Forum

  • http://news.yahoo.com/minnesota-wi-fi-hacker-gets-18-years-prison-032803295.html

    Dave

  • A few thoughts here (Dave--thanks for the post--I saw it late yesterday...):

    1. The hack was on a wifi router encrypted with WEP. This probably would not even be a story if the user had utilized WPA2-Personal with a strong passphrase or used WPS. But, I see WEP being used everywhere when doing site surveys.
    2. I'm wondering what certs the technical/forensic witnesses had. CWNP maybe?
    3. This hacker was not just vindictive, but evil! Unbelievable how much needless pain he caused this family.

  • Hi Glenn

    You're right about the security issue.

    Some of the problems with any technology can actually come from the people who write the manuals concerning it.

    For example. When I was working teaching people how to set up VSAT systems, there were items of equipment which had a voltage on the center pin of the connector. That connector attached to a cable, which then attached to another box a distance away from the first item. In this manner, electrical current could be sent to the second box without having to run a separate power cable. You had to be very careful that you did not cause a short circuit on the cable by accidently touching the outer shield to the inner conductor ( easily done ). Modern equipment has overvoltage and overcurrent protection usually using an SCR crowbar circuit. Early brands of equipment did not have this, and a fuse would usually blow. There was information about this, but it was tucked away in the manual, using the same font and type as the rest of the manual. This would cause countless hours of frustration to people who were not familiar with the equipment, and had not been trained. When I spoke to the tech publishers, they would say ?But EVERYONE knows that !!?. No they don?t. YOU know that, because that?s all you do all day long. You know that subject inside and out. If I were to give that writer a data multiplexer and ask him to configure it, or fix a fridge or ask him to change the transmission on a ?57 Chevy, and say ?Right get cracking !!?, he?d probably have the same problems as the average tech in the previous example, and just stand there blinking at it. In other words ( and we?re all guilty of this ), we assume that the ?other guy? knows about that. But, maybe ?the other guy? does other work, and his boss has said ?OK, it would be great if we could send you on a course, but we can?t. Here?s item XYZ, off you go and get on with it?.

    Going back to the previous example, the manufacturers ended up having to put a big yellow warning sticker right on the front cover of the manual and one on the equipment. This cut down dramatically on equipment returns and customer frustration. I had one engineer with me who said ?So begins the dumbing down??. One night we had to do a massive reconfiguration of all the RF and baseband equipment in a remote station. We were up for over 28 hours and soaked with sweat from constantly going back and forth from the equipment shelter to the antenna outside. I?d written everything down in block capitals on two big legal pads. He smirked and said he could keep everything in his head. I told him ?Wait and see 18 hours into this re-config, when you can?t even remember your own name??. Another smirk.

    12 hours in, he had mis-configured a ton of gear. One hour later, no comms. I go outside to find him peering in the dark ( no flashlight with him ) at a cable. He?d blown the fuse by shorting the cable. I said ?Bet you wish you had one of those big yellow stickers now, eh ?....?

    The average Wi-Fi user ( our families, friends, neighbors, Bob from the garage, John from the grocery store etc ) in general have no idea whatsoever about security.

    IMO the manufacturers need to get a big sticker and put in absolutely simple, basic terms what to do about security. In such simple terms that anyone, literally anyone can ?get it?. One reason the Wi-Fi alliance came up with the ?push button? business etc was to make things as absolutely simple as possible for the average consumer. Simplicity, simplicity, simplicity. This was done partly due to the very large percentage of returns from consumers.

    Mike from the plant takes his new router home, can?t configure it and says ?This is BS man !!? and returns it.

    There should be two parts to a consumer electronics manual. First one so simple that the average grandmother should be able to set it up with basic functionality . The second part should allow someone to ?get into? the more detailed ?bits and pieces?. IKEA are you listening ?

    I used to carry a sheet of paper with some writing in Serbo-Croat with me to classes I tought as well as a dictionary as some other grammatical material. Whenever I got someone with a smirk, I?d drop that in front of them and say ?Right, start translating?. The expression on their faces was exactly the same as that of some of my neighbors when they?ve tried to set up a wireless router.

    Nearly all commercial electronics manufacturers are guilty of this. We simple have to make things simpler for people to understand.

    Dave

  • A similar situation happened to me a few years ago when I decided to learn Spanish while being in bed crippled. I'd never learned a language before and it was all brand new to me. Had no idea where to start. Asked the wifey to go down to the local Borders ( aye, we knew ye well......... ) and grab a book on Spanish for me. I studied it from cover to cover over six months. At the end of it, I knew about the Imperfect Subjunctive, The Sequence of Tenses, the Diachronic vs the Synchronic etc. All this weird and wonderful stuff. Thought I knew it pretty well. When I was able to walk again, I met a Hispanic neighbor and told him what I'd been doing. He started talking in Spanish and I hadn't a clue what he was saying.

    Went to the Borders store and bought a child's book ( for ten year olds ) on Spanish with loads of pictures of ducks and cats and houses. etc. Read that from cover to cover, then went on Amazon and started buying school texts for twelve and thirteen year olds. Continued doing that and gradually went on to high school books and then college level books. Although the grammar related book was great for letting me read Spanish books and newspapers, it really did very little for me as far as learning the basics of how to communicate. Started watching the "Telenovelas" with the closed captioning on and started learning this most beautiful of languages from all the drama of "So, YOU'RE the father !!" "My heart is broken in a thousand pieces !!" "GO from this casa and NEVER return !!" ....all good stuff.

    If I had to do it all over again, I'd have started off again with that child's book.

    Simple stuff first then the more complex ( cart and horse etc )

    Dave

  • Did a little informal survey over the last few days. Contacted a number of my neighbors who have professional occupations ( a surgeon, an accountant, Disney executive, a company manager, a pilot etc ). Contacted some of friends overseas ( Aus, Canada etc ) and had them ask the same questions I did here:

    1. In relation to your wireless router, what is the difference between WEP and WPA-2 ?

    2. What is the only thing you need to stop someone breaking into your network ( bit of a trick question, but done deliberately ) ?

    3. Do you think the setup process/explanations for your wireless router could have been made more simple ?

    Over a hundred professional people ( including a couple of professors ) were quieried.

    Not one single person could answer question 1

    All said that you only need a password. A couple said "A good, secure sort of password".

    On the last question, a number of replies were given, from "All of it is gobbledegook to me, so I've no idea if it can be made easier or not", "I just keep hitting enter at the defaults and hope it works", "God knows..."

    etc.

    Highly informal and "off the cuff", but........

    Dave

  • I agree that WPA2 etc could have caused this family less trouble, but I think Dave also has a point in that the majority of the world doesn't understand the difference in Wireless security, and fewer still care. A password is a password is a password.

    Now I'll admit I've gone overboard, having an enterprise grade WPA2 wireless network at my house with multiple SSIDs with various forms of encryption (I'm a geek what can I say?). However, I realized even just last night why so many people don't want to go through the hassle. It turns out the Kindle that my fiance got for her birthday doesn't allow 802.1X authentication or even a walled garden setup. You have to have a passkey for the wireless. Now this wasn't hard for me since I have a WPA2-Personal SSID as well, but that key is 63 pseudo-random characters. Your everyday user would much rather sit with their WEP password as their pet's name and be done with it. (nevermind the social engineering side of screaming your password to the world every night as your 3 year old let the cat outside again)

    I guess my point in short is that no matter how easy you make it to set up a (more) secure wireless network most of the users will either not care, or will take the defaults. Until WPA(+) is the standard there isn't a lot we can do other than facepalm every time we see (Apt248 WEP) on our client's available SSIDs screen.

  • This post is helpful and interesting.love it very much !Thanks to share,I am looking forward to hearing from next.I read your article to learn a lot and hope to see your next article, look forward to your masterpiece, you can also see our information, .I hope it can give you You some convenient. I would like to share some good and cheap things to you.share more:[b][url=http://www.ourreplicawatchss.co.uk/breitling-watches.html]Breitling Replica Watches[/url][/b],[b][url=http://www.ourreplicawatchss.co.uk/tag-heuer-watches.html]Fake TAG Heuer Replica Watches[/url][/b],[b][url=http://www.ourreplicawatchss.co.uk/]Replica watches[/url][/b]

  • I agree that WEP made things a lot easier for the guy, but I think the real story here is the CP, fraud, and death threats to public officials. Before the days of wireless or even computers, I'm sure he would have just sent fraudulent letters or created obscene personal ads. I guess something like that wouldn't rate the news though.

  • An oldie but ?not-so-goody???.Santa won?t be bringing any Wi-Fi routers for this lot:

    http://3a.17.1243.static.theplanet.com/video/american-greed-hackers-operation-get-rich-or-die-tryin'-1255605790

    http://www.cnbc.com/id/40535839

    http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?pagewanted=all

    http://www.wired.com/threatlevel/2009/04/more-fbi-hackin/

    http://www.informationweek.com/news/security/attacks/231602047

    I?m sure a movie will come out one day about this

    Dave

Page 1 of 1
  • 1