Comments on: WiFi, Encryption & Clue Density http://ddos.arbornetworks.com/2006/07/wifi-encryption-clue-density/ A weblog dedicated to educating the community on security threats that matter Sun, 29 Jan 2012 02:23:23 +0000 hourly 1 http://wordpress.org/?v= By: Chris Morrow http://ddos.arbornetworks.com/2006/07/wifi-encryption-clue-density/comment-page-1/#comment-578 Chris Morrow Fri, 28 Jul 2006 07:07:33 +0000 http://asert.arbornetworks.com/2006/07/wifi-encryption-clue-density/#comment-578 I think both of the previous comments miss the greater point: "Security is more than a firewall or AV solution, it includes authentication information as well." Do the criminals stealing your info care about the 'laws' regarding dsniff or 'wiretaps'? No, obviously not. Do they care about the legality of using their ill-gotten authentication information later? No. One thing that scares me about authentication information being sent in the clear is that on average users have only 4-5 passwords. So, given one, I can probably 'break into' 1/4th of that user's logins. This is scary. It's not a call for 'better, more diverse passwords for all' it's a call for 'better, more pervasive secure authentication systems for all'. I'd venture to guess that, like me, many users just use whatever authentication system is provided to them. Their corp IT folks don't see the 'need' for 'secure authentication' or can't make it work (applying a x.509 cert is so very hard these days, eh?) or just don't care. It's not always the user's fault :( I appreciate the entry though. Thanks! I think both of the previous comments miss the greater point: “Security is more than a firewall or AV solution, it includes authentication information as well.” Do the criminals stealing your info care about the ‘laws’ regarding dsniff or ‘wiretaps’? No, obviously not. Do they care about the legality of using their ill-gotten authentication information later? No.

One thing that scares me about authentication information being sent in the clear is that on average users have only 4-5 passwords. So, given one, I can probably ‘break into’ 1/4th of that user’s logins. This is scary. It’s not a call for ‘better, more diverse passwords for all’ it’s a call for ‘better, more pervasive secure authentication systems for all’.

I’d venture to guess that, like me, many users just use whatever authentication system is provided to them. Their corp IT folks don’t see the ‘need’ for ‘secure authentication’ or can’t make it work (applying a x.509 cert is so very hard these days, eh?) or just don’t care. It’s not always the user’s fault :(

I appreciate the entry though. Thanks!

]]> By: Thomas H. Ptacek http://ddos.arbornetworks.com/2006/07/wifi-encryption-clue-density/comment-page-1/#comment-571 Thomas H. Ptacek Thu, 27 Jul 2006 18:26:13 +0000 http://asert.arbornetworks.com/2006/07/wifi-encryption-clue-density/#comment-571 You know that in Michigan, where the Arbor research team is based, owning a copy of dsniff is also illegal? You're goin' down, Danny. 2006's first Super DMCA casualty. You know that in Michigan, where the Arbor research team is based, owning a copy of dsniff is also illegal? You’re goin’ down, Danny. 2006′s first Super DMCA casualty.

]]> By: Richard Bejtlich http://ddos.arbornetworks.com/2006/07/wifi-encryption-clue-density/comment-page-1/#comment-558 Richard Bejtlich Thu, 27 Jul 2006 01:10:48 +0000 http://asert.arbornetworks.com/2006/07/wifi-encryption-clue-density/#comment-558 You know that you're conducting a wiretap, and that in the United States that is illegal? You know that you’re conducting a wiretap, and that in the United States that is illegal?

]]>