Niche Konsult Newsletter

December 2007 Edition

This email message is being sent to all individuals who have expressed interest in Niche Konsult or Niche Konsult partner products and solutions in accordance with Niche Konsult’s privacy policy. You may opt out of future mails by sending a mail to newsletter@nichekonsult.com with “Unsubscribe” in the Subject line.


Feature Story: SANS Top 20 2007 Annual Update

Sorry this may be said to be stale news. It occurred in November 2007, but because of its relevance we decided to make it the feature article.

Some seven years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) of the FBI started a joint project: documenting the ten most important threats to IT security. This project later metamorphosed into the SANS Top 20, a list of the 20 most important vulnerabilities.

The SANS Top 20 is a living document. It is not a dry list but includes actionable information so administrators can take steps to remedy those vulnerabilities. It is also a consensus document (regrettably, to the best of our knowledge and belief, Nigerians are yet to begin to contribute to it). To contribute, send your suggestions to top20@sans.org.

Two points are worth noting: on the one hand, the dominance of web application insecurity (over 50%), client-side vulnerabilities and enterprise insecurity arising from browser usage; on the other, the decline in operating system vulnerabilities.

The SANS Top 20 is broken into the following parts:

  • Client-side Vulnerabilities (web browsers, office software, email clients, media players)
  • Server-side Vulnerabilities (web applications, Windows services, Unix and Mac OS services, backup software, antivirus software, management servers and databases)
  • Security Policy and Personnel (excessive user rights and unauthorized devices, phishing and spear phishing, unencrypted laptops and removable media)
  • Application Abuse (instant messaging and peer-to-peer programs)
  • Network Devices (VoIP servers and phones)
  • Zero-day attacks

According to the press release on the SANS Top 20 2007, attackers are now zeroing in on users who are easily misled, which implies that organizations may need to do a lot more in terms of user education and custom-built applications.

For More Information

PRESS RELEASE/EXECUTIVE SUMMARY:

SANS TOP 20 2007 Media Speak

SANS TOP 20:

http://www.sans.org/top20/

Disclosure: Niche Konsult resells software solutions and provides value added services that can be used to resolve vulnerabilities raised in the SANS Top 20. These include the following:

Client-side Vulnerabilities:

GFI LANguard Network Security Scanner / GFI LANguard VulnerabilityManager for client-side vulnerability scanning

GFI LANguard Network Security Scanner / GFI LANguard PatchManager for patch management

Server-side Vulnerabilities:

Acunetix Web Vulnerability Scanner to scan web servers (both Windows and Apache) and database servers for vulnerabilities

GFI LANguard Network Security Scanner / GFI LANguard VulnerabilityManager for vulnerability scanning of Windows services, Mac OS services and Linux OS services, as well as of backup software, antivirus software, management servers and databases

Security Policy and Personnel:

GFI EndPointSecurity to exercise control over the use of unauthorized devices,

GFI MailEssentials to combat phishing and spear phishing,

Pointsec Protector to encrypt laptops and removable media

GFI LANguard Network Security Scanner to scan for unauthorized wireless access points/USB devices

BROWSER SECURITY: New Section

From the December 2007 edition onwards, a new section will be devoted to issues of web browser security.

BROWSER SECURITY: Internet Explorer Download Zones Mix-up leads to cross-site scripting

Yair Amit of Watchfire recently discovered that Internet Explorer could - under certain conditions - be exploited against a large number of web-applications. The flaw results in XSS holes in websites that allow the downloading of user-controlled HTML files (for example, webmail and forum services).

For More Information:

For more details, you are welcome to read the blog post at:

http://blog.watchfire.com/wfblog/2007/12/internet-explor.html

BROWSER SECURITY: Netscape Navigator: End-of-LifeCycle Warning

AOL's official support for all Netscape client products will end on February 1st, 2008. Niche Konsult therefore recommends that administrators add Netscape Navigator to the list of banned applications on the corporate network, as well as to the list of issues to be considered when conducting vulnerability scanning. Niche Konsult forecasts that malware purveyors will begin creating malicious payloads targeted at Netscape Navigator users.

For More Information:

http://browser.netscape.com/

http://en.wikipedia.org/?search=Netscape%20Navigator

http://blog.netscape.com/2007/12/28/end-of-support-for-netscape-web-browsers/

Disclosure: Niche Konsult resells GFI LANguard Network Security Scanner, which can be used to scan for banned applications that may be installed on the corporate network, as well as GFI WebMonitor for ISA Server, a real-time HTTP/FTP monitoring, anti-virus and access control product, and WebMarshall from Marshall.

BROWSER SECURITY: How Safe are Websites Labeled Hacker Safe?

Geeks.com, a website with the HackerSafe certificate was hacked. In the circumstance, it is important to take note of what the HackerSafe certificate stands for and what it doesn’t. Additionally, IT administrators need to find a way to bring this information to the attention of end-users.

http://www.informationweek.com/news/showArticle.jhtml?articleID=205900444&pgno=1&queryText

HACKERSAFE - WHAT IT IS/NOT

http://www.hackersafe.jp/product/pdf/ScanAlert_Technology_WhatIsHackerSafe.pdf

WHID 2008-01: INFORMATION LEAKAGE IN A SITE THAT HAS HACKER SAFE CERTIFICATE

( http://www.webappsec.org/projects/whid/byid_id_2008-01.shtml)

BROWSER SECURITY: February 12, 2008: Microsoft Internet Explorer 7 Force-Install on Corporate Networks

Since October 2007, Microsoft has no longer required proof of legitimacy of the underlying operating system before Microsoft Internet Explorer 7 is installed on end-user PCs. Now Microsoft intends to ensure rapid adoption of its latest browser by distributing Microsoft Internet Explorer 7 via WSUS.

For More Information:

http://support.microsoft.com/kb/946202 

http://blogs.zdnet.com/microsoft/?p=1114 

Disclosure: Niche Konsult resells GFI LANguard Network Security Scanner and GFI LANguard PatchManager which can be used to deploy applications across the enterprise. For a comparison of GFI LANguard Network Security Scanner and competitive patch management/software deployment tools, please send an email to idara@nichekonsult.com and we will be glad to provide you the details.

DATABASE SECURITY: First Mass SQL Injection Worm of 2008

SQL Injection attacks targeted at both Microsoft SQL Server and Sybase databases have recently been spotted.

For More Information:

http://www.computerworld.com.au/index.php/id;683627551 

http://www.acunetix.com/websitesecurity/sql-injection2.htm 

Disclosure: Niche Konsult resells Acunetix Web Vulnerability Scanner.

Acunetix Web Vulnerability Scanner offers:

  • An automatic JavaScript analyzer allowing for security testing of Ajax and Web 2.0 applications
  • The industry's most sophisticated SQL injection and cross-site scripting testing
  • A visual macro recorder that makes testing web forms and password-protected areas easy
  • Extensive reporting facilities including VISA PCI compliance reports
  • A multi-threaded and lightning fast scanner that crawls hundreds of thousands of pages with ease
  • An intelligent crawler that detects web server type and application language
  • Crawling and analysis of websites including Flash content, SOAP and AJAX
  • A free version, available at www.acunetix.com

DATABASE SECURITY: Swingbench - Load Generator and Benchmark tool for Oracle

Swingbench is a free load generator (and benchmark tool) designed to stress test an Oracle database (9i,10g,11g). SwingBench consists of a load generator, a coordinator and a cluster overview. The software enables a load to be generated and the transactions/response times to be charted.

Whilst it is primarily used to demonstrate Real Application Clusters, it can also be used to demo functionality such as online table rebuilds, standby databases, online backup and recovery, etc. The code that ships with SwingBench includes two benchmarks, OrderEntry and CallingCircle. OrderEntry is based on the "oe" schema that ships with Oracle9i/Oracle10g. It has been modified so that Spatial, Intermedia and the Oracle9i schemas do not need to be installed. It can be run continuously (that is, until you run out of space). It introduces heavy contention on a small number of tables and is designed to stress interconnects and memory. It is installed using the "oewizard" located in the bin directory.

CallingCircle simulates the SQL that is generated for an online telco application. It requires data files to be generated and copied from the database server to the load generator before each run; it typically requires between 1 and 8 Gig of disk space. Both benchmarks are heavily CPU intensive. Experience has shown that you require at least 1 processor of load generator to every 2 processors of database server. It is designed to stress the CPU and memory without the need for a powerful I/O subsystem. It is installed using the "ccwizard" located in the bin directory.

The entire framework is developed in Java and as a result can be run on a wide variety of platforms. It also provides a simple API to allow developers to build their own benchmarks.

Try SwingBench by visiting http://www.dominicgiles.com/swingbench.html

For More Information:

http://www.dominicgiles.com/swingbenchfaq.html 

DATABASE SECURITY: Microsoft SQL Server 2008 Set for Release between April and June 2008

The Global launch of Microsoft SQL Server 2008 is set to occur between April and June 2008. How about grabbing a copy of the CTP today?

New features in SQL Server 2008 include Transparent Data Encryption for the encryption of entire databases, data files, and log files, Superior External Key Management, improved auditing of data such as reads and modifications, better Database Mirroring amongst others.

For More Information:

http://www.microsoft.com/sql/2008/default.mspx 

http://www.microsoft.com/sql/2008/learning/webcasts.mspx 

http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=1626&SiteID=1

http://www.microsoft.com/sql/techinfo/whitepapers/sql2008Overview.mspx

DATABASE SECURITY: 70,000 Web Pages Hacked By Database Attack

Website owners need to pay attention to database security as well. It has been reported that over 70,000 web pages have been hacked.

For More Information:

http://www.webhostingfinds.com/blog/post/154 

http://news.yahoo.com/s/cmp/20080109/tc_cmp/205600653 

DATABASE SECURITY: Free SQL Injection cheat sheets for Oracle, MS-SQL, etc

So just what is SQL Injection? And how can it come about? We found a couple of resources we feel like sharing.

For More Information:

http://www.ferrah.mavituna.com/makale/oracle-sql-injection-cheatsheet/ 

http://www.ferrah.mavituna.com/makale/sql-injection-cheatsheet/ 

http://www.pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/ 

DATABASE SECURITY: Free, cross-platform database security assessment toolkit

Scuba by Imperva is a free, lightweight Java utility that scans Oracle, DB2, MS-SQL, and Sybase databases for known vulnerabilities and configuration flaws. Based on its data security assessment results, Scuba creates clear, informative reports with detailed test descriptions. Summary reports, available in Java and HTML format, illustrate overall risk levels. With Scuba by Imperva, you are quickly on your way to meeting industry-leading best practices for database configuration and management.

Scuba by Imperva Benefits include:

• Detect vulnerabilities before malicious users do. Databases are easy targets for attacks and internal abuse. Uncover your security risk level and remediate open vulnerabilities.

• Bolster security for business and regulatory requirements. Many compliance laws mandate that organizations protect sensitive data, test systems and processes, and ensure effective internal controls. Scuba by Imperva helps organizations meet these requirements.

• Assess your database infrastructure in minutes. Scuba by Imperva scans your database for vulnerabilities and generates HTML or Java assessment reports on demand in record time.

• Unbeatably low price - free.

Scuba by Imperva is available free of charge

Scuba by Imperva Database Supports:

• Oracle*

• IBM DB2*

• Microsoft SQL Server*

• Sybase*

• All database operating systems are supported.

Scuba by Imperva Client Requirements

• Windows 98/NT/2000/XP

• Sun Java JRE 1.5+

For More Information:

http://www.imperva.com/products/scuba.html/

http://www.imperva.com/lg/lgw.asp?pid=213

EMAIL SECURITY: University of Liverpool now uses GFI MailSecurity

Email is the University of Liverpool’s primary mode of communication and the computer network – hosting 34,000 mailboxes – delivers over 8 million email messages each month to over 50,000 different locations – or 400,000 email messages a day at peak times. This high dependency on email means that providing protection against viruses, malware and other malicious attacks is a critical function. To address this issue the University sought an anti-virus product that offered optimum protection at server level and ensured that each email was clean of malicious content before it reached each one of the University’s 34,000 mailboxes.

Apart from buying a solution that offered multiple anti-virus engines Read More

For More Information:

EXECUTIVE SUMMARY

http://www.gfi.com/news/en/liverpoolcs.htm

FULL CASE STUDY

http://www.gfi.com/documents/cs/liverpooluni.htm

Disclosure: Niche Konsult resells GFI MailSecurity.

ENTERPRISE SECURITY: Log collection and Analysis infrastructure: Part 2

TYPES OF EVENT LOGS

Windows Event Logs

According to Microsoft Knowledge Base Article 308427, an event is any significant occurrence in the system or in a program that requires users to be notified, or an entry to be added to a log.

On a Windows XP computer there are three main logs: the Application log, which contains events written by the operating system and Windows applications; the Security log, which contains entries written by the Local Security Authority Subsystem Service (LSASS); and the System log, which contains events logged by Windows XP system components.

On a Windows Server computer, additional logs include the Directory Service log, which contains events written by the Active Directory service; the File Replication Service log, which contains events written by the Windows File Replication Service; and the DNS Server log, which contains events written by the Windows DNS service.

On a Windows Vista computer there are two new additional logs, Setup and Forwarded Events (as a matter of fact, the Windows Event Log was totally overhauled in Windows Vista, but that is a matter for another day).

W3C Logs

W3C logs are used mainly by web servers to record web-related events such as page requests. W3C logs are recorded in text-based flat files using one of the two W3C logging formats currently available:

• W3C Common Log file format

• W3C Extended Log File format

The W3C common log file format was the first format to be released and to date it is still the default format used by a variety of popular web servers including Apache. There is however one downside - the information about each server transaction is fixed and does not provide for certain important fields such as referrer, agent, transfer time, domain name, or cookie information. To overcome this problem, the W3C Extended log file format was released. This newer type of log is in customizable ASCII text-based format, permitting a wider range of data to be captured. The W3C Extended log file format is the default log file format used by Microsoft Internet Information Server (IIS).

Syslogs

Syslog is the standard for logging messages, such as system events, in an IP network. The syslog standard is most commonly used for the logging of events by computer systems running UNIX and Linux, as well as by network devices and appliances such as Cisco routers and the Cisco PIX firewall. Syslog events are not recorded directly by the applications running on the computer systems. Whenever an event is generated, the respective computer sends a small textual message (known as a syslog message) to a dedicated server commonly known as a ‘syslog server’. The syslog server then saves the received message into a log file. Syslog messages are generally sent as clear text; however, an SSL wrapper can be used to provide a layer of encryption.

Syslog is typically used for computer system management and security auditing. While it has a number of shortcomings, its big plus is that syslog is supported by a wide variety of devices and receivers. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository using the syslog server as a log aggregator.
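The three formats just described, as an added example that is not part of the newsletter or of any vendor product: a small Python normaliser that reads W3C Extended, Common Log Format and BSD syslog lines into one record shape, the way a central log aggregator would. The sample lines, host names and addresses are invented for the example, and the syslog senders are assumed to keep their clocks in UTC.

```python
"""Normalise the three log types above (W3C Extended, Common Log Format, BSD syslog)
into one record shape, as a log aggregator would. Added example; samples are constructed."""
import re
from datetime import datetime, timezone

# W3C Extended (IIS default): the '#Fields:' directive names the columns, so
# referrer and user agent appear only if the server was configured to log them.
def parse_w3c_extended(text):
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # #Software/#Version/#Date carry no events
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count does not match #Fields: " + line)
        rec = dict(zip(fields, values))
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append({
            "source": "w3c-extended",
            "time": when.replace(tzinfo=timezone.utc),   # IIS logs in UTC by default
            "origin": rec.get("c-ip", "-"),
            "summary": " ".join(rec.get(k, "-") for k in ("cs-method", "cs-uri-stem", "sc-status")),
            "status": int(rec["sc-status"]) if rec.get("sc-status", "").isdigit() else None,
            "referer": rec.get("cs(Referer)"),          # IIS writes '+' for spaces here
        })
    return records

# Common Log Format (Apache default): seven fixed fields, no referrer or agent.
CLF_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
def parse_common_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CLF_RE.match(line)
        if not m:
            raise ValueError("not a Common Log Format line: " + line)
        host, _ident, _user, ts, request, status, _size = m.groups()
        records.append({
            "source": "common-log",
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "origin": host,
            "summary": request + " " + status,
            "status": int(status),
            "referer": None,                  # the format has no column for it
        })
    return records

# BSD syslog as received by a syslog server: <PRI>Mmm dd hh:mm:ss host tag: msg.
# PRI = facility * 8 + severity; the timestamp carries neither year nor zone.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
def parse_syslog(text, year):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError("not a BSD syslog line: " + line)
        pri, ts, host, msg = m.groups()
        pri = int(pri)
        if pri > 191:                         # highest legal value: local7 (23) * 8 + debug (7)
            raise ValueError("PRI out of range: " + line)
        when = datetime.strptime(str(year) + " " + ts, "%Y %b %d %H:%M:%S")
        records.append({
            "source": "syslog",
            "time": when.replace(tzinfo=timezone.utc),  # assumption: senders' clocks are UTC
            "origin": host,
            "summary": msg,
            "facility": pri // 8,
            "severity": SEVERITIES[pri % 8],
        })
    return records

def aggregate(w3c_text, clf_text, syslog_text, syslog_year):
    """Merge all three sources into one time-ordered stream, as the central repository holds them."""
    records = parse_w3c_extended(w3c_text) + parse_common_log(clf_text) + parse_syslog(syslog_text, syslog_year)
    return sorted(records, key=lambda r: r["time"])

# Constructed sample input (hosts, addresses and events are invented for this example).
W3C_SAMPLE = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs(Referer)
2007-12-14 08:00:01 192.0.2.10 GET /index.htm 200 Mozilla/4.0+(compatible;+MSIE+7.0) http://www.example.com/
2007-12-14 08:00:05 192.0.2.11 GET /admin/login.asp 401 Mozilla/4.0+(compatible;+MSIE+7.0) -
"""
CLF_SAMPLE = """192.0.2.20 - - [14/Dec/2007:08:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.21 - frank [14/Dec/2007:08:01:07 +0000] "GET /cgi-bin/admin.pl HTTP/1.1" 403 221
"""
SYSLOG_SAMPLE = """<38>Dec 14 08:02:15 srv01 sshd[2214]: Failed password for root from 198.51.100.5 port 4444 ssh2
<165>Dec  4 08:02:20 fw01 router: line protocol on Interface Serial0 changed state to down
"""
```

Note that the Common Log records come back with no referrer at all, while the Extended records carry whatever the #Fields line declared; that difference is exactly the shortcoming of the older format described above.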

The above list is not comprehensive, yet it treats the most common logs an administrator needs to interact with. In the next edition, we will look at event log monitoring tools.

For More Information:

http://technet2.microsoft.com/windowsserver/en/library/ff00cacf-3a04-49eb-8676-c5eb9262a9291033.mspx?mfr=true

http://www.microsoft.com/technet/technetmag/issues/2006/11/EventManagement/default.aspx

http://www.computerperformance.co.uk/vista/vista_event_viewer.htm#New_Event_Logs_in_Vista

http://www.lockergnome.com/it/2005/02/09/windows-server-2003-event-viewer/

http://kbase.gfi.com/showarticle.asp?id=KBID002767

http://kbase.gfi.com/showarticle.asp?id=KBID002769 

http://www.w3.org/TR/WD-logfile.html 

Disclosure: Niche Konsult resells the following event log monitoring solutions - GFI EventsManager and Netikus EventSentry.

ENTERPRISE SECURITY: Who Polices the police?

Microsoft’s sixth immutable law of security reads: A computer is only as secure as the administrator is trustworthy.

Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that he have control over the computer. This puts the administrator in a position of unequalled power. An untrustworthy administrator can negate every other security measure you've taken. He can change the permissions on the computer, modify the system security policies, install malicious software, add bogus users, or do any of a million other things. He can subvert virtually any protective measure in the operating system, because he controls it. Worst of all, he can cover his tracks. If you have an untrustworthy administrator, you have absolutely no security.

When hiring a system administrator, recognize the position of trust that administrators occupy, and only hire people who warrant that trust. Call his references, and ask them about his previous work record, especially with regard to any security incidents at previous employers. If appropriate for your organization, you may also consider taking a step that banks and other security-conscious companies do, and require that your administrators pass a complete background check at hiring time, and at periodic intervals afterward. Whatever criteria you select, apply them across the board. Don't give anyone administrative privileges on your network unless they've been vetted – and this includes temporary employees and contractors, too.

Next, take steps to help keep honest people honest. Use sign-in/sign-out sheets to track who's been in the server room. (You do have a server room with a locked door, right? If not, re-read Law #3). Implement a "two person" rule when installing or upgrading software. Diversify management tasks as much as possible, as a way of minimizing how much power any one administrator has. Also, don't use the Administrator account—instead, give each administrator a separate account with administrative privileges, so you can tell who's doing what. Finally, consider taking steps to make it more difficult for a rogue administrator to cover his tracks. For instance, store audit data on write-only media, or house System A's audit data on System B, and make sure that the two systems have different administrators. The more accountable your administrators are, the less likely you are to have problems.

Source: Microsoft’s 10 Immutable Laws of Security

For More Information

YUNG-HSUN LIN OF MEDCO HEALTH SYSTEMS: FAILED LOGIC BOMB

http://www.newark.fbi.gov/dojpressrel/2007/nko91907.htm

ROGER DURONIO OF UBS PAINEWEBBER: SUCCESSFUL LOGIC BOMB

http://www.usdoj.gov/criminal/cybercrime/duronioIndict.htm

JUSTIN A. PERRAS

http://www.usdoj.gov/criminal/cybercrime/perrasSent.htm

http://www.sans.edu/resources/securitylab/log_bmb_trp_door.php

MICROSOFT’S 10 IMMUTABLE LAWS OF SECURITY

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

http://www.scmagazineus.com/Former-New-Jersey-systems-administrator-gets-30-months-in-prison-for-logic-bomb/article/100582/

ENTERPRISE SECURITY: Network printers - An emerging attack vector

According to Aaron Weaver: "Many network printers listen on port 9100 for a print job (RAW Printing or Direct IP printing). You can telnet directly to the printer port and enter text. Once you disconnect from the printer it will print out the text that you send it. Network printers also accept PostScript, and Printer Control language. The security around this is usually minimal - connect to the port, send the print job, disconnect and the printer prints the page. Within the last year there have been new discoveries on attacking the Intranet from the Internet. This involves setting an image tag or script tag to an internally addressable IP address and then the browser will request the "image" resource. Several attacks can be accomplished; port scanning, fingerprinting devices, and changing internal router settings."

For More Information

AARON WEAVER IN FULL

http://aaron.weaver2.googlepages.com/CrossSitePrinting.pdf

PRESS MENTIONS

http://infotech.indiatimes.com/Beware_your_printer_can_be_hijacked/articleshow/2692428.cms 

http://www.heise-security.co.uk/news/101646 

GENERAL SECURITY: Internet Access From Cybercafe Or Hotel Computers – How Safe?

Spyware is software or hardware capable of capturing passwords and usernames, and it is used to steal money and identities. Usually invisible to the untutored eye, it may unobtrusively record every keystroke, emailing the record on a set schedule or posting it to a website under the control of its creator. As regards the reality of the spyware threat, we think the news items in the For More Information section will be quite instructive. Niche Konsult recommends avoiding internet cafés, airports, libraries and public kiosk internet facilities like the plague if handling information you would rather not share.

For More Information

http://www.hotel-online.com/News/PR208_1st/Jan08_BizCenters.html

http://www.sans.edu/resources/securitylab/superclick_privacy.php

http://www.k-state.edu/infotech/news/tuesday/ 

http://michaelcoates.wordpress.com 

http://lawfuel.com/show-release.asp?ID=16492

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx#E2C

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx#ESB

GENERAL SECURITY: Master Boot Records: A Re-emerging attack vector

A new rootkit that targets the Windows operating system (both Windows XP and Windows Vista) and hides in the MBR was reported during December. The rootkit is based on proof-of-concepts by eEye and Kumar.

For More Information:

http://en.wikipedia.org/wiki/Rootkit

http://en.wikipedia.org/wiki/Master_boot_record

http://www.blackhat.com/presentations/bh-usa-05/bh-US-05-soeder.pdf 

http://www.blackhat.com/presentations/bh-europe-07/kumar/presentation/bh-eu-07-kumar-april.pdf 

http://www2.gmer.net/mbr/ 

www.zdnetasia.com/news/security/0,39044215,62036414,00.htm

http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html

GENERAL SECURITY: Targeted Attacks - A must-read Presentation by Martin Horenbeck of the ISC

Niche Konsult encourages all IT administrators to forward a copy of the presentation by Martin Horenbeck of the ISC to their Management. It is one of the best examples of targeted attacks one can find on the internet.

For More Information:

http://isc.sans.org/diary.html?storyid=3835

GENERAL SECURITY: HP Software Update tool

The software that comes pre-installed on new HP laptops, i.e., HP Software Update Tool, has been found to have a flaw that makes it vulnerable to exploitation by hackers. As a matter of fact, three such vulnerabilities were discovered during 2007. The flaw is so serious that a hacker can use it to make such laptops unbootable. HP has supplied a patch though.

For More Information:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9054038

http://www.eweek.com/article2/0,1895,2237376,00.asp

http://seclists.org/bugtraq/2007/Dec/0273.html 

http://www.securityfocus.com/archive/1/485325 

GOVERNMENT SECURITY: A must-read for Cyber Security practitioners

This article, which is over a hundred and twenty pages long, should be required reading for those in charge of cybersecurity in Nigeria as well as those aspiring to gain some understanding of the inner workings of cybersecurity in governance.

For More Information:

http://www.demos.co.uk/publications/nationalsecurityforthetwentyfirstcentury/

http://www.businessweek.com/technology/special_reports/2007121/techhomelan.htm

INSTANT MESSAGING SECURITY: Ooops! No News!!

OFFICE SECURITY: Office 2003 update locks out older file formats

Microsoft once again scored a low point with a number of its clients for making an Office 2003 update that locked users out of files with pre-Office 2003 file formats.

For More Information:

http://www.informationweek.com/news/showArticle.jhtml?articleID=205207131

http://www.itnews.com.au/News/NewsStory.aspx?story=67522

PORTABLE DEVICE SECURITY: Portable Electronic devices: Balancing convenience & Security

Given the number of news articles about breaches involving information leakage as a result of the mismanagement of portable storage devices, as well as the prevalence of these devices on the market, Niche Konsult intends to do a podcast that highlights the dangers that corporations face from the uncontrolled use of these portable devices. A copy of this podcast will be posted to the web in three days' time, i.e., on January 24, 2008, and will feature prominently on our home page http://www.nichekonsult.com. We trust our readers will find the podcast relevant.

Disclosure: Niche Konsult resells GFI EndPointSecurity and PointSec Protector which can be used to control the use of portable storage devices in the enterprise.

PORTABLE DEVICE SECURITY: Sensitive NHS Patient Data Lost to portable storage devices

Once again, another British agency is in the news for information leakage due to the mismanagement of portable storage devices. This could happen to anyone and to any organization. If your organization does not have policies for managing these kinds of devices, then it's high time someone began the process.

For More Information:

http://www.manchestereveningnews.co.uk/news/s/1031694_personal_info_lost_in_oldham

Disclosure: Niche Konsult resells GFI EndPointSecurity and PointSec Protector which can be used to control the use of portable storage devices in the enterprise.

WEB APPLICATION SECURITY: Section Re-Name

From the December 2007 edition henceforth, the Web Security Section of the newsletter will be named Web Application Security.

WEB APPLICATION SECURITY: Another Free MacWorld Platinum Pass

Kurt Grutzmacher (grutz@jingojango.net) has for the second time in two years discovered that one did not have to pay a dime to attend Steve Jobs' MacWorld. By the way, a Platinum Pass costs $1,895.00.

Last year Kurt disclosed a method of obtaining a free Platinum Pass, and even made contact with the web application developer, and the problem was resolved. This year again, Kurt found out that a free Platinum Pass could once again be obtained. The question is how?

FOR MORE INFORMATION:

http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html

WEB APPLICATION SECURITY: Flash Files, Cross Site Scripting & Web Application Vulnerabilities

According to Rich Cannings, critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe Dreamweaver, Adobe Acrobat Connect (formerly Macromedia Breeze), InfoSoft FusionCharts and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).

This problem is not limited to authoring tools. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects.

Simple Google hacking queries reveal that hundreds of thousands of SWFs are vulnerable on the Internet, and a considerable percentage of major Internet sites are affected. We are only reporting XSS vulnerabilities that have been fixed by the vendors.

FOR MORE INFORMATION:

http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw

WEB APPLICATION SECURITY: OWASP Asia Pacific & Australia 2008 Application Security Conference

Join us at the 8th Application Security Conference for OWASP at the Gold Coast Convention Centre in Queensland Australia.

The Conference offers a three day program including an initial day of Application Security Awareness Training, and then two days of technical and business presentations.

The Conference includes a number of leading Industry Experts in the Application Security Field, including Mark Curphey (Microsoft Europe who started OWASP way back), as well as published author Brian Chess and local speakers including Jean Marie Abighanem, Matthew Hackling, Darren Skidmore and Paul Theriault and many more.

Presentations include a diverse offering of Application Security Topics from both a technical and business nature and include topics such as

- Secure Development Lifecycles

- Enterprise Testing Projects & Considerations

- Understanding Attack Vectors such as XSS, CSRF etc

- Security in a Web 2.0 World

- Static Analysis and Dynamic Analysis

- PCI Security Standards for Application Security

- Hacking Techniques for the Web and Google

- Web Services and XML Security

- Flash based Malware Detection & Analysis

- Legal Risk & Compliance Issues with Application Security

Registrations are now open and can be completed online through the OWASP web site. http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference

EarlyBird Registrations are available to the 25th January 2008 to save $50 off your registration costs.

Standard Conference Registration is $475.00 USD, or $425.00 USD for OWASP Members. The Conference Training Day is provided at $650.00 USD.

The Conference fees include access to the presentations as well as day meals, and a Gala Dinner for the Conference Attendees. Be sure to register today to secure a place at the Leading Asia Pacific & Australia Application Security Conference. http://www.owasp.org

WINDOWS SECURITY: Is your operating system running in Secure Mode?

If your PC is not fully patched and running antivirus software, a firewall and antispyware software, then most probably it isn’t.

If such a PC is a personal one, how about trying Secunia PSI? Secunia PSI is a free solution from Secunia that allows private users to map, patch and secure the software installed on their computers. As of January 2008, the Secunia PSI had been installed on more than 215,000 computers and monitored more than 17.6 million applications, categorised as either Insecure, End-of-Life or Patched. The first version of the Secunia PSI was released in July 2007; it is currently at version 0.9.0.0 (Release Candidate 1).

For More Information:

Personal PCs: https://psi.secunia.com/

Corporate/Enterprise networks: GFI LANguard Network Security Scanner

WINDOWS SECURITY: Microsoft Vista Service Pack 1 Near-Final “Release Candidate” Now Available

Microsoft has incorporated bug fixes, performance improvements, capability improvements as well as a few new features into Windows Vista Service Pack 1.

For More Information:

http://blogs.zdnet.com/microsoft/?p=1106

WIRELESS SECURITY: Which way to go? Open wireless or Secure wireless?

Those of us with modern laptops are often notified of the existence of open or secure wireless networks within the reach of machines. There is a raging controversy over whether it is wrong or right to run an open or a secure wireless network. The argument on both sides of the camp makes an interesting