
Wall of Sheep Only Proves Acceptance of Risk
October 16, 2009

Participants at the SecTor security conference had their traffic sniffed in a kind of ‘Wall of Sheep’ stunt, according to this article in The Register.
So the organisers have shown up some attendees as security noobs, or worse still as completely ignorant. Or have they?
Apparently users of the conference wireless network were informed that the network was being sniffed, but only by announcements between talks, which is probably when people were chatting or had their snouts in the buffet.
There was no notification given upon connection, and users were required to get a shared key from one of the conference booths so they could log on to the WPA-protected network. Finally, the SSID was ‘Sector2009Secured’. Of course it may as well have been ‘ThisIsCompletelySafe’, because it makes no difference what the network is called.
So all the indications were that the network was not being monitored/sniffed/hacked/exploited, or whatever else perpetrators of such stunts may call it.
Now sure, security bods should know better than to completely trust a wireless network. This particular network was sniffed once the traffic was on the wire, not in the airwaves, and that is the bit worth dwelling on: WPA only encrypts the radio hop between the client and the access point, the access point decrypts everything, and whoever runs the wired side of the network sees it in the clear. A shared key handed out at a booth does nothing about that, and neither does the name of the SSID. Only end-to-end encryption (HTTPS, SSL/TLS on mail) would have kept the credentials out of the sniffer. And some are quite rightly pissed off now that they know what the conference organisers were up to. But to expose those who still used the network as ‘sheep’ is a bit premature.
Remarkably, one of those to have his credentials exposed was actually the conference organiser Brian Bourne of Black Arts Illuminated. His Twitter credentials were sniffed, and here is the point. Participating in Web 2.0 comes with some inherent risks. Your personal info, your opinions, your very thoughts can all be exposed and your reputation put on the line. Most tech savvy people are aware of this, but they accept the risks because they are outweighed by the benefits.
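To make concrete what a sniffer on the wired side of the access point actually recovers once WPA has been stripped off, here is an added Python example; it is not part of the original post and not the organisers' tooling. The three HTTP requests, hosts, usernames and passwords are constructed for the example, and it assumes the credentials travelled over plain HTTP, as Basic-auth API calls and many web logins did in 2009. A request sent over HTTPS would show up to the same sniffer as opaque bytes and yield nothing.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample requests, as a sniffer behind the access point would see them.
# Hosts, users and passwords are made up for this example.
_BASIC = base64.b64encode(b"alice:hunter2").decode()
SAMPLE_CAPTURE = [
    # API call authenticated with HTTP Basic auth over plain HTTP
    f"GET /statuses/friends_timeline.xml HTTP/1.1\r\nHost: api.example.net\r\n"
    f"Authorization: Basic {_BASIC}\r\n\r\n",
    # Web form login posted over plain HTTP
    "POST /login HTTP/1.1\r\nHost: webmail.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    "username=bob&password=letmein",
    # Ordinary page fetch with nothing sensitive in it
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
]

# Field names that commonly carry a password or a user identifier in login forms
PASSWORD_FIELDS = re.compile(r"^(pass(word|wd)?|pwd|secret)$", re.IGNORECASE)
USER_FIELDS = re.compile(r"^(user(name)?|login|email|uid)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    method: str
    path: str
    source: str  # "basic-auth" or "form"
    username: str
    password: str


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def basic_auth_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic' header; it is base64 encoding, not encryption."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def form_credentials(headers: Dict[str, str], body: str) -> Optional[Tuple[str, str]]:
    """Pull a username/password pair out of a urlencoded login form body."""
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    password = next((v[0] for k, v in fields.items() if PASSWORD_FIELDS.match(k)), None)
    if password is None:
        return None
    user = next((v[0] for k, v in fields.items() if USER_FIELDS.match(k)), "")
    return user, password


def sniff(capture: List[str]) -> List[Finding]:
    """Run both extractors over each plaintext request and collect what leaks."""
    findings: List[Finding] = []
    for raw in capture:
        method, path, headers, body = parse_request(raw)
        host = headers.get("host", "?")
        for source, creds in (
            ("basic-auth", basic_auth_credentials(headers)),
            ("form", form_credentials(headers, body)),
        ):
            if creds:
                findings.append(Finding(host, method, path, source, *creds))
    return findings


if __name__ == "__main__":
    for f in sniff(SAMPLE_CAPTURE):
        print(f"{f.host} {f.method} {f.path}: {f.source} {f.username}:{f.password}")
```

Nothing here is clever: the whole exercise is string splitting and a base64 decode, which is the point. The shared WPA key, the booth, and the reassuring SSID are all irrelevant once the traffic leaves the access point; only the two plaintext requests leak anything, and they would leak the same way on any network whose operator you cannot vouch for.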
So sure, the bods at the conference should have known the wireless network came with no guarantees of security, but maybe they did, and they used it anyway. Yes, those whose credit card details were sniffed should have known better, but those whose Tweets or email addresses got out were just getting on with it. They were ‘fooled’ by the confidence tricksters who were running the network. All this dirty little exercise proves is that even amongst security professionals the simplest attack vector is still through the user rather than the technology.