geekiness

This is my category for posts about technology/gadgets/computers/networking/etc.

Wi-Fi Protected Setup - a good idea badly implemented?

This post is a rant about what I think is a pretty decent idea gone pretty badly wrong. The idea is something called "Wi-Fi Protected Setup." I have not been able to find any other information on the web that talks about the particular problems I've seen (and what I believe to be a not-insignificant security hole), so why not rant about it here a bit? :)

Wi-Fi Protected Setup (WPS), as I said, seems to me to be a pretty good idea for solving a valid problem: historically, setting up a secure wireless network is not easy for the average home user. The user has historically been expected to set up a number of security-critical settings when first installing the wireless access point ("AP", usually a wireless router), such as SSID, security/encryption type, and a passphrase. Once all that is set up, each wireless "client" device must select the correct wireless network (by SSID) and then be given the network's passphrase in order to connect. For those of us familiar with security and networking, this is pretty simple. For the average home user, it can be quite confusing.

My understanding of the idea behind WPS is to help the average user bypass a lot of these steps and still end up with a secure network. In an example WPS setup (described by a whitepaper available from the Wi-Fi Alliance web site), the process might look like this:

  • power up the new AP
  • attempt to connect to the wireless network with a client device
  • verify that the client and AP really should be connecting by:
    • pressing buttons (could be either physical or virtual) on both ends, which starts a limited-time window for allowing the connection, or
    • entering a PIN number provided by the client into the AP

This process would automatically set up an SSID (hopefully unique) and passphrase (hopefully pseudorandom) on the AP and transfer that information to the client. For each new client, the process is simply repeated (with the difference that the SSID and passphrase are not reset for the subsequent added clients). The pushbuttons/PIN help verify that only known clients are added to the network, and the user is spared a lot of setup. I quite like the theory.

In practice, of course, not all wireless APs and clients support WPS. In particular, the Wireless Zero Configuration utility in Windows XP does not support WPS. My web research also suggests that while Vista supports WPS, it does so in a way that requires a wired Ethernet connection for the initial AP setup. I'm not a Vista user, so I can't verify this personally. For any AP or client which does not support WPS, the standard "manual" method for connecting to the network must be used: the network's passphrase must be known and must be provided to the client.

My particular rant in this post, however, has to do with the way that Intel chose to implement WPS in their Wi-Fi Configuration Utility (an optional component supplied with their driver which replaces the Windows built-in Wireless Zero Configuration utility) and how it interacts with the WPS implementation in a Linksys wireless router which I have personally used.

Intel chose to implement a PIN-based method for authorizing clients on a network. My reading of the WPS descriptions that I've seen (including the aforementioned white paper) seems to imply that the PIN method is intended to work by taking a PIN provided by the client and providing it to the AP. That makes sense to me. In that model, the only time a client can join the network (using WPS) is if its PIN is provided to the AP. Access for doing that is presumably restricted to someone who controls the network.

However, upon detecting a network which supports WPS, the Intel utility asks the user for a "device ownership password" associated with the AP. Once the user obtains this "password" (which is really a WPS PIN) from the AP and types it into the PC, the connection is established. The Linksys router I used humors this behavior by providing a WPS PIN (in addition to having both a physical and a web-based virtual button and a place to type in a client's PIN). The router's PIN is provided in the web interface and is printed on a sticker attached to the bottom of the router. Here's the kicker, though: the Linksys router's PIN is chosen at the factory and cannot be changed by the end user.

I see two security holes here. First, the PIN is a relatively short numeric value. Since all a WPS client needs is that PIN in order to gain access to the network, that effectively creates a very weak "password" (regardless of the size or complexity of the actual WPA/WPA2 passphrase). The bigger problem, however, is that once that PIN has been given out, it can be used again, potentially by a new unauthorized user. Since the PIN cannot be changed, the router's owner has no way of preventing this from happening. The web interface on the router supposedly gave a way to turn off WPS, but it did not appear to work. I was still able to use the PIN to gain access even after turning that option off.

On Intel's side, there is yet another problem. Not all APs which support WPS provide a PIN. Some can only accept a client PIN (which seems to me to be what was intended in the design of WPS). The Intel utility does not provide a client PIN. It requires a PIN from a WPS-supporting AP. If the AP doesn't have a PIN, then you're pretty much stuck. I did not see a way to bypass that prompt and manually connect using the network's WPA/WPA2 passphrase. The only way I saw around it was to run the Intel setup utility and remove the Wi-Fi Protected Setup feature altogether (which, fortunately, can be removed separately while leaving the rest of the utility intact). At that point, the network can be added manually.

This seems like an example of a good idea implemented very badly. I think the whole model of the AP providing the PIN to be used by the clients is backwards. It places control in the hands of the clients instead of the AP. It also reduces security by depending on a relatively short numeric value. I could almost live with that, though, if there was a way to change the PIN or disable WPS on the Linksys router. What really surprises me is that I have not seen anyone else on the net mention this. I may be missing something. The Cisco-Linksys WPS interaction I've described above is from my own experience, but it's possible that I've done something incorrect. If anyone can see the hole in my description, please comment on this post and explain. If I'm right, though, then this looks like a pretty broken system.
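A check an owner can make after changing the router's WPS setting, as an added example that is not part of the original post: parse the tagged parameters of a captured beacon and report whether the AP still advertises WPS and whether it reports its setup as locked. The sample beacons, the SSID "homenet" and the function names are constructed for illustration.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor IE: OUI 00:50:F2, type 4 = WPS
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP refuses PIN attempts from external registrars

# Constructed sample data: tagged parameters of three beacons for SSID "homenet".
SSID = "0007686f6d656e6574"
BEACON_NO_WPS = bytes.fromhex(SSID)
BEACON_WPS_ON = bytes.fromhex(SSID + "dd0e0050f204104a0001101044000102")
BEACON_WPS_LOCKED = bytes.fromhex(
    SSID + "dd130050f204104a00011010440001021057000101")


def parse_wps_tlvs(data: bytes) -> dict:
    """Decode WPS attributes: 2-byte type, 2-byte length (big-endian), value."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        attr_type, attr_len = struct.unpack_from(">HH", data, pos)
        value = data[pos + 4:pos + 4 + attr_len]
        if len(value) < attr_len:
            break  # truncated attribute, stop parsing
        attrs[attr_type] = value
        pos += 4 + attr_len
    return attrs


def find_wps_attributes(tagged: bytes):
    """Walk 802.11 information elements; return WPS attributes, or None if absent."""
    pos = 0
    while pos + 2 <= len(tagged):
        elem_id, elem_len = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + elem_len]
        if len(body) < elem_len:
            break  # truncated element
        if elem_id == 0xDD and body[:4] == WPS_OUI_TYPE:
            return parse_wps_tlvs(body[4:])
        pos += 2 + elem_len
    return None


def wps_status(tagged: bytes) -> str:
    attrs = find_wps_attributes(tagged)
    if attrs is None:
        return "WPS not advertised"
    if attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01":
        return "WPS advertised, AP setup locked"
    return "WPS advertised, AP PIN entry not locked"
```

Run `wps_status` on the tagged parameters of a beacon captured before and after changing the router's WPS setting. It reports only what the beacon advertises, not whether the AP would still accept the PIN.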

Your obscure reference of the day

After skimming this page, I've decided that the circle of fifths is the Smith chart of music.

If you're a regular reader on this site and that comparison made sense to you, then your name is probably either Stephen Granade or John Wilson. Let me know if I missed anyone. :)

Back from vacation

I do believe a week away was exactly what I needed, and now I'm back. :)

I'll try to discipline myself over the next week or so to actually write about what I did while I was away. To start with though, here's a quickie for you.

While we were in the "Sky Church" at the Experience Music Project, I started hearing a song that I immediately started humming along with but didn't immediately place. Turns out it was an artist named Petra Haden doing an almost completely a cappella remake of Journey's "Don't Stop Believin'". Turns out there was a competition for creating videos to go with that song and the others on the same compilation album, and YouTube has the video for this one. I don't particularly like the spoken word portion. It doesn't fit with the hyper-accuracy of the rest of the song, but I forgive it anyway. :)

P.S.
This song was recorded for an album full of "guilty pleasure" songs. Bonus points for the first person to recognize and comment on the other guilty pleasure song reference in this one. :)

The redshirt

I feel like just about everyone who reads this site has seen the movie Galaxy Quest. I found it on the TiVo tonight and watched it again. It's just spot-on brilliant parody.

You all know that, though. This post is about Guy Fleegman, the character in the movie who we learn played the part of "Crewman Number 6", who was killed in one of the original Galaxy Quest episodes. All throughout the movie Guy is mortified that he's going to be killed. The rest of the Galaxy Quest cast constantly try to console him, and Guy does indeed make it to the end of the story. As a reward for his help and to prove that he's an important character, they give Guy a role in the new adventures of Galaxy Quest. That's all back story. What I didn't realize until just tonight is that I think the joke goes one layer deeper. I'll let you guys decide if I'm right.

Guy's character in the new series is "Security Chief 'Roc' Ingersol." If the new Galaxy Quest series is basically Star Trek: TNG, does anyone else remember the Enterprise D's first security chief and what happened to her in the very first season?

I could be reaching, but I don't think I am. :)

What nice guys already knew...

It's not like this one's a surprise, but it's interesting to see actual research on it...
Bad guys really do get the most girls

Online filesystem service

Here's your linkfood for tonight. I found an online filesystem service called rsync.net. It's probably most commonly used for backups, but it could work for a lot more things. I'm considering signing up, simply because it's so flexible. It's quite a bit more expensive per GB of data stored than Amazon S3, but they support lots of cool applications for accessing the files.

A Lot More Doors

Tonight I watched one of the random Nova episodes that TiVo catches for me from time to time. This one was titled "The Ghost Particle". I'm no physicist, but Nova has a way of bringing even the most esoteric of scientific studies within the reach of normal folks and making them interesting. This episode was all about the neutrino. I found especially interesting the "drama" surrounding this particle over the years.

A water-powered car!

Wow. Tonight is just a treasure trove of car-related stuff for me to point and laugh at. :)

I've heard of stuff like this before, but I've never actually seen plans. Behold: "PRELIMINARY PLANS TO RUN YOUR CAR ON TAP WATER!" (emphasis most emphatically not mine).

Of course, we all remember how easy it is to show that this won't work, right?

(Bonus points for the student who thinks to ask the designer why the water vapor coming out of the tailpipe can't simply be condensed and used again.)

The sentence I love the most, though, is this one:

If you test it out, though, do as the writer suggests and use an old car that doesn't represent a loss of value if you can't make it work.

In other words, if you can't make it work, it's your fault. After all, they "know by personal experience that the technology is sound."

Look up "irrelevant" in the dictionary...

...and you might find a link to this CNN story.

I know a lot of people think this guy is awesome, but he apparently believes that a battery-powered car in the year 2008 with the following properties "could change the world":

  • based on a 1959 Lincoln Continental convertible, a car that's over 19 feet long and originally weighed over 5000 pounds (and almost certainly weighs more as a battery-powered electric)
  • has eaten over $120,000 of money to convert to its present state
  • acceleration control is a knob in the back seat
  • brake is on the passenger side
  • a 12-mile test run which almost ended in a collision is considered a milestone

I don't have a problem with rich people having fun with their money or chasing windmills, but this story is phrased as if we are expected to believe that this car is going to create a revolution in electric automobiles. I honestly don't know whether the person who wrote this story for CNN is pandering to Young or making fun of him.

When I could (theoretically) buy one of these for $109,000, how does this story have any relevance at all? I don't blame Young for his apparent delusion. I blame CNN for passing it off as real news.

Escapist Television

I think most people who watch much television have those few escapist shows... ones that have absolutely nothing to do with reality but are addictive despite (or more likely because of) that fact. My best example for a long time was pretty much any show written by Aaron Sorkin. The West Wing and especially Sports Night were favorites of mine. The way I put it was that no one talks that way in real life, but it's such fun to watch. :)

My latest escapist TV comes courtesy of BBC America. It's a British car show called Top Gear. It stars three hosts who basically all play different aspects of the fool. They get to drive some of the most exotic cars on the face of the earth and then snark about them. Jeremy Clarkson, especially, is just notorious for chewing on the upholstery. Honestly, he comes across as a bit of an asshole, but when he's not making fun of something I care about, he's fun to watch and listen to. :)

Anyway, I've started quite looking forward to the show popping up on the TiVo each week. Part of the fun is that they drive not only really brilliant cars but also really insane cars. According to Clarkson on the show, VW got caught a bit flat-footed and ended up with only 8 weeks to build a concept car to show at a Golf/GTI convention in Austria last year. Just to give you a starting place... the GTI is VW's sporty version of their bottom-end compact front-wheel drive hatchback. Two big key words there: compact and hatchback. Well, they decided to go for full-out insanity last year. They stole a 12 cylinder dual-turbo 650 horsepower engine from the Bentley Continental GT, shoehorned it where the back seat normally goes in a GTI and made it rear-wheel drive. Here's a hint: the Chevrolet Corvette Z06 (the really fast version) has an engine that makes 505 horsepower.

Needless to say the car was a handful.

Listen to that! In the Bentley that engine is as quiet as a startled deer. Here, it's like being chased by an imploding star... and about as scary.

Unfortunately, there is a small problem... This car will not go 'round corners.

So, Top Gear top tip: If you want a slow car that looks like a Golf... get a Golf.

Here are a few more choice quotes from other segments:

Audis are mainly built for German cement salesmen.

It's not powered by some V17 quad turbo that gets half a mile per gallon and runs on diced lions.

I am now doing 100 miles per hour, and it sounds like I'm in church... only I've got more headroom.

This is like smearing honey into Keira Knightley.

Referring to his co-host, who was driving a Porsche 911:

Ah, Richard Hammond appears to have joined us in his Volkswagen Beetle.
