RE: Wireless ISPs

[amilabs <amilabs () optonline net>]

I have been researchign the wisp industry and I am planning to start one
also. I assure you that most use some form of authentiction and enctyption.
I would be very bad business to leave it open not only for hacking and dos,
but also for users gaining free access. Most WISP gear supports wep and aaa
type systems. 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of D B
Sent: Tuesday, May 11, 2004 3:47 PM
To: Mister Coffee
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Wireless ISPs

Hi Mr Coffee

Im using this venue to influence several wireless ISPs to use WEP

They claim the internet is insecure anyway so they wont use it.

I do understand the implications but yes wireless is totally legal to
eavesdrop.

The bottom 6 channels run on HAM frequencies and that is specifically
mentioned as legal to eavesdrop.

Tis a big can of worms this wireless garbage, I'm just using whatever I can
to motivate ISPs ( especially the local one ) to encrypt data.

Thank you for your reply

Dan Becker

--- Mister Coffee <live4java () stormcenter net> wrote:
> On Tue, May 11, 2004 at 11:33:25AM -0700, D B wrote:
> > I'm not real sure how to post this, nor am I sure
> of
> > the scope. I am still learning about computers.
> Ok, no worries.  We all start somewhere, right?
>
> > All transactions done via secure websites are
> secure,
> > however the auto mailing feature to confirm orders sometimes 
> > contains sensitive data.
> All transactions done via secure websites are _supposed_ to be secure, 
> but the fact is that information leakage, poor configurations, MitM 
> attacks, and user error, amungst other issues, can render a supposedly 
> secure site insecure.
>
> You are right though.  Too many sites will send TMI back in a 
> confirmation email.
>
> > When the customer
> > is on a wireless connection, be it ISP or home LAN that data is 
> > broadcasted in the clear for anyone within range to eavesdrop.
> Not always.  The wireless link itself may be encrypted between the AP 
> and the user's portable device - with various levels of security.  
> Also, if they are using a secure website, the SSL traffic is encrypted 
> separately from the transport medium.
> That is an end-point to end-point system, so even sniffing "clear" 
> wirelss traffic will only gain the attacker cyphertext.
>
> > A wired internet connection
> > limits the number of people who have access to
> this
> > data simply by the nature of the internet putting
> it
> > within acceptable risk.
> Define acceptable risk?  A wired connection is inherently more secure 
> than a wireless connection, but there are going to be points where the 
> traffic can be compromised as long as the traffic is going over the 
> public internet.  Both wired and wireless suffer from that.  The 
> wireless is only inherently less secure because of the broadcast 
> element somewhere in the data path.  That makes the traffic easier to 
> eavesdrop on, but it's not extraordinarly difficult to eavesdrop on 
> wired traffic either.
>
> > It is legal according to US law to eavesdrop on wireless 
> > connections.
> The safe answer is "No."  The real answer _may_ be more complex 
> depending on your circumstances.  For example if there's an open AP 
> that's not WEP enabled, the users would have no reasonable expectation 
> of privacy.  However, if it came down to how a US Court would see it, 
> the safe answer is usually "no."
>
> This is similar to overhearing conversations on portable phones.  
> You're not supposed to listen in, but if you and another user are 
> sharing the freq, it would be hard to charge either side with 
> eavesdropping.  This is NOT the same thing as pointing a high gain 
> 900Mhz antenna at the neighbor's house with the intent to listen in.
>
> Intent does matter in the eyes of the law.
>  
> >
http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
> > The only solutions I can offer are one of two
> things. 
> > 1. Quit sending auto confirmations with sensitive
> data
> >
> Agreed.
>  
> > 2. Encrypt all wireless transmissions at least
> making
> > someone who gains access to this data
> prosecutable. 
> >
> Encryption is a good idea in any case.  But it only changes slightly 
> what a malicious user could be charged with.  If someone steals your 
> credit card information and uses it, they are guilty of a crime 
> whether they grabbed it from a cleartext email, sniffed it off the 
> wire, or stole a carbon copy receipt.
>
> Simply having the data isn't really criminal.  EG. 
> You print out an email that has that information and leave it by the 
> fax machine for some reason.  If I pick up the paper to use as scratch 
> paper or something, I haven't done anything immoral, unethical, or 
> illegal - but I DO have your data.
>  
> > Please direct all flames to /dev/null
> No flames.  Not even warm, really...
>
> > Dan Becker
> Cheers,
> L4J



        
                
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs
http://hotjobs.sweepstakes.yahoo.com/careermakeover 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html