Even if one could consider WPA 'draconian' you've obviously never worked in a corporate environment.
You /really/ think that, say, a bank can run an open wifi hotspot with access to its internal networks, in the middle of a large city, surrounded by its competitors?
I read your comments. I commented on your comments. Why is that hard to understand? I never claimed to be commenting on the article.
Good point. That's why I didn't offer an opinion about the article's advice.
I haven't read the article. I know nothing of the content. That's why I didn't comment on the content of the article.
OTOH, I read your OP, and I commented on what you wrote. That's all.
That's correct, I questioned your logic and interpretations. I still do.
What do you mean, 'instead of commenting on the validity of [your] interpretations'? Just 2 lines above you seemed to understand that I was questioning your (logic and) interpretations.
We're making progress. In your first response, you denied making a conclusion. But yes, I was curious as to how you arrived where you arrived, since your position didn't logically follow from what you quoted in your OP.
No he didn't. John wrote the original post, you replied noting Bruce Schneier's contentious article, and Jeff was commenting on the article.
And to reiterate - since you admit to not having read the article, to write a criticism of Jeff's comments on it seems... arrogant... for want of a better word.
Nice try, but no cigar. It looks to me like Jeff quoted a bit from that article, and then commented on it. I commented on his comments. It looked to me like he was completely missing the point (of the part that he quoted) and had come to a very faulty conclusion.
Would I have felt the same way if I had read the entire article? I don't know, but if the answer is yes then Jeff did a poor job of quoting from the article.
I disagree. I don't even know what the article's advice was. What I did comment on (I feel like a broken record, but a couple of folks seem to be particularly thick) was Jeff's comments following his quoted material.
Do you see something that isn't true?
Easy! Jeff quoted it! Did you even see his "I'm late for a free lunch post", or are you just coming into the thread now? Go back and read it and see for yourself. No need to make a fool of yourself like this.
Au contraire, mon ami. I wasn't referring to WPA as draconian, but to the implication that the same level of _network_ security should always be applied to internal users as to the outside world, which is often unacceptable to commercial customers. I also expected such a comment in reply and tend to resist the urge to mention experience, as analysis should stand on its own in a discussion, but I have done considerable U.S.G. and commercial networking.
In the interest of global harmony and universal peace, I'll explain how I derived my conclusion.
I read the article at:
from which I quoted and commented:
To generate the above, I disassembled the quotation in the order presented as:
in which the author affirms and re-affirms that WPA is a good security protocol. I just noticed that his use of the word "new" is rather odd, especially since WPA was introduced in late 2002 and has been available since 2003. Also, note the double negative. From this, I initially concluded that the author thinks highly of WPA encryption and, being a security expert, would advocate its use.
However, that was countered in the next sentence:
which refers to his own previous praise of WPA. It implies that WPA *MIGHT* have some fatal flaw in the future, which hints that it might not be suitable for general consumption. If someone suggested that Brand X of some product *MIGHT* have some fatal flaw, one would not generally consider such a testimonial as a recommendation.
At this point, I declared this to be FUD (fear, uncertainty, doubt) on the basis of the sentence in #3. No facts are presented. Only hints of doom and disaster. From my perspective, that's FUD.
Note that the original article (which you haven't read) would have been equally effective at making his points without this sentence. There's no connection between potential security flaws in WPA and running an open network. If you're going to run an open network, it's a non-issue. Yet, the author found it necessary to take a pot shot at WPA, which I find interesting. My guess(tm) is that he wasn't so sure of his recommendation to run an open network was all that good, and needed some more ammunition. So, he hints that the main method of securing a wireless network, is somehow useless because it *MIGHT* be flawed in the distant future.
At this point, I expected a discussion by the author on wireless security. Instead, he instantly changes topic to:
Huh? What happened to wireless security? It's for this reason and similar abrupt topic changes that I suspect that the original article may have been heavily edited or grafted together from bits and pieces. In any case, this change effectively ended any discussion on WPA by the author.
The rest of the article is about various risks and methods of running an open network. In the last paragraph, he announces:
which I presume to be the author's conclusion based on prospective flaws in WPA and that he and others have successfully "gotten away with it" by running an open wireless network without incident. I concluded that he is recommending that we also do the same; however, he doesn't have the guts to say that.
If you fail to appreciate my logic, that's fine. I don't expect everyone to think in precisely the same way. What I would find interesting is if you would condescend to read the original article, and comment on the author's advice, purpose, logic, and anecdotes.
Every election, some of my friends usually complain that this or that measure didn't pass or that their favorite politician wasn't elected. After listening to the logic and rationalizations, I ask, "Did you vote?" Quite often, the answer is "no", at which point I follow with "Then you don't have a right to an opinion". Read the article.
On Fri, 28 Nov 2008 12:11:32 -0800, Jeff Liebermann wrote in :
On further reflection, methinks this might have something to do with him still being a bit miffed at the way his Twofish algorithm was soundly trounced by Rijndael (Joan Daemen & Vincent Rijmen) in the Advanced Encryption Standard (AES) competition. WPA is of course based on AES. ;)
If that's true, why did you post the Bruce Schneier URL in the first place?
John Navas started by posting a wireless security checklist that features WPA as the prime method of achieving security.
You then followed up with:
By implication, using WPA means that one is not running an open access point. If the Wired Magazine article is not about running an open unsecured wireless system, precisely what is your "interesting counterpoint" all about?
Incidentally, I was going to write a satire in the style of the Wired Magazine article on driving the wrong way on the freeway. It's a great way to get anywhere fast. The risks are minimal because law enforcement is usually ineffective and besides, a good lawyer will get you off on technicalities and procedures. It also saves gasoline, taking the shortest path. Ad nauseam. I had planned to do this without ever advocating that anyone drive the wrong way on the freeway. Just vague implications and anecdotes of success stories.
However, I'm getting tired of all this. If you want to leave your house, car, business, or wireless wide open, by all means, please do so. Just don't tell other users who are not as technically astute, can't recognize an attack when they see one, and have no clue what's happening, to do the same. It should be Secure by Default.
Whatever. You've ceased to surprise me with your weaselly denials that you screwed up, and any lingering interest I might have had in getting you to see sense has died.
Following up to multiple posts at once ... I know that Jeff Liebermann is trying to put the thread to rest, and I'm risking waking up the horse just so I can beat it some more. I just want to clarify some points I've made and be sure that responses I've received are given their due ....
Jeff Liebermann wrote:
I prefer, and heartily recommend, regardless of wireless encryption, end-to-end encryption. If you don't trust your traffic in wireless space (because you can't control whether it can be intercepted in that space), why would you trust it travelling over wires you don't control?
Yes. That's precisely the point.
We differ here. I don't feel he trashed it, but rather put it in the same context as what I quoted from you just above ("no amount of security ..."), then pointed out that he operates his own wireless network without WPA, and makes a case why he believes this is a good thing.
Given a suitable definition of "security", perhaps, but then I would likely disagree with the definition of "security".
To get decent security, we must first understand what it is we are securing. Is it the data? Where is the data? What is the data's lifespan? Is it access to the computer(s)? Is it access to the network?
Securing each of these things is done differently than each of the others.
My sense on that is that it's case-by-case dependent, but more often than not, protecting the data regardless of access control on the network is warranted.
I agree that for most people it would not be advisable to leave network access open.
It controls access to, and encrypts *a portion* of the data transport, unless your data is residing strictly within an ad-hoc wireless network. At some point that data will travel on wires on its way to its ultimate destination. If you're concerned about protecting data in transit, you need to protect it end-to-end, not just over one (wired or wireless) link.
Agreed. I'm guessing, but I suspect the author assumes the reader is a regular reader and already knows about end-to-end encryption techniques. If my guess is correct, that's an unfortunate assumption.
For what it's worth, all of this is one reason why I don't like "op-ed", and I feel that such articles are frequently given much too much weight.
Bruce Schneier is respected among computer security professionals, but this article was quite obviously (to me, anyway) just an opinion piece. In my experience, Wired generally is.
I consider myself pretty good with computer and network security, perhaps even an "expert" (it is part of my job and has been for more than a few years). I'm not nervous about systems I manage (whether my own or managed for someone else).
I prefer security experts that are informed and prepared ... I don't want someone working with me who will do "anything" just for the sake of doing "something".
Only on that particular link. I see (and refer to) WPA as a form of access control. If you want to protect your data in transit, you need to protect it beyond that initial wireless link.
(quoting Bruce Schneier's statement about WPA)
Agreed.
John Navas wrote:
Not exactly. It's more like saying "condoms sometimes fail, and they're inconvenient" so I prefer to use a different (better) form of protection.
... and it does so by controlling access to your network.
WPA provides access control and encryption over one network link. It works well for that. Most people need their data protected between two endpoints that span multiple network links. WPA falls short on that.
Schneier points out in his article, however, that he feels he has the perfect alibi for such a case, precisely by keeping his wireless network access point unsecured. I wouldn't test that myself, by the way, nor would I recommend it, but it's relevant to the discussion in the context of the above quote.
Mark Mc> Then his article is highly disingenuous, or he really is a fool. Does
I'm not defending the article or its author. I was simply pointing out that one or more previous posters on this thread appear to have misinterpreted the point of the article. Your question would be best directed at the author.