Archive for the ‘rant’ Category

Wi-Fi Protected Setup - a good idea badly implemented?

This post is a rant about what I think is a pretty decent idea gone pretty badly wrong. The idea is something called “Wi-Fi Protected Setup.” I have not been able to find any other information on the web that talks about the particular problems I’ve seen (and what I believe to be a not-insignificant security hole), so why not rant about it here a bit? :)

Wi-Fi Protected Setup (WPS), as I said, seems to me to be a pretty good idea for solving a valid problem: historically, setting up a secure wireless network is not easy for the average home user. The user has historically been expected to set up a number of security-critical settings when first installing the wireless access point (“AP”, usually a wireless router), such as SSID, security/encryption type, and a passphrase. Once all that is set up, each wireless “client” device must select the correct wireless network (by SSID) and then be given the network’s passphrase in order to connect. For those of us familiar with security and networking, this is pretty simple. For the average home user, it can be quite confusing.

My understanding of the idea behind WPS is to help the average user bypass a lot of these steps and still end up with a secure network. In an example WPS setup (described by a whitepaper available from the Wi-Fi Alliance web site), the process might look like this:

  • power up the new AP
  • attempt to connect to the wireless network with a client device
  • verify that the client and AP really should be connecting by:
    • pressing buttons (could be either physical or virtual) on both ends, which starts a limited-time window for allowing the connection, or
    • entering a PIN number provided by the client into the AP

This process would automatically set up an SSID (hopefully unique) and passphrase (hopefully pseudorandom) on the AP and transfer that information to the client. For each new client, the process is simply repeated (with the difference that the SSID and passphrase are not reset for the subsequent added clients). The pushbuttons/PIN help verify that only known clients are added to the network, and the user is spared a lot of setup. I quite like the theory.

In practice, of course, not all wireless APs and clients support WPS. In particular, the Wireless Zero Configuration utility in Windows XP does not support WPS. My web research also suggests that while Vista supports WPS, it does so in a way that requires a wired Ethernet connection for the initial AP setup. I’m not a Vista user, so I can’t verify this personally. For any AP or client which does not support WPS, the standard “manual” method for connecting to the network must be used: the network’s passphrase must be known and must be provided to the client.

My particular rant in this post, however, has to do with the way that Intel chose to implement WPS in their Wi-Fi Configuration Utility (an optional component supplied with their driver which replaces the Windows built-in Wireless Zero Configuration utility) and how it interacts with the WPS implementation in a Linksys wireless router which I have personally used.

Intel chose to implement a PIN-based method for authorizing clients on a network. My reading of the WPS descriptions that I’ve seen (including the aforementioned white paper) seems to imply that the PIN method is intended to work by taking a PIN provided by the client and providing it to the AP. That makes sense to me. In that model, the only time a client can join the network (using WPS) is if its PIN is provided to the AP. Access for doing that is presumably restricted to someone who controls the network.

However, upon detecting a network which supports WPS, the Intel utility asks the user for a “device ownership password” associated with the AP. Once the user obtains this “password” (which is really a WPS PIN) from the AP and types it into the PC, the connection is established. The Linksys router I used humors this behavior by providing a WPS PIN (in addition to having both a physical and a web-based virtual button and a place to type in a client’s PIN). The router’s PIN is provided in the web interface and is printed on a sticker attached to the bottom of the router. Here’s the kicker, though: the Linksys router’s PIN is chosen at the factory and cannot be changed by the end user.

I see two security holes here. First, the PIN is a relatively short numeric value. Since all a WPS client needs is that PIN in order to gain access to the network, that effectively creates a very weak “password” (regardless of the size or complexity of the actual WPA/WPA2 passphrase). The bigger problem, however, is that once that PIN has been given out, it can be used again, potentially by a new unauthorized user. Since the PIN cannot be changed, the router’s owner has no way of preventing this from happening. The web interface on the router supposedly gave a way to turn off WPS, but it did not appear to work. I was still able to use the PIN to gain access even after turning that option off.

On Intel’s side, there is yet another problem. Not all APs which support WPS provide a PIN. Some can only accept a client PIN (which seems to me to be what was intended in the design of WPS). The Intel utility does not provide a client PIN. It requires a PIN from a WPS-supporting AP. If the AP doesn’t have a PIN, then you’re pretty much stuck. I did not see a way to bypass that prompt and manually connect using the network’s WPA/WPA2 passphrase. The only way I saw around it was to run the Intel setup utility and remove the Wi-Fi Protected Setup feature altogether (which, fortunately, can be removed separately while leaving the rest of the utility intact). At that point, the network can be added manually.

This seems like an example of a good idea implemented very badly. I think the whole model of the AP providing the PIN to be used by the clients is backwards. It places control in the hands of the clients instead of the AP. It also reduces security by depending on a relatively short numeric value. I could almost live with that, though, if there was a way to change the PIN or disable WPS on the Linksys router. What really surprises me is that I have not seen anyone else on the net mention this. I may be missing something. The Cisco-Linksys WPS interaction I’ve described above is from my own experience, but it’s possible that I’ve done something incorrect. If anyone can see the hole in my description, please comment on this post and explain. If I’m right, though, then this looks like a pretty broken system.
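The difference between the two PIN models discussed in this post, as an added example that is not part of the original post and is not Intel's or Linksys's code. It is a toy model, not the WPS protocol: the class names, the constructed PIN and passphrase values, and the single-use and 120-second expiry behaviour of the client-PIN model are all assumptions made for illustration.

```python
import secrets

class StaticPinAP:
    """AP-provided PIN model: one factory PIN that the owner cannot change."""
    def __init__(self, factory_pin, passphrase):
        self._pin = factory_pin
        self._passphrase = passphrase

    def enroll(self, client_id, pin):
        # Anyone who has ever seen the sticker PIN receives the passphrase,
        # no matter how strong the WPA/WPA2 passphrase itself is.
        if secrets.compare_digest(pin, self._pin):
            return self._passphrase
        return None

class ClientPinAP:
    """Client-provided PIN model: the owner enters each client's PIN into the AP."""
    def __init__(self, passphrase, window_seconds=120):  # window length is assumed
        self._passphrase = passphrase
        self._window = window_seconds
        self._pending = {}  # client PIN -> expiry time, set only by the owner

    def authorize(self, client_pin, now):
        self._pending[client_pin] = now + self._window

    def enroll(self, client_id, pin, now):
        # Assumed policy: a PIN is consumed on first use and expires with the window.
        expiry = self._pending.pop(pin, None)
        if expiry is not None and now <= expiry:
            return self._passphrase
        return None

def demo():
    """Run both models on constructed values; True means the client got on the network."""
    static_ap = StaticPinAP("00000000", "constructed-passphrase")
    results = {
        "static_owner": static_ap.enroll("laptop", "00000000") is not None,
        "static_reuse": static_ap.enroll("stranger", "00000000") is not None,
    }
    ap = ClientPinAP("constructed-passphrase")
    pin = f"{secrets.randbelow(10**8):08d}"  # constructed PIN generated by the client
    ap.authorize(pin, now=0)
    results["client_owner"] = ap.enroll("laptop", pin, now=30) is not None
    results["client_reuse"] = ap.enroll("stranger", pin, now=40) is not None
    ap.authorize(pin, now=100)
    results["client_expired"] = ap.enroll("laptop", pin, now=221) is not None
    return results

if __name__ == "__main__":
    print(demo())
```

In the static model the owner has nothing to revoke, so the second enrollment succeeds; in the client-PIN model every admission requires a fresh action by whoever controls the AP.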

A water-powered car!

Wow. Tonight is just a treasure trove of car-related stuff for me to point and laugh at. :)

I’ve heard of stuff like this before, but I’ve never actually seen plans. Behold: “PRELIMINARY PLANS TO RUN YOUR CAR ON TAP WATER!” (emphasis most emphatically not mine).

Of course, we all remember how easy it is to show that this won’t work, right?

(Bonus points for the student who thinks to ask the designer why the water vapor coming out of the tailpipe can’t simply be condensed and used again.)

The sentence I love the most, though, is this one:

If you test it out, though, do as the writer suggests and use an old car that doesn’t represent a loss of value if you can’t make it work.

In other words, if you can’t make it work, it’s your fault. After all, they “know by personal experience that the technology is sound.”

Look up “irrelevant” in the dictionary…

…and you might find a link to this CNN story.

I know a lot of people think this guy is awesome, but he apparently believes that a battery-powered car in the year 2008 with the following properties “could change the world”:

  • based on a 1959 Lincoln Continental convertible, a car that’s over 19 feet long and originally weighed over 5000 pounds (and almost certainly weighs more as a battery-powered electric)
  • has eaten over $120,000 of money to convert to its present state
  • acceleration control is a knob in the back seat
  • brake is on the passenger side
  • a 12-mile test run which almost ended in a collision is considered a milestone

I don’t have a problem with rich people having fun with their money or chasing windmills, but this story is phrased as if we are expected to believe that this car is going to create a revolution in electric automobiles. I honestly don’t know whether the person who wrote this story for CNN is pandering to Young or making fun of him.

When I could (theoretically) buy one of these for $109,000, how does this story have any relevance at all? I don’t blame Young for his apparent delusion. I blame CNN for passing it off as real news.

Why Hydrogen Won’t Save Us

For a long time now, I’ve been fairly annoyed with the media and political hyperbole surrounding the future use of hydrogen. Most of the attention I’ve seen seems to revolve around the (admittedly worthy) advances in the devices (fuel cells, mostly) that help us convert hydrogen into energy for use in cars, consumer devices, etc. That’s great as far as it goes, but it’s not the whole story.

Consuming the hydrogen is only one piece of the puzzle. Not only must the hydrogen be stored, transported, and distributed (no easy feat given its form as the lightest of gases), but we have to figure out how to produce it in quantity. That’s the piece I see left out of the discussion most often. Hydrogen is not an energy source, it’s an energy carrier. It’s not something we mine out of the ground. We have to make it. Currently, the most efficient (cheapest) way to make it in quantity is to use a process called steam reformation to make it from natural gas. Why not just burn the natural gas? You’re gonna release the carbon one way or another. Electrolysis of water sounds attractive, but where do you get the electrical energy to do the electrolysis?

Slashdot pointed me to an article on the Popular Mechanics web site that I think does an excellent job of outlining the challenges and unanswered questions that come between us and developing hydrogen as a true alternative to gasoline and other fuels. It’s by no means an exhaustive scientific study, but it does something I haven’t seen before: it provides estimated numbers on the various costs involved in getting the hydrogen from various sources. Specifically, it estimates the resources and costs necessary to meet Bush’s goal of using hydrogen to replace fossil fuels in all passenger cars by 2040. It’s not really a completely fair chart. It doesn’t take into account some future breakthrough in technology, but what it seems to indicate to me is that the goal depends on such a breakthrough.

By the way, what it also underscores is that we use an IMMENSE amount of oil to power our cars. I will freely admit that I’m probably a bigger fan than most of acceleration. One way or another, though, we as a nation are going to have to figure out how to cut our energy consumption. My current hypothesis: it will happen when energy finally gets expensive here. $3.00/gallon gasoline sounds bad, but we haven’t seen anything yet.

So, what am I trying to say? I think research and development on hydrogen power should continue. We may find that breakthrough (controllable fusion with a net positive energy output, making electrolysis practical, maybe?). In the meantime, though, I’m just tired of politicians making political hay claiming that they know how to save the world using hydrogen. The truth is we don’t know how to get there yet.

Jobs & Weblogs

I’ve been sitting on this one for a while. The story behind it is a bit old now, but I’m just now feeling motivated enough to actually write it up.

Here’s the fundamental question behind this post: why are people surprised when they are fired for bad-mouthing their employer and co-workers on their web sites?

“Dooced” is a pretty common term in the blogosphere these days. For anyone who doesn’t know its meaning and/or etymology, the Wikipedia entry gives a pretty good high-level summary. Last month, the media latched onto another case of a woman getting fired for roughly the same reason.

So, here’s how I view this. My employer as an entity has absolutely no good reason to concern itself with my life outside of work, and that includes this web log. However, part of the reason for that is that this web log has absolutely no reason to concern itself with the details of my experiences as an employee. I don’t think there’s ever been a time when I’ve considered that it might be okay to share specifics of my work in this weblog, regardless of whether or not I name my employer or the people in those accounts.

To me, what it boils down to is this: whatever my “typical” readership is, this web log amounts to public media. Google indexes this site quite thoroughly. Anyone who publishes a web site and doesn’t know about the Wayback Machine at archive.org REALLY needs to go there and search for their own URL. Look up URLs for sites that are years-dead. Go try it. Look up “http://www.eng.ua.edu/~jmcclure/”. Scary.

My point… I don’t care how crafty I think I am, the web is a public medium, and there’s enough information out there to connect the dots between me, my job, and any comments I make about my job on my site. Given that, how can I expect my employer not to protect itself in that situation, and unless there was clear discrimination (based on the legal definition, which doesn’t include the right to bad-mouth my employer) how can I expect to have any recourse or right to complain?