Ask HN: Dangers of Unsecured WiFi?
Connected to an unsecured WIFi network last week from my MacBook. When I restarted I couldn’t login and had to go through safe/recovery mode and use reset password utility from the terminal to get back in (thankfully I could log in to my Apple ID.
Now I’m not able to login to my Firebase console even from another laptop.
What’s going on here?
41 comments
[ 4.2 ms ] story [ 96.0 ms ] threadIf you get to login, check your compute resources since most of these bots just deploy tons of compute and use them for DDOS. This can be in the hundreds of dollars per hour figure.
It is possible to have your session hijacked when using any wifi really, its a lot harder on secured wifi though.
I only tether to my phone now in public, and never use unsecured wifi for anything.
Google did send me two Security alerts (one for each laptop) when I tried signing in yesterday with my old pwd. So they must have reset my password or something?
In any case, lesson learned: never connect to an unsecured Wi-Fi again! (I rarely do, but I was at this conference last week trying to demo Appomate AI, and was wanting it to be as snappy as possible. Bad decision!)
In case of an unsecured WiFi connection this is of course much more dangerous even.
I would’ve thought they would let devs handle it because if anything they’re more capable of these kinds of things (not counting myself ofc :-))
It's like how doctors and nurses are notoriously bad at getting their own health checkups. They're experts, they know better!
Pfft. How many of us actually spend time (and have the knowledge for) auditing the security of our OS, cert chains, HTTPS setup, etc.? I've seen experienced senior devs share private keys over Slack for the whole team to reuse, manually disable HTTPS checks with a comment like "too much trouble", etc. It's pretty scary.
No more anti-virus protection for the directories that you as a developer should be most concerned about. What could possibly go wrong?
I'd be more concerned if I hadn't already done that, I suppose. Because compiles run so much faster when you do. But I was amused, nonetheless. :-/
Fwiw, though, when I used Python behind a corporate proxy some 5-6 years ago nothing was configured to ignore the HTTPS warnings.
I really need to let go of these self-sabotage tendencies fast!!
https://www.cisa.gov/news-events/alerts/2024/09/18/apple-rel...
This is well known within both the security community and Mac Sys Admin community.
I don’t upgrade to the latest version when it comes out thinking it may not be stable enough yet. And then I remember about it when I’m about to start working or in the flow. I know, silly excuses!
Thanks for letting me know that’s not correct!
I started panicking, going over to people around me asking if they've ever experienced such a thing. All I got was a bunch of "huh? no never"s.
I found out a couple hours later that by pure coincidence my friend pranked me right then by signing my email address up for all the spam newsletters etc. he could find....
But I definitely panicked too and still a worried if I carried something over to my home network.
I’m a developer and at least superficially aware of the issues. Can’t imagine what non techies go through when faced with such situations!!
By default, I tether my phone. In the places that's not possible, the public WiFi is typically part of large scale infrastructure like an airport.
The biggest practical advantage of tethering is not security. It's repeatability. Sure security matters and I trust my phone's security. But not having to navigate other people's ideas of internet access is why I tether.
Good luck.
I always tell him he is being paranoid, because every app, especially the ones het finds important (like banking) encrypt their traffic. So who cares if the WiFi layer is encrypted or not.
For the people that do use WiFi away from home: It's easy to create an access-point that is malicious and has wpa2. Also, wpa2 isn't that great anymore, right?
I could tell him to just use a (trustworthy) free vpn (ie protonvpn, or just pay for mullvad) if he really needs to connect. That would take care of his concerns.
Am I wrong?
While it may be paranoid, there are still risks involved with connecting a device to an untrusted network
Unless I’ve looked at the app myself i wouldnt touch public wifi - even then there are other risks to consider
Edit: I would for my personal devices, unless I knew the app did something horrendous in advance- but I guess the core problem is you really have no way of knowing unless you check the app yourself or there is a known and reported vulnerability.
Is it for backward compatibility with old devices?
Why isn't the standard that when connecting to a wifi without password, everything would be just like if there was a (fake) "public password" like the string "password", so that traffic is still encrypted?
If you have a password, it means that you select who can be part of that network (and hence who can reach your computer). If you don't have a password (e.g. a guest network somewhere), then there is no selection at all.
Now, if you let anyone connect and have a "fake" password, you still don't have any filter and should know that you are on a "public" network (i.e. you should not blindly trust other devices). So it's actually better to be able to see that you are on a "public" network (versus a "trusted" network like your home LAN).
Or did I misunderstand your question?
The only difference with "unsecured WiFi" is its lack of key and encryption.
You've said nothing about who provided that WiFi service, where it was, or anything. Plenty of reputable and well-managed WiFi networks are unsecured these days. Even my ISP runs them; they're perfectly safe. I don't use a VPN.
We're not your tech support department, and it's impossible for us to troubleshoot your bugs with so little information. Your local machine got messed up somehow. It sounds like PEBKAC. What leads you to believe that the WiFi network was to blame? No, I don't care.
Take your machine to an Apple store or something. Contact the administrator of the WiFi network. Go to Geek Squad. Factory reset and reinstall your computer. Who knows how you've shot yourself in the foot?
I have negative feelings towards this sort of long winded holier than thou garbage.
And it's a documented self inflicted "why does nobody want to contribute to $project?" By burned out devs.