On Mon, 1 Dec 2008 21:13:31 +0000 (UTC), Sylvain Robitaille <s...@alcor.concordia.ca> wrote in <slrngj8krr.qcm....@charlotte.concordia.ca>:
>Jeff Liebermann wrote:
>> As I've mentioned several times, the computer can be almost totally protected, but without encrypting the wireless traffic, a simple sniffer can capture unencrypted traffic, passwords, email, etc.
>I prefer, and heartily recommend, regardless of wireless encryption, end-to-end encryption. If you don't trust your traffic in wireless space (because you can't control whether it can be intercepted in that space), why would you trust it travelling over wires you don't control?
While your point is valid in principle, in practice it's far more difficult to snoop wired Internet traffic than open wireless traffic.
>> ... No amount of security is ever sufficient. Given sufficient time, resources, and technology, any level of security can eventually be compromised. ...
>Yes. That's precisely the point.
What point? That the NSA can do it, so why bother with security?
>I consider myself pretty good with computer and network security, perhaps even an "expert" (it is part of my job and has been for more than a few years). I'm not nervous about systems I manage (whether my own or managed for someone else).
You should be. No matter how good you are, those systems are still vulnerable.
>> Again, wireless security (WPA) will not protect your computer. It will protect your network from sniffing.
>Only on that particular link.
True, but that can be quite valuable as a part of the overall solution.
>I see (and refer to) WPA as a form of access control. If you want to protect your data in transit, you need to protect it beyond that initial wireless link.
Not necessarily -- it's a matter of relative risks, and the risk of open wireless is orders of magnitude greater than the risk on the Internet backbone.
>> It's a bit like saying, condoms sometimes fail, so don't bother to use them. ...
>Not exactly. It's more like saying "condoms sometimes fail, and they're inconvenient" so I prefer to use a different (better) form of protection.
Abstinence? That's actually a pretty good analogy. If you're not going to bother with WPA, then abstain from wireless.
>> WPA does protect your computer from attack over the wireless network.
>... and it does so by controlling access to your network.
Actually it encrypts the traffic.
>> That would not be a valid point -- WPA does provide real and valuable security. ....
>WPA provides access control and encryption over one network link. It works well for that. Most people need their data protected between two endpoints that span multiple network links. WPA falls short on that.
I disagree on both counts. Feel free to provide real evidence to back up those contentions.
>> There's ample evidence that open wireless will be abused, with potentially negative consequences. All it takes is for the kid next door to use your wireless to file share illicit materials (imagine that); the RIAA and MPAA trace it back to your account; your computers get seized and you get sued.
>Schneier points out in his article, however, that he feels he has the perfect alibi for such a case, precisely by keeping his wireless network access point unsecured. I wouldn't test that myself, by the way, nor would I recommend it, but it's relevant to the discussion in the context of the above quote.
There's ample evidence that he's wrong -- whether he prevails or not in the end, he can still go through hell in the meantime.
>Mark McIntyre wrote:
>> Then his article is highly disingenuous, or he really is a fool. Does he run an encrypted VPN between every computer on his network? Is all traffic to the internet encrypted, including email?
>I'm not defending the article or its author. I was simply pointing out that one or more previous posters on this thread appear to have misinterpreted the point of the article. ....
John Navas wrote:
> While your point is valid in principle, in practice it's far more difficult to snoop wired Internet traffic than open wireless traffic.
That really depends on which side of the network you're sitting on. Where I sit, they're both equally trivial. Where the average script-kiddie sits, perhaps you're right, but the really serious threats are usually "on the inside", where, once again, they're equally trivial.
>> I'm not nervous about systems I manage ...
> You should be. No matter how good you are, those systems are still vulnerable.
Of course they're "vulnerable", in one form or another. I've taken measures, however, to reduce _known_ vulnerabilities to a minimum, to limit the potential avenues of intrusion, and to increase the likelihood that a compromise will be detected. That last one matters, and is what permits me to not worry. Can undetected intrusion occur? Of course, at least in theory. Is it likely? No.
>>> Again, wireless security ... will protect your network from sniffing.
>> Only on that particular link.
> True, but that can be quite valuable as a part of the overall solution.
Only if your traffic isn't encrypted end-to-end by other means, which means someone trying to sniff needs only to park himself somewhere between the wired side of your wireless access point, and the sensitive data's destination.
> ... it's a matter of relative risks, and the risk of open wireless is orders of magnitude greater than the risk on the Internet backbone.
Consider the layers above the backbone. Your traffic does not pass from personal wireless link, to backbone, to destination host. There are other layers involved. The security of the data in transit is only as good as the weakest form of security applied to it within the entire end-to-end trajectory.
>>> WPA does protect your computer from attack over the wireless network.
>>... and it does so by controlling access to your network.
> Actually it encrypts the traffic.
Encrypting the traffic (over a single short network link) has nothing to do with the previous statement of protecting the computer from attack over the wireless network.
>> WPA provides access control and encryption over one network link. It works well for that. Most people need their data protected between two endpoints that span multiple network links. WPA falls short on that.
> I disagree on both counts. Feel free to provide real evidence to back up those contentions.
Try getting onto a WPA-secured network for which you don't know the "key", and see "evidence" that it works well at providing access control. Start examining some packet traces, of traffic over both the WPA-secured wireless network, where you'll see that WPA works well at encrypting traffic over that link, then the same traffic over the wired portion of the network after it leaves the AP, and see WPA fall short. Need more evidence than that?
Systems analyst / AITS Concordia University Faculty of Engineering and Computer Science Montreal, Quebec, Canada ----------------------------------------------------------------------
On Tue, 2 Dec 2008 06:33:25 +0000 (UTC), Sylvain Robitaille <s...@alcor.concordia.ca> wrote in <slrngj9lll.rvv....@charlotte.concordia.ca>:
>John Navas wrote:
>> While your point is valid in principle, in practice it's far more difficult to snoop wired Internet traffic than open wireless traffic.
>That really depends on which side of the network you're sitting on. Where I sit, they're both equally trivial. Where the average script-kiddie sits, perhaps you're right, but the really serious threats are usually "on the inside", where, once again, they're equally trivial.
>Of course they're "vulnerable", in one form or another. I've taken measures, however, to reduce _known_ vulnerabilities to a minimum, to limit the potential avenues of intrusion, and to increase the likelihood that a compromise will be detected. That last one matters, and is what permits me to not worry. Can undetected intrusion occur? Of course, at least in theory. Is it likely? No.
It's actually likely. The vast majority of intrusions go undetected, even by folks with serious expertise. Your assumption is unwarranted, and probably giving you a false sense of security.
>Only if your traffic isn't encrypted end-to-end by other means, which means someone trying to sniff needs only to park himself somewhere between the wired side of your wireless access point, and the sensitive data's destination.
It's hard if not impossible to encrypt *all* traffic end-to-end.
When browsing websites that don't support HTTPS for all traffic, as most don't, then traffic is unencrypted over the public Internet even when using VPN -- since the remote VPN endpoint isn't at the remote website, part of the Internet path is unencrypted. Thus I use VPN when at an open public hotspot (very high risk), but not when I'm using a wired connection (very low risk).
To be clear, I do protect the transmission of sensitive information (passwords, bank account numbers, credit card numbers, social security number, etc), but I don't know of any practical way for me to encrypt *everything*. If you really do know how to do it, then please educate me... ;)
But then even with end-to-end encryption you are still vulnerable to compromise of and at the other end, which is a far more likely risk. I worry much more about the security of businesses on the Internet than I do my own security and wired Internet security, and with good reason. One of a great many cases in point:
"This week also saw the personal information of almost 1,000 bank customers lost by an employee of Bank of Ireland, after the data was copied onto an unencrypted USB memory stick."
>Consider the layers above the backbone. Your traffic does not pass from personal wireless link, to backbone, to destination host. There are other layers involved. The security of the data in transit is only as good as the weakest form of security applied to it within the entire end-to-end trajectory.
Sure, but I think you're worrying about the wrong problem. I don't take precautions against being struck by meteorites while walking around outside, but I do take precautions against getting hit by cars. I might be killed by a meteorite, but I won't get hit by a car while worrying about meteorites. ;)
>> Actually it encrypts the traffic.
>Encrypting the traffic (over a single short network link) has nothing to do with the previous statement of protecting the computer from attack over the wireless network.
Of course it does, since malware traffic can't be successfully injected into the encrypted transmissions.
>> I disagree on both counts. Feel free to provide real evidence to back up those contentions.
>Try getting onto a WPA-secured network for which you don't know the "key", and see "evidence" that it works well at providing access control. Start examining some packet traces, of traffic over both the WPA-secured wireless network, where you'll see that WPA works well at encrypting traffic over that link, then the same traffic over the wired portion of the network after it leaves the AP, and see WPA fall short. Need more evidence than that?
John Navas wrote:
> I respectfully disagree. Snooping of wireless traffic is orders of magnitude more likely than snooping of wired traffic, and the really serious threats aren't hard things like snooping of wired Internet traffic -- they are relatively easy things like website compromise, cross-site scripting attacks, and the like.
Ummmm.... and WPA on the local wireless link protects against these? How? I think you're drifting off the point.
>> Can undetected intrusion occur? Of course, at least in theory. Is it likely? No.
> It's actually likely. The vast majority of intrusions go undetected, even by folks with serious expertise. Your assumption is unwarranted, and probably giving you a false sense of security.
Who's making the unwarranted assumption here? You know nothing about my systems or about what I know or can detect about them. The thing about undetected intrusion, of course, is that by definition, you never know if one has happened. However, if you know your systems well, and you know how to protect them, you can be pretty sure of raising the bar of the skill level that would be required for an undetected intrusion. You raise that bar high enough, and the question becomes whether or not it's worth the effort for the would-be intruder.
Would I claim that I can single-handedly properly secure financial data or medical data on a database server? (well, I did do one of those in the past) No; I'm not trying to be arrogant. However, I have plenty of experience protecting what I would consider non-critical personal information (mine and others') on computer systems. Could I have done even better? Probably, yes. Have I ever had a system compromised? Once, many years ago, via a then-recently discovered vulnerability in FTP server software on a system I was managing. Undetected? Only briefly ...
> It's hard if not impossible to encrypt *all* traffic end-to-end.
Not *all* traffic contains sensitive data. Do I really care if you can sniff my Google searches and their results? Protect what's worth protecting.
Does WPA on a single network link do all that much to protect your username and password if you use POP or IMAP to read mail? I suppose it does if your only concern is protecting your credentials from the neighborhood teens. I prefer to avoid unencrypted protocols like POP or IMAP. If you use "secure POP" (POP/TLS) or "secure IMAP", it wouldn't matter if WPA wasn't available.
> But then even with end-to-end encryption you are still vulnerable to compromise of and at the other end, which is a far more likely risk.
It isn't "end-to-end" if it isn't "application-to-application". WPA, as you know, won't protect your data at the other end. If the risk is far more likely, what protection does WPA offer?
> I worry much more about the security of businesses on the Internet than I do my own security and wired Internet security, and with good reason.
That's a big part of the problem, yes: people ("businesses") making false assumptions about computer and network security, and those false assumptions lead to compromised data, usually because not enough emphasis was placed on protecting that data in the right places. "hard crusty exterior with a soft chewy center ..." Businesses "believe" their data is "secure" because they've deployed a "firewall". How is that different than individuals believe their personal computers are "secure" because they've enabled WPA on their wireless access points?
> One of a great many cases in point:
> "This week also saw the personal information of almost 1,000 bank customers lost by an employee of Bank of Ireland, after the data was copied onto an unencrypted USB memory stick."
I bet they had HTTPS for authenticated access to their web servers, and WPA-protected wireless local networks, though. They took the steps recommended to them by computer security "experts", yet still failed to protect their sensitive data. Thank you for helping make my point. :-)
> Sure, but I think you're worrying about the wrong problem.
No, I'm worrying about understanding what it is I'm protecting, where, from what or whom, and why. I use WPA on my wireless network at home (and incorporated EAP-TTLS with dynamically negotiated encryption for a large wireless network I did in my previous employment), because it keeps outsiders from being able to use my network, not because it encrypts any personal information that might pass over that link. The protection of the sensitive data passing over the wireless link is taken care of by other means, and that data would be protected regardless of the encryption on the wireless link. That's been my point all along, and it is that which I feel others missed from Schneier's article (recall that's what caused me to join the discussion), largely because the article makes no explicit mention of it. It is, however, quite visible in its absence.
>>> I disagree on both counts. Feel free to provide real evidence to back up those contentions.
> ... I need real evidence that snooping of traffic over the wired Internet is a *significant* (not just theoretical) risk, especially as compared to other risks.
Wait a minute ... The points that you disagree with above, and for which I explained a simple means by which you can observe them in action ("evidence") are the following:
>>>> WPA provides access control and encryption over one network link. It works well for that. Most people need their data protected between two endpoints that span multiple network links. WPA falls short on that.
Now you want evidence that *wired* connections are vulnerable to snooping. See HTTPS (and other TLS-tunneled protocols) for such evidence. It long predates WPA, and even WEP. Are you suggesting that it's really a no-op and is protecting against an insignificant threat?
See also the above quote you provided about Bank of Ireland's customer data. Would WPA have helped there, or would better protection of the data in transit have been warranted?
Systems analyst / AITS Concordia University Faculty of Engineering and Computer Science Montreal, Quebec, Canada ----------------------------------------------------------------------
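The post above makes two concrete claims that can be checked with a capture: that WPA only covers the radio hop, so the same bytes reappear in the clear on the wired side of the AP, and that plaintext POP or IMAP hands over the login no matter what the wireless link did. The following Python script is an added example and is not code from this thread or from either poster. It runs a cleartext-credential extractor over constructed client-to-server payloads of the kind a sniffer on the wired segment would see; the hosts, ports, users and passwords in CAPTURES are made up, and the port-to-protocol table is an assumption. It also covers the cases the post does not spell out: IMAP AUTHENTICATE PLAIN (base64 is not encryption), a session that upgrades with STARTTLS (only the bytes before the upgrade are readable) and POP3S/IMAPS (TLS from the first byte).

```python
"""Cleartext mail-credential extraction from captured client->server payloads.

Added example, not code from this thread. CAPTURES is constructed sample data
standing in for what a sniffer on the wired side of an access point sees after
the AP has removed WPA encryption; the hosts, ports and credentials are made up.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# (client address, server port, bytes the client sent) -- constructed samples
CAPTURES: List[Tuple[str, int, bytes]] = [
    # POP3 with USER/PASS in the clear
    ("10.0.0.12", 110, b"USER alice\r\nPASS s3cret\r\nSTAT\r\nQUIT\r\n"),
    # IMAP LOGIN with a quoted password
    ("10.0.0.12", 143, b'a001 LOGIN bob "hunter2"\r\na002 SELECT INBOX\r\n'),
    # IMAP AUTHENTICATE PLAIN: base64 of \0authcid\0password, still cleartext
    ("10.0.0.23", 143, b"a001 AUTHENTICATE PLAIN\r\n"
                       + base64.b64encode(b"\0carol\0letmein") + b"\r\n"),
    # IMAP session that upgrades to TLS before authenticating
    ("10.0.0.23", 143, b"a001 STARTTLS\r\n\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    # POP3S: TLS from the first byte, nothing to recover
    ("10.0.0.31", 995, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]

PORT_NAMES = {110: "POP3", 143: "IMAP", 993: "IMAPS", 995: "POP3S"}  # assumption
TLS_PORTS = {993, 995}

# With re.M, "$" matches before "\n", so the optional "\r" is consumed explicitly.
POP3_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
POP3_PASS = re.compile(rb"^PASS (.+?)\r?$", re.M)
IMAP_LOGIN = re.compile(rb'^\S+ LOGIN (\S+) (?:"([^"]*)"|(\S+))\r?$', re.M)
IMAP_AUTH_PLAIN = re.compile(rb"^\S+ AUTHENTICATE PLAIN\r?\n([A-Za-z0-9+/=]+)\r?$", re.M)
STARTTLS = re.compile(rb"^(?:\S+ STARTTLS|STLS)\r?$", re.M)


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def parse_pop3(payload: bytes) -> Optional[Tuple[str, str]]:
    user, pw = POP3_USER.search(payload), POP3_PASS.search(payload)
    if user and pw:
        return user.group(1).decode(errors="replace"), pw.group(1).decode(errors="replace")
    return None


def parse_imap(payload: bytes) -> Optional[Tuple[str, str]]:
    m = IMAP_LOGIN.search(payload)
    if m:
        pw = m.group(2) if m.group(2) is not None else m.group(3)
        return m.group(1).decode(errors="replace"), pw.decode(errors="replace")
    m = IMAP_AUTH_PLAIN.search(payload)
    if m:
        try:
            parts = base64.b64decode(m.group(1), validate=True).split(b"\0")
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if len(parts) >= 3:  # authzid, authcid, password
            return parts[-2].decode(errors="replace"), parts[-1].decode(errors="replace")
    return None


def analyze(client: str, port: int, payload: bytes) -> Dict[str, object]:
    """Classify one client->server stream and pull out any cleartext credential."""
    result: Dict[str, object] = {
        "client": client, "port": port,
        "protocol": PORT_NAMES.get(port, f"tcp/{port}"),
        "user": None, "password": None, "encrypted": False,
    }
    if port in TLS_PORTS or looks_like_tls(payload):
        result["encrypted"] = True
        return result
    m = STARTTLS.search(payload)
    if m:
        # Only bytes before the STARTTLS command are cleartext; drop the rest.
        payload = payload[:m.start()]
        result["encrypted"] = True
    creds = parse_pop3(payload) if port == 110 else parse_imap(payload)
    if creds:
        result["user"], result["password"] = creds
    return result


def extract_credentials(captures: List[Tuple[str, int, bytes]]) -> List[Dict[str, object]]:
    return [analyze(*c) for c in captures]


def cleartext_credentials(captures: List[Tuple[str, int, bytes]]) -> List[Tuple[str, str, str]]:
    """(protocol, user, password) for every stream that leaked a credential."""
    return [(str(r["protocol"]), str(r["user"]), str(r["password"]))
            for r in extract_credentials(captures) if r["user"] is not None]


if __name__ == "__main__":
    for r in extract_credentials(CAPTURES):
        if r["user"] is not None:
            print(f"{r['client']} {r['protocol']}: {r['user']} / {r['password']}  <- cleartext")
        else:
            print(f"{r['client']} {r['protocol']}: encrypted, nothing recovered")
```

Run against a real trace, the same three logins would be recoverable from a capture on the AP's Ethernet port whether or not the radio side used WPA, which is the post's point; only the STARTTLS and POP3S sessions yield nothing, which is the case for end-to-end protection.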
On Wed, 26 Nov 2008 20:01:42 -0800, John Navas <spamfilt...@navasgroup.com> wrote in <jn6si4l656r696ui322pgi31jj7kdib...@4ax.com>:
>* Make your wireless SSID unique. This helps avoid network collisions. A good way to do this is to use your address, phone number, and/or name for your SSID (making it easy for you to be contacted if something is wrong with your wireless network).
* True story of network collision problem:
A client complained to me that the home office wireless Internet had always been very flaky, that even having the (shudder) Geek Squad come out hadn't really helped, and asked me if anything affordable could be done about the problem. Sure enough I had trouble getting and keeping a connection with a laptop. Even moving closer to the wireless access point didn't help. That was sufficiently odd that I decided to start over from scratch, loading the latest router firmware, resetting to factory defaults, and then running through my standard initial setup routine for wireless networking. And voilà! Strong, solid connection, excellent performance.
While I was working my client gave me a rundown on the Geek Squad, how they had come out to fix the first wireless, couldn't get it working, had to come back out to swap the wireless router for a different brand, got that working albeit poorly, told my client it was poor because the laptop was old, and left.
I probed a bit and learned the first wireless router had been brand L, that the Geek Squad had swapped it for brand N when they couldn't make it work, and that the laptop had then started working so they didn't even touch it. Thus the laptop was still configured for brand L, and what was actually happening was that it was connecting to a neighbor's open wireless, not the new brand N wireless router, because the Geek Squad were using factory defaults and no security. In 1-1/2 years of paying for broadband my client had never actually used it, or the expensive wireless router for that matter.
That wouldn't have happened, of course, if the Geek Squad had configured a unique SSID in the first place, any sort of wireless security, or otherwise had any real clue about wireless networking. (Likewise the neighbor.) But I guess I shouldn't complain -- puts food on my table. :)
* True story of network identification problem:
Before installing a wireless network for another client I did a site survey (my normal practice), and found a strong signal on channel 1 and another strong signal on channel 9 (go figure), leaving me with no clear channel to use. The "easy" solution, of course, would be to persuade the neighbor on channel 9 to switch to either channel 6 or channel 11. Actually not so easy since the default SSID gave no clue as to who was running that wireless network. Worse, my client was in a multi-unit complex that left us with quite a few possibilities, which meant knocking on a lot of doors, which had to wait until evening. It would have been much faster and easier if the SSID identified the network operator.
-- 
Best regards,
John Navas
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
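Both stories above come down to two questions a site survey has to answer: is any 2.4 GHz channel actually clear, and can the neighbour on a busy channel be identified from the SSID. The Python below is an added example, not the poster's code and not from the linked FAQ. It encodes the channel-overlap rule (2.4 GHz channels are 5 MHz apart and a 20 MHz signal spans roughly two channels either side of its centre, which is why 1, 6 and 11 are the non-overlapping set) and a default-SSID check. The scan table is constructed to match the second story, with strong networks on channels 1 and 9; the BSSIDs, the list of factory-default SSIDs and the -75 dBm interference floor are assumptions. It also shows what the survey looks like after the channel-9 neighbour is persuaded to move to 6 or 11.

```python
"""2.4 GHz site-survey helper: clear-channel search and neighbour identification.

Added example, not from the thread or from the poster's FAQ. SURVEY is a
constructed scan table modelled on the situation described above (strong
neighbours on channels 1 and 9); BSSIDs and SSIDs are made up, and the
default-SSID list and the -75 dBm interference floor are assumptions.
"""
from typing import List, NamedTuple, Tuple


class BSS(NamedTuple):
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int


SURVEY: List[BSS] = [
    BSS("NETGEAR", "00:1e:2a:aa:bb:01", 1, -48),       # factory-default SSID
    BSS("linksys", "00:14:bf:cc:dd:02", 9, -51),       # factory-default SSID
    BSS("Smith-Apt-4B", "00:0f:66:ee:ff:03", 6, -82),  # identifies its operator
]

NON_OVERLAPPING: Tuple[int, ...] = (1, 6, 11)
INTERFERENCE_FLOOR_DBM = -75  # assumption: weaker signals are ignored

# Assumed list of common factory-default SSIDs that say nothing about who runs the AP.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g", "wireless"}


def overlaps(a: int, b: int) -> bool:
    """2.4 GHz channels are 5 MHz apart and a 20 MHz signal spans about two
    channels either side of its centre, so centres fewer than 5 apart overlap.
    That is why 1, 6 and 11 are the usual non-overlapping set."""
    return abs(a - b) < 5


def is_default_ssid(ssid: str) -> bool:
    return ssid.strip().lower() in DEFAULT_SSIDS


def interferers(channel: int, survey: List[BSS], floor: int = INTERFERENCE_FLOOR_DBM) -> List[BSS]:
    """Networks strong enough to matter whose channel overlaps the candidate."""
    return [b for b in survey if b.signal_dbm >= floor and overlaps(b.channel, channel)]


def clear_channels(survey: List[BSS], candidates: Tuple[int, ...] = NON_OVERLAPPING,
                   floor: int = INTERFERENCE_FLOOR_DBM) -> List[int]:
    return [ch for ch in candidates if not interferers(ch, survey, floor)]


def least_bad_channel(survey: List[BSS], candidates: Tuple[int, ...] = NON_OVERLAPPING,
                      floor: int = INTERFERENCE_FLOOR_DBM) -> Tuple[int, float]:
    """When nothing is clear, pick the candidate with the least overlapping power
    (dBm converted to milliwatts so one strong neighbour outweighs several weak ones)."""
    def power_mw(ch: int) -> float:
        return sum(10 ** (b.signal_dbm / 10) for b in interferers(ch, survey, floor))
    ch = min(candidates, key=power_mw)
    return ch, power_mw(ch)


def unidentifiable_neighbours(survey: List[BSS]) -> List[BSS]:
    """APs whose SSID gives no clue whose door to knock on to ask for a channel change."""
    return [b for b in survey if is_default_ssid(b.ssid)]


def move_channel(survey: List[BSS], bssid: str, new_channel: int) -> List[BSS]:
    """What the survey would look like if one neighbour changed channel."""
    return [b._replace(channel=new_channel) if b.bssid == bssid else b for b in survey]


if __name__ == "__main__":
    print("clear channels now:", clear_channels(SURVEY) or "none")
    print("least-bad channel:", least_bad_channel(SURVEY)[0])
    for b in unidentifiable_neighbours(SURVEY):
        print(f"default SSID {b.ssid!r} on channel {b.channel}: operator unknown")
    for target in (6, 11):
        after = move_channel(SURVEY, "00:14:bf:cc:dd:02", target)
        print(f"if the channel-9 neighbour moved to {target}: clear = {clear_channels(after)}")
```

With the constructed survey no channel is clear, exactly as in the story: channel 1 is occupied, and a strong network on channel 9 overlaps both 6 and 11. Moving that neighbour to 11 frees 6, moving it to 6 frees 11, and the two default SSIDs are the ones whose owners cannot be located without knocking on doors.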
On Tue, 2 Dec 2008 21:42:15 +0000 (UTC), Sylvain Robitaille <s...@alcor.concordia.ca> wrote in <slrngjbatn.ike....@charlotte.concordia.ca>:
>John Navas wrote:
>> I respectfully disagree. Snooping of wireless traffic is orders of magnitude more likely than snooping of wired traffic, and the really serious threats aren't hard things like snooping of wired Internet traffic -- they are relatively easy things like website compromise, cross-site scripting attacks, and the like.
>Ummmm.... and WPA on the local wireless link protects against these?
Straw man argument: I didn't say or even suggest that.
>How? I think you're drifting off the point.
I was rebutting *your* claims.
>>> Can undetected intrusion occur? Of course, at least in theory. Is it likely? No.
>> It's actually likely. The vast majority of intrusions go undetected, even by folks with serious expertise. Your assumption is unwarranted, and probably giving you a false sense of security.
>Who's making the unwarranted assumption here?
I'm making no assumption there.
>You know nothing about my systems or about what I know or can detect about them.
You have no way of knowing what you cannot detect or have not detected.
>The thing about undetected intrusion, of course, is that by definition, you never know if one has happened. However, if you know your systems well, and you know how to protect them, you can be pretty sure of raising the bar of the skill level that would be required for an undetected intrusion. You raise that bar high enough, and the question becomes whether or not it's worth the effort for the would-be intruder.
Again, your assumption is unwarranted, and probably giving you a false sense of security. You have no way of knowing how high you've raised the bar relative to potential attackers, or even if you've raised the bar at all. All you can do is be as thorough as you can, *hope* it's enough, and keep checking that hope in different ways.
>... Have I ever had a system compromised? Once, many years ago, via a then-recently discovered vulnerability in FTP server software on a system I was managing. Undetected? Only briefly ...
Again, your assumption is unwarranted, and probably giving you a false sense of security. You have no way of knowing if you were compromised or not. All you can say is that you don't know you were compromised.
>> It's hard if not impossible to encrypt *all* traffic end-to-end.
>Not *all* traffic contains sensitive data. Do I really care if you can sniff my Google searches and their results? Protect what's worth protecting.
Putting aside the fact that you've just backed away from your sweeping claim, Google searches *can* be worth protecting. Should (say) a prospective employer or insurer get wind of the fact that you're repeatedly searching for cancer treatments, there might well be negative consequences. Again, your assumption is unwarranted, and probably giving you a false sense of security.
>Does WPA on a single network link do all that much to protect your username and password if you use POP or IMAP to read mail? I suppose it does if your only concern is protecting your credentials from the neighborhood teens. I prefer to avoid unencrypted protocols like POP or IMAP. If you use "secure POP" (POP/TLS) or "secure IMAP", it wouldn't matter if WPA wasn't available.
Another straw man argument: What WPA protects is *all* wireless traffic, not just *some* wireless traffic.
>> But then even with end-to-end encryption you are still vulnerable to compromise of and at the other end, which is a far more likely risk.
>It isn't "end-to-end" if it isn't "application-to-application".
You missed the point. Read what I wrote more carefully.
>WPA, as you know, won't protect your data at the other end. If the risk is far more likely, what protection does WPA offer?
None for that risk. What WPA does (as I'm sure you know) is protect against the much higher risk of wireless snooping.
>... Businesses "believe" their data is "secure" because they've deployed a "firewall". How is that different than individuals believe their personal computers are "secure" because they've enabled WPA on their wireless access points?
They hopefully just believe their *wireless* is secure, which is true.
>> One of a great many cases in point:
>> "This week also saw the personal information of almost 1,000 bank customers lost by an employee of Bank of Ireland, after the data was copied onto an unencrypted USB memory stick."
>I bet they had HTTPS for authenticated access to their web servers, and WPA-protected wireless local networks, though. They took the steps recommended to them by computer security "experts", yet still failed to protect their sensitive data. Thank you for helping make my point. :-)
Doesn't prove your point, but you are of course free to think and claim whatever you want.
>> Sure, but I think you're worrying about the wrong problem.
>No, I'm worrying about understanding what it is I'm protecting, where, from what or whom, and why. ...
I think we'll just have to agree to disagree.
>> ... I need real evidence that snooping of traffic over the wired Internet is a *significant* (not just theoretical) risk, especially as compared to other risks.
>Wait a minute ... The points that you disagree with above, and for which I explained a simple means by which you can observe them in action ("evidence") are the following:
Nope. Still waiting for your evidence.
>Now you want evidence that *wired* connections are vulnerable to snooping.
Assuming you're not deliberately resorting to straw man arguments, read what I wrote more carefully.
> I translated it as, he doesn't feel it's worthwhile to secure *HIS* wireless network, not *A* wireless network. Pretty big difference,
Come now. The man, allegedly a security expert, allegedly writes an article dissing wireless security, and ends up saying he doesn't see the point in securing his network, given what he's said above. What conclusion would the innocent draw from that?
John Navas wrote:
> Sylvain Robitaille wrote
>>Now you want evidence that *wired* connections are vulnerable to snooping.
> Still waiting for your evidence.
Are you really that sanguine concerning well-documented and likely but undocumented domestic surveillance?
John Navas wrote:
> * True story of network collision problem:
(snip story which boils down to 'uniquely identify your network so you /know/ you're connecting to it'.)
> That wouldn't have happened, of course, if the Geek Squad had configured a unique SSID in the first place, any sort of wireless security, or otherwise had any real clue about wireless networking. (Likewise the neighbor.)
Absolutely agree.
> Before installing a wireless network for another client I did a site survey (my normal practice), and found a strong signal on channel 1 and another strong signal on channel 9 (go figure), leaving me with no clear channel to use. The "easy" solution, of course, would be to persuade the neighbor on channel 9 to switch to either channel 6 or channel 11. Actually not so easy since the default SSID gave no clue as to who was running that wireless network. Worse, my client was in a multi-unit complex that left us with quite a few possibilities, which meant knocking on a lot of doors, which had to wait until evening. It would have been much faster and easier if the SSID identified the network operator.
What wireless needs is a way to say "who the heck are you?" and for end-users to be able to configure a response. Oh, wait, snmp... :-)
>On Tue, 02 Dec 2008 17:46:55 -0600, msg <msg@_cybertheque.org_> wrote in <l6-dnVFvGrBHVajUnZ2dnUVZ_gCdn...@posted.cpinternet>:
>>John Navas wrote:
>>> Sylvain Robitaille wrote
>>>>Now you want evidence that *wired* connections are vulnerable to snooping.
>>> Still waiting for your evidence.
>>Are you really that sanguine concerning well-documented and likely but undocumented domestic surveillance?
>Only a very small fraction of Internet traffic is screened by the government, and while I strongly object to the practice, I have nothing directly to fear from it.
On Tue, 02 Dec 2008 23:18:35 +0000, Mark McIntyre <markmcint...@TROUSERSspamcop.net> wrote in <fnjZk.175743$ZM7.68...@en-nntp-08.am2.easynews.com>:
>John Navas wrote:
>> Before installing a wireless network for another client I did a site survey (my normal practice), and found a strong signal on channel 1 and another strong signal on channel 9 (go figure), leaving me with no clear channel to use. The "easy" solution, of course, would be to persuade the neighbor on channel 9 to switch to either channel 6 or channel 11. Actually not so easy since the default SSID gave no clue as to who was running that wireless network. Worse, my client was in a multi-unit complex that left us with quite a few possibilities, which meant knocking on a lot of doors, which had to wait until evening. It would have been much faster and easier if the SSID identified the network operator.
>What wireless needs is a way to say "who the heck are you?" and for end-users to be able to configure a response. Oh, wait, snmp... :-)
Oh, wait, SNMP won't work when you can't connect to the network. Or when the user isn't running suitable software and paying attention. ("What a router log?")
John Navas wrote:
>>> I respectfully disagree. Snooping of wireless traffic is orders of magnitude more likely than snooping of wired traffic, and the really serious threats aren't hard things like snooping of wired Internet traffic -- they are relatively easy things like website compromise, cross-site scripting attacks, and the like.
>> Ummmm.... and WPA on the local wireless link protects against these?
> Straw man argument: I didn't say or even suggest that.
The discussion at hand is about Bruce Schneier's article regarding his unsecured wireless network, with most participants agreeing that such a configuration is generally unadvisable. Perhaps you missed that part. We seem to be disagreeing on the details of *how* the secured network is beneficial, leading to the discussion above where you stray further from the main point of discussion. Your response to an attempt to maintain the focus of the discussion, apparently is to declare "straw-man", presumably so you can continue adding more tangential points to the discussion. Ok.
>>How? I think you're drifting off the point.
> I was rebutting *your* claims.
My "claims" were that a WPA secured wireless network does not protect (potentially sensitive) data in transit beyond the wireless link, therefore that data is better protected by other means (such as end-to-end encryption of the data). Which part of the above is a rebuttal to that claim?
> You have no way of knowing if you were compromised or not.
Oh no. That's definitely not true. I can tell you with certainty that a compromise happened if I find one. If I *don't* find a compromise, however, all I can tell you (with certainty) is that I've not found one.
> Putting aside the fact that you've just backed away from your sweeping claim, ...
I don't recall making a "sweeping claim". Care to remind me?
>> Does WPA on a single network link do all that much to protect your username and password if you use POP or IMAP to read mail? ...
> Another straw man argument: What WPA protects is *all* wireless traffic, not just *some* wireless traffic.
Yes it encrypts all the traffic on that one link. *All* the traffic then (usually) travels on wired networks to its destination. The question stands.
> ... What WPA does ... is protect against the much higher risk of
> wireless snooping.
WPA protects the access to the wireless network. Those are the "P" and the "A" in WPA. I'll leave it to you to sort out the "W". One can't "snoop" a network that one cannot access, but that's only part of the equation.
>> ... Businesses "believe" their data is "secure" because they've
>> deployed a "firewall". How is that different than individuals
>> believe their personal computers are "secure" because they've enabled
>> WPA on their wireless access points?
> They hopefully just believe their *wireless* is secure, which is true.
Yes, hopefully, but that's not what I've been reading in this thread ...
I've been reading about "protecting computers from attack" by securing access to the wireless network. I've been reading how protecting the wireless link with WPA is easier than end-to-end encrypting data in transit, so that's the security that must be in place. I've been reading that sensitive data won't be intercepted if it's encrypted over a single wireless link (with no mention of protecting that data beyond the wireless link).
> I think we'll just have to agree to disagree.
Yes, on that we can agree.
>> Wait a minute ... The points that you disagree with above, and for
>> which I explained a simple means by which you can observe them in
>> action ("evidence") are the following:
> Nope. Still waiting for your evidence.
Well, then your disagreement was placed within the wrong context, and the evidence you seek isn't clear.
> Like Jeff I'm getting tired of this increasingly pointless debate, so
> I'm going to give you the last word and be done with it.
Systems analyst / AITS
Concordia University
Faculty of Engineering and Computer Science
Montreal, Quebec, Canada
----------------------------------------------------------------------
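The POP/IMAP question raised in the post above (what WPA on one link does for a mail password once the traffic leaves the access point) is easy to make concrete. The script below is an added example, not code from anyone in this thread: it takes the client-to-server half of a reassembled TCP session, the way a sniffer on the wired side of the AP would see it after WPA has been stripped, and pulls out POP3 USER/PASS, IMAP LOGIN and IMAP AUTHENTICATE PLAIN credentials. Scanning stops at STLS/STARTTLS, because from that point the wire carries ciphertext and there is nothing to read. The four sample sessions are constructed for the example; the script does no pcap parsing and does not decode challenge-response schemes such as APOP or CRAM-MD5.

```python
"""Cleartext mail-credential detector for the client half of a TCP session.

Added example for this thread, not original content. Input is the
reassembled client->server payload of one POP3 or IMAP session; output is
every credential an on-path observer beyond the WPA link could read.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    session: str
    proto: str
    user: str
    password: str


# Client command shapes: RFC 1939 (POP3), RFC 3501 (IMAP), RFC 4616 (SASL PLAIN).
POP3_USER = re.compile(r'^USER\s+(\S+)\s*$', re.I)
POP3_PASS = re.compile(r'^PASS\s+(.+?)\s*$', re.I)
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)\s*$', re.I)
IMAP_AUTH_PLAIN = re.compile(r'^\S+\s+AUTHENTICATE\s+PLAIN(?:\s+(\S+))?\s*$', re.I)
TLS_UPGRADE = re.compile(r'^(?:\S+\s+)?(?:STLS|STARTTLS)\s*$', re.I)


def _unquote(token):
    """IMAP allows quoted strings for user and password; strip the quotes."""
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == '"' else token


def _decode_plain(blob):
    """SASL PLAIN is base64(authzid NUL authcid NUL passwd). Returns (user, pw) or None."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def extract_credentials(session, client_payload):
    """Scan CRLF-delimited client bytes; stop at STLS/STARTTLS (ciphertext follows)."""
    findings = []
    pending_user = None    # POP3 USER seen, waiting for PASS
    expect_plain = False   # IMAP AUTHENTICATE PLAIN seen, blob comes on the next line
    for raw in client_payload.split(b"\r\n"):
        line = raw.decode("utf-8", "replace").strip()
        if not line:
            continue
        if expect_plain:
            expect_plain = False
            creds = _decode_plain(line)
            if creds:
                findings.append(Finding(session, "imap", *creds))
            continue
        if TLS_UPGRADE.match(line):
            break
        if m := POP3_USER.match(line):
            pending_user = m.group(1)
        elif (m := POP3_PASS.match(line)) and pending_user is not None:
            findings.append(Finding(session, "pop3", pending_user, m.group(1)))
            pending_user = None
        elif m := IMAP_LOGIN.match(line):
            findings.append(Finding(session, "imap", _unquote(m.group(1)), _unquote(m.group(2))))
        elif m := IMAP_AUTH_PLAIN.match(line):
            if m.group(1):                      # SASL-IR: blob on the same line
                creds = _decode_plain(m.group(1))
                if creds:
                    findings.append(Finding(session, "imap", *creds))
            else:
                expect_plain = True
    return findings


# Constructed sample sessions (not captured traffic).
SAMPLE_SESSIONS = {
    "pop3-clear": b"USER alice\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n",
    "imap-login": b'a001 CAPABILITY\r\na002 LOGIN "bob@example.net" "pa ss"\r\na003 LOGOUT\r\n',
    # AUTHENTICATE PLAIN only base64-encodes the password; it is still cleartext.
    "imap-auth-plain": b"a001 AUTHENTICATE PLAIN\r\n"
                       + base64.b64encode(b"\0carol\0s3cret") + b"\r\na002 LOGOUT\r\n",
    # After STLS the client authenticates inside TLS; the sniffer sees nothing usable.
    "pop3-stls": b"CAPA\r\nSTLS\r\n",
}


def scan_all(sessions=SAMPLE_SESSIONS):
    out = []
    for name, payload in sessions.items():
        out.extend(extract_credentials(name, payload))
    return out


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.session}: {f.proto} user={f.user!r} password={f.password!r}")
```

Three of the four constructed sessions give up a password; the STLS session gives up nothing, which is the whole argument for end-to-end (or at least client-to-server) encryption independent of whatever the wireless link is doing.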
John Navas wrote:
> On Tue, 02 Dec 2008 23:18:35 +0000, Mark McIntyre
>> What wireless needs is a way to say "who the heck are you?" and for
>> end-users to be able to configure a response. Oh, wait, snmp... :-)
> Oh, wait, SNMP won't work when you can't connect to the network.
Indeed. I didn't say it was a fully formed solution, I was merely pointing out that technologies exist to do this properly.
> Or when the user isn't running suitable software and paying attention.
> ("What a router log?")
Indeed - however if router makers were clueful, their "setup" CD could solve this problem by asking for the relevant info.
> My suggestion is much simpler and more practical.
Sure - it's a hack though. A proper solution shouldn't rely on misusing an identifier field that isn't really long enough and which is freeform text. Professionally I encounter this all the time: 'there's nowhere to put the UK post-code and the US Zip field is sanity checked so let's use the "alternate email" field instead'. Terrific - until someone needs two email addys... :-)
On Wed, 03 Dec 2008 23:00:40 +0000, Mark McIntyre <markmcint...@TROUSERSspamcop.net> wrote in <scEZk.151182$c47.131...@en-nntp-06.am2.easynews.com>:
>John Navas wrote:
>> On Tue, 02 Dec 2008 23:18:35 +0000, Mark McIntyre
>>> What wireless needs is a way to say "who the heck are you?" and for
>>> end-users to be able to configure a response. Oh, wait, snmp... :-)
>> Oh, wait, SNMP won't work when you can't connect to the network.
>Indeed. I didn't say it was a fully formed solution, I was merely
>pointing out that technologies exist to do this properly.
Except they don't. What's needed is something that can work *without* a working connection. Like identification in the SSID. Fully formed. Works well. Makes sense. Just too low tech for you? ;)
>> Or when the user isn't running suitable software and paying attention.
>> ("What a router log?")
>Indeed - however if router makers were clueful, their "setup" CD could
>solve this problem by asking for the relevant info.
Some wireless routers do at least now setup reasonable security, but I doubt that any manufacturers will see sufficient payback in your suggestion -- after all, the security issue only got addressed when the problem got to be overwhelming.
>> My suggestion is much simpler and more practical.
>Sure - it's a hack though.
Like many good solutions. :) But not really -- SSID is actually an "ID" string.
>A proper solution shouldn't rely on misusing
>an identifier field
There's no misuse. SSID is actually an "ID" string.
>that isn't really long enough
64 characters gets the job done for me. What would you have to say that needs more than that?
>and which is freeform
>text.
[shrug]
>Professionally I encounter this all the time: 'there's nowhere to
>put the UK post-code and the US Zip field is sanity checked so let's use
>the "alternate email" field instead'. Terrific - until someone needs two
>email addys... :-)
John Navas wrote:
> On Wed, 03 Dec 2008 23:00:40 +0000, Mark McIntyre
> <markmcint...@TROUSERSspamcop.net> wrote in
> <scEZk.151182$c47.131...@en-nntp-06.am2.easynews.com>:
>> John Navas wrote:
>>> On Tue, 02 Dec 2008 23:18:35 +0000, Mark McIntyre
>>>> What wireless needs is a way to say "who the heck are you?" and for
>>>> end-users to be able to configure a response. Oh, wait, snmp... :-)
>>> Oh, wait, SNMP won't work when you can't connect to the network.
>> Indeed. I didn't say it was a fully formed solution, I was merely
>> pointing out that technologies exist to do this properly.
> Except they don't.
You just can't resist, can you. I've already agreed that SNMP isn't a full solution, how about just stopping being so superior?
> What's needed is something that can work *without* a
> working connection. Like identification in the SSID. Fully formed.
> Works well. Makes sense. Just too low tech for you? ;)
You just can't resist being offensive can you?
> Installed a wireless network last week with the SSID containing name,
> street address and phone number. Seems sufficient to me, but as always,
> YMMV.
>John Navas wrote:
>> On Wed, 03 Dec 2008 23:00:40 +0000, Mark McIntyre
>> <markmcint...@TROUSERSspamcop.net> wrote in
>> <scEZk.151182$c47.131...@en-nntp-06.am2.easynews.com>:
>>> John Navas wrote:
>>>> On Tue, 02 Dec 2008 23:18:35 +0000, Mark McIntyre
>>>>> What wireless needs is a way to say "who the heck are you?" and for
>>>>> end-users to be able to configure a response. Oh, wait, snmp... :-)
>>>> Oh, wait, SNMP won't work when you can't connect to the network.
>>> Indeed. I didn't say it was a fully formed solution, I was merely
>>> pointing out that technologies exist to do this properly.
>> Except they don't.
>You just can't resist, can you.
When you blow smoke I can't.
>I've already agreed that SNMP isn't a
>full solution, how about just stopping being so superior?
It's not any sort of solution, since it presupposes a connection that's the whole point of the issue.
>> What's needed is something that can work *without* a
>> working connection. Like identification in the SSID. Fully formed.
>> Works well. Makes sense. Just too low tech for you? ;)
>You just can't resist being offensive can you?
Just a funny dig, but you apparently have a very thin skin. In other words, you can dish it out, but you can't take it.
>> Installed a wireless network last week with the SSID containing name,
>> street address and phone number. Seems sufficient to me, but as always,
>> YMMV.
>We've been over this ground. I'm not interested.
Why am I not surprised.
--
Best regards,
John Navas <http:/navasgroup.com>
"A little learning is a dangerous thing." [Alexander Pope]
"It is better to sit in silence and appear ignorant, than to open your mouth and remove all doubt." [Mark Twain]
"Being ignorant is not so much a shame, as being unwilling to learn." [Benjamin Franklin]