
Nope, I Demonstrates WPA2 Is Crap
..because there is a "shared" key. You have to trust everybody else in the WLAN.
Firesheep – the Firefox extension that lets you nab people's cookies over insecure networks and hijack their web accounts – doesn't do anything that hasn't been done for years. But it makes for good theatre. Last week, in an effort to "spread the word" about the dangers of sidejacking, New York-based software engineer Gary …
WPA uses a 4-way handshake to generate and assign a Pairwise Transient Key which is derived from many sources of information, including the AP MAC address, but more importantly the client MAC. This is then cryptographically hashed. This essentially means that each client connected to the AP has its own key, and cannot be sidejacked.
However, I know from experience that Starbucks use open wifi APs, so this doesn't apply.
More info here: http://en.wikipedia.org/wiki/IEEE_802.11i-2004
As stated above WPA (2) does not leave the users inside a network open to sidejacking, but you also mistook WPA2-preshared-key (WPA2-PSK) for WPA2. The difference being that WPA (1 or 2) requires a RADIUS server and uses certificate based encryption, where the preshared key versions used on home wireless routers don't.
..I learned there is a somewhat broken protocol named RADIUS. Still using md5, despite being of questionable security.
Mir rollt es die Fussnägel hoch*:
http://en.wikipedia.org/wiki/Md5#Security
But that's not the only way RADIUS is crap.
And if you use PSK, I question you how this can achieve security as there is ZERO Public-Key crypto involved. Or did I figure this wrong.
And even if they did use PK Crypto, whatabout man-in-the-middle ? (That would simply be accomplished by blasting the legitimate AP (10mW or so) with a 2000mW bogus AP). I can't find anything related to certificates when I connect to an AP. Using directed antennas (Yagi or Parabole) can even make a rogue 10mW appear like a 100mW legit AP. Without the legit AP even realizing....
This is all crap. If you want secure WLAN, you have to use either only https sites or tunnel all traffic OpenVPN or similar. In this case, you can skip the WPA2-Smoke-And-Mirror altogether and leave the WLAN unencrypted. OpenVPN will do proper crypto using SSL/TLS.
http://en.wikipedia.org/wiki/Openvpn
* use translate.google.com
So you can get into mah facebooks. Big whoop. If I log on to fb and someone has posted something nutty/obscene under my ID, or shared all my data with a billion and one 'applications', I should care why?
Likewise amazon, really, as long as it's not the actual purchasing bit.
I know, I know, computer security, personal data, blah blah blah, but who really gives a crap if some geek in an internet cafe can see your mate's status updates about how wrecked they got the other day, pictures of someone's new baby, or if (as happens frequently when someone leaves an unattended machine somewhere) there's an unexpected status update proclaiming a joyful appreciation of being on the receiving end of a bit of bottom-sex?
(Ignoring your Paris icon . . .)
If something illegal is posted using your Facebook account, then you can be arrested. You may get fired from your job. Some quick ideas: confessing to recently-committed felonies, threatening politicians, making bomb threats, posting illegal pr0n, posting racist comments . . .
If someone can log in to your Amazon account, then he *can* make a purchase. At the very least, he can make your browsing history appear suspicious so that Amazon suggests up terrorist or pr0n books.
And, as you say, "personal data, blah blah blah blah". I would add "do affect your insurance rates, security clearance, background checks, credit rating, and the like".
Surely that is like noticing a car that hasn't been locked, opening the door, pushing the little lock thing down (yeah this is going back a bit but I used to do it a lot) and then leaving a note saying that they left their car open?
I wouldn't say it was illegal, doesn't there have to be criminal intent, in place of community spirit?
...I thought it was going to be "and sure enough, they had. He got up, packed his laptop and headed for the door before being intercepted by two of NYC's finest in their donut-sugar-frosted uniforms for inadvertently stealing the credentials of their sergeant..."
(Or maybe a mark had narked, y'know, something resulting in the bloke leaving Starbucks in cuffs)
This guy might be trying to make a point, perhaps he knows about computer security, but he sure as hell doesn't have any common sense. He almost certainly violated laws by hacking into other people's accounts. Good intentions or not, he could find himself in serious trouble.
If his intent was to demonstrate how vulnerable Starbucks was, he should have enlisted a volunteer to act as his guinea pig. He could even have mentioned that even while testing he had to filter out other computers which were exhibiting the same issues he was testing on the volunteer.
Anyway, I don't know why starbucks don't just encrypt their network. These vulnerabilities exist because the network has no encryption at all. With encryption, it would be considerably harder to eavesdrop on other people. Starbucks could even use it to prevent freeloaders by cycling passwords daily or suchlike and printing today's password on till receipts.
...that people ignore things that they don't understand.
And if he had started buying things on Amazon from their accounts, they would hold their hands in the air running around crazily, blaming Amazon, Starbucks, their ISP, the Government and everyone else but themselves.
I'm beginning to think that the Internet is too dangerous to let Joe Public loose on it! Maybe we need an Internet driving test before allowing them to connect.
Needless to say, this is also illegal in GB. It's instructive to run the attack on your own private network, compromising your own sock puppet accounts (after temporarily turning off https-everywhere). Doing what this blogger did merits a visit from Inspector Knacker.
http://en.wikipedia.org/wiki/Computer_Misuse_Act_1990
You remember the case of the Philadelphia-area high school that was surreptitiously peeping in on the students via the web-cam on laptops it had issues to the students? If so, you'll recall that there was no prosecution on this clearly illegal activity because there was "no criminal intent". Since there was clearly no criminal intent here either, this chap is in the clear.
From the article (http://www.theregister.co.uk/2010/08/19/school_webcam_spying_no_crime/): "I have concluded that bringing criminal charges is not warranted in this matter," Zane David Memeger, US attorney for the Easter District of Pennsylvania said in a statement, Wired reports.
"For the government to prosecute a criminal case, it must prove beyond a reasonable doubt that the person charged acted with criminal intent. We have not found evidence that would establish beyond a reasonable doubt that anyone involved had criminal intent."
No harm, no foul, it seems....
Isn't the act of logging into someone else's facebook account without their permission criminal? Certainly the author intended to do so, no? Just because his motives were supposedly altruistic, and that he wasn't seeking any sort of monetary gain, should that alleviate him from prosecution? Certainly he knew it was illegal, something that may not have been known by the fellow who set up the cameras in the school case example.
The ones which come to mind immediately:
1. The US jury system is so screwed up it is nearly impossible to get what most of us would regard as a competent jury seated, because so many of the things most of us would regard as marks of competence count as reasons to dismiss you from the jury pool.
2. Before you get to a jury trial, there's the whole plea bargaining mess.
3. Given solid evidence against a perp who committed a violent crime, there is at best a 50/50 chance of conviction. This isn't a violent crime, and the guy has shown his intention was to help people. I don't even think you could find 12 people if you select them at random who will agree to convict someone who hasn't caused ACTUAL harm when he was trying to do something good.
"When he got home, he realized his pants were unzipped. "Back at my apartment, I began to settle in – only to realize that throughout the entire night, my fly had been wide open."
So he forgot to zip after he cranked one out under the Starbucks table while cracking other peoples login info on top of the Starbucks table? I mean, geez, at first I thought this guy was just another do-gooder, intent on pressing his high-and-mighty security opinions onto unwilling others. But after seeing the zipper part, now I'm not so sure. Sounds like he may be a bit of a security perv.
*He* didn't actually blog about this. His blog was sidejacked and someone posted this entirely-fictional account to get him in trouble.
10: The thing is, the person sidejacking him is actually innocent; they're also being 'framed'. Their account was sidejacked by yet another party that's trying to get them into trouble.
20: GOTO 10
I hope that this clears things up...
When used properly GOTO can, in fact, improve code quality and readability. According to Knuth, who took a more balanced view than Djikstra.
Although you should still be shot for using it without having read both. And I don't just mean the two papers.
In fact I'd state that as a general principle, but I suspect if I were to go around putting all the codemonkeys who haven't even heard of either of them against a wall, we'd start getting low on programmers. Which might even end up being a bad thing.
@iamapizza you need to enable ssh for the entire session to avoid sidejacking, not just the logon. That is the point. Most sites are vulnerable, not just amazon and facebook
This is why you should never let a site store your credit card details for 1 click purchasing :)
Reminds me of that Cobol programmer they found dead in the shower in the mid 90's. CSI could not figure out the cause of death.. until a geek on the investigation team discovered the reason when he read the instructions on the shampoo bottle found with the body.
The instructions said:
1. Lather.
2. Rinse.
3. Repeat.
This guy oughta be careful. He may be operating within the Law as it is written, and may have the public interest in-mind, but that doesn't necessarily make any odds. He may view exposing the vulnerability as a proper action, but others with vested interests in keeping the status-quo (or, perhaps simply with avoiding doing the work needed to fix the security-hole) may not agree.
http://www.theregister.co.uk/2010/11/01/spamhaus_blocks_spamwise/