computer security and awareness can't be a bad thing, can't we?

> Maybe we need a new post on *good* sources of information about network security for the layman?

I look forward to it.
posted by crunchland at 3:02 AM on July 2, 2010


Um, Russinovich?
posted by Rhomboid at 3:44 AM on July 2, 2010


> Name a more competent Windows security expert. I have all week.

Do they have to be Windows-only? Because that would rule out a lot of the really competent infosec people I've heard.
posted by wenestvedt at 7:00 AM on July 2, 2010


> Name a more competent Windows security expert. I have all week.

Someone who knows Windows inside and out in a way that Gibson can only dream of? How about Mark Russinovich, for a start...

What is a 'Windows security expert', exactly? Many security issues, wi-fi packet sniffing included, have very little to do with a specific platform. And if I wanted to know the technical details about the latest Windows-specific buffer overflow or other exploit, Steve Gibson is pretty close to the last person I'd be looking to. He is consistently a day late and a dollar short.

The burden of proof is most definitely on you to provide some useful examples of how he is in any way, shape, or form an expert -- most people who have been around the block in networking / security dismissed him as a strange, self-aggrandizing crank a very long time ago. And that in a field full of strange, self-aggrandizing cranks.

He has interestingly enough deleted two of his most often-cited and famously stupid grc.com pages (his XP raw sockets == the end of the intarwebs crusade, and his breathlessly self-satisfied account of tracking down an amateur botnet operating over IRC). They are easy enough to dig up.

He sells snake oil, and provides a number of "security tools" which could charitably be described as useless toys, many of them simply being trivial applications which detect well-documented vulnerabilities long since patched (along with a lot of clueless and/or received commentary). I am struggling to find any original work or original thinking of his that might warrant designating him an 'expert'. Feel free to help me out here - I have all week too.

This is a good post. The more that people learn about how easily wi-fi traffic can be sniffed by other users, and what good and effective countermeasures exist, the better. But Gibson's pronouncements on the matter are just his usual Chicken Little shtick. If he is famous for anything, it's for punching far, far above his weight as an engineer.
posted by blackberet at 7:24 AM on July 2, 2010 [2 favorites]


crunchland: "Steve Gibson, computer security guru... "just be afraid. Be very afraid.""

Yes. Echoing all the other, earlier Gibson comments, this is the same Gibson that said the intertoobs would collapse in a "Christmas of Death" in 2001 because of something to do with XP's socket handling. And the same guy that reinvented SYNcookies ten years too late and claimed he could use them to, once again, Save the Internet. And the vendor of a utility designed to light up your hard disk busy LED while being simultaneously divorced from some basic physical principles of ferromagnetism and magnetoresistance, and ignoring some basic crisis recovery protocols for dealing with complex, failing technological systems.
posted by meehawl at 7:59 AM on July 2, 2010


Oh hey, after I hit "Post", I saw this link, which sums Gibson up better than I could ever.
posted by meehawl at 8:00 AM on July 2, 2010


Alternatively, you could try the security system I've been using for a few years; I transmit everything unsecured and in clear text, I just make sure that data is nothing but random, unconnected statements full of paranoid ranting and threats of physical violence against an anthropomorphized Mother Nature.

Sure, it's possible that somewhere out there, people are pulling my stuff out of the ether, but I smile when I think to myself about them trying to parse the statement:

"Green bitch tried to kill me with a poisoned chipmunk. But I have LASERS! I'll show them... I'll show them all!"

Good luck getting my bank info out of that, sucker!
posted by quin at 8:11 AM on July 2, 2010


Well, I think you're being too hard on the guy. I think he's trying to make a difference, and I wonder about the motives of his detractors. (That Radsoft site, especially, looks like one crank doing battle with another crank via the internet.)

I think it's unfair to call his disk recovery program "snake oil." I've seen it work, so I know it's not just pretend. It's as much snake oil as Spybot S&D, or McAfee AV. If you don't want to use it, don't.

Look, when I framed this post, I tossed that quote from him in at the last minute, not realizing what a lightning rod the guy is. I didn't realize it would set off this penis-measuring geek storm of who is better as a security guy. So just give it a rest. It's a sideshow.
posted by crunchland at 8:17 AM on July 2, 2010


Doesn't matter what you do... all your data is subject to Van Eck Phreaking anyway.
posted by Eideteker at 8:20 AM on July 2, 2010 [1 favorite]


Can you use SSH tunneling to a secure connection you trust then just tell firefox to use the SOCKET? That's what I do.
posted by yoyoceramic at 8:51 AM on July 2, 2010


> This is a fairly common feature for enterprise proxy appliances, I think. I know I've seen that bullet point on a datasheet from at least a few different places. Bluecoat proxy appliances come to mind, but I'm pretty sure there are many others.

Yeah, exactly. I haven't had a chance to deploy one of them, but the fact that it is now just a feature bullet point means it no longer needs complicated 'government level' organizations to acquire. It's a call back to when MAC address spoofing was considered so hard, and now almost every consumer router features it on their WAN port to make setting up your internet connection easier so you don't lose your IP when you install your router.
posted by mrzarquon at 9:34 AM on July 2, 2010


It's a case of 'in the country of the blind, the one-eyed man is king'. Apart from a few narrowly applicable skills in a small area of software development, he's a reasonably well-informed power user passing himself off as an expert, in part by spot-treating the vast areas of his ignorance with made-up crap, a shit-ton of self-promotion and opportunistic, misdirected alarmism. He's not actually malevolent, but he operates way out of his league, doesn't stop talking when he runs off the end of what he understands, and so isn't taken seriously by anyone who actually knows shit from shinola. Not everything he says is untrue, and if he'd confine himself to dispensing good common sense advice to his self-selected audience of people who know less than he does he'd be a net good. But he keeps getting out of his depth and then doubling down on the hysteria when he's called on it.

This latest is a good example, because the takeaway seems to be not that "if you don't take careful security measures when using open WiFi your data can be compromised", it's "Starbucks dropping the charge for WiFi is a big new threat." If the real message is in there it gets lost, in large part because of his sensationalist tactics. And he is to blame for this because his self-promoting motives are behind these tactics.
posted by George_Spiggott at 9:36 AM on July 2, 2010 [4 favorites]


> Can you use SSH tunneling to a secure connection you trust then just tell firefox to use the SOCKET? That's what I do.

That would work, and I've done that, too, but I don't want to speak outside of my narrowly applicable skillset and risk treading in the area of ignorance and made-up crap. That said, it's probably more esoteric and beyond the skills of the average internet user.
posted by crunchland at 10:55 AM on July 2, 2010


> I've always wondered about WiFi in big chain stores like Starbucks. Does IT just deploy a simple router to every franchise and sign them up for DSL link, or do they do something fancy?

Starbucks actually doesn't do anything except for collect checks from AT&T for providing their wifi (the checks may be smaller now that the 2 hour cap and need for an AT&T wifi account is gone). No one in the store or Starbucks corporate has anything to do with it. The hotspots are managed by AT&T (which it does via its acquisition of Wayport). Back in the day when I was paying attention to the business part of this relationship (when the deal was with T-Mobile USA) each store had a T-1 for connecting to the internet (for its own systems) and the router setup for providing wifi.

I'm sitting in a Starbucks right now and the only difference between logging in today and before this big change is I didn't have to enter the login credentials. I was assigned an IP address from Wayport (a block that Wayport/ATT seems to assign to Southern California). This is part of ATT's big fancy network of hotspots. The only difference is at Starbucks (and McDonalds) you don't need to have a stupid ATT account (people with ATT DSL or Uverse have been able to use the network for no charge for years).

Most Starbucks are company owned and operated so their IT deployments are more controlled. There are some licensees like grocery stores, some airport locations, corporate cafeterias, etc that serve the coffee but don't have the hotspots or accept the Starbucks card. Franchise outfits like "Its a Grind" or other coffee places tend to just have a router and is hooked up to a cable or DSL modem. But larger chains like CoffeeBean seem to outsource their wifi.

I've been using these evil unsecured hotspots in Starbucks since Wayport started tests of it in a few Austin Starbucks a decade ago. In that time, I've never been subject to any attacks. My email has been SSL for years and most webpages that matter have been secure forever. The only webpage I have open right now that doesn't have the little padlock in the upper right corner is this one. Metafilter uses https for logins but the various and sundry posts and commenting are in the clear. I can live with that risk.
posted by birdherder at 12:27 PM on July 2, 2010 [2 favorites]


So, forgive my ignorance, but what is the real world risk of someone sniffing for wifi traffic in an American coffeeshop that's not in a hotspot (say, Redmond or Silicon Valley)? Clearly they could; but it makes a big difference if the risk is 1 in 10 visits, 1 in 1,000, or 1 in a million.

Also; is shell access to a web server via putty always unsafe? Always safe? Thx.
posted by msalt at 6:37 PM on July 2, 2010


Putty is a secure terminal program if you use it in SSH (secure shell) protocol, which is encrypted and is the default connection setting. If you use it (or any other terminal program) in simple telnet mode (which is not encrypted), everything you send and receive goes in the clear, meaning that anybody who has access to a router, switch, hub or gateway located on the network between you and your host can intercept the packets and see everything that is typed, including login information.
posted by crunchland at 7:06 PM on July 2, 2010 [2 favorites]


Yikes! You mean, if I send stuff out on the Internet, unencrypted, other people might be able to intercept it? This shocking new security threat is just too much. I'm going back to using the telephone for all communications. That's still safe from hackers, right?
posted by sfenders at 9:05 PM on July 2, 2010


Just ran across this little piece that summarizes & collects the best advice from everybody's comments here: "Wireless Security" is an Oxymoron, But There is Hope. As for SSH, ssh2 is better than ssh1 & public/private keys are better than static passwords. Also, Steve Gibson is a putz. He may know a little more than the average user but he thinks he knows a lot more than he does, & that's what makes him dangerous. I don't know everything but one thing I do know is where the limits of what I know are. He doesn't.
posted by scalefree at 2:17 AM on July 3, 2010


> This shocking new security threat is just too much. I'm going back to using the telephone for all communications. That's still safe from hackers, right?

No.
posted by scalefree at 2:20 AM on July 3, 2010


I only communicate in person. With people I have known for more than five years and upon whom I have conducted background checks. We use handsigns of my own devising.

I didn't type this, for example! The internet is for rubes.
posted by everichon at 9:41 AM on July 3, 2010


EFF has a plug-in for Firefox that will automatically rewrite urls and redirect you to secure encrypted urls, on the fly for many websites. It's called HTTPS EVERYWHERE. It currently works on links for certain domains (Google Search, Wikipedia, Twitter, Facebook, most of Amazon, GMX, Wordpress.com blogs, The New York Times, The Washington Post, Paypal, EFF, Tor, Ixquick), but you can add domains using a ruleset tool.
posted by crunchland at 2:27 PM on July 5, 2010


And after thinking about it over the weekend, I want to provide a bit of a defense of Steve Gibson. He's been in the computer industry for decades. I think he wrote a fairly influential column in Infoworld magazine before some of his critics were still in diapers. I think it's fair to say that in all those years, he's entitled to make some mistakes. He may have been wrong about some of his prognostications. I think that's true of everyone who is human. I mean, back in 1999, there were many famous experts who were suggesting that companies spend millions of dollars to prepare for the great Y2K bug. Some of those experts even headed for the hills with cases of creamed corn to sit out the predicted end of the world. I don't know if those guys are still out in the hills, or if they managed to save face and live on in society. Apparently, if it was up to some of you, then they'd be doomed to oblivion. I hope you don't ever suffer the same fate of a person who over-reacted and made a mistake.
posted by crunchland at 2:41 PM on July 5, 2010

