Open Source and information security mailing list archives
Date: Fri, 06 Apr 2007 11:15:03 -0500
From: <neal.krawetz@....hush.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: WEEPING FOR WEP

seconds. Knowing that WEP is no more secure than a plastic luggage
lock, many people are questioning whether WEP is even useful at all.

While I certainly do not recommend WEP for high security (or even
moderate risk) environments, you need to remember: security is a
measurement of risk. If the threat is low enough, then WEP should
be fine.

WEP actually has three things going in its favor:

   * Availability: While there are many alternatives to WEP, such
as WPA and LEAP, only WEP is widely available. Hotels and coffee
shops that only cater to WPA or LEAP will not support many of their
customers. However, if you support WEP then everyone should be able
to access the network.

   * Better than nothing: There's a saying in Colorado: I don't
have to run faster than the bear, I just have to run faster than
you. If a casual war driver or WiFi-parasite has the option to use
your WEP system or your neighbor's open system, they will always
choose your neighbor. Having WEP makes you less desirable than an
open WiFi because there is no effort needed to use the network. If
you happen to live next to a coffee shop or library that offers
free WiFi, then the casual wireless user who just wants Internet
access will always choose free over the hassle of cracking WEP.
While WEP does not block a determined attacker who wants your
network, it will stop opportunistic network users.  Attackers tend
to not be sophisticated and do not choose their targets.  Attackers
are much like Russian roulette players, and like Russian roulette
players are usually both Russian and not very intelligent.

   * Intent: This is a biggie. If someone trespassed on your
private network through an open wireless access point, then proving
digital trespassing can be very difficult. However, if the user
must bypass your minimalist WEP security, then they clearly show
intent to trespass.

Consider WEP like a low fence around a swimming pool. Without the
fence, you are in trouble if a neighborhood kid drowns in the pool.
It's an "attractive nuisance". However, with the fence, you should
be covered if a kid climbs the fence and drowns. It's still bad,
but you have a standing to refute blame since you put up a
barrier, even if the barrier was minimal.

As far as WEP goes, it may not be very secure, but it is better
than the open-network alternative. If you have the option to use a
stronger security algorithm, then definitely do that. However, if
you have no other option, then WEP is better than nothing.

- - Dr. Neal Krawetz, PhD
Author of "An Advanced Guide to chmod(1)" and "An Introduction to
Graphical Wrappers for apt and dpkg in Ubuntu"

I am best known for spending two weeks figuring out alternatives to
single user mode on my Mac.  PhD powah!

http://www.hackerfactor.com/blog/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
