Re: Two wireless routers one network

On Fri, 27 Jan 2006 23:00:36 +0000, Mark McIntyre
<markmcintyre@xxxxxxxxxxx> wrote:

>Well, doesn't it? If you have to climb a wall, get past dogs, swim a
>crocodile infested lake, and then walk a minefield, isn't that more
>secure than just the wall? Do you dispute that the harder it is, the
>longer it takes, the less liklely it is?

I don't have a clear answer. If you're trying to stop the casual
drive by hacker, then almost any obstacle will suffice to stop them.
They simply don't have the time. However, if you're trying to stop
the neighbors 16 year old script kiddie from borrowing your broadband
because his parents have pulled the plug on his porno download habits,
methinks you'll find him willing to spend an inordinate amount of time
and effort in navigating the obstacle course. Stangely, I've found
more the latter type of hacker than the former.

>>why should I attack your home system via wireless when I can just hotwire
>>your ethernet cable that's running under your house?
>
>You think it'd be inconspicuous to dig a 3ft square hole through my
>drive or through the public highway? And you think that hiring the
>equipment required would be cheap enough to warrant theft of 2MB
>broadband?

That again depends on what you're trying to protect against. I
wouldn't bother with your home system. However, I've done the wiretap
trick successfully at businesses. I posted a story of a customer with
an expensive, highly encrypted, proprietary radio link between
buildings. I tapped into the system in the phone room in the hallway,
where the CAT5 to the roof went towards the server room. All the
wireless security in the world didn't do them any good when I can go
around it. Other examples if you need additional entertainment.

>Did you consider training the kids?

College kids. Impossible to teach them anything. We don't even speak
the same language.

>I suspect they'll grasp it much
>quicker than the parents. And frankly, if your clients are too stupid
>to get this right, then it doesn't matter what security you put in
>place, they'll be too thick to comprehend it.

My clients are not stupid. Many of them have impressive credentials
and advanced degrees. They're just not interested in the intricacies
of wireless and just want it to work. You might consider them lazy i
this regard, but they say they have better things to do than configure
routers. Since they pay my exhorbitant rates to do it for them, I
would think of disagreeing.

>I respect you on facts, but your opinion is definitely never humble,
>and often bull***.

I would be disappointed if everyone agreed with me. I'm prepared to
defend my allegations and conclusions. I'll admit that I've been
quite wrong in the past and expect to be wrong in the future. It
won't take much Googling to find my mistakes. I've also adequately
demonstrated that I'm an egotistical, arrogant, self-centered,
obnoxious, and irritating person who considers unsubstantitated
opinions to be no better than bull***.

>>security is in the monitoring, not the
>>implimentation. The best door lock is worthless if nobody checks to
>>see if the door is locked.
>
>I agree with this. Security is more than 50% social engineering.

I notice you didn't say anything about my comments about monitoring
being the "real" basis of security. I'm curious if you also consider
this to be bull***. I've done my share of social engineering and
suspect it's more like 25%. My guess is 50% is reading about how
others have done it, and adapting their techniques for the current
attack. In other words, research, reading, and understanding.

Speaking of social engineering, do some NetStumbling and find a few
wireless SSID's in the form of 2wireXXX. Try doing some social
engineering and try to get a complete stranger to show you the WEP key
label on the bottom of the 2wire router. Good luck.

Incidentally, I once watched a real security expert (name withheld)
hack his way into a 3DES protected VPN with a capture program, a
debugger, and some simple crypto tools. VPN's are about the ultimate
in multi-layer security obstacle courses. If you know how it works,
and what you're doing, your obstacle course is worthless. However,
once we had broken in, the IDS (intrusion detection system) belched
alarms all over the place. My cell phone had an SMS message showing
an intrusion alert about 2 minutes after we broke in. Like I said,
monitoring is what makes "real" security work.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@xxxxxxxxxxxxxxxxxxxxxx
# http://802.11junk.com jeffl@xxxxxxxxxx
# http://www.LearnByDestroying.com AE6KS
.