
(Computerworld) Scary Widely used encryption standard is insecure, says your Wi-Fi-stealing neighbor (computerworld.com)

5729 clicks; posted to Geek on 23 Oct 2011 at 2:27 PM



32 Comments   (+0 »)
   
 
ZAZ [TotalFark]
2011-10-23 11:50:59 AM
XML Encryption

Two words that don't belong together. XML and encryption should be different layers of the protocol stack.
 
2011-10-23 12:02:53 PM
99.99% of the time, any encryption at all will keep your neighbors out.
 
2011-10-23 12:08:05 PM
St_Francis_P: 99.99% of the time, any encryption at all will keep your neighbors out.

I am the 1%.
 
2011-10-23 12:10:08 PM
Weaver95: St_Francis_P: 99.99% of the time, any encryption at all will keep your neighbors out.

I am the 1%.


www.lilaguzman.com

/Yarrr, matey.
 
2011-10-23 12:15:18 PM
lets just say that comcast's efforts to crack down on file trading are 1. laughable and 2. doomed to failure. there are 7 hotspots I can reach from my living room - 2 are unsecured and the remainder use weak encryption so weak they might as well not have bothered.

yeah...tracking bandwidth is really gonna catch file traders...esp when they can use any wifi hotspot in their damn neighborhood essentially at will...
 
2011-10-23 12:23:11 PM
Wi-Fi theft is wrong and should be illegal. Quick, someone call the police

oh wait.. nevermind
 
2011-10-23 12:30:40 PM
Godscrack: Wi-Fi theft is wrong and should be illegal. Quick, someone call the police

oh wait.. nevermind


Be fair. He was just showing us how easy it would be for a pervert to get child porn.
 
2011-10-23 02:30:16 PM
Weaver95: St_Francis_P: 99.99% of the time, any encryption at all will keep your neighbors out.

I am the 1% .01%.


ftfy
 
2011-10-23 02:33:25 PM
Weaver95: lets just say that comcast's efforts to crack down on file trading are 1. laughable and 2. doomed to failure. there are 7 hotspots I can reach from my living room - 2 are unsecured and the remainder use weak encryption so weak they might as well not have bothered.

yeah...tracking bandwidth is really gonna catch file traders...esp when they can use any wifi hotspot in their damn neighborhood essentially at will...


Not sure how these laws work in the U.S. so out of curiosity, say you go to court being sued by the RIAA. If you have an unsecured Wi-Fi connection, how do they prove you were the one doing the file sharing? Or is the end port where the responsibility sits?

Say you have a protected Wi-Fi connection and the same happens. How do they "prove" it was you? Do they have to find the files on one of your computers or is simply the fact that your Wi-Fi connection has a password enough for "beyond reasonable doubt"?

And lastly, say you went all tinfoil and took a small HTPC or other micro-ATX box, hid it somewhere behind a wall, etc, with no evidence of it lying around. The police serve a search warrant, take your laptop/desktop and don't find any of the shared files on your computers because all storage of torrented content is done on the hidden PC. What case would the RIAA have?
 
2011-10-23 02:37:27 PM
The RIAA don't need evidence. The fact they are suing you for $150 billion is more than enough proof.
 
2011-10-23 02:37:37 PM
Schadenfreude ist die schoenste Freude: Weaver95: lets just say that comcast's efforts to crack down on file trading are 1. laughable and 2. doomed to failure. there are 7 hotspots I can reach from my living room - 2 are unsecured and the remainder use weak encryption so weak they might as well not have bothered.

yeah...tracking bandwidth is really gonna catch file traders...esp when they can use any wifi hotspot in their damn neighborhood essentially at will...

Not sure how these laws work in the U.S. so out of curiosity, say you go to court being sued by the RIAA. If you have an unsecured Wi-Fi connection, how do they prove you were the one doing the file sharing? Or is the end port where the responsibility sits?

Say you have a protected Wi-Fi connection and the same happens. How do they "prove" it was you? Do they have to find the files on one of your computers or is simply the fact that your Wi-Fi connection has a password enough for "beyond reasonable doubt"?

And lastly, say you went all tinfoil and took a small HTPC or other micro-ATX box, hid it somewhere behind a wall, etc, with no evidence of it lying around. The police serve a search warrant, take your laptop/desktop and don't find any of the shared files on your computers because all storage of torrented content is done on the hidden PC. What case would the RIAA have?


Well, the evidence would be that there's a computer hooked up to your network that they can't find. After all, you have to be able to access that computer somehow. Unless you have USB ports and a display built into your wall (which they'll probably find), they'll see that there's a computer sharing files on the network, and they'll start looking. I wouldn't be surprised if there was a warrant that would allow them to start knocking holes in the wall to find it.
 
ZAZ [TotalFark]
2011-10-23 02:46:28 PM
Schadenfreude ist die schoenste Freude

RIAA doesn't have to prove a case beyond a reasonable doubt.

An IP address is good enough to start a case. During pretrial proceedings their lawyers ask you to state, under penalty of perjury, whether you copied the music. They subpoena your computer to have forensics look for evidence. When you say you've never heard of Kazaa and your kids or ex must have done it they send their investigators to check on these things. At trial they show evidence that the files came from your address, you wiped your hard drive before handing it over, you have previously written about Kazaa, and the people you fingered deny involvement. And the jury fines you seven figures for being so blatantly dishonest.

(The preceding paragraph is the Thomas case in a nutshell.)

Here's an interesting story about a guy who was really determined to copy a bunch of files and hid a computer in a closet at MIT to take advantage of MIT's site license: http://tech.mit.edu/V131/N30/swartz.html
 
2011-10-23 02:47:35 PM
ApatheticMonkey: Schadenfreude ist die schoenste Freude: Weaver95: lets just say that comcast's efforts to crack down on file trading are 1. laughable and 2. doomed to failure. there are 7 hotspots I can reach from my living room - 2 are unsecured and the remainder use weak encryption so weak they might as well not have bothered.

yeah...tracking bandwidth is really gonna catch file traders...esp when they can use any wifi hotspot in their damn neighborhood essentially at will...

Not sure how these laws work in the U.S. so out of curiosity, say you go to court being sued by the RIAA. If you have an unsecured Wi-Fi connection, how do they prove you were the one doing the file sharing? Or is the end port where the responsibility sits?

Say you have a protected Wi-Fi connection and the same happens. How do they "prove" it was you? Do they have to find the files on one of your computers or is simply the fact that your Wi-Fi connection has a password enough for "beyond reasonable doubt"?

And lastly, say you went all tinfoil and took a small HTPC or other micro-ATX box, hid it somewhere behind a wall, etc, with no evidence of it lying around. The police serve a search warrant, take your laptop/desktop and don't find any of the shared files on your computers because all storage of torrented content is done on the hidden PC. What case would the RIAA have?

Well, the evidence would be that there's a computer hooked up to your network that they can't find. After all, you have to be able to access that computer somehow. Unless you have USB ports and a display built into your wall (which they'll probably find), they'll see that there's a computer sharing files on the network, and they'll start looking. I wouldn't be surprised if there was a warrant that would allow them to start knocking holes in the wall to find it.


Copyright infringement cases are civil cases, not criminal, so the police cannot serve warrants.
 
2011-10-23 02:48:43 PM
ZAZ: Two words that don't belong together. XML and encryption should be different layers of the protocol stack.

img1.fark.net
 
2011-10-23 02:50:34 PM
ApatheticMonkey: Well, the evidence would be that there's a computer hooked up to your network that they can't find. After all, you have to be able to access that computer somehow. Unless you have USB ports and a display built into your wall (which they'll probably find), they'll see that there's a computer sharing files on the network, and they'll start looking. I wouldn't be surprised if there was a warrant that would allow them to start knocking holes in the wall to find it.

I've been playing too much Batman so I'm all tinfoil-y

I'm just curious what they would be able to do in court if there was no record of the data anywhere on your devices seized by police and the device you used was adequately stealthed somehow.
 
2011-10-23 02:50:39 PM
Schadenfreude ist die schoenste Freude:

And lastly, say you went all tinfoil and took a small HTPC or other micro-ATX box, hid it somewhere behind a wall, etc, with no evidence of it lying around. The police serve a search warrant, take your laptop/desktop and don't find any of the shared files on your computers because all storage of torrented content is done on the hidden PC. What case would the RIAA have?


An easier solution would be to just keep everything that's been downloaded on one hard drive and just encrypt the whole drive. When they politely ask you for the password just say you forgot it.
 
ZAZ [TotalFark]
2011-10-23 02:50:54 PM
I wouldn't be surprised if there was a warrant that would allow them to start knocking holes in the wall to find it.

With a typical search warrant police can knock holes in anything big enough to hide what they are looking for. Plastic baggies are often used to package drugs. Police doing a drug bust put plastic baggies on the list of items to search for. They can take apart anything, including a wall, that is big enough to hide a plastic baggie and might have one concealed within.

In a civil case the cops rarely come calling. Instead you are served with a court order to turn over your computer(s) for forensic examination. If you turn over the wrong computer, or not all of them, it's up to the other party to notice. If the other party does notice, you probably lose the case and possibly go to jail.
 
2011-10-23 02:52:19 PM
ibanezdude: ApatheticMonkey: Schadenfreude ist die schoenste Freude: Weaver95: lets just say that comcast's efforts to crack down on file trading are 1. laughable and 2. doomed to failure. there are 7 hotspots I can reach from my living room - 2 are unsecured and the remainder use weak encryption so weak they might as well not have bothered.

yeah...tracking bandwidth is really gonna catch file traders...esp when they can use any wifi hotspot in their damn neighborhood essentially at will...

Not sure how these laws work in the U.S. so out of curiosity, say you go to court being sued by the RIAA. If you have an unsecured Wi-Fi connection, how do they prove you were the one doing the file sharing? Or is the end port where the responsibility sits?

Say you have a protected Wi-Fi connection and the same happens. How do they "prove" it was you? Do they have to find the files on one of your computers or is simply the fact that your Wi-Fi connection has a password enough for "beyond reasonable doubt"?

And lastly, say you went all tinfoil and took a small HTPC or other micro-ATX box, hid it somewhere behind a wall, etc, with no evidence of it lying around. The police serve a search warrant, take your laptop/desktop and don't find any of the shared files on your computers because all storage of torrented content is done on the hidden PC. What case would the RIAA have?

Well, the evidence would be that there's a computer hooked up to your network that they can't find. After all, you have to be able to access that computer somehow. Unless you have USB ports and a display built into your wall (which they'll probably find), they'll see that there's a computer sharing files on the network, and they'll start looking. I wouldn't be surprised if there was a warrant that would allow them to start knocking holes in the wall to find it.

Copyright infringement cases are civil cases, not criminal, so the police cannot serve warrants.


But... but.. piracy is THEFT! You're a CRIMINAL if you STEAL music!

/You're right. I totally forgot about that.
//Probably wouldn't stop the RIAA though. :(
///Speaking of which, how did the police assisted Apple raid end?
 
2011-10-23 02:59:20 PM
ibanezdude: Copyright infringement cases are civil cases, not criminal, so the police cannot serve warrants.

Ah, did not know that.

ZAZ: Here's an interesting story about a guy who was really determined to copy a bunch of files and hid a computer in a closet at MIT to take advantage of MIT's site license: http://tech.mit.edu/V131/N30/swartz.html

Heh, he hid it under a cardboard box in a network wiring closet where it was downloading mountains of data for months that network admins had been trying to pinpoint. He got impatient. If he would have just continued the wireless incursions he would have gotten away with it.

So he puts the laptop, with his prints all over it, in the network closet thinking no one would notice?
 
2011-10-23 03:07:18 PM
DES has been crackable for quite a long time. Encrypting a stark, formalized language like XML probably just makes it easy to attack... Lots of GT and LT and a fairly standard preface. A cryptographer's wet dream.
 
2011-10-23 03:21:14 PM
Thanks to a misleading headline by subby, yet again 90% of the thread is responding to something that has nothing to do with the article
 
2011-10-23 03:21:36 PM
Looks from the brief description in the article that the weakness is in the way the protocol sends back information about errors in a file, giving the researchers more information than they would ordinarily have with an AES encrypted text file. They change a bit in the encrypted file then listen for the reply that says what was wrong with the underlying XML. Do that enough on the same file and you can put together a good picture of what the encryption is doing.
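
The error-reply leak described in the comment above, as an added example that is not part of the original thread: a handler that decrypts unauthenticated ciphertext and reports the parser's error answers differently depending on the hidden plaintext, while one that checks a MAC first gives the same answer to every tampered message. The keys, the sample XML and the toy SHA-256 keystream (a stand-in for a real cipher such as AES) are constructed for illustration.

```python
import hashlib, hmac, os
import xml.etree.ElementTree as ET

ENC_KEY = b"constructed-demo-enc-key"  # constructed keys, demo only
MAC_KEY = b"constructed-demo-mac-key"

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter keystream: a stand-in for a real cipher, not for production.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(plaintext):
    nonce = os.urandom(16)
    return nonce + _xor_stream(ENC_KEY, nonce, plaintext)

def _decrypt(blob):
    return _xor_stream(ENC_KEY, blob[:16], blob[16:])

def leaky_handler(blob):
    """Decrypts whatever arrives and echoes the XML parser's complaint."""
    try:
        ET.fromstring(_decrypt(blob))
        return "ok"
    except ET.ParseError as exc:
        return f"parse error: {exc}"  # wording depends on the hidden plaintext

def seal(plaintext):
    blob = encrypt(plaintext)
    return blob + hmac.new(MAC_KEY, blob, hashlib.sha256).digest()

def hardened_handler(sealed):
    """Checks the MAC before decrypting; one generic answer for every failure."""
    blob, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(MAC_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "rejected"
    try:
        ET.fromstring(_decrypt(blob))
        return "ok"
    except ET.ParseError:
        return "rejected"

def responses_to_tampering(handler, message, offsets):
    """Flip one ciphertext bit at each plaintext offset; collect distinct replies."""
    replies = set()
    for off in offsets:
        tampered = bytearray(message)
        tampered[16 + off] ^= 0x01  # skip the 16-byte nonce
        replies.add(handler(bytes(tampered)))
    return replies

SAMPLE = b"<order><id>42</id></order>"  # constructed sample document
OFFSETS = [0, 1, 11]                     # '<', 'o' and the digit '4'

if __name__ == "__main__":
    print(responses_to_tampering(leaky_handler, encrypt(SAMPLE), OFFSETS))
    print(responses_to_tampering(hardened_handler, seal(SAMPLE), OFFSETS))
```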
 
2011-10-23 03:58:06 PM
maxheck: DES has been crackable for quite a long time. Encrypting a stark, formalized language like XML probably just makes it easy to attack... Lots of GT and LT and a fairly standard preface. A cryptographer's wet dream.

upload.wikimedia.org

ok, not quite, but I love the picture.
 
2011-10-23 04:02:34 PM
ApatheticMonkey: But... but.. piracy is THEFT! You're a CRIMINAL if you STEAL music!

I saw a PSA type video before a movie recently that said:
"You wouldn't steal a bear."

To which I said: THE HELL I WOULDN'T!

/Scared the people around me.
//Haven't found any bears worth taking.
 
2011-10-23 04:26:34 PM
ZAZ:
In a civil case the cops rarely come calling. Instead you are served with a court order to turn over your computer(s) for forensic examination. If you turn over the wrong computer, or not all of them, it's up to the other party to notice. If the other party does notice, you probably lose the case and possibly go to jail.


But how will they know if they are even serving the warrant to the correct person?

If the suspect had a wifi router under WEP encryption then their password will be cracked in ~ 1 min (depending on strength of the signal) by someone using Backtrack. On top of that, the person that broke into the network could have changed their MAC address to any MAC address prior to connecting. Thus making it very hard to find out who the real "criminal" is in the matter.

The person that received the notice could abide by every law in the world and not have the computer they are speaking of but then lose this case because the router software didn't tell them that WEP encryption is weak and any password under it could be cracked. Or would that then be grounds for the person that was charged to go after the company selling the router and sue them for not having a warning on WEP encryption?
 
ZAZ [TotalFark]
2011-10-23 04:51:04 PM
But how will they know if they are even serving the warrant to the correct person?

If it goes that route, they'll start to worry when the computer forensics guy finds a load of porn instead of a load of music. Or if it's a movie suit, when they find a load of pirated music instead of a load of pirated porn.

It is possible to set people up for an offense they didn't commit. It is also possible to be caught setting people up. IIRC, somebody got busted within the past year trying to set up his neighbor for child porn.
 
2011-10-23 05:42:23 PM
Weaver95: lets just say that comcast's efforts to crack down on file trading are 1. laughable and 2. doomed to failure. there are 7 hotspots I can reach from my living room - 2 are unsecured and the remainder use weak encryption so weak they might as well not have bothered.

yeah...tracking bandwidth is really gonna catch file traders...esp when they can use any wifi hotspot in their damn neighborhood essentially at will...


Exactly. If I wanted to, I could easily tap into the nearby Subway. According to a couple of my neighbors, they have an exceptionally strong signal.
 
2011-10-23 05:48:06 PM
ibanezdude: Copyright infringement cases are civil cases, not criminal, so the police cannot serve warrants.

Under ACTA you are to be sued in a civil case AND tried under a criminal/federal case.
 
2011-10-23 07:47:41 PM
I know nothing about "protocol stacks" (thank Christ) so I'm considering going all ethernet in the house. Only use a computer in one room anyway, so why do I want wireless, encrypted or not?
 
2011-10-23 11:01:56 PM
Nick Nostril: I know nothing about "protocol stacks" (thank Christ) so I'm considering going all ethernet in the house. Only use a computer in one room anyway, so why do I want wireless, encrypted or not?

If you're just using a desktop, agreed. If you're running multiple computers, you'll have to get a router anyways so why not? If you're running a laptop, do you really want to deal with yet another set of cables?

/Also, do friends come over and borrow the wireless?
 
2011-10-24 01:20:25 AM
Good luck. I'm behind seven proxies.
 
2011-10-24 11:45:52 PM
St_Francis_P: /Yarrr, matey.

I'm actually from the Caribbean, and currently have this sort of pirate revival thing going on.

Check out my belt buckle.

a4.sphotos.ak.fbcdn.net
 
Displayed 32 of 32 comments

