Forgot your password?

Close
typodupeerror

Comment: Re:WTH (Score 1) 48

by eggboard (#39392859) Attached to: Throwing Light On Elcomsoft's Analysis of Smartphone Password Managers

I'm never sure if Slashdot commenters read the original article or the blurb.

In the article, which I wrote, I explain the precise degree of risk, who is at risk, and how to mitigate.

* Recommending software: I did not write the article about 1Password Pro; Joe Kissell did.

* I do not receive a share of advertising revenue, nor is any my writing for any of many publications based on advertising revenue. I receive a fixed fee arranged in advance. Only the publication knows whether or not advertising was justified.

* Attacked on his income: Neither the publication TidBITS or me personally have any income issues associated with the sale of any security software.

This article was for normal folks, not security experts, and tried to explain in clear terms how to disable (for instance) any PIN-based access or switch away from a numbers-only passwords.

The criticism here seems both misplaced, conspiracy oriented, and not based on a reading of the article.

+ - NY Times Biffs Conference Wi-FAIL Story->

Submitted by eggboard
eggboard writes "The New York Times ran a strange story that tried to explain why Wi-Fi fails when thousands of people gathered a tech event try to use a network set up by organizers. The story says Wi-Fi wasn't designed for that kind of use. I disagree, and explain why at length. The 1999 IEEE 802.11b spec might not have been designed for it, but 802.11g could handle mass numbers, and 802.11n is designed to deal with interference and large user bases."
Link to Original Source
The Media

+ - Wired Responds in Manning Chat Log Controversy 1

Submitted by
Hugh Pickens
Hugh Pickens writes "Earlier this week Glenn Greenwald wrote in Salon about the arrest of US Army PFC Bradley Manning for allegedly acting as WikiLeaks' source and criticized Wired's failure to disclose the full chat logs between Manning and FBI informant Adrian Lamo. Now Wired's editor-in-chief Evan Hansen and senior editor Kevin Poulsen have responded to criticisms of the site’s Wikileaks coverage stating that not one single fact has been brought to light suggesting Wired.com did anything wrong in pursuit of the story. "Our position has been and remains that the logs include sensitive personal information with no bearing on Wikileaks, and it would serve no purpose to publish them at this time," writes Hansen. "That doesn’t mean we’ll never publish them, but before taking an irrevocable action that could harm an individual’s privacy, we have to weigh that person’s privacy interest against news value and relevance." Poulsen adds that Wired has "led the coverage on this story, and we would gain nothing by letting another scoop simmer unreported on our hard drives" and that Greenwald's assertions the Wired has a journalistic obligation to publish the entirety of Manning’s communications is backwards — the truth is the opposite. "Greenwald’s piece is a breathtaking mix of sophistry, hypocrisy and journalistic laziness," concludes Poulsen. "In any event, if you can’t make an argument without resorting to misstatements, attacking the motives of an experienced and dedicated team of reporters, name-calling, bizarre conspiracy theories and ad hominem attacks, then perhaps you don’t have an argument.""
Wireless Networking

Finland To Legalize Use of Unsecured Wi-Fi 151

Posted by Soulskill
from the it-turns-out-not-to-be-a-swedish-trap dept.
Apotekaren writes "The Finnish Ministry of Justice has started preparing changes to a current law that criminalizes using unsecured wireless hot spots (Google translation; Finnish original). The reasoning includes the impossibility of tracking unlawful use, the ease of securing networks, and the lack of real damage done by this activity. It is also hard for a user to know if an unsecured network is intended for public use or not. The increased ubiquity of legal, open networks in parks, airports, and other public places has also influenced this move by the Ministry of Justice."
Networking

+ - iPhone 4 May Have Wi-Fi Driver Fault-> 1

Submitted by eggboard
eggboard writes "After examining the WWDC video and talking to two veteran Wi-Fi experts, it seems likely that the iPhone 4 has a Wi-Fi driver flaw that was part of the trouble in making a network connection during Steve Job's WWDC keynote. The other problem was the massive congestion caused by so many independent access points. (Congestion may have triggered the iPhone 4's troubles, too.) With mobile hotspots proliferating on phones and in portable devices like the MiFi, we're going to see more trouble in the future."
Link to Original Source

Comment: Re:TKIP and CCMP (Score 2, Informative) 77

by eggboard (#31302822) Attached to: A New Wi-Fi Exploit, Limited But Clever

1. If you're having trouble with WPA2, it's an implementation issue. There's no reason that WPA2 shouldn't work as well or better than WPA. In some silicon, AES-CCMP encryption can work faster than TKIP. Check for firmware upgrades on adapters and APs.

2. TKIP keys cannot be extracted by any known methods. Short TKIP and AES-CCMP passphrased-based keys are vulnerable to brute-force dictionary attacks, typically based on precomputed common SSIDs. A key of 10 or more characters is probably fine; 20 random characters is beyond computation in this universe. 63 is just silly.

3. The TKIP exploits are particular to AES-CCMP and don't recover the key, nor does any particular key length prevent the exploit. The exploits rely on a set of givens (such as 802.11e/WMM being available and enabled on a router), but this latest exploit that I link to uses the integrity checksum to extract a packet delivered to a client in the right circumstances.

4. This attack could be weaponized, but it's a proximity attack, so the yield is very very low in such attacks.

Comment: Re:TKIP and CCMP (Score 4, Interesting) 77

by eggboard (#31299900) Attached to: A New Wi-Fi Exploit, Limited But Clever

That comment is halfway between troll and truth.

That only works for short passwords using dictionary words and common alternatives--typically eight characters or fewer. Yes, you can get precomputed dictionaries for common SSIDs, and you can even use a new service to do some computation.

However, move to 9 characters of random text (&fa^g_!80) and a unique SSID ("My little pony's network"), and all bets are off to computing the result in anything like a usable period of time.

TKIP and AES-CCMP remain strong for long, strong passwords, long being 10 or more characters, but 12 to 20 is best.

Security

A New Wi-Fi Exploit, Limited But Clever 77

Posted by kdawson
from the out-of-thin-air dept.
eggboard writes "Martin Beck, who in 2008 co-wrote a paper describing a way to inject packets into a secured Wi-Fi system, is back with a more extensive exploit. His 'Enhanced TKIP Michael Attacks' still don't allow extraction of a key, and are limited to TKIP (not AES-CCMP) WPA-protected networks. Still, he's figured out how to put in large payloads, and to extract data sent from an access point to a client — all without cracking the network key. The attack requires proximity to sniff and inject data, but it's another crack in the older key standard (TKIP) that no one with serious security interests should still be using." Here is Beck's paper (PDF) describing the new attacks.
Networking

+ - Another Limited but Wi-Fi Exploit->

Submitted by eggboard
eggboard writes "Martin Beck, who in 2008 co-wrote a paper describing a way to inject packets into a secured Wi-Fi system, is back with a more extensive exploit. His "Enhanced TKIP Michael Attacks" still doesn't allow extraction of a key, and is limited to TKIP (not AES-CCMP) WPA-protected networks. Still, he's figured out how to put in large payloads, and to extract data sent from an access point to a client--all without cracking the network key. The attack requires proximity to sniff and inject data, but it's another crack in the older key standard (TKIP) that no one with serious security interests should still use."
Link to Original Source
Wireless Networking

+ - Apple Slips in 450 Mbps Wi-Fi in Its Base Station->

Submitted by eggboard
eggboard writes "Apple told a few reporters in briefings yesterday to look for significant changes in its two top-line base station models, which are noted in passing as "new" on the product pages: 50 percent throughput improvement and 25 percent distance bump. How did they do this? With Engadget's FCC tip about "3x3" models, I've determined that Apple now offers what seems to be the first mass-market 450 Mbps, three radio-chain Wi-Fi router. Virtually all other consumer routers max out at 300 Mbps."
Link to Original Source
Security

Metasploit Project Sold To Rapid7 70

Posted by Soulskill
from the onward-and-upward dept.
ancientribe writes "The wildly popular, open-source Metasploit penetration testing tool project has been sold to Rapid7, a vulnerability management vendor, paving the way for a commercial version of Metasploit to eventually hit the market. HD Moore, creator of Metasploit, was hired by Rapid7 and will continue heading up the project. This is big news for the indie Metasploit Project, which now gets full-time resources. Moore says this will translate into faster turnaround for new features. Just what a commercial Metasploit product will look like is still in the works, but Rapid7 expects to keep the Metasploit penetration testing tool as a separate product with 'high integration' into Rapid7's vulnerability management products."
OS X

Apple Blurs the Server Line With Mac Mini Server 557

Posted by kdawson
from the so-easy-a-child-can-set-it-up dept.
Toe, The writes "Today Apple announced several new hardware offerings, including a new Mac mini, their (almost-literally) pint-sized desktop computer. In a bizarre twist, they are now also offering a Mac mini with Mac OS X Server bundled in, along with a two hard drives somehow stuffed into the tiny package. Undoubtedly, many in the IT community will scoff at the thought of calling such a device a 'server.' However, with the robust capabilities of Snow Leopard Server (a true, if highly GUI-fied, UNIX server), it seems likely to find a niche in small businesses and even enthusiasts' homes. The almost completely guided setup process means that people can set up relatively sophisticated services without the assistance of someone who actually knows what they are doing. What the results will be in terms of security, etc. will be... interesting to watch as they develop." El Reg has a good roundup article of the many announcements; the multi-touch Magic Mouse is right up there on the techno-lust-inspiration scale.
Books

The Kindle Killer Arrives 542

Posted by kdawson
from the got-wi-fi dept.
GeekZilla sends coverage from Wired's Gadget Lab on the Nook, Barnes & Noble's first e-book reader. "Sleek, stylish and runs the Android OS. What's not to like about Barnes and Noble's new e-book reader? Despite the odd name, the Nook looks like an eBook reader that would actually be a worthwhile investment. Best feature? The ability to loan e-books you have downloaded to other Nook owners. The reader, named the 'Nook,' looks a lot like Amazon's white plastic e-book, only instead of the chiclet-keyboard there is a color multi-touch screen, to be used as both a keyboard or to browse books, cover-flow style. The machine runs Google's Android OS, will have wireless capability from an unspecified carrier, and comes in at the same $260 as the now rather old-fashioned-looking Kindle." Here is the B&N Nook site, which is still not visible on their front page and has a few non-working links. (Nook.com isn't set up yet.) Their comparison page takes dead aim at the Kindle. Among the advantages in the Nook's column: Wi-Fi, expandable memory via microSD, MP3 player, and PDF compatibility. (But remember the cautionary note B&N struck six years back when they got out of the e-book business.)

I only know what I read in the papers. -- Will Rogers

Close