Chop Orinoco Silver PCMCIA card into Airport slot

[okto]

So telling other people this is a 'fake problem' is irresponsible. It's not a fake problem at all. If you have decided that in your risk calculus this is OK, then that's fine.

I mean, I already send sensitive information to the public internet, how much more risky could this be? The WEP leak requires the attacker to be physically proximal to your network and deliberately trying to attack, and since wardriving hasn't been a thing in at least a decade now, unless you live in a super-dense apartment complex, the odds of this ever happening are just so, so low. It's a little like preparing for your house to resist a plane crash.

And even then: what information is being transferred on my LAN that isn't already being transferred on the internet, and how much of it is being transmitted as cleartext? Do you think I'm sending my credit card numbers and passwords back and forth between my home machines? The only 802.11b traffic in my home is machines so old they can't even do SSL, so there is, AFAIK, no site or platform left in this world that both requires a login and protects sensitive information that I can use on those machines. I am truly not worried about someone hacking my Macintosh Repository account.

It can also be mitigated on the network layer by having your WEP network as a separate broadcast domain and route between that and the rest of your network

...yeah? Who is out there running WEP and WPA on the same router? How many modern routers is this even possible on? My 802.11b network is a WRT-54G hardwired into my real router, with a separate SSID that isn't broadcast. I fully realize not broadcasting an SSID isn't a security measure, but if people can't even casually notice that it exists, that's another layer of lowered probability.

Someone would have to choose my house AND be within ~20m of my router (the closest they can get without trespassing is about 10m) AND looking for hidden 802.11b networks AND willing to sit there to capture enough packets to crack the password (which, on a network that probably handles 200 HTTP transactions a month, on perhaps as many as three days in that month, is gonna take them anywhere from a couple hours to several weeks) AND then mess with redirecting traffic...all to, what, capture a bunch of encrypted traffic and some HTTP transactions to sites that don't even have logins, much less host any information worth having?

And they'd have to be parked in front of my house to do any of that...and everything but the old Macs is VPNd on each device, so that's yet ANOTHER level of obfuscation to this imaginary attacker being able to do anything more nefarious than printing porn on the LaserJet that's turned off 98% of the time. This whole thing is like four orders of magnitude less likely to affect me than the act of simply living in a house people can see.

But each person has to make their own decision here; to tell them it's a fake problem prevents them from making their own decision about risk in a situation where the nature of that risk can be very non-obvious. And that's not a good thing to do.

And the most root reason this doesn't matter? This is hogwash. I'm not making anyone do anything; I can't prevent anyone reading this from doing literally anything at all. The person who gives an eighth of a metric shit about IPSEC or INFOSEC and follows advice from internet randos like they're military orders doesn't exist, and honestly, if they did, should not be using the internet unsupervised in the first place and is their own largest security hole.

Be this paranoid at work. At home just isn't enough of a target and doesn't have enough at stake to get this worried about it.

 

[adespoton]

Be this paranoid at work. At home just isn't enough of a target and doesn't have enough at stake to get this worried about it.

Time for me to be That Guy.

I often work from home. My home network has to be at least as secure as anything I do at work. And threat actors out there today are intentionally targeting high value targets at home, hoping that they can use cross-pollination to gain access to work environments. Because virtually nowhere airgaps between work electronics and personal electronics anymore.

Another problem here is that while many work environments have moved to zero trust network architecture, most people still run their home networks using a firewall model -- so if someone/something gets through, there's virtually nothing to prevent further abuse of what's found.

It used to be that nation state groups only targeted top people in corporate environments, and most home users only had to worry about generic malware, script kiddies and wardriving teens -- but that landscape's changed in the past 5 years. Now you've got North Korean hacking groups with access to your neighbour's phone via a dodgy flashlight app pivoting off of it to gain access to local wireless networks, all automated through a Chinese SIM farm set up in a rental apartment somewhere in New York.

Still a personal choice thing, but also a good idea to throw out the idea that your home airspace isn't a target -- if it overlaps with someone else's, it could very much be a stepping stone someone out there wants to abuse.

That said, an open WAP that only has access to 1990s-era Macs and doesn't usually connect to the Internet.... most likely any attacker still wouldn't know where to begin establishing a foothold.

 

[CC_333]

Time for me to be That Guy.

You make good points, but so does @okto .

That said, an open WAP that only has access to 1990s-era Macs and doesn't usually connect to the Internet.... most likely any attacker still wouldn't know where to begin establishing a foothold.

It's a situation where StO (Security through Obscurity) is a valid and relatively effective model, for better or worse.

c