Re: Wireless Security

From: Austin Murkland (amurkland_at_merydion.com)
Date: 10/19/05

  • Next message: xyberpix: "Re: prohibiting visitors from connecting to network" 
    Date: Tue, 18 Oct 2005 17:39:42 -0700
To: hfebelingjr@lycos.com, security-basics@securityfocus.com

    Herman Frederick Ebeling, Jr. wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > - ----Original Message----
    > From: Alloishus BeauMains [mailto:all0i5hu5@gmail.com]
    > Sent: Tuesday, 18 October, 2005 09:34
    > To: hfebelingjr@lycos.com
    > Cc: security-basics@securityfocus.com
    > Subject: Re: Wireless Security
    >
    > : Good points.
    > :
    > : A good level of paranoia isn't bad, as it will normally lead people to
    > : take at least rudimentary precautions and take those reasonable
    > : measures I mentioned.
    >
    > Yep, gotta agree that a little paranoia isn't a bad thing. It's only when one
    > reaches the "foil hat" stage that things
    > have been taken to too far of an extreme. . .;-)
    >
    > : However, I note that there is a difference between the two analogies.
    > : In the situation you mentioned, a person was allowed to use the car.
    > : In that case, of course, the person who allowed an untrustworthy
    > : person to use the car could be held accountable.
    >
    > Ok, this one I think we need to disagree to. Just because person a) loans
    > person b) his/her car doesn't mean that they
    > should be held accountable for what that friend does. Let's say that the friend
    > in question instead of using the
    > borrowed car to "run" drugs gets involved in a hit-and-run accident killing an
    > innocent bystander. Does that mean that
    > the owner of the car should be held responsible?
    >

    I'm not a lawyer, but in quite sure that in some circumstances, that's
    EXACTLY what happens. Welcome to the American legal system.
    > The same is true with
    > : a wireless connection. If you explicitly give someone permission to
    > : use the wireless connection, and then they use it for nefarious
    > : purposes, then you could be held liable.
    >
    > On this one too, I'd have to think that we'll have to again, disagree. That's
    > like saying that someone who has say an
    > account with NetZero and they d/l "tons" of kiddie porn. Does that make NetZero
    > "guilty" as well??? I don't think so,
    > and I think that their lawyers would agree with me. Or that'd be like saying
    > just because the criminals use the roads
    > conduct their illegal activities that those who built the roads are also somehow
    > "guilty" because of it.
    >
    NetZero and similar services have indemnity clauses that you sign/agree
    to before using the service to protect it from EXACTLY what you mentioned.
    > If you give someone
    > : permission to use your mailbox, and they decide to slip a brick of
    > : coke in there, then you might be held liable.
    >
    > I would think that one would have to have an idea of WHY someone was wanting to
    > use their mailbox and allow it to
    > happen. Or another way to look at it is like this. Say someone rents a mailbox
    > at a private company and they get
    > "10-keys" of coke delivered to them at THAT address. Does that make the private
    > company just as guilty, as the persons
    > who placed the order?
    >

    Again Waiver/Clauses protecting them that you, *YOU* have to sign. The
    absence of those waivers means YES, they are liable.
    > :
    > : On the flip side, if you didn't give them permission, then they are
    > : stealing. If your friend did not give his other friend permission to
    > : use the car, and it is found to have drugs, then your friend would
    > : report the car as stolen, which should, in a normal circumstance,
    > : absolve him of any wrongdoing.
    >
    > Sadly the Military doesn't work the way that "normal" people think that it
    > should. . .
    >
    that...doesn't make sense. he's right, by reporting it stolen he
    absolves himself from any wrongdoing that occurred while he was not in
    possession of his property.
    > :
    > : I would imagine that if you came home from work, and checked you
    > : mailbox and found a brick of coke, then the most appropriate action
    > : would be to call the police (No, not keep it and snort it, and no, not
    > : sell it......the other dude might come looking after all). I would
    > : also imagine that if you told the police the situation...that you just
    > : checked your mail and there is a brick of coke, then they would
    > : probably leave you alone after a few questions and probably send some
    > : patrol cars to check out your neighborhood, stake out your
    > : mailbox...etc etc.
    >
    > Unless the person who put the brick of coke in your mailbox was dumb enough NOT
    > to wrap it in a "plain brown" wrapper
    > how would one know that it was coke until AFTER they opened the package???
    >
    I'm not sure what this analogy has to do with Wireless security...
    > :
    > : Likewise, many cities/states now have cybercrimes units that you could
    > : call if you suspected someone using your network, and you can normally
    > : call your isp and let them know of unauthorized activity.
    >
    > That's good to hear.
    >
    abuse@domainofipaddressyoudidaWHOISon.com is where you usually wanna
    send that stuff... after a 2 weeks with no response and repeated
    attempted, contact the local police, then the FBI.
    > :
    > : Lastly, the solution to this is the same as the solution to many other
    > : issues....simply awareness. Many 70+ elders, for instance, would not
    > : imagine that using their credit card over an unsecure network might
    > : pose a risk. Most people simply need to be educated. In some cases, it
    > : actually takes a bad occurrence (such as ID theft) to make someone see
    > : the light.
    >
    > Yep, education IS the key to everything, which is why I started this in the
    > first place. And I've learned that just
    > because something is "too" fantastic doesn't mean that someone won't have
    > thought of it. Which is/was something that
    > we were told when I was in the Army. If captured don't even make up any "plans"
    > to tell the captures cause ya never
    > know IF someone hasn't already put those "plans" to work. . .
    >
    Educating people on security risks is a losing battle. i refer you to
    the creator of the firewall, Marcus J. Ranum for more on that.
    > :
    > : PS: On a side note, I noticed that this did not get posted to the
    > : Internet, or web. Am I posting this to the mailing list? Or am I
    > : responding just to you? Is everyone seeing this, or just you? Do I
    > : need to do anything other than reply? reply all? Or do I need to put
    > : security-basics@securityfocus.com in the send address?
    >
    > I think that ya need to hit the reply all button, and IF the
    > security-basics@securityfocus.com address isn't there then
    > ya need to add it.
    >
    > Herman
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 8.0.3
    >
    > iQA/AwUBQ1VmWx/i52nbE9vTEQK05wCfW0Voy4JMHhBBaZMqYBsOxMXrsioAn3yW
    > ZM086qyScefvvqP/zPbg2lIp
    > =kiJo
    > -----END PGP SIGNATURE-----
    >
    >
    >
    >
    >

  • Next message: xyberpix: "Re: prohibiting visitors from connecting to network"