<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; =
charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version =
6.5.7652.24">
<TITLE>RE: [QCLUG] Recent article on Slashdot and VPN setup</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>WPA in all it's mutant forms probably isn't going away =
any time soon, but it arguable should never have been born. For =
day to day applications such as playing world of warcraft and picking up =
girls on the internet it's fine, but if you really need to keep =
something confidential you should be using something with a lot longer =
history and a lot more research behind it.<BR>
<BR>
Wep was always a hack, and will always be a hack, the purpose of which =
is only to give lip service to security without having to build AP's =
with enough horse power to do real encryption. Whatever parts of =
the standard may or may not have been broken at any given time is =
irrelevant, it'll all get broken sooner rather than later anyway. =
The golden rule: Anyone smart enough to design their own secure =
crypto system knows better than to do so. If the people who =
designed WEP were smart enough to build a secure encryption system they =
would have done so by deploying IPSEC.<BR>
<BR>
David<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: qclug-bounces@qclug.org on behalf of Chris Cooper<BR>
Sent: Mon 10/13/2008 1:41 PM<BR>
To: qclug@qclug.org<BR>
Subject: Re: [QCLUG] Recent article on Slashdot and VPN setup<BR>
<BR>
The WPA2 standard is far from dead. This only applies to WPA/WPA2 =
PSK<BR>
(Pre-Shared Key). It has no effect on WPA-EAP (or any =
variation<BR>
thereof). If you use a radius server for WPA Authentication, =
this<BR>
article means nothing.<BR>
<BR>
Hardware assisted WPA-PSK cracking is nothing new. coWPAtty (a<BR>
popular WPA cracking utility) already has support for FPGA hardware<BR>
acceleration. What they did was simply alter the code to use the =
new<BR>
NVida API (the NVidia in API mode acts almost like an FPGA for the<BR>
heavy floating point math required by RC4 and AES encryption).<BR>
<BR>
Back in May, Lockheed used the Playstation 3 Cell processor to do the =
same:<BR>
<A =
HREF="http://www.networkcomputing.com/blog/dailyblog/archives/2008/05/l=
ockheed_breaks.html">http://www.networkcomputing.com/blog/dailyblog/archi=
ves/2008/05/lockheed_breaks.html</A><BR>
<BR>
This really isn't anything new, just a new application. Even at =
that,<BR>
it is still just brute forcing. This isn't like WEP where they =
found<BR>
design flaws that let them derive the keys.<BR>
Given enough processing power, any encryption is trivialized. =
The<BR>
3DES standard once used by Linux crypt() is just as =
cryptographically<BR>
sound as AES. The only difference is AES can use larger keys at =
the<BR>
cost of MUCH greater processing power. This increases the time<BR>
required to exhaust the entire keyspace during a brute force attack.<BR>
As computers get faster and faster, and the average core count =
becomes<BR>
greater, all of our current encryption standards will become<BR>
trivialized, much the way 3DES has.<BR>
<BR>
As Arron pointed out, it really just boils down to password =
strength.<BR>
A great password generator and site explaining password strength and<BR>
complexity is:<BR>
<A =
HREF="https://www.grc.com/passwords.htm">https://www.grc.com/passwords.=
htm</A><BR>
<BR>
<BR>
<BR>
On Mon, Oct 13, 2008 at 10:11 AM, Arron Lorenz =
<arronlorenz@gmail.com> wrote:<BR>
> I also should mention that in Soviet Russia you don't crack WPA, =
WPA CRACKS<BR>
> YOU!!<BR>
><BR>
> On Mon, Oct 13, 2008 at 10:07 AM, Arron Lorenz =
<arronlorenz@gmail.com><BR>
> wrote:<BR>
>><BR>
>> I read the article you mentioned and the method for cracking is =
still the<BR>
>> same method they just figured out that if you use =
hundreds/thousands of<BR>
>> networked pc's that it goes faster.<BR>
>> From the article:<BR>
>> "The 100-fold increase in speed is achieved with two =
GeForce GTX280's per<BR>
>> workstation"<BR>
>> Now that is two (2) Nvidia GTX 280's per workstation. They also =
said you<BR>
>> would need 20 of these workstations.<BR>
>><BR>
>> They also mentioned in the article that:<BR>
>> "This will, of course, mainly affect simple ascii keys. =
And it will only<BR>
>> work against static keys; anyone using more complicated =
authentication<BR>
>> schemes will not be at risk for now. But since that takes a =
couple of extra<BR>
>> minutes when installing, smaller businesses or departments =
often skip<BR>
>> setting this up."<BR>
>> I hope that no one is using simple keys for their passwords. =
"abcd1234"<BR>
>> will be cracked quickly whereas "a^b#c$d*1.2,3?4" =
will take a lot longer.<BR>
>> original<BR>
>> article: <A =
HREF="http://securityandthe.net/2008/10/12/russian-researchers-achieve-=
100-fold-increase-in-wpa2-cracking-speed/">http://securityandthe.net/2008=
/10/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-spe=
ed/</A><BR>
>> So I would say make sure your WPA keys are updated to a good =
password.<BR>
>> Make sure that you change it regularly (The Ron Popeil =
"Set it and forget<BR>
>> it" method of security is not good). Also don't put =
important financial data<BR>
>> over wireless. I also would make sure to not piss off anyone =
with $20,000 in<BR>
>> top of the line nvidia graphics cards.<BR>
>> Thanks,<BR>
>> Arron<BR>
>><BR>
>><BR>
>> On Mon, Oct 13, 2008 at 9:46 AM, Mark Riedesel =
<mriedesel@gmail.com><BR>
>> wrote:<BR>
>>><BR>
>>> Those ingenious Russians. I plan to be there!<BR>
>>><BR>
>>> On Mon, Oct 13, 2008 at 9:18 AM, agamotto =
<agamotto@sbcglobal.net> wrote:<BR>
>>>><BR>
>>>> I read last =
night that apparently gfx cards can now be used to<BR>
>>>> hack WEP and WPA networks with relative ease. =
Anyone coming to the meeting<BR>
>>>> tomorrow care to discuss setting up a VPN with the =
usual DSL or Cable<BR>
>>>> router/modem setup? I am a bit confused as to =
where the VPN sits in terms<BR>
>>>> of setup.<BR>
>>>><BR>
>>>> I figured =
this might be a good discussion topic!<BR>
>>>><BR>
>>>> _______________________________________________<BR>
>>>> QCLUG mailing list<BR>
>>>> QCLUG@qclug.org<BR>
>>>> <A =
HREF="http://qclug.org/mailman/listinfo/qclug">http://qclug.org/mailman=
/listinfo/qclug</A><BR>
>>><BR>
>><BR>
>><BR>
>><BR>
>> --<BR>
>> From:<BR>
>> Arron James Lorenz<BR>
>> Reel to Reel Drive In<BR>
>> <A =
HREF="http://www.DavenportDriveIn.com">http://www.DavenportDriveIn.com<=
/A><BR>
>> 563-579-7046<BR>
><BR>
><BR>
><BR>
> --<BR>
> From:<BR>
> Arron James Lorenz<BR>
> Reel to Reel Drive In<BR>
> <A =
HREF="http://www.DavenportDriveIn.com">http://www.DavenportDriveIn.com<=
/A><BR>
> 563-579-7046<BR>
><BR>
_______________________________________________<BR>
QCLUG mailing list<BR>
QCLUG@qclug.org<BR>
<A =
HREF="http://qclug.org/mailman/listinfo/qclug">http://qclug.org/mailman=
/listinfo/qclug</A><BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>