Avast Suckers GOP Delegates Into Connecting To Insecure Wi-Fi Hotspots

Avast conned more than 1,200 people into connecting to fake wi-fi hotspots set up near the Republican convention and the Cleveland airport, using common network names like "Google Starbucks" and "Xfinitywifi" as well as "I vote Trump! free Internet". An anonymous reader quotes this report from The Register: With mobile devices often set to connect to known SSIDs automatically, users can overlook the networks to which they are connecting... Some 68.3 percent of users' identities were exposed when they connected, and 44.5 per cent of Wi-Fi users checked their emails or chatted via messenger apps... In its day-long experiment Avast saw more than 1.6Gbps transferred from more than 1,200 users.
Avast didn't store the data they collected, but they did report statistics on which sites were accessed most frequently. "5.1 percent played Pokemon Go, while 0.7 percent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup, and 0.24 percent visited pornography sites like Pornhub."

Will you do the same at the Democrat convention?

Results will be skewed, because the Dem convention delegates will know that somebody is (probably) waiting to entrap them. The Pubs won't have had the same emphasis placed on cyber security before their convention.

And if the results are bad for the Dems, will you all publish?

Re:BREAKING NEWS

[phantomfive]

That is not being a moron. There is no way to be sure that a particular SSID belongs to who it claims (unless you do some kind of certificate exchange).

I look forward to DNC results

[SuperKendall]

Surely they plan to do the same thing at the Democratic convention - does anyone doubt the results would be similar? People in general, no matter political affiliation, are prone to connect to insecure WiFi. How is that even news?

Kids these days

[Areyoukiddingme]

People use free WiFi without encryption. Not only is this unremarkable, it should not be in any way remarkable. The Internet Protocol and its children, UDP and TCP, were designed from the very beginning with one overriding goal: the intelligence is at the edges. Only the nodes matter. Everything else is just transit. Whether or not Layer 2 is encrypted is irrelevant. Only Layer 6/7 encryption can be trusted.[1] It is equally as safe to use any random wifi hotspot as it is to use your cable modem at home.

Knowing what we know about NSA spying, let me repeat that: it is equally as safe to use any random wifi hotspot as it is to use your cable modem. Historically, the various protocols that were designed to run over TCP/IP and UDP[2] largely assumed that transit would be benign. That's because IMAP and POP and HTTP were designed by engineers who were unaccustomed to designing a world that's proof against flaming assholes. Those days are over.

Now that the whole world uses the Internet, engineers have to design protocols and systems that are proof against flaming assholes. It's no longer optional. Avast saw identity leakage because not all software has come to grips with the new reality. Eventually, when all the software is updated, there will be nothing to report. The grand strength of the design of the Internet will once again make itself felt: upgrade the nodes to use encryption (math is your friend) and transit is just transit, as was and ever shall be. You and I already have the ability to upgrade the nodes under our control to be proof against flaming assholes. Eventually the nodes that Jane and John Q. Public buy will come configured that way out of the box.

We just want our packets routed. The SSID will be totally irrelevant. People who already treat it as if it is aren't wrong. They just need to use a slightly smarter node. Apparently 30% of users already have one.

---
[1] Or possibly you can squeeze it all the way down to Layer 4, if you use Authentication Header and Encapsulating Security Payload. (IPSEC)
[2] Why does no one ever write UDP/IP?