Back to blog

let’s talk feelings!

02/11/2015 - Posted in security , society , standards Posted by:

Tags: , , , , ,

…from a security perspective

japan_wifi

If you take a look at the picture you might notice that there are quite a few badly secured and even open AP’s. When you go around Tokyo and check for wifi there are usually an absurd amount of them around. Many of the open networks are there for tourists and require a sign-up or another form of authorization before being able to use them. As for the WEP AP’s you can see ‘aterm’, which is a mobile network hotspot for travellers and widely popular by Japanese folks, and ‘NTT-SPOT’ which is the public hot spot by one of the largest networking companies within Japan. It seems Japan does not care deeply about wifi security.

Before coming to Japan i tried to find information about the security of ‘LINE’, a popular messaging app similar to ‘Whatsapp’. Here ‘LINE’ is as ubiquitous as ‘Facebook’ or ‘Whatsapp’ in Europe. Unfortunately gathering and understanding the information was limited by language barriers but I asked some friends of mine to translate at least the crucial parts of their security whitepaper. Unfortunately I can not find the reference anymore but basically in this document LINE corp stated that it was using the encryption standards as advised by the government. Unfortunately in this advisory document the  government stated that for example 1024bit RSA was sufficient until 2018 at least.

So whats up with the Japanese? Are they security agnostic? Are they even caring? I think the answer to that is more cultural than technical. In a country with 126 million people and a population density of 337 people per km^2 you would expect people to go crazy and commit crimes all the time. Surprisingly the crime rate of Japan is very low. Even so low that you can see people leaving their purse to reserve a seat in restaurants or leaving their stuff around at the table while going to the toilet. I think that this might also hold true for computer security. Why use strong protection for your wifi if there is no malicious party? When I first came to Japan and I was riding the crowded metro I always kept my hands on my pocket to prevent thieves from getting my phone or my wallet. I carried this behaviour over from Austria where I am very vigilant – especially in tourist places. After about a week I felt like the most paranoid person there is because of being overprotective of my stuff. I did not feel like I would fit in. Gradually I adapted and stopped worrying about something that will not happen to me. Now I even forget to lock my screen sometimes when I leave my desk to get something to drink. In an office environment in Austria where most people would happily change your wallpaper to something stupid this is unthinkable. Here in Japan it is the other way round. Nobody would dare to touch your stuff while you are away.

This leads me to the conclusion that security is not a purely technical issue. It is a cultural as well and I think as security researchers we have start thinking about security in a manifold way. Security is not purely technical, it is not even technical and societal in the sense of non expert users have to able to use secure tools. I think there are two solutions to the problem of security in the world. Either make it as transparent as possible so non technical people can be save without having to care about RSA, AES and the like or we have to enforce our efforts on educating the public and create awareness so security becomes a crucial part of our culture. Until we live in a utopia where nobody has a malicious intent I think it is best to design security tools and protocols to be as transparent and usable as possible while also educating people about why it is important that they care.

One Comment

adrian 3 years ago

try to connect to any of the open wifis… in most cases it does not work. For example, AU, NTT and SoftBank use Wifi-hotspots to offload traffic from their mobile phone networks. These hotspots only work, if you have the appropriate tunneling software installed (pre-installed on branded phones) and an active subscription with them.

As you wrote, many other “open” WiFi networks are actually captive portal. You either have to pay, or you have to register in advance.. etc. A few (restaurant) chains allow certain instant messanger traffic to pass without registration.

Setting up a (really) secure Wifi (WPA2-enterprise with certificates) is actually not that simple. You have to import the certificate, edit the wifi settings, add the correct certificate, the correct authentication method, etc.
For the 32C3 there was actually a own app that did nothing else, then making the correct wifi-entry. It is easier to install an app that installs the wifi-settings, than making the wifi setting by hand. This is very bad. 🙁

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *