Slashdot Mirror


User: tagplazen

tagplazen's activity in the archive.

Stories: 0
Comments: 9

Comments · 9

  1. Is Santa real? on Quake 2 Source Code Released Under The GPL · · Score: -1, Offtopic

    I was a devout unbeliever, but Lord of the Rings, Final Fantasy X, and now this, I'm sure starting to think I might be wrong.

    Hey, big jolly guy, if you're still doling out these fabulous holiday goodies, please remember that letter I sent you about smoking cigars in a bathtub full of nitro with Fairuza Balk!

    Carmack rocks. Other game programmers might try, but it's for reasons like this we'll always love the man.

  2. To Improve Security 100%...... on Web Security, Privacy and Commerce · · Score: 5, Interesting

    ..remove the words "Well, it's okay because that box is sitting behind our firewall" from everybody's lexicon.

    The point was raised above about how out of date this book would be by the time it was released. I honestly don't believe that's as big of an issue as people seem to think, 99% of the battle with keeping our networks secure is just getting people to consider the issue in the first place. Any book I can throw at our apps developers that gets them even thinking about the broad issues is a good thing, because once the seed is planted, then they come over and ask us what we would recommend as they're working on their apps. Over the past six months we've seen the 'Ooops, you mean that travel site with the form for people to put their CC number in should be SSL'd?' to almost daily informal meetings about what they're doing and how we can support them.

    Our biggest nightmare has been the sysadmins. The NT sysadmin refuses to apply any patches, 'because then things break', and won't close a single port, 'if you want features, you have to leave things open'. Lots of guerilla midnight work going on behind that boy. ;-)

    Our Solaris sysadmin is no better, if you could take the words 'Well, back at Siemens..' out of his vocabulary, he wouldn't have anything to say. Yet, he's very good at the above mentioned meetings for arguing that we're too paranoid, 'Only a very skilled attacker could sniff passwords off our switched network,' and this after multiple times of showing him dsniff and ettercap in action, complete with grabbing his passwords several times. Once again, lots of midnight cowboy fixes behind the back.

    There's a really good book out, Building Secure Software where he brings out some very good points. The best one being that security is put on networking's shoulders, when the real problem is that the developers don't build their applications with security in mind. Therefore, the strategy is to deny attackers access to the errors in the code, when the best practice would be to remove those errors in the first place. That and the quote about encrypting information in transit is like a guy living on the sidewalk using an armored car to send his credit card information to a man living on the beach in a cardboard box is simply priceless.

  3. Re:Any How-to Doc on how to secure your wireless L on Exploiting and Protecting 802.11b Networks · · Score: 1

    Thank you.

  4. Re:Any How-to Doc on how to secure your wireless L on Exploiting and Protecting 802.11b Networks · · Score: 3, Insightful

    Why is this guy's comment a 0? A "how to" may not be as sexy as driving around for open networks, (and if you think that's sexy, you've been way toooo into Final Fantasy jpegs), but it's definitely needed.

    However, in a brief spiel before I have to run, ensure end-to-end encryption. Approach it just like you would a normal WAN. Disable telnet and ftp on your servers, use SSH and SCP instead. Harden your hosts. Look into using FreeS/WAN or the BSD's IPSec solutions for vpns. Switch over to djbdns. In short, do everything that people should be doing on their 'normal' wired networks. It never ceases to amaze me that just because WEP is easy to break, everything else must be totally secure by default.

    Hope that helps.

  5. yawn on Exploiting and Protecting 802.11b Networks · · Score: 2, Funny

    You know, these people driving around looking for wide open networks are probably the ones that raise the biggest stink about "script kiddys" any time someone finds a new security hole.

    Yes, WEP is insecure. Yes, there are a lot of networks that are just thrown up. Wow, kind of like wire eh? Reminds me of that great quote, "Never attribute to maliciousness what can be explained by human stupidity."

  6. Re:Excellent idea. on Where's Your Nearest Wireless Access Point? · · Score: 1

    Cool, after talking to consume.net over in England, our intrepid head of the propaganda team, aka ipl31, threw a box up with good bandwidth to network all the community wireless groups. It's over here, Freenetworks. Of course it's running slashcode, so everyone would feel at home. :-)

  7. Re:Signal to Noise on Where's Your Nearest Wireless Access Point? · · Score: 1

    Good grief. How many "regular LANs" do you allow any idiot off the street to plug into? Well, sparky, if you're browsing the internet from your lan, I'd say just about everyone out there. You know something I don't here? :-)

  8. Re:Signal to Noise on Where's Your Nearest Wireless Access Point? · · Score: 1

    Hey, you can start with just the encryption settings that came with the card, it's almost harder to disable the encryption settings than to put them in with just default 128 bit. :-) After that, it's just like protecting any other network. Just because it's wireless, doesn't mean it's a wide open door. All of the other technologies/tricks still apply, ie authentication, firewalls, vpns, acls, etc. Think of it just as you would implementing a regular LAN. Personally, I'm working up the documentation for FreeS/WAN servers on the SeattleWireless network, but we have no demands that you use a preferred set up, it's more of a guideline. If you run a node, enforce it as you like. However, don't think that the other people working with you won't notice if your node starts becoming a hot point of activity. :-)

    Sorry this reply is brief and shallow, but I'm at work atm. :-)

  9. Signal to Noise on Where's Your Nearest Wireless Access Point? · · Score: 3

    I personally work on SeattleWireless, and as such I think GAWD is a great idea. However, there are things that start bothering you.

    The people that jump on going "it's only got so and so number of points". Who cares? It was just announced, give it time.

    The people that love bragging about how insecure access points are. Who cares if you can log in to someone's network? Does that make you any better than a script kiddy bragging about how many shell accounts he has? Is 802.11 any different than securing any other xmission technology? Nope. So before bragging about the clueless users, why don't you help to educate them? Remember, at least a script kiddy has to know how to dl a script to gather their accounts. :-)

    To the luddite. Why don't you get involved with a similar project, user group, etc. etc. Then you'd see that you actually get more face to face time than you do sitting in front of a monitor writing screeds about how technology is disenfranchising the proletariat.

    Okay, I've vented (and lost the first version of this due to fat fingers), but it just drives me nuts that every open source type of project you get into, for every one person that helps out and contributes, you get ten that sit around and tell you why you'll fail, and when it works, they get to tell you how it's flawed, politically unworkable, yadda yadda yadda. So Shmoo and any other groups that are contributing, they'll always get respect for taking the time away from rl in order to work on projects for other people. Thanks guys.