Of course everyone by now realizes that WEP is broken.

Do you see any reasons to use WEP? Please let me know. I'd like to hear your thoughts.

Thanks,

Jim

I design and support wireless networks everyday and I get asked the WEP question all the time. Without going into a lot of detail I ask you one simple request:

Can you BREAK IT (128bit Static Key)!

It is nearly impossible. Nothing is hack proof or secure in this world. You can add add add to your network but nothing will keep out the criminal element.

Keep in mind 95% of crime is internal! If you want to secure your company network you must first educate your employees and do full background checks on everyone.

The list goes on and on but my point is that the WEP key is a very good encryption security solution and until the IEEE committee decides on a security standard there is no need to roll-out a WLAN solution, $$$$$$.

I have to agree, enable the WEP. Particularly if it's a small rollout. While it isn't foolproof, it's at least a speedbump that has to be overcome. It also keeps the honest people honest, and the casual hacker generally at bay.

If security is an issue, then you really should be doing something else, like a wired lan. If you just have to have wireless, then go WEP, and VPN from end to end.

Just my $0.02.

I agree that WEP is another speedbump at least.

I heard someone else describe it as a "No Trespassing" sign and barbed wire. Sure it's possible to get past but it will keep out the general passer byers away, and give you the ability to take legal action if you catch the person who gets in.

I would highly suggest using it.

Good point.

Does anyone know of any legal cases regarding hackers comprimising 802.11 networks? I'd read something about people stealing credit card numbers from Best Buy over the airwaves. Are there any others?

I have to agree that WEP is not perfect, it can be hacked, not so much by directly attacking the 128 bit key, but due to weaknesses of it's implementation. The known exploits still need hours or days to crack it.

It is also, like ColorCopier says, a "barbed wire" and "No Trespassing" sign. It keeps for sure the casual hackers and "script kiddies" away, and it likely gives some legal protection in case someone should hack it. I am not a lawyer, but I think there is a Federal law covering computer trespassing of "protected systems."

Because WEP is cheap to deploy and quite useful, everybody should enable it. But do not forget other security measures like keeping all APs in their own network segment and having some kind of firewalling to the corporate network. Something more, for example a VPN solution, should help considerably in case the first line of defence -- WEP -- is broken.

In case of Best Buy I think they had a really stupid system: No WEP and the CC numbers in plain text. They could have avoided the hassle easily by some basic security. A legal action is bit like closing the barn door after all the horses have ran away... Prevention is much better!

That's a good point about the legal aspects of hacking into something that's been protected. If you don't use WEP or any other form of security, then that may be thought of as leaving your door open (i.e., free for the public to enter). Any attorneys out there who can comment more on this?

You don't need an attorney. If it is not yours, and you do not have permission to use it, you can't. Simple as that.

If you think otherwise, ask yourself this: Is it legal to use a cell phone system without paying? Is it legal to use someone's cordless phone system without permission? Can you enter my home legally, even if the door is wide open? If the keys are in my car, are you allowed to take it?


Faciliatation is NOT permission.

While I agree that facilitation doesn't imply permission, we are talking about an -unliscened- radio band. Because it's unliscened and pretty much unregulated, it's the FCC's territory. And, like CB's, if you're not pushing horrific wattage, they're not going to come have a conversation with you.

As a society, we don't tend to leave our keys the in car, or front door's wide open, or sensitive files on the front desk. Because we know that such actions seem to be invitations to tempt the weak-willed individual. Think of WEP as putting a lock on your filecabinet. Will it stop a determined thief? No. It just slows him down.

As for a legal stance...I'm afraid to look at any precident's set by open doors, cell channels, 900 MHz or 2.4 GHz court cases. I think that would just make my head hurt.

All radio in the USA falls under the jurisdiction of either the NTIA (for Gov't use) or the FCC (all other use). However, that has nothing to do with it; what is really the key point is that it is the entry point to a computer network, for which unauthorized use thereof is prohibited by various Federal and State statues.

The fact that we do not leave the keys in the car does not negate the fact that unauthorized use of the car is illegal. It does not matter if the keys are present or not. We simply lock the car and take the keys to provide a barrier. Similarly, unauthorized use of a computer network is illegal regardless of the status of WEP or any other security mechanism. They are simply barriers to prevent said usage/abuse. And like the security system(s) on a car, their strength varies.

Certainly points that I agree on. However, since by using a transmitter, you are placing data onto the airwaves, at what point do they become public domain? When they leave your property line? Or, is even the airspace over your property private domain, or would the US Government consider it theirs, and/or therefore public domain?

And yes, if I transmit to your reciever, it then passes into a wired system, I'm certainly on your property. I believe it will certainly be interesting to see how the law decides to handle issues like this, as it's not considered an illegal activity to 'listen' to whatever data you're transmitting.

And, I could be wrong, but when last I understood, if I have a key to a house, I'm -not- breaking and entering. (I may be tresspassing, which is a lesser charge.) So, if I listen to your traffic, and get your WEP key, am I only tresspassing on your system, since I have the key now?

(For the record: I still think WEP is a good idea, even if it's just a speedbump for a real hacker. And if you don't want the data to be hackable by someone, don't involve wireless, and don't involve a network that's open to the Internet.)

The question is, how did you come by the key?

Either I gave it to you, or you stole/found it.

If I gave it to you, you then have "license and permission" to enter the property. If you stole or found it, you do not. Then we're back to the same legal/illegal discussion.

As far as the "public domain" goes, radio signals are never "public domain" in the normal sense of the term. The legality of monitoring them is governed by Federal and State laws. For example, cell phones are specifically outlawed from monitoring by Federal statue. Previously, they would be considered wiretapping in essentially every State. So they were never legal to listen to anyway. 802.11? Depends on the state. In Florida, it's illegal.

Let's say I'm sitting on the public bench outside your office building, where you use a keycode to unlock and open the door. You step up to the door, and speak to no one in particular, "My key is <blah>." Have you given me your key, or did I just fined/steal it?

With some manufacture of AP's, the initial handshake is all uncoded and only when you look to go beyond that does it get into the question of exchanging WEP keys. If I 'overhear' someone speaking their WEP key, is that given, found, or stolen, since the nature of broadcast radio is omni directional?

(Yeah, I know, it's nit-picking, but some day you just know this is going to end up in court, and someone will have to set the precident for it. And all they'll have to go on is law reguarding existing monitoring of electronic signals in the appropriate band.)

If I put my key under a rock in plain sight and you use it, it's still illegal, because you have NO PERMISSION.

I guess this discussion is in a tight loop, and getting very little frutful.

The first question is the legality of using somebody's computer system without permission. It is common sense that such use is illegal, and I believe there are laws nowadays nearly everywhere covering that kind of (mis)use. In any case it is very similar than going into other person's house and using the facilities without permission. So, boys and girls, be aware that you may get into a major trouble if you do it: Having a felony in the records will hurt long time after the punishment is over! No reason to gamble on it for just a free Internet surfing or proclaiming how it "should be."

The second question is "how criminal" and how easily procecutable a "trespassing" is in a concrete case. If there will be a case depends, of course, on the owner noticing that somebody is "doing things" in the network. That should be a motivation to have some protection and some logging anyway.

About unwanted access: It can be benign usage of your bandwith or it can be professional industrial spionage. It can be a spammer sending millions of e-mails through your SNMP box, thus overloading your network, and potentially seriously damaging your reputation--or even somebody may sue you due to an outsider misusing your network for a malicious purpose! It can hurt you real bad or it can be completely unnoticeable--and might be even unintended (like a Windows XP client attaching to neighbourg's network instead of the intended AP). But it is YOUR network, and YOUR business, thus nobody has right to use the resources without YOUR permission.

However, one may easily think (without being a lawyer) that having a strong case agains a suspected intruder is quite much depending on the fact if you have shown reasonable care and not left your "door open." For sure, WEP would prevent any unintended access, thus protecting you from your neighbour's WinXP and vice versa. On the other hand, breaking WEP (or even trying to break it) is a case of conscious "lock-picking."

Back to the laws: I remember seen that is indeed a federal law regulating "computer trespassing" and it has wording about "protected networks." It does NOT mean that "unprotected" (technically open) networks are freely avaiable to everybody and thus the intruder would not be legally responsible according to a law. However, the punishment might be lesser, and it might be more difficult to get conviction.

Therefore, especially because WEP is very cheap to deploy, everyone should use it on networks which are not intended for public access. It is also IMHO still non-trivial and quite time consuming to crack, and thus casual hacking attempts are defeated, and hacker-wannabes/script-kiddies are likely not considering cracking it worthwhile for just a few hours of free Internet access.

Another case is using programs like netstumbler, and just monitoring and collecting basic network parameters and statistics. All without accessing the network resources. One in this case does not even get an IP address from DHCP server. Netstumbler does not grab any data packets, and thus can not "spy" any user data flying by. In that case I guess the monitoring is so non-intrusive, that quite likely it is legal in most places. Of course, assuming that no explicit law exists forbidding that kind of monitoring.

But for solid security and/or very confidential data, it is better to use WEP AND augement the protection with other security measures like VPN and keeping the AP outside your firewall, etc. Or, maybe, just forget the wireless, and use a wired network, installed within a secured area, whenever possible...

If the intention is to keep someone out, then yes, enable WEP. I personally leave mine open cause I'm a giving kind of person and I don't mind allowing wardrivers to borrow my internet connection. Aren't hotspots nice?? My access point and internal network have a firewall (http://www.zelow.no/floppyfw) separating them. I only need to access the internet from my laptop, so I do it wirelessly, if I have any other need I plug it in to the switch to gain access to my internal network. I monitor my wirelss traffic and if I see that someone is trying to do me bad I block thier mac address, simple as that. If the spoof it, fine, but they know that I'm watching! Check out http://www.server-staion.com to read about my access point!

For public hotspots I agree. You shouldn't enable WEP to ensure that everyone can get a connection. Key management with the standard 802.11 (static) WEP would be a problem.