On Tue, 2008-02-19 at 14:19 -0500, Bill Davidsen wrote:
> Tim wrote:
> > Bill Davidsen:
> >> You read different security books than I do, mine say you should make
> >> every single step as hard as possible, even if there's a workaround the
> >> intruder may not know it.
> >
> > You're still missing the point completely:
> >
> > IT DOES NOT, IN *ANY* WAY, MAKE IT HARDER FOR A HACKER TO HACK INTO YOUR
> > WIRELESS LAN WHEN YOU STOP "BROADCASTING" THE SSID. *THEY* DO *NOT*
> > NEED YOU TO BROADCAST IT TO BE ABLE TO HACK IT. IT GIVES YOU ZERO
> > BENEFIT AND EXTRA PROBLEMS.
> >
> Caps don't make you right, nor do bogus arguments. The object is to make
> it less appealing to people just looking for a hot spot to use without
> paying Starbucks, not to block serious hackers. And if they see one with
> some vendor's default SSID and one with no visible SSID, which do you
> think they use?
>
> As far as problems (sorry, "PROBLEMS") haven't had or seen any in years,
> not sure what hidden SSID would hurt.

Several of the wireless drivers have a great deal of trouble with hidden
SSIDs. The Intel drivers have been notorious pains in the <> about it
until about a week or so ago. The latest kernel patches from John
Linville and a version of NetworkManager that's currently in pre-testing
finally seem to have solved the problem. But it's been years. For a
number of reasons, hidden SSIDs seem quite difficult to get right in the
driver.

>
> > Do you hear me now? How hard is it to understand that message? Hiding
> > it does NOT give you ANY security benefits. Not one, not even a little
> > bit, not even a teensy tiny little bit. You're deluding yourself, start
> > making your tinfoil beanie, now, if you think that sort of rubbish
> > helps.
> >
> You clearly don't believe that part of security is avoiding attacks. The
> reason to put ssh on a non-standard port is not because it makes it
> harder to crack, just because it gets less casual attention. Like a
> burglar choosing between the dark house with the empty garage or the one
> with lights on, cars in the driveway, and a "beware of dog" sign,
> someone looking for easy pickings takes the easy target.
>
> If you think that discouraging wannabes isn't worth it, feel free to
> set your SSID to "Free Public Access" if you want.

If you want to discourage casual browsers, just encrypt the channel. WEP
is no more of a barrier to anyone with a serious will to connect, but
it's at least as good at stopping casual connectors. It also stops
casual eavesdroppers, but again, not anyone serious about listening in.

We had a lecture last fall by security researcher Rick Farina. He
finally seems to have convinced our wireless network admins to give up
on hidden SSIDs. His point? They don't provide any additional security
and they annoy people who should be able to connect legitimately.

WPA2 is about the only halfway serious measure you can take short of
requiring a VPN.

-- 
Matthew Saltzman

Clemson University Mathematical Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs