
Monday, August 9, 2010

Security fix for wireless

Things are looking up on the wireless-networking front.

First and foremost, it looks as though a relatively quick and painless fix may be in the offing for the security problems hanging over the hot wireless technology known as 802.11 -- a.k.a. Wi-Fi, or wireless Ethernet or, depending on your vendor, AirThis or AirThat.
In recent months, you'll recall, cryptographers have identified a series of flaws in the options the IEEE 802.11 spec provides for protecting network traffic from snoopers.

Last month the problem reached crisis proportions, when a team of internationally renowned experts published a paper detailing a gaping hole in WEP, the standard's data-encryption scheme. At least two teams of programmers quickly followed up by posting downloadable programs that make it easy to exploit the newly revealed flaw.

Now, you may not care whether anyone is eavesdropping on your e-mail and Web surfing. Or you may calculate, as I usually do, that you're safe simply because no one is likely to care enough about your boring existence to bother.

But if you're not willing to run that risk, the only prudent assumption at this point, as I noted here last week, is that anything you send over 802.11 is vulnerable to interception -- even if you have all the protocol's standard security mechanisms turned on.

As a team of scientists at NASA's Ames Research Center put it in a press release they issued last week to announce their own home-grown solution, they "decided not to depend on any security provisions bundled with 802.11b products." Instead, they began from "the premise that the network itself provides no reliable authentication and no security from eavesdropping."

(Of course, NASA can afford to take that position, because it has staffers who can develop their own alternative. All they needed, according to the release, was an off-the-shelf PC, some freeware Unix utilities and 40 hours of coding by two security experts. For those of us who don't have such talent at hand, the choices for now are badly flawed security or none at all. In that context "badly flawed" is probably preferable if you're concerned at all about privacy.)

TGI TO THE RESCUE: Even before WEP's vulnerability became public knowledge, the IEEE committee responsible for the 802.11 specification had a task force known as Task Group i developing plans to beef up the standard's security section.

But one of the schemes they were planning, known as WEP2, turned out to be just as vulnerable as the original version to the hack disclosed last month. An alternative encryption technology they were proposing was much more secure, but probably would not have worked on existing 802.11 cards. And the access-control scheme they were working on would require a special back-end authentication server -- something few small offices, let alone home users, are likely to have or want to get involved with.

As recently as a month ago, it appeared that products incorporating the improved security standard -- called 802.11i -- wouldn't be available until the second quarter of next year, or even later. And there were serious doubts as to whether cards and base stations manufactured before that would be upgradable to the new standard.

Here's where we finally get to the good news I promised: In response to the crisis, TGi convened a special session in Seattle last week. Four proposals were submitted for fixing the WEP problem, and while they differ in detail, they're sufficiently similar that it shouldn't be hard to hammer out a single unified plan, according to Dennis Eaton, vice chairman of the Wireless Ethernet Compatibility Alliance, the trade association that represents 802.11 vendors.

All four proposals provide a secure solution to all of the vulnerabilities so far identified, according to Eaton, who also chairs the alliance's technical and security committees. All four would work automatically, transparent to users. And they should have little or no negative effect on network speed, he said.

All four plans were also designed to work on existing Wi-Fi cards and base stations or access points, with only software and firmware updates required, according to Eaton. (Of course, he hastened to add, backward compatibility is "not a done deal" -- there can't be any guarantees until a unified proposal is completed and tested -- but "we're trying like heck" to deliver it.)

As to timing, the group voted unanimously to offer its interim solution without waiting for the full, next-generation security spec to be completed. With luck the fix should be ready this fall.

That may mean it will never be part of an official wireless standard, but under that scenario TGi would hand it off to the 802.11 trade group, which would make it part of the test suite it uses as the criterion for awarding its "Wi-Fi" compatibility certification. Because virtually all vendors of 802.11 products already submit them to that process, the alliance's endorsement would make the security fix a de facto standard.

In other words, if all goes well, the current crisis could be just a bad memory within a matter of months -- perhaps in time for the holiday gift-shopping season. Last year Bill Gates reportedly gave 802.11 cards as Christmas presents. This year tens of thousands may follow his example -- and the recipients shouldn't have to worry about anyone intercepting their mail.

THE BIG GUN: Meanwhile, 802.11 also got a double-barreled endorsement from Intel last week.

The chipmaker has marketed 802.11 products for corporate customers since last year, but for the consumer market it was until recently committed to a rival technology called HomeRF. Last week, however, Intel announced a full line of consumer 802.11 products, which it will market as the AnyPoint II Wireless series.

The line includes a PC Card for notebooks, a USB adapter for desktops and a gateway or base station, all of which are competitively priced. (Details at www.intel.com/anypoint.)

(By the way, I erred a few weeks ago in saying that cards are useless without a base station. Any desktop or notebook PC with both an 802.11 card and a wired Internet connection can function as a base station. I don't usually recommend that approach because it means that PC has to be on for anyone else to get online wirelessly, but it does save some money.)

I haven't yet had a chance to try the Intel products -- they won't actually be in the stores for another week or two -- but I was impressed with what I saw in a demo last week. The setup software is the simplest I've seen this side of Apple's.

For now, Intel's products use only the flawed security mechanisms in the current 802.11 spec, but the company has paid attention to the problem. The products are the first I know of that ship with WEP encryption turned on. And while many vendors' software provides a default network ID, which most users never change and which hackers therefore have no trouble guessing, Intel's software prompts the user during setup to provide a unique name.

An even more important indicator of the company's enthusiasm for 802.11 came from Sean Maloney, a rising star in the company's management who recently assumed the title of executive vice president and general manager of Intel Communications Group.

In a meeting with reporters at last week's Intel Developer Forum, he declared that 802.11 has already won out as the standard for the wireless portions of the giant Ethernet network he predicted will eventually circle the globe. "Bluetooth," he said, "is in full retreat."

(Intel's PR staffers later called to explain that he was talking only about Internet access and that Intel still views Bluetooth as a complementary technology with an important role to play for other applications, such as connecting phones and handheld organizers. But Maloney himself didn't bother to make any such distinction.)

He also suggested that Intel is likely to get into the business of making 802.11 chips. It won't bother with the current version, called 802.11b, but 802.11a, a faster version expected to come to market next year, "starts to look very interesting," and Intel already has hundreds of engineers working on it.

Given Intel's resources and experience in high-volume chip production, that sounds like a challenge for the current leader in the fledgling 802.11a market, a Sunnyvale startup called Atheros Communications. But Intel's commitment should also mean declining prices, continuing technical progress and mainstream support for a technology that's already the most exciting innovation to hit computing in many a year.
