Cool, I've taken the well-designed mt-search package and added it to this blog, so now you have search capabilities, either on the upper right hand corner of each page, or a more advanced search available. This is all built in perl and integrates pretty nicely with Movable Type's core. Heck, it can even handle regular expressions for the geeky.

In Doc Searls' blog on Wednesday, he asked me how I felt about using Wireless Access Reconnaissance as an acronym fill-in for all of the war- prefixes currently in vogue around WiFi, like Wardriving, Warchalking, Warwalking, Warbiking, etc., etc, etc.

Frankly, I don't like the use of the prefix at all, and I encourage people to think of better words when describing the community usage ofwireless broadband access, because like it or not, these military analogies only server to heighten the "cracker, hacker, lawbreaker" image that has become associated with wireless community activists in many of the mainstream press.

I suppose if we're going to put an acronym around the WAR prefix post-hoc, I'd rather use:

Wireless Activist Reality

Enjoy the meme.

802.11Planetreports on what analysts are saying about WLANs in the next few years. Some snippets:

WLAN product sales for businesses are up, as high as 175%, and will continue to grow another 60% in 2002. Revenues will only increase 7% this year as the price on 802.11-based equipment, even the newer 802.11a products, continues to plummet. Cisco's domination of the business WLAN hardware market is shifting somewhat as Linksys, Agere, and Buffalo Technologies top the total units shipped and 802.11a/b combo NICs will be the driving force for network adapters going forward.

SecurityFocus Online reportson a system built by government contractor SAIC that sets up a wireless honeypot in order to research and track the hacking methods used in the wild to break into 802.11b networks.

The network has five Cisco access points, a handful of deliberately vulnerable computers as bait, and two omnidirectional high-gain antennas for added range. On the back-end, a logging host gathers detailed connection data from the access points, while a passive 802.11b sniffer with a customized intrusion detection system monitors activity in the wireless neighborhood.

The project hasn't reported significant intrusion attempts in the 6 weeks it has been in operation. However, it is generating enthusiasm in the honeypot community, and may spawn similar projects in other cities.

It's a cool idea, and getting real-world data on black-hat attempts to hack into wireless nets is very important, especially as WiFi use continues to come in the back door of corporate networks. Good intrusion detection tools that use the data gained in these honetpot situations will increase overall wireless LAN security, and projects like this will serve to further inform the world on the security aspects of wireless networks.

However, this also further exposes a nest of legal questions. For example, as Russ Nelson asks on the BAWUG mailing list, "So if I park within range and open up my Win/XP laptop and it DHCPs an address with no intervention on my part, am I guilty of a crime?" In other words, how does one judge intent?

This is not a simple matter to brush off - People like Randall Schwartz got convicted for intrusion, even though he was actually trying to fix a security problem, and a recent report that a computer security expert living in Houston, TX was indicted on two counts of fraud because he demonstrated to a county official and a newspaper reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.

One final question: As these honeypot hotspots proliferate, will we call them "Honeyspots"?

News.com's Ben Charney reports on HereUare's inability to raise more funding, and it's openly frank executive teamdiscussing the sale of the company. Unless a miracle occurs, this probably spells the end of HereUare (and subsidiary WiFiMetro) from an investor point-of-view. When you have two weeks of cash left and your current investors have shut their wallets, you don't have much leverage to negotiate with potential buyers. My prediction: expect a sale of HereUare's assets, somewhere in the $10-20 million (aka fire sale) range.

In the end, this is about business models; HereUare's assumed a strong thriving market where:

• People were willing to pay for hotspot wireless access
• People wanted to do this from multiple locations (roaming)
• People were willing to pay enough to support multiple revenue shares (cafe owner, WISP, HereUare, roaming WISP)

In the end, hotspot access isn't compelling enough for this large a value chain, and it will collapse as carriers move in and offer WiFi public access, probably as part of a mobile voice/data plan. Another option is that smart location owners will use WiFi as a way to pull people into their location by offering it for free. Bandwidth will become a location amenity similar to electricity or bathroom access; Know anyone selling pay toilets any more?

"WiFi for customer use only"

From Venturewire:

PALO ALTO, Calif. -- Bermai, a developer of integrated semiconductor systems for indoor wireless LAN and outdoor fixed access applications, has raised an additional $5 million in its Series A round of financing. The company plans to announce the funding next week, closing the round at $20 million.

Read the full story (registration required)

John Lettice over at The Register has written a follow-up article confirming Microsoft's security enhancements to its 802.11 offerings. Funny, I must have been out of coffee last night when I wrote my original post on the subject, but after looking over Microsoft's Cable Guy column again this morning, I saw 2 important points that I had missed.

First off, Microsoft confirmed in the article that the PEAP extension is in Windows XP Service Pack 1. So that moves the discussion out of the rumor category. Second, the folks at Microsoft explained how to set up PEAP and MS-CHAP V2 with an authentication server, simply using the AP as a pass through device.

That eliminates the need for a beefier AP, since the TLS sessions will get set up between the authentication server and the client. It also plays well into Microsoft's best interests, including its "digital hub" strategy, and its recent announcements about "Soft WiFi" where AP functionality will be built into a beefier computer that has an 802.11 radio installed. These strategies hinge on the house having at least one PC sitting on the wired net next to the cable modem/DSL box, and that PC acts as the "digital hub" of the house. Now that box can function as the RADIUS and MS-CHAP-V2 server for secured 802.1x authentication as well. This only fails to work if you've got one computer and a wireless combo box with no home PC in the equation. Hmmm, potential trouble for the combo box manufacturers.

There are a number of issues surrounding the use of a PEAP scheme to protect a home wireless network. First off is the issue of a valid TLS (aka SSL) certificate on the AP; most home networks don't have an internal Certification Authority, which menas that MS would have to preinstall a certificate on each box they build, or offer a deal through one of the known public CAs, like Verisign or Baltimore, etc. That costs the end user $$$. Second is the issue of complexity - one of the biggest problems we had even before we found out that WEP was broken was that about 80% of people weren't even using WEP - they just plugged in the AP and didn't change a single out-of-the-box setting. Of course, you can blame the user in that instance, but I think tha opening up a new significant vulnerability in a network is something that the vendor should not do, even in the name of simplicity and user friendliness. You gotta work harder than that to make a really compelling product - it should be simple, user friendly, AND secure out-of-the-box.

Next comes the issue of legacy device interoperability. You know, legacy devices like your new Mac TiBook, your Linux box, or that handspring Treo. The problems with implementing a new handshake protocol into the network connection phase is that all of the devices that haven't been built with that capability obviously can't get on to the network. I'm sure that if MS stays true to form, they'll put out a release of the Pocket PC OS that will have PEAP capabilities.

Of course, you've still got the whole trusted certificate issue to deal with, so if I was Microsoft, I'd start selling inexpensive renewable certificates for these mini-IAS servers. The other option for a home user is to self-sign their certificate, and then go through a manual process of accepting the certificate on each client that will be part of the network. This opens you up to some man-in-the-middle attacks, especially for people who are connecting for the first time, but it is certainly a level of protection higher than what is out there today. The big problem remains is the geekiness factor - you have to be a geek to use this stuff, sign your own certificates, walk new users through accepting the certificates, and so on, which menas that for most home users, this will remain a feature that they leave turned off, fitting squarely into the "silly bunch of checkboxes on that security tab that I just leave unchecked".

Of course, that fits nicely into MS' strategy as well - in order to really secure your home network, you need to have a desktop PC plugged into the wall - after all, it is holding all of the music and movies you downloaded off of that cable modem, right? :-)

And your Mac or Linux box won't work, at least not until they have PEAP clients that authenticate against MS-CHAP-V2, and do they have patents on that protocol? Gotta go ask someone on the Samba team...

Sorry, I really have to watch my evil empire bashing. :-)

All in all, considering the market power that Microsoft wields, this is pretty good news - PEAP is an IETF draft standard, and the world does need big players to help push standard strong authentication and security over wireless networks. And of course, that means more people will need good tools to manage those networks.

The Associated Press reports that Myanmar's military government has made it illegal for companies to operate unlicensed private computer networks linked to their overseas offices.

The 32-point order says those who have already set up WAN services viasatellite link or by other technologies must apply for a license, which will be approved or rejected by the communications ministry.

Offenders face seven to 15 years in jail, according to the order published Friday in the state-run Myanmar Ahlin daily.

Will the local Pringles distributor face charges as well? I'll let the chips fall where they may. (OK, enough bad puns for one day)

The Register reportsthat Microsoft may ship its newly announced home and office 802.11 gear with Protected Extensible Authentication Protocol (PEAP) support in order to provide secure authenticated access over the wireless connection. PEAP is a form of EAP negotiation that essentially wraps TLS (aka SSL) around an otherwise unencrypted EAP session. Microsoft also has posted its July "Cable Guy" article, entitled "PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access" which goes into more depth on how PEAP works and how to integrate it into a current Windows crypto infrastructure.

So, a few comments: First of all, this does solve a significant problem present today with 802.11 wireless communication, that of performing authentication in a secured fashion, even over an insecure channel. There are a few problems - first of all, each access point must now have a TLS certificate, which is fine if you're VeriSign or if you're shelling out the dough for Microsoft's CA implementation across your organization. Second, it means that the APs need to have the ability to handle multiple TLS sessions at one time, which means significantly more CPU horsepower than is currently associated (sorry, bad pun) with the APs out there. Lastly, it implies that you have PEAP support on the client, which is fine if you're running Windows XP SP1 (rumored to have a PEAP client incluided in its upcoming release) but is not so good if you're using a more commodity device.

Let's call this a step in the right direction, but still way too complicated for any but the most technically astute geeks.

C|NET news reportsthat Microsoft is building 802.11b wireless home networking products within the same hardware division that creates keyboards and mice (hmmm, some of their best products, btw). This probably denotes a shift in Microsoft's rumored policy to only certify 802.11a/b combo cards with their OS; if they're going to be selling 802.11b access points, they're going to have to certify drivers for those devices as well.