Message-ID: <20040511194644.39700.qmail@web60609.mail.yahoo.com>
From: geggam692000 at yahoo.com (D B)
Subject: Wireless ISPs

Hi Mr Coffee

I'm using this venue to influence several wireless ISPs
to use WEP

They claim the internet is insecure anyway so they
won't use it.

I do understand the implications but yes wireless is
totally legal to eavesdrop.

The bottom 6 channels run on HAM frequencies and that
is specifically mentioned as legal to eavesdrop.

Tis a big can of worms this wireless garbage, I'm just
using whatever I can to motivate ISPs ( especially the
local one ) to encrypt data.

Thank you for your reply

Dan Becker

--- Mister Coffee <live4java@...rmcenter.net> wrote:
> On Tue, May 11, 2004 at 11:33:25AM -0700, D B wrote:
> > I'm not real sure how to post this, nor am I sure of
> > the scope. I am still learning about computers.
> > 
> Ok, no worries.  We all start somewhere, right?
> 
> > 
> > All transactions done via secure websites are secure,
> > however the auto mailing feature to confirm orders
> > sometimes contains sensitive data.
> >
> All transactions done via secure websites are
> _supposed_ to be secure, but the fact is that
> information leakage, poor configurations, MitM
> attacks, and user error, amongst other issues, can
> render a supposedly secure site insecure.
> 
> You are right though.  Too many sites will send TMI
> back in a confirmation email.
> 
> > When the customer
> > is on a wireless connection, be it ISP or home LAN
> > that data is broadcasted in the clear for anyone
> > within range to eavesdrop.
> >
> Not always.  The wireless link itself may be
> encrypted between the AP and the user's portable
> device - with various levels of security.  Also, if
> they are using a secure website, the SSL traffic is
> encrypted separately from the transport medium. 
> That is an end-point to end-point system, so even
> sniffing "clear" wireless traffic will only gain the
> attacker cyphertext.
> 
> > A wired internet connection
> > limits the number of people who have access to this
> > data simply by the nature of the internet putting it
> > within acceptable risk.
> > 
> Define acceptable risk?  A wired connection is
> inherently more secure than a wireless connection,
> but there are going to be points where the traffic
> can be compromised as long as the traffic is going
> over the public internet.  Both wired and wireless
> suffer from that.  The wireless is only inherently
> less secure because of the broadcast element
> somewhere in the data path.  That makes the traffic
> easier to eavesdrop on, but it's not extraordinarily
> difficult to eavesdrop on wired traffic either.
> 
> > It is legal according to US law to eavesdrop on
> > wireless connections. 
> > 
> The safe answer is "No."  The real answer _may_ be
> more complex depending on your circumstances.  For
> example if there's an open AP that's not WEP
> enabled, the users would have no reasonable
> expectation of privacy.  However, if it came down to
> how a US Court would see it, the safe answer is
> usually "no."
> 
> This is similar to overhearing conversations on
> portable phones.  You're not supposed to listen in,
> but if you and another user are sharing the freq, it
> would be hard to charge either side with
> eavesdropping.  This is NOT the same thing as
> pointing a high gain 900MHz antenna at the
> neighbor's house with the intent to listen in.
> 
> Intent does matter in the eyes of the law.
>  
> > http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
> > 
> > The only solutions I can offer are one of two
> things. 
> > 
> > 1. Quit sending auto confirmations with sensitive data
> >
> Agreed.
>  
> > 2. Encrypt all wireless transmissions at least making
> > someone who gains access to this data prosecutable.
> >
> Encryption is a good idea in any case.  But it only
> changes slightly what a malicious user could be
> charged with.  If someone steals your credit card
> information and uses it, they are guilty of a crime
> whether they grabbed it from a cleartext email,
> sniffed it off the wire, or stole a carbon copy
> receipt.  
> 
> Simply having the data isn't really criminal.  EG. 
> You print out an email that has that information and
> leave it by the fax machine for some reason.  If I
> pick up the paper to use as scratch paper or
> something, I haven't done anything immoral,
> unethical, or illegal - but I DO have your data.
>  
> > Please direct all flames to /dev/null
> > 
> No flames.  Not even warm, really...
> 
> > Dan Becker
> > 
> Cheers,
> L4J



	
		