Wi-Fi: Essential Checklist

Even if one could consider WPA 'draconian', you've obviously never worked in a corporate environment.

You /really/ think that, say, a bank can run an open wifi hotspot with access to its internal networks, in the middle of a large city, surrounded by its competitors?

These are part of the answer, yes.

Reply to
Mark McIntyre

Thanks, but you're talking to the wrong person. Jeff wrote the OP and he alone controlled its context.

Reply to
Char Jackson

I read your comments. I commented on your comments. Why is that hard to understand? I never claimed to be commenting on the article.

Good point. That's why I didn't offer an opinion about the article's advice.

I haven't read the article. I know nothing of the content. That's why I didn't comment on the content of the article.

OTOH, I read your OP, and I commented on what you wrote. That's all.

That's correct, I questioned your logic and interpretations. I still do.

What do you mean, 'instead of commenting on the validity of [your] interpretations'? Just 2 lines above you seemed to understand that I was questioning your (logic and) interpretations.

We're making progress. In your first response, you denied making a conclusion. But yes, I was curious as to how you arrived where you arrived, since your position didn't logically follow from what you quoted in your OP.

I can see why.

Reply to
Char Jackson

No he didn't. John wrote the original post, you replied noting Bruce Schneier's contentious article, and Jeff was commenting on the article.

And to reiterate - since you admit to not having read the article, to write a criticism of Jeff's comments on it seems.... arrogant.... for want of a better word.

Reply to
Mark McIntyre

Yes you did - when you asserted that Jeff was either misinterpreting or misrepresenting it.

But you did.

if the above were true...

... then you were in no position to do this. How can you possibly question someone's interpretation of something you've not read yourself?

No, strike that, it was a rhetorical question. Politicians do it all the time, it's called "making stuff up to suit a personal agenda".

There's no point debating this further though - you've been caught in a lie and are too bull-headed to admit you screwed up. Lesson learned.

Reply to
Mark McIntyre

You're right. I thought Jeff's "I'm late for a free lunch" post was the start of the thread. I stand corrected.

I didn't note any articles, I only commented on Jeff's conclusions, with which I didn't agree.

I don't understand why you'd feel that way, but I respect your opinion and will give it all the consideration it deserves.

Reply to
Char Jackson

Nice try, but no cigar. It looks to me like Jeff quoted a bit from that article, and then commented on it. I commented on his comments. It looked to me like he was completely missing the point (of the part that he quoted) and had come to a very faulty conclusion.

Would I have felt the same way if I had read the entire article? I don't know, but if the answer is yes then Jeff did a poor job of quoting from the article.

I disagree. I don't even know what the article's advice was. What I did comment on, (I feel like a broken record but a couple of folks seem to be particularly thick), was Jeff's comments following his quoted material.

Do you see something that isn't true?

Easy! Jeff quoted it! Did you even see his "I'm late for a free lunch post", or are you just coming into the thread now? Go back and read it and see for yourself. No need to make a fool of yourself like this.

Nice.

Reply to
Char Jackson

Au contraire, mon ami. I wasn't referring to WPA as draconian, but to the implication that the same level of _network_ security is always indicated to be applied to internal users as to the outside world, which is often unacceptable to commercial customers. I also expected such a comment in reply and tend to resist the urge to mention experience, as analysis should stand on its own in a discussion, but I have done considerable U.S.G. and commercial networking.

Michael

Reply to
msg

In the interest of global harmony and universal peace, I'll explain how I derived my conclusion.

  1. I read the article at:

from which I quoted and commented:

  2. To generate the above, I disassembled the quotation in the order presented as:

which the author affirms and re-affirms that WPA is a good security protocol. I just noticed that his use of the word "new" is rather odd, especially since WPA was introduced in late 2002 and has been available since 2003. Also, note the double negative. From this, I initially concluded that the author thinks highly of WPA encryption and, being a security expert, would advocate its use.

  3. However, that was countered in the next sentence:

which refers to his own previous praise of WPA. It implies that WPA *MIGHT* have some fatal flaw in the future, which hints that it might not be suitable for general consumption. If someone suggested that Brand X of some product *MIGHT* have some fatal flaw, one would not generally consider such a testimonial as a recommendation.

  4. At this point, I declared this to be FUD (fear, uncertainty, doubt) on the basis of the sentence in #3. No facts are presented. Only hints of doom and disaster. From my perspective, that's FUD.
  5. Note that the original article (which you haven't read) would have been equally effective at making his points without this sentence. There's no connection between potential security flaws in WPA and running an open network. If you're going to run an open network, it's a non-issue. Yet, the author found it necessary to take a pot shot at WPA, which I find interesting. My guess(tm) is that he wasn't so sure that his recommendation to run an open network was all that good, and needed some more ammunition. So, he hints that the main method of securing a wireless network is somehow useless because it *MIGHT* be flawed in the distant future.
  6. At this point, I expected a discussion by the author of wireless security. Instead, he instantly changes topic to:

Huh? What happened to wireless security? It's for this reason and similar abrupt topic changes that I suspect that the original article may have been heavily edited or grafted together from bits and pieces. In any case, this change effectively ended any discussion on WPA by the author.

  7. The rest of the article is about various risks and methods of running an open network. In the last paragraph, he announces:

which I presume to be the author's conclusion based on prospective flaws in WPA and that he and others have successfully "gotten away with it" by running an open wireless network without incident. I concluded that he is recommending that we also do the same, however he doesn't have the guts to say that.

If you fail to appreciate my logic, that's fine. I don't expect everyone to think in precisely the same way. What I would find interesting is if you would condescend to read the original article, and comment on the author's advice, purpose, logic, and anecdotes.

Every election, some of my friends usually complain that this or that measure didn't pass or that their favorite politician wasn't elected. After listening to the logic and rationalizations, I ask "Did you vote"? Quite often, the answer is "no", at which point I follow with "Then you don't have a right to an opinion". Read the article.

Reply to
Jeff Liebermann

On Sun, 30 Nov 2008 11:26:52 +0000, Mark McIntyre wrote in :

How about "ignorant"? "Lazy"? "Judgmental"?

Reply to
John Navas

On Sun, 30 Nov 2008 05:07:00 -0600, Char Jackson wrote in :

I've added "pedantic" and "supercilious" to the list.

Reply to
John Navas

On Sun, 30 Nov 2008 11:30:37 +0000, Mark McIntyre wrote in :

Yep.

Reply to
John Navas

On Sun, 30 Nov 2008 09:52:23 -0800, Jeff Liebermann wrote in :

Amen.

Reply to
John Navas

On Fri, 28 Nov 2008 12:11:32 -0800, Jeff Liebermann wrote in :

On further reflection, methinks this might have something to do with him still being a bit miffed at the way his Twofish algorithm was soundly trounced by Rijndael (Joan Daemen & Vincent Rijmen) in the Advanced Encryption Standard (AES) competition. WPA is of course based on AES. ;)

Reply to
John Navas

If that's true, why did you post the Bruce Schneier URL in the first place?

John Navas started by posting a wireless security checklist that features WPA as the prime method of achieving security.

You then followed up with:

By implication, using WPA means that one is not running an open access point. If the Wired Magazine article is not about running an open unsecured wireless system, precisely what is your "interesting counterpoint" all about?

Incidentally, I was going to write a satire in the style of the Wired Magazine article on driving the wrong way on the freeway. It's a great way to get anywhere fast. The risks are minimal because law enforcement is usually ineffective and besides, a good lawyer will get you off on technicalities and procedures. It also saves gasoline, taking the shortest path. Ad nauseam. I had planned to do this without ever advocating that anyone drive the wrong way on the freeway. Just vague implications and anecdotes of success stories.

However, I'm getting tired of all this. If you want to leave your house, car, business, or wireless wide open, by all means, please do so. Just don't tell other users who are not as technically astute, can't recognize an attack when they see one, and have no clue what's happening, to do the same. It should be Secure by Default.

Reply to
Jeff Liebermann
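The "Secure by Default" point above, and the checklist's choice of WPA as the prime control, can be turned into a check you can run against an access point's configuration. The following is an added example for this page, not code from the thread, from the checklist, or from the hostapd project: it parses a hostapd.conf and flags the settings that amount to leaving the network open or on legacy protection. It uses the hostapd option names documented in hostapd.conf (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, wpa_psk, wep_default_key, wep_keyN, ieee80211w); the passphrase length floor is an assumed local policy, and the three sample configurations are constructed for the demo.

```python
"""Flag weak wireless settings in a hostapd.conf.

Added example for this thread, not code from the thread, from hostapd, or from
the checklist. Option names follow the hostapd.conf documentation; the
passphrase floor and the three sample configurations are constructed for the
demo.
"""
from __future__ import annotations

# Assumption: a local policy floor. hostapd itself only requires 8 characters.
MIN_PASSPHRASE_LEN = 16

MESSAGES = {
    "WEP": "WEP keys present: WEP is broken, remove the wep_* options",
    "OPEN": "wpa=0: open network, no authentication and no encryption on the air",
    "WPA1": "wpa=1 or wpa=3: legacy WPA (TKIP) accepted, set wpa=2 only",
    "TKIP": "TKIP listed in wpa_pairwise/rsn_pairwise, restrict to CCMP",
    "SHORT_PSK": f"wpa_passphrase shorter than {MIN_PASSPHRASE_LEN} characters",
    "NO_PMF": "ieee80211w missing or 0: management frames unprotected",
}


def parse_hostapd(text: str) -> dict[str, str]:
    """Parse hostapd's key=value format; blank lines and '#' comments are skipped."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict[str, str]) -> list[str]:
    """Return finding codes (keys of MESSAGES) in the order they were detected."""
    findings: list[str] = []
    if any(k == "wep_default_key" or k.startswith("wep_key") for k in conf):
        findings.append("WEP")
    wpa = conf.get("wpa", "0")  # hostapd default is 0 (no WPA)
    if wpa == "0":
        findings.append("OPEN")
        return findings  # nothing below applies to an open network
    if wpa in ("1", "3"):
        findings.append("WPA1")
    # wpa_pairwise governs WPA, rsn_pairwise governs WPA2; check both lists.
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP")
    # Only a passphrase (not a raw 256-bit wpa_psk) has a length worth checking.
    if "WPA-PSK" in conf.get("wpa_key_mgmt", "WPA-PSK").split() and "wpa_psk" not in conf:
        if len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append("SHORT_PSK")
    if conf.get("ieee80211w", "0") == "0":
        findings.append("NO_PMF")
    return findings


def report(name: str, text: str) -> str:
    """Human-readable summary for one configuration."""
    codes = audit(parse_hostapd(text))
    head = f"{name}: " + ("OK" if not codes else f"{len(codes)} finding(s)")
    return "\n".join([head] + [f"  - {MESSAGES[c]}" for c in codes])


# Constructed samples for the demo, not taken from any real deployment.
OPEN_CONF = """
interface=wlan0
ssid=coffeeshop
hw_mode=g
channel=6
wpa=0
"""

LEGACY_CONF = """
interface=wlan0
ssid=home
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=letmein1
"""

HARDENED_CONF = """
interface=wlan0
ssid=home
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2008
ieee80211w=2
"""

if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(report(name, text))
```

Run it as is to see the three sample verdicts, or point `report()` at the contents of a real hostapd.conf. The open configuration stops at a single finding on purpose: once wpa=0 there is no cipher or passphrase to evaluate, which is exactly the "Secure by Default" complaint.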

From my point of view it was interesting to read a contrarian view that included some discussion of the risk analysis process.

Probably should have included a bit of my own text in with the reply to stage it in the manner that I meant.

John

Reply to
John Mason Jr

Whatever. You've ceased to surprise me with your weaselly denials that you screwed up, and any lingering interest I might have had in getting you to see sense has died.

Which was impossible without reading the article.

Exactly.

Reply to
Mark McIntyre

On Mon, 01 Dec 2008 08:42:31 -0500, John Mason Jr wrote in :

The risk analysis was seriously flawed.

Reply to
John Navas

Following up to multiple posts at once ... I know that Jeff Liebermann is trying to put the thread to rest, and I'm risking waking up the horse just so I can beat it some more. I just want to clarify some points I've made and be sure that responses I've received are given their due ....

Jeff Liebermann wrote:

I prefer, and heartily recommend, regardless of wireless encryption, end-to-end encryption. If you don't trust your traffic in wireless space (because you can't control whether it can be intercepted in that space), why would you trust it travelling over wires you don't control?

Yes. That's precisely the point.

We differ here. I don't feel he trashed it, but rather put it in the same context as what I quoted from you just above ("no amount of security ..."), then pointed out that he operates his own wireless network without WPA, and makes a case why he believes this is a good thing.

Given a suitable definition of "security", perhaps, but then I would likely disagree with the definition of "security".

To get decent security, we must first understand what it is we are securing. Is it the data? Where is the data? What is the data's lifespan? Is it access to the computer(s)? Is it access to the network?

Securing each of these things is done differently than each of the others.

My sense on that is that it's case-by-case dependent, but more often than not, protecting the data regardless of access control on the network is warranted.

I agree that for most people it would not be advisable to leave network access open.

It controls access to, and encrypts *a portion* of the data transport, unless your data is residing strictly within an ad-hoc wireless network. At some point that data will travel on wires on its way to its ultimate destination. If you're concerned about protecting data in transit, you need to protect it end-to-end, not just over one (wired or wireless) link.

Agreed. I'm guessing, but I suspect the author assumes the reader is a regular reader and already knows about end-to-end encryption techniques. If my guess is correct, that's an unfortunate assumption.

For what it's worth, all of this is one reason why I don't like "op-ed", and I feel that such articles are frequently given much too much weight.

Bruce Schneier is respected among computer security professionals, but this article was quite obviously (to me, anyway) just an opinion piece. In my experience, Wired generally is.

I consider myself pretty good with computer and network security, perhaps even an "expert" (it is part of my job and has been for more than a few years). I'm not nervous about systems I manage (whether my own or managed for someone else).

I prefer security experts that are informed and prepared ... I don't want someone working with me who will do "anything" just for the sake of doing "something".

Only on that particular link. I see (and refer to) WPA as a form of access control. If you want to protect your data in transit, you need to protect it beyond that initial wireless link.

(quoting Bruce Schneier's statement about WPA)

Agreed.

John Navas wrote:

Not exactly. It's more like saying "condoms sometimes fail, and they're inconvenient" so I prefer to use a different (better) form of protection.

... and it does so by controlling access to your network.

WPA provides access control and encryption over one network link. It works well for that. Most people need their data protected between two endpoints that span multiple network links. WPA falls short on that.

Schneier points out in his article, however, that he feels he has the perfect alibi for such a case, precisely by keeping his wireless network access point unsecured. I wouldn't test that myself, by the way, nor would I recommend it, but it's relevant to the discussion in the context of the above quote.

Mark Mc> Then his article is highly disingenuous, or he really is a fool. Does

I'm not defending the article or its author. I was simply pointing out that one or more previous posters on this thread appear to have misinterpreted the point of the article. Your question would be best directed at the author.

Reply to
Sylvain Robitaille

Not enough information to tell, as he doesn't detail the extent of other controls on his home network.

John

Reply to
John Mason Jr
