Re: ALERT: WPA can be less secure than WEP



On 26 Jan 2006 16:13:52 -0800, glenn@xxxxxxxxxx wrote:

>There are several attempts now to have one-button or click-and-secure
>options in home gateways and NICs, and that should come to fruition
>later this year, according to the head of the Wi-Fi Alliance, who I
>spoke to two weeks ago at the Consumer Electronics Show. Major
>chipmakers and major Wi-Fi product manufacturers want users to click a
>button and have a strong key generated for them and managed for them
>using out-of-band methods to ensure that key is wrapped in encryption
>as it's exchanged among devices.

Wouldn't it be easier for the manufacturers to ship their products
secure by default rather than insecure? At this time, all vendors,
except 2wire.com, ship their routers wide open. Wireless enabled by
default. No encryption. No router password or a commonly known
default password. Great for the out-of-box experience but doesn't do
much for security. Adding another layer to the installation ordeal
process is only a band-aid as any one-button security fix doesn't do
much if it isn't used. In my never humble opinion, arm twisting the
manufacturers to deliver secure by default products is far more
effective than an optional run-once utility. See 2wire.com for
details on how it should be done.

Also, you might want to ask members of the Wi-Fi certification group
why they test for WEP key functionality using Hex keys, but allow the
vendors of the various WEP enabled devices to default to using ASCII
keys. The problem is that there are apparently two different
algorithms for converting WEP keys from ASCII to Hex. Microsloth
Wireless Zero Config only supports one of these. The result is
encryption key exchange failure, which Microsoft aggravates by not
producing any useful diagnostics on a key exchange failure (i.e.
limited connectivity error). Some users ask questions of support or
in this newsgroup. However, most of them just notice that WEP
doesn't work and just run their wireless network with no encryption.
Instead of hunting for band-aids to fix the security problems, tell
them to fix the stuff that already exists.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@xxxxxxxxxxxxxxxxxxxxxx
# http://802.11junk.com jeffl@xxxxxxxxxx
# http://www.LearnByDestroying.com AE6KS
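
The ASCII-to-hex mismatch described in the post above, as an added example that is not part of the original post. The post does not name the two conversions; this sketch assumes they are the direct one-character-per-byte mapping and the de facto MD5 passphrase generator used by some vendors for 104-bit keys, and the sample key is constructed.

```python
import hashlib

# ASCII WEP keys are 5 characters (40-bit) or 13 characters (104-bit).
VALID_ASCII_LENGTHS = (5, 13)


def direct_hex(ascii_key: str) -> str:
    """Conversion 1: every ASCII character is used as one key byte."""
    raw = ascii_key.encode("ascii")
    if len(raw) not in VALID_ASCII_LENGTHS:
        raise ValueError("ASCII WEP key must be exactly 5 or 13 characters")
    return raw.hex().upper()


def passphrase_hex_104(passphrase: str) -> str:
    """Conversion 2 (assumed): MD5-based passphrase generator, 104-bit.

    The passphrase is repeated to fill 64 bytes, hashed with MD5, and the
    first 13 bytes of the digest become the key.
    """
    raw = passphrase.encode("ascii")
    if not raw:
        raise ValueError("empty passphrase")
    buf = (raw * (64 // len(raw) + 1))[:64]
    return hashlib.md5(buf).digest()[:13].hex().upper()


def compare(ascii_key: str) -> dict:
    """Derive the hex key both ways for the same typed string."""
    direct = direct_hex(ascii_key)
    hashed = passphrase_hex_104(ascii_key)
    return {"direct": direct, "passphrase": hashed, "match": direct == hashed}


if __name__ == "__main__":
    # Constructed sample: the same 13 characters typed on the access point
    # and on the client, each side using a different conversion.
    result = compare("SantaCruz2006")
    print("AP (direct)        :", result["direct"])
    print("Client (passphrase):", result["passphrase"])
    print("Keys match         :", result["match"])
```

Entering the key in hex on both ends sidesteps the conversion entirely, since the hex digits are the key bytes themselves.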