Slashdot Mirror


802.1X Security Overview

HJ Franzen writes "Ars Technica have what they call a wireless security blackpaper posted that's well worth a read. I wish this was available when I was spec'ing wireless VPN solutions for my campus. The article is pretty detailed and discusses the many ways in which companies are trying to address the fatal flaws in WEP."

98 comments

  1. End the ban by Anonymous Coward · · Score: -1, Offtopic

    The censorship is getting out of Control. Next week, Slashdot will join forces with the RIAA.

  2. Slashcode Updates by Anonymous Coward · · Score: -1, Offtopic

    Many of you have noticed that CmdrTaco has changed a few things in Slashcode this week. The three changes I've observed so far are:
    Karma displayed as an adjective
    Karma score determines posting limit
    Client IP addresses placed in readonly mode more easily
    None of these are earth-shattering, so I'm going to cover them as a group.

    Karma score determines posting limit:
    Taco reminds everyone in this (non-archived) post that:
    "KARMA DOES NOT MATTER". He goes on to prove this by making karma determine how many times you can post a day. Remember, you shouldn't use all caps, because caps is like being wrong. Here's a summary of how important karma actually is now, and while some of these details may be off, this reflects my best knowledge from reading Slashcode:
    Karma: (PPD is posts per day)
    26_50 : Post at 2, 25 PPD, Karma = Excellent
    12_25 : Post at 1, 10 PPD, Karma = Good
    1_12 : Post at 1, 10 PPD, Karma = Positive
    Zero : Post at 1, 10 PPD, Karma = Neutral
    -9_-1 : Post at 0, 2 PPD, Karma = Bad
    -24_-10: Post at -1, 2 PPD, Karma = Terrible

    Note that (as Taco points out) these are the default values in Slashcode atm; Slashdot itself may at any time be running with different values. Each IPID/SubnetId is allowed 10 AC posts per day, unless an IP is being 'abused', at which point things get more complicated. So the land of -1 trolling should be moving to threshold Zero, AC. Taco stated on IRC that the rate limiting change was made to prevent scripted crapflooding from -1 Accounts. I'd love to see a link to this crapflooding (I've never seen it) so if any of you have seen it, email me at operation_mongoose 'at' ziplip.com.

    Karma adjectives:
    Here's CmdrTaco's journal on the subject, and here's the non-archived discussion on the topic. Read it while you can, it will be deleted in two weeks. Taco states that he didn't just enable comments in his journal because he "didn't want people trolling his journal". Additionally, all the comments he made WRT to changes in the Karma system will be deleted. Make of this what you will.

    Client IP addresses placed in readonly mode more easily
    My details on this aren't very good, but as many have pointed out, the "readonly" error message seems to be popping up more often. The message is "You can't post to this page." and it appears when your IP address has been marked readonly. Basically, readonly mode means you're banned from posting anything, but you can still read the site. I think the only modification was one to the criteria for being placed in readonly mode, but I don't know exactly what the change is, only that pudge mentioned in IRC that he turned it up too high, and that now everything should be "Ok

  3. FP! by Anonymous Coward · · Score: -1, Offtopic

    That's it!!

  4. No No, there's nothing wrong with it! by Shanep · · Score: 3, Funny

    Really! I'm enjoying my free broadband!

    Just keep using it, everything is all right.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  5. For those of you who need some info on.... by karnal · · Score: 4, Informative

    how the current standard is broken, visit toms hardware:

    http://www.tomshardware.com/network/02q3/020719/index.html

    They've got some good information on why 64/40 and 128 bit encryption isn't enough; as well as why the current "consumer-level" equipment can't do enough to thwart drive-bys.

    --
    Karnal
    1. Re:For those of you who need some info on.... by Anonymous Coward · · Score: -1, Troll
      unique lameness filter cracking id : 000002 (change this when reposting this information)
      Version 1.1

      Note to moderators: Do not moderate this post down. If you do, then you support the editors' stance on censorship, you support the end of free speech, and you support evil organisations like Microsoft, the RIAA and the MPAA and laws like the CBTBA and DMCA.


      Sign this petition, let your voice be heard!

      Slashdot is using censorship! It is trying to eradicate the free and open discussion we know Slashdot for; it has the following RESTRICTIONS in place to censor you.

      They claim they don't, but they do. Wonder why there are so many trolls, crapflooders and lamers on Slashdot? Because they are fighting for their rights! Slashdot is trying to silence the trolls. Remove the filters, the trolls get bored, and Slashdot will be troll free!
      • Lameness filters (they block a lot of legitimate posts)
      • Unnecessary posting delays. Hasn't Taco learned to touch type? A lot of posts are typed in less than 20 seconds and it is an ANNOYING DELAY! A 2 minute ban? Come on, so some are faster than others, big deal; some people have more to say than others.
      • Broken moderation system. The whole point is to sort the gems from the crap, yet a lot of posts designed to make a LIVELY DISCUSSION are MODERATED as flamebait! Come on, not everyone likes X, but just because someone bashes it doesn't mean it's flamebait. Flamebait is more useful for DIRECT INSULTS and not legitimate discussions.
      The "troll" moderation reason is fragmented and broken. Why? Because they are trying to use an obsolete Usenet term on a realtime discussion; "trolls" can cover a huge blanket of ideas.
      • Crapfloods, a meaningless flood of random letters or text, which the lameness filter does a crappy job of trying to stop; besides, trolls have written tools using the open-source Slashcode to generate crapfloods which bypass the filter.
      • Links to offensive websites; the most common one is known as http://www.goatse.cx, an awful site which shows a bleeding anus being stretched on the front page. Trolls sneak these links in by posting messages that look legitimate, but in fact are sneaky redirects to the site. Common examples include rd.yahoo.com, www.linux-kernel.tk, goatsex.cjb.net, and Google's "I'm feeling lucky".
      • Trying to break Slashdot. This is actually a good thing, as it helps test Slashdot for bugs. Famous examples include the goatse.cx JavaScript pop-up, the page-widening post and the browser-crashing post!
      Subnet banning: this bans a user unless they email Jamie McCarthy with their md5ed ipids. This is unfair, and banning a subnet SOMETIMES BLOCKS A WHOLE ISP, and not that individual user! This can cause chaos! But real trolls use anonymous proxies to get around this, so THIS JUST BANS LEGITIMATE USERS!

      But the issue that concerns us the most is the COMMENT QUOTA, a discriminatory system that stifles discussion, cripples the community and will ultimately destroy Slashdot unless it is removed! Anonymous Cowards are allowed only 10 posts a day! This is unethical! Users with negative karma only get two! That is DISCRIMINATION! How would you like to only be able to speak once a day, just because of the color of your skin? That would be racism, and Slashdot is discriminating against people just because of a negative number in a database! BOYCOTT SLASHDOT! LET THEM DIE!

      We want these stupid useless restrictions REMOVED! This comment will be posted again and again until they are!

      Important information for users
      Boycott Slashdot; they are pissing over their community, they are becoming like the RIAA and MICROSOFT! Do NOT TOLERATE THIS SHIT! Here are some real news-for-nerds sites. We don't need Slashdot; Slashdot deserves to die!

      MSNBC
      BBC NEWS
      News.com
      Linux online
      Linux daily news network
      Weird news from dailyrotten.com
      Trollaxor, news for trolls, they are real people too!
      CNN.com
      New york times (free registration required)
      LINUX.com
      News forge
      K5
      Mandrake forum
      Toms hardware
      The register
      Kde dot news
      The linux kernel Archives

      There are hundreds more, But this is where slashdot STEALS THE MAJORITY OF its "news" from.

      Punish them, here are their emails, spam them, flame them goatse them!
      Rob malda
      Jamie Macarthy
      ChrisD
      Hemos

      The other ones apparently don't have an e-mail, probably because ROB MALDA IS PRETENDING HE IS JOHN KATZ.

      Thank you for reading this, please feel free to repost this information, please reply to add your comments, fight slashdot and its CENSORSHIP
    2. Re:For those of you who need some info on.... by Quila · · Score: 1

      That's in the Ars article too.

    3. Re:For those of you who need some info on.... by Oculus+Habent · · Score: 2

      So we should be using Application Layer encryption as well if security is that important.

      You can set up your 128-bit WEP connection, and open an SSH connection over it, or connect to your important websites with 128-bit SSL. Sure, wireless is still easier to break into than a cat5 cable, but as a business you trade the possibility of someone internally with a packet sniffer and a vengeance for someone externally with a packet sniffer, a wireless connection, time, and a vengeance/paid purpose. For major corporations, this trade-off may not be worth it, but for Joe Q. BusinessOwner, the odds that they are A) likely to be attacked, and B) transmitting sensitive data over their wireless connections without any consideration for security are low.

      As time marches on, security will become a greater concern, and these issues will be more publicly noticed. But I'm looking forward to public-access networks with a universal distributed authentication system (set up much like DNS) where our data will be encrypted at the physical, transport, and application layers, and we will authenticate with our home/work networks no matter where we are.

      --
      That what was all this school was for... to teach us how to solve our own problems. -- janeowit
    4. Re:For those of you who need some info on.... by Ed+Avis · · Score: 2

      Damn right. How many of the people (suits perhaps) worrying about the lack of strong encryption on wireless LANs are quite happy to use regular Ethernet? Which is ridiculously easy to sniff.

      I guess there is some point to hardware-layer encryption because many widespread protocols like DNS and NFS don't have usable secure equivalents. But even there, couldn't you use IPsec?

      --
      -- Ed Avis ed@membled.com
    5. Re:For those of you who need some info on.... by Vulture_ · · Score: 1
      IPsec would be great if there were proper Linux support for it, meaning Linux can talk IPsec with any host it contacts. (At present, you need a user-space tunneling program.)

      Or is there a patch or something for this?

      --

      The only way the typical /.er can pick up a chick is with a forklift. -- AC

  6. No signal going through the air is secure... by Anonymous Coward · · Score: 1, Insightful

    ... unless it's encrypted. Even then, your signal can be recorded and broken 10 years later when computers are faster.

    1. Re:No signal going through the air is secure... by Enigma23 · · Score: 1


      Yes, but in 10 years' time, the encryption will be that much better that knowing your now 10-year-old private key will be fsck all use to your would-be hackers...

      --
      Ceci n'est pas une .sig
  7. Zaurus doesn't pay attention to the SID? by dolphinuser · · Score: 3, Interesting

    I have a Zaurus SL-5500, and when using it with my 802.11b network, it doesn't seem to care about the SID.

    It doesn't matter what name I use, it seems to always work. Has anyone else experienced this?

    John

    --
    The drops of water don't know themselves to be a river; and yet the river flows.
  8. Read only mode permanent? by Anonymous Coward · · Score: -1, Offtopic

    I think this needs to be investigated

  9. what's up, homos? by Anonymous Coward · · Score: -1, Troll

    well, i'm sure glad to see that /. hasn't changed in the year or so i've not read it. some things in life just need to be stable. idiotic posts, mad nose-picking geeks, neo-fascists in charge of posting censorship, ass-licking dog-fucker michael still being his crackwhore self. ahhhh! the best things in life ARE free.

    to all my good buddies at /.: eat my rancid shit and die slowly in a fetid and reeking dumpster.

  10. Great Read. by two-bookoo! · · Score: -1, Offtopic

    Cutting and pasting into KWord - changing the author to me-

  11. WinXP Shows where MS is Going by poopbot by Anonymous Coward · · Score: -1, Offtopic
    Windows XP Shows the Direction Microsoft is Going.

    "I've heard WinXP removed the cmd/command prompt."

    No, Microsoft didn't remove the CMD.EXE or COMMAND.COM prompt from Windows XP. But Windows XP has reduced functionality, in many ways, not just in the command line. The command line is a big embarrassment because of its limited capabilities, but at least in Win 95 it worked. With every version since then it has worked less well. (There are two kinds of command prompt, and, according to Microsoft employees, the differences between them are not documented.)

    The command line prompt sometimes begins to display short file names. Microsoft employees say that Microsoft has no fix, although someone not connected with Microsoft did make a work-around.

    Cutting and pasting into a command line program often puts successive extra spaces before each line. Microsoft employees say that there is no plan to fix this.

    The fast paste mode that is in Windows 98 is gone in Windows XP. Microsoft employees say there is no plan to fix this.

    When using the command line interface, Windows XP doesn't always update the time. After several hours, the time reported to command line programs can be several hours in error.

    There is a DOS program called START.EXE that can be used to start other programs. But it does operate the same way as in other versions of Windows. It starts a program, but cannot be made to return control to the command line program as previous versions did. There is no technical reason for this; it is just one of the shortcomings that are allowed to exist.

    People often say that DOS has gone away. But Microsoft still calls the command line interface DOS, and in Windows XP Microsoft has added new programs for configuring the OS that work only under DOS.

    Sometimes when you press a key while using Windows XP, it is seconds until there is any response. Apparently there is something wrong with the CPU scheduler in XP, because there are a lot of complaints about this in the forums and MS people have said that they are working on it. On one particular fresh installation of XP, on an Intel motherboard with either a Matrox G550 or an ATI Radeon video adapter, it requires 18 seconds to display a directory listing of 94 items. This is apparently related to a bug in the video software, not the adapter drivers.

    Something is wrong with the Alt-Tab display of running programs under Windows XP. If there are a lot of programs, not all of them are displayed. The order jumps around in a seemingly random way.

    Although articles often say negative things about Microsoft, I've never seen an article that fully documents how bad the situation really is. Microsoft's management is so bad that the company has become self-destructive. For example, Windows XP is spyware. Here is a list of ways Windows XP connects to Microsoft's servers:
    1. Application Layer Gateway Service (Requires server rights.)
    2. Fax Service
    3. File Signature Verification
    4. Generic Host Process for Win32 Services (Requires server rights.)
    5. Microsoft Application Error Reporting
    6. Microsoft Baseline Security Analyzer
    7. Microsoft Direct Play Voice Test
    8. Microsoft Help and Support Center
    9. Microsoft Help Center Hosting Server (Wants server rights.)
    10. Microsoft Management Console
    11. Microsoft Media Player (tells Microsoft the music you like)
    12. Microsoft Network Availability Test
    13. Microsoft Volume Shadow Copy Service
    14. MS DTC Console program
    15. Run DLL as an app
    16. Services and Controller app
    17. Time Service, sets the time on your computer from Microsoft's computer.
    18. Microsoft Office keeps a number in each file you create that identifies your computer. Microsoft has never said why.
    19. Microsoft mouse software has reduced functionality until you let it connect to Microsoft computers.
    These are just the ones I know. There may be others.

    So, if you use Windows XP, your computer is dependent on Microsoft computers. That's bad, not only because you lose control over your possession, but because Microsoft produces buggy software and doesn't patch bugs quickly. For example, as of July 7, 2002, there are 18 unpatched security holes in Microsoft Internet Explorer. This is a terrible record for a company that has $40 billion in the bank. Obviously, with that kind of money, Microsoft could fix the bugs if it wanted to fix them. Since the bugs are very public and Microsoft has the money, it seems reasonable to suppose that top management at Microsoft has deliberately decided that the bugs should remain, at least for now.

    It seems possible that there is a connection between all the bugs and the U.S. government's friendly treatment of Microsoft's law-breaking. The U.S. government's CIA and FBI and NSA departments spy on the entire world, and unpatched vulnerabilities in Microsoft software help spies.

    Windows XP, and all current Windows operating systems, have a file called the registry in which configuration information is written. If this one (large, often fragmented) file becomes corrupted, the only way of recovering may be to re-format the hard drive, re-install the operating system, and then re-install and re-configure all the applications. The registry file is a single, very vulnerable, point of failure. Microsoft apparently designed it this way to provide copy protection. Since most entries in the registry are poorly documented or not documented, the registry effectively prevents control by the user.

    Note that Microsoft does not support making functional complete backups under Windows XP. Look at Microsoft's policy about this: Q314828 Microsoft Policy on Disk Duplication of Windows XP Installation. Only those who work with Microsoft software will understand the true meaning of Microsoft's policy. Since almost all programs use the registry operating system file, if you cannot make a functional copy of the operating system you cannot make a functional copy of all your application installations and configurations. There are other software companies that try to fix this, but they don't work well, and Microsoft can, of course, break their implementations, as they have often done with other kinds of competitors.

    Because the configuration information for the motherboard and the configuration information for the are mixed together in the registry file, the registry tends to prevent you from moving a hard drive to a computer with a different motherboard. That's another implication of the above Microsoft policy. So, if you have a motherboard failure, and a good complete backup, you may not be able to recover unless you have a spare computer with the same motherboard.

    Note that Windows XP Professional can support only ten simultaneous incoming network connections. If you want more than that, you must use Windows 2000 server, and pay much, much more. (There is no Windows XP server yet.) Many businesses have very light network traffic; they just move files from staff member to staff member; they really don't need a dedicated server computer. The staff computers could easily handle the load except for this artificial limitation.

    Apparently because the Windows XP GUI comes from Windows 98, Windows XP has the same problem with desktop icons that Windows 98 has. The icons sometimes flicker. Sometimes they move themselves around, particularly after the user switches monitor resolutions. Also, sometimes the taskbar settings un-configure themselves, as they do in Windows 98.

    Only technically knowledgeable people know how to avoid signing up for a Microsoft Passport account during initial use of Windows XP. The name Passport gives an indication of Microsoft's thinking. A passport is a document issued by a sovereign nation. Without it, the nation's citizens cannot travel, and, if they leave, won't be allowed back in their own country. In Microsoft's corporate thinking, the company seems to be moving in the direction of believing that they own the user's computer. Most people are both honest and intimidated. Apparently about 95% do whatever they are asked on the screen. They give their personal information to Microsoft. They don't realize that, if they feel forced to get a Passport account, they should enter almost completely fictitious information, since the real question is not "What is your name and address", but "Can we invade your privacy". The honest answer to this is "No, you cannot invade my privacy", and the only effective way to communicate that is to give completely fictitious information. Since it is the educated people who have computers, Microsoft is building a database of the personal lives of educated people. Microsoft knows when they connect and from what IP address (which tends to show the area), what kind of help they ask, and information about what they are doing with their computers, including what music they like. It is not known, and there is no way to know, how much Microsoft or other organizations make use of this information, or their plans for future use.

    Not only has Windows XP definitely gone further in the direction of allowing the user less control over his or her own machine, but with Palladium, Microsoft apparently intends to finish the job: Microsoft will have ultimate control over the user's computer and therefore all his or her data. Even now, under Windows XP, a recent security patch requires that the user agree to a contract that gives Microsoft administrator privileges over the user's computer. The contract says that if a user wants to patch his or her system against a bug which would allow an attack over the Internet, he or she must give Microsoft legal control over the computer. See this article also: Microsoft's Digital Rights Management-- A Little Deeper. You may need to be a lawyer to take apart the crucial sentence. "These security related updates may disable your ability to copy and/or play Secure Content and [my emphasis] use other software on your computer" legally includes this meaning: "These updates may disable your ability to use other software on your computer." Note that the term "security related updates" is meaningless to the user because the updates have no relation to user security. So, the sentence effectively means that Microsoft can control the user's computer without notice and whenever it wants. That kind of sentence is known in psychology as "testing the limits". If there is no strong public complaint about this, expect to see more and stronger language like this.

    This Register article shows the direction Microsoft is going: MS Palladium protects IT vendors, not you. Absolute power corrupts absolutely, and Microsoft is well down that road. See this ZDNet article, also: MS: Why we can't trust your 'trustworthy' OS.

    Microsoft's self-destructiveness does not mean that the user should be self-destructive. There is no need to apologize for using Microsoft software. The correct solution to abuse is persuading the abuser to stop being abusive. Once I posted to a Slashdot story a link to an article on a web site of mine. By far the majority of visitors from the Slashdot story used Microsoft operating systems. Rather than feel embarrassed because Microsoft is abusive, action needs to be taken to prevent the abuse. If you are against Microsoft abuse, you are not against Microsoft; you are more pro-Microsoft than Bill Gates.

    These Microsoft policies mean that any government which wants to be independent of the United States government, and any government which represents itself as controlled by the people, cannot use Microsoft operating systems, or other Microsoft proprietary systems.




    - posted by poopbot: who doesn't like scat?

    foxsZmPsGl Post #294
  12. Update on slashdot censorship! by Anonymous Coward · · Score: -1, Troll
    1. Re:Update on slashdot censorship! by Anonymous Coward · · Score: -1, Troll

      you, sir, are an ass-licking dog-fucking, dildo-swallowing cretinous nose-picking fuckstick. didn't your mommy change your diapers today?

    2. Re:Update on slashdot censorship! by Anonymous Coward · · Score: -1, Offtopic

      so when are you going to start boycotting it yourself?

  13. SSID Security by jamesbernsen · · Score: 2, Insightful
    From the article:

    The SSID should be created with the same rules as any strong password (long, non-meaningful strings of characters including letters, numbers and symbols).

    By default the Access Point broadcasts the SSID every few seconds in what are known as 'Beacon Frames'. While this makes it easy for authorized users to find the correct network, it also makes it easy for unauthorized users to find the network name.

    Can someone then explain to me what is the reason for choosing a secure SSID?
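
The question above (and the Zaurus observation in comment 7) comes down to where the SSID actually travels. The following is an added example, not code from the Ars article or from any poster here: it decodes the body of an 802.11 beacon management frame as the standard lays it out (8-byte timestamp, 2-byte beacon interval, 2-byte capability field, then tagged information elements) and pulls out the SSID element and the Privacy capability bit. The frame bytes are constructed in the script for illustration, not captured traffic. Running it shows that even a "strong password" style SSID arrives in cleartext in every beacon, so SSID complexity is not a confidentiality control; the only thing a beacon hides is a zero-length ("hidden") SSID, and that is also why a client set to a wildcard SSID can associate without knowing the name in advance.

```python
"""Decode SSID and privacy flag from an 802.11 beacon frame body.

Added example, not part of the original thread. The beacon bodies used
below are constructed in build_beacon_body(), not real captures.
"""
import struct

TAG_SSID = 0          # information element tag number for the SSID
CAP_ESS = 1 << 0      # capability bit 0: infrastructure (ESS) network
CAP_PRIVACY = 1 << 4  # capability bit 4: Privacy (encryption required, WEP here)


def parse_beacon_body(body: bytes) -> dict:
    """Parse the fixed fields and the SSID element of a beacon frame body.

    Layout: timestamp (8, LE) | beacon interval (2, LE) | capability (2, LE)
    followed by tagged parameters, each tag (1) | length (1) | value (length).
    """
    if len(body) < 12:
        raise ValueError("beacon body too short for fixed fields")
    timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)

    ssid = None
    hidden = False
    offset = 12
    while offset + 2 <= len(body):
        tag, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == TAG_SSID:
            # "Hidden SSID" access points beacon a zero-length or all-NUL SSID
            if length == 0 or value.count(0) == length:
                hidden = True
                ssid = ""
            else:
                ssid = value.decode("utf-8", errors="replace")
        offset += 2 + length

    return {
        "timestamp": timestamp,
        "beacon_interval_tu": interval,
        "ess": bool(cap & CAP_ESS),
        "privacy": bool(cap & CAP_PRIVACY),
        "ssid": ssid,
        "hidden": hidden,
    }


def build_beacon_body(ssid: bytes, privacy: bool, interval: int = 100) -> bytes:
    """Construct a minimal beacon body for the example (constructed data)."""
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0x1234, interval, cap)
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid
    # Supported Rates element (tag 1): 1, 2, 5.5, 11 Mbit/s in 500 kbit/s units,
    # high bit set marks a basic rate
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return fixed + ssid_ie + rates_ie


if __name__ == "__main__":
    # A long random-looking SSID, as the article recommends: it is still
    # readable by anyone who receives the beacon.
    strong_ssid = b"x7#Qv9!pL2@wR4$k"
    for body in (build_beacon_body(strong_ssid, privacy=True),
                 build_beacon_body(b"", privacy=True)):
        print(parse_beacon_body(body))
```

The Privacy bit tells a listener that WEP is required, but nothing more; the SSID element is plain text either way. What a non-default SSID does buy you is avoiding accidental association with the neighbour's identically named network and not advertising the vendor of your access point, which is an operational benefit rather than a secret.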

    1. Re:SSID Security by Anonymous Coward · · Score: -1, Offtopic
      unique lameness filter cracking id : 000001 (change this when reposting this information)
      Version 1.1

      Note to moderators : Do not moderate this post down, if you do then you support the editors stance on censorship and you support the end of free speech and
      support evil organisations like Microsoft, RIAA, MPAA and laws like the CBTBA and DMCA


      Sign this petition, let your voice be heard!

      Slashdot is using censorship! It is trying to eradicate free and open discussion like we know Slashdot to be; it has the following RESTRICTIONS in place to censor you

      They claim they don't, but they do. Wonder why there are so many trolls, crapflooders and lamers on Slashdot? Because they are fighting for their rights! Slashdot is trying to silence the trolls. Remove the filters, the trolls get bored, and Slashdot will be troll free!
      • Lameness filters (it blocks a lot of legitimate posts)
      • Unnecessary posting delays. Hasn't Taco learned to touch type? A lot of posts are typed in less than 20 seconds and it is an ANNOYING DELAY! 2 minute ban? Come on, so some are faster than others, big deal, some people have more to say than others
      • Broken moderation system. The whole point is to sort the gems from the crap, yet a lot of posts designed to make a LIVELY DISCUSSION are MODERATED as flamebait! Come on, not everyone likes X, but just because someone bashes it doesn't mean it's Flamebait. Flamebait is more useful for DIRECT INSULTS and not legitimate discussions.
      The "troll" moderation reason is fragmented and broken. Why? Because they are trying to use an obsolete Usenet term on a realtime discussion; "trolls" can cover a huge blanket of ideas.
      • Crapfloods, a meaningless flood of random letters or text, which the lameness filter does a crappy job at trying to stop; besides, trolls have written tools using the open source Slashcode to generate crapfloods which bypass the filter
      • Links to offensive websites, the most common one is known as http://www.goatse.cx, an awful site which shows a bleeding anus being stretched on the front page. Trolls sneak these links in by posting messages that look legitimate, but in fact are sneaky redirects to the site. Common examples include rd.yahoo.com, www.linux-kernel.tk, goatsex.cjb.net, and Google's "I'm feeling lucky".
      • Trying to break Slashdot; this is actually a good thing, as it helps test Slashdot for bugs. Famous examples include the goatse.cx JavaScript pop-up, the page-widening post and the browser-crashing post!
      Subnet banning; this bans a user unless they email Jamie Macarthy with their md5ed IPIDs. This is unfair, and banning a subnet BLOCKS A WHOLE ISP SOMETIMES, and not that individual user! This can cause chaos! But real trolls use anonymous proxies to get around this so THIS JUST BANS LEGITIMATE USERS!

      But the issue that concerns us the most is the COMMENT QUOTA. A discriminatory system that stifles discussion, cripples the community and will ultimately destroy Slashdot unless it is removed! Anonymous Cowards are allowed only 10 posts a day! This is unethical! Users with negative karma only get two! That is DISCRIMINATION! How would you like to only be able to speak once a day, just because of the color of your skin? That would be racism, and Slashdot is discriminating against people just because of a negative number in a database! BOYCOTT SLASHDOT! LET THEM DIE!

      We want these stupid useless restrictions REMOVED! This comment will be posted again and again until it does!

      Important information for users
      Boycott Slashdot, they are pissing over their community, they are becoming like the RIAA and MICROSOFT! Do NOT TOLERATE THIS SHIT! Here are some real news for nerds sites. We don't need Slashdot, Slashdot deserves to die!

      MSNBC
      BBC NEWS
      News.com
      Linux online
      Linux daily news network
      Weird news from dailyrotten.com
      Trollaxor, news for trolls, they are real people too!
      CNN.com
      New york times (free registration required)
      LINUX.com
      News forge
      K5
      Mandrake forum
      Toms hardware
      The register
      Kde dot news
      The linux kernel Archives

      There are hundreds more, But this is where slashdot STEALS THE MAJORITY OF its "news" from.

      Punish them, here are their emails, spam them, flame them goatse them!
      Rob malda
      Jamie Macarthy
      ChrisD
      Hemos

      The other ones apparently don't have an e-mail, probably because ROB MALDA IS PRETENDING HE IS JOHN KATZ.

      Thank you for reading this, please feel free to repost this information, please reply to add your comments, fight slashdot and its CENSORSHIP
    2. Re:SSID Security by Conspiracy+Theorist · · Score: 4, Informative

      Actually most APs broadcast a few (or many) Beacon Frames every second rather than a Beacon every few seconds. But to your question, the client (whether authorized or un-authorized) needs the SSID to associate with an AP. Picking one that is difficult to guess and using an AP that can suppress the SSID in Beacon Frames makes it that much more difficult for an un-authorized client to associate with your AP.

    3. Re:SSID Security by heliocentric · · Score: 2, Informative

      By default the Access Point broadcasts the SSID every few seconds...

      Can someone then explain to me what is the reason for choosing a secure SSID?


      Well, if you name yours "company name" and you happen to work for Company Name then it's kind of obvious whose network you have. Now, this issue isn't so important when you have a large corporate campus and you have to be in the parking lot just to get reception ("gee, I wonder whose network this is???"). But it makes a lot of sense in a shared environment or in office space in urban environments. Chances are by doing some range poking you can narrow down the broadcast field where you're catching an SSID and possibly locate the physical location of the box, but it's just another layer to security. As is often promoted, layering security is better than just one this-had-better-hold form of security -- it often means you can detect intrusions at less vital areas and it often means those inside with proper access aren't working in some soft gooey center where it's easy to gain access throughout.

      --
      Wheeeee
    4. Re:SSID Security by tydiriun · · Score: 1

      This is just stupid. SSID provides security in no way whatsoever. There is no point to picking an SSID that is hard to guess, and a random string of letters and numbers will just add to support headaches. The SSID is in the clear. Anyone can see it with a sniffer. Even if you turn broadcast SSID off it can still be seen. Good advice would be something like this: use a word that is easy to spell and remember so that your support staff can remember it and users will not have a problem mistyping it.

    5. Re:SSID Security by Chanc_Gorkon · · Score: 2

      You know I thought this when I first read it, but now I know better! ;) No, I didn't get owned and no one got access to my network, but this is security you can see. When you turn the broadcast off, then the SSID isn't transmitted (well duh) and, also, even on clients that do have a matching SSID, you will not see the AP in your handheld's Wireless app, but you will see it is on the network. This makes it easy for some warchalkers and crackers to just pass it on by. Especially ones who have no idea why a WiFi AP would be installed in, say, an unassuming house in suburbia. Why investigate every house and business when you just have to look for all of the clueless folks who broadcast their SSID.

      --

      Gorkman

    6. Re:SSID Security by Anonymous Coward · · Score: 0

      While an overall impressive paper, the author makes two common mistakes:

      1. The SSID provides security.
      It (as some of the other replies to this comment state) DOES NOT. Any passive sniffer (plug: www.kismetwireless.net) can see the SSID beacon. The SSID is unencrypted plaintext for a reason - it's a name, not a security measure. All it's good for is segregating two networks on the same (or adjacent) channel in the same airspace.

      2. Disabling beaconing provides security.
      Again, it DOES NOT. The SSID is still sent every time a client joins the network, and every time a client gets a weak signal and attempts to find a stronger AP on the same network! Kismet will automatically track these transactions and uncloak a network, and any other rfmon sniffer can easily do this as well. And for anyone who thinks "oh, that's not that common" - think again. I've uncloaked networks at highway speeds with 2 packets. It's just a matter of chance. The same thing applies for SSID cloaking, where the SSID is nulled out of the beacon packets. Both provide only the illusion of security and no real benefit.

      -dragorn

    7. Re:SSID Security by tydiriun · · Score: 1

      If the fact that you do not see the AP when you use an app like Netstumbler makes you think you have added security by turning off broadcast SSID and using a difficult to remember SSID, good for you. The bottom line is that you have not. Plenty of sniffers still see your traffic and still see the SSID.

    8. Re:SSID Security by Chanc_Gorkon · · Score: 2

      That may be true, but why advertise? Broadcasting the SSID is like saying look at me! I have a wireless network! Also, there's one thing that I always do when I leave for an extended period of time (a week or so)....I turn off the radio. Problem solved. BTW, I didn't use Netstumbler. I used the app built in to my handheld. This is a layer that one has to go through, and not a full security solution. All the layers put together is your whole solution. Should WiFi be stronger in its security? Hell yeah, but no matter how much network security you have someone will always be able to break it. Not broadcasting the SSID is something that should be done. If it was a big deal to implement, well, maybe not, but it isn't. I agree with him. Besides, Script Kiddies aren't likely to know enough or be able to get some of the tools they need to crack these things. Those are the ones I am more afraid of. Not saying that they don't have the knowledge...some don't and some do, but it adds another thing they have to do to get through.

      --

      Gorkman

    9. Re:SSID Security by scseth · · Score: 1
      SSID should never be used as a security mechanism for your wireless network. SSID's are truly designed to allow for roaming within your site, and for installations where there are multiple organizations attempting to utilize multiple access points (on varying channels).

      802.1x allows a site owner to utilize RADIUS authentication at the access point level in combination with WEP (OTA security). This attempts to fix the original flaw with WEP, in that the 4 configurable keys were statically set, therefore allowing anyone with enough time to determine at least 1 of the 4 static keys.

      802.1x creates an authentication process at the access point, as well as dynamic key generation for WEP.

      This, of course, helps a single enterprise network, but what about hotspots that want to include public and private applications. There is no way to do it, with the exception of a product by Roving Planet.

    10. Re:SSID Security by Anonymous Coward · · Score: 0

      Can someone then explain to me what is the reason for choosing a secure SSID?

      The point made before that is that the AP can be configured in "closed" mode. This keeps the AP from broadcasting the SSID, adding a little better model for security. (Still not the best in the world.)

    11. Re:SSID Security by swillden · · Score: 2

      Picking one that is difficult to guess and using an AP that can suppress the SSID in Beacon Frames makes it that much more difficult for an un-authorized client to associate with your AP.

      Unless your attacker has a clever, devious and even diabolical mind...

      ... and sets his card to connect to any SSID.

      For most wireless network users there's no reason whatsoever to specify an SSID, so most clueless users will see and connect to your network with nary a problem. SSIDs are to allow you to select one of multiple physically co-located but logically distinct networks. They are not, were not and cannot be a security feature.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    12. Re:SSID Security by Conspiracy+Theorist · · Score: 1

      Oh, wow! I never knew that when you set your card to connect to any SSID it magically fills in the SSID field of the association request frame with the correct SSID of the AP it is requesting association with!

      In order for a client to associate with an AP it must know the SSID the AP is using. It must fill in the SSID field in the association request frame if it hopes to be granted association. Some (most? ... all?) APs that suppress the SSID in the beacon also suppress it in the probe response as well. That means that the only time the SSID is transmitted out over the air is during the association process. The only way an attacker (no matter how clever, devious or diabolical they are) can associate with your AP is if they were sniffing at the time some valid client associated, grabbed the SSID out of the frame and used it in their own association request. No, it's not perfect security, it's not even that great of a security mechanism, but it's an extra hurdle that people have to get over in attacking your network.

      Setting the card to connect to any SSID simply lets the card fill in the association request frame SSID field with an SSID it has seen out on the air, either through beacons or probe responses. If the AP suppresses the SSID in both beacons and probe responses, the card has no way of knowing the SSID.

      If you are worried about warchalkers (or wardrivers, or whatever) connecting up to your AP, suppressing the SSID in beacons and probe responses will probably be enough to keep them walking.

      If you are worried about competitors gaining access to your network through the wireless APs, suppressing the SSID will not be enough.
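
The uncloaking that dragorn (comment 6) and Conspiracy+Theorist (comment 12) argue about is mechanical enough to show in code. The block below is an added example by the editor, not code from the Ars paper, from Kismet, or from any poster. It builds three constructed 802.11 management frames (a beacon whose SSID element is nulled out, a probe response with a zero-length SSID element, and a client's association request carrying the real name) and runs them through a small per-BSSID tracker that records the AP as cloaked and then fills in the SSID from the association request. The MAC addresses and the SSID "corpnet-3f" are hypothetical; the frame layout (24-byte management header, fixed fields, then tag/length/value information elements with tag 0 for the SSID) follows the 802.11 management frame format, but the frames are hand-built, not captured.

```python
"""Recover a cloaked SSID from 802.11 management frames (constructed capture).
A beacon or probe response with a zero-length or all-NUL SSID element is
"cloaked"; the client's association request still carries the real name."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MGMT_SUBTYPES = {0: "assoc_req", 5: "probe_resp", 8: "beacon"}   # frame-control subtype nibble
FIXED_LEN = {"beacon": 12, "probe_resp": 12, "assoc_req": 4}     # fixed fields before the IEs
SSID_IE = 0                                                       # SSID information element tag

def mac(s: str) -> bytes: return bytes.fromhex(s.replace(":", ""))
def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)

def build_mgmt_frame(subtype: int, addr1: str, addr2: str, addr3: str, body: bytes) -> bytes:
    """24-byte management header (type 0, no HT/QoS fields) followed by the body."""
    return bytes([subtype << 4, 0]) + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00" + body

def ssid_ie(ssid: bytes) -> bytes:
    return bytes([SSID_IE, len(ssid)]) + ssid

def beacon_body(ssid: bytes) -> bytes:
    """timestamp(8) + interval(2) + capability(2), then IEs; probe responses use the same layout."""
    return struct.pack("<QHH", 0, 100, 0x0411) + ssid_ie(ssid) + bytes([1, 1, 0x82])

def assoc_req_body(ssid: bytes) -> bytes:
    """capability(2) + listen interval(2), then IEs."""
    return struct.pack("<HH", 0x0411, 10) + ssid_ie(ssid)

def parse_ies(data: bytes) -> Dict[int, bytes]:
    ies: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break                       # truncated element: stop instead of misparsing the tail
        ies.setdefault(tag, value)      # first occurrence wins
        i += 2 + length
    return ies

def parse_frame(frame: bytes) -> Optional[dict]:
    """kind/bssid/client/ssid for a supported management frame, None for anything else."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        return None
    kind = MGMT_SUBTYPES[subtype]
    raw = parse_ies(frame[24 + FIXED_LEN[kind]:]).get(SSID_IE)
    # Cloaking firmware sends length 0 or a run of NULs; both normalise to "".
    ssid = None if raw is None else raw.rstrip(b"\x00").decode("utf-8", "replace")
    return {"kind": kind, "bssid": mac_str(frame[16:22]),
            "client": mac_str(frame[10:16]) if kind == "assoc_req" else None, "ssid": ssid}

@dataclass
class Network:
    ssid: Optional[str] = None
    cloaked: bool = False
    revealed_by: Optional[str] = None
    clients: Set[str] = field(default_factory=set)

class SsidTracker:
    """Per-BSSID state, the way an rfmon sniffer keeps it."""
    def __init__(self) -> None:
        self.networks: Dict[str, Network] = {}

    def feed(self, frame: bytes) -> Optional[dict]:
        p = parse_frame(frame)
        if p is None:
            return None
        net = self.networks.setdefault(p["bssid"], Network())
        if p["kind"] in ("beacon", "probe_resp") and not p["ssid"]:
            net.cloaked = True              # the AP is hiding its name
        elif p["ssid"] and net.ssid is None:
            net.ssid, net.revealed_by = p["ssid"], p["kind"]
        if p["kind"] == "assoc_req":
            net.clients.add(p["client"])
        return p

# Constructed sample capture: hypothetical addresses and SSID, not a real network.
AP, CLIENT = "00:0c:41:aa:bb:cc", "00:02:2d:11:22:33"
SAMPLE_FRAMES = [
    build_mgmt_frame(8, "ff:ff:ff:ff:ff:ff", AP, AP, beacon_body(b"\x00" * 10)),  # beacon, nulled SSID
    build_mgmt_frame(5, CLIENT, AP, AP, beacon_body(b"")),                         # probe response, length-0 SSID
    build_mgmt_frame(0, AP, CLIENT, AP, assoc_req_body(b"corpnet-3f")),            # association request leaks it
]

def uncloak(frames) -> Dict[str, Network]:
    tracker = SsidTracker()
    for f in frames:
        tracker.feed(f)
    return tracker.networks
```

After `uncloak(SAMPLE_FRAMES)` the AP's entry is marked cloaked and carries `ssid="corpnet-3f"` with `revealed_by="assoc_req"`: two beacon-type frames told the sniffer nothing but that a hidden network exists, and a single association request named it, which is exactly the window comment 12 concedes and comment 6 says is hit "at highway speeds". Note the tracker never needs the key, the WEP state or any active probing; it only reads management frames that are never encrypted.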

  14. personal security by Jacer · · Score: 5, Interesting

    i use a little "consumer level" access point/router with DHCP turned off, and a strong subnet mask (i'm talking 29 bits!) then i filled up every IP address in the range by assigning multiple ip addresses to the adapter on my server

    --
    --fetch daddy's blue fright wig, i must be handsome when i release my rage
    2. Re:personal security by Jacer · · Score: 1

      i nearly forgot, i use VPN to encrypt all of my traffic that goes over the wireless link

      --
      --fetch daddy's blue fright wig, i must be handsome when i release my rage
    3. Re:personal security by Anonymous Coward · · Score: -1, Flamebait

      i bet you jerked off after you did that, you sick, no-life, asshole-reaming poor excuse for a human being.

  15. wep is a stupid idea by Anonymous Coward · · Score: 2, Interesting

    what's the difference between an encrypted ack packet and a non-enc'd one from a sniffing point of view? not a one..

    any key you could possibly be using will get exposed through these very well documented and standardized packets.

    short of non-reversible encs like md5 it is basically impossible to protect data if you know the before-enc and after-enc data on a common packet.

    even if they manage to enc say only data in a packet, a smart sniffer will realise that if he/she sends a standard packet with data to the ip he's trying to access then they can get the keys that way too. This changes the nature from a purely passive interception attack but nonetheless doesn't make it at all secure.

    it's been well known in military tactics for decades that no matter how you encrypt your data it will always be broken when it's exposed to scrutiny. Hell, pgp can even easily be broken if you know the source doc before encryption and that's supposed to be one of the most secure encryption devices out there.

    Add to this that with tcpip you'll always know the source; I can't see how you're gonna encrypt the packets short of changing the way tcpip works.

    If you're going to use wireless don't expect absolute privacy. This should never have been a concern. If you want security fork out the bucks for wired systems.

    Transmitting any sensitive information over radio just doesn't make any sense and is the very reason for the extreme security measures taken by governments. For example in nuclear launch codes.... One time use of one code which has to be on the sub prior to it leaving dock. ol' Dubya can't just call up some sub and say launch without the right one of these codes, and for good reason.

    As for unrestricted broadband access (connection sniffing/interjection) that's tougher. How do you keep someone who can know your keys off your system? Well you got two choices... You set up a custom algorithm that changes the keys on both the client and access point according to a certain time internally. At best a hacker will grab 3 or 4 of these keys but if they continually rotate around something that can't be standardized it would be very difficult short of knowing the algorithm used to change keys to get reliable access, though it would undoubtedly be possible given enough time to figure out the deal with the algorithm.

    Any way you look at it it's gonna be security through obfuscation and there's really nothing you can do about it. You want wireless you're gonna have to accept the freeloaders on your service.

    To me though I'd encourage open access points to everyone. But then again I'm sure you don't want to get your cute little ip banned from your favorite channel. Maybe ipv6 could help with a translated address or such. I dunno but as it is now you can't block wireless access so why even try.

    2. Re:wep is a stupid idea by Oculus+Habent · · Score: 5, Insightful
      You want wireless you're gonna have to accept the freeloaders on your service.

      I haven't played with any wireless base stations other than my AirPort, but I can limit MAC Addresses, as well. Sure, this doesn't work in an environment where many friends/clients will be accessing your network unexpectedly, but in a home/school where the number of new users is extremely limited or well-controlled, this can improve security quite substantially.

      Sure, they can still sniff packets, and they can still break encryption, but it will be a sight harder for them to access your wired network/Internet connection.

      --
      That what was all this school was for... to teach us how to solve our own problems. -- janeowit
    3. Re:wep is a stupid idea by WolfWithoutAClause · · Score: 3, Insightful
      what's the difference between an encrypted ack packet and a non-enc'd one from a sniffing point of view? not a one..

      any key you could possibly be using will get exposed through these very well documented and standardized packets.

      short of non-reversible encs like md5 it is basically impossible to protect data if you know the before-enc and after-enc data on a common packet.

      Nope. The best encryption techniques are proof against a 'known plaintext attack'; which is what you are talking about here. The code is not resolvable from the plaintext or the encrypted text or both together. Well, theoretically it is resolvable, but the amount of processing necessary to do it is completely beyond computational reach.

      At best you might be able to guess from the context that it was an ack packet, but that's about it.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    4. Re:wep is a stupid idea by RadioTV · · Score: 1

      If I can decrypt your packets - I can find your MAC address. Then I spoof your MAC address (when you're not using it) and I have access to your network.

      --
      I have great faith in fools - self confidence my friends call it. - Edgar Allan Poe
    5. Re:wep is a stupid idea by Anonymous Coward · · Score: 0
      If I can decrypt your packets - I can find your MAC address. Then I spoof your MAC address (when you're not using it) and I have access to your network.
      Correct - only you don't have to decrypt the packets. Only the data payload is encrypted. (Granted, without the key, spoofing a valid MAC won't get you far, but...)

      -dragorn
    6. Re:wep is a stupid idea by Enigma23 · · Score: 1


      "short of non-reversible encs like md5 it is basically impossible to protect data if you know the before-enc and after-enc data on a common packet."

      Well, the whole point of asymmetric encryption is that you do use non-reversible encryption methods. Of course, with any encryption system knowing how a frame looks both before and after encryption is a massive bonus for any would-be cracker of encryption codes...

      The real problem for most crackers is when they don't have any sort of before and after comparisons to make on packets sent over WEP. In many cases, the fact that it's encrypted will force the majority of potential bandwidth hijackers to go looking for softer, more vulnerable targets to prey on.

      --
      Ceci n'est pas une .sig
    7. Re:wep is a stupid idea by Chops · · Score: 2
      any key you could possible be using will get exposed through these very well documented and standardized packets
      This is wrong -- if knowing the plaintext for a given ciphertext exposes the key, then your cryptography is bad. https sessions are mostly known-plaintext (http headers & static html), but you still have to brute-force the key (as far as we know.)
    8. Re:wep is a stupid idea by Chops · · Score: 2
      many friends/clients will be accessing your network unexpectedly
      If you need people to access your network "unexpectedly," but you want security, no currently available technology can be of assistance.

      Sure, they can still sniff packets, and they can still break encryption, but it will be a sight harder for them to access your wired network/Internet connection.
      Harder, but still not hard. The script-kiddie-class wireless sniffing programs probably reset your MAC address to one they see in a packet (just in case); if they don't, they will soon. Breaking WEP at least requires hanging around until X megs of traffic have passed across the AP.
    9. Re:wep is a stupid idea by Rupert · · Score: 2

      MAC addresses can be faked. I just need to find the MAC address of a trusted user, which will be easy once the WEP is cracked.

      --

      --
      E_NOSIG
    10. Re:wep is a stupid idea by chekhov · · Score: 3, Informative

      Bah, FUD and snake oil. Written by a five year old too.

      I'll pick on a few of the most obvious stupidities:

      short of non-reversible encs like md5 it is basically impossible to protect data if you know the before-enc and after-enc data on a common packet.

      1. MD5 isn't a cipher, it's a hash function.

      2. Real cipher algorithms, e.g. AES-CBC, handle known plaintext attacks quite well.

      a smart sniffer will realise that if he/she sends a standard packet with data to the ip he's trying to access then they can get the keys that way too. This changes the nature from a purely passive interception attack but nonetheless doesn't make it at all secure.

      Yeah? That would be the well known ICMP-"g1mme your k3ye5"-request standard packet, or what?

      it's been well known in military tactics for decades that no matter how you encrypt your data it will always be broken when it's exposed to scrutiny.

      True. Anybody with the slightest knowledge of security will tell you that any defense buys you time. No more, no less.

      Hell, pgp can even easily be broken if you know the source doc before encryption and that's supposed to be one of the most secure encryption devices out there.

      Hmm, got a reference to back that up? No? Thought so.

      Add to this that with tcpip you'll always know the source; I can't see how you're gonna encrypt the packets short of changing the way tcpip works.

      I can see just fine; IPsec - see RFC 2411 etc.

      If you're going to use wireless don't expect absolute privacy. This should never have been a concern. If you want security fork out the bucks for wired systems.

      Wired networks are not absolutely safe either. Are you sure that there are no passive sniffing devices on your net?

      To me though I'd encourage open access points to everyone. But then again I'm sure you don't want to get your cute little ip banned from your favorite channel.

      Yes. I guess your mom stopped your pr0n surfing by installing netnanny so you really need to leech bandwidth from others.

      Maybe ipv6 could help with a translated address or such. I dunno, but as it is now you can't block wireless access so why even try.

      IPv6 is supposed to rid us of NATs. Remember that NATs are evil.

    11. Re:wep is a stupid idea by Anonymous Coward · · Score: 0
      correct

      mod my parent up, and mod its parent down down down....

    12. Re:wep is a stupid idea by ge · · Score: 1

      The above rambling is simply not true. The problem with WEP is that the method was designed by people who were unaware of basic methods of cryptography. You can do much, much better than that.

      To get technical: if an encryption method is used that is "plaintext aware" then an attacker with access to a (bounded) set of plaintext-ciphertext pairs cannot forge a valid ciphertext that's not in that set with more than negligible probability. Add replay prevention and you end up with a much better system.

      Rotating the keys like a madman is not necessary if the system is well-designed. For an N-bit block cipher you need to rotate the keys before you encrypt 2^(N/2) blocks, otherwise ciphertexts will start to repeat. For a 128 bit cipher like AES you can encode over 100 exabytes before you have to rotate the key, which is every six million years or so at 802.11b speeds. Nobody cares after 6 million years.

    13. Re:wep is a stupid idea by Anonymous Coward · · Score: 0

      Actually it's even easier than this. WEP does not encrypt 802.11 management frames, therefore there's nothing to break to get a valid MAC.

    14. Re:wep is a stupid idea by lesv · · Score: 1

      but I can limit MAC Addresses, as well. ... Sure, they can still sniff packets, and they can still break encryption, but it will be a sight harder for them to access your wired network/Internet connection.

      If they've gone to the trouble to break your encryption, they will have no problem forging a fake MAC address; it's fairly trivial to do.

    15. Re:wep is a stupid idea by Dr.+Ion · · Score: 2

      The MAC address is required to be unencrypted, even when using WEP... no need to crack anything there.

      Most WiFi cards make it trivial to override the MAC and set it to anything you'd like, so "closed MAC access" doesn't give you any added security.

    16. Re:wep is a stupid idea by sh!va · · Score: 1
      This guy went on a complete rant and someone gave him a 4 score. Sheesh.
      You have touched upon a few good points (and a lot of bad ones).
      The good stuff:
      1. I think some of the stuff at the top you're trying to get at is summarized very neatly in the end-to-end argument paper by Reed, Saltzer and Clark (MIT). The core of the argument (applied to security) is that you have to assure secrecy between the two end-points that matter. Encryption in between may only be used as an optimization - no guarantees can be made or expected. Read the paper if you haven't:
      http://web.mit.edu/Saltzer/www/publications/pubs.html

      The bad stuff:
      1. Short of non-reversible encs like md5 it is basically impossible to protect data if you know the before enc and after enc data on a common packet.
      What utter nonsense. Go back home and read your crypto book. What you're talking about is a known plaintext attack (you know the plaintext and the ciphertext and try to determine a key) and almost all the ciphers out there (DES, Rijndael, DES-variants) can withstand this attack.
      2. It's been well known in military tactics for decades that no matter how you encrypt your data it will always be broken when it's exposed to scrutiny. Hell, pgp can even easily be broken if you know the source doc before encryption and that's supposed to be one of the most secure encryption devices out there.
      Add to this that with tcpip you'll always know the source; I can't see how you're gonna encrypt the packets short of changing the way tcpip works.
      No, no and no. Knowing the source does not allow you to break a crypto scheme. That's the whole difference between good crypto and security by obscurity. Read some books. The secret is usually the key, not the protocol, not the algorithm.

    17. Re:wep is a stupid idea by perlmonky · · Score: 1

      If you want security fork out the bucks for wired systems.

      As if a "wired" system is secure. There is no such thing as a secure network; the goal is to make it easier to go next door. It's like protecting your house. A crook, if they really want to, will get in no matter how much money you throw at it. A determined person will either break in or get caught trying. By layering WEP with Radius Authentication and MAC address filtering on a "Closed" AP network you make it a lot more trouble than it is really worth.

    18. Re:wep is a stupid idea by Anonymous Coward · · Score: 0

      mac filtering doesn't enhance your security at all. I can extract your mac address from the radio transmissions and configure my card to use it. I either have to wait until your card is turned off or I could force you to lose your association. You have a false sense of security. You may get hurt.

    19. Re:wep is a stupid idea by Shanep · · Score: 2

      If you want security fork out the bucks for wired systems.

      As if a "wired" system is secure.

      It's more secure if the people who have access to it can be trusted. A family in a home network can usually be trusted with their own network. Add wireless and now you have to trust your whole neighborhood.

      A determined person will either break in or get caught trying.

      If they need to break in to my house, then they'll probably just take the computers.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    20. Re:wep is a stupid idea by WolfWithoutAClause · · Score: 2
      Well, the whole point of asymmetric encryption is that you do use non-reversible encryption methods.

      Sorry, that's not right. An asymmetric encryption is still reversible - it has to be - that's how you decrypt it!

      'Asymmetric encryption' just means that given one key you can't figure out the other key and vice versa. Symmetric means you can - the keys are related in some usually trivial way - like they're the same, or backwards or something.

      Of course, with any encryption system knowing how a frame looks both before and after encryption is a massive bonus for any would-be cracker of encryption codes...

      Yes. But when you design codes it's usual to assume a 'known plaintext'; and then design the code to deal with this. A more difficult test still is 'chosen plaintext', where the bad guy gets to give your encryption module a bunch of data and look at the results; and from that tries to work out the key.

      As a rule of thumb, unless the module can stand a chosen plaintext attack, I wouldn't touch it with a barge pole.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
  16. Slashdot Sucks by Anonymous Coward · · Score: -1, Offtopic
    unique lameness filter cracking id : GOATSE (change this when reposting this information)

    Note to moderators: Do not moderate this post down. If you do then you support the editors' stance on censorship and you support the end of free speech and
    support evil organisations like Microsoft, RIAA, MPAA and laws like the CBTBA and DMCA.

    Sign this petition, let your voice be heard!

    Slashdot is using censorship! It is trying to eradicate free and open discussion like we know slashdot to be; it has the following RESTRICTIONS in place to censor you:
    • Lameness filters (it blocks a lot of legitimate posts)
    • Unnecessary posting delays. Hasn't taco learned to touch type? A lot of posts are typed in less than 20 seconds and it is an ANNOYING DELAY! 2 minute ban? Come on, so some are faster than others, big deal, some people have more to say than others
    • Broken moderation system. The whole point is to sort the gems from the crap, yet a lot of posts designed to make a LIVELY DISCUSSION are MODERATED as flamebait! Come on, not everyone likes X, but just because someone bashes it doesn't mean it's Flamebait. Flamebait is more useful for DIRECT INSULTS and not legitimate discussions.
    The "troll" moderation reason is fragmented and broken. Why? Because they are trying to use an obsolete usenet term on a realtime discussion; "trolls" can cover a huge blanket of ideas.
    • Crapfloods, a meaningless flood of random letters or text, which the lameness filter does a crappy job at trying to stop; besides, trolls have written tools using the open source slashcode to generate crapfloods which bypass the filter
    • Links to offensive websites, the most common one is known as http://www.goatse.cx, an awful site which shows a bleeding anus being stretched on the front page. Trolls sneak these links in by posting messages that look legitimate, but in fact are sneaky redirects to the site. Common examples include rd.yahoo.com, www.linux-kernel.tk, goatsex.cjb.net, and Google's "I'm feeling lucky".
    • Trying to break slashdot, this is actually a good thing, as it helps test slashdot for bugs. Famous examples include the goatse.cx javascript pop-up, the pagewidening post and the browser crashing post!
    • Subnet banning, this bans a user unless they email jamie macarthy with their md5ed ipids. This is unfair, and banning a subnet BLOCKS A WHOLE ISP SOMETIMES, and not that individual user! This can cause chaos! But real trolls use anonymous proxies to get around this so THIS JUST BANS LEGITIMATE USERS!

    But, the issue that concerns us the most, is the COMMENT QUOTA. A discriminatory system that stifles discussion, cripples the community and will ultimately destroy slashdot unless it is removed!

    We want these stupid useless restrictions REMOVED! This comment will be posted again and again until it does!

    Important information for users
    Boycott slashdot, they are pissing over their community, they are becoming like the RIAA and MICROSOFT! Do NOT TOLERATE THIS SHIT! Here are some real news for nerds sites.

    MSNBC
    BBC NEWS
    News.com
    Linux online
    Linux daily news network
    Weird news from dailyrotten.com
    Trollaxor, news for trolls, they are real people too!
    CNN.com
    New york times (free registration required)
    LINUX.com;
    News forge
    K5
    Mandrake forum
    Toms hardware
    The register
    Kde dot news
    The linux kernel Archives

    There are hundreds more, but this is where slashdot STEALS THE MAJORITY OF its "news" from.

    Punish them, here are their emails, spam them, flame them, goatse them!
    Rob Malda
    Jamie Macarthy
    ChrisD
    Hemos

    The other ones apparently don't have an e-mail, probably because ROB MALDA IS PRETENDING HE IS JOHN KATZ.

    Thank you for reading this, please feel free to repost this information, please reply to add your comments, fight slashdot and its CENSORSHIP
    1. Re:Slashdot Sucks by flatulus · · Score: 0, Troll

      Your speech is as free as a bird, but Slashdot's providing of a forum is not. If you don't care for Slashdot's policy, set up your own website or STFU.

  17. Wait a second by CptNoSkill · · Score: 1
    from the secure-your-network-or-someone-else-will dept.

    Are you trying to say I am the only one who has been hacking in to windows systems, applying patches, and beefing up security? I mean, the ends justify the means, right? Just don't be surprised if you leave your system on, leave the room, and come back to discover gentoo running on it....

    1. Re:Wait a second by Anonymous Coward · · Score: 0

      I think he used secure in two different contexts there...

      Secure (1) To make safe.
      Secure (4) To get possession of.

  18. My experience. . . by patrik · · Score: 3, Informative

    I haven't read the aforementioned article, but I will check it out. My experiences may just say the same thing as they say (or maybe not). So sorry if this is repeated.

    WEP is a joke unless you keep rekeying the connection, which depending on how many packets you throw across the connection may or may not be realistically possible. (In many cases I'd guess not.)

    Choosing a secure SSID as someone mentioned won't get you very far if you're running in infrastructure mode since it broadcasts that. And if someone knows you have an AP then they can scan channel by channel until tcpdump picks something up and then you really don't need an SSID.

    IPSec is a widely accessible protocol that gives the ability to encrypt communications and do authentication (in much the same way that ssh does it). IPSec is available on many platforms: Linux, Windows 2k/XP, BSD, (I think Mac OSX does), and most of them support it natively (i.e. no slow userspace daemons to run).

    Using the authentication you can allow only authorized clients to connect, by allowing only IPSec packets through your router and then let IPSec do the rest. IPSec also does rekeying for the encryption so it's much safer than WEP.

    Patrik

    --
    ----------
    Just your ordinary BOFH ;)
    http://killertux.org
    1. Re:My experience. . . by WolfWithoutAClause · · Score: 2
      Actually he's arguing that IPSec is bad because:

      a) it allows people on the same AP (subnet) to communicate and use your bandwidth up, because they only need IPSec to go through the IPSec portal, not communicate with each other.

      b) You have to secure the clients as well

      I argue that a) is irrelevant because black hats can easily set up their own network (ad-hoc network if they want- they don't even need an AP for that), and the wireless bandwidth still gets used up, so this has little or nothing to do with security.

      b) is true however, each machine needs a firewall.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    2. Re:My experience. . . by MeanJeans · · Score: 1

      IPSec is great for auth/encrypt, but if you have a network with 10 or more APs, that is 110Mbs of available bandwidth for wireless clients. The cost of a VPN concentrator that can terminate 100Mbs+ of 3DES IPSec traffic is VERY high. 802.1x will help solve this problem. Cisco's LEAP in conjunction with their RADIUS server, while proprietary, works quite well. You can dynamically re-key WEP every few minutes, and authenticate your users back to AD or NDS or another RADIUS server for that matter.

      --
      =====
      imagetweak.netWeb-based image t
    3. Re:My experience. . . by Anonymous Coward · · Score: 0

      Have you tried to crack WEP before? Despite the fact that it can be done, it is not quite as trivial as you seem to think it is.

      You are correct that there is no such thing as a secure SSID. I put my radio into promiscuous mode and save everything to a file. A simple strings wi.log | less tells me every SSID in the air.

      Allowing IPSec-only traffic through your firewall will stop hacked outbound traffic, but not very many people (slashdotters excluded) are even aware of IPSec, much less able to implement it.

      Doing mac (address, not the product) filtering is not secure either. Once again, I put my radio in promiscuous mode and extract your mac address. I then configure my card to use the same mac address that you were using. Yes, I need to DoS the AP first to get your card to lose its association.

      All in all, a properly configured IPSec network is the only way to use wireless "securely".

  19. Download to PDF! (off topic) by Shanep · · Score: 2

    For subscribers only?

    I like to make PDF's of pages of particular interest for offline reading and archiving should they ever go offline.

    I usually click the printer friendly version if they have one, print it to a file, which gives me a postscript file within Linux, then using a tool that comes with ghostscript (?), "ps2pdf", convert the file. It usually comes out very nice.

    But with Ars, I prefer to just grab the article with wget, since they don't seem to offer a printer friendly version outside of a subscribers only PDF file. Anyone subscribed? Free?

    Course, now I have OS X, I just print preview then save to PDF.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    1. Re:Download to PDF! (off topic) by DebtAngel · · Score: 2

      The subscription is something like $10 per month. In addition to the PDFs, you also get to post in the Lounge and Velvet Room (aka the off topic bandwidth hungry forums) in the OpenForum, and have Subscriptor in your Openforum profile, and some other random perks.

      Oh, I think the PDFs feature vector graphics, so they'll print far nicer than your ps2pdf PDF will.

      I think Ace's Hardware offers something similar, but I can't remember.

      --

      Is this post not nifty? Sluggy Freelance. Worshi

    2. Re:Download to PDF! (off topic) by Anonymous Coward · · Score: 0

      you could also get Adobe Acrobat 5 and just use the "save webpage as PDF" feature. But obviously, if you're on linux, that's not an option

      -Fuzzmaster Flex

    3. Re:Download to PDF! (off topic) by Shanep · · Score: 2

      The subscription is something like $10 per month.

      Bugger that! Thanks for the info.

      Oh, I think the PDFs feature vector graphics, so they'll print far nicer than your ps2pdf PDF will.

      Postscript and PDF both do vector. If the fonts on the page you are printing are vector, you print to postscript, you get vector fonts in the postscript, ps2pdf that and you get vector fonts in the resulting PDF.

      Most of the PDFs I have created within Debian Linux using ps2pdf have shown within Acrobat Reader, at 1600x zoom, to be completely smooth vector fonts.

      Sometimes you might get a font within one of these PDFs that is obviously bitmap; they don't look great on screen, but they do look much better printed than on screen. Good thing is though, the most popular fonts tend to be vector within Debian at least.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    4. Re:Download to PDF! (off topic) by DebtAngel · · Score: 1

      What I meant was the graphics in the article are also vector in the actual PDF. As in the JPEGs. I know this because it was mentioned as the reason the PDF was going to be late.

      --

      Is this post not nifty? Sluggy Freelance. Worshi

  20. default SSID by mattyohe · · Score: 2, Funny

    in my town there are so many (mostly linksys) APs that use the default SSID that I could practically drive around and hit the internet from anywhere. It would be interesting to compromise a machine across the internet while connected to someone else's AP... the deleting of your logs is basically driving home.

    --
    - what is the definition of simultanagnosia?! I've been meaning to look it up!
    1. Re:default SSID by Chanc_Gorkon · · Score: 2

      Another aside: how many clueless admins will not even change the router's/AP's default password (admin on Linksys)?

      --

      Gorkman

  21. To what lengths must we go by Oculus+Habent · · Score: 2

    There will always be people willing to break the encryption no matter what the costs in time, and technology. If you wanted access to my Internet connection through my 802.11 (without physically breaking into my home), you could get it eventually. But I can make it difficult for you, and that is the point.

    Encryption was never to prevent information from being intercepted. It was never to stop data from being read. It was to delay. It comes back to the simple question - how important is the security of your network/data?

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
    1. Re:To what lengths must we go by RadioTV · · Score: 1

      I agree with you completely, and I use a 802.11b network at home. I was just pointing out that restricting by MAC address is fairly easy to get around. That doesn't mean that it isn't worth doing.

      --
      I have great faith in fools - self confidence my friends call it. - Edgar Allan Poe
  22. white paper, black paper, blue paper, halloween paper by Hadlock · · Score: 2

    ok i know the last one was that "infamous" M$ paper, but could someone give me a "color chart" as to define all these different papers that i'm seeing more and more often posted on slashdot?

    --
    moox. for a new generation.
  23. Correct by af_robot · · Score: 1

    But who will want your 10-years old porn collection or DIVX rips?

  24. Re:white paper, black paper, blue paper, halloween pa by lizrd · · Score: 1
    White paper usually refers to a document that is printed in black text on white paper. The idea is to contrast documents that have useful technical information (which are usually printed in boring black text on boring white paper) with the useless documents that you get from marketing (which are all kinds of pretty colors on cool glossy paper).

    The joke here is that ars has published an article that has useful technical information, but their website has a black background with white text. Therefore, this is a black paper.

    --
    I don't want free as in beer. I just want free beer.
  25. Blackpaper? by msheppard · · Score: 2

    Blackpaper? That's a kewl term I haven't heard before. I suppose it's a paper in response to a white paper showing the dark side of a technology?

    M@

    --
    Krispy Cream is people
    1. Re:Blackpaper? by Dr.+Awktagon · · Score: 2

      duh, it's on a black background ;-)

  26. Good implementation more than just security by limako · · Score: 3, Informative

    Security is only one issue that needs to be considered in implementing wireless networking. We identified three key issues in developing a wireless strategy: (1) security that was "good enough", (2) end-user simplicity, and (3) technical staff set-up and management.

    1. For us, security that was "good enough" meant having by-user authentication, putting the access points behind a router, and being vigilant to evidence of inappropriate use. There's not much point in putting bars on the windows when you never lock the door anyway.
    2. For end-user simplicity, we wanted to support a diverse client userbase while minimizing the amount of configuration and additional software required by client machines.
    3. For set-up and management, we wanted to depend on open-source and free software packages that we were already familiar with and not have the administration become a burden.

    We eventually decided to use Nathan Zorn's Authentication Gateway. Wireless connections are blocked at the gateway until users connect via ssh. Clients need to have ssh and know the name of the gateway: everything else gets configured automatically. The system uses iptables, PAM, and ssh and the only administration required is to build accounts. The system might not scale well, but works well for an entity our size (one department).

    I gave a presentation about our conclusions.
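    The ssh-gated forwarding scheme described above, as an added example of the rule logic rather than Nathan Zorn's gateway code. Everything here is an assumption of mine, not from the post: the wireless segment is 10.10.0.0/24 on wlan0, the gateway's wireless address is 10.10.0.1, and a PAM session hook or ssh ForceCommand calls grant() on login and revoke() on logout with sshd's SSH_CLIENT variable in the environment. With dry_run=True the functions return the iptables argv lists instead of executing them.

```python
"""Added example: ssh-authenticated forwarding gate built from iptables rules.
Default policy drops everything forwarded from the wireless interface; the
only thing an unauthenticated client can reach is ssh on the gateway itself
(plus DHCP/DNS so it can find the gateway).  A successful ssh login adds one
ACCEPT rule for that client's source address; logout removes it.
Interface, subnet and gateway address are assumed values for this example."""
import ipaddress
import os
import subprocess

WLAN_IF = "wlan0"                                   # assumed wireless interface
WLAN_NET = ipaddress.ip_network("10.10.0.0/24")     # assumed wireless subnet
GATEWAY_IP = "10.10.0.1"                            # assumed gateway address
CHAIN = "WLAN_AUTH"   # user chain: one ACCEPT per authenticated client


def base_rules():
    """One-time setup: forward only what WLAN_AUTH accepts, drop the rest."""
    return [
        ["iptables", "-N", CHAIN],
        ["iptables", "-A", "FORWARD", "-i", WLAN_IF, "-j", CHAIN],
        ["iptables", "-A", "FORWARD", "-i", WLAN_IF, "-j", "DROP"],
        ["iptables", "-A", "INPUT", "-i", WLAN_IF, "-p", "udp", "--dport", "67", "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT", "-i", WLAN_IF, "-p", "udp", "--dport", "53", "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT", "-i", WLAN_IF, "-d", GATEWAY_IP,
         "-p", "tcp", "--dport", "22", "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT", "-i", WLAN_IF, "-j", "DROP"],
    ]


def client_ip_from_ssh_env(environ=None) -> str:
    """sshd exports SSH_CLIENT as "<client-ip> <client-port> <server-port>".
    Only a wireless-subnet address is accepted, so an ssh login arriving from
    the wired side can never open a forwarding grant by mistake."""
    env = os.environ if environ is None else environ
    parts = env.get("SSH_CLIENT", "").split()
    if len(parts) != 3:
        raise ValueError("SSH_CLIENT not set or malformed")
    ip = ipaddress.ip_address(parts[0])
    if ip not in WLAN_NET:
        raise ValueError(f"{ip} is not on the wireless segment")
    return str(ip)


def is_wireless_client(environ=None) -> bool:
    """True when the ssh session comes from an address the gate may admit."""
    try:
        client_ip_from_ssh_env(environ)
        return True
    except ValueError:
        return False


def grant_rule(ip: str):
    return ["iptables", "-A", CHAIN, "-s", ip, "-j", "ACCEPT"]


def revoke_rule(ip: str):
    return ["iptables", "-D", CHAIN, "-s", ip, "-j", "ACCEPT"]


def _apply(rules, dry_run):
    if not dry_run:
        for rule in rules:
            subprocess.run(rule, check=True)   # needs root on a real gateway
    return rules


def grant(environ=None, dry_run=False):
    """Session-open hook: start forwarding for the authenticated client."""
    return _apply([grant_rule(client_ip_from_ssh_env(environ))], dry_run)


def revoke(environ=None, dry_run=False):
    """Session-close hook: withdraw the client's forwarding grant."""
    return _apply([revoke_rule(client_ip_from_ssh_env(environ))], dry_run)


if __name__ == "__main__":
    sample_env = {"SSH_CLIENT": "10.10.0.42 51234 22"}   # constructed sshd environment
    for rule in base_rules() + grant(sample_env, dry_run=True):
        print(" ".join(rule))
```

    The grant keys on the client's IP address only, which the thread itself points out is forgeable on a shared wireless segment; on a real gateway the ACCEPT rule would also be pinned to the client's hardware address with iptables' `-m mac --mac-source` match, and the session hook should remove the rule on disconnect so a grant never outlives the login.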

    1. Re:Good implementation more than just security by scseth · · Score: 1
      There is a new product group being created called "Access Controllers" (article on 802.11 Planet). Another company making a similar product for multiple organizations to exist on a common wireless infrastructure is Roving Planet.

      These companies use central servers with satellite net appliances behind the access point to control user access and in some cases bandwidth provisioning for user groups. Roving Planet also has bandwidth provisioning for specific applications.

  27. How about PPPoE over 802.11b? by gfecyk · · Score: 1

    There was a mention of using a VPN scheme to secure your wireless LAN, which would be fine to protect your own data but still allows 'visitors' to piggyback their own networks on top of yours. This still allows the 'visitor' to take an IP address from your DHCP server and talk to the other machines.

    This thought might not solve the piggyback problem but it might go a step further in securing your data. Use a PPPoE server (such as a Win2K box running RASPPPoE) to hand out network addresses and require all your clients to connect using some form of PPPoE (again, such as RASPPPoE) which can be reasonably protected using MD5 CHAP for passwords and encrypted packets.

    The only thing exposed then are MAC addresses, so 'visitors' could still piggyback their own network on top of yours, but they're not taking up IP addresses or able to see *anything* on your network except other MAC addresses.

    And if you wanted to be really smart you could have a probe program (too bad one doesn't exist yet) that could compare a MAC address to a matching PPPoE connection, say every ten minutes. If a MAC address doesn't have a corresponding PPPoE connection, it's blacklisted for a while and the port is freed for a legitimate client.

    --
    Use Evolution instead of Outlook? Bewa
  28. Not bad, albeit a bit confused about RC4 by mkettler · · Score: 3, Informative

    The only major objection I have is that Ars is presenting some WEP problems as being RC4 problems ie: that RC4 is broken and cannot be secure if implemented properly. "The main problem with WEP is that the RC4 stream cipher used to encrypt the data has been proven insecure." I'd change that to read ".. has been proven insecure if research notes regarding these problems are ignored."

    They claim the RC4 algorithm itself is broken, which it is to some degree, but there's lots of information on how to avoid these problems that was available prior to the design of WEP. I also dislike their implication that RC4 inherently uses a 24-bit IV; that was an IEEE decision, and RC4 can use an IV that's as large as you want.

    RC4 is reasonably secure when implemented correctly, but IEEE ignored the very well known and clearly stated fact that when using RC4, keys must not be re-used for the same data. And that's not surprising, block ciphers are greatly weakened by such things too, which is why anyone in their right mind uses a decent sized IV. RC4 is weaker to key reuse than block ciphers because of its design, but that was a well known fact prior to the design of WEP.

    Weak keys are a genuine weakness in RC4. However, they too are well documented and can be easily detected and skipped prior to use. The fact that WEP uses a 24-bit IV makes it particularly easy to create a table of IVs that are weak, making this problem significantly worse. A great paper on RC4's weak keys, and how to avoid the problem, was posted to sci.crypt in 1995:

    http://marcel.wanda.ch/Archive/WeakKeys.txt

    So all the weaknesses in WEP that stem from the use of RC4 as an encryption algorithm were well documented, and methods of avoiding the resulting weaknesses were well known, but the IEEE chose not to heed them. They were trying to make something "secure enough" and traded off things like using a short IV without consulting the cryptographic community about the implications.

    Hindsight is 20-20, but I can't exactly call these RC4 flaws. I mean, if you had a power tool and you ignored the warnings printed in the manual, would you blame the tool when it fails?

    Using a short IV is clearly an implementation flaw, the fault of WEP not RC4. IEEE wanted to save a few bytes of overhead and purposefully chose a short IV. The weak keys are a flaw in RC4, but just generating a few bytes and discarding prior to using the key helps reduce the scope of this attack dramatically. Even better is to detect and avoid the use of the weak keys in the first place, or do both. Since this was widely known when WEP was designed, I consider it to be an implementation flaw in WEP as well, albeit one that stems from a weakness in RC4.

    --
    -Matt
  29. In other news... by antirename · · Score: 2, Funny

    In other news, a consortium of large companies has announced that they have developed a building material that spray paint cannot adhere to. This should help companies that can not or will not secure their networks protect themselves from the insidious threats of wardriving and warpainting. More news at 11.

    1. Re:In other news... by Anonymous Coward · · Score: 0

      What about chalk?

  30. VPN Issues by armagideon · · Score: 1

    The article seems very intent on proving that every possibility is flawed. However I wonder about their VPN reasoning. They exude that using VPNs you can still let "crackers" talk and communicate using your WAP. But why would anyone go to the trouble of hacking into a WAP, just to essentially use ad-hoc mode on their wireless cards?

    Bueller?
    Bueller?

  31. Let's count the inaccuracies by kevin42 · · Score: 3, Informative

    1. Authentication comes before association, not the other way around as the article mentioned. Authentication was not added in 802.11b; it was there in the original 802.11 spec.
    2. Decryption takes no longer with 128-bit wep than it does with 64-bit wep. This depends on the actual RC4 implementation, but anyone who implemented RC4 in a way that it takes twice as long to crypt a 128-bit string than it does to do 64 bits doesn't know what they are doing. Most implementations use a lookup table that makes encryption take the same amount of time regardless of key length. I'm no encryption expert, but I believe that all symmetric algorithms share this attribute. It certainly won't "drastically shrink usable bandwidth" unless you have a very lame access point or 802.11 card. I don't believe any implementation will reduce the bandwidth at all by using 128-bit encryption.
    3. Turning off beacon frames breaks some important 802.11 features, such as power management support. What most vendors do is not disable sending beacons, but they lie about the ssid (or leave it blank) in the beacons, and only respond to probe requests if the client requests the correct ssid in the probe.
    4. Turning off or hiding the ssid gives you no security whatsoever. All it does is keep the casual person from seeing your network. Any form of WEP will work better than that, because the casual user won't be able to exchange data packets on your network. The professional cracker will not be slowed down at all by hiding the ssid; all it takes is a sniffer to listen for a probe request/response which contains the actual ssid. Anyone who thinks they are securing their network in this way is deluding themselves.
    5. I won't repeat the comments previously made about the author's incorrect understanding of how RC4 works, and why it is exploitable in this implementation.

    After I finish reading the parts on 802.1x maybe I'll add to this list. :)
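    Points 3 and 4 above, worked through on constructed frames, as an added example that is not part of the thread or of Ars' article. It parses 802.11 management frames and shows that an AP that "hides" its SSID still beacons, just with a zero-length SSID element, while the name is carried in the clear in the probe request/response exchange. The MAC addresses, the SSID "corp-wlan" and the frames themselves are made up for this example; a real capture would first need its radiotap header stripped before the 24-byte MAC header.

```python
"""Added example: SSID extraction from 802.11 beacon / probe frames.
Frame layout: 24-byte MAC header (frame control, duration, addr1=dst,
addr2=src, addr3=bssid, sequence), then for beacons and probe responses a
12-byte fixed part (timestamp, beacon interval, capabilities), then tagged
Information Elements of the form <id><len><data>.  SSID is element id 0.
All sample frames below are constructed for this example."""
import struct

# Management frame (type 0) subtypes, carried in the high nibble of FC byte 0
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
IE_SSID = 0


def build_mgmt_frame(subtype: int, src: bytes, dst: bytes, bssid: bytes, body: bytes) -> bytes:
    """Assemble a management frame: protocol 0, type 0, given subtype."""
    fc = bytes([subtype << 4, 0x00])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def ssid_ie(ssid: bytes) -> bytes:
    return bytes([IE_SSID, len(ssid)]) + ssid


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, src_mac_hex, ssid) for a beacon, probe request or
    probe response, else None.  ssid is b"" when the element is present but
    empty (a "hidden" network) and None when no SSID element was found."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in (SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON):
        return None
    src = frame[10:16].hex()
    body = frame[24:]
    if subtype != SUBTYPE_PROBE_REQ:
        body = body[12:]                     # skip timestamp, interval, capability
    ssid = None
    pos = 0
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        if pos + 2 + ie_len > len(body):
            break                            # truncated element: stop, never over-read
        if ie_id == IE_SSID:
            ssid = body[pos + 2:pos + 2 + ie_len]
            break
        pos += 2 + ie_len
    return subtype, src, ssid


def hidden_ssids_revealed(frames):
    """Map each AP that beacons an empty SSID to the name it discloses in a
    probe response: exactly what a passive listener learns with no WEP key."""
    parsed = [p for p in map(parse_mgmt_frame, frames) if p is not None]
    hidden = {src for subtype, src, ssid in parsed
              if subtype == SUBTYPE_BEACON and ssid == b""}
    return {src: ssid.decode("utf-8", "replace")
            for subtype, src, ssid in parsed
            if subtype == SUBTYPE_PROBE_RESP and src in hidden and ssid}


# Constructed sample capture (addresses and SSID are made up):
# hidden-SSID beacon, a client probing by name, the AP answering, one data frame.
AP = bytes.fromhex("0011223344aa")
STA = bytes.fromhex("00aabbccddee")
BCAST = b"\xff" * 6
FIXED = bytes(8) + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, capability
SUPPORTED_RATES = bytes([1, 1, 0x82])                 # IE 1: one basic rate, 1 Mbps
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, AP, BCAST, AP, FIXED + ssid_ie(b"") + SUPPORTED_RATES),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, STA, BCAST, BCAST, ssid_ie(b"corp-wlan") + SUPPORTED_RATES),
    build_mgmt_frame(SUBTYPE_PROBE_RESP, AP, STA, AP, FIXED + ssid_ie(b"corp-wlan") + SUPPORTED_RATES),
    b"\x08\x00" + bytes(30),                          # data frame: ignored by the parser
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_mgmt_frame(f))
    print(hidden_ssids_revealed(SAMPLE_FRAMES))       # {'0011223344aa': 'corp-wlan'}
```

    The same parser is the basis of the detection the thread implies but nobody states: a monitoring station that sees probe responses naming an SSID its own beacons leave blank knows the "hidden" setting is buying nothing, and can alert on it.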

    1. Re:Let's count the inaccuracies by karlm · · Score: 2
      2. Decryption takes no longer with 128 bit wep than it does with 64bit wep. This depends on the actual RC4 implementation...

      In fact, the way RC4 works, the key and IV are concatenated and repeated over and over to create a 256-byte (2048-bit) key. The way I usually code up RC4 (I've done it a few times before I memorized RC5... now to memorize AES.) is that I don't expand the key, just loop over it, so a longer key means fewer conditional branches and actually faster rekeying. Encryption speed should be identical. The key only sets the initial state (the permutation of 0..255), which evolves during encryption/decryption. Unless the programmer is completely retarded, the actual encryption and decryption speeds for RC4 should be completely independent of key size. (Yes, a keystream lookup table for short keys is completely retarded.)

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  32. Two problems with VPNs by Anonymous Coward · · Score: 0
    If you gain access to a wireless network that requires a VPN, you gain two things:

    • Access to other attackers in your group over the wireless.
    • Access to legitimate clients.
    As you point out, the former isn't really a super big deal. The latter, however, means that the attacker can probe legitimate clients on the same WLAN, find a weakness in one, and gain access to that box. Once an attacker has access to a legit client, I'm sure you can see the way forward.
  33. Watch the terminology by GigsVT · · Score: 2, Interesting

    When you say something like 802.1X and you mean all wireless, you are showing ignorance.

    802.1 encompasses a large number of wired standards in addition to wireless.

    Or maybe the poster meant the actual standard named 802.1x? Port Based Network Access Control? I thought that was used for tying switch ports to certain MAC addresses.

    I propose if you mean to say "all the 802.11 standards" you say 802.11*, since IEEE uses letters such as "x" to denote certain standards, not as a wildcard.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
    1. Re:Watch the terminology by lowtekneq · · Score: 1

      But wouldn't they use a lowercase x? 802.11a, b, g etc., and not A, B, G. But I could be wrong.

      --
      Carpe meam simiam!
    2. Re:Watch the terminology by flatulus · · Score: 2, Insightful

      You are correct that 802.1X is the "Port Based Network Access Control" standard. That standard has hooks to permit it to be used in 802.11 networks as well as in switches.

      802.1X is becoming widely adopted as a security adjunct to 802.11 WLAN infrastructures. In fact, the 802.11 Task Group "i" is developing its enhanced security additions to 802.11 on the basis of 802.1X. With "i", 802.11 and 802.1X become joined at the hip.

      While your criticism is somewhat accurate, the use of 802.1X in the title is actually quite relevant to the discussion of evolving 802.11 security.

  34. Clients are the weak point, not IPSEC by Jacco de Leeuw · · Score: 2
    I agree with you completely.

    The whole article is a bit silly, pushing relatively unproven standards (EAP) which have been extended (LEAP) and extended (PEAP) over VPN standards with a good track record (IPSEC).

    The client is always the weakest link, for both VPN and wireless access. Basically, the author's argument boils down to saying that most IPSEC clients do not block access from other clients while they are connected (split tunneling), whereas the [LP]EAP clients do.

    It's a matter of configuration. There is no way one can claim that one client is more secure than the other. Clients are always unsafe, and if not, their user is :-). I'm sure a determined recalcitrant end user can always hack his [LP]EAP client to enable split tunneling, or other unsafe settings.

    The only way to fix this (for both VPN and wireless) is to supply the user with trusted hardware. But that would mean a lot of money and a revolt of end users because their PCs will be taken away...

    By the way, here's an article by Microsoft on this matter. It basically says that Microsoft will solve all your problems if only you would buy into the latest Microsoft offerings.

    If you would rather use a solution based on open standards, try Wavesec. It is mostly based on IPSEC, DHCP and DDNS.

    --
    -------
    Warning: Slashdot may contain traces of nuts.
  35. Re:wep is a stupid idea (known plaintext) by Beryllium Sphere(tm) · · Score: 2

    chops and chekhov are right, and the (currently +4!) comment they're replying to is wrong.

    All the block ciphers in PGP, like IDEA, CAST and so on have (so far) survived cryptanalysis based on known plaintext attacks. In fact, a cipher is considered "cracked" in the academic sense if the key can be retrieved with *chosen* plaintext in less time than by searching all possible keys.

  36. Incorrect conclusion about Shared Secret auth by Dr. Ion · · Score: 2

    The "black paper" makes this conclusion about shared-secret authentication as part of association:

    "By passively listening to the conversation, an attacker can obtain two of the three variables in the authentication equation; the clear text challenge string and what the challenge string looks like after it has been encrypted. By plugging these values into the RC4 equations, the attacker can easily solve for the shared authentication key. "

    Actually, this is not what their referenced whitepaper describes at all. By observing the authentication sequence, an attacker can forge an authentication by responding correctly to the challenge without knowing the WEP key. This is made possible by the amateur 802.11b authentication scheme, not because RC4 is easily 'solved'.

    So, while the shared secret authentication does not hinder a determined attack, it is incorrect to say that it weakens security at all. In the case of unenthusiastic stumblers, it may hinder casual associations with your AP.

    To recommend an "open authentication" scheme for improved security seems like bad advice.
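
The following is an added worked example, not code from the Ars article or from any poster in this thread. It illustrates two of the points made above in one runnable model: karlm's point (comment 31 reply) that RC4's key schedule simply cycles the key bytes, so the work to encrypt a frame is the same for a 5-byte "64-bit" WEP key and a 13-byte "128-bit" key (24-bit IV plus 40 or 104 key bits); and Dr. Ion's point (comment 36) that an eavesdropper on shared-key authentication recovers the RC4 keystream for the observed IV, not the key, and can reuse that keystream to answer a fresh challenge. Names such as `AccessPoint`, `wep_encrypt`, `recover_keystream` and `forge_response` are illustrative; the model omits the key-index byte that follows the IV on the air and uses the standard CRC-32 as the ICV. The challenges are generated locally, so the script runs offline.

```python
"""RC4, WEP framing and the 802.11 shared-key authentication forgery.
Added illustration; AccessPoint/wep_* names are assumptions, not real APIs."""
import os
import struct
import zlib

def rc4_ksa(key):
    """KSA: returns (initial permutation, swap count). The count is always 256:
    the key is cycled with key[i % len(key)], so key length never matters."""
    S = list(range(256))
    j = steps = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
        steps += 1
    return S, steps

def rc4_keystream(key, n):
    """PRGA: n keystream bytes, one swap per byte. Returns (keystream, steps)."""
    S, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out), n

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_crypt(key, data):
    return xor(data, rc4_keystream(key, len(data))[0])

def icv(payload):
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encrypt(iv, key, payload):
    """Frame body = IV || RC4(IV || key) XOR (payload || ICV)."""
    return iv + rc4_crypt(iv + key, payload + icv(payload))

def wep_decrypt(frame, key):
    """Return the payload, or None if the ICV does not check."""
    iv, body = frame[:3], frame[3:]
    plain = rc4_crypt(iv + key, body)
    payload = plain[:-4]
    return payload if icv(payload) == plain[-4:] else None

def wep_work(key, payload_len):
    """(KSA steps, PRGA steps) for one frame of payload_len bytes.
    A 5-byte and a 13-byte key give identical numbers."""
    iv = b"\x00\x00\x00"
    _, ksa_steps = rc4_ksa(iv + key)
    _, prga_steps = rc4_keystream(iv + key, payload_len + 4)
    return ksa_steps, prga_steps

class AccessPoint:
    """Minimal model of 802.11 shared-key authentication (illustrative)."""
    def __init__(self, key):
        self.key = key
        self.pending = {}

    def challenge(self, sta):
        self.pending[sta] = os.urandom(128)   # 128-byte challenge text
        return self.pending[sta]

    def verify(self, sta, response_frame):
        return wep_decrypt(response_frame, self.key) == self.pending.pop(sta)

def recover_keystream(challenge, response_frame):
    """Eavesdropper: known plaintext (challenge || ICV) XOR ciphertext yields
    the keystream for that IV. The key itself is not solved for."""
    iv, body = response_frame[:3], response_frame[3:]
    return iv, xor(challenge + icv(challenge), body)

def forge_response(iv, keystream, new_challenge):
    """Answer a fresh challenge by reusing the sniffed IV and keystream."""
    return iv + xor(new_challenge + icv(new_challenge), keystream)

def shared_key_auth_forgery(key=b"\x01\x02\x03\x04\x05"):
    """True if a station that never learned `key` is authenticated."""
    ap = AccessPoint(key)
    c1 = ap.challenge("legit")                      # sniffed off the air
    r1 = wep_encrypt(b"\x0a\x0b\x0c", key, c1)       # sniffed off the air
    assert ap.verify("legit", r1)
    iv, ks = recover_keystream(c1, r1)
    c2 = ap.challenge("attacker")
    return ap.verify("attacker", forge_response(iv, ks, c2))
```

`wep_work(b"\x01" * 5, 128)` and `wep_work(b"\x01" * 13, 128)` both return `(256, 132)`: the KSA performs 256 swaps for any key and the PRGA one swap per byte of payload plus ICV, which is the point karlm makes about key size and speed. `shared_key_auth_forgery()` returns True: the attacker holds only 132 bytes of keystream bound to one IV, which is exactly what is needed to answer one more challenge, and nothing more, matching Dr. Ion's reading of the referenced whitepaper.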

  37. "Blackpapers" considered harmful by Ross Finlayson · · Score: 1

    Apparently "blackpaper" means "white text on a black background".

    Please - this is one fad from the '90s that deserves to die, quickly.

  38. A poor man's LEAP? What do you think? by kcurrie · · Score: 1

    I've been thinking of hacking together a somewhat simple system that would randomly generate WEP keys, use tcl/expect/perl-expect whatever to control lynx-ssl to connect to my AP, set up a new WEP key on the AP (it can have multiple keys), then ssh to my laptops and change the wep keys on them.
    One could easily write small scripts for whatever AP or system you wanted to reconfig, assuming you can do 'em from a command line.

    Comments?

    --
    -- I speak only for myself.