Date:      Fri, 10 Aug 2001 15:07:58 +0930
From:      Greg Lehey <grog@FreeBSD.org>
To:        Warner Losh <imp@harmony.village.org>
Cc:        Brooks Davis <brooks@one-eyed-alien.net>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/wicontrol wicontrol.8
Message-ID:  <20010810150758.E37968@wantadilla.lemis.com>
In-Reply-To: <200108100355.f7A3t6133271@harmony.village.org>; from imp@harmony.village.org on Thu, Aug 09, 2001 at 09:55:06PM -0600
References:  <20010810131923.I38896@wantadilla.lemis.com> <200108092159.f79Lx8406626@freefall.freebsd.org> <20010809155123.A18472@Odin.AC.HMC.Edu> <20010810131923.I38896@wantadilla.lemis.com> <200108100355.f7A3t6133271@harmony.village.org>

On Thursday,  9 August 2001 at 21:55:06 -0600, Warner Losh wrote:
> In message <20010810131923.I38896@wantadilla.lemis.com> Greg Lehey writes:
>> Agreed.  WEP can discourage casual crackers.
>
> WEP is massively insecure.  It does discourage the extremely lazy,
> but the industrious will plow through it rather quickly...
>
> As a project, we don't encourage people to rely on things that are
> insecure, hence the warning.  If you know what you are doing, you
> can ignore the warning, just like with plain old passwords in clear
> text for telnet.

OK, think of the way most people see this.  Tell any kid with a
wireless card that he can drive up outside BigCo and get free wireless
coverage, and he'll do it.  WEP will discourage 99% of those people.
For me, that's a good enough reason to use it.

Another example: I have a subscription to a company called Skynet
Global, who supply wireless coverage for airport lounges in Australia.
There's a company called MobileStar in the US who do the same thing.

Authentication is massively flawed.  You get an IP address with DHCP.
Then you start a web browser and try to access some random site.  The
network intercepts your request and pops up a login screen instead.
You enter name and password, send the form back and authenticate,
assuming their authentication software isn't broken again.  The whole
thing works with http.  They don't use WEP.

There are two obvious things wrong with this scheme:

1.  Authentication is with http.  Anybody can sniff the air and get a
    username and password.  Even if you're using encryption for
    everything else, you can still have other people running up bills
    on your account.

2.  In Adelaide, the Qantas Club is directly above the arrivals hall.
    Coverage is good, and I still get a good signal in the arrivals
    hall.  Anybody knowing (1) can go there and wait for somebody to
    log in, then steal his password and use the system, without even
    being in the lounge.  WEP would stop this.

Greg
--
See complete headers for address and phone numbers
