[wsfii-discuss] Fwd: [india-gii] poor WiFi encryption a security risk

Sun Sep 21 16:00:27 UTC 2008

> >
> > Are you seriously suggesting that because of security weaknesses (like
> > bad default passwords), that security in general is 'the wrong  
> > choice'?
> >
> I am seriously suggesting that looking at security needs to take more  
> into account that just "closing open APs and replacing them by WEP  
> encrypted APs" because the law things that will prevent terrorist  
> attacks.
> 
> :) I hope that was clearer now.
> 

Actually, no. I can't say that is any clearer. Who are you quoting? Not
me. I haven't suggested WEP or really any solution, other than perhaps
informing the public better about the risks and the use of a captive
portal to help reduce that risk (by stopping POP, IMAP, etc. from
leaking data before a user time to think). 

I don't think there is any one solution. But, if I were to offer a
suggestion, it would be more like an WPA/802.1x network where any login
will work. Though, that isn't very practical given how many supplicants
(notoriously Windows) aren't very user friendly. Yet, I don't think that
means "give up"... it's a challenge to make things better.  

I don't know the answer. But, I'm pretty sure the answer is not rolling
out inherently insecure wireless signals city wide and encouraging
people to access it anywhere and everywhere they can. 

> > I believe Bruce would agree that security is more than technology,  
> > it is
> > social awareness and behavior. As such, I go back to my original issue
> > with city wide open access... as it results in people becoming more
> > comfortable and trusting of open access. By saying these people  
> > need to
> > protect themselves with VPNs is just passing the responsibility to an
> > uneducated (about the risks) public.
> >
> nope.
> I do not agree. Because technically the point still remains - just  
> adding a WEP with pre shared key
> gives people the *wrong* sense of security!

Don't agree with what? Who said anything about adding WEP? 

I also don't think people assume absolute security when they use WPA.
They know the Internet isn't a 'secure' place. But, I do think they
believe it is a form of 'wireless security'. And, sure, it may improve
their comfort level. 

> Did you ever consider this is much to often a *shared*key* ?
> 
> And yet, that will be the most common use case of the "newly secure  
> closed WIFI APs". Besides - when you can attack these devices from  
> the WAN side, then what is the point of securing the airwaves? You  
> will be able to sniff everything anyway...
> 

I really don't understand that argument; that because it may be
vulnerable from the WAN side, you might as well disregard any
vulnerabilities on the LAN side. What???

> ok, enough discussions for me . I think I made my point clear.
> And agreed on the point that security must deal first-most with the  
> psychology of people. But adding the standard WEP pre shared key is  
> not an option. And exactly when you think about psychology first  
> ("people want easy solutions") then you will find out that just  
> passing a law that APs must be encrypted, will simply give you WEP  
> encrypted pre shared key APs.

"And agreed on the point that security must deal first-most with the
psychology of people" -- then we do agree...

What is the lesson we are hoping to teach people?