t...@kalik.net wrote:
What could a hacker do to the server if he can't even get past returning a
correct shared secret?

Get the usernames and passwords of your users and gain access to your
network at will. Publish them and let anybody use your network.


Internet for free. Sounds great. Here's one example, is this you?

     Geier, Eric  m...@egeier.com
     297 Marchmont Drive
     Fairborn, Ohio 45324
     United States
     +1.9372600286

First Google hit:

http://www.informit.com/authors/bio.aspx?a=AFEDE263-5156-4C97-AD8E-5E4473511557

Interesting list of books on your site.

"Say I did open up to any IP, the AP's MAC must match one from my list;
moreover the hacker must have the shared secret. Plus if I can add to the
example SQL statement, I would add to the WHERE clause "and domain = (domain
pulled from what's after the username's @ sign)". Then the hacker must know a
username and domain that matches an acceptable AP, the user's password, that
acceptable AP's MAC address, and then finally the shared secret for the AP."

So, because a lot of hurdles are put in front of someone, that should stop them?
If so, I would never be where I am today. All that does is challenge your
adversary's intellect, and let us face reality a bit, the ones that know what
they do would take that challenge on any day. Put a carrot in front of a
donkey, and it'll get eaten. Put a lot of carrots in front of the donkey and
they'll still get eaten, it'll just take slightly longer.

I can't see how putting your authentication and authorization system in the 
wild will help you, other than saving a buck on setting up VPNs between your 
sites. Which can also be done cheaply if cost is the motivator.

Don't let an infrastructure piece like this sit in the open if you use it for
your internal purposes. Wouldn't you agree?

//anders
