<div dir="auto">Corp email and phishing. What a pain.<div dir="auto"><br></div><div dir="auto">Maybe if there was a way to digitally sign email as a way to guarantee the source....</div><div dir="auto"><br></div><div dir="auto"></snark></div><div dir="auto"><br></div><div dir="auto">Security is hard and not easy for the lay person to grok. Trusting Apple and Google to protect us...., how many subpoenas do they fulfill every year?</div><div dir="auto"><br></div><div dir="auto">So much hardware for home use is "sell and forget" it borders on immoral. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Jun 4, 2023, 1:36 PM Solomon Peachy via Ale <<a href="mailto:ale@ale.org">ale@ale.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Sun, Jun 04, 2023 at 10:34:27AM -0400, DJPfulio--- via Ale wrote:<br>
> A few years ago (perhaps 3?), a flaw in wifi was discovered that had <br>
> been in the code since the beginning - over 20 yrs.<br>
<br>
The original Wifi WEP "security" was abysmally bad, and was considered <br>
completely broken 20 years ago, with the network keys capable of being <br>
recovered in less than an hour of passive sniffing.<br>
<br>
What was recently (2017) discovered ("KRACK") was a flaw in many <br>
*implementations* of the WPA/WPA2 key exchange protocol. Unlike the <br>
orginal WEP attacks, this one didn't allow for the key data to be <br>
recovered, and instead relied on forcing one end of the exchange to <br>
install what effectively amounted to a null key.<br>
<br>
Another difference -- the underlying protocol itself was fine, and <br>
implementations were easily(and rapidly) fixed. Assuming the vendor <br>
ever shipped an update, that is. (Yet another reason why you should be <br>
using Free Software on your infrastructure & devices!)<br>
<br>
> My CMMI training says, that if 1 bug is found, there's an 86% <br>
> likelihood of another bug existing in the same software.<br>
<br>
Pfft. If you assume anything other than 100% probability of eventually <br>
finding a flaw, you're a fool. So you have to design your system to <br>
asusming it's going to need to be updated.<br>
<br>
> If you want strong security, assume the protocols have bugs (known and <br>
> unknown) and take necessary steps to mitigate those. 1 method is to <br>
> use a full VPN. IPSec is the most secure VPN today.<br>
<br>
Yeah, you have to layer stuff. FWIW, even with KRACK, if you used <br>
encrypted network protocols, the worst the attacker could do is DOS you.<br>
<br>
> If you just want to protect against the neighbor's kid and don't want <br>
> to worry about more sophisticated attacks, that's fine, but that <br>
> wouldn't count as "strong" in any book on security as a description <br>
> for wifi security.<br>
<br>
Again, "strong" is a relative definition. What's "strong" against a <br>
neighbor's kid is effectively tissue paper for a state-sponsored agency, <br>
and what's "strong" for said agency is most likely completely unusable<br>
for a layperson.<br>
<br>
> Where I've worked, we never trusted wifi without our corporate VPN, <br>
> using 2FA, even on systems that we'd provisioned inside our buildings. <br>
> This was the requirement by our data security team which wasn't <br>
> exactly small for this F-10 company.<br>
<br>
Meanwhile, at most places I've worked, internal corporate communications <br>
emails were, more often than not, indistinguishable from phishing based <br>
on the training said corporate policies required us to undergo. This <br>
was particularly ironic given that phishing (and related <br>
social-engineering stuff) remains the primary threat vector for internal <br>
system compromise.<br>
<br>
- Solomon<br>
-- <br>
Solomon Peachy pizza at shaftnet dot org (email&xmpp)<br>
@pizza:shaftnet dot org (matrix)<br>
Dowling Park, FL speachy (libra.chat)<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank" rel="noreferrer">Ale@ale.org</a><br>
<a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>