Vulnerability Development mailing list archives

Re: Wlan @ bestbuy is cleartext?


From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 1 May 2002 20:57:23 -0500 (CDT)

On Wed, 1 May 2002, Jonathan Bloomquist wrote:


> --- Ron DuFresne <dufresne () winternet com> wrote:
>
> -- snip --
>
> > And I know a lot of the discussion here so far has been directed at Best
> > Buy and others that have rolled out insecure wireless implementations,
> > and with some right to be not only shocked at these toys being placed as
> > they are into use by the companies in question.
>
> -- snip --
>
> > But, if we are going to direct efforts at blame and how to make such
> > toys as semi-secure as we can at present, let's make sure we point
> > fingers at those ultimately responsible for unsafe open default
> > configurations and hiding information deep in CDROMS from the end users'
> > attention about how to attempt to semi-secure these toys: the vendors,
> > Lucent, Cisco, and the others pushing out wireless capable toys without
> > safe default configurations to begin with.
>
> -- snip --
>
> Fair enough.  But there is a difference between home users and corporate
> users.  Home users want sexy hardware and they want it now.  Vendors can
> hardly be blamed for selling products when a market exists and it is
> hardly in their best interest to say, "Here it is but it may not be a
> good idea to use it if you like to keep your data secure."


If folks had not harassed M$ over the years about how poorly they dealt
with security, do you think we'd now see them making security a prime
concern? Well, at least they are marketing the idea that they are, and it
will soon be known if there is follow through...

The problem is, though, if you look at the various mapping ventures that
have taken place about the country, you'll note that home networks in
those maps tend to be far fewer than the corporate APs deployed.



> Corporate IT staff are paid to know better than to put insecure
> technology into production and they need to be held accountable if they
> make such a boneheaded move.


Again, view some of the mapping efforts made available.  Corporate IT
staff are *supposed* to know better, but really do not seem to.  This
follows with another paper soon to be pushed out on the current state of
security in corporate and government America <TISC Insight newsletter>.

We all know that IT has been notoriously understaffed and underfunded.
Consider also, despite the claims of corporate management types and those
in government that there just are not enough security knowledgeable techies
available, the current unemployment rollcalls show otherwise.  Both gov
and corp side are not willing to pay for and fund security.  They are
trying to push more tasks upon overworked jack-of-all-trades admins.
Admins tend to do and not to advise.  To advise puts them in the hotseat
too often, makes their job tougher if they do get an ear and funding to
do it right, and so they spend less time at home being family folks.  So,
security lags and remains mostly a lip-service common vocab issue.  It's a
reflection of what we see with issues in the travel industry now, as well
as the recent GAO infiltration of federal buildings in Atlanta.  In
reality, the costs of security are still too high for most to take it
seriously, especially when folks, as we've seen in this thread, have a
tendency to shirk personal responsibility and push all accountability to
someone else, say the credit card issuers...


> > Now, rather than hint at and push excerpts from, let's just be done with
> > it and push our venture to warn of the problems out to the public now;
> > folks are just not alarmed enough to do the research and fear these
> > toys being deployed in their environments, even after the work of many
> > we reference and cite in this paper which follows the original post
> > prompting its release here:
>
> I agree; how better to educate/scare people into researching their
> decisions than by media attention.  This is another argument for full
> disclosure - let 'em see what can happen and they might sit up and take
> notice.


We need bigger Larts <smile>...not all lusers sit at the desktop, many are
in the computer room next to you while others manage your department!

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
