Slashdot Mirror
"Free Wi-Fi" Scam In the Wild
DeadlyBattleRobot writes in with a story from Computerworld about a rather simple scam that has been observed in the wild in several US airports. Bad guys set up a computer-to-computer (ad hoc) network and name it "Free Wi-Fi." You join it and, if you have file sharing enabled, your computer becomes a zombie. The perp has set up Internet sharing so you actually get the connectivity you expected, and you are none the wiser. Of course no one reading this would fall for such an elementary con. The article gives detailed instructions on how to make sure your computer doesn't connect automatically to any offered network, and how to tell if an access point is really an ad hoc network (it's harder on Vista).
Connecting to the "Free Wi-Fi" and having your passwords and data sniffed is one thing, but how easy is it for the attacker to turn a Windows XP system into a zombie, merely by connecting to an attacker's wireless network?
Assumption #1. You run Windows XP, SP2, up to date with security patches
Assumption #2. You have Windows Firewall installed and configured for maximum security
Assumption #3. You are not sharing your folders on the network, or if you are, you're not allowing guest write access
(Now, I know how many Windows users do not follow #1,#2,#3 above..) but assuming they do, is a zero-day exploit required in order to zombify their PC?
Personally, I'd try to gather evidence and report it to the police if I felt they'd do anything worthwhile. The fact that this person's behaviour happens to be driving people towards my OSs of choice is purely incidental. You probably realise this, and I doubt that you were serious about thanking the guy, but I bet that your f****d up zealotry, morality and ideology are genuine; you really would place a microscopic (and questionable) "blow" against Microsoft over thieving scum like this escaping justice.
As noted, reporting to the police would be ineffectual.
I'm not looking for a "blow" against Microsoft as much as something that moves people to more secure systems, whatever those happen to be. And unfortunately it happens to be true that people only seem to care about things like that when bad things happen to them - as with backups.
So I feel empathetic, but not sympathetic, towards people affected by things like this - and while I don't condone the actions of those engaging in this behavior I do at least recognize that some good can come from even criminal activity such as this.
What I feel is really poor is your apologetic stance, basically playing whack-a-mole with security issues by trying to stomp down every security breach as it pops up without considering the broader picture and how to reduce the fundamental security problems instead of blaming only the people who take advantage of security flaws like this while doing nothing to advance a cure to the deeper problem. I think you need to reexamine what is zealotry and what is a healing approach for the industry as a whole.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What I find amusing is that you think most computer users have a "Choice" in which OS they run... my shop runs Windows XP, that means all 250 of my supported users run Windows XP, they don't get to choose.
Unfortunately I can also say without a doubt that wireless connectivity is so convoluted that the average user would fall for this. Explaining to Joe Salesman to view wireless networks and trying to explain to him the different types of authentication he may run into while traveling from Iowa to Texas (I found 4 in my one way trip) is just horrible.
Zanthor