July 31, 2002

WLAN Predictions from Analysts

802.11Planet reports on what analysts are saying about WLANs in the next few years. Some snippets:

WLAN product sales for businesses are up, as high as 175%, and will continue to grow another 60% in 2002. Revenues will only increase 7% this year as the price on 802.11-based equipment, even the newer 802.11a products, continues to plummet. Cisco's domination of the business WLAN hardware market is shifting somewhat as Linksys, Agere, and Buffalo Technologies top the total units shipped and 802.11a/b combo NICs will be the driving force for network adapters going forward.

Posted by dsifry at 11:42 AM | View blog reactions

July 29, 2002

WiFi Honeypots sprouting - "honeyspots"?

SecurityFocus Online reports on a system built by government contractor SAIC that sets up a wireless honeypot in order to research and track the hacking methods used in the wild to break into 802.11b networks.

The network has five Cisco access points, a handful of deliberately vulnerable computers as bait, and two omnidirectional high-gain antennas for added range. On the back-end, a logging host gathers detailed connection data from the access points, while a passive 802.11b sniffer with a customized intrusion detection system monitors activity in the wireless neighborhood.

The project hasn't reported significant intrusion attempts in the 6 weeks it has been in operation. However, it is generating enthusiasm in the honeypot community, and may spawn similar projects in other cities.

It's a cool idea, and getting real-world data on black-hat attempts to hack into wireless nets is very important, especially as WiFi use continues to come in the back door of corporate networks. Good intrusion detection tools that use the data gained in these honeypot situations will increase overall wireless LAN security, and projects like this will serve to further inform the world on the security aspects of wireless networks.

However, this also further exposes a nest of legal questions. For example, as Russ Nelson asks on the BAWUG mailing list, "So if I park within range and open up my Win/XP laptop and it DHCPs an address with no intervention on my part, am I guilty of a crime?" In other words, how does one judge intent?

This is not a simple matter to brush off - people like Randal Schwartz got convicted for intrusion, even though he was actually trying to fix a security problem, and a recent report says that a computer security expert living in Houston, TX was indicted on two counts of fraud because he demonstrated to a county official and a newspaper reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.

One final question: As these honeypot hotspots proliferate, will we call them "Honeyspots"?

Posted by dsifry at 10:31 AM | Comments (1) | View blog reactions

July 24, 2002

HereUare almost gone

News.com's Ben Charney reports on HereUare's inability to raise more funding, and its openly frank executive team discussing the sale of the company. Unless a miracle occurs, this probably spells the end of HereUare (and subsidiary WiFiMetro) from an investor point-of-view. When you have two weeks of cash left and your current investors have shut their wallets, you don't have much leverage to negotiate with potential buyers. My prediction: expect a sale of HereUare's assets, somewhere in the $10-20 million (aka fire sale) range.

In the end, this is about business models; HereUare's assumed a strong thriving market where:

  • People were willing to pay for hotspot wireless access
  • People wanted to do this from multiple locations (roaming)
  • People were willing to pay enough to support multiple revenue shares (cafe owner, WISP, HereUare, roaming WISP)

In the end, hotspot access isn't compelling enough for this large a value chain, and it will collapse as carriers move in and offer WiFi public access, probably as part of a mobile voice/data plan. Another option is that smart location owners will use WiFi as a way to pull people into their location by offering it for free. Bandwidth will become a location amenity similar to electricity or bathroom access; know anyone selling pay toilets any more?

"WiFi for customer use only"

Posted by dsifry at 8:20 AM | Comments (1) | View blog reactions

July 16, 2002

Bermai Raises Additional $5 Million in Series A

From Venturewire:

PALO ALTO, Calif. -- Bermai, a developer of integrated semiconductor systems for indoor wireless LAN and outdoor fixed access applications, has raised an additional $5 million in its Series A round of financing. The company plans to announce the funding next week, closing the round at $20 million.

Read the full story (registration required)

Posted by dsifry at 8:19 AM | View blog reactions

July 15, 2002

Update on PEAP and musings on Microsoft's 802.11 strategy

John Lettice over at The Register has written a follow-up article confirming Microsoft's security enhancements to its 802.11 offerings. Funny, I must have been out of coffee last night when I wrote my original post on the subject, but after looking over Microsoft's Cable Guy column again this morning, I saw 2 important points that I had missed.

First off, Microsoft confirmed in the article that the PEAP extension is in Windows XP Service Pack 1. So that moves the discussion out of the rumor category. Second, the folks at Microsoft explained how to set up PEAP and MS-CHAP V2 with an authentication server, simply using the AP as a pass through device.

That eliminates the need for a beefier AP, since the TLS sessions will get set up between the authentication server and the client. It also plays well into Microsoft's best interests, including its "digital hub" strategy, and its recent announcements about "Soft WiFi" where AP functionality will be built into a beefier computer that has an 802.11 radio installed. These strategies hinge on the house having at least one PC sitting on the wired net next to the cable modem/DSL box, and that PC acts as the "digital hub" of the house. Now that box can function as the RADIUS and MS-CHAP-V2 server for secured 802.1x authentication as well. This only fails to work if you've got one computer and a wireless combo box with no home PC in the equation. Hmmm, potential trouble for the combo box manufacturers.

There are a number of issues surrounding the use of a PEAP scheme to protect a home wireless network. First off is the issue of a valid TLS (aka SSL) certificate on the AP; most home networks don't have an internal Certification Authority, which means that MS would have to preinstall a certificate on each box they build, or offer a deal through one of the known public CAs, like Verisign or Baltimore, etc. That costs the end user $$$. Second is the issue of complexity - one of the biggest problems we had even before we found out that WEP was broken was that about 80% of people weren't even using WEP - they just plugged in the AP and didn't change a single out-of-the-box setting. Of course, you can blame the user in that instance, but I think that opening up a new significant vulnerability in a network is something that the vendor should not do, even in the name of simplicity and user friendliness. You gotta work harder than that to make a really compelling product - it should be simple, user friendly, AND secure out-of-the-box.

Next comes the issue of legacy device interoperability. You know, legacy devices like your new Mac TiBook, your Linux box, or that Handspring Treo. The problem with implementing a new handshake protocol into the network connection phase is that all of the devices that haven't been built with that capability obviously can't get on to the network. I'm sure that if MS stays true to form, they'll put out a release of the Pocket PC OS that will have PEAP capabilities.

Of course, you've still got the whole trusted certificate issue to deal with, so if I was Microsoft, I'd start selling inexpensive renewable certificates for these mini-IAS servers. The other option for a home user is to self-sign their certificate, and then go through a manual process of accepting the certificate on each client that will be part of the network. This opens you up to some man-in-the-middle attacks, especially for people who are connecting for the first time, but it is certainly a level of protection higher than what is out there today. The big problem that remains is the geekiness factor - you have to be a geek to use this stuff, sign your own certificates, walk new users through accepting the certificates, and so on, which means that for most home users, this will remain a feature that they leave turned off, fitting squarely into the "silly bunch of checkboxes on that security tab that I just leave unchecked".
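As an added illustration (not code from the original post or from Microsoft), the following Python example models the manual-acceptance step for a self-signed server certificate and shows why the first connection is the weak point, and how checking the fingerprint out of band closes it. The PinStore class, the "home-ias" server name and the certificate byte strings are all constructed for the example.

```python
import hashlib
import hmac


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Per-client record of the certificate each authentication server uses."""

    def __init__(self):
        self._pins = {}  # server name -> pinned fingerprint

    def enroll(self, server: str, expected_fp: str) -> None:
        """Pin a fingerprint obtained out of band (read off the server itself)."""
        self._pins[server] = expected_fp.lower()

    def check(self, server: str, cert_der: bytes) -> str:
        """Return 'first-use', 'match' or 'mismatch' for a presented certificate."""
        seen = fingerprint(cert_der)
        pinned = self._pins.get(server)
        if pinned is None:
            # Nothing to compare against: whoever answers first gets pinned.
            self._pins[server] = seen
            return "first-use"
        return "match" if hmac.compare_digest(pinned, seen) else "mismatch"


# Constructed stand-ins for DER certificate bytes (not real certificates).
HOME_SERVER_CERT = b"constructed-der-bytes: self-signed cert of the home server"
IMPOSTOR_CERT = b"constructed-der-bytes: certificate from some other server"


def demo():
    """Run both enrollment styles against the same pair of certificates."""
    blind = PinStore()  # user clicks "accept" on whatever shows up first
    blind_results = [
        blind.check("home-ias", IMPOSTOR_CERT),     # wrong server answers first
        blind.check("home-ias", HOME_SERVER_CERT),  # real server now looks wrong
    ]
    verified = PinStore()  # user compared the fingerprint shown on the server
    verified.enroll("home-ias", fingerprint(HOME_SERVER_CERT))
    verified_results = [
        verified.check("home-ias", IMPOSTOR_CERT),
        verified.check("home-ias", HOME_SERVER_CERT),
    ]
    return blind_results, verified_results


if __name__ == "__main__":
    print(demo())
```

A client that accepts blindly pins whatever certificate it sees first; a client that was given the fingerprint beforehand rejects the unexpected certificate on the very first connection.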

Of course, that fits nicely into MS' strategy as well - in order to really secure your home network, you need to have a desktop PC plugged into the wall - after all, it is holding all of the music and movies you downloaded off of that cable modem, right? :-)

And your Mac or Linux box won't work, at least not until they have PEAP clients that authenticate against MS-CHAP-V2, and do they have patents on that protocol? Gotta go ask someone on the Samba team...

Sorry, I really have to watch my evil empire bashing. :-)

All in all, considering the market power that Microsoft wields, this is pretty good news - PEAP is an IETF draft standard, and the world does need big players to help push standard strong authentication and security over wireless networks. And of course, that means more people will need good tools to manage those networks.

Posted by dsifry at 7:06 AM | Comments (6) | View blog reactions

July 14, 2002

Set up an 802.11 WAN in Myanmar, go to jail for 7-15 years

The Associated Press reports that Myanmar's military government has made it illegal for companies to operate unlicensed private computer networks linked to their overseas offices.

The 32-point order says those who have already set up WAN services via satellite link or by other technologies must apply for a license, which will be approved or rejected by the communications ministry.

Offenders face seven to 15 years in jail, according to the order published Friday in the state-run Myanmar Ahlin daily.

Will the local Pringles distributor face charges as well? I'll let the chips fall where they may. (OK, enough bad puns for one day)

Posted by dsifry at 10:36 PM | View blog reactions

The Register: MS to use PEAP in new wireless products

The Register reports that Microsoft may ship its newly announced home and office 802.11 gear with Protected Extensible Authentication Protocol (PEAP) support in order to provide secure authenticated access over the wireless connection. PEAP is a form of EAP negotiation that essentially wraps TLS (aka SSL) around an otherwise unencrypted EAP session. Microsoft also has posted its July "Cable Guy" article, entitled "PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access" which goes into more depth on how PEAP works and how to integrate it into a current Windows crypto infrastructure.

So, a few comments: First of all, this does solve a significant problem present today with 802.11 wireless communication, that of performing authentication in a secured fashion, even over an insecure channel. There are a few problems - first of all, each access point must now have a TLS certificate, which is fine if you're VeriSign or if you're shelling out the dough for Microsoft's CA implementation across your organization. Second, it means that the APs need to have the ability to handle multiple TLS sessions at one time, which means significantly more CPU horsepower than is currently associated (sorry, bad pun) with the APs out there. Lastly, it implies that you have PEAP support on the client, which is fine if you're running Windows XP SP1 (rumored to have a PEAP client included in its upcoming release) but is not so good if you're using a more commodity device.

Let's call this a step in the right direction, but still way too complicated for any but the most technically astute geeks.

Posted by dsifry at 10:23 PM | Comments (3) | View blog reactions

July 11, 2002

Microsoft to begin selling WiFi gear

C|NET news reports that Microsoft is building 802.11b wireless home networking products within the same hardware division that creates keyboards and mice (hmmm, some of their best products, btw). This probably denotes a shift in Microsoft's rumored policy to only certify 802.11a/b combo cards with their OS; if they're going to be selling 802.11b access points, they're going to have to certify drivers for those devices as well.

Posted by dsifry at 10:12 AM | View blog reactions

July 8, 2002

Network Computing reviews 802.11a APs

Network Computing reviews the state of 802.11a gateways. Their winner was a Proxim Harmony, a fairly expensive unit at $695. Netgear and Linksys had poorly performing units, costing well under $400 (for the SOHO market). The Netgear is powered by an Atheros chipset, but I'm unsure what 802.11a chipsets the other products use. UPDATE: Jim Thompson (Musenki wizard and former CTO of Wayport), notes that all of the reviewed designs are based off of the Atheros reference design.

Posted by dsifry at 1:26 PM | View blog reactions

July 3, 2002

Business Week on the Mesh

Business Week reports on the ways WiFi is putting broadband power in the hands of the people, and goes on to speculate on how this could reshape the broadband oligopoly. Personally, I think that citizen-controlled broadband access is a wonderful idea - but there are two issues (also read opportunities) here as well:

  • Interconnect to the Internet: Which means that if people are going to violate their AUPs, oligopolies will attempt to squash them or at least paint them in a negative light. Note how the conversation in the mainstream media falls into the classic "Robin Hood" mold, talking about stealing from the bandwidth-rich and giving to the rest of us.
  • Management of the mesh: Until enough of these devices make their way into people's hands, there will be reliability problems and poor user experiences for the non-techie. And when deployment does become widespread, interference and spectrum use become an issue, especially in dense urban environments. For broadband to really reach all of the urban areas in the country, we're going to need much smarter devices and we're going to need some (loose-handed) management, especially at the network interconnect points. That takes time and energy, which means money.

Community broadband activists: We need to be careful about how the media portrays us, lest we become painted with the same "hacker, cracker, pirate, lawbreaker" brush that the MPAA and RIAA love to paint users of file swapping services and internet radio. This starts with terminology and concrete example. Why do we call it wardriving, for example? Or Warchalking? Well, it sounds cool, and we techies like the sounds of the terms. It sounds cool and dangerous. But it plays into the monopolist's hands.

We can battle this. Get involved in, and promote a low-income or egalitarian use of WiFi, like a project to wire towns in the Dominican Republic or set up wireless access at your local library.

Besides, it'll feel good helping out, too.

Posted by dsifry at 2:46 PM | Comments (1) | View blog reactions

July 2, 2002

WiFi Cartoons

This is just too funny. And while we're on the topic of Joy of Tech, get this little Stallman pleaser.

Posted by dsifry at 6:09 PM | View blog reactions