[MLB-WIRELESS] What about?? Was.. RE: Free access to Uni networks?

evilbunny evilbunny at sydneywireless.com
Fri Sep 6 12:05:38 EST 2002


Hello KevinL,

WEP is a 2 dollar lock, for all its faults, how many people here
would seriously think that they have anything so special someone will
spend weeks trying to crack it?

Yes it's flawed, but it takes considerable amounts of time to break
it...

Actually has anyone here actually broken WEP at all? (and I don't mean
the APs that set a dodgy default key)

Below is a repost of a story on SydneyWireless.com that was sent in a
while ago now... by jason on this list funnily enough...

-- 
Best regards,
 evilbunny                            mailto:evilbunny at sydneywireless.com

http://www.SydneyWireless.com - Exercise your communications
freedom to make it do what you never thought possible... 

------------------------------------------------------------------------

midway Writes "The following is a post by Midway from news groups on
a non-technical analogy of WEP, and usage of it... 

For all of you out there confused about security, this gives a very
brief overview as to how WEP fits into the picture... 

I have taken this from the alt.internet.wireless usenet group, kudos
to osiris at deltaville.net for the article. 

For those of you who want the link, the link is
news:e59f93b2.0205091513.6a1fcd67 at posting.google.com 

Article follows
----

We bashed out WEP a long time ago but it is tough to go back thru a
few thousand messages in archive. 

I am not going to document my comments here, I just want to put this
whole WEP argument to bed. 

Everyone knows that WEP is seriously flawed. There are a number of folks
on this group who will tell you to use it, even so. They are correct.
Here is the reasoning...  

1) Any system which man can devise is breakable. This is a basic
premise of cryptanalysis. To my knowledge (and it is dated), there is
only ONE encryption system which can be rigorously demonstrated to be
unbreakable. That system is not practical in many environments and so
while known, is not often used.    

2) Any other system can be demonstrated to resist attack but can not
be proven to be unbreakable. Therefore the second premise of
cryptography is that a system should be designed to deny access to the
information it protects for a certain period of time.

3) The third premise is that a system should only be used to encrypt
data which needs to be protected for the time period for which the
system was designed. So if I have three different encryption systems
which have been rated one year, two years, and three years, I should
not encrypt one year information in the three year system. This is
done because we do not want to *waste* our three year system.     

4) The last premise is that *ANY* system is better than *NO* system if
you can not evaluate the quality of your encryption system, with the
caveat that you can never forget you are working with an untrusted
system.   

Remembering those ideas let's make some analogies...

1) People rarely lock their garages and barns in the country. Some
people do not run WEP. 

2) People lock their houses nearly everywhere in the US these days.
Some people do run WEP. 

3) People put safes in their houses to protect their jewels, cash
and firearms. Some run other security systems, such as ssh tunnels,
VPNs, etc... etc...

There is a time and place for each solution.

WEP has to protect not just data which can have a long life expectancy
(credit accounts can remain open for years), but access to the
infrastructure. Access to the infrastructure by a cracker thru someone's
cracked wireless network constitutes an anonymous means of interacting
with the public infrastructure. That person can do anything they want
in the absence of other security constraints and will be very nearly
untraceable. Because WEP is vulnerable to known plaintext attacks
(which you may find upon the web) it is unable to protect the data it
was designed to protect. It is also unable to protect the
infrastructure from anonymous access (hijacking). Therefore WEP fails
the first three premises above but still triggers on the fourth. "Any
protection is better than no protection". In all fairness to WEP, I
should also point out that WEP was never intended to protect the
medium from hijacking, MAC address filter tables were always the only
solution in the 802.11b spec for that problem. Don't buy access points
that don't support it and DO use it.               

With all that said. The offence tendered was mitigating the
seriousness of the issues with WEP, there was no disagreement about
whether the home user should set up WEP. The disagreement was whether
one should say, "WEP is good enough." That of course depends upon how
one defines "good enough" and the purpose to which one is applying
"good enough".

Back to the analogy...

Most people will put a two dollar lock on a hasp on the tool shed.
Anyone could pick it but nobody will because nine out of ten people
don't lock their tool sheds at all.  

Most people will put a half decent twenty dollar lock on the front
door and a simple bolt system because they have never been burgled, or
raped. Check what people who have been burgled, or raped have on their
front doors and you will see a different arrangement.   

Some people will put a twenty thousand dollar wall safe behind a
picture in the hallway because they can 1) afford it and 2) have
something they really want to protect.  

People have to make their own choices. Non-technical people need
straight talk so that they can make wise choices. 

OK... non-techies who have suffered thru these some 100 posts on the
various threads beating around this topic... here is the bottom line.

"WEP is about as good as a two dollar lock in a neighborhood where
ninety plus percent of your neighbors don't have any lock at all."

Now that you know that you can forget all the other noise we have been
making and focus on the information YOU need. It's a two dollar lock
but nine of ten people have no lock at all.  

This matter is completely dead.
-m-"