Re: [slim] Hide SSID ?
There at least used to be a web site that would generate passwords that were strong but were at the same time at least somewhat memorizable. I've lost it. Anyone remember it (and care to share)?

-- bobkoure
bobkoure's Profile: http://forums.slimdevices.com/member.php?userid=14646
View this thread: http://forums.slimdevices.com/showthread.php?t=46953
___
discuss mailing list
discuss@lists.slimdevices.com
http://lists.slimdevices.com/lists/listinfo/discuss
Re: [slim] Hide SSID ?
There's www.goodpassword.com

For what it's worth, I use a similar manual system, which creates strong passwords which are very easy to remember (i.e. passwords containing a mix of upper case letters, lower case letters and numbers).

Think of a phrase which is personal to you and shrink it into an acronym, combining a relevant number. For example:

You have two cats called Tiddles and Cuddles which were born in 2002 = TidCud02
Your friends called John and Stacy who live at number 98 = John98Stacy

[I don't have any cats... or any friends... at #98 :-) ]

-- pnharrison
pnharrison's Profile: http://forums.slimdevices.com/member.php?userid=11409
Re: [slim] Hide SSID ?
> For what it's worth, I use a similar manual system, which creates strong passwords which are very easy to remember (i.e. passwords containing a mix of upper case letters, lower case letters and numbers).
> You have two cats called Tiddles and Cuddles which were born in 2002 = TidCud02

Still moving waaay OT.

This approach generates keys that appear strong, and are moderately strong against a bad guy who picks you at random. But not all bad guys do that. Many (most?) serious attacks start with some social engineering. Finding your name, wife's name, kids' names, pets' names is fairly easy, whether it be by looking at Facebook or just walking down the street and being friendly when you are walking the dog.

Your TidCud02 example is not close to random. A dictionary of your favorite words, pets, etc. with all sorts of variant spellings is still tiny. Better than leaving it as linksys but really a false security.

I personally believe that remembered passwords just don't work for serious security. If it's random enough to be strong, you won't remember it. If you can remember it, it's not really strong.

Protecting your music library does not require serious security.

Pat
-- Pat Farrell http://www.pfarrell.com/
Re: [slim] Hide SSID ?
pfarrell;297861 Wrote:
> Protecting your music library does not require serious security.

Indeed. But it's nice to be able to come up with a password that can both be remembered (there are a lot of passwords on post-its) and that is at least not totally susceptible to dictionary attack.

I'm a contractor (mostly software, but I end up doing IT sometimes as well). Sometimes I get asked about passwords. Sometimes they're on a post-it on a user's monitor, or the password is "password" or "Secret" and I figure I ought to at least say something.

Up to now, I've been telling folks about book codes (i.e. find a phrase you can remember) and then interject some numbers and/or punctuation. So for instance, even without the punctuation you get things like tpwshbnhv (Twain) or iwtbotiwtwot (Dickens).

While we're going way off topic, IMHO it's worth reading what Clay Shirky has to say about downloading, the RIAA and encryption: 'The RIAA Succeeds Where the Cypherpunks Failed' (http://www.shirky.com/writings/riaa_encryption.html). It -does- have a connection to music (sort-of).

-- bobkoure
Re: [slim] Hide SSID ?
bobkoure wrote:
> But it's nice to be able to come up with a password that can both be remembered (there are a lot of passwords on post-its) and that is at least not totally susceptible to dictionary attack.

Post-it notes are the death of security.

> iwtbotiwtwot (Dickens).

This is actually a better example, assuming you are not internationally known as an expert on Dickens.

> 'The RIAA Succeeds Where the Cypherpunks Failed'

I was there, wrote up the NIST conference when they tried to sell Clipper and key escrow.
http://w2.eff.org/Privacy/Key_escrow/Clipper_II/farrell_nist_key_escrow_meet_0995.summary

-- Pat Farrell http://www.pfarrell.com/
Re: [slim] Hide SSID ?
https://www.grc.com/passwords.htm

/DVB

-- DVB
DVB's Profile: http://forums.slimdevices.com/member.php?userid=13707
Re: [slim] Hide SSID ?
pfarrell;297898 Wrote:
> This is actually a better example, assuming you are not internationally known as an expert on Dickens.

Well, if I was, I'd pick a line from Hemingway - assuming that I could find a line with more than nine words in it :-)

I remember when Clipper was introduced. Lots of folks were exercised about it (I was working in Cambridge at the time - RMS was making a really big deal about it). And then it just, basically... disappeared. I hadn't realized that it was withdrawn because it could be made to be -too- secure. Maybe that part got downplayed...(?)

-- bobkoure
Re: [slim] Hide SSID ?
Beyond way OT

bobkoure wrote:
> I remember when Clipper was introduced. Lots of folks were exercised about it (I was working in Cambridge at the time - RMS was making a really big deal about it). And then it just, basically... disappeared. I hadn't realized that it was withdrawn because it could be made to be -too- secure. Maybe that part got downplayed...(?)

I am not sure it was ever withdrawn. What happened was that at the NIST conference, every business interest, every speaker, every lobbyist, except two who had products to sell for Clipper/Skipjack, was against it.

Key escrow is a fine idea: you use crypto to secure your data, and escrow the keys to someone trusted so if the guy managing it, say Pat, is gone to a tropical island, you can get access to the key, unlock your data and continue business. What was not fine was having some Government agency hold it, require that they hold it, and just ask you to 'trust us'. The many widely publicized problems with VA and Social Security losing laptops with huge amounts of private data had not happened, but folks were still asking "trust you why?"

What really happened is that Mark Shuttleworth and others made businesses selling strong crypto outside the US, and even the politicians decided that the idea that only programmers in the US could make ciphers became OBE. Shuttleworth made enough money to become a space tourist and start Ubuntu. Over time, the restrictions on strong crypto were loosened, and became unenforceable.

All this was about protecting strong keys. Not keys that look random like the TidCud02 example, but real random keys.

The reality, and back to something vaguely on topic, is that most folks don't want the hassle of managing real strong keys. At least TidCud02 is a lot better than 'password' for a key.

Pat
-- Pat Farrell http://www.pfarrell.com/
Re: [slim] Hide SSID ?
Hide SSID is a non-security feature. It's useless and just invites more haxx0rs to try and get into your network.

WPA2-AES is reasonably secure as long as your key is moderately complex.

-- SuperQ
SuperQ's Profile: http://forums.slimdevices.com/member.php?userid=2139
Re: [slim] Hide SSID ?
SuperQ wrote:
> Hide SSID is a non-security feature. It's useless and just invites more haxx0rs to try and get into your network.
> WPA2-AES is reasonably secure as long as your key is moderately complex.

MAC filtering is useless too and only complicates things. WPA2 has not been cracked with a sufficiently complicated key AFAIK, which would make it more than reasonably secure.

Regards,
Peter
Re: [slim] Hide SSID ?
Well, I can see that MAC filtering can be cracked. Does it not do any good, as my filtered devices (SB, SBR and SBC) are on the net all the time and the only MACs the router lets through are these 3 addresses? So any hack has to compete with these for bandwidth.

The MAC filtering works without any problems; I don't see why it would be bad, as my setup rarely changes. So I don't see it as a hassle to alter the router settings once or twice a year. My network is so static that it is in fact completely static, no DHCP.

I do use WPA2 AES, but I'm not so paranoid that I have a completely randomized code... yet. It's 15 characters long. And I skipped the most obvious traps and did not use a pass based on family names, pets etc. or common language.

So what would happen if someone did crack my security? You have to spoof 1 MAC address, crack my WPA2 code and spoof an IP number. Would not something crash if 2 devices had the same MAC and IP, or the same MAC and 2 different IPs? What would the router do?

I could change my code to something random, but then I have to set up the receiver again, ouch!

BTW, why would a hidden SSID invite haxx0rs? How fun can a 4-port router at a private home be? I just don't want to invite the local kids to do something. A real hacker would probably crack it instantly, but who would want to get me?

-- Mnyb
Mnyb's Profile: http://forums.slimdevices.com/member.php?userid=4143
Re: [slim] Hide SSID ?
So to get into your network you would have to do the following:

1. Find the network (given that SSID beacon is off)
2. Break the WPA encryption
3. Grab a valid MAC to associate with the AP
4. Select an unused IP (no spoofing required)

Of these, all are trivially easy to do except step 2, which given a decent password is basically impossible unless (and possibly even if) you're the NSA. Hence, you could switch on the SSID and switch off the MAC filtering and still be just as secure as you were before. However now you wouldn't have all those niggly little issues with devices which like to see the SSID or which have a new MAC to add to the router. More convenience, more compatibility, same security.

-- radish
radish's Profile: http://forums.slimdevices.com/member.php?userid=77
Re: [slim] Hide SSID ?
Nonetheless I agree that it is a bug if the SBC cannot handle hidden SSID, so if it is not working a bug report should be filed (if one does not already exist). Of course it might not get very high priority.

-- bhaagensen
bhaagensen's Profile: http://forums.slimdevices.com/member.php?userid=7418
Re: [slim] Hide SSID ?
My SBC works fine with SSID broadcast turned off. There were some problems very early on in the beta test but it has been fine for several months. I have a similar setup to yours (WRT54GL, Tomato 1.19), but I don't have any encryption turned on.

-- jth
jth's Profile: http://forums.slimdevices.com/member.php?userid=48
Re: [slim] Hide SSID ?
radish wrote:
> 2. Break the WPA encryption [snip] decent password is basically impossible unless (and possibly even if) you're the NSA.

This is much too strong of a statement without some qualifications. WPA with AES-CCMP is strong, WPA with RC4 is substantially weaker, and is used in many (most?) places.

And the requirement for a decent password is not often met. Weak passphrases can be detected and cracked with widely available and easy to use tools such as kismet.

To be 'decent' a password has to have a lot of entropy, which means true random values. Just being long is not sufficient. A passphrase of:

A SlimDevices Transporter is a great audiophile component

is long, but has trivial amounts of entropy, especially among folks on this forum.

A good password looks like:

642435996fa7035bde1adaef4ec16368687a8b74

and this is actually a bad example, as it is not at all random, rather it's the md5 checksum of a common file.

I generally do not make casual comments about NSA's code breaking ability. They are very good. If they want to break in, they probably will.

A chain is only as strong as its weakest link.

-- Pat Farrell http://www.pfarrell.com/
Re: [slim] Hide SSID ?
pfarrell;297026 Wrote:
> This is much too strong of a statement without some qualifications. WPA with AES-CCMP is strong, WPA with RC4 is substantially weaker, and is used in many (most?) places.

True, but I haven't found any evidence for a better attack than brute force. Provided your key isn't in the dictionary, you're looking at a pretty long search time. The examples I've seen indicate around 20 keys/sec. Assuming I have hardware 10 times faster than that and a 10 character random key (using a-zA-Z0-9) I get a max search time of approx 4e15 seconds. Half that for an average hit time (assuming random searching) and we're still looking at 6e7 years. (Apologies for any math errors, corrections welcome!)

http://www.linuxjournal.com/article/8312
http://wirelessdefence.org/Contents/coWPAttyMain.htm
http://blogs.zdnet.com/Ou/?p=127

> To be 'decent' a password has to have a lot of entropy, which means true random values. Just being long is not sufficient. A passphrase of: A SlimDevices Transporter is a great audiophile component is long, but has trivial amounts of entropy, especially among folks on this forum.

How does the amount of entropy affect the crack time for brute force, provided there's a trivial amount so the key isn't in a dictionary? Let's say, for an example, that I have a really lame dict file that only includes English words. In this situation Bonjour is just as hard to crack as aX2*i9:, and in fact 111 isn't any easier. Of course in real life Bonjour and 111 would be in the dictionary, so the random-ish key is better. I guess I'm just not understanding your comment on an MD5 hash not being good enough. Provided the attacker doesn't know you make a habit of using MD5 to generate your keys I think you're fine.

Of course there's another issue for the attacker once he's done with the dictionary, and that's that he doesn't know how much entropy is in my key, so he has to assume the maximum. I may have chosen to only use upper case letters, but he has no idea that my key doesn't have numbers in so he has to test those all the same. Now he may be smart and think that I'm probably an idiot and have a really small character set, so statistically he's better off hitting the lower-case-only keys first, but you get my point.

> A chain is only as strong as its weakest link.

Agreed. The easiest way to break into WPA is probably to attack a node on the network directly (via a trojan for example) and get the PSK from an OS vulnerability.

-- radish
Re: [slim] Hide SSID ?
radish wrote:
> How does the amount of entropy affect the crack time for brute force, provided there's a trivial amount so the key isn't in a dictionary?

This is getting OT, and complicated.

First, it depends on the cipher and the amount of ciphertext you have access to. With WiFi, it's easy to get huge amounts of cipher text and you can get some known clear text. For example, if the user checks his email every 10 minutes, you can see traffic, which will have known text as he does the POP3 access to the ISP.

With better ciphers, every bit in the key changes every byte of output. But you don't know, without doing a lot of serious post-doc-level analysis, if changing the key from Bonjour to Bonj0ur changes it completely, or if you can do partial attacks. Birthday paradox becomes a big deal with sufficient amounts of ciphertext.

You also don't know how the attack works. For example, with a cable modem or DSL line, a little work wearing all black can let you plug in a 'butt set' to pick up the clear text. With both clear text and cipher text, a lot of attacks are much easier.

It's all about how paranoid you want to be. Remember, just because you are paranoid, it doesn't mean that they are not out to get you.

> in so he has to test those all the same. Now he may be smart and think that I'm probably an idiot and have a really small character set, so statistically he's better off hitting the lower-case-only keys first, but you get my point.

If you look at the serious research, you find that even folks using what they think are good passphrases use the same, weak ones. There are about 30,000 words in a typical college educated English speaker's vocabulary. That is a trivial number to push through a dictionary attack. Even if you change from English to LeetSpeak, it's still a fairly small number in crypto terms.

Check out the reference to a CERT advisory (Cert advisory CA-2003-08) on lame passwords. It's sad.
http://www.pfarrell.com/technotes/lamepasswords.html

> Agreed. The easiest way to break into WPA is probably to attack a node on the network directly (via a trojan for example) and get the PSK from an OS vulnerability.

Social engineering is how most cracks are done. With the popularity of wireless keyboards, it doesn't take much to just capture the key strokes and skip all the WiFi stuff completely.

-- Pat Farrell http://www.pfarrell.com/
Re: [slim] Hide SSID ?
All very true, but I don't see anything suggesting a particularly good KPT attack on RC4. There's one paper I read suggesting a way to reduce the search space a little, but TKIP solves the major problem with WEP.

> If you look at the serious research, you find that even folks using what they think are good passphrases use the same, weak ones. There are about 30,000 words in a typical college educated English speaker's vocabulary. That is a trivial number to push through a dictionary attack. Even if you change from English to LeetSpeak, it's still a fairly small number in crypto terms.

Obviously, anything which is in a dictionary is as good as broken, but that's not really what I'm talking about. Once you get out of the realm of anything in a reasonable dictionary (i.e. random chars) you start getting into _how_ random it is (like your comment about an MD5 hash not being random enough). My point is that whilst good randomness is needed to implement an algo, it's not needed to generate a key, provided the attacker doesn't have access to or knowledge of how you did it.

Anyway, this is, as you say, way off topic. I'm off to bed with my old copy of Applied Crypto :)

-- radish
Re: [slim] Hide SSID ?
Interesting responses, some of you must be into encryption and such? This has gone very off topic but interesting.

On the same tangent, the SBC has a limited charset, so not all passphrases are possible to type with the controller; the same applies to the SB.

I see that Tomato has got to 1.19; I'll have a look at that.

Quote:
> If you look at the serious research, you find that even folks using what they think are good passphrases use the same, weak ones. There are about 30,000 words in a typical college educated English speaker's vocabulary. That is a trivial number to push through a dictionary attack. Even if you change from English to LeetSpeak, it's still a fairly small number in crypto terms.

How do you check if your passphrase is good? To be more specific, mine is 15 letters and one number. The words used come from rather obscure literature.

I found this test online: http://rumkin.com/tools/password/passchk.php
There my pass is judged as reasonable with Entropy: 48.9 bits,
and it flunks completely according to http://www.passwordmeter.com/

But my real security is that my desktop computer is off when I'm not at home and not able to WOL. My server contains only music (with its own firewall and passw). That's the equivalent of putting a glass of water or a whiff of fresh air in a safe. All music in the world is available on any torrent tracker. The router also has a passw and I use the https:// variant of the admin page.

The only concern is if some hack uses my server as a spambot or similar.

Thank you for the replies. I don't think I have the energy to write that bug report now. My concern was really that I had to alter perfectly functional router settings to connect the Duet.

Good Morning (it's 6:22 in Sweden)

-- Mnyb
Re: [slim] Hide SSID ?
Mnyb wrote:
> Interesting responses, some of you must be into encryption and such? This has gone very off topic but interesting.

Yes, way OT.

> On the same tangent, the SBC has a limited charset, so not all passphrases are possible to type with the controller; the same applies to the SB.

Which in the grand scheme of things is not terribly important. And inside the SqueezeBox is just a commodity WiFi card, so there are hidden weak links in the chain, if you are NSA class paranoid. To secure music, it's not really an issue.

> How do you check if your passphrase is good? To be more specific, mine is 15 letters and one number. The words used come from rather obscure literature.

What is obscure in Swedish may be off the chart in America.

The real answer is that you can not tell. There are good rules of thumb, such as this:
http://www.microsoft.com/protect/yourself/password/create.mspx

> There my pass is judged as reasonable with Entropy: 48.9 bits

There is a fundamental flaw in measuring entropy in this context. The definition comes from Claude Shannon's work, which is also the basis for PCM audio, so I can make a tenuous connection back to audio, squeezeboxen, etc. and is based on probability. The usual measure is based on characters. So in theory, the information value of an eight bit character is 1/256. But in English, we use far fewer characters in words. And as pointed out above, the character set may have other limitations. So the values may be radically different in practice.

Most folks use something close to words in their native language. This is the basis for all dictionary attacks. The Microsoft paper cited above talks about how conversions to EleetSpeak, or similar things, are weak. They specifically say that M1cr0$0ft is not much more 'random' than Microsoft.

As the Microsoft paper says: Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.

The problem is always social engineering; humans simply can't remember strong random things. We have not evolved to do so. So we either use something not random, like the phrase about Transporters in my posting up thread, or we write it down on yellow sticky pads and paste them to the monitor.

> All music in the world is available on any torrent tracker.

The primary rule of serious security is to make the cost of the attack higher than the value of the target. So if all that is in the target is music, which is all over the torrent world, then there is little value in the attack. This could change if your music is flac and all the torrents have is over compressed MP3.

Realistically, the primary value in attacks on home servers is either:
1) access to bank accounts, brokerage accounts, or identity theft enablers
2) hosts for botnets to attack other systems.

What is interesting to me is that nearly all of the information for this stuff is ancient. I wrote "Towards a Model of Computer Security", October 1992 National Computer Security Conference, Fort Meade, MD, with William H Murray. That was nearly 15 years ago. We modeled how a machine can be used as a resource for attacks on other systems. Some folks might notice how close Fort Meade, MD is to an agency of interest.

-- Pat Farrell http://www.pfarrell.com/
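
Added example (not part of any poster's message): a Python sketch of the two calculations argued over above, radish's brute-force search time and Pat's objection that a per-character entropy score overstates a key built from guessable choices. The 200 keys/sec rate and the 62-character alphabet come from radish's post; the attacker-model numbers for TidCud02 and the 36-character controller alphabet are assumptions made for illustration.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Rate from the thread: about 20 keys/sec observed, times 10 for faster hardware.
RATE = 200

# Constructed attacker model for the "TidCud02" scheme. All four numbers are
# assumptions: 1000 candidate names for each of the two pets (gathered by
# social engineering), 4 truncation/capitalisation variants, 100 two-digit years.
TIDCUD_MODEL = [1000, 1000, 4, 100]

# Hypothetical restricted input alphabet for a remote control (assumption).
REMOTE_ALPHABET = string.ascii_lowercase + string.digits


def charset_size(password):
    """Alphabet size a per-character strength meter would assume."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    return sum(n for chars, n in classes if any(c in chars for c in password))


def naive_bits(password):
    """Per-character estimate: every character an independent uniform draw."""
    return len(password) * math.log2(charset_size(password))


def process_bits(choices):
    """Entropy of the generating process: one entry per independent choice,
    giving the number of equally likely options for that choice."""
    return sum(math.log2(n) for n in choices)


def average_search_years(bits, guesses_per_second):
    """Expected exhaustive-search time: half the key space at the given rate."""
    return (2.0 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def length_for_bits(target_bits, alphabet_size):
    """Random characters needed from a restricted alphabet to reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_key(alphabet, target_bits):
    """Uniformly random key over the distinct symbols of `alphabet` (OS CSPRNG)."""
    symbols = sorted(set(alphabet))
    length = length_for_bits(target_bits, len(symbols))
    return "".join(secrets.choice(symbols) for _ in range(length))


if __name__ == "__main__":
    rows = [
        ("10 random chars, a-zA-Z0-9", process_bits([62] * 10)),
        ("TidCud02, per-character score", naive_bits("TidCud02")),
        ("TidCud02, assumed attacker model", process_bits(TIDCUD_MODEL)),
    ]
    for label, bits in rows:
        years = average_search_years(bits, RATE)
        print(f"{label:34s} {bits:6.1f} bits  {years:12.3g} years on average")
    print("128-bit key for the restricted alphabet:",
          generate_key(REMOTE_ALPHABET, 128))
```

The same string scores about 48 bits per character but under 30 bits once the search is restricted to how it was built, which is the gap between "looks random" and "is random" that the thread is arguing about.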
Re: [slim] Hide SSID ?
Pat Farrell wrote:
> The problem is always social engineering; humans simply can't remember strong random things. We have not evolved to do so. So we either use something not random, like the phrase about Transporters in my posting up thread, or we write it down on yellow sticky pads and paste them to the monitor.

We're talking about a home network here. It's perfectly acceptable to create a random key with lots of entropy and put it in a file on a USB key from where you can easily copy paste it when you want to add a new machine.

WPA-AES can only be brute forced AFAIK and with a random enough key that's practically impossible. With WPA you use a stream cipher and the keys are constantly changed so that should be fairly secure, bugs in the implementation notwithstanding.

The new controller is of interest here, because if I understand it correctly, during the initialization process the device transmits your home WPA key over an unencrypted wifi link (or encrypted with a fixed/guessable WEP key, I forget which). Any NSA agents in your garden may steal it. So be particularly vigilant for black vans just after ordering your Duet.

Regards,
Peter