lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: frank at knobbe.us (Frank Knobbe)
Subject: Wireless ISPs

On Tue, 2004-05-11 at 16:15, D B wrote:
> The level of knowledge it takes to penetrate a SSL
> style transaction puts it beyond most peoples scope of
> abilities

Agreed. But the blanket statement "secure [ssl implied] websites are
secure" is just not correct.

> [...] and on a switched network odds are if you
> spoof to that MAC  / IP you will confuse the network
> enough to be noticeable

Depending on where on the inside, that may not be true. But I agree that
it is more noticeable. This is a good point to highlight as intrusion
detection capabilities in WiFi clouds are lower (dare I say much lower)
than in wired networks.

> a high gain antenna attached to a laptop / PDA and a
> wireless AP such as an internet provider would mount
> would give access in some cases up to 17 miles away
> with no trace 

Point taken. It's probably easier to get away too :)

> > Maybe, INAL. But it is illegal to commit fraud with
> > the data gathered by
> > eavesdropping.
>
> and someone after credit card #'s is worried about
> legal ?

Sorry, you brought it up.

> point being it is preventable and not being done so
> ... or at least preventable to a level beyond the
> scope of running a program and watching the data flow

Oh, yeah, I agree whole heartedly. And I know what you are trying to do
(having read your response to Mr. Coffee), and I agree and support your
cause. But your statements that wired networks are secure is just not
correct. There is no absolute security. SSL web sites are not secure.
And the people you are trying to convince (wireless ISPs) may respond
with that as well. It's all a matter of what level of risk is accepted.

The difference here is that on wired networks, SSL and such are step to
improve security, not fool proof mind you. Wireless ISPs that do not
encrypt just don't do that, and should be held legally responsible for
negligence. Wireless ISP should encrypt the data just like wired ISPs
put locks and chains on their switching facilities. 

I'm with you. I just don't agree to some of the reasons you gave (or how
you worded them) to justify it. Call me a nit-pick :)

Cheers,
Frank


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040511/b1ceedae/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ