Full Disclosure mailing list archives

Re: WEEPING FOR WEP


From: Troy Cregger <tcregger () kennedyinfo com>
Date: Fri, 06 Apr 2007 14:49:29 -0400


I use WEP at home, even though my house is far enough from the road to
make it rather difficult for someone to jump on my network.

Even if someone decided to hide in the woods at the edge of my yard with
a laptop they're more likely to be eaten by a bear, sprayed by a skunk,
or chewed alive by mosquitoes than collecting enough packets to crack
the WEP key, so WPA or LEAP would be overkill.

Like you said, measurement of risk.


neal.krawetz () mac hush com wrote:
seconds. Knowing that WEP is no more secure than a plastic luggage
lock, many people are questioning whether WEP is even useful at all.

While I certainly do not recommend WEP for high security (or even
moderate risk) environments, you need to remember: security is a
measurement of risk. If the threat is low enough, then WEP should
be fine.

WEP actually has three things going in its favor:

   * Availability: While there are many alternatives to WEP, such
as WPA and LEAP, only WEP is widely available. Hotels and coffee
shops that only cater to WPA or LEAP will not support many of their
customers. However, if you support WEP then everyone should be able
to access the network.

   * Better than nothing: There's a saying in Colorado: I don't
have to run faster than the bear, I just have to run faster than
you. If a casual war driver or WiFi-parasite has the option to use
your WEP system or your neighbor's open system, they will always
choose your neighbor. Having WEP makes you less desirable than an
open WiFi because there is no effort needed to use the network. If
you happen to live next to a coffee shop or library that offers
free WiFi, then the casual wireless user who just wants Internet
access will always choose free over the hassle of cracking WEP.
While WEP does not block a determined attacker who wants your
network, it will stop opportunistic network users.  Attackers tend
to not be sophisticated and do not choose their targets.  Attackers
are much like Russian roulette players, and like Russian roulette
players are usually both Russian and not very intelligent.

   * Intent: This is a biggie. If someone trespassed on your
private network through an open wireless access point, then proving
digital trespassing can be very difficult. However, if the user
must bypass your minimalist WEP security, then they clearly show
intent to trespass.

Consider WEP like a low fence around a swimming pool. Without the
fence, you are in trouble if a neighborhood kid drowns in the pool.
It's an "attractive nuisance". However, with the fence, you should
be covered if a kid climbs the fence and drowns. It's still bad,
but you have a standing to refute blame since you put up a
barrier, even if the barrier was minimal.

As far as WEP goes, it may not be very secure, but it is better
than the open-network alternative. If you have the option to use a
stronger security algorithm, then definitely do that. However, if
you have no other option, then WEP is better than nothing.

- Dr. Neal Krawetz, PhD
Author of "An Advanced Guide to chmod(1)" and "An Introduction to
Graphical Wrappers for apt and dpkg in Ubuntu"

I am best known for spending two weeks figuring out alternatives to
single user mode on my Mac.  PhD powah!

http://www.hackerfactor.com/blog/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

- --
Troy Cregger
Lead Developer, Technical Products.
Kennedy Information, Inc
One Phoenix Mill Ln, Fl 3
Peterborough, NH 03458
(603)924-0900 ext 662


