Hi.
Which WLAN protection method would you recommend?
- Shared key
- WPA-Personal
- WPA2-Personal
My router also supports Radius with 802.1x and WPA/WPA2-Enterprise, but these require strange stuff like certificates that leave me clueless. :)
On 05/17/11 06:30, Misha Shnurapet wrote:
Hi.
Which WLAN protection method would you recommend?
- Shared key
- WPA-Personal
- WPA2-Personal
My router also supports Radius with 802.1x and WPA/WPA2-Enterprise, but these require strange stuff like certificates that leave me clueless. :)
I would select wpa2-personal, and select AES Encryption. Be sure that you create a passphrase that is 64 characters and is made of a random string of printable characters.
On 05/17/2011 08:21 AM, JD wrote:
I would select wpa2-personal, and select AES Encryption. Be sure that you create a passphrase that is 64 characters and is made of a random string of printable characters.
Just out of curiosity, how would a phrase in a language that's not natively written in the Latin alphabet do? As examples, Chinese, Korean, Russian or Hebrew? (The frequency count of the letters depends, in that case, on what system of transliteration you use and in any event, will be different from English if that matters.)
On 05/17/11 08:39, Joe Zeff wrote:
On 05/17/2011 08:21 AM, JD wrote:
I would select wpa2-personal, and select AES Encryption. Be sure that you create a passphrase that is 64 characters and is made of a random string of printable characters.
Just out of curiosity, how would a phrase in a language that's not natively written in the Latin alphabet do? As examples, Chinese, Korean, Russian or Hebrew? (The frequency count of the letters depends, in that case, on what system of transliteration you use and in any event, will be different from English if that matters.)
Good question. You have to ask a computer geek who speaks that language :)
But seriously, just about all languages have an alphabet and they use computers with the locale set to that alphabet. Probably some alphabets are coded in UTF8 and others in UTF16. So I am sure you can select a string from your native alphabet.
18.05.2011, 00:21, "JD" jd1008@gmail.com:
I would select wpa2-personal, and select AES Encryption. Be sure that you create a passphrase that is 64 characters and is made of a random string of printable characters.
Checking WPA2... done. Checking AES... done. A passphrase of 63 mixed case letters and special symbols and a notebook and a pencil worked fine.
18.05.2011, 00:39, "Joe Zeff" joe@zeff.us:
Just out of curiosity, how would a phrase in a language that's not natively written in the Latin alphabet do?
It didn't work at all. I mean it didn't even take it as a setting.
On 17/05/11 14:30, Misha Shnurapet wrote:
Hi.
Which WLAN protection method would you recommend?
- Shared key
- WPA-Personal
- WPA2-Personal
My router also supports Radius with 802.1x and WPA/WPA2-Enterprise, but these require strange stuff like certificates that leave me clueless. :)
Also if it's your home WLAN, hide it, don't broadcast the SSID. So those in your neighbourhood won't even know you have a wireless.
*Some android devices, don't like hidden wireless*
On Tue, May 17, 2011 at 9:36 AM, Frank Murphy frankly3d@gmail.com wrote:
On 17/05/11 14:30, Misha Shnurapet wrote:
Hi.
Which WLAN protection method would you recommend?
- Shared key
- WPA-Personal
- WPA2-Personal
My router also supports Radius with 802.1x and WPA/WPA2-Enterprise, but these require strange stuff like certificates that leave me clueless. :)
Also if it's your home WLAN, hide it, don't broadcast the SSID. So those in your neighbourhood won't even know you have a wireless.
Yes, they will. However, not broadcasting the SSID is a good step, but not necessarily all you should do. When a client connects to the network, it inquires whether the network is available. A patient wardriver will pick this up. However, they will not be able to get in easily and will move on in most cases if they see WPA2.
*Some android devices, don't like hidden wireless*
True.
The next step is MAC restricting and a lot more. However, just employing security and hidden SSID is a great start. Most people do not do this.
James McKenzie
On 05/17/11 09:30, Misha Shnurapet wrote:
18.05.2011, 00:21, "JD" jd1008@gmail.com:
I would select wpa2-personal, and select AES Encryption. Be sure that you create a passphrase that is 64 characters and is made of a random string of printable characters.
Checking WPA2... done. Checking AES... done. A passphrase of 63 mixed case letters and special symbols and a notebook and a pencil worked fine.
18.05.2011, 00:39, "Joe Zeff" joe@zeff.us:
Just out of curiosity, how would a phrase in a language that's not natively written in the Latin alphabet do?
It didn't work at all. I mean it didn't even take it as a setting.
You understand that both the access point and the computer have to have the same settings? i.e. wpa2-psk, AES and the same 63 character string as the passphrase.
And is your router using MAC address filtering to grant access? If so, you will need to add the MAC address of your computer to the "allow" list on the router.
18.05.2011, 02:39, "JD" jd1008@gmail.com:
You understand that both the access point and the computer have to have the same settings? i.e. wpa2-psk, AES and the same 63 character string as the passphrase.
And is your router using MAC address filtering to grant access? If so, you will need to add the MAC address of your computer to the "allow" list on the router.
Everything works fine, thanks.
18.05.2011, 02:11, "James McKenzie" jjmckenzie51@gmail.com:
The next step is MAC restricting and a lot more. However, just employing security and hidden SSID is a great start. Most people do not do this.
I won't use a whitelist filter so I don't get locked out on a coincidence, plus my neighbours aren't into that level of computer science and I believe they're beyond the distance.
2011/5/17 Misha Shnurapet shnurapet@fedoraproject.org:
18.05.2011, 02:11, "James McKenzie" jjmckenzie51@gmail.com:
The next step is MAC restricting and a lot more. However, just employing security and hidden SSID is a great start. Most people do not do this.
I won't use a whitelist filter so I don't get locked out on a coincidence, plus my neighbours aren't into that level of computer science and I believe they're beyond the distance.
Beer can antenna at 1/4 of a mile works. Leo Leparte showed how to do this. He lived on a farm property near Tracy California, United States and was using this to relay from the house to the barn. Interesting bit of science.
James McKenzie
On Tue, 2011-05-17 at 17:36 +0100, Frank Murphy wrote:
Also if it's your home WLAN, hide it, don't broadcast the SSID. So those in your neighbourhood won't even know you have a wireless.
Completely pointless:
Your device is transmitting something, this is detectable. And it does so several times a second (i.e. it's continual).
The SSID is only one of the names being transmitted. There's other identifying data that isn't usually displayed to most users. So hiding it is certainly not making it anonymous.
Various computers will actually list your allegedly *hidden* device as an "unnamed" access point, so it's not even hidden. Certainly the numerous "hack your neighbours" applications downloadable for the completely clueless will.
It does nothing to prevent anyone getting into your network when they really want to. There's no hacking involved in getting past the unnamed access point.
Actually causes problems:
Various devices find it harder to purposely connect to it, or more to the point, /you/ may find it more difficult. You have to type things in, instead of it being presented on a list. You have to differentiate between your access point and someone else's. The SSID is part of the data your computer uses for it to pick the right access point to associate with.
It gets worse when you and your neighbours all play the faux hidden wireless network game, so you have more difficulty picking the right network. And even more fun debugging problems when more than one of you is on the same channel, or left the default manufacturer's SSID in place and hid that (when you both have the same access point).
Trying to hide it makes you an even more interesting target to the wannabe hackers.
Seriously, it's a dumb idea. Monkey see, monkey do. You're a monkey.
And while I'm shooting dumb ideas down in flames...
MAC filtering is useless as a security measure, and can be a pain in the neck for yourself trying to get things working. It can't force someone to be unable to connect, but it can make it awkward for you, making you have to reset things to allow your computer when you make mistakes, or want to connect a different NIC.
WEP security is useless.
WPA (1) security is useless.
With WPA2 use *only* AES out of the AES/TKIP choices. That means AES by itself. Not TKIP. Nor TKIP and AES as a combination. And for the PSK/EAP choice, you'll probably only be able to use PSK. I seem to recall that EAP was another bad choice, but you'll need to research that.
Password length and weirdness increases security. You're less likely to be hacked by lucky guesses if you don't have plain words in there. Certainly don't use real names, phone numbers, birthdates, or anything else that's easy for someone else to find out about you.
NB: Regarding another posting about using foreign words, the password is either ASCII or HEX. So UTF, or other encodings, are out of the question. But if you can write the word using ASCII, you can enter it.
Having an unsecured net is sheer stupidity. You might think what the hell, I've nothing to lose... Well, the moment someone does something illegal through your network you're in for some legal fun and games that you really don't want to be bothered with.
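Tim's "ASCII or HEX" note, JD's 64-character recommendation and Misha's finding that a non-Latin passphrase was refused all follow from how WPA/WPA2-Personal turns the secret into the 256-bit pre-shared key. The example below is added here to show that derivation; it is not code from anyone in the thread. It implements the 802.11i rule (a passphrase of 8 to 63 printable ASCII characters, stretched with PBKDF2-HMAC-SHA1 salted with the SSID over 4096 iterations, or the raw PSK written as exactly 64 hex digits), which is also why a 64-character string only works if it is hex, and why 63 is the longest passphrase a router will accept. The two test vectors in the comments are the ones from the standard; the "HomeNet" SSID and the generator's alphabet choice are my own.

```python
import hashlib
import secrets
import string

# IEEE 802.11i: a WPA/WPA2-Personal passphrase is 8..63 characters, each an ASCII
# character in the range 32..126. The alternative is the raw 256-bit PSK as 64 hex digits.
ALLOWED = frozenset(chr(c) for c in range(0x20, 0x7F))


def passphrase_problem(secret: str):
    """Return None if `secret` is a valid passphrase, otherwise a short reason."""
    if not 8 <= len(secret) <= 63:
        return f"length {len(secret)} is outside 8..63"
    bad = sorted({ch for ch in secret if ch not in ALLOWED})
    if bad:
        # Cyrillic, CJK, Hebrew etc. land here: the standard only defines ASCII passphrases
        return f"non-ASCII or control characters present: {bad!r}"
    return None


def wpa_psk(secret: str, ssid: str) -> bytes:
    """Derive the 32-byte PSK that the WPA/WPA2 4-way handshake starts from.

    A 64-character secret is taken as the raw key in hex (any other 64-character
    string is rejected). Anything else must be a valid passphrase and is stretched
    with PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 256-bit output; this is
    the same computation wpa_supplicant's `wpa_passphrase` tool performs.
    """
    if len(secret) == 64:
        try:
            return bytes.fromhex(secret)
        except ValueError:
            raise ValueError("a 64-character secret is only accepted as 64 hex digits (raw PSK)") from None
    problem = passphrase_problem(secret)
    if problem:
        raise ValueError(f"invalid passphrase: {problem}")
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32)


def random_passphrase(length: int = 63) -> str:
    """Maximum-length random passphrase from the printable ASCII set.

    Space is permitted by the standard but omitted here (my choice) because many
    router web forms trim or mangle it. 63 characters from a 94-symbol alphabet
    is far beyond any PBKDF2 guessing attack, so the PSK is as strong as the
    handshake allows.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Test vectors from IEEE 802.11i Annex H:
    #   ("password", "IEEE")            -> f42c6fc5 2df0ebef 9ebb4b90 b38a5f90 2e83fe1b 135a70e2 3aed762e 9710a12e
    #   ("ThisIsAPassword", "ThisIsASSID") -> 0dc0d6eb 90555ed6 419756b9 a15ec3e3 209b63df 707dd508 d14581f8 982721af
    print(wpa_psk("password", "IEEE").hex())
    print(passphrase_problem("пароль2011"))        # rejected: not ASCII (constructed example)
    p = random_passphrase()
    print(len(p), wpa_psk(p, "HomeNet").hex())       # 63-character passphrase, hypothetical SSID
```

Whatever the router UI accepts, the only thing the handshake ever sees is the 32-byte PSK, so a 64-hex-digit key entered directly and a 63-character random passphrase give the same security; the passphrase route just makes the key something you can write in the notebook.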
On 05/17/11 11:08, James McKenzie wrote:
2011/5/17 Misha Shnurapet shnurapet@fedoraproject.org:
18.05.2011, 02:11, "James McKenzie" jjmckenzie51@gmail.com:
The next step is MAC restricting and a lot more. However, just employing security and hidden SSID is a great start. Most people do not do this.
I won't use a whitelist filter so I don't get locked out on a coincidence, plus my neighbours aren't into that level of computer science and I believe they're beyond the distance.
Beer can antenna at 1/4 of a mile works. Leo Leparte showed how to do this. He lived on a farm property near Tracy California, United States and was using this to relay from the house to the barn. Interesting bit of science.
James McKenzie
Right. Also, it is not necessarily "neighbours" that are adjacent to your house or a few houses down. Someone can park a car not far from your house, and using the type of home-made antenna James mentioned, they can hack your network. I would strongly encourage you to use a MAC address whitelist.
Around 07:16pm on Tuesday, May 17, 2011 (UK time), JD scrawled:
Right. Also, it is not necessarily "neighbours" that are adjacent to your house or a few houses down. Someone can park a car not far from your house, and using the type of home-made antenna James mentioned, they can hack your network. I would strongly encourage you to use a MAC address whitelist.
Because someone with the knowhow to make antenna like this and hack your wireless password would have no idea how to spoof mac addresses?
Steve
On Tue, May 17, 2011 at 11:10 AM, Tim ignored_mailbox@yahoo.com.au wrote:
On Tue, 2011-05-17 at 17:36 +0100, Frank Murphy wrote:
Also if it's your home WLAN, hide it, don't broadcast the SSID. So those in your neighbourhood won't even know you have a wireless.
Completely pointless:
Your device is transmitting something, this is detectable. And it does so several times a second (i.e. it's continual).
True. Bet you have a lock on every door to your house as well. Turning off the SSID is a deterrent. Make them go somewhere else. Same with door locks. If I want to get into your house, I will. Even if it means using TNT.
MAC filtering is useless as a security measure, and can be a pain in the neck for yourself trying to get things working. It can't force someone to be unable to connect, but it can make it awkward for you, making you have to reset things to allow your computer when you make mistakes, or want to connect a different NIC.
Same thing here. It will take more 'work'. Make them go away.
With WPA2 use *only* AES out of the AES/TKIP choices. That means AES by itself. Not TKIP. Nor TKIP and AES as a combination. And for the PSK/EAP choice, you'll probably only be able to use PSK. I seem to recall that EAP was another bad choice, but you'll need to research that.
Agreed.
Password length and weirdness increases security. You're less likely to be hacked by lucky guesses if you don't have plain words in there. Certainly don't use real names, phone numbers, birthdates, or anything else that's easy for someone else to find out about you.
Yep. Use a passphrase that is something easy for you to remember, but hard for others to guess.
Again, make them go away. Determined criminals will enter your house. The common thief will rattle your front door, finding it locked and go away.
NB: Regarding another posting about using foreign words, the password is either ASCII or HEX. So UTF, or other encodings, are out of the question. But if you can write the word using ASCII, you can enter it.
Having an unsecured net is sheer stupidity. You might think what the hell, I've nothing to lose... Well, the moment someone does something illegal through your network you're in for some legal fun and games that you really don't want to be bothered with.
Ask the 83 year old lady in NYC about the child porn case she found herself involved with. It was a 25-year-old registered sex offender using a 'friend's' computer. She got her front door broken down and he got 170 years and had to pay for a new door.
The only places that I know of that have unsecured networks are coffee shops and maybe the occasional food establishment. Other than that, lock the damn door and secure it. Adding MAC whitelists is but one of five steps. We've discussed the other two to the end.
James McKenzie
On Tue, May 17, 2011 at 11:23 AM, Steve Searle steve@stevesearle.com wrote:
Around 07:16pm on Tuesday, May 17, 2011 (UK time), JD scrawled:
Right. Also, it is not necessarily "neighbours" that are adjacent to your house or a few houses down. Someone can park a car not far from your house, and using the type of home-made antenna James mentioned, they can hack your network. I would strongly encourage you to use a MAC address whitelist.
Because someone with the knowhow to make antenna like this and hack your wireless password would have no idea how to spoof mac addresses?
If they are that technologically advanced? I can BUY one over the Internet. Some computers even have an external connection. However, what we are suggesting is only to bar and lock the front door. If I'm determined, I'm on your network. However, if you live in the 'big city' you are going to find hundreds of unsecured wireless connections, or poorly secured ones. If I'm out in the woods, the pickings are slim and you just might want to take the effort to break in. Same if you have valuable data. TJX learned the lessons of not securing their network AND having valuable data.
James McKenzie
Steve
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
James McKenzie wrote:
True. Bet you have a lock on every door to your house as well. Turning off the SSID is a deterrent. Make them go somewhere else. Same with door locks. If I want to get into your house, I will. Even if it means using TNT.
James, why are you attempting to justify this pointless, insecure method of wireless configuration?
SSID hiding is *not* secure. It is *not* a deterrent. Security through obscurity is *not* security.
Same thing here. It will take more 'work'. Make them go away.
Obtaining a MAC takes seconds - i.e. no more 'work' than it is to find your 'hidden' SSID.
These snake oil methods of wireless security need to simply die.
On 05/17/11 11:23, Steve Searle wrote:
Around 07:16pm on Tuesday, May 17, 2011 (UK time), JD scrawled:
Right. Also, it is not necessarily "neighbours" that are adjacent to your house or a few houses down. Someone can park a car not far from your house, and using the type of home-made antenna James mentioned, they can hack your network. I would strongly encourage you to use a MAC address whitelist.
Because someone with the knowhow to make antenna like this and hack your wireless password would have no idea how to spoof mac addresses?
Steve
It just reduces the number of would-be hackers to those with the know-how. And the probability of such knowledgeable hackers being near your vicinity is much less than that of the casual hackers without such knowledge. In network security, even the simplest measures should not be dropped just because there are those with the tools and the know-how to hack it. It's like saying there's no need to lock your car because the door can easily be opened by an expert car thief.
On Tuesday 17 May 2011 18:11:03 James McKenzie wrote:
On Tue, May 17, 2011 at 9:36 AM, Frank Murphy frankly3d@gmail.com wrote:
On 17/05/11 14:30, Misha Shnurapet wrote:
Which WLAN protection method would you recommend?
- Shared key
- WPA-Personal
- WPA2-Personal
Also if it's your home WLAN, hide it, don't broadcast the SSID. So those in your neighbourhood won't even know you have a wireless.
Yes, they will. However, not broadcasting the SSID is a good step, but not necessarily all you should do. When a client connects to the network, it inquires whether the network is available. A patient wardriver will pick this up. However, they will not be able to get in easily and will move on in most cases if they see WPA2.
The next step is MAC restricting and a lot more. However, just employing security and hidden SSID is a great start. Most people do not do this.
Hiding the SSID will stop only a casual bystander getting on to your network by accident. Those who actually want to crack into a wireless network would use some tool like airodump-ng (yum install aircrack-ng) to list any and all wireless networks within reach, hidden or otherwise, and then pick which one to crack.
In other words, hiding SSID can be compared to a person putting an "I am invisible" sticker on their forehead, and hoping that others would read it and ignore him.
Hiding SSID is a matter of convenience, not security. Things like removing the clutter from user's list of available networks, avoiding accidental connections by mobile devices, etc.
For security you need to implement some WPA-related stuff and a strong firewall, possibly with MAC-filtering etc. And for sure don't even try to use WEP "security". It's commonly compared to a paper wall, and I've seen it being cracked within 10 minutes using aircrack suite above. I even did it myself once on my own router, just to see how difficult/easy it was. Reading relevant man pages was the hardest part, it took me 20 minutes. Cracking the WEP passphrase took 5 more. I can even sketch you the steps if you like. ;-)
In a nutshell, hiding SSID is a "please don't connect to my network" security. WEP is "the door is closed but not locked" security, while WPA is "guess my passphrase" security. Therefore, WPA is the only one that provides the potential cracker some reasonable headache.
HTH, :-) Marko
On Tuesday 17 May 2011 19:54:39 Marko Vojinovic wrote:
For security you need to implement some WPA-related stuff and a strong firewall, possibly with MAC-filtering etc.
Umm, I was distracted by alien ship landing in my back yard when I wrote this, sorry. Please forget the MAC-filtering part... ;-)
Best, :-) Marko
On Tue, May 17, 2011 at 11:35 AM, Michael Cronenworth mike@cchtml.com wrote:
James McKenzie wrote:
True. Bet you have a lock on every door to your house as well. Turning off the SSID is a deterrent. Make them go somewhere else. Same with door locks. If I want to get into your house, I will. Even if it means using TNT.
James, why are you attempting to justify this pointless, insecure method of wireless configuration?
SSID hiding is *not* secure. It is *not* a deterrent. Security through obscurity is *not* security.
Want to bet? By hiding stuff in plain sight? It works. It's called steganography. If I camouflage myself and hide in a bunch of bushes, I'm betting you won't find me. That is what we are doing when we hide the SSID. Again, it is a DETERRENT, not an absolute method. If I turn off the SSID, your job just got harder.
Same thing here. It will take more 'work'. Make them go away.
Obtaining a MAC takes seconds - i.e. no more 'work' than it is to find your 'hidden' SSID.
Same here. If I can deter you, then I have success. No network is 'bulletproof'. Not even wired. However, the more work you have to do and the smaller the gain, and the more likely your efforts are subject to detection, the less likely you are to try and break in.
These apply UNLESS I'm a big target and you want what information I have. At that point, I'm probably and ID10T for using Wireless or having a WAP in the first place.
Security is not just putting door locks on the doors. If I leave a window wide open, the biggest, strongest door is worthless. Same thing here. If I have a big door, geese in the yard, an 8 foot high fence with barbed wire, you are less likely to try and invade. However, you still can try.
Again, NO NETWORK IS SECURE. Never will be.
James McKenzie
On Tuesday 17 May 2011 19:47:24 JD wrote:
On 05/17/11 11:23, Steve Searle wrote:
Around 07:16pm on Tuesday, May 17, 2011 (UK time), JD scrawled:
Right. Also, it is not necessarily "neighbours" that are adjacent to your house or a few houses down. Someone can park a car not far from your house, and using the type of home-made antenna James mentioned, they can hack your network. I would strongly encourage you to use a MAC address whitelist.
Because someone with the knowhow to make antenna like this and hack your wireless password would have no idea how to spoof mac addresses?
Steve
It just reduces the number of would-be hackers to those with the know-how. And the probability of such knowledgeable hackers being near your vicinity is much less than that of the casual hackers without such knowledge. In network security, even the simplest measures should not be dropped just because there are those with the tools and the know-how to hack it. It's like saying there's no need to lock your car because the door can easily be opened by an expert car thief.
Oh, come on, it took me about 20 minutes to go from being an absolute noob to being able to crack my own network. It requires reading through one web page and four man pages.
From man aireplay-ng:
-h <smac> Set source MAC address.
Read the output of airodump-ng for a MAC address of an already connected client to find one that is allowed by the access point firewall. How much of an expert one needs to be to use an option switch in a command?
Really, people typically have no idea how easy it is to crack a wireless until they actually try it, at least once. After that, one gets to appreciate what is really a security measure, and what is the "please don't open me" sign on the door.
MAC spoofing is trivial. Even in Windows there is a field to type a desired MAC somewhere in the network settings...
Best, :-) Marko
On Tuesday 17 May 2011 20:15:24 James McKenzie wrote:
On Tue, May 17, 2011 at 11:35 AM, Michael Cronenworth mike@cchtml.com wrote:
James, why are you attempting to justify this pointless, insecure method of wireless configuration?
SSID hiding is *not* secure. It is *not* a deterrent. Security through obscurity is *not* security.
Want to bet? By hiding stuff in plain sight? It works. It's called steganography. If I camouflage myself and hide in a bunch of bushes, I'm betting you won't find me. That is what we are doing when we hide the SSID. Again, it is a DETERRENT, not an absolute method. If I turn off the SSID, your job just got harder.
No, it didn't get harder. Mind you, nobody ever tries to crack into a wireless network by trying to connect and guessing passwords manually through the OS's user interface. That's utterly impossible. Rather, the cracker uses some ready-made software to crack in.
This software will simply "see" both the hidden and public SSID's on equal footing, along with MAC addresses of already-connected clients (I already mentioned a typical example of airodump-ng, which is in the aircrack-ng package in the Fedora repo, feel free to try it out).
It is literally *ZERO* effort to find out both hidden SSIDs and allowed MAC addresses. And it is all public information, that you can read off the screen of your laptop, just by being in the area covered by the signal from the access point. There is absolutely no security there, and it is not even a deterrent.
Btw, you are not camouflaging yourself and hiding in the bushes, you are camouflaging yourself and remaining in plain sight on the street. Doing that will only attract even more attention from the know-how crackers.
Best, :-) Marko
On 05/17/11 12:23, Marko Vojinovic wrote:
On Tuesday 17 May 2011 19:47:24 JD wrote:
On 05/17/11 11:23, Steve Searle wrote:
Around 07:16pm on Tuesday, May 17, 2011 (UK time), JD scrawled:
Right. Also, it is not necessarily "neighbours" that are adjacent to your house or a few houses down. Someone can park a car not far from your house, and using the type of home-made antenna James mentioned, they can hack your network. I would strongly encourage you to use a MAC address whitelist.
Because someone with the knowhow to make antenna like this and hack your wireless password would have no idea how to spoof mac addresses?
Steve
It just reduces the number of would-be hackers to those with the know-how. And the probability of such knowledgeable hackers being near your vicinity is much less than that of the casual hackers without such knowledge. In network security, even the simplest measures should not be dropped just because there are those with the tools and the know-how to hack it. It's like saying there's no need to lock your car because the door can easily be opened by an expert car thief.
Oh, come on, it took me about 20 minutes to go from being an absolute noob to being able to crack my own network. It requires reading through one web page and four man pages.
From man aireplay-ng:
-h <smac> Set source MAC address.
Read the output of airodump-ng for a MAC address of an already connected client to find one that is allowed by the access point firewall. How much of an expert one needs to be to use an option switch in a command?
Really, people typically have no idea how easy it is to crack a wireless until they actually try it, at least once. After that, one gets to appreciate what is really a security measure, and what is the "please don't open me" sign on the door.
MAC spoofing is trivial. Even in Windows there is a field to type a desired MAC somewhere in the network settings...
Best, :-) Marko
Too much bluster here. Show us any credible publication that claims wpa2-psk/AES has been easily cracked or even cracked at all.
On 05/17/2011 09:01 PM, JD wrote:
Too much bluster here.
Show us any credible publication that claims wpa2-psk/AES has been easily cracked or even cracked at all.
so, you say you have not been on youtube lately?
Obtaining a MAC takes seconds - i.e. no more 'work' than it is to find your 'hidden' SSID.
These snake oil methods of wireless security need to simply die.
Seconded, and the arguments about it needing technical knowledge don't really work any more because tools for old-style wireless and for hidden-config hacking are automated and any kiddie can use them.
On 05/17/11 15:29, g wrote:
On 05/17/2011 09:01 PM, JD wrote:
Too much bluster here.
Show us any credible publication that claims wpa2-psk/AES has been easily cracked or even cracked at all.
so, you say you have not been on youtube lately?
You call youtube a credible publication?
On 05/17/2011 11:44 PM, JD wrote:
You call youtube a credible publication?
yes/no.
they do have all different ways of cracking wep, wpa, and wpa2 that are mentioned in this thread.
just a few from my bookmarks, which were easy to find via a little google time;
http://www.youtube.com/watch?v=OdJuXtjgIrA&feature=related http://www.youtube.com/watch?v=OG9i2VPY_LE&NR=1 http://www.youtube.com/watch?v=3lNqqryPBNU&NR=1 http://www.youtube.com/watch?v=3P8l-PsvYak&NR=1 http://www.youtube.com/watch?v=qP1BOZqrp5g&feature=related
along with a few non youtube;
http://hackerwhacker.com/ http://whacker2.hackerwhacker.com/ http://wi-foo.com/ http://www.linux-wireless.com/Sniffers/
all of which goes to show, if you want to spend a little time to find out how to hack wlan/wifi, spend a little time on google.
On Tuesday 17 May 2011 22:01:11 JD wrote:
On 05/17/11 12:23, Marko Vojinovic wrote:
On Tuesday 17 May 2011 19:47:24 JD wrote:
On 05/17/11 11:23, Steve Searle wrote:
Around 07:16pm on Tuesday, May 17, 2011 (UK time), JD scrawled:
Right. Also, it is not necessarily "neighbours" that are adjacent to your house or a few houses down. Someone can park a car not far from your house, and using the type of home-made antenna James mentioned, they can hack your network. I would strongly encourage you to use a MAC address whitelist.
Because someone with the knowhow to make antenna like this and hack your wireless password would have no idea how to spoof mac addresses?
Steve
It just reduces the number of would-be hackers to those with the know-how. And the probability of such knowledgeable hackers being near your vicinity is much less than that of the casual hackers without such knowledge. In network security, even the simplest measures should not be dropped just because there are those with the tools and the know-how to hack it. It's like saying there's no need to lock your car because the door can easily be opened by an expert car thief.
Oh, come on, it took me about 20 minutes to go from being an absolute noob to being able to crack my own network. It requires reading through one web page and four man pages.
From man aireplay-ng:
-h <smac> Set source MAC address.
Read the output of airodump-ng for a MAC address of an already connected client to find one that is allowed by the access point firewall. How much of an expert one needs to be to use an option switch in a command?
Really, people typically have no idea how easy it is to crack a wireless until they actually try it, at least once. After that, one gets to appreciate what is really a security measure, and what is the "please don't open me" sign on the door.
MAC spoofing is trivial. Even in Windows there is a field to type a desired MAC somewhere in the network settings...
Too much bluster here. Show us any credible publication that claims wpa2-psk/AES has been easily cracked or even cracked at all.
I didn't say that cracking wpa2-ps/aes is easy. I was saying that, whatever the security algorithm you are trying to crack, having a hidden SSID and filtered MAC is not going to make it *any* harder than having a public SSID and no MAC filtering. That data is essentially publicly available to anyone in range, and can be obtained with no effort at all. One doesn't even need the know-how, one can just type a single command in the terminal and have all that "hidden" stuff displayed on the screen. And that command is something you would type anyway if you want to crack a wireless network.
In other words, hiding SSID and filtering MACs adds absolutely *nothing* to the security of the network. It is not even an extra step that one would need to deal with while cracking. It is literally equivalent to "please don't open me" sign on the door. Using a serious security algorithm is essential for a wireless network, but saying that hiding SSID and filtering MAC addresses adds an additional layer of security is just plain wrong.
Best, :-) Marko
On 05/17/11 18:07, g wrote:
On 05/17/2011 11:44 PM, JD wrote:
You call youtube a credible publication?
yes/no.
they do have all different ways of cracking wep, wpa, and wpa2 that are mentioned in this thread.
just a few from my bookmarks, which were easy to find via a little google time;
http://www.youtube.com/watch?v=OdJuXtjgIrA&feature=related
http://www.youtube.com/watch?v=OG9i2VPY_LE&NR=1
http://www.youtube.com/watch?v=3lNqqryPBNU&NR=1
http://www.youtube.com/watch?v=3P8l-PsvYak&NR=1
http://www.youtube.com/watch?v=qP1BOZqrp5g&feature=related
along with a few non youtube;
http://hackerwhacker.com/
http://whacker2.hackerwhacker.com/
http://wi-foo.com/
http://www.linux-wireless.com/Sniffers/
all of which goes to show, if you want to spend a little time to find out how to hack wlan/wifi, spend a little time on google.
Well, I hate to disappoint anyone, but until I see a credible security researchers/professors show in a scientific publication that they were able to crack wpa2-psk/AES using PC's and in reasonable time (say a few days), then I would believe it. Youtube is no source of truth.
On 05/17/2011 09:20 AM, JD wrote:
Good question. You have to ask a computer geek who speaks that language :)
But seriously, just about all languages have an alphabet and they use computers with the locale set to that alphabet. Probably some alphabets are coded in UTF8 and others in UTF16. So I am sure you can select a string from your native alphabet.
Actually, I was thinking of having them transliterated into the Roman alphabet. One nice thing about that is that for some of the languages (e.g., Russian) there's more than one transliteration for some of the characters.
On 05/17/2011 09:30 AM, Misha Shnurapet wrote:
18.05.2011, 00:39, "Joe Zeff" joe@zeff.us:
Just out of curiosity, how would a phrase in a language that's not natively written in the Latin alphabet do?
It didn't work at all. I mean it didn't even take it as a setting.
Don't try to enter it in its native alphabet. Take the phrase you're thinking of, spell it out phonetically in the Roman alphabet and try it.
On Wed, 2011-05-18 at 01:07 +0000, g wrote:
On 05/17/2011 11:44 PM, JD wrote:
You call youtube a credible publication?
yes/no.
they do have all different ways of cracking wep, wpa, and wpa2 that are mentioned in this thread.
WEP is known to be vulnerable. WPA has some weaknesses in some circumstances. WPA2 however is thought to be secure if you use a hard-to-guess password.
A quick look at Wikipedia could have told you this.
Just for completeness, I visited some of the referenced URLs:
just a few from my bookmarks, which were easy to find via a little google time;
Tells you how to improve signal strength. Nothing on WEP, WPA or WPA2.
No longer available. Maybe the Men In Black removed it ...
Stupid Wifi detection program for WinXP. Again, no mention of WEP, WPA or WPA2.
No explanation, but appears to be standard password-guessing attack.
ABC News report on cellphone hacking. Unrelated to Wifi.
along with a few non youtube;
http://hackerwhacker.com/
http://whacker2.hackerwhacker.com/
http://wi-foo.com/
http://www.linux-wireless.com/Sniffers/
Random URLs of general sniffing and security pages.
In conclusion, the assertion that there are genuine WPA2 vulnerabilities (other than guessing passwords) remains unsupported.
poc
On 05/17/2011 09:53 PM, JD wrote:
Well, I hate to disappoint anyone, but until I see a credible security researchers/professors show in a scientific publication that they were able to crack wpa2-psk/AES using PC's and in reasonable time (say a few days), then I would believe it. Youtube is no source of truth.
Believe it, JD. Try Googling: How To Crack WPA2
You'll be amazed at the number of matches that come up.
And some of these cracks are 4-5 years old! I believe many of them are particular to AES, and that TKIP is still (somewhat) more secure (meaning that it can take *much* longer to crack), but I can still find some hits that claim to be able to crack TKIP as well.
Google it. Look at where the hits are (you should look at more than just the first page of hits, too!)
Then decide if you are right or not.
On 5/17/11 2:01 PM, JD wrote:
On 05/17/11 12:23, Marko Vojinovic wrote:
On Tuesday 17 May 2011 19:47:24 JD wrote:
On 05/17/11 11:23, Steve Searle wrote:
Around 07:16pm on Tuesday, May 17, 2011 (UK time), JD scrawled:
Right. Also, it is not necessarily "neighbours" that are adjacent to your house or a few houses down. Someone can park a car not far from your house, and using the type of home-made antenna James mentioned, they can hack your network. I would strongly encourage you to use a MAC address whitelist.
Because someone with the know-how to make an antenna like this and hack your wireless password would have no idea how to spoof MAC addresses?
Steve
It just reduces the number of would-be hackers to those with the know-how. And the probability of such knowledgeable hackers being in your vicinity is much less than that of casual hackers without such knowledge. In network security, even the simplest measures should not be dropped just because there are those with the tools and the know-how to hack them. It's like saying "No need to lock your car because the door can easily be opened by an expert car thief."
Oh, come on, it took me circa 20 minutes to go from being an absolute noob to being able to crack my own network. It requires reading through one web page and four man pages.
From man aireplay-ng:
-h <smac> Set source MAC address.
Read the output of airodump-ng for a MAC address of an already connected client to find one that is allowed by the access point firewall. How much of an expert does one need to be to use an option switch in a command?
Really, people typically have no idea how easy it is to crack a wireless until they actually try it, at least once. After that, one gets to appreciate what is really a security measure, and what is the "please don't open me" sign on the door.
MAC spoofing is trivial. Even in Windows there is a field to type a desired MAC somewhere in the network settings...
Best, :-) Marko
Too much bluster here. Show us any credible publication that claims wpa2-ps/AES has been easily cracked or even cracked at all.
JD:
As far as I can discover, it has not been. DES has and 3DES is in danger of being broken (however it offers many permutations of the two/three key combination.)
James McKenzie
On 05/18/2011 01:53 AM, JD wrote:
Well, I hate to disappoint anyone, but until I see a credible security researchers/professors show in a scientific publication that they were able to crack wpa2-psk/AES using PC's and in reasonable time (say a few days), then I would believe it. Youtube is no source of truth.
jd,
accept it or not. that is your choice.
but before you "set your words in stone", have a view of the youtube links. then read and look thru the non youtube links.
it is "a cruel world out there" and i hate for you to rely on false security.
prove it to yourself. use a wireless and you will see just how easily it can be done.
when i say 'easy', i do not mean a few minutes, because it does take some time, and less than a few days, to capture enough data to hack a system.
with software that is now available, it is easy to do, and is done.
i am not saying that i do it, nor that i have done it. that would be admitting to a crime.
because it can be done legally when you have a tightly written contract that has been signed by whose system you crack.
nor am i going to make accusations that anyone who has posted to this list that it can be done and it is easy to do, because it is not a crime to do so to your own system to test it for security checking.
so, from the last 4 paragraphs, you can draw your own conclusions as to what i have done, or do not do. ;)
also, why do you think i use a pgp encrypted signature?
On 05/17/11 20:16, Kevin J. Cummings wrote:
On 05/17/2011 09:53 PM, JD wrote:
Well, I hate to disappoint anyone, but until I see a credible security researchers/professors show in a scientific publication that they were able to crack wpa2-psk/AES using PC's and in reasonable time (say a few days), then I would believe it. Youtube is no source of truth.
Believe it, JD. Try Googling: How To Crack WPA2
You'll be amazed at the number of matches that come up.
And some of these cracks are 4-5 years old! I believe many of them are particular to AES, and that TKIP is still (somewhat) more secure (meaning that it can take *much* longer to crack), but I can still find some hits that claim to be able to crack TKIP as well.
Google it. Look at where the hits are (you should look at more than just the first page of hits, too!)
Then decide if you are right or not.
TKIP is the feeble one. Two researchers in Japan busted TKIP in less than one minute using an ordinary PC.
On 5/17/11 6:20 PM, Marko Vojinovic wrote:
I didn't say that cracking wpa2-ps/aes is easy. I was saying that, whatever the security algorithm you are trying to crack, having a hidden SSID and filtered MAC is not going to make it *any* harder than having a public SSID and no MAC filtering. That data is essentially publicly available to anyone in range, and can be obtained with no effort at all. One doesn't even need the know-how, one can just type a single command in the terminal and have all that "hidden" stuff displayed on the screen. And that command is something you would type anyway if you want to crack a wireless network.
In other words, hiding SSID and filtering MACs adds absolutely *nothing* to the security of the network. It is not even an extra step that one would need to deal with while cracking. It is literally equivalent to a "please don't open me" sign on the door. Using a serious security algorithm is essential for a wireless network, but saying that hiding SSID and filtering MAC addresses adds an additional layer of security is just plain wrong.
However, for the casual observer, like the casual thief, not having an immediately visible door sends them elsewhere.
I'll try to make this simple for JD.
1. Hidden SSID. Standard practice.
2. MAC filtering. Standard practice.
3. WPA-2/AES with a well-thought-out passphrase. Standard practice.
4. WEP. Don't even think of it.
5. WPA. Don't even think of it.
6. Minimal power. Standard practice. (If I can't read your network, then I cannot hack it.)
7. Changing the channel. Standard practice and it prevents interference.
There are other things like network segregation and even logging into the router (I've seen both.)
However, the most IMPORTANT part is using WPA-2/AES. Your traffic can only then be sniffed by folks if they gain access to the wireless 'box' and manage to put the port into promiscuous mode. (WAP GAP.) That is why I love folks that leave their wireless router open and never change the default user/password. I managed to troubleshoot why a wireless system was not working at a business that way. Marko is correct in that there are tools that will discover the SSID and the MAC addresses of computers on the network. However, if you try to use my MAC address while I'm connected, the call to IT would be most interesting.
The point is that without encryption and total security, wireless is wide open. I've been making this analogy. Put a deadbolt on your doors, pin locks on your windows and do all the right things. It takes a determined thief to break in. Then you know you have something that someone wants...
The first part of security is knowing what NOT TO do, not what TO do.
James McKenzie
On 05/17/2011 12:36 PM, Frank Murphy wrote:
Also if it's your home wLan, hide it, don't broadcast the ssid. So those in your neighbourhood won't even know you have a wireless.
As many have pointed out - you should not disable SSID broadcast.
Disabling it offers zero security benefit and makes wifi work less well than it was designed to. Especially when there are multiple APs on the same SSID.
In fact a hidden SSID may even worsen security. It also violates 802.11 - and I believe later versions state that a computer may refuse to connect to any AP which does not broadcast its SSID in accordance with the standard ... someone can confirm that I'm sure.
For some reason this hidden SSID theory leaked from some bad well a long time ago and has managed to survive ... who knows why.
If you do it and find things (phones perhaps) refuse to connect to your AP - don't be surprised.
On 05/18/2011 03:09 AM, Patrick O'Callaghan wrote:
WEP is known to be vulnerable. WPA has some weaknesses in some circumstances. WPA2 however is thought to be secure if you use a hard-to-guess password.
as you say *thought to be secure*.
A quick look at Wikipedia could have told you this.
i am not aware of what wikipedia states. post a link and i will read it.
Just for completeness, I visited some of the referenced URLS:
as i stated, just a few, as i have too many to post them all, and what i did post was a search of bookmarks using wifi/wireless/wlan and hack for search. nor did i open any of the links i posted to see just exactly how they related.
as i said, and kevin j posted, a simple search via google will yield a very large list of sites that give information of what to use and how to do it.
In conclusion, the assertion that there are genuine WPA2 vulnerabilities (other than guessing passwords) remains unsupported.
i am not talking about guessing. and if you do not care to take time to run a google search to find truth, so be it.
but you can conclude this, i am not going to post in this thread or on any web site, step by step procedures of what and how to crack any system.
as i have mentioned in other threads, i have been involved in personal, corporate and national security and i will continue to maintain what i have been taught and learned.
in no way do i care to jeopardise the fact that i have held some of the highest military security clearances this country has.
summation, "loose lips sink ships".
On 05/18/2011 03:36 AM, James McKenzie wrote:
The first part of security is knowing what NOT TO do, not what TO do.
this is one point that too many fail at, and in such, set up a weak system.
once you *think* you have a secure system, it is time to test with all the tools you have available until realization that it is not going to be easy.
when you hit that point, you have an idea of when it is time to change security keys. then anyone making attempts will have to start all over. ;)
On 05/17/2011 11:36 PM, JD wrote:
TKIP is the feeble one. Two researchers in Japan busted TKIP in less than one minute using an ordinary PC.
You are correct. I just went and looked at my wireless router, and I'm using AES. I remember hearing about how feeble TKIP was 4 years ago, and immediately switched protocols on my home router from TKIP to AES. B^/ I just couldn't remember which was which.
I'm waiting for the next level new security that is unbreakable before buying my next new home wireless router. B^)
On Wed, 2011-05-18 at 03:55 +0000, g wrote:
On 05/18/2011 03:09 AM, Patrick O'Callaghan wrote:
WEP is known to be vulnerable. WPA has some weaknesses in some circumstances. WPA2 however is thought to be secure if you use a hard-to-guess password.
as you say *thought to be secure*.
Given that there does not exist any cryptographic system which is provably secure, with the exception of a one-time pad using a random key as long as the plaintext, "thought to be secure" is the best anyone can do.
A quick look at Wikipedia could have told you this.
i am not aware of what wikipedia states. post a link and i will read it.
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
Just for completeness, I visited some of the referenced URLS:
as i stated, just a few, as i have too many to post them all, and what i did post was a search of bookmarks using wifi/wireless/wlan and hack for search. nor did i open any of the links i posted to see just exactly how they related.
In other words, you didn't check that the links you posted were relevant to the point at issue.
When you post something relevant, I'll look at it. Telling people "there are plenty of references on Google" is not an argument.
poc
On 05/17/11 21:15, Kevin J. Cummings wrote:
On 05/17/2011 11:36 PM, JD wrote:
TKIP is the feeble one. Two researchers in Japan busted TKIP in less than one minute using an ordinary PC.
You are correct. I just went and looked at my wireless router, and I'm using AES. I remember hearing about how feeble TKIP was 4 years ago, and immediately switched protocols on my home router from TKIP to AES. B^/ I just couldn't remember which was which.
I'm waiting for the next level new security that is unbreakable before buying my next new home wireless router. B^)
I do not think there is one, nor will there be one (for public use). The gov would not allow its dissemination, and for good reason: can you imagine how easily it would be taken advantage of by criminals to cause damage? Perhaps there already are so called "unbreakable" methods being used by criminals, spies, ...etc. I don't really know.
All the "allowed" methods that you can access, download and use, can be easily broken by the gov/nsa. So, I gave up on the notion of unbreakable wifi protection long before wifi was so widespread.
Tim:
Completely pointless:
Your device is transmitting something, this is detectable. And it does so several times a second (i.e. it's continual).
James McKenzie:
True. Bet you have a lock on every door to your house as well. Turning off the SSID is a deterrent. Make them go somewhere else. Same with door locks. If I want to get into your house, I will. Even if it means using TNT.
They're completely unrelated. If you want to play with analogies, let me put it this way: Painting over the house's street number does not make it any harder to pick the lock.
SSID has *absolutely* nothing to do with security.
MAC filtering is useless as a security measure
It will take more 'work'. Make them go away.
It won't cause /them/ to expend any more effort to get in. The whole thing is automated, for complete idiots to be able to do it.
It does, however, make things more awkward for legit users to use a network. Your admin has to reconfigure the network for each new device. Any mistakes, or hardware changes, and you have to go through all that again. All that pain for absolutely no gain.
Again, make them go away. Determined criminals will enter your house. The common thief will rattle your front door, finding it locked and go away.
No, the common thief will just force their way in. Unless you fortify your house (which is actually illegal, here), one house is just about as easy as another to break into. One window, a weak door, etc.
These analogies are never good. You're trying to correlate two completely unrelated things.
The only places that I know of that have unsecured networks are coffee shops and maybe the occasional food establishment.
Most of which are almost too useless to use. Too slow, by virtue of how crap they are, or because they've been hacked and left infested.
Other than that, lock the damn door and secure it. Adding MAC whitelists is but one of five steps.. We've discussed the other two to the end.
MAC filtering isn't any part of security. It's as secure as a padlock made out of butter in the middle of summer. (Since you like bad analogies.)
Really MAC filtering is only barely useful as the most basic of management tools. e.g. You have a video game or mobile phone that automatically tries to log into a nearby network, and it's a pain to configure (or you can't). So you blacklist it, and have your net ignore it. But that can only work if whoever uses those devices doesn't reconfigure them to counteract your blacklist.
People keep promulgating useless and time-wasting methods for securing networks. Which is bad enough, in itself, as it wastes everyone's time implementing them and then trying to get the network working despite them. But worse, it gives people a false sense of security.
I don't do any of these useless things, never have, never will, they'll never make my network any more secure.
On Wednesday 18 May 2011 06:04:49 JD wrote:
On 05/17/11 21:15, Kevin J. Cummings wrote:
I'm waiting for the next level new security that is unbreakable before buying my next new home wireless router. B^)
I do not think there is one, nor will there be one (for public use). The gov would not allow its dissemination, and for good reason: can you imagine how easily it would be taken advantage of by criminals to cause damage? Perhaps there already are so called "unbreakable" methods being used by criminals, spies, ...etc. I don't really know.
Please keep in mind that this holds only for USA and a couple of other countries. As for the rest of the world, developing strong wireless encryption algorithms is not illegal, and they will probably be developed and implemented in the future.
All the "allowed" methods that you can access, download and use, can be easily broken by the gov/nsa.
Except for skype, of course... ;-) But that's old news. And now that Microsoft took it over, they will probably trade with the nsa for a backdoor... :-)
Best, :-) Marko
On Wednesday, May 18, 2011 07:01:53 AM Marko Vojinovic wrote:
Except for skype, of course... ;-) But that's old news. And now that Microsoft took it over, they will probably trade with the nsa for a backdoor... :-)
I apologize for the off topic remarks I am about to make.
I would be very surprised if skype didn't have back doors for governments.
Skype is proprietary and we can't examine the source for back doors.
There were allegations the Chinese Skype had a text chat back door. http://blogs.skype.com/en/2008/10/skype_president_addresses_chin.html
My paranoia causes me to believe the back doors don't stop with text chat. My paranoia causes me to believe multiple governments demanded back doors.
This is one of two reasons I don't want to use skype. The other reason I don't want to use skype is I don't want to be a super node.
In my mind, it would be very easy for governments to be men in the middle, to intercept interesting skype traffic, to be able to store conversations.
To put it plainly, I don't trust skype.
Sorry to go off topic. Flame me if you wish. I think I deserve to be flamed.
On Wed, May 18, 2011 at 09:39, Rick Sewill rsewill@gmail.com wrote:
My paranoia causes me to believe the back doors don't stop with text chat. My paranoia causes me to believe multiple governments demanded back doors.
http://en.wikipedia.org/wiki/Lotus_Software
"Prior to that year, Lotus had been restricted from exporting software that used encryption keys that were longer than 40 bits by United States law. Under an agreement with the US government, Lotus was allowed to start exporting 64 bit keys, so long as 24 bits of each key were recoverable using a special key issued by Lotus to the NSA. The result was that the newer version of Lotus Notes provided stronger protection against industrial espionage than any previous version had been allowed to provide, and it provided no less protection against decryption by the NSA than the previous versions had given."
FC
On 18 May 2011 12:23, Tim ignored_mailbox@yahoo.com.au wrote:
Really MAC filtering is only barely useful as the most basic of management tools. e.g. You have a video game or mobile phone that automatically tries to log into a nearby network, and it's a pain to configure (or you can't). So you blacklist it, and have your net ignore it. But that can only work if whoever uses those devices doesn't reconfigure them to counteract your blacklist.
Another possible application is if you have a number of devices in a department and you want to revoke access for one for some reason, but you don't want to change passwords every time you do this, so you can temporarily disable access until the next time you update passwords/encryption keys.
On Wed, 2011-05-18 at 14:20 +0100, Ian Malone wrote:
Another possible application is if you have a number of devices in a department and you want to revoke access for one for some reason, but you don't want to change passwords every time you do this, so you can temporarily disable access until the next time you update passwords/encryption keys.
That may well be, but messing with MAC filtering is still not "security."
On 05/18/11 20:33, charles zeitler wrote:
-- Do what thou wilt shall be the whole of the Law.
On Wed, May 18, 2011 at 12:04 AM, JD jd1008@gmail.com wrote:
On 05/17/11 21:15, Kevin J. Cummings wrote:
On 05/17/2011 11:36 PM, JD wrote:
I'm waiting for the next level new security that is unbreakable before buying my next new home wireless router. B^)
I do not think there is one, nor will there be one (for public use). The gov would not allow its dissemination,
as long as strong encryption is illegal, only criminals will use strong encryption.
charles zeitler
Love is the law, love under will.
+1 However, I am more of a believer that the Will must serve Love :) :)
On 05/18/2011 06:23 AM, Tim wrote:
Tim:
Completely pointless:
Your device is transmitting something, this is detectable. And it does so several times a second (i.e. it's continual).
James McKenzie:
True. Bet you have a lock on every door to your house as well. Turning off the SSID is a deterrent. Make them go somewhere else. Same with door locks. If I want to get into your house, I will. Even if it means using TNT.
They're completely unrelated. If you want to play with analogies, let me put it this way: Painting over the house's street number does not make it any harder to pick the lock.
SSID has *absolutely* nothing to do with security.
MAC filtering is useless as a security measure
It will take more 'work'. Make them go away.
It won't cause /them/ to expend any more effort to get in. The whole thing is automated, for complete idiots to be able to do it.
It does, however, make things more awkward for legit users to use a network. Your admin has to reconfigure the network for each new device. Any mistakes, or hardware changes, and you have to go through all that again. All that pain for absolutely no gain.
Again, make them go away. Determined criminals will enter your house. The common thief will rattle your front door, finding it locked and go away.
No, the common thief will just force their way in. Unless you fortify your house (which is actually illegal, here), one house is just about as easy as another to break into. One window, a weak door, etc.
These analogies are never good. You're trying to correlate two completely unrelated things.
The only places that I know of that have unsecured networks are coffee shops and maybe the occasional food establishment.
Most of which are almost too useless to use. Too slow, by virtue of how crap they are, or because they've been hacked and left infested.
Other than that, lock the damn door and secure it. Adding MAC whitelists is but one of five steps.. We've discussed the other two to the end.
MAC filtering isn't any part of security. It's as secure as a padlock made out of butter in the middle of summer. (Since you like bad analogies.)
Really MAC filtering is only barely useful as the most basic of management tools. e.g. You have a video game or mobile phone that automatically tries to log into a nearby network, and it's a pain to configure (or you can't). So you blacklist it, and have your net ignore it. But that can only work if whoever uses those devices doesn't reconfigure them to counteract your blacklist.
People keep promulgating useless and time-wasting methods for securing networks. Which is bad enough, in itself, as it wastes everyone's time implementing them and then trying to get the network working despite them. But worse, it gives people a false sense of security.
I don't do any of these useless things, never have, never will, they'll never make my network any more secure.
Time to add some more confusion to the pie. If you want security by obscurity, you could use wireless a instead of b/g/n - Most people no longer use it, the gear is cheap to buy used, and I have only seen it built into a few high-end laptops. I have also seen a few access points that will support it, along with the more usual protocols.
Another security precaution that sort of helps for a home system, if you live in a house, is to put the access point in the basement. That way, the signal strength outside the house is usually too low to let someone connect. You may also have the option of controlling the output power of the access point.
Now for a slightly more realistic setup. My access point allows me to control the access it gives to wireless users. I use a setup that does not let wireless connections talk to each other, or the Internet. You need to set up a VPN to do anything useful.
As soon as I find the time, I want to upgrade the software, so I can give the wireless users a different subnet, and block everything not required to set up a VPN to my server.
Neither method is totally secure, but the standard cracking programs will not handle it. So the script kiddies will go somewhere else. On the other hand, it offers more of a challenge to a knowledgeable cracker, so it does have its down side. I do have one more measure that will slow them down - most of my network is wired, and the wireless is shut down except when I need it. I do not even have to reboot when turning it off or on.
There is one last measure that will really lock down your wireless network - put a Faraday cage around your house - nobody will be able to crack your network from the outside, monitor your cordless phone, etc. The downsides are the cost, and none of your devices will work outside the house, and cell phones will not work inside without adding some extra equipment.
This is by no means an exhaustive list, but I am not going to go into more advanced things like using a VPN router, with true routing turned on, and a separate wireless access point on its own subnet, etc...
Mikkel
--
Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
On Thu, 2011-05-19 at 08:25 -0500, Mikkel L. Ellertson wrote:
Time to add some more confusion to the pie.
I'm not sure that's a good idea.
Another security precaution that sort of helps for a home system, if you live in a house, is to put the access point in the basement. That way, the signal strength outside the house is usually too low to let someone connect. You may also have the option of controlling the output power of the access point.
Though you're only going by the ordinary antenna in your gear. A better antenna may be more than enough to still work with a muffled signal. So this isn't a trick that you want to rely on.
Now for a slightly more realistic setup. My access point allows me to control the access it gives to wireless users. I use a setup that does not let wireless connections talk to each other, or the Internet. You need to set up a VPN to do anything useful.
In essence, you're moving the security from the wireless to other parts of your network. If that /other/ thing is safe, then this is (almost) fine. Merely connecting to a wireless network, but that network being unable to communicate any further, does initially make connecting to it useless. But if they manage to reconfigure your wireless access point, they may introduce some compromise to your system.
most of my network is wired, and the wireless is shut down except when I need it. I do not even have to reboot when turning it off or on.
A practical approach. Though I've found that NetworkManager can throw a tantrum if it's been unable to connect for a while, and won't reconnect without manual intervention. So, you want to fire your WLAN up well before trying to use it.
There is one last measure that will really lock down your wireless network - put a Faraday cage around your house - nobody will be able to crack your network from the outside, monitor your cordless phone, etc. The downsides are the cost, and none of your devices will work outside the house, and cell phones will not work inside without adding some extra equipment.
A properly implemented Faraday cage may well stymie the usual hacker, but most will probably have faults that would allow the knowledgeable hacker to get past it. E.g. you need to RF-filter and shield the power wiring going into it.
All theories aside, the most that most people will have to deal with are: Neighbours accidentally connecting to the wrong unsecured network, which even the most token effort will prevent. And the clueless turnkey hacker, who just wants free internet, and WPA2 with the right options and a decent passphrase will prevent that.
Unfortunately, various routers default to being completely insecure, or ticking a simple "enable security" configuration option puts it into combined WPA (1) *and* WPA2 mode simultaneously (or WEP & WPA), and the weaker one ruins any attempt at security. Not to mention the dumb passwords that some people will use.
On Tuesday, May 17, 2011 11:36:50 PM James McKenzie wrote:
I'll try to make this simple for JD.
- Hidden SSID. Standard practice.
[snip]
- Changing the channel. Standard practice and it prevents interference.
8. Turn off the router and the connection when (if) you're not using it.
My home connection gets relatively little use; it stays off unless I or my wife are actively online, which varies as to time and duration, but rarely if ever is the connection up for longer than four hours per day. The casual 'connection sharer' won't want to piggyback an 'unreliable' connection.
9. Change the passphrase frequently, using a wired connection to do it.
On Tuesday, May 17, 2011 02:10:21 PM Tim wrote:
Password length and weirdness increases security. You're less likely to be hacked by lucky guesses if you don't have plain words in there. Certainly don't use real names, phone numbers, birthdates, or anything else that's easy for someone else to find out about you.
And don't think that 1337 spelling will help your security.....
On Tuesday, May 17, 2011 02:35:09 PM Michael Cronenworth wrote:
SSID hiding is *not* secure. It is *not* a deterrent. Security through obscurity is *not* security.
SSID hiding isn't about security. It's about being able to show that someone who hacked into your network intended to do so, it didn't just pop up on their screen as an open access point that they accidentally used..... 'goes to intent' that is.
On 05/19/2011 02:10 PM, Lamar Owen wrote:
On Tuesday, May 17, 2011 02:35:09 PM Michael Cronenworth wrote:
SSID hiding is *not* secure. It is *not* a deterrent. Security through obscurity is *not* security.
SSID hiding isn't about security. It's about being able to show that someone who hacked into your network intended to do so, it didn't just pop up on their screen as an open access point that they accidentally used..... 'goes to intent' that is.
Still a bad idea - some things may, for anything that violates the 802.11 standards (such as non-broadcast of SSID), choose not to connect to your router. That means some of your client devices may no longer work ...
This is especially true if there are multiple wifi access points on same SSID (standard practice for roaming in your big office/house case). Hiding the SSID will break roaming completely.
So, turning off SSID broadcast is really not a good suggestion.
On 05/19/2011 11:45 AM, Genes MailLists wrote:
So, turning off SSID broadcast is really not a good suggestion.
If you have only one access point and no devices that insist on getting the SSID before connecting, turning off SSID broadcast does have the same effect as a No Trespassing sign: it tells random strangers to stay away. If they ignore your sign they can't claim "I didn't know I wasn't welcome," because they've been warned. Yes, it doesn't keep them away, but it may make it easier to prosecute them if they get caught. Granted, that's not likely to be a consideration for your average home user, but it might be for a small to medium business.
On 05/19/2011 01:56 PM, Joe Zeff wrote:
On 05/19/2011 11:45 AM, Genes MailLists wrote:
So, turning off SSID broadcast is really not a good suggestion.
If you have only one access point and no devices that insist on getting the SSID before connecting, turning off SSID broadcast does have the same effect as a No Trespassing sign: it tells random strangers to stay away. If they ignore your sign they can't claim "I didn't know I wasn't welcome," because they've been warned. Yes, it doesn't keep them away, but it may make it easier to prosecute them if they get caught. Granted, that's not likely to be a consideration for your average home user, but it might be for a small to medium business.
I would think that using any of the encryption methods available on a router would do a much better job of that. Especially for Windows users that get the little lock symbol in the information bar for that access point.
All I can see turning off the SSID broadcast does is make it more difficult for legitimate users...
Mikkel
On Thursday, May 19, 2011 02:45:38 PM Genes MailLists wrote:
Still a bad idea - some things may, for anything that violates the 802.11 standards (such as non-broadcast of SSID), choose not to connect to your router. That means some of your client devices may no longer work ...
That's fine. There's only two devices I need to use my AP, and both deal just fine with 'hidden' AP's. There are other things that violate the 'standards' too that many do anyway.... Some folks' use cases will find this 'breakage' to be a feature.
This is especially true if there are multiple wifi access points on same SSID (standard practice for roaming in your big office/house case). Hiding the SSID will break roaming completely.
Not a problem here. Rural area.
So, turning off SSID broadcast is really not a good suggestion.
It depends on what you want to do. Hammers are great for driving nails, but that doesn't mean that's the only thing they're good for. I've repurposed a lot of networking equipment for doing things for which it was never intended..... :-)
On 05/19/2011 02:56 PM, Joe Zeff wrote:
On 05/19/2011 11:45 AM, Genes MailLists wrote:
So, turning off SSID broadcast is really not a good suggestion.
If you have only one access point and no devices that insist on getting the SSID before connecting, turning off SSID broadcast does have the same effect as a No Trespassing sign: it tells random strangers to stay away.
No trespassing signs are often of more interest to those who want to trespass ... after all, anyone with something to hide might be of more interest ... :-)
If you guys want to do things which violate the standards and make things less/not functional - fine - you're knowledgeable enough to deal with any ensuing problems.
But the point here is please don't offer that advice to others as a general set of instructions ... it's really bad advice ... or at least caveat it as such if you insist on offering bad advice.
Add something like: this is bad advice and you may have problems - but I am comfortable taking those risks and it seems to work for me anyway and I haven't noticed problems .. ymmv.
20.05.2011, 03:10, "Lamar Owen" lowen@pari.edu:
On Tuesday, May 17, 2011 02:35:09 PM Michael Cronenworth wrote:
SSID hiding is *not* secure. It is *not* a deterrent. Security through obscurity is *not* security.
SSID hiding isn't about security. It's about being able to show that someone who hacked into your network intended to do so, it didn't just pop up on their screen as an open access point that they accidentally used..... 'goes to intent' that is.
Once I was out with my notebook when I came up with an urgent need for the Internets. I saw several access points on the list. But they were all protected and I wanted online so bad it made me want to crack them down. If these were hidden in the first place I may never have gotten the idea to learn the skill.
So I personally prefer not to broadcast.
-- Best regards, Misha Shnurapet, Fedora Project Contributor https://fedoraproject.org/wiki/Shnurapet shnurapet AT fedoraproject.org, GPG: 00217306
On 05/19/2011 10:43 PM, Misha Shnurapet wrote:
20.05.2011, 03:10, "Lamar Owen" lowen@pari.edu:
Once I was out with my notebook when I came up with an urgent need for the Internets. I saw several access points on the list. But they were all protected and I wanted online so bad it made me want to crack them down. If these were hidden in the first place I may never have gotten the idea to learn the skill.
So I personally prefer not to broadcast.
If you use any tool to scan wifi networks - you'll see SSID's whether they are broadcast or not ... and they will be just as attackable as non-broadcast ...
In fact some believe the non-broadcast SSID networks are preferable to attack, because the person who has them hidden (a) may be trying to hide something and (b) seems to have less understanding of security, so they may make an easier target ...
To each his own - all I am asking is not to give bad advice to others - do whatever you want to your own network ...
20.05.2011, 11:53, "Genes MailLists" lists@sapience.com:
If you use any tool to scan wifi networks - you'll see SSID's whether they are broadcast or not ...
Nope, if you're a plain user like me using an applet to "scan" you'll only see what's broadcast. And many people are. Do not provoke them, at least?
On Fri, 2011-05-20 at 12:19 +0900, Misha Shnurapet wrote:
Nope, if you're a plain user like me using an applet to "scan" you'll only see what's broadcast.
Nope, depending on your client, you'll see them all. Even Windows did that. You'd see a list of *all* transmitting access points, and the ones with the so-called hidden SSID listed as "unnamed."
It really is bogus advice to hide it.
1. Clueless user follows bogus advice, falsely believes it makes them safer.
2. Clueless user, then, finds things that they want to connect to their WLAN, now, won't connect.
3. Clueless user has to ask for help.
4. Wastes all our time.
5. Slightly clueful user, now, starts to broadcast their SSID and everything works fine.
6. Or, pigheaded clueless user continues to hide their SSID, and continues to fight with WLAN and mailing list...
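Why a network with a "hidden" SSID still shows up in a client's list as an unnamed entry, as an added example that is not part of the thread: the access point keeps transmitting beacon frames, it merely sends an SSID element with an empty body. The Python below parses the information-element (tag, length, value) section of two constructed beacon bodies for the same network, one carrying the name and one with it blanked, and reports what a client can learn from each. The byte strings are constructed for the example, not captured traffic; the element IDs (0 for SSID, 3 for the DS parameter set, 48 for RSN) and the 00-0F-AC suite selectors are the values the 802.11 standard assigns.

```python
"""Decode the information elements (IEs) of an 802.11 beacon and report what a
client can learn from it.  Added example with constructed data, not a capture.

Each IE is: 1 byte element ID, 1 byte length, then the body.  A "hidden"
network still beacons; it just sends an SSID element that is empty (or all
zero bytes), which is why clients list it as unnamed rather than not at all.
"""
import struct

SSID_ID = 0        # element ID of the SSID
DS_PARAM_ID = 3    # DS parameter set: current channel
RSN_ID = 48        # RSN (WPA2) security element
OUI_IEEE = b"\x00\x0f\xac"                 # suite selectors defined by 802.11
CIPHER_NAMES = {2: "TKIP", 4: "CCMP"}      # CCMP is the AES-based cipher
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def parse_ies(blob: bytes) -> dict:
    """Split the tagged-parameter section into {element_id: body}."""
    ies = {}
    pos = 0
    while pos + 2 <= len(blob):
        eid, length = blob[pos], blob[pos + 1]
        body = blob[pos + 2 : pos + 2 + length]
        if len(body) != length:
            raise ValueError(f"truncated element id={eid}")
        ies[eid] = body
        pos += 2 + length
    return ies


def describe_ssid(body):
    if body is None:
        return "<no SSID element>"
    if not body.strip(b"\x00"):          # zero-length or null-filled: "hidden"
        return "<unnamed>"
    return body.decode("utf-8", errors="replace")


def _suite_name(suite: bytes, table: dict) -> str:
    if suite[:3] == OUI_IEEE:
        return table.get(suite[3], f"type {suite[3]}")
    return suite.hex()                   # vendor-specific selector


def describe_rsn(body):
    """Summarise the RSN element: version, group/pairwise ciphers, AKM suites."""
    if body is None:
        return "none advertised (open or WEP)"
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite_name(body[2:6], CIPHER_NAMES)
    (n_pair,) = struct.unpack_from("<H", body, 6)
    pairwise = [_suite_name(body[8 + 4 * k : 12 + 4 * k], CIPHER_NAMES) for k in range(n_pair)]
    off = 8 + 4 * n_pair
    (n_akm,) = struct.unpack_from("<H", body, off)
    akms = [_suite_name(body[off + 2 + 4 * k : off + 6 + 4 * k], AKM_NAMES) for k in range(n_akm)]
    return f"WPA2 (RSN v{version}): group {group}, pairwise {'/'.join(pairwise)}, auth {'/'.join(akms)}"


def summarize(blob: bytes) -> dict:
    """What a scanning client learns: name (if any), channel, security suite."""
    ies = parse_ies(blob)
    return {
        "ssid": describe_ssid(ies.get(SSID_ID)),
        "channel": ies[DS_PARAM_ID][0] if DS_PARAM_ID in ies else None,
        "security": describe_rsn(ies.get(RSN_ID)),
    }


def build_ie(eid: int, body: bytes) -> bytes:
    return bytes([eid, len(body)]) + body


# Constructed RSN body: version 1, group cipher CCMP, one pairwise suite
# (CCMP), one AKM suite (PSK), RSN capabilities 0.
RSN_BODY = (b"\x01\x00" + OUI_IEEE + b"\x04"
            + b"\x01\x00" + OUI_IEEE + b"\x04"
            + b"\x01\x00" + OUI_IEEE + b"\x02"
            + b"\x00\x00")

# The same constructed network, beaconed with and without its name.
BEACON_VISIBLE = build_ie(SSID_ID, b"HomeWLAN") + build_ie(DS_PARAM_ID, b"\x06") + build_ie(RSN_ID, RSN_BODY)
BEACON_HIDDEN = build_ie(SSID_ID, b"") + build_ie(DS_PARAM_ID, b"\x06") + build_ie(RSN_ID, RSN_BODY)

if __name__ == "__main__":
    for label, frame in (("visible", BEACON_VISIBLE), ("hidden", BEACON_HIDDEN)):
        print(label, summarize(frame))
```

Both variants decode to the same channel and the same WPA2/CCMP/PSK advertisement; the only thing the scanning client loses is the name, which is exactly the entry that appears as "unnamed" or "<unknown>" in a network list. Whether the link can be joined is decided entirely by the RSN element and the passphrase behind it, not by whether the SSID body was filled in.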
On 05/19/11 21:14, Tim wrote:
On Fri, 2011-05-20 at 12:19 +0900, Misha Shnurapet wrote:
Nope, if you're a plain user like me using an applet to "scan" you'll only see what's broadcast.
Nope, depending on your client, you'll see them all. Even Windows did that. You'd see a list of *all* transmitting access points, and the ones with the so-called hidden SSID listed as "unnamed."
It really is bogus advice to hide it.
1. Clueless user follows bogus advice, falsely believes it makes them safer.
2. Clueless user, then, finds things that they want to connect to their WLAN, now, won't connect.
3. Clueless user has to ask for help.
4. Wastes all our time.
5. Slightly clueful user, now, starts to broadcast their SSID and everything works fine.
6. Or, pigheaded clueless user continues to hide their SSID, and continues to fight with WLAN and mailing list...
Tim, your points are way too generalized. No one said not broadcasting alone will make you safer. It is advised as part of the larger defense scheme of choosing a strong protocol, a strong encryption scheme, a 63 byte string, preferably random if user can work with it, ...etc ...etc. You keep harping about a point that is just one of several to help individuals be as safe as possible, while keeping things manageable. You proceed on the assumption that everyone who wants to connect to your wlan is a savvy hacker with the right tools. I do not think that that is the case. Furthermore, all the postings of links that show how wpa2-psk/aes is easily broken are nothing but lies. It takes hefty computing power, like a massively parallel machine, and the right code breaking algorithms, which are in the domains of highly educated researchers. Gov has made it illegal to publish such algorithms, at least in the USA. As I challenged another OP: Show us a respectable scientific publication showing that wpa2-psk/AES with a decent passphrase was broken by a modern pc running windows or linux in a short time. And please: spare us the youtube junk.
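The "63 byte string, preferably random" that JD recommends, worked through as an added example that is not code from the thread: 802.11i defines a WPA2-PSK passphrase as 8 to 63 printable ASCII characters (the 64-hex-digit form some routers also accept is the raw 256-bit key, not a passphrase), and derives the pairwise master key from it as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits out. The Python below generates a maximum-length passphrase from the OS CSPRNG, estimates its entropy, and performs that derivation. The SSID "HomeWLAN" in the demo is a constructed value; the "password"/"IEEE" pair checked in the test is the published 802.11i test vector.

```python
"""Generate a maximum-length WPA2-PSK passphrase and derive the pairwise
master key (PMK) from it the way 802.11i specifies.  Added example, not code
from the thread.

Passphrase form: 8 to 63 printable ASCII characters.  The 64-hex-digit form
some routers also accept is the raw 256-bit PSK itself, not a passphrase.
PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
"""
import hashlib
import math
import secrets
import string

# 94 printable ASCII characters (0x21-0x7E).  Space is valid in the standard
# but is left out because many router UIs trim or mangle it.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_PASSPHRASE_LEN, MAX_PASSPHRASE_LEN = 8, 63


def generate_passphrase(length: int = MAX_PASSPHRASE_LEN) -> str:
    """Uniformly random passphrase from the OS CSPRNG (secrets), not random.random."""
    if not MIN_PASSPHRASE_LEN <= length <= MAX_PASSPHRASE_LEN:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int = MAX_PASSPHRASE_LEN,
                            alphabet_size: int = len(PASSPHRASE_ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation.  The SSID is the salt, so the same passphrase
    yields a different PMK on a differently named network."""
    if not MIN_PASSPHRASE_LEN <= len(passphrase) <= MAX_PASSPHRASE_LEN:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    pp = generate_passphrase()
    print(f"passphrase ({len(pp)} chars, ~{passphrase_entropy_bits():.0f} bits): {pp}")
    # "HomeWLAN" is a constructed SSID for the demonstration.
    print("PMK:", derive_pmk(pp, "HomeWLAN").hex())
```

Two things the numbers make visible: a 63-character string drawn from 94 symbols carries about 413 bits of entropy, far more than the 256-bit PMK can hold, so anything beyond roughly 40 truly random characters adds nothing against an exhaustive key search but costs nothing either; and because the SSID salts the derivation, an offline guessing run against one network's handshake cannot be reused against another network with the same passphrase, which is a reason to avoid a default SSID, not a reason to hide it.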
On 2011/05/19 21:30, JD wrote:
On 05/19/11 21:14, Tim wrote:
On Fri, 2011-05-20 at 12:19 +0900, Misha Shnurapet wrote:
Nope, if you're a plain user like me using an applet to "scan" you'll only see what's broadcast.
Nope, depending on your client, you'll see them all. Even Windows did that. You'd see a list of *all* transmitting access points, and the ones with the so-called hidden SSID listed as "unnamed."
It really is bogus advice to hide it.
1. Clueless user follows bogus advice, falsely believes it makes them safer.
2. Clueless user, then, finds things that they want to connect to their WLAN, now, won't connect.
3. Clueless user has to ask for help.
4. Wastes all our time.
5. Slightly clueful user, now, starts to broadcast their SSID and everything works fine.
6. Or, pigheaded clueless user continues to hide their SSID, and continues to fight with WLAN and mailing list...
Tim, your points are way too generalized. No one said not broadcasting alone will make you safer. It is advised as part of the larger defense scheme of choosing a strong protocol, a strong encryption scheme, a 63 byte string, preferably random if user can work with it, ...etc ...etc. You keep harping about a point that is just one of several to help individuals be as safe as possible, while keeping things manageable. You proceed on the assumption that everyone who wants to connect to your wlan is a savvy hacker with the right tools. I do not think that that is the case. Furthermore, all the postings of links that show how wpa2-psk/aes is easily broken are nothing but lies. It takes hefty computing power, like a massively parallel machine, and the right code breaking algorithms, which are in the domains of highly educated researchers. Gov has made it illegal to publish such algorithms, at least in the USA. As I challenged another OP: Show us a respectable scientific publication showing that wpa2-psk/AES with a decent passphrase was broken by a modern pc running windows or linux in a short time. And please: spare us the youtube junk.
Oh, but not broadcasting is handy if you have the ability to setup two or three WLANs. Broadcast from one. Have it override DNS and redirect to a simple minded javascript "take over your machine" page. Or redirect it to the newest Windows Anti-Virus scam. Or ... well, I am sure your imagination is worse (better? Depends) than mine.
Of course, you use the one that's not broadcasting the SSID. And you use software clever enough to try anyway on your laptop.
{^_-}
20.05.2011, 13:14, "Tim" ignored_mailbox@yahoo.com.au:
6. Or, pigheaded clueless user continues to hide their SSID, and continues to fight with WLAN and mailing list...
Gladly we don't have such people around here, oink!
On Friday 20 May 2011 05:30:11 JD wrote:
On 05/19/11 21:14, Tim wrote:
On Fri, 2011-05-20 at 12:19 +0900, Misha Shnurapet wrote:
Nope, if you're a plain user like me using an applet to "scan" you'll only see what's broadcast.
Nope, depending on your client, you'll see them all. Even Windows did that. You'd see a list of *all* transmitting access points, and the ones with the so-called hidden SSID listed as "unnamed."
It really is bogus advice to hide it.
1. Clueless user follows bogus advice, falsely believes it makes them safer.
2. Clueless user, then, finds things that they want to connect to their WLAN, now, won't connect.
3. Clueless user has to ask for help.
4. Wastes all our time.
5. Slightly clueful user, now, starts to broadcast their SSID and everything works fine.
6. Or, pigheaded clueless user continues to hide their SSID, and continues to fight with WLAN and mailing list...
Tim, your points are way too generalized. No one said not broadcasting alone will make you safer. It is advised as part of the larger defense scheme
That is very bad advice. Hiding SSID has *nothing* to do with any security, and suggesting that it does is just a mirage, giving a casual reader a false sense of security. It (a) breaks regular WLAN functionality and (b) gains absolutely nothing in terms of security. Such a setup can be useful only if you intentionally want to break the regular functionality of your wireless network. There are some scenarios where that might be useful, but none of them have anything to do with security.
If you want to secure a wireless network, implement wpa2-psk/aes and use strong passphrases for everything. That is the *only* thing that makes your wlan reasonably secure. But hiding SSID, filtering MAC addresses, is just useless in terms of security.
I believe that was Tim's point as well.
of choosing a strong protocol, a strong encryption scheme, a 63 byte string, preferably random if user can work with it, ...etc ...etc. You keep harping about a point that is just one of several to help individuals be as safe as possible, while keeping things manageable.
Tim is not harping, he is just trying to point out (as I did) that it is *not* one of the several things to help individuals be as safe as possible. It gains exactly *zero* in terms of wireless security.
If you think that hiding SSID will help with security, you might as well add that hanging a pack of onions in front of the house will also help make your wireless more secure (in case of a vampire hacker attack, I guess :-) ). It is advice of the same quality, security-wise. IOW, an urban legend (or a rural one, depending on your preference ;-) ).
You proceed on the assumption that everyone who wants to connect to your wlan is a savvy hacker with the right tools. I do not think that that is the case.
Those without the right tools will not be able to break in, even if you have only a stupid plaintext password security implemented. Those with the right tools (even incompetent idiots with the right tools, aka script-kiddies) will not even notice that your SSID is hidden, because the tools just don't make the difference between hidden and public.
Anyway, I believe both Tim and I have made our point for the readers of this thread who wish to hear and understand. If you still think it's a good idea, go ahead. Everyone is allowed to dream as they like, there's no point in repeating "it's not real, it's not real" to a determined dreamer... ;-)
Best, :-) Marko
On 05/20/2011 05:07 PM, Marko Vojinovic wrote:
If you think that hiding SSID will help with security, you might as well add that hanging a pack of onions in front of the house will also help make your wireless more secure
There's your problem.... It should be "garlic"! :-) :-)
On Friday 20 May 2011 10:10:14 Ed Greshko wrote:
On 05/20/2011 05:07 PM, Marko Vojinovic wrote:
If you think that hiding SSID will help with security, you might as well add that hanging a pack of onions in front of the house will also help make your wireless more secure
There's your problem.... It should be "garlic"! :-) :-)
Oh my, you're right! Garlic! :-)
LOL :-D
Best, :-) Marko
On 05/20/2011 04:30 AM, JD wrote:
Tim, your points are way too generalized.
as this whole thread has been.
open a browser, log google at;
http://www.google.com/advanced_search?hl=en&num=100
*leave quotes and plus sign just as they are shown*.
enter this in 'all these words';
"crack+wpa2" "cracking+wpa2"
about 1,600 results.
open a second tab, log above link, enter this in 'all these words';
"hack+wpa2" "hacking+wpa2"
about 717 results.
open a third tab, log above link, enter this in 'all these words';
"crack+wpa2" "cracking+wpa2" "hack+wpa2" "hacking+wpa2"
about 234 results.
open a fourth tab, log above link, enter this in 'this exact wording or phrase';
crack+wpa2 cracking+wpa2 hack+wpa2 hacking+wpa2
results not shown.
open a fifth tab, log above link, enter this in 'this exact wording or phrase';
securing wpa2
4 results.
in all of above results;
you will find pro and con about 'ssid'. you will find wpa2 can be hacked if key is weak.
*but*, the main thing about all of this, and should be and needs to be _understood_, if you do not read these links to see how and what is being shown and then run these procedures against your own system, you just might be vulnerable and your system can/may be hacked.
debating who is right and who is wrong about what, is doing nothing but wasting time that should be spent testing your system to ensure that what is being shown on internet can not be used to crack/hack your system.
*note*, use of words "you" and "your" is not directed at any one person in this thread. they are used in a general term and in no way reflect upon any persons living or dead.
hth.
later.
g wrote:
open a browser, log google at;
http://www.google.com/advanced_search?hl=en&num=100
*leave quotes and plus sign just as they are shown*.
enter this in 'all these words';
"crack+wpa2" "cracking+wpa2"
about 1,600 results.
Or enter
"riemann hypothesis proof"
about 120,000 results. One of those MUST be right ...
On Fri, May 20, 2011 at 5:27 AM, Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Thu, 2011-05-19 at 21:30 -0700, JD wrote:
Gov has made it illegal to publish such algorithms, at least in the USA.
Evidence?
Not so. DES, 3DES and AES are all PUBLISHED algorithms and are used by the DoD/NSA (CISSP training from (ISC)2 as source.) PGP using IDEA is a published algorithm. There are NO bans against publishing them, just distributing them to "controlled countries" by US law. Fedora/RedHat have had to take the position that they will supply the packages to only those who do not export to controlled countries or banned individuals.
The KEY to security is a STRONG KEY, if using PGP (asymmetric key algorithm) keeping your private key private, and keeping a shared secret so. WPA-2 + AES is a published standard and algorithm. It is best to use a very strong, 168+ bit, key and keeping it secure.
Thus, the key to securing your Wireless network is a combination of using very strong cryptography and very good physical security (knowing who is connected and why and who is connected to your wired+wireless router physically.)
James McKenzie
On 05/20/2011 12:27 PM, Patrick O'Callaghan wrote:
On Fri, 2011-05-20 at 09:46 +0000, g wrote:
in all of above results;
you will find pro and con about 'ssid'. you will find wpa2 can be hacked if key is weak.
As I said before, I don't need to open any of these links to know that a weak password gives poor security.
my apologies for addressing my post to you and naming you specifically as who it was intended.
in addition, "pgp", ie, "pretty good privacy".
maybe you, 'poc' should look up the history of pgp.
like in what country it was designed, what country was against it and requested/forced pgp's withdrawal, and what country it was again released from.
would you like for me to google that for you?
better yet, have a look at this;
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
and to insure that you do not miss link in above page, look at;
http://en.wikipedia.org/wiki/Phil_Zimmermann
while there, do note headings: "Background" and "PGP".
i guess people on _your_ side of 'the big pond' are not as familiar as those of us on this side.
On 2011/05/20 02:07, Marko Vojinovic wrote:
On Friday 20 May 2011 05:30:11 JD wrote:
Tim, your points are way too generalized. No one said not broadcasting alone will make you safer. It is advised as part of the larger defense scheme
That is very bad advice. Hiding SSID has *nothing* to do with any security, and suggesting that it does is just a mirage, giving a casual reader a false sense of security. It (a) breaks regular WLAN functionality and (b) gains absolutely nothing in terms of security. Such a setup can be useful only if you intentionally want to break the regular functionality of your wireless network. There are some scenarios where that might be useful, but none of them have anything to do with security.
If you want to secure a wireless network, implement wpa2-psk/aes and use strong passphrases for everything. That is the *only* thing that makes your wlan reasonably secure. But hiding SSID, filtering MAC addresses, is just useless in terms of security.
I believe that was Tim's point as well.
If you want real security use an encrypted vlan over the wireless link.
{^_^}
On 05/20/2011 02:20 PM, g wrote:
better yet, have a look at this;
in addition:
yes, i went back and re-read page.
to me, there are fine points between the meanings of, publishing, exporting, and making available on a web site.
Phil did exactly what he should have done. and, i would say, a very strong reason that charges were dropped.
On Thu, 2011-05-19 at 21:30 -0700, JD wrote:
Tim, your points are way too generalized.
I've made specific points, already in this thread.
No one said not broadcasting alone will make you safer. It is advised as part of the larger defense scheme of choosing a strong protocol, a strong encryption scheme, a 63 byte string, preferably random if user can work with it, ...etc ...etc.
I've seen posts where it declares not broadcasting a SSID makes it safer. It does not. It does not in any way.
As such, it is not part of any broader scheme of making it safer. All it is, is a waste of time. And that is ALL that it is.
Get it through your head, you and everyone else, that messing with the SSID has ABSOLUTELY NOTHING TO DO WITH ANY SORT OF SECURITY. Arguing with me, and anyone else about this does NOT change the *facts*.
That's a very specific statement, and I've made it before. There are no counter arguments to it. Every single attempt that people have made to try and justify the bogus claim about hiding the SSID being a security step has been wrong.
Perhaps we need to be even clearer: Security means locking out unwanted connections. It means steps that actually fulfil that purpose. It does not include anything that doesn't actually have that ability.
SSID *cannot* be used to "restrict access," it is not part of its function.
You keep harping about a point
Clueless people keep harping on about doing something that doesn't do what they think it does, but does actually cause other problems.
You proceed on the assumption that everyone who wants to connect to your wlan is a savvy hacker with the right tools.
No I do not. I've said, several times, and so have others, that you do not need to be any sort of tech savvy hacker to bypass this fallacy. It can by sidestepped by those who have no idea about how it even works.
If you can install a new program on your computer, which doesn't require any sort of computing knowledge, then you can install a *thing* that lets you connect to someone else's WLAN. It's as simple as that. Even a really dumb Windows user can do it. I dare say that there's programs for doing so on the Mac, as well, for the really minimally tech savvy point and click crowd.
...
*I* haven't said anything about breaking WPA2 being easy, nor posted any such bogus links.
As it currently stands, encryption is the *ONLY* thing that can secure a WLAN, and using WPA2 with sensible options is the only one that remains secure.
I've already said that, too.
Paint your WLAN access point bright pink with green polka dots. That'll make it more secure.
On 05/17/2011 02:54 PM, Marko Vojinovic wrote:
Hiding the SSID will stop only a casual bystander getting on to your network by accident. Those who actually want to crack into a wireless network would use some tool like airodump-ng (yum install aircrack-ng) to list any and all wireless networks within reach, hidden or otherwise, and then pick which one to crack.
In other words, hiding SSID can be compared to a person putting an "I am invisible" sticker on their forehead, and hoping that others would read it and ignore him.
Hiding SSID is a matter of convenience, not security. Things like removing the clutter from user's list of available networks, avoiding accidental connections by mobile devices, etc.
I'm glad you raised this. I love the analogy. I stopped hiding my SSIDs a few years ago. By broadcasting the SSID, it cleared some intermittent connection problems I used to have both with my Smartphones, but also with my laptops.
On 05/17/2011 02:10 PM, Tim wrote:
Various computers will actually list your allegedly *hidden* device as an "unnamed" access point, so it's not even hidden. Certainly the numerous programs prepared to "hack your neighbours" applications downloadable for the completely clueless will.
Including Fedora 15/Gnome 3. We have over 30 WLANs here in our office complex. Just a quick look and I can see 5 WLANS, 2 are "<unknown>".
On Fri, 2011-05-20 at 14:20 +0000, g wrote:
On 05/20/2011 12:27 PM, Patrick O'Callaghan wrote:
On Fri, 2011-05-20 at 09:46 +0000, g wrote:
in all of above results;
you will find pro and con about 'ssid'. you will find wpa2 can be hacked if key is weak.
As I said before, I don't need to open any of these links to know that a weak password gives poor security.
my apologies for addressing my post to you and naming you specifically as who it was intended.
in addition, "pgp", ie, "pretty good privacy".
maybe you, 'poc' should look up the history of pgp.
I know it extremely well, having taught it in undergrad CS courses.
like in what country it was designed, what country was against it and requested/forced pgp's withdrawal, and what country it was again released from.
[irrelevant verbiage deleted]
i guess people on _your_ side of 'the big pond' are not as familiar as those of us on this side.
I have completely lost track of whatever point it was you were trying to make. PGP has nothing whatever to do with Wifi security in the sense of this thread.
And for your information, I'm not on either side of the 'pond'.
poc
On Fri, 2011-05-20 at 07:13 -0700, James McKenzie wrote:
On Fri, May 20, 2011 at 5:27 AM, Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Thu, 2011-05-19 at 21:30 -0700, JD wrote:
Gov has made it illegal to publish such algorithms, at least in the USA.
Evidence?
Not so. DES, 3DES and AES are all PUBLISHED algorithms and are used by the DoD/NSA (CISSP training from (ISC)2 as source.) PGP using IDEA is a published algorithm. There are NO bans against publishing them, just distributing them to "controlled countries" by US law. Fedora/RedHat have had to take the position that they will supply the packages to only those who do not export to controlled countries or banned individuals.
Actually the previous poster seemed to be saying that it is currently illegal to publish algorithms to *decrypt* WPA and friends. That's what I was asking for evidence for.
poc
On 5/20/11 3:57 PM, Patrick O'Callaghan wrote:
Actually the previous poster seemed to be saying that it is currently illegal to publish algorithms to *decrypt* WPA and friends. That's what I was asking for evidence for.
Interesting. I know of no such thing. I'll have to investigate further. I may not be able to publish what I find due to security constraints unless the information is public knowledge. I know of no restrictions on publishing the WPA-2 standards though.
James McKenzie
On 5/20/11 3:54 PM, Patrick O'Callaghan wrote:
On Fri, 2011-05-20 at 14:20 +0000, g wrote:
I know it extremely well, having taught it in undergrad CS courses.
Most of us out here that lived through that mess are very well versed in the history and arrest of Phil. There was a fund to help pay for his defense.
I have completely lost track of whatever point it was you were trying to make. PGP has nothing whatever to do with Wifi security in the sense of this thread.
Cryptographic algorithms and making their internal workings public. BTW, there are TWO versions of PGP, one that uses the still patented RSA front end and the other uses IDEA. Guess which one is stronger and costs money to use and is ILLEGAL to export outside of the United States? That is why I LOVE the ability to bring things into the United States that basically make some points moot.
The point is that the WPA-2 and AES products are fully documented. Breaking them is basically against the law for several reasons. But if you fail to properly secure your network, do not employ appropriate security notification guards and I 'accidentally' break in, whose fault is it? And I'll still be looking at a handcuff surprise...
James McKenzie
On 05/21/11 17:45, James McKenzie wrote:
The point is that the WPA-2 and AES products are fully documented. Breaking them is basically against the law for several reasons. But if you fail to properly secure your network, do not employ appropriate security notification guards and I 'accidentally' break in, whose fault is it? And I'll still be looking at a handcuff surprise...
James McKenzie
Do you recall the Russian student who broke the PDF encryption scheme? He was somehow invited/enticed/lured (not sure which), to come to the US, and was arrested. I thought that a country has no jurisdiction to arrest a foreign national for a crime committed in a foreign country, which might or might not have laws against such activity. But hey, who is complaining ? :) :)
On 5/21/11 6:01 PM, JD wrote:
Do you recall the Russian student who broke the PDF encryption scheme? He was somehow invited/enticed/lured (not sure which), to come to the US, and was arrested. I thought that a country has no jurisdiction to arrest a foreign national for a crime committed in a foreign country, which might or might not have laws against such activity. But hey, who is complaining ? :) :)
I do. And he was sent home. MIT, which owned the RSA patent, decided not to pursue, if said student did not use the code to build an unpatented process that duplicated RSA functioning and he did not use his knowledge for illegal purposes...:) And the International Court had a field day with this as well.
James McKenzie
On 05/19/2011 08:53 AM, Tim wrote:
On Thu, 2011-05-19 at 08:25 -0500, Mikkel L. Ellertson wrote:
Time to add some more confusion to the pie.
I'm not sure that's a good idea.
Probably not.
Another security precaution that sort of helps for a home system, if you live in a house, is to put the access point in the basement. That way, the signal strength outside the house is usually too low to let someone connect. You may also have the option of controlling the output power of the access point.
Though you're only going by the ordinary antenna in your gear. A better antenna may be more than enough to still work with a muffled signal. So this isn't a trick that you want to rely on.
Not a trick you want to rely on, but one that may add a bit more protection. Remember, the access point still has to be able to receive your signal, and make it out. With the access point below ground level, it tends to frustrate most attackers. Add a directional antenna to the router, and it frustrates them more. While I am not relying on it for security, only 2 houses can get line-of-sight with my router with the standard antenna. And only from the second story on the side closest to my place.
Now for a slightly more realistic setup. My access point allows me to control the access it gives to wireless users. I use a setup that does not let wireless connections talk to each other, or the Internet. You need to set up a VPN to do anything useful.
In essence, you're moving the security from the wireless to other parts of your network. If that /other/ thing is safe, then this is (almost) fine. Merely connecting to a wireless network, but that network being unable to communicate any further, does initially make connecting to it useless. But if they manage to reconfigure your wireless access point, they may introduce some compromise to your system.
No, I am adding another layer to my security. First they have to attack when I have wireless enabled. Then they have to crack the wireless security to get at the network. On most home systems, they now have access to the entire system, and the Internet.
On my system, they have access to the access point, with its built in security. (Not great, but does require cracking the user/password to gain access.) At this point, they either have to crack the router, or crack the firewall on the machine providing VPN access. The interface for that is one of two NICs on that machine, and VPN access is the only thing open on that NIC. Or have gained access to one of the VPN client keys and be able to use it. (Bad pass-phrase, no pass-phrase, or written down pass-phrase.)
It probably will not stop a really determined cracker, but it will keep the script kiddies out. And the logs will probably show someone rattling the locks, so I can keep a closer eye on things. It would probably be quicker and easier to gain physical access and get access to the system that way. In any case, except for the challenge, it is not worth the effort just to gain access to my network.
I like defense in depth - you have to crack the first layer before you find out about the second layer. This may even give me time to fix the first layer, depending on how long cracking the second layer takes.
Actually, the first layer of defense is the physical location of the access point - it makes monitoring the wireless traffic difficult. The second layer is that the wireless is turned off most of the time. The third layer is the WPA-2 wireless security. The fourth layer is either access point security, or VPN server security. After that, it gets easy - you have access to the Internet, and a couple of my printers. Or you can go to work on cracking the security of the machines on the network.
Most of my network is wired, and the wireless is shut down except when I need it. I do not even have to reboot when turning it off or on.
A practical approach. Though I've found that NetworkManager can throw a tantrum if it's been unable to connect for a while, and won't reconnect without manual intervention. So, you want to fire your WLAN up well before trying to use it.
True - I fire up the WLAN before I boot the machine needing it. I also have a USB drive with the connection information. I thought of using a CD, but I tend to change the settings after I have given an outsider access to the system.
There is one last measure that will really lock down your wireless network - put a Faraday cage around your house - nobody will be able to crack your network from the outside, monitor your cordless phone, etc. The downsides are the cost, and none of your devices will work outside the house, and cell phones will not work inside without adding some extra equipment.
A properly implemented Faraday cage may well stymie the usual hacker, but most will probably have faults that would allow the knowledgeable hacker to get past it. e.g. You need to RF filter, and shield the power wiring going into it.
Well, the power lines are filtered in any case. I have some communications going over the wiring that do not like outside interference. That it also keeps signals from going out is an added benefit. I also have a whole-house surge suppressor at the panel. Defense in depth works for more than just network security.
All theories aside, the most that most people will have to deal with are: Neighbours accidentally connecting to the wrong unsecured network, which even the most token effort will prevent. And the clueless turnkey hacker, who just wants free internet, and WPA2 with the right options and a decent passphrase will prevent that.
I know. My setup is overboard. But I did it more as a learning tool on network security in depth, and how to crack my own network. (The home networks around here are too easy to crack - they did not teach me much.)
Unfortunately, various routers default to being completely insecure, or ticking a simple "enable security" configuration option puts it into combined WPA (1) *and* WPA2 mode simultaneously (or WEP & WPA), and the weaker one ruins any attempt at security. Not to mention the dumb passwords that some people will use.
I know - I am sometimes guilty of using weak passwords myself. If I do not really care if someone can get access, I do not put a lot of effort into the password. On the other hand, I had to retire one part of my throw-away passwords because my sister got a dog with the same name. (First and last name of a high school girlfriend with a special character made an easy to remember but hard to guess password for some things...)
Now, I do have a couple of devices that are only capable of WEP, but they have their own private wireless network in my workshop. It has an old Pentium server, a wireless A access point, and a wireless B access point. No access to the rest of the network or the Internet. On top of that, it is usually shut down, unless I want to play.
Mikkel
On 05/21/2011 06:48 PM, Mikkel L. Ellertson wrote:
(Bad pass-phrase, no pass-phrase, or written down pass-phrase.)
I'd like to point out that writing down your pass-phrase isn't bad if you've written it on a post-it note that never leaves your home. Or, for that matter, if it's saved on a flash drive that's not plugged in for any other reason and, again, never leaves home. If they can find either of those they already have physical access and the game's already over.
On 05/21/11 19:16, Joe Zeff wrote:
On 05/21/2011 06:48 PM, Mikkel L. Ellertson wrote:
(Bad pass-phrase, no pass-phrase, or written down pass-phrase.)
I'd like to point out that writing down your pass-phrase isn't bad if you've written it on a post-it note that never leaves your home. Or, for that matter, if it's saved on a flash drive that's not plugged in for any other reason and, again, never leaves home. If they can find either of those they already have physical access and the game's already over.
On routers using MAC filtering, how quickly do the crackers guess a correct MAC address and connect (assuming they somehow got your passphrase)?
On 05/21/2011 09:22 PM, JD wrote:
On routers using MAC filtering, How quickly do the crackers guess a correct MAC address and connect (assuming they somehow got your passphrase)?
They do not usually guess. They use a program that monitors the traffic, and captures the MAC address of any system that connects to the router. They then use one of these to connect.
Mikkel
On 05/21/11 20:05, Mikkel L. Ellertson wrote:
On 05/21/2011 09:22 PM, JD wrote:
On routers using MAC filtering, How quickly do the crackers guess a correct MAC address and connect (assuming they somehow got your passphrase)?
They do not usually guess. They use a program that monitors the traffic, and captures the MAC address of any system that connects to the router. They then use one of these to connect.
Mikkel
So, the initial connection request goes in the clear! Now that's security!! :)
On Sat, 2011-05-21 at 17:45 -0700, James McKenzie wrote:
On 5/20/11 3:54 PM, Patrick O'Callaghan wrote:
On Fri, 2011-05-20 at 14:20 +0000, g wrote: I know it extremely well, having taught it in undergrad CS courses.
Most of us out here that lived through that mess are very well versed in the history and arrest of Phil. There was a fund to help pay for his defense.
I have completely lost track of whatever point it was you were trying to make. PGP has nothing whatever to do with Wifi security in the sense of this thread.
Cryptographic algorithms and making their internal workings public. BTW, there are TWO versions of PGP, one that uses the still patented RSA front end and the other uses IDEA. Guess which one is stronger and costs money to use and is ILLEGAL to export outside of the United States? That is why I LOVE the ability to bring things into the United States that basically make some points moot.
IANAL, but I think you are misinformed. Notwithstanding the historical situation, no implementation of PGP (or GPG) is currently illegal to export from the US, with the exception of a short list of countries with whom virtually all trade is illegal.
The point is that the WPA-2 and AES products are fully documented. Breaking them is basically against the law for several reasons.
WPA2 and AES are algorithms, not products. Breaking them or attempting to break them is *not* illegal. Crypto conferences regularly address possible weaknesses in crypto algorithms, as do the refereed journals in the field, some of which are published in the US.
Attempting to circumvent controls in specific products which use cryptographic techniques for copyright protection may be in violation of the DMCA, but that's a different story, and has nothing to do with protection of Wifi networks.
poc
On Sunday 22 May 2011 04:57:42 JD wrote:
On 05/21/11 20:05, Mikkel L. Ellertson wrote:
On 05/21/2011 09:22 PM, JD wrote:
On routers using MAC filtering, How quickly do the crackers guess a correct MAC address and connect (assuming they somehow got your passphrase)?
They do not usually guess. The use a program that monitors the traffic, and captures the MAC address of any system that connects to the router. They then use one of these to connect.
So, the initial connection request goes in the clear! Now that's security!! :)
AFAIK, the MAC addresses of an access point and its clients are never encrypted. Meaning, it's not just the initial connection request that goes in the clear, it's the *entire* communication between a client and an AP that has world-visible MAC addresses of both. Every packet.
So you may catch a MAC address of a client which has initiated the connection yesterday when you were not around, if it is still connected. :-)
You can try it yourself, to see what's going on in the wifi world around you:
1) yum install aircrack-ng
2) open a terminal, become root
3) use airmon-ng to put your wireless hardware into promiscuous mode
4) use airodump-ng to start looking at the wifi traffic around you
5) read both AP and client MAC addresses on your screen, dynamically
You may wish to read man pages for airmon-ng and airodump-ng to learn the details. ;-)
Best, :-) Marko
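What airodump-ng shows in the recipe above comes entirely from the unencrypted 802.11 MAC header: frame control, the three (or four) address fields and the sequence number are never encrypted, only the frame body behind them is. The following is an added example for this thread, not code from the thread or from aircrack-ng. It parses that header from raw 802.11 data frames, reads the To DS / From DS flags to tell which address is the BSSID and which is the station, and collects the station MACs seen talking to each access point, which is exactly the list a MAC filter is supposed to protect. The frames are constructed inline; the body bytes stand in for the CCMP header, ciphertext and MIC and are not real encrypted data.

```python
"""Addresses an 802.11 frame exposes in the clear, even with the Protected bit set.

Added example, not code from the thread or from aircrack-ng.  The sample
frames are constructed; their bodies are filler, not real CCMP ciphertext.
"""
import struct

TYPE_MGMT, TYPE_CONTROL, TYPE_DATA = 0, 1, 2
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame):
    """Return the cleartext header fields of one 802.11 frame.

    Frame control, duration, the address fields and sequence control are sent
    unencrypted; encryption (WEP/TKIP/CCMP) only covers the frame body.  For
    data frames the meaning of each address depends on To DS / From DS.
    """
    if len(frame) < 2:
        raise ValueError("truncated frame")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype, "protected": bool(fc1 & FLAG_PROTECTED),
            "to_ds": bool(fc1 & FLAG_TO_DS), "from_ds": bool(fc1 & FLAG_FROM_DS)}
    if ftype == TYPE_CONTROL:                 # short headers (ACK, RTS, ...); RA is enough here
        info["ra"] = mac_str(frame[4:10])
        return info
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    a1, a2, a3 = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    if ftype == TYPE_MGMT or (not info["to_ds"] and not info["from_ds"]):
        info.update(da=a1, sa=a2, bssid=a3)    # management frames and IBSS data
    elif info["to_ds"] and not info["from_ds"]:
        info.update(bssid=a1, sa=a2, da=a3)    # station -> AP
    elif info["from_ds"] and not info["to_ds"]:
        info.update(da=a1, bssid=a2, sa=a3)    # AP -> station
    else:                                      # WDS: four addresses
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        info.update(ra=a1, ta=a2, da=a3, sa=mac_str(frame[24:30]))
    return info


def harvest_clients(frames):
    """Map each BSSID to the station MACs seen exchanging data frames with it.

    This is the passive step a MAC-filter bypass needs: no key, no association,
    just listening.  Returns {bssid: {station_mac, ...}}.
    """
    seen = {}
    for frame in frames:
        h = parse_80211(frame)
        if h["type"] != TYPE_DATA or "bssid" not in h:
            continue
        if h["to_ds"]:
            station = h["sa"]
        elif h["from_ds"]:
            station = h["da"]
        else:
            continue
        seen.setdefault(h["bssid"], set()).add(station)
    return seen


def build_data_frame(to_ds, from_ds, a1, a2, a3, body=b"\x00" * 24):
    """Constructed protected data frame (type 2, subtype 0) with the given flags."""
    fc1 = FLAG_PROTECTED | (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    header = struct.pack("<BBH", TYPE_DATA << 2, fc1, 0x2C) + a1 + a2 + a3 + struct.pack("<H", 0x10)
    return header + body


# Constructed sample capture: one AP, two stations, every body "encrypted".
AP = bytes.fromhex("001122334455")
STA1 = bytes.fromhex("aabbccddeeff")
STA2 = bytes.fromhex("0a1b2c3d4e5f")
UPSTREAM = bytes.fromhex("66778899aabb")          # wired host the stations talk to
SAMPLE_FRAMES = [
    build_data_frame(True, False, AP, STA1, UPSTREAM),   # STA1 -> AP
    build_data_frame(False, True, STA2, AP, UPSTREAM),   # AP -> STA2
    build_data_frame(True, False, AP, STA2, UPSTREAM),   # STA2 -> AP
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_80211(f))
    print(harvest_clients(SAMPLE_FRAMES))
```

Once a station MAC is harvested, reusing it on Linux is one iproute2 command (`ip link set dev wlan0 address aa:bb:cc:dd:ee:ff` with the interface down), which is why the thread's conclusion that MAC filtering adds nothing against a deliberate attacker holds.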
On Sat, 2011-05-21 at 20:48 -0500, Mikkel L. Ellertson wrote:
I like defense in depth - you have to crack the first layer before you find out about the second layer. This may even give me time to fix the first layer, depending on how long cracking the second layer takes.
And therein lies a problem: Some people assume that cracking through one layer will take time, and they'll notice it and be able to respond, or it'll take too long and the miscreant will abort. The reality is that it may take no time, and you may never notice.
Any time I see someone saying they turned off their firewall to get something working, I cringe. They seem to expect that they'll be fine doing that, yet were absolutely sure that they needed it on the rest of the time.
You can get a random attack at any time, and some ISPs will tell you that they can see continuous sweeps of their IP addresses probing for something to play with.
It took all of four seconds for a friend of mine to get hacked when he first logged on with WindowsXP (via a USB ADSL modem, where there's virtually nothing between modem and computer system). And what got him (I can't recall any more, it was years ago) couldn't be removed by his anti-virus software, so he had to reformat and re-install. Around an hour or so later, he reconnected, and got hacked again in just a few seconds. I laughed so hard it hurt.
Actually, the first layer of defense is ... After that, it gets easy - you have access to the Internet, and a couple of my printers. Or you can go to work on cracking the security of the machines on the network.
When my friend first got a laptop he took me out wardriving. It was surprising how many unsecured networks were around. And, now, you have people with wireless printers that can be directly accessed. It did amuse us that it would be possible to print something on their printer, and they'd never know how or why it printed what it did.
Mikkel L. Ellertson:
They do not usually guess. They use a program that monitors the traffic, and captures the MAC address of any system that connects to the router. They then use one of these to connect.
JD:
So, the initial connection request goes in the clear! Now that's security!! :)
It has to work that way. You connect a route, then encrypt traffic that will go through it. The connection setup isn't doing anything that gives away secrets, it's just connecting two things together.
And as far as how long does it take. Well, on a network that may have 50 megabit per second speed, sending out numerous relatively smaller packets (all with networking headers) hundreds or thousands of times per second, how long do you think it would take to see data *about* the connections?
Blink, and you'll miss it.
I'm still waiting to hear news, though, about some hacker getting into someone's home garden management system. Eventually it's got to happen, with someone thinking they've cracked getting free internet, and all they can do is turn the fishpond fountain on and off. ;-)
Tim: (regarding access points buried in the basement)
Though you're only going by the ordinary antenna in your gear. A better antenna may be more than enough to still work with a muffled signal. So this isn't a trick that you want to rely on.
Mikkel L. Ellertson:
Not a trick you want to rely on, but one that may add a bit more protection. Remember, the access point still has to be able to receive your signal, and make it out. With the access point below ground level, it tends to frustrate most attackers. Add a directional antenna to the router, and it frustrates them more. While I am not relying on it for security, only 2 houses can get line-of-sight with my router with the standard antenna. And only from the second story on the side closest to my place.
While it may help with a home network, and stop the hopeless next-door hacker, you wouldn't want to try that with a network that really needs protecting. All a hacker would have to do would be plant another access point between them and you, somewhere that bridged the two together.
I'm still surprised WLAN works as well as it does, considering how you may be in a densely populated area, with lots of different wireless devices all trying to use the same few channels. I work in video production, walkie talkies and wireless microphones are enough of a headache in that regard.
Only a couple of years ago we made everyone in a *nearby* restaurant stand up for the national anthem sung over a wireless microphone, from our sporting event a couple of hundred metres away. They were told to stand, and they did, not really knowing why, looking all around them trying to figure it out. A few minutes later someone came over in a hurry to sort out changing channels. Previously, we'd never had our wireless systems on at the same time.
On 05/22/11 07:14, Tim wrote:
Mikkel L. Ellertson:
They do not usually guess. They use a program that monitors the traffic, and captures the MAC address of any system that connects to the router. They then use one of these to connect.
JD:
So, the initial connection request goes in the clear! Now that's security!! :)
It has to work that way. You connect a route, then encrypt traffic that will go through it. The connection setup isn't doing anything that gives away secrets, it's just connecting two things together.
I was referring to the use of MAC filtering which is soundly defeated by the transmission of the MAC in the clear. So, MAC filtering is absolutely useless as a security measure. If I turn off my machine, the hacker has my MAC, and will have 1 less thing to worry about getting.
My reliance is then totally on wpa2-psk/aes and a well chosen 63 byte pass-phrase.
And as far as how long does it take. Well, on a network that may have 50 megabit per second speed, sending out numerous relatively smaller packets (all with networking headers) hundreds or thousands of times per second, how long do you think it would take to see data *about* the connections?
Blink, and you'll miss it.
Not with modern day scanners which capture packets continuously.
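JD's fallback above, "wpa2-psk/aes and a well chosen 63 byte pass-phrase", is the right one, and it is worth seeing why the passphrase and not AES is the part an attacker goes after. The following is an added example for this thread, not code from the thread. It derives the WPA2 pre-shared key the way 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 256-bit output), enforces the 8-to-63-character rule that explains the 63 in JD's message (a 64-character value is the raw PSK in hex, not a passphrase), and runs an offline dictionary attack against a weak passphrase to show that the SSID being public makes every guess cheap to test. The "password"/"IEEE" pair is the published IEEE 802.11i Annex H test vector; the wordlist and the guess rate are constructed for illustration.

```python
"""WPA2-PSK derivation, passphrase rules and the offline guessing attack.

Added example, not code from the thread.  "password"/"IEEE" is the IEEE
802.11i Annex H test vector; WORDLIST and the guess rate are constructed.
"""
import hashlib
import math
import secrets

ALPHABET = [chr(c) for c in range(32, 127)]   # the 95 printable ASCII chars 802.11 allows
PBKDF2_ROUNDS = 4096


def passphrase_problem(passphrase):
    """Return None if this is a valid WPA/WPA2 passphrase, else a reason.

    The standard allows 8 to 63 ASCII characters in the range 32..126.  A
    64-character string is not a passphrase but the 256-bit PSK written in
    hex, which bypasses the derivation below.
    """
    if not 8 <= len(passphrase) <= 63:
        return "passphrase must be 8 to 63 characters"
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        return "passphrase must be printable ASCII"
    return None


def wpa2_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    problem = passphrase_problem(passphrase)
    if problem:
        raise ValueError(problem)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, 32)


def random_passphrase(length=63):
    """A passphrase chosen uniformly from the full alphabet, as the thread recommends."""
    if passphrase_problem("x" * length):
        raise ValueError("length outside 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passphrase of this length, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every passphrase of that entropy at a given rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def guess_passphrase(target_psk, ssid, candidates):
    """Offline dictionary attack; returns the matching candidate or None.

    The SSID is broadcast, so the attacker can run the same PBKDF2 per guess.
    A real attack checks each candidate against the MIC of a captured 4-way
    handshake rather than against the PSK itself, but the cost per guess is
    the same 4096 HMAC-SHA1 rounds, and nothing about AES is involved.
    """
    for candidate in candidates:
        if passphrase_problem(candidate):      # cannot be a passphrase, skip it
            continue
        if wpa2_psk(candidate, ssid) == target_psk:
            return candidate
    return None


WORDLIST = ["letmein", "password", "hunter2", "fedora15", "correct horse"]   # constructed

if __name__ == "__main__":
    psk = wpa2_psk("password", "IEEE")
    print("PSK for 'password'/'IEEE':", psk.hex())
    print("dictionary hit:", guess_passphrase(psk, "IEEE", WORDLIST))
    strong = random_passphrase()
    print("random 63-char passphrase:", strong)
    print("entropy bits:", round(entropy_bits(len(strong)), 1))
    print("dictionary hit on it:", guess_passphrase(wpa2_psk(strong, "IEEE"), "IEEE", WORDLIST))
    print("years to exhaust 8 random printable chars at 1e6 guesses/s:",
          f"{years_to_exhaust(entropy_bits(8), 1e6):.0f}")
```

The guess rate is the only parameter an attacker controls, so the defence is entropy: a 63-character passphrase drawn from all 95 printable characters is about 414 bits, far beyond any exhaustive search, while a dictionary word falls to the loop above in seconds. Changing the SSID from a factory default also matters, because precomputed PSK tables only exist for common SSIDs.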
On Sun, 2011-05-22 at 08:40 -0700, JD wrote:
I was referring to the use of MAC filtering which is soundly defeated by the transmission of the MAC in the clear. So, MAC filtering is absolutely useless as a security measure. If I turn off my machine, the hacker has my MAC, and will have 1 less thing to worry about getting.
My reliance is then totally on wpa2-psk/aes and a well chosen 63 byte pass-phrase.
Yay! He's got it...
You do realise what the MAC is for? It's the name of that particular hardware interface, its address, its location... So that when data goes out on the wire, that's where it's intended for.
As far as network switches and routers go, it's the way of saying data for IP 192.168.1.whatever goes to/through MAC xx:yy:zz:etc. It's the MAC it's using.
It's a vital part of basic networking, whether encrypted or not, it can't be hidden from view.
Filtering using it can only ever be slightly effective. Likewise with filtering by IP. Both are readily seen on a network, even if the data can't be read. And both are easily changed.
Encryption, on the other hand, involves co-relating pseudo-random keys on both halves of the connection. Where the key is a computation against a pass-phrase, and requires both sides to use the same pass-phrase, and maths. A third party is going to have one hell of a time trying to fake their way into that, unless the encryption scheme is crap (e.g. WEP and WPA are useless).
Usually, well encrypted connections are hacked by: Guessing stupidly chosen passwords or stealing them (copying written notes, implanting trojans, asking someone to login to something and hoping they'll use the same password). The latter being dead easy. Lots of people use the same password for everything. And how often do you see some website that asks you to login using your Hotmail address and password? And people do, without giving any thought about it.
On 05/22/11 16:00, Tim wrote:
Usually, well encrypted connections are hacked by: Guessing stupidly chosen passwords or stealing them (copying written notes, implanting trojans, asking someone to login to something and hoping they'll use the same password). The latter being dead easy. Lots of people use the same password for everything. And how often do you see some website that asks you to login using your Hotmail address and password? And people do, without giving any thought about it.
Is there a tool or set of procedures that can identify the source of an attack before it succeeds? It seems to me that the net is really at the mercy of the wireless router/gateway. If it does not have/provide a mechanism to send an alert to a daemon on a specific machine about attempted break-ins (such as repeated attempts at guessing the passphrase from some specific IP address), we will never know of these attempts 'til much later, or much too late.
On 5/22/11 4:00 PM, Tim wrote:
On Sun, 2011-05-22 at 08:40 -0700, JD wrote: Usually, well encrypted connections are hacked by: Guessing stupidly chosen passwords or stealing them (copying written notes, implanting trojans, asking someone to login to something and hoping they'll use the same password). The latter being dead easy. Lots of people use the same password for everything. And how often do you see some website that asks you to login using your Hotmail address and password? And people do, without giving any thought about it.
They are ID10Ts and ripe for the phishing....
And they wonder what happened when their bank accounts are drained dry.
On Sun, 2011-05-22 at 16:43 -0700, JD wrote:
Is there a tool or set of procedures that can identify the source of an attack before it succeeds?
If it only takes milliseconds to break in, what are you going to be able to do about it? (If you're meaning for the device to tell YOU that it's under attack, for you to take some action to prevent it.)
But seriously, if an attack on a wireless access point was to be made by trying out one password after another, that's an easy thing for software to detect and take some action against. The trouble is that one possible reaction is to cause a denial of service to more than just the attacker.
At least with wired networking, it's technically feasible that a really fancy router could cut off one port from traffic. Unlike wireless which has one connection, shared between everybody.
Protective measures such as filtering by IP or MAC have all the problems previously discussed in securing WLAN. Plus the problem if the attacker has cloned your IP or MAC, such a method would shut you out as well.
Likewise, it's technically feasible, and desirable, to detect port scans in progress (e.g. a remote IP is trying out connections to a variety of your ports). Again the dilemma of what to do about it... Block the IP? What if they'd cloned one of yours? Or, they could simply try connecting from a different, unblocked, IP.
It seems to me that the net is really at the mercy of the wireless router/gateway. If it does not have/provide a mechanism to send an alert to a daemon on a specific machine about attempted break-ins (such as repeated attempts at guessing the passphrase from some specific IP address), we will never know of these attempts 'til much later, or much too late.
As I outlined at the start, there's not much point in ringing alarm bells about a break in. It's too late, by then. If you're going to take active measures against hacks, the wireless device has to do it itself. Not make an alarm, but repel the attack.
I minimise the chance of (some) problems by setting my wireless access point so that configuration cannot be done over the wireless connections, a computer has to be physically plugged into it. And the configuration password is different to the connection password.
You can minimise other issues, by using an access point that doesn't allow one wireless connection to talk to another wireless connection, so direct machine to machine probing isn't possible. Though, if they can connect to your access point, they can still do whatever they're able to, to the wired side of the access point. And you may have the need for wireless devices to talk amongst themselves (peer to peer software, Samba, NFS, et cetera).
Personally, I wouldn't use wireless unless it was absolutely needed. That includes not using it *merely* because it's more convenient than wired.
Not only are there security concerns, there are throughput issues, as well. It's slower than wired ethernet. Plus it's like using a hub versus a switch, everything has to take turns to communicate. It's not possible for some terminals to simultaneously communicate between themselves, while some other terminals simultaneously communicate with other things.
You go into a school, for instance, and find that their wireless network is bogged down to being nearly unusable, because there's several laptops all trying to use it at the same time.
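Tim's point that repeated passphrase tries are "an easy thing for software to detect", and his warning that reacting by blocking a MAC can shut out the real owner of a cloned address, can both be made concrete. The following is an added example for this thread, not code from the thread or from any router firmware. It scans access-point log lines for stations that fail the WPA2 4-way handshake repeatedly inside a sliding time window (a wrong passphrase fails at message 2 of the handshake, so that is where online guessing shows up), and then separates "alert" from "block" using the list of the household's own client MACs, so that a cloned address only raises an alarm. The log lines are constructed; their shape is modelled loosely on hostapd's "wlan0: STA <mac> ..." messages but is not an exact hostapd format, and the failure text is an assumption.

```python
"""Detect online passphrase guessing from AP logs and pick a safe response.

Added example, not code from the thread or any router.  SAMPLE_LOG is
constructed; it is only loosely modelled on hostapd's log line shape.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ifname>\S+): STA (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) (?P<msg>.*)$")
# Phrases that mean "the supplicant's key did not verify" (constructed for this example).
FAILURE_MARKERS = ("4-way handshake failed", "EAPOL-Key MIC mismatch")


def parse_line(line):
    """Return (epoch_seconds, station_mac, message) or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["mac"].lower(), m["msg"]


def find_handshake_bruteforce(lines, threshold=3, window_seconds=60):
    """Stations with >= threshold handshake failures inside any window_seconds window.

    Returns {mac: (first_failure_ts, last_failure_ts, failures_in_window)}.
    A single typo never trips it; a guessing loop does within a few tries.
    """
    recent = defaultdict(deque)          # mac -> timestamps of failures still in the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mac, msg = parsed
        if not any(marker in msg for marker in FAILURE_MARKERS):
            continue
        window = recent[mac]
        window.append(ts)
        while window and ts - window[0] > window_seconds:   # drop failures that aged out
            window.popleft()
        if len(window) >= threshold:
            alerts[mac] = (window[0], ts, len(window))
    return alerts


def response(mac, known_clients):
    """Blocking by MAC punishes whoever owns that address.

    If the offender is one of our own clients, an attacker may have cloned it
    (or the owner mistyped the passphrase), and a block would lock the real
    client out; so only alert.  An unknown MAC costs nothing to block for a
    while, even though the attacker can change it.
    """
    return "alert-only" if mac in known_clients else "block"


# Constructed sample: a legitimate laptop, an unknown station guessing, a
# neighbour who mistypes twice, and our own MAC failing three times in a row.
SAMPLE_LOG = """\
1305955200 wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: associated (aid 1)
1305955201 wlan0: STA aa:bb:cc:dd:ee:ff WPA: pairwise key handshake completed (RSN)
1305955300 wlan0: STA 0a:1b:2c:3d:4e:5f IEEE 802.11: associated (aid 2)
1305955302 wlan0: STA 0a:1b:2c:3d:4e:5f WPA: 4-way handshake failed (EAPOL-Key MIC mismatch)
1305955309 wlan0: STA 0a:1b:2c:3d:4e:5f WPA: 4-way handshake failed (EAPOL-Key MIC mismatch)
1305955315 wlan0: STA 0a:1b:2c:3d:4e:5f WPA: 4-way handshake failed (EAPOL-Key MIC mismatch)
1305955322 wlan0: STA 0a:1b:2c:3d:4e:5f WPA: 4-way handshake failed (EAPOL-Key MIC mismatch)
1305955400 wlan0: STA 11:22:33:44:55:66 WPA: 4-way handshake failed (EAPOL-Key MIC mismatch)
1305955900 wlan0: STA 11:22:33:44:55:66 WPA: 4-way handshake failed (EAPOL-Key MIC mismatch)
1305955901 wlan0: STA 11:22:33:44:55:66 WPA: pairwise key handshake completed (RSN)
1305956000 wlan0: STA aa:bb:cc:dd:ee:ff WPA: 4-way handshake failed (EAPOL-Key MIC mismatch)
1305956010 wlan0: STA aa:bb:cc:dd:ee:ff WPA: 4-way handshake failed (EAPOL-Key MIC mismatch)
1305956020 wlan0: STA aa:bb:cc:dd:ee:ff WPA: 4-way handshake failed (EAPOL-Key MIC mismatch)
"""
KNOWN_CLIENTS = {"aa:bb:cc:dd:ee:ff"}        # the household's own laptop

if __name__ == "__main__":
    for mac, (first, last, count) in find_handshake_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{mac}: {count} failures between {first} and {last} -> {response(mac, KNOWN_CLIENTS)}")
```

This only sees online guessing, where the attacker must talk to the access point for every try. The offline attack the thread is mostly worried about, cracking a captured handshake, leaves no trace in the AP's logs at all, which is Tim's reason for saying the passphrase has to carry the weight rather than the alarm.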
On 05/22/11 18:15, Tim wrote:
On Sun, 2011-05-22 at 16:43 -0700, JD wrote:
Is there a tool or set of procedures that can identify the source of an attack before it succeeds?
It it only takes milliseconds to break in, what are you going to be able to do about it? (If you're meaning for the device to tell YOU that it's under attack, for you to take some action to prevent it.)
It seems to me that the net is really at the mercy of the wireless router/gateway. If it does not have/provide a mechanism to send an alert to a daemon on a specific machine about attempted break-ins (such as repeated attempts at guessing the passphrase from some specific IP address), we will never know of these attempts 'til much later, or much too late.
As I outlined at the start, there's not much point in ringing alarm bells about a break in. It's too late, by then. If you're going to take active measures against hacks, the wireless device has to do it itself. Not make an alarm, but repel the attack.
Yes there is. The router could be programmed to ring an alarm if there are say 3 or 4 repeated attempts at associating with it, and at each attempt the wrong passphrase was used. Another thing that would be helpful is for the router to temporarily blacklist the MAC address, at the expense of blocking out an existing legitimate user until the problem can be resolved. For our home, it is not an unacceptable defense mechanism.
I minimise the chance of (some) problems by setting my wireless access point so that configuration cannot be done over the wireless connections; a computer has to be physically plugged into it. And the configuration password is different to the connection password.
You can minimise other issues, by using an access point that doesn't allow one wireless connection to talk to another wireless connection, so
The router in use here has no such setting :( Access point does have a setting to disable admin access from the public network, which is already employed.
direct machine to machine probing isn't possible. Though, if they can connect to your access point, they can still do whatever they're able to, to the wired side of the access point.
Well, you mean if they can succeed in breaking the wpa-psk/aes scheme? That I think is something I am not going to worry about because it has not been done yet by anyone (except the nsa of course).
And you may have the need for wireless devices to talk amongst themselves (peer to peer software, Samba, NFS, et cetera).
Yes.
Personally, I wouldn't use wireless unless it was absolutely needed. That includes not using it *merely* because it's more convenient than wired.
Not an option as this house is not wired for ethernet ports in every room.
Not only are there security concerns, there are throughput issues as well. It's slower than wired ethernet. Plus it's like using a hub versus a switch, everything has to take turns to communicate. It's not possible for some terminals to simultaneously communicate between themselves, while some other terminals simultaneously communicate with other things.
Throughput is more of an issue for people with more demanding requirements than myself.
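The detection JD describes above (alarm after a few wrong-passphrase attempts, then a temporary MAC blacklist) is straightforward to write against an access point's own logs. The following is an added example, not code from this thread or from any router firmware: it counts 4-way-handshake MIC failures per client MAC over a sliding window, raises an alert when a threshold is hit, and blocks that MAC for a fixed time. The log lines are constructed to resemble hostapd syslog output; the exact message wording, the syslog prefix, and the threshold/window/block values are assumptions.

```python
"""Count failed WPA/WPA2 passphrase attempts per client MAC and keep a
temporary block list, as the thread suggests a router could do.

Added example, not code from the thread or from any AP firmware. The
log lines are constructed to resemble hostapd output; wording and
threshold/window values are assumptions.
"""
import re
from collections import defaultdict, deque

# Constructed hostapd-style lines. From the AP side, a wrong PSK shows up
# as message 2/4 of the 4-way handshake failing its MIC check.
SAMPLE_LOG = """\
1306140000 hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
1306140001 hostapd: wlan0: STA 00:11:22:33:44:55 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
1306140003 hostapd: wlan0: STA 00:11:22:33:44:55 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
1306140005 hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: associated
1306140006 hostapd: wlan0: STA aa:bb:cc:dd:ee:ff WPA: pairwise key handshake completed (RSN)
1306140007 hostapd: wlan0: STA 00:11:22:33:44:55 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
1306140009 hostapd: wlan0: STA 00:11:22:33:44:55 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
1306140400 hostapd: wlan0: STA 00:11:22:33:44:55 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) hostapd: (?P<iface>\S+): STA "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
FAILURE_MARK = "invalid MIC in msg 2/4"   # assumed marker of a wrong PSK


class HandshakeFailureMonitor:
    def __init__(self, threshold=4, window=60, block_for=300):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.failures = defaultdict(deque)   # mac -> recent failure timestamps
        self.blocked = {}                    # mac -> unblock timestamp
        self.alerts = []                     # (ts, mac, failures in window)

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m:
            return                           # not a STA line we understand
        ts, mac, msg = int(m["ts"]), m["mac"], m["msg"]
        self._expire(ts)
        if FAILURE_MARK not in msg:
            return
        q = self.failures[mac]
        q.append(ts)
        while q and q[0] < ts - self.window:  # drop failures outside window
            q.popleft()
        if len(q) >= self.threshold and mac not in self.blocked:
            self.blocked[mac] = ts + self.block_for
            self.alerts.append((ts, mac, len(q)))
            q.clear()

    def _expire(self, now):
        for mac in [m for m, until in self.blocked.items() if until <= now]:
            del self.blocked[mac]

    def is_blocked(self, mac, now):
        self._expire(now)
        return mac in self.blocked


def run(log=SAMPLE_LOG):
    """Replay a log and return the monitor with its alerts and block state."""
    mon = HandshakeFailureMonitor()
    for line in log.splitlines():
        mon.feed(line)
    return mon


if __name__ == "__main__":
    mon = run()
    for ts, mac, n in mon.alerts:
        print(f"{ts}: {mac} blocked after {n} handshake failures")
```

The block is per MAC and expires on its own, which is the compromise the thread arrives at: an attacker who has cloned a legitimate client's MAC gets that client locked out too, so the alert is the more reliable output and the block is only a short-lived nuisance for both sides.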
On Wednesday 18 May 2011 04:52:47 Genes MailLists wrote:
On 05/17/2011 12:36 PM, Frank Murphy wrote:
Also if it's your home WLAN, hide it, don't broadcast the SSID. So those in your neighbourhood won't even know you have a wireless.
As many have pointed out - you should not disable SSID broadcast.
Disabling it offers zero security benefit and makes wifi work less well than it was designed. Especially when there are multiple AP's on the same SSID.
In fact hidden SSID may even worsen security. It also violates 802.11 - and I believe later versions state that a computer may refuse to connect to any AP which does not broadcast its SSID in accordance with the standard ... someone can confirm that I'm sure.
For some reason this hidden SSID theory leaked from some bad well a long time ago and has managed to survive ... who knows why.
If you do it and find things (phones perhaps) refuse to connect to your AP - don't be surprised.
Late to the party, but just for useful information, disabling SSID broadcast is NOT a violation of 802.11 :-) It's mandatory to put the SSID information element in your beacons, but there's nothing that says you have to tell the truth, and likewise no explicit prohibition against including multiple SSID information elements. Enterprise APs use this as a means to support multiple SSIDs on one BSSID, with each SSID mapped to a different VLAN (after association, the mapping is maintained by Association ID, not SSID), but there is of course a tradeoff as many stations do not understand more than one SSID in a beacon/probe response. Sending multiple beacons is a no-no; the medium is crowded enough as it is.
The usual compromise is to advertise any "guest" SSID in the beacons (this also applies to encryption and other information), and to respond to probe requests which contain a particular SSID with the correct information for that SSID. A station which relies on being able to pick up the SSID off the air has a user-interface bug.
One problem lies in the fact that 802.11 does not specify a particular means of giving a NULL SSID so different APs do it in different ways. Some give a zero-length SSID. Some give an SSID of length 1 consisting of a zero octet (a C null-terminated empty string). Some use a single ASCII 32. Some use a number of spaces equal to the length of the real SSID. You will thus find all sorts of rubbish in your list of available APs when looking at it using a station. Some of the older ones may Go All Funny :-(
However, the SSID WILL be present in a probe response to a probe request which contained it, so it's available to anyone with a sniffer. This has to be the case or no stations would ever be able to find it to associate, as you obviously know :-)
On Mon, 2011-05-23 at 13:58 +0100, Tim Smith wrote:
One problem lies in the fact that 802.11 does not specify a particular means of giving a NULL SSID so different APs do it in different ways. Some give a zero-length SSID. Some give an SSID of length 1 consisting of a zero octet (a C null-terminated empty string). Some use a single ASCII 32. Some use a number of spaces equal to the length of the real SSID. You will thus find all sorts of rubbish in your list of available APs when looking at it using a station. Some of the older ones may Go All Funny :-(
However, the SSID WILL be present in a probe response to a probe request which contained it, so it's available to anyone with a sniffer. This has to be the case or no stations would ever be able to find it to associate, as you obviously know :-)
In essence, when you *try* to hide your SSID, it doesn't stop broadcasting an SSID, it broadcasts a bogus one? Plus providing the real SSID details in other transmissions?
So, that would make it harder for you to connect to the ID you manually type into your client. Not to mention the fun and games of picking your random ID from the neighbour's random ID?
Though, whatever the specs say about what's supposed to be done, it's certainly been shown that various different things have a lot of trouble associating with the right access point, or any access point, when there's no SSID being sent.
On Monday 23 May 2011 16:36:00 Tim wrote:
In essence, when you *try* to hide your SSID, it doesn't stop broadcasting an SSID, it broadcasts a bogus one? Plus providing the real SSID details in other transmissions?
Yup.
So, that would make it harder for you to connect to the ID you manually type into your client. Not to mention the fun and games of picking your random ID from the neighbour's random ID?
Not really. This is SSID, not BSSID (BSSID is usually the MAC of the AP). When you scan, you not only listen for beacons, but you (should) send probe requests. If you put an SSID into your probe request, you will get a response only from a BSS with a matching SSID, so you broadcast saying "network named 'MyHouseNetwork' please respond" at which point you get the response from the real BSS which has the real SSID in it and not the bogus one that went in the beacons.
This is not for security of the SSID, but because you also supply that SSID when you associate, so the AP may route you to different authentication systems depending on which "network" you're trying to connect to. It's sort of like having virtual IPs on one ethernet MAC. But only sort of.
Though, whatever the specs say about what's supposed to be done, it's certainly been shown that various different things have a lot of trouble associating with the right access point, or any access point, when there's no SSID being sent.
Yup. There's a lot of broken kit out there :-) How your station chooses to store and query the scan information is a good source of bugs.
On 05/23/11 09:28, Tim Smith wrote:
On Monday 23 May 2011 16:36:00 Tim wrote: Not really. This is SSID, not BSSID (BSSID is usually the MAC of the AP). When you scan, you not only listen for beacons, but you (should) send probe requests. If you put an SSID into your probe request, you will get a response only from a BSS with a matching SSID, so you broadcast saying "network named 'MyHouseNetwork' please respond" at which point you get the response from the real BSS which has the real SSID in it and not the bogus one that went in the beacons.
Well, I have placed wpa_supplicant in full debug verbosity output mode, and its probe/scan does not seem to be aimed at just my router. In fact it gets usually 3 to 5 responses from which it then selects my AP. The wpa_supplicant.conf has the SSID and the BSSID in the configuration. So, how come the probe/scan gets more than one response?
On Monday 23 May 2011 17:50:50 JD wrote:
On 05/23/11 09:28, Tim Smith wrote:
On Monday 23 May 2011 16:36:00 Tim wrote: Not really. This is SSID, not BSSID (BSSID is usually the MAC of the AP). When you scan, you not only listen for beacons, but you (should) send probe requests. If you put an SSID into your probe request, you will get a response only from a BSS with a matching SSID, so you broadcast saying "network named 'MyHouseNetwork' please respond" at which point you get the response from the real BSS which has the real SSID in it and not the bogus one that went in the beacons.
Well, I have placed wpa_supplicant in full debug verbosity output mode, and its probe/scan does not seem to be aimed at just my router. In fact it gets usually 3 to 5 responses from which it then selects my AP. The wpa_supplicant.conf has the SSID and the BSSID in the configuration. So, how come the probe/scan gets more than one response?
Well, note I said "If" :-)
If you do not place ANY SSID into the probe request, then all networks will respond. Depending on the configuration of a multi-SSID AP you may see more than one probe response from the same MAC address in this case. Or not. That may be up to the guy who runs the network(s) or it may be a hard-coded behaviour of the APs being used.
See the scan_ssid parameter for wpa_supplicant for how to change wpa_supplicant's behaviour in this respect.
On 05/23/11 12:22, Tim Smith wrote:
Well, note I said "If" :-)
If you do not place ANY SSID into the probe request, then all networks will respond. Depending on the configuration of a multi-SSID AP you may see more than one probe response from the same MAC address in this case. Or not. That may be up to the guy who runs the network(s) or it may be a hard-coded behaviour of the APs being used.
See the scan_ssid parameter for wpa_supplicant for how to change wpa_supplicant's behaviour in this respect.
You did not show the part where I said that my router's BSSID and the net's SSID are in wpa_supplicant.conf. So, I am asking how come the wpa_supplicant is not aiming its probe directly at that BSSID and SSID coded in the config file? It seems to me that it should do that.
On Monday 23 May 2011 22:26:49 JD wrote:
You did not show the part where I said that my router's BSSID and the net's SSID are in wpa_supplicant.conf. So, I am asking how come the wpa_supplicant is not aiming its probe directly at that BSSID and SSID coded in the config file? It seems to me that it should do that.
I wrote:
See the scan_ssid parameter for wpa_supplicant for how to change wpa_supplicant's behaviour in this respect.
Seriously. wpa_supplicant won't do that unless you change that parameter. Though of course you don't say whether that parameter is set, so you might have it set and I didn't know that, in which case it seems like you might have found a bug in wpa_supplicant. (I'm assuming you have a sniffer trace of the probe request off the air to verify this. Call me old-fashioned and paranoid but I never *quite* trust a program's own debug output without independent verification :-)
From /usr/share/doc/wpa_supplicant-0.6.8/wpa_supplicant.conf:
# scan_ssid:
# 0 = do not scan this SSID with specific Probe Request frames (default)
# 1 = scan with SSID-specific Probe Request frames (this can be used to
#     find APs that do not accept broadcast SSID or use multiple SSIDs;
#     this will add latency to scanning, so enable this only when needed)
On 05/23/11 15:41, Tim Smith wrote:
From /usr/share/doc/wpa_supplicant-0.6.8/wpa_supplicant.conf:
# scan_ssid:
# 0 = do not scan this SSID with specific Probe Request frames (default)
# 1 = scan with SSID-specific Probe Request frames (this can be used to
#     find APs that do not accept broadcast SSID or use multiple SSIDs;
#     this will add latency to scanning, so enable this only when needed)
My conf file for my net has scan_ssid=1
So, does that mean it will/will not send the ssid as part of the probe?
On Tuesday 24 May 2011 00:00:47 JD wrote:
My conf file for my net has scan_ssid=1
So, does that mean it will/will not send the ssid as part of the probe?
According to its documentation, it will be doing that. If it isn't then either the documentation or the program is wrong. The source for 0.6.10 looks like it's doing the right thing there (just had a quick look, not a detailed inspection).
OTOH, a quick check with 0.6.8 and a sniffer reveals that this is badly bugged there - the probe request comes out with non-broadcast SSID all right but it's complete gibberish. I'm not sure whose fault that is though. It could easily be the rather odd driver I'm using there - it's not production code because I'm normally mucking with the wireless chip firmware in rude and interesting ways.
Definitely worth checking with a sniffer to see what your system is doing...
On Sat, May 21, 2011 at 17:45:53 -0700, James McKenzie jjmckenzie51@gmail.com wrote:
Cryptographic algorithms and making their internal workings public. BTW, there are TWO versions of PGP, one that uses the still patented RSA front end and the other uses IDEA. Guess which one is stronger and
RSA is used for public key support. IDEA was used for encrypting the payload. IDEA is patented and the patent will be running out real soon now. The RSA patents have already expired.
costs money to use and is ILLEGAL to export outside of the United States? That is why I LOVE the ability to bring things into the United
Neither is illegal to export (except to a few countries the US wants to punish) as long as you follow the rules. You can also write it as a book and publish the book, which is what was done. DJB also got some rulings on whether the restrictions on publishing encryption algorithms was something that could be restricted. The US government kept trying to drag things out, and ended up saying DJB wouldn't be prosecuted so that the case would be declared moot in order to avoid an unfavorable ruling by the supreme court. So if you don't want to follow the rules, in the end you would likely still win on free speech grounds, but it might cost you a lot of money and some jail time if you publish before going to court.
On 06/04/11 07:15, Bruno Wolff III wrote:
Neither is illegal to export (except to a few countries the US wants to punish) as long as you follow the rules. You can also write it as a book and publish the book, which is what was done. DJB also got some rulings on whether the restrictions on publishing encryption algorithms was something that could be restricted. The US government kept trying to drag things out, and ended up saying DJB wouldn't be prosecuted so that the case would be declared moot in order to avoid an unfavorable ruling by the supreme court. So if you don't want to follow the rules, in the end you would likely still win on free speech grounds, but it might cost you a lot of money and some jail time if you publish before going to court.
So, is DJB totally broke now? :)
On Sat, Jun 04, 2011 at 09:06:56 -0700, JD jd1008@gmail.com wrote:
So, is DJB totally broke now? :)
The EFF funded some of the lawsuit and he had another donation fund for it as well. I don't know what his out of pocket expenses ended up being. He also didn't publish his class notes (and still hasn't) before starting the lawsuit, so that he wouldn't be subject to jail time.