Security by ... too much honesty?

Derek Broughton derek at pointerstop.ca
Tue Apr 21 05:07:39 BST 2009


John Moser wrote:

> Mostly, a lot of things are supported and work just fine.  We live in
> a decent enough world, usually you're not really a target for anything
> bad, and we can ignore all the hype about most stuff because hey, it's
> just unlikely.
> 
> ...
> 
> I call BS.

I call double BS :-)
> 
> If I wanted to get into your bank account, I would probably... hmm.  Let's
> see.

Not get there.
> 
> First I'd grab BackTrack or nUbuntu.  Then I'd snoop your wifi,
> picking up your hidden network from the headers of some authentication
> packets, and use aircrack-ptw to pull your WEP key in about 30 seconds

You don't even have to try that hard - my wifi's wide open.

> (if I want to be stealthy, I'll camp and pick up your key from your
> P2P traffic).  Now I can use that key in a specially modified version
> of Ethereal or tcpdump to snoop your activity, pick up your gmail
> cookie, and read your e-mail.  

Unless I seriously misunderstand TLS, you won't get my email that way.

> I can authenticate with your wifi or 
> spoof your IP and mac now, use the WEP key to get on your network, use
> your gmail cookie to log in as you, and read your message about your
> online password.

Which (a) I don't keep, and (b) none of my financial institutions emailed to
me.  Come on now, while I have some responsibility for my own security,
_nobody_ should be doing business with banks that email them their
passwords.

> I'm sure a bunch of people reading this are going to say, "We don't
> want to do that.  Those tools should be complicated, so that only
> really really REALLY intent bad guys can use them; normal badguys
> don't bother and it keeps us secure."  Open your mouths, say it, you
> know you want to. 

Actually, I don't want to.  I just understand that wifi security is as much
an oxymoron as military intelligence, and look for my security elsewhere.

> (yeah guess what?  Those idiots aren't your threats, they have
> no interest in you anyway).

I disagree - "those idiots" are the only threat to most of us.  The script
kiddies are a very real threat simply _because_ they'll target you at
random.  Those of us who have something worth stealing - by somebody who
wants to invest the time - are not going to be made secure by methods this
simple.
-- 
derek




More information about the Ubuntu-devel-discuss mailing list