Thinkpads Forum

For the record, both the WPA issues and the X11-related issues mentioned in this thread are problems fairly unique to Ubuntu and are not issues with Debian and other distros. Basically, they're both issues caused by insufficient QA and Canonical's policy of favoring "newer" over "proven."

With regards to your WPA issues I can offer the following suggestion.

Turn off WPA.

Hide your SSID (i.e. do not broadcast it)

Turn on MAC address authentication in your Wifi router.

If you must encrypt at this point (not terribly necessary for a home connection) then go for WEP or upgrade your wifi card.

With MAC address filtering and no SSID broadcast your network will be mostly secure from script kiddies and war drivers. It won't stop a dedicated hacker, but then again most people like me who hack wifi don't bother with man in the middle attack and TCP redirects against a home user.

This is very bad advice. Here's why:

1) Disabling SSID broadcasting is not a security measure. Kismet, KisMAC, Netstumbler, etc. will all happily detect and reveal so-called "hidden" networks. This presents about as much of an impediment to an attacker as putting a sign with "Don't use my network" in your front yard.

2) MAC address filtering is also worthless. It's usually trivial to change a NIC's MAC address, so again all you're doing is giving yourself a false sense of security.

3) WEP is very, very easy to break. Usually less than 5 minutes with modern hardware/software. It may make you feel safe, but it won't do a darn thing to stop anyone using any one of a number of freely-available software packages.

But why should you care? After all, it's just a home network, right? Here are some examples of what can happen if your network is compromised:

1) Most of what you send and receive is probably not encrypted. Most folks don't use SSL for their e-mail, and a number of major IM networks don't use encryption by default (AIM and MSN, for example). Almost everything you browse is sent "in the clear" -- and all of that can easily be observed by someone on your wireless network. Even sites that should use encryption don't -- if you use the same password here as anywhere else, for example, you're toast: forum.thinkpads.com doesn't secure its login form, so anyone who observes you logging in to this site may gain access to other accounts...

2) Someone can join your network and download copyrighted material or, even worse, highly illegal things (example: child pornography). If the authorities come knocking you might find it quite difficult to prove it wasn't you -- it was your network, after all, and it is your responsibility.

3) Someone on your network can tamper with traffic. This leads to *very* bad things. Unlikely? Well... less likely than #1 and #2, but not unheard of.

Bottom line: enabling WPA2/AES-CCMP is a must. If your card doesn't support it or only supports WPA/TKIP, get a new card. If your distro has bugs, get a new distro. Otherwise you're just asking for trouble.

Sure.

I already mentioned he replace his card.

Also I pointed out the chances of your average script kiddie breaking into his network are minimal.

Thirdly I also mentioned the distro thing.

Anything o wise one?

EDIT: Because that was snarky.

What I proposed was a 5 minute poor mans do it yourself and stop 90% of your problems security solution. It's home connection, not a DOD life line. That setup will keep your average looky loo away as well as the few people who read a wiki article. LIke I mentioned it's not going to stop a dedicated man in the middle attack.

Would you feel better if I had told him to properly VLAN and NAT everything then run that through a dedicated linux box and an iptables host, then make sure the user authenticates against a 1 time key on an LDAP server?

He is a home user and someone who is studying networking. Let him set it up then break in to it. This way he knows how to do it right (textbook) how to get it going in a pinch (5 minute poor man solution) and how to fail (open access, no encryption).

Your [censored] right it's unlikely someone is going to tamper with a hidden SSID that has MAC filtering enabled. If anything it's the teenage punk next door trying to browse for porn, not a dedicated eastern bloc hacker looking to create the next 'bot net.

My advice was not bad. It was not meant to be a permanent fix, just to last long enough to get his wifi working without purloining from his neighbors.

You want to try again or shall the schooling continue?

Temetka wrote:Also I pointed out the chances of your average script kiddie breaking into his network are minimal.

[...snip...]

Sorry I touched a nerve with my post.

As a former script kiddie (during my "teenage punk looking for porn" phase), I'm not so sure that's correct. Finding networks with hidden SSIDs doesn't even require any extra effort on said script kiddie's part: many sniffers do that automatically, and a quick Google search for "change MAC address" yields a wealth of easy-to-follow information.

Yes, if it's a choice between an open network and one with those "protections" enabled, most kids will choose the open one. That said, I think you're underestimating 1) how many "script kiddies" break (into) things just for the fun of it 2) the motivating allure of an open network connection through which to pirate music/movies/pr0n.

I apologize for the inflammatory nature of my response.

I learned most of my hacking skills back in the day. Back in the day being early 90's when a 14.4k modem was hot stuff. I totally agree with the bored teenager doing things for phun. I know this is true, because I was one.

Now though I use my skills for good securing small and medium business from those same teenage punks and the occasional internal 'problem employee' as well.

I think we both agree that while what I proposed would work in pinch it's not a long term solution by any stretch of the word. The easiest way to solve the problem is to either get a card that support WPA or get a distro that works with his card.

Know what we should do Rob?

Go get a tall beer and share stories. Good times right there.

Temetka wrote: Know what we should do Rob?

Go get a tall beer and share stories. Good times right there.

As someone who grew up in the modem age (started as BBSs were going away, and then moved onto the wonderful world of early-90s internet), definitely!

If you're ever on the east coast (or if I head to CA) first pint's on me.

That said, back to the issue at hand:

I think we both agree that while what I proposed would work in pinch it's not a long term solution by any stretch of the word. The easiest way to solve the problem is to either get a card that support WPA or get a distro that works with his card.

I agree: assuming that the distro and the card are (at least for the time being) immutable factors, that's probably the best that can be done. Another interim fix would be to stop using DHCP (or at least cut down the lease space to the minimum number of computers) and route anything outside the addresses you're using to oblivion. Again, easy to get around, but might help to confuse some kiddies. Of all these "protections", WEP is likely to be your best bet, and that's saying something...

That said, the writing's on the wall: a new card is probably in order. Most Atheros cards are well-supported, but a quick Google search or two is usually all you need to determine whether or not a given model of card is a good choice.

Ouch, I never got any email notifications telling me that the discussion went hot around my wireless issue.

I the mean time, I have established the fact that wireless card in the T30 is the reason, and not the distro. My wireless card doesn't support WPA.

Regarding the encryption in our house, we have 6 laptops going at this time, my IBMs, my wife's Dells (Ouch did I just say that) and the kids' laptops. To save us the work of changing all the wireless logons, we decided to stick with WPA, and rather just replace my card. I have done a couple of tweaks in the router already, but that's mostly to block certain sites from the kids' computers, and have some reserved IPs set to keep those sites available on a couple of trusted IPs, ie. the parents' computers.

If we were only looking into preventing other people from using our wireless network, WEP would probably be good enough, since we have 3-4 unsecured networks around here. For the bored teenage neighbor boy who hacks for fun, WEP is probably not good enough, but the question is how much of a threat he is, compared to really malicious hackers. Anyway, we chose to stay with WPA.

Temetka: Your suggestion for what can be done with the right equipment is interesting, I have actually thought about it. I bought some training equipment for my studies. (2 x 2514 Routers and 2 x 2950 Switches) So in the future it would definitely be interesting to look into using some of this equipment for our home network, and not just have it sit around on my desk. I also appreciate your other input, good to know that resources are out there.