Full Disclosure mailing list archives

Re: Wireless ISPs


From: Mister Coffee <live4java () stormcenter net>
Date: Wed, 12 May 2004 09:27:41 -0700

On Tue, May 11, 2004 at 10:27:09PM -0700, D B wrote:
> erm
>
> merchant = https order from and there to a secure mail
> server and from there to the ISPs insecure ...oops
> there goes all that SSL

Dan, as a couple of people (myself included) have pointed out, you're dealing with two separate issues here.  Three, 
actually.

First: Secure transactions through a web interface 
Second: Cleartext replies to said transactions including sensitive data.
Third: Inherent insecurity on the Wireless leg of these transactions.

> and no I don't know for sure if the merchant had secure
> mail .. point being there it wouldn't matter if the ISP
> secured their email or wireless transmissions

Using "secure email" (SSL, etc., to connect to your mail server) only helps on that link.  While it will protect your 
login information, it won't protect the leakage of sensitive information you mentioned in your first post.  The only 
way to protect that would be to encrypt the email body or, vastly better, have clueful merchants who don't send 
sensitive information back in the receipt.

Most don't.  Even most printed receipts don't include all the numbers of your credit card any more - but some still do. 
 Few, but a number >1.
 
> and I'll be damned if I prove I have someone's credit
> card # this way .. in fact I deny even knowing this is
> possible

I don't think that's an issue here, Dan.  But it's like the Fax example I mentioned in the first round.  There are 
legitimate ways to accidentally acquire sensitive information - grabbing a piece of scratch paper from the "toss it" 
stack at the fax machine that just happens to have someone's credit card number on it.
 
> this is all hypothetical
>
> cept the part about the ISP not using any form of
> encryption anywhere

Most ISP's are operating on such thin margins that implementing wireless encryption is too painful for them.  I will 
note that a lot of ISP's offer secure connections to their email servers, and all a user has to do is enable it in their 
client.

That they don't reflects the fact that most users have the ID 10T flag set.
 


> > How about we hold the person responsible that
> > initially creates the problem and not hand it off
> > to someone who you already seem to have a
> > vendetta against.
>
> vendetta ?
>
> k
>
> that's it ...everyone pack up and go home
>
> security is now a vendetta

I think the thread's grown long and convoluted enough that people are only seeing parts of it.  Your original desire to 
make the local wireless ISP aware of the holes in their system has been lost.


> quit being retarded
>
> this is a full blown ISP I tried to convince to use
> any form of encryption including TLS / SSL email (the
> admin thinks simply using kismet is hacking) ... I
> was ignored (they do offer webhosting & mail services
> along with DSL & dialup.. they also support many
> local businesses)

A noble effort, but probably a lost cause.  Either they're unaware of the risks, and seemingly don't want to become 
aware of them, or they have chosen to accept them.  In either case, it's not something you'll be able to force.  As 
long as the majority of their customers are happy, and they're running in the black, they'll stick with business as 
usual.
 
> http://www.effingham.net check them out....free
> internet at the intersection of I-57 and I-70 in IL


> when I posted the fact there was no protection for
> users publicly (on my own discussion board) the ISP
> (wireless) accused me of harassment to my ISP (I
> hate talking to lawyers)

Sounds like a typical Fear reaction on their part, but I can't really comment since I haven't seen the thread.  Of 
course, having to protect 1st amendment rights against this kind of thing isn't something we want to go into here.
 
> I have now harvested several hundred client email
> addresses to whom I will be sending copies of their
> own email (nothing else works so I suppose the direct
> approach should be tried)

That would be a Bad Thing (tm).  There is an anecdotal story about an employee at a medium/small company who'd been 
trying to make management aware of holes in their email system to no avail.  Eventually, he did essentially what you 
propose and was -arrested- for it.

It will certainly make people aware of the problem, yes.  But do you want to deal with the legal issues you'll bring 
down on your head?
 
> perhaps that will create some awareness by DISCLOSING
> the facts to end users about the company trying to
> hide the fact their data is so easy to obtain

That's what public forums are for.
 
> are u aware of the definition of disclosure or are u a
> posing geek who likes to use big buzzwords and
> bullshit their way into something ?

Easy, Dan.  I've been following this thread since you first posted it and I'm surprised by the large number of replies. 
 There's a lot of information in these posts.  Some more relevant than others.  But the point is you've got people 
talking, and you can probably find some sort of resolution to your problem here.

Or at least the realization that the ISP in question probably doesn't care.
 
> Dan Becker


Cheers,
L4J

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
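The message above makes the point that SSL on the POP/SMTP link does nothing for a receipt whose body already carries the full card number; the fix is on the merchant's side, before the mail is handed to any ISP. The following is an added example, not code from this thread or from any merchant or ISP mentioned in it: a small outbound check that a merchant's order system could run on a receipt before sending it. It finds digit runs that pass the Luhn checksum (so order numbers and phone numbers are not flagged), masks them down to the last four digits, and refuses to send a body that still contains a full PAN. The sample receipt is constructed and uses a well-known test card number; the function and variable names are the example's own.

```python
import re

# Constructed sample receipt, the kind of cleartext reply the thread describes.
# The card number is a standard test PAN, not a real account.
SAMPLE_RECEIPT = """Thank you for your order #10042.
Card: 4111 1111 1111 1111  Exp: 12/09
Shipping to: 123 Main St
Total: $49.95
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum; weeds out most random digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _candidate_digits(match):
    """Strip separators from a regex match; return digits if it looks like a PAN."""
    digits = re.sub(r"[ -]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text):
    """Return every Luhn-valid card number found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _candidate_digits(m)
        if digits is not None:
            found.append(digits)
    return found


def mask_pans(text):
    """Replace each Luhn-valid PAN with asterisks plus its last four digits."""
    def repl(m):
        digits = _candidate_digits(m)
        if digits is None:
            return m.group(0)           # not a card number; leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


def safe_to_send(text):
    """True only if no full card number remains in the outbound body."""
    return not find_pans(text)


if __name__ == "__main__":
    print("leaked PANs:", find_pans(SAMPLE_RECEIPT))
    masked = mask_pans(SAMPLE_RECEIPT)
    print(masked)
    print("safe to send:", safe_to_send(masked))
```

The masked body is what a clueful merchant would hand to the mail server; whether that server then speaks TLS to the customer's ISP is a separate question, exactly as the thread says. A Luhn pass is not proof that a number is a card number, so a production filter would log matches for review rather than silently dropping mail.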

