Message-ID: <0HXK000ORIIAE1@mta6.srv.hcvlny.cv.net>
From: amilabs at optonline.net (amilabs)
Subject: Wireless ISPs

I have been researching the WISP industry and I am planning to start one
also. I assure you that most use some form of authentication and encryption.
It would be very bad business to leave it open not only for hacking and DoS,
but also for users gaining free access. Most WISP gear supports WEP and AAA
type systems.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of D B
Sent: Tuesday, May 11, 2004 3:47 PM
To: Mister Coffee
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Wireless ISPs

Hi Mr Coffee

I'm using this venue to influence several wireless ISPs to use WEP

They claim the internet is insecure anyway so they won't use it.

I do understand the implications but yes wireless is totally legal to
eavesdrop.

The bottom 6 channels run on HAM frequencies and that is specifically
mentioned as legal to eavesdrop.

Tis a big can of worms this wireless garbage, I'm just using whatever I can
to motivate ISPs ( especially the local one ) to encrypt data.

Thank you for your reply

Dan Becker

--- Mister Coffee <live4java@...rmcenter.net> wrote:
> On Tue, May 11, 2004 at 11:33:25AM -0700, D B wrote:
> > I'm not real sure how to post this, nor am I sure of
> > the scope. I am still learning about computers.
> > 
> Ok, no worries.  We all start somewhere, right?
> 
> > 
> > All transactions done via secure websites are secure,
> > however the auto mailing feature to confirm orders sometimes
> > contains sensitive data.
> >
> All transactions done via secure websites are _supposed_ to be secure, 
> but the fact is that information leakage, poor configurations, MitM 
> attacks, and user error, amongst other issues, can render a supposedly
> secure site insecure.
> 
> You are right though.  Too many sites will send TMI back in a 
> confirmation email.
> 
> > When the customer
> > is on a wireless connection, be it ISP or home LAN that data is 
> > broadcasted in the clear for anyone within range to eavesdrop.
> >
> Not always.  The wireless link itself may be encrypted between the AP 
> and the user's portable device - with various levels of security.  
> Also, if they are using a secure website, the SSL traffic is encrypted 
> separately from the transport medium.
> That is an end-point to end-point system, so even sniffing "clear" 
> wireless traffic will only gain the attacker cyphertext.
> 
> > A wired internet connection
> > limits the number of people who have access to this
> > data simply by the nature of the internet putting it
> > within acceptable risk.
> > 
> Define acceptable risk?  A wired connection is inherently more secure 
> than a wireless connection, but there are going to be points where the 
> traffic can be compromised as long as the traffic is going over the 
> public internet.  Both wired and wireless suffer from that.  The 
> wireless is only inherently less secure because of the broadcast 
> element somewhere in the data path.  That makes the traffic easier to 
> eavesdrop on, but it's not extraordinarily difficult to eavesdrop on
> wired traffic either.
> 
> > It is legal according to US law to eavesdrop on wireless 
> > connections.
> > 
> The safe answer is "No."  The real answer _may_ be more complex 
> depending on your circumstances.  For example if there's an open AP 
> that's not WEP enabled, the users would have no reasonable expectation 
> of privacy.  However, if it came down to how a US Court would see it, 
> the safe answer is usually "no."
> 
> This is similar to overhearing conversations on portable phones.  
> You're not supposed to listen in, but if you and another user are 
> sharing the freq, it would be hard to charge either side with 
> eavesdropping.  This is NOT the same thing as pointing a high gain 
> 900Mhz antenna at the neighbor's house with the intent to listen in.
> 
> Intent does matter in the eyes of the law.
>  
> > http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
> > 
> > The only solutions I can offer are one of two things.
> >
> > 1. Quit sending auto confirmations with sensitive data
> >
> Agreed.
>  
> > 2. Encrypt all wireless transmissions at least making
> > someone who gains access to this data prosecutable.
> >
> Encryption is a good idea in any case.  But it only changes slightly 
> what a malicious user could be charged with.  If someone steals your 
> credit card information and uses it, they are guilty of a crime 
> whether they grabbed it from a cleartext email, sniffed it off the 
> wire, or stole a carbon copy receipt.
> 
> Simply having the data isn't really criminal.  EG. 
> You print out an email that has that information and leave it by the 
> fax machine for some reason.  If I pick up the paper to use as scratch 
> paper or something, I haven't done anything immoral, unethical, or 
> illegal - but I DO have your data.
>  
> > Please direct all flames to /dev/null
> > 
> No flames.  Not even warm, really...
> 
> > Dan Becker
> > 
> Cheers,
> L4J
