Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

WPA-PSK Cracking As a Service

kdawson posted more than 4 years ago | from the get-out-of-the-cafe-quicker dept.

Encryption 175

An anonymous reader writes "Moxie Marlinspike, a security researcher well known for his SSL/TLS attacks, today launched a cloud-based WPA cracking service, where for $34 you can test the security of your WPA password. The WPA Cracker Web site states: 'WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.'"

cancel ×

175 comments

Sorry! There are no comments related to the filter you selected.

No comments? (0, Offtopic)

scurvy_lubber (58534) | more than 4 years ago | (#30360178)

Why not?

Question! (1)

Dan541 (1032000) | more than 4 years ago | (#30361254)

Will it help me break into my neighbours WiFi?

 

Re:Question! (1)

MrNaz (730548) | more than 4 years ago | (#30361368)

Probably. But the real question is, will it save you from his baseball bat if he finds out?

Re:Question! (1)

Dan541 (1032000) | more than 4 years ago | (#30361818)

In that case ill change my computer name to something other than "Dan-PC"

One problem (0)

Logic Worshipper (1518487) | more than 4 years ago | (#30360358)

Most people try to crack WiFi because they don't have internet, in which case it would impossible to access a cluster. It would be cool if it got you internet anywhere there was wifi, but it won't work, because you can't log into the cluster without internet anyway, so what's the point? Besides stealing data of course.

Re:One problem (0, Redundant)

FunkyRider (1128099) | more than 4 years ago | (#30360404)

Why pay $35 dollars for cracking a wifi, while you can pay for and get your own mobile internet the legal way? Of course that money is sent to steal data.

Re:One problem (1)

masshuu (1260516) | more than 4 years ago | (#30361410)

or go to your local coffee shop that offers free wifi

Re:One problem (3, Insightful)

ctmurray (1475885) | more than 4 years ago | (#30360426)

I think the tool is not being sold to people wanting to crack into a WiFi network, rather selling to people so that they can test their WiFi network.

Re:One problem (5, Funny)

Korbeau (913903) | more than 4 years ago | (#30360484)

I think the tool is not being sold to people wanting to crack into a WiFi network, rather selling to people so that they can test their WiFi network.

[x] Check this box if you are above the age of 18 and promise not to use this tool for malicious intends.

[BUY NOW!!!]

Re:One problem (1)

davester666 (731373) | more than 4 years ago | (#30360844)

"where for $34 you can test the security of your WPA password"

Um, what? If you know your own WPA password, you can just type it into say, dictionary.com or even into their web site. they should be able to tell you if it's in their list of strings they try for a lot less than $34...

Re:One problem (1)

Logic Worshipper (1518487) | more than 4 years ago | (#30360512)

Yeah, I'm sure that's the actual usage they're expecting.

Re:One problem (1)

Shakrai (717556) | more than 4 years ago | (#30360638)

I think the tool is not being sold to people wanting to crack into a WiFi network, rather selling to people so that they can test their WiFi network.

And the majority of bittorrent traffic is Linux torrents and WoW patches.....

Re:One problem (1)

aztracker1 (702135) | more than 4 years ago | (#30361322)

I'm sure they're willing to "test" their geolocation analytics while they test your wpa passwords too...

Re:One problem (0)

Anonymous Coward | more than 4 years ago | (#30361460)

Wow... ya think? I'm pretty sure you can use it to crack other passwords toooooooooooooo.

Re:One problem (1)

Dan541 (1032000) | more than 4 years ago | (#30361644)

Because I really find value in testing my OWN network.

Re:One problem (2, Insightful)

cbiltcliffe (186293) | more than 4 years ago | (#30361798)

Because I really find value in testing my OWN network.

If you don't, then you don't really understand security.
The point is, these dictionaries are already available to the people with their evil bit set.
If you're going "nobody's going to figure out this password," especially if you're running a business, you really should be _making sure_ that nobody's going to figure it out, rather than going on faith.

Unless you have a multi-tens-of-millions word dictionary yourself, so you can make sure that your WPA passphrase isn't in it, you're not properly protecting your network.

Re:One problem (1)

Dan541 (1032000) | more than 4 years ago | (#30362090)

You sound like a salesman, "for only $34 you can be sure that your network is secure".

Re:One problem (1)

snowraver1 (1052510) | more than 4 years ago | (#30360438)

Well, you could impress a client if you were a security contractor. For $35, that's a bargain! You could also screw with your neighbor... if they so deserve it.

Re:One problem (2, Funny)

Anonymous Coward | more than 4 years ago | (#30361642)

If their password appears in a dictionary, even one of 135 million words, then you could probably impress that client with shadow puppets, or blowing bubbles.

Re:One problem (1)

hey (83763) | more than 4 years ago | (#30360452)

Maybe somebody might want to crack their neighbor's wifi now so you so can connect if they have an outage.

Re:One problem (1)

Logic Worshipper (1518487) | more than 4 years ago | (#30360482)

For that price you can get a backup internet connection.

Re:One problem (5, Insightful)

vivian (156520) | more than 4 years ago | (#30360662)

Alternatively you could actually not be an asshat, get on with your neighbour and negotiate with them (over a 6 pack of beer) to allow legal access in the event of an outage.

Re:One problem (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30361084)

Any clued neighbor wouldn't be allowing others onto their wi-fi. I wouldn't want to be implicated if the neighbor has a taste for the "young'ons", nor do I want my IP to be considered enough evidence to win an IP infringement lawsuit because someone wants to bum Internet access for downloading the latest pr0n flick or the latest Britney Spears album.

If I were going to give wi-fi access, it will only be to allow others to connect to an OpenVPN port on an offshore provider. Then if I get a motion of discovery dropped on me, I can point to the offshore provider account belonging to someone else and go about my business.

Re:One problem (3, Interesting)

Just Some Guy (3352) | more than 4 years ago | (#30362036)

Living in fear must suck, huh? I have 4 open WiFi networks available to me at the moment (in a subdivision with 1/2-acre lots, not in a dense apartment complex). I've hopped onto a neighbor's network when my phone was out, and I have DHCP logs showing when they've been on mine. If I got hit with a subpoena, it'd be a piece of cake to show how many other people are using my router. That's a lot better approach for me and my neighbors than shutting each other out in a moral panic.

Re:One problem (1)

Enleth (947766) | more than 4 years ago | (#30360526)

Nothing a trip to the coffe shop around the corner won't fix.

A friend of mine has a modified ThinkPad fitted with threee WiFi adapters (one IWL, one Atheroes with AP/bridge functionality, another Atheros for quick scanning and data dumps on multiple channels) with external high-gain antennas and basically the only thing that keeps him from having net access virtually everywhere is the CPU power to crack keys. Luckily for him, the biggest telecom around here gives out wireless routers with preset (permanently!) WPA keys generated from the subsciption ID - they're all of the same length and share some character patterns, so a laptop CPU is able to crack them in a few hours. For others, he could be actually interested in such a service, maybe if it were a bit cheaper.

Re:One problem (3, Insightful)

Gothmolly (148874) | more than 4 years ago | (#30360754)

Isn't it cheaper, easier, and less douchebaggy to just get an aircard?

Re:One problem (1)

supernova_hq (1014429) | more than 4 years ago | (#30361450)

Not if what you want to get to is only on that network...

Re:One problem (1)

fake_name (245088) | more than 4 years ago | (#30360586)

Just wait for the iPhone app, so you can use your mobile connection to break into the faster wifi broadband.

Build a dictionary! (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30360384)

So for $34 you can make sure your password is part of their dictionary?

Re:Build a dictionary! (1)

Sam36 (1065410) | more than 4 years ago | (#30361048)

rofl yea that sounds about right. I am still on wpa and not wpa2 so my password is 32 chars from pwgen

Re:Build a dictionary! (4, Funny)

supernova_hq (1014429) | more than 4 years ago | (#30361470)

No no no no, when you submit your password it will only appear as ***** to them.

Re:Build a dictionary! (0)

Anonymous Coward | more than 4 years ago | (#30361570)

hey, if you type in your pw, it will show as stars
  ********* see!
  hunter2
  doesnt look like stars to me
    *******
  thats what I see
  oh, really?
  Absolutely
  you can go hunter2 my hunter2-ing hunter2
  haha, does that look funny to you?
  lol, yes. See, when YOU type hunter2, it shows to us as *******
  thats neat, I didnt know IRC did that
  yep, no matter how many times you type hunter2, it will show to us as *******
  awesome!
  wait, how do you know my pw?
  er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
  oh, ok.

Re:Build a dictionary! (1)

dwarfsoft (461760) | more than 4 years ago | (#30362060)

hunter2 [bash.org] sauce

Re:Build a dictionary! (0)

Anonymous Coward | more than 4 years ago | (#30361682)

No no no no, when you submit your password it will only appear as ***** to them.

they'll think everyone's password is hunter2?

Re:Build a dictionary! (1)

Macrat (638047) | more than 4 years ago | (#30361760)

That's what they want you to think.

And now... (0)

Anonymous Coward | more than 4 years ago | (#30360394)

we have your Password and IP, thanks!

And Slashdot is promoting this (1, Insightful)

ClosedSource (238333) | more than 4 years ago | (#30360436)

because?

Re:And Slashdot is promoting this (1, Funny)

Sir_Lewk (967686) | more than 4 years ago | (#30360718)

Because this is news for nerds, stuff that matters.

Dumbass.

Re:And Slashdot is promoting this (1)

ClosedSource (238333) | more than 4 years ago | (#30361562)

And this matters because..

Re:And Slashdot is promoting this (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30361688)

Because making you aware that such services exist might make you think about your own security.

Dumbass.

Re:And Slashdot is promoting this (1)

ClosedSource (238333) | more than 4 years ago | (#30362322)

Sure, because nobody around here thought about security until this story was posted.

Re:And Slashdot is promoting this (0)

Anonymous Coward | more than 4 years ago | (#30361780)

it's news for nerds

Re:And Slashdot is promoting this (1)

ClosedSource (238333) | more than 4 years ago | (#30362308)

Yes, somebody already said that. But advertisements aren't news.

Re:And Slashdot is promoting this (1)

Nerdfest (867930) | more than 4 years ago | (#30360878)

Because Moxie Marlinspike is the coolest name ever, with the possible exception of Neal Anderthal.

"test your key", riiiiight (2, Interesting)

SuperBanana (662181) | more than 4 years ago | (#30360448)

While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes

Anyone interested in testing their own key would not care about it taking 5 days. During a weekday, you're not around most of the time anyway. I doubt anyone cares enough to spend $40 for something that can be done for free.

Re:"test your key", riiiiight (1)

Dan541 (1032000) | more than 4 years ago | (#30361664)

Suppose your in the middle of a download and suddenly you ISP capps you. For $34 and 20minutes later you could be back online at full speed.

Good thing (0)

Anonymous Coward | more than 4 years ago | (#30360458)

Good thing "yourmomispoo" isn't in the diction. Phew!

Re:Good thing (1)

Lord Kano (13027) | more than 4 years ago | (#30360832)

That's far too short. "yourmomdrinksassmilk" would take longer brute force.

Well at least you can say Moxie has Moxie. (4, Insightful)

al0ha (1262684) | more than 4 years ago | (#30360460)

$34 to see if your password can survive a dictionary attack? Hell pay me $20 and I'll gladly save you some money and provide you with a password guaranteed to be unbreakable by brute force. I'll even sign an NDA to ensure I don't disclose it to anyone but rest assured even I won't be able to remember it!

Re:Well at least you can say Moxie has Moxie. (5, Interesting)

chill (34294) | more than 4 years ago | (#30360632)

I'll save 'em the full $34.

Go here: https://www.grc.com/passwords.htm [grc.com]

Re:Well at least you can say Moxie has Moxie. (4, Informative)

Urd.Yggdrasil (1127899) | more than 4 years ago | (#30360768)

Pfft, that's only pseudo random data, why settle when you can get true random data.

https://www.fourmilab.ch/hotbits/secure_generate.html [fourmilab.ch]
https://www.random.org/passwords/ [random.org]

Re:Well at least you can say Moxie has Moxie. (1)

Techman83 (949264) | more than 4 years ago | (#30360854)

Great if you want a secure password. But the parent has provided a link specifically for Wifi passwords. Long, random and valid for WPA and WPA2. Personally I'd reckon that they'd be pretty hard to crack!

Re:Well at least you can say Moxie has Moxie. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30360914)

Not as good as you think.

If somebody hacks into the server and retrieves the inital vector and 256 secret key, it's trivial to reconstruct *ALL* of the passwords ever handed out. Poor design.

He could create new secret keys regularly (hourly), or preferably mix in some real randomness to fix this.

Re:Well at least you can say Moxie has Moxie. (1)

mlts (1038732) | more than 4 years ago | (#30361164)

Even better, use a utility that gets random data without going through the Internet. Here, I use KeePass, tell it to make a 63 character random string, wiggle the mouse and type in some keys.

Then I paste the string into my router, put a copy of the string on a file in a TC protected container. That I copy to a USB flash drive and manually copy and paste that into the rest of my boxes' WPA2 config.

If I forget the WPA2 password, who cares. I log on the router via a hardwired connection, repeat the above process. I also repeat the above every so often (about once or twice yearly).

If someone can brute force a cryptographically secure 63 digit password to get on my WPA2 subnet, they must be very desperate.

The trick is: You do not have to remember the 63 digit string. This means you can use a phrase without worry about trying to keep it in your head. You just need to have it stored in a secure place so you can cut and paste it to all your machines.

Re:Well at least you can say Moxie has Moxie. (0)

Anonymous Coward | more than 4 years ago | (#30361624)

*They* can get it when it is on the clipboard because they know an exploit for your OS that you don't.

If someone is going after you there is no such thing as secure. What you are doing is not a lot more secure than using a single password that you never change.
Changing it assumes that your current password hasn't been compromised *and* that your next password won't be the next in their list. The chances that it is aren't very different to the chances for a single password. Your current password could be last in their brute-forcing list for all you know and changing it could only worsen your chances. You have no way of knowing how long they have been trying passwords and which passwords they have tried(this is no SSH). Maybe they just feed the cracker random data and your password will be struck down by God herself.

Re:Well at least you can say Moxie has Moxie. (1)

cbiltcliffe (186293) | more than 4 years ago | (#30361992)

....God herself.

You said that just to piss people off, didn't you? :)

Re:Well at least you can say Moxie has Moxie. (1)

wizzat (964250) | more than 4 years ago | (#30361860)

Interesting approach. My approach to the problem was to write an application that generated reproducibly random keys and updated all of my computers once per day to have the next key in the sequence. Then one of the computers logged into the router and updated it there. Generally speaking, this amounted to ~10 seconds of downtime while I was sleeping. Really I did it for the nerd cred (to myself).

Sure, it assumed that my initial password had never been broken and they didn't have the source - but that's about as good as someone can ask for these days. Especially considering the most likely threat is from a computer already on the network (rootkits/worms/malware/what-have-you).

Re:Well at least you can say Moxie has Moxie. (5, Funny)

Power_Pentode (1123285) | more than 4 years ago | (#30362590)

Pfft, that's only pseudo random data, why settle when you can get true random data

No "random" data that you get from the net should be trusted. I throw old 16-sided gaming dice to generate a transparent X-Y grid, which is then set over the top of my cat's litter box. The positions of the cat turds are normalized against a reference litter box and fed into a fancy matrix algorithm, the output of which is SHA4 hashed and truncated to make the WPA2 key.

Re:Well at least you can say Moxie has Moxie. (1)

DigiShaman (671371) | more than 4 years ago | (#30360852)

Take a random 63 character key in hex mode. Has anyone ever been crack such a key in WPA2 AES mode just by sniffing packets?

Re:Well at least you can say Moxie has Moxie. (2, Informative)

wagnerrp (1305589) | more than 4 years ago | (#30362526)

That's great if you have a compliant device. I spent two hours trying to figure out why my mom's Nokia wasn't working with such a passphrase. I finally got tired of typing in such a long phrase and truncated it to 15 or so characters only to find it instantly working. Turns out while it lets you type in long phrases, it will silently fail to use them in a completely undocumented deficiency.

Re:Well at least you can say Moxie has Moxie. (1)

Hurricane78 (562437) | more than 4 years ago | (#30361088)

$20?? Pad me $10 offer a tool that generates an unlimited number of military-grade security passwords that even a young child can remember forever, and optionally also generates public/private keys to use in-between.

<fearmongering>Plus a guide on proper usage and a link list if you’re interested in learning more about how to prevent your young daughter being online-raped, your partner being raped in the ass in prison because of someone framing her, and you getting caught by Chinese/Russian/American/Colombian/whatever intelligence and thrown in a gulag to be raped to the end of your life because you got cracked and were the central of the biggest botnet in human history.</fearmongering>

Buy now! ^^

Which is why... (1)

Darth Turbogeek (142348) | more than 4 years ago | (#30360464)

... you dont use d!ct!0n@ryw0rd50r@tl3@st make them hard to be brute forced.

I cant really see how this is service is legal but I am willing to be educated how it could be.

Re:Which is why... (1)

Sir_Lewk (967686) | more than 4 years ago | (#30360758)

Why should it be any more illegal than tools like aircrack-ng, nmap, or for that matter, telnet? Just because something can be used by hackers doesn't mean it's illegal*.

*Unless you live in Germany. "Hacker tools" are illegal there iirc.

Also, l33t-speaking dictionary words is generally considered a pretty poor way to create passwords.

Cloud? (0)

Anonymous Coward | more than 4 years ago | (#30360466)

I'm not typically the one to bitch about terminology as this sort of technical jargon is in constant evolution and that's a normal and good thing, but, uh... cloud? We've been calling this sort of setup a "cluster" for ages, there's no indication in TFA that this is geographically distributed, and it doesn't really do remote data storage or anything like that, which are just a few of the typical aspects of "cloud" crap I can think of off the top of my head. How is this a "cloud" thing?

Re:Cloud? (not a) (4, Interesting)

frosty_tsm (933163) | more than 4 years ago | (#30360812)

They don't discuss it, but I wonder if they don't just fire up 400 Amazon instances, do the work, then shut them off. For $34 (an oddly specific number), they can't afford to have 400 CPUs around. However, if they allocate on a job-by-job basis, then their overhead is very low.

This kind of work (high computation, high parallelization, infrequent request) might be the most brilliant and non-obvious use of cloud computing. Low overhead due to using someone else's hardware (rather than having 400 CPUs laying around). If this is truely what they are doing, I am very impressed.

$34 you can test the security of your WPA password (1, Informative)

Anonymous Coward | more than 4 years ago | (#30360470)

Only an idiot would pay $34 to see if their password was '12345'.

You can get a nice entropic password for free. [grc.com]

New Marketing Campaign (1)

zet0n (266284) | more than 4 years ago | (#30360472)

Steal your neighbors' wireless for a one time fee of thirty four dollars. Sixty percent of the time, it works every time.

From the Article... (3, Interesting)

BulletMagnet (600525) | more than 4 years ago | (#30360476)

"Marlinspike declined to say who operates his compute cluster"

I guess he can't come out and say he's using botted boxes, right?

Re:From the Article... (1)

John Whitley (6067) | more than 4 years ago | (#30361078)

Or perhaps MM simply doesn't want to get the plug pulled by a conventional cloud compute provider, due to the questionable PR (and possibly other attention) that this service may

One could view this as an alternative to the old "publish the exploit as a goad to the provider" tactic. Previously, some cryptographic weaknesses required someone to have the resources to obtain a compute cluster large enough to deal with some specific cracking problem. With this approach, it isn't even necessary to be able to set up an EC2 job -- just shell out a few bucks and away-you-go. It'll definitely be a wake-up call for some folks that big compute clusters are trivially available to anyone.

It's actually $17 for 40 min. (2, Informative)

Anonymous Coward | more than 4 years ago | (#30360628)

...$34 is the super-fast price.

400 CPU cluster or 400 node botnet? (1)

motherjoe (716821) | more than 4 years ago | (#30360652)

"WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords"

400 CPU cluster or 400 node botnet? Wonder where's he's getting the funding to pay for a farm like that? I mean you'd need to set up everything in advance of making any money off it. So again, where do the cycles come from I wonder.

Re:400 CPU cluster or 400 node botnet? (1)

Yo Grark (465041) | more than 4 years ago | (#30360722)

SETI@HOME?

Just wonderin.....

Yo Grark

Re:400 CPU cluster or 400 node botnet? (1)

Shadow-isoHunt (1014539) | more than 4 years ago | (#30360756)

It's not difficult to find rainbow tables for WPA-PSK(special in that they're salted(with the SSID) hashes) in community rainbow table projects. Think BOINC - the same goes for LM/NTLM/MD5/SHA1 too.

Re:400 CPU cluster or 400 node botnet? (5, Informative)

mzito (5482) | more than 4 years ago | (#30360802)

Actually, in this case, it's very straightforward. He's using Amazon EC2. EC2 charges by the hour, and all you have to do is spin up the number of servers you want. In fact, I happened to run the numbers on what the costs are for running 50 "8-core" servers, and it happens to be...$34/hour. So, what he did was say, "If I run two jobs an hour, I make a small amount of money. If I run 4-5 jobs per hour, I make more money"

This is, of course, a textbook use case for EC2, and I'm surprised no one has done it sooner.

Re:400 CPU cluster or 400 node botnet? (1)

Fnord666 (889225) | more than 4 years ago | (#30361804)

This is, of course, a textbook use case for EC2, and I'm surprised no one has done it sooner.

It [electricalchemy.net] has been, quite recently in fact.

Re:400 CPU cluster or 400 node botnet? (1)

maxume (22995) | more than 4 years ago | (#30360864)

They (only) accept Amazon payments, so it wouldn't be terribly shocking if they were using EC2.

They even offer high cpu instances:

http://aws.amazon.com/ec2/instance-types/ [amazon.com]

Given that they only charge $0.68 per hour for the high performance instances, he can buy quite a lot of horsepower for $17, and the costs of doing it twice as fast are pretty much exactly the same.

Re:400 CPU cluster or 400 node botnet? (1)

motherjoe (716821) | more than 4 years ago | (#30361376)

Good to know, thanks everyone for the replies.

Take care.

Re:400 CPU cluster or 400 node botnet? (0)

Anonymous Coward | more than 4 years ago | (#30360992)

Obviously, the "CPUs" opted in for free labor when they used one of the 135 million words as the password.

Re:400 CPU cluster or 400 node botnet? (1)

Dan541 (1032000) | more than 4 years ago | (#30361692)

Amazon EC2?

who uses WPA anyways? (2, Funny)

Gothmolly (148874) | more than 4 years ago | (#30360724)

Who uses WPA or WEP anyways? Either you leech your neighbor's unprotected WiFi, you live far enough away from other homes so that your signal doesn't leave your property, or you maintain a separate DMZ of wireless IPs that can't get into the good stuff, but can access the Internet.

Next people will say that MAC address security is actually meaningful.

Re:who uses WPA anyways? (1)

rikkards (98006) | more than 4 years ago | (#30360820)

Or, you run wired.
One of the first projects I did when I moved into our new house was run ethernet to all rooms

Re:who uses WPA anyways? (4, Interesting)

mlts (1038732) | more than 4 years ago | (#30361330)

Believe it or not, there are some embedded devices which don't have the CPU juice for WPA2, so they were given a BIOS update so they can run something better than WEP as some form of security. WPA has its issues, but it sure beats WEP.

The best wireless setup is to have two wireless SSIDs. Your internal one that runs off of WPA2-Enterprise, RADIUS server, and smart cards. Then an external one that has a stern packet filter and throttling mechanism. This way, people can log on your open wireless to check E-mail, but Limewire and other P2P apps will be stopped. Of course, someone can jump that, but if they do that, its not your problem anymore.

I do see one use for MAC address security, and its more of a legal thing than computer protection. If a security breach criminal case winds up in court, and you can prove a potential intruder was bypassing your MAC security, it might land a conviction. Otherwise, someone can make up a story of you allowing people to have your WPA2 passwords, etc.

Re:who uses WPA anyways? (1)

bigstrat2003 (1058574) | more than 4 years ago | (#30361386)

All forms of security are flawed, if that's what you're getting at. The goal is not to make it impossible to break into your space (be it computer network, home, whatever), but to make it difficult enough that it's not worth the attacker's trouble. I fail to see why you're bashing things like wireless encryption or MAC filtering for not being perfect, when you ought to realize this simple truth.

I mean, let's look at your example of "your signal doesn't leave your property". If your attacker cares enough to crack your WPA, do you really think he isn't going to care enough to walk onto your property? Of course not. Either he's looking for low-hanging fruit, in which case he moves on to an open wireless network, or he's looking for you, specifically, in which case nothing is going to save you if he knows what he's doing (because failing everything else, there's always physical break-in and forcing you to give up your data).

Re:who uses WPA anyways? (1)

angelbunny (1501333) | more than 4 years ago | (#30362386)

Do not underestimate wifi distance.

Years ago I was bored so I made a cantenna (sp?) and was able to crack wep from wifi sources a couple of miles out. (it was a pain in the ass but a fun experience)

To be fair, I'm on a slight hill, the can was in the attic of a two story house pointing out on a mount that I could angle quite precisely to get a signal. If even a slight gust of wind would come by (not enough to visibly notice shaking) it would kill the signal. But yes, a couple of miles out.

If it can be brute forced you're doing it wrong (1)

zblack_eagle (971870) | more than 4 years ago | (#30360746)

Nobody is going to brute force my randomly generated 63 character alphanumeric key. Not before a vulnerability in the encryption appears or the hardware gets replaced with a new standard

Re:If it can be brute forced you're doing it wrong (2, Funny)

Fnord666 (889225) | more than 4 years ago | (#30361978)

Nobody is going to brute force my randomly generated 63 character alphanumeric key. Not before a vulnerability in the encryption appears or the hardware gets replaced with a new standard

I thought this [xkcd.com] was how you brute forced a password in less than 30 minutes.

Do you trust moxie? (1, Funny)

Anonymous Coward | more than 4 years ago | (#30360798)

Given his infamous reputation for exploiting SSL, do you trust moxie?

What happens if he says your passphrase survived the 20 minute test dictionary run, you put it in production, and he leaves the system running and breaks it later in a brute force attack? Would they tell you that it was cracked then?

bad ass... (1)

adosch (1397357) | more than 4 years ago | (#30360800)

This is bad ass and probably worth the $17 for the half-CPU cluster time. However, on a sour note, I can see it getting abused for it's short worth of security affirmation. With monetary gain at stake, I can imagine funding this service is going to far outweigh validating who's using it for malicious intent. It's a far stretch and would get rather expensive for some d0uch3b4g pwning neighboor networks, but if there a network of value to get into, the $17 (or $34) can't even fill my gas take.

$34? I can undercut that. (3, Funny)

smchris (464899) | more than 4 years ago | (#30360816)

For $30 I'll run the command-line random number generator I found on the web and send you a 60 digit number.

If you act today, that's only 50 cents a number!

Nice for English people (1)

KlaasVaak (1613053) | more than 4 years ago | (#30360866)

What's the chance of this happening to a non-English speaker? most of the development of this kind of tuff seems to be happening in the the US so hurray for the rest of the world I guess.

Passwords that are found in dictionaries = FAIL! (1)

Hurricane78 (562437) | more than 4 years ago | (#30360996)

I’m sorry, but if your password is found in a dictionary, you fail, and deserve to be cracked. I don’t care if you’re 50 year old steel worker with no higher education. You are still a human. The most intelligent being on the planet! Behave like one, would ya?

Protip: Adding just ONE special character to your password is going to wreck even faster brute force attacks. Let alone dictionary ones.
If you want your password being “penis”, and it complains that it’s too short, no problem. Add a exclamation mark, or maybe more than one, and you’re not good. You’re great!
I repeat: “penis”: BAD. penis!!!1“: GREAT. ^^

I found some other nice techniques:

1. Use 1337(0d3. ^^ (Or some other keys that only you know what they mean.)

2. (My favorite:) Draw one, two or even more big letters on your keyboard, using all the keys. This works especially well with a custom keyboard layout (I use the German Neo 2.0 layout, which is rather rare. Which makes it rather hard to enter the password on other keyboards though. Then again, that is a feature. As then nobody can log your input on his computer.)

3. If you can, use public key authentication. Let’s see them brute-force a 2048 bit key!

X. Do them all together. E.g. draw “p3n“ on the keys of your keyboard, to decrypt a public key.
But: No, I do *not* expect Joe Sixpack to know that. Then again, he also does not need it. It’s just a bit of evolutionary advantage for us experts. ^^

Re:Passwords that are found in dictionaries = FAIL (0)

Anonymous Coward | more than 4 years ago | (#30361098)

Unfortunately, the wpacracker.com dictionary will even crack your "expert" advice. The reason the dictionary is so large is because it encompasses simple tricks like these -- adding characters to the end of words, exclamation points, elite-speak, mixed case, and even keyboard patterns.

Re:Passwords that are found in dictionaries = FAIL (1)

MortenMW (968289) | more than 4 years ago | (#30362524)

So.... I guess you really like penises?

360 simulatneous cracks would take 5 days. (0)

Anonymous Coward | more than 4 years ago | (#30361036)

FTA: 20 minutes instead of 5 days.

If 360 people were using this system simultaneously, and God forbid there be more than that, you would be better off running the crack yourself.

Re:360 simulatneous cracks would take 5 days. (0)

Anonymous Coward | more than 4 years ago | (#30361370)

As someone else mentioned, he's probably using EC2 as 50 8-core nodes cost... $34/hour.
so if 360 people are using the system simultaneously a crack will still take 20 minutes.
Although I wonder how long it takes EC2 to get 18000 high-cpu nodes up...

Re:360 simulatneous cracks would take 5 days. (1)

Dan541 (1032000) | more than 4 years ago | (#30361698)

FTA: 20 minutes instead of 5 days.

If 360 people were using this system simultaneously,

There aren't that many idiots here. They're all at the mall.

Use a passhprase (1)

WD (96061) | more than 4 years ago | (#30361202)

e.g. a sentence. With capitalization and punctuation. You won't really have to worry about dictionary attacks that way.

Or use your gpu that isn't doing much anyway. (1)

nodrog (31300) | more than 4 years ago | (#30361806)

There's a piece of free software http://code.google.com/p/pyrit/ [google.com] that could crunch through 135 million passwords in a few hours.
On my GTX275 it would take about 3.5 hours. I think i will save myself $34.

Nice name (1)

Frogbert (589961) | more than 4 years ago | (#30361856)

Moxie Marlinspike. That's a Gnome name if ever I heard one.

Mine cannot be cracked (0)

Anonymous Coward | more than 4 years ago | (#30362690)

This service cannot crack my WPA password. Because my password doesn't exsist in a nerds dictionary: "women"
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>