Slashdot Log In
Mumbai Police To Enforce Wi-Fi Security
Posted by
Soulskill
on Sat Jan 10, 2009 01:22 PM
from the taking-a-stand-against-e-loitering dept.
from the taking-a-stand-against-e-loitering dept.
caffeinemessiah writes "In the wake of the recent terrorist attacks in Mumbai, India, the local police are going to be sniffing out unsecured wi-fi access points and ordering the owners to secure them. The article notes that 'terror mails were sent through unsecured Wi-Fi connections' before bomb blasts in other Indian cities. No word on if they'll be walking around using Kismet, or if people who use pathetically weak WEP encryption will be ordered to switch to more advanced protocols. Unfortunately, a gesture like this does not take into account the insidious scenario of walking into a cafe, buying a coffee and then (legally) using the cafe's wi-fi. Or the fact that terrorists might actually be able to pay to use a cybercafe, and know what VPNs are."
On the other hand, the Mumbai police may still be keeping track of the mandatory keyloggers that went into the area's cybercafes in 2007.
Related Stories
[+]
Mandatory Keyloggers in Mumbai's Cyber Cafes 240 comments
YIAAL writes "Indian journalist Amit Varma reports that Mumbai's police are requiring the city's 500 Internet cafes to install keystroke loggers, which will capture every keystroke by users and turn that information over to the government — nearly in realtime by the sound of it. Buy things online, and the underpaid Indian police will have your credit card number. 'Will these end up getting sold in a black market somewhere? Not unlikely.'"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Not enough (Score:5, Interesting)
Unless this policy is applied throughout the country, the city of Mumbai getting rid of unsecured wifi access points will not solve much. A terrorist can take a 3 hour bus ride to Pune to get unsecured wifi access. Mumbai itself is too big, are they talking about only the city or the whole suburbia included? Thane? New Mumbai?
Sounds like a scare tactic to me. A publicity stunt to make people more aware of consequences of unsecured wifi.
Re:Not enough (Score:5, Insightful)
Calling it a "scare tactic" is a bit harsh. I'd say its more the police wanting something to point to when their bosses ask what they've done to "make Mumbai safe from this happening again".
Parent
Re: (Score:2)
Calling it a "scare tactic" is a bit harsh. I'd say its more the police wanting something to point to when their bosses ask what they've done to "make Mumbai safe from this happening again".
Big brother waltzes in, and you think he's just there for show?
I'm not saying this will have any terror-reducing qualities as ascribed to them by the official channel, but it's not just song and dance like the water bottle thing, it's another way of removing anonymity. Making sure that all ctivity can be monitored, all citizens controlled...
Re: (Score:3, Insightful)
It's very easy to make Mumbai safe from a repetition...
The problem is making it safe from the next DIFERENT thing.
And a small detail, the city must be kept working...
Re:Not enough (Score:5, Funny)
3 hour bus ride? That's a lot of time taken out of a terrorist plot. Do you have any idea how much evil can HAPPEN in three hours? Hot dang. That's a whole 8th of a season. Just ask Jack Bauer.
Parent
It is A publicity stunt (Score:4, Insightful)
Parent
Will this even help? (Score:5, Insightful)
I honestly don't know. If this were in effect before the attack, what difference would it have made? I can't help but think "not a heck of a lot". Terror has a way of routing itself around obstacles. While it's good to have a secure network, should it be mandated?
Is a network "unsecure" if you intentionally keep it open? Does this outlaw sharing access then?
Re: (Score:3, Insightful)
The joke of an article simply refers to "terror mails" sent before the bombings. Are they saying that the bombings were planned via email through these open APs?
If so, then I feel that the police's actions give insight as to their real drives: get a conviction, secure that pay-rise and promotion. If an AP is open it gives a pretty good defence to the owner, but if it is secure then that defence may not fly. The police get a successful conviction, even though it might be totally the wrong person.
If you don't
A very insidious scenario... (Score:4, Insightful)
the insidious scenario of walking into a cafe, buying a coffee and then (legally) using the cafe's wi-fi
This is the first (and I hope the last) time I have heard such a scenario described as "insidious".
Lame (Score:5, Insightful)
Unless i'm at university I always leave my network unsecured. My neighbors use it on occasion (i check logs). And I use theirs on occasion, with us being on separate ISPs we get at least 5 9s of uptime. It frustrates me that secured is become standard or in this case enforced. It was much better a few years ago when i could get wireless access in most places to check emails and such. Why do have to have such a community of locked doors? If someone has a laptop they likely have their own wireless internet which you could use, it is a perfectly fair deal. If my neighbours did a few gigs a day i'd stop it but it never went over a few megs.
Standard security should not allow access to lan. It should be allowed to set limits for outsiders and should have a message redirect when you first open FF/IE/Opera saying the rules and so forth. Thats it. Making sharing and redundancy illegal is ridiculous and as the summary suggests it doesn't help anything.
Re: (Score:2)
Well I don't want people on my network as yet another layer to prevent access to data shared on my network between the three computers I have on the network.
Or am I missing something here? and I mean that sincerely. If there is something I'm missing about protecting your data and the openness of my network please tell me.
Re: (Score:2)
I guess the most dangerous thing that can happen that, if somebody has unauthorized access to your network and that they can do something illegal like child porn and le
Re: (Score:2)
Making sharing and redundancy illegal is ridiculous and as the summary suggests it doesn't help anything.
It helps the government keep an eye on everyone.
"Who said that about the justice minister?"
"That guy, we'll go fuck his life up now..."
But, you know, think of the children, if you don't give the gvmnt all they want, terrorist will kill jesus (or Rama, depending on what gets people emotional where it's being said)!
Re: (Score:2)
He is referring to india's mandatory key logging program in net cafe. There is a growing concern in india that this will spread to modems or routers. As evidenced by government being comfortable to set rules with how you use your home internet (enforced wpa)....
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Cybercafe scenario is bogus (Score:5, Informative)
Wrong. You can't just walk into a cafe in Mumbai and use the wifi. You have to show a government ID (such as a passport), which is recorded, before you even get access credentials.
The point of this exercise is to shut down anonymous Internet access, which is illegal in India.
Similarly, you can't legally buy a SIM card for a mobile phone in India without providing identity credentials to the seller, who is responsible for recording the information for possible police followup.
Re: (Score:3, Interesting)
Yup, gotta keep those citizens down, or they might rise up and blow something up in protest...
On a more serious note, since they are so against anonymity do they also outlaw personal use of encryption technologies?
Re:Cybercafe scenario is bogus (Score:5, Insightful)
You can't just walk into a cafe in Mumbai and use the wifi. You have to show a government ID (such as a passport), which is recorded, before you even get access credentials.
Exact. And since terrorists would NEVER steal a passport, it means that this will keep the children safe, and not at all only serve to mess with regular citizens while being a mere inconvenience for true criminal intents.
*sigh*
Parent
Re:Cybercafe scenario is bogus (Score:4, Insightful)
You're right. Nobody should ever check IDs for anything because they can all be faked.
In fact, why even have laws? Terrorists can just go around shooting everybody anyway.
Parent
Re: (Score:2)
It's funny though, it's illegal enough if you don't do this, but easy enough to get away with. Even today.
Re:Cybercafe scenario is bogus (Score:5, Funny)
Okie... so...
1. Terrorists don't use satellite phones,
2. They don't use any kind of walkies-talkies,
3. And specially, they abide by ALL laws!
Parent
Re: (Score:3, Insightful)
The smart ones do. The less attention you draw to yourself the better.
A bit short sited article ... (Score:3, Interesting)
Yes there are still going to be other ways for baddies to use the inter-tubes without being tracked, but limiting those access points can help. Instead of having a nearly limitless, and randomly distributed, source of connections they will now be funneled into a small set of access point which are also KNOWN access points.
Does this mean I agree ... I don't know yet ... but as with all security measures (both cyber and safety related) there is no such thing as a 100% solution. But we all know defense should be in depth, and each layer should be effective in accomplishing what it is meant to do. In many cases we all read about here, the proposed solution is nothing more than security theater, but shutting down the plethora of open wifi access points IS an effective way to limit the ability of bad actors (terrorists, kid-touchers, black-hats, etc) to access the internet at will; not a solution, but a factor.
As for law abiding citizens, since most of us use our own account anyway or walk into a cyber-cafe, and I assume few bother trying to use an insecure wifi, it really doesn't impact that much (well except when I'm at my sister's place and she has inexplicably jacked her wifi router forcing me to use someone else's wifi :O ).
I'm still not thrilled with the idea of the gov riding around with netstumbler looking for open wifi and then knocking on my door, but the idea of wanting to limit open-wifi is, imo, a good one. The execution is another issue entirely.
Now if you REALLY want to have fun thinking about it ... consider an area with known terrorists / suspects, you make sure all open wifi points are closed ... then you open your own as a honeypot ... BAM you get to see all their traffic ... well anything that isn't encrypted beyond the wifi encryption. It is a very effective technique to shut down all method of comms except one in an effort to intercept all comms.
Re: (Score:2)
Re: (Score:2)
Sure it does ... now instead of having the option either 1 free open anonymous wifi or a coffee house you only have the coffee house. A place that is KNOWN, and not exactly anonymous. Clearly this is not a 100% solution, but nothing is. The point here is to make it harder for baddies to get access without being noticed, tracked, or snooped. If you were law enforcement would you want to worry about a million access point, that you don't even know where they all are? or a few thousand/tens of thousands a
What it would do (Score:2)
No, but it would help to narrow down the places from where potential terrorists could anonymously communicate to a number of places that might be manageable -- which is closer to what they want. If most access points were secured, it'd be that much harder to find an unsecured access point in a place unlikely to be covered by police or cameras.
Re: (Score:2)
the police are trying to make things harder for terrorists so they can't just do whatever they want to do with total simplicity.
You seem to have a strange view of the problem. This kind of system is doomed to failure. Does anyone _really_ think this will do squat to stop "The Terrorists"? "The Terrorists" will simply pick another means of anonymous communication. There's hundreds of ways to do that, and you can't stop all of them.
Only fixing symptom not real problem (Score:3, Interesting)
This is Useless (Score:4, Interesting)
I think this is a big waste of time for the Mumbai police. If the terrorists can't send an e-mail with their threats, they will just send it by postal mail (just as they were doing before e-mail). Stopping them from sending anonymous e-mail won't stop the acts of terror. The Mumbai police should focus on investigating the actual attacks and preventing further attacks, rather than shooting the messenger.
Some people think that this can prevent them from coordinating their attacks, but I don't think so. Their attacks can be coordinated using various other techniques that may even be illegal - won't mention them, use your imagination.
Fundamentally, creating new rules will not stop terrorists - remember that there are already laws that prevent people from acquiring AK-47s & explosives. New rules will only inconvenience law abiding citizens - not terrorists.
Also, on another note - I don't like Times of India because they selectively prevent some comments from being displayed. I specifically mentioned this point in their comments and they have not published it, even after 2 days.
So who is going to secure the mobile network? (Score:2)
Re: (Score:3, Informative)
The point is to limit anonymous Internet access. Mobile phone communications are all tied to a particular mobile phone, which cannot be acquired anonymously in India (for appropriate definitions of "cannot").
Re: (Score:2)
Good Luck with that! (Score:5, Insightful)
Newsflash: Mumbai has 17 MILLION people. Granted at most 500,000 have computers.
But still the level of computer literacy in Mumbai in police force is complete joke. Hey, their government offices don't even have computers.
I think the most ridiculous thing is that there's countless MILLIONS starving on the streets and now they are going to equip police with laptops to chase after unprotected WiFi signals?
Didn't they get the memo a few months ago that even WPA2 was cracked with Nvidia CPU/GPUs?
What are they going to do, enforce people to implement breakable security? Where's the sense in that.
Indian stock market is down over 60%, I think the police should be focusing their efforts on preventing civil unrest. And government spending their money far more wisely. People are starving everywhere you look in Mumbai, not to say the same thing in just about every other Indian city.
But that's just my 2 cents.
Security Theatre (Score:2)
I suppose that's easier and cheaper than replacing the Mumbai police's ancient Enfield rifles and providing adequate weapons training to the police force.
It will never work... (Score:2)
The messages can just come and go... and even if they are saved and stored... they will mean nothing... ..unless you are on the knowing of how the message is.
Seams to me that people just don't know anything about cryptography...
Alas...
*security* - pathetic excuse (Score:3, Insightful)
The blatant power grab / security theatre is so funny it's untrue!
The transcripts of the sodding terrorist cellphone calls are available online and on the news and *what* different did that make?
So, how often is this supposed sweep going to take place? If you'd been to Mumbai you'd be laughing till your sides ache. Any sort of WiFi is very low on the list of things most of the people about, this is a place where people live next to open sewers and shit into newspaper and leave it on the pavement - and not just in some ghettoised area. You have to watch where you tread for most of your day.
Where I'm living atm. (Goa) we're supposed to be on high terror alert. So it now costs Rs. 100 ($1) to cross the checkpoints unsearched instead of the normal Rs. 10. They claim pride in no terror attacks yet there are rapes every few days and unnaturally caused dead bodies found regularly. The driving test is driving 20 yards, going round a traffic island and coming back. Btw. if you do get raped here you will be told it is your own fault and the best thing you can do is to go back to where you came from (if you can find a police station that will listen to your story).
The biggest threat to your safety here as a local are the govt. officials. They are likely to be known murderers or their children can rape and murder with almost impunity a couple of times.
India likes to project an image of a wonderful progressive country but it will remain mostly a third world corruption riddled shit hole for my lifetime. Esp. as the GDP growth is about to end and they already spend minimal amounts on the welfare of the people (less than 2% of GDP on healthcare) 25% of whom are illiterate.
Re: (Score:2, Insightful)
It is as easy to capture the data from a Copy and paste as it is from key-input.
Heck, that text file used to copy and paste could just as easily be e-mailed and then you lose all your passwords at once.
Re: (Score:2)
Re: (Score:2)
Or use steganographic [wikipedia.org] messages.
Are you really suggesting creating or decoding them on a computer you don't trust? There is no security in that.
Re:Easy Solution to Keyloggers (Score:5, Interesting)
Create/encode on a trusty laptop, use USB key to transfer it to an internet cafe's rented computer to actually send it, have the other guy receive it at some other access point and then use a USB key to get it to his trusted computer where the message can be decoded. Simple without having to use suspicious VPNs and SSH and encryption and whatnot.
Parent
Re: (Score:2)
Use of keywords is another way.
Don't make it harder than it has to be. You may do a phone call and have a conversation and then you end it with something like "Send my regards to Bill" and it means something special only for those that holds the conversation.
Methods like that is old, but still works because it's a legitimate context.
Re: (Score:2)
They were just too cheap to pay, just use any phone with a prepaid card and throw it away when done.
Re: (Score:3, Informative)
Re: (Score:2, Interesting)
Or use steganographic [wikipedia.org] messages.
Are you really suggesting creating or decoding them on a computer you don't trust? There is no security in that.
Is this the end then? Has the government cryptofascism got so bad that even normal geeks are designing terrorist plots just as response to the outrage of hearing the latest news criminalising anyone who disagrees with the policies?
Re: (Score:2)
Encryted zip the file.
You can't be serious. The weak XOR on encrypted zips can be broken with script kiddie tools.
Re:Easy Solution to Keyloggers (Score:4, Informative)
Don't use keys. Copying and pasting messages, usernames, and passwords from a USB stick would work perfectly well for a terrorist at a cybercafe.
Thats just silly. The real answer is one time passwords.
However you really can't do much with a computer you mistrust, they know everything that happens in your session and they might be able to remote control it in the middle of your session.
Parent
Re: (Score:2)
and to be honest, its not like WPA is uncrackable, and if someone knows how to get through WEP they can probably figure how to get through WPA in the end. I think that for most people, secur
Re: (Score:2)
and to be honest, its not like WPA is uncrackable, and if someone knows how to get through WEP they can probably figure how to get through WPA in the end.
This is incorrect. WEP has a well-known attack that uses statistical properties of captured packets to limit the search space of the brute-force search. With enough captured packets, it takes under a few minutes to crack a WEP key. WPA does not have this vulnerability, although some variants of WPA are still less secure than other. In other words, all you have to do to crack WEP encryption is put most cheap $20 wireless cards into "monitor" mode, capture WEP encrypted packets and with enough packets, crack
Re: (Score:2)
You can secure both wired and wireless connections very well. It's just not convenient or cost-effective.