[SecurityRatty] tag: switch-ed-off

Cablevision Activates Major Areas of Its Wi-Fi Network

Wed, 03 Sep 2008 17:01:01 +0000

New York area cable operator Cablevision flips switch for high-traffic areas of Long Island: They're announcing Thursday that they've turned on the initial phases of their network in Nassau and Suffolk counties, as well as at commuter rail platforms and station parking lots throughout Long Island. The service offers 1.5 Mbps in each direction, the company claims. Detailed site maps for their previous much smaller activated areas are up at their Wi-Fi information site, and I expect to see these updated soon.

Cablevision will ultimately spend about $300m in building a Wi-Fi network exclusively for its customers; 2.4m of these customers qualify to use the service at no cost. There's no pay as you go option, no monthly subscription; you're either a subscriber of theirs, or not. It's a fascinating strategy, because they're leveraging all these dollars as a tool to crack its competitors in the market. With increasing competition from telephone companies that are offering television service, cable companies need to compete on voice, data, and video, as well as well as on mobile offerings. When the network is built, Cablevision can conceivably offer Wi-Fi telephony service, too.

I'm dying to know what the reduced churn rate and increase in subscriptions will be in six months. Given that hotspot access costs $10 to $30 per month depending on the network, Cablevision is delivering something of value. It's great honey for new subscribers and glue to keep current subscribers.

The company is claiming that with this latest activation, they have the largest Wi-Fi network for consumers in the U.S. They're likely correct. The only other public access network of scale that's being used by large numbers is in Minneapolis, and based on what I know about both networks, Cablevision probably deserves bragging rights. The network in Taipei, Taiwan, is likely still larger, but I haven't heard any usage number in nearly two years; at that point, subscription rates were 10 percent of what had been projected.

Wee-Fi: Houston-Fi, ASCII WPA Passphrases, Green Wi-Fi

Tue, 19 Aug 2008 06:26:25 +0000

Houston flips switch on free downtown Wi-Fi: Dwight Silverman of the Houston Chronicle accidentally discovers the soft launch of the network funded by EarthLink's $5m default fee. (The fee was paid when they missed a milestone, and the firm later walked away.) The downtown area now has a limited pilot project that's free; the real effort in Houston is supposed to be at 10 housing projects and in parks where service would be used to bridge the digital divide and improve the quality of life. How, exactly, is part of what's being tested.

That's ASCII, not hex: An article on wardriving raises security hackles by repeating some slightly overheated statements about Wi-Fi security. The article opens with a 63-character ASCII WPA passphrase, which is later described as "hex." (ASCII passphrases in WPA can be up to 63 "printable" characters - ASCII 32 to 127 - while a hex version of a 256-bit TKIP or AES password is 64 hexadecimal digits long.) The article tries to conflate Wi-Fi attacks that led to the largest set of breaches in retail credit-card systems and wardriving, a hobbyist activity that's never been looked on very favorably by law enforcement. The sense of ennui of wardriving pioneers is pretty clear; when Wi-Fi is everywhere and generally secured, it's far less interesting. The wardriver in the article convinced the reporter that a maximum-length WPA passphrase stored on a USB drive for automatic use was the best way to go. But, really, 20 characters containing letters and punctuation and no words found in a dictionary along with changing your network's SSID (network name) provides all the security you'll ever need for a home or small business. (If you need more, deploy WPA/WPA2 Personal.)

Green Wi-Fi's Senegal efforts hit snags: The folks at Green Wi-Fi are well motivated, and they're running up against all forms of security theater and bureaucracy both here and in Senegal, where they have an active project. The San Francisco Chronicle notes the group's effort to build solar-powered, self-sustaining Internet access via mesh networked nodes. Getting devices out of the country, clearing customs in Senegal, and hooking up their solar system all hit problems they're working through. As with the One Laptop Per Child program, I see a "build it and they will come" mentality in Green Wi-Fi's mission statement: the notion that providing computing power and Internet access will result in good things, rather than an effort to figure out what good things need to be achieved, and whether computers and the Internet will assist.

People said China was safe, but danger still lurks in the so-called "safe" places.

Tue, 12 Aug 2008 12:06:00 +0000

The unfortunate stabbing death of an american who travelled with the Olympians showed that we should not take safety for granted.

Without being there, it is difficult to know, but one wonders if the press got it right when they reported that the killer did not know that the people he attacked were from America. It is highly probable that most American tourists would stand out on the streets of Beijing. If they followed the advice of security consultants who advise about trying to "blend in", there is a chance that they would be less obvious, but due to the fact that many were there to support the atheletes,I think it is very likley that the killer was able to identify them as being American.

The attacker did commit suicide after the attack, so there is a good chance that he was mentally disturbed. When we travel abroad, or even within our own countries for that matter, we should not only be looking for potential terrorists. There are a lot of other categories that can cause harm; burglars, robbers, purse snatchers, street con artists, kidnappers, people under the influence of alcohol/drugs and so on.

For many people, it is difficult to switch from relaxed tourist one minute to a defensive positon the next. Remember that it is alright to be cautous and suspicious. You don't have to make friends with everyone you meet on the street. It is much more important to be able to come home safe and sound to your family at the end of your trip.

Wee-Fi: Boingo Expands to Dulles, Reagan; HP Buys Colubris

Tue, 12 Aug 2008 08:05:30 +0000

Boingo Wireless's airport wireless division brings service to Washington's two airports: Dulles and Reagan (National) offer Wi-Fi under the regular terms. These airports carry 24m and 18m passengers, respectively, each year. It's $5/hr, $8/24 hours, and $22/month (no contract commitment) for US access, and $39/mo for worldwide access (no contract commitment). The company isn't the exclusive operator, but appears as one of three Wi-Fi network choices when you're in the airport.

HP buys Colubris: Colubris was an early wireless LAN company, making sophisticated hardware for the enterprise, but I've seen its market and products shift across many markets over several years, including hotspot offerings. I'd lost track of them in recent years, although this story says that the firm refocused on service providers rather than corporations. HP will integrate Colubris into ProCurve, which will compete more effectively against Cisco. A few years ago, there were beaucoup WLAN switch operators, each with somewhat different approaches and offerings. Airespace was bought by Cisco, Trapeze more recently by Belden, and Aruba went public.

Top 10 Signs Your Network Admin has Gone Rogue

Fri, 25 Jul 2008 14:00:30 +0000

Terry Childs captivated much of the IT world over the past week and a half with his lock-down of San Francisco’s IT system. Instead of watching a bunch of police chasing a white Bronco, this time the coverage amounted to many many articles, blog posts, comments, and long email chains. It seemed I would read one thing and the very next one would contradict or shed more light on some aspect of the case.

Depending on who you talk to, he is:

a) a hero

b) a disgruntled worker

c) in need of a serious work/life adjustment

d) in need of $5 million and/or a better lawyer

e) all of the above

Surprisingly strong opinions, regardless of what you choose.

We chose to lighten things up a bit and, as we always try to do, figure out how to help our customers be proactive. So here it is, the Top 10 Signs Your Network Admin has Gone Rogue:

10) David Letterman has a Top 10 list called “Top 10 Signs Your Network Admin Has Gone Rogue”

9) Your Admin is the only one with the network device log-ins and refuses to share them with anyone else.

‘8) His presentations about network configuration include the words “Magic” and “Burn after reading”.

7) Instead of email, he forces everyone to use the Suggestion box placed outside of his door…and then places a very obvious nanny-cam hidden in a teddy bear right next to it.

6) He begins to grow out his sideburns and every question directed to him in meetings results in the same response, “Do you feel lucky today, punk?”

5) He has the mayor on speed-dial.

4) He starts wearing very big shoes to the office and accosts random people in the hallways asking if they think they could fill them.

3) He refuses to write router and switch configs to flash citing network security concerns.

2) He calls you and asks for a $5 million salary advance; caller id flashes “Department of Corrections”.

And #1: You’re the City of San Francisco

Enjoy your lock-down free weekend!

ShareThis

HP's NAC- What I've Been Wanting to Tell You (but couldn't)

Tue, 22 Jul 2008 18:29:11 +0000

Well everyone- there’s something I’ve been wanting to tell you and now, after a year, I can!

Because of non-disclosure and other confidentiality contracts with various partners, vendors and manufacturers, we’ve had sealed lips for almost exactly 12 months. Now that it’s been made public by the media, I can share a little information with you and explain why I think you should be excited.

What cat is out of the bag now? HP ProCurve’s network access control solution leverages endpoint management technology from StillSecure’s Secure Access solution. Information Week spilled the beans, so to speak, in Mike Fratto’s recent 2008 NAC Survey Analytic Report. (See page 32)

Now, at this point, I can probably lump you into one of three groups… 1) You don’t care or have no clue what this means 2) You care but think this means HP ‘has no NAC’… or group 3) You know about StillSecure’s success and ProCurve’s integration and think this is a great combination.

I’m sure everyone will have their own opinion- I happen to be in Group 3. Why? Because HP has taken the power of their servers, leveraged a very solid endpoint management tool and incorporated a variety of other management and security features by way of their identity management solution.

The endpoint security. StillSecure’s Safe Access solution has been winning awards and earning stars for years. You can probably Google it, or check out some of Shimel’s blog posts, such as this one, with 4- and 5-star reviews from SC Magazine. In fact, just this year (and in previous years) Safe Access was voted Best Endpoint Security Solution by SC Magazine and has won numerous other awards and accolades from various analysts and media firms. They have a clean, user-friendly GUI, a solid Linux platform and a variety of testing methods, deployment options and switch integrations. (And no, you don’t need ProCurve switches, the NAC integration is ready for your Cisco, Extreme, or whatever you have).

User management. Combine one of the highest-rated endpoint security solutions with ProCurve switches, the #2 leader in the switching market (and Magic Quadrant resident) and the full integration with ProCurve’s Identity Driven Manager platform and you have one amazingly capable access control system. With ProCurve IDM, you can integrate directly with their NAC 800 appliance to offer per-user (or per-group) ACLs, QoS, restrictions or priviliges. Rules can be identity-based, time-based, location-based, or a combination of all. And, IDM eases 802.1X integration by offering users a central management and repository for user settings and VLAN assignments; it really is ProCurve’s special sauce and a distinguishing feature.

Switch security. The integration of advanced switch security functions, such as DHCP snooping, Dynamic ARP protection and dynamic IP lockdown gives ProCurve another leg-up to fight common known attacks for both in-line and out-of-band NAC deployments.

Zero-day protection. It gets better, the new Dynamic Configuration Arbiter (DCA) functions in ProCurve’s Pro-vision switches gives customers the unique advantage of integrating the NAC and IDM with ProCurve’s Network Immunity Solution (NIM). NIM uses flow analysis from sFlow and network behaviour anomaly detection (NBAD) to detect and automatically remediate on the edge. In English, that means we can use ProCurve’s NIM to detect attacks and take action at the edge port, such as blocking the port, locking out the MAC address of the offender, rate-limiting, or even mirroring the traffic to an IDS for further inspection. The super-nice part is, all the sFlow and NBAD works on wireless too. (Hey Stiennon, did you hear that?)

Full integration. Unlike some of the other network-based NAC vendors, ProCurve has done an exceptional job of integrating these features and we’ll continue to see more integration in future revisions of the softwares and as more TNC/TCG integration frameworks are released (such as IF-MAP).

I think the strong integration with the infrastructure and the ability to leverage a mature endpoint integrity will make HP a ‘real’ player in the NAC market moving forward.

Not to knock other NAC solutions- Choosing a NAC is like selecting the perfect wine for your dish- there’s no 1 ‘right’ choice for all occasions. Each have their advantages and disadvantages. There are several that have special sauces and you’ll actually be seeing more on that soon…

# # #

Maybe she should switch to unich? Get it?

Tue, 22 Jul 2008 09:19:48 +0000

Found this in one of the groups I belong to at Eons.
Go ahead, forward it to the lil wife.

clipped from www.eons.com

Dear Tech Support,

Last year I upgraded from Boyfriend 5.0 to Husband 1.0 and noticed a distinct slowing down in overall system performance, particularly in the Flower and Jewelry applications, which operated flawlessly under Boyfriend 5.0. In addition, Husband 1.0 uninstalled many other valuable programs, such as Romance 9.5 and Personal Attention 6.5, and then installed undesirable programs such as NBA 5.0, NASCAR 3.0 and Golf 4.1.

Steven J. Vaughan-Nichols is no Nobel economic laureate

Wed, 16 Jul 2008 12:09:15 +0000

You have to both admire and laugh at zealots and extremists no matter what guise they come in. Whether it be religion, politics or technology they find God's hand guiding you towards their position in every event, good or bad. A perfect example was brought to my attention by Michael Farnum. Steven J. Vaughan-Nichols, the resident Cyber Cynic and Linux zealot at ComputerWorld, has taken the current state of our economy as a message from God that Linux is on a messianic mission to save us from high gas prices, high food prices, the mortgage and credit crisis and those satan's in Redmond. Vaughan-Nichols says that by switching to Linux and other open source products you could save your company, your job and be more secure to boot!

Michael who is no Microsoft fan boy points out some obvious pitfalls with Vaughn-Nichols strategy. I am far from a Microsoft shill myself (now my friend Mitchell might be another story). I personally think it is ludicrous. One thing obvious is the cost of the switch. Economic cycles being what they are, by the time you actually planned and implemented this switch the economy would probably be back on the upswing and the economic reasons for undertaking this drastic a move would be gone. Than you would have the expense of moving over including training and downtime. I think by the time you are done with doing all this, if the economy hasn't killed your company, the cost of switching will!

I guess that is why Vaughan-Nichols is just a fanatic on ComputerWorld and noone has nominated him for any Noble prizes or confused him with John Kenneth Galbraith.

Opinion: Good virtual security requires better IT teamwork

Tue, 15 Jul 2008 09:00:00 +0000

Today, many security folks know how to harden an OS and/or they know how to protect a network bridge or switch appliance. Few know how to do both simultaneously, or how to deal with the hypervisor as a complicating factor -- reasons why different people on the IT team need to play nicely, Edward Haletky says.

You want the truth, you can't handle the truth!

Thu, 10 Jul 2008 18:50:16 +0000

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman, than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco???s network admission control, circa Dec ???03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard???s latest NAC knock comes on a comment to an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard being an ex-analyst himself (lets face it, with Richard you can take the man out of the analyst job, but you can???t take the analyst out of the man), takes exception to Hoff???s ???whining??? (Richards words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts, is to prove them wrong. Great Richard you try to prove them wrong, when because of what they report you don???t have a market, can???t get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

???Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.???

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth. Richard the fact is that the edu market is not the only viable market for NAC. In fact, one of the biggest customers of NAC is the DoD. That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can???t handle the truth! You sleep securely under the blanket of protection that NAC provides. If it is good enough to help ???clean the sand??? out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don???t know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

Let me give you some other truths you may not like Richard. Why do you think every switch vendor (of which we partner with many of them) is lining up and bringing out NAC solutions? Why has Microsoft put such a big push on NAP? Why despite the Luddites like you does NAC still draw crowds at conferences like Interop (ask Joel about that). Richard we are still signing new major OEM partners. I am afraid you are the one sadly out of touch on this one Richard. Just as you are out of touch in missing Hoff???s point in his article.

As to Hoff???s article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to ???learn??? from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendors word as gospel. I have seen research reports from analysts big and small, that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did to the DJ/Radio business in the late 50s. Next analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live???pet??? customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy. But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.