LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices


Reply
  Search this Thread
Old 10-18-2017, 08:50 AM   #16
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187

WPA2 was never intended to be anything more than a "nuisance preventer." It is relatively easy to eavesdrop on another conversation in a coffee house – but if, for example, the connection is to an https web-site, or uses ssh or a VPN, the packets that you could intercept by WPA2 eavesdropping would be otherwise-encrypted anyway.

WPA2 was built to work within the very limited capabilities of wireless interfaces – what began with a simple, unchanging "WEP Key" slightly-matured into a protocol which would periodically re-negotiate the session key. But the hardware isn't really capable of much more.

Packets ought not be sent across the ether "in the clear," because "it's nobody's business but yours," so you should use WPA2, warts and all. But you should never rely on any (civilian ...) wireless-device security feature for primary security.

Last edited by sundialsvcs; 10-18-2017 at 08:52 AM.
 
Old 10-19-2017, 07:09 AM   #17
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,590

Rep: Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908
Quote:
Originally Posted by YesItsMe View Post
Memorability is not the most important aspect of a security hole.
Agreed. But is it a drawback?

Same question for identifiability.
 
Old 10-19-2017, 07:17 AM   #18
YesItsMe
Member
 
Registered: Oct 2014
Posts: 708

Rep: Reputation: 263Reputation: 263Reputation: 263
A security hole which is presented later than possible because they need to make a website first is a bad sign. And that happened in the past.
 
Old 10-19-2017, 07:26 AM   #19
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,590

Rep: Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908
Quote:
Originally Posted by YesItsMe View Post
A security hole which is presented later than possible because they need to make a website first is a bad sign. And that happened in the past.
Ah, I see, thanks for explaining. I was under the impression that it was presented later due to the idea of Responsible disclosure, nothing to do with the website per se.
 
Old 10-19-2017, 07:45 AM   #20
urbanwks
Member
 
Registered: Sep 2003
Distribution: Slackware64-Current, FreeBSD 12.1, Alpine 5.4, Manjaro 19, Alpine on WSL [Win10]
Posts: 194

Rep: Reputation: 213Reputation: 213Reputation: 213
Quote:
Originally Posted by YesItsMe View Post
A security hole which is presented later than possible because they need to make a website first is a bad sign. And that happened in the past.
Is this actually what happened? Do you have a source?
 
Old 10-25-2017, 08:25 PM   #21
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 17,212
Blog Entries: 27

Rep: Reputation: 5315Reputation: 5315Reputation: 5315Reputation: 5315Reputation: 5315Reputation: 5315Reputation: 5315Reputation: 5315Reputation: 5315Reputation: 5315Reputation: 5315
You all might be interested in what the EFF has to say about this. https://www.eff.org/deeplinks/2017/1...-you-need-know

They are not in a panic.
 
Old 10-26-2017, 08:16 AM   #22
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187
EFF's web site should be regular reading for everyone.

The most important thing ... and by-the-way this is generically true ... is that your computer should never "simply trust" any computer "because it is on the 'local' network." This is a throwback to the "wired" days, when it was hard to connect a computer to the physical network. Today, every other computer in the coffee shop is "on your local network," and you should port-scan your own machine ... from another machine ... to see exactly what services it might be exposing to everyone.

I vividly remember hitting the Windows "network list" screen while setting up a new network at a client's place of business – this was very early in the days of always-on ISPs – and being astonished to find many unprotected Windows shares listed. (Some apparently were related to a lawyer's office. I presume that neither the lawyer nor the lawyer's clients had any idea.)

There were also plenty of printers. I admit that I was sorely tempted to send a "Kilroy Was Here" to one of them at random.

It's actually a very good idea to use VPN within(!) your company, such that everything that passes through your local airwaves and wires is both encrypted and station-identified. You really shouldn't assume that the file-server you're talking to really is the one you think. But, if you are talking to it through VPN, and only through VPN, you can be, because a VPN server positively identifies both itself and every client that it allows to connect, provided that(!) you use unique digital certificates, as you always should.

Last edited by sundialsvcs; 10-26-2017 at 08:17 AM.
 
Old 10-27-2017, 01:53 AM   #23
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,501
Blog Entries: 3

Rep: Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761
Quote:
Originally Posted by sundialsvcs View Post
EFF's web site should be regular reading for everyone.
Yes. The site is worth checking on a regular basis. Though with Brand Named Bugs, it can be hard to track down the CVE number(s) even at the EFF site.

The EFF post above links to an explanation of the process that created the bugs in the first place. Rick Falkvinge puts it in plain language in that it was caused by closed standards. He inadvertantly also makes a case for open access publishing at the same time, but the gist is that because the standard was behind what amounts to a paywall, few could examine or evaluate it.
 
Old 10-27-2017, 04:08 PM   #24
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187
Quote:
Originally Posted by Turbocapitalist View Post
Rick Falkvinge puts it in plain language in that it was caused by closed standards. He inadvertantly also makes a case for open access publishing at the same time, but the gist is that because the standard was behind what amounts to a paywall, few could examine or evaluate it.
A silent confirmation of the frequently-made statement that "open peer-review" of any and every cryptographic technology is essential. Had the WPA2 folks not subscribed to the false-doctrine of "security through obscurity," they would not face this exposure today. The problem would have been identified and fixed, and along the way the protocol would probably have been "gratuitously greatly strengthened."
 
Old 10-29-2017, 09:21 AM   #25
patrick295767
Member
 
Registered: Feb 2006
Distribution: FreeBSD, Linux, Slackware, LFS, Gparted
Posts: 660

Rep: Reputation: 137Reputation: 137
Quote:
Originally Posted by suicidaleggroll View Post
A serious vulnerability has been found in WPA2, which brings it to the level of WEP (aka: might as well not have any encryption).

https://www.alexhudson.com/2017/10/1...ken-krack-now/
https://arstechnica.com/information-...eavesdropping/

Thoughts?

WPA2 was hacked in one or two days. There was not much security anyhow.

WPA3?
 
Old 08-08-2018, 12:54 AM   #26
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,501
Blog Entries: 3

Rep: Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761
It appears there is more where that came from:

https://asecuritysite.com/encryption/ssid_hm
 
Old 08-08-2018, 07:11 AM   #27
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,590

Rep: Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908Reputation: 1908
Quote:
Originally Posted by Turbocapitalist View Post
It appears there is more where that came from:

https://asecuritysite.com/encryption/ssid_hm
That's the same attack as what you mentioned in post #5, right?
 
Old 08-08-2018, 07:57 AM   #28
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

Rep: Reputation: 2351Reputation: 2351Reputation: 2351Reputation: 2351Reputation: 2351Reputation: 2351Reputation: 2351Reputation: 2351Reputation: 2351Reputation: 2351Reputation: 2351
I don't think WEP2 is dead, as such, any more than having a lock on your front door is pointless or using a hotel safe means your valuables will be stolen.
There never will be complete security but the key is to use as much security as you can use practically -- so make sure HTTPS sites are used, use VPNs on public WiFi spots if you use them at all and that kind of thing. The main thing is to look out for signs that your security has been compromised, such as messages showing that a secure site has been accessed at a time you know you didn't access it (many now show the last access date, time and IP address) then act accordingly. And, of course, use passwords as strong as you feasibly can.
Don't get me wrong, this is worrying and I hope it gets patched inn Android ASAP, but it doesn't really change anything.
 
Old 08-08-2018, 08:54 AM   #29
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 19,567

Rep: Reputation: 3499Reputation: 3499Reputation: 3499Reputation: 3499Reputation: 3499Reputation: 3499Reputation: 3499Reputation: 3499Reputation: 3499Reputation: 3499Reputation: 3499
Has "Chicken Little" been re-released ... ?
 
Old 08-08-2018, 10:13 AM   #30
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,501
Blog Entries: 3

Rep: Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761Reputation: 2761
Quote:
Originally Posted by ntubski View Post
That's the same attack as what you mentioned in post #5, right?
It's very closely related.

https://marc.info/?l=openbsd-misc&m=153372522315681&w=2

https://hashcat.net/forum/thread-7717.html
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: The Difference Between Wi-Fi Security Protocols: WPA2-AES vs WPA2-TKIP LXer Syndicated Linux News 0 12-19-2014 12:36 AM
LXer: Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both? LXer Syndicated Linux News 0 12-18-2014 06:47 PM
LXer: The Tablet Dead End Is Dead Ahead LXer Syndicated Linux News 6 07-01-2014 04:36 PM
LXer: SCO is finally “Dead Parrot” dead LXer Syndicated Linux News 0 08-09-2012 02:30 AM
Squid:2nd Browser access Internet SPEED dead becomes dead slow mwj Linux - Software 1 10-04-2003 01:40 PM

LinuxQuestions.org > Forums > Non-*NIX Forums > General

All times are GMT -5. The time now is 07:11 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration