Security Basics mailing list archives

Re: About War Driving ..


From: FatalSaint <admin () linuxniche com>
Date: Wed, 06 Dec 2006 19:21:38 -0700

Ansgar -59cobalt- Wiechers wrote:

This is really becoming a discussion far beyond what is necessary here. I just wanted to tap a few points and then I'll back off. You and I have a different idea of how to implement security and that's fine.
> Then you simply failed to understand my objections.

Your first email consisted mostly of "Pointless." Over and over. How is one to understand that without a more detailed explanation? It looks more like an attack than constructive criticism. Andrew Aris had a similar idea as you, but his presentation was better, IMHO.

*thousand passphrases per second*
With computers today it's actually quite a bit more, though I don't have specific numbers (especially if you can run a cluster or multiple SMPs).

However, the point of your argument is still sound that it requires time to do. The bigger and better machinery you have, the less time is required.
> If you wanted to protect your information from the government you'd use
> a VPN and still not use on MAC address filtering.

Well.. I would personally. Especially when discussing a VPN connection and not wireless that is broadcast.. but that goes off subject.
*Ummm... you *do* realize that the WPA passphrase is something you store*
Yes. Thanks. That was more a blanket explanation of passwords in general - like the other ideas of implementing a proxy would also be susceptible to this.

> It seems that you don't understand what the SSID's purpose is....

In order to connect a user needs to have the SSID. I didn't mean his network will appear "invisible" .. it will just show a wireless signal with no name. A program like Kismet -will- detect a hidden SSID if there is enough traffic - sure. But when I was reading up on this I remember seeing some wireless sniffers wouldn't. So.. depends on the quality of tool being used by the attacker. Why give them the benefit of the doubt - when all this requires is ticking a radio button?
> Stop being an idiot and at least try to understand what
> I'm writing.

Again.. wasn't much to understand. You said everything was pointless and then said why implement something -after- the attacker got on, when the idea is to prevent him. I was simply stating security can't afford tunnel vision. I was just a little more upset when writing it - as I expected more from fellow administrators.
> Limiting bandwidth does not stop the attacker from doing Bad Things(tm),
> not to mention that it doesn't depend in any way on "static routing". Do
> you even understand what routing is?

This is why I used the word "and".. not a / or "otherwise known as". They are different approaches - I just happened to include them in the same paragraph.
> There. Are. No. Breadcrumbs.

You're still giving your attacker the benefit of the doubt and just not trying. At the least the admin should attempt. It could very well be an inside user using their own laptop (not corporate) - having no idea how to crack WEP or spoof anything. Or it could be someone who knows how to crack WEP and set their IP using Red Hat's cutesy GUI, having no knowledge of ifconfig or the HW option. Etc... these people -do- exist. I've met them. There are still people who think spoofing the MAC is a difficult endeavor. I don't know how in Windows, personally, but in Linux it's a simple matter of 1 command - but you can't assume *everyone* knows that command.

At least try - why tell the guy he's doomed?
> It's already clear *where* the system is vulnerable: the use of WEP.

Again that was a blanket statement. I personally would argue there are more vulnerabilities here than *just* the use of WEP.. but at this point it's irrelevant.
> More layers also mean increased complexity, thus making the network
> (and its security) harder to maintain. Which, in consequence, can
> *reduce* the network's security.

Only if you're untrained/uneducated in what you are implementing.. or just afraid of a little work. Any security measure implemented incorrectly can be a security flaw. Even your almighty WPA if the passphrase is just "aaaaaaaa".
> Bottom line: your suggestions are either ineffective or don't address
> the OP's original problem. Which is what I was objecting to.

Not the way it sounded to me. And why -just- tell him the one thing when you can offer suggestions on damage mitigation as well? It's simply called 'helping'. If he doesn't understand what you're talking about he'll either research it more to do it right - or ignore and determine it to be not what he needs. This also applies to you saying "without telling him *in which way* to do this segmentation." That requires more knowledge of his LAN than I have - thus I simply offered it as an idea. It's up to him to look it up if he cares.
> True, but goes far beyond the OP's question, and also far beyond what
> can be covered in a single mail on this list.

I actually agree with you here. Far too much for an email discussion.
> Why even bother about additional measures that don't
> add any significant amount of security, but do require (significant)
> additional maintenance? It's - as I said before - pointless.

Firstly, enabling those items doesn't require a 'significant' amount of work. Secondly - why stop building your security diagram once you've done just one item? Anyway.. I don't foresee us getting anywhere with this. This was much longer than I had expected it to be. We're probably just going to have to agree to disagree on these topics. Fact is, enabling these things isn't going to hurt your net - and I'll continue to use them on mine as I don't mind the extra work. If you choose not to that's your call. Hell, I enabled all of this and still require an SSH tunnel across my wireless network to even hit the internet from my house.. so *shrug*. My wife adapted.. so can users.

Very Respectfully,
Layne N. Fink
