Message-ID: <40A14BE7.4000405@arhont.com>
From: mlists at arhont.com (Konstantin Gavrilenko)
Subject: Wireless ISPs
WEP will not help you in this situation, since the same key will be
assigned to every client, making it virtually a "protected hub".
What you need to do is to persuade your ISPs to implement per-session
keys; a possible solution is WPA+Radius.
cheers,
kos
--
Respectfully,
Konstantin V. Gavrilenko
Arhont Ltd - Information Security
web: http://www.arhont.com
http://www.wi-foo.com
e-mail: k.gavrilenko@...ont.com
tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141
PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com
D B wrote:
> Hi Mr Coffee
>
> I'm using this venue to influence several wireless ISPs
> to use WEP
>
> They claim the internet is insecure anyway so they
> won't use it.
>
> I do understand the implications but yes wireless is
> totally legal to eavesdrop.
>
> The bottom 6 channels run on HAM frequencies and that
> is specifically mentioned as legal to eavesdrop.
>
> Tis a big can of worms this wireless garbage, I'm just
> using whatever I can to motivate ISPs ( especially the
> local one ) to encrypt data.
>
> Thank you for your reply
>
> Dan Becker
>
> --- Mister Coffee <live4java@...rmcenter.net> wrote:
>
>>On Tue, May 11, 2004 at 11:33:25AM -0700, D B wrote:
>>
>>>I'm not real sure how to post this, nor am I sure of
>>>the scope. I am still learning about computers.
>>>
>>
>>Ok, no worries. We all start somewhere, right?
>>
>>
>>>All transactions done via secure websites are secure,
>>>however the auto mailing feature to confirm orders
>>>sometimes contains sensitive data.
>>>
>>
>>All transactions done via secure websites are
>>_supposed_ to be secure, but the fact is that
>>information leakage, poor configurations, MitM
>>attacks, and user error, amongst other issues, can
>>render a supposedly secure site insecure.
>>
>>You are right though. Too many sites will send TMI
>>back in a confirmation email.
>>
>>
>>>When the customer
>>>is on a wireless connection, be it ISP or home LAN
>>>that data is broadcasted in the clear for anyone
>>>within range to eavesdrop.
>>>
>>
>>Not always. The wireless link itself may be
>>encrypted between the AP and the user's portable
>>device - with various levels of security. Also, if
>>they are using a secure website, the SSL traffic is
>>encrypted separately from the transport medium.
>>That is an end-point to end-point system, so even
>>sniffing "clear" wireless traffic will only gain the
>>attacker cyphertext.
>>
>>
>>>A wired internet connection
>>>limits the number of people who have access to this
>>>data simply by the nature of the internet putting it
>>>within acceptable risk.
>>>
>>
>>Define acceptable risk? A wired connection is
>>inherently more secure than a wireless connection,
>>but there are going to be points where the traffic
>>can be compromised as long as the traffic is going
>>over the public internet. Both wired and wireless
>>suffer from that. The wireless is only inherently
>>less secure because of the broadcast element
>>somewhere in the data path. That makes the traffic
>>easier to eavesdrop on, but it's not extraordinarily
>>difficult to eavesdrop on wired traffic either.
>>
>>
>>>It is legal according to US law to eavesdrop on
>>>wireless connections.
>>>
>>
>>The safe answer is "No." The real answer _may_ be
>>more complex depending on your circumstances. For
>>example if there's an open AP that's not WEP
>>enabled, the users would have no reasonable
>>expectation of privacy. However, if it came down to
>>how a US Court would see it, the safe answer is
>>usually "no."
>>
>>This is similar to overhearing conversations on
>>portable phones. You're not supposed to listen in,
>>but if you and another user are sharing the freq, it
>>would be hard to charge either side with
>>eavesdropping. This is NOT the same thing as
>>pointing a high gain 900 MHz antenna at the
>>neighbor's house with the intent to listen in.
>>
>>Intent does matter in the eyes of the law.
>>
>>
> http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
>
>>>The only solutions I can offer are one of two things.
>>>
>>>1. Quit sending auto confirmations with sensitive data
>>
>>Agreed.
>>
>>
>>>2. Encrypt all wireless transmissions at least making
>>>someone who gains access to this data prosecutable.
>>
>>Encryption is a good idea in any case. But it only
>>changes slightly what a malicious user could be
>>charged with. If someone steals your credit card
>>information and uses it, they are guilty of a crime
>>whether they grabbed it from a cleartext email,
>>sniffed it off the wire, or stole a carbon copy
>>receipt.
>>
>>Simply having the data isn't really criminal. EG.
>>You print out an email that has that information and
>>leave it by the fax machine for some reason. If I
>>pick up the paper to use as scratch paper or
>>something, I haven't done anything immoral,
>>unethical, or illegal - but I DO have your data.
>>
>>
>>>Please direct all flames to /dev/null
>>>
>>
>>No flames. Not even warm, really...
>>
>>
>>>Dan Becker
>>>
>>
>>Cheers,
>>L4J
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html