Matthew Saltzman wrote:
On Tue, 2008-02-19 at 14:19 -0500, Bill Davidsen wrote:
Tim wrote:
Bill Davidsen:
You read different security books than I do, mine say you should make
every single step as hard as possible, even if there's a workaround the
intruder may not know it.
You're still missing the point completely:
IT DOES NOT, IN *ANY* WAY, MAKE IT HARDER FOR A HACKER TO HACK INTO YOUR
WIRELESS LAN WHEN YOU STOP "BROADCASTING" THE SSID. *THEY* DO *NOT*
NEED YOU TO BROADCAST IT TO BE ABLE TO HACK IT. IT GIVES YOU ZERO
BENEFIT AND EXTRA PROBLEMS.
Caps don't make you right, nor do bogus arguments. The object is to make
it less appealing to people just looking for a hot spot to use without
paying Starbucks, not to block serious hackers. And if they see one with
some vendor's default SSID and one with no visible SSID, which do you
think they use?
As far as problems (sorry, "PROBLEMS") haven't had or seen any in years,
not sure what hidden SSID would hurt.
Several of the wireless drivers have a great deal of trouble with hidden
SSIDs. The Intel drivers have been notorious pains in the <> about it
until about a week or so ago. The latest kernel patches from John
Linville and a version of NetworkManager that's currently in pre-testing
finally seem to have solved the problem. But it's been years. For a
number of reasons, hidden SSIDs seem quite difficult to get right in the
driver.
Ah ha, then that's a limitation I haven't had. I'm running the IPW2200
driver on most laptops, and even as far back as FC4 I haven't had a
problem connecting. Good thing to keep in mind if I see this, though,
new generation of laptops will be deployed this year.
Do you hear me now? How hard is it to understood that message? Hiding
it does NOT give you ANY security benefits. Not one, not even a little
bit, not even a teensy tiny little bit. You're deluding yourself, start
making your tinfoil beanie, now, if you think that sort of rubbish
helps.
You clearly don't believe that part of security is avoiding attacks. The
reason to put ssh on a non-standard port is not because it makes it
harder to crack, just because it gets less casual attention. Like a
burglar choosing between the dark house with the empty garage or the one
with lights on, cars in the driveway, and a "beware of dog" sign,
someone looking for easy pickings takes the easy target.
If you think that discouraging wannabees isn't worth it, feel free to
set your SSID to "Free Public Access" if you want.
If you want to discourage casual browsers, just encrypt the channel.
WEP is no more of a barrier to anyone with a serious will to connect,
but it's at least as good at stopping casual connectors. It also stops
casual eavesdroppers, but again, not anyone serious about listening in.
Do run WEP, router doesn't support WPA so I am using OpenVPN once
connected. Since all the laptops need to use hotspots and random wired
connections, OpenVPN is installed everywhere.
We had a lecture last fall by security researcher Rick Farina. He
finally seems to have convinced our wireless network admins to give up
on hidden SSIDs. His point? They don't provide any additional security
and they annoy people who should be able to connect legitimately.
WPA2 is about the only halfway serious measure you can take short of
requiring a VPN.
If the laptops are used on the road, encryption of partitions and a VPN
seem like a slightly better than average compromise, while usable beyond
some really paranoid setups.
Thanks for the input on blank SSID, happily haven't seen it, but I have
a box of PCMCIA cards on my desk which I have to shake out, we may
change SSID if the drivers are so limited (or I might think of hacking
the driver).
--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
