
NASA Overcomes 802.11b Wireless Security Flaws

timothy posted more than 13 years ago | from the one-way-to-do-things dept.

Privacy 111

4mn0t1337 writes: "Looks like the people at NASA came up with a "solution" to the weak security in 802.11: Bypass it. From the article: "The team also assumed that all information on the network would be subject to eavesdropping, and that no identification information built into 802.11b could be trusted." So they chose to disable it, and set up an 'off-the-shelf PC running the OpenBSD operating system, an Apache web server, the Internet Software Consortium DHCP server, the IPF firewall software' and just depend on the security in protocols the services use. Moral of the story: Ignore the 802.11 security and just tunnel into our access points ..."


I love Katy! (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243068)

Katy, will you marry me? I will forget about Lum forever!

Re:I love Katy! (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243072)

I don't think Katy will marry an Anonymous Coward... :)

Re:I love Katy! (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243105)

Katy! Don't do it! Don't marry an AC!!

Understanding Jamie McCarthy! (-1, Offtopic)

O. P. P. Returns (518764) | more than 13 years ago | (#2243071)

Less than a week ago, I posted some information [slashdot.org] to this site regarding the ongoing failure of their efforts to filter the site. Since then, my account [slashdot.org] has been effectively eliminated, as I expected would happen when I posted the information. Revolutionaries are seldom welcomed by the established power, after all.

No editor stepped forward to claim responsibility for the attack, but evidence points to Jamie McCarthy, as I was involved in a short exchange [geocities.com] with him as a result of the aggressive editor moderation. During our brief discussion, "jamie" made the interesting claim that the bitchslap was never used on anyone except bots. This is a cynical attempt to deceive the slashdot readers.

Let's stick to the facts and examine the evidence:

While doing some unrelated research on the web, I happened upon this story of a truly unjust bitchslapping [netscape.net] by either Hemos or CmdrTaco. I can only assume that "jamie"'s non-reply to my question about modslap indicates that he is aware that this had taken place. I understand that this is probably not news to several other posters. I must point out that Taco repeatedly refers to the modslap script as "bitchslap" in his correspondence. There is almost no difference between the two.

The article describes an incident in which a user was bitchslapped for not moderating according to the beliefs of the slashdot editors.

Even as I was writing the article on slashcode, I was not aware of how serious the problems at slashdot are. Here is an incident in which the editors were happy to unleash a bitchslap on almost no provocation. I repeat, "If you don't mod the way he likes, your moderating days are over, and your karma plummets to bitchslap levels."

While the bitchslap script is apparently still in operation, modslap is probably not used in its original form. I do know that karma can be lost for unsatisfactory meta-moderation, as I have seen this happen to one of my accounts, during a period in which that account had not posted or moderated anything. What this evidence does reveal is that the slashdot staff have no particular loyalty either to their readers, or to freedom of speech. They are willing to suppress your posts and your account according to their own opinions.

"jamie"'s comments reveal a confused attitude towards the meaning of freedom of speech, as does this excerpt from his website [holocaust-history.org] :

I believe strongly in free speech. I believe just as strongly that no one is required to nod along with a liar, and pretend that he is making valid points: to pretend that crackpots deserve equal billing on the marquee.

Evidently, Jamie McCarthy thinks that "crackpots" should be afforded fewer rights than us right-thinking people. I wonder what sort of free speech rights he thinks should have been given to "crackpots" like Galileo? Or modern "crackpots" like Richard M. Stallman?

Besides Seth Finkelstein, do any of the contributors to the now defunct censorware.org actually understand what free speech means? I advise Jamie, and the other slashdot editors to read, or re-read John Stuart Mill's essay "On Liberty" and Voltaire's "Essay on Tolerance" to remind them why free speech is not conditional on what is being said.

this is SHOCKING!! (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2243135)

really no surprise here. slashdot hypocrisy is legendary. it's just as funny as michael posting YRO articles. keep up the good work, though i fear soon you will be bitchslapped again.

Perspective. (0, Interesting)

volsung (378) | more than 13 years ago | (#2243181)

Um, if by the statement "Revolutionaries are seldom welcomed by the established power, after all." you are trying to somehow link yourself and the other "oppressed" of Slashdot to great revolutionaries, then I would suggest you have a distorted perception of this situation and of your own importance.

I would suggest the following experiment to help you gain some perspective:

  • Turn off your computer and go outside. Observe your surroundings and note that Slashdot has no influence on any of them.
  • Go downtown and watch the crowds for several minutes. Realize that you probably have not seen a single person who knows anything about Slashdot or will ever be influenced by Slashdot.
  • Ask yourself whether Slashdot can injure your ability to eat, sleep, or move around without your consent. Then ponder whether Slashdot can hinder your free expression in any other forum but Slashdot itself.

Sure, Slashdot's recent attempts to solve the fundamental paradoxes (freedom vs. quality) of public, online discussion are flawed and causing the site to commit suicide slowly. (For example, I discovered that I cannot title this message "Perspective, perspective, perspective." because it is too repetitive. Silly.) However, do not compare yourself to revolutionaries who struggled to change real, meaningful things. This is an electronic playground and nothing more. Only five-year-olds lead revolutions on playgrounds.

Re:Perspective. (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2243214)

o
( \
x
8===D

Re:Perspective. (1)

volsung (378) | more than 13 years ago | (#2243237)

This is perhaps the best response to my comment I can think of. You are either a bot, or a genius. :)

Re:Perspective. (-1)

Klerck (213193) | more than 13 years ago | (#2243241)

I think what's more likely is that you're just an idiot.

Trolled by a penis bird; how sad is that?

Re:Perspective. (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243254)

With any luck, volsung, user #378, is about to lose his +1 posting bonus.

Re:Perspective. (0, Offtopic)

volsung (378) | more than 13 years ago | (#2243268)

Trolled by a penis bird? Trolling usually involves inflaming or angering the user. I just think that the nonsense answer captures the essence of what I am getting at. Laugh. smile. You take this all too seriously. :)

So... (1)

Jim42688 (445645) | more than 13 years ago | (#2243073)

Depend on protocols that will be easily hacked as soon as someone sets to it?

Re:So... (1)

naasking (94116) | more than 13 years ago | (#2243128)

These protocols have been in use for thirty years and are openly published. What is there to hack?

NASA bypasses 902.11b flaws (3, Insightful)

FreeMars (20478) | more than 13 years ago | (#2243074)

Hmmm. Not so much a bug fix as a work around

Re:NASA bypasses 902.11b flaws (1)

moheeb (228831) | more than 13 years ago | (#2243170)

Weak security isn't a bug.

Re:NASA bypasses 902.11b flaws (0)

Anonymous Coward | more than 13 years ago | (#2243205)

902.11b huh?

That's a pretty sad response (5, Insightful)

mesocyclone (80188) | more than 13 years ago | (#2243077)

Tunneling works for security, but it is far less flexible than plain old IP connectivity, which is what 802.11b delivers.

The solution is to *fix* 802.11b's security, which shouldn't be that hard. I believe that simply running the crypto algorithm through a few start cycles, before transmitting, is sufficient to stop the published attacks.

Whether the fix requires buying new hardware, or flashing old hardware, or just changing drivers, is another question.
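An added example, not part of the thread or of any 802.11b implementation: one reading of the "start cycles" idea above is the construction usually called RC4-drop[n], where both ends discard the first n keystream bytes before encrypting. The frame layout below (cleartext 3-byte IV, RC4 keyed with IV || secret, CRC-32 ICV) follows WEP; the function names, the key and the drop count of 768 are assumptions made for the illustration.

```python
import zlib


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` RC4 keystream bytes after discarding the first `drop`."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    i = j = 0
    out = bytearray()
    for n in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if n >= drop:  # the first `drop` bytes never reach the wire
            out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_seal(secret: bytes, iv: bytes, payload: bytes, drop: int = 0) -> bytes:
    """Build IV || RC4(IV || secret) XOR (payload || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 3-byte IV")
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + _xor(body, rc4_keystream(iv + secret, len(body), drop))


def wep_style_open(secret: bytes, frame: bytes, drop: int = 0) -> bytes:
    """Decrypt a frame and verify its ICV; raise ValueError on mismatch."""
    if len(frame) < 7:
        raise ValueError("frame too short for IV and ICV")
    iv, ciphertext = frame[:3], frame[3:]
    body = _xor(ciphertext, rc4_keystream(iv + secret, len(ciphertext), drop))
    payload, icv = body[:-4], body[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


# Constructed sample values (not taken from any real network).
SECRET = bytes.fromhex("0102030405")      # 40-bit WEP-sized key
IV = bytes.fromhex("a1b2c3")
PAYLOAD = b"constructed sample payload"
DROP = 768                                # assumed drop count, agreed by both ends

if __name__ == "__main__":
    plain_wep = wep_style_seal(SECRET, IV, PAYLOAD)
    dropped = wep_style_seal(SECRET, IV, PAYLOAD, drop=DROP)
    print("same IV, different ciphertext:", plain_wep != dropped)
    print("round trip:", wep_style_open(SECRET, dropped, drop=DROP))
    try:
        # A receiver that does not discard the same bytes cannot read the frame.
        wep_style_open(SECRET, dropped, drop=0)
    except ValueError as exc:
        print("legacy receiver:", exc)
```

Because sender and receiver must discard the same number of bytes, a change like this cannot interoperate with equipment that implements WEP as specified.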

How secure is TCP/IP over wire? Not much. (3, Insightful)

Anonymous Coward | more than 13 years ago | (#2243109)

WEP should be viewed as a means of thwarting casual snooping, just as having separate 10BaseT cables for each computer hampers casual snooping. But unencrypted network traffic is ALWAYS vulnerable to snooping, so claiming 802.11b is fatally insecure is foolish. Unencrypted traffic should always be viewed as insecure.

Re:How secure is TCP/IP over wire? Not much. (3, Interesting)

Ronin Developer (67677) | more than 13 years ago | (#2243175)

Allowing the underlying application protocols to implement security is a good idea.

We've deployed a wireless application over CDPD. While we can pretty much assume the traffic between modem and CDPD carrier is encrypted and authenticated using the built in capabilities, we can't say the same about the connection from the carrier to our customer's site and their WAN.

As such, we employ an embedded VPN solution at each client and terminating site. Traffic is encrypted from the moment it leaves the mobile unit until it reaches its final destination. Unencrypted traffic is not visible except on the terminating LAN (if the VPN is running on a machine separate from the server).

Re:How secure is TCP/IP over wire? Not much. (3, Informative)

jcostom (14735) | more than 13 years ago | (#2243332)

We've deployed a wireless application over CDPD. While we can pretty much assume the traffic between modem and CDPD carrier is encrypted and authenticated using the built in capabilities, we can't say the same about the connection from the carrier to our customer's site and their WAN.

I hope you're not relying on the crypto in CDPD. It's RC2.

Re:How secure is TCP/IP over wire? Not much. (2)

Ronin Developer (67677) | more than 13 years ago | (#2243340)

Hell no! That's why we use an embedded VPN solution. It provides end-to-end security for our data rather than relying on a piece-meal system.

Re:How secure is TCP/IP over wire? Not much. (0)

Anonymous Coward | more than 13 years ago | (#2243832)

That sort of misses the point, which is that 802.11b allows someone to bypass a properly configured firewall by sitting outside a building in their car, etc. It's like letting someone plug their laptop into a 10BaseT jack in your office, but you can't see them sitting in your hallway.

Re:That's a pretty sad response (1)

Explo (132216) | more than 13 years ago | (#2243726)


The solution is to *fix* 802.11b's security, which shouldn't be that hard. I believe that simply running the crypto algorithm through a few start cycles, before transmitting, is sufficient to stop the published attacks.


A potential solution for quite a few flaws in WLAN security could be 802.1x. Sorry that I have no links available at the moment, but a quick search with Google or similar tool should be able to give a rough idea about it.

Re:That's a pretty sad response (1)

Florian Weimer (88405) | more than 13 years ago | (#2243950)

From a user's and non-WLAN network administrator's perspective, WLAN is a bit like traditional dial-up lines: non-permanent connections, one user might have several hosts (laptop, iPAQ). So you definitely want user-based authentication (perhaps even according to your already existing dial-up user database). As far as I know, all the WLAN security stuff is targeted to host-based security without proper key management protocols, which is not very interesting if you look at this perspective because even if it does provide some security, it is not using a practical scheme.

Facing this kind of problem, our local university decided not to use WEP at all from the beginning, but an IPsec derivative (unfortunately with vendor-specific extensions for the user-based authentication).

Why did it take this long for people to get it? (4, Insightful)

Anonymous Coward | more than 13 years ago | (#2243079)

It's really no different than plugging into a hostile, unswitched network. Trust no one! Sure, it's easier to "plug" into a wireless network, but you should never trust any traffic medium. Encryption all the way!

Unswitched or Switched (0)

Anonymous Coward | more than 13 years ago | (#2243928)

You cannot trust any net, there are also "sniffers" for switched networks :)

Re:Unswitched or Switched (-1, Flamebait)

Anonymous Coward | more than 13 years ago | (#2244054)

That was his/her point, dipshit. Do you think before you speak?

Cool...but... (2, Interesting)

Multispin (49784) | more than 13 years ago | (#2243083)

This is the same thing that any major, secure install has been doing from day 1.

However, it is good to see widespread use of these techniques. Maybe it'll help those less secure installs:)

C'mon now (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243085)

DO NOT have sex with that horse, you monster!

Hell, still easy to decrypt (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2243094)



Even I'm a bit amazed at how quickly someone got around this. Protocol-based security is just weak. Here's a description on how to get past NASA's method. [128.121.12.52] Granted, it's just a model but it shouldn't be too hard to modify it to the real thing.

WARNING: Another goatse.cx moron (2)

ZxCv (6138) | more than 13 years ago | (#2243137)

not the real goatse.cx but bad enough

Re:WARNING: Another goatse.cx moron (2)

ZxCv (6138) | more than 13 years ago | (#2243150)

eh i love what happens to replies to messages that get mod'd into oblivion

Re:WARNING: Another goatse.cx moron (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243221)


Here is my ass
Which you may kiss.
Take time and aim well
You don't want to miss.

For if you aim low
And your lips they do fall
Then you will find
You'll be sucking my balls.

If you aim high
Despite your true heart
Sucks to be you
Now you're eating my fart.

Is this surprising? (1)

Kenyaman (458662) | more than 13 years ago | (#2243097)

This seems pretty straightforward to me.

Well shit, DUH! (1)

BiggestPOS (139071) | more than 13 years ago | (#2243099)

Who didn't know this/wasn't doing this when they were using such an insecure protocol. With Cat-5, at least you are fairly safe from eavesdropping, they have to at the very least physically compromise security. But with anything wireless that is not the case, and I wouldn't trust that network with ANYTHING secure without all kinds of controlled access at both ends. I mean, DUH.

Re: insecure? (5, Informative)

Bodero (136806) | more than 13 years ago | (#2243100)

I love how everyone is spouting "wireless is insecure" but give no real details on how that is.


The real details are not too hard to find...30 seconds with a search
engine came up with quite a few references, including:

http://www.cs.umd.edu/~waa/wireless.pdf [umd.edu]

That document contains a fair number of bibliographical references
which you might find interesting.


The principal problem I've found with wireless security is that lots
of people deploy it poorly - effectively allowing anyone nearby to
"plug" into their network. Most of the news articles about hacking
wireless networking are about this kind of insecurity. The implication
is that when you set up a wireless network you need to use WEP to
encrypt the connection.


Some of the more alarming articles suggest that WEP is weak, and so
can't really be relied upon. If this is correct, then it means one
must use encryption at a higher level - which is not a trivial
undertaking. If you can't deploy IPSEC throughout your network, you'll
have to put your wireless access points outside of your firewall and
use VPNs to get in.

Re: insecure? (2)

mesocyclone (80188) | more than 13 years ago | (#2243196)

WEP has been proven insecure. In fact, software is available now to automatically crack any WEP system by passive monitoring.


Less clear is whether WEP must be insecure. I see no reason that a MAC-level protocol cannot be as secure as any other protocol. And WEP is based on a presumably secure encryption algorithm, which it uses poorly.

MAC-level will not work (1)

dirtyeye (322393) | more than 13 years ago | (#2243345)

Because it is possible to change your MAC address there is really no security in it, a bit like an IP address. It is also possible to sniff MAC addresses, even off encrypted traffic, so it would be easy to get a valid address.

Re:MAC-level WILL work - depends how you use it (1)

quanta (16565) | more than 13 years ago | (#2243456)

If both users try to use the same MAC address
at the same time, each will get NOTHING!

Re:MAC-level WILL work - depends how you use it (2)

mindstrm (20013) | more than 13 years ago | (#2243564)

No.. you don't need a mac address to sniff traffic.

Re:MAC-level will not work (3, Informative)

mesocyclone (80188) | more than 13 years ago | (#2243578)

MAC level can be secured by means other than simple MAC address screening. The key is to encrypt at the MAC level (as IEEE 802.11b does), but to do it well. 802.11b uses a private key, so if the key is chosen properly, and the encryption algorithm is strengthened (by using it right!), then one should not need any higher level protocols for normal security.


Certainly even encrypted systems are susceptible to traffic analysis (putting together an org chart by seeing who talks to who), but that is rarely a threat in the commercial world.

Re: insecure? (2)

Bishop (4500) | more than 13 years ago | (#2243842)

I believe the answer is that WEP as implemented in 802.11b is insecure. 802.11x (I believe x is correct) will add a new key exchange that is supposed to be secure.

The real problem is that marketing wants 802.11 to be secure *and* easy to setup. Security is not easy. Sure the cryptography part is dead simple. It is all the parts around it that have to be equally secure that make it hard.

Wow (-1)

Klerck (213193) | more than 13 years ago | (#2243103)

I wonder if I'm banned from posting for all my downmods today...

Re: Bluetooth (5, Informative)

Bodero (136806) | more than 13 years ago | (#2243107)

It's sure to give both Bluetooth, which was gasping for breath, and HomeRF, which was on a respirator, renewed leases on life. If the powerline networking gear arrives by year end and works as advertised, it will probably win the battle.

Not really...

802.11b is seeing high adoption rates in corporate networks. For better or worse, impenetrable security is not usually at the top of the list when choosing a network component. (ahem [sourceforge.net] )

By starting with a halfway decent basestation that allows for only registered MAC addresses to attach to it, then running some simple Vlan software (with or without WEP) you have an RF network that is as secure as most people *really* need it to be.

As for Bluetooth, it's really not here yet, and it's intended for short-range devices that will most likely require lower throughputs than what 802.11b offers. HomeRF is a sort-of direct competitor, but it also has issues of its own.

With the right tools, and some dedication almost any simple network can be cracked. I remember when most people didn't know what "promiscuous mode drivers" were for, and many corporate LANs on simple 10M hubs were easily cracked by patching into an unsecured jack.

802.11b is gaining a lot of press, and thus attracts more hacker efforts. I can almost guarantee that if HomeRF were the predominant wireless standard, we would be seeing the same hacker tools for it.

Re: Bluetooth (2, Insightful)

fwr (69372) | more than 13 years ago | (#2243264)

You're kidding right? "registered only MAC addresses" security is a joke. It's such a management nightmare when you're talking about a significant number of users on a wireless network, think quite a few hundred to thousands of docs and nurses on a hospital network, that it's practically unmanageable. The only real solution is to use VPN technology. And what does VLAN software have to do with security? When you say that MAC address lists and VLAN software (whatever that's supposed to give you) makes an RF network as secure as most people *really* need to be you obviously are only thinking about breaking in and not just covert observation and data gathering. Think about HIPAA. If someone is able to gather packets on an RF network (which is relatively easy to do) then restricting which MAC addresses can get INTO the network is next to useless. The concern is people seeing confidential medical information going across the RF network, and limiting MACs does nothing to secure that information. I don't know how VLANs would help in this either. Sounds like you just threw that word in there without knowing what you're talking about. And no, I don't think the 802.11b protocol can be "fixed" from a security perspective without making it an essentially new protocol that will not be compatible with all the existing equipment. Sure, it could be "backwards compatible" but then only new equipment would benefit from the enhanced security.

Stephen King, author, dead at 54 (-1, Flamebait)

Anonymous Coward | more than 13 years ago | (#2243115)


I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

Re:Stephen King, author, dead at 54 (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243144)

He's 53, you jerk.

Re:Stephen King, author, dead at 54 (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243231)


Louis Armstrong, trumpet player and Jazz pioneer, died yesterday morning in his Los Angeles home. He was 71. Armstrong's last performance was at James Madison University's Convocation Center on March 24, 2001, where he played to a standing room only crowd of 5,000. Armstrong was helped off the stage by his wife of 20 years, and he later told a reporter for the campus newspaper "I don't know how much longer I can do this. This may be one of my last shows." His final song was his biggest hit, Hello Dolly! He is survived by his wife, 3 children and 6 grandchildren.

Re:Stephen King, author, dead at 54 (0)

Anonymous Coward | more than 13 years ago | (#2243461)

[yup] [i] [killed] [that] [mother] [fucker]
Lameness filter encountered. Post aborted!
Reason: Ascii art. How creative. Not here though.

Working on something similar (3, Interesting)

Mike Hicks (244) | more than 13 years ago | (#2243118)

I'm working on something similar using Linux and IP Tables. One benefit (apparently -- I haven't played with IP Filter yet) of using IP Tables is that packets can be matched by IP address and MAC address at the same time.

I shouldn't say that my piddly firewall can measure up to what the folks at NASA could cook up, though, as I haven't figured out how to get the statefulness of IP Tables/Netfilter to help me out. We're also not using VPN yet (though we're planning to allow VPN clients to connect to a server farther upstream).

Re:Working on something similar (1)

ByTor-2112 (313205) | more than 13 years ago | (#2243147)

That's pretty useless in this case, considering I can fake MAC addresses. Oh, and they can be obtained without decrypting the ciphertext.

I am homosexual, can I attend? (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243120)

I was just wondering, because I am gay.

No (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2243129)

Homos need not apply!

Re:No (0)

Anonymous Coward | more than 13 years ago | (#2243413)

No, no, no. Hemos need not apply.

Tunneling is not the answer. (5, Interesting)

davidu (18) | more than 13 years ago | (#2243136)


This solution, far from creative or unique, offers nothing in terms of aiding in the creation of secure PUBLIC networks.

For example, a college campus can't be expected to teach every student, including the non-geeks how to setup IPsec, port forwarding with SSH, and all other kinds of neat things.

Granted, Dan Kaminsky [doxpara.com] gave a talk at DefCon this year on how to seamlessly tunnel your way through 'hostile' networks it still isn't as simple as just renewing your IP and being online.

One possible solution to secure public nets is similar to the way we validate PGP keys. Face to face signing parties. If I run a public net I'd like to know who is using it. How about you drop by my cafe and just give me your MAC address and I'll add you to the firewall's rulesets. Automatically you now can find out who is in promiscuous mode, who is using all your bandwidth, etc, etc, etc.

There are many other solutions that aren't as much of a hack as IPSec, ssh tunneling, or any of these other high level obfuscators.

Thanks,
David U.

neither is what you suggest (1)

DHR (68430) | more than 13 years ago | (#2243368)

MACs can easily be spoofed, and to sniff the network you can do it passively, so the MAC check isn't even going to come into play

Not that new of a solution... (3, Informative)

NetJunkie (56134) | more than 13 years ago | (#2243149)

Many people, me included, will put the access points outside the firewall and have the clients VPN back in to the network. This way you can disable WAP and just use the 3DES encryption of the VPN.

IPSec (1)

John Whorfin (19968) | more than 13 years ago | (#2243164)

Actually I'm in the process of setting up wireless gateways using a linux kernel, busybox, iptables, dhcpd and freeswan.

The security comes from IPSec. It also works with OpenBSD (tho Open is hard to fit on a single floppy :)).

Still not ready for public release tho :(

OpenBSD baybee (1)

niekze (96793) | more than 13 years ago | (#2243173)

This is usually where I spout about OpenBSD, (hehe guess this is a setback for you BSD-Dying trolls...) but I wonder why/who chose OpenBSD? I've recently 'played' with the grsecurity patches for 2.4.9 and I like them. A lot of them give OpenBSD-ish features to linux, but some extend what OpenBSD currently provides. The only reason I bring this up, is that >2.9 (aka -current and future releases) does not have ipf. The pf project (OpenBSD's own packet filter) replaces ipf. But, 3.0 comes out in December....Wonder how it will all turn out....

Uh, yeah. (-1, Flamebait)

TheLinuxWizard (518907) | more than 13 years ago | (#2243179)

Couldn't this have been done just as well (if not better :P) with Linux?

Major league insecure (3, Insightful)

Anonymous Coward | more than 13 years ago | (#2243188)

this "solution" is wide open to man-in-the-middle attacks. Tomorrow, I'll drive up there and setup my own DHCP server on their intentionally-WEP-disabled network. I'll hand out MY server's IP as the DNS server, and tell them to HTTP/HTTPS to MY server. I'll collect their usernames/passwords, send them a "site down for maintenance, try again later" message, and cruise through the real front door myself. Sheesh.

not perfect, but worth modding up... (2)

Psarchasm (6377) | more than 13 years ago | (#2243262)

not quite sure how you are going to get your certificate validated to a nasa.gov domain via any certificate authorities - but yes... it is wide open to a man-in-the-middle attack.

The problem as I see it for NASA in particular is that they probably support MANY client OSes. Thus making VPN difficult at best as many have suggested. I would not be surprised to hear that there were 95/98/NT/2000/MacOS 8/MacOS 9/MacOS X/Solaris/Linux clients that would all want to make use of the wireless network. It would be possible to support them all under multiple VPN products - but it wouldn't be cheap nor would it be management friendly.

Re:not perfect, but worth modding up... (1, Interesting)

Anonymous Coward | more than 13 years ago | (#2243305)

not quite sure how you are going to get your certificate validated to a nasa.gov domain via any certificate authorities

Don't need to. I'll use http. Their http server redirects you to https. Mine won't. Most users won't notice the difference. I'll put an "under construction" icon on the page and say we're remodeling. All I need is one less-cluefull user to give me his username and password, and it's game over.

And this without even getting into DDOS attacks. A rogue DHCP server is a mindnumbingly painful adversary.

Re:Major league insecure (-1, Redundant)

Anonymous Coward | more than 13 years ago | (#2243576)

Ahem.. Certificates

Re:Major league insecure (0)

Anonymous Coward | more than 13 years ago | (#2243691)

Ahem. Not quite. Certificates are only good if your lusers (1) refuse to accept an unsigned one, and (2) refuse to login on a non-SSL page. I wouldn't count on either of these things being the case.

Re:Major league insecure (2)

hbo (62590) | more than 13 years ago | (#2243610)

Yeah, and if you follow the link [nasa.gov] in the referenced article that gives details on the implementation, you'll see that they are dynamically adding ipf rules based on their Apache/PHP/SSL app. So they're letting anyone within range of the wireless AP play with an app that can potentially open that gateway up to all kinds of traffic. The box has three interfaces, one each on the wireless, internal and "commodity internet". Thus the PHP app could potentially be subverted to open access to the internal net from the Internet.

I'm implementing a hardware based VPN for our WLAN. As others have noted, that makes it hard to support multiple OS, though not impossible. I have Free S/WAN interoperation with the VPN using IKE preshared secrets, so that gives me Linux support. Now what we need is integrated IPSEC support from the WLAN vendors.

Re:Major league insecure (2)

chill (34294) | more than 13 years ago | (#2243766)

And if you configure your clients to accept DHCP info from only one server (IP/MAC)?

Yes, I know both IP and MAC addresses can be spoofed but do you have any idea how blatantly obvious it is when you stick two machines on one network (wireless or not) with the same MAC/IP address?

"Man In The Middle" attacks are wonderful conversation pieces but good luck in finding any reported successes outside a controlled lab environment.

Either way, combine their solution with both client and server certificates and you have a good solution that your "man in the middle" won't touch.

Make people REGISTER to get an account and issue them a client certificate at that point.
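An added example, not part of the thread and not NASA's code: the rogue DHCP server raised in this sub-thread, seen from the monitoring side. It parses DHCP server replies and flags any whose server identifier (option 54) or DNS servers (option 6) are not on an allowlist; the packets are constructed inline, and the function names, allowlists and 192.0.2.x addresses are assumptions.

```python
import socket
import struct

MAGIC_COOKIE = bytes.fromhex("63825363")
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236 bytes
OFFER, ACK = 2, 5  # DHCP message types sent by servers


def build_reply(xid, yiaddr, server_id, dns, msg_type=OFFER):
    """Construct a DHCP server reply (helper for the sample data only)."""
    header = BOOTP_HEADER.pack(
        2, 1, 6, 0, xid, 0, 0,                       # op=BOOTREPLY, Ethernet
        bytes(4), socket.inet_aton(yiaddr),
        socket.inet_aton(server_id), bytes(4),
        bytes.fromhex("020000000001"), b"", b"")     # constructed client MAC
    options = bytes([53, 1, msg_type])
    options += bytes([54, 4]) + socket.inet_aton(server_id)
    options += bytes([6, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_options(packet):
    """Return {option code: raw value}; raise ValueError on malformed input."""
    start = BOOTP_HEADER.size + len(MAGIC_COOKIE)
    if len(packet) < start:
        raise ValueError("shorter than BOOTP header plus magic cookie")
    if packet[BOOTP_HEADER.size:start] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, pos = {}, start
    while pos < len(packet):
        code = packet[pos]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            pos += 1
            continue
        if pos + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        pos += 2 + length
    return options


def audit_replies(packets, trusted_servers, trusted_dns):
    """Return (packet index, finding, detail) tuples for suspicious replies."""
    findings = []
    for index, packet in enumerate(packets):
        try:
            options = parse_options(packet)
        except ValueError as exc:
            findings.append((index, "malformed", str(exc)))
            continue
        msg_type = options.get(53)
        if not msg_type or msg_type[0] not in (OFFER, ACK):
            continue             # only server replies carry a lease
        raw_id = options.get(54, b"")
        server = socket.inet_ntoa(raw_id) if len(raw_id) == 4 else "<missing>"
        if server not in trusted_servers:
            findings.append((index, "untrusted-server", server))
        raw_dns = options.get(6, b"")
        dns = [socket.inet_ntoa(raw_dns[i:i + 4])
               for i in range(0, len(raw_dns) - len(raw_dns) % 4, 4)]
        bad_dns = [d for d in dns if d not in trusted_dns]
        if bad_dns:
            findings.append((index, "untrusted-dns", ",".join(bad_dns)))
    return findings


# Constructed sample data: allowlists and four captured-looking replies.
TRUSTED_SERVERS = {"192.0.2.1"}
TRUSTED_DNS = {"192.0.2.53"}
_GOOD = build_reply(0x1001, "192.0.2.100", "192.0.2.1", ["192.0.2.53"])
SAMPLE_PACKETS = [
    _GOOD,                                                             # legitimate
    build_reply(0x1002, "192.0.2.101", "192.0.2.66", ["192.0.2.66"]),  # unknown server
    build_reply(0x1003, "192.0.2.102", "192.0.2.1", ["192.0.2.66"], ACK),  # claims trusted id
    _GOOD[:250],                                                       # cut off mid-option
]

if __name__ == "__main__":
    for finding in audit_replies(SAMPLE_PACKETS, TRUSTED_SERVERS, TRUSTED_DNS):
        print(finding)
```

The third sample shows why checking the server identifier alone is not enough: a reply can claim the trusted address and still hand out a foreign DNS server.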

I was thinking of similar schemes.. (1)

GiMP (10923) | more than 13 years ago | (#2243210)

I am with a company which is rolling out wireless Internet access via 802.11b and was considering doing something like this. 802.11b sucks for security, but there are definitely many protocols for ip that you can tunnel through.

Maybe an ogre but not a troll... (1, Troll)

Psarchasm (6377) | more than 13 years ago | (#2243213)

How is this news?

The real "news" here is that NASA would find it appropriate to issue a press release on a project I would expect anyone half rational and competent to be able to figure out and implement in their sleep.

"This just in from NAS NASA - We have successfully patched IIS against Code Red thus developing the glue to keep our servers up and operational [editorial: for now]. More on this exciting development can be read at slashdot.org"

Please... Spend my tax dollars telling me how close you are at getting me and countless others some time in space. Not on how your (notably horrible in security) NAS team has defeated the WEP weaknesses that everyone and their brother already knew how to get around.

Re:Maybe an ogre but not a troll... (0)

Anonymous Coward | more than 13 years ago | (#2243378)

I have to agree....

Upon initially reading the article my first words will always ring true... "No Shit".

Then I realized it was NASA who came to this great conclusion. (The one again, everyone and their brother had reached as well days earlier). It must be great, because NASA fucking said it!@#! I mean, they sent chimps into space. These are fucking uber geeks!

I realized then, that my choice of tunneling over 802.11 was in error and that I should use NASA's approach of simply tunneling over 802.11. What the hell was I thinking?

MAC based security? (2, Informative)

Laven (102436) | more than 13 years ago | (#2243216)

Please correct me if I am wrong, but is not MAC based security easily circumvented by simply changing the MAC address on your card? It is very easy to do with Linux and/or some vendor supplied setup programs.

Re:MAC based security? (2)

mesocyclone (80188) | more than 13 years ago | (#2243593)

MAC based security just means doing security at the MAC level - which is the level at which the entire 802.11b operates. For example, 802.11b encryption operates at that level.

It should not be confused with simply filtering by MAC *addresses*.

They didn't 'overcome' anything.. (2, Flamebait)

mindstrm (20013) | more than 13 years ago | (#2243240)

They just build a network assuming people could sniff it.

The principle should be the same for any network, especially regarding anything going over the internet. Even a wired network is not 'secure'. Sure, there is the physical security element.... but one compromised host with a sniffer and you are in the same boat.

Encryption is a good thing.

Re:They didn't 'overcome' anything.. (0)

Anonymous Coward | more than 13 years ago | (#2243283)

Are you new to computers?

Re:They didn't 'overcome' anything.. (1)

webweave (94683) | more than 13 years ago | (#2243636)

Even wired networks should be built this way, all it takes is one workstation to have a 802.11 card and the network is wireless.

Solution to 802.11b security (0)

Anonymous Coward | more than 13 years ago | (#2243310)

It would seem to me that people are taking this whole wireless security thing all wrong. Think about it in a wired situation, when you are connected to a hub: anyone can see any packet by using the right tool. To provide security in this environment, we encrypt the individual services we feel may contain sensitive data. We don't go around all day worrying about how to encrypt every packet our computers send. It would only make sense that we think of wireless in the same way. If you are worried about password security, use kerberos, if you are worried about shell security use SSH, sensitive data on the web is in most cases already protected by SSL. So in the grand scheme of things, who really cares about WEP?

Uhh, Web based login interface is innovative? (1)

Jeff Knox (1093) | more than 13 years ago | (#2243333)

Who would have thought that was a newsworthy item. I mean, a web based login interface, which firewalls you out if you don't have a working login and password. Completely innovative! In a wireless sense, this is called a Captive (or Active, I myself am not clear on the differences) portal. I can't believe they made a press release out of that, and that it took them 40 hours to make!!

Wireless at any speed... (0, Redundant)

blkros (304521) | more than 13 years ago | (#2243342)

is going to be insecure. You're broadcasting radio waves that anyone can pick up--and with the right equipment decipher. It's the same with cell phones, cordless phones, cb radio, walkie talkies,etc.. If you want security, connect the communication devices physically. It ain't foolproof, but it's a lot harder to get into the system if you have to hook into something, rather than set up a remote receiver somewhere. This is why my networks are all through CATv--I like my privacy.

Re:Wireless at any speed... (1)

Chandon Seldon (43083) | more than 13 years ago | (#2243524)

We have the cryptographic techniques to make a wireless protocol unsnoopable. It's just a question of someone actually implementing it.

Been there ... Done that ... (1)

mendepie (228850) | more than 13 years ago | (#2243350)

I have not trusted WEP for a long time ... I recently reconfigured my home router/firewall so that the wireless bridge is on its own interface.

I treat it as a hostile (external) interface. If the connection is from a known IPsec peer, then I consider it a trusted internal connection.

For the non IPsec connections I allow access to a few services, mostly ssh and other crypted authenticated services.

I have set up an easy way for me to enable forwarding from the wireless network to the outside, so that when a friend comes over with an 802.11b laptop, I open my wireless network to the outside, while the inside is restricted.

Being able to do this is one of the advantages of running a real system as a firewall/router rather than one of the "Firewall/routers for dummies" boxes.

wireless security... (0)

Anonymous Coward | more than 13 years ago | (#2243396)

Uh, if anyone ever reads some of the wireless message boards (BAWUG, Seattle Wireless, PDXWireless) you'd see that we already knew this. Thanks NASA, but we got it first. I hope they don't patent it. Sheesh.

Bitter, aren't we? (1)

basking2 (233941) | more than 13 years ago | (#2243449)

Why, exactly, are so many people bitter, and therefore minimizing what NASA has done with their wireless network? Can't we just say, "Good for you, NASA" instead of the aimless negativity?
Oh well, just my opinion.

The OTHER solution... (2)

dpilot (134227) | more than 13 years ago | (#2243491)

And here I was expecting to see some government or corporate agency come up with the OTHER security solution...

Have a company distribute sound or music over 802.11, and then have the company use the DMCA to take anyone who cracks the security, and bash them over the head with a big legal mallet.

Either that or the military solution, to outlaw non-governmental, non-corporate encryption to the same end, bash in the head with the legal mallet.

(similarities ('bash' vs '/bin/bash') to a popular shell merely coincidental.)

Description of how they did it (1)

gfilion (80497) | more than 13 years ago | (#2243507)

Here's a technical description on how they did it: http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html [nasa.gov]

It's pretty neat:
You get your networking info via DHCP. This gives you access restricted to public data.
If you connect to their HTTPS web site and authenticate, this pokes a hole in the firewall and you get access to secured/private servers.
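
The flow described in this comment (DHCP first, then an HTTPS login that pokes a hole in the firewall), together with the concern raised earlier in the thread that a web app writing ipf rules could be subverted, as an added sketch that is not NASA's code and not part of any comment. The interface name `wi0`, the 192.168.50.0/24 subnet, the lease length and the `PortalFirewall` class are assumptions made for illustration.

```python
import ipaddress
import time

# Assumed values, not taken from the NASA write-up.
WIRELESS_IF = "wi0"
WIRELESS_NET = ipaddress.ip_network("192.168.50.0/24")
GATEWAY_IP = ipaddress.ip_address("192.168.50.1")
LEASE_SECONDS = 4 * 3600

# Rules every wireless client gets before logging in: DHCP and the HTTPS portal.
# Rules for the internal and Internet interfaces are assumed to live in a
# static file that the portal never writes.
BASELINE = (
    f"pass in quick on {WIRELESS_IF} proto udp from any to any port = 67",
    f"pass in quick on {WIRELESS_IF} proto tcp from {WIRELESS_NET} "
    f"to {GATEWAY_IP}/32 port = 443 flags S keep state",
)


class PortalFirewall:
    """Keeps authenticated wireless clients and renders the wireless ruleset."""

    def __init__(self, now=time.time):
        self._now = now
        self._leases = {}  # IPv4Address -> expiry timestamp

    def authorize(self, remote_addr, arrived_on):
        """Record a client after a successful login.

        remote_addr must be the socket peer address of the HTTPS connection,
        never a form field or header. Anything that is not a single host
        address inside the wireless subnet is refused.
        """
        if arrived_on != WIRELESS_IF:
            return False
        try:
            ip = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False  # covers injected text, CIDR suffixes, newlines
        reserved = (GATEWAY_IP, WIRELESS_NET.network_address,
                    WIRELESS_NET.broadcast_address)
        if ip not in WIRELESS_NET or ip in reserved:
            return False
        self._leases[ip] = self._now() + LEASE_SECONDS
        return True

    def render(self):
        """Rebuild the whole wireless ruleset from state, dropping expired leases."""
        now = self._now()
        self._leases = {ip: exp for ip, exp in self._leases.items() if exp > now}
        lines = list(BASELINE)
        for ip in sorted(self._leases):
            # The only variable part of a rule is a validated /32 address.
            lines.append(
                f"pass in quick on {WIRELESS_IF} from {ip}/32 to any keep state")
        lines.append(f"block in quick on {WIRELESS_IF} all")
        return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fw = PortalFirewall()
    fw.authorize("192.168.50.7", "wi0")  # constructed sample client
    print(fw.render(), end="")
```

Because the ruleset is regenerated from a table of validated addresses instead of appended to on request, a compromised login page can at most admit another wireless host; it cannot name a different interface or a wider source range.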

RE: bitter, aren't we?? (0)

Anonymous Coward | more than 13 years ago | (#2243513)

We're bitter because they've dashed our hopes a few times already with their recent screw-ups involving Mars (read: metric conversion) and other space-related things. The /. crowd is full of people who dream of space, and don't like the fact that because of NASA's shitty funding, politicizing, etc. we'll never get to go into space. We all like to imagine a space where our dreams of the future come true, but with NASA being the best space agency available, and their constant bad press, we may never realize those dreams. We can't help but wonder what it'd be like if NASA hadn't screwed up. Would they have more funding? Would the dream that was space come true? Would we be able to use our meager income to experience the glee that must come with complete weightlessness???? I tell you, this is why people are bitter. We don't want 802.11b security. We want to float around. Sheesh.

A real solution (2, Interesting)

WestonP (59166) | more than 13 years ago | (#2243530)

I've been doing that for some time now. I simply consider the 802.11b net to be accessible to the public, and therefore it's firewalled. The problem is that people can still see what I'm doing (with the exception of SSH and HTTPS) or spoof the IP address of my laptop and get Internet access. But here's how I plan to actually solve the problem once and for all:

I'll install Linux (BSD's should work too) on my laptop and tunnel PPP over SSH to my server, thus creating a quick and easy VPN. My server's firewall will then be set to block and log everything except DHCP and SSH that comes over the real 802.11b interface, but allow everything that uses the secured PPP session.

That causes three problems:

1) I'd like to be able to keep Windows on the laptop just for the software compatibility, but I think I can get by with VMware under Linux.

2) It's not very scalable. The best solution I can think of is to make a universal SSH account that just provides PPP sessions. The client PPP IP address would be selected based on some sort of ID that the client provides, just like DHCP. I suppose I could make the client script pass its 802.11b adapter's MAC address to the server and then the server would assign it an IP accordingly. But, I still have to give anyone who I want to connect to my network the password for that SSH account and the client side script, and they have to be running a UNIX family OS.

3) I'm still vulnerable to DoS attacks by people in range of my WLAN. A simple broadcast storm would probably be pretty effective. But, I don't think this is a big threat, since my range is pretty limited. I'm also vulnerable to any security holes that may be in DHCP or SSH, but I seriously doubt there are any skilled crackers within range of my WLAN. And, I'll patch any holes myself once they are published on BugTRAQ or something, so script kiddies aren't a threat, if there are any in range.

So the only solution. (compiled) (1)

BrookHarty (9119) | more than 13 years ago | (#2243554)

Ok, reading what everyone says the only Secure method to use 802.11b is

1. Disable WEP
2. Put a firewall between your wireless router and network.
3. Only allow the VPN ports
4. Run a VPN client.

Is this it? Doesn't sound too hard, and I have a 486 that would make a nice firewall. Humm, time to go pick up a wireless router now. :)

Re:So the only solution. (compiled) (0)

Anonymous Coward | more than 13 years ago | (#2243677)

How will I copy a file from my wireless laptop to your wireless laptop?? Via the firewall? scp? That's laborious. Hope you don't have a bunch of Windows and Mac users.

I, and many others, need a solution that allows wireless devices to seamlessly integrate (after they have securely authenticated themselves) into my wired network. That means samba still works, they show up in network neighborhood, they can access internal webservers, drag and drop files to copy, print via normal windows/mac/what-have-you print services. All while keeping unauthorized users from using, interfering, and/or monitoring our network services and traffic.

The NASA solution doesn't even come close.

[sic] (0)

Anonymous Coward | more than 13 years ago | (#2243622)

When someone sends in a write-up it is the editors responsibility to "edit" the content.

Secrurity? I can tell that the Slashdot editors really take their job seriouslsy.

Why not M$ ? (0)

Anonymous Coward | more than 13 years ago | (#2243632)

They run it on OpenBSD? Why not microsawpht? OpenBSD is open source and we all know opensource sux. M$ is more reliable, faster, secure, and they dare to avoid M$! What da heck they think they are??? Are all those commercials on TV and papers for nothing? Hey guys, don't be so pathetic, get a life!

Well (-1)

Dest (207166) | more than 13 years ago | (#2243653)

The most secure form of 802.11 is to replace it with cables.

We figured this out about a year ago. (1)

belial (674) | more than 13 years ago | (#2243681)

The whole idea of trusting the wire is a pretty bad one.

http://seattlewireless.net/ [seattlewireless.net]

That's pretty obvious (2)

jbrw (520) | more than 13 years ago | (#2243685)

I'd go so far as to say it didn't take a rocket scientist to figure that out.

Hoho!

The point is high usability / flexibility (3, Informative)

nikpieX (518952) | more than 13 years ago | (#2243738)

As the developer of this system, I would like to add a few points that the news articles didn't make clear, or mis-stated. The reason why we have a wireless network is for conferences and visiting scientists. From the start, it was considered an external network to prevent access to sensitive data. Thus, we have to support any person walking in with any type of equipment (Macs, Windows, Linux, BSD, etc) without having them use any specialized software. This is all focused on how convenient it is for the person who walks in at 8 AM and has a presentation to do in 15 min. As long as they can figure out how to use DHCP and open up a web browser, nothing more needs done. So yes, we can do IPSec, VPN, and so on, but we also don't care as it's external to begin with. We simply do not want to become a "free ISP" like so many other companies are with their wireless.

This device is indeed quite "common sense"; it is supposed to be. We searched for a vendor that provided these services (user accounting/authentication, dynamic firewall, etc), but didn't find any, so we simply built it ourselves. It does the job for what we need it to do in our environment.

-Nichole
(NASA Advanced Supercomputing Division)

Not a problem if you implement real security (1)

Jeppe Salvesen (101622) | more than 13 years ago | (#2243763)

Security is a continuing process. You have to work not only on the technical level, but also with people. That being said, I'd like to discuss a bit of security.
Security is not implemented on a single level. The idea is that if you fuck up, there is a pretty good chance another level will catch you.

Consider this wireless story. It's really not THAT terrible - if you are using secure protocols. The people that struggle, are those that trusted 802.11b to the point of thinking that was their only level of security.

The fact is, a lot of security incidents stem from employees. They may be disgruntled or just curious. Whatever their motivations may be, it is a bit naive not to watch your back when dealing with coworkers. I'm not talking full-on paranoia, just using ssh rather than telnet on the intranet and measures to that effect. It's quite amazing what you can accomplish with a bit of elbow grease and a healthy mindset.

Check out NoCatAuth... (0)

Anonymous Coward | more than 13 years ago | (#2243775)

If you're looking to set up a public access network you might be interested in something like NoCatAuth.

http://nocat.net

Duh! (0)

Anonymous Coward | more than 13 years ago | (#2243811)

Isn't it just common sense to use proven-security application-level encryption always! It's nice that link-level encryption is there but who will rely on only that... only fools.