Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

UN Advised on Wireless Insecurity 81

otisaardvark writes "There's an article on the BBC about how the UN is being briefed on the problems of wireless networks. Predictable conclusions - security is mainly compromised through human, not technological factors."
This discussion has been archived. No new comments can be posted.

UN Advised on Wireless Insecurity

Comments Filter:
  • Secure? (Score:2, Interesting)

    by vidarlo ( 134906 )
    What would be secure?
    Although it is encrypted, it is most likely that within two years, it will be possible to crack this.
    Cables are securer.
    • Although it is encrypted, it is most likely that within two years, it will be possible to crack this.
      Cables are securer.


      With a wire cutter I can crack a cable today. Cables are not more secure. They are just slightly less accessible.
    • No way.

      Chances are I could walk into you company, put a box on a desk, plug it into the wall and come back next week to collect it without anyone noticing.

      Your cables are just as naked as your wireless is.

      You want real security? Think biometrics. Think Faraday Cage.
      • > You want real security?
        > Think biometrics.

        Not even close. Biometrics are horrible for data security. In fact biometrics are horrible for almost all security situations. Consider the attack you put forth (walk in company, place box, plug in, collect later). Biometrics won't stop you from walking in, although it will make it marginally more difficult, you will still have to wait for someone to open a door, and then you follow them in. Placing the box will not be any more difficult, it is your box, the only protection is what you want on it. Plugging the box in will be no more difficult, a wall plug is just a wall plug. Collecting later will be marginally more difficult because you have to gain access again. Biometrics will not cause problems with the data you retrieve since biometrics cannot (yet) be used for encryption. Biometrics fails the very attack you put forth. Biometrics fails.

        > Think Faraday Cage.

        Simply infeasible. The closest you would get is the NSA building, and it leaks trace amounts through the windows. At the time of it's construction the window leakage was considered below useful threshholds, now I have strong suspicions that it is possible to detect and decode the emissions. The only saving grace you have is the proliferation of computers this pollutes the leaked streams making them significantly more difficult to decode.

        On the original topic. The solution I've had in place for about a year is to run everything in house over IPSec. There is a wireless connection, but unless you can log into the VPN you won't get any further. Turns out to be pretty easy to setup, and while I have had the wireless "hacked" they didn't get any further. Of course this is a bit heavy handed for a major installation, but as a cryptographer I am working on a tear out and replace protocol without all the extra cr*p that 802.11 keeps trying to put into WEP, instead I'm basing it more on a secured IP network.
      • Not realy. Because wireless you could track down from another building without that I got the fainthest idea of it ever was someone tracking my net.
        If I just strode over the box, I most certainly would know someone where trying to get data from me. Then I could go to the police. But If I did not know about it, it would be a bit lame.
        Imaginine an ordinary day at a police station;
        Me:Hello. It might be that someone is tapping my wireless ethernet.
        Police: What makes you belive so?
        Me: Nothing...But indeed they could. They could be standing outside the building. And if they do, how should I detect...
        Police:Well...As long as the crime is not done yet, it is not anything we can do.
        Me: But it is important. I am dealing with secure stuff. You have to post at least 10 man searching everyone who pass inside a 150 yard circle around the builing.
        Police: Sorry. We canæt do that.
  • by wackybrit ( 321117 ) on Saturday November 30, 2002 @11:32AM (#4783977) Homepage Journal
    Back in the 80s you could buy a cellphone and then by using a scanner, could tune into the frequency used by the phone to intercept calls. If you were really clever, and had the right *cough* 'dodgy' software you could send control messages to the phone to activate the mouthpiece, so you can literally tap people.

    Cellphones were new, and people just wanted them for the coolness/convenience factor and didn't realize the security ramifications.

    In the corporate world there's a certain apathy to hackers. Many execs think.. 'No hacker would be interested in our data, it's just boring business stuff'. That may be so, but when the cops are sniffing your CEO downloading kiddy porn and some script kiddie has just deleted all of your mail, you will think again.

    Wireless networks are similar to cellphones in this regard. Companies think they're cool and convenient, so they're hopping on the bandwagon.

    So, we need to do what they did with cellphones. Digitally modulate the data over the wireless network and encrypt it within the hardware. Waiting for people to install their own security systems is futile. The manufacturers should make wireless devices encrypt on the fly, just like cellphones do.

    This will benefit most companies, since they can dabble in inside trading, downloading warez, etc, and the Feds won't be able to track it, so it benefits everyone really.
    • by LostCluster ( 625375 ) on Saturday November 30, 2002 @11:39AM (#4784005)
      It always seems to go that every new technology is designed to be a straightforward as possible at first, and we all realize that there's a need to encrypt for the sake of security.

      Why doesn't anybody ever release the secure version in the first place?
      • you'd really rather have to *cough* reverse engineer the encryption first, then the protocol?? I think not for advancements sake..

      • Why doesn't anybody ever release the secure version in the first place?

        Then they won't be able to charge you twice.
      • Are there any mainstream 802.11b cards without WEP? (Granted, WEP is fatally flawed, but that's different from not TRYING to provide security.)
      • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday November 30, 2002 @12:09PM (#4784100) Homepage Journal
        Let me take this a step further. It seems like it always turns out that IP traffic should have been encrypted. Why don't we encrypt all IP traffic to begin with?

        This has been pointed out before by a zillion different people but some might be new to the thought; If all traffic were encrypted in the first place then we wouldn't ever have had all these problems with sniffing. Of course any packet sniffing you want to do would have to be done on the destination or the endpoint, so perhaps only the significant part of the payload should be encrypted while the control messages (at least those for handshaking) should be let alone.

        If ALL traffic were encrypted the difficulty of intercepting "important" encrypted messages would go up and become much more difficult.

        • Let me take this a step further. It seems like it always turns out that IP traffic should have been encrypted. Why don't we encrypt all IP traffic to begin with?

          Probably because when IP traffic was developed, computers weren't fast enough. You do know TCP/IP has been around before 1993, right? :)

          Even if encrypted IP was put in place before the Internet went public, 386/486 class computers that were common at the time could barely keep up with unencrypted traffic over fast modems. Remember when your browser rendering speed was more important than your connection speed?

          As far as cell phones go, I might be talking out of my ass here, but I know the FCC has rules against encrypted transmissions on many bands. I wouldn't be surprised if it was (still is) illegal to encrypt cell phone traffic.
          • As far as cell phones go, I might be talking out of my ass here, but I know the FCC has rules against encrypted transmissions on many bands. I wouldn't be surprised if it was (still is) illegal to encrypt cell phone traffic.

            GSM has encryption as part of the protocol. It isn't very good encryption - it has been cracked - but I guess it would at least deter casual sniffers. There are now several GSM providers in the US, although they operate on a different frequency from most of the rest of the world.

            • GSM uses an encryption algorithm called A5 which is fairly weak, with an effective key length of at most 5 bytes.

              As this page [leeds.ac.uk] says, "A5 is a stream cipher, and the keystream is the xor of three clock
              controlled registers. The clock control of each register is that register's
              own middle bit, xor'ed with a threshold function of the middle bits of all
              three registers (ie if two or more of the middle bits are 1, then invert
              each of these bits; otherwise just use them as they are). The register
              lengths are 19, 22 and 23, and all the feedback polynomials are sparse.
              ... there is a trivial 2^40 attack (guess the contents of
              registers 1 and 2, work out register 3 from the keystream, and then step on
              to check whether the guess was right). 2^40 trial encryptions could take
              weeks on a workstation, but the low gate count of the algorithm means that
              a Xilinx chip can easily be programmed to do keysearch, and an A5 cracker
              might have a few dozen of these running at maybe 2 keys per microsecond
              each."
              There is some code as well for the crack itself.

              Enjoy!
        • Why don't we encrypt all IP traffic to begin with?

          well, that would be what the security part of IPv6 is for.

          it's been backported to IPv4 (the current TCP/IP we all know and love) as IPSEC

          you can get the freeswan version for Linux for free, then
          make yourself a VPN and refuse to route data from the
          wireless that doesn't come over the VPN address range

          that will stop 'em
        • Seems to me that if everything was encrypted there would be more money being spent by [insert favourite government agency here] to crack the encryption. This would suck, because we'd continually need to come up with new encryption methods, generate larger keys, etc. in order to keep out prying eyes.
          So I say, let most of the traffic be unencrypted so that the [insert same favourite government agency here] doesn't have a hard time finding illegal activity so that their "need" to crack encryption (at least from [government agency]'s point of view) is small.

          That said, most of the really bad evils already use encryption, so maybe it's a moot point. Maybe.
      • by DarkZero ( 516460 ) on Saturday November 30, 2002 @12:14PM (#4784116)
        Why doesn't anybody ever release the secure version in the first place?

        Why sell anyone the secure version when you can sell them the insecure version AND the secure version, in that order?
      • Version 1.0 of nearly all products are:
        1. Very insecure (no passwords, all users can do everything).
        2. Have a bad GUI (noone knows how the users will use it yet).
        3. Filled with bugs.
        And since noone ever has time for a complete refactoring of the code (not a rewrite from scratch)... then that stuff usually never gets fixed in future versions.
        --
      • every new technology is designed to be a straightforward as possible at first ... Why doesn't anybody ever release the secure version in the first place?

        Like BlueTooth, for example? With a specification so incredibly complex that none of the potential manufacturers have a clue how to make compliant products...

        Then compare that with POP or HTTP, where you could probably write the server in a single line of code, with the right programming language. Seems to be easier to support, and you can add an optional security layer later without much problem.

    • Manufacturers of any consumer electronics aren't going to add security features without a quantum shift in the way consumers evaluate technology, for the following reasons:

      1. People are stupid. Consumers don't want security, they want "cool". A cool product that is insecure will always beat a less cool product that is secure. And security isn't cool. The average consumer evaluating a product for purchase will simply get the glazed-eye drools when reading something about security, put down the box and pick up the shiny, candy-like box next to it containing a similar but insecure product.
      2. People are miserly. They won't pay more for security until they've been burned. Since a company that makes secure products would have to charge more for them, they'd basically be putting the barrel of the shotgun in their own mouth and inviting the consumer to pull the trigger by buying the other guy's cheaper, but insecure, product.
      3. Consumers are stupid- I know I said this once, but it bears repeating. Companies that make consumer electronics will continue to make shoddy, insecure products as long as the first-stringers for the dung-flinging Olympics keep buying them. And there's no reason to suspect they won't keep doing so.
  • by LostCluster ( 625375 ) on Saturday November 30, 2002 @11:36AM (#4783993)
    Whenever any product ships with pre-set default passwords or settings, there is always a segment of the population who will plug it in, see that it's working, and walk away. When a user plugs in a WiFi router, it should require the user to either turn on WEP, or make the user very aware that using the router in its default mode allows any other WiFi device that comes within range to connect, and that includes people who you might not want to let in.

    Some people actually want to provide free bandwidth to the community, and I can't blame them for that. However, users need to know when they set themselves up with no security, that will be interpreted by the world as an open invitation for the public to come on in. If you want to block that, enable some sort of security.
  • by Trane Francks ( 10459 ) <trane@gol.com> on Saturday November 30, 2002 @11:37AM (#4783994) Homepage
    Yeah, back in the late-'70s, I had a multi-band radio that could pick up cellular conversations. As a teenager back then, I had an absolute blast listening to calls. It was better than TV. And I promise you, covertly listening in to a hot call between a guy and his girl when you're 16 years old is pretty impressive stuff! :lol:

    I never got into blue-box stuff, but pre-scrambled cellular was heaps of fun.
    • Damn. Sorry, this was supposed to be a reply to " It's like cellphones all over again" up above. My bad. :rolleyes:
    • And I promise you, covertly listening in to a hot call between a guy and his girl when you're 16 years old is pretty impressive stuff! :lol:
      My two favorite overheard calls from the early celphone days:
      1. A pissed-off shopper calling Amex while standing at a checkout counter. Yes, I even got his mother's maiden name.
      2. A cop talking to an informant. Early on, the cops had no clue that we might be listening to them.
      Ah, what fun.

  • by John Fulmer ( 5840 ) on Saturday November 30, 2002 @11:39AM (#4784001)
    Last time I checked (and it's my job to) WEP and wireless security are still broken, as far as standards are concerned. 802.1x (PEAP, LEAP, whatever you want to call it) isn't appropriate in all (or even most, IMHO) situtations, and fixes to WEP like TKIP aren't widely deployed.

    Wireless will continue to have security issues as long as the underlying security technology is broken and is hard to deploy in a secure, stable, and manageble fashion.

    That's a technology factor in my book.
    • by LostCluster ( 625375 ) on Saturday November 30, 2002 @11:42AM (#4784012)
      Even a flawed security method works better than broadcasting every bit in the clear. Missed patches mean nothing when we can't even convince people to turn it on in the first place.
      • At least with cleartext, people who care about security, but might not know how secure something is, will turn on encryption via SSL or SSH.

        With WEP, people may think that since it isn't sent in the clear, they don't have to go and encrypt their IP traffic which is going over it.
  • by skinfitz ( 564041 ) on Saturday November 30, 2002 @11:40AM (#4784006) Journal
    Predictable conclusions - security is mainly compromised through human, not technological factors.

    Presumably this is referring to the human failing that was responsible for the flaws in 802.11b design? 802.11b simply *cannot* be made secure. Beacon frames are not encrypted, MAC addresses are not encrypted. Capture approx 1Gb of network traffic and you can decrypt the WEP key. Once you do that, you are in. There is little difference between the time needed to crack 40bit and 128bit WEP keys.

    Do not deploy an 802.11b network in an environment where you would not fix cabled LAN ports to the outside of your building with flashing neon signs pointing to them with "PLUG IN HERE!" written on them.

    Roll on a truly secure standard.
    • Relying on link layer security is stupid anyway. What you need to do, as a network admin, is to view wireless access as any other access mechanism that is not physically in your control. Use end-to-end IPSEC or VPN to secure it.
  • by MarvinMouse ( 323641 ) on Saturday November 30, 2002 @11:45AM (#4784019) Homepage Journal
    Is that it is so darned easy to listen into the communications. If you can listen in, and interfere with little effort, instantly many attacks become available to you, especially man in the middle attacks.

    But, not only can you break into the network, most of the time, you can actively listen in, and just record everything until you get the encryption code in the future (which is actually a pretty easy thing to do with some social engineering.)

    If you want the data to be secure use fiberglass wiring, it is the most secure, but if you want convinience, then you'll have to trade off some of the security in enchange for a easier system to use. It's really as simple as that. It's not the human factor, is the human desire for convinience that commonly leads to the largest security breaches.
    • It is always this way -- with security and convienience. You will never be able to have an optimum amount of both. When you want convienience, at least some security must be sacrificed. Works the other way too. You have to find that "happy medium"
  • Why is it insecure (Score:3, Interesting)

    by goombah99 ( 560566 ) on Saturday November 30, 2002 @11:46AM (#4784024)
    I hear referecnes to wireless security issues but I dont understand why wireless is insecure. Can anyone offer a primer or a few good examples?

    For example, are the data links insecure--I dont think so as most are now 128bit encrypted, right?

    could it be that access to the local net offering a way around the firewall? Dont some, or maybe all, wi-fi links have built in capabitlity for password protected connections. If so does this not make them as good as any firewall?

    So is the whole problem just people not activating these feature? if so is this not just the same as any other unprotected wired network when people dont turn on their firewall?

    • > Beacon frames are not encrypted, MAC addresses are not encrypted. Capture approx 1Gb of network traffic and you can decrypt the WEP key.

      COuld someone elaborate here. Why is a WEP key more vulnerable than say an SSH key? Why is it insecure to have unencrypted Beacon frames and MAC addressses. What info is being given up by these or how can these be exploited in a way particular to wireless?

      and given encrypted transmissions why is WiFi more suceptible to man-in-the-middle attacks than any SSH connection?

      • First thing in a Google search for WEP:
        http://www.isaac.cs.berkeley.edu/isaac/wep-f aq.htm l

        The difference is that openssl is implemented more rigourously than WEP. IANAC (I am not a cryptographer), but it sound like the WEP folks put it into place without sufficient review and now we are stuck with a less-than-robustly-designed standard.

        Sometimes, combining two encryption methods can result in something weaker than either of the two original methods, in that they kind of partially decrypt each other.

    • by John Fulmer ( 5840 ) on Saturday November 30, 2002 @11:58AM (#4784056)
      >For example, are the data links insecure--I dont
      >think so as most are now 128bit encrypted, right?

      128-bit encryption without knowing the cryptographic algorithm used is meaningless as a definition of crypto strength, especially if the encryption is badly designed and broken; both of which are true for 128-bit WEP. Do a google search on it and you'll find the papers that describe the vulnerablility, and the tools to exploit it.

      WEP is what hapens when non-crypto people design crypto.

      Here's a starter link [counterpane.com] Look at the '802.11 Encryption" section
  • Why the UN? (Score:1, Funny)

    by Anonymous Coward
    Ok... that's it now, I'm gonna sit on my roof watchin for those black helicopters, the UN world government ain't gonna get any wireless network of mine, that's if I had one, anyway, nobody is taking my dirt farm off me!

    Hrm... where's that foil hat, I hope I don't find another of those inside out cows.

    Over and out.
  • I'm no expert... (Score:5, Informative)

    by Boss, Pointy Haired ( 537010 ) on Saturday November 30, 2002 @12:00PM (#4784069)
    But surely if you want to provide wireless capabilities on your corporate network you put the access point in a DMZ and have users come in via a VPN, just as if they were working from home and connecting over the "public" Internet.

  • by MacAndrew ( 463832 ) on Saturday November 30, 2002 @12:03PM (#4784075) Homepage
    I'm using an 802.11b network with 128-bit encryption, meaningless passwords (not "admin" or "router"), and the WAP will recognize only the MAC of the portable (yes, that can be spoofed, but it keeps out random strangers). Finally, the access point is in the basement, so its reception zone is mostly up, not horizontal.

    There could be specific weaknesses in my brands of hardware, but that's another problem.

    Am I mistaken that this provides reasonably good security? I don't expect to screen out the NSA, but do most snoops. If not, can someone type up a checklist for the well-meaning but slight clueless 802.11 administrator?

    Human error certainly includes misconfiguration, but if configuration is too hard for most people to understand I think it is the technology that is faulty -- human factors design and all that.

    I'm glad they're making these weaknesses more public. Doonesbury did a good job in the Sunday strip a while ago.
    • nope, Your open to the closed source of the access point, of wich there might be expliots ranging from poor IP spoofing due to pooor incrments of even +1 of backdoors put into the software that just mean even the 22mb 256 WEP chipsets fall victim to a simple UDP packet to a certain port and they spit out all your keys and connection details. Now if you treat wireless connections like an internet connection and VPN , firewall your data across it as well then I'd say that was good enough. Mind you only good.
      • One more time, in regular English? I understoon everything up to "nope." :)

        VPN does raise the security bar, but isn't a direct answer to wireless security. I'd prefer all of my wireless communications to be private.

        I also posted a follow-up to the original post which may clarify my intent.
    • by dsouth ( 241949 ) on Saturday November 30, 2002 @01:13PM (#4784336) Homepage

      I'm using an 802.11b network with 128-bit encryption, meaningless passwords (not "admin" or "router"), and the WAP will recognize only the MAC of the portable (yes, that can be spoofed, but it keeps out random strangers). Finally, the access point is in the basement, so its reception zone is mostly up, not horizontal.

      There could be specific weaknesses in my brands of hardware, but that's another problem.

      Am I mistaken that this provides reasonably good security?

      Short answer: Yes, you are mistaken.

      Longer answers: Here, [berkeley.edu] here, [weblogger.com] or here. [shmoo.com]

      Assuming your neighbors are clueless luddites who have to call you when their printer runs out of paper, WEP will prevent them from borrowing you Internet uplink bandwidth. Against a determined attacker, WEP, MAC filtering, and most of the other features built into modern 802.11a/b APs are ineffective.

      On the other hand, you may not care.

      Eg, my home machines are all secured and I do regular audits and scans. Any sensitive communication (eg, logging into a machine at work) happens over ssh and so is protected. So the only thing a script kiddie can do is watch my web traffic (which he is welcome to do), borrow my bandwidth (which would probably be noticed, and maybe try DoSing my home network (which is easy to fix).

      All of the above was also true when my home network was wired. The move to 802.11b just traded a decrease in security for an increase in convenence (ah, reading /. while sitting on the deck).

      As Schneier has said, security just buys you time. In the case of 802.11 (or for that matter, any wireless protocol), it takes significantly less time for the security to be breached than it would if the wired protocol was in use. If that worries you, don't use 802.11 networking, cordless phones, or cell phones, or adjust the sensitivity of your traffic to suit the medium.

    • by Garin ( 26873 ) on Saturday November 30, 2002 @01:53PM (#4784481)
      Security is about risk management, nothing more. Is it possible that some kid can break your connection? Yeah. Sure. Are they going to? I *seriously* doubt it. Why would they bother? To sniff your traffic? Ooooh. They'll see me reading slashdot. They may even get my slashdot password! Darn. They'll steal my Visa number! Um, nope, because that's over SSL. And my terminal connections are SSH. Email? Maybe, but I consider that a "public postcard" anyways, and I can and do use GPG when necessary. There is no traffic from my network that would make me a deliberate target of a snoop. Nobody would ever -plan- to hit my network and snoop my traffic or attack my boxes. Of course, if I was a business or had some kind of trade secrets, maybe they would (and this would change the situation).

      So what does that leave? That leaves people who happen on my network at random, and decide to try to use it for access or for kicks.

      Maybe your area is different, but in my neighbourhood, I can't drive more than half a block without finding a completely wide-open wireless lan. The usual density is much higher -- three or four to a block. And this is just me driving with my iBook propped open! Imagine if I actually used an external antenna! What does this mean? Nobody is going to go bother randomly cracking my network just to get bandwidth, when they can simply select another network and get it instantly.

      The moral of the story? Consider your risks. I feel I have very little to risk: I have no "intellectual property" to protect, really. My email is essentially public anyhow. My boxes are up to date and as secure as they can be (I think). Wireless network has the benefit of amazing convenience. It is a small risk that I mitigate to an acceptable level. Therefore, it's a managed risk. That's all that matters in security.
    • To the responders, thank you. I'd like to draw folks' attention to the "good enough" portion of my query. After all, encryption is just a game of staying a step ahead of the decrypters.

      Because any practical encryption can be cracked -- I assume SSL and whatever underlies ssh and, with difficulty, PGP -- what is "adequate" under what is currently readily available? ANything? I get the sense that breaking into a secured (not "secure") 802.11 link at least requires more than just getting a scanner to tap analog cellphones. (Remember Newt Gingrich's indiscretion? :)

      Last, it should be reiterated that human weakness such as social engineering and administrator goofs is the most likely and traditionnal sources of security breaches. Thus a need for regular independent audits by trusted (gasp) humans.
  • by Anonymous Coward
    I haven`t trusted WEP since it was introduced because I didn`t know how it worked. When the flaws were discovered it really came as no suprise to me to be honest.

    I think it makes sense to treat your WLAN like a direct Internet connection, ie. all packets could be snooped/intercepted/changed etc. If you want security use ssh or https.

  • as secure as wired (Score:3, Informative)

    by nurac ( 629942 ) on Saturday November 30, 2002 @12:57PM (#4784259)
    You can make wireless (802.1x) as secure as wired by putting all your wireless users on a VPN. Unsecured wireless users are just like having open access to the insides of your network and completely bypassing peripheral security measures like firewalls. The real question is how to make *all* your computing and networking resources more secure. Wirelessness per se won't be the problem.
  • by coj ( 20757 )
    CERIAS is part of Purdue University, not Indiana University. I'm sure heads will roll when Coach Keady finds out about this. 8)

    --
    Ed
  • The paper by Fluhrer, Mantin & Shamir talks about several weaknesses in the key scheduling algorithm of RC4. The paper by Borisov, Goldberg and Wagner "Intercepting Mobile Communications" talks about keystream reuse. I am quite puzzled between the two. I believe the earlier is a direct weakness to RC4 but Borisov's paper does not reference this at all. Can somebody please fill me in?
  • by anarchima ( 585853 ) on Saturday November 30, 2002 @01:54PM (#4784488) Homepage
    My favourite quote from the whole article:

    "Wireless technology is going to be deployed across the globe either securely or insecurely" --David Black, Accenture

    Now that doesn't seem obvious does it?
  • I dont' get what the fuss with relying on WEP for wireless security is. Regular ethernet is not encrypted. You could just plug a laptop into a hub and run tcpdump to sniff if you really wanted to. If we use the same security measures over wireless that we do over wired ethernet (VPN, SSL/SSH, Kerberos), who cares about WEP?
    • Wired security builds on top of the physical security you already have, while wireless security can pass through many physical boundaries, and so needs more protection to be equally secure.

      For example, to tap into my wired network at home, you'd need to first get access to my house. This is dangerous, and there's a real risk of getting arrested. To tap into my wireless network, you'd need to sit outside my house for a few hours in a truck. It's much less likely you'd get caught doing that, and if you did the consequences would be much smaller.

      Because of this, people who wouldn't dream of going on a burglary spree will cheerily drive around in a truck looking for wireless access points to use.

      In other words, the barrier to breaking into a wireless network is much lower than for a wired network, so there are many more people who are willing to do it, so it's more likely to happen.

    • Yes, that is true. You could just plug a computer into an ethernet port and look at some of the traffic. The difference is, for wired, you need access to a port! For wireless, you just need to be in the area. If you're random joe hacker, you probably can't just walk in and plug in your computer to a wired network. If it's a wireless network, you just hide in the bushes with your laptop.
  • by Anonymous Coward on Saturday November 30, 2002 @03:25PM (#4784754)
    How many heists of credit card numbers are done online? Compare this to how many heists of credit card numbers are done meatside.

    Meatside wins. You know why? It's a hell of a lot easier to make Joe Blow think you're someone you're not, than it is to neutralize computerized security.

    Remember kids, Mitnick "hacked" the minds of people more than he did computers. So did the other famous 'ev1l l33t h4x0rZ!'.

    "Code Red!" you shout. "Nimda!" you cry. These incidents and others aren't even related to the above. These were the result of script kiddies and the weakness of human security. Any dolt who got nailed by Code Red, for example, deserved it - Microsoft had a patch out long before the shit hit the fan.

    Wireless is a nightmare waiting to happen. It isn't secure out of the box. It isn't 'as secure' as hard wire, even if it is encrypted. One can just pull data out of the air with wireless; one needs to actually defeat rent a cops with water pistols to jack into a hard-wired system with a laptop.

    What happens when the clueless do a wireless install at the office, fail to utilize encryption, and pretty much leave things wide open? Won't happen? It's happening now, and if the infamous Microsoft worms weren't enough of a display that it *will* happen..

    Security. Ahh, blessed security. Fire your damnable MCSE's, take the donuts out of the rent-a-cop office and give out higher salaries all around.

    Oh, and remember, make sure the 'computer-knowledgable' secretaries know NOT TO GIVE OUT THEIR FRIGGIN PASSWORDS TO ANYONE.

    K thx bye.
  • Thank God (Score:1, Funny)

    by Anonymous Coward
    Thank God, the UN has finally been briefed. I guess we can look forward to some sort of wireless security "task force", perhaps a number of UN Conferences on Wireless Security, and then some resolutions blaming wireless insecurity on the US and Israel.
  • It is an important and popular fact that things are not always what
    they seem. For instance, on the planet Earth, man had always assumed
    that he was more intelligent than dolphins because he had achieved so
    much -- the wheel, New York, wars and so on -- whilst all the dolphins
    had ever done was muck about in the water having a good time. But
    conversely, the dolphins had always believed that they were far more
    intelligent than man -- for precisely the same reasons.

    Curiously enough, the dolphins had long known of the impending
    destruction of the of the planet Earth and had made many attempts to
    alert mankind to the danger; but most of their communications were
    misinterpreted ...
    -- Douglas Admas "The Hitchhikers' Guide To The Galaxy"

    - this post brought to you by the Automated Last Post Generator...

"Show me a good loser, and I'll show you a loser." -- Vince Lombardi, football coach

Working...