I’m a student of Sheffield Hallam University, Sheffield, UK, pursuing MSc. Information Systems Security. The reason behind creating this post is I’m conducting a survey on wireless security.
I’ve created a simple questionnaire based on wireless security which is accessible through this link. Please take the survey and help me understand more closely what you guys think about securing the wireless world, and also it will help me achieve the objectives of my coursework.
I promise, it won’t take more than 5 min. of your valuable time. Moreover, I’ll be very much grateful for your participation.
One of the moderators there claims to have somewhat vetted the survey site.
I took the survey, though I did put my browser into private browsing mode to do that. I did not see any reason for suspicion. It was a relatively simple survey. I was not asked to provide SSID or similar information. It was more a survey on user attitude toward questions related to WiFi security.
On Mon, 15 Apr 2013 21:26:02 +0000, nrickert wrote:
> I took the survey, though I did put my browser into private browsing
> mode to do that. I did not see any reason for suspicion. It was a
> relatively simple survey. I was not asked to provide SSID or similar
> information. It was more a survey on user attitude toward questions
> related to WiFi security.
I had a look at it myself, and my thought regarding security (which Henk
was referring to) was that with an IP address it might be possible to
track a home user, and now you’ve got a location and an idea what kind of
security is in place at that address.
It’s a longshot to find an open/not well protected wifi connection,
perhaps, but for me it tripped that warning.
On 04/15/2013 06:23 PM, Jim Henderson wrote:
> On Mon, 15 Apr 2013 21:26:02 +0000, nrickert wrote:
>> I took the survey, though I did put my browser into private browsing
>> mode to do that. I did not see any reason for suspicion. It was a
>> relatively simple survey. I was not asked to provide SSID or similar
>> information. It was more a survey on user attitude toward questions
>> related to WiFi security.
> I had a look at it myself, and my thought regarding security (which Henk
> was referring to) was that with an IP address it might be possible to
> track a home user, and now you’ve got a location and an idea what kind of
> security is in place at that address.
> It’s a longshot to find an open/not well protected wifi connection,
> perhaps, but for me it tripped that warning.
As there are at least 6 networks in my neighborhood with lower security than
mine, I’m not worried.
On Tue, 16 Apr 2013 00:29:30 +0000, Larry Finger wrote:
> On 04/15/2013 06:23 PM, Jim Henderson wrote:
>> On Mon, 15 Apr 2013 21:26:02 +0000, nrickert wrote:
>>> I took the survey, though I did put my browser into private browsing
>>> mode to do that. I did not see any reason for suspicion. It was a
>>> relatively simple survey. I was not asked to provide SSID or similar
>>> information. It was more a survey on user attitude toward questions
>>> related to WiFi security.
>> I had a look at it myself, and my thought regarding security (which
>> Henk was referring to) was that with an IP address it might be possible
>> to track a home user, and now you’ve got a location and an idea what
>> kind of security is in place at that address.
>> It’s a longshot to find an open/not well protected wifi connection,
>> perhaps, but for me it tripped that warning.
> As there are at least 6 networks in my neighborhood with lower security
> than mine, I’m not worried.
Yeah, I had that thought as well - and I run one of the networks that has
lower security than my normal one (a guest network with nodogsplash in
front of it that is bandwidth-limited and restricted to specific outbound
I have the idea that my question was for some reason (using the wrong wording by me?) not very clear to some of you.
I asked the OP here for information. I wanted to know what his thoughts about what the security aspects of his survey are on innocent people. And innocent people are IMHO people who never even heard of things like “private browsing”, “VPN”, etc. I, in fact, did not see any of the people above, who know how to care for themselves in casu security, as possible victims. I thought about thousands of members (and non-members) here that may think that the very fact that the survey is posted here (the forums being an important and trustworthy source of information on the operating system they use) without any comment may mean that it is secure by definition.
This morning I got a neat mail from Paypal (so it says) that asks for all my credentials including my Credit Card numbers. I never used Paypal. The world is full of these things. Why does the OP here think that anybody will trust his survey?
As we want to keep the several (sub)forums dedicated to their subjects as good as possible and this is not a thread that asks for technical help on Wireless, this thread will be moved to Surveys/Polls.
It would already increase trust to a certain degree to host such a
survey directly at the university site instead of wufoo.
Also there is no verifiable contact address (university email or similar).
I do not say that the survey is not what it says it is, I just say that
it is just something which leaves a bad taste in my mouth that someone who
creates such a survey for a MSc would not even take such simple things
into account and behaves like a telemarketer who calls you and asks you
arbitrary questions for a “survey” without proof who he is or what the
info is really for and where it ends up.
You have seen well, and I thought about this afterwards.
Probably (hopefully) the OP did not think at all about this aspect and therefore your objection is a valuable one also for academic purposes. So the next time the survey can take maybe care of these aspects.
Your comment made me think also about the possible “commercial value” (that is a euphemism to say the minor) of the wlan data and traffic snippets “accidentally” gathered by the cars of Google street view. Honi soit qui mal y pense…
However this might be a good place to discuss some of the things the survey did ask. I.e. is it better hidden ssid or not. In fact (I recall this was a critique of “the H”) there is the argument that a lot of clients, once the hidden ssid was authorized do not really check for MAC address and just probe the hidden SSID login with the password, being easily fooled by a fake access point (aircrack-ng). How does KDE network manager behave in this aspect?
BTW, I was wondering if openSUSE does offer any well done “from the scratch” manuals for things like setting up a DMZ and network security for “dummies” in general.
Sheesh, anyone would think that you guys don’t take the obvious security approach of lying selectively when filling in any survey. (I’ve heard about some of the ‘password security’ surveys, which have been superficially ridiculous (but then, everything about what people do with passwords seems ridiculous), and everyone seems to take them as if they are literally, exactly, true: Why? With no actual evidence, why?)
Anyway, it seems that the survey is now closed, so at least currently, the problem seems to have gone away.
The participation in a survey is voluntary. There is an obvious bias in that people that are more prone to be informed about security are also more prone to take surveys or at least when they take them, they are more up to date with their knowledge. There is therefore no sense in what you say. If one is concerned with security the most obvious way to comply is not to take any survey.
The survey is still open, the thread was closed and was transferred to the survey pages. I do not think that the survey is of trouble given the content with an exception of two values. He asks about which type of security are you using. If you really use “none” or “wep” with an open SSID you are anyway target of whatsoever hacker. The rest are questions about “how safe” users believe to be.
But here the problem appears to be another. To avoid double posting the survey screens the unique identifier of the FireFox browser and therefore is quite invasive. I had the survey (as in reality I have my WLAN switched off for security reasons) twice to find out. Once normally and second time to see if the page would have been able to identify me as a user. Well, although I have caching disabled, java disabled, flash disabled (all this by default!), no third party cookies, cookies emptied on exit …I was told I cannot take the survey twice with a fresh browser. So you get an idea how he does this, not with the IP (I am on an anonymizing VPN) but with all evidence he reveals the unique identifier of FireFox (that has been shown to be subject to continuous tracing).
As for methodology, it is good, because it allows to avoid quite some double answering. But for privacy it appears actually troublesome, as these conditions should be clearly pointed out in the very beginning before handing over the survey page, and a contact address, as well as an identifying contact with the tutor of the respective University is missing as well (as Henk noted before). Under these conditions it could be prudential to take off, by moderation, the link right away, rightly because of the non respect of these points.
It is probable that the author is having a look from time to time where he posted, so it would be nice to have his statement on these aspects (Dear souti2006 you are therefore officially invited to give answer to questions as: where is the survey data stored. Which privacy rules and legislation do you therefore follow. Why is there no University contact address in your survey).
If there is no point in the TORs about this, I would raise the proposal to edit them in order to clearly define under which conditions and circumstances an external survey can be posted. A contact address and a clear definition to what legislation the survey-data is subject to, seems a minimum requirement.
BTW, privacy. Here a nice link to find out what you actually “lose” in terms of identity data, while being on the web: https://ip-check.info/description.php (Useless to say that I do not endorse the products eventually associated with this, nor do I say that any of the claims of this producer are right, but the amount of data you are shown by this screening is nevertheless impressive).
Quite despairing isn’t it.
Actually, that’s true; for a variety of reasons, I went via a search engine, and was taken to another survey of exactly the same name, and on the same site, which had been closed. Maybe someone who had been doing the same course previously? Maybe the same individual has had a reason to do this data collection several times?
Firstly, there is sense in the sense that such surveys can have little or no value unless there is some means to validate the answers. Random numbers of people will have lied, so the answers will all be as good as guessing, for the putative purpose. But if the results are not being used for the supposed purpose, but as part of some attempt to get data to leak, then this wouldn’t necessarily be a big problem…
Secondly, there are the problems of what will be done with the results and whether the survey is being conducted in good faith.
Thirdly, there is essentially no way of knowing whether the author is collecting, eg, data from linux users, mac users and Windows users separately and the information that one set of users is more sloppy than another, and is therefore easier to hack could be used for good or for ill. Given the lack of information, I’m going for ‘for ill’, unless and until there is evidence to the contrary.
Just because it is obvious, that doesn’t mean that it is what everybody will do. There is no evidence that filling in this survey will do, or has the potential to do, anything positive for Suse or Linux or anything that I care about. Maybe I should be more generous, but it is quite possible that this survey has been constructed with an agenda of doing something negative for something that I care about (eg, publishing a result that says ‘Linux users are more careless about security’; it would not be the first time that this kind of survey has been constructed in such a way), so why should I help in that end?
I agree completely that there are problems, and it seems quite typical that people in this situation are happy to abuse the goodwill of the Linux community in this way. I really, really don’t like this and would have hoped that the academic community could have been persuaded to behave in a better way than this by now. (Well, assuming that the survey actually has anything to do with the academic community, and this isn’t just being used as a cover story.)
I am a bit disturbed by the fact that these surveys always seem a bit ‘cookie cutter’ and bland, in that set-up is usually the same (It is academic, but no contact details (and it isn’t usually one of the bigger academic institutions, for which confirmation might be easier), it is part of something bigger, but there won’t be anything at all about the overall aim, and the inference is that you are helping some deserving soul towards a qualification, but without anything on which you could judge whether they really are deserving).
At least, so far, I have never seen any response like ‘I got 73 responses from Linux users and 125 from Windows users, so percentage-wise Linux users were the most helpful; thank you for that!’. Or even the reverse. This makes me feel that either:
the person carrying out the survey just wants a tick in that box and doesn’t really care, once other people have done the work that they can put in their report
the real aim is rather different from the superficial aim, and they want to keep that secret
I’d really like to hear back on this occasion; I might not take the response at face value, but at least it would be something.
You would have thought that, in such cases, the author would look back, whether this is legit or whether it is an attempted scam. Having seen these things before, I can say that it is surprising that in such cases that frequently the author fails to make any post beyond the first one. You might have thought either ‘thanks’ or ‘go away and die’ (roughly) would have been appropriate. It may be that this is evidence of some kind of class exercise in which they aren’t really interested, or it may be something else. And this survey may be different from the rest. Or, not.