CNN Notices that WiFi is Insecure
josh3736 writes "From CNN comes an article that makes painstakingly obvious to the public what we already knew: 802.11 security is horrible. The article points out that nearly 40% of wireless network APs haven't even been changed from defaults and as many as 80% of home APs have encryption disabled. The article goes on to say that '[t]o make matters worse, users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software.' It also accuses WiFi manufacturers of disabling security measures by default to make wireless easy to the lowest common denominator. My favorite quote? 'Experts say that while Wi-Fi hardware makers have made initial setup easy, the enabling of security is anything but. Meanwhile, average users are no longer tech savvy.' Which is to say that they at one point were?"
One major flaw I see in telling people to enable WEP on their WiFi is the first question I'm sure to get back is "How do I do that?" and, well, the instructions for doing that are different for each and every item on their network.
What's more annoying is that people think the "passphrase" they type into their router is the WiFi key rather than what it usually really is, the random seed from which their router generates the actual keys. They type their passphrase into their other devices when they're supposed to type a key value, and then they wonder why it doesn't work anymore when it was working just fine before they tried this security stuff.
I've had friends who I thought were tech savvy get tripped up over this stuff. I blame the router-makers for not providing software that makes this a whole lot more of a user-friendly experience. We as the IT industry are badly failing at this... and having a lot of open WiFi points will just make our other headaches such as spam and viruses worse in the end. This really needs to be addressed for the good of the Internet.
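Added example (not part of the comment above, and not any vendor's firmware): the passphrase-versus-key mismatch that comment describes, using the widely deployed de facto WEP passphrase generators (a linear congruential generator for 40-bit keys, MD5 for 104-bit keys). That a given router uses these generators is an assumption, and the function names are made up for this sketch.

```python
import hashlib


def wep40_keys(passphrase):
    """Derive the four 40-bit WEP keys from a passphrase (de facto generator).

    The passphrase is XOR-folded into a 32-bit seed, which drives a
    linear congruential generator; each key is five output bytes.
    """
    seed = [0, 0, 0, 0]
    for i, b in enumerate(passphrase.encode("ascii")):
        seed[i % 4] ^= b
    state = int.from_bytes(bytes(seed), "little")

    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            state = (state * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((state >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def wep104_key(passphrase):
    """Derive the single 104-bit WEP key: MD5 over the passphrase
    repeated to 64 bytes, truncated to 13 bytes."""
    data = passphrase.encode("ascii")
    if not data:
        raise ValueError("empty passphrase")
    repeated = (data * (64 // len(data) + 1))[:64]
    return hashlib.md5(repeated).digest()[:13]


def client_key(entry, mode):
    """Key a client ends up with, depending on how its setup screen
    interprets what the user typed.

    mode "passphrase": client runs the same generator as the router
    mode "ascii":      client uses the typed characters as the key itself
    mode "hex":        client expects the key as hex digits
    """
    if mode == "passphrase":
        return wep40_keys(entry)[0]
    if mode == "ascii":
        return entry.encode("ascii")
    if mode == "hex":
        return bytes.fromhex(entry)
    raise ValueError("unknown mode: " + mode)


def can_associate(router_passphrase, entry, mode):
    """True when router and client hold the same 40-bit key (slot 1)."""
    return wep40_keys(router_passphrase)[0] == client_key(entry, mode)


if __name__ == "__main__":
    phrase = "hello"  # constructed sample passphrase
    router_key = wep40_keys(phrase)[0]
    print("router key 1 (hex):      ", router_key.hex())
    print("typed as ASCII key (hex):", phrase.encode("ascii").hex())
    print("passphrase on passphrase-aware client:",
          can_associate(phrase, phrase, "passphrase"))
    print("passphrase on ASCII-key client:       ",
          can_associate(phrase, phrase, "ascii"))
    print("generated hex key on hex-key client:  ",
          can_associate(phrase, router_key.hex(), "hex"))
```

The value that has to be copied to a client without a matching passphrase field is the hex key the router displays, not the passphrase.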
...I kept my Linksys WAP11 box wide open until one day I sat down at my computer to see that some fellow using the machine name "god" had joined the network and sent me a NetBIOS "net send" message. Ho ho, how clever.
Sigh... OK, fun time's over, no more sharing, hook up USB cable, generate hex key, etc. Kind of depressing.
The Army reading list
Of course they were. Around the time of the Apple I. Since then, the average cluefulness of computer users around the world has been plummeting because computers have been getting easier to use and the bar to entry has been lowered, with humorous results such as people using clueless people's WAPs.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Yes, believe it or not, at one point your average user was at least marginally tech savvy.
That point in time was somewhere around 1985, and possibly on upwards to the early to mid 1990's. Not so, since Windows became synonymous with PC, and the Internet began to define personal computing.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I think the point is that before the mass-mass marketing of wifi, the average user of wifi was a much more computer-security literate person.
Not only do WiFi equipment manufacturers disable most of the security by default. Some blame any connectivity issues you are having on the encryption (see How stable is WEP).
Personally, I would love to see some more options when it comes to turning WEP on. Since my laptop connects in both a wired and wireless manner to my network, it would be great if some software generated a new WEP key to use each time I went wired. I see no reason that the end user would need to be involved, any weakness on the part of the pseudo-random generation of a new WEP key would be less insecure than having the same one for months on end.
paul reinheimer
The very reason that Wi-Fi networks exist is that they provide simple, easy-to-use network connectivity wherever you are. Security takes a backseat to ease of use. The equipment manufacturers don't want to have to deal with the support calls if they would enable security features, such as WEP, out of the box. Adding security to Wi-Fi networks makes them harder to use and less appealing to the average consumer. Thus, it's easier for manufacturers if consumers remain blissfully unaware of the huge backdoors into their networks. But then again, anonymous internet access from my neighbor isn't that bad.
RIAA discovers that unsecure WiFi networks may create "reasonable doubt", thus hindering the criminalization of P2P activity. Film at eleven.
I'm not doing anything mission-critical over wireless at home anyway. Encryption makes my connection crawl, and it's just not worth the trouble. I have the MAC filter turned on to secure the rest of my network, and that's enough for me. If someone wants to sniff and see all the slashdot posts and porn going over the air, they can go right ahead.
When WiFi was just getting started only tech savvy users used it, meaning that the average WiFi user was tech savvy. Now, everyone and their mother (or at least my mother) is using WiFi, and the tech ability of the average user has gone down.
Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
I think the "average users" they are referring to are the average users of the particular technology. The article goes on to say "The gadgets are mainstream, appearing on the shelves of Wal-Mart and other mass retailers," implying that the fact that the tech is mainstream is the reason that the average user is not tech savvy. So when WiFi was only in use by geeks, the average user of the technology was quite savvy.
I enjoy the fact that most idiots have wifi encryption disabled and the defaults set. It makes my life easier when I'm biking or traveling with my laptop or ipaq.
Most residential and a lot of commercial areas give me free access to the internet - they may or may not know it, I don't really care.
I don't check my email or browse until I vpn into my home network. Just in case someone is sniffing packets - let's not make it that easy.
And the reason that Linksys and the rest of them don't enable it by default - tech support costs.
users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software
I wonder if this would be a new, easy way for people to start a new worm/virus infection. Wardrive down the street, map a few hundred potential victims, and come back later and put the bugger in the "Startup" menu on Windows PCs. Ack.
They could have easily made this another suburb of Atlanta story, but instead went all the way to California!
My other sig is extremely clever...
In the urban area I live in, my friends and I drive around and easily discover wireless shares, usually the whole drive. Not just homes, schools, hospitals, once a funeral parlor.
We usually just leave an image in their Documents folder with some indication of their wi-fi openness.
Amazing, really.
Once the 'puter became a household appliance instead of a hacker's toy, that's when things started to go downhill.
Yeah, right.
Hey ... don't tell anyone!
I love being able to travel and hook up my e750 to the net no matter where I am!!
*smile*
We investigate -
Claims that fire is hot,
Reports of wet water, and later, Is it dark at Night?
Jeez - talk about stating the obvious.
'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
I live in NY and everywhere I go I got 812.11g access automatically because people don't secure their networks. If people will find out how insecure they are I'm gonna lose my ISP :(
I don't regularly wardrive, because I don't own a car; I use pubtrans. Anyways, in Houston, Texas, between Gessner and I-10 and Kirkwood and Memorial, I counted no fewer than ten open networks, all running Linksys G routers. All of them had their DHCP servers up and running, and all had the default admin passwords up.
Admittedly, it's nice to have open connections, but if people don't bother to secure them... well, people could do nasty things to the routers and screw with the connections.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
... has the not surprising statistic that 90% of home users DON'T GIVE A FLYING FUCK if the family PC (which they consider no more than an expensive Nintendo/source of free music) is hacked.
I don't need no instructions to know how to rock!!!!
WiFi without security "just works".
WiFi with security is a configuration nightmare.
So people keep things "just working". When this becomes a problem, we'll see things change. That's how it actually works in security -- be the problem dozens of open daemons on Unix hosts, canary-less stacks in executable code, or a lack of significant checking for airline contraband, the problem is not addressed until it's exploited. When people start getting hacked through their open wireless, we'll see open wireless shut down. For the moment, they'll worry about real problems, like worms and spyware (aka corporate virii).
Ironically enough, it was bluetooth's security model that made it such a nightmare to work with -- the whole pairing process increased the setup load by several orders of magnitude. They're finally going to fix this with Near Field, but it'll take a while for them to get it out (have they even admitted it's for secure key exchange yet?).
Note, I've never said this is how things should be. Ought is not is.
--Dan
"Which is to say that they at one point were?"
I think what he's inferring is that because it's easy to setup, it's no longer used only by geeks, and that makes it a less secure environment as a whole.
If I had a network at home and making it secure slowed it down by 2 or 3 times, guess what..... No security!
Come the revolution, the Bourgeois, Capitalistic, "A PARKING STICKER HOLDERS", will be first against the wall!
Yeah, back before the 70's or so, when those who used computers had to know what they were doing. Count mine as a vote for discontinuing the trend for allowing people to dumb themselves down. When you gear everything for the lowest common denominator, everyone sinks to that level. And really, businesses *did* survive without computers as little as 10-15 years ago. I'm tired of hearing about people here on /. who have a laptop, pda, cellphone, and various other things they carry around with them everywhere all the time. Come on, people. There are still roses out there.
The following three levels of security are good enough for most cases:
1) Never broadcast SSID
2) Use a 64 bit encryption
3) and use MAC filters
Most of the routers have a web-based interface for setting these things up.
The WAP I'm using is in out-of-the-box factory default insecure mode.
I really wish I knew which of my neighbors owns it.
-JDF
Yesterday while watching TV over at a buddy's house I saw a commercial that Verizon is going to be giving away (after you mail in the rebate) a wireless hub with all their new DSL subscribers.
This just frightens me.
I'm just imagining the sheeple who will order DSL, get this wireless router, follow the nice glossy fold out instructions and set the thing up, with no understanding of wireless security whatsoever.
Yes Francis, the world has gone crazy.
He said, "As long as I live in this city, I'll never pay for Internet again." We'll see if that remains true when consumers with wireless routers wise up and turn on some of the security features.
--Residential Interior Design
I have intentionally left WEP off on my AP at home. I use ssh or https for anything sensitive, but I want my visitors to be able to connect via my home network without sophisticated configuration on their side (and of course, without telling them my WEP password).
My home network is connected via Linux firewall, so I can cut the access or install traffic shaping when the problem occurs.
-Yenya
--
While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus
Is it legal to connect to open wireless access points?
It used to take a lot of tech knowledge to even operate a personal computer so the people that used them were, by definition, tech savvy.
But in order to sell more computers the hardware and software manufacturers have perpetuated the myth that "computers are easy." The truth: operating computers is very easy, but maintaining them is still very difficult. Now the average user is not tech savvy, but they have a machine that only tech savvy people can maintain.
TW
Did they also notice the sky is blue?
I like to place meaningful quotes in my sig, so people will know that I know what meaningful quotes are.
Meanwhile, average users are no longer tech savvy
perhaps the article means the average users of wifi are no longer tech savvy, i.e. it has become mainstream. not that average users of technology are no longer tech savvy....
just my 2c
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
What a step down in usability!!!!
Both products have a web site that you can go to to make changes. Neither has the address printed prominently on the outside of the unit along with the default user and pass, the first step in making it easy.
I always found the netgear configuration easy, intuitive, and with tons of help. On the other hand the linksys configuration is horrible.
Once upon a time, the average user *was* tech-savvy.
Back before computers put a pretty appearance on everything with Windows XP wizards, or even 98, you had to know DOS to get anything done on a computer system, you had to know keyboard commands, and a basic idea of what the ports on your PC did.
The "average user" was more tech-savvy because there were fewer users back then, since the learning curve was higher.
Now, with everything plug-and-play, it's much easier to not understand what's really going on inside the magical blue-and-black or grey box with a pair of antenna sticking up from the sides of it.
On my system, I use a Belkin 54G access point. SSID belkin54g. No crypto, no authentication, no MAC filtering. But, you're not going to get anywhere off the wireless segment if you connect to it. The firewall behind the WAP is configured to drop all traffic except the encrypted PPTP tunnels which the wireless clients actually use to connect to the wired infrastructure and the external router. Thus, anyone is welcome to try and get onto my network, but without having a valid account on the 2K3 Enterprise Server box playing router/connection master, and knowing the encryption keys, they're going to get precisely nowhere.
I have WEP turned on for my wi-fi network and turning it on is painless, effective and having no prior knowledge of wi-fi was easier than any other task that I accomplished.
Worst part was finding all these insecure networks popping up all across my apartment community with names such as "default", "linksys", "Diablo", "Sourabh and Sonali", "choke-the-chicken", "mamasboy", "ilovematures". If these idiots can be half as creative in setting up encryption, it would be worth it. But then again, I don't want them to get too smart either, cause for one, it's easier for people like me to piggy back on to tide us over before the comcast dude sets up the new 3MBS pipe.
Still, it boggles my mind that these people would protect their PC's with the latest anti-virus software with the toughest passwords and still leave the biggest door open for everyone to come and play around. Pretty soon, I am gonna have to visit my neighbours with a clue bat.
Rapid Nirvana
If you've ever dealt with the frustrations of supporting access to secure systems, you'll know first hand that security is not convenient. The addition of security at airports is a perfect example. It's a lot less convenient now to fly than it used to be. But the security is necessary. Manufacturers are simply trying to sell their products. With the thin margins these networking devices have, mass appeal is necessary. And mass appeal equals ease of use in the consumer market.
I like what Buffalo Technologies has recently come out with. They've got a pushbutton process to set up WEP between a client and the access point. I spoke to one of their reps at a show recently and they said they were trying to make security easy enough so Mom could set it up. The demo looked easy enough...
The basic message here is that if you force people to enable security, they won't buy your product. If you don't force them to enable security, they might as well leave their front door open. And most people won't enable security because they either a) don't think anything is going to happen to them or b) don't understand what COULD happen if they don't. Articles like this one from CNN are great because it has a wide audience.
"Meanwhile, average users are no longer tech savvy."
No, this doesn't mean that the average users were at some point tech savvy. It just means more idiots are buying them.
More open networks for the rest of us, I guess.
Jeremy Baumgartner
I agree with some of the other posts on the main thread, I don't so much care about people trying to see what I'm doing, I have SSH, VPNs, PGP, and other mechanisms that can do that for me when I really need to send passwords and other sensitive information over the internet. My main incentive for securing my wireless AP is so that people can't use my connection for illegal purposes.
It's a liability issue, and it doesn't seem like a big deal until one day you have to find a way to prove to the Feds and your ISP that it wasn't you sending kiddie porn to some offshore server in Eastern Europe. If your name is on the bill for that connection, I'm sure you signed a contract somewhere that states you are responsible for not allowing illegal activity on your connection.
ce n'est pas un Sig.
I'm guilty of it myself. I set up a wireless access point for my mom a couple years ago. Changed the SSID name, changed the default pw on the router and let her have at it. No problem.
Of course, as the next year rolled on, more and more wi-fi users were born. Wireless starts becoming standard with new laptops. Almost once a week someone calls in on TechTV and asks about wireless networking. I start hearing more and more about WEP encryption and MAC filtering, and eventually head back over to my mom's to redress my mistakes.
Sure enough, there were several leeches to knock off, but the point remains. As the technology grows, the users become more savvy, and these current security holes should diminish significantly.
I have a couple wifi networks at home and also install them for friends and family. I have never turned encryption on for any of them.
In most cases they live in a house and the signal doesn't get through most of the exterior walls anyway. But the main reason is although they can login to the router screen and perform many of the functions they need, they are completely confused on the encryption screen. Without encryption, the networks "just work" (tm)
There is a low probability someone would camp outside a window and have the knowledge to do serious damage anyway.
Are you intolerant of intolerant people?
CNN is an American TV network. The average American thinks that Bill Gates invented the personal computer (and that he is a national hero and a role model to be looked up to), that Excel is a general-purpose database program, that SQL is a Microsoft product ("SQL Server"), and that there is some inherent difference between Dell and Compaq. They randomly attribute any type of computer flakiness to "viruses" or "hackers", since those are the only causes for bork-ups that they understand. And just now their mass-market news network is discovering that WiFi is insecure. Is this any surprise? I'm just hoping that some day CNN will "discover" that Microsoft didn't invent the GUI, and that AOL isn't the Internet...
Honey, I shrunk the Cygwin
Wi-Fi out of the box is of course insecure. It can be made secure with a number of different methods (WEP not being one of them, heh, but there is WPA and other things). I believe one of the best features of Wi-Fi is its ease of setup and use -- if you have an open AP, anyone who comes over to your house can just use it with no or almost no configuration. It's incredibly easy and convenient.
What's the drawback? Anyone in your neighborhood has access to your local network. But it's unlikely that someone who wanted to h4x0r you would drive up your street and sit in front of your house. It is of course possible, and depends on your neighborhood. If you're the type who locks the house even when you're at home, then definitely get a security protocol. If, like me, you leave the garage door open and doors unlocked, then securing your Wi-Fi isn't something I would worry about.
So this is no surprise, but neither (in my opinion) is it a big deal.
I just love how I can take my laptop almost anywhere and get Internet connectivity. Last week I was at my mom's house doing some work on genealogy with my laptop and when I booted up, lo and behold - a wireless connection that was wide open!! It was nice to be able to check my e-mail and look at research sites online right then and there rather than either having to dial in or wait until I got home.
I've seen the same thing lots of other places including a friend's apartment in Minneapolis where I found 3 wireless access points, only one of which was encrypted and at my own single family house, I get two open wireless connections besides my own encrypted one.
I have to agree that setting up the secured connection is not obvious, especially when you have one manufacturer's access point and another manufacturer's wireless product in your laptop. It took me a little head scratching and trial and error before I got mine working.
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
The problem is not the product, but the consumers. Now, I might be wrong about this, but I am willing to bet that all access points, WNIC's and other accessories come with something called a "manual"! If you were to actually *read* one of those, by accident or intent, you might discover how to actually use your newly acquired product! Only thing is that people don't bother anymore... They expect everything to be so user-friendly that it will install itself and automatically know how you want the settings to be!! Maybe they could put little warnings on the packs like with cigarettes.. "warning, the DOJ says that not properly securing your access point can be hazardous to your privacy, bank account, and or bandwidth".. Heh
I gave up trying to work authenticated wireless. I doubt the signal even makes it out of my concrete and cinderblock house. The real pisser is the lack of drivers under Linux. Leave it up to me to buy a card that won't work under Linux.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Why do people insist that it's a bad thing to share your internet connection? If more people did that I would be able to be online almost everywhere inside my city.
I haven't enabled security on my access point. I see it as a service to everyone close to my house.
I have patched all my clients and am using VPN to tunnel my own traffic. If anyone abuses the bandwidth I would consider enabling security but until then you are welcome to use my access point.
It was encrypted out of the box with a default password which was linked to the serial number on the unit!
She did not like the long string of numbers though and we tried to change the WEP to something else, but were told it could only be a set of 10 numbers. (well, maybe it can be changed, but I didn't spend much time mucking with it...)
So, on one hand - hurrah that it was encrypted out of the box!
On the other hand, she had me disable encryption entirely (but hide the SSID) so when the kids come over with their laptops they can get on Mom's interweb connection easier.
I like microcars
I think the author meant that the primary WiFi users were once the technically inclined, but has recently shifted to the less technically capable people.
I would imagine that the early adopters of Wi-Fi were tech savvy and thus that the "average" user two years ago was more tech savvy than the "average" user today. It's numbers.
Greg Poirier -- Magic Fairy Bunny Princesses, Inc.
Let us face it. There is no security advantage from the average induhvidual setting anything up technology wise. My neighbors that run WIFI are all open, only one uses a different SSID than the default, and it is the family name.
Configuring security is not easy. Given the fact that the networking vendors have been all for wireless in every home, they have to target the lowest common denominator in setting up their technology. It is the nature of the beast. This is why viruses are so prevalent in this day and age.
In God we trust, all others require data.
I live in an apartment complex, and I was stunned to see not only how many people had wireless, but how many ran w/o WEP and w/o changing defaults-last count in my largish apartment complex, better than 20 visible from street level (i.e. not right under their bedroom windows) and a good 40-50% of those completely unprotected. I use WEP and I changed the defaults but I'm under no illusions that this makes me safe. What I think helps, though, is that in my case there are at least 4 other WiFi users in my apartment building alone that are wide open. So as long as there are easier targets, I think WEP's done its job as well.
to use my MAC address on my wireless card as my security method. While someone COULD spoof my MAC address, someone COULD also crack my WEP key. I could use both, but by using one, I help speed up my network connection.
I mod down so you can mod up. Your welcome.
If cheap-o consumer routers getting 0wned thanks to pathetic Wi-Fi security seems bad, consider this: at least one vendor of e-voting systems depends on WEP as the only security measure between their voting machines and the ballot-counting system.
Yes, that's right -- ballots are passed wirelessly, and only protected via standard 802.11 WEP. How long until someone tries to 0wn a polling place? Or, worse, just sniffs the ballots out of the air and dumps them to a log file (so much for the secret ballot), say?
I wrote the article linked to above when the systems were being evaluated in Fairfax County, Virginia -- a wealthy and populous suburb of Washington, DC -- but they've since been approved by the county board of elections and used in two elections to date. Who knows how many other local governments have bought into similar systems?
Read my blog.
Since we have a unsecured 802.11 setup ad havoc, I got a wifi finder to look how far we broadcasted and actually only my 2 neighbors could join our network, and actually I would enjoy seeing them on my network but it doesn't happen. Driving around at night in the neighborhood we actually found people with very powerful 802.11 broadcast.
This is totally insecure, but very convenient.
If you trust every router between you and your destination with a plaintext password, you are crazy. The IETF is moving towards encryption for everything, and people are following. Most universities now don't allow passwords to ever be sent plaintext over the wire.
Quit blaming wireless, the same security issues exist with wired connections.
The MaxiMegalon Institute of Slowly and Painfully Working Out the Surprisingly Obvious...
And are now stating the fruit of their newfound labor...
All of you who believe in telekinesys... raise my hand.
My upstairs neighbor (apt. building) has an unencrypted Wireless Linksys router hooked up to his Broadband connection. If I wasn't hosting my domain's e-mail from one of my home machines, I would have cancelled my broadband a long time ago.
After all, I was insecure for years from my pre-teen through mid-teen years. Finally, I got over the problem and became an egomaniac. Some day I hope to take over the world. First I need to build a "laser" on my "death star".
Plant a tree in a developing country.
You're joking. C'mon, I mean... like, no way. It all makes sense now... if CNN is this far behind on technology, which moves pretty fast, then they are probably a good 25-30 years behind on their political reporting and viewpoints.
Damn hippies.
-- Liberalism is a mental disorder.
I have two WiFi APs at home. One of these has a WEP key, and is the one all of my devices use. It bridges directly to my "real" network. The other one I leave open just out of the goodness of my heart. I have a dedicated NAT router behind it, and connections coming in on the open access point are the only things that use that router.
So far, no problems, and people have thanked me heartily for giving them internet access in a pinch.
Given this setup, what risks do I run? The only one I can think of is that someone has a bunch of kiddie porn torrents just waiting to start up in a server in a van somewhere. Does that really happen? If Osama Bin Laden walks down my street (he'd probably strut, actually), and uses my "free" WiFi to send threatening emails to major governments, do I go to Guantanamo Bay?
How is this different from NYC offering free WiFi access in Bryant Park?
My brother got a call a few months ago. They were having trouble with their Internet connection dropping all the time. He went to the site and found a brand new Dell with a wireless card. When he asked where the access point was, they looked at him like he was from Mars.
They had ordered their machine with a wireless card and thought that was all they needed. They were obviously piggy-backing onto a neighbor's wireless LAN but when my brother tried to explain that to them, they accused him of lying to them.
I had the same experience. I use a linksys router but a DLink card. But I've heard from other geeks that enabling security doesn't slow them down. What's the deal? Should it have that much of an impact? Is this a cross-vendor problem or is wireless security really that slow? Sounds like MAC filtering is the way to go to prevent access (except passive snooping.)
$7.95/mo, 200 GB disk, 2TBxfer, MySQL, PHP, RoR.
> Which is to say that they at one point were?
I knew DOS, Windows 3.1 and Windows 95 inside and out. As the OS interface and glitches have lessened (yeah yeah, no really, there simply are fewer conflicts in recent versions of Windows), my need to understand how the OS functions has diminished. I'm just another dumb Windows user now. When I need to futz with my wireless router, I grab the manual to remember how the damn thing works.
In the end, I prefer it this way. Life is easier when technology just works and I don't need to understand why. Geeks aside, that's how most people want to live their lives.
I recently bought a laptop with built-in wireless connectivity and a wireless card for my desktop so I could transfer files. This is something that I need to do quite often -- photographs from my digital camera are put onto the laptop "in the field" and then transferred to the desktop at home, previously by firewire.
:-(
To cut a long story short, after a week of long, frustrating nights, I gave up trying to get wireless working. Even with security disabled, and having followed maybe half a dozen completely different tutorials, my desktop would constantly disconnect/reconnect so every few seconds I had an info panel popping up to tell me that it had lost the connection and then found it again.
To make matters worse, even when the two machines were briefly connected I couldn't find any way to have my laptop access the 'net through the desktop. With the two machines connected by firewire this works fine.
Both the desktop and laptop are running WinXP Home edition so I've come to the conclusion that this is another one of those wonderful Windows features that works perfectly for some people but hardly works at all for others. Unfortunately I'm one of the "others" this time.
The only clue I have as to what might be going wrong is that the desktop detects two available connections -- one to the laptop and one to itself. So what I think might be happening is that it is switching between the two connections, which means it is intermittently connecting to itself! The laptop only detects the desktop connection so I have no idea why the desktop is detecting itself and obviously I don't know how to prevent this from happening.
Not impressed with wireless
I believe that he is saying that once upon a time, the average person who set up 802.11x was somewhat tech savvy, and nowadays 802.11x is being used by all sorts.
I have to agree with this. A few years ago, nobody would even think of setting up a network in their house unless they already worked as a system administrator, or other heavy-duty IT professional. Nowadays everyone who owns more than one computer wants to hook them together.
It's not that the overall level of savvy has decreased, it's that the definition of "average user" has spread to the technopeasant masses.
Wake up - the future is arriving faster than you think.
...news and clues travel slowly. Unfortunately these people get to run countries :-(
Stick Men
If you live in a trailer, do you really need WiFi? A 5-metre ethernet cable should do the trick. :-)
Didn't read through the low level posts but I think most people are missing the point.
Unsecured home networks aren't really that much more likely to get viruses.
Sure there will be a couple nasty "replace the IE executable" virii that will run around.
But the real point is that right now if a virus hits the fan they can do a traceback to the original I.P. and find the source. Now in most cases a smart hacker would use a virtual machine well protected or an internet cafe but they still could catch the majority of hackers by tracing net traffic to a physical location and maybe going in looking for a description.
Now there is nothing stopping people from releasing or doing anything they want on the net because they are masked by physical and electronic anonymity.
Which is what the net is supposed to be about anyway, spreading thought without the possibility of repercussion.
On the Pro side, with faster and faster internet inevitably making its way into the marketplace no one uses all their bandwidth (Not even me and I BT). This sharing is great because it means we might finally start to have the internet penetration we were supposed to have years ago, free phone connections from anywhere with just a wifi phone, reviews available whenever you make a purchase, perfect e-mail penetration.
After all, they are the ones that distributed the article. And it can be found on dozens of sites that carry the AP.
Since when has CNN been known for its quality reporting?
All they ever do is find a story, report it in any way they see as serving their political/sensationalist agenda and give it the maximum amount of spin.
I remember one of their special reports about a year ago which did nothing more than to convince "non tech savvy users" that Cookies are a conspiracy to steal their personal information.
The average PC user would have walked away with the impression that if they had ever given their personal or credit card details online the information had more or less fallen at the mercy of each and every webmaster in the world.
I saw an ad the other day for it. I suspect this and other such deals will greatly increase the number of clueless people using wireless routers in my area.
:)
My brother and I are looking forward to future war driving expeditions in my area.
On the other hand, maybe the technicians will set them up securely?
I mean seriously, I live in a high-rise luxury apartment building and only have Macs. Why should I care about securing my access point?
At the moment I'm sharing a neighbor's connection (who hasn't changed his router from its default settings) until my broadband arrives on Saturday. I'm of the opinion that if other people want to use my Internet connection then go right ahead. I make sure that all of my machines are secured and fire-walled.
So why is it so bad if my network is not secured? I leave it open on purpose.
infested with jello like fishes no melotron wishes
From a security analyst's perspective I can fully understand why using a default config would be discouraged - but those guys are de facto pessimists, their job is to analyze situations for possible exploits.
But from a consumer's, and citizen's, perspective is constant paranoia - living your life prepared for the worst at all times - necessary or acceptable?
When I visited Osaka I was shocked and amazed that people left keys in scooters, cars, etc., and as my host family informed me, most house doors don't even have locks. Now, this is obviously a "security nightmare"... but it's a society I'm envious of.
In the Italian province Alto Adige, the public transit company SAD uses Wi-Fi at some bus stops to get diagnostics from the busses and send timetable and bypass updates to the bus.
So, when you are in hurry, perhaps you can tell the bus to go straight to your destination, skipping all intervening stops?
SAD will operate a local train using the same Wi-Fi communications, later this year.
Obviously you should change your password on the router itself so that random drivebys don't screw with your settings.... but if you're running ssh, ssl, etc. how dangerous is it to leave your access point open? There seems to be a group of people in the thread that are like "geeze idiots, my AP is like fort knox". The other crowd says "I leave mine open INTENTIONALLY".
I'm sort of one of these people that dreams of the day when we have a huge community mesh and people can tell their cell phone carriers to piss off.... but I don't want to leave my access point open if some bonehead is going to hack my box.
Anyway, I've never seen anybody tell me the difference between 1) plugging your machine into your cable modem directly and walling up your machine by shutting ports down, etc. and 2) having a wireless access point. Is having a machine on an insecure access point any more dangerous than having a machine hooked up to the open internet on a cable modem or some such?
I mean, the wired internet really is one big network after all, and there are risks associated with being on it. If you're not behind a firewall, wired or wireless, what's the difference?
The phrase is "greatest common denominator". It is the largest number that divides into a set of numbers with no remainder in any case. The least common denominator is always 1.
The "least" is "least common multiple." I think this is about sixth grade mathematics or less.
There are only 6,863,795,529 types of people in the world.
I think passive snooping is the biggest issue most people/companies are worried about. My company said a big NO (Secure or not) to wireless.
Come the revolution, the Bourgeois, Capitalistic, "A PARKING STICKER HOLDERS", will be first against the wall!
Every router should come with a USB keychain which has its encryption key stored on it. Then end users who consider it too hard to retype the key or configure this and that could just plug in the usb key on the client machine and run a script that would configure the client.
I do a fair bit of house-call work in my area. (Pays the bills...) I've set up a fair number of WiFi networks at homes and offices over the past few years. Most of the home networks do not have WEP enabled.
Contrary to popular belief, WEP is quite useful. Unless you have a script, you probably won't break the key. Getting and using the script is a malicious act... And there are so many other EASIER targets.
For businesses, I enable WEP by default. (Actually, I recommend that they stick to wired networks when possible... but these days, they don't listen. When they ask "but can you do this?" I say yes.) WEP is a pain to setup for the business owner... so I get repeat business when they add another station. I've tried writing instructions, but I usually end up visiting anyway. WEP is a bitch for endusers.
For home users, I give them a choice. I say, "do you want me to setup this feature?" and they say "How much?" (I bill hourly for this). I bet you all can figure how it ends.
WEP is simple to setup for a single NIC to a single WAP. In fact, MAC whitelisting also works well here. But for networks with 3 or more stations, or with NICs of different makes, or with more than one installed OS type, setup, configuration and testing of WEP (or similar encryption) is time consuming. Time is money. Consumers make a consumer decision... probably a GOOD consumer decision. Ask an economist.
I suppose I could work for free. Or I could estimate more time (and money) to begin with and lose out on the business. But I'd rather work than whine about not having enough work.
TANSTAAFL
Couple of years ago when 802.11b was kinda new, I did some testing of this sort of thing.
The fast crack using weak frames worked then. It doesn't work much now, if the boxes are using newer hardware.
The slow crack where you get enough packets to figure out the key worked then and now, but in order to actually do it back then I had to set up some continuous traffic to get enough packets to make it work. We're talking millions of packets here, and it just takes forever to see enough to do it, with 112/128 bit WEP.
Can they get in? Sure.
Will they get in? They're going to have to really want in pretty badly or live nearby and be bored enough to capture for a long period of time. And if they just want free network access, they'll find the easier target like the unsecured one down the street. Or pay the 3 bucks at the nearest hotspot for the hour's worth of access.
WEP is not secure, but in 99% of cases, it's secure *enough*.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Plausible deniability! But seriously, an open wireless access point means that total strangers can fileswap over your IP address. If the RIAA comes calling for their "damages", and you can't prove it wasn't you - it was some stranger using your WAP, hacked, open, or not - then you're up shit creek without a paddle. At this point, an open WAP is just negligent. But what if your WAP is cracked? Is it like saying your car was stolen, so the damage the joyriders caused to other cars not your fault, therefore the music downloaded by strangers is equally not your fault? And what if they download kiddy porn and the cops come calling? Who has decided what responsibilities one bears for open or cracked WAP? No one. We have to wait until an RIAA lawsuit victim with a wireless connection decides to fight back.
Someone at the world-acclaimed student bogsheet the Oxford Student observed that the world was going to end because their college network isn't switched. Thankfully a far more rational person pointed out that packet switching is the least of their worries, compared with wide open pigeon holes and dustbins. Was this weekend marking International FUD day or something?
Just because they use macs doesn't mean they are smart, actually - opposite, they can't get anything out of their pc.
And I don't recall providers delivering connection kits on saturday or sunday.
Assume a woman walking down the street shouting she's looking for men to have sex with. Would it be illegal to walk up to her and introduce yourself to the lady, take her into your home and if she still consents have sex with her?
What about this access point that shouts ten times a second:
"Hello strangers! I'm an IEEE802.11 station operating in AP mode! If you want to associate with me, my BSSID is 00:30:40:50:52 and use the ESSID 'default'. I can do 1Mb/s, 2Mb/s, 5.5Mb/s 11Mb/s. I don't do OFDM and I won't accept a short preamble and my owner doesn't want me to use WEP."
What would be illegal about courteously introducing yourself to that access point with:
"Hello 00:30:40:50:52, I'm 02:00:2b:18:fd:03 I want to associate with you with ESSID 'default'"
And what would be wrong with that courtesy being returned with a cheery:
"Welcome aboard, 02:00:2b:18:fd:03. Have fun!"
And once you have been invited inside wouldn't it be proper to ask:
"Is there a DHCP server that would like to give me an ip address?"
And could a polite DHCP server do any wrong by saying:
"Hi I'm the DHCP server serving this subnet. By the power vested in me you're 192.168.1.18, your subnet mask is 255.255.255.0, my friend the DNS server is called 204.18.21.17, in case you might want to talk to machines outside my network there is a router called 192.168.1.254 who would be delighted to assist you".
And I wonder would it be wrong to continue the conversation with the following Gentleserver that cheerfully announces his presence every couple of minutes:
"Hi everybody on this subnet! I'm a NT5.1 LANMAN Server at 192.168.1.10 and I'm the Master Browser on this network serving the domain REDMOND!!"
Would it be improper to strike up a conversation along the lines of "Pleased to meet you, 192.168.1.10, Can I connect to a share of yours called C$ with anonymous authentication?"
Plausible deniability! But seriously, an open wireless access point means that total strangers can fileswap over your IP address. If the RIAA comes calling for their "damages", and you can't prove it wasn't you - it was some stranger using your WAP, hacked, open, or not - then you're up shit creek without a paddle.
At this point, an open WAP is just negligent. But what if your WAP is cracked? Is it like saying your car was stolen, so the damage the joyriders caused to other cars not your fault, therefore the music downloaded by strangers is equally not your fault?
And what if they download kiddy porn and the cops come calling on YOU?
Who has decided what responsibilities one bears for an open WAP? A cracked WAP? No one - yet. We have to wait until an RIAA lawsuit victim with a wireless connection decides to fight back, or someone's life gets ruined because kiddy porn was tracked back to your IP address.
> Which is to say that they at one point were?
The average computer user in 1970 could probably figure out how to turn on WEP, were he/she transported to the present day. This is the same thing that happened with automobiles. In the early days, automobile owners had to be adept at mechanical repairs. If you read "The Grapes of Wrath", at one point one of the characters is honing the valve seats on his truck in a campground. That was the 30's. By 1960 you'd be hard pressed to find a car owner that could do a valve job on his car. Computers have become a commodity item, just as cars did.
If a job's not worth doing, it's not worth doing right.
Say I have my WIFI router opened up to the world and that I give free access to the person next door. So long as my personal computer is firewalled why should I care if he piggy backs my WIFI? I've got more than enough bandwidth and really couldn't care less.
It's the danger of what other people can do with your unsecure wireless broadband connection that is the scary element in this mess. You guys are chirping about how users aren't "tech savvy", and some display bravado in taking advantage, but no one has mentioned the type of scruples (or lack thereof) displayed by the *tech savvy* in relation to the topic!
Think of what you can do with an unsecured wireless broadband entry point while being anonymous - Don't want coppers knocking down your door 'cause you have a nasty little twitch involving kiddie porn? Don't want anyone tapping *you* on the shoulder for downloading anything that will generate an RIAA lawsuit? You have a side business forwarding communications for certain "groups" that will get yer butt in a sling if the track leads back to you?
Remember when you could leave your house unlocked without too many worries? Remember when the people who took advantage of that were considered unscrupulous trespassers, regardless of what they *didn't* do, and it was considered a criminal behavior *anyway*?
Anybody not using MAC filtering is asking for trouble. With MAC filtering, you exclude ALL users except for the ones you have previously allowed. By using WEP, MAC filtering and religiously following your router's documentation, you operate your router in "stealth" mode so that you don't even show up on a war driver's unit.
Yes, the instructions vary from maker to maker, but they ALL have the directions you need. All you have to do is follow it.
> [t]o make matters worse, users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software
I'd say it makes things irrelevant. If your PC is wide open, it hardly matters whether it is linked to the Internet by a wire or an insecure WiFi system. There are so many attackers out there on the net that it is hardly worth worrying about some guy parked outside your house with a Pringle-can antenna.
Even being a tech savvy person I got fed up with the WEP encryption "peculiarities" that crop up from different manufacturers etc...
So being an engineer and a project leader I sat down and actually thought about the problem. What do I actually do on my wireless. Well every once in a while I log on to look up something on IMDB when I don't feel like walking upstairs. More often than not I'm logging into work from my work laptop.
Now when I log into work, I'm using an encrypted VPN. Why would I need another layer on top of that? Now if someone was REALLY motivated to get my data, it would probably be easier to just walk into my house and take the laptop out of my hands than to do the work decrypting the VPN stuff.
So that being said, I opted for restricting the wireless stuff to just a couple of MAC addresses (my laptop and the MAC addy's of a couple friends that come to visit), no WEP encryption and that is it. All the other machines I have are hard-wired, and I try to keep everything as up to date as possible as far as patches go.
Any thoughts, opinions on this line of reasoning? It seems to make sense to me, but I'm not an expert on it by any means.
>"...average users are no longer tech savvy." "Which is to say that they at one point were?"
Yes. Once upon a time, the only people with access to computers were people with knowledge and/or connections to people with knowledge. They also generally had to spend a lot more money to get the computer gear, and while money != technical competency, people are much more likely to spend that kind of cash if it's something they have a genuine interest in.
As prices get lower, as the social stigma of being a computer geek is replaced by a tech-is-cool ethic, and as computers become "easier" to use (i.e., you can do lots of things -- including bad things -- without training), the level of technical savvy in the average end user becomes much, much lower.
I actually think that specific wording in the article indicates the author has a really good grasp of computing history in the consumer sector, actually.
THIS IS SO MORONIC.
Would you ask a TV user to resolve some integrals before plugging his TV or his radio? Of course, not. Electricity is not simple, but electrical engineers developed a way for end users to simply plug and play. You expect to be able to simply plug the TV and watch TV, and you are not worried that some villain may steal your electricity, because that doesn't happen in practice.
The same should be true for WiFi. You should just start your computer or device and it should show all the networks you can log into. You want to log into your neighbors network, you can only if you know its password. Period. Plain and simple. Any other solution is asking people to worry about things they really don't care.
1. Bear Shits in Woods
2. Pope Discovered to be Catholic
3. Bill Gates did Something Evil(TM) Today (oh shit, wait, that's a /. headline....)
In Soviet Russia, Chuck Norris will still kick your ass.
> WEP is not secure, but in 99% of cases, it's secure *enough*.
That within the 1% of cases where it isn't secure enough, the results can be scary. The issue being, you don't know what your WiFi is being jacked for. Sure, it could just be the script kiddy logging in as "god" to play a joke... it could also be a spammer. Or it could be somebody pulling a credit-card scam. Or it could be somebody like that guy that was caught driving around leeching off local WiFi's with his laptop to download kiddie pr0n.
Point is... you not only have to weigh the risks of being cracked, but the risks of what happens when you are cracked.
If you have WEP, then anybody capable of cracking into the WEP is going to be capable of sniffing your MAC and duplicating it using their card. It's not particularly difficult to do or anything.
Now, if you're just trying to keep out the neighbors from accidentally connecting to your network, MAC filtering is fine. But it should not be considered a real security measure by any means.
I also see a lot of people thinking that turning off the SSID broadcast actually does something useful. It doesn't, really. The SSID is contained within every single packet that goes over the network, and anybody with a sniffer can find your SSID in seconds, regardless of broadcast being on or not. If you turn off broadcast, what you're really doing is making it harder for people to connect to you accidentally, much like with the MAC filtering. Broadcast SSID's are what things like the Windows XP wireless config screen use to show the "available networks". Turn that off and you won't appear there, but anybody using a sniffer or AirSnort or what have you isn't looking at that screen anyway.
Using 112/128 bit WEP? Leave SSID broadcast on and MAC filtering off, because it makes no real difference. It also makes it easier for other people to connect to your network after you have given them the WEP key and want them to connect. And if somebody is capable of cracking your WEP, then having MAC filtering on and SSID broadcast off won't even slow them down.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
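The hidden-SSID point in the comment above, as an added example that is not part of the original thread: a beacon sent with broadcast disabled carries an empty SSID element, but the association request and probe response for the same network still name it in clear text. The frames are constructed byte strings, and the network name "homenet" and all addresses are made up.

```python
"""Show where a network name still appears when SSID broadcast is turned off."""
import struct

MGMT_HEADER_LEN = 24          # frame control, duration, 3 addresses, sequence control
SSID_ELEMENT_ID = 0

# Management subtypes that carry an SSID element, with the number of fixed-field
# bytes that sit between the header and the first tagged element.
SUBTYPES = {
    0: ("association request", 4),     # capability + listen interval
    2: ("reassociation request", 10),  # capability + listen interval + current AP
    4: ("probe request", 0),
    5: ("probe response", 12),         # timestamp + beacon interval + capability
    8: ("beacon", 12),
}


def parse_ssid(frame):
    """Return (subtype_name, ssid_bytes), or None if the frame carries no SSID element."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    version = frame[0] & 0x03
    frame_type = (frame[0] >> 2) & 0x03
    subtype = (frame[0] >> 4) & 0x0F
    if version != 0 or frame_type != 0 or subtype not in SUBTYPES:
        return None                      # data/control frame or unhandled subtype
    name, fixed_len = SUBTYPES[subtype]
    pos = MGMT_HEADER_LEN + fixed_len
    while pos + 2 <= len(frame):         # walk the id/length/value elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) < elem_len:
            return None                  # truncated capture
        if elem_id == SSID_ELEMENT_ID:
            return name, value
        pos += 2 + elem_len
    return None


def is_hidden(ssid):
    """A 'hidden' network advertises a zero-length or all-zero SSID."""
    return ssid.strip(b"\x00") == b""


def visible_names(frames):
    """List (subtype_name, ssid) for every frame that names the network in clear text."""
    found = []
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed and not is_hidden(parsed[1]):
            found.append((parsed[0], parsed[1].decode("utf-8", "replace")))
    return found


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(subtype, dst, src, bssid, fixed, elements, frame_type=0):
    """Assemble a constructed 802.11 frame for the demonstration below."""
    frame_control = bytes([(subtype << 4) | (frame_type << 2), 0])
    header = frame_control + b"\x00\x00" + _mac(dst) + _mac(src) + _mac(bssid)
    header += struct.pack("<H", 0)       # sequence control
    body = b"".join(bytes([eid, len(val)]) + val for eid, val in elements)
    return header + fixed + body


# Constructed sample: made-up, locally administered addresses and network name.
AP, CLIENT, BROADCAST = "02:00:00:00:00:aa", "02:00:00:00:00:10", "ff:ff:ff:ff:ff:ff"
RATES = (1, b"\x82\x84\x8b\x96")         # supported-rates element
CONSTRUCTED_FRAMES = [
    build_frame(8, BROADCAST, AP, AP, bytes(12), [(0, b""), RATES]),       # hidden beacon
    build_frame(0, AP, CLIENT, AP, bytes(4), [(0, b"homenet"), RATES]),    # client joins
    build_frame(5, CLIENT, AP, AP, bytes(12), [(0, b"homenet"), RATES]),   # AP answers
    build_frame(0, AP, CLIENT, AP, b"", [], frame_type=2),                 # data frame
]

if __name__ == "__main__":
    for frame in CONSTRUCTED_FRAMES:
        print(parse_ssid(frame))
    print(visible_names(CONSTRUCTED_FRAMES))
```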
Once upon a time someone who wanted to drive really had to know everything about how their car functioned before ever setting foot in it. Now you can just hop in your car and go without giving a second thought to any of it.
Now you can try to spin this such that people back then were safer because they were more "savvy" with their cars but I call BS. Cars now are far safer than they were back then. It's all due to the engineering placed in the car. Not only are they more complex placing them out of the comprehension of the Average Joe but they are more reliable, durable, and in general a better driving experience than ancient vehicles.
You shouldn't need to be a super crypto-wireless-hacker guru to use a computer or wireless setup. Engineers should be designing these things to not only be simpler but more robust. Having a better and safer system has nothing to do with the "savvy" user and everything to do with the manufacturers.
They mean average users of WiFi were once a more elite group than they are currently. I'm sure there are many reasons: cheaper hardware, seemingly easier to setup, tons of advertising and hardware support on common platforms. Any idiot can "kind-of" make it work, but that last 10% really counts when it's enabling the firewall, etc.
So? I don't have WEP enabled. WEP is not the be-all and end-all. WEP is crap, and introduces horrible cross-platform issues. Not to mention that vendors can't agree on how to specify it - 40 bit vs 56-bit vs 64-bit vs 128-bit - (hint: some of those refer to the same thing).
I have MAC address restriction enabled on my AP. And it works pretty well. Additionally, unknown clients to my DHCP server do not get an address from it. And there's only a /28 routed on the interface my AP is on.
So yes, it's unsafe in that someone can park outside my house, wait until I log on, sniff my MAC address, set his MAC address to that, and get bandwidth. Except that one of my devices will notice, since duplicate MAC addresses on the same segment can cause problems. Not to mention the reception outside my house is crap, so he'd have to park directly in front of my house, and if I notice the traffic indicators on my switch start going nuts, and look outside and see some nerd with a Pringles can, I can go kick his ass.
And the article is short on details. "40% had the defaults configured". What defaults? Passwords? If so, boo CNN for connecting to other people's APs without permission ("The door was unlocked" is not a valid reason for being in someone's house, no matter how stupid you think the homeowner is). If it's SSIDs, that's totally useless. My network name is "default", because I was feeling uninspired when I got my AP. Doesn't mean it's not secure. A friend of mine still has "linksys" for the same reason, yet he has WEP enabled.
There is no sig, there is only Zuul.
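The comment above counts on a cloned MAC address being noticed. One way to notice it, as an added example that is not part of the original thread: each 802.11 transmitter numbers its frames with a 12-bit counter, so two radios sharing one MAC show up as interleaved counters. The capture records, addresses and thresholds are constructed assumptions.

```python
"""Flag a MAC address whose frames look like they come from two radios at once."""
from collections import defaultdict

SEQ_MODULUS = 4096       # 802.11 sequence numbers are 12 bits wide
MAX_FORWARD_GAP = 64     # assumed tolerance for frames the monitor missed
MIN_SWITCHES = 3         # assumed: one jump is a reboot, repeated jumps are two radios


def forward_gap(prev_seq, seq):
    """Distance from prev_seq forward to seq, modulo the 12-bit counter."""
    return (seq - prev_seq) % SEQ_MODULUS


def find_shared_macs(observations, max_gap=MAX_FORWARD_GAP, min_switches=MIN_SWITCHES):
    """Return {mac: switch_count} for MACs that alternate between counters.

    observations: iterable of (timestamp, mac, sequence_number) in capture order.
    Each frame is attached to the counter ("stream") it continues, or opens a new
    stream. A single radio stays on one stream, wraparound and retransmissions
    included. A rebooted radio switches streams once. Two radios using the same
    MAC keep switching back and forth.
    Limitation: QoS data frames keep a separate counter per traffic class, so a
    real capture would need to be keyed on (mac, TID) instead of mac alone.
    """
    streams = defaultdict(list)    # mac -> last sequence number of each stream
    current = {}                   # mac -> index of the stream the last frame used
    switches = defaultdict(int)
    for _timestamp, mac, seq in observations:
        mac = mac.lower()
        heads = streams[mac]
        index = next((i for i, head in enumerate(heads)
                      if forward_gap(head, seq) <= max_gap), None)
        if index is None:
            heads.append(seq)      # no known counter continues here: new stream
            index = len(heads) - 1
        else:
            heads[index] = seq
        if mac in current and current[mac] != index:
            switches[mac] += 1
        current[mac] = index
    return {mac: count for mac, count in switches.items() if count >= min_switches}


# Constructed capture (made-up, locally administered addresses):
#   ...:10  one laptop, counter wraps 4095 -> 0 and one frame is retransmitted
#   ...:20  allowed MAC also used by a second radio (counters near 100 and 2500)
#   ...:30  one device that rebooted, so its counter restarts once
CONSTRUCTED_CAPTURE = [
    (0.00, "02:00:00:00:00:10", 4094),
    (0.01, "02:00:00:00:00:20", 100),
    (0.02, "02:00:00:00:00:10", 4095),
    (0.03, "02:00:00:00:00:20", 101),
    (0.04, "02:00:00:00:00:20", 2500),
    (0.05, "02:00:00:00:00:10", 0),
    (0.06, "02:00:00:00:00:20", 102),
    (0.07, "02:00:00:00:00:30", 3000),
    (0.08, "02:00:00:00:00:20", 2501),
    (0.09, "02:00:00:00:00:30", 3001),
    (0.10, "02:00:00:00:00:20", 103),
    (0.11, "02:00:00:00:00:10", 0),
    (0.12, "02:00:00:00:00:20", 2502),
    (0.13, "02:00:00:00:00:30", 5),
    (0.14, "02:00:00:00:00:20", 104),
    (0.15, "02:00:00:00:00:30", 6),
    (0.16, "02:00:00:00:00:10", 1),
]

if __name__ == "__main__":
    for mac, count in find_shared_macs(CONSTRUCTED_CAPTURE).items():
        print(f"{mac}: counter switched {count} times, likely two transmitters")
```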
I just asked my brother-in-law, who is computer savvy, why he doesn't have encryption enabled on his home access point.
His answer: "unless some guy decides to enter my property and sit on my front porch with his laptop, my weak signal is all the security I need". He claims he's tested it with several laptops and the signal is too weak to be used beyond 10 feet away from his house.
Technology used to be the domain of technologists.. then it became popular and that's when "Joe Sixpack" got online.
Nothing wrong with Joe Sixpack, per se, he's a good guy but he doesn't know the first thing about his car, except where to put the gas, and he doesn't know the first thing about his computer, except how to surf the net. And the scary part is that he doesn't *want* to know anything more.
When things go wrong, he hasn't the first clue of what to do, with the car or the computer. All he knows is that he wanted to surf the net at high speed from his Lay-Z-Boy. Ever since he and his cronies got on board, the technological per capita IQ on the internet plummeted.
There has been a long standing computer security axiom that states: "There is no such thing as absolute anonymity, in real life, or on the web."
Well, now there's a caveat to that axiom that I have coined, that states: "Unless you use someone else's unsecured wireless network."
Joe Sixpack is not only providing the foothold that spammers need to purvey their ilk, but also the perfect foundation from which criminals can perpetrate fraud and theft.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
wanted to and not be held responsible for it.
THAT'S the issue here. I could piggyback through entire neighborhoods hacking and cracking and stealing whatever I wanted however I wanted with no way to trace back to me.
All your base are belong to Google.
I run an open access point and my neighbor does as well. Anything (and I mean anything) more than computer games and unimportant chat sessions I tunnel through ssh/ssl or something similar.
Why do I leave my access point open then? Because on average I only use maybe 3% of my bandwidth and I don't see any reason that one of my neighbors shouldn't be allowed to use some of it when I don't need it. When I first moved in and didn't have my own broadband yet I was very happy one of my neighbors left his router unsecured.
I'm actually quite surprised that more people on /. aren't in favor of open access points. They seem to fit very well into the whole 'information should be free' value system that many geeks have.
Not many routers support it yet, but supposedly WPA is going to be a step above WEP. I'm wondering if anyone has actually tried using it yet? I'm running 64-bit WEP here and the inherent insecurity of the protocol makes me leery.
Off hand, I can think of three reasons why you might leave your WI-FI unsecured:
1. You are an ignoramus and it never even occurred to you that someone in the neighbourhood could cause you a lot of grief.
2. You are aware of the security issues and have taken some precautions to secure your LAN, but see no harm in allowing others to share your Internet connection. Maybe you actually trust your neighbours...now there's a thought!
3. You are a predator who lures the freeloaders in with a wide open hub. Then you wait around with the packet sniffer running until some sucker shows up and crack your way into his system. The knife cuts both ways, after all.
Articles like this assume everyone is in category 1, but how can you be sure?
I have an open 802.11b at my house because I see no reason to turn on WEP. I don't use an insecure OS (windows), I don't have major secrets flying around, and if I did I would use ssh, VPN, or something careful. I could take 5 minutes setting up WEP, but the only thing that ever resulted from it was inconveniencing guests and myself during troubleshooting. I turned it off after the last time I had serious troubleshooting to do and saw no reason to restore it.
Maybe if I used windows I would be more worried.
I went with option (1), and it's a nifty little device (it runs Linux BTW). But its default wireless setup is wide open. It can be configured to cloak the SSID, restrict MAC addresses, and use WEP encryption, but a user who can't figure out how to type a set of four random sixteen-digit hex keys isn't going to be able to set it up securely. (Fortunately, the manual gives some "example" keys; I can't wait to wardrive with those...)
Part of the reason why so many wireless networks are open is because some want to leave it partly open.
For example I don't use WEP because I find it just slows down your connection to nothing, I do agree that use MAC addresses (which I use) should be used, but reality is unless you're encrypting everything its much easier to just encrypt the one or two things (say some banking information and that ascii porn, ok just kidding on last part but you get the point)
NYT reports Water is wet..
National Post reports Fire is hot...
and The Globe and Mail reports government is corrupt.
~ kjrose
I think what they're saying is that popularity has grown to the point that the average users of 802.11 are no longer geeks, as Mom and Pop are using it now as well.
It was just badly worded.
"But the cars are all flashing me, bright lights are passing me, I feel life passing me by" - Stiff Little Fingers
> So why is it so bad if my network is not secured? I leave it open on purpose.
One Word: Spammer.
You really want someone from the street to use your open net connection to send 10 gig of spam? It's your bandwidth, not mine...
Of course, if you live on the 14th floor, then it's a VERY slim possibility, so you're mostly OK...
I live in Soviet Canuckistan you insensitive clod!
Assume I was drunk when I posted this.
So I'm not allowed to let my poor neighbor use my WIFI because someone might do something illegal with my connection? I think sharing takes a precedence over fear.
At my apartment complex I have noticed a total of 8 netgear and linksys based home wireless networks that were left wide open all within the past 3 months. In every case I simply 'attach' myself to their router and then proceed to log onto the router with the default username and password. From there it allows you to lock out any devices, change the password, and change the network name (a dead giveaway of an unsecure network is one that is still named linksys or netgear). These default usernames and password are free and available online simply by downloading the docs for the brand of router that you're attempting to log onto (another good reason why you should never keep the default network name). If one were so inclined *snicker*, one could easily lock out the owner of the router to his/her own network.
-Cnik
Remember at the end when Kent was standing outside Prof. Hathaway's house, just as the laser was redirected towards the giant jiffy-pop ball? What the hell was Kent doing with his arms. It looked like he was having a grand mal seizure. That has always bothered me.
"Patience is not a virtue, it's a waste of time."
So...
If someone hacks into your "insecure" wireless network and uploads/downloads enough MP3s to get the RIAA's attention -- is a defense "I was hacked?" Seems like it would be a good defense, since other people have been found not guilty for various crimes because a "hacker" could have done it...
Hmm. Sounds like everyone who wants to download music but doesn't want to lose a lawsuit should have an insecure WAP...
There's nothing wrong with sharing with your neighbor. The problem comes from someone using your network to perform an illegal act. Because the IP address of the attack or other act will point right back to YOU.
-Cnik
It is hard to break WEP. Even though attacks are theoretically possible, my experience is that it takes too long to collect enough packets. I let AirSnort run for most of a day. It collected nothing. On a low traffic home network, WEP is quite good.
I really do not know the details of attacking WEP, so maybe there are fast cracking approaches. Writing as someone who uses WEP and casually tried to break WEP, WEP provides a high barrier to network infiltration. A stranger would have to make a lengthy effort to do it.
* Can't cut & paste the WEP key into the "Key" field.
* Have to enter the key twice.
These things are making WEP more of a nuisance than a feature to some users. They complain about having to type everything in twice, so they ask that WEP be disabled so they can just join the network and not have to fuss with "128bit HEX keys" and other annoying things.
Is LEAP a better way to go? Maybe that will trickle down into the SOHO market.
If it's easy for users, they might just do it. The problem is that it's not easy - unless you have a Mac & AirPort.
Don't run wireless anymore. As a test, ran a video feed to one laptop using 128-bit WEP and another laptop doing the sniffing. Two hours later, I had the key cracked. Needless to say I run wireless when I have to for a guest but for the rest of the time, the wireless is off. I use it as a tool but keep it locked up when not needed.
Yeah. Believe it or not, for quite some time, the only people who really used computers on a daily basis were tech-savvy people who knew a lot about them. The level of understanding that the average user has of how the computer really works and what technologies are involved will necessarily fall as computers find themselves on the desktops of less and less qualified users (qualified as in, "tech-savvy"). It's the natural evolution of technology. How many people had DVD players 10 years ago? Few. I never even heard of DVD players until 1995, and I never got one until '97. But most of the people who used them back then understood what region codes were, and what kind of technologies were involved, and why the screen image froze as the reader changed layers.
Nobody who has one now has any clue about this stuff.
Ok. You have it all set up. Take it down the street to the neighbor's house. He has wifi. You know the one. He's the "average user". You are above average. Your mom is probably below average. He is average.
He has too much money tho, so he has 4 computers. Each runs a different OS or OS version. He read on CNN that he needed WEP, so he turned it on. And after a while he got all of his computers working. And he heard from you that he should have a password on his access point, so he set one. A good one. And he read someplace that he shouldn't write passwords down (in case someone finds the post-it under the keyboard.) so he doesn't know his encryption key or passphrase or WAP password.
One more thing. His encryption keys are "*********"'d out on his screen to protect them (some NIC utilities do this).
Go ahead and set up your powerbook in less than an hour without breaking his network. Or set up his new computer.
Wouldn't it just be easier if he hadn't messed with that WEP stuff in the first place?
I've been thinking about this one for a while now too. Here's the potted summary:
- PDAs and smartphones are becoming more sophisticated.
- Smartphones in particular (but also PDAs) are becoming everyday devices.
- 802.11 is becoming more of a PDA standard feature to compete with the squeeze from smartphones.
- Users do not tend to think of these devices as vulnerable to viruses. They do not tend to install antiviral software.
- 802.11 is generally used in an insecure way and even when secured by WEP, the security is not great. It can be broken given enough time spent listening in.
- It's very difficult to control who can listen in or broadcast near your wireless network.
- Mobile wireless devices are small and designed to be carried with you. They are hard to track down and likely to connect wirelessly to several networks in the course of a few days normal use.
- As insecure wireless networks become more widespread, causing a device to randomly scan for open networks is increasingly likely to be successful.
Mix the above together and it doesn't look good.
There doesn't seem to be much stopping a virus writer releasing code at the nearest Starbucks or whilst driving past your house or office. Once that has happened, infected devices disperse and spread the infection within the city to create a growing infection 'blackspot'. Given that users routinely take their PDAs and/or smartphones when they travel, there's not much (short of quarantine) that you can do to stop infected devices moving to new locations with their owners and seeding new blackspots. As each blackspot spreads, more devices are infected in that area and the likelihood of further spread of the infection beyond the area increases.
I suspect it's only a matter of time before we see these sorts of nasties arrive.
Although you likely wouldn't given how things are nowadays, nobody takes responsibility for anything anymore.. =/
All your base are belong to Google.
Way back when the 802.11 standard was being developed (1988), the standard commission wanted to add encryption but were not allowed to use it by the American authorities. You know, export of encryption techniques not allowed. Only when Clinton lifted this limitation was it possible to build encryption into the standard, and then there was some lag in getting this stuff into the firmware. PS I did not read all them replies, sorry if this has already been said.
Check out this article
;)
Makes very good points as to why one should leave their wireless completely open so that anyone could get on it... (yes, you read that properly). Well, it's good provided you use P2P on a regular basis. A very nice way to cover your tracks.
Being unsecure isn't always bad
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
The other day I got a call from my broker/investment banker. This is unfortunately not a joke. He tells me he got a strange call from some kid at the coffee shop around the corner telling him his wireless network was wide open as well as the hard drive on his machine. Apparently this guy's office is around the corner from a coffee shop and he just plugged in a wireless router and didn't do any configuration to it and everyone at the coffee house has been slurping down their drinks while slurping down his hard drive at the same time.
What pisses me off is that I'm not so stupid as to use wireless, but the integrity of my own personal information is often compromised because of stupid people who may have access to my information and aren't responsible with technology.
Here is a good link to a study on WEP.
/.*
(In)Security of the WEP algorithm
What people fail to realize is that there are some flaws with WEP that make it easy enough to decipher. If you simply don't want someone to see what is in your data packets floating over the airwaves, set up a VPN connection to a wired station from your mobile devices.
You should also consider turning on MAC table filters to prevent unwanted cards on your network. This isn't foolproof because of MAC address spoofing, but it's a start.
Once WPA and some other improvements being talked about come out, things might improve a bit, but that really is the game. People that want data find ways to get it and that includes cracking codes. *Notes other article about Lorenz on
root 10956 5164 0 Oct 22 - 0:23 sendmail: rejecting connections: load average: 70 (isn't sendmail just too kind)
A big part of my business is helping the lost and wayward souls configure a secure wireless network. I feel sorry for them, but a geek's gotta eat!
Wine, music and cinema are the three great creations of humanity. -T'Ian Han
A couple years back, I worked doing tech support for Siemens Speedstream / Efficient Networks. On the wireless products, we would not support the product outside of the default configuration. If the customer enabled WEP or MAC Filtering, we would tell them to turn it off, and call us back. If they asked us how to turn it on, we would say "We don't support that feature. You can read the quick start guide for more information on that subject." I don't know if this policy still applies, but it would seem that some manufacturers may implement some kind of security, but turn a blind eye to supporting it.
Password Authentication Bypassed for Root
Are you claiming that it's my responsibility to ensure that nothing illegal is done using my network connection? I've heard that argument before and I think it's a load of crap. Do they hold libraries responsible for hacking done on free network connections they provide? Do they hold universities responsible for hacking done on free network connections they provide? (I don't just mean by their students, who pay for it; I can walk into most universities and plug my laptop into any random jack and get a connection.) Either way though, it's the user of the network who is responsible for the hacking. Are coffee shops with open wireless networks to be held responsible for hacking done through their wireless networks? (or through their free plug-ins?) Even paid network access in coffee shops records nothing about who you are... trying to hold someone responsible for something done by a person using their network connection is just ridiculous. If you were to hold a network provider responsible every time, just think how many ISPs could be sued for every damaging hack ever performed. I don't see why any household wireless user ever sets up a closed wireless network. I'm seeing more and more articles about the percentage of insecure wireless networks and I think all of these articles are ridiculous.
Very few people will be bothered to figure out what WEP is, of course, just like 90% of people out there don't know what a firewall is. For the remaining 10% that DO know, but don't know how to configure WEP and WiFi, why don't you tell me how to securely configure my Linksys router? Thanks!
How many people change their own oil in their car? The truth is most people don't want to know the details of the equipment.
Even if the consumers learn how to lock down their AP, I'm willing to bet 80% of them will forget how to unlock it within 6 months.
In addition, many people won't pay for a trained professional (like most of us /.ers) to lock it down for them. They just don't see the point in securing it.
Fine by me if AP's are open. At least I know I can get on the 'net from practically any suburb.
m.mmm..myyy
on the subject... it takes sniffing a major amount of packets to crack a 128bit WEP key... something a low-traffic home network is going to take MONTHS to generate...
Seriously... my memory may be failing in my old age, but it's about 6-9GB of network traffic to get enough packets to recover the encryption key... hardly "broken really easily."
I set up APs for friends/colleagues/family all the time... three things:
-Turn on WEP.
-Enable MAC address filtering
-Disable SSID broadcasting (and change the default name, naturally)
That's probably all the home user really needs to do (and may be overkill). It will certainly remove you from the low-hanging-fruit list.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
Paul.
You are lost in a twisty maze of little standards, all different.
Live in the middle of nowhere.
I live in a tiny village in which I doubt anyone outside of my family has even heard of wireless let alone got a laptop with it. The chance of someone coming within range of my wireless AP is absolutely minute. I am paranoid though so I do have WEP on.
Unfortunately living where I do also means I can't get broadband.
Yeah, wep has some security problems, but it is 'good enough' for home use, and even business use if configured properly and there is low traffic:
Yes, wep is weak. But it still requires a significant amount of packets to decipher the keys from weak IV's. It can also be a deterrent, even if you are using stronger methods (IPSec). A casual war-driver will not take the time to break your wep key...he will move to an easier target.
Ideally, WEP + IPSec should be used. At home, wep alone is probably fine so long as you pick good keys and such...most 'wardrivers' aren't going to sit around outside of your house long enough to break a wep key. They are going to jump on the fool who has their net wide open.
A story:
I was once at an airport, and there were "Internet" stations that you could connect to for $.50/minute. Instead, I found the airport's wireless net, which allowed me onto the Internet. It was scary the types of traffic that I saw on that net with passive monitoring, but all I used it for was Internet access.
I already mentioned the doctor's office. Needless to say, I no longer see that doctor. Nice HIPAA violation with my private information, bub.
I really think it's the wireless manufacturers' fault for just making everything such hard work.
I've got a d-link wireless router and pci card, which support 256bit WEP... but you have to use the d-link software to configure the card... if you're using windows' own config util, then you can only use 128bit. not a problem, you might think, however, the d-link configuration util only works if you're logged in as the administrator. so it's useless. great. i looked into trying to get it to start as a service under the local system account... but in the end, just gave up and used 128bit.
i'd try and contact tech support about it, but they'd just tell me it's a feature.
I understand the vendors' position that they want the process to be easy. So here's an easy fix.
On the front of the unit, add a momentary pushbutton.
When the unit is powered up it is in a fully secured mode: a random factory WEP code is in effect, the unit is password protected, all firewalls are active, and it is impossible for the user to even use the unit as is.
The user then runs a setup program on the system he'd like to use with the router. During that procedure, the program asks the user to press the button I mentioned earlier. When the button is pushed, the unit enters "automatic setup mode": It drops WEP, accepts all MACs, and communicates with the setup program to automatically configure WEP keys, add the new MAC to the accepted MAC list, set the new computer's SSID, and generally just "does it all". This procedure can be repeated for each computer to be added.
If the user is a "power user", the user can, of course, manually set up the unit after first accessing it in this manner.
This means the unit is easily set up by newbs, but still programmable by admins.
Your average newb that is causing this problem probably has just one wireless laptop and has no idea how to even start configuring wireless networking anyway.
This way, the instructions become: Insert CD. Click "install". Press button on the front of the unit. Surf the web! How much easier does it get? (Well, how much easier does it get to have a secure router, anyway.)
In addition to this, if the user tries to clear the WEP password, a big red screen should be thrown up that says, "Danger, Will Robinson!" and then ask for the 10 digit self destruct code. (You get the idea.)
This isn't a difficult problem. I have no idea why manufacturers won't respond to it.
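The pushbutton setup flow proposed in the comment above, modelled as an added Python example (not the commenter's or any vendor's code). The class and method names are hypothetical, and two details are assumptions the comment does not specify: setup mode closes 120 seconds after the button press, and each press enrolls exactly one device, so the "accepts all MACs" state is not left open to anyone in radio range.

```python
import secrets

WINDOW_SECONDS = 120  # assumption: how long one button press keeps setup mode open


class FakeClock:
    """Controllable clock so the timeout can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AccessPoint:
    """Toy model of the proposed router: locked by default, opened by a button."""

    def __init__(self, clock):
        self._clock = clock
        # Random factory key: 104 secret bits, what vendors sell as "128-bit WEP"
        # (the remaining 24 bits are the per-packet IV).
        self.wep_key = secrets.token_hex(13)
        self.allowed_macs = set()        # empty list: nobody can associate yet
        self._window_closes_at = None    # None means setup mode is closed

    def press_button(self):
        """Physical button on the unit: opens setup mode for a fixed window."""
        self._window_closes_at = self._clock() + WINDOW_SECONDS

    def in_setup_mode(self):
        return (self._window_closes_at is not None
                and self._clock() < self._window_closes_at)

    def enroll(self, mac):
        """Called by the setup program. Returns the key, or None if refused."""
        if not self.in_setup_mode():
            return None
        self.allowed_macs.add(mac.lower())
        self._window_closes_at = None    # assumption: one device per button press
        return self.wep_key

    def associate(self, mac, key):
        """Normal operation: the MAC must be listed and the key must match.

        The MAC list is only a second hurdle; as noted elsewhere in the thread,
        MAC addresses can be spoofed, so the key is what carries the security.
        """
        return (mac.lower() in self.allowed_macs
                and secrets.compare_digest(key, self.wep_key))


def run_demo():
    """Walk through the flow with two constructed MAC addresses."""
    clock = FakeClock()
    ap = AccessPoint(clock)
    laptop = "00:11:22:33:44:55"      # constructed sample value
    stranger = "66:77:88:99:AA:BB"    # constructed sample value
    results = {}

    # Out of the box nothing can enroll: the button has not been pressed.
    results["before_button"] = ap.enroll(laptop)

    # Owner presses the button and runs the setup program on the laptop.
    ap.press_button()
    key = ap.enroll(laptop)
    results["owner_enrolled"] = key == ap.wep_key

    # A second device trying to ride the same button press is refused.
    results["second_in_same_window"] = ap.enroll(stranger)

    # Button pressed again but nobody enrolls in time: the window expires.
    ap.press_button()
    clock.advance(WINDOW_SECONDS + 1)
    results["after_timeout"] = ap.enroll(stranger)

    # Normal operation: enrolled laptop gets on, an unlisted MAC does not,
    # even if it somehow learned the key.
    results["owner_associates"] = ap.associate(laptop, key)
    results["stranger_associates"] = ap.associate(stranger, key)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```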
In a library you *usually* (not always) sign in to use the computer in some fashion.
In a coffee shop there is usually an account of you being there during the time of an alleged attack.
In a university you can be identified easily.
If I drive around your neighborhood and launch DoS attacks on whomever, I cannot be identified.
All your base are belong to Google.
Why should we worry so much about those that can't secure their networks...doesn't that just mean free access for those of us with Pringles cans? :) I figure if they don't know what they are doing, then they obviously want to share with everyone else. Just a thought.
Sig? No thanks, I don't smoke.
Who would have thought that it would be an 'upsell' to buy Linksys - they're the cheap brand.... :)
That having been said, I've had rock solid performance under Windows and Linux with Linksys 802.11b cards.
I've had problems getting my Powerbook to talk nicely to several non Apple access points. Of course, Apple support has told me to "talk to the hand."
They suggested that it could be environmental interference until I told them that the Linux box with the Linksys card sitting next to the Powerbook worked just fine.
As it stands, I have settled on setting up 2 access points on my home network, and when the mac drops connection to one, I force a connection to the other. Interestingly, the mac's behavior has been equally bad with Siemens, DLink, and Netgear (802.11g) access points.
I recently procured a Belkin USB WLAN interface for my Tivo, and it was flawless to install and get running using WEP.
I have to say that configuring the Powerbook to use WEP was at least as hard as configuring the Linux boxes. Who knew?
But Herr Heisenberg, how does the electron know when I'm looking?
Yes, usually you sign in in a library, but it's just not true about the coffee shops, and often not true about universities.
There are three coffee shops within 3 blocks of my apartment that offer free wireless. I can access one coffee shop's network from a neighboring shop that doesn't even offer network access.
If I walk a half a mile down the street I can go into another coffee shop and pay an hourly rate to sit at a plugged in computer, and no one would know who I was or what I was doing. I know of at least 3-4 shops like this in my city, and I could find more if I needed to.
Comp USA also offers free walk up internet connected terminals that I could use to do whatever I want.
I spent a month going to Kinko's and using their free laptop plugins 8 hours per day. No one had any idea who I was (I'd just got there, and moved out of the area at the end of the month). They did not require me to "sign in" in any way. If I needed to (because there was an un-enforced 30 minute usage limit) I could walk across the street and leech off a wireless network... It was convenient, but would have made no difference in responsibility or difficulty if I was doing something illegal.
I've gone to many walk-up network terminals where I pump in quarters to access the internet, and no-one is even around to see me.
If I want to do something on the internet, and don't want to be traced, it is *very* easy to avoid being traced. Securing open wireless networks is not going to change that. No one else who provides network access to the public is held responsible for the actions of the network's users, and holding random non-tech savvy users responsible for their open wireless networks is nonsense.
I don't secure my network, and I wish others didn't either. I wish people would stop being so afraid. These silly articles aren't helping.
Apple's Airport. It was probably the first AP that supported bridging and is still, by far, the best bridging AP.
I've always found that disabling SSID broadcast is nothing but a false sense of security. It's going to do far more to block legitimate users than to keep out bad guys.
plus-good, double-plus-good
Just like having a lock on your front door. It is extremely easy to pick a pin-tumbler lock in less than a minute, but why would you waste your time when some people leave theirs unlocked in the first place?
Creative Demolition
and only have Macs. Why should I care about securing my access point?
I assume you're joking. Mac OSX is famous for having a huge wireless security hole. Any attacker who is on your LAN (airport wireless or ethernet cables, doesn't matter) and has an attack script running when you boot up can OWN your computer.
OS X, by default, looks for a "network configuration distributor" or something when it starts... and then it downloads and installs any patches that computer is providing. The implications are obvious.
Apple has probably patched this one hole by now, but it shows that Macs have no fundamental advantage.
No more free internet?
Please flee in terror in an orderly manner.
Linksys doesn't make drivers for their PCMCIA wireless cards and aren't interested in making any either. I have talked with them. Isn't it weird that a company whose OS for all their hardware is UNIX based doesn't make UNIX drivers for their cards?
I keep my access point open as a gratuity to anyone who may visit me. The unit is too low to the floor in order to keep its range down. All of my Windows, and Linux boxes are patched so there shouldn't be a problem there. Now if I was in an apartment building then I would enable WEP at the very least, but until then, security has never been a problem in my area.
"I bow to no man" - Riddick
However they use a proxy server that only allows access beyond their default page to a logged in user. All of the other hotspot services I've encountered do the same... this seems like an ideal situation to me... why aren't WiFi routers set up to operate this way? No encryption lag but the network is still secure.
A fool throws a stone into a well and a thousand sages can not remove it.
I always leave my WAPs open for this simple reason: the downsides of securing are much higher than the upsides. If I don't secure, what might I lose? 802.11 is pretty constrained geographically, and as long as people don't cause me to lose performance when I am connected to it, who cares. On the other hand, if I secure the dumb thing, every time I take my laptop somewhere else, I have to reconfigure, along with lots of other junk. In essence, the cost of having it secured is very high, for very little in return.
My 2 cents.
My Siemens SpeedStream 2624 often can't even be used to load slashdot, either with or without wires. I don't need to change the administration codes, because the signal strength is so bad you would have to be inside my living room to access the router. After that, it would just drop connections at random.
Simon's Rock College
Good thing I'm not supposed to be a security expert! It makes me wonder then, why isn't WEP based on something harder to crack? Perhaps a public/private key system would have been better?
Also, props for being the first AC to not flame the hell out of me
CAn'T CompreHend SARcaSm?
Most security problems are created by bad drivers (users and security "PROFESSIONALS"). Most escape serious injury by luck, accident, and ....
.... I just clicked on that FTP icon on my desktop (to an unknown server, configured by a previous user of the computer), I just hooked up my friend's laptop (I am thinking about buying) to the LAN here at work and logged in (DHCP with no MAC authentication and other holes).
These days you don't need to ask for a password, just be creative about discovering the holes the SysAdmin and SecPro are leaving for the users whoops
Okay stupidity is not a crime, these days you can find Harvard graduates that made good and have no idea why security and ethics are important to US. Such a person congratulates themselves with comments like 'look I can have my oil/energy friends screw citizens and soldiers out of Billions and still get the support of the damn fools.'
OldHawk777
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
The average user isn't tech savvy? The average home user isn't even literate! The average home user calls their computer one of the following: a POOTER, da mowdem, da box, the hard drive.
The average home user does not know what a router is even if they own one. If you ask someone if they have a router I usually get a "whut now?" or "whats a ROOTER?"
CNN should work an internet help desk to get the lowdown on the average home user.
Unfortunately intermittent wireless connectivity is a fact of life if you were suckered into buying Microsoft's WiFi router. In fact, one of the so-called fixes for this problem offered in MS's KnowledgeBase is to turn off 802.11x authentication!
Perhaps this is one of the reasons MS is getting out of the WiFi hardware business.
and nobody has mentioned that the article was not even written by CNN! more like "AP notices that wifi is insecure".
I agree, but it depends on the environment. I leave my wireless AP open because this is a relatively spread out neighborhood where I get 67% signal 6 feet from the access point (in other words, the AP is a POS that can't even transmit 50 feet). It's not near a window and I would notice if someone is parking on the street that I don't recognize.
And if someone is hacking when I'm at work, then I'm not responsible, just as I'm not responsible if someone plugs into the phone jack outside the house and starts making prank calls. And when I'm here I would notice a sudden drop in upload speeds (due to spammers or DDOS). So I leave it open here, but if I was in a college town, or in a block of dense apartments, I sure wouldn't leave it open for a second.
Your high technical aptitude is irrelevant. When you're using Windows, the aptitude of three Microsoft committees and four programmers is what matters. And next year's groups also.
The average WiFi user was tech savvy too, back when only us computer geeks used it.
Here's a counter-example. Two years ago, the San Jose Mercury published this article by one of the regular tech reviewers. He was unable to get his WiFi setup to work until a tech came over and turned off his firewall. Problem solved; finesse with a sledge hammer. His system's probably a slag heap by now with all of the extra use it's gotten.
.... deters your nontechy neighbors.
It is there, use it.
IANAL but write like a drunk one.
There are ways to share securely.
Your cavalier attitude to security is a clear example of one of the reasons the Internet will become unusable in its current form.
IANAL but write like a drunk one.
I found CmdrTaco's headline (or did it come from the submitter?) to be very cynical... until I remembered I work in television news. I constantly have to dumb down any and every story about technology (usually the latest Windows virus) that we run.
That reminds me of another amusing anecdote. A few weeks ago, our competition's consumer reporter did an "investigation" into war-chalking and wireless security. (Video available online.) All week long they were running promos about how people can magically break into your private life, even if your house is physically secure.
The report was basically the reporter following a group of war-chalkers around, then confronting the unsuspecting victims.
Office manager Laura really hadn't thought how public her private wireless network might be.
"It says we're connected," noted Bill.
"Oh my! So, you're online with my computer system? They've broken in, Bob. They've broken into our computers from down the street," said Laura.
How the above gets a single Insightful mod is beyond me.
WEP is not crap, it is relatively weak. Or have you broken it or attempted to break it?
You need high volumes of traffic and dumb passphrases in order to break it. With low volume of traffic (typical of home users) it is too time consuming to break WEP. If you change your keys regularly (perhaps once every 2 months) then you are pretty safe.
You showed your lack of skill when mentioning MAC restriction. Honestly, you can't be bothered to put WEP but waste time setting MAC restrictions. What is next, tying dogs with sausage leashes?
But you should not be blamed, somebody that thinks he is safe because he can be staring at his switch all day for signs of network activity, well, deserves our understanding and compassion (especially when thrown in jail failing to explain the kiddie porn or terrorist plan on his PC).
IANAL but write like a drunk one.
I've got a Netgear wireless ap and firewall.
It won't even remember the new password I set. Change any setting and it's back to the default password. It won't even pretend to keep many other setup changes I've made. I did manage to upgrade its firmware to the latest version. It didn't help.
You can't blame the users if the damn device won't even remember the settings the user specifies. I suspect the manufacturer doesn't test anything but the default settings very well.
I guess I'm returning all this netgear equipment.