I agree with John's assessment and recommendation of VPN with PC level
personal firewall on the laptop.  More people get hit by P2P hacks while on
a Public AP because they have Windows and NetBEUI sharing enabled over IP w/o
any personal firewall than sniffs or WEP hacks.  John is absolutely right
about user education being the minimum requirement before being allowed to
VPN into the corporate network.  Should I open a VPN session on a PC w/o
personal firewall, a local P2P WiFi hacker could slingshot through my PC onto
the Corporate network.
Keep Your Guard UP!

-----Original Message-----
From: tcwug-list-bounces at tcwug.org [mailto:tcwug-list-bounces at tcwug.org] On
Behalf Of tcwug-list-request at tcwug.org
Sent: Monday, June 07, 2004 3:31 PM
To: tcwug-list at tcwug.org
Subject: [Norton AntiSpam] tcwug-list Digest, Vol 9, Issue 5


Today's Topics:

   1. RE: Another point on the wifi hotspot business model curve..
      (John T. Hoffoss)
   2. RE: Another point on the wifi hotspot business model curve..
      (John T. Hoffoss)
   3. RE: Another point on the wifi hotspot business model curve..
      (William Titler)
   4. Tomorrow Meeting important info! (Ben Nelson)
   5. Re: Another point on the wifi hotspot business model curve..
      (steve ulrich)
   6. Re: [wireless] Tomorrow Meeting important info! (steve ulrich)


----------------------------------------------------------------------

Message: 1
Date: Mon, 7 Jun 2004 14:29:42 -0500
From: "John T. Hoffoss" <hoff0438 at umn.edu>
Subject: RE: [TCWUG] Another point on the wifi hotspot business model
	curve..
To: "'Twin Cities Wireless Users Group List'" <tcwug-list at tcwug.org>
Message-ID: <smtpd.60b2.40c4c1f6.6e1bd.1 at mhub-c4.tc.umn.edu>
Content-Type: text/plain;	charset="us-ascii"

I respectfully disagree with your recommendation, and I would hope you
wouldn't recommend that to your customers. Well, at least I would hope you
would take into consideration the company's business, the need for
accessibility, (even if on a public access point) and the risk to the
company presented by said connectivity.

A quick-n-dirty solution to this problem (and my blanket recommendation to
anyone without assessing need/risk/etc) is firewall on the laptop plus a VPN
connection to the company/home over *any* wireless connection, trusted or
not, WEP'd or not.

More in response to Steve's comments, I wouldn't worry about TMobile
sniffing your traffic or capturing information; this would, IMO, provide a
very clear privacy violation. I would worry more about the billing
information you freely gave them, and whether their TOS allows for direct
marketing or the sale of said information.

From the sniffing side, I'd worry more about someone sitting in the same
Starbucks capturing your traffic for later decryption, while on the same
TMobile hotspot. This risk is no more or less dangerous on an open/free
hotspot. The problem with WEP is this excessive false sense of security.
Yes, WEP defeats the majority of those that might only casually sniff
traffic for kicks. If someone is dedicated enough to set up an open hotspot
and install an inline sniffer to capture traffic, the same person could just
sniff enough traffic to crack the WEP key and capture the same traffic.

So, this is where the VPN recommendation comes into play. Sure, you want to
decrypt my WEP'd traffic, go right ahead. You'll just get more encrypted
traffic, that, if set up properly, isn't nearly as easily decrypted. In
addition, by requiring VPN over public APs (as the security guru of our
imaginary company) I can also continue to monitor/block access to
inappropriate material, monitor for information leakage, policy violations,
etc. that I might be doing on my LAN.

There are of course numerous other things that I would recommend or do,
education being the first and most important, but VPN is a great start.

-John

> -----Original Message-----
> From: tcwug-list-bounces at tcwug.org 
> [mailto:tcwug-list-bounces at tcwug.org] On Behalf Of Mike Ellsworth
> Sent: Monday, June 07, 2004 1:04 PM
> To: sulrich at botwerks.org; 'Twin Cities Wireless Users Group List'
> Subject: RE: [TCWUG] Another point on the wifi hotspot 
> business model curve..
> 
> Steve,
> 
> Yeah, snorting traffic on public Websites is a risk that I 
> have been waiting for corporate America to finally realize. 
> Yet I don't see T-Mobile exploiting this possible advantage. 
> If I were in charge of corporate security for a company of 
> any size, I'd forbid employee use of public Wi-Fi.
> 
> 
> 
> -----Original Message-----
> From: tcwug-list-bounces at tcwug.org 
> [mailto:tcwug-list-bounces at tcwug.org] On Behalf Of steve ulrich
> Sent: Monday, June 07, 2004 12:34 PM
> To: mellsworth at stratvantage.com; Twin Cities Wireless Users Group List
> Subject: Re: [TCWUG] Another point on the wifi hotspot 
> business model curve..
> 
> when last we saw our hero (Monday, Jun 07, 2004),  Mike 
> Ellsworth was madly tapping out:
> > The most interesting thing I got from this article is T-Mobile's claim
> > that it is more secure (and more reliable) than free hotspots.
> > Anybody got any idea how they can claim that? I've used their service
> > and it wasn't running any security as far as I could tell.
> 
> it's not just about link layer security.  when you put your 
> traffic onto an open hotspot from john doe you really don't 
> know what they're doing with your traffic.  it's not in the 
> best interests of a t-mobile or SP to harvest subscriber 
> traffic for their nefarious applications. 
> 
> i'm not saying that tmobile and other SPs can't sniff your traffic.
> but wifi with a branded hotspot probably isn't going to be 
> snorting all the traffic that goes by.  whereas you're more 
> likely taking your chance with the freebies.
> 
> further, many reputable carriers have the ability to do 
> things like virus/worm mitigation in their access 
> infrastructure.  that's nice if someone jacks into the same 
> segment and starts to hose you down with the virus of the 
> day.  such mechanisms would not be visible from the user's perspective.
>
> as with many things in life if you're going to have unprotected
> packet exchange,  you have risks.  if you'd like to mitigate 
> those risks, slather on the protection with copious amounts 
> of crypto and f/ws.
> 
> > -----Original Message-----
> > From: tcwug-list-bounces at tcwug.org [mailto:tcwug-list-bounces at tcwug.org] On
> > Behalf Of Andy Warner
> > Sent: Monday, June 07, 2004 9:44 AM
> > To: wireless at tc-unwired.net; tcwug-list at tcwug.org
> > Subject: [TCWUG] Another point on the wifi hotspot business model curve..
> >
> > Apologies in advance if this ends up being one of those
> > "subscriber-only" pages that drops you through to a login screen; but
> > the NYTimes carried the following article about the growth of free
> > hot-spots, contrasted with the fortunes of pay-per-use hot spots;
> > along with the struggle to find a sustainable business model for the
> > pay-per-use carriers.
> >
> > http://www.nytimes.com/2004/06/07/technology/07wifi.html?8hpib=&pagewanted=all&position=




------------------------------

Message: 2
Date: Mon, 7 Jun 2004 14:32:48 -0500
From: "John T. Hoffoss" <hoff0438 at umn.edu>
Subject: RE: [TCWUG] Another point on the wifi hotspot business model
	curve..
To: "'Twin Cities Wireless Users Group List'" <tcwug-list at tcwug.org>
Message-ID: <smtpd.6172.40c4c2af.d5d63.1 at mhub-c4.tc.umn.edu>
Content-Type: text/plain;	charset="us-ascii"

Probably, but this isn't nearly as ominous as McDoanlds (btw, this is the
SSID of the Dinkytown McDonalds AP) capturing my CC info on said website. In
addition, this really isn't any different than what is done with cookies,
and in fact, this tracking could probably be embedded in normal website
cookies tracking the source IP, and comparing with the DB of IPs McDonalds
has available.

> -----Original Message-----
> From: tcwug-list-bounces at tcwug.org 
> [mailto:tcwug-list-bounces at tcwug.org] On Behalf Of William Titler
> Sent: Monday, June 07, 2004 2:24 PM
> To: mellsworth at stratvantage.com; Twin Cities Wireless Users 
> Group List; sulrich at botwerks.org
> Subject: RE: [TCWUG] Another point on the wifi hotspot 
> business model curve..
> 
> The truth is that many of the big non web companies that are 
> offering or planning to offer wifi in their stores for pay or 
> free will be sniffing the traffic so that they can mine the 
> information of where people go to create better marketing 
> relationships.  They will be using a login page that is not 
> their own site but say Bestbuy.com with the login for the 
> wifi network imbedded in the page at McDonalds. By sniffing 
> the traffic McDonalds can see how long the user stayed on the 
> site and what they bought so that bestbuy will be paying 
> appropriately for the marketing.




------------------------------

Message: 3
Date: Mon, 7 Jun 2004 14:49:57 -0500
From: "William Titler" <titlerw at datanautics.com>
Subject: RE: [TCWUG] Another point on the wifi hotspot business model
	curve..
To: "Twin Cities Wireless Users Group List" <tcwug-list at tcwug.org>
Message-ID: <ABEDLOMAKFLPOABOMEKBEECDCGAA.titlerw at datanautics.com>
Content-Type: text/plain;	charset="us-ascii"

I agree, this is not a tracking to be scared of; it is the same that everyone
does on their own sites today.
Bill


_______________________________________________
Twin Cities Wireless Users Group Mailing List - Minneapolis/St. Paul,
Minnesota
http://www.tcwug.org
tcwug-list at tcwug.org
https://mailman.real-time.com/mailman/listinfo/tcwug-list




------------------------------

Message: 4
Date: Mon, 07 Jun 2004 14:59:05 -0500
From: Ben Nelson <benmgroup at earthlink.net>
Subject: [TCWUG] Tomorrow Meeting important info!
To: "tcwug-list at tcwug.org" <tcwug-list at tcwug.org>,	tc-unwired
	<wireless at tc-unwired.net>
Message-ID: <BCEA3339.7E63%benmgroup at earthlink.net>
Content-Type: text/plain; charset="iso-8859-1"

Sorry all, but I won't be at the meeting tomorrow. As attendance has been
sparse at the last few meetings, perhaps interested attendees could post
their intentions to the list before heading down to the Dunn Bros. That way
no one will be stuck there by themselves.

For the record:
Dunn Bros
201 3rd Avenue
Minneapolis, MN 55401
612-692-8530
(on the same block as the Milwaukee Road Depot hotel and skating rink)

Map and directions: http://tinyurl.com/79jt

Limited parking behind the building, plenty of on-street parking near-by.
-- 
Ben Nelson
612.685.9116 cell
benmgroup at earthlink.net



------------------------------

Message: 5
Date: Mon, 7 Jun 2004 15:15:49 -0500
From: steve ulrich <sulrich at botwerks.org>
Subject: Re: [TCWUG] Another point on the wifi hotspot business model
	curve..
To: mellsworth at stratvantage.com,	Twin Cities Wireless Users Group List
	<tcwug-list at tcwug.org>
Message-ID: <20040607201548.GA782 at botwerks.org>
Content-Type: text/plain; charset=us-ascii

when last we saw our hero (Monday, Jun 07, 2004), 
 Mike Ellsworth was madly tapping out:
> Steve,
> 
> Yeah, snorting traffic on public Websites is a risk that I have been
> waiting for corporate America to finally realize. Yet I don't see
> T-Mobile exploiting this possible advantage. If I were in charge of
> corporate security for a company of any size, I'd forbid employee
> use of public Wi-Fi.
> 

forbidding the use of public WiFi networks seems particularly
draconian.  this is what IPSec is for.  you tunnel all of the traffic
to your corporate VPN concentrator and don't have to worry about folks
sniffing the traffic.  hence my remarks regarding the judicious use of
crypto. 

i'm a _very_ mobile worker and i plug into service provider networks
all over the place and i tunnel back to the vpn concentrator at
corporate or home (depending on what i'm doing) i'm not worried about
folks sniffing my traffic.

 
> -----Original Message-----
> From: tcwug-list-bounces at tcwug.org [mailto:tcwug-list-bounces at tcwug.org] On
> Behalf Of steve ulrich
> Sent: Monday, June 07, 2004 12:34 PM
> To: mellsworth at stratvantage.com; Twin Cities Wireless Users Group List
> Subject: Re: [TCWUG] Another point on the wifi hotspot business model
> curve..
> 
> when last we saw our hero (Monday, Jun 07, 2004), 
>  Mike Ellsworth was madly tapping out:
> > The most interesting thing I got from this article is T-Mobile's
> > claim that it is more secure (and more reliable) than free
> > hotspots.  Anybody got any idea how they can claim that? I've used
> > their service and it wasn't running any security as far as I could
> > tell.
> 
> it's not just about link layer security.  when you put your traffic
> onto an open hotspot from john doe you really don't know what
> they're doing with your traffic.  it's not in the best interests of
> a t-mobile or SP to harvest subscriber traffic for their nefarious
> applications. 
> 
> i'm not saying that tmobile and other SPs can't sniff your traffic.
> but wifi with a branded hotspot probably isn't going to be snorting
> all the traffic that goes by.  whereas you're more likely taking
> your chance with the freebies.
> 
> further, many reputable carriers have the ability to do things like
> virus/worm mitigation in their access infrastructure.  that's nice
> if someone jacks into the same segment and starts to hose you down
> with the virus of the day.  such mechanisms would not be visible
> from the user's perspective.
>
> as with many things in life if you're going to have unprotected packet
> exchange,  you have risks.  if you'd like to mitigate those risks,
> slather on the protection with copious amounts of crypto and f/ws.

{ snipped - misc .signatures } 

> > -----Original Message-----
> > From: tcwug-list-bounces at tcwug.org [mailto:tcwug-list-bounces at tcwug.org] On
> > Behalf Of Andy Warner
> > Sent: Monday, June 07, 2004 9:44 AM
> > To: wireless at tc-unwired.net; tcwug-list at tcwug.org
> > Subject: [TCWUG] Another point on the wifi hotspot business model curve..
> > 
> > Apologies in advance if this ends up being one of those
> > "subscriber-only" pages that drops you through to a login screen;
> > but the NYTimes carried the following article about the growth of
> > free hot-spots, contrasted with the fortunes of pay-per-use hot
> > spots; along with the struggle to find a sustainable business model
> > for the pay-per-use carriers.
> > 
> > http://www.nytimes.com/2004/06/07/technology/07wifi.html?8hpib=&pagewanted=a


{ snipped - misc .signatures }


-- 
steve ulrich                       sulrich at botwerks.org
PGP: 8D0B 0EE9 E700 A6CF ABA7  AE5F 4FD4 07C9 133B FAFC



------------------------------

Message: 6
Date: Mon, 7 Jun 2004 15:19:51 -0500
From: steve ulrich <sulrich at botwerks.org>
Subject: [TCWUG] Re: [wireless] Tomorrow Meeting important info!
To: wireless at lists.tc-unwired.net
Cc: "tcwug-list at tcwug.org" <tcwug-list at tcwug.org>,	tc-unwired
	<wireless at tc-unwired.net>
Message-ID: <20040607201951.GB782 at botwerks.org>
Content-Type: text/plain; charset=us-ascii


dang! this is the first meeting i'll be able to make in a loooong
time.  was looking forward to seeing you and other folks there. 

consider this notification of my intent to attend. :)

when last we saw our hero (Monday, Jun 07, 2004), 
 Ben Nelson was madly tapping out:
> Sorry all, but I won't be at the meeting tomorrow. As attendance has been
> sparse at the last few meetings, perhaps interested attendees could post
> their intentions to the list before heading down to the Dunn Bros. That way
> no one will be stuck there by themselves.
> 
> For the record:
> Dunn Bros
> 201 3rd Avenue
> Minneapolis, MN 55401
> 612-692-8530
> (on the same block as the Milwaukee Road Depot hotel and skating rink)
> 
> Map and directions: http://tinyurl.com/79jt
> 
> Limited parking behind the building, plenty of on-street parking near-by.

{ snipped - misc .signatures }

 

-- 
steve ulrich                       sulrich at botwerks.org
PGP: 8D0B 0EE9 E700 A6CF ABA7  AE5F 4FD4 07C9 133B FAFC



------------------------------


End of tcwug-list Digest, Vol 9, Issue 5
****************************************


