tnt@kalik.net wrote:
What could a hacker do to the server if he can't even get passed returning a correct shared secret?
Get the usernames and passwords of your users and gain access to your network at will. Publish them and let anybody use your network.
Internet for free. Sounds great. Here's one example, is this you? Geier, Eric me@egeier.com 297 Marchmont Drive Fairborn, Ohio 45324 United States +1.9372600286 First Google hit: http://www.informit.com/authors/bio.aspx?a=AFEDE263-5156-4C97-AD8E-5E4473511... Interesting list of books on your site. "Say I did open up to any IP, the AP's MAC must match one from my list; moreover the hacker must have the shared secret. Plus if I can add to the example SQL statement, I would add to the WHERE clause "and domain =(domain pulled from what's after the username's @ sign). Then the hacker must know a username and domain that matches an acceptable AP, the user's password, that acceptable AP's MAC address, and then finally the shared secret for the AP. " So, because a lot of hurdles are put in front of someone that should stop them? If so, I would never be where I am today. All that does is challenges your adversaries intellect, and let us face reality a bit, the ones that knows what they do would take that challenge on any day. Put a carrot in front of a donkey, and it'll get eaten. Put a lot of carrots in front of the donkey and they'll still get eaten, it'll just take slightly longer. I can't see how putting your authentication and authorization system in the wild will help you, other than saving a buck on setting up VPNs between your sites. Which can also be done cheaply if cost is the motivator. Don't put an infrastructure piece like this sit in the open if you use it for your internal purposes. Wouldn't you agree? //anders