Free internet in trains is unsafe

Today, the headlines in the Dutch press, especially nu.nl, say that the internet in the trains is unsafe. It is possible to read mails people send and see what invoices get paid using online banks, and they blame the Dutch provider KPN.

There are so many things wrong with this piece that I’m annoyed by it. I hate journalists who just copy some press announcement, without verifying the facts at all or even making a simple call to some random specialist. Go home and don’t call yourself a journalist.

Every single bank in NL uses an https connection to communicate with the users, so it is simply not possible to eavesdrop on the communication and see the actual invoices getting paid. Eavesdropping on mail and MSN conversations is not the responsibility of the provider of the internet connection. Their responsibility is to provide Internet, not build the security layer of the applications.

So, nu.nl, get your act together, fire the trainee who copied the press release and try to be real journalists. I see it a lot on news sites. It has no added value to copy press releases. You can only be successful when you add value.

9 Comments

  1. Maybe they were not referring to the internet itself being unsafe, but the fact that you now have access, and are now sending emails, so some passer-by could glance over :P Maybe they were just unclear on what they meant ;)

  2. Never heard of Copy&Paste journalism before? It is what the “professional journalists” do these days, unlike those “uninformed bloggers”…

  3. The annoying part is that we’re technology experts, so we can recognize when the newspaper is full of bullshit on technology issues. But think about all the issues that we’re not experts in that the newspaper reports on. How would we know when they’re full of bullshit then? Scary!

  4. I also came across the article yesterday and was just as annoyed as you.

    If KPN had provided security, the article would complain that you have to get registered etc. before you can use the internet.

    And MSN messenger conversations are not secure. I must say that is a shock. MSN is never secure. If I would do some packet sniffing on my router, I could easily read all the messages my family is sending. But to blame the ISP for that is not really a solution.

    So like I said. I totally agree with you.

  5. I do not know the technical details of Dutch railroad internet, but the provider has WIFI hotspots everywhere, all based on registering at a portal and then unencrypted wireless, no WEP, no WPA, nothing. Just like T-Mobile in Germany, and just like the expensive providers in hotels. So what is so especially dangerous with internet in trains? Someone shouts something and journalists publish…

  6. I agree with your comment about journalists, taken in general, because, luckily, there are exceptions.

    But the situation depicted here isn’t so strange, if we take into account the average user behavior.

    Most users connect to their mail servers through an unencrypted connection, so it’s easy for a cracker in the same subnet, and using the right tools (ettercap, for instance), to sniff the network traffic and extract all sorts of user information. Even if users are using a “secured” wifi, encryption can be cracked after some time of statistical traffic analysis.

    In case of https connections, they are far more difficult to crack, but it is relatively easy (using ettercap again) to fake the bank’s certificate presented to the user. The user will receive a notification about “untrusted site”, but most users ignore it and from this point all encrypted traffic will be between the user and the attacker…

    So, with a little “collaboration” from users, the article’s statement is not so inaccurate. But you cannot blame any internet provider for this, only users (and attackers, of course).

  7. While I do agree that picking on a free wifi provider is plain stupid, I’d like to bring you the bad news that it actually IS possible to eavesdrop on those SSL connections (google sslstrip, sslsniff …)

  8. André Somers

    I think you are a bit too strict in your ideas on what is whose responsibility. You are right that banks use https of course, and that there is no problem there. However, I think most users of such a wireless service do expect some amount of privacy when they use it. That may strictly speaking not be the job of the connection provider, but who in practice cares about that? If the connections get eavesdropped, then people are unsafe. Unfortunately, you cannot expect that the users of the service are aware of its risks, at least not without educating them on the topic. I think it can be expected from the provider to make at least an effort in this direction, if they are not going to try to supply a safer connection for the unwary users.

    While I support your plea for better journalism, it is unfortunately not true that a service like nu.nl cannot be successful because they add no value. The fact of the matter is that they are successful. I wish they were not, but it seems that the large majority of people don’t care about a lack of depth. It is frightening to see how many errors, omissions and outright lies you can find in paper articles on topics you know a bit about yourself. It really makes you wonder what bullshit you are fed on the topics you don’t know about from other sources…

  9. I would only use free wi-fi networks that are secure if I wanted to log into online banks, brokerage accounts, and any site with confidential information. You never know if some unsavory individual is around with sophisticated sniffing equipment – particularly around popular free wi-fi spots. Just surf to sites where you don’t care if people see what you are doing.