Changes

From Security Weekly Wiki
6,581 bytes added ,  19:23, 5 July 2007
== Wireless Guest Network: Part I ==
Equipment Used:
= Listener Feedback and News =
== Steve Gibson Clarification ==

<pre>I have been listening to your podcast for several months now and I
find it fun to listen to but also informative...... a lot of the time.
I am a little confused about the jibs and jabs at Steve Gibson. I know
Steve has been around for a while, as a matter of fact, I didn't even
know he had a podcast. So I went back and gave a listen to one or two of
them. Granted the subject matter is a little more rudimentary and there's no
doubt that it is directed at less experienced Windows users. The few
podcasts I listen to though seemed like they would benefit those that might
listen to it. Is this a private joke between pauldotcom and GRC ? Or have I
just not been listening long enough ?

=========================================================================
Is linux saying the king has no clothes ?

Gary Keen</pre>

[PaulDotCom] - So let's clear the air about Steve Gibson. First, he has done much good for the security community, no doubt. Say what you will about him, he has contributed stuff that has helped improve the security of the Internet. However, we pick on him because he's an easy target, shame on us. HOWEVER, he does have tons of listeners and will often say things that are not technically correct (heh, so do we), but will then go uncorrected. We have written them several times to help correct them, with no response. They don't seem to want to collaborate and communicate with us in the same manner that *Every other security podcast in production today* has and continues to. We have a great working relationship with Cyberspeak, Hak.5, Sploitcast, and many others. Security Now! just chooses to ignore us, making them the target of public ridicule because well, they are an easy target and we have no spine (Kidding!!). Another thing, Steve often presents things in a confusing manner, and I think this is because he tries to explain some of the more advanced security topics to an audience with a very low level of computer knowledge. Sometimes, this just doesn't work no matter how hard you try and causes confusion (hence the sweeper). So, we don't dislike Steve or Security Now!, but we have our moments with them.

== Guiding RF (Jim S.) ==
<pre>In episode 76 when you were discussing the new WiFi distance record, Nick was saying you can't direct a radio wave in flight. We beg to differ. <pictures of waveguide></pre>
== Blackholing MySpace (Chris B. writes) ==
Email added by [Larry]:
<pre>Hi Paul,
== Email added by [Larry] (Shlomo D. writes) ==
<pre>I was thinking about what you guys said in Episode 72. It seems that
[Larry] Wow, so much seems to be wrong here. Let's discuss - onsite, policies, education, identifiable information....
 
== Zigbee Security (Grimreaper) ==
 
<pre>Guys,
 
Just want to say still enjoying the podcast, it makes the commute easier,
keep up the good work.
 
I'm considering taking a new job and one of the projects I would be working
on deals w/the ZigBee wireless standard. I'm no expert but I've heard it
compared to BlueTooth and that was a bit concerning in light of reading
about hacks for that standard.
 
I was wondering if you know about ZigBee and what your opinions might be
where security is concerned.
 
 
Thx,
 
Grim Reaper</pre>
 
[PaulDotCom] - I found this resource: http://www.cs.berkeley.edu/~nks/papers/15.4-wise04.pdf "Security Considerations for IEEE 802.15.4 Networks" and if I remember correctly, Josh said that it suffers from many of the problems that Bluetooth and 802.11 suffer from in authentication of mgt frames.
 
== Kismet on WRT54G (Jason) ==
 
<pre>Hey guys,
I'm mucking around with kismet on my wrt and can't get the thing to report
the power levels of the networks around. Have you guys run into this? I've
been all over, but so far no luck. Any suggestions?
 
Jason</pre>
 
[PaulDotCom] - Broadcom drivers suck and don't give you the RSSI info. However, using Kamikaze and the 2.6 kernel you can get Atheros drivers to work on your platform. No configuration in /etc/config, however you can use the wlanconfig commands to configure. You will then need to compile Kismet drone with Atheros support, which I just haven't gotten around to.
 
== WEP & WRT54G Models (Andy) ==
 
<pre>Hey, I "discovered" the Hak5 podcasts and they mentioned your site. I watched episode 66 the other day and had a few questions.
 
Which is the better alternative to WEP, standard stuff available on most routers? The stuff I've seen since I heard the podcast suggests WPA, but even that isn't very strong (coWPAtty, etc).
 
Are there any video postings of the Episodes, besides the TV episodes?
 
You all talked about the WRT54G. I read that only versions 1-4 were usable (Linux versions), then Linksys switches systems after that. Is that not true or were you guys mostly referring to the WRT54GS? And then the most important question is where to get a WRT54G (v1-4) or WRT54GS at a good price. I expected wardriving.com to have something but they linked to the Linksys site.

Thanks for the help.
 
Andy</pre>
 
[PaulDotCom] - <Shameless Book Plug>There is a hack in the book that shows you how to get WPA-Enterprise working on a standalone WRT54G. This is the most secure option, and does not have the vulnerabilities that are contained within WEP or WPA-PSK. The WRT54GL router is the one recommended in the book and is still produced by Linksys for hacking. The WRTSL54GS is great too and used in the book too, it's $99 if that fits into your budget. With respect to war driving, the book has an awesome hack, pioneered by renderman and improved upon by Larry, called war-driving in a box!</Shameless Book Plug>
 
== Secure Web Development (d4ncingd4n) ==
 
<pre>"Twitchy" has mentioned several times how much Java, PHP, AJAX, and
Web 2.0 in general suck. Recognizing that programs can be written
insecurely in any language, what do you guys feel is the best
development platform that
balances security, responsiveness, ease of development/deployment, and
scalability for a client-server environment? What are the reasons for your
opinions? I would prefer to use open source to avoid drinking the MS
Kool-aid (and besides my company is cheap...).
 
I have a couple of suggestions for the show: 1) On the website, keep a list
of the beers you mention. Sometimes you mention a really good beer but,
since I don't know how the name is spelled, I can't find the beer so I can
try it also. 2) On the website, keep a list of resources available for
learning such as the SANS reading room, SecurityForest, OWASP project,
especially links to podcasts of the various conferences.
 
Here's some demographics..
First computer: VIC-20 (I still have it along with "Compute Gazettes". I
used to start a program load from cassette and then walk to buy beer at the
corner market.)
Location: Nashville, TN
Job title: Network admin
Newest gadget: Nokia 770 (love it)
 
Keep up the good work!
 
D4ncingD4n </pre>
 
[PaulDotCom] - I would suggest using whatever web application platform you are most comfortable with, take SANS Secure coding courses and web application courses, and regularly audit your code and application.