Full Disclosure mailing list archives
Re: Wireless ISPs
From: D B <geggam692000 () yahoo com>
Date: Tue, 11 May 2004 17:32:23 -0700 (PDT)
Everyone is so busy trying to outgeek the other they are missing the issue. An 8 year old with a laptop who downloads netstumbler could read peoples emails with no difficulty from an ISP who offers no encryption ( god knows that 8 yr old can kick my ass on a video game ) My main issue is preventing the casual observer from stumbling in, similar to locks on a screen door. Not really a security issue to be relied on but does prevent casual entries. Always hate debates with geeks unless they are close enough to break their nose when they start trying to outgeek the next. Dan Becker --- Kurt Seifried <listuser () seifried org> wrote:
Folks. WEP is POINTLESS for public access points. You have to share the password. Let's see locally: Coffee shop #1 has Telus hotspot (local telco), no WEP, SSL gateway redirect, plug your CC in and buy access. Login through SSL encryped web site to access. Not sure how access is enforced (probably MAC address), I haven't bothered to test this yet. Coffee shop #2 has homebrew, the SSID is the name of the place, the password is in a small duotang (labeled "do not remove from bar") and I'm guessing it never changes. You buy $5 (cdn) of whatever, you get to use the wireless inet (or wired, they provide several stations and a conference table). Coffee shop #3 has homebrew, the SSID is posted on the wall upstairs, no password is required (i.e. no WEP). Which is more secure? None of them really. The SSID is public. They either do not use WEP, or they use WEP and any attacker will trivially be able to find the WEP key (hint: buy a cup of coffee and ask). The most secure option is likely the wired access at coffee shop #2. Now a technical person can do something like SSH port forwarding and stuff all their email traffic and web browsing through a secure system on the outside. But someone like my mother is supposed to do what exactly? Have a colocated machine somewhere she can VPN off of, or SSH port forward? Now ideally the coffee shop would provide security from your machine to their gateway, however: WEP is useless. See above. VPN based solutions generally require client software (which isn't always possible, corporate laptops, etc.), and configuration and client account management. A PPTP or IPSec solution would result in a non trivial amount of help required for your average customer. Other wireless encryption protocols may solve this, WAP? Who knows. Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/
__________________________________ Do you Yahoo!? Win a $20,000 Career Makeover at Yahoo! HotJobs http://hotjobs.sweepstakes.yahoo.com/careermakeover _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Wireless ISPs, (continued)
- Re: Wireless ISPs D B (May 11)
- Re: Wireless ISPs Sean Milheim (May 11)
- Re: Wireless ISPs Jeff Workman (May 11)
- Re: Wireless ISPs Maarten (May 11)
- Re: Wireless ISPs Valdis . Kletnieks (May 11)
- Re: Wireless ISPs Ron DuFresne (May 12)
- Re: Wireless ISPs KUIJPERS Jimmy (May 12)
- Re: Wireless ISPs Sean Milheim (May 11)
- Re: Wireless ISPs Frank Knobbe (May 11)
- Re: Wireless ISPs D B (May 11)
- Re: Wireless ISPs Kurt Seifried (May 11)
- Re: Wireless ISPs D B (May 11)
- Re: Wireless ISPs Chris Adams (May 11)
- Re: Wireless ISPs Sean Milheim (May 11)
- Re: Wireless ISPs D B (May 11)
- Re: Wireless ISPs Valdis . Kletnieks (May 11)
- Re: Wireless ISPs Scott Taylor (May 11)
- RE: Wireless ISPs Aditya, ALD [Aditya Lalit Deshmukh] (May 12)
- Re: Wireless ISPs Valdis . Kletnieks (May 12)