RE: Wlan @ bestbuy is cleartext?

[Ron DuFresne <dufresne () winternet com>]

On Fri, 3 May 2002, Matthew Leeds wrote:

> It turns out that Best Buy has confirmed the possibility of a risk:
>
> > Laurie Bauer, a Best Buy spokeswoman, said security officials ``were aware of the possibility'' and decided to 
> > suspend the wireless registers after the posting. She confirmed that credit card numbers were among the data 
> > potentially sent through the wireless system.
>
> See the full story, an AP wire item picked up nationally at:
>
> http://wire.ap.org/APnews/main.html?PACKAGEID=BIZwireless&SLUG=WIRELESS-INSECURITY
>
> This may be the first public confirmation of a possible risk presented by a non-anon person. Doesn't excuse the 
> earlier press coverage which lacked such a confirmation. My issue is with the press handling of this and many other 
> earlier 'security' stories.

I can understand your concern, and I have not really followed the press
stories on the issue.  But, if this is a real problem, then contacting
those that wrote up the stories would be the way to go.  I guess the
reporters in question must not have contacted anyy security related
persons directly for input, this would be a bad thing<TM> for sure, but
very common place, afterall, these folks are not techies.  Of course, we
see this in other areas all the time, like in government.  But, I think
the primary concern of most here, and which should be the concern of
consumers, is the issue of poor judgement and managemnt decisions that
resulted in these toys being deployed in such a deplorably insecure
fashion.

I'm shocked that corporate and governement managers can cry out how the
industry lacks professionals with the skills to properly determine such
deployments, while thousands of those persons with such skills are
jobless.  I think it does a disservice to the info-sec community to have
people tasked as 'security' aware administrators constantly doing thes
rollouts and constantly turning to the term VPN as a way to expand their
security perimiter and policy compliance outwards from the corporate
boundries to the homes of endusers and their cars on the road without a
full understanding of what they are doing to the defensive perimiters and
security policies they are trusted to maintain.  These are some of the
issues that concern me, as they focus upon my profession and personal
standards.  Afterall, I'm not a news reporter...

Thanks,

Ron DuFresne

> ---Matthew
> *********** REPLY SEPARATOR  ***********
>
> On 5/3/2002 at 12:05 AM Ron DuFresne wrote:
>
> > I  suspect there must have been something to the claims made.  Otherwise
> > we might well have seen Best Buy defend their secuirty integrity with
> > wireless, and not just close down the toys <smile>.
> >
> > Thanks,
> >
> > Ron DuFresne
> >
> > On Thu, 2 May 2002, Matthew Leeds wrote:
> >
> > > Unless I've missed it, I've yet to see anyone positively confirm that
> > credit card numbers or other data is flying around in the clear on these
> > networks. I've been amazed (and disappointed) to see press coverage that
> > appears to be little more than hearsay. Has there been independent
> > confirmation of credit cards numbers in the clear done by any member of
> > the press, or done by any individual or organization acting as a source to
> > the press with a methodology that allows for independent confirmation
> > (packet captures)?
> > > ---Matthew
> > >
> > > *********** REPLY SEPARATOR  ***********
> > >
> > > On 5/2/2002 at 1:01 PM OBrien, Brennan wrote:
> > >
> > > > Just so I'm clear... I know I remember the discussion of "security by
> > > > obscurity" going the way of the dodo bird, but when did we decide
> > > > "security through humiliation" was a good technique??
> > > >
> > > > From the Best Buy response below, it sure looks like they made an honest
> > > > mistake in their practices -- SOMETHING EVERY ONE OF US HAS DONE IN THE
> > > > PAST.  So, now we're going to raise fear, uncertainty and doubt in the
> > > > (already a little flighty) buying public which could scare away more
> > > > consumers and really hurt these guys.  Is this issue fact? Yes.  Does
> > the
> > > > public at large get it?  Nope, not really.
> > > >
> > > > Funny thing about guns... When you pull the trigger, you not only need
> > to
> > > > know what you're hitting, but what's beyond it in case the bullet goes
> > all
> > > > the way through..
> > > >
> > > > Sarah, it was really cool of you to send them your note.  Good job.
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > "Cutting the space budget really restores my faith in humanity.  It
> > eliminates dreams, goals, and ideals and lets us get straight to the
> > business of hate, debauchery, and self-annihilation." -- Johnny Hart
> >     ***testing, only testing, and damn good at it too!***
> >
> > OK, so you're a Ph.D.  Just don't touch anything.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.