Date:      Fri, 10 Aug 2001 10:41:16 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Greg Lehey <grog@FreeBSD.org>
Cc:        Warner Losh <imp@harmony.village.org>, Brooks Davis <brooks@one-eyed-alien.net>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/wicontrol wicontrol.8
Message-ID:  <Pine.NEB.3.96L.1010810104012.19412N-100000@fledge.watson.org>
In-Reply-To: <20010810150758.E37968@wantadilla.lemis.com>

My understanding is that researchers in the area have automated tools that
break WEP in short order.  It probably won't take long for those tools to
make it into the hands of 15-year-olds.  And you shouldn't discount the
effectiveness of 15-year-olds in using the tools either: Yahoo! can tell
you all about 15-year-olds, as can anyone who runs a high-visibility site,
IRC server, etc. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Fri, 10 Aug 2001, Greg Lehey wrote:

> On Thursday,  9 August 2001 at 21:55:06 -0600, Warner Losh wrote:
> > In message <20010810131923.I38896@wantadilla.lemis.com> Greg Lehey writes:
> >> Agreed.  WEP can discourage casual crackers.
> >
> > WEP is massively insecure.  It does discourage the extremely lazy,
> > but the industrious will plow through it rather quickly...
> >
> > As a project, we don't encourage people to rely on things that are
> > insecure, hence the warning.  If you know what you are doing, you
> > can ignore the warning, just like with plain old passwords in clear
> > text for telnet.
> 
> OK, think of the way most people see this.  Tell any kid with a
> wireless card that he can drive up outside BigCo and get free wireless
> coverage, and he'll do it.  WEP will discourage 99% of those people.
> For me, that's a good enough reason to use it.
> 
> Another example, I have a subscription to a company called Skynet
> Global, who supply wireless coverage for airport lounges in Australia.
> There's a company called MobileStar in the US who do the same thing.
> 
> Authentication is massively flawed.  You get an IP address with DHCP.
> Then you start a web browser and try to access some random site.  The
> network intercepts your request and pops up a login screen instead.
> You enter name and password, send the form back and authenticate,
> assuming their authentication software isn't broken again.  The whole
> thing works with http.  They don't use WEP.
> 
> There are two obvious things wrong with this scheme:
> 
> 1.  Authentication is with http.  Anybody can sniff the air and get a
>     username and password.  Even if you're using encryption for
>     everything else, you can still have other people running up bills
>     on your account.
> 
> 2.  In Adelaide, the Qantas Club is directly above the arrivals hall.
>     Coverage is good, and I still get a good signal in the arrivals
>     hall.  Anybody knowing (1) can go there and wait for somebody to
>     log in, then steal his password and use the system, without even
>     being in the lounge.  WEP would stop this.
> 
> Greg
> --
> See complete headers for address and phone numbers
> 

