Date: Wed, 13 Aug 2003 09:35:57 -0400 From: Bill Moran <wmoran@potentialtech.com> To: Paul Robinson <paul@iconoplex.co.uk> Cc: chat@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:09.signal Message-ID: <3F3A3EBD.1090905@potentialtech.com> In-Reply-To: <3F3A0581.9010908@iconoplex.co.uk> References: <Pine.NEB.3.96L.1030811133518.66226B-100000@fledge.watson.org> <3F37D493.9050604@potentialtech.com> <44lltyij8s.fsf@be-well.ilk.org> <3F397708.7050803@potentialtech.com> <3F3A0581.9010908@iconoplex.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Paul Robinson wrote: > Bill Moran wrote: > >> And ... as far as I'm concerned, WEP is _completly_ insecure, and totally >> worthless. > > Great, so I send you 10Mb of WEP traffic caught off the air, you can > decrypt it for me? You see, to me it's just a big mess of encrypted > traffic, but you obviously have some secret technique (or should that be > "t3kni|<" ?) for breaking it trivially. If you can't, you've just shown > it has some security advantage. Which it has. Yes, and no. Yes, if you send me 10Mb of WEP traffic I could crack it. And no, it's not a secret. The fact that WEP is cracked has been known for quite some time. I believe it was last spring (but my memory could be off) that a couple of college students actually attempted the exploit to demonstrate whether or not it was really doable. Again, my memory could be off, but I think they showed that it took less than 15 minutes of sniffing to break WEP on average. Their report is quite detailed, including the exact (cheap) hardware that was required to capture the packets. Abuse google if you want the details. The last time I looked the data was still online. And, yes, WEP has _some_ security advantage. About the same amount as locking the screen door on your house has. The terribly easily deterred criminals will give up. You're right, that probably is worth something. > Oh, and I think you meant that you were guessing WEP is completely > UNsecure, and not INsecure. If it was insecure, it would be asking us > all to hug it more often. OK, you caught me at my own game here, Mr English. You're right, I used the word incorrectly. But don't put words in my mouth. WEP _is_ unsecure. There's no guessing about it. *Hugs his WEP* -- Bill Moran Potential Technologies http://www.potentialtech.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F3A3EBD.1090905>