Slashdot Mirror
Freakonomics Q&A With Bruce Schneier
Samrobb writes "In grand Slashdot tradition, the Freakonomics blog solicited reader questions for a Q&A session with Bruce Schneier. The blog host writes that Mr. Schneier's answers '...are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for "crime pays" to see his sober assessment of why it's better to earn a living as a security expert than as a computer criminal.'" The interview covers pretty much the whole range of issues Schneier has written about, and he provides links to more detailed writings on many of the questions.
I think what he means is that if you are depending on your wireless connection for security, you're already doing something wrong.
One is because most secure practices can be implemented well separate of wireless, if you are concerned with security. And in fact relying on wireless encryption as your "only" form of security is something that even most non-savvy computer users can be taught not to do, so the experienced ones should have no excuse.
The other is that most "security" for wireless has already been broken and can be repeated in a near trivial amount of time, so if someone was dead set on sniffing your data, chances are they'd be able to do it.
In my defense, I run an open wireless network that is sectioned off, that instead of encryption relies on MAC addresses to allow into the normal section of the network. Everyone not on the list just gets to use the internet.
Allows friends to come over and connect happily to the web without messing with stuff, and if they need the network access adding their computer is a 10 second job.
You never realize how much manually made unmanaged "linked" lists suck, till you have src.link.link.link.link...
This is excellent logic, but I think much of the reasoning behind wifi encryption is that people who do connect to your wifi are essentially getting to fire a load of packets around the internet with your name on them.
Which could be worrying or not, depending on their interests. The number of people connecting to open access points to use kazaa to download the latest movie blockbuster would worry me if I was in an apartment building or something.
Correction: Actually, they're keeping us from seeing the long string of flag-draped coffins streaming home...
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
I can't answer which sites will actually store your passwords and which ones will only store a one-way hash of it, but I can tell you that some customers I've developed sites for insisted that the passwords be stored in cleartext. So "many sites store your password in cleartext" is my best guess.
Also, even if the site doesn't store your password in cleartext, it will still be sent to them as cleartext. Even if it goes over SSL, the site itself will be able to decrypt it. So, one way or another, They have your password.
I would like to suggest a feature that could be added to browsers. An idea to think about; not a request for implementation just yet. But here's the idea. Let the browser perform the one-way hashing. You enter your password, the browser hashes it, and the hashed value is sent to the site. You can use a different hash for every site, and thus use the same password on your side, but send different values to different sites. That way, no site can pick up your password and use it with another site. You are still open to replay attacks on the same site if the site doesn't protect against that (e.g. by using SSL), but it's a lot better than things are now. You never send out your actual password, so nobody ever gets to know it.
Please correct me if I got my facts wrong.
AFAIK, MAC addresses can be sniffed while you use the WLAN and replayed when you don't to get access. So this is not a good way to authorize a client.