Hi Mr Coffee,

I'm using this venue to influence several wireless ISPs to use WEP. They claim the internet is insecure anyway so they won't use it. I do understand the implications but yes, wireless is totally legal to eavesdrop. The bottom 6 channels run on HAM frequencies and that is specifically mentioned as legal to eavesdrop. Tis a big can of worms this wireless garbage, I'm just using whatever I can to motivate ISPs (especially the local one) to encrypt data.

Thank you for your reply

Dan Becker

--- Mister Coffee <[EMAIL PROTECTED]> wrote:

> On Tue, May 11, 2004 at 11:33:25AM -0700, D B wrote:
> > I'm not real sure how to post this, nor am I sure of
> > the scope. I am still learning about computers.
>
> Ok, no worries. We all start somewhere, right?
>
> > All transactions done via secure websites are secure,
> > however the auto mailing feature to confirm orders
> > sometimes contains sensitive data.
>
> All transactions done via secure websites are
> _supposed_ to be secure, but the fact is that
> information leakage, poor configurations, MitM
> attacks, and user error, amongst other issues, can
> render a supposedly secure site insecure.
>
> You are right though. Too many sites will send TMI
> back in a confirmation email.
>
> > When the customer
> > is on a wireless connection, be it ISP or home LAN
> > that data is broadcasted in the clear for anyone
> > within range to eavesdrop.
>
> Not always. The wireless link itself may be
> encrypted between the AP and the user's portable
> device - with various levels of security. Also, if
> they are using a secure website, the SSL traffic is
> encrypted separately from the transport medium.
> That is an end-point to end-point system, so even
> sniffing "clear" wireless traffic will only gain the
> attacker cyphertext.
>
> > A wired internet connection
> > limits the number of people who have access to this
> > data simply by the nature of the internet putting it
> > within acceptable risk.
>
> Define acceptable risk? A wired connection is
> inherently more secure than a wireless connection,
> but there are going to be points where the traffic
> can be compromised as long as the traffic is going
> over the public internet. Both wired and wireless
> suffer from that. The wireless is only inherently
> less secure because of the broadcast element
> somewhere in the data path. That makes the traffic
> easier to eavesdrop on, but it's not extraordinarily
> difficult to eavesdrop on wired traffic either.
>
> > It is legal according to US law to eavesdrop on
> > wireless connections.
>
> The safe answer is "No." The real answer _may_ be
> more complex depending on your circumstances. For
> example if there's an open AP that's not WEP
> enabled, the users would have no reasonable
> expectation of privacy. However, if it came down to
> how a US Court would see it, the safe answer is
> usually "no."
>
> This is similar to overhearing conversations on
> portable phones. You're not supposed to listen in,
> but if you and another user are sharing the freq, it
> would be hard to charge either side with
> eavesdropping. This is NOT the same thing as
> pointing a high gain 900MHz antenna at the
> neighbor's house with the intent to listen in.
>
> Intent does matter in the eyes of the law.
>
> > http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
> >
> > The only solutions I can offer are one of two things.
> >
> > 1. Quit sending auto confirmations with sensitive data
>
> Agreed.
>
> > 2. Encrypt all wireless transmissions at least making
> > someone who gains access to this data prosecutable.
>
> Encryption is a good idea in any case. But it only
> changes slightly what a malicious user could be
> charged with. If someone steals your credit card
> information and uses it, they are guilty of a crime
> whether they grabbed it from a cleartext email,
> sniffed it off the wire, or stole a carbon copy
> receipt.
>
> Simply having the data isn't really criminal. EG.
> You print out an email that has that information and
> leave it by the fax machine for some reason. If I
> pick up the paper to use as scratch paper or
> something, I haven't done anything immoral,
> unethical, or illegal - but I DO have your data.
>
> > Please direct all flames to /dev/null
>
> No flames. Not even warm, really...
>
> > Dan Becker
>
> Cheers,
> L4J

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
