Psst
you forgot to tick the "Post anonymously" box
Google has said that its world-roving Street View cars have been collecting information sent over open Wi-Fi networks, contradicting previous assurances by the company. This means that Google may have collected emails and other private information if they traveled over Wi-Fi networks while one of the cars was in range. …
"Who cares!
Since then I've been through 3 wifi routers and 4 computers.
Also I format my pc once every 3 to 6 months.
So any data spooks may be looking for has been gone replaced thrown away drive platters made worthless even to data recovery experts.
I am a spook's worst nightmare..... nothing around to incriminate me except to incite hate against Lars Vilks."
You are probably already screwed and too stupid to realize it. Probably botted to the hilt.
If there is a possibility this data was collected deliberately then there should be an investigation.
An INDEPENDENT investigation.
Not a promise of "We will review it internally and ask a third party to verify it for us." Who will they invite to do this for them? Agnilux? Bumptop?
It seems a bit strange to get caught doing something after 4 years and then claim, "Oh yeah, we didn't spot that," when you clearly own a multitude of systems whose sole purpose is to collect data and analyse usage patterns.
If you take a photo and put it on your computer it might take up 1% more space than you expected. That's probably fine.
But when you are an international corp whose business model is "collect data, store data, sift data, generate ads, give away data, sell ads" then you need a lot of storage space and for this you employ teams of people who estimate data usage patterns and build massive amounts of storage medium accordingly.
When they estimate that Google Voyeur-View will need 1000 TB of space and they build the storage arrays, then a Google Data-Usage-Pattern-Analyser-Specialist employee thinks, "Every time one of our Stalker-Cars comes back to offload its daily collection we get all this data off it but we seem to get 101% of the data we were expecting and when it all gets processed and released to Voyeur-View, not all of the data collected is actually used."
"And that means that when we spend £10,000,000 on hardware, £100,000 of this is for storage which is unaccounted for."
Of course they knew what was happening. Especially for Google, they wouldn't just buy hardware because it looked like they needed more hardware - they would first analyse the data that appears to be requiring more hardware and see if it could be streamlined.
I really don't think the problem is the guy who wrote the code in the first place, after all he was just doing his job. I think it lies more with the people who are employed to monitor data usage patterns in the chocofac.
Why did it take them 4 years to notice and even then only when they got caught? Because they already knew.
I think I should be allowed to walk round all their data-centres with a powerful magnet.
Every wireless-enabled computer I have ever used reports to me what networks are in range and whether they are secured or not. I'm assuming that the routers recorded by Google were broadcasting their SSIDs, and broadcasting by definition means you will be heard.
Again, if you use an open, unencrypted wifi system, then you are broadcasting information to anyone who is listening. It's like having a conversation with the windows open, and then complaining that people in the street can hear you. (My netbook originally had a distressing preference for logging into the open network two houses away.)
Not sure what Google was recording this information, and agree it is creepy, but it's nothing but collating information which is not only freely available, but actively pushed on to listening computers.
So Google has been collecting information on private WIFI networks? Here's a thought...
If I understand it correctly, the MAC address of a WIFI router is available to anyone within range.
The Google StreetView cars travel the length and breadth of major cities geolocating routers.
If someone posts something of interest to the internet then intelligence agencies will now know (with access to Google's data and the logs of ISPs, which admittedly is pure assumption) the physical location from which the information originated.
Very useful.
You need a new tin-foil hat - the one you're wearing now has sprung a leak!
If the intelligence agencies already have access to the ISPs' logs, they already know the physical location from which the information originated, even without Google's WiFi data!
The "Where's the IT angle?" logo is for all the people who don't seem to know anything about Wireless networking who are commenting on this story!
Will somebody please file a FOIA (which covers "Persons", not "Individuals" as defined by Title 5 USC - "The Privacy Act") on the NSA asking if they've got the 600 GB, and, if so, did they ask for it? (you need to sue an "Agency" of the Government or get at the Contract that Google signed saying that they would abide by OMB collection rules) and are there any Title 5 "Individuals" (US Citizens and Resident Aliens) mentioned in the "records" (You need to prove it's a "system of records").
The NSA will not be mad at you. They have plenty to do without dealing with amateurs like Google. If the NSA didn't ask for it they don't need to protect it and don't want to anyway as the data is tainted.
Now, if you can find a US Attorney to file 3 x 200 Billion counts of a Criminal Trespass Charge ... I believe 3 strikes will put every Director and Corporate Officer in jail for life. Of course that would be mean. So as an alternative, 3 RICO Convictions of Google, Inc. works for me. But that is still pretty mean, so turn them over to the tender mercies of 50 State Attorney Generals like the Tobacco Industry and we can all live happily ever after.
...I'm struggling to understand why this is such a big issue, especially in Germany. Yeah, I know, intercepted emails and all that. But, people, please remember that Germany (and France, I might add) want to make it YOUR liability if somebody hijacks your open WiFi connection to download copyrighted stuff (re. http://www.theregister.co.uk/2010/05/13/open_wifi_fines_germany/ ). Remember also that this attempt at wardriving wasn't actively cracking WEP/WPA networks (er, or at least they've not admitted to such a thing...), it was intercepting stuff from OPEN networks. Surely, surely, SURELY this should come as a suggestion to everybody to secure their damn network, no? And if a WiFi router with hotspot capabilities cannot differentiate between public (insecure) and private (encrypted) communications, I'd disable the hotspot or ask for a different ADSL box.
Is Google at fault here? Very much so. But, then, so are all the people with open networks. I've done some small-scale wardriving around here (eePC 901 and NetStumbler) and I've found numerous boxes are unencrypted (mainly those by a specific ISP). Some of the open links detect you are 'unknown' and ask you to log into the hotspot. On more than one occasion, trying to access 192.168.1.1 brought up the router's administration login. On more than one occasion the username "admin" and the password "admin" (or "secret", or "motdepasse") worked. On a friend's (previously wide open) box, I tried a dozen incorrect passwords. It didn't even attempt to reject my IP address for a certain length of time after getting it wrong more than 3 times.
So don't go on all "OMFG, Google is SO evil" without also being all "OMFG, some people are SO stupid" as well.
What Google has done is the equivalent of someone walking up with the Streetview car and trying all the door handles, entering where they found the door open and taking the letters on the doormat.
You should NOT have to defend your network from a foreign company. They have no business accessing a network that isn't theirs without permission, full stop. The why and how are immaterial. As far as I know they are toast in the UK as it amounts to a clear breach of the Computer Misuse Act. There are no excuses, and "oops" isn't going to cut it either.
Furthermore, the fact that they came out with such a pathetic excuse is to me more evidence that they were caught with their pants down - this was no accident. You need quite a mistake to "forget" both the mobile AND the back end storage component of such surveillance.
Simply put, if you still believe the "no evil" bit you need your head examined. I just want to know when Facebook and Google finally merge so I can avoid both in one go.
is still being discovered. It is still too soon for most people to truly believe it and that is what the expressions of outrage are about, attempting - knowingly or not - to reinforce the acceptance of evidence. That some people are stupid is genuinely old news, all that can be done there is damage limitation. People who don't believe that either never will or will when the time is right.
From t'article, but moved a bit for some sort of effect:
There's some question whether Google was violating US wiretap laws by collecting such data. Federal wiretap law criminalizes interception of communications only if it was intentional, and that requirement is generally read fairly strictly[...]
[from Google] "A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software — although the project leaders did not want, and had no intention of using, payload data."
So.. they wrote some code to effectively wiretap. Remember that they didn't just store some SSID data. Surely they would have known what code was running in their camera cars. It's not like Google will have rubbish code management processes, I'm sure. Their code seems quite well managed and tested from my use of it. How can that not be intent?? Especially when you realise that Google Maps subsequently uses this data to help you locate yourself via WiFi SSIDs... Cause AND effect.
Still I'm not going to hold my breath that anything will happen. There are some serious double standards going on here, and regulators are playground bullies - they'll whack a member of the public for this sort of behaviour, but when they come up against a big, hairy-arsed, muscular Rugby-playing boy named Google in the playground they'll have all the balls of Sheik Abdullah's favourite Eunuch.
How do you accidentally snoop wifi networks?
How do you accidentally harvest data from your accidental snooping?
How long do you wait after having such information before making it public?
These are all questions you wouldn't be asking if you weren't Google since you'd have already been arrested and shut down.
... I don't understand enough about this.
On the one hand you have your typical Reg Ranter like heyrick calling everybody stupid, but I'm willing to bet that there's a proportion of Reg readers who don't fully understand the security implications of setting up their wi-fi routers, let alone in the presumably less technical world beyond.
When I set up my wi-fi router I secured it with a password. I know this will prevent other wi-fi users from accessing and using the router without the password, but does this encrypt or protect the data in any other way?
It encrypts all the traffic - your "access" is effectively the ability to read the traffic. Anyone can see the transmissions, but only those with the password can make sense of it.
Having said that, seeing enough traffic means you can deduce the password, takes a couple of days on your average WiFi.
You're missing the point, though. Google has no business accessing your network, full stop. Encrypted or not, without permission they should not access your Wifi network. Leaving your front door open is still not an open invite to steal bits from your house, however much it is taken as such.
I think you'll find there's a world of difference between calling SOME people stupid, and calling everybody stupid. It is unfair to rant and rage at Google, while justified, without looking at the bigger issue. We, sadly, live in a blame culture where there's always got to be a soft target to point the finger at lest things go badly wrong. The person taking the blame is, well, anybody other than the person pointing the finger. To be sure, Google is doing itself NO favours here, but to give a real world comparison, how far would an insurance claim for burglary get if it transpires you never bothered to lock your doors? WiFi is no different. There are keys, and a lock. Use them.
.
To answer your question, there are three sorts of protection built into your WiFi router. The first is the admin password. This is good to have, and make sure you change it to something other than the default setting. The second is filter by MAC address, so only known computers can access. This is actually worse than useless as it provides a sense of security when there is none, MAC address spoofing isn't difficult. The final is the one you want to concentrate on, the sort of encryption used between the router and the computer.
You will have four options: None, WEP, WPA/TKIP, and WPA2/AES. WEP is pretty poor, but sadly a fairly common "default". WPA/TKIP is better, but suffers from a number of flaws which I believe to be hangovers from WEP. The best, which isn't perfect but is the best we have, is WPA2/AES. Choose that, but note that some older equipment may not work. If you have older WiFi kit, you might need to decide between upgrading or stepping back the encryption to one that is supported.
Then comes the password. I believe the strength of the encryption process is related to the length of the WiFi password key - so "1234" will be pretty easy to sniff and crack, even with WPA2/AES, while a password such as "E9F3921C93AE5972E99B595423" will be much more difficult to crack.
I wouldn't bother getting rid of the SSID, that's only a human-readable ID. There's another ID intended for machines that you can't switch off, thus you can't really "hide" your WiFi kit.
I don't know if this is common or not, but the Orange Livebox will create a "profile" for any equipment connected, so you can give it a name and/or a location in the house, plus pick a pretty icon to represent it. These names can also be used in the firewall rules or the access permissions (like the kid's computer has internet access disabled at 9pm or suchlike). If your router offers this, and you live in a built-up area, periodically (like once a week) check to see if anything new has appeared. If so, block it from internet access (don't delete it) and change the WiFi keys.
Hope this helps!
Sorry heyrick - "ranter" was harsh. However it did prompt you to send a very informative reply.
When I set up the router I did change the admin password and set up a WEP key, but I've pretty much left it alone since I set it up (sounds like I need to at least upgrade to WPA2). I do have some sympathy for the large number of basically non-technical users out there. They are not all stupid, but they don't necessarily have the time or inclination to understand web security in what is basically a non-technical consumer marketplace.
One poster described picking up data on an unencrypted network as similar to hearing a conversation through an open window. I disagree - it's more like squatting under the window with a recording device.
This is all very relevant to us as we are about to be "street-viewed" shortly (in fact I think it has been delayed because of the current issues). And this is a place where a lot of people do still leave their front doors unlocked.
When setting up a router (wireless or otherwise) it is also a good idea to set the following options if possible:
- disallow admin access from the interwebs (e.g. LAN access only)
- disable telnet access
- change the default password for the admin account on the router. Some devices also allow you to change the user name, if they allow this do so.
- Use WPA, not WEP, and change the key to something long and complicated. Write this down and stick it somewhere safe, e.g. to the bottom of the router - if someone has physical access to the router then an obscure password is likely to be a moot point anyway.
- if possible, set all devices that will be attached to the router to have a static IP address, and disable DHCP on the device, if possible limit the range and number of IP addresses the router handles to those you have assigned.
Not all routers will necessarily support all of the above configuration options but in my experience, most will.
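The settings recommended in the two router set-up posts above (encryption mode, key length, default admin passwords, LAN-only admin, telnet, DHCP range, watching for new devices) can be checked mechanically. The following is an added example, not part of any commenter's post; the settings-dictionary keys, the 60-bit key threshold and the sample data are assumptions made for illustration.

```python
import math
import string

# Modes ranked as in the post above: None < WEP < WPA/TKIP < WPA2/AES.
MODE_RANK = {"none": 0, "wep": 1, "wpa/tkip": 2, "wpa2/aes": 3}
# Default admin passwords named earlier in the thread.
DEFAULT_PASSWORDS = {"admin", "secret", "motdepasse"}
MIN_KEY_BITS = 60  # assumed threshold for this example, not a standard


def key_bits(key):
    """Rough upper bound on guessing effort: length * log2(alphabet in use)."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    alphabet = sum(len(p) for p in pools if any(c in p for c in key))
    return len(key) * math.log2(alphabet) if alphabet else 0.0


def norm_mac(mac):
    """Normalise a MAC address so differently formatted copies compare equal."""
    return mac.strip().lower().replace("-", ":")


def audit_router(cfg, known_macs):
    """Return a list of findings for a settings dict (hypothetical keys)."""
    findings = []
    mode = cfg.get("encryption", "none").lower()
    rank = MODE_RANK.get(mode, 0)  # unknown modes are treated as open
    if rank < MODE_RANK["wpa2/aes"]:
        findings.append(f"encryption '{mode}': switch to WPA2/AES")
    if rank > 0 and key_bits(cfg.get("wifi_key", "")) < MIN_KEY_BITS:
        findings.append("wifi key too short or simple: use a long random key")
    if cfg.get("admin_password", "").lower() in DEFAULT_PASSWORDS:
        findings.append("admin password is a known default: change it")
    if cfg.get("remote_admin"):
        findings.append("admin reachable from the internet: allow LAN only")
    if cfg.get("telnet"):
        findings.append("telnet enabled: disable it")
    if cfg.get("mac_filter") and rank < MODE_RANK["wpa2/aes"]:
        findings.append("MAC filter without strong encryption: spoofable")
    known = {norm_mac(m) for m in known_macs}
    if cfg.get("dhcp_pool_size", 0) > len(known):
        findings.append("DHCP pool larger than the device inventory: shrink it")
    for mac in cfg.get("connected", []):
        if norm_mac(mac) not in known:
            findings.append(f"unknown device {norm_mac(mac)}: block it, change wifi key")
    return findings


# Constructed sample data (locally administered MAC addresses).
KNOWN = ["02:00:00:00:00:01", "02:00:00:00:00:02"]
WEAK = {"encryption": "WEP", "wifi_key": "1234", "admin_password": "admin",
        "remote_admin": True, "telnet": True, "mac_filter": True,
        "dhcp_pool_size": 50,
        "connected": ["02-00-00-00-00-01", "02:00:00:00:00:99"]}
HARDENED = {"encryption": "WPA2/AES",
            "wifi_key": "E9F3921C93AE5972E99B595423",
            "admin_password": "constructed-Example-Passw0rd",
            "remote_admin": False, "telnet": False, "mac_filter": False,
            "dhcp_pool_size": 2, "connected": ["02:00:00:00:00:02"]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_router(cfg, KNOWN))
```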
You must either live in the back of nowhere, or Canada. :-)
.
To be honest, if anybody should take on liability for this mess, it should be the ISPs providing WiFi-enabled boxes with zero security. Okay, granted, I have had to go set up people's Liveboxes as the system not only has a horrendously long key, but you also need to *press* a button on the box before it'll even consider recognising your connection attempt. But some ISPs figure on the "less hassle" approach, which - if forthcoming legislation changes push the onus on to us to secure our equipment - could rapidly become rather more hassle.
As you're using WEP, it is pretty lame, but it's a start. WPA2/AES, for sure. Glad to have been of help!
"Separately, the company will soon offer SSL encryption for its core search service."
That will put a spanner in the works of Kent Ertugrul, Stratis Scleparis, and Ian Livingston's Phorm spyware.
Now all we have to do is protect ourselves from illegal communication surveillance by Google Streetview cars.
..but wouldn't WEP and WPA be very easily crackable, given you collect enough or the right data from the wireless network... Do we know that their gear didn't send packets that prompted to re-associate with APs thus allowing to capture the handshake while driving by?
If I would do it, it's called wardriving and I will end up at a locked up place.
OTOH, should you trust a company that pretends to have no clue what its equipment actually does?
WEP can be cracked if you gather enough packets (but 90 seconds when you are in range is probably not enough time, even if you engage in aggressive packet injection).
WPA/PSK, you have to gather enough packets during the initial key setup using the fixed key. This is very short. Once the keys start changing dynamically, you have very little hope regardless of how many packets you snarf, because by the time you have enough, the key you are trying to crack has changed. And if you are using WPA/TKIP with a Radius server, for example, you do not even have the initial window of opportunity.
I realize that what I say here is simplistic, and there are known attacks for both PSK and TKIP, in general they take 10's of minutes, and I don't think that the google cars or bikes were traveling that slowly.
My router uses a user-specified MAC, is encrypted, and does not broadcast an ID. Plus, at the time they were looking, I was probably at work and there was no traffic on it. Not that it would have been particularly exciting traffic anyway...
But WTF? It certainly doesn't breed trust. As an IT worker, when I set up a browser upgrade, I have stopped choosing Google as the default provider, leaving it at BING or choosing someone else. I doubt it affects Google in any measurable way, but it makes me feel better, 'striking back' for their dishonesty. (though they at least admitted what they were doing)
If everyone in IT did the same as me, choosing another provider for their customers, I wonder if it would begin to affect Google in a measurable way?
The Computer Misuse Act 1990.
Section 1.
Unauthorised access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale".
There has been multiple repeated access to UK private WIFI (regardless of whether it is open or not this is immaterial to the offense).
Currently they're looking at about GBP 5000 per offense.
But, given that Google have grabbed, let's say, 90s of data you were transmitting whilst the car went past (let's ignore SSID, because they are publicly broadcast, so irrelevant wrt privacy). So, 90s, maybe one or two emails at the most.
What benefit do Google have from this - what data could possibly have been swiped that would be of benefit to them in order to make money legally? Everyone seems so het up about the fact that Google are (allegedly) swiping all this data, but I still fail to see how ANYTHING I do on the net could be of pecuniary advantage to Google. How can they make money (legally) from knowing my MAC address, or from knowing my predilection for Badger porn? [Not true about the badger porn].
Serious question - I really do want to know what benefit Google would have from doing this deliberately.
By knowing where you are browsing from they can target advertising at you depending on your location. There is no point advertising something that is not available in your town/region/whatever to you as you'd hardly be likely to bite.
They're an advertising company, how do you think they make money? The better targeted the ads, the more revenue.
I suspect that if the network is open for Google to snoop, there are probably more dubious people who would also like to see. It would be my instinct, therefore, that if people didn't want their data shared then they need to make some effort to secure the network or be educated on how to.
I don't, however, understand what Google might want with the data it was trying to collect. I'm not sure I want my router to be located. What use would this be to Google? Or rather, why are they saying it's okay for them to collect it?
Their car doesn't sit outside your house long enough to get enough of a sample to crack your WEP, and WPA2, etc, don't even bother.
So they snapshot your BROADCASTED SSID, whose fault is it for broadcasting the SSID?
So they snapshot the MAC address of your wifi router, SO WHAT!
They've made a tasty mapping somewhere of open WIFI spots (probably for open access cafes, pubs, etc) that will be released as an overlay, if your WIFI was open then you get what you deserve.
Me?
Mine's the one with the SSID masked, broadcasts switched off and MAC authentication ONLY to permit access to my DMZ. Anything less, and it's your own fail.
You can't not Broadcast your SSID. Even if you turn off the beaconing, your router will respond to requests for the SSID when requested to:
Page 324, Cisco Press CCENT/ICND1 by Wendell Odom:
"SSID cloaking is an AP feature that tells the AP to stop sending periodic Beacon frames. This seems to solve the problem with attackers easily and quickly finding all APs. However, clients still need to be able to find the APs. Therefore, if the client has been configured with a null SSID, the client sends a Probe message, which causes each AP to respond with its SSID. In short, it is simple to cause all the APs to announce their SSIDs, even with cloaking enabled on the APs, so attackers can still find all the APs."
It's not important -- it's about as relevant as logging the color of your front door. It's not private, it's not secret, it's just a way of telling one network from another.
All this fuss leads me to believe that the technology has got beyond those who make it their business to understand -- and worse still, control -- it.
People have been mapping wireless access points from the beginning of time. Google's just doing what everyone else has been doing. Leave them alone.
In the USA we have laws against wiretapping and 3rd parties intercepting point to point communications. Google is no better than a perverted scanner freak listening to the neighbors "doing it" with the baby monitor on.
http://www.lctjournal.washington.edu/Vol1/a009Ramasastry.html#_Toc107030428
.