Date: Mon, 12 Feb 2001 22:55:01 -0500
From: "Jay R. Ashworth" <jra@baylink.com>
To: jon@lwn.net
Subject: 802.11 crack piece

Wi-Fi v. Open Source
by Jay R. Ashworth, special to Linux Weekly News
==============================

Well, the dangers of corporate closed-development practices have reared their ugly head yet *again* last week.

The wireless networking industry finally got its collective act together last year, and produced a standard for such things that was good enough that it didn't get in your way: the 11Mbps 802.11b wireless networking standard, also known variously as Wi-Fi and by the brand names of the various cards from different manufacturers. It was as fast as (or faster than) wired networking, and didn't require you to knock holes in all of those pesky walls.

But, like all wireless technologies, it was broadcast, so it didn't have even the minimal security that, say, 10BaseT inherited from the fact that there were actually wires in the middle.

Realizing, for a change, that no security -- which has for many years been the default posture of most commercial computer hardware and software companies -- simply wasn't good enough (the products wouldn't sell), the manufacturers included two versions of link-level security, which at least one manufacturer labeled 'Silver' and 'Gold'.

Now, since gold was only 10 bucks a card more expensive, I don't know why anyone would bother with the lower security silver in the first place, but the point is now moot, inasmuch as a group of academics at the University of California at Berkeley have proven that the *implementation* of even the higher security level -- dubbed "Wired Equivalent Privacy" by someone who obviously never saw the movie "Titanic" -- is faulty, and that in real world use, the average time to crack such a network by brute force is something less than a day.

Note how I phrased that; it's important: I didn't say that the 128-bit encryption itself was insecure, it's the design of the overall system that is the issue.

And the reason that design turned out to be so weak that an attack took only a year? Well, one assertion that could be made fairly is that it was because the design process was closed, rather than the open, peer-reviewed process which has (at least to me) been proven repeatedly as being much more likely to find the possible holes in both protocol and implementation which will make a security system insecure.

Again and again, even those of us who are not especially fans of Eric Raymond for one reason or another (full disclosure: I am :-) continue to see proof of his assertion that "debugging is parallelizable". What is not always realized is that *design* requires debugging, as well as code.

Another way to put this is that "not all the smart people work for you". The corollary is that there are uncountable numbers of people out there who (in the final analysis) are willing to do some of your work for you, pretty much solely in the hope of progressing further towards a world where things (software, hardware, services, etc.) don't suck.

History repeats itself: the organizations who find a way to leverage that wave of effort profit from it, even when you factor in the extra effort necessary to make proper use of it.

Ask people what they want, and give it to them. Wow. Now *there's* a novel concept.

Of course, as the Mozilla team will tell you, it doesn't always happen on "Internet Time". But you know something? Maybe that's a feature, not a bug. Ask yourself: do I want it Right... or Tuesday? Be honest. You're going to get what you want anyway.

But who knows; maybe it's just me. So many things are just me...

Cheers,
-- jra
--
Jay R. Ashworth                jra@baylink.com
Member of the Technical Staff  Baylink
The Suncoast Freenet           The Things I Think
Tampa Bay, Florida             http://baylink.pitas.com
+1 727 804 5015