Wireless insecurity at NANOG meetings

Sun Sep 22 11:11:07 UTC 2002

On Sat, 21 Sep 2002, Richard A Steenbergen wrote:

> Would WEP solve anything other than keeping the casual person on the
> street who doesn't know what NANOG is from getting free bandwidth for a
> couple days? I don't think so.

The trouble is that not using WEP looks like you're not bothering with the
low level of security that's available in wireless. The fact that WEP only
adds a 15 second - 15 minute delay to full access to the network both for
legitimate and not-so-legitimate users means it offers more annoyance than
security, but that doesn't alter the perception.

> There are also people ssh'ing to personal and corporate machines from
> the terminal room where the root password is given out or easily
> available.

Are you saying people shouldn't SSH?

> Clearly *SOME* NANOG participants aren't terribly security conscious. But
> are these the experienced network operators, or just the people who show
> up because someone at their company thinks its a network training camp?

The real question is: how far we want to go in protecting people against
themselves? If the answer is: far, fine: then filter the wireless network
for everything that isn't SSH, SSL or some kind of VPN. Otherwise they'll
learn the hard way, just like why it's important to back up your files.

> That's what the password board is for I guess.

Even more fun would be to scan for email headers and send messages back to
the originator that the message is being read over insecure means. That
should get some people's attention...

However, I think it's dangerous to talk about how insecure everything is
all the time. At some point, people are going to think it's no use to even
try securing their stuff and just give up. It would be better to deliver a
more positive message: if you use SSH, SSL and/or a VPN, you can do
whatever you want over a wireless connection without running bigger risks
than at home or at the office.