From: Jeff Liebermann on 6 Dec 2008 12:12

On Sat, 06 Dec 2008 12:40:44 +0000, Mark McIntyre <markmcintyre(a)TROUSERSspamcop.net> wrote:

>Jeff Liebermann wrote:
>> Yep. Now, roll back the clock to 1995 (when 802.11 was originally
>> inscribed) and try to remember what personal computing was like at the
>> time. I suspect that nobody could have predicted the current
>> technology and applications. It's now 2008. Could I trouble you to
>> tell me what security protocols, encryption technology, and
>> applications support will be required for the wireless products of
>> 2018? Take your time.

>A fine question Jeff - isn't it interesting how easy it is to complain
>with hindsight?

Sure, I do it all the time. One of my friends is responsible for planning future requirements and budgeting for a university LAN. The problem is that it typically takes 5 or more years to get funding. It's not unusual to buy 5 year old obsolete hardware or technology. The State does not write a blank cheque for equipment purchases. There's some wiggling room, but basically he has to guess what is going to be needed at least 5 years in advance. A few years ago, I saw the request for bids on a 10G fiber LAN for one of the labs. Today, that's science fiction. By the time it's budgeted and approved, it may be commodity hardware.

I've used the Wi-Fi hindsight example sufficiently that I've thought about what wireless would be like in 2018. Visualize the DHS (Dept of Homeland Security) running all communications and where you are required to positively identify yourself before being allowed to use the public airwaves. Meanwhile, spread spectrum bandwidth will be auctioned by the megabyte in real time by the FCC, where user fees have replaced spectrum auctions. SDR (software defined radio) will have taken over, and every user can have their own protocol, optimized for their specific application. More horror stories when I have time.

--
Jeff Liebermann jeffl(a)cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

From: Chrisjoy on 6 Dec 2008 12:15

On 6 Des, 17:47, John Navas <spamfilt...(a)navasgroup.com> wrote:
>
> You're also unlikely to get any more constructive comments.
> As far as I can tell you're beyond help.

The only constructive comment I got to my root posting, I did get from Jeff, telling me RADIUS would allow me to protect guests against sniffing from other guests. An hour later I had a RADIUS server up and running to see how it would look from a client point of view. I checked it out with three different wireless brands, and what I found is that it's too complicated for the average Joe, which is what my guests are. This means RADIUS is completely useless. After this, not a single comment was posted that I could use for anything useful. I did get a lot of useless comments though, which basically were tributes to the excellence of 802.11.

From: John Navas on 6 Dec 2008 13:54

On Sat, 6 Dec 2008 09:15:16 -0800 (PST), Chrisjoy <ultralibertarianer(a)gmail.com> wrote in <d53eb292-34af-48d1-a8b0-c2697be362aa(a)k8g2000yqn.googlegroups.com>:

>On 6 Des, 17:47, John Navas <spamfilt...(a)navasgroup.com> wrote:
>>
>> You're also unlikely to get any more constructive comments.
>> As far as I can tell you're beyond help.
>
>The only constructive comment I got to my root posting, I did get from
>Jeff, telling me RADIUS would allow me to protect guests against
>sniffing from other guests. An hour later I had a RADIUS server up and
>running to see how it would look from a client point of view. I
>checked it out with three different wireless brands, and what I found
>is that it's too complicated for the average Joe, which is what my
>guests are. This means RADIUS is completely useless. After this, not a
>single comment was posted that I could use for anything useful. I did
>get a lot of useless comments though, which basically were tributes to
>the excellence of 802.11.

Nope. You didn't know what you were doing and how to make it work, which is why you got unsatisfactory results. That you think you didn't get useful comments is a matter of your offensive personal style and determined blindness.

--
Best regards,
John Navas
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

From: John Navas on 6 Dec 2008 15:46

On Sat, 6 Dec 2008 12:12:26 -0800 (PST), Chrisjoy <ultralibertarianer(a)gmail.com> wrote in <f5c67ec4-1ea3-45bb-9b95-c222f683377c(a)j32g2000yqn.googlegroups.com>:

>I don't need accounts. I don't want accounts. I only want a different
>key for each session, and this is ONLY motivated by protecting guests,
>that is our customers, from being sniffed at. Are you unable to
>answer me on my terms?

Like your behavior, your "terms" are unreasonable. He's already given you the answers you need, as you'd know if you had any clue.

--
Best regards,
John Navas
FAQ for Wireless Internet: <http://wireless.navas.us>
FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

From: Mark McIntyre on 6 Dec 2008 19:06

Jeff Liebermann wrote:
> On Sat, 6 Dec 2008 05:42:55 -0800 (PST), Chrisjoy
> <ultralibertarianer(a)gmail.com> wrote:
>
>> Logging on to Windows needs users to know this:
>>
>> 1) Knowing the name of your own account.
>> 2) Knowing the spelling of your own account password, and where the
>> keys are on the keyboard.
>
> A fingerprint reader can be used in place of the login and password.
> I've had rather bad luck at getting users to consistently use the
> reader, but it does work. The ones where you swipe the finger over a
> narrow reader window seem to be a problem. The ones where you just
> press your finger onto a larger window, work much better (but cost
> more).

Unless you go high-end these things are horribly insecure. I've toyed with deploying them but having watched the issues that others have had, shied away. Typical problems would seem to be too many false negatives, too easy to sniff, foolable by a variety of creative methods not including severing digits, and not hooked into the OS at a low enough level to properly secure the login.

The way a lot of banks and market data vendors do it nowadays for internal logins is with a chip-n-pin type card and a card reader slot in the keyboard. The next level up is a pin and an RSA SecurID dongle to be used in conjunction with your normal uid and pwd to login to the company vpn.