RE: Wlan @ bestbuy is cleartext?

["OBrien, Brennan" <BOBrien () columbia com>]

Just so I'm clear... I know I remember the discussion of "security by obscurity" going the way of the dodo bird, but 
when did we decide "security through humiliation" was a good technique??  

> From the Best Buy response below, it sure looks like they made an honest mistake in their practices -- SOMETHING EVERY 
> ONE OF US HAS DONE IN THE PAST.  So, now we're going to raise fear, uncertainty and doubt in the (already a little 
> flighty) buying public which could scare away more consumers and really hurt these guys.  Is this issue fact? Yes.  
> Does the public at large get it?  Nope, not really. 

Funny thing about guns... When you pull the trigger, you not only need to know what you're hitting, but what's beyond 
it in case the bullet goes all the way through.. 

Sarah, it was really cool of you to send them your note.  Good job. 


-----Original Message-----
From: Sarah Kenna Groark [mailto:sarah () procinct com] 
Sent: Thursday, May 02, 2002 9:53 AM
To: 'vuln-dev () securityfocus com '
Subject: Re: Wlan @ bestbuy is cleartext?

> From BestBuy:

> Thank you for contacting Best Buy's corporate headquarters with your
> concerns.  Regarding this issue, Best Buy has deactivated our temporary
> wireless cash registers that transmit information via LAN connections.
> These registers are not Best Buy's main register terminals and represent a
> small percentage of the transactions processed within our stores.  Please be
> assured that customer privacy is of the utmost importance to Best Buy and we
> will further investigate this matter.
>
> We do appreciate your taking the time to share your concerns with us.
>
> Respectfully,
> Alex Reynolds
> Contact Center Escalations 
> Best Buy Enterprise Customer Care

I have no way of assessing their explanation for the limited nature
of their exposure.

// Sarah


"Duffy, Shawn" wrote:
> This was exactly the point I was trying to make in my first email.
>
> -----Original Message-----
> From: Michael Cunningham
> To: H C; vuln-dev () securityfocus com
> Sent: 5/1/02 6:05 PM
> Subject: RE: Wlan @ bestbuy is cleartext?
>
> This information is already going public.
> I have gotten several emails from newspapers
> and online websites (big names to).
>
> The faster it is exposed the less damage people
> with not the best of intentions can do. Realisticaly
> the underground community probably makes up
> half or more of this mailing list.
>
> I personally am going to scan my local stores tonight
> to see if I can detect this problem. I cant trust
> a company with my credit card info who cant even
> setup a 802.11b lan correctly. I will let everyone
> know what I find.
>
> Thanks,
> Mike
>
> > > When you consider that it's names like Wal-Mart and
> > Best
> > > Buy, both large retailers, the benefits of making
> > > this information known
> > > has been a equally weighed against what said
> > > retailer would do to us in
> > > the courts if we made the information public.
> >
> > Thus far on the thread, I'm not aware of anyone asking
> > you to make the information public.
> >
> > However, let me ask you this...since you've now been
> > doing this for 2 yrs, what steps have you taken to
> > address the situation?
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Health - your guide to health and wellness
> > http://health.yahoo.com