WPA vs WEP?

I know that WPA is more secure.

However, I have an old Intel card on a laptop that doesn't
support WPA. My daughter is coming to live with me and she
has a 3 - 4 year old Thinkpad that has wireless built in -
I'm concerned that it too wont support WPA. I know that her
laptop only supports wireless B.

I know that I could purchase a new PMCIA card to replace my
old Intel card. But then, it might also be necessary to
purchase one for her Thinkpad. This could get expensive and
complicated.

I have everything else nailed down - SSID, MAC addresses
limited etc. What is the real risk of just going with 128
WEP? I'm not using file and printer sharing. My desktop
(the only machine I'm really concerned about), is wired to
the router.

Thanks for your thoughts on this.

Louise

> I have everything else nailed down - SSID, MAC addresses
> limited etc. What is the real risk of just going with 128
> WEP? I'm not using file and printer sharing. My desktop

WEP can be cracked in a matter of minutes if you're lucky, if not, a
little longer.

Avoiding the MAC address filter is even easier, it requires that just
one packet be sniffed and spoofed and you can't encrypt that so that's a
no brainer to defeat.

SSID broadcast is easier still, just run kismet or a similar tool and
it'll be there.

David.

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <yZPNf.3444$4%(E-Mail Removed)> on Fri, 03 Mar 2006
04:53:50 GMT, louise <(E-Mail Removed)> wrote:

>I know that WPA is more secure.

It is *if* (and only if) you set a secure pass phrase.

>However, I have an old Intel card on a laptop that doesn't
>support WPA. My daughter is coming to live with me and she
>has a 3 - 4 year old Thinkpad that has wireless built in -
>I'm concerned that it too wont support WPA. I know that her
>laptop only supports wireless B.
>
>I know that I could purchase a new PMCIA card to replace my
>old Intel card. But then, it might also be necessary to
>purchase one for her Thinkpad. This could get expensive and
>complicated.

Strongly suggest replacement with a card that does, which isn't terribly
expensive. Windows XP SP2 (which should run just fine on that old ThinkPad,
as it does on mine) supports WPA.

>I have everything else nailed down - SSID, MAC addresses
>limited etc.

Those things won't really help.

>What is the real risk of just going with 128
>WEP?

Real and substantial.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>

On Fri, 03 Mar 2006 09:39:42 GMT, David Taylor blurted:

>> I have everything else nailed down - SSID, MAC addresses
>> limited etc. What is the real risk of just going with 128
>> WEP? I'm not using file and printer sharing. My desktop
>
>WEP can be cracked in a matter of minutes if you're lucky, if not, a
>little longer.
>
This statement pops up over & over again, and it is simply untrue.
Yes, in a lab or class, it's possible to crack a WEP key if it's short
enough; but in the wild, with a reasonably complex secret (16
characters or so) it is extremely hard/time-consuming to do this. So
hard, in fact, that WEP is very reasonable security for home use -
unless you send nuclar launch codes to your mother-in-law.

This canard about cracking any WEP key in minutes is the kind of
scare-mongering that makes the profession of infosec much harder than
it has to be, yet it continues to be passed along as *fact* by people
who have taken a two day elite wireless hacking course. Give them two
laptops and an unknown WEP protected network and they'll sit there for
hours or days (if they're persistant) before they admit that cracking
WEP is just a tad harder than it looks.

My $.02
Tom

Spamming this account signifies
your unqualified consent to a free security audit

> This statement pops up over & over again, and it is simply untrue.
> Yes, in a lab or class, it's possible to crack a WEP key if it's short
> enough; but in the wild, with a reasonably complex secret (16
> characters or so) it is extremely hard/time-consuming to do this. So

Sorry, you're wrong, this is WEP we're talking about not WPA, there is
no such thing as a stronger WEP key simply due to a passphrase length
because...there's really no such thing as a passphrase! All those
passphrase generators do is create the appropriate number of digits to
enter into the key field.

> who have taken a two day elite wireless hacking course. Give them two
> laptops and an unknown WEP protected network and they'll sit there for
> hours or days (if they're persistant) before they admit that cracking
> WEP is just a tad harder than it looks.

More wrong information. My quickest so far is 7 minutes 55 seconds. A
colleague captured data from a US airline terminal and then got the key
while on the plane.

WEP is weak, *can* be cracked in minutes (not guaranteed but can) there
is no further discussion necessary. If you're not sure about this then
you need to read (and try) more.

Is it still suitable for home? Sure, it'll stop those casually
connecting, it'll deter those that are intent on snooping, it won't
deter those who are next door (or in range) and have nothing better to
do than try. They have all the time in the world and usually the age
range associated with that time.

David.

On Sun, 05 Mar 2006 07:03:29 GMT, in alt.internet.wireless , David
Taylor <(E-Mail Removed)> wrote:

>> This statement pops up over & over again, and it is simply untrue.
>> Yes, in a lab or class, it's possible to crack a WEP key if it's short
>> enough; but in the wild, with a reasonably complex secret (16
>> characters or so) it is extremely hard/time-consuming to do this. So
>
>Sorry, you're wrong, this is WEP we're talking about not WPA, there is
>no such thing as a stronger WEP key simply due to a passphrase length
>because...there's really no such thing as a passphrase!

As with all such debates, both sides are wrong and right. WEP /is/
weak and can be cracked relatively easily due to how the algo works
and how the data is transmitted.
However its still the case that in practice someone would have to sit
outside your house for quite a while. This is because they need
/traffic/ to crack the key. 99% of the time, a home PC isn't
generating traffic. This is very different to a commercial pc such as
at an airline desk, where a whole bunch of PCs using the same code,
are all continually in use generating buckets of data.

>> WEP is just a tad harder than it looks.
>
>More wrong information. My quickest so far is 7 minutes 55 seconds. A
>colleague captured data from a US airline terminal and then got the key
>while on the plane.

See above

>WEP is weak, *can* be cracked in minutes (not guaranteed but can) there
>is no further discussion necessary.

Well, actually there is. Sure, its weak. I'd never recommend it if you
have an alternative. But its better than nothing. Without WEP, you are
an open door. With it, onlly someone determined will bother.

>Is it still suitable for home? Sure, it'll stop those casually
>connecting, it'll deter those that are intent on snooping, it won't
>deter those who are next door (or in range) and have nothing better to
>do than try. They have all the time in the world and usually the age
>range associated with that time.

I completely agree.
Mark McIntyre
--

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

> However its still the case that in practice someone would have to sit
> outside your house for quite a while. This is because they need

Yes and no Yes it requires a PC to be associated, so then send
deauth, capture the arp and do an arp injection. Doesn't take long and
as I said, I don't see the threat from the person parked outside but
rather the bored teenager with nothing better to do that can do it from
their bedroom. They have plenty of time.

> /traffic/ to crack the key. 99% of the time, a home PC isn't
> generating traffic. This is very different to a commercial pc such as
> at an airline desk, where a whole bunch of PCs using the same code,
> are all continually in use generating buckets of data.

But that home PC only has to be associated and then deauth'd.

Anyway, the precise detail is irrelevant. We agree on the usage so no
point arguing.

I just dislike the posts that discuss "stronger" WEP keys - no such
thing so, moving swifly on...

David.

On Sun, 05 Mar 2006 07:03:29 GMT, David Taylor blurted:

>> This statement pops up over & over again, and it is simply untrue.
>> Yes, in a lab or class, it's possible to crack a WEP key if it's short
>> enough; but in the wild, with a reasonably complex secret (16
>> characters or so) it is extremely hard/time-consuming to do this. So
>
>Sorry, you're wrong, this is WEP we're talking about not WPA, there is
>no such thing as a stronger WEP key simply due to a passphrase length
>because...there's really no such thing as a passphrase! All those
>passphrase generators do is create the appropriate number of digits to
>enter into the key field.
>
>> who have taken a two day elite wireless hacking course. Give them two
>> laptops and an unknown WEP protected network and they'll sit there for
>> hours or days (if they're persistant) before they admit that cracking
>> WEP is just a tad harder than it looks.
>
<snip>

Like I said, FUD. I'm not going to waste my time arguing this with
you. It's too bad you can't come by and try to crack my WEP setup.
That's WEP. You won't be able to do it. Guaranteed.

Best, Tom



Spamming this account signifies
your unqualified consent to a free security audit

On Sun, 05 Mar 2006 12:39:42 -0500, in alt.internet.wireless ,
spammersarevermin <(E-Mail Removed)> wrote:

>Like I said, FUD. I'm not going to waste my time arguing this with
>you. It's too bad you can't come by and try to crack my WEP setup.
>That's WEP. You won't be able to do it. Guaranteed.

Foolish words...
Mark McIntyre
--

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

> Like I said, FUD. I'm not going to waste my time arguing this with
> you. It's too bad you can't come by and try to crack my WEP setup.
> That's WEP. You won't be able to do it. Guaranteed.

Then lets not argue, instead how about you offer up to the newsgroup
(and beyond) how your WEP set up is uncrackable... you have offered a
guarantee remember.

David.