lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040512162741.GA18855@tempest.stormcenter.net>
From: live4java at stormcenter.net (Mister Coffee)
Subject: Wireless ISPs

On Tue, May 11, 2004 at 10:27:09PM -0700, D B wrote:
> erm
> 
> merchant = https order from and there to a secure mail
> serverand from there to the ISPs insecure ...oops
> there goes all that SSL
> 
Dan, as a couple of people (myself included) have pointed out, you're dealing with two separate issues here.  Three, actually.

First: Secure transactions through a web interface 
Second: Cleartext replies to said transactions including sensitive data.
Third: Inherent insecurity on the Wireless leg of these transactions.

> and no i dont know for sure if the merchant had secure
> mail ..point being there it wouldnt matter if the ISP
> secured their email or wireless transmissions
>
Using "secure email" (SSL, etc., to connect to your mail server) only helps on that link.  While it will protect your login information, it won't protect the leakage of sensitive information you mentioned in your first post.  The only way to protect that would be to encrypt the email body or, vaslty better, have cluefullmerchants who don't send sensitive information back in the receipt.

Most don't.  Even most pronted receipts don't include all the numbers of your credit card any more - but some still do.  Few, but a number >1.
 
> and ill be damned if i prove i have someones credit
> card # this way .. in fact i deny even knowing this is
> possible 
>
I don't think that's an issue here, Dan.  But it's like the Fax example I mentioned in the first round.  There are legitimate ways to accidently acquire sensitive information - grabbing a piece of scratch paper from the "toss it" stack at the fax amchine that just happens to have someone's credit card number on it.
 
> this is all hypothetical
> 
> cept the part about the ISP not using any form of
> encryption anywhere
>
Most ISP's are operating on such thin margins that implementing wireless encryption is too painful for them.  I will note that a lot of ISP's offer secure conentions to their email servers, and all a user has to do is enable it in their client.

That they don't refects the fact that most users have the ID 10T flag set.
 
> 
> 
> >How about we hold the person responsible that
> >initially creates the
> >problem and not hand it off to someone who you
> already >seem to have a
> >vendetta against.
> 
> vendetta ?
> 
> k
> 
> thats it ...everyone pack up and go home
> 
> security is now a vendetta
> 
I think the thread's grown long and convoluted enough that people are only seeing parts of it.  Your original desire to make the local wireless ISP aware of the holes in their system has been lost.


> quit being retarded
> 
> this is a full blown ISP I tried to convince to use
> any form of encryption including  TLS / SSL email( the
> admin thinks simply using kismet is hacking ) ... i
> was ignored ( they do offer webhosting & mail services
> along with DSL & dialup.. they also  support many
> local businesses )
>
A noble effort, but probably a lost cause.  Either they're unaware of the risks, and seemingly don't want to become aware of them, or they have chosen to accept them.  In either case, it's not something you'll be able to force.  As long as the majority of their customers are happy, and they're running in the black, they'll stick with business as usual.
 
> http://www.effingham.net check them out....free
> internet at the intersection of I-57 and I-70 in IL
> 
> 
> when i posted the fact there was no protection for
> users  publicly ( on my own discussion board ) the ISP
> ( wireless ) accused me of harassment to my ISP ( i 
> hate talking to lawyers )
>
Sounds like a typical Fear reaction on their part, but I can't really comment since I haven't seen the thread.  Of course, having to protect 1st amendment rights against this kind of thing isn't something we want to go into here.
 
> i have now harvested several hundred client email
> addresses to whom i will be sending copies of their
> own email ( nothing else works so i suppose the direct
> approach should be tried )
>
That would be a Bad Thing (tm).  There is an anecdotal story about an employee at a medium/small company who'd been trying to make management aware of holes in their email system to no avail.  Eventually, he did essentially what you propose and was -arrested- for it.

It will certainly make people aware of the problem, yes.  But do you want to deal with the legal issues you'll bring down on your head?
 
> perhaps that will create  some awareness by DISCLOSING
> the facts to  endusers about the company trying to
> hide the fact their data is so easy to obtain
>
That's what public forums are for.
 
> are u aware of the definition of disclosure or are u a
> posing geek who likes to use big buzzwords and
> bullshit their way into something ?
>
Easy, Dan.  I've been following this thread since you first posted it and I'm surprised by the large number of replies.  There's a lot of information in these posts.  Some more relevant than others.  But the point is you've got people talking, and you can probably find some sort of resolution to your problem here.

Or at least the realization that the ISP in question probably doesn't care.
 
> 
> Dan Becker
> 
>
Cheers,
L4J


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ