Slashdot Mirror
Mumbai Police To Enforce Wi-Fi Security
caffeinemessiah writes "In the wake of the recent terrorist attacks in Mumbai, India, the local police are going to be sniffing out unsecured wi-fi access points and ordering the owners to secure them. The article notes that 'terror mails were sent through unsecured Wi-Fi connections' before bomb blasts in other Indian cities. No word on if they'll be walking around using Kismet, or if people who use pathetically weak WEP encryption will be ordered to switch to more advanced protocols. Unfortunately, a gesture like this does not take into account the insidious scenario of walking into a cafe, buying a coffee and then (legally) using the cafe's wi-fi. Or the fact that terrorists might actually be able to pay to use a cybercafe, and know what VPNs are."
On the other hand, the Mumbai police may still be keeping track of the mandatory keyloggers that went into the area's cybercafes in 2007.
Unless this policy is applied throughout the country, the city of Mumbai getting rid of unsecured wifi access points will not solve much. A terrorist can take a 3 hour bus ride to Pune to get unsecured wifi access. Mumbai itself is too big, are they talking about only the city or the whole suburbia included? Thane? New Mumbai?
Sounds like a scare tactic to me. A publicity stunt to make people more aware of consequences of unsecured wifi.
I honestly don't know. If this were in effect before the attack, what difference would it have made? I can't help but think "not a heck of a lot". Terror has a way of routing itself around obstacles. While it's good to have a secure network, should it be mandated?
Is a network "unsecure" if you intentionally keep it open? Does this outlaw sharing access then?
It is as easy to capture the data from a Copy and paste as it is from key-input.
Heck, that text file used to copy and paste could just as easily be e-mailed and then you lose all your passwords at once.
the insidious scenario of walking into a cafe, buying a coffee and then (legally) using the cafe's wi-fi
This is the first (and I hope the last) time I have heard such a scenario described as "insidious".
Unless i'm at university I always leave my network unsecured. My neighbors use it on occasion (i check logs). And I use theirs on occasion, with us being on separate ISPs we get at least 5 9s of uptime. It frustrates me that secured is become standard or in this case enforced. It was much better a few years ago when i could get wireless access in most places to check emails and such. Why do have to have such a community of locked doors? If someone has a laptop they likely have their own wireless internet which you could use, it is a perfectly fair deal. If my neighbours did a few gigs a day i'd stop it but it never went over a few megs.
Standard security should not allow access to lan. It should be allowed to set limits for outsiders and should have a message redirect when you first open FF/IE/Opera saying the rules and so forth. Thats it. Making sharing and redundancy illegal is ridiculous and as the summary suggests it doesn't help anything.
Wrong. You can't just walk into a cafe in Mumbai and use the wifi. You have to show a government ID (such as a passport), which is recorded, before you even get access credentials.
The point of this exercise is to shut down anonymous Internet access, which is illegal in India.
Similarly, you can't legally buy a SIM card for a mobile phone in India without providing identity credentials to the seller, who is responsible for recording the information for possible police followup.
Yes there are still going to be other ways for baddies to use the inter-tubes without being tracked, but limiting those access points can help. Instead of having a nearly limitless, and randomly distributed, source of connections they will now be funneled into a small set of access point which are also KNOWN access points.
Does this mean I agree ... I don't know yet ... but as with all security measures (both cyber and safety related) there is no such thing as a 100% solution. But we all know defense should be in depth, and each layer should be effective in accomplishing what it is meant to do. In many cases we all read about here, the proposed solution is nothing more than security theater, but shutting down the plethora of open wifi access points IS an effective way to limit the ability of bad actors (terrorists, kid-touchers, black-hats, etc) to access the internet at will; not a solution, but a factor.
As for law abiding citizens, since most of us use our own account anyway or walk into a cyber-cafe, and I assume few bother trying to use an insecure wifi, it really doesn't impact that much (well except when I'm at my sister's place and she has inexplicably jacked her wifi router forcing me to use someone else's wifi :O ).
I'm still not thrilled with the idea of the gov riding around with netstumbler looking for open wifi and then knocking on my door, but the idea of wanting to limit open-wifi is, imo, a good one. The execution is another issue entirely.
Now if you REALLY want to have fun thinking about it ... consider an area with known terrorists / suspects, you make sure all open wifi points are closed ... then you open your own as a honeypot ... BAM you get to see all their traffic ... well anything that isn't encrypted beyond the wifi encryption. It is a very effective technique to shut down all method of comms except one in an effort to intercept all comms.
If you can't be good, be good at it!
Don't use keys. Copying and pasting messages, usernames, and passwords from a USB stick would work perfectly well for a terrorist at a cybercafe.
Thats just silly. The real answer is one time passwords.
However you really can't do much with a computer you mistrust, they know everything that happens in your session and they might be able to remote control it in the middle of your session.
Surely the fact terrorists have anonymous access to physical roads and footpaths is a bigger issue? If that was restricted it would make their intentions measurably harder to pursue.
I think this is a big waste of time for the Mumbai police. If the terrorists can't send an e-mail with their threats, they will just send it by postal mail (just as they were doing before e-mail). Stopping them from sending anonymous e-mail won't stop the acts of terror. The Mumbai police should focus on investigating the actual attacks and preventing further attacks, rather than shooting the messenger.
Some people think that this can prevent them from coordinating their attacks, but I don't think so. Their attacks can be coordinated using various other techniques that may even be illegal - won't mention them, use your imagination.
Fundamentally, creating new rules will not stop terrorists - remember that there are already laws that prevent people from acquiring AK-47s & explosives. New rules will only inconvenience law abiding citizens - not terrorists.
Also, on another note - I don't like Times of India because they selectively prevent some comments from being displayed. I specifically mentioned this point in their comments and they have not published it, even after 2 days.
Newsflash: Mumbai has 17 MILLION people. Granted at most 500,000 have computers.
But still the level of computer literacy in Mumbai in police force is complete joke. Hey, their government offices don't even have computers.
I think the most ridiculous thing is that there's countless MILLIONS starving on the streets and now they are going to equip police with laptops to chase after unprotected WiFi signals?
Didn't they get the memo a few months ago that even WPA2 was cracked with Nvidia CPU/GPUs?
What are they going to do, enforce people to implement breakable security? Where's the sense in that.
Indian stock market is down over 60%, I think the police should be focusing their efforts on preventing civil unrest. And government spending their money far more wisely. People are starving everywhere you look in Mumbai, not to say the same thing in just about every other Indian city.
But that's just my 2 cents.
No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
A computer need not be bugged and/or connected to the internet to create or decode a steganographic message.
Create/encode on a trusty laptop, use USB key to transfer it to an internet cafe's rented computer to actually send it, have the other guy receive it at some other access point and then use a USB key to get it to his trusted computer where the message can be decoded. Simple without having to use suspicious VPNs and SSH and encryption and whatnot.
Or use steganographic messages.
Are you really suggesting creating or decoding them on a computer you don't trust? There is no security in that.
Is this the end then? Has the government cryptofascism got so bad that even normal geeks are designing terrorist plots just as response to the outrage of hearing the latest news criminalising anyone who disagrees with the policies?
The point is to limit anonymous Internet access. Mobile phone communications are all tied to a particular mobile phone, which cannot be acquired anonymously in India (for appropriate definitions of "cannot").
Your kidding right? The whole point and stated goal of mandating secure wifi is to stop anonymous communication. Did you not read the article? This isn't a case of the government claiming to do something different. This is a case of the government saying "we need to be able to keep eye on everyone." Did you read something else into the plan to require secured wifi?
They want ppl to feel like they are doing something to help the nation. It is no different than when W has been saying that American airports, ports and harbors are secure. They are not. It is more work, but it is still possible to smuggle weapons on-board aircraft (in fact, far too easy). The same is true of Mumbai. Assume that these guys want to attack again. So what? They simply rig an encrypted wifi close by and then use it for themselves. VERY easy to do. In fact, they can even set up some systems where they are 5KM away and use an antenna to beam to the top of the hotel. From there, plug in various antenna's just prior to the attack. It is that simple.
I prefer the "u" in honour as it seems to be missing these days.
Sorry kiddo, they closed that loophole in India. Many countries have banned prepaid phones now.
The blatant power grab / security theatre is so funny it's untrue!
The transcripts of the sodding terrorist cellphone calls are available online and on the news and *what* different did that make?
So, how often is this supposed sweep going to take place? If you'd been to Mumbai you'd be laughing till your sides ache. Any sort of WiFi is very low on the list of things most of the people about, this is a place where people live next to open sewers and shit into newspaper and leave it on the pavement - and not just in some ghettoised area. You have to watch where you tread for most of your day.
Where I'm living atm. (Goa) we're supposed to be on high terror alert. So it now costs Rs. 100 ($1) to cross the checkpoints unsearched instead of the normal Rs. 10. They claim pride in no terror attacks yet there are rapes every few days and unnaturally caused dead bodies found regularly. The driving test is driving 20 yards, going round a traffic island and coming back. Btw. if you do get raped here you will be told it is your own fault and the best thing you can do is to go back to where you came from (if you can find a police station that will listen to your story).
The biggest threat to your safety here as a local are the govt. officials. They are likely to be known murderers or their children can rape and murder with almost impunity a couple of times.
India likes to project an image of a wonderful progressive country but it will remain mostly a third world corruption riddled shit hole for my lifetime. Esp. as the GDP growth is about to end and they already spend minimal amounts on the welfare of the people (less than 2% of GDP on healthcare) 25% of whom are illiterate.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter