Wireless Security
The Skinny On How Not To Write An Article About WPA-PSK Nov 15 2010 08:21PM Paul Asadoorian (paul pauldotcom com) (4 replies)
Re: The Skinny On How Not To Write An Article About WPA-PSK Nov 16 2010 02:28AM Richard Farina (sidhayn gmail com)
Re: The Skinny On How Not To Write An Article About WPA-PSK Nov 16 2010 01:57AM Grant Moerschel (gm wavegard com)
Re: The Skinny On How Not To Write An Article About WPA-PSK Nov 16 2010 01:00AM Kenneth Voort (listbounce-01 voort ca) (1 replies)
Re: The Skinny On How Not To Write An Article About WPA-PSK Nov 17 2010 06:24AM Cedric Blancher (blancher cartel-securite fr)
http://blog.kismetwireless.net/2010/11/psk-doesnt-mean-public-shared-key.html
Was the SOPHOS guy wrong about being able to decrypt others' traffic,
sure, but his idea would still raise the bar back up to non-Grandma
level. Sure, that's a bandaid, and that's what we in the industry are
famous for, but as Mike said, there really isn't a solution.
And people will point the finger at the web app peeps who coded their
cookie/sessions 'insecure', and they'll point at the transport layer,
in this round robin of blame.
Yes. The SOPHOS gent was wrong in his assumption that it was a
solution, but it's a step forward, and that's better than we have to
offer.
--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org
On Mon, Nov 15, 2010 at 3:21 PM, Paul Asadoorian <paul (at) pauldotcom (dot) com> wrote:
> I have to say, I am really digging this blog (I mean it is called "naked
> security", which is really close to "hack naked", or is it?). I
> referenced several articles from it on a few podcasts. However, an
> article was posted titled, "Dear Starbucks: The skinny on how you can be
> a security hero", and well, should have had a few more eyes on it before
> it went public:
>
> http://nakedsecurity.sophos.com/2010/11/09/dear-starbucks-the-skinny-on-how-you-can-be-a-security-hero/
>
> They did come clean and present the real (?) facts, that in a WPA-PSK
> network you can decrypt anyone's traffic that joins the network after
> you (which I am assuming is correct, unless the experts on this list
> present evidence to the contrary or I get off my lazy ass and look it up
> myself).
>
> Enjoy the article for a good laugh while I go back and review some of
> its earlier posts that I mentioned....
>
> Cheers,
> Paul
>
> --
> Paul Asadoorian
> PaulDotCom Enterprises
> Web: http://pauldotcom.com
> Phone: 401.829.9552
> Fax: 1.877.846.2187
>