Security Basics mailing list archives

RE: Wireless Security


From: "Herman Frederick Ebeling, Jr." <hfebelingjr () lycos com>
Date: Tue, 18 Oct 2005 22:58:45 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----Original Message----
From: Austin Murkland [mailto:amurkland () merydion com]
Sent: Tuesday, 18 October, 2005 20:40
To: hfebelingjr () lycos com; security-basics () securityfocus com
Subject: Re: Wireless Security

: Herman Frederick Ebeling, Jr. wrote:
:: -----BEGIN PGP SIGNED MESSAGE-----
:: Hash: SHA1
::
:: - ----Original Message----
:: From: Alloishus BeauMains [mailto:all0i5hu5 () gmail com]
:: Sent: Tuesday, 18 October, 2005 09:34
:: To: hfebelingjr () lycos com
:: Cc: security-basics () securityfocus com
:: Subject: Re: Wireless Security
::
::: Good points.
:::
::: A good level of paranoia isn't bad, as it will normally lead people to
::: take at least rudimentary precautions and take those reasonable
::: measures I mentioned.
::
:: Yep, gotta agree that a little paranoia isn't a bad thing.  It's only when
:: one reaches the "foil hat" stage that things
:: have been taken to too far of an extreme. . .;-)
::
::: However, I note that there is a difference between the two analogies.
::: In the situation you mentioned, a person was allowed to use the car.
::: In that case, of course, the person who allowed an untrustworthy
::: person to use the car could be held accountable.
::
:: Ok, this one I think we need to disagree to.  Just because person a) loans
:: person b) his/her car doesn't mean that they
:: should be held accountable for what that friend does.  Let's say that the
:: friend in question instead of using the
:: borrowed car to "run" drugs gets involved in a hit-and-run accident killing
:: an innocent bystander.  Does that mean that
:: the owner of the car should be held responsible?
::
:
: I'm not a lawyer, but I'm quite sure that in some circumstances, that's
: EXACTLY what happens.  Welcome to the American legal system.

I know, "tain't perfect, but it's the only one we've got."

::  The same is true with
::: a wireless connection. If you explicitly give someone permission to
::: use the wireless connection, and then they use it for nefarious
::: purposes, then you could be held liable.
::
:: On this one too, I'd have to think that we'll have to again, disagree.
:: That's like saying that someone who has say an
:: account with NetZero and they d/l "tons" of kiddie porn.  Does that make
:: NetZero "guilty" as well???  I don't think so,
:: and I think that their lawyers would agree with me.  Or that'd be like saying
:: just because the criminals use the roads
:: to conduct their illegal activities that those who built the roads are also
:: somehow "guilty" because of it.
::
: NetZero and similar services have indemnity clauses that you sign/agree
: to before using the service to protect it from EXACTLY what you mentioned.

Granted, I'm no lawyer either, but I always thought that an absence to agree was
not to be taken as an agreement.

::  If you give someone
::: permission to use your mailbox, and they decide to slip a brick of
::: coke in there, then you might be held liable.
::
:: I would think that one would have to have an idea of WHY someone was wanting
:: to use their mailbox and allow it to
:: happen.  Or another way to look at it is like this.  Say someone rents a
:: mailbox at a private company and they get
:: "10-keys" of coke delivered to them at THAT address.  Does that make the
:: private company just as guilty, as the persons
:: who placed the order?
::
:
: Again Waiver/Clauses protecting them that you, *YOU* have to sign.  The
: absence of those waivers means YES, they are liable.

Again, I'd have to say that the absence of a waiver is/or should be taken as an
agreement to the crime that may have been committed.

:::
::: On the flip side, if you didn't give them permission, then they are
::: stealing. If your friend did not give his other friend permission to
::: use the car, and it is found to have drugs, then your friend would
::: report the car as stolen, which should, in a normal circumstance,
::: absolve him of any wrongdoing.
::
:: Sadly the Military doesn't work the way that "normal" people think that it
:: should. . .
::
: that...doesn't make sense.  he's right, by reporting it stolen he
: absolves himself from any wrongdoing that occurred while he was not in
: possession of his property.

You'll get no argument from me about that.  The Military IS the only place that
I know of where two wrongs DO make a right.

:::
::: I would imagine that if you came home from work, and checked your
::: mailbox and found a brick of coke, then the most appropriate action
::: would be to call the police (No, not keep it and snort it, and no, not
::: sell it......the other dude might come looking after all). I would
::: also imagine that if you told the police the situation...that you just
::: checked your mail and there is a brick of coke, then they would
::: probably leave you alone after a few questions and probably send some
::: patrol cars to check out your neighborhood, stake out your
::: mailbox...etc etc.
::
:: Unless the person who put the brick of coke in your mailbox was dumb enough
:: NOT to wrap it in a "plain brown" wrapper
:: how would one know that it was coke until AFTER they opened the package???
::
: I'm not sure what this analogy has to do with Wireless security...

Sorry, was trying to show that it'd be next to impossible to know that there was
a brick of coke in a package in their mail unless they opened said package. . .

:::
::: Likewise, many cities/states now have cybercrimes units that you could
::: call if you suspected someone using your network, and you can normally
::: call your isp and let them know of unauthorized activity.
::
:: That's good to hear.
::
: abuse () domainofipaddressyoudidaWHOISon com is where you usually wanna
: send that stuff... after 2 weeks with no response and repeated
: attempts, contact the local police, then the FBI.
:::
::: Lastly, the solution to this is the same as the solution to many other
::: issues....simply awareness. Many 70+ elders, for instance, would not
::: imagine that using their credit card over an unsecured network might
::: pose a risk. Most people simply need to be educated. In some cases, it
::: actually takes a bad occurrence (such as ID theft) to make someone see
::: the light.
::
:: Yep, education IS the key to everything, which is why I started this in the
:: first place.  And I've learned that just
:: because something is "too" fantastic doesn't mean that someone won't have
:: thought of it.  Which is/was something that
:: we were told when I was in the Army.  If captured don't even make up any
:: "plans" to tell the captors cause ya never
:: know IF someone hasn't already put those "plans" to work. . .
::
: Educating people on security risks is a losing battle.  I refer you to
: the creator of the firewall, Marcus J. Ranum for more on that.

Sadly, I think that that is true in most situations, NOT just computer security.
A good example is what happened when I went through BASIC, I was telling my
fellow recruits that when we got to the desert to check their boots when they
got up in the morning, to move out of their sleeping bags before getting into
them and before getting out of them.  For snakes, spiders, and such.  They all
pretty much blew me off thinking that I didn't know what I was talking about.
UNTIL we went through the safety briefings before going to the desert for our
training.  We were told EXACTLY the same thing that I'd been telling them. . .

:::
::: PS: On a side note, I noticed that this did not get posted to the
::: Internet, or web. Am I posting this to the mailing list? Or am I
::: responding just to you? Is everyone seeing this, or just you? Do I
::: need to do anything other than reply? reply all? Or do I need to put
::: security-basics () securityfocus com in the send address?
::
:: I think that ya need to hit the reply all button, and IF the
:: security-basics () securityfocus com address isn't there then
:: ya need to add it.
::
:: Herman
::
:: -----BEGIN PGP SIGNATURE-----
:: Version: PGP 8.0.3
::
:: iQA/AwUBQ1VmWx/i52nbE9vTEQK05wCfW0Voy4JMHhBBaZMqYBsOxMXrsioAn3yW
:: ZM086qyScefvvqP/zPbg2lIp =kiJo
:: -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQ1W1ZB/i52nbE9vTEQKZ7gCcDERitXVM24wuYegOYrJ19w1o65EAnA9L
7PrxuZ/NaWgE3TAvPaxsc0Hs
=5+Iu
-----END PGP SIGNATURE-----


