January 2006


"Dhaliwal, Harjit" <[log in to unmask]>
Reply To:
Technology Discussion at UVM <[log in to unmask]>
Fri, 20 Jan 2006 11:59:38 -0500
Well said, Greg.  I agree.   

<!-- Harjit -->

-----Original Message-----
From: Technology Discussion at UVM [mailto:[log in to unmask]] On
Behalf Of J. Greg Mackinnon
Sent: Friday, January 20, 2006 11:06 AM
To: [log in to unmask]
Subject: Re: Wi-Fi security flaw to be fixed in 2007


My reply was not intended as a personal attack.  I am very sorry if it 
seemed that way.

My main point is that we need to be conservative in our reactions to 
security bulletins.  I get at least 30 messages a day from security 
mailing lists.  (It used to be closer to 120... I had to pare down my 
subscriptions for sanity.)  If I took every note at face value, I would 
be too afraid to get out of bed in the morning.  Do we need to pay 
attention to these announcements?  Yes.  Should we share information 
that we deem important with our co-workers and clients?  Of course!  Do 
we need to react to every bulletin?  No.


Stefanie Ploof wrote:
> Phil and Greg -- good morning to you, too. :)  That is why I chose
> IT-DISCUSS, where techs can read the info and decide to discuss it or
> but it's not broadcast-worthy.  It's information for anyone who wants
> On Fri, 20 Jan 2006, Philip Plourde wrote:
>> So this threat is about as dangerous as being connected to a network
>> with other computers while having file sharing turned on.
>> I love this line in particular:
>> "This would allow the two machines to associate together, potentially
>> giving the attacker access to files on the victim's PC."
>> Associate together?  Is that like having tea?
>> This feature, that I believe was deactivated with SP2, is one of the
>> first questions we get from people with a new notebook.  They take
>> machine home and find that it won't talk to their home wireless
>> gateway/router.  You either have to create a wireless profile for
>> home system and allow it to connect, or you throw the switch back to
>> auto connect to any available network.  If you offer the security
>> prudent solution and create the profile, your third support call will
>> a few months later with them in their hotel room at some conference
>> their machine will again not connect to the latest wireless network
>> encounter.
>> The bottom line is still the same:  If you are not accessing your
>> remotely, leave file sharing blocked by the firewall.  Regardless of
>> whether you access files remotely, have good passwords on all
>> on the machine, especially Administrator, which should be renamed
>> The vector of attack here is the mere ability to pass IP traffic to
>> machine.  If that worries you, I'd consider one word very carefully:
>> CatsPAWS
>> Phil.
>> Stefanie Ploof wrote:
>>> Microsoft has acknowledged a wi-fi security flaw in their operating
>>> system, but will not offer a patch until 2007 when Windows XP SP3 is
>>> released:
>>> If you follow the chain of ZDNets you'll see that Vista is taking
>>> priority over XP SP3, hence the delay.
>>> ----
>>> Stefanie Ploof
>>> CIT Client Services
>>> CALS Information Technology Office
>>> University of Vermont, Burlington