Wireless at Osh

"David Dyer-Bennet" wrote in message
...
john smith writes:

In article ,
"Brian O" wrote:

"john smith" wrote in message

...
In article , John T
wrote:

This has been a recurring topic with no clear answers.

I say, hoof it over to the hilton. They have wireless for their
guests.
There is no sign on page, but I have no idea what their range is.

And someone will be sitting there with their laptop watching
everything
streaming by in the ether. Google "ethereal" for more information.
:-))
Beware of ARP cache poisoning, also.
Never use any program which transmits any of your passwords over an
open
wireless network.

Why would you not want to use any programs that transmits any
passwords?
They are just as encrypted as they would be over a landline or dsl
connection.

Unless you are logging into a private VPN service through the open wifi
connection they are not. Beware of the man-in-the-middle!

Well, https is encrypted, for web stuff. Mostly, though, I connect
back to important places via SSH, which is very carefully encrypted.
If you've connected from that laptop to that destination before, SSH
also remembers the host key info, and can then detect
man-in-the-middle attacks, as can https.
--
David Dyer-Bennet, , http://www.dd-b.net/dd-b/
RKBA: http://www.dd-b.net/carry/
Pics: http://dd-b.lighthunters.net/
http://www.dd-b.net/dd-b/SnapshotAlbum/
Dragaera/Steven Brust: http://dragaera.info/

What is SSH? I guess Im right about the https being encrypted. I doubt you
would have any problems as long as you are using web stuff.
B

"Brian O" wrote in message
...
What is SSH?

A simplistic description would be that it's telnet with security.

I guess Im right about the https being encrypted.

By definition, https is encrypted. But then, I didn't see you make any
statement like "https is encrypted". How are you right?

I doubt you
would have any problems as long as you are using web stuff.

It just depends. Many users don't have a clue whether they are using an
encrypted link or not (http vs https). Any web site dealing in sensitive
information *should* be using https, but the user should confirm that and
I'll bet the majority don't even know *how* to confirm it, never mind do
they do so.

Also, not all POP, SMTP, or NNTP servers require encrypted passwords and
many users may not be using encrypted passwords. Heck, as far as I can
recall, the DUAT web sites don't use https.

As far as your original statement that "They are just as encrypted as they
would be over a landline or dsl connection", I suppose that's true depending
on your definition of "encrypted". Technically, with respect to the actual
data being transmitted over the Internet, you're right. But the very nature
of a wireless network makes it less secure. It is relatively safer to
transmit unencrypted data over a hard-wired network connection than it is to
do so over a wireless connection, because it's more difficult to extract the
data being sent over a hard-wired network connection than it is to do so
over a wireless connection (especially a public one that is likely not using
any encryption such as WEP or WPA).

Of course, that said, I think it's a good idea for anyone to treat *any*
public or quasi-public network connection as unsecured and equivalent to
wireless whether wireless or not. Not that one's home DSL connection is
guaranteed to be secure either, but the likelihood of someone intercepting a
private line like that is fairly remote, especially compared to the
likelihood of a public service provided by a third party being compromised.

And of course, *that* said, there's probably not much reason for a user to
not be avoiding plain-text passwords and sensitive data regardless of their
network connection. So the advice to not use such things on a wireless
network is perfectly valid, but probably ought to be applied across the
board and not just while at OSH.

Pete

In a previous article, "Peter Duniho" said:
And of course, *that* said, there's probably not much reason for a user to
not be avoiding plain-text passwords and sensitive data regardless of their
network connection. So the advice to not use such things on a wireless
network is perfectly valid, but probably ought to be applied across the
board and not just while at OSH.

If you are on a public wireless network with your own laptop, you should
make damn sure that any site you care about your passwords for (email,
banking, etc) are using ssl to connect (https is http over ssl).

You should also assume that any public access computer, wired or wireless,
is infested with keyboard sniffer programs and hardware and any password
you use on those systems will be immediately captured and sent to people
who will use them for neferious deeds. Never read your email or visit a
banking site at a public access computer (especially not in "internet
cafes"). Even if they wipe the software and reinstall it after every user
(and most places dont), a person could install one of these:
http://www.thinkgeek.com/gadgets/electronic/5a05/ or
http://www.thinkgeek.com/gadgets/security/7af2/
and capture every keystroke on the computer without anybody knowing.

--
Paul Tomblin http://xcski.com/blogs/pt/
Died. Woke up in Hell. Punched in PIN, logged on. Just another day.
-- David Gerard