CNN Notices that WiFi is Insecure 417
josh3736 writes "From CNN comes an article that makes painstakingly obvious to the public what we already knew: 802.11 security is horrible. The article points out that nearly 40% of wireless network APs haven't even been changed from defaults and as many as 80% of home APs have encryption disabled. The article goes on to say that '[t]o make matters worse, users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software.' It also accuses WiFi manufacturers of disabling security measures by default to make wireless easy to the lowest common denominator. My favorite quote? 'Experts say that while Wi-Fi hardware makers have made initial setup easy, the enabling of security is anything but. Meanwhile, average users are no longer tech savvy.' Which is to say that they at one point were?"
Just how do you setup WEP anyway? (Score:5, Insightful)
What's more annoying is that people think the "passphrase" they type into their router a the WiFi key rather than what it usually really is, the random seed from which their router generates the actual keys. They type their passphrase into their other devices when they're supposed to type a key value, and then they wonder why it doesn't work anymore when it was working just fine before they tried this security stuff.
I've had friends who I thought were tech savvy get tripped up over this stuff. I blame the router-makers for not providing software that makes this a whole lot more of a user-friendly experience. We as the IT industry are badly failing at this... and having a lot of open WiFi points will just make our other headaches such as spam and viruses worse in the end. This really needs to be addressed for the good of the Internet.
Re:Just how do you setup WEP anyway? (Score:5, Insightful)
I own a linksys 802.11b router and it came with an 802.11b PCMCIA card. I had no problems getting WEP to work on either the router or my laptop. Linksys did a great job making the process easy with the router's web-based config and the configuration tool software that is provided in the package for the card. I came up with a passphrase and I could easily apply it across the board.
However, when I bought a new laptop with 802.11g wireless built-in (not from Linksys) I started having all sorts of problems trying to get the new laptop connected. I have to use the default Windows XP configuration tool (which sucks, IMO) and even when I do get connected with WEP enabled, the speed is horrible. And I'm of much higher technical aptitude than those mentioned in the article.
My point? I think the ease of configuring wireless depends totally on the manufacturer, and whether or not you have all your products from the same manufacturer. And none of them do a very good job of telling the consumer how to protect themselves.
Re:Just how do you setup WEP anyway? (Score:4, Interesting)
I've often thought Microsoft should rename their "Wireless Zero Configuration" utility to "Wireless Zero Connectivity."
Because that's what you end up with: an intermitent link that you can't troubleshoot because you just can't get enough information out of it. To make matters worse, when you have this "service" enabled, it makes multiplayer gaming impossible. It actually disconnects from and reconnects to the AP every minute or two, with predictable results (stutter, even disconnection from the server.) To make things even more fun, it prevents third party configuration tools from working (like linksys' for example, though I believe Intel's will work properly.) There aren't even any usable workarounds.
Linux may not support nearly as many devices as Windows does, but at least YOU can decide who's tools you want to use to control them!
Re:Just how do you setup WEP anyway? (Score:5, Informative)
You may want to check your hardware. Mine (on 4 different machines, home and work) does not act like this.
"To make things even more fun, it prevents third party configuration tools from working (like linksys' for example, though I believe Intel's will work properly.) There aren't even any usable workarounds."
You can simply uncheck 'Use Windows to configure my Wireless Settings', and third party tools work perfectly fine. As a matter of fact, Im typing this on an 802.11g network, on WinXP, using a Netgear with the Netgear utility, and not XP configuring my settings.
I get the feeling you either have bad hardware, or don't know what you are doing.
Re:Just how do you setup WEP anyway? (Score:4, Insightful)
Most likely it's that they don't know what they're doing..the people who frequent this site are mostly IT guys who'd rather complain that it's "all Microsoft's fault" rather than find a solution to the problem. I've got three wireless machines, with three different wireless cards and not a one of them has these kinds of problems.
Re:Just how do you setup WEP anyway? (Score:3, Insightful)
It's quite annoying since I ditched WEP in favor of just running a VPN to the rest of my network to get some real wireless security. The wireless network itself has all of the 'security' features enabled, but once you associat
Re:Just how do you setup WEP anyway? (Score:5, Interesting)
I have a carboard box full of old NICs that I acquired cheaply, thinking at the time that I would be able to save a buck. What I saved in money, I lost in time trying to get all the disparate cards to work on various machine architectures and operating systems. I finally broke down and bought all Linksys - at the time a basic 10/100 ethernet NIC was only $10 (now they are $25...must have caught them on sale at the time...) I plugged them in my Linux and Windows machines - and they just worked, right out of the box.
Re:Just how do you setup WEP anyway? (Score:3, Insightful)
I'm a linksys house too : except that turing WEP on with my Linksys router breaks Apple's rendevous. (No printer sharing, remote volume mounting, etc) Until Linksys starts making Macs, I can never standardize my whole network.
Either Apple or Linksys are playng merry buggers with the WEP standard, (of course rendevous works fine with WEP enabled on an Apple Airport AP): the point is that the user shouldn't have to standardize on Linksys or Apple any single
Re:Just how do you setup WEP anyway? (Score:4, Informative)
Ananova had a blurb about this, I don't have time to look for the link.
Turn off SSID not useful (Score:3, Interesting)
Re:A trailer? (Score:4, Funny)
I was referring to the type of neighborhood with the trailer park comment. It's all really old, cheaply built houses with beat up cars in the driveways/yards, and in the summer, when it gets nice and warm at night, the drunks down the street take their domestic disputes for a walk.
No real worries about crime though. Our landlords kids and their friends would sit in their old storage garage every night smoking weed, so we'd have anywhere from 3 to 7 kids keeping an eye out till 2 or 3 in the morning
Re:Just how do you setup WEP anyway? (Score:2)
Re:Just how do you setup WEP anyway? (Score:5, Insightful)
So what? It's not like WEP provides security. It's a fundamentally broken protocol [berkeley.edu].
CNN is engaging in dangerous misreporting. They spun it so that insecurity is the AP vendors' fault by making WEP difficult to activate. This will lead viewers to believe that once they manage to enable WEP, they're safe. And that's just absolutely wrong. You'd be safer with no WEP and higher-level encryption (although running secure application protocols is even further outside the imagination of typical consumers).
Comment removed (Score:5, Insightful)
Have you ever tried? (Score:5, Funny)
I really do not know the details of attacking WEP, so maybe there are fast cracking approaches. Writing as someone who uses WEP and casually tried to break WEP, WEP provides a high barrier to network infiltration. A stranger would have to make a lengthy effort to do it.
Re:Just how do you setup WEP anyway? (Score:4, Insightful)
As for war drivers sniffing passwords and stuff out of the air, all you would have to do is make an effort to use secure methods of transport, like SSL,TLS, etc, which is way stronger and harder to crack. we forget that plain text passwords, etc. are just as harmful on a wired network then on wireless network. Would you submit your CC information to a company, on a WIRED network, that sent your information with out encrypting it via SSL? Of course not! Same as with Wireless networks.
Re:Just how do you setup WEP anyway? (Score:5, Informative)
The key in protecting something is to make the time needed to get in as long as possible.
Without wep most cards will join a network within seconds, with wep you are already save for most wardrivers (they are usually not warparkers).
MAC filtering as you mentioned is an even bigger security hole than wep. Look up the 'hwaddr' option in the ifconfig man page.
The combination of no beacons, mac filtering and wep will make your network such a hard target that it will take a considerable effort for someone to use it.
Jeroen
Re:Just how do you setup WEP anyway? (Score:5, Interesting)
Being a lazy fellow... (Score:5, Funny)
Sigh... OK, fun time's over, no more sharing, hook up USB cable, generate hex key, etc. Kind of depressing.
Re:Being a lazy fellow... (Score:4, Insightful)
Re:Being a lazy fellow... (Score:5, Interesting)
I did it in testing... (Score:5, Interesting)
The fast crack using weak frames worked then. It doesn't work much now, if the boxes are using newer hardware.
The slow crack where you get enough packets to figure out the key worked then and now, but in order to actually do it back then I had to set up some continous traffic to get enough packets to make it work. We're talking millions of packets here, and it just takes forever to see enough to do it, with 112/128 bit WEP.
Can they get in? Sure.
Will they get in? They're going to have to really want in pretty badly or live nearby and be bored enough to capture for a long period of time. And if they just want free network access, they'll find the easier target like the unsecured one down the street. Or pay the 3 bucks at the nearest hotspot for the hours worth of access.
WEP is not secure, but in 99% of cases, it's secure *enough*.
The problem is (Score:3, Informative)
That within the 1% of cases where it isn't secure enough, the results can be scary. The issue being, you don't know what your WiFi is being jacked for. Sure, it could just be the script kiddy logging in as "god" to play a joke... it could also be a spammer. Or it could could be somebody pulling a credit-card scam. Or it could be somebody that guy that was caught driving around leeching of local WiFi's with his laptop to download kiddie pr0n.
P
Re:Being a lazy fellow... (Score:3, Insightful)
WEP is more than enough in most cases... (Score:3, Informative)
Now, if you're just trying to keep out the neighbors from accidently connecting to your network, MAC filtering is fine. But it should not be considered a real security measure by any means.
I also see a lot of people thinking that turning off the SSID broadcast actually does something useful. It doesn't, really. The
Re:WEP is more than enough in most cases... (Score:3, Informative)
Yes, and then again, no.
First off, security in any wireless communication is done using encryption. And any encryption can be broken if you're willing to devote the necessary resources to doing so. In that sense, there's no security insofar as it can always be broken.
But like everything else in the world, there's levels of security.. The goal is not to make it unbreakable, the goal is to set the bar high enough to keep
Re:Being a lazy fellow... (Score:5, Funny)
It's me, God.
Stop Touching yourself Kent...
Re: (Score:2)
Re:Being a lazy fellow... (Score:3, Informative)
Nothing is 100% secure, a determined attacker is going to get in eventually. Just don't make yourself an easy target.
Despite my best efforts to teach him otherwise, my next door neighbour still allows the entire world to get onto his wireless network and do whatever they please. Which makes my netwo
Re:Why should I care about wireless security at ho (Score:4, Insightful)
One Word: Spammer.
You really want someone from the street to use your open net connection to send 10 gig of spam? It's your bandwith, not mine...
Of course, if you live on the 14th floor, then it's a VERY slim possibility, so you're mostly OK...
Sure... (Score:3, Insightful)
Of course they were. Around the time of the Apple I. Since then, the average cluefulness of computer users around the world has been plummeting because computers have been getting easier to use and the bar to entry has been lowered, with humorous results such as people using clueless people's WAPs.
Re:Sure... (Score:4, Interesting)
It would be nice if Homeland Security could take a break from trying to find terrrorists by which shoelaces they buy to enforce technological security mandates. Unsecured WiFi networks all over the country are very useful to criminals and terrorists.
Re:Sure... (Score:5, Insightful)
Look, the Internet is not a secured network - not just WiFi but in general. Let's keep it that way.
I'm glad it doesn't take a license to make a telephone call or use the Internet, even though somewhere, some terrorist is making phone calls. Trying to turn the Internet into some little closed system would be cutting off your nose to spite your face.
As for WiFi security, it's funny how we're still getting this endless deluge of "OH NO! WIFI IS INSECURE!!!" alarmists. The reason people don't care is because it doesn't matter very much. There just aren't many good horror stories about somebody's life getting ruined because their wireless network was compromised.
Re:Sure... (Score:5, Insightful)
The problem is that those "idiots" are paying your salary. In fact, if the industry remained an exclusive club where only the High Priests of The Sun (or IBM) have access to the Sacred Computer Room, your employer likely wouldn't even be in business. We'd still not need much more than whatever proprietary peripherals are officially blessed by the computer's manufacturer.
The growth of the whole computer industry was done precisely by promising ease of use to idiots. The fact that you can sell hundreds of thousands of cards, and not just hundreds, is precisely _because_ you're selling stuff to those idiots. Under the explicit promise that it'll be secure enough and easy to use.
And I'd like to see the people in this industry actually keeping their promises for a change. Because what everyone, including your employer, is doing is _fraud_. They're making some very explicit promises to get those people's money, but have no intention of respecting those promises.
You know what's the only difference between the computer industry nowadays and the snake oil peddlers of the old days? The snake oil charlatans knew that they're frauds. They didn't feel a need to call their victims "idiots" and other insulting names. That's all.
In a sense, the snake oil con artists were actually more honest. And a lot less snotty.
Just something to keep in mind the next time you feel a need to insult the user for your product's shortcomings.
average users (Score:4, Funny)
That point in time was somewhere around 1985, and possibly on upwards to the early to mid 1990's. Not so, since Windows became synonymous with PC, and the Internet began to define personal computing.
Absolutely (Score:5, Insightful)
Once the 'puter became a household appliance instead of a hacker's toy, that's when things started to go downhill.
It gets worse (Score:5, Interesting)
Personally, I would love to see some more options when it comes to turning WEP on. Since my laptop connects in both a wired and wireless manner to my network, it would be great is some software generated a new WEP key to use each time I went wired. I see no reason that the end user would need to be involved, any weakess on the part of the pseudo-random generation of a new WEP key would be less insecure than having the same one for months on end.
Re:It gets worse (Score:3, Informative)
I do a lot of side work for friends, family and other strangers who beg me for help when they find out that I have The Knack [unimelb.edu.au].
In the end, I leave all security off by default because they will inevitably:
1) get a new PC
2) play with the settings on the PC
3) require a "hard reset" on the router
If Microsoft and the hardware vendors could make this stuff easier, it wouldn't be so much of a problem. I suggest the following:
The router redirects unsecured wireless users to a webpage that requires log-on
Re:It gets worse (Score:3, Interesting)
OK - stick a setting in the router to turn the feature off. The bottom line is that security could be on BY DEFAULT if it were easy enough while more technical people could get into the nitty-gritty and customize whatever they require. Use your head here.
Why They Aren't Secure (Score:4, Insightful)
Why _I_ don't secure them (Score:3, Interesting)
Contrary to popular belief, WEP is quite useful. Unless you have a script, you probably won't break the key. Getting and using the script is a malicious act... And there are so many other EASIER targets.
For businesses, I enable WEP by default. (Actually, I recommend that they stick to wired
They were. (Score:3, Informative)
When WiFi was just getting started only tech savvy users used it, meaning that the average WiFi user was tech savvy. Now, everyone and their mother (or at least my mother) is using WiFi, and the tech ability of the average user has gone down.
WiFi = free access points (Score:3, Interesting)
Most residential and a lot of commercial areas give me free access to the internet - they may or may not know it, I don't really care.
I don't check my email or browse until I vpn into my home network. Just in case someone is sniffing packets - lets not make it that easy.
And the reason that Linksys and the rest of them don't enable it by default - tech support costs.
New malware vector? (Score:5, Interesting)
I wonder if this would be a new, easy way for people to start a new worm/virus infection. Wardrive down the street, map a few hundred potential victims, and come back later and put the bugger in the "Startup" menu on Windows PCs. Ack.
And next on CNN... (Score:2, Offtopic)
Claims that fire is hot,
Reports of wet water, and later, Is it dark at Night?
Jeez - talk about stating the obvious.
Hell, it gets better. (Score:4, Insightful)
Admittedly, it's nice to have open connections, but if people don't bother to secure them... well, people could do nasty things to the routers and screw with the connections.
A follow up article... (Score:5, Insightful)
Re:A follow up article... (Score:4, Insightful)
Innocence is just a matter of pretending you don't know how to use your machine.
Funny how gun owners or accident prone drivers don't get to use the same defense.
Bottom Line (Score:4, Insightful)
WiFi with security is a configuration nightmare.
So people keep things "just working". When this becomes a problem, we'll see things change. That's how it actually works in security -- be the problem dozens of open daemons on Unix hosts, canary-less stacks in executable code, or a lack of significant checking for airline contraband, the problem is not addressed until it's exploited. When people start getting hacked through their open wireless, we'll see open wireless shut down. For the moment, they'll worry about real problems, like worms and spyware (aka corporate virii).
Ironically enough, it was bluetooth's security model that made it such a nightmare to work with -- the whole pairing process increased the setup load by several orders of magnitude. They're finally going to fix this with Near Field, but it'll take a while for them to get it out (have they even admitted it's for secure key exchange yet?).
Note, I've never said this is how things should be. Ought is not is.
--Dan
Re:yabut (Score:3, Insightful)
A medium-large corporation with a 20 person IT/support staff and lots of PHBs has the time and expertise to implement security policies (even broken ones like WEP are better than nada), but the home user doesn't. What would be incompetent if done by the IT department at Megacorp (tm) is simply "normal" for home users.
If you implement WEP (or whatever) you have a pile of administrative and technical overhead that simply IS N
three levels of security (Score:2)
1) Never broadcast SSID
2) Use a 64 bit encryption
3) and use MAC filters
Most of the routers have a web-based interface for setting these things up.
I'll believe it. (Score:5, Funny)
I really wish I knew which of my neighbors owns it.
-JDF
Oh, and it gets better.... (Score:4, Interesting)
This just frightens me.
I'm just imaging the sheeple who will order DSL, get this wireless router, follow the nice glossy fold out instructions and set the thing up, with no understanding of wireless security whatsoever.
Wide open in NYC (Score:5, Interesting)
He said, "As long as I live in this city, I'll never pay for Internet again." We'll see if that remains true when consumers with wireless routers wise up and turn on some of the security features.
Non-encrypted by choice (Score:5, Interesting)
network without sophisticated configuration on their side (and of course, without telling them my WEP password).
My home network is connected via Linux firewall, so I can cut the access or install traffic shaping when the problem occurs.
Re:Non-encrypted by choice (Score:2)
and of course, without telling them my WEP password
I thought you just said you don't have WEP on.
Re:Non-encrypted by choice (Score:3, Interesting)
Re:Non-encrypted by choice (Score:3, Interesting)
WEP is so broken that I don't see the need for it. If you happen to be within 30 feet of my house, which is on the end of a cul-de-sac filled with retired people who call me whenever a "strange" car is parked in front (just in case I'm being robbed), and manage to get a link, then you can:
My WAP plug
Legit question. (Score:2, Interesting)
Average users WERE tech savy.... (Score:3, Informative)
But in order to sell more computers the hardware and software manufactureres have perpetuated the myth that "computers are easy." The truth: operating computers is very easy, but maintaining them is still very difficult. Now the average user is not tech savy, but they have a machine that only tech savy people can maintain.
TW
They noticed WiFi is insecure? (Score:3, Funny)
average users (Score:2, Insightful)
perhaps the article means the average users of wifi are no longer tech savy, i.e. it has become mainstream. not that average users of technology are no longer tech savy....
just my 2c
Linksys needs to take a lot of the blame (Score:2, Interesting)
What a step down in usability!!!!
Both products have a web site that you can go to to make changes. Neither has the address printed prominently on the outside of the unit along with the default user and pass, the first step in making it easy.
I always found the netgear configuration easy, intuitive, and with tons of help. On the other hand the linksys configuration is horrible.
once upon a time (Score:4, Interesting)
Back before computers put a pretty appearance on everything with Windows XP wizards, or even 98, you had to know DOS to get anything done on a computer system, you had to know keyboard commands, and a basic idea of what the ports on your PC did.
The "average user" was more tech-savvy because there were fewer uses back then, since the learning curve was higher.
Now, with everything plug-and-play, it's much easier to not understand what's really going on inside the magical blue-and-black or grey box with a pair of antenna sticking up from the sides of it.
On my system, I use a Belkin 54G access point. SSID belkin54g. No crypto, no authentication, no MAC filtering. But, you're not going to get anywhere off the wireless segment if you connect to it. The firewall behind the WAP is configured to drop all traffic except the encrypted PPTP tunnels which the wireless clients actually use to connect to the wired infrastructure and the external router. Thus, anyone is welcome to try and get onto my network, but without having a valid account on the 2K3 Enterprise Server box playing router/connection master, and knowing the encryption keys, they're going to get precicely nowhere.
The Fairy Tale of the Mythical "Expert" (Score:3, Interesting)
Now you can try to spin this such that people back then were safer because they were more "savy" with their cars but I call BS. Cars now are far safer than they were back then. Its all due to the engineering placed in the car. Not only are they more complex placing them out of the co
Turn on Encryption...Seriously (Score:2)
Worst part was finding all these insecure networks popping up all across my apartment community with names such as "default", "linksys", "Diablo", "Sourabh and Sonali", "choke-the-chicken", "mamasboy", "ilovematures". If these idiots can be half as creative in setting up encryption, it would be worth it. But then again, I dont want them
Liability Issues (Score:4, Insightful)
It's a liability issues, and it doesn't seem like a big deal until one day you have to find a way to prove to the Feds and your ISP that it wasn't you sending kiddie porn to some offshore server in Eastern Europe. If your name is on the bill for that connection, I'm sure you signed a contract somewhere that states you are responsible for not allowing illegal activity on your connection.
Growing Pains (Score:2, Interesting)
I'm guilty of it myself. I set up a wireless access point for my mom a couple years ago. Changed the SSID name, changed the default pw on the router and let her have at it. No problem.
Of course, as the next year rolled on, more and more wi-fi users were born. Wireless starts becoming standard with new laptops. Almost once a week someone calls in on TechTV and asks about
Well, what the hell do you expect? (Score:3, Funny)
Of course. (Score:3, Interesting)
What's the drawback? Anyone in your neighborhood has access to your local network. But it's unlikely that someone who wanted to h4x0r you would drive up your street and sit in front of your house. It is of course possible, and depends on your neighborhood. If you're the type who locks the house even when you're at home, then definitely get a security protocol. If, like me, you leave the garage door open and doors unlocked, then securing your Wi-Fi isn't something I would worry about.
So this is no surprise, but neither (in my opinion) is it a big deal.
Thank goodness for the clueless folks... (Score:3, Interesting)
I've seen the same thing lots of other places including a friend's apartment in Minneapolis where I found 3 wireless access points, only one of which was encrypted and at my own single family house, I get two open wireless connections besides my own encrypted one.
I have to agree that setting up the secured connection are not obvious, especially when you have one manufacturer's access point and another manufacturer's wireless product in your laptop. It took me a little head scratching and trial and error before I got mine working.
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
WiFi not for mainstream? (Score:5, Interesting)
Re:WiFi not for mainstream? (Score:5, Insightful)
That is so very true. The average person (not just computer user, I'm talking average PERSON) is horrified at the thought of having to read a manual in order to understand how to use a gadget. When I'm working in someone's house, I am often asked silly questions like how to hook up a stereo or how to set the time on a desk clock, or how to get picture-in-picture on their snazzy new HDTV. I like to suggest that they check the manual that came with their device, because it will certainly be in there, and then watch the look of horror on their face as they realize they have to learn something now. It's really quite amusing.
And if they're a computer user, they're no different. They can have a nice big fold-out diagram of their new HP PC with color-coded connectors and nice pretty pictures and they still don't want to read that, they want a person who already knows how, to set it up for them. The average person wants to do the least amount of work to be able to use their tools, that's the bottom line.
I agree (Score:2)
2Wire encrypted out of the box... (Score:2)
It was encrypted out of the box with a default password which was linked to the serial number on the unit!
She did not like the long string of numbers though and we tried to change the WEP to something else, but were told it could only be a set of 10 numbers. (well, maybe it can be changed, but I didn't spend much time mucking with it...)
So, on one hand- hurrah that it was encrypted out of the box!
on the other hand, she had
Reminds me of the Club for cars... (Score:4, Insightful)
I live in an apartment complex, and I was stunned to see not only how many people had wireless, but how many ran w/o WEP and w/o changing defaults-last count in my largish apartment complex, better than 20 visible from street level (i.e. not right under their bedroom windows) and a good 40-50% of those completely unprotected. I use WEP and I changed the defaults but I'm under no illusions that this makes me safe. What I think helps, though, is that in my case there are at least 4 other WiFi users in my apartment building alone that are wide open. So as long as there are easier targets, I think WEP's done its job as well.
You think that's bad? (Score:5, Informative)
If cheap-o consumer routers getting 0wned thanks to pathetic Wi-Fi security seems bad, consider this: at least one vendor of e-voting systems depends on WEP as the only security measure [jasonlefkowitz.net] between their voting machines and the ballot-counting system.
Yes, that's right -- ballots are passed wirelessly, and only protected via standard 802.11 WEP. How long until someone tries to 0wn a polling place? Or, worse, just sniffs the ballots out of the air and dumps them to a log file (so much for the secret ballot), say?
I wrote the article linked to above when the systems were being evaluated in Fairfax County, Virginia -- a wealthy and populous suburb of Washington, DC -- but they've since been approved by the county board of elections and used in two elections to date. Who knows how many other local governments have bought into similar systems?
Re:You think that's bad? (Score:3, Interesting)
Then we can see how secure this voting stuff really is.
Who cares about wireless encryption? (Score:3, Informative)
If you trust every router between you and your destination with a plaintext password, you are crazy. The IETF is moving towards encryption for everything, and people are following. Most universities now don't allow passwords to ever be sent plaintext over the wire.
Quit blaming wireless, the same security issues exist with wired connections.
I'm posting from my neighbor's WiFi :) (Score:5, Funny)
Oh... My... God... Really?!?! (Score:5, Funny)
Damn hippies.
I leave mine open on purpose (Score:3, Insightful)
So far, no problems, and people have thanked me heartily for giving them internet access in a pinch.
Given this setup, what risks do I run? The only one I can think of is that someone has a bunch of kiddie porn torrents just waiting to start up in a server in a van somewhere. Does that really happen? If Osama Bin Laden walks down my street (he'd probably strut, actually), and uses my "free" WiFi to send threatening emails to major governments, do I go to Guantanamo Bay?
How is this different from NYC offering free WiFi access in Bryant Park?
Clueless (Score:3, Funny)
They had ordered their machine with a wireless card and thought that was all they needed. They were obviously piggy-backing onto a neighbor's wireless LAN but when my brother tried to explain that to them, they accused him of lying to them.
Yes, no longer tech savvy (Score:3, Interesting)
> Which is to say that they at one point were?
I knew DOS, Windows 3.1 and Windows 95 inside and out. As the OS interface and glitches have lessened (yeah yeah, no really, there simply are fewer conflicts in recent versions of Windows), my need to understand how the OS functions has diminished. I'm just another dumb Windows user now. When I need to futz with my wireless router, I grab the manual to remember how the damn thing works.
In the end, I prefer it this way. Life is easier when technology just works and I don't need to understand why. Geeks aside, that's how most people want to live their lives.
No longer technically savy (Score:3, Interesting)
It's not that the overall level of savy has decreased, it's that the definition of "average user" has spread to the technopeasant masses.
So open or not? (Score:3, Insightful)
I'm sort of one of these people that dreams of the day when we have a huge community mesh and people can tell their cell phone carriers to piss off.... but I don't want to leave my access point open if some bonehead is going to hack my box.
Anyway, I've never seen anybody tell me the difference between 1) plugging your machine into your cable modem directly and walling up your machine by shutting ports down, etc. and 2) having a wireless access point. Is having a machine on an insecure access point any more dangerous than having a machine hooked up to the open internet on a cable modem or some such?
I mean, the wired internet really is one big network after all, and there are risks associated with being on it. If you're not behind a firewall, wired or wireless, what's the difference?
historical perspective (Score:5, Insightful)
Which is to say that they at one point were?
The average computer user in 1970 could probably figure out how to turn on WEP, were he/she transported to the present day. This is the same thing that happened with automobiles. In the early days, automobile owners had to be adept at mechanical repairs. If you read "The Grapes of Wrath" , at one point one of the characters is honing the valve seats on his truck in a campground. That was the 30's. By 1960 you'd be hard pressed to find a car owner that could do a valve job on his car. Computers have become a commodity item, just as cars did.
why should I care if my wifi is free for all? (Score:3, Insightful)
Totally useless statistics... (Score:3, Insightful)
So? I don't have WEP enabled. WEP is not the be-all and end-all. WEP is crap, and introduces horrible cross-platform issues. Not to mention that vendors can't agree on how to specify it - 40 bit vs 56-bit vs 64-bit vs 128-bit - (hint: some of those refer to the same thing).
I have MAC address restriction enabled on my AP. And it works pretty well. Additionally, unknown clients to my DHCP server do not get an address from it. And there's only a /28 routed on the interface my AP is on.
So yes, it's unsafe in that someone can park outside my house, wait until I log on, sniff my MAC address, set his MAC address to that, and get bandwidth. Except that one of my devices will notice, since duplicate MAC addresses on the same segment can cause problems. Not to mention the reception outside my house is crap, so he'd have to park directly in front of my house, and if I notice the traffic indicators on my switch start going nuts, and look outside and see some nerd with a Pringles can, I can go kick his ass.
And the article is short on details. "40% had the defaults configured". What defaults? Passwords? If so, boo CNN for connecting to other people's APs without permission ("The door was unlocked" is not a valid reason for being in someone's house, no matter how stupid you think the homeowner is). If it's SSIDs, that's totally useless. My network name is "default", because I was feeling uninspired when I got my AP. Doesn't mean it's not secure. A friend of mine still has "linksys" for the same reason, yet he has WEP enabled.
Home AP's often don't need encryption (Score:3, Interesting)
His answer: "unless some guy decides to enter my property and sit on my front porch with his laptop, my weak signal is all the security I need". He claims he's tested it with several laptops and the signal is too weak to be used beyond 10 feet away from his house.
Joe Sixpack is to blame... (Score:4, Insightful)
Nothing wrong with Joe Sixpack, per se, he's a good guy but he doesn't know the first thing about his car, except where to put the gas, and he doesn't know the first thing about his computer, except how to surf the net. And the scary part is that he doesn't *want* to know anything more.
When things go wrong, he hasn't the first clue of what to do, with the car or the comptuer. All he knows is that he wanted to surf the net at high speed from his Lay-Z-Boy. Ever since he and his cronies got on board, the technological per capita IQ on the internet plummeted.
There has been a long standing computer security axiom that states: "There is no such thing as absolute anonymity, in real life, or on the web."
Well, now there's a caveat to that axiom that I have coined, that states: "Unless you use someone else's unsecured wireless network."
Joe Sixpack is not only providing the foothold that spammers need to purvey their ilk, but also the perfect foundation from which criminals can perpetrate fraud and theft.
Is this a bad thing (Score:5, Interesting)
Why do I leave my access point open then? Because on average I only use maybe 3% of my bandwidth and I don't see any reason that one of my neighbors shouldn't be allowed to use some of it when I don't need it. When I first moved in and didn't have my own broadband yet I was very happy one of my neighbors left his router unsecured.
I'm actually quite suprised that more people on
Clarify (Score:3, Informative)
I think what they're saying is that popularity has grown to the point that the average users of 802.11 are no longer geeks, as Mom and Pop are using it now as well.
It was just badly worded.
Wireless isn't worth it (Score:3, Interesting)
What pisses me off is that I'm not so stupid as to use wireless, but the integrity of my own personal information is often compromised because of stupid people who may have access to my information and aren't responsible with technology.
Re:Don't care (Score:3, Interesting)
Re:Don't care (Score:3, Insightful)
Most of these are not encrypted, and ask for the password in plaintext - are you happy to have this information public?
It may not sound important (due to the stupidly high number of websites which need membership to see some lame front page), but if you ever reuse a password [like I do - and most others do, come on... admit it], you could be cracked quite easily.
Re:Don't care (Score:3, Interesting)
But most Wireless chipsets have WEP in the hardware (or atleast in firmware) and don't give a performance loss at all.
Jeroen
Re:In other news... (Score:3, Funny)
Re:well, yeah (Score:3, Funny)
Qwest is now doing the same (Score:3, Informative)
I went with option (1), and it's a nifty little device (it runs Linux BTW). But its default wireless setup is wide open. It can be configured to cloak the SSID, restrict MAC addresses, and use WEP encryption, but a user who can't figure out how