Last Thursday, CNN.com ran a story on a security threat to wireless users called an Evil Twin. Essentially, all an attacker does is give her AP an identical SSID as the legitimate AP, drop it within proximity of wireless users, and wait for people to connect.

The end user has no idea that they are connecting to the wrong AP, and the attacker is able to conduct any number of attacks on the user including a man in the middle attack or simple packet capture.

Being seduced by an Evil Twin can be deterred by using WEP or WPA security, though there is still no guarantee that you are secure. WEP's been pretty well compromised and it's well accepted that WPA's days are also numbered.

Ultimately, the solution doesn't lie on the network layer, but on the data layer. If you really want to secure yourself, use something like ReefEdge's Dolphin. This software's an all in one wireless router/firewall with VPN capabilities. Place Dolphin on a machine between your wireless router and the rest of your network and it will regulate and secure access. From their site:

The Dolphin software transforms dedicated x86 hardware into a secure wireless gateway. Dolphin is ideal for a home environment or for IT professionals interested in exploring wireless network security. Dolphin supports secure authentication, IPSec security, and session roaming across subnets. Users authenticate with the wireless LAN using SSL and Dolphin enforces security policies based on type of user. Dolphin even supports encrypted access for trusted users via IPSec.

Cool stuff huh? With Dolphin, you can forget about WEP or WPA. The pipe to your network is regulated by a free enterprise strength security appliance that you can assemble yourself! Very cool stuff!

Note: As of this posting, the techzone.reefedge.com domain doesn't seem to be responding. Oh well, try try again.

The first step is admitting you have a problem.

That's right - you heard me, I look at my hands when I type! I'm not proud of it, but it's true. I just never learned to type correctly. Everyone in my high school was required to take a 7 week typing class during their junior year. The teacher of this class went on and on about learning to type the right way and how I would regret it if I didn't. I didn't listen. I don't even remember who taught the class, but if you are out there - YOU WERE RIGHT!

It's no good being in front of a computer all day and looking down at my hands. It slows me down. While I'm looking at my hands I'm spelling things wrong on the screen, missing words, doing bad things. By the time I look up I've typed two paragraphs of an email and I have to read it over to find mistakes. Sometimes I just fire off the email only to realize too late that it's so full of mistakes that it looks like a 3rd grader wrote it.

I've tried for years not to look down and to learn how to do it right. I've always failed. Then one day recently I went to a client's office to give a little help with a code problem they were having. I promptly sat down in front of her computer and realized in horror that half of the letters were worn off the keyboard! It was embarrassing, but I stumbled my way though the session, typing, correcting and cursing myself for never learning to just stop looking down.

However, I noticed something interesting by the time I left. I was slowly improving over the course of the session. Just in the 2 hours I was there, I noticed a significant improvement in my ability the "get it right the first time" when typing. I thought to myself, I need to steal this keyboard!

Unfortunately, my client caught me on the way out with her keyboard and I had to return it. But I still wanted a keyboard that would have the same effect, so I made one. I took a Macromedia User Group sticker and a hole punch and punched a buncha holes in it. I used those little round stickers to cover up all the keys on the keyboard. Any sticker will do, but it's more fun when you use stickers you are supposed to be handing out at CFUG meetings.

Viola! Instant learning tool. I'm going to keep my home keyboard set up like this and leave the work/laptop ones alone. I wonder how long it will be before I either go insane or learn to type correctly?

For the record, this blog posting was the very first thing I typed after doing this little experiment, and the hardest word to type (ironically) is the word "keyboard".

Coachella 2005 information was just announced today. The lineup hasn't been announced yet, but there is plenty of speculation as to who will be playing. According to NME.com, possible acts could include The Futureheads, Snow Patrol, Keane, Bloc Party, Secret Machines, Hot Hot Heat, Phoenix, The Bravery and Radio 4, Franz Ferdinand, and Coldplay. Productshop NYC has some speculation of it's own, adding rumors about Garbage, Bjork, Prince, Jay-Z appearing with Lincoln Park. The most interesting rumor is that The Smiths might be making an appearance this year! Get your hotel rooms now folks. They will all be gone soon! Thanks to Bump for the links!

On February 2nd Rob Rohan, the creator of CFEclipse, and Angela Buraglia, Team Macromedia member and Dreamweaver Guru/Author will be facing off at the monthly San Diego ColdFusion User Group meeting. Both will be giving tours of the respective IDEs and showing how they can be used to develop ColdFusion applications and make your life easier. I expect this to be a very exciting meeting, particularly for those who've tried (or want to try) CFEclipse or Dreamweaver as a ColdFusion IDE.

So you think you do a good job with security. You spend precious time every week/month making sure that you download all the latest updates and patches for desktops, databases, and web servers. You encrypt customer information before you back it up and store it offsite in a guarded facility. You are the most paranoid programmer around, validating all form input, and detecting scripting attacks on the fly. Then you walk down the hall and see four boxes of chock full of customer data sitting outside the backdoor of your office. None of it is encrypted, none of it is guarded. It's just sitting there out in the open.

This photo was taken in the office building I work in every day. Those boxes have been sitting in a hallway outside of the back door of a mortgage banking company for the past THREE DAYS!!!!

You might also notice that the door is propped slightly open by a deadbolt that's extended. This door has been propped open in this way every day since I've worked in this building.

You are only as secure as your weakest point, and that point isn't always on the network.

Although many of these security issues are created by a Space Cadet in an Administrative Assistant's shoes, it's also common for software developers to focus on application security while neglecting physical security. While a developer may remember to lock her workstation every time she walks away from it, what about that debugging output sitting on her desk? Is there customer information on it? Did she leave it out on top of her desk at the end of the day when she went home? Should it be thrown away? Should it be shredded? Maybe it should be locked inside the desk. It's always a good idea to think about the physical security of data and not just the electronic security of it. Not enough of us do.

Last night I attended a meeting of the Socal Free Net (formerly the San Diego Wireless Users Group) and heard about some very interesting and exciting projects they are doing in the communities of San Diego. They've been installing free wifi hotspots in (primarily low income) communities around San Diego. Someone donates the equipment and the bandwidth and the folks of Socal Free Net provide the labor to setup the hotspots. When they get an opportunity to put up a hotspot - these guys get on rooftops, mount antennas, form rooftop-to-rooftop links between nodes, and stretch the signal to as much of the community as they can. It's really great stuff, free and open internet for anyone within range. It's a worthwhile project and I may join them at their next install this weekend. These projects are very ambitious and promise to offer free internet to alot of people who may not otherwise be able to afford it. However, all this talk of free and open internet has me thinking - are these projects doomed to repeat the same mistakes that plagued the early internet? In the early days of what is now the internet, everyone on the network was trusted to a certain extent. In the beginning, protocols were open, alot of stuff was sent in cleartext, and there were few failsafes preventing malicious activity such as Denial of Service attacks. As more users came onto the internet, worms started appearing, DoS attacks started taking advantage of weaknesses in underlying protocols, and the internet because a nastier place. Things have changes since those early days, and today the internet is a far different place. So what does this have to do with the Socal Free Net projects? The spirit of these projects is to allow free and open access to everyone in the community. No-one is restricted. If you can physically get within range of the network, you can use the network. Also, due to the inherent difficulties in teaching an entire community how to enable WEP/WPA security, it's not enabled on these access points. Cleartext is visible in the air, and it's up to the individual user of the network to take whatever measured they see fit to secure themselves. I see many similarities between these wifi hotspots and the mistakes (if you want to call them that) made in the early days of the internet. Eventually someone's going to figure out that they can sniff their neighbor's network traffic. Eventually someone's going to figure out that hardly anyone encrypts their POP account password when they check their email. And eventually someone is going to realize that a person's POP login is often the same as the one they use for online banking, forums, and the recipe of the week club website. So, you say, what's the difference between this and any other wired network today? Alot of wired community networks have this same problem! Here's the difference: You don't have to live in the community to participate on this network. If you want to listen to traffic on a wired network, you generally have to either physically plug into it or compromise a box on the local subnet or at a router. With these networks, all you have to do is drive over within range of the network. So let's skip forward a few years. June 2008 (why not?). There are now open networks in communities all over town. All over lots of towns. Some software programmer somewhere has just released net wireless application, and she built it to take advantage of the abundance of open wifi hotspots found in her local city. The software runs on a wifi enabled laptop or Pocket PC and constantly looks for open networks. When it finds them it starts gathering packets sent across the network. The software picks out POP passwords and logs them to a file, it picks out HTTP form posts and logs them to a file, it might even pick out data patterns, whole email messages or HTTP request/replies and logs them to a file. Thousands of script kiddies get ahold of this software. People with bad intentions get ahold of this software. They load it up on their Pocket PC and just drop it into their pocket/purse/backpack, going about their day like they normally would. At the end of the day/week/month they take a look at their bounty. Files and files chuck full of personal data, full of passwords, full of account information. Maybe this already exists. Sure, if you're reading this blog you probably already have your own access point with VPN over AES encrypted WPA and work/live inside a Faraday cage. but what about these community networks? For that matter what about your neighbor 2 houses over who thought their access point was "plug and play"? Are we headed down the same road all over again? It's easy to say the responsibility of security resides with the end user, but with these community networks, can we really expect the average end user to know how to configure themselves to communicate over wifi securely? Is it even offered to them? I'm not really sure what the answers to these problems are, but those are my thoughts of the day about wifi, and it's about time I posted *something* to my blog.