Slashdot Mirror


User: Spyder

Spyder's activity in the archive.

Stories: 0
Comments: 92

Comments · 92

  1. Right-- but how do we make a beowulf out of these? on Snap Appliance Snap Server 1100 NAS Device · · Score: 1

    Alright, big whatever on the widget and its intended purpose. What does it take to load it up with Debian, and use it as a little Linux box? The reason I'd get one is to set up a little Linux dev box for doing little stuff on my home network, so I can finally kill my old desktop. If the article had been a "This is how we hacked it" kind of thing, it might have been useful.

  2. Best Buy on Getting A Laptop With The Low U.S. Dollar · · Score: 1

    Go to Best Buy, get one of these. I'm sure you can find an AC adapter for the UK.

    I'd get a 6807 if you could get one (DVD burner instead of the CD-RW\DVD), but they don't seem to be available yet.

    'Nuff said

  3. No AAC on Pocket PCs Masquerade as iPods · · Score: 2, Informative

    If you want to get audio books of, say, periodicals like The Harvard Business Review or Science, you can't play them on this, or most MP3 players. It's actually one of the reasons I'm considering an iPod rather than a solid state player.

  4. ISPs are in a sticky position on Canadian Recording Industry Goes After P2P Users · · Score: 3, Interesting

    Peer to peer sucks bandwidth, a direct cost to any service provider. The only reason any ISP is going to stick up for users is for the PR. Fact-o'-life.

  5. iBooks, PowerBooks and other laptops on Confessions of a Mac OS X User · · Score: 2, Insightful

    I've been considering getting a PowerBook to replace my current Linux laptop. I'm held back by the fact that many of the security related tools are developed on Linux.

    As far as hardware lock-in is concerned, there is a degree of hardware lock-in for all laptops. Apple uses the same SO-DIMMs and hard drives as PC laptops, though I haven't tried to get a non-AirPort miniPCI board to work in an Apple. Now on the desktop side there is a lot of commodity hardware for PCs.

    The real argument isn't hardware replacements, it's competition. Apple makes its money on the hardware. It's why the OS is for their hardware, and as a technical side benefit, gives them control over how the hardware and the OS interact. I don't think Apple could reasonably port OS X to the PC for business reasons. Right now, if you want to run OS X on a laptop, guess who you have to buy from? It's simple economics, only made slightly more complicated by the fact that the PC laptop market exists. You can think of it (simplistically) as two different markets, a low competition market i.e. PC vs Apple, and a high competition market i.e. the PC laptop market. While Apple has to pay some attention to the PC laptop market, it is not bound to any individual vendor as a direct competitor. If OS X was released for the PC, Apple could no longer take that stance.

  6. Re:huh? on WSIS Physical Security Cracked · · Score: 1

    1. Open phone book
    2. Get some shmuck's name and address
    3. Use the shmuck's info for your grocery discount card
    4. ????
    5. Profit!

    Just one more disconnect between the reliability of authentication vs. identification. Not a novel or interesting hack, but the problem is so pervasive in these half-assed security systems that it almost always works.

    Quote from George MacDonald's Flynn:
    "The problem is, when you reduce people to little pieces of paper, somebody is going to give you the piece of paper and not the person." -- Flynn aka NN 13
    (Might be a little off, I'm going from memory, and I haven't read the book in a few years)

  7. What about the Service Agreement? on AOL Hacks Subscribers' Computers · · Score: 1

    I've never been an AOL customer, so I wouldn't know. But when an AOLer signed his life away, he may have consented to this. Has anyone checked the Terms of Service? If it isn't, why don't we see if somebody can't organize a class action suit against AOL for this. Then AOL might get with other tier 1 providers and sue MS for negligence for all the worm fun.

    To a more important point: This is not so good, in the same way as not having script kiddies isn't good. By killing this, you make these security issues much less visible to Joe and Jane AOL. Doing this or even going after the sources of these pop-ups doesn't work to fix the central issue of the reprehensible security model that MS seems to advocate. While the blatant shortcomings of MS software in the realm of security are pretty well known to the denizens of /., it's not something Joe and Jane have a handle on. Moreover they don't understand what effects these issues really have, much less that many of the issues directly pertaining to them are preventable. BTW raise your hand if you actually got to the bottom of the paragraph, congratulations.

  8. Simple and concise on Getting Back Into Shape While At The Office? · · Score: 1

    1> Cardio workouts burn fat. Yeah, it's more complicated than that, but anything that brings up your heart rate will burn fat after a few minutes and do good things for your heart too.

    2> The best exercise program is the one you stick with. 30 minutes a day of exercise - at least - not counting dressing, stretching and other stuff.

    3> Don't eat too much. Don't eat because there's nothing better to do. Don't eat just because something looks good. Don't eat just to clean your plate, finish the box or whatever. Eat 'cause you're hungry.

    4> Don't eat crap. You know what crap is. You don't really need to buy reduced fat stuff, or eat like a rabbit, or follow all the nutritional fads. You know a Big Mac is crap, you know that candy is crap, you know that sweet sweet carbonated caffeine delivery fluid is crap.

    Now me, I play hockey. I strap on the skates in the parking lot while I let rush hour pass, and work on skating and stick handling drills. I do it because I'll do it every day.

    Anything else consult a professional.

    PS. The Ball chair looks pretty cool. Might try that.
    PPS. The Good Eats guy is Alton Brown.

  9. Re:Well that's a start ... but ... on Kerberos Support In OpenSSH · · Score: 3, Informative

    Yes it is BSD, it's an OpenBSD project.

  10. Re:The reason law enforcement won't investigate on Getting Law Enforcement Action for a Large-Scale Hack? · · Score: 1

    At least in my experience the FBI is hit or miss on its ability to investigate internet crime. You have to do much of the hard evidence work yourself before they get their experts working on the attack. I've also noticed that unless you already know evidence handling, you can pretty easily screw things up for the case.

  11. Invention and innovation on Robots Without a Cause · · Score: 2, Interesting

    I have a Fisher Space Pen, which I love. The Space Pen was created to solve the problem of how to allow astronauts to write in a zero G environment. It uses a pressurized cartridge and an ink with an integrated adhesive. The Russians, faced with the same problem, used pencils.

    The innovations of the Space Pen contributed to new uses in commercial pens, and therefore contributed to the technology base.

    If necessity is the mother of invention, then cleverness is its father. The fantastical examples of '50s "labor saving devices of the future" are examples of such inanities that proved to inspire good design, by at a minimum counter-example.

    The pursuit of technology is good, because economic growth is good. What the article is really railing against is consumerism. It is capital folly to link the eschewing of consumerism to Luddism. Economics in its basic form is the process of taking resources from lower to higher valued uses. There are only 2 ways to do that in my mind, transportation and improvement. Both are inexorably tied to technology. All socialist delusions aside, the best and most effective way of improving everyone's lives is through free(ish) markets. The wonder of free markets is that we let people do stupid things with their cash.

  12. Re:Liability? on Slashback: Mars, Linksys, Torrent · · Score: 1

    You cultivate Anthrax, you make Sarin. There's a difference between bio and chem weapons.

    IANAL, but I know a bit about the law concerning this:
    A university would be liable for some civil charges like wrongful death, and violations of health codes and hazardous materials. Criminal charges of negligence and maybe manslaughter in the right circumstances (gross disregard for human life). If the University merely supplied the knowledge as part of the curriculum, I doubt any charges would be filed.

    Now about virus writing, this is a little sticky. The tools are generally available over the net, so it's not the same issue of providing access to controlled substances. There might be a negligence charge in handling, or maybe in the curriculum content. The issue with this is that it would come under the same precedents as full disclosure security mail lists and sites.

    While I don't agree that this is the best first step in creating a useful information technology security program, I do think that there is nothing illegal about it; irresponsible maybe, but ethics and law are different matters.

  13. Humm 18.2 gigawatts.... on Three Gorges Dam Begins Storing Water · · Score: 2, Funny

    18.2 Gigawatts a year? You could go back to 1955 15 times!

  14. Response to question 4 on Fyodor Answers Your Network Security Questions · · Score: 5, Informative

    While I have enormous respect for Fyodor, and all he said was good stuff, I think he left a few things out.

    OS security: Tear apart the Bastille scripts and take a good look at the NSA Windows Security Guidelines, at the very least. He suggests to us to use whatever we can in a less privileged context, but many OSs are very permissive out of the box.

    Network architecture: While Practical Unix and Internet Security is an excellent book, understanding networking components and security devices can be implemented in very complex systems. Understanding architecture is very important to the network security white hat, and it's the piece as a BS/CS you get the least exposure to. I would suggest a reasonable understanding of the CCNP study materials; you may not need to design it, but you have to understand it. Know the differences between the popular firewall vendors, maybe see if you can get one to play on.

    Encryption: As a BS/CS you likely have been exposed to some cryptography. For those that don't know the algorithms, sync vs async, what a hash is, fixed vs variable key length ciphers, read Secrets and Lies or Practical Cryptography to get an idea of the issues. Once you know cryptography, get to know some PKI methods, understand the NSA certificate class definitions.

    Security Policies: If you expect to be working in an enterprise environment, you may want to familiarize yourself with enterprise level security policies like ISO 17799 and GASSP, and for healthcare related things, HIPAA. Many large institutions use these as templates for their security policies and standards; talking the same language will help on many levels.

    Knowing the 'sploits is great, and being able to roll your own is sorely missing in a number of enterprise security organizations. Problem is being a kept white hat isn't only pen testing, it's policy, architecture review, user information, and incident response.

    I think the industry needs more hands on, internet age people. A large number of security pros now come from intelligence or military systems backgrounds. Internet security is a different environment, and what we have to offer is valuable.

    Good Luck,

  15. Re:Rogue 802.11b != rogue access to company secret on AirTraf 802.11b Security Package · · Score: 1

    Never trust your depth of exploit to the benevolence of the attacker. Lots of networks don't have things like interior IDS, regular vuln scanning, or even decent administration practices. Moreover, all those attacks concerning physical location are now possible. Even little defacements can require substantial response in the form of rebuilt systems, reports to management, PR issues. God help you if you have overdeveloped incident handling procedures and have to spend weeks writing reports and answering questions to your boss, legal, the feds, the customers, and upper management.

    No compromise is small, no attacker benign. Like there is an opportunity cost to be considered when undertaking a new effort, there is an incident cost that is the cost of handling, and the risk of compromise. Security is a weak link system, and you never know where the big incidents come from.

    I know I responded to a troll, I won't pass go and I'll go get the 200 lashes with CAT5.

  16. The Casual /.er's guide to 802.11(a,b,g) Security on AirTraf 802.11b Security Package · · Score: 3, Informative

    The creds: I'm an infosec goon for a big faceless corp that is pretty paranoid about being hacked.

    OK here we go:

    All you need to get 802.11b (or whatever) working is an access point and a host. The Logical Link (from that OSI model in the first chapter of the MCSE book you never read) identifiers consist of the ubiquitous MAC address and an SSID. All the client needs to do to connect is specify a valid SSID to the access point in question, voila, free porn on somebody else's dime. Here's the thing, 802.11b access points broadcast their SSIDs.

    Some stodgy buggers thought that this kinda sucked, so they decided to wave the magic encryption wand over the system. What they got was the (in)famous WEP, Wire Equivalency Protocol, or Wireless Encryption Protocol, depending on if you started messing with this before 2001 or not. This stuff comes in 2 main flavors, 56-bit and 128-bit. Two problems with WEP came up round about 2001. First, the key generation algorithm was flawed, and a 56-bit key was really a ~26-bit key, a 128-bit key was really a ~98-bit key. Second, because of the nature of the system it is very easy to gather enough data to perform differential cryptanalysis (aka extracting the keys from a bunch of traffic based on how they are encrypted). Detrimental to all hope us poor white hats had of keeping our systems safe, AirSNORT was released, allowing even the cryptographically challenged intruder to compromise the best access points.

    Security for the wireless:

    Most commercial access points will allow at least some of the following:

    Turn off SSID broadcast, this helps, unless the intruder can see a user connecting for the first time, when the client broadcasts the SSID to gain access.

    Specify allowed MAC addresses, this also helps, but all an intruder has to do is change the MAC of the intruding interface, and get on while a client isn't on.

    Stuff only a few vendors do:

    Use 256-bit encryption, this is pretty good, but only works with compatible cards and drivers. It can also still be cracked by a determined attacker using AirSNORT, (ok, ok a very determined attacker with some form of supercomputer, but hey there's No Such Agency with that kind of equipment).

    Cisco has tech called LEAP, which will do cool things like rotate keys on a 5 minute basis. It is unlikely that an attacker using AirSNORT will get sufficient information to crack the key before it's changed. It'll do some other cool stuff, but I'm not a Cisco rep, so I won't recite the product manual.

    A "Best Practice" with wireless is to do some or all of the above, and attach the access point to the outside interface of a VPN gateway. The theory on this is to treat the wireless network like any other external connection.

    Now why, if I'm doing all this stuff to secure my network, do I do a Wireless Site Survey at least quarterly at my major sites? Well, because people like easy, and people like to do it themselves. I'm most concerned about someone setting up a combo firewall/access point on my network. The best way to find rogue access points is to play marco polo with a laptop and a directional antenna (if you want good info on that stuff, talk to a friendly neighborhood HAM operator, but a coffee can works pretty well in a pinch).

    Stuff you should know about site surveying:

    Get a good card, preferably one with an external antenna input. See what you can do about getting the right antennas for this kind of thing.

    The tool du jour for this is called Kismet. It does not have all the key cracking kung fu of AirSNORT, but it makes finding the access point pretty easy.

    Have your policy in hand for the confrontation with the owner of the rogue access point, wield it with BF&I (Brute Force and Ignorance).

    Good luck and happy hunting,
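Added example, not from the post above and not part of Kismet or AirTraf: a defender-side triage of a site survey log along the lines the comment describes. Each observed radio is checked against an inventory of sanctioned access points, an unknown radio advertising the corporate SSID is flagged as an unauthorised clone, open/WEP radios are marked as weakly protected, and signal strength separates likely in-building rogues from the neighbours. The survey log, the inventory, the CSV layout and the -60 dBm threshold are all constructed assumptions.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Hypothetical asset inventory of sanctioned access points: BSSID -> SSID it should advertise.
SANCTIONED_APS = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
}
CORPORATE_SSIDS = frozenset(SANCTIONED_APS.values())

# Assumed threshold: an unknown radio this loud is probably inside our walls, not next door.
INSIDE_DBM = -60

# Constructed survey log in a simplified CSV layout (not Kismet's native output).
SURVEY_LOG = """bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,CORP-WLAN,6,WPA,-48
00:11:22:33:44:02,CORP-WLAN,11,WPA,-66
00:11:22:33:44:02,CORP-WLAN,11,WPA,-61
DE:AD:BE:EF:00:01,CORP-WLAN,1,NONE,-40
de:ad:be:ef:00:02,linksys,6,WEP,-35
ca:fe:ca:fe:00:03,NeighborNet,9,WPA,-82
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    signal_dbm: int
    verdict: str       # sanctioned | misconfigured | evil-twin | rogue-candidate | foreign
    weak_crypto: bool  # open or WEP, which the comment above explains is not real protection


def classify(bssid: str, ssid: str, encryption: str, signal_dbm: int) -> Finding:
    """Decide what an observed radio is from the inventory, the SSID and the signal."""
    bssid = bssid.lower()
    weak = encryption.upper() in {"NONE", "OPEN", "WEP"}
    if bssid in SANCTIONED_APS:
        # Our radio; check it still advertises the SSID we configured.
        verdict = "sanctioned" if SANCTIONED_APS[bssid] == ssid else "misconfigured"
    elif ssid in CORPORATE_SSIDS:
        verdict = "evil-twin"        # our SSID from a radio we do not own
    elif signal_dbm >= INSIDE_DBM:
        verdict = "rogue-candidate"  # loud unknown radio: go find it with the antenna
    else:
        verdict = "foreign"          # faint unknown radio: most likely a neighbour
    return Finding(bssid, ssid, signal_dbm, verdict, weak)


def triage(log_text: str) -> dict[str, Finding]:
    """Parse the survey log, keep the strongest observation per BSSID, classify each."""
    strongest: dict[str, dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        key = row["bssid"].lower()
        if key not in strongest or int(row["signal_dbm"]) > int(strongest[key]["signal_dbm"]):
            strongest[key] = row
    return {
        key: classify(key, row["ssid"], row["encryption"], int(row["signal_dbm"]))
        for key, row in strongest.items()
    }


def worklist(findings: dict[str, Finding]) -> list[Finding]:
    """Radios that justify a walk with the directional antenna, loudest first."""
    hunt = {"evil-twin", "rogue-candidate", "misconfigured"}
    return sorted((f for f in findings.values() if f.verdict in hunt),
                  key=lambda f: f.signal_dbm, reverse=True)


if __name__ == "__main__":
    for f in worklist(triage(SURVEY_LOG)):
        crypto = " (open/WEP)" if f.weak_crypto else ""
        print(f"{f.verdict:16} {f.bssid}  {f.ssid!r}  {f.signal_dbm} dBm{crypto}")
```

Running it prints the two radios worth hunting for in the constructed log: the loud open-ended "linksys" box and the unknown radio cloning CORP-WLAN; the faint NeighborNet radio is left alone.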

  17. Somebody get that company a CISSP! on For Microsoft, Market Dominance Isn't Enough · · Score: 4, Insightful

    As a goon in the network brute squad for an enormous and paranoid company, I'm gonna say: How come all of these high level memos get out? Ok granted they've been able to keep their source code contained, but executive memos like this should be at approximately the same sensitivity level. I could, if I were petty, ask why we should trust security and operation processes from a company that seems either not to know what they are, or at least how to follow them. The information in the memo is not a great surprise to any market observer, but it could be, as expressed in other comments, legally damning.

  18. Re:Sodium Hydroxide on Sodium + Private Lake = Fun · · Score: 1

    My AP chem teacher showed us a video of a college class throwing sodium into a lake. They were doing it for the express purpose of increasing the pH to counteract some industrial pollution. Incidentally, if you put some phenolphthalein (sp?.. it's been a long time) in the water and use a small amount of sodium it'll sputter around in the vessel with this pink trail. Kind of a cool demo to do with an overhead projector and a petri dish.

  19. I was at the Press Conference on U.S. Gov't Planning To "Help Us" Secure Computers · · Score: 2, Interesting

    What they released was a security template that amounts to the minimum that security experts have been advocating since roughly the dawn of time. The babble Clark was talking about (I really hate it when people old enough to be my grandparents use buzzwords like cybersecurity instead of information security or computer security, it makes them sound like dotcommies without a clue) is just political fluff. Without funding, visibility and a plan of execution nothing will happen in a government program, it's a law of nature. As for the template, I'm still evaluating it, but so far I think it's a decent thing to put on a w2k pro box/ std image especially if you do work for the gov. I'm just glad to see the government actually doing something security wise that will benefit the smaller civil agencies and administrations.

  20. Nobody do anything on Microsoft To Exhibit at LinuxWorld Expo · · Score: 1

    Seriously, if nobody does anything, at all. Don't talk to them, don't pick up their vendor goodies, don't molest their Hot Booth Babes, it won't give them anything to work with. I understand this is a monumental assertion of self-control for some, but just don't do anything. The conference is about Linux, and MS has repeatedly made Linux interoperability as difficult as they could manage. They have no software for the platform and no interest in sponsoring any projects. They have nothing to say.

  21. Re:Less licenses... on Explaining the GPL to Non-Lawyers? · · Score: 1

    There are in essence only three sets of rights available to the recipient of any copyrighted work:

    1) Rights previously granted under Copyright Law.
    2) 1 + additional rights
    3) 1 - rights already granted

    Most software isn't distributed under a copyright. That's the whole reason for licensing, to get around the existing precedents of fair use.
    It's not:
    "You buy a copy of this to use and transfer and monkey with, as long as you don't make more"
    It is:
    "We let you use this as long as you promise not to move, monkey with, or figure it out, and we get to check in on you from time to time to be sure."
    A license is a contract, and as a contract, it's ok to specify conditions like that. The main issue I have with EULA practice is that you can't prove that the licensee even signed the agreement, to say nothing of if the terms were read or of the sobriety of the licensee at the time (That's right ladies and gents, if you're drunk you can't enter into contracts like oh... EULAs, and without a witness they can't prove that you weren't or that the EULA came up at all, like the man said it's not what's right it's what you can prove). IANAL, but I agree that the GPL is more of a statement of copyright permission than a license. I think the thing really in dispute isn't copyright law really, it's the state of the legalisium of the software license.

  22. auditing, vulnerability assessment on Recommendations for Third Party Security Audits? · · Score: 1

    I work at a Fortune 500 company, I'm on the security team for the IS contracting division. I work in the regional office that services the District of Columbia, and I have done security work for the government before. Our recent independent audit was done by Verizon. They used Nessus, and some of the staff were project contributors. I found them, for the most part, as knowledgeable as our staff. They made both an internal and external audit independently. Their reports and data analysis were good, and they provided us with the raw data. We use ISS as our primary vulnerability detection tool so a requirement for our audit was analysis by another system.

    It sounds like you will also need some help securing your system. Your biggest problem with security will be policy. In a civilian government agency, if you do not already have a policy in place, you will waste at least half of your contracted man hours in politics. Moreover the project will NEVER get completed. I would recommend getting a signed security policy, by the director or secretary, before your hired guns even set foot in the office.

    Feel free to contact me, I'm just an idealist with a packet analyser. I'd be happy to give some friendly advice.

  23. Re:Local jeep club on Junkyard Wars: The Next Generation · · Score: 1

    It seems like if you stick the average soccer mom behind the wheel of a Jeep Grand Cherokee, give her some eye makeup, a cell phone, and a few boxes of McNuggets she would destroy the competition.

    And not even notice.

  24. Re:Cause and Effect on No Shortage Of Programmers? · · Score: 1

    My dad is a coder and manager, he has 20+ years of programming experience and an MBA. I'm a system engineer with 5-6 years experience in Windows, Solaris, Linux and Cisco systems. I have no degree but I make 85% to 90% of my father's salary, and I NEVER have a problem finding a job. My dad is a good employee, no social problems, and people generally like him and his work; he gets nervous every 6 months or so about his job. His problem: he's overqualified. His programming skill set is lagging behind the mainstream, but nobody is willing to train him. I can't understand why I was hired 1.5 months ago at my current co. and they already set me to train on Win2K and Active Directory to upgrade my skills, but my dad keeps getting relegated to COBOL maintenance even though he desperately wants to learn Oracle. I agree that this industry still needs to learn the huge value of these people, but it is my opinion that management in the tech industry is still done by brute force and ignorance.

    I'm a computer geek, both my parents are computer geeks, it's genetic - I didn't have a choice.

  25. Re:Cool! on Apple Sues Freetype - NOT (updated) · · Score: 1

    Sony has a pretty cool Crusoe based laptop, not to be off topic or anything. Smite conjugated: Smite - Smote - Smitten?