Full Disclosure mailing list archives
Re: WEEPING FOR WEP
From: Gary Warner <gar () askgar com>
Date: Fri, 06 Apr 2007 16:09:39 -0500
Neal,

Your three WEP points of favor are interesting discussion points.

#1 - Availability.

That's an excellent point and one we should start pushing to change. WEP is the primary "hotel" wireless protocol. Hotel users usually have the choices of "Open", "WEP" or "Bring Your Own". It needs to be stressed to the Hiltons and Marriotts of the world that using WEP is a huge disservice to their customers, which means we need to "bullet-proof" some of the other methods.

I'm going through this one at work right now myself. My team convinced me that we should use "WPA2" with TKIP for our new wireless service. Guess what? Most Windows-controlled wireless laptops don't have an option to select WPA2 as their authentication protocol! My team says "No problem, we can just have them download a more recent version of their driver and use the software that comes with their wireless card to manage their wireless instead of the Windows client." ARRRGH! *NOT* a valid answer!

---------------

#2 - Better than nothing.

Actually, the point of the Weeping for WEP story is that it's no longer any harder to break WEP than it is to connect to an open network. Demonstrated "time-to-connect" according to the Germans' paper? 60 seconds.

Now, if I needed 45 minutes to get on to your network, I'd likely keep driving. But if it truly only takes 60 seconds? It's easier to get on your network than to drive to the next signal? (Unless you're in my office, where from my 10th floor window I can see 51 wireless networks, 30 "open" and 21 "WEP", without an external antenna from my Dell laptop.)

The InfoWorld article:

http://www.infoworld.com/article/07/04/04/HNdontusewep_1.html

and the actual paper:

http://eprint.iacr.org/2007/120.pdf

make it clear that 50 seconds of gathering and 3 seconds of cracking open a 104-bit WEP key.

----------------

#3 - Intent of Trespass.

Well, it's true that you could say "He intentionally broke in", but how many wireless intrusion cases were there in the entire US last year? Three? Four?

I'd rather just spend 5 minutes to update my security and be secure rather than knowing that I could "prove" the guy who stole my bandwidth (and identity?) did so "on purpose".

Thanks for sharing your thoughts!

_-_
gar