
Re: Perpetuating weak wireless security: msg#00033

security.wireless

Subject: Re: Perpetuating weak wireless security

Hi Nico,

First, it was nice to meet you last week at AD. I've heard much about
you from Jerry - all good no less!

I'm a technical peon compared to those who've weighed in on this so far;
and as such I won't even attempt to debate the technical points of
this solution; but I would like to make a couple of general points:

1) This solution appears to be "security through obscurity" - a term
borrowed from a SANS instructor if I remember correctly - and that
leaves me feeling uneasy about it. Is this truly the case - are you in
essence burying a molecule of water in a puddle and hoping it's not
found?

2) What bothers me more is that solutions of this type provide a
means to extend the life of a known weak security method. Argue what
you will about bridging the gap to allow companies to make it to their
next hardware refresh cycle (in order to discard WEP); but we know
that what will actually happen in many cases is that this type of
solution will instead provide a means to delay the normal refresh
cycle - thereby extending the life of WEP in this case. If it is
"perceived" that the king now has clothes, where's the incentive to
change? (And no, I'm not a hardware vendor :-)

I understand that it's a double-edged sword - providing a means to
better secure a poor implementation that might not otherwise be
secured at all vs. running the risk of extending the life of this same
poor technology.

- Nick

Nick Leachman
GSEC GCIH


