[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] WEEPING FOR WEP
- To: Troy Cregger <tcregger@xxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] WEEPING FOR WEP
- From: george_ou@xxxxxxxxxxxxxxxx
- Date: Fri, 06 Apr 2007 12:56:36 -0700
<div>
But WPA-PSK mode is even easier to use than WEP. Why would you use
WEP. Distance isn't really a problem with a pringle can antenna.</div>
<div> </div>
<div><BR>George<BR></div>
<div name="wmMessageComp"><BR><BR>
<BLOCKQUOTE style="PADDING-LEFT: 8px; MARGIN-LEFT: 8px; BORDER-LEFT: blue 2px
solid">-------- Original Message --------<BR>Subject: Re: [Full-disclosure]
WEEPING FOR WEP<BR>From: Troy Cregger <tcregger@xxxxxxxxxxxxxxx><BR>Date:
Fri, April 06, 2007 11:49 am<BR>To: neal.krawetz@xxxxxxxxxxxx<BR>Cc:
full-disclosure@xxxxxxxxxxxxxxxxx<BR><BR><PRE>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I use WEP at home, even though my house is far enough from the road to
make it rather difficult for someone to jump on my network.
Even if someone decided to hide in the woods at the edge of my yard with
a laptop they're more likely to be eaten by a bear, sprayed by a skunk,
or chewed alive by mosquitoes than collecting enough packets to crack
the WEP key, so WPA or LEAP would be overkill.
Like you said, measurement of risk.
<A
onclick="Popup.composeWindow('pcompose.php?sendto=neal.krawetz%40mac.hush.com');
return false;"
href="http://email.secureserver.net/pcompose.php?aEmlPart=0&type=replyall&folder=INBOX&uid=11019#Compose";>neal.krawetz<B></B>@mac.hush.com</A>
wrote:
<FONT color=#800000>
> seconds. Knowing that WEP is no more secure than a plastic
luggage</FONT>
<FONT color=#800000>
> lock, many people are questioning whether WEP is even useful at
all.</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>
> While I certainly do not recommend WEP for high security (or
even</FONT>
<FONT color=#800000>
> moderate risk) environments, you need to remember: security is
a</FONT>
<FONT color=#800000>
> measurement of risk. If the threat is low enough, then WEP
should</FONT>
<FONT color=#800000>> be fine.</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>> WEP actually has three things going in its
favor:</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>
> * Availability: While there are many alternatives to WEP,
such</FONT>
<FONT color=#800000>
> as WPA and LEAP, only WEP is widely available. Hotels and
coffee</FONT>
<FONT color=#800000>
> shops that only cater to WPA or LEAP will not support many of
their</FONT>
<FONT color=#800000>
> customers. However, if you support WEP then everyone should be
able</FONT>
<FONT color=#800000>> to access the network.</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>
> * Better than nothing: There's a saying in Colorado: I
don't</FONT>
<FONT color=#800000>
> have to run faster than the bear, I just have to run faster
than</FONT>
<FONT color=#800000>
> you. If a casual war driver or WiFi-parasite has the option to
use</FONT>
<FONT color=#800000>
> your WEP system or your neighbor's open system, they will
always</FONT>
<FONT color=#800000>
> choose your neighbor. Having WEP makes you less desirable than
an</FONT>
<FONT color=#800000>
> open WiFi because there is no effort needed to use the network.
If</FONT>
<FONT color=#800000>
> you happen to live next to a coffee shop or library that
offers</FONT>
<FONT color=#800000>
> free WiFi, then the casual wireless user who just wants
Internet</FONT>
<FONT color=#800000>
> access will always choose free over the hassle of cracking
WEP.</FONT>
<FONT color=#800000>
> While WEP does not block a determined attacker who wants
your</FONT>
<FONT color=#800000>
> network, it will stop opportunistic network users. Attackers
tend</FONT>
<FONT color=#800000>
> to not be sophisticated and do not choose their targets.
Attackers</FONT>
<FONT color=#800000>
> are much like Russian roulette players, and like Russian
roulette</FONT>
<FONT color=#800000>> players are usually both Russian and not very
intelligent.</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>
> * Intent: This is a biggie. If someone trespassed on
your</FONT>
<FONT color=#800000>
> private network through an open wireless access point, then
proving</FONT>
<FONT color=#800000>
> digital trespassing can be very difficult. However, if the
user</FONT>
<FONT color=#800000>
> must bypass your minimalist WEP security, then they clearly
show</FONT>
<FONT color=#800000>> intent to trespass.</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>
> Consider WEP like a low fence around a swimming pool. Without
the</FONT>
<FONT color=#800000>
> fence, you are in trouble if a neighborhood kid drowns in the
pool.</FONT>
<FONT color=#800000>
> It's an "attractive nuisance". However, with the fence, you
should</FONT>
<FONT color=#800000>
> be covered if a kid climbs the fence and drowns. It's still
bad,</FONT>
<FONT color=#800000>
> but you have a standing to refute blamed since you put up
a</FONT>
<FONT color=#800000>> barrier, even if the barrier was minimal.</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>
> As far as WEP goes, it may not be very secure, but it is
better</FONT>
<FONT color=#800000>
> than the open-network alternative. If you have the option to use
a</FONT>
<FONT color=#800000>
> stronger security algorithm, then definitely do that. However,
if</FONT>
<FONT color=#800000>> you have no other option, then WEP is better than
nothing.</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>> - Dr. Neal Krawetz, PhD</FONT>
<FONT color=#800000>
> Author of "An Advanced Guide to chmod(1)" and "An Introduction
to</FONT>
<FONT color=#800000>> Graphical Wrappers for apt and dpkg in Ubuntu"</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>
> I am best known for spending two weeks figuring out alternatives
to</FONT>
<FONT color=#800000>> single user mode on my Mac. PhD powah!</FONT>
<FONT color=#800000>> </FONT>
<FONT color=#800000>> <A href="http://www.hackerfactor.com/blog/%3C/font";
target=_blank>http://www.hackerfactor.com/blog/</FONT< a>>
- --
Click to consolidate debt and lower month expenses
<A href="http://tagline.hushmail.com/fc/CAaCXv1QPxZfhpzcJ4Xn8PICitIjcFxD/";
target=_blank>http://tagline.hushmail.com/fc/CAaCXv1QPxZfhpzcJ4Xn8PICitIjcFxD/</A>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: <A href="http://lists.grok.org.uk/full-disclosure-charter.html";
target=_blank>http://lists.grok.org.uk/full-disclosure-charter.html</A>
Hosted and sponsored by Secunia - <A href="http://secunia.com/";
target=_blank>http://secunia.com/</A>
- --
Troy Cregger
Lead Developer, Technical Products.
Kennedy Information, Inc
One Phoenix Mill Ln, Fl 3
Peterborough, NH 03458
(603)924-0900 ext 662
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - <A href="http://enigmail.mozdev.org/";
target=_blank>http://enigmail.mozdev.org</A>
iD8DBQFGFpY5nBEWLrrYRl8RAujxAJ4/emoKx9/vwwteZeGrBdEQNJq7YwCfRT+H
w5n4HjI21HB4ENS5a2hkTI0=
=8pPp
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: <A href="http://lists.grok.org.uk/full-disclosure-charter.html";
target=_blank>http://lists.grok.org.uk/full-disclosure-charter.html</A>
Hosted and sponsored by Secunia - <A href="http://secunia.com/";
target=_blank>http://secunia.com/</A>
</PRE></BLOCKQUOTE></DIV></FONT>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/