[52238] in North American Network Operators' Group


Re: Wireless insecurity at NANOG meetings

daemon@ATHENA.MIT.EDU (Randy Bush)
Sun Sep 22 07:49:37 2002

From: Randy Bush <randy@psg.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: nanog@merit.edu
Date: Sun, 22 Sep 2002 04:49:08 -0700
Errors-To: owner-nanog-outgoing@merit.edu


> The trouble is that not using WEP looks like you're not bothering
> with the low level of security that's available in wireless. The
> fact that WEP only adds a 15 second - 15 minute delay to full
> access to the network both for legitimate and not-so-legitimate
> users means it offers more annoyance than security, but that
> doesn't alter the perception.

but it adds annoyance for the intended users.  in the case of non-
techs, considerable annoyance.  and it gives negligible privacy.

>> There are also people ssh'ing to personal and corporate machines
>> from the terminal room where the root password is given out or
>> easily available.
> Are you saying people shouldn't SSH?

a prudent user does not ssh _from_ a machine they don't control or
strongly trust whoever controls it.  and a public machine should be
presumed to be dangerous.  i don't ssh from the laptop of a friend
to whom i would not give root access to all of my machines.

the common attacks at nanog/ietf/... are

  o intentional from the outside.  one should be very prudent with
    measures on servers etc, and install and monitor an ids such
    as bro.  this is bog standard net and system administration.

  o intentional over the wireless.

    - the users need to be told how to operate more safely, use
      end-to-end authentication and privacy, etc.  it's a matter of
      education.  and the education will stand them in good stead
      when they use 802.11 at starbucks, airports, etc.  we do this
      at ietf, but it is not allowed at nanog.

    - users need to be told when they're operating unwisely.  we
      post passwords or other embarrassing, but not revealing,
      data.  we will do this at the atlanta ietf, but it is not
      allowed at nanog.

    - and we need to monitor the air traffic to detect when users
      are actually being exploited.  this is an ops/research area,
      but is being played with at ietf, but is not allowed at
      nanog.

  o unintentional dos of the wireless.  this is caused by users'
    mis-configurations of various kinds, win/mac configured as
    access points, ad hoc mode, ...  detecting and dousing these
    are still an ops/research area.

as far as i can determine, the reason standard education and
defenses are not allowed at nanog is because we fear the nanog net
operators monitoring traffic.  i.e. we would rather have users
raped than have prudent folk notice them in their skivvies.  hear
no evil, see no evil, speak no evil.  it's a comfortable feeling.

randy

