Security by ... too much honesty?

Tue Apr 21 04:07:39 UTC 2009

John Moser wrote:

> Mostly, a lot of things are supported and work just fine.  We live in
> a decent enough world, usually you're not really a target for anything
> bad, and we can ignore all the hype about most stuff because hey, it's
> just unlikely.
> ...
> I call BS.

I call double BS :-)

> If I wanted to get into your bank account, I would probably... hmm.  Let's
> see.

Not get there.

> First I'd grab BackTrack or nUbuntu.  Then I'd snoop your wifi,
> picking up your hidden network from the headers of some authentication
> packets, and use aircrack-ptw to pull your WEP key in about 30 seconds

You don't even have to try that hard - my wifi's wide open.

> (if I want to be stealthy, I'll camp and pick up your key from your
> P2P traffic).  Now I can use that key in a specially modified version
> of Ethereal or tcpdump to snoop your activity, pick up your gmail
> cookie, and read your e-mail.  

Unless I seriously misunderstand TLS, you won't get my email that way.

> I can authenticate with your wifi or 
> spoof your IP and MAC now, use the WEP key to get on your network, use
> your gmail cookie to log in as you, and read your message about your
> online password.

Which (a) I don't keep, and (b) none of my financial institutions emailed to
me.  Come on now, while I have some responsibility for my own security,
_nobody_ should be doing business with banks that email them their

> I'm sure a bunch of people reading this are going to say, "We don't
> want to do that.  Those tools should be complicated, so that only
> really really REALLY intent bad guys can use them; normal bad guys
> don't bother and it keeps us secure."  Open your mouths, say it, you
> know you want to. 

Actually, I don't want to.  I just understand that wifi security is as much
an oxymoron as military intelligence, and look for my security elsewhere.

> (yeah guess what?  Those idiots aren't your threats, they have
> no interest in you anyway).

I disagree - "those idiots" are the only threat to most of us.  The script
kiddies are a very real threat simply _because_ they'll target you at
random.  Those of us who have something worth stealing - by somebody who
wants to invest the time - are not going to be made secure by methods this

