Wireless Networking Security Hardware

Study: Wi-Fi users Still Don't Encrypt

Posted by CowboyNeal
from the won't-you-come-on-in dept.
Shackleford writes "SecurityFocus has an article saying that two days of electronic eavesdropping at the 802.11 Planet Expo in Boston last week sniffed out more evidence that most Wi-Fi users still aren't securing their networks. Security vendor AirDefense set up two of its commercial 'AirDefense Guard' sensors at opposite corners of the exhibit hall at the Boston World Trade Center, the site of the conference, and for two days analyzed the traffic flowing between conference-goers and 141 unencrypted access points set up by the conference for public use, and by vendors on the floor. What they found was that users checking their e-mail through unencrypted POP connections vastly outnumbered those using a VPN or another encrypted tunnel. Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day."
  • WEP is weak (Score:5, Funny)

    by Anonymous Coward on Saturday July 05, 2003 @09:23AM (#6372169)
    First post through my neighbor's compromised WAP gateway. Off to view some porn now. :-)
  • Okay ... (Score:4, Informative)

    by Neon_Mango (143057) <sean@NoSPAm.baseri.com> on Saturday July 05, 2003 @09:28AM (#6372180) Homepage
    But with some patience and airsnort even "secured" (i.e. encrypted) access points can be used without permission. And MAC address filtering is a joke since I can easily change what MAC address my airport card uses under linux.

    Maybe it's time for a new, and effective standard.
    • Re:Okay ... (Score:5, Insightful)

      by mindstrm (20013) on Saturday July 05, 2003 @09:30AM (#6372190)
      And with some patience, very little in fact, your car door can be opened, and your car stolen, or your house door opened, and your house cleaned out... but that doesn't mean we run around leaving our doors unlocked and open.

      Furthermore... there are legal implications. Is sniffing out POP passwords in this way illegal? Probably, but maybe not.. but is doing so off an encrypted channel illegal? Most certainly... as there is no logical way you can deny that you knew the signal was supposed to be private.
      • Re:Okay ... (Score:5, Insightful)

        by anthony_dipierro (543308) on Saturday July 05, 2003 @09:51AM (#6372267) Journal

        And with some patience, very little in fact, your car door can be opened, and your car stolen, or your house door opened, and your house cleaned out... but that doesn't mean we run around leaving our doors unlocked and open.

        A lot of people do leave their doors unlocked. Besides, your analogy is flawed because breaking into a car or house attracts people to the presence of the crime. Cracking WEP encryption is something that can be done in the privacy of your own home.

        Is sniffing out POP passwords in this way illegal?

        Maybe not, but using that sniffed POP password certainly is.

        • Well (Score:5, Informative)

          by mindstrm (20013) on Saturday July 05, 2003 @10:17AM (#6372354)
          the point of WEP is misunderstood, as well. Yes, it was poorly implemented.. but it was not supposed to be the data security layer anyway... just "wired equivalent"
          That means.. it was supposed to be roughly as hard to get access to the actual network packets as it is when someone has a wired lan.

          The wire is not secure, as you know. Wires can be tapped numerous ways, invasively, or passively. Yes, the logic is kind of flawed, the situation is different.. but it just makes it harder to sniff, not impossible.

          It wasn't supposed to be a replacement for using secure protocols.

      • Can we PLEASE stop using analogies? They don't work unless you are either, really proficient in English studies. Includes near perfect score on verbal SAT's or studying it in school as a profession or teaching it.

        Problem is, Slashdotters don't usually use the "higher end" ideas, such as irony, analogies and such correctly. If you want to make your point, just make it.

        wifi is nothing like having a car. It's like a line of communication, just like a voice call or using walkie talkies. Unless you use code (
    • Re:Okay ... (Score:5, Insightful)

      by the uNF cola (657200) on Saturday July 05, 2003 @09:31AM (#6372191)
      And you can guess IPSec keys too, eh? :) There are effective standards, just the majority doesn't use them. 802.x works well when you use a VPN.
    • Re:Okay ... (Score:5, Insightful)

      by ergo98 (9391) on Saturday July 05, 2003 @09:35AM (#6372207) Homepage Journal
      The point of this analysis was that when people used unencrypted wifi in public places, they used open and unencrypted channels to communicate sensitive information such as email passwords. i.e. They didn't establish an encrypted VPN session first, or their organizations don't use IPSec/POP3 SSL. The net effect is that they're publicly broadcasting all of their information.

      Of course I wouldn't see it much differently if the conference hall had CAT5 jacks that you could plug into: You still should have no faith in the people running the show, or anyone capable of putting in a wire shunt, who have every ability to log and trace all of your messages: You should always presume that someone is listening. This is just another reminder that the world needs to move to secured application layer transport protocols as mandatory (or blocking external access apart from through a VPN) as quickly as possible, because the human element will always take the easiest route, and the natural human instinct, barring a case of paranoia, is to presume that nothing will ever happen to them- Every victim is someone who thinks it'll only happen to the next guy.
      • Re:Okay ... (Score:4, Insightful)

        by iangoldby (552781) on Saturday July 05, 2003 @02:50PM (#6373335) Homepage
        You should always presume that someone is listening. This is just another reminder that the world needs to move to secured application layer transport protocols as mandatory

        Of course there is always the alternative view that these people simply didn't care if someone was eavesdropping on their email. I know I wouldn't be at all bothered.

        People still send postcards - think of it - in this day and age when paper envelopes are so easily available...
    • >> MAC address filtering is a joke since I can easily change what MAC address my airport card uses under linux.

      Correct me if I am wrong but, unless you already have access to the WiFi controller and know what MAC addresses have been explicitly granted permission, it doesn't matter that you can change your MAC address.
      • You can sniff encrypted traffic, crack the WEP key, and easily see what MAC addresses are in use. With that info you can easily have a list of MAC addresses to impersonate.
        • Coming into the WiFi game a little later than most, I was under the mistaken impression that filtering by MAC address was secure. Then I followed a link from this thread to the Kismet [kismetwireless.net] site and realized just how idiotic that belief was. Encrypted or not, the TCP stack is going to carry the MAC of the sender.

          In the end, I guess it's very much like locking your car door. It'll dissuade the casual thief but if someone really wants to get in, they're going to get in.
    • You mean IPSEC'ing your wireless connections? Something actually on my TODO list today. ^,^
    • Re:Okay ... (Score:5, Informative)

      by Bagheera (71311) on Saturday July 05, 2003 @11:37AM (#6372604) Homepage Journal
      Using AirSnort takes time and patience. For a "large" site where you can get a lot of traffic, or where you're trying to crack your next door neighbor's network where you can get a lot of traffic over time, it's practical.

      At a conference, it's unlikely that people will even bother setting up WEP since key management isn't worth the effort.

      MAC address filtering is a mixed bag. Yes, it's trivial to alter your own MAC address to impersonate another machine, but the usefulness depends on your environment. A big site probably won't bother with filtering. Too many addresses to track. A small site running MAC filtering may well have a clueful network admin who'll notice homeboy.haxornet.lan's MAC on the air when he -knows- he left that box at the office.

      The point was the insecure protocols used over the wireless links. Web, POP, IMAP, telnet, etc., passwords sent in the clear are trivial to sniff in that environment.

      As some have already pointed out SSL will cure that issue for quite a number of applications. Using SSH to reach your mail server is another simple "fix" to what is essentially NOT a wireless networking problem.

  • POP3 with SSL (Score:5, Insightful)

    by ergo98 (9391) on Saturday July 05, 2003 @09:29AM (#6372183) Homepage Journal
    A similar survey would be to test how many POP3 servers out there support SSL. I suspect that it's on the low side of 3%. POP3 with SSL is a trivial, easy alteration that many POP3 clients support, instantly securing the network without layering on a secondary encryption layer (VPN/PPTP/IPSec) when all you want is to check your email, which is what probably 99% of the users do at trade shows like this.
    • i would love to see people like yahoo POP3 implement SSL, but i suspect with a large (non-paying) userbase, the processor time required by the extra SSL encryption overhead would probably cripple their servers during peak times...
    • What about IMAP? Is it secure? Does it support SSL?

      Ciryon
      • Re:POP3 with SSL (Score:5, Informative)

        by derF024 (36585) * on Saturday July 05, 2003 @09:54AM (#6372277) Homepage Journal
        What about IMAP? Is it secure? Does it support SSL?

        both IMAP and SMTP also support ssl natively.

        I use wifi around my apartment, and I encrypt everything via either ssl (imap, smtp and http) or ssh tunnels. After living on a non-switched college network for 4 years, I've learned to never trust the local network anywhere.
        • Re:POP3 with SSL (Score:3, Informative)

          by petard (117521)

          I use wifi around my apartment, and I encrypt everything via either ssl (imap, smtp and http) or ssh tunnels. After living on a non-switched college network for 4 years, I've learned to never trust the local network anywhere.

          It's good that you've learned never to trust the local network anywhere, but your comment implies that you could rely on a switched network for some sort of added security. You can't. It is trivial to sniff traffic on a switched network. [sourceforge.net]

          • Yes.. (Score:3, Interesting)

            by mindstrm (20013)
            but not as trivial as sniffing on an unswitched network.

            Furthermore... if I'm the sysadmin, and I catch you running a sniffer, well, I probably won't care.

            If I catch you doing arp poisoning in order to intercept traffic on a switched lan, I'm going to yank your connection / get you fired / expelled / press charges for hacking.
            One involves listening. The other involves messing with stuff and deliberately breaking how things work.

      • It doesn't need to support SSL. SSL is an adapter layer for stream-based protocols - it fits in between TCP and anything that can run on top of TCP (except that I don't think out-of-band TCP messages will work).
    • I've seen POP3 SSL hacks using stunnel, which means connections from localhost, and therefore you can't filter based on IP properly (assuming you want to filter at the application level instead of the network level). What POP3 daemons support SSL _NATIVELY_?
    • Re:POP3 with SSL (Score:5, Informative)

      by SCHecklerX (229973) <thecaptain@captaincodo.net> on Saturday July 05, 2003 @09:58AM (#6372290) Homepage
      Or just run ssh on the client and server and be done with it, but then again, it's far easier and more efficient to just use pine on the 'pop' server via ssh login when you are away. Or you could be uber-cool and run cyrus IMAP instead, then you are in sync and have all of your mail no matter where you are.

      ssh -N -l loginname -i ~/.ssh/identity_nopass -L 5110:localhost:110 pop.server.net

      In the above, you would configure your pop client to go to localhost as the server on port 5110.

    • Well, I don't know about your ISP, but AT&T (now Comcast) provides this in my area, and I've been using it since day 1.
    • I just checked, and none of the three ISPs I use seem to have SSL POP3 servers. ;-(

      However they do have https'd web interfaces to the mail servers, so you can always use that at these conferences, and that would be secure.
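
The question running through this sub-thread is how a POP3 client can avoid putting its password on the air in cleartext. As an added example (not code from any poster or mail client), the policy below picks a login method from a server's greeting and CAPA list: implicit TLS on port 995, STLS (RFC 2595), APOP (RFC 1939) as a weaker fallback, or refusal. The names `choose_login`, `LoginPlan` and `survey`, and all server data, are constructed for illustration.

```python
import hashlib
import re
from typing import NamedTuple, Optional, Sequence

# RFC 1939: a server that offers APOP ends its greeting with a timestamp
# shaped like a message-id, e.g. <process.clock@hostname>.
APOP_TIMESTAMP = re.compile(r"<[^<>\s]+@[^<>\s]+>")


class LoginPlan(NamedTuple):
    method: str              # "implicit-tls", "stls", "apop" or "refuse"
    command: Optional[str]   # first command the client should send, if any
    reason: str


def apop_digest(timestamp: str, secret: str) -> str:
    """APOP digest: MD5 over the greeting timestamp (angle brackets
    included) followed by the shared secret, as lowercase hex."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def choose_login(port: int, greeting: str, capa: Sequence[str],
                 user: str, secret: str, allow_apop: bool = True) -> LoginPlan:
    caps = {line.split()[0].upper() for line in capa if line.strip()}

    # Port 995 is POP3 wrapped in TLS from the first byte, so USER/PASS
    # travel inside the encrypted channel.
    if port == 995:
        return LoginPlan("implicit-tls", f"USER {user}",
                         "session is already inside TLS")

    # A server listing STLS can upgrade the port-110 session to TLS;
    # credentials are sent only after the handshake succeeds.
    if "STLS" in caps:
        return LoginPlan("stls", "STLS", "upgrade to TLS before logging in")

    # APOP keeps the password away from a passive sniffer, but the mail
    # itself stays in cleartext and the scheme depends on MD5, so it is a
    # fallback that a stricter policy can switch off.
    match = APOP_TIMESTAMP.search(greeting)
    if allow_apop and match:
        digest = apop_digest(match.group(0), secret)
        return LoginPlan("apop", f"APOP {user} {digest}",
                         "digest login, message bodies still readable")

    # Only USER/PASS in the clear is left: do not log in from this network.
    return LoginPlan("refuse", None, "server offers cleartext login only")


# Constructed sample servers: (port, greeting, CAPA response lines).
SAMPLE_SERVERS = {
    "plain-only": (110, "+OK POP3 server ready", ["TOP", "UIDL", "USER"]),
    "stls": (110, "+OK ready", ["TOP", "STLS", "UIDL"]),
    "apop": (110, "+OK ready <4242.1057400000@pop.example.com>", ["TOP", "USER"]),
    "pop3s": (995, "+OK ready", ["USER", "UIDL"]),
}


def survey(servers, user="alice", secret="s3cret", allow_apop=True):
    """Return {server name: chosen method} for a set of sample servers."""
    return {name: choose_login(port, greeting, capa, user, secret, allow_apop).method
            for name, (port, greeting, capa) in servers.items()}


if __name__ == "__main__":
    for name, (port, greeting, capa) in SAMPLE_SERVERS.items():
        print(name, choose_login(port, greeting, capa, "alice", "s3cret"))
```

A CAPA list read before TLS is up can be altered in transit, so a client that knows its server supports STLS should treat a missing STLS line as a reason to refuse rather than to fall back.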

  • by Gendhil (686251) on Saturday July 05, 2003 @09:29AM (#6372187)
    9% of attendees learned something from the expo. :)
  • by pir8garth (674943) on Saturday July 05, 2003 @09:30AM (#6372189)
    There is some good basic WLAN security info on AirDefense's knowledge center [airdefense.net] section of their website...
  • by Anonymous Coward on Saturday July 05, 2003 @09:31AM (#6372193)
    This only verifies the importance of application level encryption. Every socket communication should be encrypted so that security doesn't rely on the network connection itself.

    Suprasphere encrypts all socket communication using a dynamically generated Diffie-Hellman key exchange. This is much better than SSL because it does not require using a CA so you can set it all up without any administrative overhead.

    Furthermore, all authentication uses a zero-knowledge proof so that a password is never sent over the wire. Even though the traffic is all encrypted anyway, this adds another level of security so that a compromised passphrase at one sphere will not allow authentication at any other. You can store a profile at different places that can only give you access if you can prove beyond a statistically reasonable doubt that you are who you say you are.
    • Wouldn't that make man-in-the-middle pretty much trivially easy? All I would need to do is haxor the name server to point you to my evil box. You'd get a dutifully performed diffie-hellman exchange just before all your data came into my possession. Your plan has no way to verify identity of the endpoints.
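
The gap this reply points to, as an added example that is not part of the original thread and not Suprasphere's code: a fresh Diffie-Hellman exchange completes normally whether or not a third box answers in the middle, and only a check tied to something the endpoints knew beforehand exposes the difference. The toy group, the `Party`/`run_exchange` names and the HMAC over the exchanged values (standing in for a certificate signature) are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple

# Toy group: the Mersenne prime 2**127 - 1 keeps the numbers short. It is far
# too small for real use; the logic is unchanged with a 2048-bit group.
P = 2**127 - 1
G = 3


def _b(n: int) -> bytes:
    return n.to_bytes(16, "big")


class Party:
    """One freshly generated Diffie-Hellman key pair."""

    def __init__(self) -> None:
        self._private = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._private, P)

    def session_key(self, peer_public: int) -> bytes:
        return hashlib.sha256(_b(pow(peer_public, self._private, P))).digest()


def transcript_tag(secret: bytes, client_pub: int, server_pub: int) -> bytes:
    """MAC over both public values, keyed with a secret shared out of band.
    It stands in for the signature a certificate-based protocol would use."""
    return hmac.new(secret, _b(client_pub) + _b(server_pub), hashlib.sha256).digest()


class Outcome(NamedTuple):
    endpoints_share_key: bool            # client and server derived the same key
    interceptor_holds_client_key: bool   # the box in the path can read the client
    transcript_verified: bool            # client's check of the server's tag


def run_exchange(secret: bytes, intercepted: bool) -> Outcome:
    client, server = Party(), Party()
    if intercepted:
        # The box in the path answers each side with its own public value.
        facing_client, facing_server = Party(), Party()
        client_sees, server_sees = facing_client.public, facing_server.public
    else:
        facing_client = None
        client_sees, server_sees = server.public, client.public

    # Both endpoints finish the exchange without any error either way.
    client_key = client.session_key(client_sees)
    server_key = server.session_key(server_sees)

    # The server tags the two public values as it saw them. Without the
    # secret, the box in the path can only relay that tag unchanged.
    tag = transcript_tag(secret, server_sees, server.public)
    expected = transcript_tag(secret, client.public, client_sees)

    return Outcome(
        endpoints_share_key=hmac.compare_digest(client_key, server_key),
        interceptor_holds_client_key=(
            facing_client is not None
            and facing_client.session_key(client.public) == client_key
        ),
        transcript_verified=hmac.compare_digest(tag, expected),
    )


if __name__ == "__main__":
    secret = b"constructed out-of-band secret"
    print("direct:     ", run_exchange(secret, intercepted=False))
    print("intercepted:", run_exchange(secret, intercepted=True))
```

In the intercepted run the key exchange itself reports nothing wrong; the only signal is the failed tag check, which is the job a CA-signed certificate or a pinned host key does in SSL and SSH.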

    • This only verifies the importance of application level encryption. Every socket communication should be encrypted so that security doesn't rely on the network connection itself.

      And one very easy way of encrypting "every socket communication" is via IPsec. And, guess what, you don't need to hack every application to do it. Nor, for that matter, do you need

      Suprasphere encrypts all socket communication using a dynamically generated Diffie-Hellman key exchange. This is much better than SSL because it does
  • Not surprising (Score:5, Insightful)

    by grokBoy (582119) on Saturday July 05, 2003 @09:33AM (#6372199)
    In my experience 'new' hardware such as this is always the last thing that people think about when it comes to security.

    With all the media hype about wireless, a growing number of people are simply buying an access point and a couple of NICs, flicking through the manual, and then running default configurations, because the average user probably isn't aware that what they are doing *is* insecure, and has never heard of WEP. No doubt this (and newer ideas such as 802.11x) will be in the 'advanced' section at the back of the manual with bluntly technical instructions filled with acronyms and concepts that a non-IT savvy person would simply skip over.

    Once it 'works', the majority set-it-and-forget-it - no different to the populace of home users running xDSL without a firewall, or those who never patch their boxes. A quick drive round your local residential area with a copy of Kismet proves this point for anyone with any doubt =)

    On the flipside of the coin, in the corporate world, sales reps, engineers, and other 'road warriors' should really be given this advice from their support teams, and have their machines configured appropriately in advance by someone knowledgeable - they really can't be held responsible for the lack of action by the correct department.

    • Re:Not surprising (Score:3, Insightful)

      by FattMattP (86246)

      With all the media hype about wireless, a growing number of people are simply buying an access point and a couple of NICs, flicking through the manual, and then running default configurations, because the average user probably isn't aware that what they are doing *is* insecure, and has never heard of WEP. No doubt this (and newer ideas such as 802.11x) will be in the 'advanced' section at the back of the manual with bluntly technical instructions filled with acronyms and concepts that a non-IT savvy perso

  • Not surprising (Score:5, Interesting)

    by airuck (300354) on Saturday July 05, 2003 @09:33AM (#6372203)
    I live in a small university town. Even the shortest bike ride with my Zaurus running kismet finds many access points in businesses and homes unencrypted (war biking?). I often run ethereal for the few minutes it takes me to get up and order coffee at one of the local cafes. It never fails to catch pop and imap passwords, mail, and instant messaging conversations. I always use ssh or VPN, but I don't feel superior. Most of my own non-work related mail is sent in plain text.
  • Jeez... (Score:4, Funny)

    by Faust7 (314817) on Saturday July 05, 2003 @09:42AM (#6372229) Homepage
    Next thing you know, people will be failing to apply patches.
  • by HBI (604924) <kparadine AT gmail DOT com> on Saturday July 05, 2003 @09:44AM (#6372240) Homepage Journal
    Is it possible that most people don't give a shit about encrypting their e-mail because the contents of their e-mail are so inane and you can't trust the intervening steps?

    I mean really - if I want secure transfer of information i'm not going to use e-mail. The effort wasted securing it is truly wasted effort, in my view, because of the lack of a trusted MTA. I don't trust my ISP. They can read this shit. So can every other transit point. Do you? Don't you feel somewhat foolish for admitting that?

    I secure my IM. End-to-end encryption at least has a point there.

    That being said, the article seems to lack point - expecting 'more people' to do something that is fundamentally pointless.
    • Re:Arriving clue (Score:4, Informative)

      by jdreed1024 (443938) on Saturday July 05, 2003 @10:04AM (#6372305)
      Is it possible that most people don't give a shit about encrypting their e-mail because the contents of their e-mail are so inane and you can't trust the intervening steps?

      It's not the e-mail that's the problem. It's the fact that your password is sent unencrypted (with a few notable exceptions). And, a large portion of the time, I'd bet your password for the POP3 server is the same as that for a shell account with that ISP. Or FTP access to your web publishing directories. Or, if you're really stupid, it's the same as your online banking password.

    • Great, so long as you don't care about people using your mail account. Encrypting the actual mail is almost an afterthought- it's encrypting the login id and password that matter the most. POP sends the password in plaintext, so you need some kind of an encryption scheme to keep that from being pulled down and used against you.
    • That's the main reason I wouldn't bother. I just don't care if people can read my mail or know the password to my email account. Really there is very little online I worry about encrypting. If I connect to work it's encrypted. If I connect to home it's encrypted. If I connect to my web server it's encrypted. If I'm looking at offers to enlarge my penis as I sit surfing porn then what do I care? :)

      Just a note.. The program driftnet is a fun toy. Try it on your insecure network today. It nicely lets you see
    • I mean really - if I want secure transfer of information i'm not going to use e-mail. The effort wasted securing it is truly wasted effort, in my view, because of the lack of a trusted MTA.

      Use GPG. Then you don't have to trust anything, except that you have a genuine key.

  • Wi-Fi? (Score:5, Interesting)

    by TheRaven64 (641858) on Saturday July 05, 2003 @09:44AM (#6372241) Journal
    I'm amazed that people still use unencrypted anything over the Internet (well, except http. I don't really care if someone knows I read /.)

    A few years ago I was given a demo of TCP-dump by a resident BOFH. First step was to read all of the private communications between a certain user and other people in a chat room. The next was to take a look at some people's emails as they were relayed through the router (including their POP3 passwords). Since that day I have not sent any password unencrypted...

    • I'm amazed that people still use unencrypted anything over the Internet (well, except http. I don't really care if someone knows I read /.)

      What do you care if someone reads your spam?

    • I'm amazed that people still use unencrypted anything over the Internet

      What choice do people have? For example, my ISP only offers unencrypted POP3 access, and that ISP is the only ISP that offers broadband access in my area.

      If you have some suggestions for third party mail boxes that offer encrypted IMAP4 access, well, please share them.
  • by FearUncertaintyDoubt (578295) on Saturday July 05, 2003 @09:47AM (#6372251)
    That's great for e-mail, but what about general browsing? Or telnet? Or any other communication that I might use with a public WiFi? And I'm pretty sure the POP3 providers I use have the option of SSL. So what do I do? Either say, "well, it's not safe to check my e-mail," or "screw it, I'll take the chance that someone sees my penis-enlargement spam." The point is that it isn't very efficient, realistic, or even possible to expect users to be securing every internet-capable application on their PC. So why not encrypt at the common gate -- i.e., the point at which all data goes in or out of the PC?

    If you use WEP, but everyone knows the key (e.g., at a trade show so you need to make the key public to let people on the WiFi network), I assume that's the same as unencrypted. However, why couldn't there be a RSA or symmetric encryption for 802.11[x]? So you make the public key for the access point, available, anyone with that can connect, but your PC/WiFi card encrypts every packet going out the door, so the traffic going from the client to the access point is now secure. Similarly, the client gives the access point its public key, so all the traffic coming back to the client is also secure. This probably requires a lot more overhead in the access point and client, but I don't think that it would be unreasonably so.

    • That's great for e-mail, but what about general browsing? Or telnet?

      If you are using in-the-clear protocols, then your connection is vulnerable to eavesdropping _anyway_, wireless or no wireless. Use https instead of http, and especially use ssh instead of telnet. Of course this requires the other side to support it (many web sites don't do https) but that is just as you'd expect - a connection that is secure against attackers in the middle must necessarily require cooperation from both the endpoints.

    • However, why couldn't there be a RSA or symmetric encryption for 802.11[x]?

      Doesn't really work in this case. It's the network at these shows that is untrustworthy not just the airwaves. The only thing the WEP (if it works right) is good for is keeping people you don't want off your network; it doesn't actually add any significant security for the user from the network. So as a user in 99% of all cases you want end-end security, not point-point; because at each of these points the traffic is unencrypted an

    • However, why couldn't there be a RSA or symmetric encryption for 802.11[x]?

      Bluetooth seems to address this: its encryption does not have the weaknesses of 802.11x, and newer versions apparently allow 128bit encrypted open/ad-hoc connections.

      I'll take the chance that someone sees my penis-enlargement spam.

      The problem is that people also see your POP3 password, which means that they may be removing both your penis-enlargement spam and your real mail from your mailbox after getting your password.
  • by ramzak2k (596734) * on Saturday July 05, 2003 @09:48AM (#6372257)
    The problem lies more in the way the access points work at the moment rather than the end users not using POP without security. The best you can do with access points today is to set up a single key (like WEP) that is shared among multiple users. The accesspoints of the future would hopefully have 2 WEPs: One to allow access to accesspoint and a second one - dynamically assigned to individual clients (probably recognized by unique mac address) for all data communication between that unique client and accesspoint.
    • ugh (Score:3, Informative)

      by TrekkieGod (627867)
      The best you can do with access points today is to set up a single key (like WEP) that is shared among multiple users.

      WEP is a horrible thing. I use it myself, but that's mainly to keep my non-techie neighbors from turning on their laptops one day, have windows xp realize there's a wireless connection in their range, and start using my bandwidth. I have no delusions that my data is secure since anyone could, with a little patience, use airsnort [shmoo.com] to find out what my key is.

      The accesspoints of the future

    • One to allow access to accesspoint and a second one - dynamically assigned to individual clients (probably recognized by unique mac address) for all data communication between that unique client and accesspoint.

      But that means that the access point needs to be able to store one key per client. Furthermore, in order to be reasonably convenient, there needs to be a protocol to do the key exchange without user intervention. Adding this on to 802.11 looks like a major headache. (I think the new Bluetoo
  • by vadim_t (324782) on Saturday July 05, 2003 @09:52AM (#6372271) Homepage
    Encryption might take a while to set up, but it's a very good thing. Not only for your own data.

    I'll explain. Many of us run web servers and let friends have sites or mail accounts on them. Now, I'm pretty sure that in most places reading your user's mail is illegal. Suppose you're logged in on your server trying to solve some problem by looking at what's going on with a sniffer like tcpdump or ethereal. Accidentally you see a friend's private email scroll by.

    Now, of course, this wasn't intentional. But what if you make a slip? The email could have been about some event you didn't know about. Then, a week later you forget where you got that information from, you ask that friend about whether his grandma got better. The friend then asks "How do you know that? You weren't reading my mail, were you?". Depending on how this person feels about you, you might get into some trouble.

    This is why on my server I provide IMAP accounts only though SSL. I never look in user directories unless needed. And I tell everybody who gets an account that if they want to be completely sure their data stays confidential that they should use PGP and that I can explain how to use it.

    It's not that hard to set up, anyway. Set up a mail server with SSL and you'll be able to check your mail safely from anywhere. Install SSH for administration. Install Apache SSL even if you don't need it much, to give the users who want it the ability to log in with an encrypted connection. Use an instant messenger like Jabber with a SSL connection too.

    Don't worry about self-signed certificates. A certificate from Verisign provides a rather small increase of security which people tend to ignore anyway. If you just want to avoid your traffic from being sniffed, it should be enough.

    Excepting web browsing, most of my data is encrypted. I even found that I can browse kuro5hin.org through https. It's a good thing too, when I login my password won't be sent in clear text.
  • and? (Score:3, Interesting)

    by Connie_Lingus (317691) on Saturday July 05, 2003 @09:52AM (#6372272) Homepage
    So perhaps this *may* mean that only 3-12% of the people feel that what is contained in their email is important enough to encrypt. Why does this article assume that VPNs are necessary in every case?

    You know, it is sometimes good to be "paranoid", but often it is just that, paranoia. Do I care if someone sniffs my unencrypted "penis enlargement NOW!" emails? Security is not always the primary design factor, and sometimes is disregarded altogether in the face of getting things done.

    I can't help when I think of "security" of the push/pull battle that the U.S. Army had with the Manhattan Project personnel. The Army, of course, saw bogeymen under every rock at Los Alamos, but the scientists soon discovered that to aid in the project, many "security" concerns had to be circumvented...

    • Re:and? (Score:3, Informative)

      by volsung (378)
      I generally don't care whether my email messages are encrypted, but I do care about whether my email password is being sent out cleartext. Something like digest authentication would be fine, but I don't think IMAP or POP3 does that, so I have to go all out and use IMAPS.
  • by volsung (378) <stan@mtrr.org> on Saturday July 05, 2003 @10:01AM (#6372295)
    Universities are probably the worst places for wireless security:
    • Many are installing public (or at least semi-public) WAPs all over campus.
    • They are generally not even using WEP because of the overhead and because the goal is to make it as easy as possible for people to jump on the network. (Yes, I realize WEP in most cases is worthless anyway, but it at least raises the bar.)
    • There is a high density of wireless users checking their email.
    • Few use IMAPS or POP3S either due to laziness or insufficient computational resources on the email servers.

    This all adds up to make it really easy to sniff usernames and passwords just by sitting in a campus hangout area with a packet sniffer.

    I have whined at my University for IMAPS support and was told that, while they were interested, they couldn't roll it out because their servers couldn't handle the extra CPU load from all that encryption/decryption. I suspect the answer is the same in other places.

    • by Enry (630)
      We use Blue Socket boxes behind our WAPs, so while anyone can get an IP address from our WAP, you won't be able to get anywhere until you authenticate (via SSL). Since the wireless network is outside our firewall, you have to either use a VPN or SSL-web access to get your e-mail.
      • Yeah, my university does a similar authentication process via SSL, but there is no VPN option for email access. We have a SSL webmail program, but webmail is really bothersome to use, hence my hope for better protocol support.
  • Trying to get secure email has been a bugbear for me ever since my mail server started supporting secure IMAP and secure SMTP.

    The hardware specifications are as follows:

    Toshiba Tecra 9100, European, with built-in wireless (an orinocco under the hood)
    One Netgear ME102 nice and simple mdaemon mail server (altn.com)
    Outlook XP (so sue me)

    A couple of revisions ago mdaemon started supporting SSL for IMAP and SMTP. Great, I thought, I'll enable that in Outlook and when I'm out and about on public APs I'll

  • Why should I care about encrypting the download of mail? It goes in clear text across the network anyway; everyone knows you should not write anything in electronic mail that you wouldn't send on a postcard. That's what PGP is for.

    (It is a bit more worrying if someone could pretend to be me and delete all my messages from the server.)
    • (It is a bit more worrying if someone could pretend to be me and delete all my messages from the server.)

      You just answered your question. I'm not particularly concerned about the contents of my email, either. But, POP3 sends the password in the clear.

      That password is typically also the account password, giving the interceptor access to all of your services, while masquerading as you.
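The distinction drawn in the reply above (the mail itself may not matter, but POP3's USER/PASS login does), as an added example that is not part of the original thread: a classifier over constructed session summaries that separates implicit-TLS and STLS/STARTTLS sessions from those that put a password on the wire, and reports a percent-encrypted figure of the kind the study quotes. The sample sessions, labels and function names are assumptions made for illustration.

```python
"""Classify mail sessions by whether the login was exposed on the wire.
Input is constructed: (server port, client commands seen before any TLS)."""
from collections import Counter

IMPLICIT_TLS = {995, 993}                    # POP3S, IMAPS: TLS from the first byte
UPGRADE = {110: "STLS", 143: "STARTTLS"}     # RFC 2595 in-band upgrade commands
PLAIN_LOGIN = {110: ("USER", "PASS"), 143: ("LOGIN",)}

def verb(port, line):
    """Return the upper-cased command verb; IMAP lines carry a leading tag."""
    parts = line.split()
    idx = 1 if port == 143 else 0
    return parts[idx].upper() if len(parts) > idx else ""

def classify(port, client_lines):
    if port in IMPLICIT_TLS:
        return "encrypted"
    if port not in UPGRADE:
        return "not-mail"
    for line in client_lines:
        v = verb(port, line)
        if v == UPGRADE[port]:
            return "encrypted"               # everything after this is inside TLS
        if v in PLAIN_LOGIN[port]:
            return "password-in-clear"
    # No USER/PASS or LOGIN seen: e.g. an APOP digest login. The mail
    # itself still crosses the air unencrypted in this case.
    return "cleartext-no-plain-login"

def summarize(flows):
    """Return (per-label counts, percent of mail sessions that were encrypted)."""
    counts = Counter(classify(p, lines) for p, lines in flows)
    mail = sum(n for label, n in counts.items() if label != "not-mail")
    pct = round(100 * counts["encrypted"] / mail) if mail else 0
    return counts, pct

# Constructed sample sessions (placeholders, not captured traffic).
SAMPLE = [
    (110, ["USER alice", "PASS <redacted>"]),
    (110, ["STLS"]),
    (110, ["APOP bob <digest>"]),
    (143, ["a1 CAPABILITY", "a2 LOGIN carol <redacted>"]),
    (143, ["a1 STARTTLS"]),
    (993, []),
    (80, ["GET / HTTP/1.0"]),
]

if __name__ == "__main__":
    counts, pct = summarize(SAMPLE)
    print(dict(counts), f"{pct}% of mail sessions encrypted")
```

The APOP case is the one worth noticing: the password stays off the wire, yet the session still counts as unencrypted for the mail it carries.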

  • It's plain to see! Take my hometown.. right next to a beautiful mountain range. Just get on top of one of the mountains and use a dish to look down.. 72% of the 180 networks that showed up within 5-6 minutes were all unencrypted!
  • Because (Score:3, Informative)

    by CausticWindow (632215) on Saturday July 05, 2003 @10:12AM (#6372342)

    802.11b is slow enough already.

    Try streaming a DivX over wireless with encryption, it doesn't work. It barely works when you turn it off.

    • Damn straight. This just shows the importance of application level security. I don't care if the wlan is secure or not, because I'm using secure IMAP to check mail, HTTPS when necessary, and SSH to log into my servers. Do I want ALL my traffic encrypted (with the overhead slowing it down)? Heck no. I don't care if someone is sniffing my slashdot http requests.

      Forget trying to get encryption on all wireless traffic, that is a stupid idea to solve a problem that is better solved elsewhere. The real problem t
  • Overreaction (Score:5, Insightful)

    by DoorFrame (22108) on Saturday July 05, 2003 @10:20AM (#6372362) Homepage
    Most people don't care all that much about their home wireless networks (or their personal email) being encrypted, because there's no major threat. Sure, corporations need to protect their ever so secret information and precious bandwidth, but if someone near my house wants to go ahead and use my wireless connection, as long as it's not crippling my connection speed, so be it. Not a big loss for me. If someone is going to go through the effort to snoop my network, you're not going to find anything worth stealing that you couldn't get easier from Kazaa. If someone's going to be reading my personal email, well, they're going to be plenty bored. It's just not worth hacking into my computer, there's nothing of non-personal value on it.

    Security isn't a major issue for home users. That's why they don't treat it as such. Sorry guys.
    • Re:Overreaction (Score:5, Insightful)

      by mindstrm (20013) on Saturday July 05, 2003 @10:28AM (#6372391)
      Yeah, I mean it's not like home users access services at work, bank accounts, online shopping, credit cards, in house file sharing, personal financial correspondence, IP phone calls, and so on... they really have nothing to worry about.

      Hey.. why not stick your filing cabinet in the front yard with all the papers in it and say "free shit!" too!

      Home users don't treat security as a big deal because they don't KNOW the issues, because they are a bit too technical.. because joe average doesn't have time to get into the details.. not because he doesn't care about security.
      • it's not like home users access services at work, bank accounts, online shopping, credit cards, in house file sharing, personal financial correspondence, IP phone calls, and so on... they really have nothing to worry about.

        You have a point. But let's be a little realistic. The fact is that you don't have malicious wardrivers in every neighborhood in every town just waiting to get your bank password, credit card, etc. I think a lot of well meaning computer security folks tone up the FEAR factor a little

    • If you have some way of preventing network visitors from sending email, then you're safe from wardriving spammers. If you never use the same password between some cleartext protocol and some sensitive application like online banking, then you're safe from having your online banking password stolen. If all your machines are sufficiently hardened that you could expose them to malicious connections without a firewall in between, then you're (relatively) safe from becoming someone's next DDoS zombie. If you don
    • Re:Overreaction (Score:3, Insightful)

      by Cyno (85911)
      No?

      Fine, well, if I were to hack some corporation or person on the net I would do it through a wireless connection to some open network like yours, then hack through one of your systems and trash your system on my way out to delete as much evidence as possible. It's virtually anonymous and it doesn't matter whether your data is valuable or not. I'm not interested in your data, I'm interested in anonymity.

      You can trust 99% of the people, but it only takes one like me to ruin your day. And I think that is
    • Re:Overreaction (Score:3, Insightful)

      by YrWrstNtmr (564987)
      but if someone near my house wants to go ahead and use my wireless connection, as long as it's not crippling my connection speed, so be it. Not a big loss for me.

      Sure. Until he sends some kiddie porn to his buddies, and it gets traced back to *your* network and IP address.

      Prove it wasn't you.
  • by sgarrity (262297)
    This shows the power of defaults. Anyone who has done any wardriving will notice that a lot of networks have the SSID "linksys" or "default".

    Take it out of the box, plug it in, and it works. That's the beauty of wifi.

    I'm sure we'll see a move by manufacturers towards secure-by-default (as secure as possible, that is) as we've seen Microsoft trying to do with IIS in Win2003.

    That said, there is certainly a place for unencrypted open networks.
  • by MyDixieWrecked (548719) * on Saturday July 05, 2003 @10:24AM (#6372375) Homepage Journal
    I went wardriving the other day through a rich neighborhood in NJ. Good ol kismac, my Ti, and the stock Airport card/ antennas. After a 10 minute drive, we discovered nearly 20 open networks. A mere 5 of them using WEP.

    I was surprised that I was able to pick these up from the street. Also surprising were the names of some of the networks, I mean kittyNET, c'mon!

    Also, it's amazing how many people have linksys.

    USE WEP, PEOPLE! Or at least configure your router to only accept your computers' MAC address! jeez.

    There's lots of reasons to close your network to the outside. The main one being that you don't want to give people access to your LAN. Most people don't password their computers from other machines on the LAN, since they figure it's secure, but it's not. Also, I tried the default linksys password ("admin") on a couple of the networks, and would have been able to change router settings. Imagine setting up a dreamcast w/ wifi outside of someone's house on their external power outlets and serving warez off their connection. sheesh.

    these routers should come with little pamphlets about wireless security.


  • Coincidence! I am currently mooching some guy's 802.11b net here in SF. Thanks for the 11mbit 80% signal quality link! My friends had been offering the telephone which I connect @~50kbits, I think I will stay on here instead.

  • yeah, but ... (Score:2, Insightful)

    by BigBadDude (683684)
    ... did they mention that some access points go down to modem speed if WEP is on? The on board CPUs simply can't keep up doing WEP/64.

    I think you should forget about WEP and use IPSec and VPNs instead
  • Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day.

    I am not familiar with the tool they used. It doesn't say how many different kinds of encrypted connections they looked for (since there are a wide variety from https to ssh that are easily applied to email, not to mention products that support content-based rather than connection-based encryption and more). Does their claim to have counted all encrypted tunnels really mean they are om

  • by cenobita (615440) on Saturday July 05, 2003 @10:48AM (#6372455)
    I don't see this as too surprising..most people think that by installing ZoneAlarm and buying a Linksys router, they're immune to any form of attack or subversion. This extends to both wireless and traditional setups.

    As I see it, there are two very fundamental reasons for this: lack of awareness and lack of comprehension. The average day-to-day user doesn't even know what a firewall is..what are the chances that they'll have a clue about encryption? I mean, c'mon..we're living in a world of users who largely think that SSL means that they're safe as can be, that security is something you purchase, and the only difference between wireless and a traditional connection is a lack of cables.

    Awhile back, I was going on a pretty big BSD advocacy kick..y'know what finally made me give it up and shut my mouth? One girl had a bunch of questions, so I tried to answer them as best I can. I also wanted to make sure that I made clear the differences between Windows and BSD, as most MS users aren't accustomed to the file system, configuration, etc. So, naturally, I bring up firewalls, and how you essentially write your own rules for it by hand (in this particular instance, I was covering ipfw).

    Rather than take my advice, she immediately became defensive, ranting off about how she's not some AOL kid, and how she already has ZoneAlarm, so she won't need to worry about a firewall on BSD. I could go on and on with stories like this.

    I realize that this isn't just about wireless, but I don't think the issue is that limited in scope. Computer security is taboo to a lot of people, and unfortunately, it's a problem that needs to be addressed...or taken advantage of by those with a greater sense of what the fuck is up.
  • Security vendor AirDefense set up two of its commercial 'AirDefense Guard' sensors

    I guess they're terrorists. Guards, seize them!

  • WiFi Worm Challenge? (Score:3, Interesting)

    by AndroidCat (229562) on Saturday July 05, 2003 @11:03AM (#6372508) Homepage
    I wonder how long it will be before someone rewrites a worm that checks for an 802.11 card and if so also uses a sniff/infect mode?

    Someone could cause chaos by strolling through a downtown with an infected system.

  • by Jon Abbott (723) on Saturday July 05, 2003 @11:43AM (#6372628) Homepage
    Here's a simple guide to setting up WEP on your WAP:

    1. Visit this [random.org] page -- it will generate 13 random hexadecimal digits that you will use for a 128-bit key.

    2. Copy the resulting digits into a text editor and strip out all of the whitespace between the characters.

    3. Log into your WAP router and go to the Wireless configuration settings. Select the "128-bit encryption" option, and enter the generated key into the WEP key field.

    4. The last step is OS-dependent... In OS X, you would log on to the WAP as usual, except that now it will ask for a password. Select the dropdown box labeled "password" and change it to "128-bit Hex", then enter in the generated key. I believe OS 9 users will need to enter a "$" before their hex key for it to work properly. It won't let you paste the key in, so you will need to type it carefully. I don't run my Linux box via WAP, so I'm not exactly sure how Linux users would do this -- feel free to reply to this post and add other OS instructions...
  • by seismic (91160) on Saturday July 05, 2003 @11:45AM (#6372640)
    The average non-technical user is happy enough just getting things working.

    Home users want to take their notebooks anywhere in the house and be able to surf. Business travel through airports (interoperability) may not even be their priority.

    Why should they be concerned about mac addresses or hex keys? Firmware upgrades to make things more compatible?

    Let's make it easy for them. Vendors should sell wireless home networking kits that have all the encryption turned on in advance by default, with drivers that assume this also by prompting for the prepackaged keys at install time.

    Joe user could buy a box containing an access point with two pcmcia wireless nics. By default those two nics will be the only ones that can access the access point. The shiny box that says "easy install" will be what clinches the purchase.

    Of course an advanced user could still change the defaults to suit their needs.. but that requires effort.

    Joe User will always assume the defaults are good enough for him, and they should be.
  • Doesn't bother me. (Score:5, Insightful)

    by man_ls (248470) on Saturday July 05, 2003 @12:01PM (#6372689)
    It doesn't bother me if my wireless traffic is sniffed...anything important I'm doing over a wireless connection (Secure HTTP for online purchases, SSH for shell access, etc.) is already encrypted at a higher level than WEP works at. There's no need to encrypt the entire network, if you don't care about someone reading your e-mail.

    Even if you do care, IPSec is probably a better choice than WEP is.
