This post is a rant about what I think is a pretty decent idea gone pretty badly wrong. The idea is something called "Wi-Fi Protected Setup." I have not been able to find any other information on the web that talks about the particular problems I've seen (and what I believe to be a not-insignificant security hole), so why not rant about it here a bit? :)

Wi-Fi Protected Setup (WPS), as I said, seems to me to be a pretty good idea for solving a valid problem: historically, setting up a secure wireless network is not easy for the average home user. The user has historically been expected to set up a number of security-critical settings when first installing the wireless access point ("AP", usually a wireless router), such as SSID, security/encryption type, and a passphrase. Once all that is set up, each wireless "client" device must select the correct wireless network (by SSID) and then be given the network's passphrase in order to connect. For those of us familiar with security and networking, this is pretty simple. For the average home user, it can be quite confusing.

My understanding of the idea behind WPS is to help the average user bypass a lot of these steps and still end up with a secure network. In an example WPS setup (described by a whitepaper available from the Wi-Fi Alliance web site), the process might look like this:

• power up the new AP
• attempt to connect to the wireless network with a client device
• verify that the client and AP really should be connecting by:
  • pressing buttons (could be either physical or virtual) on both ends, which starts a limited-time window for allowing the connection, or
  • entering a PIN number provided by the client into the AP

This process would automatically set up an SSID (hopefully unique) and passphrase (hopefully pseudorandom) on the AP and transfer that information to the client. For each new client, the process is simply repeated (with the difference that the SSID and passphrase are not reset for the subsequent added clients). The pushbuttons/PIN help verify that only known clients are added to the network, and the user is spared a lot of setup. I quite like the theory.

In practice, of course, not all wireless APs and clients support WPS. In particular, the Wireless Zero Configuration utility in Windows XP does not support WPS. My web research also suggests that while Vista supports WPS, it does so in a way that requires a wired Ethernet connection for the initial AP setup. I'm not a Vista user, so I can't verify this personally. For any AP or client which does not support WPS, the standard "manual" method for connecting to the network must be used: the network's passphrase must be known and must be provided to the client.

My particular rant in this post, however, has to do with the way that Intel chose to implement WPS in their Wi-Fi Configuration Utility (an optional component supplied with their driver which replaces the Windows built-in Wireless Zero Configuration utility) and how it interacts with the WPS implementation in a Linksys wireless router which I have personally used.

Intel chose to implement a PIN-based method for authorizing clients on a network. My reading of the WPS descriptions that I've seen (including the aforementioned white paper) seems to imply that the PIN method is intended to work by taking a PIN provided by the client and providing it to the AP. That makes sense to me. In that model, the only time a client can join the network (using WPS) is if its PIN is provided to the AP. Access for doing that is presumably restricted to someone who controls the network.

However, upon detecting a network which supports WPS, the Intel utility asks the user for a "device ownership password" associated with the AP. Once the user obtains this "password" (which is really a WPS PIN) from the AP and types it into the PC, the connection is established. The Linksys router I used humors this behavior by providing a WPS pin (in addition to having both a physical and a web-based virtual button and a place to type in a client's PIN). The router's PIN is provided in the web interface and is printed on a sticker attached to the bottom of the router. Here's the kicker, though: the Linksys router's PIN is chosen at the factory and cannot be changed by the end user.

I see two security holes here. First, the PIN is a relatively short numeric value. Since all a WPS client needs is that PIN in order to gain access to the network, that effectively creates a very weak "password" (regardless of the size or complexity of the actual WPA/WPA2 passphrase). The bigger problem, however, is that once that PIN has been given out, it can be used again, potentially by a new unauthorized user. Since the PIN cannot be changed, the router's owner has no way of preventing this from happening. The web interface on the router supposedly gave a way to turn off WPS, but it did not appear to work. I was still able to use the PIN to gain access even after turning that option off.

On Intel's side, there is yet another problem. Not all APs which support WPS provide a PIN. Some can only accept a client PIN (which seems to me to be what was intended in the design of WPS). The Intel utility does not provide a client PIN. It requires a PIN from a WPS-supporting AP. If the AP doesn't have a PIN, then you're pretty much stuck. I did not see a way to bypass that prompt and manually connect using the network's WPA/WPA2 passphrase. The only way I saw around it was to run the Intel setup utility and remove the Wi-Fi Protected Setup feature altogether (which, fortunately, can be removed separately while leaving the rest of the utility intact). At that point, the network can be added manually.

This seems like an example of a good idea implemented very badly. I think the whole model of the AP providing the PIN to be used by the clients is backwards. It places control in the hands of the clients instead of the AP. It also reduces security by depending on a relatively short numeric value. I could almost live with that, though, if there was a way to change the PIN or disable WPS on the Linksys router. What really surprises me is that I have not seen anyone else on the net mention this. I may be missing something. The Cisco-Linksys WPS interaction I've described above is from my own experience, but it's possible that I've done something incorrect. If anyone can see the hole in my description, please comment on this post and explain. If I'm right, though, then this looks like a pretty broken system.

Wow. Tonight is just a treasure trove of car-related stuff for me to point and laugh at. :)

I've heard of stuff like this before, but I've never actually seen plans. Behold: "PRELIMINARY PLANS TO RUN YOUR CAR ON TAP WATER!" (emphasis most emphatically not mine).

Of course, we all remember how easy it is to show that this won't work, right?

(Bonus points for the student who thinks to ask the designer why the water vapor coming out of the tailpipe can't simply be condensed and used again.)

The sentence I love the most, though, is this one:

If you test it out, though, do as the writer suggests and use an old car that doesn't represent a loss of value if you can't make it work.

In other words, if you can't make it work, it's your fault. After all, they "know by personal experience that the technology is sound."

...and you might find a link to this CNN story.

I know a lot of people think this guy is awesome, but he apparently believes that a battery-powered car in the year 2008 with the following properties "could change the world":

• based on a 1959 Lincoln Continental convertible, a car that's over 19 feet long and originally weighed over 5000 pounds (and almost certainly weighs more as a battery-powered electric)
• has eaten over $120,000 of money to convert to its present state
• acceleration control is a knob in the back seat
• brake is on the passenger side
• a 12-mile test run which almost ended in a collision is considered a milestone

I don't have a problem with rich people having fun with their money or chasing windmills, but this story is phrased as if we are expected to believe that this car is going to create a revolution in electric automobiles. I honestly don't know whether the person who wrote this story for CNN is pandering to Young or making fun of him.

When I could (theoretically) buy one of these for $109,000, how does this story have any relevance at all? I don't blame Young for his apparent delusion. I blame CNN for passing it off as real news.

For a long time now, I've been fairly annoyed with the media and political hyperbole surrounding the future use of hydrogen. Most of the attention I've seen seems to revolve around the (admittedly worthy) advances in the devices (fuel cells, mostly) that help us convert hydrogen into energy for use in cars, consumer devices, etc. That's great as far as it goes, but it's not the whole story. Read more »

I've been sitting on this one for a while. The story behind it is a bit old now, but I'm just now feeling motivated enough to actually write it up.

Here's the fundamental question behind this post: why are people surprised when they are fired for bad-mouthing their employer and co-workers on their web sites?

"Dooced" is a pretty common term in the blogosphere these days. For anyone who doesn't know its meaning and/or etymology, the Wikipedia entry gives a pretty good high-level summary. Last month, the media latched onto another case of a woman getting fired for roughly the same reason.

So, here's how I view this. My employer as an entity has absolutely no good reason to concern itself with my life outside of work, and that includes this web log. However, part of the reason for that is that this web log has absolutely no reason to concern itself with the details of my experiences as an employee. I don't think there's ever been a time when I've considered that it might be okay to share specifics of my work in this weblog, regardless of whether or not I name my employer or the people in those accounts.

To me, what it boils down to is this: whatever my "typical" readership is, this web log amounts to public media. Google indexes this site quite thoroughly. Anyone who publishes a web site and doesn't know about the Wayback Machine at archive.org REALLY needs to go there and search for their own URL. Look up URLs for sites that are years-dead. Go try it. Look up "http://www.eng.ua.edu/~jmcclure/". Scary.

My point... I don't care how crafty I think I am, the web is a public medium, and there's enough information out there to connect the dots between me, my job, and any comments I make about my job on my site. Given that, how can I expect my employer not to protect itself in that situation, and unless there was clear discrimination (based on the legal definition, which doesn't include the right to bad-mouth my employer) how can I expect to have any recourse or right to complain?

An AP report on CNN.com mentions that the shuttle astronauts are thinking about using duct tape to hold on a troublesome jet pack that caused problems during a space walk yesterday. I was all ready to cue the obligatory jokes about duct tape being able to fix anything.

Except, it's not duct tape. Quoting the article:

The spacewalkers hope they can use Kapton tape to hold the backpack latches in place when they make their next spacewalk on Wednesday. The tape is like duct tape but slippery and able to withstand both frigid cold and fiery hot temperatures.

Bwah? We use Kapton tape at work occasionally. If you've ever seen it, you'll realize that quote is a bit like saying, "Sand is like sugar, but darker and able to resist dissolving in water." In other words, Kapton tape resembles duct tape in that it comes in rolls and has an adhesive backing. That's about it. :)

I know it's a silly thing to post about, but there's something to be said for not stretching the facts just so you can get a catchy headline.

I spotted Revenge of the Sith on the HBO schedule a little while back. Since I didn't watch it in the theater and had never bothered trying to get my hands on the DVD, I figured I would go ahead and have TiVo grab it for me. I finally finished watching it tonight. The verdict? It pretty much lived up to my expectations. I'll warn you now, a lot of you won't like what's beyond the "more" link. Read more »

You know, I'm not sure why I bother, but for some reason I just can't help myself. When I'm in the truck and the local NPR affiliate is playing something I'm not interested in, I'll sometimes flip over to a talk/sports radio station out Birmingham. Inevitably, I end up turning the radio off in disgust (if not full out anger) within about 15 minutes. The people I hear on the air on this station represent possibly the most consistent collection of what I call "determined ignorance" that I know of. On the way out to lunch today I flipped over there, and this one was so bad I decided I had to post about it when I got back. Read more »

This is truly frightening. The Supreme Court ruled 5-4 today that a city can seize private property for private economic development.

From the article:

Local officials, not federal judges, know best in deciding whether a development project will benefit the community, justices said.

Wow. Five justices really believe that? That, in effect, says not "They can take the land in this narrow instance," but "We don't want to touch this issue. Don't bother us again." That truly surprises me. I've been hearing about cases like this for a couple of years now. I always assumed that if a case was heard by the Supreme Court, they would side with the property owners. I guess I was wrong.

Side note... I admit that I have not studied the rulings of the 9 justices in detail, but I have the distinct impression that I'm siding with the ones that I would normally disagree with on this one. O'Connor, Rehnquist, Scalia, and Thomas shared the dissenting opinion.

Ah, the joys of home ownership. Late this morning (early this afternoon?), Amy and I were lounging on the couch, and she kept finding ants on her. When I took a closer look, the little critters had started a full scale invasion of the living room. A large portion of the rest of the day has been dedicated to trying to take care of them. I think I found the right mound and got them, but (as always) it will take a day or two to know for sure.