Slashdot Mirror
New Security Ideas From Intel
Scott writes "Intel is developing a new technology that could prevent unauthorized access to wireless networks using the time it takes for packets to arrive from the access point to the Wi-Fi user. This is one of several ideas were presented at Intel Developer Forum. Intel has also released a hardware-based solution to fight against worm spreading. From the report: 'The system monitors the number of external connections being made and if a higher network activity is detected, the computer is disconnected to prevent the infection of further machines on the network.'"
is only as strong as the weakest link.. which in most cases is the user.
What happens if I have to take my laptop to the bathroom with me? Will I stay connected?
Say goodbye to P2P and BT.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Hey, kudos to Intel for coming up with this stuff, but I suspect that the majority of people who buy a wi-fi router in the next five years will still not bother to even change the default admin password.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Please. Slashdot has had the same effect on websites for years.
Security through proximity is not security at all.
No thank you. Don't decide for me what traffic I can generate.
You are not the customer.
while this sounds fine and dandy.. arent there so many things to consider.. interference from other devices, walls, metal objects... how accurate would this be... im thining it could end up with too many false-positives
The amount of time it takes for a packet to arrive could change because things other than physical distance from the access point. Like hardware latency, interference, etc. If it could be forgiving of these, perhaps the packet transfer time could only be so high, it may work. I haven't RTA yet, but I think there are betters ways to stop the spread of a worm. I think every machine on a network should be running a software firewall, not just a hardware firewall for incoming threats from the outside. With people bringing in floppies and USB storage devices, the attacks are coming from the inside. Why trust the inside? Windows desktops should have the firewall enabled. If you need available ports, allow them and nothing else. And IMHO if reasonable, run FreeBSD on your servers or something else with fewer attacks. Intel's solution will help, but still result in problems. It will have to be hardware-based or virii could stop it. A hardware-based solution could be very expensive, unless Intel wants to give it away, or bundle it with NIC's or CPUs.
Powered by caffeine and sugar; BSD
Its disgusting how Intel capitalizes on paranoia in order to increase profit. How do you expect free community networks to take off if people don't keep their access points open? I keep my access point wide open for everyone to use and never had any problems. If I need to transfer something sensitive I simply use ssl, ssh, or any other type of encryption.
With lines like this....
The system monitors the number of external connections being made and if a higher network activity is detected, the computer is disconnected to prevent the infection of further machines on the network. You'd have to wonder how many people are that transucent to understand once you're connected to a netwrk, you're vulnerable from many varieties of attacks, no matter what browser you use.
These people make sure that they find workable ways around browsers to ensure the installation of unwanted software. My only real recommendation is to start using other servers, (Like Serverbeach or speakeasy) and block the traffic acros the board. USA Only, what, Google? I fyou wish to help prevent spam, check the IP logs, see who transmits the most mail, wipe em out *because most are guaranteed to be SPAM* and be done with it. INVITE ONLY!!! LIKE YOU HAD IT BEFORE!!!!! BE SMART, NOT EVIL LIKE MICROSOFT!!!
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I suspect that the majority of people who buy a wi-fi router in the next five years will still not bother to even change the default admin password.
I hope you're right! All those open WAPs are so convenient.
(This post should not be interpreted to advocate actions which may be illegal in your jurisdiction and probably mine too.)
If your comment title says 'Re: Foo', I'm not likely to read it.
Crackers are developing new technologies to enable unauthorized access to wireless networks using the time it takes them to intercept and retransmit packets between the access point and the Wi-Fi user.
As for the "solution" of detecting worms by autokilling connections when bandwidth usage changes in a way that the software didn't predict, (in a way that's more likely to cripple your favorite P2P client software more than it's likely to disable a worm that decides to start slowly and ramp up), how about Intel gets off its sorry ass (if you felt a rant coming on, you were right) and comes up with a real solution to connection hijacking -- namely by implementing cryptographically strong authentication between client and access point at Layer 2 of the OSI model, not Layer 7.
Oh, right. Securing Layer 2 instead of Layer 7 would harm the interest of those in charge of writing Layers 8 (financial) and Layer 9 (political) of the 7-layer model.
If you tell the router which port you run your P2P on (e.g. I usually run Azureus on port 6502), then it should be able to distinguish P2P traffic from virus traffic. Besides, virus connections are usually much shorter lived than P2P connections, right?
Before anyone gets too upset at the idea of their computers getting cut off from the internet for running P2P:
This kind of technology is not interesting to home users, or even for developer workstations: nobody is going to want to use a technology that cuts off their personal computer. The place it looks (IMHO) to be aimed at is ordinary user desktops in large corporations. These are (supposed to be) highly locked-down environment and controlled tightly by the sysadmins. In this environment, the IT manager is going to prefer inconveniencing a few users by cutting their 'net connection than managing a widescale worm outbreak that'll likely take the rest of the network down for everyone.
Horses for courses: home users and developers will still be best served by taking precautions (virus scanners and social countermeasures) and being vigilant for signs of an outbreak.
The system monitors the number of external connections being made and if a higher network activity is detected, the computer is disconnected to prevent the infection of further machines on the network.
My router, a Westell 327w, already has this feature. It locks up when I use the wifi for anything remotely network-intensi...NO CARRIER SIGNAL
unable to resolve function slashdot.sig(), aborting...
Why stop at doing this for wireless devices? Why not include such connnection-based control for any connections made from the host?
Also, the article says this proposed change will require change to existing Wi-Fi devices. IS that really going to happen in near future?
http://efil.blogspot.com/
But when I think of hardware security, I think of a box I built one time without a hard drive. It just had a CD ROM, from which I would load a Puppy Linux CD, remove it, and leave it running for days at a time with nothing but RAM. If we needed to save a file on it, we used removable media such as USB keydrives. With no writable disks present to infect, with nothing, in fact, but a motherboard, CPU, and a 1-gig DDR, I always wondered how it would fare on a network. But I suppose this is what is meant by 'dumb terminals'.
What is there here that can't be done with software ?. Oh, wait .. that needs Microsoft to do it. Doing it at the WiFi card level might give intel an advantage - but most likely they'll just push this into the driver code. Then we're back to the "why doesn't Microsoft do this" - though in truth, we should chuck it and use Linux.
It essentially means that the moment I run bittorrent, Intel's new WiFi chip will throw me off the network. That's what it'll do for most of us.
> The access point times the time it takes a packet to arrive the client and go back. Using this time, the access point can predict the location of the user and tell whether a client device is inside or outside the allowed area, for example office wall.Similarly all Ethernet cards will have something that allows only packets addressed to it's MAC address to be read. And then someone will find out a way to work around that. I could rephrase when guns are outlawed, only outlaws will have guns - but this is even worse. Intel will create APs which have an artificially limited range to prevent you from taking your laptop to the crapper. This is almost like the userfriendly joke about laptops chained to the desk form of security.
Truly these are ideas to be sold, not products. Once people buy in on the security of these things, intel hopes to make a killing for no extra-work (yes, we have to buy the NEW secure WiFi cards and then just boot up that AP, let's get mailing status reports - leaving a router with "linksys" wide open). Security needs care and control - just cheap hacks on hardware will not do .Quidquid latine dictum sit, altum videtur
Could it be..
- Setting the router defaults to be more secure
- Printing out how to run the setup utility included with the router to secure your network on a big bright yellow card
- Forcing the user to pay attention to the settings by setting the WPA key to a random default
- Printing, in big letters somewhere on the inside of the box, explaining how if the user runs yet another inescure 802.11b network, the terrorists have already won
</sarcasm>It seems like Intel might be searching for an automatic solution for this problem, which is bound to fail as quickly as they can put it out in the wild. How do you protect users from bad network setups if the users largely aren't aware that the problem exists? We don't need new technology, we need to modify existing technology that, while it might add a few extra steps, forces users to pay attention to the problem that everyone here is already aware of.
DOS attacks have just gotten easier.
http://www.rayn.net . Funny. Stuff.
..that filtering based on timing goes aginst the whole idea of a network be able to route through alternative routes if something happens.
It looks to me that security will come to stay when someone comes with a good way of authenticating all users of the network to begin with...
Comment removed based on user account deletion
I use it for (mostly) Web sites (including now) and also for gaming. You are perfectly right, the VersaLink (as Westell marks it) does disconnect the wireless (and sometimes even the Ethernet) connection sometimes, especially when both are active--and sometimes when both are needed. (Playing SOCOM II while finding a "war" on Game Battles, etc.) I ued to think it was just the ISP booting us for abuse; from what you say, I believe it is That Damn Modem.
Usually, it gets teh job done, though.
You can hold down the "B" button for continuous firing.
Intel is inventing a solution for a problem that has never really been determined to be a problem.
There are plenty of existing ways of securing an existing Wi-Fi network. Those who care will.
A lot of the reason people don't know how to secure their networks is because people have never been give a reason to learn. In spite of all this talk from the security conscious about why they should lock down their networks (the most compelling justification I feel is to make sure illicit things (terrorism, kiddie porn, illegal downloading) are not done on the network--I have not seen a single article which has some poor loser lamenting their failure to lock down their network. (I predict that the situations will remain non-existant or few and far between.)
If those situations started popping up--where individuals pay a price for an unsecured network, then everyone else will take it more seriously.
That's "used", not "ued" you idiot. Hooked on Phonics will work for you.
You can hold down the "B" button for continuous firing.
Come on, Zonk, why did you decide that this was worth putting up? Time pressure and quotas?
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
I agree... about a year ago I did a quick wardrive around my mom's neighborhood (upper middle class suburb of Columbus, OH). I drove 3 blocks, and found 14 wireless networks. 10 were open. I tried using the default password for all of the router types (as identified by netstumbler), and it worked on 9 of the open networks... only 1 of the secured networks had not changed the default password.
......
What is the solution to this? I am hardly an expert on supply-side economics relating to production, but how hard would it be to set a random password for both the router and the wireless network? Include a piece of paper with both the password written on them (kind of like a manual addendum, that way each manual won't have to be customized). Or better yet, make the default password the serial number of the router. Extremely difficult to guess, usually a string of alpha and numerics, and the user could never really lose it (unless they removed the serial number sticker from the router).
There has to be a better way of doing things than what currently exists. To offer a product to consumers that has no security whatsoever in an out of the box condfiguration is moronic. Even more moronic is the fact that the consumer (I'm speaking in general terms of course) makes no effort to read the manual. You would think that logic would strike them in the face as they connect to their network for the first time...
"Oh, look, Windows automagically detected my wireless network!"
"Neat, now it's joined! That was easy..."
"Almost TOO easy"
*smack* (this is the sound of logic smacking them in the face)
"Wow, maybe I should do something so that it wouldn't be this easy for other people!"
Just like driving a car:
(D) to go forward
(R) to go backward
(OK, so it has nothing to do with Clarke's Law, other than sharing the same sentence pattern.)
"Intel is developing a new technology that could prevent unauthorized access to wireless networks using the time it takes for packets to arrive from the access point to the Wi-Fi user."
As opposed to, say, enabling encryption?
"Intel has also released a hardware-based solution to fight against worm spreading."
The software-based solution is using a real OS. Another hardware-based solution is to refuse to run any Microsoft operating systems.
'The system monitors the number of external connections being made and if a higher network activity is detected, the computer is disconnected to prevent the infection of further machines on the network.'
ok.. so this will also cut off anyone who uses bit torrent or any other swarming distribution program, regardless of legitimate or illegitimate activity. Fun.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
This is just another one of Intel's marketing schemes. I wouldn't pay a cent for it and, yes, I am proud of operating an open access point for others to use. I've never had any problems except neighbors coming up to me and offering to pitch in money for my broadband connection...
I've seen several parts of this thread where it seems people are under the impression that the Wireless idea and the worm-stopper idea are somehow related, or work together. They don't. They're only related because they both fall under the giant umbrella known as "security".
/. for putting 2 barely-related stories in the same story.
Thanks
"Dude! As soon as I finish downloading the new Knoppix CD we'll be set to...WTF?!?"
I wonder if there's some kind of conservation of energy system possible for securing radio transmissions (like WiFi, Bluetooth, "wireless"). A system in a closed space like a room which is covered with a material which absorbs all the internal radiation could be good - if such a system (perhaps room-temp superconducting) consumed nearly no power, it might run solely on a fraction of the absorbed radiation.
Maybe tightly focused beams of radio energy, connecting transmitter and receiver with thin, long low power needles. The power and coordinates at transmission encoded into the signal, for "checksum" decoding where received. The received power compared to the calculated expected received power, to detect "man in the middle" attacks. If it checks OK, the receiver transmits an ACK back to the transmitter, which continues transmitting only while receiving "heartbeat" ACKs. The transmitter encodes the signal so that any receiver must receive windows of the signal longer in duration than the inter-ACK clock to decode it (like transmitting a new symmetric encryption key every alternating ACK). That way two ACKs in a row are required to decode any signal symbol, so detecting a man in the middle stops the second ACK, which stops the second half of the symbol from transmission.
Is the delivered energy predictable to smaller precision than that lost to a man-in-the-middle attack? Is this system stable? Is anyone doing it?
--
make install -not war
So any one macine will only have time to infect five others. Problem solved!
seeing as you cant get wireless working i would say 0 relevance
Windows won't be going away any time soon, so there will remain plenty of worm fodder. I am surprised by the number of relatively unsophisticated home users who are switching to Mac OS X or Linux as a result of adware, spyware, and worms, but I haven't seen the same switcher phenomenon occurring in corporations.
Besides, worms probably wouldn't go away even if Windows did. Although conventional wisdom says that a large pool of exploitable systems is required for successful worm propagation, that's not true, demonstrated by the Witty Worm's exploitation of a very small population of vulnerable systems. Although they are not as common, worms have exploited other, non-Windows systems and application software, and certainly buffer overflow exploits are discovered periodically in such systems. Granted, the UNIX architecture makes worm exploitation of application software less likely to result in super-user access, but routers, DNS servers, and others remain vulnerable to the extent that they contain worm-able security defects -- and clearly many do.
Worms are getting more sophisticated all the time. From the starting point of their current capabilities, worms and botnets could easily be extended to automatically harvest particular types of data from particular companies or government agencies, using the chaos of a massive worm outbreak for cover. Their ability to receive arbitrary commands from remote attackers over IRC control channels means that they may already be in use for this purpose.
My company specializes in antiworm technology and consulting. The FireBreak AntiWorm system impedes worm propagation without interfering with normal network operations -- including bit torrent.
There is a tremendous amount of innovation going in in the software security area lately, driven by the relatively recent realization among large corporations that they must now spend money on worm prevention, containment, and recovery if they want their heavy investment in the Windows monoculture to survive.
Opting out of the monoculture simply isn't feasible for most large corporations at this point. It's not just the cost of the desktop PC -- if that's all it was, a bunch of them would have switched en masse to Mac OS X Tiger when it came out. The applications, the developers who write them, the help-desk workers, the system administrators, the managers, the employees -- at this point all they know is Windows.
Switching a desktop is so hard for a large company, that the survival of the Windows monoculture is virtually assured for about as long as one can predict anything in the IT world (5 years, I'm told). The the problems that come with it will be creating market opportunities for a long while to come.
If you mod me down, I shall become more powerful than you could possibly imagine.
The speed of light in the neighborhood of the device might be locally distorted, too. (I hate it when that happens. I loose all track of time.)
If you mod me down, I shall become more powerful than you could possibly imagine.
When security compromises functionality, you have already lost. Kinda like how Al-Qaeda won the war on terrorism.
The first idea sounds like some geek's dissertation. Bully for you, Dr. Poindexter, you get the degree, but you don't get the VC. The second is just stupid, a naive case of traffic conditioning.
Here's a novel idea for security--stop writing crappy software. This will never happen so long as profit$ = quality / time. That's why I hate programming, and why I'm now doing system administration type stuff instead. At least I can blame MY idiot users for my headaches instead of banging my head against the combined might of billions of commons-tragedic fools.
Take a hammer and beat the IT directors at every major broadband ISP over the head until they finally decide to start filtering port 25. Simple. Elegant, and more effective than any other idea that's been presented.
Intel is developing a new technology that could prevent unauthorized access to wireless networks
There already exist a number of methods for preventing unauthorized access to wireless networks: stopping SSID broadcasting, filtering MAC addresses, WPA, and even IPSEC for the paranoid. People already don't use what is available because they don't think it is important. What makes Intel think they will use this? It seems to me that the automatic response to security mechanism these days is "turn it off, it's too confusing and we aren't trying to hide anything." A lot of people just don't understand that their passwords and credit card numbers are being sent over the airwaves in cleartext and can be easily intercepted unless you use the security features of your access point.
Yes, and the potential for worm based inward-facing DOS attacks is very real, even though most DOS attacks are thought of as accidental (due to network traffic from the probing threads) or outward facing (directed at remote web site). It's one of the more interesting aspects of this Zotob outbreak, but not well reported.
Zotob (and variants) demonstrated that an internal DOS attack can be about as devastating as the worm / botnet infestation itself. The massive news coverage of this latest crop of worms was due almost entirely to the effects of the (apparently accidental) Denial of Service attack that it performed on many vulnerable networks. The buffer overflow attempt appears to have failed quite often, and when it did the intended victim computer would reboot itself.
The instant the first worm hit a network and started probing around, systems all over the network were crashing. It resulted in widespread panic (well, pandemonium anyway) in some organizations, flooding the help-desk. Systems couldn't stay up much more than a few seconds after rebooting on networks with more than a few scanning worms.
The importance of the DOS aspect of these worms has been underestimated by trade press, but I'm sure it hasn't gone unnoticed by malware authors. It added substantially to the "noise" in the worm-infested environment, and hampered recovery and containment efforts in some organizations -- and they learned about its effectiveness on CNN.
Future worms will probably include options to "scan with horked buffer overflow" to intentionally cause this kind of disruption. In the past, crackers tossed these failed buffer overlow exploits out with the empty pizza boxes and Mountain Dew cans. After Zotob, they'll probably become part of the standard worm toolkit.
If you mod me down, I shall become more powerful than you could possibly imagine.
I had some problems when configured Mozilla to use HTTP 1.1 pipeline, many firewalls blocked my connection and the log was filled with DDoS alerts.
It's user lucky that Mozilla don't come with pipeline enabled
http://www.michel.eti.br
If you go to far you get disconnected.
Mostly its not anything special just a 25 foot cat5 cable.
It's useless to detect new addresses or unusual activity. A better solution such as the one http://www.exceliance.fr/en/ldapercu.htmdescribed here which consists in blocking inter-workstation communication is clearly more reliable. Nowadays, workstations don't need to talk to each other. That's simple.
Am I the only one who thinks this is going to backfire on them and fail miserably? Assuming they make this standard, how is the average computer user going to feel? Most of them don't even know when they're infected, and most of them don't even seem to care. They DO, however, get quite angry if they suddenly cannot connect to the internet.
Huh. Well, they just updated MSN Messenger to 7.5, and it seems to have a better firewall detection engine. Although it ticks me off that I cannot force messenger to go through my http proxy anyway - the boxes are greyed out.
You might be right about P2P having longer connection cycles than the average virus. But virus writers will quickly get around that by padding their connections with garbage. It shouldn't take them too long.
How is this technology going to handle the short but seamingly repetitive connection of on line udp port games? And of course, we all know how well the original Quake server was exploited. This idea is about as good as "Security through Obscurity".
"BSD is about people pissing each other.." (Moid Vallat)
Great so now, right when I get to the height of my pr0n browsing I will be disconnected from the network.
Damn. You caught me. I am a special agent for the NSACIAEIEIO.
You've outed me, which is a crime. Fear not though, your punishment will be the same as Rove's.
Just like driving a car:
(D) to go forward
(R) to go backward
How about a simple USB jack on the wireless router, and another on the remote device; if you plug the remote unit into the hub when it's at factory default, it accepts settings (keys, channels, etc.) from the router, then you unplug, and slap it on the remote computer, viola, all done.
I could imagine a collection of settings on the remote device (Home, Office, Starbucks) that once set, are kept and automatically scanned through when powered on, and uniquely indentified. (each user getting a key set could get a serial number, and an expiration time from 30 minutes to 30 years)
heck you could use that one-wire connection technology, and just have a small metal plate you touch the remote against, and it authenticates in a short low power burst, I think you can even use the human body as a conductor.
All a company needs for complete wifi security is 1 guard with a high powered rifle, armor piercing bullets, and IR goggles in a guard tower overlooking the entire wardrivable area, when someone drives up he takes a look at their car with the IR goggle and if he sees a guy with a laptop. Then well... hes got a high powered gun high armor piercing bullets for a reason.
"It is looking at changes in traffic pattern behaviour. It doesn't have anything to do with how the virus was coded," Rattner added.
- with a sentence like that you just *HAVE* To trust intel
This is a temporary and very weak solution. There are much better authentication mechanisms. Imagine when there are multiple wireless devices and noise. How can you depend on response times? This may suits a fixed setup but when its dynamic, it will fail terribly
Why bother to setup such a complicated system when there is quantum transmission already implemented? Ok, it is not wireless, but I suspect a system like yours might detect a security breach every time someone moves his chair ..
I'm still trying to figure out what people mean by 'social skills' here.
....is including a deacent setup wizard with the router.
Every single router I've bought has had a nice wizard for getting the WIRED side set up, but then nothing for the wireless.
A wireless wizard which also incidently stepped you through setting up at least minimal security...
I see it now...
*open Azureus or other BitTorrent client*
*50+ connections very quickly*
*Intel has used hardware to protect you from yourself. Have great day*
-M
when you see the word 'Linux', drink!
Sure they do. It's a rare computer that won't run Linux. It's much more difficult to convince a user to run something else.
Friends don't help friends install M$ junk.
So, do you tell them to stand outside and wait for rain if they are thirsty?
What do you think you are gaining by this? Abuse of your network connection is far more likely to come from any of the 250,000,000 people who can see your gateway than the 25 who can see your WAP.
Friends don't help friends install M$ junk.
I guess no one has ever heard of these guys: http://www.arubanetworks.com/
/. should not worry about Joe Shmoe so much, but rather make sure your own equipment is good and tight.
The time it takes a packet to make a round trip is stupid. Theres too much uncertainty and interference in the 2.4 GHz spectrum for that to be a reliable security mechanism. An AP should be just that, an Access Point. In order to gain access, prove who you are. Thats what 802.1x is for, wow! We already have that!
Strong encryption, none of this silly breakable WEP, is needed too. Thats what WPA and WPA2 (802.11i) are for. So, I guess we already have that too...
Most modern AP's that a home user can buy should support at least WPA-PSK (Wifi Protected Access - Pre Shared Key), and if they don't like mine didn't at first, firmware upgrades are sometimes available.
IMHO, we the community of
We should worry about the opensource wifi security software that is out there, like xsupplicant or wpasupplicant and FreeRADIUS. Make it better, make it work with more wireless cards.
Joe Shmoe is an idiot. Don't worry about him. Eventally their type will be weeded out and taken care of.
Ugh, you are right.
How long will it be before my ISP is forced to^H^H^H^H^H^H implements this? I can see the reasoning now, "no normal user needs to be connected to more than six other computers at once. This will end virus propagation." Other success stories include upload caps, port blocks, forced smtp usage. The internet is looking more like broadcast and the post office every day.
Friends don't help friends install M$ junk.
So how long before your ISP picks it up? Think of upload caps, port blocks and smtp jails as other "technologies" that piss users off and don't do anything for security.
Friends don't help friends install M$ junk.
The system monitors the number of external connections being made and if a higher network activity is detected, the computer is disconnected to prevent the infection of further machines on the network.
This doesn't open the door to DOS (Denial Of Service) attacks?
Yup, *that* is worrying. My ISP is a university and thus generally quite permissive, with a load of totally random restrictions that they sometimes enforce in heavy-handed ways.
:-( )
This kind of technology might be useful to ISPs (from their point of view) but it's something I'd pay extra to avoid - I'd been very happy to vote with my wallet by going to another ISP, as long as the competition is available (not in my case
OTOH, will the availability of this technology *really* make the situation much worse in clueless ISPs than it already is?
All in all, it seems like a pretty goofy idea: "Secure your WAP: artificially limit it's already meager range!"
If it means accepting connections from people in the building and rejecting those from people in the parking lot, across the street, or in the competitor's facility next door, I bet it will go over big with enterprise users.
Measuring with multiple receivers can also pinpoint the client location, not just distance, even in the presence of unceartainty in turnaround time. Also: Turnaround time uncertainty can be small if you're dealing with packets that generate a response from the adapter's firmware rather than the driver/kernel's protocol stack.
What I'm trying to figure out is what's NEW about this.
Several vendors have had such options built into their lightweight-access-point configurations for some time now. These are devices where the bulk of the access points' brains are in a central box and the multiple access points themselves are dumb radios with minimal networking capability, using the net to talk solely to the central box. With multiple, widely-scattered, radios having details of their packet scheduling handled by the same central device that also handles their connection to the net, it's moderately trivial to add an orchestration function to do location-finding, then another to use the output of that for authentication and firewalling. (It also helps hunt down rogue access points installed on the wired LAN, and active rogue clients.)
From the article it looks like Intel wants to augment the standard to insure some particular response comes from the firmware (or even the hardware) of the adpater itself, in a short and perhaps defined time - possibly something new or with a minor tweak on something existing that would thus identify conforming implementations. That would make it possible for a single AP to get an accurate range measure without having to identify the adapter, firmware version, and perhaps the underlying OS on every client. It would also require firmware tweaks for a hostile interface to disguise its distance, and greatly limit the amount it could appear to be closer (though it could masquerade as being farther without trouble).
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
All in all, it seems like a pretty goofy idea: "Secure your WAP: artificially limit it's already meager range!"
What's wrong with having an adjustable range limit? It makes perfect sense to me.
In particular: Permissions-based configurations lead to most home users having wide-open APs. The incentive on the manufacturers is to ship a default configuration with the door wide open, so the user doesn't have trouble getting connected on instalation. Of course most users stop once it's up and running, so most home access points stay wide open.
But with reliable range-limiting that works across vendors, the AP can be shipped with the limit set to something that will cover a house but not reach the street or the neighbors - with a configuration option to extend the allowable range. Then up-and-running is effectively closed - perhaps except for the next-door or nearby-apartment neighbors. The appliance-users will simply think that the AP can't reach the back yard, while those that read the manual can try tuning it for more range.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I suspect that the majority of people who buy a wi-fi router in the next five years will still not bother to even change the default admin password.
I hope you're right! All those open WAPs are so convenient.
Won't matter. They'll ship 'em with the limit turned on. The clueless will leave it that way, only the clueful who WANT to allow open access will turn it on.
APs are shipped with open default configs so users can get them up and running without making an expensive service call. Limiting the range won't keep them from getting things running initially, so vendors may chose (or be pushed into) making limited range the default.
Upside, for people looking for open APs, is that new APs will only have expanded range if the user INTENDED it to be open. This will help head off the current legal attack on people who use open APs as "service thieves".
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
In order to establish a "bubble" within which users must be located, you have to determine the position of the furthest legitimate user and then add one foot per nanosecond of worst-case response time. For a real-world situation, this new sphere is likely to take in some real estate that isn't under your physical control. For instance, at my house I have a machine that's around 60 feet from my AP. If I add 40 nanoseconds (feet) to that, an illegitimate user could park on the street. Even if we assumed a zero-time latency, someone could sit on the curb and be within the bubble. If the only way for this to help is to restrict users to living room, it doesn't seem to be very "wireless" any more.
Cryptography seems like a much better solution for the real world.
Well, you need an insulated room, and you need precise signal power measurements for every incoming and outgoing signal. Sounds like a lot of effort.
It is not like I could not see the NSA trying it out, but for every other institution your idea is just not how affordable electronics is handled.
I'm still trying to figure out what people mean by 'social skills' here.
Quantum entanglement is easy and cheap?
--
make install -not war
No, it isn't, but you just have to secure a line, not a 3D space, which makes it scale better.
Also QE gets down to the smallest unit that energy can be measured in - your system would still risk to be snooped on by a detector that didn't milk much power. So eventually your system with increasing sophistication would end up being a quantum entanglement system as well.
Your idea is quite useful to detect someone exploting an existing system, but not as a concept for the design of a new system.
I'm still trying to figure out what people mean by 'social skills' here.
If only the only issue was getting a base Linux install running. Many larger corporations have far too many Windows only applications that users must run, and not all of them will work under Wine. I have to run VmWare for those few apps, but most users aren't going to be able to figure that out, and I know our desktop support team sure as hell doesn't want to try and support VmWare across our corporation.
Until every single app can work seamlessly under Linux (either natively or via Wine), it's not an option for most companies that have more than a handful of employees.