New York County Hopes To Do For Online Safety What It Did For WiFi

from the i-know,-pass-another-law dept

Politicians in Westchester County began talking last year about passing a law requiring businesses that offer WiFi access to secure their network in various ways. The law passed last week, but it’s typically misguided, written with little understanding of network security and doing nothing that would actually pose a problem for a hacker. But county politicos see themselves as trailblazers, and they’ve now set their sights on the safety of kids on the internet. They’re hosting an “adults-only” meeting about it, and aren’t ruling out drafting some sort of legislation dealing with the issue. If nothing else, it would be entertaining to see what kind of law they’d come up with, given the matter of some small things like the First Amendment, or a lack of local jurisdiction over the internet. It’s also slightly amusing that the article emphasizes the meeting is adults-only, after all, it’s probably far better just to listen to all the hype about the dangers of online services, rather than actually, you know, talk to kids about them.


Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “New York County Hopes To Do For Online Safety What It Did For WiFi”

Subscribe: RSS Leave a comment
30 Comments
Chris H says:

First one!

I read about their plans to force businesses to “secure” their use wireless networks.

I wish I had known all I had to do to protect my network from “hackers” was to change the default SSID. And here I wasted all that two minutes of my time setting up WPA encryption with a random passphrase instead.

Shannon says:

Re: Re: First one!

Do you have ANY idea what you are talking about?

WEP is inherently insecure. 128 bit WEP can be cracked inside of 3 minutes.

WPA DOES encrypt your data. Read the facts before you post http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

WPA was created by The Wi-Fi Alliance, an industry trade group, which owns the trademark to the Wi-Fi name and certifies devices that carry that name. Certifications for implementations of WPA started in April 2003 and became mandatory in November 2003. The full 802.11i was ratified in June 2004.

WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user; however, it can also be used in a less secure “pre-shared key” (PSK) mode, where every user is given the same passphrase. The Wi-Fi Alliance calls the pre-shared key version WPA-Personal or WPA2-Personal and the 802.1X authentication version WPA-Enterprise or WPA2-Enterprise.

Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV). One major improvement in WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger IV, this defeats the well-known key recovery attacks on WEP.

In addition to authentication and encryption, WPA also provides vastly improved payload integrity. The cyclic redundancy check (CRC) used in WEP is inherently insecure; it is possible to alter the payload and update the message CRC without knowing the WEP key. A more secure message authentication code (usually known as a MAC, but here termed a MIC for “Message Integrity Code”) is used in WPA, an algorithm named “Michael”. The MIC used in WPA includes a frame counter, which prevents replay attacks being executed; this was another weakness in WEP.

WPA was formulated as an intermediate step towards improved 802.11 security for two reasons: first, 802.11i’s work lasted far longer than originally anticipated, spanning four years, during a period of ever-increasing worries about wireless security; second, it encompasses as a subset of 802.11i only elements that were backwards compatible with WEP for even the earliest 802.11b adopters. WPA firmware upgrades have been provided for the vast majority of wireless network interface cards ever shipped; 802.11 access points sold before 2003 generally needed to be replaced.

By increasing the size of the keys and IVs, reducing the number of packets sent with related keys, and adding a secure message verification system, WPA makes breaking into a Wireless LAN far more difficult. The Michael algorithm was the strongest that WPA designers could come up with that would still work with most older network cards; however it is subject to a packet forgery attack. To limit this risk, WPA networks shut down for 60 seconds whenever an attempted attack is detected.

Stan says:

Re: Re: Re: First one!

Your forgetting that your TKIP has to be transmitted of an unencrypted connection during the connecting process, throwing your encryption out the windows if some is watching the wireless traffic from the start and they get your encryption key. WEP never transacts encryption keys over an encrypted connection. and WPA is just as hackable if the password is cracked.

The only true way to keep intruders out is MAC address filtering, and no encryption is ever strong enough.

look in more places wikipedia for info

Agonizing Fury says:

Re: Re: Re:2 First one!

Yes MAC Filtering is the best way to prevent un-authorized users. Please use this and tell me where your wireless networks are. Then, I’ll just go into the advanced properties of my network card and change my MAC address to match one of yours, and use it. Aren’t you glad you spoke without thinking?

Anonymous Coward says:

RE:

i thought WEP was the weaker one? and was more easily hackable, i use WEP but thats only because my wife wont upgrade her computer to support WSA

also thats lame how they ‘fixed’ the ‘problem’ in new york, i heard it was basically free wifi for TONS of people, all living so close together your more than likely in range of someone with an open wireless network 😉

there are 2 people nearby me with free open wireless (default ‘linksys’ ssids) which i use if mine every goes down for any reason, and i live in a fairly nicely spread out neighborhood so they are probably both just a door or two down from me or across the street or something..

Stan says:

Re: RE:

no WPA is only a password to get into the wireless network, WEP scrambles all of your network usage so it is unreadable to anyone watching the air. to do that it takes a real hardcore hacker any way I would doubt u will encounter someone like that. both way are nearly imposable for an amateur to hack, but WEP dose make it harder for a pro to hack.

besides if your neighbors aren’t secured you have nothing to worry about.

Cletus says:

Re: Re: Re: RE:

You can also create an ‘access list’ that authenticates via mac address. This can’t stop the most determined hacker, but it will keep the average war dialer at bay…. That, plus WPA however, would be very tricky even for the most accomplished, especially if you have a very good IDS(Intrusion Detection System), such as Snort: http://www.snort.org

Stan says:

the government can't use the internet

the government in as computer illiterate as my grandma, they don’t know the meaning of network security. and any company who doesn’t already have a secure network NEEDS TO HIRE A GEEK.

Everyone should just give up on trying to filter the internet from kids, lets face it unless the parents work in IT their kids probably are better with computers then them and can easily hack past a two dolor filter.

shannon says:

Re: the government can't use the internet

“the government in as computer illiterate as my grandma, they don’t know the meaning of network security. and any company who doesn’t already have a secure network NEEDS TO HIRE A GEEK.

Everyone should just give up on trying to filter the internet from kids, lets face it unless the parents work in IT their kids probably are better with computers then them and can easily hack past a two dolor filter.”

And you are about as illiterate as my 3 year old daughter. Talk about the pot and the kettle. Learn to spell prior to posting.

A Kid who DOES work in IT says:

$2 Filters

I have recently become familiar through my dad with a very good filter, that is impossible to hack. It modifies the protocol dll’s in XP Pro, so you can’t access the internet without going through the the filter. it is also very hard to replace the dll’s as you can’t get thif if you can’t get to a download site.

Point: Not all filters are junk.

Gino says:

This is quite possibly the stupidest set of comments I’ve ever seen. Stan, you’re a dumbass. The only thing you said that was almost right was that WPA can be cracked if you sniff the handshake. That’s kind of difficult unless you have a lot of client activity. And that still takes a dictionary attack or bruteforce. WEP can be cracked fairly quickly with almost no need for an active client (using aireplay to inject packets). Also, your comment about MAC filtering is retarded. All you have to do is clone your MAC to that of a connected client, and you’re past that hurdle.

comment 20, from “A Kid who DOES work in IT”, no filter is impossible to hack. For that situation, you could easily get backup copies of dll’s either from the XP setup disk, downloaded to a floppy somewhere else, or simply snatched from another XP machine. And even disregarding that, most filters suck and will have holes that you can get through, usually with secure proxies and stuff. There’s always some way.

And all filters ARE junk, either from being shitty at filtering the correct things, or from being insecure. Most are both.

ITGuy says:

The only true way to keep intruders out is MAC address filtering, and no encryption is ever strong enough.

You are wrong. You should look into TLS, TTLS, and PAP authentication methods. You need to learn more about server generated security certificates too. There are ways to connect to an encrypted network without anyone being able to intercept your password. In fact, I’d say passwords are rather weak compared to say — a 256 bit security certificate.

And yes, WPA is better than WEP. WPA was made because WEP is so easy to hack. Of course, to be hacked, the hacker has to know what they are doing…and most people are too stupid to get airsnort or some other WEP cracker installed and working under Linux.

Nick says:

Does anyone know anything continued?

I came to this article from my news page and began reading down these posts. I never post on these boards but I couldn’t believe what I was reading. I would say 80% of you have absolutely no idea what you are talking about and thank you to the few who have posted in response to that and actually made some sense.

If you are just going to make something up then don’t post it, nobody wants to read your opinion that you pass off as fact.

And further more, 128-bit encryption cracked in 3 minutes? Please tell me how that is done. I have a degree in computer science and i’ve studied crytography and if you could give me the algorithm that you must have created, that would help with my thesis.

Another great one, intercepting the key? Are you serious? Do you have a full understanding of how the encryption method you are talking about works? Go read about it, then make an intelligent post. Wouldn’t it be a funny world if when i wanted to encrypt something all someone would have to do is intercept the key I send and bam they can decode all the data I transmit.

sherman (user link) says:

Needs to Be EASY for Consumers

A security solution can be as secure as all getout, but if it is too complex to implement then consumers will never use it. The current problem with WEP & WPA & MAC Address filtering is that they are all too complicated for the average consumer. 10 digit or 26 digit Hex keys? Entering those into a TIVO, accessing the router admin page, navigating the router UI, it’s all too too complex for average user out there.

What has the best chance to work for the mass market average user is something with a single button that says lock or unlock. It has to be that simple. It has to work with all devices in the network, including legacy ones. Importantly, it has to be simple enough to keep casual users of bandwidth & connections (who do so by mistake by the way thanks to Windows) off of someones network.

Solutions that start with the end user promise of simple & easy will win out every time over something that is so secure that the average person can’t even use it.

High-TechRedneck says:

Re: Needs to Be EASY for Consumers

I understand that you feel that all of the protocols are too difficult to understand how to use, but really that is hardly the fault of software designers, as they have created wizards (which I am adamantly opposed to, but feel help complete beginners) and other methodology (including but not limited to documentation, browser based setup, etc.) to make the task much simpler. When wireless routers and networks were first becoming available it was somewhat difficult to configure them, however now all one needs to do is simply read the instructions which provide a step-by-step rationale for setting up the network.

Frankly, I have both set up wireless networks for people as well as having led them through the process over the telephone and it is one of the most simple systems that we have today. Connecting to the router in Windows is more difficult than actually setting up the router for MAC filtering(opinion).

The main issue is that we are not capable of making one button that is “locked” or “unlocked” and still having full legacy capacity and not making our security standards into something even my computer-illiterate mother would be capable of breaking (slight overstatement). The point, however, remains that attempting to make a reverse compatible encryption system that is “one click” is a fantasy. If you feel that I am in error in this, try writing one, or even thinking about the feasibility (or not) of it.

I understand the argument of things being hard to use, however, having the router generate a string of numbers that it tells you to write down and then tells you how to put into your xp machine is hardly rocket science. Possibly your router doesn’t have features like this and I’d love to give you the benefit of the doubt in this case, however, it seems a bit more research into the topic before spouting off on impossibly simplistic methods without creating any sort of support for your argument seems at best far-fetched.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...