At 06:41 PM 9/22/2002 -0400, William Allen Simpson wrote:
... But, it is still the only
Access Control widely available. So, it should be used, in addition to
the better methods.
Using a supposed security mechanism that is known to be essentially useless
does nothing but lull people
10-15 minutes. None of the doors of that class is in your house. Why do you
have a door on your house?
It keeps honest people honest, and opportunists from taking advantage of
easy opportunity.
Rubbish.
There are only two or three types of locks that cannot be picked from the
outside by a lockpicker within 10-15 minutes. None of those locks is on your
outside door. Why do you bother to lock your house?
But in the case of public WLAN, who is the one that you're trying to
Someone stood at your front door with lock picking tools for more than a
couple of minutes is going to arouse suspicion, and hopefully cause someone
to call the police.
Someone sat in the hotel lobby with a powerful laptop isn't going to cause
anyone to look twice, at a NANOG conference.
Thus spake Sean Donelan [EMAIL PROTECTED]
The wireless networks at NANOG meetings never follow what the security
professionals say are mandatory, essential security practices. The NANOG
wireless network doesn't use any authentication, enables broadcast SSID,
has a trivial to guess SSID,
Actually, from a legal standpoint, you put locks on the door same
reason as you would on the wireless. Otherwise an invitation could be
implied. It's hard for someone to argue that they were invited if
they had to use breakin tools. Otherwise I don't think anyone would
have a case, public
In message 006a01c2630a$19725020$[EMAIL PROTECTED], Stephen Sprunk writes:
I can't say without a sniffer, but I'd bet that most NANOG participants are
doing the same: SSH or IPsec VPN's back to home (wherever that is).
Experience doesn't support this, I fear. How many passwords were
On Mon, 23 Sep 2002 14:52:41 +0100 Simon Lockhart [EMAIL PROTECTED] wrote:
Someone sat in the hotel lobby with a powerful laptop isn't going to
cause anyone to look twice, at a NANOG conference.
ok, i think we need to talk about the actual threats at a nanog conference.
1) some otherwise
10-15 minutes. None of the doors of that class is in your house. Why do you
have a door on your house?
It keeps honest people honest, and opportunists from taking advantage of
easy opportunity.
Thank you. Why is it different from putting even rudimentary security in
place on
On Sun, 22 Sep 2002, Iljitsch van Beijnum wrote:
On Sun, 22 Sep 2002, Richard A Steenbergen wrote:
On Sun, Sep 22, 2002 at 01:11:07PM +0200, Iljitsch van Beijnum wrote:
There are also people ssh'ing to personal and corporate machines from
the terminal room where the root password
On Sunday, Sep 22, 2002, at 15:41 US/Pacific, William Allen Simpson
wrote:
I will agree that the security in WEP is almost useless, and have
personally campaigned to change it for years. But, it is still the
only Access Control widely available. So, it should be used, in
addition to the
Rowland
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Chris Adams
Sent: Sunday, September 22, 2002 11:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Wireless insecurity at NANOG meetings
On Sunday, Sep 22, 2002, at 15:41 US/Pacific, William Allen Simpson
How about just plainly blocking the most obvious holes, that is
telnet and POP? If someone wants a direct telnet connection to a
route server or something similar - open a hole with a web-based tool?
Ok, then you say all unencrypted www traffic with plain username/pw..
SSH'ing everything back
On Mon, 23 Sep 2002, Huopio Kauto wrote:
How about just plainly blocking the most obvious holes, that is
telnet and POP? If someone wants a direct telnet connection to a
route server or something similar - open a hole with a web-based tool?
Ok, then you say all unencrypted www traffic with
On Sun, Sep 22, 2002 at 01:11:07PM +0200, Iljitsch van Beijnum wrote:
There are also people ssh'ing to personal and corporate machines from
the terminal room where the root password is given out or easily
available.
Are you saying people shouldn't SSH?
I've seen far too many people get
On Sun, 22 Sep 2002, Richard A Steenbergen wrote:
On Sun, Sep 22, 2002 at 01:11:07PM +0200, Iljitsch van Beijnum wrote:
There are also people ssh'ing to personal and corporate machines from
the terminal room where the root password is given out or easily
available.
Are you saying
The trouble is that not using WEP looks like you're not bothering
with the low level of security that's available in wireless. The
fact that WEP only adds a 15 second - 15 minute delay to full
access to the network both for legitimate and not-so-legitimate
users means it offers more
At 05:06 PM 9/22/2002 -0400, Sean Donelan wrote:
Has anyone volunteered to conduct a Sunday tutorial on wireless security
for users of public wireless networks?
Although I think it is a mistake to think a wireless network security
is different than using any other network you don't control.
In
Having been a past host of 2 NANOG's
I would state the following:
1. There should be CLEARLY POSTED SIGNS that state this is a
conference network, access is permitted only to registered
attendees, and that all traffic on this network is subject
to monitoring.
2. The wireless or wired
Use VPN technology, Use 802.11a/b as the media and nothing else.
Encrypte Tunnel your connections.
On Sun, Sep 22, 2002 at 05:06:27PM -0400, Sean Donelan wrote:
On Sun, 22 Sep 2002, Randy Bush wrote:
- the users need to be told how to operate more safely, use end-to-end
On Sun, Sep 22, 2002 at 04:49:08AM -0700, Randy Bush wrote:
a prudent user does not ssh _from_ a machine they don't control or
prudent users don't get hacked. non-prudent users hopefully learn
or darwin happens.
On Sun, Sep 22, 2002 at 01:37:22PM +0200, Iljitsch van Beijnum wrote:
On Sun, 22 Sep 2002, Richard A Steenbergen wrote:
I've seen far too many people get into trouble because they have some
flawed thinking that ssh == always secure, even against compromises of
one of the endpoints. If
On Sun, 22 Sep 2002, John M. Brown wrote:
a prudent user does not ssh _from_ a machine they don't control or
prudent users don't get hacked.
Really? Care to list the bulletproof hardware and software these god-like
creatures use, rather than the bug-ridden stuff we lesser folk have to
make
John M. Brown wrote:
On Sun, Sep 22, 2002 at 04:49:08AM -0700, Randy Bush wrote:
a prudent user does not ssh _from_ a machine they don't control or
prudent users don't get hacked. non-prudent users hopefully learn
or darwin happens.
Ahem! I'm usually considered a prudent user (once
Same bug-ridden stuff, just better understanding, staying up with
patches, and understanding the human engineering side of things.
so maybe my absolute statement should have been..
s/prudent users don't get hacked/prudent users get hacked much less often
On Mon, Sep 23, 2002 at 12:27:52AM
a prudent user does not ssh _from_ a machine they don't control or
prudent users don't get hacked.
as easily
Access control should be used when you need access control. Sometimes
engineers need to step back from solving the problem, and look at whether
the problem needs to be solved.
Yes...
What access control do you need for a public drinking fountain?
Today, none, that was different in
At 06:41 PM 9/22/2002 -0400, William Allen Simpson wrote:
... But, it is still the only
Access Control widely available. So, it should be used, in addition to
the better methods.
Using a supposed security mechanism that is known to be essentially useless
does nothing but lull people into a
On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
Anyway, in our efforts to see security weaknesses everywhere, we might be
going too far. For instance, nearly all our current protocols are
completely vulnerable to a man-in-the-middle attack. If someone digs up a
fiber, intercepts packets and
I'm waiting for one of the professional security consulting firms
to issue their weekly press release screaming Network Operator
Meeting Fails Security Test.
The wireless networks at NANOG meetings never follow what the
security professionals say are mandatory, essential security
On Sat, Sep 21, 2002 at 05:46:27PM -0400, Sean Donelan wrote:
I'm waiting for one of the professional security consulting firms to issue
their weekly press release screaming Network Operator Meeting Fails
Security Test.
The wireless networks at NANOG meetings never follow what the
bank's customers. Banks rarely check the signature on a check. Is
security just perception?
Yes.
And I would expect that those people who cared about things
assumed the wireless network was insecure (just like internet)
and had secured their hardware and were using secure connection
On Saturday, 2002-09-21 at 17:46 AST, Sean Donelan [EMAIL PROTECTED]
wrote:
I'm waiting for one of the professional security consulting firms to
issue their weekly press release screaming Network Operator Meeting
Fails Security Test.
The wireless networks at NANOG meetings never follow
Date: Sat, 21 Sep 2002 17:46:27 -0400 (EDT)
From: Sean Donelan [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
Anyway, in our efforts to see security weaknesses everywhere, we might be
going too far. For instance, nearly all our current
is something most people fail to realize
consistently.
Sameer
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sean Donelan
Sent: Saturday, September 21, 2002 2:46 PM
To: [EMAIL PROTECTED]
Subject: Wireless insecurity at NANOG meetings
On Sat, 21 Sep
I agree security is sadly lacking, but it is probably impossible to
implement in a conference environment.
Look this is a very simple issue. Sean's first post really pointed out that it's bad
form for a set of operators to run an insecure network. I would believe that it's
good form to at
On Sat, 21 Sep 2002, Martin J. Levy wrote:
I agree security is sadly lacking, but it is probably impossible to
implement in a conference environment.
Look this is a very simple issue. Sean's first post really pointed out
that it's bad form for a set of operators to run an insecure network.
37 matches