ALERT: WPA can be less secure than WEP

Hey, if you've got a card with no drivers then that's not my fault. Point being there are live distros with everything ready to roll with support for a documented set of cards. Anyone with the intention of having a little fun will surely go and find a card that works rather than believing it doesn't happen just because the one card they have isn't on the supported list?

David.

Reply to
David Taylor

There's no point at all, there's a documented list and plenty of cards, it's NOT hard at all.

I have a Cisco 352, an Orinoco Gold, a Senao CD Ext2 Prism 2.5 and a Dlink DWL650G. None of these is in any way difficult to get hold of.

David.

Reply to
David Taylor

Consumers can look for SecureEasySetup software in the following products:

  • Brother MFC-640cw 7-in-1, Color Inkjet Multi-Function Center®;
  • Gateway notebook computers for the holiday buying season sold via leading technology and electronics retailers;
  • HP Photosmart 3310 All-in-One and HP Officejet Pro K550dtwn color printers; and
  • Linksys Wireless-G and Wireless-G with SpeedBooster product families, including desktop routers, travel routers, and CardBus, PCI and USB adapters.

One step....

There are a few experimenting but what if any interoperability there will be who knows.

AOSS

formatting link

Rob

As an aside Jeff, I just upgraded my FF browser and it keeps locking up on web pages including the FAQ. I was going to post in the discussion section but am not looking for a debate which will have been held many times. Why "Simplex" and not "Half-Duplex" in the performance and speed? I shall now go and re-install my old browser and do some maint.

Reply to
Rob

Really, it's not hassle.

Reply to
David Taylor

OK. I'll concede that other manufacturers are using SES. However, SES is not required to set up the router or device. It's just another setup program that nobody will run voluntarily. There's nothing to stop a user from setting up their router or wireless device with the default settings, zero security, default SSID, no encryption, and just using it. In other words, SES doesn't really solve the problem of clueless users deploying insecure wireless systems. It has to be solved by the device manufacturers changing the way the boxes are shipped by default. If the boxes were shipped with wireless disabled until SES is run, I might be convinced that SES is worthwhile.

Forward or backwards? From my warped perspective, it's just another setup program that most users will ignore. Also, I don't see any Mac, Unix, or Linux versions of SES.

There is one manufacturer, 2Wire, that have already *SOLVED* the problem of not shipping insecure by default routers. I mean like how hard is it for Linksys, Netgear, Dlink, and others to deliver firmware that presets a unique SSID, enables encryption by default, sets a default WEP/WPA key, and sets a default router config password?

I use FireFox 1.5beta3 and found a few bugs. However, I have it loaded on approximately 5 of my own machines and perhaps 5 of my customers and have not had it lockup on any web pages. I did have it screw up big time when I tried to import settings from IE6 where some spyware had crawled into the registry settings and caused Firefox to just lock up. Recovery required that I uninstall Firefox, dive into the registry and clean out anything left by Firefox, clean out the spyware, and then reinstall Firefox.

Too soon. It would be better if you added some useful content instead. I don't think it's ready for prime time. I'm also considering almost starting over with a question and answer FAQ format instead of what seems to be turning into an encyclopedia format.

You noticed. I've been debating that in a different mailing list. The problem is that ethernet and wireless are really simplex, not half-duplex (as I often post). The basic definitions of a link are:

  1. Simplex: both ends can only talk and listen one at a time.
  2. Half-duplex: One end can both talk and listen simultaneously (full duplex), but the other end(s) can only talk and hear one at a time (simplex).
  3. Full-duplex: Both ends of the line can talk and listen at the same time.

In two way radio, half-duplex is quite common. It's a central radio repeater, that can both talk and hear at the same time on different frequencies. However, the mobile radios can only either talk or listen, but not simultaneously. In datacomm, the only example I can think of are star type topologies, where the central transceiver is full duplex, but the remote clients are simplex.

Reply to
Jeff Liebermann

Perception is everything. If the customer is expected to perceive that the device is secure, it certainly should be as secure as possible without requiring an ordeal process or an educational experience.

Here we get into implementation. MAC addresses are public knowledge and should not be buried with security by obscurity and such. However, the generation of a pre-assigned WEP or WPA phrase creates a philosophical problem. If the vendor uses a "secret" magic formula or routine in the firmware to conglomerate the key, then someone will eventually disassemble the routine, write a keygen, and totally compromise the security model. It doesn't matter how many factors are used to seed the routine (serial number, MAC address, date of MFG, position of moon) it can be reverse engineered. Therefore, I've been pushing for the manufacturer to simply use a random rubbish generator and pre-load the loader area of the flash (where the MAC is also buried). There's nothing to reverse engineer.

2Wire.com uses the word "2wire" plus the last 3 digits of the MAC address for the SSID. It's not totally unique, but good enough to avoid problems with the neighbors.

Also, the default router password is the serial number of the router.

If you use their Home Portal "monitor" program to set up Windoze shares, it insists on password protecting the shares:

formatting link

Need default setups that are specific to DSL ISP's?

formatting link

I don't think that's necessary. What's needed is some feedback from paying customers. Maybe a few nasty editorials by the usual pundits. Maybe a few awards for 2Wire shipping "consumer friendly" products that will make the others look deficient. I was going to try and convince the alternative firmware vendors (Sveasoft, DD-WRT, etc) that it would be a good idea to show Linksys how it's done, but haven't the time to do the necessary ranting. My theory is that if someone does it right, the other manufacturers will follow.

By definition, the GUM are uneducated and uneducateable. Personally, I think convincing the manufactories is easier.

Reply to
Jeff Liebermann
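An added illustration of the point in the post above about pre-assigned keys (not code from the thread or from any vendor): a key derived from device facts by a "secret formula" is only as strong as the unknown inputs once the formula is disassembled, while a key drawn from a random generator at the factory has nothing to reverse engineer. The derivation formula, the label alphabet, the serial-number range and the `router` SSID prefix are all assumptions made for the sketch.

```python
import hashlib
import math
import secrets

# Label-friendly alphabet without look-alike characters (assumed for this sketch).
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def derived_default_key(mac: str, serial: int) -> str:
    """Hypothetical 'magic formula' scheme: the key is a pure function of
    device facts, so anyone holding the formula reproduces it exactly."""
    seed = f"{mac.lower()}|{serial:08d}".encode()
    return hashlib.sha256(seed).hexdigest()[:20]


def derived_key_bits(serial_candidates: int) -> float:
    """Uncertainty left once the formula is public: the MAC is broadcast,
    so only the plausible serial-number range still counts."""
    return math.log2(serial_candidates)


def random_default_key(length: int = 20) -> str:
    """Per-unit passphrase from the OS CSPRNG, to be stored in flash and
    printed on the label. It depends on no device attribute."""
    if not 8 <= length <= 63:  # WPA passphrase length limits
        raise ValueError("WPA passphrase must be 8..63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_key_bits(length: int = 20) -> float:
    """Entropy of a passphrase of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def provision(mac: str) -> dict:
    """Factory record for one unit: SSID suffix from the MAC (public anyway),
    passphrase from randomness only."""
    suffix = mac.replace(":", "")[-3:].upper()
    return {"mac": mac, "ssid": f"router{suffix}",
            "wpa_passphrase": random_default_key()}


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample value
    print("derived key :", derived_default_key(mac, 123456))
    print("derived bits: %.1f" % derived_key_bits(10**6))
    print("random unit :", provision(mac))
    print("random bits : %.1f" % random_key_bits())
```
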

I have frequently had my ear bent over this and people who have used Data Transfer as opposed to wireless for most of their lives keep referring me to sites such as:

formatting link
I think that you are right about re-working the FAQ. Perhaps more on the lines of
formatting link
Rob

My FF1.5 problem was noticeably worse if I had a pdf file open in another tab. However I have reverted back to 1.07 for the time being.

Reply to
Rob

Jeff, I meant to add that I don't expect a reply to this. I tend to say "whatever" if it is brought up in conversation but when it appears in a document I just like to know from which perspective the author views it.

Rob

Reply to
Rob

Sigh. This is one case where my wireless (radio experience) is detrimental. The telecom crowd seems to consider anything that is not full-duplex as being half-duplex. It also considers one way broadcasts to be the definition of simplex. It's quite different in the radio business. I'm not sure which is right, but I tend to argue in favor of the radio definition when discussing 802.11 wireless and telecom definition when discussing a wired or fiber implementation. To retain my sanity, I'll dump the simplex terminology and go back to half-duplex.

Yep. That's what got my attention. I've done FAQs before but never using a Wiki. The main thing for this one is that it reflects actual users' questions and not just good things to know.

Adobe Acrobat 7.0.x on XP and W2K seem to be acceptable. However, 6.0.x tends to hang all of my machines when opened in a browser. Works fine outside the browser. The ACRO32 process never seems to exit despite setting in preferences that it should go away and die on exit. Sometimes shutdown complains that it can't close "Tool Tips" which is part of Acrobat. I often get browser hangs if I stop a PDF from loading inside the browser. Methinks you're on the right track.

Reply to
Jeff Liebermann

That's good. The odds that you'll ever run into a collision there are pretty small.

I like that - as long as the serial number isn't directly related to the MAC.

I hope you're right :-)

Reply to
Derek Broughton

Are you serious? I've spent years trying to deploy Linux solutions with very limited success. The best I've been able to do is small office servers. Most of the current direction of the Linux releases is moving away from the geeks and programmers, and towards mainstream commodity use by the GUM (great unwashed masses). If you presume user competence, you may as well consign the desktop version of Linux to some manner of programmers specialty operating system. Yeah, it would be nice if the GUM had a clue about computers, security, and basic procedures, but they don't. They "just wannit to work" or some such simplification. Maybe the average Linux desktop user can be ignored by Broadcom. After all, a Linux group will surely reverse engineer the protocol and post an open source version anyway. But, what about Macintosh users or OS/X (Unix) users? They're not presumed to be knowledgeable.

In any case, "Real Linux Users" don't use commodity routers. They use a Linux server running PCTEL SoftAP to simulate a wireless access point and IPMasq with ipfw, ipfilters, ipchains, or iptables as a firewall. "Real Linux Users" are purists.

Reply to
Jeff Liebermann

Are you in India?

Really? PacHell/SBC/AT&T/Whatever have been shipping 2WIRE wireless routers (er.. Home Portals) for several years without much difficulty. The default password, SSID, and WEP/WPA key are inscribed on a label stuck on the bottom of the machine. They also supply a Windoze setup and monitor program to help with the PPPoE login and password loading. It also can easily be done with a web browser. I've done a few of these. Once I found the label, everything was obvious.

Drivel: The most challenging part of setting up a router is selecting a suitable password and WEP/WPA key. I've had customers literally agonize for a considerable number of minutes trying to select a suitable password. If they're setting up an account at the same time, the user name selection is equally difficult. I see pre-selection of the default passwords to be generally beneficial because it saves the customer the agony of being forced to think.

Not really. I wish I had a consistent approach to wireless troubleshooting. Most of what I find are problems on the client side. I drag in my known working laptop. If that plays, I concentrate on removing junkware and viruses, configuring overly complex personal firewalls, and generally clean house. I rarely have to tinker with the router except to configure port forwarding and triggering.

Oh, I understand exactly why they don't do it. However, it has nothing to do with the user's ease of setup or support problem. It has to do with what the competition is doing. None of the biggies (DLink, Linksys, Netgear, Belkin) want to do anything that is deemed to be fundamentally "different". There's too much risk in being labelled an oddity. 2wire can do it correctly because they only sell to big ISP's who can deal with the support issues. However, if only one manufacturer did it right, I can assure you that these vendors would instantly demand something similar from their far east product suppliers.

Reply to
Jeff Liebermann

I'm not sure, but the bugs mentioned sure sound like 1.5beta1 and not the current beta3.

I just ran through my "library" of stolen Javascript routines with 1.5beta3. No problems.

Nope. I've been running 1.5beta3 on several machines for about 2 weeks and have not seen any such problems.

Nope. However, I don't click on URL's sent in email so I wouldn't know if there's a problem. However, URL's from the "Help-About" pages of various programs I've tried work instantly.

I'm using Windoze 2000 SP4 on all but one of my machines which runs XP SP2. No freeze-ups, no hangs, and no reboots required. I do see hangs with Acrobat and Quicktime, but I don't think that's the browser as IE6 does the same thing.

I'm always suspicious of authors that say they are using the "latest" version. They usually are not using the latest version and often are embarrassed by the publication delays causing them to appear substantially behind the times. That's what I think happened here.

Incidentally, the bloated VM use was from 1.0.7, not 1.5beta3. I've been running the 1.5beta3 for about 2 hours doing my usual banking, stocks, browsing, eBay, etc. VM size is a conservative 50KB. Peak Mem use is 77.2KB. No sign of the previous memory leaks.

Reply to
Jeff Liebermann

I don't buy it. Most of the time, when someone has a problem, you have to turn off all the security and other bells and whistles because they got a step wrong when they turned it on. If you _started_ with a properly configured, secure, router, there'd be a lot less trouble.

There's certainly no excuse for providing every router with the password 'admin' (sorry all you Linksys users whose security I've just blown!).

Reply to
Derek Broughton

This one to me is the silliest, your sniffer was fooled for what, a couple of nanoseconds?

Not disagreeing with you here, remember this thread started with how to generate these massive keys you can't remember and have to write down to secure the network. My point is that that extreme in a home set up isn't required, just basic and reasonable precautions. Using your neighborhood as an example, if you wanted to steal bandwidth, which APs would you mooch off of, the one that you will have to crack security or the two open ones?

Again before someone jumps in out of context I'm not saying no precautions and I'm not talking about a business with trade secrets etc to protect, we're talking home network to a cable/DSL modem.

fundamentalism, fundamentally wrong.

Reply to
Rico

I can see the help desk at Linksys now... You are right of course, but I honestly don't blame the equipment makers, you see the questions that pop up here in this group (and I think most people on Usenet are a bit more tech savvy than the typical internet user). I'm not knocking anyone who has a question (unless they don't ask). My point is the support desks at Linksys would be drowning in calls if they encrypted before they shipped. First thing I do when encountering a friend that needs help is turn off all security, get things working then start applying. I suspect you take a similar approach when asked by your non-techie friends to help them out.

Again not saying you are wrong because you aren't, but I do understand why the makers don't do this.

fundamentalism, fundamentally wrong.

Reply to
Rico

I had not seen that, but that is a great idea, now if you can just force people to click the buttons...

fundamentalism, fundamentally wrong.

Reply to
Rico

Well let's be real here, if they are using a flavor of Unix (aside from Mac with its hand holding) or Linux and they don't know to secure their wireless network I think they deserve what might happen. I mean the Linux crowd should pretty well be techie enough to handle this issue.

fundamentalism, fundamentally wrong.

Reply to
Rico

Jeff Liebermann wrote: Snip

formatting link
  1. Mozilla was supposed to fix Firefox's JavaScript support in version 1.5. What I'm seeing is just the opposite. I'm having more trouble with proper page rendering than I had with Firefox 1.0.x. Some pages just crash or freeze the browser completely. For example, I can't make some JCPenney product pages load properly, and enterprise applications used by my company that worked okay with the previous version of Firefox no longer work as well.

  2. Firefox 1.5 also tends to freeze up after launch, and during or just after Web page load. I've also experienced very long launch times from links in other programs, such as from a hyperlink sent in email. These three symptoms were also commonly experienced by Firefox 1.0.1, 1.0.2, and 1.0.3 users. The problem appears to be back in Firefox 1.5.

In most cases the Firefox freeze-ups unstick themselves after a couple of minutes. But I have also experienced permanent lock-ups that have required me to kill the firefox.exe process. And I've even been forced to reboot Windows XP a few times.

In addition, PDFs are now a total adventure. Sometimes they work, sometimes they never finish loading. And I'm using the latest version of the Adobe Acrobat Reader.

Reply to
Rob

Haven't had time to test this yet, but even if it doesn't work, thanks for the effort

fundamentalism, fundamentally wrong.

Reply to
Rico

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.