Slashdot Mirror


Replacing WEP with IPsec on OpenBSD, Windows XP

BSD Forums writes "WEP has been proven insecure and is thus inadequate for protecting a wireless network from eavesdropping or abuse. IPsec can be used as a replacement to WEP in the following scenarios. Joshua Stein has implemented IPsec on OpenBSD with manual keying between a router and a client as a replacement. Also, Thomas Walpuski describes in detail the configuration of an IPsec Host-to-Host connection between OpenBSD and Windows XP Professional with Authentication via X.509v3 Certificates."

47 comments

  1. Does it matter all that much? by zbowling · · Score: 0, Flamebait

    I use WEP, and it seems to me that using something is better than using nothing. Really does it really matter how secure someone's wireless connection is for most home applications? I could see if you had a nosey neighbor who would sit around and log everything back and forth and maybe pull out a credit card number or two, but I really don't see this as a big problem and if it becomes one then I can see changing in the future.

    --
    No.
    1. Re:Does it matter all that much? by eht · · Score: 1

      Most home applications don't really need much more than WEP if even that much, but some corporations are setting up WAP and WEP is pretty worthless there if you want to provide access to the internal network since that's where all the nice files reside.

    2. Re:Does it matter all that much? by darthtuttle · · Score: 5, Interesting

      Yes, it does matter.

      Not only can it affect what someone can "hear" when they listen to your wireless, it's access control. If I'm a terrorist and I want to post something to the internet for my friends somewhere else to get, I'm going to find an open wireless access point, since that's easiest, but lacking one of those, I can just listen for any, and once I've found one using WEP only for security I can crack it and use it.

      What's your point? The point is, if the "evildoers" use your wireless access point to transmit information guess whose house the Department of Homeland Security shows up at. Even if they don't haul you off to jail, having them show up at your house is not fun.

      There is a misconception that because you're not a large company or other visible target that you're not going to be targeted. The problem is that people don't have to target you to abuse your network. They simply look for any network easy to abuse, and there's enough people looking to abuse networks that someone will stumble on to yours given enough time and a pringles can.

      This is the same as companies I've been to who feel they aren't an "eBusiness company" and their access to the Internet is not public (there's no public website) so they aren't going to get hacked. They got hacked.

      --
      Darthtuttle
      Thought Architect
    3. Re:Does it matter all that much? by Anonymous Coward · · Score: 0

      Yes it fucking matters! First off, I didn't see anything about home users in the article; they're talking about how to secure wireless networks for any use. But, that's beside the point. Even if it's just you on your wireless network, and even if you live in a rural area, you should still care about security. "I really don't see this as a big problem and if it becomes one then I can see changing in the future." How will you know when it's a problem? What if it's not even something as important as credit cards, but just your neighbor watching the URLs you visit and the instant messages you send?

      What's that you say? You've got an MCSE? Fuck, you were just trolling me, weren't you. You bastard! I should have realized, nobody is that stupid. Are you?

    4. Re:Does it matter all that much? by Anonymous Coward · · Score: 0
      The End of FreeBSD

      [ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]

      When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.

      Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.

      FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.

      It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.

      So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.

      Discussion

      I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.

      From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.

      There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.

      Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.

      Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?

      Shouts

      To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.

      To the bulk of the FreeBSD committerbase and the developer community at large - keep your eyes on the real go

    5. Re:Does it matter all that much? by Anonymous Coward · · Score: 0
      So why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?

      The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.

    6. Re:Does it matter all that much? by bodgit · · Score: 1

      A false sense of security is better than no security at all. Discuss.

  2. Forget WEP, go to WPA by jrpascucci · · Score: 5, Interesting

    WPA, which stands for 'Wi-Fi Protected Access', is the replacement for WEP. It does a prima facie good job making up for WEP's flaws. Several companies have firmware updates and drivers to enable WPA. More are coming.

    If you want strong protection, use it in combination with 802.1x authentication with a TLS (and accept the infrastructure problem), PEAP (and choose between the incompatible v1 or v2 versions of it, and I personally can never remember which it is MS supports), or TTLS.

    For even stronger protection, turn on 'session resumption' on your .1X client (if you can), and return a Session-Timeout of a few minutes. You'll effectively completely rekey (start from new material, in addition to the rekeying WPA provides).

  3. Links links links by coyote4til7 · · Score: 5, Informative

    Slashdot had a long discussion on WiFi security late last year (Replacing WEP for Wireless Security). ComputerBits has a relatively short overview (Wireless Hot Spot Security) for those who prefer something more organized. Then there's the Unofficial 802.11 Security Page, the website of the WiFi Alliance (the industry group for 802.11) and a nifty google search on WiFi Security.

    --

    the clock on the wall says 4 til 7
    1. Re:Links links links by Anonymous Coward · · Score: 0
      Fact: *BSD is dead
  4. No it doesn't by democritus · · Score: 2, Insightful

    And even with your scenario of a nosy neighbor, I hope you're using an SSL/HTTPS website, so your credit card number is secured through that interface.

    Encrypting the physical layer is just silly. If you want your packets to stay private, use the appropriate encryption on proper level.

    1. Re:No it doesn't by Senjutsu · · Score: 1

      And even with your scenario of a nosy neighbor, I hope you're using an SSL/HTTPS website, so your credit card number is secured through that interface. Encrypting the physical layer is just silly. If you want your packets to stay private, use the appropriate encryption on proper level.

      Leaving anyone with a pringles can and a bit of know-how able to use your internet connection to post child porn, contact terrorist cells, or hack into a corporate server. Smart!

    2. Re:No it doesn't by democritus · · Score: 1

      Yeah, because MAC address locking is all that difficult. Hell, most 802.11 access points turn it on by default.

    3. Re:No it doesn't by Senjutsu · · Score: 1

      Yeah, because MAC address locking is all that difficult. Hell, most 802.11 access points turn it on by default.

      Spoofing a MAC address is as easy as changing the value of a registry entry in Windows. All you'd need to do is sniff a MAC address off the network with the aforementioned pringles can. An unsecured physical layer is rife with possibilities for exploitation.

    5. Re:No it doesn't by Anonymous Coward · · Score: 0

      you're a moron..

  5. W2K? by iamr00t · · Score: 2, Interesting

    This is a very good paper, assuming it works.
    Also, it looks like W2K has all same functionality (besides security monitor, which I assume is just that - monitor). Can it be used for that?

    Also, what about denying non-ipsec protocol over the server interface that is connected to access point?

    1. Re:W2K? by commodoresloat · · Score: 1

      Look, W2K is not going to be a problem. There might be some computers that have problems with the changeover, but most things will function normally. There are Cobol coders working overtime to make sure we transition to W2K smoothly. But just in case I got some guns and a fallout shelter....

    2. Re:W2K? by Anonymous Coward · · Score: 0
      Hey fella, chew on this:
      *BSD is dead
  6. Good WPA article here by gad_zuki! · · Score: 4, Interesting

    Short but decent read without getting too technical.

    http://www.nwfusion.com/research/2003/0331wpa.html?page=1

  7. Cool, but does Airport/OS X support this? by psxndc · · Score: 3, Interesting
    I use an OpenBSD firewall/gateway as my wireless access point and my iBook as the client. Does anyone know how I'd do this under OS X? The last time I looked, the built-in IPSec implementation was not really user accessible.

    psxndc

    --

    The emacs religion: to be saved, control excess.

    1. Re:Cool, but does Airport/OS X support this? by MrChuck · · Score: 4, Informative
      Does Apple Airport support [IPSEC]?
      No, but the machine past your Airport does.

      Run WEPless and use IPSec to the house server.

      VaporSec is a pretty GUI to set up racoon and IPSec on your OS X box. (see also netbsd ipsec docs; be neat if apple's userland utilities would keep up with BSDs post 2000 - FreeBSD 4.x and 5.x userlands are far more advanced).

      If WEP is good enough then just turn it off. The WEP emperor is naked. Hell, just print out your squid logs and put them up on your door and your website. Unless you're spinning new keys every couple thousand packets, you're easy to watch. It's not even hard to break - mom can bring up a stumbler program and just leave it on for a couple hours.

    2. Re:Cool, but does Airport/OS X support this? by psxndc · · Score: 3, Informative
      No, but the machine past your Airport does

      Sorry I wasn't clear enough. My setup is more like this:

      Internet -- OpenBSD firewall -- OpenBSD WAP/Firewall -- iBook w/ Airport card.

      I don't have an airport base station, only the airport card. I'll look into VaporSec though. Thanks.

      If WEP is good enough then just turn it off

      I completely disagree with this statement. Yes, WEP is very weak, but if there are 5 WEP networks in the area and 25 networks with no WEP, guess which ones I'm going to try and connect to. If someone wants to break in, sure they can. But having WEP will discourage the casual intruder since there are so many other non-WEPed networks out there. WEP is good enough until you can set up IPSEC. Once that's up, sure, turn off WEP.

      psxndc

      --

      The emacs religion: to be saved, control excess.

    5. Re:Cool, but does Airport/OS X support this? by Anonymous Coward · · Score: 0

      One, for fun I find WEP protected networks and crack the nut. I have another machine I use to go in and actually make use of the open access points. Scary statistic, in Cincinnati, Ohio the average Wardrive reveals that in residential and business areas, I find more residential areas with any sort of security than I find in the business areas. Great way to make a few Key people turn white as a sheep, go to lunch up on the hill power up the laptop with a small antenna, and start browsing over their, "secure network". Great way to get a very expensive lunch for free, while properly scaring the VP's.

    6. Re:Cool, but does Airport/OS X support this? by Anonymous Coward · · Score: 0

      If someone wants to break in, sure they can. But having WEP will discourage the casual intruder since there are so many other non-WEPed networks out there.

      So you're afraid of the "casual intruder", but not the uberhacker? That makes no sense, brotha. The uberhacker is the one that will find uncommon remote exploits that the "casual intruder" didn't read on bugtraq.

      I personally don't give a flying packet about "casual intruders" as I would assume these types of hackers would attempt to exploit known exploits. And if you don't update your software when a security announcement comes out, you're screwed anyway.

  8. PPTP by Anonymous Coward · · Score: 0

    PPTP (Point-To-Point Tunnelling Protocol) works quite well too between a *BSD box and windows, and is a LOT easier to set up compared to IPSEC.

    1. Re:PPTP by DrCarbonite · · Score: 5, Informative

      PPTP is not very secure. For more information: http://www.counterpane.com/pptpv2-paper.html and http://www.counterpane.com/pptp-paper.html If you are taking the trouble to replace WEP, you might as well replace it with a good solution. That being said, the worst mistake would be to deploy a "fix" incorrectly... ie: an improperly configured IPSec box is far worse than a correctly configured PPTP.

  9. If I SSH to everything, do I still need IPsec? by linuxbaby · · Score: 1

    When using my wireless laptop, I use SSH2 tunnels for all of my email and intranet work.

    So - pretty much anything that I wouldn't want sniffed is going through SSH2 anyway.

    Do I still need wep or ipsec? Is it more to protect the host (firewall+WAP), client (my laptop), or the stuff exchanged in between?

    1. Re:If I SSH to everything, do I still need IPsec? by benk0027 · · Score: 3, Insightful

      IPSec or WEP doesn't just keep your traffic secure. It also helps ensure who can connect to your access point. So, probably, because it will help keep people from stealing bandwidth from you or finding unencrypted stuff you didn't want them seeing. It's basically to encrypt all traffic to and from the WAP - clients.

  10. False sense of security by adamsc · · Score: 2, Informative

    There's only one way to be secure and that's to use strong, end-to-end encryption. Anything which encrypts only the wireless portion is borderline snake-oil - not only does it not protect your data but it actually makes the problem worse since people see all of the cryptogeekery and assume that it's secure - after all, they didn't understand any of what they had to do to use it! All of this hassle merely gets you an insecure network which is now hard to use, less reliable and slower.

    I've taken the opposite approach - my access points are wide-open (=easy to use) because all that gets you is access behind a firewall which allows HTTP to a squid proxy, SSH, HTTPS/IMAPS/POP3S/SMTPS, IM and DNS. (When IPSec is more widely available I plan to replace this with something which blocks almost all non-IPSec traffic. I'd be less surprised to find everything running over SSL a decade or more before near universal IPSec deployment)

    This approach encourages better practices because it makes people aware that they're doing something risky - many people have no idea that anyone along the way could capture their password during one of the 5,000 times their email client sends it in cleartext during a given week. One of these days I'd like to hack together a script with ettercap's password collector which would periodically send someone's password to them in a warning and set the expired password flag on their account.
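The firewall policy described in the comment above (open access point, with only HTTP-via-proxy, encrypted mail and shell protocols, IM and DNS allowed out) could be written for OpenBSD's pf roughly as follows. This is an added example, not the commenter's configuration; the interface name, proxy address and IM ports are assumptions.

```pf
# Constructed example: interface, addresses and IM ports are assumptions.
wifi_if    = "ath0"                        # assumed wireless-facing interface
squid      = "192.0.2.10"                  # assumed proxy host (documentation address)
squid_port = "3128"                        # squid's default listening port
secure_tcp = "{ 22, 443, 993, 995, 465 }"  # SSH, HTTPS, IMAPS, POP3S, SMTPS
im_tcp     = "{ 5190, 5222 }"              # assumed IM services (AIM/ICQ, XMPP)

set skip on lo

# Default deny, logged so rejected cleartext attempts are visible on pflog0.
block log all

# Packets leaving the firewall are allowed; replies are matched by state.
pass out

# Wireless clients may reach plain HTTP only through the proxy.
pass in on $wifi_if inet proto tcp from $wifi_if:network \
    to $squid port $squid_port

# Encrypted protocols and IM to any destination.
pass in on $wifi_if inet proto tcp from $wifi_if:network \
    to any port $secure_tcp
pass in on $wifi_if inet proto tcp from $wifi_if:network \
    to any port $im_tcp

# Name resolution.
pass in on $wifi_if inet proto { tcp, udp } from $wifi_if:network \
    to any port 53
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors before the rules go live.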

  11. I'm doing this with cipe by Anonymous Coward · · Score: 0

    I found cipe much easier to configure and set up. See the Linux and Win32 sites for more information.

  12. Developer despairs: What Killed FreeBSD by Anonymous Coward · · Score: 1, Interesting

    The End of FreeBSD

    [ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]

    When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.

    Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.

    FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.

    It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.

    So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.

    Discussion

    I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.

    From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.

    There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.

    Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.

    Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?

    Shouts

    To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.

    To the bulk of the FreeBSD committerbase and the developer community at large - keep your eyes on the real goals. I

  13. What about WKA by Anonymous Coward · · Score: 0

    What about APs that support Weak Key Avoidance? They seem to resist many of the cracking attacks.