This is the kind of thinking that leads people to expect that the network will solve all of their security issues.  Networks were never designed to do that. Networks, whatever the transmission medium, should be simple and fast and have sufficient controls to safeguard the service.

Trust is a fallacy from a security perspective.  Sure, as M.D. pointed out, there are basic things you can and should do but attributing "trust" to any part of the data path is a slippery slope.

We need to divorce transport from data security. Trust no one. Secure your data.  Expecting that to come from others is a mistake.

Networks are designed for transport.  Making them do things like authentication and fine-grained access control is possible but not desirable.  It's like entering a NASCAR race with a bus.  Not what it was designed to do.  To continue with the automotive analogies, it is the equivalent of making the highway responsible for not getting injured in a car accident.  Rather than looking to the car manufacturers to build better, stronger, more resilient cars, it's like looking at CalTrans and asking them to provide this function.  Doesn't quite fit.  Not their job.  Certainly they need to fix potholes and keep the access ways obstruction-free, but if I decide to drive 110 MPH down the road and kill myself... not their problem.

I have very strong feelings on this topic so I apologize in advance for any excessive fervor. (too late you say?...)

We need to start thinking about building systems that are network and location independent.  In 5 years or sooner we will all be running around with some type of data and application access computing device that is transport service aware and automatically puts you on the "best" transport service given your preferences (I prefer speed over cost, etc...).  We have to stop caring about "how" we get to the data and need to start focusing on 1) proving who we are and what we can access and 2) protecting the data at its source.  In that environment, we no longer care how or from where we access our data.    The further away these controls are from what you are trying to protect, the less effective they are and the more risk you assume.  You don't put the vault around the bank, you put it around the money.

Thanks M.D....nice to know I'm not alone out there!


Mike Outmesguine wrote:
The reason wireless security is of more concern than wired is that untrusted
people are sitting in between you and the server you are visiting.  

When I surf the web over a wired connection, my data goes over lines buried
outside my house, to a telephone or cable company with a locked building,
over T1 lines to other telecom companies, hopping on several routers run by
ISPs and broadband providers, eventually to the server I am surfing on.

I trust the people between here and there.  For example, I trust that Google
will resist the urge to hack into my account, just like I trust my network
administrator at the office.  I trust PacBell that they do not want to read
my email or steal my identity.

But in a wireless network, you now introduce "anyone with a laptop and some
free software" into the mix.  Sitting between my laptop and the wi-fi access
point could be someone watching for any purpose.

I don't trust everyone in Los Angeles with technical abilities.  But I do
trust network carriers and service providers for most of my surfing.  

I even trust the government sniffers employed at my ISP...  Well, for most
of my transmissions ;)

-Mike



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of Michael A. Dickerson
Sent: Thursday, January 20, 2005 2:35 PM
To: SoCal WUG
Subject: Re: [SOCALWUG] 'Evil twin' fear for wireless net

On Thu, 20 Jan 2005, Charles Felts wrote:
http://news.bbc.co.uk/2/hi/technology/4190607.stm

This part seems to always get overlooked in these stories:

"Naturally, people may have security concerns," said Chris Clark, chief
executive for BT's wireless broadband.  "But wi-fi networks are no more or
less vulnerable than any other means of accessing the internet, like
broadband or dial-up."

I'm not saying that you shouldn't apply as many layers of security as you
can reasonably afford, but I've never understood why people worry so much
about the first hop (from your wifi card to the hotspot) when your data
has 20 or 30 more unprotected hops to go.  (Of course it's a different
concern if you have WAPs attached to an internal "trusted" network.)  But
if you were sending "financial transactions or anything that is of a
sensitive or personal nature" in the clear over the Internet, you were
already screwed before you ever got 802.11.

M.D.
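Added example, not part of any message in this thread: a small Python simulation of the point both the top reply ("protect the data at its source") and M.D.'s note (the first hop is no different from the other 20 or 30) are making. Two endpoints share a secret (assumed to have been agreed out of band; the secret, the message text and the three "hops" are constructed for illustration), and the payload is protected end to end with encrypt-then-MAC before it touches any transport. The same message is then relayed through an honest hop, an eavesdropping hop and a tampering "evil twin" hop. With end-to-end protection the eavesdropper sees only ciphertext and the tampering is detected; the same message sent in the clear is readable at every hop. The cipher here is HMAC-SHA256 run in counter mode as a toy PRF keystream so that the script needs only the standard library; it is not a substitute for TLS or a real AEAD.

```python
import hashlib
import hmac
import secrets

# Constructed for the example: a secret the two endpoints are assumed to have
# agreed out of band. Nothing on the path between them knows it.
SHARED_SECRET = b"example-shared-secret-agreed-out-of-band"
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(secret):
    """Derive independent encryption and MAC keys from one shared secret."""
    enc_key = hmac.new(secret, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(secret, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Toy PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(secret, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(secret, message):
    """Verify the tag over nonce || ciphertext before decrypting. None on any tampering."""
    enc_key, mac_key = derive_keys(secret)
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# Three kinds of intermediate hop. Whether the hop is a wi-fi access point, an ISP
# router or a telco switch makes no difference to the endpoints.
def honest_hop(msg):
    """A hop that simply forwards what it received."""
    return msg


def sniffing_hop(msg, log):
    """A hop that records everything it forwards (the laptop at the hotspot)."""
    log.append(msg)
    return msg


def tampering_hop(msg):
    """An 'evil twin' that alters one byte of the payload in transit."""
    i = NONCE_LEN  # first byte of ciphertext (or of the plaintext, if sent in the clear)
    return msg[:i] + bytes([msg[i] ^ 0x01]) + msg[i + 1:]


def run_protected_path(hop, plaintext, secret=SHARED_SECRET):
    """Sender protects, the hop relays, the receiver verifies. Returns the receiver's view."""
    return unprotect(secret, hop(protect(secret, plaintext)))


def run_clear_path(hop, plaintext):
    """Same message sent without end-to-end protection, for contrast."""
    return hop(plaintext)


if __name__ == "__main__":
    msg = b"transfer $500 to acct 123"  # constructed sample message
    seen = []
    print("protected, honest hop :", run_protected_path(honest_hop, msg))
    print("protected, sniffed    :", run_protected_path(lambda m: sniffing_hop(m, seen), msg))
    print("  what the sniffer saw:", seen[0].hex())
    print("protected, tampered   :", run_protected_path(tampering_hop, msg))
    seen_clear = []
    run_clear_path(lambda m: sniffing_hop(m, seen_clear), msg)
    print("in the clear, sniffed :", seen_clear[0])
```

The receiver's decision depends only on the shared secret and the tag, never on which hop the message crossed; that is what makes the first hop no more or less worrying than the rest of the path.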