Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp
<http://wifinetnews.com/archives/002452.html>
...
The offline PSK dictionary attack
...
Just about any 8-character string a user may select will be in the
dictionary. As the standard states, passphrases longer than 20 characters
are needed to start deterring attacks. This is considerably longer than
most people will be willing to use.
This offline attack should be easier to execute than the WEP attacks.
...
Using Random values for the PSK
The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
number for human entry; 20 character passphrases are considered too long
for entry. Given the nature of the attack against the 4-Way Handshake, a
PSK with only 128 bits of security is really sufficient, and in fact
against current brute-strength attacks, 96 bits SHOULD be adequate. This is
still larger than a large passphrase ...
...
Summary
...
Pre-Shared Keying is provided in the standard to simplify deployments in
small, low risk, networks. The risk of using PSKs against internal attacks
is almost as bad as WEP. The risk of using passphrase based PSKs against
external attacks is greater than using WEP. Thus the only value PSK has is
if only truly random keys are used, or for deploy testing of basic WPA or
802.11i functions. PSK should ONLY be used if this is fully understood by
the deployers.
See also:
Passphrase Flaw Exposed in WPA Wireless Security
<http://www.technewsworld.com/story/32070.html>
Wi-Fi Protected Access. Security in pre-shared key mode
<http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
Cracking Wi-Fi Protected Access (WPA)
<http://www.ciscopress.com/articles/article.asp?p=369221>
<http://www.ciscopress.com/articles/article.asp?p=370636&rl=1>
WPA Cracker
<http://www.tinypeap.com/html/wpa_cracker.html>
--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>
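Added example (not part of the original post or of the quoted article): a Python sketch of the defensive side of the advice above, sizing and generating truly random keys instead of human-chosen passphrases. The PBKDF2-HMAC-SHA1 mapping (SSID as salt, 4096 iterations, 256-bit output) is the standard WPA passphrase-to-PSK derivation; the function names and the 62-symbol alphabet are assumptions of this example.

```python
import hashlib
import math
import secrets
import string

# WPA limits: a passphrase is 8..63 printable ASCII characters; a raw PSK is
# entered as 64 hexadecimal digits (256 bits).
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63
PSK_BYTES = 32
ALNUM = string.ascii_letters + string.digits  # 62 symbols (this example's choice)


def uniform_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose characters are drawn uniformly at random.

    This is an upper bound: a string picked by a person carries far less.
    """
    return length * math.log2(alphabet_size)


def chars_needed(target_bits: int, alphabet_size: int) -> int:
    """Shortest uniformly random string that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_hex_psk() -> str:
    """Full 256-bit random PSK as 64 hex digits, taken from the OS CSPRNG."""
    return secrets.token_hex(PSK_BYTES)


def random_passphrase(target_bits: int = 96, alphabet: str = ALNUM) -> str:
    """Random passphrase with at least target_bits of entropy, within WPA limits."""
    symbols = sorted(set(alphabet))  # duplicates would overstate the entropy
    length = max(chars_needed(target_bits, len(symbols)), PASSPHRASE_MIN)
    if length > PASSPHRASE_MAX:
        raise ValueError("alphabet too small to reach target within 63 characters")
    return "".join(secrets.choice(symbols) for _ in range(length))


def derive_psk(passphrase: str, ssid: str) -> str:
    """Map a passphrase to the 256-bit PSK the way WPA does.

    The output is always 64 hex digits, but it is only as unpredictable as
    the passphrase that went in, which is why the key length alone says
    nothing about resistance to an offline dictionary attack.
    """
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, PSK_BYTES
    )
    return key.hex()


if __name__ == "__main__":
    # Best case for 8 random lowercase letters, versus the 96-bit target.
    print(f"8 random lowercase letters: {uniform_entropy_bits(8, 26):.1f} bits")
    for name, size in (("hex digits", 16), ("letters+digits", 62)):
        print(f"96 bits needs {chars_needed(96, size)} random {name}")
    print("random 256-bit PSK :", random_hex_psk())
    print("random passphrase  :", random_passphrase())
    # Constructed sample input: passphrase "password", SSID "IEEE".
    print("derived PSK        :", derive_psk("password", "IEEE"))
```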
> Just about any 8-character string a user may select will be in the
> dictionary.
Even deliberate misspellings, invented acronyms, and
<word><symbol><word> assemblies? How about made-up, non-dictionary
words?
When are SOHO routers going to include RADIUS or 802.1x? Isn't that
coming RSN...
>John Navas <spamf...@navasgroup.com> wrote:
>> <http://wifinetnews.com/archives/002452.html>
>
>> Just about any 8-character string a user may select will be in the
>> dictionary.
>
>Even deliberate misspellings, invented acronyms, and
><word><symbol><word> assemblies? How about made-up, non-dictionary
>words?
If you limit yourself to 8 character maximum passwords, a brute force
attack of all possible hex combinations will take 53710 days. See:
http://www.ciscopress.com/articles/article.asp?p=370636&seqNum=2
for the limitations. However, if any of the words are in the
dictionary, are devoid of non-text characters, are all lower case, or
follow well known keyboard patterns, then chances are high that it
will be recovered in considerably less time.
Once upon a time, I used to run the Unix Crack 4.5 program on
/etc/password or /etc/shadow to see how many trivial passwords can be
extracted. This is basic Hacker 101 type of password cracking that
uses a dictionary attack. Despite warnings from management and
threats of violence by myself, numerous users consistently and
regularly assigned themselves unsafe passwords. I fear that I'm still
guilty of that practice myself as I always seem to have a creativity
failure when it comes time to assign passwords and pass phrases. At
least I rarely reuse a password, which is another big time security
screwup.
>When are SOHO routers going to include RADIUS or 802.1x? Isn't that
>coming RSN...
There's already one that I found:
| http://www.zyxel.com/product/model.php?indexcate=1111384189&indexcate1=1085450343&indexFlagvalue=1021876859
There's also no reason that a company could not set up a RADIUS-like
authentication system on the internet and sell accounts. Microsloth
IAS will do this now.
| http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
Search for RADIUS/AAA service providers. Many of the "virtual ISPs"
use such services for admin and accounting. I've been tempted to
set up such a scheme in my office and provide authentication services
for my customers via the internet.
--
Jeff Liebermann je...@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
In <t71qk1ll5qupgpikh...@4ax.com> on Wed, 12 Oct 2005 08:46:51
-0400, William P. N. Smith <> wrote:
>John Navas <spamf...@navasgroup.com> wrote:
>> <http://wifinetnews.com/archives/002452.html>
>
>> Just about any 8-character string a user may select will be in the
>> dictionary.
>
>Even deliberate misspellings, invented acronyms, and
><word><symbol><word> assemblies? How about made-up, non-dictionary
>words?
A typical attack, which can be done offline, will be a dictionary attack
(including common misspellings), followed by a brute force attack if that
fails.
>When are SOHO routers going to include RADIUS or 802.1x? Isn't that
>coming RSN...
ZyXEL 2000 Plus
http://www.zyxel.com/product/model.php?indexcate=1111384189&indexcate1=1085450343&indexFlagvalue=1021876859
Or for less money, tinyPEAP on the WRT54G/GS <http://www.tinypeap.com/>
A wonderful program. I rewrote that years ago into a networked form, so
could run on about 50 workstations or so overnight. Always put detected
passwords back into the dictionary, so incremental pwd changes wouldn't
sneak past so easily. Used to grab up to maybe 10 passwords (out of
~1000 in the NIS) overnight - the accounts were then disabled by the
networking staff pending user "education". Fine until we got the MD's.
It was amazing how the MD's convenience outweighed security of entire
company computer network :-) Knuckles well rapped for doing the job.
Sorry, couldn't resist.
--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
>Jeff Liebermann wrote:
>...
>>
>> Once upon a time, I used to run the Unix Crack 4.5 program on
>> /etc/password or /etc/shadow to see how many trivial passwords can be
>> extracted. This is basic Hacker 101 type of password cracking that
>> uses a dictionary attack. Despite warnings from management and
>> threats of violence by myself, numerous users consistently and
>> regularly assigned themselves unsafe passwords. I fear that I'm still
>A wonderful program. I rewrote that years ago into a networked form, so
>could run on about 50 workstations or so overnight. Always put detected
>passwords back into the dictionary, so incremental pwd changes wouldn't
>sneak past so easily. Used to grab up to maybe 10 passwords (out of
>~1000 in the NIS) overnight - the accounts were then disabled by the
>networking staff pending user "education".
I did the same thing but manually. The reason was that I just hated
to get a phone call at 7AM demanding to know why their login was
disabled. I generally set up the lockout for during lunch break and
then only a few at a time.
>Fine until we got the MD's.
>It was amazing how the MD's convenience outweighed security of entire
>company computer network :-) Knuckles well rapped for doing the job.
That must have been before HIPAA. The confidentiality requirement put
me partially in charge of security at one medical conglomeration
with about 30 doctors and 60 assorted staff members. I got fed up
with the password issue so I arranged to have everyone get a security
dongle with an X.509 certificate. It also requires a password, but
that was just in case someone lost their dongle (which happened
literally the first day it was implemented). I tried to go with an OTP
(one time password) S/Key system, but the requirement that it had to
be a very fast login killed that plan. The X.509 dongle also had side
benefits in that it eliminated the common forgetting to log out
security hassle, was also used for 802.1x wireless authentication and
single signon for Microsloth and Unix servers, and acts as part of the
PKI pretzel for PGP encryption and email authentication.
>Sorry, couldn't resist.
The secret to long life and staying sane in this business is to never
waste energy resisting temptation.
--
Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
831.336.2558 voice
http://www.LearnByDestroying.com AE6KS
http://802.11junk.com Skype: JeffLiebermann
je...@comix.santa-cruz.ca.us je...@cruzio.com
Not sure about earlier MS solutions but IAS in Windows 2000 Server will
already happily do EAP-TLS authentications so they have been doing it
for a while.
Sander
Oooh. I didn't know that was in Windoze 2000. Yep:
| http://support.microsoft.com/default.aspx?scid=kb;en-us;318710
Looks like some "issues" were fixed:
| http://support.microsoft.com/kb/304697/
| http://support.microsoft.com/kb/303364/EN-US/
Well, it _was_, but now that you've published the algorithm, it's
practically trivial, isn't it? Well, assuming access to the same
'random seed' anyway. 8*)
In <3d7cp15f6l504m9aa...@4ax.com> on Tue, 06 Dec 2005 23:27:59
GMT, Gordon <gord...@DELETEswbell.net> wrote:
>To generate my passphrases I use an old church hymn book, taking
>the page number followed by the first letters of the words of one
>of the verses, followed by the hymn number. This is easy to
>remember, and I think it would be very hard for anyone to crack.
It can be shown mathematically that any reproducible pattern is bad. There
are other ways to remember passphrases. My own method is to keep generating
pseudo-random passphrases until I get a memorable acronym.
--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>
Now, we only need to figure out _which_ hymn book :-)
--
derek
I think people are a tad overly worried. Should a business be cautious? Of
course, but in your neighborhood in typical America, come on. How many
neighbors with Windows computers have any idea how to set up Linux, unpack
a couple of tarballs and get one of these cracker programs going (on a
laptop with a wireless card supported by the kernel)? You people
underestimate the hassle of getting set up to do this. Can it be done? Yes, but
get real: why is anyone going to go to these lengths just to leech a little
bandwidth off your home network?
fundamentalism, fundamentally wrong.
Which old hymnal? Methodist, Whiskeypalean, Baptist?
fundamentalism, fundamentally wrong.
"Paranoia strikes deep
Into your life it will creep
It starts when you're always afraid"
(Stephen Stills)
fundamentalism, fundamentally wrong.
In <4cKlf.38671$wi2...@bignews1.bellsouth.net> on Wed, 07 Dec 2005 23:28:22
GMT, rico...@hotmail.com (Rico) wrote:
"The road to security hell is paved with invalid assumptions."
"Overconfidence and complacency are alternate routes to the same destination."
In <96Klf.38576$wi2....@bignews1.bellsouth.net> on Wed, 07 Dec 2005 23:22:03
GMT, rico...@hotmail.com (Rico) wrote:
>In article <3d7cp15f6l504m9aa...@4ax.com>, gord...@DELETEswbell.net wrote:
>>On Wed, 12 Oct 2005 02:08:15 GMT, John Navas
>><spamf...@navasgroup.com> wrote:
>>
>>>Unfortunately, WPA-PSK is vulnerable to attack. See
>I think people are a tad overly worried.
I think you are a tad naive.
>Should a business be cautious of
>course, but in your neighborhood in typical America, come on. How many
>neighbors with Windows computers have any idea how to set up Linux, unpack
>a couple of tarballs and get one of these cracker programs going (on a
>laptop with a wireless card supported by the kernel).
Lots of kids.
>You people underestimate
>the hassle of getting set up to do this. Can it be done, yes, but
>get real why is anyone going to go to these lengths just to leech a little
>bandwidth off your home network?
It's actually trivial, and there are lots of people doing it.
Can you provide examples of residential wireless networks with even WEP
much less WPA being cracked? Otherwise, repeat what you said so I can start
laughing.
>
>>Should a business be cautious of
>>course, but in your neighborhood in typical America, come on. How many
>>neighbors with Windows computers have any idea how to set up Linux, unpack
>>a couple of tarballs and get one of these cracker programs going (on a
>>laptop with a wireless card supported by the kernel).
>
>Lots of kids.
Can you provide examples of residential wireless networks with even WEP
much less WPA being cracked? Otherwise, repeat what you said so I can start
laughing.
>
>>You people underestimate
>>the hassle of getting set up to do this. Can it be done, yes, but
>>get real why is anyone going to go to these lengths just to leech a little
>>bandwidth off your home network?
>
>It's actually trivial, and there are lots of people doing it.
Can you provide examples of residential wireless networks with even WEP
much less WPA being cracked? Otherwise, repeat what you said so I can start
laughing. Should be easy if "there are lots of people doing it."
fundamentalism, fundamentally wrong.
I await you regaling me with actual examples of suburban home wireless
home networks being hacked when even the most basic and simplest of
security tools have been employed (even a short WEP key maybe the son's
first name).
fundamentalism, fundamentally wrong.
It's not as wide-spread as many people are paranoid that it is, but it
certainly goes on.
I've had a couple of attempts on my WLAN. I know with certainty that these
attempts had to have been from wardriving assholes for a number of reasons. One:
My WLAN is 802.11a and does not spill off my property. My property is too
large. With just a standard client, someone would have to drive all the way
up my driveway to get even a very weak signal. The attempts had to have been
done by someone with a directional antenna with quite a bit of gain. Two:
In addition to the 802.11a for my WLAN, I also have 802.11g and 802.11b.
I use the 802.11g for media stuff and it is secure, but the 802.11b
(completely separate network) is open. It is an internet-only pipe that I
don't mind anyone using. (I am using a captive portal for content filtering
and logging though.) I have a couple outside repeaters for the 802.11b. If
these attempts were by someone just wanting to get an internet-pipe, they
would've used the 802.11b and not made any attempts on the 802.11a. Three:
The time that the attempts occurred; late Friday and Saturday nights.
Wardrivers haven't yet discovered females, so they spend their Friday and
Saturday nights doing so-called "research" and trying to "save the world
from itself". If they could get a girlfriend, they would probably lose
interest in people's stupid little $100 plastic boxes.
Cheers,
Eric
> I think people are a tad overly worried. Should a business be cautious of
> course, but in your neighborhood in typical America, come on. How many
> neighbors with Windows computers have any idea how to set up Linux, unpack
> a couple of tarballs and get one of these cracker programs going (on a
> laptop with a wireless card supported by the kernel).
Well, really, it's pretty darn simple. You could probably find a Live CD
that does the whole thing for you. However, most people would probably
take advantage of a situation where an available connection simply popped
up in Windows, but wouldn't actively seek out such a connection. From
posts on this newsgroup, it's obvious that many people actually think such
connections _should_ appear when they buy a computer with "wireless
Internet"
--
derek
You underestimate the ability to download a ready made ISO with all the
tools loaded! :)
David.
Rob
You clearly don't have a cupboard full of wireless cards to choose
from?!! :)
I have a bundle, somewhat frustrating that the linux heads can't even
write a load of tools and let it all work with just one card. Having to
have different cards for different tools is such a pain.
<g,d & r>
David.
Hey, it's not our fault that the manufacturers won't publish specs so that
we can write tools to work with all the cards. Basically, you're reduced
to using a few chipsets that have published the APIs, the fewer that
release binary drivers, or anything that lets you use the windows drivers
under ndiswrapper. Because of the different ways those methods work, some
tools won't work with all of them.
I simply chose my laptop based on the fact that it had a wireless NIC that I
already knew was well supported.
--
derek
Yeah I know, I was just having a fun dig at the Linux folks, see who I
could catch ;)
David.
Attempts, but they did not succeed, the 'kids' wardriving are looking for
open networks. I'm not for a moment saying you should not apply WEP or WPA,
I'm just saying there is no need in suburbia to go crazy over the
passphrase. Now a business should indeed be more careful as there are
people out there actually trying to get data off a business's network with
the idea of getting hold of trade secrets etc.
> I know with certainty that these
>attempts had to have been from wardriving assholes for a number of reasons. One:
>My WLAN is 802.11a and does not spill off my property. My property is too
>large. With just a standard client, someone would have to drive all the way
>up my driveway to get even a very weak signal. The attempts had to have been
>done by someone with a directional antenna with quite a bit of gain. Two:
>In addition to the 802.11a for my WLAN, I also have 802.11g and 802.11b.
>I use the 802.11g for media stuff and it is secure, but the 802.11b
>(completely separate network) is open. It is an internet-only pipe that I
>don't mind anyone using. (I am using a captive portal for content filtering
>and logging though.) I have a couple outside repeaters for the 802.11b. If
>these attempts were by someone just wanting to get an internet-pipe, they
>would've used the 802.11b and not made any attempts on the 802.11a. Three:
>The time that the attempts occurred; late Friday and Saturday nights.
>Wardrivers haven't yet discovered females, so they spend their Friday and
>Saturday nights doing so-called "research" and trying to "save the world
>from itself". If they could get a girlfriend, they would probably lose
>interest in people's stupid little $100 plastic boxes.
Seriously, one weekend (apply appropriate other security measures to
protect your computers) weaken your passphrase to something simple (the
dog's name, your little girl's name), switch to WEP on one of your APs so
they can have an 'easy' target to attack and see if they actually spend the
time to successfully crack your network. Won't happen. Now if you switch
your A network to no security, the factory defaults, of course they are
in in a minute, but that isn't what I'm saying.
I contend and no one has shown me documentation to the contrary that very
basic precautions are more than enough for a home network. WPA or WEP is
plenty with just a basic passphrase that isn't real obvious (don't use the
house number or zip code or your last name<g>).
>
>Cheers,
>Eric
>
>
fundamentalism, fundamentally wrong.
Gotta get the module loaded for that card. So you gotta have a card that is
supported. I'm holding off installing Linux on a spare laptop I
'inherited' from a customer recently because I'm having an issue getting
the wireless card I want to use supported.
> However, most people would probably
>take advantage of a situation where an available connection simply popped
>up in Windows, but wouldn't actively seek out such a connection. From
>posts on this newsgroup, it's obvious that many people actually think such
>connections _should_ appear when they buy a computer with "wireless
>Internet"
I'm not saying take no precautions, but the basic steps are fine and more
than enough for a home network. Use one of the encryption schemes WPA or
WEP and use a less than obvious passphrase and you are covered. Even a
wardriving kid who can't get a date on Friday night will cruise by you, see
your network (SSID), maybe make an attempt, get bored and move down the
block to the open network. People are lazy and kids are easily bored. If
there are easier pickings down the street why put in the effort to break
into a secure network. It isn't that the alarm on your door actually keeps
a determined burglar out but why bother when the house next door has no
alarm.
Now what I would like to see is a way to hack past the proxy at a McDonalds
<grin> and get free internet while clogging my arteries.
fundamentalism, fundamentally wrong.
Please point me to that ISO with support for my WPC55AG version 1 card. (I
would prefer Fedora, but will take what I can get) Thanks.
>
>David.
fundamentalism, fundamentally wrong.
bingo!!!
My point exactly.
>
>Rob
fundamentalism, fundamentally wrong.
But you underscore my point, yes you can find card(s) that can do it, but
look at what a hassle it is for the average kid with a somewhat limited
budget.
>
>David.
fundamentalism, fundamentally wrong.
The main problem is that people are either too lazy or don't understand
the eqpt they are using so they don't take any precautions at all. They
believe the hype about straight from the box and hardly ever read the
manuals. This applies to computers in general as well as wireless.
http://www.msnbc.msn.com/id/10363568/
I live on the outskirts of a small town and within wireless range of
my network there are 3 other networks:-
1. ad-hoc no security
2. Hidden SSID no security
3. Hidden SSID encrypted
No. 3 actually uses WPA (I know the owner) though it shows up as WEP with
the "Sniffer".
We therefore have 50% of the networks can easily be "utilised" by other
people.
The main problem lies in educating people so that security becomes a
habit and not an afterthought. Electronics and the hacker do not stand
still so neither should the user.
Rob
> Please point me to that ISO with support for my WPC55AG version 1 card. (I
> would prefer Fedora, but will take what I can get) Thanks.
>
>
>>David.
>
>
> fundamentalism, fundamentally wrong.
Jeff has already posted a link to this "Live CD"
http://www.remote-exploit.org/index.php/Auditor_main
Whether this works with your card I don't know although it seems to work
with "Atheros" chipsets. We originally had 4 laptops in the house and
none of their original cards were recognised so I ended up getting a
second hand one from a computer fair. There is a list of known working
cards on the site but I don't know when it was last updated.
Rob
>The main problem is that people are either too lazy or don't understand
>the eqpt they are using so they don't take any precautions at all.
Sounds almost like "blame the victim".
I beg to differ. Methinks the real problem is the manufacturers'
unwillingness to deliver a product that's secure out of the box. All
that would be necessary is to deliver the wireless router with:
1. A pre-assigned WEP or WPA pass phrase.
2. A pre-assigned unique SSID.
3. A pre-assigned router config password.
At the very worst, the wireless should be disabled until configured
properly. At this time, only 2Wire.com delivers wireless routers in
this manner, with the SSID and passwords printed on a label attached
to the router.
I tried to convince one manufacturer that they should do this, but
they claim it will create "confusion" among the customers or is too
difficult to manufacture. It will also affect the customer's OBE (out
of box experience). Can't have that happen.
The only argument that seems to get their attention is that it creates
a potential liability situation. The outside of the box proclaims all
manner of security features, but there's no warning to the customer
that these security features are delivered disabled by default. The
typical customer's perception is that it's a secure router, with no
additional effort on their part. I contend that any consequential
damages might be actionable in court, but not being an attorney, my
opinion carries little weight.
I run into users that buy wireless routers, but don't have any
wireless clients. The logic is that they "might" need the wireless
later when they buy a laptop. Meanwhile, the wireless section of the
router is left enabled and wide open for anyone to use. When I
mention the security implications, they often don't understand the
nature of the problem. Maybe a front panel wireless on-off switch
would be more useful for these.
Which would you rather do? Which is easier? Educate the GUM (great
unwashed masses), or just get the manufactories to clean up their
default installation?
--
Jeff Liebermann je...@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
>Jeff has already posted a link to this "Live CD"
>http://www.remote-exploit.org/index.php/Auditor_main
>
>Whether this works with your card I don't know although it seems to work
>with "Atheros" chipsets. We originally had 4 laptops in the house and
>none of their original cards were recognised so I ended up getting a
>second hand one from a computer fair. There is a list of known working
>cards on the site but I don't know when it was last updated.
I don't think it will work with Atheros chips. See:
http://www.remote-exploit.org/index.php/Auditor_FAQ
for a general clue as to supported cards. Basically, you try it, see
if it works, and buy something else if it doesn't.
Note that this is basically the Knoppix runtime and has most of
Knoppix features and supported software. However, Knoppix has gone a
bit farther in driver support than the Security Auditor CD and might
be a better LiveCD.
http://www.knoppix.net/wiki/Wireless_Networking
I use a no-name Prism 2 b/g card I bought on eBay for $25. Also my
Orinoco Silver card works (for 802.11b only).
>Please point me to that ISO with support for my WPC55AG version 1 card. (I
>would prefer Fedora, but will take what I can get) Thanks.
Well, that's one of the supported cards. You win. Read:
http://www.knoppix.net/forum/viewtopic.php?t=12351
http://hardware.newsforge.com/hardware/04/05/28/1738226.shtml?tid=65&tid=81
>Snip..................................
>http://www.smallbusinesscomputing.com/webmaster/print.php/3567981
"To take advantage of SES, you must use a client adapter that's
also SES-capable, like the WPC54GS CardBus adapter (Linksys also
offers SES-compatible PCI and USB adapters)."
It also only works with WPA-PSK, not WEP.
Do you see a problem here perhaps? On the client end, it's all in the
driver software, but that has to be licensed from Broadcom. I don't
see a rush to license SES by other vendors unless it's endorsed by the
Wi-Fi Alliance. At least HP will eventually support SES.
Also:
"...it doesn't disable the SSID broadcast, which is generally
considered a helpful (albeit modest) security measure. It also
doesn't enable MAC filtering or force you to change the router's
default administrator password."
It's been around for a while since the intro of the WRT54G v3
http://www.broadcom.com/products/secureeasysetup.php
Have you ever looked at any of the security live CD's with all the
drivers ready to go?
Nothing to load.
David.
Hey, if you've got a card with no drivers then that's not my fault.
Point being there are live distros with everything ready to roll with
support for a documented set of cards. Anyone with the intention of
having a little fun will surely go and find a card that works rather
than believing it doesn't happen just because the one card they have
isn't on the supported list?
David.
There's no point at all, there's a documented list and plenty of cards,
it's NOT hard at all.
I have a Cisco 352, an Orinoco Gold, a Senao CD Ext2 Prism 2.5 and a
Dlink DWL650G. None of these is in any way difficult to get hold of.
David.
Consumers can look for SecureEasySetup software in the following products:
* Brother MFC-640cw 7-in-1, Color Inkjet Multi-Function Center®;
* Gateway notebook computers for the holiday buying season sold via
leading technology and electronics retailers;
* HP Photosmart 3310 All-in-One and HP Officejet Pro K550dtwn color
printers; and
* Linksys Wireless-G and Wireless-G with SpeedBooster product
families, including desktop routers, travel routers, and CardBus, PCI
and USB adapters.
>
> Also:
> "...it doesn't disable the SSID broadcast, which is generally
> considered a helpful (albeit modest) security measure. It also
> doesn't enable MAC filtering or force you to change the router's
> default administrator password."
>
> It's been around for a while since the intro of the WRT54G v3
> http://www.broadcom.com/products/secureeasysetup.php
>
>
>
One step....
There are a few experimenting but what if any interoperability there
will be who knows.
AOSS
http://www.buffalotech.com/wireless/products/airstation/WBR2G54.html
Rob
As an aside Jeff I just upgraded my FF browser and it keeps locking up
on web pages including the FAQ. I was going to post in the discussion
section but am not looking for a debate which will have been held many
times. Why "Simplex" and not "Half-Duplex" in the performance and speed?
I shall now go and re-install my old browser and do some maint.
> On Fri, 9 Dec 2005 14:37:34 +0000 (UTC), Rob <m...@private.privacy>
> wrote:
>
>>The main problem is that people are either too lazy or don't understand
>>the eqpt they are using so they don't take any precautions at all.
>
> Sounds almost like "blame the victim".
>
> I beg to differ. Methinks the real problem is the manufacturers'
> unwillingness to deliver a product that's secure out of the box.
You're right that we should lay the blame in the right place - it's true
that the average person buying a wireless router has no idea what they're
doing so it's really the manufacturer's responsibility to make things as
secure as possible "out of the box".
> All
> that would be necessary is to deliver the wireless router with:
> 1. A pre-assigned WEP or WPA pass phrase.
pre-assigned _unique_ key - not generated sequentially like their MAC
addresses are (my two Linksys routers, bought at the same time, have
sequential MACs).
> 2. A pre-assigned unique SSID.
> 3. A pre-assigned router config password.
> At the very worst, the wireless should be disabled until configured
> properly. At this time, only 2Wire.com delivers wireless routers in
> this manner, with the SSID and passwords printed on a label attached
> to the router.
Good for them!
>
> I tried to convince one manufacturer that they should do this, but
> they claim it will create "confusion" among the customers or is too
> difficult to manufacture.
As much confusion as is caused when they start up their Linksys or Netgear
router and their laptop finds half a dozen local APs with the same SSID?
> The only argument that seems to get their attention is that it creates
> a potential liability situation. The outside of the box proclaims all
> manner of security features, but there's no warning to the customer
> that these security features are delivered disabled by default.
It's taken a whole lot of threatening of lawsuits to convince Microsoft that
security is important - and I'm still not convinced the majority of people
working there are convinced of it. The router manufacturers are probably
going to need to be named in a suit or two before they do anything.
> Which would you rather do? Which is easier? Educate the GUM (great
> unwashed masses), or just get the manufactories to clean up their
> default installation?
I'm all for educating the GUM - education is a good thing :-) But selling
unsecured routers is like the phone companies selling you a private line
but actually giving you a party line (for you young'uns, there was once a
time when you not only didn't _need_ a warrant for a wiretap, but listening
in on phone calls was the community's favorite pastime).
--
derek
Really, it's not hassle.
>Consumers can look for SecureEasySetup software in the following products:
>
> * Brother MFC-640cw 7-in-1, Color Inkjet Multi-Function Center®;
> * Gateway notebook computers for the holiday buying season sold via
>leading technology and electronics retailers;
> * HP Photosmart 3310 All-in-One and HP Officejet Pro K550dtwn color
>printers; and
> * Linksys Wireless-G and Wireless-G with SpeedBooster product
>families, including desktop routers, travel routers, and CardBus, PCI
>and USB adapters.
OK. I'll concede that other manufacturers are using SES. However,
SES is not required to setup the router or device. It's just another
setup program that nobody will run voluntarily. There's nothing to
stop a user from setting up their router or wireless device with the
default settings, zero security, default SSID, no encryption, and just
using it. In other words, SES doesn't really solve the problem of
clueless users deploying insecure wireless systems. It has to be
solved by the device manufacturers changing the way the boxes are
shipped by default. If the boxes were shipped with wireless disabled
until SES is run, I might be convinced that SES is worthwhile.
>One step....
Forward or backwards? From my warped perspective, it's just another
setup program that most users will ignore. Also, I don't see any Mac,
Unix, or Linux versions of SES.
>There are a few experimenting but what if any interoperability there
>will be who knows.
>
>AOSS
>http://www.buffalotech.com/wireless/products/airstation/WBR2G54.html
There is one manufacturer, 2Wire, that have already *SOLVED* the
problem of not shipping insecure by default routers. I mean like how
hard is it for Linksys, Netgear, Dlink, and others to deliver firmware
that presets a unique SSID, enables encryption by default, sets a
default WEP/WPA key, and sets a default router config password?
>As an aside Jeff I just upgraded my FF browser and it keeps locking up
>on web pages including the FAQ.
I use FireFox 1.5beta3 and found a few bugs. However, I have it
loaded on approximately 5 of my own machines and perhaps 5 of my
customers and have not had it lockup on any web pages. I did have it
screw up big time when I tried to import settings from IE6 where some
spyware had crawled into the registry settings and caused Firefox to
just lock up. Recovery required that I uninstall Firefox, dive into
the registry and clean out anything left by Firefox, clean out the
spyware, and then reinstall Firefox.
>I was going to post in the discussion
>section but am not looking for a debate which will have been held many
>times.
Too soon. It would be better if you added some useful content
instead. I don't think it's ready for prime time. I'm also
considering almost starting over with a question and answer FAQ format
instead of what seems to be turning into an encyclopedia format.
>Why "Simplex" and not "Half-Duplex" in the performance and speed.
You noticed. I've been debating that in a different mailing list. The
problem is that ethernet and wireless are really simplex, not
half-duplex (as I often post). The basic definitions of a link are:
1. Simplex: both ends can only talk and listen one at a time.
2. Half-duplex: One end can both talk and listen simultaneously (full
duplex), but the other end(s) can only talk and hear one at a time
(simplex).
3. Full-duplex: Both ends of the line can talk and listen at the same
time.
In two way radio, half-duplex is quite common. It's a central radio
repeater, that can both talk and hear at the same time on different
frequencies. However, the mobile radios can only either talk or
listen, but not simultaneously. In datacomm, the only example I can
think of are star type topologies, where the central transceiver is
full duplex, but the remote clients are simplex.
--
Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
831.336.2558 voice
http://www.LearnByDestroying.com AE6KS
http://802.11junk.com Skype: JeffLiebermann
je...@comix.santa-cruz.ca.us je...@cruzio.com
>You're right that we should lay the blame in the right place - it's true
>that the average person buying a wireless router has no idea what they're
>doing so it's really the manufacturer's responsibility to make things as
>secure as possible "out of the box".
Perception is everything. If the customer is expected to perceive
that the device is secure, it certainly should be as secure as
possible without requiring an ordeal process or an educational
experience.
>> 1. A pre-assigned WEP or WPA pass phrase.
>
>pre-assigned _unique_ key - not generated sequentially like their MAC
>addresses are (my two Linksys routers, bought at the same time, have
>sequential MACs).
Here we get into implementation. MAC addresses are public knowledge
and should not be buried with security by obscurity and such. However,
the generation of a pre-assigned WEP or WPA phrase creates a
philosophical problem. If the vendor uses a "secret" magic formula or
routine in the firmware to conglomerate the key, then someone will
eventually disassemble the routine, write a keygen, and totally
compromise the security model. It doesn't matter how many factors are
used to seed the routine (serial number, MAC address, date of MFG,
position of moon) it can be reverse engineered. Therefore, I've been
pushing for the manufacturer to simply use a random rubbish generator
and pre-load the loader area of the flash (where the MAC is also
buried). There's nothing to reverse engineer.
>> 2. A pre-assigned unique SSID.
2Wire.com uses the word "2wire" plus the last 3 digits of the MAC
address for the SSID. It's not totally unique, but good enough to
avoid problems with the neighbors.
Also, the default router password is the serial number of the router.
If you use their Home Portal "monitor" program to setup Windoze
shares, it insists on password protecting the shares:
: http://support.2wire.com/cgi-bin/twowire.cfg/php/enduser/std_adp.php?p_sid=9LDImGWh&p_lva=&p_faqid=189&p_created=1044499848&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTEwJnBfc2VhcmNoX3RleHQ9cGFzc3dvcmQmcF9zZWFyY2hfdHlwZT0zJnBfcHJvZF9sdmwxPX5hbnl_JnBfcHJvZF9sdmwyPX5hbnl_JnBfY2F0X2x2bDE9fmFueX4mcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=
Need default setups that are specific to DSL ISP's?
: http://www.2wire.com/?p=268
>It's taken a whole lot of threatening of lawsuits to convince Microsoft that
>security is important - and I'm still not convinced the majority of people
>working there are convinced of it. The router manufacturers are probably
>going to need to be named in a suit or two before they do anything.
I don't think that's necessary. What's needed is some feedback from
paying customers. Maybe a few nasty editorials by the usual pundits.
Maybe a few awards for 2Wire shipping "consumer friendly" products
that will make the others look deficient. I was going to try and
convince the alternative firmware vendors (Sveasoft, DD-WRT, etc) that
it would be a good idea to show Linksys how it's done, but haven't the
time to do the necessary ranting. My theory is that if someone does
it right, the other manufacturers will follow.
>I'm all for educating the GUM - education is a good thing :-)
By definition, the GUM are uneducated and uneducable. Personally,
I think convincing the manufactories is easier.
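The contrast drawn in the post above, between a firmware "magic formula" and a factory random generator, sketched as an added example (not code from any poster in this thread or from any vendor). The function names, the `vendor_secret`, the `router` SSID prefix and the sample MACs and serial are hypothetical.

```python
import hashlib
import math
import secrets

# Label alphabet without I, L, O, U so a printed key is hard to misread.
LABEL_ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # 32 symbols = 5 bits each


def derived_default_key(mac: str, serial: str, vendor_secret: bytes) -> str:
    """Hypothetical 'magic formula' default key (the weak design).

    The MAC is broadcast, the serial is printed on the box, and the secret
    is the same in every firmware image, so the key is a pure function of
    data that does not stay private.
    """
    material = vendor_secret + mac.encode() + serial.encode()
    return hashlib.sha256(material).hexdigest()[:26].upper()


def random_default_key(bits: int = 128) -> str:
    """Factory-random key: OS CSPRNG output, kept only in flash and on the label."""
    symbols = math.ceil(bits / 5)
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(symbols))


def key_entropy_bits(key: str) -> float:
    """Entropy of a key drawn uniformly from LABEL_ALPHABET."""
    return len(key) * math.log2(len(LABEL_ALPHABET))


def is_reproducible(generate, *public_inputs) -> bool:
    """True if running the generator again on the same inputs yields the same key."""
    return generate(*public_inputs) == generate(*public_inputs)


def provision(mac: str) -> dict:
    """Build the per-unit record written to flash and printed on the label."""
    mac_hex = mac.replace(":", "").upper()
    return {
        "mac": mac,
        "ssid": "router" + mac_hex[-3:],  # prefix + last 3 MAC digits, as 2Wire does
        "wpa_passphrase": random_default_key(128),
        "admin_password": random_default_key(80),
    }


def audit_batch(records: list) -> list:
    """Return a list of problems found in a batch of factory records."""
    problems = []
    seen = set()
    for rec in records:
        mac_hex = rec["mac"].replace(":", "").upper()
        for field in ("wpa_passphrase", "admin_password"):
            value = rec[field]
            if value in seen:
                problems.append(f"{rec['mac']}: {field} duplicates another credential")
            seen.add(value)
            if mac_hex[-6:] in value.upper():
                problems.append(f"{rec['mac']}: {field} embeds the MAC")
        if not 8 <= len(rec["wpa_passphrase"]) <= 63:  # WPA passphrase length limits
            problems.append(f"{rec['mac']}: WPA passphrase length out of range")
    return problems


# Constructed sample data: two units with sequential MACs, as in the thread.
SAMPLE_MACS = ["00:11:22:33:4A:3E", "00:11:22:33:4A:3F"]

if __name__ == "__main__":
    secret = b"same-in-every-image"  # hypothetical firmware constant
    print(is_reproducible(derived_default_key, SAMPLE_MACS[0], "SN0001", secret))
    print(is_reproducible(random_default_key))
    batch = [provision(m) for m in SAMPLE_MACS]
    for rec in batch:
        print(rec["ssid"], rec["wpa_passphrase"], key_entropy_bits(rec["wpa_passphrase"]))
    print(audit_batch(batch))
```

The derived key comes out identical every time the formula is run on the same unit identifiers, which is what makes a keygen possible; the random key exists only in that unit's flash and on its label.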
>
>>Why "Simplex" and not "Half-Duplex" in the performance and speed.
>
>
> You noticed. I've been debating that in a different mailing list.
I have frequently had my ear bent over this and people who have used
Data Transfer as opposed to wireless for most of their lives keep
referring me to sites such as:
http://www.tcpipguide.com/free/t_SimplexFullDuplexandHalfDuplexOperation.htm
http://www.erg.abdn.ac.uk/users/gorry/course/intro-pages/simplex.html
http://physinfo.ulb.ac.be/cit_courseware/datacomm/dc_014.htm
I think that you are right about re-working the FAQ. Perhaps more on the
lines of http://www.dslreports.com/faq/wlan
Rob
My FF1.5 problem was noticeably worse if I had a pdf file open in
another tab. However I have reverted back to 1.07 for the time being.
Rob
>Jeff Liebermann wrote:
>>>Why "Simplex" and not "Half-Duplex" in the performance and speed.
>> You noticed. I've been debating that in a different mailing list.
>I have frequently had my ear bent over this and people who have used
>Data Transfer as opposed to wireless for most of their lives keep
>referring me to sites such as:
>http://www.tcpipguide.com/free/t_SimplexFullDuplexandHalfDuplexOperation.htm
>http://www.erg.abdn.ac.uk/users/gorry/course/intro-pages/simplex.html
>http://physinfo.ulb.ac.be/cit_courseware/datacomm/dc_014.htm
Sigh. This is one case where my wireless (radio experience) is
detrimental. The telecom crowd seems to consider anything that is not
full-duplex as being half-duplex. It also considers one way broadcasts
to be the definition of simplex. It's quite different in the radio
business. I'm not sure which is right, but I tend to argue in favor
of the radio definition when discussing 802.11 wireless and telecom
definition when discussing a wired or fiber implementation. To retain
my sanity, I'll dump the simplex terminology and go back to
half-duplex.
>I think that you are right about re-working the FAQ. Perhaps more on the
>lines of http://www.dslreports.com/faq/wlan
Yep. That's what got my attention. I've done FAQ's before but never
using a Wiki. The main thing for this one is that it reflects actual
users questions and not just good things to know.
>My FF1.5 problem was noticeably worse if I had a pdf file open in
>another tab. However I have reverted back to 1.07 for the time being.
Adobe Acrobat 7.0.x on XP and W2K seem to be acceptable. However,
6.0.x tends to hang all of my machines when opened in a browser. Works
fine outside the browser. The ACRO32 process never seems to exit
despite setting in preferences that it should go away and die on exit.
Sometimes shutdown complains that it can't close "Tool Tips" which is
part of Acrobat. I often get browser hangs if I stop a PDF from
loading inside the browser. Methinks you're on the right track.
>>> 2. A pre-assigned unique SSID.
>
> 2Wire.com uses the word "2wire" plus the last 3 digits of the MAC
> address for the SSID. It's not totally unique, but good enough to
> avoid problems with the neighbors.
That's good. The odds that you'll ever run into a collision there are
pretty small.
>
> Also, the default router password is the serial number of the router.
I like that - as long as the serial number isn't directly related to the
MAC.
>
>>It's taken a whole lot of threatening of lawsuits to convince Microsoft
>>that security is important - and I'm still not convinced the majority of
>>people
>>working there are convinced of it. The router manufacturers are probably
>>going to need to be named in a suit or two before they do anything.
>
> I don't think that's necessary. What's needed is some feedback from
> paying customers. Maybe a few nasty editorials by the usual pundits.
> Maybe a few awards for 2Wire shipping "consumer friendly" products
> that will make the others look deficient.
I hope you're right :-)
--
derek
> 3. Hidden SSID encrypted
>No. 3 actually uses WPA (I know the owner) though it shows up as WEP with
>the "Sniffer".
>We therefore have 50% of the networks can easily be "utilised" by other
>people.
> The main problem lies in educating people so that security becomes a
>habit and not an afterthought. Electronics and the hacker do not stand
>still so neither should the user.
>
>Rob
Not disagreeing with you here, remember this thread started with how to
generate these massive keys you can't remember and have to write down to
secure the network. My point is that that extreme in a home set up isn't
required, just basic and reasonable precautions. Using your neighborhood as
an example, if you wanted to steal bandwidth, which APs would you mooch off
of, the one that you will have to crack security or the two open ones?
Again before someone jumps in out of context I'm not saying no precautions
and I'm not talking about a business with trade secrets etc to protect,
we're talking home network to a cable/DSL modem.
fundamentalism, fundamentally wrong.
I can see the help desk at Linksys now... You are right of course, but I
honestly don't blame the equipment makers, you see the questions that pop
up here in this group (and I think most people on Usenet are a bit more
tech savvy than the typical internet user). I'm not knocking anyone who has
a question (unless they don't ask). My point is the support desks at
Linksys would be drowning in calls if they encrypted before they shipped.
First thing I do when encountering a friend that needs help is turn off all
security, get things working then start applying. I suspect you take a
similar approach when asked by your non-techie friends to help them out.
Again not saying you are wrong because you aren't, but I do understand why
the makers don't do this.
>
>The only argument that seems to get their attention is that it creates
>a potential liability situation. The outside of the box proclaims all
>manner of security features, but there's no warning to the customer
>that these security features are delivered disabled by default. The
>typical customers perception is that it's a secure router, with no
>additional effort on their part. I contend that any consequential
>damages might be actionable in court, but not being an attorney, my
>opinion carries little weight.
>
>I run into users that buy wireless routers, but don't have any
>wireless clients. The logic is that they "might" need the wireless
>later when they buy a laptop. Meanwhile, the wireless section of the
>router is left enabled and wide open for anyone to use. When I
>mention the security implications, they often don't understand the
>nature of the problem. Maybe a front panel wireless on-off switch
>would be more useful for these.
>
>Which would you rather do? Which is easier? Educate the GUM (great
>unwashed masses), or just get the manufactories to clean up their
>default installation?
>
fundamentalism, fundamentally wrong.
I had not seen that, but that is a great idea, now if you can just force
people to click the buttons...
fundamentalism, fundamentally wrong.
Well let's be real here, if they are using a flavor of Unix (aside from Mac
with its hand holding) or Linux and they don't know to secure their
wireless network I think they deserve what might happen. I mean the Linux
crowd should pretty well be techie enough to handle this issue.
fundamentalism, fundamentally wrong.
> In article <jkcjp1l0or7h77fg1...@4ax.com>, Jeff Liebermann
> <je...@comix.santa-cruz.ca.us> wrote:
>>
>>I tried to convince one manufacturer that they should do this, but
>>they claim it will create "confusion" among the customers or is too
>>difficult to manufacture. It will also affect the customers OBE (out
>>of box experience). Can't have that happen.
>
> I can see the help desk at Linksys now... You are right of course, but I
> honestly don't blame the equipment makers, you see the questions that pop
> up here in this group (and I think most people on Usenet are a bit more
> tech savvy than the typical internet user). I'm not knocking anyone who
> has a question (unless they don't ask). My point is the support desks at
> Linksys would be drowning in calls if they encrypted before they shipped.
> First thing I do when encountering a friend that needs help is turn off
> all security, get things working then start applying. I suspect you take a
> similar approach when asked by your non-techie friends to help them out.
>
> Again not saying you are wrong because you aren't, but I do understand why
> the makers don't do this.
I don't buy it. Most of the time, when someone has a problem, you have to
turn off all the security and other bells and whistles because they got a
step wrong when they turned it on. If you _started_ with a properly
configured, secure, router, there'd be a lot less trouble.
There's certainly no excuse for providing every router with the password
'admin' (sorry all you Linksys users whose security I've just blown!).
--
derek
http://internetweek.cmp.com/handson/showArticle.jhtml;jsessionid=WOTZXI5PHALB4QSNDBGCKHSCJUMEKJVN?articleId=174907404&pgno=2
1. Mozilla was supposed to fix Firefox's JavaScript support in
version 1.5. What I'm seeing is just the opposite. I'm having more
trouble with proper page rendering than I had with Firefox 1.0.x. Some
pages just crash or freeze the browser completely. For example, I can't
make some JCPenney product pages load properly, and enterprise
applications used by my company that worked okay with the previous
version of Firefox no longer work as well.
2. Firefox 1.5 also tends to freeze up after launch, and during or
just after Web page load. I've also experienced very long launch times
from links in other programs, such as from a hyperlink sent in email.
These three symptoms were also commonly experienced by Firefox 1.0.1,
1.0.2, and 1.0.3 users. The problem appears to be back in Firefox 1.5.
In most cases the Firefox freeze-ups unstick themselves after a
couple of minutes. But I have also experienced permanent lock-ups that
have required me to kill the firefox.exe process. And I've even been
forced to reboot Windows XP a few times.
In addition, PDFs are now a total adventure. Sometimes they work,
sometimes they never finish loading. And I'm using the latest version of
the Adobe Acrobat Reader.
Haven't had time to test this yet, but even if it doesn't work, thanks for
the effort
>
fundamentalism, fundamentally wrong.
Look at all this dance you are doing just to say you could with time maybe
crack some home network? Get real, this is the point, look at what all you
went through.
fundamentalism, fundamentally wrong.
What is your occupation (not trying to pry here, but to make a point)?
fundamentalism, fundamentally wrong.
>>Forward or backwards? From my warped perspective, it's just another
>>setup program that most users will ignore. Also, I don't see any Mac,
>>Unix, or Linux versions of SES.
>Well let's be real here, if they are using a flavor of Unix (aside from Mac
>with its hand holding) or Linux and they don't know to secure their
>wireless network I think they deserve what might happen. I mean the Linux
>crowd should pretty well be techie enough to handle this issue.
Are you serious? I've spent years trying to deploy Linux solutions
with very limited success. The best I've been able to do is small
office servers. Most of the current direction of the Linux releases
is moving away from the geeks and programmers, and towards mainstream
commodity use by the GUM (great unwashed masses). If you presume user
competence, you may as well consign the desktop version of Linux to
some manner of programmers specialty operating system. Yeah, it would
be nice if the GUM had a clue about computers, security, and basic
procedures, but they don't. They "just wannit to work" or some such
simplification. Maybe the average Linux desktop user can be ignored
by Broadcom. After all, a Linux group will surely reverse engineer
the protocol and post an open source version anyway. But, what about
Macintosh users or OS/X (Unix) users? They're not presumed to be
knowledgeable.
In any case, "Real Linux Users" don't use commodity routers. They
use a Linux server running PCTEL SoftAP to simulate a wireless access
point and IPMasq with ipfw, ipfilters, ipchains, or iptables as a
firewall. "Real Linux Users" are purists.
>I can see the help desk at Linksys now...
Are you in India?
>My point is the support desks at
>Linksys would be drowning in calls if they encrypted before they shipped.
Really? PacHell/SBC/AT&T/Whatever have been shipping 2WIRE wireless
routers (er.. Home Portals) for several years without much difficulty.
The default password, SSID, and WEP/WPA key are inscribed on a label
stuck on the bottom of the machine. They also supply a Windoze setup
and monitor program to help with the PPPoE login and password loading.
It also can easily be done with a web browser. I've done a few of
these. Once I found the label, everything was obvious.
Drivel: The most challenging part of setting up a router is selecting
a suitable password and WEP/WPA key. I've had customers literally
agonize for a considerable number of minutes trying to select a
suitable password. If they're setting up an account at the same time,
the user name selection is equally difficult. I see pre-selection of
the default passwords to be generally beneficial because it saves the
customer the agony of being forced to think.
>First thing I do when encountering a friend that needs help is turn off all
>security, get things working then start applying. I suspect you take a
>similar approach when asked by your non-techie friends to help them out.
Not really. I wish I had a consistent approach to wireless
troubleshooting. Most of what I find are problems on the client side.
I drag in my known working laptop. If that plays, I concentrate on
removing junkware and viruses, configuring overly complex personal
firewalls, and generally clean house. I rarely have to tinker with
the router except to configure port forwarding and triggering.
>Again not saying you are wrong because you aren't, but I do understand why
>the makers don't do this.
Oh, I understand exactly why they don't do it. However, it has
nothing to do with the users ease of setup or support problem. It has
to do with what the competition is doing. None of the biggies (DLink,
Linksys, Netgear, Belkin) want to do anything that is deemed to be
fundamentally "different". There's too much risk in being labelled an
oddity. 2wire can do it correctly because they only sell to big ISP's
who can deal with the support issues. However, if only one
manufacturer did it right, I can assure you that these vendors would
instantly demand something similar from their far east product
suppliers.
I'm not sure, but the bugs mentioned sure sound like 1.5beta1 and not
the current beta3.
> 1. Mozilla was supposed to fix Firefox's JavaScript support in
>version 1.5. What I'm seeing is just the opposite.
I just ran through my "library" of stolen Javascript routines with
1.5beta3. No problems.
> 2. Firefox 1.5 also tends to freeze up after launch, and during or
>just after Web page load.
Nope. I've been running 1.5beta3 on several machines for about 2
weeks and have not seen any such problems.
>I've also experienced very long launch times
>from links in other programs, such as from a hyperlink sent in email.
Nope. However, I don't click on URL's sent in email so I wouldn't
know if there's a problem. However, URL's from the "Help-About" pages
of various programs I've tried work instantly.
> In most cases the Firefox freeze-ups unstick themselves after a
>couple of minutes. But I have also experienced permanent lock-ups that
>have required me to kill the firefox.exe process. And I've even been
>forced to reboot Windows XP a few times.
I'm using Windoze 2000 SP4 on all but one of my machines which runs XP
SP2. No freeze-ups, no hangs, and no reboots required. I do see
hangs with Acrobat and Quicktime, but I don't think that's the browser
as IE6 does the same thing.
>In addition, PDFs are now a total adventure. Sometimes they work,
>sometimes they never finish loading. And I'm using the latest version of
>the Adobe Acrobat Reader.
I'm always suspicious of authors that say they are using the "latest"
version. They usually are not using the latest version and often are
embarrassed by the publication delays causing them to appear
substantially behind the times. That's what I think happened here.
Incidentally, the bloated VM use was from 1.0.7, not 1.5beta3. I've
been running the 1.5beta3 for about 2 hours doing my usual banking,
stocks, browsing, eBay, etc. VM size is a conservative 50KB. Peak
Mem use is 77.2KB. No sign of the previous memory leaks.
Well the final FF1.5 was supposed to be the same as 1.5 release 3
>>I've also experienced very long launch times
>
>>from links in other programs, such as from a hyperlink sent in email.
>
> Nope. However, I don't click on URL's sent in email so I wouldn't
> know if there's a problem.
>
If FF is not running I get this with both 1.07 and 1.5
>
>> In most cases the Firefox freeze-ups unstick themselves after a
>>couple of minutes. But I have also experienced permanent lock-ups that
>>have required me to kill the firefox.exe process. And I've even been
>>forced to reboot Windows XP a few times.
>
>
> I'm using Windoze 2000 SP4 on all but one of my machines which runs XP
> SP2. No freeze-ups, no hangs, and no reboots required. I do see
> hangs with Acrobat and Quicktime, but I don't think that's the browser
> as IE6 does the same thing.
These lock-ups seem to be what I was experiencing with XP SP2. Never had
to do a reboot.
>
>
>
> I'm always suspicious of authors that say they are using the "latest"
> version. They usually are not using the latest version and often are
> embarrassed by the publication delays causing them to appear
> substantially behind the times. That's what I think happened here.
>
> Incidentally, the bloated VM use was from 1.0.7, not 1.5beta3. I've
> been running the 1.5beta3 for about 2 hours doing my usual banking,
> stocks, browsing, eBay, etc. VM size is a conservative 50KB. Peak
> Mem use is 77.2KB. No sign of the previous memory leaks.
>
If the memory leak was high on my laptops they would probably stop the
applications that were running (I need to upgrade the RAM someday).
I had the cards already, just downloaded the iso, ran from CD, nothing
to install. No effort.
Issue is, that it's not just some home network though is it? Don't
think for a moment that all of industry has suddenly switched away from
WEP.
David.
Give me some options and i'll answer a) b) etc :)
David.
In <RUVlf.22242$Pc3....@bignews5.bellsouth.net> on Thu, 08 Dec 2005 12:47:04
GMT, rico...@hotmail.com (Rico) wrote:
>Can you provide examples of residential wireless networks with even WEP
>much less WPA being cracked? ...
I know of at least two, and possibly more -- it's not always easy to tell --
but I'm not about to post that information in a public forum.
--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>
In <qXVlf.22260$Pc3....@bignews5.bellsouth.net> on Thu, 08 Dec 2005 12:49:49
GMT, rico...@hotmail.com (Rico) wrote:
>I await you regaling me with actual examples of suburban home wireless
>home networks being hacked when even the most basic and simplest of
>security tools have been employed (even a short WEP key maybe the son's
>first name).
In your own words...
"citation please"
:)
The problem there is "How would your average home user know that someone
had accessed their network". To provide definitive evidence and not
hearsay there would probably have to have been a court case and your
average user would have difficulty proving it was a hacker that was
responsible for the offence, I doubt some police forces would use their
budget to have his computers "Forensically Examined" unless the case was
of "High Profile".
I know of only 1 court case in the UK and I suspect the network was open.
http://news.bbc.co.uk/1/hi/technology/4721723.stm
Rob
Darn you, now I guess I'm going to have to change that...
fundamentalism, fundamentally wrong.
A few thousand miles west of there, but really good long distance vision
<wink>
fundamentalism, fundamentally wrong.
By no means, bought a $9.00 wireless card on Ebay not long ago for a
friend that needed very basic wireless for an older laptop when traveling,
since most hotels don't encrypt but use a proxy instead, a WEP only card
for low bucks was fine for the purpose. She just wanted to check email from
time to time while out west.
fundamentalism, fundamentally wrong.
A)IT or Engineering/Technical related
B) anything else (banking, sales (non tech), real estate....
>
>David.
fundamentalism, fundamentally wrong.
Is he harmed in that case? At least where I live there are within a couple
blocks half a dozen give or take open wireless networks. Why would you or
anyone else bother with mine given I am encrypted (figure you are out
wardriving and want to have a little mischief). Can't speak for you
specifically, but if it's me, I'm going where the pickings are easy.
>To provide definitive evidence and not
>hearsay there would probably have to have been a court case and your
>average user would have difficulty proving it was a hacker that was
>responsible for the offence, I doubt some police forces would use their
>budget to have his computers "Forensically Examined" unless the case was
> of "High Profile".
> I know of only 1 court case in the UK and I suspect the network was open.
>http://news.bbc.co.uk/1/hi/technology/4721723.stm
>
>Rob
Yes, I seem to recall there was an instance in Florida also, but in that
case the network was open.
fundamentalism, fundamentally wrong.
So your point is what? :)
>
> Is he harmed in that case?
http://www.channelcincinnati.com/health/5520020/detail.html
It will be interesting to see how this works out.