Slashdot Mirror
Study: Wi-Fi users Still Don't Encrypt
Shackleford writes "SecurityFocus has an article saying that two days of electronic eavesdropping at the 802.11 Planet Expo in Boston last week sniffed out more evidence that most Wi-Fi users still aren't securing their networks. Security vendor AirDefense set up two of its commercial 'AirDefense Guard' sensors at opposite corners of the exhibit hall at the Boston World Trade Center, the site of the conference, and for two days analyzed the traffic flowing between conference-goers and 141 unencrypted access points set up by the conference for public use, and by vendors on the floor.
What they found was that users checking their e-mail through unencrypted POP connections vastly outnumbered those using a VPN or another encrypted tunnel. Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day."
Yes, this doesn't surprise me at all. 68 WAP's in my community - none broadcasting WEP.
First post through my neighbor's compromised WAP gateway. Off to view some porn now. :-)
But with some patience and airsnort even "secured" (ie. encrypted) access points can be used without permission. And MAC address filtering is a joke since I can easily change the what MAC address my airport card uses under linux.
Maybe it's time for a new, and effective standard.
A similar survey would be to test how many POP3 servers out there support SSL. I suspect that it's on the low side of 3%. POP3 with SSL is a trivial, easy alteration that many POP3 clients support, instantly securing the network without layering on a secondary encryption layer (VPN/PPTP/IPSec) when all you want is to check you email, which is what probably 99% of the users do at trade shows like this.
9% of attendees learned something from the expo. :)
There is some good basic WLAN security info on AirDefense's knowledge center section of their website...
Something clever...
This only verifies the importance of application level encryption. Every socket communication should be encrypted so that security doesn't rely on the network connection itself.
Suprasphere encrypts all socket communication using a dynamically generated Diffie-Hellman key exchange. This is much better than SSL because it does not require using a CA so you can set it all up without any administrative overhead.
Furthermore, all authentication uses a zero-knowledge proof so that a password is never sent over the wire. Even though the traffic is all encrypted anyway, this adds another level of security so that a compromised passphrase at one sphere will not allow authentication at any other. You can store a profile at different places that can only give you access if you can prove beyond a statistically reasonable doubt that you are who you say you are.
With all the media hype about wireless, a growing number of people are simply buying an access point and a couple of NICs, flicking through the manual, and then running default configurations, because the average user probably isn't aware that what they are doing *is* insecure, and has never heard of WEP. No doubt this (and newer ideas such as 802.11x) will be in the 'advanced' section at the back of the manual with bluntly technical instructions filled with acronyms and concepts that a non-IT savvy person would simply skip over.
Once it 'works', the majority set-it-and-forget-it - no different to the populous of home users running xDSL without a firewall, or those who never patch their boxes. A quick drive round your local residential area with a copy of Kismet proves this point for anyone with any doubt =)
On the flipside of the coin, in the corporate world, sales reps, engineers, and other 'road warriors' should really be given this advice from their support teams, and have their machines configured appropriately in advance by someone knowledgeable - they really can't be held responsible for the lack of action by the correct department.
They should just make it illegal to run an unencrypted wifi network. It might be argued that it's a bit of a sledgehammer to crack a nut, but it's amazing how many people and businesses will suddenly wake up once fines start being issued.
I live in a small iniversity town. Even the shortest bike ride with my Zaurus running kismet finds many access points in businesses and homes unencrypted (war biking?). I often run ethereal for the few minutes it takes me to get up and order coffee at one of the local cafes. It never fails to catch pop and imap passwords, mail, and instant messaging conversations. I always use ssh or VPN, but I don't feel superior. Most of my own non-work related mail is sent in plain text.
First entomology, then virology, and finally bioinformatics systems. Bugs follow me wherever I go.
How can they tell how many people encrypted their email checking when you can't tell what goes over an encrypted link?
I have of course not read the article, so it could be the submitter.. But anyway, 3 and then 12 percent of the people who checked their email without using a totally encrypted transport (SSH-tunnel, VPN..), which just isn't the same thing..
AirDefense Software Screenshot
Something clever...
What they found was that users checking their e-mail through unencrypted POP connections...
I guess my Yahoo address would be secure under the same circumstances then? I mean if POP3 is as unsecure as they say it is then that renders POP3 unusable in a corporate environment considering most people are too lazy to encrypt.
I've noticed that everyone who is for abortion has already been born - Ronald Reagan
Next thing you know, people will be failing to apply patches.
The coolest voice ever.
Is it possible that most people don't give a shit about encrypting their e-mail because the contents of their e-mail are so inane and you can't trust the intervening steps?
I mean really - if I want secure transfer of information i'm not going to use e-mail. The effort wasted securing it is truly wasted effort, in my view, because of the lack of a trusted MTA. I don't trust my ISP. They can read this shit. So can every other transit point. Do you? Don't you feel somewhat foolish for admitting that?
I secure my IM. End-to-end encryption at least has a point there.
That being said, the article seems to lack point - expecting 'more people' to do something that is fundamentally pointless.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
A few years ago I was given a demo of TCP-dump by a resident BOFH. First step was to read all of the private communications between a certain user and other people in a chat room. The next was to take a look at some people's emails as they were relayed through the router (including their POP3 passwords). Since that day I have not sent any password unencrypted...
I am TheRaven on Soylent News
What should have been done was make wi-fi equipment operate in an encrypted mode by default. A couple of MS-style wizards would make this a snap.
Maybe the next version of 802.x will make this happen.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
If you use WEP, but everyone knows the key (e.g., at a trade show so you need to make the key public to let people on the WiFi network), I assume that's the same as unencrypted. However, why couldn't there be a RSA or symmetric encryption for 802.11[x]? So you make the public key for the access point, available, anyone with that can connect, but your PC/WiFi card encrypts every packet going out the door, so the traffic going from the client to the access point is now secure. Similarly, the client gives the access point its public key, so all the traffic coming back to the client is also secure. This probably requires a lot more overhead in the access point and client, but I don't think that it would be unreasonably so.
the problem lies more in the way the access points work at the moment rather than the end users not using POP without security. The best you can do with access points today is to set up single key (like WEP) that is shared among multiple users. The accesspoints of the future would hopefully have 2 WEPs: One to allow access to acesspoint and a second second one - dynamically assigned to individual clients(probably recognized by unique mac address) for all data communication between that unique client and accesspoint.
Siggy Say, Siggy Do
Encryption might take a while to set up, but it's a very good thing. Not only for your own data.
I'll explain. Many of us run web servers and let friends have sites or mail accounts on them. Now, I'm pretty sure that in most places reading your user's mail is illegal. Suppose you're logged in on your server trying to solve some problem by looking at what's going on with a sniffer like tcpdump or ethereal. Accidentally you see a friend's private email scroll by.
Now, of course, this wasn't intentional. But what if you make a slip? The email could have been about some event you didn't know about. Then, a week later you forget where you got that information from, you ask that friend about whether his grandma got better. The friend then asks "How do you know that? You weren't reading my mail, were you?". Depending on how this person feels about you, you might get into some trouble.
This is why on my server I provide IMAP accounts only though SSL. I never look in user directories unless needed. And I tell everybody who gets an account that if they want to be completely sure their data stays confidential that they should use PGP and that I can explain how to use it.
It's not that hard to set up, anyway. Set up a mail server with SSL and you'll be able to check your mail safely from anywhere. Install SSH for administration. Install Apache SSL even if you don't need it much, to give the users who want it the ability to log in with an encrypted connection. Use an instant messenger like Jabber with a SSL connection too.
Don't worry about self-signed certificates. A certificate from Verisign provides a rather small increase of security which people tend to ignore anyway. If you just want to avoid your traffic from being sniffed, it should be enough.
Excepting web browsing, most of my data is encrypted. I even found that I can browse kuro5hin.org throught https. It's a good thing too, when I login my password won't be sent in clear text.
So perhaps this *may* mean that only 3-12% of the people feel that what is contained in their email is important enough to encrypt. Why does this article assume that VPNs are necessary in every case?
You know, it is sometimes good to be "paranoid", but often it is just that, paranoia. Do I care if someone sniffs my unencrypted "penis enlargement NOW!" emails? Security is not always the primary design factor, and sometimes is disregarded altogether in the face of getting things done.
I can't help when I think of "security" of the push/pull battle that the U.S. Army had with the Manhattan Project personal. The Army, of course, say bogeymen under every rock at Los Alamos, but the scientists soon discovered that to aid in the project, many "security" concerns had to be circumvented...
never bring a twinkie to a food fight.
Wow, that's hardcore. Where's that from?
Actually: Mass Destruction + Stupidity = Globalization... or something ;o)
I've noticed that everyone who is for abortion has already been born - Ronald Reagan
This all adds up to make it really easy to sniff usernames and passwords just by sitting in a campus hangout area with a packet sniffer.
I have whined at my University for IMAPS support and was told that, while they were interested, they couldn't roll it out because their servers couldn't handle the extra CPU load from all that encryption/decryption. I suspect the answer is the same in other places.
Personally, I would always try to encrypt my data transmissions over the air. However, I don't know what the big deal is that other people send in the clear. These are certainly interesting statistics, but I don't find them that shocking. What I'd like to know is how many of those people say they're using encryption. ;-)
/usr/bin/complain >
Trying to get secure email has been a bugbear for me ever since my mail server started supporting secure IMAP and secure SMTP.
The hardware specifications are as follows:
Toshiba Tecra 9100, European, with built-in wireless (an orinocco under the hood)
One Netgear ME102 nice and simple mdaemon mail server (altn.com)
Outlook XP (so sue me)
A couple of revisions ago mdaemon started supporting SSL for IMAP and SMTP. Great, I thought, I'll enable that in Outlook and when I'm out and about on public APs I'll have secured email. Not that simple. On enabling the SSL support in Outlook the Toshiba would drop its wireless connection every time I checked for new mail. Take SSL support off, and it kept a steady connection. I asked a friend I know internally at MS if there were any known problems with SSLed IMAP over wireless. He came up a blank, checked it with the MS internal WLAN, and with his home WLAN, and it worked flawlessly for him.
So, as Netgear were the easiest people to contact, I sent a detailed email to their support group. Despite being promised a 24 hour turnaround by the auto responder, 1 month later, nothing.
Toshiba are impossible for the end user to contact, so that was a dead end.
Eventually I updated the Orinocco drivers, grabbing them from the manufacturer site (a risk, as you know how fussy laptop drivers can be, especially Toshiba), but the problem still arose.
So where does the problem lie? XP, Outlook? (Nope, that configuration works elsewhere). The Orinoco card? The Netgear? Who knows, there are too many variables.
Nothing, nada, I still get drop outs when using secure IMAP. It's generally overkill setting up a VPN at home, so I'm stuck with unsecure IMAP.
Doesn't really work in this case. It's the network at these shows that is untrustworthy not just the airwaves. The only thing the WEP (if it works right) is good for is keeping people you don't want off your network; it doesn't actually add any significant security for the user from the network. So as a user in 99% of all cases you want end-end security, not point-point; because at each of these points the traffic is unencrypted and can then be sniffed.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"You mean IPSEC'ing your wireless connections? Something actually on my TODO list today. ^,^
Why should I care about encrypting the download of mail? It goes in clear text across the network anyway; everyone knows you should not write anything in electronic mail that you wouldn't send on a postcard. That's what PGP is for.
(It is a bit more worrying if someone could pretend to be me and delete all my messages from the server.)
-- Ed Avis ed@membled.com
However they do have https'd web interfaces to the mail servers, so you can always use that at these conferences, and that would be secure.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"As long as large ISP's advertise such products as "Wireless DSL" to the average user, and fail to help them setup a decent encryption on the WiFi network, this problem will percede.
I don't see how it is different with people that don't use encryption on normal e-mail, with a hard line connection. Or other technologies, such as FTP, Telnet, and non-SSL websites. There are secure solutions for all of these, but I doubt a large majority of their users actually go through the trouble to do it.
Error 407 - No creative sig found
but not as trivial as sniffing on an unswitched network.
Furthermore... if I'm the sysadmin, and I catch you running a sniffer, well, I probably won't care.
If I catch you doing arp poisoning in order to intercept traffic on a switched lan, I'm going to yank your connection / get you fired / expelled / press charges for hacking.
One involves listening. The other involves messing with stuff and deliberately breaking how things work.
Its plain to see! Take my hometown.. right next to a beautifull mountain range. Just get on top of one of the mountains and use a dish tolook down.. 72% of the 180 networks that showed up within 5-6 minutes were all unencrypted!
802.11b is slow enough already.
Try streaming a DivX over wireless with encryption, it doesn't work. It barely works when you turn it off.
How small a thought it takes to fill a whole life
the point of WEP is misunderstood, as well. Yes, it was poorly implemented.. but it was not supposed to be the data security layer anyway... just "wired equivalent"
That means.. it was supposed to be roughly as hard to get access to the actual network packets as it is when someone has a wired lan.
The wire is not secure, as you know. Wires can be tapped numerous ways, invasively, or passively. Yes, the logic is kind of flawed, the situation is different.. but it just makes it harder to sniff, not impossible.
IT wasn't supposed to be a replacement for using secure protocols.
Most people don't care all that much about their home wireless networks (or their personal email) being encrypted, because there's no major threat. Sure, corporations need to protect their ever so secret information and precious bandwidth, but if someone near my house wants to go ahead and use my wireless connection, as long as it's not crippling my connection speed, so be it. Not a big loss for me. If someone is going to go through the effort to snoop my network, you're not going to find anything worth stealing that you couldn't get easier from Kazaa. If someone's going to be reading my personal email, well, they're going to be plenty bored. It's just not worth hacking into my computer, there's nothing of non-personal value on it.
Security isn't a major issue for home users. That's why they don't treat it as such. Sorry guys.
--
RumorsDaily
The thing is, I have to wonder if people care enough about the security of their systems to go through the hassle of securing them. I have a DSL line run through a router with a built in firewall, which I only have because I share access with my roommates. One of my roommates however, feels the need for an additional firewall on his desktop, just in case. This always causes issues when playing network games, and we essentially can't share files with each other. My point is, sure, if someone went to the effort, I guess they could hack my computer, but why would anyone target me specifically? I don't really have any sensitive information on my computer either, and I keep backups of my writing, just in case. So I just can't justify the inconvenience of a desktop firewall. If securing a wireless network creates similar hassles, I imagine that many home users just wouldn't see the point. Of course, if it were easy to set-up and didn't put restrictions on file-sharing between computers or create problems networking games, I imagine more people might just feel like setting it up.
Random rants about technology: http://technorants.blogspot.com
This shows the power of defaults. Anyone who has done any wardriving will notice that a lot of networks have the SSID "linksys" or "default".
Take it out of the box, plug it in, and it works. That's the beauty of wifi.
I'm sure we'll see a move my manufacturers towards secure-by-default (as secure as possible, that is) as we've seen Microsoft trying to do with IIS in Win2003.
That said, there is certainly a place for unencrypted open networks.
I was surprised that I was able to pick these up from the street. Also surprising was the names of some of the networks, I mean kittyNET, c'mon!
Also, it's amazing how many people have linksys.
USE WEP, PEOPLE! Or at least configure your router to only accept your computers' MAC address! jeez.
There's lots of reasons to close your network to the outside. The main one being that you don't want to give people access to your LAN. Most people don't password their computers from other machines on the LAN, since they figure it's secure, but it's not. Also, I tried the default linksys password ("admin") on a couple of the networks, and would have been able to change router settings. Imagine setting up a dreamcast w/ wifi outisde of someone's house on their external power outlets and serving warez off their connection. sheesh.
these routers should come with little pamphlets about wireless security.
...spike
Ewwwwww, coconut...
WEP is a horrible thing. I use it msyelf, but that's mainly to keep my non-techie neighbors from turning on their laptops one day, have windows xp realize there's a wireless connection in their range, and start using my bandwidth. I have no delusions that my data is secure since anyone could, with a little patience, use airsnort to find out what my key is.
The accesspoints of the future would hopefully have 2 WEPs: One to allow access to acesspoint and a second second one - dynamically assigned to individual clients(probably recognized by unique mac address) for all data communication between that unique client and accesspoint.
As another poster pointed out in this very article, it would be much better to have some sort of PGP encryption in the access point, where you send your public key to it, and it encrypts the data back. Problem with doing anything based on mac addresses themselves, is that you can change your mac address in both windows and linux
Warning: Opinions known to be heavily biased.
Coincidence! I am currently mootching some guys 802.11b net here in SF. Thanks for the 11mbit 80% signal quality link! My friends had been offering the telephone which I connect @~50kbis, I think I will stay on here instead.
That's what I can't stand about all of these kinds of "security" vendors. It is as if they think that pointing out flaws and vulnerabilities does a great service to society. It does little more than pump up their egos. It doesn't help end-users at all.
Did these people offer to point out the problems to the users while the conference was going on? Did they offer a handout with steps to secure their connections? A class? A tap on the sholder, "hey buddy, if you do this then nobody will know how much pr0n you download"?
Seeing that AirDefense sells monotoring tools and are pimping security seminars on their website, this article can only be 1 of 2 things...a marketing tool to push their services, or a marketing tool to show "how much they care," trying to raise their status in the community. In general, does anyone really believe the crap that marketing spews out??
As far as your friend's firewall causing additional problems, remember the old saying that 'security = 1/usability'.
Refreshing to see someone with backups too =)
for goodness sake :)
A blog I run for the wealth
Thats kinds of interesting, and especially timely for me, since at the moment im leeching off my neigbors wifi connections. I am getting DSL installed, since I moved to a new house, but the aren't able to get here for at least a week, so I had to find an alternate source of net for that time. :).
I did a bit of war driving - on my block there were *12* AP's, and only two of them were encrypted. Get this though - one off the had the WEP key as the AP's name
Nearly all the others had "default" "linksys", etc as the names, showing me that the people hadn't really bothered to take the 5 minutes to set it up properly. Oh well, good for me.
... did they mentioned that some access points go down to modem speed if WEP is on? The on board CPUs simply cant keep up doing WEP/64.
I think you should forget about WEP and use IPSeC and VPNs instead
Ask that question again, "why would anyone target me specifically?" It sounds like you use Windows. It also sounds like you don't know what a script kiddie is. It really sounds like you haven't got a clue.
There is a low likelihood that someone will engage in a targetted attack against your machine. However, with batch attacks being run by adolescents, targetting entire IP address ranges, you b0x could be 0wnz0r3d by such an attack.
Your...question, "My point is, sure, if someone went to the effort, I guess they could hack my computer, but why would anyone target me specifically?" is the same view most people have. The problem is that your are clueless, and don't believe that it takes no effort at all to 0wn j00r b0x.
All the "l33t hax0rs" (read: script kiddies) have the airsnort in their bag-of-scripts that they don't know how they work anyway, so why bother?
Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day.
I am not familiar with the tool they used. It doesn't say how many different kinds of encrypted connections they looked for (since there are a wide variety from https to ssh that are easily applied to email, not to mention products that support content-based rather than connection-based encryption and more). Does their claim to have counted all encrypted tunnels really mean they are omniscient, or how did they distinguish them, etc.
It seems likely to me that the real headline may have been less earth-shattering: "Activities of encryption users are harder to detect than activities carried out on the net in plain text."
You are vastly underestimating the amount of "patience" you need to crack WEP.
For average home users, the number of packets sent is remarkably small and infrequent--it will take you quite a long time to gather enough packets. Longer than most kiddies and scanners have the patience for, I'll wager.
Corporate networks are different though--there is certainly enough traffic generated on those networks for you to compromise the key in a decent amount of time.
I don't see this as too surprising..most people think that by installing ZoneAlarm and buying a Linksys router, they're immune to any form of attack or subversion. This extends to both wireless and traditional setups.
As I see it, there are two very fundamental reasons for this: lack of awareness and lack of comprehension. The average day-to-day user doesn't even know what a firewall is..what are the chances that they'll have a clue about encryption? I mean, c'mon..we're living in a world of users who largely think that SSL means that they're safe as can be, that security is something you purchase, and the only difference between wireless and a traditional connection is a lack of cables.
Awhile back, I was going on a pretty big BSD advocacy kick..y'know what finally made me give it up and shut my mouth? One girl had a bunch of questions, so I tried to answer them as best I can. I also wanted to make sure that I made clear the differences between Windows and BSD, as most MS users aren't accustomed to the file system, configuration, etc. So, naturally, I bring up firewalls, and how you essentially write your own rules for it by hand (in this particular instance, I was covering ipfw).
Rather than take my advice, she immediately became defensive, ranting off about how she's not some AOL kid, and how she already has ZoneAlarm, so she won't need to worry about a firewall on BSD. I could go on and on with stories like this.
I realize that this isn't just about wireless, but I don't think the issue is that limited in scope. Computer security is taboo to a lot of people, and unfortunately, it's a problem that needs to be addressed...or taken advantage of by those with a greater sense of what the fuck is up.
Security vendor AirDefense set up two of its commercial 'AirDefense Guard' sensors
I guess they're terrorists. Guards, seize them!
perhaps the law of the jungle. Few will encrypt til they get tired of their systems getting hacked. The stupid ones who don't figure out what the problem is will go out of business.
Besides how would IT sales guys sell them "new and improved, now with security features." Duh, ya mean that door you sold me didn't have a lock on it?
Someone could cause chaos by strolling through a downtown with an infected system.
One line blog. I hear that they're called Twitters now.
Many people dont even care about their privacy. It's nothing to do with anything else. Talk to the average net user and they laugh and say so what?
I guess it's true, boring people just dont need privacy.
...people do all kinds of stupid things mindlessly like driving drunk, having sex without a condom and catching AIDS or syphilis, living unhealty etc. And this stuff kills them.
So, you shouldn't be surprised that they don't secure their WLANs. You should be surprised that they don't drop dead 'cos they have forgotton to breathe.
Owner of a Mensa membership card.
I ahve a feeling that at a conference such as this, you will many higher-ups in companies that are not the most technically advanced. Trying to tell them to setup a VPN on their own computer would be like trying to tell them to increase the budget for the IT department, it just won't happen. So it becomes someone's responsibility to do this for the user, or the Wi-Fi companies need to make it easy enough for the general user to setup the encryption themselves. Is it the fault of general user that they don't want to spend hours researching how to setup encryption for a result they can't see or is it the fault of the Wi-Fi companies for not making it esay enough for the general user to setup out of the box?
In home / small buisnes lan's the WEP priority is in 2nd. If we can filter "premit only" by MAC the WEP isn't going to do such a difference in what regards to security blocked network ... or it does ?
However, why couldn't there be a RSA or symmetric encryption for 802.11[x]?
Bluetooth seems to address this: its encryption does not have the weaknesses of 802.11x, and newer versions apparently allow 128bit encrypted open/ad-hoc connections.
I'll take the chance that someone sees my penis-enlargement spam.
The problem is that people also see your POP3 password, which means that they may be removing both your penis-enlargement spam and your real mail from your mailbox after getting your password.
Wi-Fi is rapidly becoming a "hot" technology, cool to have, among average users. Average users aren't interested in encryption or other difficult things, they are only interested in not having to mess with wires.
If you have some way of preventing network visitors from sending email, then you're safe from wardriving spammers. If you never use the same password between some cleartext protocol and some sensitive application like online banking, then you're safe from having your online banking password stolen. If all your machines are sufficiently hardened that you could expose them to malicious connections without a firewall in between, then you're (relatively) safe from becoming someone's next DDoS zombie. If you don't use personal finance software and never store your correspondence with Mastercard online, you're safe from having your credit card number stolen. If you never use your computer for correspondence that includes your SSN or your mother's maiden name, those won't be used for identity theft.
That's just a quick list of things to think about. If you hired me for an analysis I'd come up with a lot more.
I don't care who's see's my hotmail emails, or hell any of my god damn emails. I think security articles have to take in consideration a % of people who jus dont give a shit if someone is reading their emails. Its all pr0n anyways!?@?!
In Soviet Russia, they were most grateful for those circumventions.
-- The Bogeyman.
I use SSL for e-mail. My ISP doesn't support SSL, but I have them autoforwarding to my university account that does.
At home, I rotate my WEP key daily by plugging in physically to the network, and mashing keys pseudo-randomly until they text field fills up. This is until I get IPSec working.
At school, wireless is all unencrypted. They have to support like every platform out there including older computers, so nothing more advanced is really an option. Using WEP with that much traffic would do nothing but give people a false sense of security.
That's where SSL and SSH come in.
When someone might yell at me, it has to be OpenBSD.
i would love to see people like yahoo POP3 implement SSL, but i suspect with a large (non-paying) userbase, the processor time required by the extra SSL encryption overhead would probably cripple their servers during peak times...
This is what RC4 is for. In spite of all the potential weaknesses in this stream cipher, it is still believed to be secure if used properly. RC4 is dirt cheap per byte, and a standardly-available SSL option.
Here's a simple guide to setting up WEP on your WAP:
1. Visit this page -- it will generate 13 random hexadecimal digits that you will use for a 128-bit key.
2. Copy the resulting digits into a text editor and strip out all of the whitespace between the characters.
3. Log into your WAP router and go to the Wireless configuration settings. Select the "128-bit encryption" option, and enter the generated key into the WEP key field.
4. The last step is OS-dependent... In OS X, you would log on to the WAP as usual, except that now it will ask for a password. Select the dropdown box labeled "password" and change it to "128-bit Hex", then enter in the generated key. I believe OS 9 users will need to enter a "$" before their hex key for it to work properly. It won't let you paste the key in, so you will need to type it carefully. I don't run my Linux box via WAP, so I'm not exactly sure how Linux users would do this -- feel free to reply to this post and add other OS instructions...
Slashdot's first reaction to VMware
The vendors were probably leaving their APs open on purpose to others can browse freely. I am sure most of them know better.
The average non-technical user is happy enough just getting things working.
Home users want to take their notebooks anywhere in the house and be able to surf. Business travel through airports (interoperability) may not even be their priority.
Why should they be concerned about mac addresses or hex keys? Firmware upgrades to make things more compatible?
Lets make it easy for them. Vendors should sell wireless home networking kits that have all the encryption turned on in advance by default, with drivers that assume this also by prompting for the prepackaged keys at install time.
Joe user could buy a box containing an access point with two pcmcia wireless nics. By default those two nics will be the only onces that can access the access point. The shiny box that says "easy install" will be what clinches the purchase.
Of course an advanced user could still change the defaults to suit their needs.. but that requires effort.
Joe User will always assume the defaults are good enough for him, and they should be.
How much does the extra computation involved in en- & decrypting everything affect network performance? Is there a tradeoff between performance and privacy that may make some people willingly not encrypt?
Just goes to show that most people don't keep things on their computers that they care if other see. Maybe a simple explanation is the best.
Note to the over bloated and costly security software industry: If you don't want people to have access to your information don't put it where they can get at it.
It doesn't bother me if my wireless traffic is sniffed...anything important I'm doing over a wireless connection (Secure HTTP for online purchases, SSH for shell access, etc.) is already encrypted at a higher level than WEP works at. There's no need to encrypt the entire network, if you don't care about someone reading your e-mail.
Even if you do care, IPSec is probably a better choice than WEP is.
"IPSEC is not an end-to-end protocol."
IPSEC cannot authenticate users to a service, nor can it encrypt messages betweeen users or applications. At the most, your message transport is encrypted, which is all transport-layer encryption systems like IPSEC and SSL can do. Neither SSL nor IPSEC automatically make your POP or IMAP services "secure", e.g. one can still perform buffer overflow attacks over an encrypted channel. They merely make it difficult to eavesdrop on the transmission media.
I'm proud of my Northern Tibetian Heritage
Where in SF are you?
I'm doing the same. =D
You call that encryption?
I'm not sure why this is a big deal. One should treat wireless like any other Internet connection and assume that the packets are going to be in the clear for everyone to see. This is why there are other encryption methods on top of IP. If I'm using a wireless access point and I need to access the corporate network, I fire up a vpn. If I need to check my email, I SSH into the email server. If I want to buy some pr0n, I use an https connection. If I want to view some pr0n, I leave it unencrypted for everyone else to see, because I'm just a nice guy.
no shit.. your average wifi person is totally friggin oblivious that they're so exposed... just for fun i used to drive around with my laptop to see how popular wifi is... TONS of people had it... funny thing is that out of maybe 200 networks found in about an hour, only around 5-10 had ANY security on 'em ... including my own standard network which has the normal encryption, MAC address lockouts and i myself use all encrypted protocols on top of that... (except for web, public ftp and public cvs, etc)
i even found a local computer store had their store network on an unsecured wifi lan... (compUSA)
i find that especially troubling/amazing
i wouldnt be surprised if more than half of 'em had the default manufacturer passwords set on their wifi switches/routers
p r m t h s
We better start encrypting now...we sure don't want anyone to be able to enlarge their penis, get a low rate mortgage, or miss the business opportunity of alifetime from Nigeria.
But seriously, if someone ever got my email that way they would disconnect quickly with al the spam hitting my box these days, it would deter them to a certain extent.
People using wireless in their home are all about conveinece. Install stuff and it works, no wiring needed, just some basic networking skills the first time you set it up.
Think about Cell Phones or Wireless Phones. With old scanners it's pretty easy to listen in on your neighbors, and they may even order something over the phone and you can get their CC #'s.
I like the security on my Garage Door opener. I have to physically press a button on the motor compartment and then add the new remote or keypad. This would be great in my house - press - add new device to network on my router, get my PC to logon to the wireless net and the light goes off. In a home situation it would be great and we could let the machines worry about hardware and even use one time pads to each device based on mac.
The most common request I field is a remote office dialing in to HQ to do data entry on a propriety data base. Nonprofits do this all the time with Results/Plus Metafile and their donor data.
It's easy to dial in and access the database, but how to encrypt your confidential data with a VPN? Not even biggies like the United Way and Jewish Appeal can do this.
So, genius, tell us how to set up the VPN. I've used VNC with SSH, but no MCSE will touch VNC.
I check my mail. But I do an SSH tunnel, and while it is up I can be doing anything including things they are trying to gage statistics on, but I wouldn't count toward a percentage using encryption to do X because they wouldn't be able to tell.
WEP has lots of problems. OK, lets say Vendor X turns WEP on. They will have to put a big sign up saying what the password is (so captured packets could then be decrypted...). This is any more secure? It is more of a hassle.
The fact that APs don't enable WEP by default might be a problem, but even if they did, they would have to make that password public (again, no more security) or go through a lot of tech support calls from people who had the caps lock key on when configuring one or the other.
[On point MS Bash: The greater percentage of the worms, viri, and other really evil disruptions would go away if MS would simply DISABLE things like javascript and other active content in Outlook and disable unnecessary services and ports BY DEFAULT - in comparison WEP, although covering a different security aspect, is not worth bothering about from an economic standpoint - And I've not heard any meaningful clarion call to reform the MS situation]
WEP is so bad that it is almost pointless. To make it even marginally secure requires a lot of hassle (e.g. burning the WEP key into a Cisco card's flash - assuming you can go all cisco - from an offline, locked-up computer).
All the fixes are well known, but are just becoming standard, or require external standards (e.g. PPPoE over a proper encrypted tunnel).
I recommend them.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
A little wardriving I conducted last week using the excellent KisMac tool discovered about 25 wireless accesspoints in my town. 20 of them did not utilize WEP or any other security measures. One of these was a local insurance company.
However I wouldn't know if some people put open their accesspoints on purpose so that everybody can use their hotspot. Still it's disturbing that a Insurance Company has an Open wireless spot.
I'll be conducting the same wardrive later on this week to check if situations where temporary configuration errors, or are permanent hotspots. If so i'm probably going to inform the owners (if they can be located).
-- Cliff Albert
I appreciate the good uses that SSH tunnel forwarding can be put to, but extensions to SMTP (RFC 2487), as well as POP3 and IMAP ( RFC 2595 allow secure connections without requiring the tunnel.
These extensions are integrated into most mail clients. Installing a server that supports the secure connection isn't hard either.
I always try to keep it simple. When I start having to troubleshoot three different systems in order to find out why my mail isn't being sent or received, I'm making my system too complex (too complex for the likes of me, anyway :-)
Notes From Under *nix: blas.phemo.us
The future of wireless security is 802.11i But this standard uses a different encryption scheme than WEP, therefore some hardware upgrade will be required. There is an interim standard called WPA that combines some features of 802.11i with the encryption algorithm of WEP allows only software/firmware upgrades.
of course they don't! [duh]!
.. why should they care exactly? they have no reason too!
Why should they when the manufacturers tell them they are "secure"?
and even if we tell them they are insecure why should they care then even still?
Security to normal[non-geeks] people is a non-matter, the only time it does matter is once they've been burned....
and then all hell breaks loose and things get done, until then
A good friend of mine has an interesting hobby - he's looking for APs and checks whether there's a mostly open file server around and then proceeds to copy the contents to the laptop, burn a CD or two and drop them into the phyisical mailbox of that company or office.
In at least two cases, he got the contents of a lawyer office. Some people were supposedly not amused, but at least they accepted his help in securing their networks.
Wi-fi users still don't encrypt? I don't know wi... Maybe fi users are just not particularly good cryptographers I guess? (Pun definitely intended.)
Karma: Positive (probably because of superiour intellect)
secure
easy to install
cross-platform
FreeS/Wan is quite tedious to setup, Microsoft PPTP isn't secure (from what I've heard), so the choice I have for setting up a VPN is quite limited. I think that's withholding a lot of people.
"It's too bad that stupidity isn't painful." - Anton LaVey
why is it that i am not surprised at this stat? the problem with the current state of wi-fi is that it is generally insecure by default. if you want to increase security you have to fudge around with cryptic configuration settings, and if you don't know what you're doing you can make your network even less secure or fubar the whole thing. the mass market consumer -- and this would be the target audience if wi-fi were to really take off -- should not be expected to know what vpn stands for or what a tunnel is besides the big holes that trains and vehicles go through.
in an ideal world secure protocols would be built in and invisible to the user. out of the box all security measures would be enabled by default, so if you want to turn off encryption you'd have to turn it off manually. the dream of ubiquitous computing would be a nightmare without ubiquitous security.
if you don't encrypt, you must acquit!
Except that Yahoo no longer pretends they can make a profit just by selling advertising. They're hard-selling "premium" mail services: larger mailboxes, access to an smtp server that doesn't append tag lines, etc. Secure access would be an obvious way to generate fees. But they've never been that clueful.
What they found was that users checking their e-mail through unencrypted POP connections vastly outnumbered those using a VPN or another encrypted tunnel
What's even more amazing is that if they checked the actual wired lines, they'd discover that users checking their email over wires through unencrypted POP connections vastly outnumbered those using a VPN or other encrypted tunnel. POP is by nature an unsecure protocol, like FTP and HTTP. Anyone who is savvy enough to find a WiFi convention interesting and uses POP without GPG or PGP is probably not sending email they care about having interecepted.
Sending unencrypted email is like sending a postcard. Sending it through WiFi is like stapling the postcard to an office wall. Either way, unintended recepients can look at it if they want to; the difference is only the quality and quantity of those unintended recipients.
You call that a troll?
You moderators need to get out of the house a bit too... watch that sunlight, it'll do your head in if you're not expecting it.
-1 Uncomfortable Truth
Clusterknoppix or gnu/linux with openmosix patch, and $200 Walmart/TigerDirect boxes.
Or simply use the existing boxes, just apply the openmosix patch to each one. Boxes with spare cpu cycles will contribute processing power to the mail server, without any hardware investment.
Can't take the load is no longer an acceptable excuse. Time to change the administrators.
I don't care, and obviously alot of people don't care. Nothing I do is THAT important except Credit Card transactions and those are done via SSL, which IMHO is secure enough for me. I went to 802.11 Planet and everyone there seemed to acknowledge the fact that their transactions were not secure, yet didn't seem to care.
-Jamie
Given the end-to-end argument is it much more important that we start to use OpenPGP, even if some one discovers our userid/password the encrypted email will be only readable by the addressee, and no one else.
This IMHO also put a end to the discusion that WEP is weak. Why shouldn't be? If it was strong it would be even more expensive, and regulated, and it would have been overkill for most applications. If a application needs encryption, like email, the application should provide encryption and not the lower protocols.
Why there are still mail clients with out openpgp surport I really do not understand, email is as privat as a postcard... Is nobody telling users that?
What I cannot create, I do not understand
They wouldn't have even counted me among the people using things like unencrypted POP to read email. Why? Well, because I read my email by sshing to a machine where I use a plain-text email reader. I do this for good reason. I got fed up with the thins that all the fancy GUI mail readers did to me. Even with mozilla's reader, when I told it to never send html and always send plain text, it embarrassed me by sendin g html. I don't trust any of them.
So I log in and use mh to read email. And to the folks in this article, I wasn't reading email at all, I was running an ssh session.
They probably similarly missed most of us old-time geeks in their statistics. So much for the meaningfulness of their data.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Why bother with WiFi encryption? Really, the entry net is unsecure. At least in my book. If you want security, it needs to be point to point. Really, the only reason I use WEP is because I don't want to get a call from my ISP that I'm downloading too much porn or have the record industry's lawyers calling my house. I would gladly open my WiFi if it wasn't for those two things.
I tend to think of email as a postcard; I don't use it to send anything that needs to be highly secure. If I did, I'd encrypt the message itself.
grr...
My father and I have gone "war-flying" at 500 feet above residential areas in his Cessna 120 (2 seater airplane) and have literaly picked up HUNDREDS of open and unencrypted AP's within minutes. From what I understand, it is completely legal to listen in and monitor any radio frequency, so long as it is not encrypted and you do not publish any of the content.
For fun in college, my buddies and I used to terrorize our fellow dorm mates by listening in on their cordless telephone conversations using a police scanner. We would call them back and mention parts of their conversation in amusing ways. We were always kind of hoping that we would overhear a girl say "I'm so horny right now" and then go knocking on her door at just the right moment. We were pretty pathetic...
Listen to Live FM Radio
Agreed. Anytime you are checking your email on the road it should be secure. ssh tunneling is one method, secure webmail is another.
What amazes me is that so few firms understand that their "road warriors" are their weakest link in their security. You frequently see firms where engineers are told they cannot work from home, even with ssh tunneling, "for security reasons", but the companies' road warriors are zipping in and out of airports with detailed business plans and spreadsheets sitting on their unsecured laptops.
Hint to sysadmins, if you're letting them fetch their mail over a clear connection, you'd probably let someone else pretending to be them send email through the company mail server.
Wifi is the single stupidest idea for network access ever.
The original idea was sort of like:
"Lets have this entirely asinine implementation of an open network and then worry about security and connectivity later..lets market it and bring it in as the latest best thing, even though it's a piece of ripe, fly egg studded shit as is."
I think the warchalking symbol for a good spam wireless access point should be a spam can with an antenna sticking out of it.
Here's what it really comes down to. There are people out there that are totally oblivious to technology and that they somehow "trust" it kind of like buying a new car. You trust that it will run everytime you start it and that it won't break down. Even though there could be manufacturer defects, but as long as they don't affect you or you don't know about them you're "okay" so to speak.
Every user should know what kind of hardware they are buying and they should know as much about it as they possibly can. The manuals are usually there for a reason, not just to waste paper. And if they are dumb enough not to understand the hardware they deserve to get compromised. There really is no excuse for not knowing that your network is reachable by anyone if you practically LET THEM IN.
>>if you reuse a password one crooked or incompetent web site can leak and now anyone in the world might have your "master key".
/*
It seems to me that many 'professional' web sites have no idea what your password is - they store a hash instead. For example, here is a bit of the javascript source code for the Yahoo login page:
---
* A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
* Digest Algorithm, as defined in RFC 1321.
* Copyright (C) Paul Johnston 1999 - 2000.
* Updated by Greg Holt 2000 - 2001.
* See http://pajhome.org.uk/site/legal.html for details.
*/
---
If you forget your password, Yahoo mails you a new one. This means they *never* have to store your password!
Of course any site that will mail you your password must store it somehwere...
-Sam
It's *the* most funny thing I have *ever* seen! :-))))))))) Please mod it up! Thanks! Oh my God! It' *so* great! I'm still ROTFL!!!! :-)))
that's a good one! +5 funny! it's a shame those stupid mods don't have any sense of humor.