Re: Wireless Security

[Austin Murkland <amurkland () merydion com>]

Herman Frederick Ebeling, Jr. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ----Original Message----
> From: Alloishus BeauMains [mailto:all0i5hu5 () gmail com]
> Sent: Tuesday, 18 October, 2005 09:34
> To: hfebelingjr () lycos com
> Cc: security-basics () securityfocus com
> Subject: Re: Wireless Security
>
> : Good points.
> :
> : A good level of paranoia isn't bad, as it will normally lead people to
> : take at least rudimentary precautions and take those reasonable
> : measures I mentioned.
>
> Yep, gotta agree that a little paranoia isn't a bad thing.  It's only when one
> reaches the "foil hat" stage that things
> have been taken to too far of an extreme. . .;-)
>
> : However, I note that there is a difference between the two analogies.
> : In the situation you mentioned, a person was allowed to use the car.
> : In that case, of course, the person who allowed an untrustworthy
> : person to use the car could be held accountable.
>
> Ok, this one I think we need to disagree to.  Just because person a) loans
> person b) his/her car doesn't mean that they
> should be held accountable for what that friend does.  Let's say that the friend
> in question instead of using the
> borrowed car to "run" drugs gets involved in a hit-and-run accident killing an
> innocent bystander.  Does that mean that
> the owner of the car should be held responsible?
>   

I'm not a lawyer, but in quite sure that in some circumstances, that's 
EXACTLY what happens.  Welcome to the American legal system.
>  The same is true with
> : a wireless connection. If you explicitly give someone permission to
> : use the wireless connection, and then they use it for nefarious
> : purposes, then you could be held liable.
>
> On this one too, I'd have to think that we'll have to again, disagree.  That's
> like saying that someone who has say an
> account with NetZero and they d/l "tons" of kiddie porn.  Does that make NetZero
> "guilty" as well???  I don't think so,
> and I think that their lawyers would agree with me.  Or that'd be like saying
> just because the criminals use the roads
> conduct their illegal activities that those who built the roads are also somehow
> "guilty" because of it.
>   
NetZero and similar services have indemnity clauses that you sign/agree 
to before using the service to protect it from EXACTLY what you mentioned.
>  If you give someone
> : permission to use your mailbox, and they decide to slip a brick of
> : coke in there, then you might be held liable.
>
> I would think that one would have to have an idea of WHY someone was wanting to
> use their mailbox and allow it to
> happen.  Or another way to look at it is like this.  Say someone rents a mailbox
> at a private company and they get
> "10-keys" of coke delivered to them at THAT address.  Does that make the private
> company just as guilty, as the persons
> who placed the order?
>   

Again Waiver/Clauses protecting them that you, *YOU* have to sign.  The 
absence of those waivers means YES, they are liable. 
> :
> : On the flip side, if you didn't give them permission, then they are
> : stealing. If your friend did not give his other friend permission to
> : use the car, and it is found to have drugs, then your friend would
> : report the car as stolen, which should, in a normal circumstance,
> : absolve him of any wrongdoing.
>
> Sadly the Military doesn't work the way that "normal" people think that it
> should. . .
>   
that...doesn't make sense.  he's right, by reporting it stolen he 
absolves himself from any wrongdoing that occurred while he was not in 
possession of his property.
> :
> : I would imagine that if you came home from work, and checked you
> : mailbox and found a brick of coke, then the most appropriate action
> : would be to call the police (No, not keep it and snort it, and no, not
> : sell it......the other dude might come looking after all). I would
> : also imagine that if you told the police the situation...that you just
> : checked your mail and there is a brick of coke, then they would
> : probably leave you alone after a few questions and probably send some
> : patrol cars to check out your neighborhood, stake out your
> : mailbox...etc etc.
>
> Unless the person who put the brick of coke in your mailbox was dumb enough NOT
> to wrap it in a "plain brown" wrapper
> how would one know that it was coke until AFTER they opened the package???
>   
I'm not sure what this analogy has to do with Wireless security...
> :
> : Likewise, many cities/states now have cybercrimes units that you could
> : call if you suspected someone using your network, and you can normally
> : call your isp and let them know of unauthorized activity.
>
> That's good to hear.
>   
abuse () domainofipaddressyoudidaWHOISon com is where you usually wanna 
send that stuff... after a 2 weeks with no response and repeated 
attempted, contact the local police, then the FBI.
> :
> : Lastly, the solution to this is the same as the solution to many other
> : issues....simply awareness. Many 70+ elders, for instance, would not
> : imagine that using their credit card over an unsecure network might
> : pose a risk. Most people simply need to be educated. In some cases, it
> : actually takes a bad occurrence (such as ID theft) to make someone see
> : the light.
>
> Yep, education IS the key to everything, which is why I started this in the
> first place.  And I've learned that just
> because something is "too" fantastic doesn't mean that someone won't have
> thought of it.  Which is/was something that
> we were told when I was in the Army.  If captured don't even make up any "plans"
> to tell the captures cause ya never
> know IF someone hasn't already put those "plans" to work. . .
>   
Educating people on security risks is a losing battle.  i refer you to 
the creator of the firewall, Marcus J. Ranum for more on that.
> :
> : PS: On a side note, I noticed that this did not get posted to the
> : Internet, or web. Am I posting this to the mailing list? Or am I
> : responding just to you? Is everyone seeing this, or just you? Do I
> : need to do anything other than reply? reply all? Or do I need to put
> : security-basics () securityfocus com in the send address?
>
> I think that ya need to hit the reply all button, and IF the
> security-basics () securityfocus com address isn't there then
> ya need to add it.
>
> Herman
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
>
> iQA/AwUBQ1VmWx/i52nbE9vTEQK05wCfW0Voy4JMHhBBaZMqYBsOxMXrsioAn3yW
> ZM086qyScefvvqP/zPbg2lIp
> =kiJo
> -----END PGP SIGNATURE-----
>
>
>
>
>