Mumbai Police To Enforce Wi-Fi Security

caffeinemessiah writes "In the wake of the recent terrorist attacks in Mumbai, India, the local police are going to be sniffing out unsecured wi-fi access points and ordering the owners to secure them. The article notes that 'terror mails were sent through unsecured Wi-Fi connections' before bomb blasts in other Indian cities. No word on if they'll be walking around using Kismet, or if people who use pathetically weak WEP encryption will be ordered to switch to more advanced protocols. Unfortunately, a gesture like this does not take into account the insidious scenario of walking into a cafe, buying a coffee and then (legally) using the cafe's wi-fi. Or the fact that terrorists might actually be able to pay to use a cybercafe, and know what VPNs are." On the other hand, the Mumbai police may still be keeping track of the mandatory keyloggers that went into the area's cybercafes in 2007.

Cybercafe scenario is bogus

[yelvington]

Unfortunately, a gesture like this does not take into account the insidious scenario of walking into a cafe, buying a coffee and then (legally) using the cafe's wi-fi.

Wrong. You can't just walk into a cafe in Mumbai and use the wifi. You have to show a government ID (such as a passport), which is recorded, before you even get access credentials.

The point of this exercise is to shut down anonymous Internet access, which is illegal in India.

Similarly, you can't legally buy a SIM card for a mobile phone in India without providing identity credentials to the seller, who is responsible for recording the information for possible police followup.

Re:Easy Solution to Keyloggers

[1s44c]

Don't use keys. Copying and pasting messages, usernames, and passwords from a USB stick would work perfectly well for a terrorist at a cybercafe.

Thats just silly. The real answer is one time passwords.

However you really can't do much with a computer you mistrust, they know everything that happens in your session and they might be able to remote control it in the middle of your session.

Re:So who is going to secure the mobile network?

[blueg3]

The point is to limit anonymous Internet access. Mobile phone communications are all tied to a particular mobile phone, which cannot be acquired anonymously in India (for appropriate definitions of "cannot").

Re:Lame

[interiot]

Two problems:

1. Wifi uses a shared-communications medium, so various attacks like DNS spoofing, TCP hijacking, etc. that people have stopped studying because they "went away" once everyone replaced their hubs with switches... Surprise! They're back. It's trivial to spoof DNS over wifi, which means it's trivial to do HTTPS man-in-the-middle attacks. This is the very reason that Firefox tightened up their self-signed SSL certificate behavior recently.
2. Most home gateways have a layer2 bridge between the wifi and LAN networks, which means it's possible to do an ARP spoofing attack on the wired segment, which means that it's possible for someone on the wireless side to sniff traffic on the wired side.

Both of these issues have solutions (DNSSEC + IPSEC for the first, turning off bridging for the second), but the first is onerous enough that 99% of users won't do it, so having a "must use WPA encryption" policy is actually a good idea for in most cases.

Re:Easy Solution to Keyloggers

[Tsagadai]

Sorry kiddo, they closed that loophole in India. Many countries have banned prepaid phones now.