Well said, Greg. I agree.
<!-- Harjit -->
-----Original Message-----
From: Technology Discussion at UVM [mailto:[log in to unmask]] On
Behalf Of J. Greg Mackinnon
Sent: Friday, January 20, 2006 11:06 AM
To: [log in to unmask]
Subject: Re: Wi-Fi security flaw to be fixed in 2007
Stef:
My reply was not intended as a personal attack. I am very sorry if it
seemed that way.
My main point is that we need to be conservative in our reactions to
security bulletins. I get at least 30 messages a day from security
mailing lists. (It used to be closer to 120... I had to pare down my
subscriptions for sanity.) If I took every note at face value, I would
be too afraid to get out of bed in the morning. Do we need to pay
attention to these announcements? Yes. Should we share information
that we deem important with our co-workers and clients? Of course! Do
we need to react to every bulletin? No.
Cordially,
-Greg
Stefanie Ploof wrote:
> Phil and Greg -- good morning to you, too. :) That is why I chose
> IT-DISCUSS, where techs can read the info and decide to discuss it or not,
> but it's not broadcast-worthy. It's information for anyone who wants it.
>
>
> On Fri, 20 Jan 2006, Philip Plourde wrote:
>
>
>> So this threat is about as dangerous as being connected to a network
>> with other computers while having file sharing turned on.
>>
>> I love this line in particular:
>> "This would allow the two machines to associate together, potentially
>> giving the attacker access to files on the victim's PC."
>>
>> Associate together? Is that like having tea?
>>
>> This feature, that I believe was deactivated with SP2, is one of the
>> first questions we get from people with a new notebook. They take the
>> machine home and find that it won't talk to their home wireless
>> gateway/router. You either have to create a wireless profile for your
>> home system and allow it to connect, or you throw the switch back to
>> auto connect to any available network. If you offer the security
>> prudent solution and create the profile, your third support call will be
>> a few months later with them in their hotel room at some conference and
>> their machine will again not connect to the latest wireless network they
>> encounter.
>>
>> The bottom line is still the same: If you are not accessing your files
>> remotely, leave file sharing blocked by the firewall. Regardless of
>> whether you access files remotely, have good passwords on all accounts
>> on the machine, especially Administrator, which should be renamed anyway.
>>
>> The vector of attack here is the mere ability to pass IP traffic to your
>> machine. If that worries you, I'd consider one word very carefully:
>> CatsPAWS
>>
>> Phil.
>>
>>
>> Stefanie Ploof wrote:
>>
>>> Microsoft has acknowledged a wi-fi security flaw in their operating
>>> system, but will not offer a patch until 2007 when Windows XP SP3 is
>>> released:
>>>
>>> http://newsletters.zdnetuk.cneteu.net/t/103590/1882716/78546/0/
>>> http://news.zdnet.co.uk/internet/security/0,39020375,39247302,00.htm
>>> http://news.zdnet.co.uk/software/windows/0,39020396,39247733,00.htm
>>>
>>> If you follow the chain of ZDNets you'll see that Vista is taking
>>> priority over XP SP3, hence the delay.
>>>
>>>
>>> ----
>>> Stefanie Ploof
>>> CIT Client Services
>>> CALS Information Technology Office
>>> University of Vermont, Burlington
>>>
>>>