I am not sure I share your view completely. From a technical perspective, you are absolutely right: it has been well known for a while that WEP has severe vulnerabilities, and that they amount to near-total compromise. For some discussion, see:

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

However, WEP is useful for keeping nosey people out of your network, or preventing confusion between neighboring networks. With an understanding of its security vulnerabilities, I think it still has some use.

WEP does effective authentication in the sense that, if the underlying cryptography were secure, then any participant in a WEP LAN would be at least known to be a friend rather than a foe. This is not the main purpose of WEP and is really more of a side effect.

I brought up the WEP subject only as an example of incompatibility between different models of wireless LAN hardware from the same manufacturer. You were right to point out that WEP is now generally regarded as insecure. This is an especially nasty problem, really a cryptographer's worst nightmare, because so many people now have investments in hardware with a known vulnerability and they will likely keep using it forever.

-- Mike

On 2001-08-13 at 10:30 -0400, Derek Atkins wrote:

> No, WEP does no such thing. Consider that your whole system, and
> all users, have to share a single WEP key... No, there is
> no authentication. And yes, WEP _DOES_ encrypt the on-the-airwaves
> data, but does so in a broken way that allows someone to derive
> your actual WEP key. Once I have your WEP key, I'm on your wireless
> network.... This implies that it's safer to not trust your wireless
> network in the first place.
>
> In other words, keep your wireless network "open" and use real
> encryption/authentication technologies to let users access your
> network services.
>
> -derek
>
> David Kramer <david at thekramers.net> writes:
>
> > On 13 Aug 2001, Derek Atkins wrote:
> >
> > > Don't use WEP.. It's broken, completely. If I can _hear_ your
> > > base station I can break your keys in a matter of minutes (well,
> > > after I 'hear' a few million packets, but that only takes an hour
> > > or so on a busy LAN).
> > >
> > > WEP is broken. You might as well keep it off and just use IPsec
> > > and ssh.
> >
> > I'm more-than-new to this (I have ordered, but not received, my wireless
> > gear), but isn't the purpose of WEP to authenticate the client, not
> > encrypt the connection? I can't vouch for how crackable WEP is, but using
> > ssh over wireless does not help authenticate the client, so it's not
> > really a substitute.