Government Use of WiFi Not Secure
Terremoto writes "A Congressional report indicates that the use of WiFi by government agencies is being done with little regard for security. The article says, "Government Accountability Office investigators were able to pick up Wi-Fi signals from outside all of the six agencies they tested, and they were able to find examples of unauthorized activity at all six as well.""
Unauthorized access? (Score:2, Interesting)
Yeah, breaking an auth scheme could be grounds for breaking/entering, but when it's open invite, isn't it allowed?
You know, public airwaves and all..
Re:Unauthorized access? (Score:2, Informative)
huh?
Every corporation with any sense of security uses MAC filtering. The FCC doesn't license the 900 MHz, 2.4 GHz and 5.x GHz bands (ISM), but they also don't enforce anyone's access. They used to restrict the kind of amplification that was allowed, but now, AFAIK, there is only a wattage limit.
Re:Unauthorized access? (Score:5, Informative)
Every corporation with any sense of security uses a DMZ + a VPN into the real network.
Re:Unauthorized access? (Score:2, Informative)
Once you have swapped your MAC address to match another on the network, what happens next? How does the conflict resolve between two machines with the same MAC address? Not nicely...
To be stealthy you need to observe MAC addresses, then identify when a machine has disconnected from the network. Then you can walk up and take its place at the table and eat its porridge - until it comes back. Then there's conflict again.
Re:Unauthorized access? (Score:3, Insightful)
On a switched network, it could be a problem. Switches don't like seeing the same MAC address on two different ports. It would indicate a loop, in which case STP will shut down one of the ports. 50/50 chance of killing off the person you intended to duplicate.
In a wireless or hubbed environment, it's a radio broadcast.. Both MACs would receive the signal as if they were the same machine. If you **REPLY** to them, that's a different matter.
If two machines were 192.168.1.10 with HW Addr 01:01
Re:Unauthorized access? (Score:3, Interesting)
As far as I know, STP only kills ports that STP decides are causing a loop. Seeing a MAC address on two ports just makes it think that the system has moved (think about what happens if you roam between APs) so it will direct all future packets to that MAC address to the last port it saw data come in from. So if both hosts are sending a lot of data, then the ensuing packet loss (because packets are going to the wrong place) makes it pretty miserable. If only one has a lot of traffic going, the
Re:Unauthorized access? (Score:2)
I was describing both switched and non-switched environments, where I'd make my machine identical to another (same IP and MAC).
I just saw the error on a Cisco switch on Sunday, regarding the STP loops. Lots of fun, especially since they were coming in on an impossible port. Level3 had screwed up. I still haven't figured out how they did it. The only GigE line coming in from them was throwing the error, even after I unplugged everything else.
I think I'm going to play with it a bit more, so I'l
Re:Unauthorized access? (Score:3, Interesting)
Standing up WiFi on a federal network is a lot like herding cats ;-)
I'm the project manager responsible for standing up WiFi access on a fair-sized Department of Defense installation. If the wireless network is configured according to DoD security technical implementation guides (STIGs) it can be fairly secure.
You're correct that MAC filtering alone isn't
Re:Unauthorized access? (Score:4, Informative)
Re:Unauthorized access? (Score:2, Informative)
Re:Unauthorized access? (Score:3, Funny)
Re:Unauthorized access? (Score:2)
Indeed. For instance, from the OpenBSD manual page for ifconfig (option lladdr) :
Re:Unauthorized access? (Score:2)
I live in an apartment building and am amazed at the number of improperly set up WAPs. But what intrigues me more is that running Airsnort against any of the existing encrypted WAPs I get very little information.
Re:Unauthorized access? (Score:4, Interesting)
4 were encrypted, named "2wire###", where ### is a 3 digit number. I've been informed that those are SBC DSL routers, which *ALL* have the wireless enabled but encrypted by default.
1 was a very weak signal
1 was a moderately strong signal (60% to 70%), unencrypted, named "DEFAULT". Kismet said it was a DLink (if I remember right).
I asked for an IP by DHCP, and I was on. I didn't do anything but started up ethereal, and logged everything for a few minutes.. I was trying to show my girlfriend the problems with unencrypted traffic on the Internet, and how important network security is.
There are two machines on their network, which were both sending SMB traffic with their machine names (or descriptions). I got their Yahoo! Messenger username. I know they have weatherbug running, and saw the specific zip code. They didn't browse the net, but in one of the rare instances that my girlfriend's own cablemodem was working, I sent a message by Yahoo! Messenger, and she saw it go by in clear text. Based on the information I gathered, I knew exactly which apartment it was.
At an unnamed casino in Vegas, I saw everything about their display boards. It would have been trivial for me to pretend to be their host, and change all the boards (winners, potential winnings, etc). I didn't though. I just emailed them when I got home, with the logs. They thanked me for pointing out the oversight. They were very good about it, so I won't say the name.
Once in a while, I'll fire up Kismet, and go driving. Not really wardriving, just to get an idea of what the area looks like. I can see about 200 APs from my house with a high gain antenna (24db). I can pick up about 300 driving about 10 miles with a low gain antenna (4db) stuck to the back of my laptop screen. In both cases, more than half of the APs found are unencrypted. Random samplings showed I could get online with no problems.
MOD PARENT UP!! (Score:2, Insightful)
Re:Unauthorized access? (Score:2)
Still can't figure out why I was seeing so little "interesting" packets.
Re:Unauthorized access? (Score:2)
Re:Unauthorized access? (Score:2)
Re:Unauthorized access? (Score:2)
I've done it with an Orinoco Gold card too. I just didn't have it with me last night to try it.
Re:Unauthorized access? (Score:3, Funny)
+1 for most bizarre method to determine the zip code you are in right now...
Re:MACs are trivially reconfigurable. (Score:2)
It does require additional resources on the spoofing (and spoofed) PC, but that won't be the bottleneck 99.x% of the time.
Re:Unauthorized access? (Score:2)
1) sniff the traffic.
2) change your MAC address over to theirs
3) change your IP over to theirs.
4) become them.
root @ evil (/root) ifconfig eth1 hw ether 01:01:01:01:01:01
root @ evil (/root) ifconfig eth1 | head -1
eth1 Link encap:Ethernet HWaddr 01:01:01:01:01:01
root @ evil (/root) ifconfig eth0 | head -1
eth0 Link encap:Ethernet HWaddr 10:10:10:10:10:10
root @ evil (/root) ping yahoo.com
PING yahoo.com (2
Re:Unauthorized access? (Score:2)
Re:Unauthorized access? (Score:2, Insightful)
Aren't those the ones you REALLY want to keep out of a government agency?
If MAC filtering is your security layer, then your network is accessible by anybody willing to spend relatively little money to access it.
Re:Unauthorized access? (Score:2)
Re:Unauthorized access? (Score:2)
You're confusing this with another issue (Score:2)
This has usually come up in the context of landowners (airport operators, universities acting as landlords to "off campus" housing, etc.) trying to enforce a monopoly on wireless internet access while on their property. However, in the US the F
Re:Unauthorized access? (Score:2)
Hardly.
Re:Unauthorized access? (Score:2)
I guess the way I figure it is it's all public UNLESS:
--they ask for no un-auth'ed users (yeah a simple banner)
--have encryption above and beyond basic protocol (like how 802.11b is proto but WEP is encryption)
--faking credentials (like attempting replay attacks on SSHv1)
--just using logins/passwords that you don't have legit access to.
I figure it fair game if those don't occur as long as you "do no harm".
Though, I'd consider servers secured fair game if they harbor MY INFORM
Unauthorized Activity (Score:4, Interesting)
It wasn't clear in TFA either, but do they mean a little pr0n surfing/p2p going on or active hack attempts were found?
Re:Unauthorized Activity (Score:2)
Of course! (Score:4, Funny)
"I didn't hit porn, must have been some drive-bys on our wireless network"
why are they using local 802.11b at all? (Score:2)
Those who don't, have no business incorporating a technology they don't understand. But, I suppose they have to spend their budget on something, even if it has nothing to do with making their job easier.
Re:why are they using local 802.11b at all? (Score:3)
Could you expand upon that comment please? Why don't government workers need laptops? They seem to make private sector high-tech workers more efficient, why shouldn't the government have access to these efficiencies? After all, government workers were the original Information Technology workers. They didn't just invent digital computers, but also made extensive use of pre-computer information te
Re:why are they using local 802.11b at all? (Score:3, Interesting)
Of course it prevents you from bringing the laptop to the bathroom.
If this were 2003..... (Score:5, Interesting)
I would consider it to be criminally negligent.
It is a shame that they allow these agencies to receive funding or for their IS / IT departments to still have jobs.
Let's stop talking about Filibusters and start talking National Security
Re:If this were 2003..... (Score:5, Informative)
I work for a large IT department for a government-based organization. The users don't call us when they get new equipment frequently unless it doesn't work. With all of these wireless devices coming 'ready to go' out of the box we don't usually find them unless we physically stumble across them or unless the DHCP server in the device is handing out addresses on the LAN at the site and therefore breaking connectivity for the users.
Yes, it is technically possible to note the MAC address of a device when it comes on the network and compare it to a table of kinds of equipment, but there are 11 field technicians, four network engineers, and two cable/infrastructure technicians for 25,000 machines. We don't get the funding for supplies, equipment, or manpower that we need, we don't get support from higher-ups in the organization, and we are left being reactionary. Even worse yet, some of the agency-level higher-ups are all about 'new technology' without giving us the resources to thoroughly investigate it and how it will impact our network, and half of the time they don't even figure out what the users need such technology for before allowing them to order it.
We have machines running from average as low as Windows 95 (though I do still encounter Windows for Workgroups 3.11 in rare cases) and MacOS 7.5.3. Most days I'm astounded that things work as well as they do, let alone at all.
Thin client (Score:4, Informative)
I don't suppose you really have any control left but when things are getting that bad it's your only sane option. (It's the only sane option when you're getting to 100+ clients anyway). Allowing users to design your IT infrastructure is pure madness, entropy inevitably turns your network to mush.
Even Windows Terminal Server, expensive as it is, is better than 25,000 desktops. We use LTSP and an array of Linux and Sun servers[1] tied together with Sun Grid Engine[2] to provide what the users think of as a single system, "The Grid". It was a remarkably easy sale to management, but we were coming from a largely Unix environment. It's a bit more difficult with Windows, the array of smallish servers approach is far more expensive to implement than Linux.
[1] many of them ex workstations and desktops.
[2] Though Condor looks like a good option.
Re:Thin client (Score:2)
On top of which gov't agencies require things like Access and hell some even require *gasp* Dos to run their interdepartmental reporting applications. Possible to run in a TS environment, but not quite a cakewalk to manage the tens (hundreds?) of such applications 25,000 users would requi
Re:Thin client (Score:2)
Or think they do. It's all about control, either you have it or you don't. With desktops the amount of effort you have to put in to manage and maintain control increases directly in proportion with the numbers of machines, even with management tools like SMS. By the time you get to 25,000 you need a staff of hundreds or you lose control of basically everything as chaos sets in. You have lost control and ar
Re:If this were 2003..... (Score:2)
the place where I work has gone to a simple policy: ALL computer-related purchases MUST go through the IT department then the accounting department. If one doesn't squash it the other usually does.
It makes getting random things like a wireless AP a pain in the butt for the users, but for those of us in IT (who work in the same small building as accounting), it is great.
In your case, MAC filtering and requiring all IT related purchases to be approved through your department would make lif
Re:If this were 2003..... (Score:2)
So no, we haven't, but that isn't necessary.
Re:If this were 2003..... (Score:2)
Re:If this were 2003..... (Score:2)
That's a maintenance nightmare. Trust me.
I knew a guy who did that on a network of just 20 workstations. He was anal, and wouldn't give anyone else access to authorize MAC addresses. The other techs got rather irate, when they'd change a NIC, add a new machine, or whatever.
Moreover, when the boss brought in his new laptop and couldn't get online, that was the end of MAC address filtering.
Re:If this were 2003..... (Score:2)
Thing is, I know exactly which vendors we have ethernet chipsets (and therefore MAC addresses) from. I don't have to disallow all except certain specific addresses, I have to allow certain ranges that conform to known assets. Admittedly this list is fairly lengthy, but th
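Added example, not part of any poster's comment: a sketch of the inventory check discussed in this thread (noting each MAC as it appears and comparing its vendor prefix to a table of equipment, or allowing only the vendor ranges of known assets). The lease-log format, the OUI tables and all sample values are constructed for illustration.

```python
"""Flag likely rogue wireless gear from DHCP lease records by MAC vendor prefix."""
import re
from collections import defaultdict

# Constructed OUI tables (first three octets), not real vendor assignments.
# A real deployment would load the IEEE registry and the asset database.
ASSET_OUIS = {"00:AA:01": "desktop NIC vendor", "00:AA:02": "laptop NIC vendor"}
WIRELESS_OUIS = {"00:BB:01": "consumer access-point vendor"}

# Constructed log format: timestamp, IP, MAC, hostname, switch port.
LEASE_RE = re.compile(
    r"^(?P<ts>\S+) lease (?P<ip>\S+) (?P<mac>\S+) host=(?P<host>\S*) port=(?P<port>\S+)$"
)


def normalize_mac(raw):
    """Accept aa:bb.., aa-bb.. or aabb.ccdd.eeff and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[:.\-]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(mac):
    """Classify a normalized MAC against the inventory tables."""
    # Bit 0x02 of the first octet marks a locally administered address,
    # i.e. one set in software rather than burned in by a vendor.
    if int(mac[:2], 16) & 0x02:
        return "locally-administered"
    oui = mac[:8]
    if oui in WIRELESS_OUIS:
        return "wireless-vendor"
    if oui in ASSET_OUIS:
        # Inventory hint only: MACs are reconfigurable, so a matching
        # prefix does not prove the device is the asset it claims to be.
        return "known-asset"
    return "unknown-vendor"


def audit(lines):
    """Return (line_no, finding, detail) tuples for everything worth a look."""
    findings = []
    ports_by_mac = defaultdict(set)
    for n, line in enumerate(lines, 1):
        m = LEASE_RE.match(line.strip())
        if not m:
            findings.append((n, "unparsed", line.strip()))
            continue
        try:
            mac = normalize_mac(m["mac"])
        except ValueError:
            findings.append((n, "bad-mac", m["mac"]))
            continue
        ports_by_mac[mac].add(m["port"])
        verdict = classify(mac)
        if verdict != "known-asset":
            findings.append((n, verdict, f"{mac} {m['ip']} {m['port']}"))
    # The same MAC behind two switch ports means the host moved or the
    # address is duplicated; either way someone should check.
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            findings.append((0, "mac-on-multiple-ports",
                             f"{mac} {','.join(sorted(ports))}"))
    return findings


# Constructed sample lease records.
SAMPLE = """\
2005-05-17T09:14:02 lease 10.1.4.23 00:aa:01:3c:9f:10 host=FIN-WS-0412 port=sw3/17
2005-05-17T09:15:40 lease 10.1.4.77 00-BB-01-00-12-34 host= port=sw3/22
2005-05-17T09:16:05 lease 10.1.4.90 0a1b.2c3d.4e5f host=laptop port=sw1/04
2005-05-17T09:20:11 lease 10.1.4.23 00:AA:01:3C:9F:10 host=FIN-WS-0412 port=sw5/02
2005-05-17T09:21:30 lease 10.1.4.91 00:cc:09:11:22:33 host=printer port=sw2/09
""".splitlines()

if __name__ == "__main__":
    for line_no, finding, detail in audit(SAMPLE):
        print(f"{line_no:>3}  {finding:<22} {detail}")
```

Findings with line number 0 are cross-record results rather than a single lease line.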
Re:If this were 2003..... (Score:2)
Actually, I was doing it a couple years ago, when I wanted to hide on random wireless networks, but still be blatantly obvious that I was there.
I found myself without an Internet connection someplace I was staying. I found a point to point network about 4 miles across, with two high gain antennas pointing at each other. I happened to be sitting right between them, so I stuck up my low gain antenna, and got online with no problem. No MAC filtering, they had DHCP on, and I stayed online for a we
Re:If this were 2003..... (Score:3, Informative)
There's several issues here.
First - the money tends to be tight in government IT. This leads to some impact on hardware but a much, much larger impact on personnel. Government IT shops just don't pay what they should. So you either end up with a staff of the best you could afford (but far from the best) and / or a select few dedicated, really good people who are vastly over-worked.
Se
This problem is a lot more common (Score:5, Informative)
Indeed, NetStumbler's help file even suggests such a scenario as one possible use for the program:
" Wireless LAN Auditing
A corporate network administrator needs assurance that the wired LAN is not being exposed to unauthorized users. This can often happen when users set up their own wireless LANs for convenience. Such wireless LANs often have little or no security, which poses a risk to the entire LAN. The network administrator can use NetStumbler to detect the presence of these "rogue" wireless LANs."
At least now that this story has hit the news, perhaps more people will wake up to the danger and try to secure their critical networks (as long as they leave open at least one for me to use as a wi-fi hotspot ;-)).
Really? (Score:4, Interesting)
Re:Really? (Score:5, Interesting)
CP
Is VPN enough? (Score:2)
However, what about the risk that a laptop may not have a decent personal firewall? It gets cracked (or runs malware in the first place), it connects over the VPN since I trusted the user the last time he visited - suddenly the malware has a route to my servers. Or theoretically a cracker could attack the client machine thro
Re:Really? (Score:2)
This sentence made me stop caring:
In other news, your computer may be broadcasting an IP address that hackers could use to attack you.
I mean if government agencies have fully open networks, and people can connect, get an IP (or find out enough about the netblock to make one up), and see data, sure that's bad. But then say that, don't waste time with s
No surprise, Sherlock... (Score:4, Funny)
Re:No surprise, Sherlock... (Score:2)
Watergate (Score:3, Funny)
Obviously, that sets up Forrest Gump II where the Forrest character spots a couple of geeks trying to jump start their van because their surveillance equipment drained the battery.
porp
Re:Watergate (Score:3, Insightful)
Of course they may just label the people who intercepted the unencrypted information terrorists and use it as an excuse for why you must elect them ...
Are there any safe (hardware) protocols? (Score:4, Interesting)
About the only solution I've seen is the airFortress product that utilizes a client that encrypts all data and decrypts it through a hardware device that interfaces with the access points. Military has been using it for a bit.
Re:Are there any safe (hardware) protocols? (Score:4, Interesting)
Re:Are there any safe (hardware) protocols? (Score:5, Interesting)
Re:Are there any safe (hardware) protocols? (Score:3, Informative)
In other words, the crypto doesn't protect you against choosing weak passwords or against choosing a stupid combination of configuration settings in IPSEC.
The crypto algorithms themselves seem to be holding up OK. If you use WPA as intended (with a Radius serve
Re:Are there any safe (hardware) protocols? (Score:2)
big deal (Score:3, Interesting)
Re:big deal (Score:2)
It sounds to me like "some" means "every one they tested".
That might or might not be a real security issue, depending on if they're using their wireless network for sensitive applications and if those applications aren't using end-to-end encryption for their applications and if their wireless networks aren't firewalled away from the rest of their network.
Well sure they
Re:big deal (Score:2)
Interestingly, there is a wireless network called "MI5 Network" that appears to be located in an apartment near the MI5 headquarters in london. It's just some guy's home network, but because of its name and location people might mistake it for something else.
Open WIFI == Good (Score:4, Interesting)
Re:Open WIFI == Good (Score:5, Insightful)
That sounds great, right up to the point where some pervert uses your open wi-fi to download child porn which is then traced back to your IP, or some l33t hax0r d00d tries to crack into military servers. And of course all of this is ignoring the fact that most ISPs specifically deny you the right to share your access this way. There are a few like Speakeasy that don't care or even encourage it, but Speakeasy's service sucks (I know, I had DSL with them for two years), and none of them legally protect you if someone using your connection does something illegal or at least against their AUP.
You could go hardcore setting up a walled garden, authentication system, and the whole nine yards, but you really don't have to. Even doing something as simple as enabling WEP on your AP is enough for the casual browser. It's certainly not 100% secure, and anybody with malicious intent could easily crack your key in minutes, but that's not the point. It's a deterrent and a source of plausible deniability. A thief could easily pick the lock on your door, but the simple act of locking your door will keep most people out (the end goal). As well, the fact that you took some measure means that you can't be held responsible when the thief who picked your lock and stole your shotgun later goes on to shoot up a school or convenience store.
Re:Open WIFI == Good (Score:2)
(running an open access point) sounds great, right up to the point where some pervert uses your open wi-fi to download child porn
Right now, there are a zillion anonymous proxies on wired connections. It's far more likely and convenient for J. Random Hacker to connect to one of these always-on proxies that are available from anywhere in the world than to get within 100' of your fiddly little access point.
If you're really worried about someone within 100' of your house doing some
Re:Open WIFI == Good (Score:2)
It's actually pretty hard to _guarantee_ you are anonymous on the internet. If you use an anonymous proxy then your IP will be hidden from the end web server you are contacting, but there is *no way* to know if the anonymous proxy is keeping logs. The authorities can track your web accesses back to the proxy, and if the proxy is keeping logs then it's very easy for the authorities to get the logs through a court order and tie the web
Re:Open WIFI == Good (Score:2)
Not at all (Score:2)
Issues (Score:2)
This is the fault of consumers and the WiFI makers (Score:5, Insightful)
802.11i
802.11i not only plugs all of the holes in WEP, it also uses AES encryption to get around all of the potential problems with RC4.
Right now, as I speak, err write, I can not buy an 802.11i compliant router with AES encryption. I've looked at Netgear's site. I've looked at Linksys's site. I've looked everywhere. There was a bunch of discussion about how 802.11i was going to be the next great thing in mid-2003, then a deafening silence.
If I want 802.11i right now, I can't get it.
I think the fact of the matter is that your average user is not willing to pay more than $50 for a wireless router. It is, of course, possible to make AES work fine with a router of that cost, but it is going to take a good deal of economies of scale in action to make a 1,000,000-transistor chip for implementing AES affordable at that price point.
802.11i is just not a buzzword in the buzz machine that all the tech magazines use. Until it becomes a buzzword, wireless networks will continue to be insecure.
(There is also a lot to be said for 802.11i being deployed on a wide enough scale that AES becomes ubiquitous. I would like to see special AES-specific op codes on x86 chips and have $5 co-processors available that can do AES at 100Mbps)
Re:This is the fault of consumers and the WiFI mak (Score:2)
Sure, it is not AES at the low level as 802.11i, but it is AES instead of RC4.
Some devices DO support 802.11i RIGHT NOW (Score:2)
ftp://ftp.linksys.com/sg/support/download/broadband_router/WRT54G_WRT54GS/WRT54GWRT54GSBeta_Firmware_for_Wireless_Transfer_Issues/ [linksys.com]
You'll need to have a card that supports wpa2 in the drivers as well. There are a few out there.
Re:This is the fault of consumers and the WiFI mak (Score:2)
I've been thinking of getting one for a long time. SSH, SSL, TLS, they all use AES as their strongest cipher. I also have IPsec and loop-aes setup, so I have even more reason to have one of those cards.
Do /.'s consider WPA "good enough"? (Score:3, Insightful)
Clearly unencrypted wireless is out, WEP too. But how about WPA? I personally feel that running VPN over WiFi would be best, but for many small businesses, the added complexity is hard to justify.
Let me put this another way, what do
Secure Wireless for Government (Score:4, Informative)
Solutions exist to implement secure WiFi, but it comes with a cost.
Harris makes an encrypted PCMCIA 802.11b based card that has high grade encryption built in. It certainly makes the system impossible to get into, but they're far from cheap ($2k+).
Product: SecNet11 [harris.com]
In the end, a lot of the exploitable networks come from either poor management, lack of information or lack of control within government areas.
No (Score:2, Interesting)
Army does it a bit better. (Score:3, Informative)
http://www.igov.com/informationtech/contracts/BBP
I can't link to the original because it's behind Army infrastructure, but I found a link out in the real world. It's not too bad. On Army installations, you are required to do layer 2 encryption, which is pretty good. However, the "road warriors" are not required to do layer 2 on the road. Layer 2 is not an easy thing, as we are finding...
And you trust your retirement to these folks? (Score:2)
My 2.5M, trailer mounted dish... (Score:2)
It's radio. It's not held back by windows. The 'good stuff' happens in the 'big guys' office. His office is high in the building with the nice view. The view goes both ways. The new Athlon 64 box is damn fast!
Now all I need is some surplus 'camo' paint.
Well.. (Score:2)
News at 11 (Score:3, Funny)
and in other news
The government is still a bloated inefficient model of stupidity
Water is still wet
and
New study proves that Fish's skin is wet
Not surprised. WiFi's too effin' complicated. (Score:3, Interesting)
Quite apart from the security aspect, which was handled by slapping WEP on it, it's a mess.
It can and does work with extremely simple networks (one transmitter, many receivers,) but it is absolutely terrible at topologies with repeaters.
Apple's Airport and 'Bonjour' (previously called 'RendezVous') is one of the worst at letting you build network topologies.
I have scrapped my AirPort base and a couple of 'pucks' because I, a friend AND a network guy I paid for were unable to set up my network.
I am now running a network of Macs and Windows PC on a single LinkSys wireless router because I'd had one since moving to my new place and NOT laying down some cable.
It was simple, secure (WEP & destination addresses so only a few IP addresses are actually exposed and port filtering,) and easy to install.
As for AirPort, Apple's vaunted skills at GUI utterly failed them this time. It's a dog's breakfast of confusing and seemingly contradictory options, 'build' directions and concepts which just don't friggin work.
I'm out $300 bucks on the Airport equipment but two guys and myself are much wiser when it comes to wireless. Friends don't let friends buy Airport.
Nice try Apple, but building networks should not be magic where you're never sure if doing one thing just undid another.
Your current GUI approach is totally inadequate, TOTALLY.
Not the FDA though (Score:3, Interesting)
If they can ever get away from the "use two consulting firms in an adversarial role" implementation model, they might see some benefits to their IT advances.
Wifi Blocking Paint (Score:2)
Re:Wifi Blocking Paint (Score:2)
Wonders for lead paint
Link to the actual report. (Score:3, Informative)
Not at NASA (Score:4, Interesting)
How does one do this? (Score:2)
Well no wonder the wireless security is a flop! If they can plug in they need wired security. Some people, sheesh..
Re:It is the US government (Score:3, Insightful)
2. $20,000 for a toilet seat breaks down into this:
$19975 for secret black-ops projects nobody will ever hear about.
$24 for the Toilet Seat
$1 for the liability insurance. You know, from the dangers a toilet seat can cause.
Re:It is the US government (Score:2)
$10,000 for the prime contractor who subs it out to MRAS.
$4,500 for MRAS who subs it out to a sub
$300 for the sub to build the seats
$50 ea for shipping
$50 for paperwork
$100 for the inspector (contractor) to make sure it meets the spec and upload the dimensions to DCA (or whatever the Defense Contracting Agency calls themselves these days) using their UNAUTHORIZED wireless network... I was beginning to wonder if I could still work the topic in here somewhere
Re:It is the US government (Score:3, Informative)
Re:It is the US government (Score:3, Informative)
1. integrated structural part of the airframe,
2. not release toxic gases on contact with combustion,
3. upon catastrophic failure not pose a physical hazard to the aircrew,
Re:It is the US government (Score:2)
You haven't been in an uber-cool office, have you? Executive types always want to show off that they got a $5000 laptop on the company's dime (or in this case, the gov't), so they want to be able to carry it around to various desks, ad nauseum. They want to sit down in the conference room, and/or move to their desk, without reconnecting wires.
Government suits are just as bad as business suits.
Let's not forget all the other associated uber-cool equipment they could have, like PDAs. I'm sure othe
Re:It is the US government (Score:2)
Boy, and I thought they just wanted to show everybody that they have a Blackberry.
Wrong metal!Re:The Pentagon Needs Aluminum Siding. (Score:2, Funny)
Some of the older posters might point out that "tin foil" caps were good enough to protect them from the gov
Re:Wrong metal!Re:The Pentagon Needs Aluminum Sidi (Score:2, Funny)
Re:WiMax (Score:3, Informative)
CP
Re:Can't blame them the unauthorized entries. (Score:2, Interesting)
Sadly, I really do not blame those that come in through the back door when so many are simply stealing from the front door.
WindBourne has a technical point, at the end of his non-slashdot-compative rant: even before wireless became useful/cheap/widespread, many folks feared any physical connection to a network that was "insecure"....for example, a Sun JumpStart server allowed (gasp) anonymous ftp access for images.