On Thu, 2009-06-04 at 12:58 +1000, Jake Anderson wrote:
> > Why? Just because it's wired doesn't mean it's secure. Is there a WAP on
> > the network? FTP is plain text, running a packet sniffer I can get your
> > full login credentials, and chances are, as with most people, those
> > credentials will work for many more things than just the local FTP
> > server.
> >
> Actually unless the AP is doing something silly it's not going to
> broadcast packets unrelated to stuff happening on the wire.
> You have to get into mac address spoofing and all sorts of things like
> that and that's after you have hacked the (hopefully decent) wpa2
> encryption on the link.
> If somebody is going to that level you're screwed anyway.

MAC address spoofing is trivial (on Linux). Tools for basically automating that and everything else are plentiful, free, and easy to get. I have a bootable USB key in my bag with a version of Backtrack that pretty much has everything you need.

Doesn't need to be that hard anyways. Just bought a new WiFi router? Most people plug it into their network and then configure it. What if the phone rings and you forget that you never actually set up security? Default password lists are out there for everyone to see. There are tons of exploits for consumer routers, that's assuming the router has been secured to begin with.

I'm not saying a person should be paranoid, but BASIC security is free these days, there's no excuse in my mind not to use it.

> > The additional work for SSH is zero, there is no excuse IMHO. Even if
> > you think there is additional work, I'd rate it as well worth the
> > effort.
> >
> It's going to slow the transfer pretty dramatically though. All that
> encryption has a pretty heavy overhead.

Perhaps in the old days. These days, with modern multicore CPUs over my gigabit network the hit is pretty much negligible.

TTYL