[Air-L] Re: The end is nigh

Thomas Jones thomasallenjones at gmail.com
Wed Oct 27 20:36:42 PDT 2010


        
Hi Sharon,

If you understand layered communications, it all starts with network hardware. It has to before you even reach a website. It's the network hardware that allows you to perform ARP poisoning, view TCP sessions, man in the middle attacks, etc, especially over wireless networks. Your connection to the internet, and the sites therein begin with network hardware and how they handle, encrypt, and establish sessions with your computer, before even reaching sites on the internet. The exploitation by Firesheep requires an unsecured network. That security is the responsibility of the network device providing you service to the Internet itself.

HTH,
        
-- Thomas Jones
http://www.ThomasAllenJones.com
http://twitter.com/OtherTomJones
http://www.linkedin.com/in/TheOtherTomJones
Sent with Sparrow
		
		
        On Wednesday, October 27, 2010 at 11:06 PM, live wrote:
        
> Thanks for the response Thomas!
>
> I still believe that it's not a hardware network issue, but rather a site specific issue - especially, as many tend to share wifi networks in public spaces (think coffeeshop, airport.) I think this is something the Amazons, Googles, and Facebooks of the world must close on themselves and serve sites that are fully encrypted https.
>
> The futures I see, as we grow in data encryption this year (especially with cloud computing becoming so big) make me feel like I'm in Bladerunner.
>
> -Sharon
>
> On Oct 27, 2010, at 7:56 PM, Thomas Jones wrote:
>
>> To resolve this security issue, you'd need to use an 802.1x solution which unfortunately is overkill, and quite honestly too complicated for an average home user to use on their home wifi routers. This of course isn't about home users, but rather anyone who chooses to implement a "standard" setup of a home router. The problem is that our "standards" are quite lax, and to be frank, are too low. I have skimmed over some blog posts about using TLS to resolve the issue, but I have not had a chance to dive into this further.
>>
>> It is our responsibility as educated and fluent industry professionals, ethically and otherwise, to not only educate but simplify the complexities of IT security to our laymen counterparts. It is also the due diligence of major hardware vendors such as Netgear, Linksys (Cisco) et al to make the complexities of their software simple enough for novice users to secure devices (or internet access) in such a manner that protects the users who are unable to protect themselves. It by no means is a legal obligation, but I dare anyone to contest that it's not the right thing to do.
>>
>> Some corporations use dot1x, some do not. It requires some type of intermediary authentication mechanism such as RADIUS or TACACS. In short it's an identity based security solution which secures your connection to the internet.
>>
>> I will investigate further but my schedule is absolutely slammed this week.
>>
>> HTH,
>>
>> -- Thomas Jones
>> http://www.ThomasAllenJones.com
>> http://twitter.com/OtherTomJones
>> http://www.linkedin.com/in/TheOtherTomJones
>>
>> One should guard against preaching to young people success in the customary form as the main aim in life. The most important motive for work in school and in life is pleasure in work, pleasure in its result, and the knowledge of the value of the result to the community.
>> -- Albert Einstein, On Education --
>>
>> Sent with Sparrow
>>
>> On Wednesday, October 27, 2010 at 10:31 PM, live wrote:
>>
>>> I'm slightly tongue in cheek with that subject line, however something has come to pass this week which may change everything.
>>>
>>> So for many years, security for typical online users has only been a passing thought, if a thought at all - so many users use the web via non end-to-end encrypted http.
>>>
>>> This week at Toorcon 12 (hacker conference), a developer Eric Butler released a Firefox add-on called Firesheep that has put many major site engineers in a tizzy.
>>>
>>> Using this quick, easy add-on a user can easily hijack the authenticated Facebook sessions of people sharing the same wi-fi network. Or any site's session, not just Facebook, if it's unencrypted. Basically, you can control another user's Facebook account if they are logged into Facebook on the same wifi network as yourself. Or you can Twitter as them. Or be on Amazon or Google. All by downloading this little plug-in. Think your information's safe at the airport, using their wifi network? Think again.
>>>
>>> I've downloaded the plug-in and know that it works.
>>>
>>> So, my interest leads to these kinds of questions: how is this going to change our society's view on security? It only takes one incident in the news - say a tragic event befalls someone who had a stalker - before the lawsuits begin flying and no amount of tight legal EULA will stop this digital economy from slowing way down. Will Mom and Pop Wilson get to understand what an encrypted http is? Are we growing up in our society's education & understanding of technology?
>>>
>>> Would love some feedback on these thoughts.
>>>
>>> Firesheep can be found here: http://codebutler.com/firesheep
>>>
>>> Cheers,
>>> @SharonG
>>>
>>> [Non-traditional undergraduate student still looking for an Anthropology or Experimental, Applied, or Social Psychology graduate program to call home. Suggestions welcome.]
>>>
>>> _______________________________________________
>>> The Air-L at listserv.aoir.org mailing list
>>> is provided by the Association of Internet Researchers http://aoir.org
>>> Subscribe, change options or unsubscribe at: http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
>>>
>>> Join the Association of Internet Researchers:
>>> http://www.aoir.org/
			
			
			
			
        
		
		
    




More information about the Air-L mailing list