War-driving at CeBIT: Big deal?

Kaspersky Lab has a report out this morning touting the results of a war-driving test the security outfit conducted at the recent CeBIT conference in Germany. The upshot: Employees of the IT companies on hand at this show won’t win any blue ribbons when it comes to protecting the wireless nets that have become ubiquitous at such events.

The results bring to mind a recent New York Times story (subscribers only) about wireless piggybacking and a subsequent proposition on this blog from frequent Network World contributor Joel Snyder suggesting what might possibly be done to minimize such impositions on — as Joel so delicately described them — Mr. and Mrs. Stupid. After reading the Kaspersky press release, I fired off an e-mail to Snyder asking this question: If the CeBIT experience is indicative of how techies behave with their wireless, might we be being a tad hard on Mr. and Mrs. Stupid for not doing any better?Joel says not at all and here’s why:

Well, don’t let the Kaspersky guys deceive you as to the population they were sampling. Their results are very much the same as what we saw at Interop years ago when we were doing our own wireless security testing. We built a cantenna and used it to grab far-away access point data. But calling those people ‘IT’ people is a SERIOUS misnomer. Who gets sent to trade shows? Is it developers? Is it technical people? No, not at all. It’s marketing people. It’s sales people. What are their interests? Is it technology? No. Is it security? No. It’s lead generation. They want to talk to people and sell them things.The people at trade shows like Interop or CeBit are exactly the SAME people as Mr. and Mrs. Stupid. In fact, for all I know, Mr. & Mrs. Stupid probably are marketing or sales people for a technology company.But, honestly, even that is misdirecting from the real point.What would have been much, much more interesting is asking … so what? Are these people sending unencrypted POP3 passwords out there? (Yes, we saw a tiny bit of that at Interop). Are they using the open AP so that their VPN clients can get back home? (Yes, we saw a HUGE amount of that.)Saying that people should not have open APs at a trade fair is, honestly, a stupid assertion by itself. It’s not the AP that’s important in this picture (which is somewhat different from what the issue was in the Time article; its the data stream. If the AP is simply a convenience so that people can use their same VPN clients to get back to wherever, or so that they don’t have to run wires from the demonstration hardware in the front of the booth to the demonstration hardware in the back of the booth, what is the issue here?In other words: is there a requirement for security that is not being met? Because I don’t see any evidence here that open APs at a trade show are lowering any security anywhere. The Kaspersky guys say really dumb thing like the most effective defense against war-driving is disabling SSID [broadcast]. So what? Is the fact that I have an AP something that I consider a security issue? Is the fact that it’s open a security issue? At a trade show, I don’t see it. Is it war driving that I care about? Or security of the data?– Joel Snyder