Slashdot Mirror


802.1X Security Overview

HJ Franzen writes "Ars Technica have what they call a wireless security blackpaper posted that's well worth a read. I wish this was available when I was spec'ing wireless VPN solutions for my campus. The article is pretty detailed and discusses the many ways in which companies are trying to address the fatal flaws in WEP."

9 of 98 comments

  1. End the ban by Anonymous Coward · · Score: -1, Offtopic

    The censorship is getting out of Control. Next week, Slashdot will join forces with the RIAA.

  2. Slashcode Updates by Anonymous Coward · · Score: -1, Offtopic

    Many of you have noticed that CmdrTaco has changed a few things in Slashcode this week. The three changes I've observed so far are:
    Karma displayed as an adjective
    Karma score determines posting limit
    Client IP addresses placed in readonly mode more easily
    None of these are earth-shattering, so I'm going to cover them as a group.

    Karma score determines posting limit:
    Taco reminds everyone in this (non-archived) post that:
    "KARMA DOES NOT MATTER". He goes on to prove this by making karma determine how many times you can post a day. Remember, you shouldn't use all caps, because caps is like being wrong. Here's a summary of how important karma actually is now, and while some of these details may be off, this reflects my best knowledge from reading Slashcode:
    Karma: (PPD is posts per day)
    26_50 : Post at 2, 25 PPD, Karma = Excellent
    12_25 : Post at 1, 10 PPD, Karma = Good
    1_12 : Post at 1, 10 PPD, Karma = Positive
    Zero : Post at 1, 10 PPD, Karma = Neutral
    -9_-1 : Post at 0, 2 PPD, Karma = Bad
    -24_-10: Post at -1, 2 PPD, Karma = Terrible

    Note that (as Taco points out) these are the default values in Slashcode atm; Slashdot itself may at any time be running with different values. Each IPID/SubnetId is allowed 10 AC posts per day, unless an IP is being 'abused', at which point things get more complicated. So the land of -1 trolling should be moving to threshold Zero, AC. Taco stated on IRC that the rate limiting change was made to prevent scripted crapflooding from -1 Accounts. I'd love to see a link to this crapflooding (I've never seen it) so if any of you have seen it, email me at operation_mongoose 'at' ziplip.com.

    Karma adjectives:
    Here's CmdrTaco's journal on the subject, and here's the non-archived discussion on the topic. Read it while you can, it will be deleted in two weeks. Taco states that he didn't just enable comments in his journal because he "didn't want people trolling his journal". Additionally, all the comments he made WRT to changes in the Karma system will be deleted. Make of this what you will.

    Client IP addresses placed in readonly mode more easily
    My details on this aren't very good, but as many have pointed out, the "readonly" error message seems to be popping up more often. The message is "You can't post to this page." and it appears when your IP address has been marked readonly. Basically, readonly mode means you're banned from posting anything, but you can still read the site. I think the only modification was one to the criteria for being placed in readonly mode, but I don't know exactly what the change is, only that pudge mentioned in IRC that he turned it up too high, and that now everything should be "Ok

  3. FP! by Anonymous Coward · · Score: -1, Offtopic

    That's it!!

  4. Read only mode permanent? by Anonymous Coward · · Score: -1, Offtopic

    I think this needs to be investigated

  5. Great Read. by two-bookoo! · · Score: -1, Offtopic

    Cutting and pasting into KWord - changing the author to me-

  6. WinXP Shows where MS is Going by poopbot by Anonymous Coward · · Score: -1, Offtopic

    Windows XP Shows the Direction Microsoft is Going.

    "I've heard WinXP removed the cmd/command prompt."

    No, Microsoft didn't remove the CMD.EXE or COMMAND.COM prompt from Windows XP. But Windows XP has reduced functionality, in many ways, not just in the command line. The command line is a big embarrassment because of its limited capabilities, but at least in Win 95 it worked. With every version since then it has worked less well. (There are two kinds of command prompt, and, according to Microsoft employees, the differences between them are not documented.)

    The command line prompt sometimes begins to display short file names. Microsoft employees say that Microsoft has no fix, although someone not connected with Microsoft did make a work-around.

    Cutting and pasting into a command line program often puts successive extra spaces before each line. Microsoft employees say that there is no plan to fix this.

    The fast paste mode that is in Windows 98 is gone in Windows XP. Microsoft employees say there is no plan to fix this.

    When using the command line interface, Windows XP doesn't always update the time. After several hours, the time reported to command line programs can be several hours in error.

    There is a DOS program called START.EXE that can be used to start other programs. But it does operate the same way as in other versions of Windows. It starts a program, but cannot be made to return control to the command line program as previous versions did. There is no technical reason for this; it is just one of the shortcomings that are allowed to exist.

    People often say that DOS has gone away. But Microsoft still calls the command line interface DOS, and in Windows XP Microsoft has added new programs for configuring the OS that work only under DOS.

    Sometimes when you press a key while using Windows XP, it is seconds until there is any response. Apparently there is something wrong with the CPU scheduler in XP, because there are a lot of complaints about this in the forums and MS people have said that they are working on it. On one particular fresh installation of XP, on an Intel motherboard with either a Matrox G550 or an ATI Radeon video adapter, it requires 18 seconds to display a directory listing of 94 items. This is apparently related to a bug in the video software, not the adapter drivers.

    Something is wrong with the Alt-Tab display of running programs under Windows XP. If there are a lot of programs, not all of them are displayed. The order jumps around in a seemingly random way.

    Although articles often say negative things about Microsoft, I've never seen an article that fully documents how bad the situation really is. Microsoft's management is so bad that the company has become self-destructive. For example, Windows XP is spyware. Here is a list of ways Windows XP connects to Microsoft's servers:
    1. Application Layer Gateway Service (Requires server rights.)
    2. Fax Service
    3. File Signature Verification
    4. Generic Host Process for Win32 Services (Requires server rights.)
    5. Microsoft Application Error Reporting
    6. Microsoft Baseline Security Analyzer
    7. Microsoft Direct Play Voice Test
    8. Microsoft Help and Support Center
    9. Microsoft Help Center Hosting Server (Wants server rights.)
    10. Microsoft Management Console
    11. Microsoft Media Player (tells Microsoft the music you like)
    12. Microsoft Network Availability Test
    13. Microsoft Volume Shadow Copy Service
    14. MS DTC Console program
    15. Run DLL as an app
    16. Services and Controller app
    17. Time Service, sets the time on your computer from Microsoft's computer.
    18. Microsoft Office keeps a number in each file you create that identifies your computer. Microsoft has never said why.
    19. Microsoft mouse software has reduced functionality until you let it connect to Microsoft computers.
    These are just the ones I know. There may be others.

    So, if you use Windows XP, your computer is dependent on Microsoft computers. That's bad, not only because you lose control over your possession, but because Microsoft produces buggy software and doesn't patch bugs quickly. For example, as of July 7, 2002, there are 18 unpatched security holes in Microsoft Internet Explorer. This is a terrible record for a company that has $40 billion in the bank. Obviously, with that kind of money, Microsoft could fix the bugs if it wanted to fix them. Since the bugs are very public and Microsoft has the money, it seems reasonable to suppose that top management at Microsoft has deliberately decided that the bugs should remain, at least for now.

    It seems possible that there is a connection between all the bugs and the U.S. government's friendly treatment of Microsoft's law-breaking. The U.S. government's CIA and FBI and NSA departments spy on the entire world, and unpatched vulnerabilities in Microsoft software help spies.

    Windows XP, and all current Windows operating systems, have a file called the registry in which configuration information is written. If this one (large, often fragmented) file becomes corrupted, the only way of recovering may be to re-format the hard drive, re-install the operating system, and then re-install and re-configure all the applications. The registry file is a single, very vulnerable, point of failure. Microsoft apparently designed it this way to provide copy protection. Since most entries in the registry are poorly documented or not documented, the registry effectively prevents control by the user.

    Note that Microsoft does not support making functional complete backups under Windows XP. Look at Microsoft's policy about this: Q314828 Microsoft Policy on Disk Duplication of Windows XP Installation. Only those who work with Microsoft software will understand the true meaning of Microsoft's policy. Since almost all programs use the registry operating system file, if you cannot make a functional copy of the operating system you cannot make a functional copy of all your application installations and configurations. There are other software companies that try to fix this, but they don't work well, and Microsoft can, of course, break their implementations, as they have often done with other kinds of competitors.

    Because the configuration information for the motherboard and the configuration information for the are mixed together in the registry file, the registry tends to prevent you from moving a hard drive to a computer with a different motherboard. That's another implication of the above Microsoft policy. So, if you have a motherboard failure, and a good complete backup, you may not be able to recover unless you have a spare computer with the same motherboard.

    Note that Windows XP Professional can support only ten simultaneous incoming network connections. If you want more than that, you must use Windows 2000 server, and pay much, much more. (There is no Windows XP server yet.) Many businesses have very light network traffic; they just move files from staff member to staff member; they really don't need a dedicated server computer. The staff computers could easily handle the load except for this artificial limitation.

    Apparently because the Windows XP GUI comes from Windows 98, Windows XP has the same problem with desktop icons that Windows 98 has. The icons sometimes flicker. Sometimes they move themselves around, particularly after the user switches monitor resolutions. Also, sometimes the taskbar settings un-configure themselves, as they do in Windows 98.

    Only technically knowledgeable people know how to avoid signing up for a Microsoft Passport account during initial use of Windows XP. The name Passport gives an indication of Microsoft's thinking. A passport is a document issued by a sovereign nation. Without it, the nation's citizens cannot travel, and, if they leave, won't be allowed back in their own country. In Microsoft's corporate thinking, the company seems to be moving in the direction of believing that they own the user's computer. Most people are both honest and intimidated. Apparently about 95% do whatever they are asked on the screen. They give their personal information to Microsoft. They don't realize that, if they feel forced to get a Passport account, they should enter almost completely fictitious information, since the real question is not "What is your name and address", but "Can we invade your privacy". The honest answer to this is "No, you cannot invade my privacy", and the only effective way to communicate that is to give completely fictitious information. Since it is the educated people who have computers, Microsoft is building a database of the personal lives of educated people. Microsoft knows when they connect and from what IP address (which tends to show the area), what kind of help they ask, and information about what they are doing with their computers, including what music they like. It is not known, and there is no way to know, how much Microsoft or other organizations make use of this information, or their plans for future use.

    Not only has Windows XP definitely gone further in the direction of allowing the user less control over his or her own machine, but with Palladium, Microsoft apparently intends to finish the job: Microsoft will have ultimate control over the user's computer and therefore all his or her data. Even now, under Windows XP, a recent security patch requires that the user agree to a contract that gives Microsoft administrator privileges over the user's computer. The contract says that if a user wants to patch his or her system against a bug which would allow an attack over the Internet, he or she must give Microsoft legal control over the computer. See this article also: Microsoft's Digital Rights Management-- A Little Deeper. You may need to be a lawyer to take apart the crucial sentence. "These security related updates may disable your ability to copy and/or play Secure Content and [my emphasis] use other software on your computer" legally includes this meaning: "These updates may disable your ability to use other software on your computer." Note that the term "security related updates" is meaningless to the user because the updates have no relation to user security. So, the sentence effectively means that Microsoft can control the user's computer without notice and whenever it wants. That kind of sentence is known in psychology as "testing the limits". If there is no strong public complaint about this, expect to see more and stronger language like this.

    This Register article shows the direction Microsoft is going: MS Palladium protects IT vendors, not you. Absolute power corrupts absolutely, and Microsoft is well down that road. See this ZDNet article, also: MS: Why we can't trust your 'trustworthy' OS.

    Microsoft's self-destructiveness does not mean that the user should be self-destructive. There is no need to apologize for using Microsoft software. The correct solution to abuse is persuading the abuser to stop being abusive. Once I posted to a Slashdot story a link to an article on a web site of mine. By far the majority of visitors from the Slashdot story used Microsoft operating systems. Rather than feel embarrassed because Microsoft is abusive, action needs to be taken to prevent the abuse. If you are against Microsoft abuse, you are not against Microsoft; you are more pro-Microsoft than Bill Gates.

    These Microsoft policies mean that any government which wants to be independent of the United States government, and any government which represents itself as controlled by the people, cannot use Microsoft operating systems, or other Microsoft proprietary systems.




    - posted by poopbot: who doesn't like scat?

    foxsZmPsGl Post #294

  7. Re:SSID Security by Anonymous Coward · · Score: -1, Offtopic

    unique lameness filter cracking id : 000001 (change this when reposting this information)
    Version 1.1

    Note to moderators : Do not moderate this post down, if you do then you support the editors' stance on censorship and you support the end of free speech and support evil organisations like Microsoft, RIAA, MPAA and laws like the CBTBA and DMCA


    Sign this petition, let your voice be heard!

    Slashdot is using censorship! It is trying to eradicate free and open discussion like we know slashdot to be, it has the following RESTRICTIONS in place to Censor you

    They claim they don't, but they do, wonder why there are so many trolls, crapflooders and lamers on slashdot, because they are fighting for their rights! Slashdot is trying to silence the trolls. Remove the filters, the trolls get bored, and slashdot will be troll free!
    • Lameness filters (It blocks a lot of legitimate posts)
    • Unnecessary posting delays. Hasn't taco learned to touch type? A lot of posts are typed in less than 20 seconds and it is an ANNOYING DELAY! 2 minute ban? Come on, so some are faster than others, big deal, some people have more to say than others
    • Broken moderation system, The whole point is to sort the gems from the crap, yet a lot of posts designed to make a LIVELY DISCUSSION are MODERATED as flamebait! Come on, not everyone likes X, but just because someone bashes it doesn't mean it's Flamebait. Flame bait is more useful for DIRECT INSULTS and not legitimate discussions.
    The "troll" moderation reason is fragmented and broken, why? Because they are trying to use an obsolete usenet term on a realtime discussion, "trolls" can cover a huge blanket of ideas.
    • Crapfloods, a meaningless flood of random letters or text, which the lameness filter does a crappy job at trying to stop, besides trolls have written tools using the opensource slashcode to generate crapfloods which bypass the filter
    • Links to offensive websites, the most common one is known as http://www.goatse.cx, an awful site which shows a bleeding anus being stretched on the front page. Trolls sneak these links in by posting messages that look legitimate, but in fact are sneaky redirects to the site. Common examples include rd.yahoo.com, www.linux-kernel.tk, goatsex.cjb.net, and Google's "I'm feeling lucky".
    • Trying to break slashdot, this is actually a good thing, as it helps test slashdot for bugs. Famous examples include the goatse.cx javascript pop-up, the pagewidening post and the browser crashing post!
    • Subnet banning, this bans a user unless they email Jamie Macarthy with their mp5ed ipids. This is unfair, and banning a subnet BLOCKS A WHOLE ISP SOMETIMES, and not that individual user! This can cause chaos! But real trolls use anonymous proxies to get around this so THIS JUST BANS LEGITIMATE USERS!

    But, the issue that concerns us the most, is the COMMENT QUOTA. A discriminatory system that stifles discussion, cripples the community and will ultimately destroy slashdot unless it is removed! Anonymous cowards are allowed only 10 posts a day! This is unethical! Users with negative karma only get two! That is DISCRIMINATION! How would you like to only be able to speak once a day, just because of the color of your skin. That would be racism, and slashdot is discriminating against people just because of a negative number in a database! BOYCOTT SLASHDOT! LET THEM DIE!

    We want these stupid useless restrictions REMOVED! This comment will be posted again and again until it does!

    Important information for users
    Boycott slashdot, they are pissing over their community, they are becoming like the RIAA and MICROSOFT! Do NOT TOLERATE THIS SHIT! Here are some real news for nerds sites. We don't need slashdot, slashdot deserves to die!

    MSNBC
    BBC NEWS
    News.com
    Linux online
    Linux daily news network
    Weird news from dailyrotten.com
    Trollaxor, news for trolls, they are real people too!
    CNN.com
    New york times (free registration required)
    LINUX.com
    News forge
    K5
    Mandrake forum
    Toms hardware
    The register
    Kde dot news
    The linux kernel Archives

    There are hundreds more, But this is where slashdot STEALS THE MAJORITY OF its "news" from.

    Punish them, here are their emails, spam them, flame them goatse them!
    Rob malda
    Jamie Macarthy
    ChrisD
    Hemos

    The other ones apparently don't have an e-mail, probably because ROB MALDA IS PRETENDING HE IS JOHN KATZ.

    Thank you for reading this, please feel free to repost this information, please reply to add your comments, fight slashdot and its CENSORSHIP

  8. Slashdot Sucks by Anonymous Coward · · Score: -1, Offtopic

    unique lameness filter cracking id : GOATSE (change this when reposting this information)

    Note to moderators : Do not moderate this post down, if you do then you support the editors' stance on censorship and you support the end of free speech and support evil organisations like Microsoft, RIAA, MPAA and laws like the CBTBA and DMCA


    Sign this petition, let your voice be heard!

    Slashdot is using censorship! It is trying to eradicate free and open discussion like we know slashdot to be, it has the following RESTRICTIONS in place to Censor you
    • Lameness filters (It blocks a lot of legitimate posts)
    • Unnecessary posting delays. Hasn't taco learned to touch type? A lot of posts are typed in less than 20 seconds and it is an ANNOYING DELAY! 2 minute ban? Come on, so some are faster than others, big deal, some people have more to say than others
    • Broken moderation system, The whole point is to sort the gems from the crap, yet a lot of posts designed to make a LIVELY DISCUSSION are MODERATED as flamebait! Come on, not everyone likes X, but just because someone bashes it doesn't mean it's Flamebait. Flame bait is more useful for DIRECT INSULTS and not legitimate discussions.
    The "troll" moderation reason is fragmented and broken, why? Because they are trying to use an obsolete usenet term on a realtime discussion, "trolls" can cover a huge blanket of ideas.
    • Crapfloods, a meaningless flood of random letters or text, which the lameness filter does a crappy job at trying to stop, besides trolls have written tools using the opensource slashcode to generate crapfloods which bypass the filter
    • Links to offensive websites, the most common one is known as http://www.goatse.cx, an awful site which shows a bleeding anus being stretched on the front page. Trolls sneak these links in by posting messages that look legitimate, but in fact are sneaky redirects to the site. Common examples include rd.yahoo.com, www.linux-kernel.tk, goatsex.cjb.net, and Google's "I'm feeling lucky".
    • Trying to break slashdot, this is actually a good thing, as it helps test slashdot for bugs. Famous examples include the goatse.cx javascript pop-up, the pagewidening post and the browser crashing post!
    • Subnet banning, this bans a user unless they email Jamie Macarthy with their mp5ed ipids. This is unfair, and banning a subnet BLOCKS A WHOLE ISP SOMETIMES, and not that individual user! This can cause chaos! But real trolls use anonymous proxies to get around this so THIS JUST BANS LEGITIMATE USERS!

    But, the issue that concerns us the most, is the COMMENT QUOTA. A discriminatory system that stifles discussion, cripples the community and will ultimately destroy slashdot unless it is removed!

    We want these stupid useless restrictions REMOVED! This comment will be posted again and again until it does!

    Important information for users
    Boycott slashdot, they are pissing over their community, they are becoming like the RIAA and MICROSOFT! Do NOT TOLERATE THIS SHIT! Here are some real news for nerds sites.

    MSNBC
    BBC NEWS
    News.com
    Linux online
    Linux daily news network
    Weird news from dailyrotten.com
    Trollaxor, news for trolls, they are real people too!
    CNN.com
    New york times (free registration required)
    LINUX.com
    News forge
    K5
    Mandrake forum
    Toms hardware
    The register
    Kde dot news
    The linux kernel Archives

    There are hundreds more, But this is where slashdot STEALS THE MAJORITY OF its "news" from.

    Punish them, here are their emails, spam them, flame them goatse them!
    Rob malda
    Jamie Macarthy
    ChrisD
    Hemos

    The other ones apparently don't have an e-mail, probably because ROB MALDA IS PRETENDING HE IS JOHN KATZ.

    Thank you for reading this, please feel free to repost this information, please reply to add your comments, fight slashdot and its CENSORSHIP
  9. Re:Update on slashdot censorship! by Anonymous Coward · · Score: -1, Offtopic

    so when are you going to start boycotting it yourself?