Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Wlan @ bestbuy is cleartext?

From: "Oliver Petruzel" <opetruzel () cox rr com>
Date: Thu, 2 May 2002 02:20:35 -0400
FYI: local circuit cities suffer too, or the one near me atleast... (I
heard!: they have a lan at the local CC that has ssid "CCsecurelan" and
no WEP... all cleartext and dhcp... rumor though=not MY findings!)
perhaps just a demo wlan...?

/oliver p.



-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Thursday, May 02, 2002 12:27 AM
To: Jonathan Bloomquist
Cc: vuln-dev () securityfocus com
Subject: Re: Wlan @ bestbuy is cleartext? 

On Wed, 01 May 2002 18:21:23 PDT, Jonathan Bloomquist said:

Corporate IT staff are paid to know better than to put
insecure technology into production and they need to
be held accountable if they make such a boneheaded
move.


How many corporate networks have dumped Outlook so far?

How many corporate sites still run IIS because a conversion to
Apache would be even more costly than getting hacked every 2 months?

It's *quite* possible that at least some of these IT staffers did
the calculation: "Hmm... if we deploy this, we can expect $2M/year in
writeoffs due to guys out in the parking lot with pringle-can yagis, but
we'll save $4M/year, so we'll be ahead anyhow..."  It's all trade-offs,
and nothing news to the big corporations - I'm *positive* that the
master
financial plan for Best Buy already has a line item for "write off 2.3%
of all credit card transactions" and that such write-offs are a standard
part of doing business.  They may decide that it's easier and cheaper to
just raise their write-off margin to 2.7% rather than fix the
problem....

And factor *THIS* into the equation - let's say that Very Large Chain
Q-Mart decides to run wireless without any security.  Perhaps they had
a *reason*.  Like - if any security is disabled, you can deploy devices
that can hop onto the net without any assistance - so it's safe to give
these handheld scanners/etc to a $7/hour functional illiterate.  On the
other hand, if security is enabled, it's quite possible for the device
to get confused and be unable to talk.  This not only means that you've
just idled the $7/hour worker until it's fixed, it means you need to
find
an actual *literate* and *competent* person, who's probably costing you
a lot MORE than $7/hour, to unsnarl the mess and figure out what
happened.

                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
Previous By Date Next
Previous By Thread Next

Current thread: