From: fulldisc at ultratux.org (Maarten)
Subject: Wireless ISPs

On Tuesday 11 May 2004 20:33, D B wrote:
> I'm not real sure how to post this, nor am I sure of
> the scope. I am still learning about computers.

I'm not sure this is the right list for you. But while we're here...

> All transactions done via secure websites are secure,
> however the auto mailing feature to confirm orders
> sometimes contains sensitive data. When the customer
> is on a wireless connection, be it ISP or home LAN
> that data is broadcasted in the clear for anyone
> within range to eavesdrop. A wired internet connection

Who, in their right minds, will read their email anyhow over an unencrypted 
wireless link?  That's asking for trouble, i.e. information leakage.

This doesn't just apply to sensitive CC / billing information, you know. It 
applies to your pop3 email password too, and to any and all email you 
wouldn't want in the open.  
Besides, do you actually surf exclusively to SSL-enabled websites? Or do you 
consider normal surfing containing solely non-sensitive data? 'Cause you may 
get a nasty surprise, then. Think about cookies, or even just surf-habits 
alone.

> It is legal according to US law to eavesdrop on
> wireless connections.
>
> http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
>
> The only solutions I can offer are one of two things.
>
> 1. Quit sending auto confirmations with sensitive data

'Do you want a blank receipt with that?'  ;)

> 2. Encrypt all wireless transmissions at least making
> someone who gains access to this data prosecutable.

Oh, to slap the eavesdropper with a DMCA lawsuit you can just ROT-13 all your 
mail.  That law does not call for any high level of "encryption", however 
stupid that may sound.  Funny things that, laws...   ;)

> Please direct all flames to /dev/null

Okay.
Well then, on a more serious note: Either look into SSL encrypting your mail 
(pop3s / imaps / ...), or encrypt your entire wireless traffic, either by 
WEP (trivially crackable but may deter amateurs and / or people afraid of the 
DMCA) or a VPN (more or less uncrackable, depending on the setup).

Maarten

