Uncategorized admin on 08 May 2004 02:56 pm
Stickin’ it to “The Man”
wireless-bandwagon-department
The nasty gram from Comcast has compelled me to finally get an actual hardware router/firewall. Might as well get WiFi while I’m at it, I thought. Might as well get 802.11g — and judging by this thread at Slashdot I’m especially glad I didn’t give Comcast any money for their spy-router.
The nasty gram went something like this: “we see that you may be using more than one network device with your cable modem…” and “get your own router or buy one from us.” Got my own, thank you very much. At least they only really care about how many IP addresses I’m hogging. (I guess I don’t download enough pr0n to get the “you’re sucking (no pun intended) too much bandwidth” letter.)
In the olden days, 4-5 years ago, they would only let one device get a DHCP address anyway. Then one day I noticed that my laptop grabbed an address which meant I didn’t need to route through my other Mac anymore. How convenient. DHCP worked for my TiVo when I put it online too, and that was over a year ago. So now they’re clamping down on the extra addresses people are using — which they wouldn’t have been able to use in the first place if Comcast hadn’t silently(?) removed the limitation. I’d like to thank ‘em for the “free” ride though because I have a much cooler wireless setup now than what I would have gotten a year ago.
I got this 802.11g router and an AirPort Extreme card at Amazon. Ordered them Monday morning and had ‘em Wednesday morning. Wednesday night it was all about the WiFi! Woot!
Now that I have an AirPort card I realize that I could have probably avoided the cost of the router altogether by just using the neighbor’s network, but I’m not getting a very good signal *cough*cantenna*cough* and I’d have to go through the inconvenience of cracking their WEP key — the inconvenient part is that the numerous WEP cracking utilities don’t work with my wireless card. The cracking itself is fairly straightforward, from what I’ve read.
Fun with wireless security! Turns out that most of the security features can be gotten around with Not Much Effort. First, we have “hiding the SSID.” That just means the router doesn’t blatantly advertise its presence with a large neon sign that says “free bandwidth.” My neighbor didn’t get that memo so I can see his network but he can’t see mine. Unfortunately the SSID is included in every packet so anyone sniffing the network is going to know what it is. It is nice to not have a big neon sign though.
Secondly we have WEP. Wired Equivalent Privacy. Isn’t. Since it uses a static key for (a) everyone, and (b) everything, it can be busted wide open in a matter of hours without any fuss whatsoever. You can use dynamic keys with WEP but that only adds a moderate level of difficulty to the cracking, apparently. It’s kinda like putting a padlock on your tool shed — it keeps the honest people out.
Next, we’ve got MAC address control, wherein you tell your router to only let known devices connect to the network. So even if someone knows your SSID and your key they still won’t get in. The problem here is that the sniffers can determine a legitimate MAC address and spoof it by setting their wireless card to that address. Still, I’m leaving that turned on. No need to make it easy for the crackers.
Finally(?) there’s WPA. Wireless Protected Access. Is. It’s holding the fort until 802.11i is finalized and you need to buy a new wireless router because of the beefier encryption requirements. WPA fixes all the problems with WEP, or so they say. Cryptographically strong and all that rot, using Temporal Key Integrity Protocol (cool!) and Michael (MIC - message integrity check) to make your WiFi network safe for a better tomorrow. WPA gives you per-session, per-packet encryption instead of that one static key that WEP uses. The biggest potential problem is using a weak password. WPA can be run with a pre-shared key for SOHO users, or with a RADIUS server back-end for enterprise class security. The pre-shared key in WPA is much more secure than a pre-shared WEP key because of the better encryption in WPA. Having an authentication server dynamically allocating encryption keys is even better. I think that’s the best you can hope for until 802.11i comes out, short of building a Faraday cage, of course.
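The weak-password risk with a WPA pre-shared key, as an added example that is not part of the original post: the 256-bit key is derived from the passphrase with PBKDF2-HMAC-SHA1 using the SSID as salt, so a guessable passphrase is the weak point no matter how good the encryption is. The word list, the `audit_passphrase` helper, the sample SSIDs and the 80-bit threshold are constructed for illustration.

```python
import hashlib
import math
import string

# Constructed sample list; a real audit would load a large common-password list.
COMMON = {"password", "12345678", "qwertyuiop", "letmein123", "wireless1"}

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA pre-shared key from a passphrase.

    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def charset_bits(passphrase: str) -> float:
    """Upper bound on entropy, as if every character were picked at random."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation + " ")
    size = sum(len(p) for p in pools if any(c in p for c in passphrase))
    return len(passphrase) * math.log2(size) if size else 0.0

def audit_passphrase(passphrase: str, ssid: str, min_bits: float = 80.0) -> list:
    """Return findings for a passphrase the owner is about to configure."""
    if not 8 <= len(passphrase) <= 63:
        return ["invalid-length"]
    findings = []
    if passphrase.lower() in COMMON:
        findings.append("common-password")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains-ssid")
    if charset_bits(passphrase) < min_bits:  # 80 bits is an assumed threshold
        findings.append("low-entropy-bound")
    return findings

if __name__ == "__main__":
    # Same passphrase, different SSID: the salt changes the derived key.
    print(wpa_psk("password", "IEEE").hex())
    print(wpa_psk("password", "HomeNet").hex())
    print(audit_passphrase("password", "IEEE"))
    print(audit_passphrase("HomeNet2004", "HomeNet"))
    print(audit_passphrase("vK7#pd2Qx!mR9wLz4&tB", "HomeNet"))
```

The character-set figure is only an upper bound, so a human-chosen phrase that passes it can still be weaker than the number suggests.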
(I’m currently compiling a RADIUS server for my own amusement. The amusement is that I never have the right libraries for these sorts of things and I have to go schlepping around for them.)
In the meantime I’m enjoying watching all the infected PCs bounce off my firewall. Perhaps later I’ll go war-walking around the apartment building (that should be entertaining), and the next time I’m in the mall parking lot I’ll see if I get a signal from Old Chicago or Buffalo Wild Wings; they’re both supposed to have WiFi.
2 Responses to “Stickin’ it to “The Man””
on 10 May 2004 at 6:37 pm 1.Eric said …
Sounds pretty nifty. I’m thinking about wireless for our new place. I’m not worried too much about security where we’re moving (“does your computer have the internet IN it”?) so I may opt for the cheap “b” protocol and save a few bucks.
-e
on 10 May 2004 at 10:19 pm 2.MostlyHarmless said …
The security is independent of the protocol, i.e. 802.11b -vs- 802.11g. You can have WPA with either.
BTW the slower stuff is just as expensive as the faster stuff so you might as well go 802.11g. PC Magazine posted a comparison of 802.11g routers the day after I ordered mine. Some of them use proprietary go-fast technology which works nice for highly compressible data but it seemed like the throughput at 60 ft was a better comparison — some drop off very quickly as you get farther away. 802.11b doesn’t have that much speed to begin with but you should still be better than your cable modem speed which is generally what matters.
FWIW, I get about 3 megabytes/second throughput on 802.11g which is 8 times faster than my cable modem.