<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><div>Two good articles on =
this:</div><div><br></div><div><a =
href="http://www.formortals.com/Default.aspx?tabid=36&EntryID=11=
9">http://www.formortals.com/Default.aspx?tabid=36&EntryID=119</a>=
</div><div><br></div><div><a =
href="http://erratasec.blogspot.com/2008/10/wpa-is-not-obsolete.html">ht=
tp://erratasec.blogspot.com/2008/10/wpa-is-not-obsolete.html</a></div><div=
><br></div><div><br></div><br><div><div>On Oct 13, 2008, at 1:56 PM, =
David Hinkle wrote:</div><br =
class="Apple-interchange-newline"><blockquote type="cite"> <div> =
<!-- Converted from text/plain format --><p><font size="2">WPA in all =
it's mutant forms probably isn't going away any time soon, but it =
arguable should never have been born. For day to day applications =
such as playing world of warcraft and picking up girls on the internet =
it's fine, but if you really need to keep something confidential you =
should be using something with a lot longer history and a lot more =
research behind it.<br> <br> Wep was always a hack, and will always be a =
hack, the purpose of which is only to give lip service to security =
without having to build AP's with enough horse power to do real =
encryption. Whatever parts of the standard may or may not have =
been broken at any given time is irrelevant, it'll all get broken sooner =
rather than later anyway. The golden rule: Anyone smart =
enough to design their own secure crypto system knows better than to do =
so. If the people who designed WEP were smart enough to =
build a secure encryption system they would have done so by deploying =
IPSEC.<br> <br> David<br> <br> <br> -----Original Message-----<br> From: =
<a href="mailto:qclug-bounces@qclug.org">qclug-bounces@qclug.org</a> =
on behalf of Chris Cooper<br> Sent: Mon 10/13/2008 1:41 PM<br> To: <a =
href="mailto:qclug@qclug.org">qclug@qclug.org</a><br> Subject: Re: =
[QCLUG] Recent article on Slashdot and VPN setup<br> <br> The WPA2 =
standard is far from dead. This only applies to WPA/WPA2 PSK<br> =
(Pre-Shared Key). It has no effect on WPA-EAP (or any =
variation<br> thereof). If you use a radius server for WPA =
Authentication, this<br> article means nothing.<br> <br> Hardware =
assisted WPA-PSK cracking is nothing new. coWPAtty (a<br> popular =
WPA cracking utility) already has support for FPGA hardware<br> =
acceleration. What they did was simply alter the code to use the =
new<br> NVida API (the NVidia in API mode acts almost like an FPGA for =
the<br> heavy floating point math required by RC4 and AES =
encryption).<br> <br> Back in May, Lockheed used the Playstation 3 Cell =
processor to do the same:<br> <a =
href="http://www.networkcomputing.com/blog/dailyblog/archives/2008/05/lo=
ckheed_breaks.html">http://www.networkcomputing.com/blog/dailyblog/archive=
s/2008/05/lockheed_breaks.html</a><br> <br> This really isn't anything =
new, just a new application. Even at that,<br> it is still just =
brute forcing. This isn't like WEP where they found<br> design =
flaws that let them derive the keys.<br> Given enough processing power, =
any encryption is trivialized. The<br> 3DES standard once used by =
Linux crypt() is just as cryptographically<br> sound as AES. The =
only difference is AES can use larger keys at the<br> cost of MUCH =
greater processing power. This increases the time<br> required to =
exhaust the entire keyspace during a brute force attack.<br> As =
computers get faster and faster, and the average core count becomes<br> =
greater, all of our current encryption standards will become<br> =
trivialized, much the way 3DES has.<br> <br> As Arron pointed out, it =
really just boils down to password strength.<br> A great password =
generator and site explaining password strength and<br> complexity =
is:<br> <a =
href="https://www.grc.com/passwords.htm">https://www.grc.com/passwords.h=
tm</a><br> <br> <br> <br> On Mon, Oct 13, 2008 at 10:11 AM, Arron Lorenz =
<<a href="mailto:arronlorenz@gmail.com">arronlorenz@gmail.com</a>> =
wrote:<br> > I also should mention that in Soviet Russia you don't crack =
WPA, WPA CRACKS<br> > YOU!!<br> ><br> > On Mon, Oct 13, 2008 at 10:07 =
AM, Arron Lorenz <<a =
href="mailto:arronlorenz@gmail.com">arronlorenz@gmail.com</a>><br> > =
wrote:<br> >><br> >> I read the article you mentioned and the method for =
cracking is still the<br> >> same method they just figured out that if =
you use hundreds/thousands of<br> >> networked pc's that it goes =
faster.<br> >> From the article:<br> >> "The 100-fold increase in =
speed is achieved with two GeForce GTX280's per<br> >> workstation"<br> =
>> Now that is two (2) Nvidia GTX 280's per workstation. They also said =
you<br> >> would need 20 of these workstations.<br> >><br> >> They also =
mentioned in the article that:<br> >> "This will, of course, mainly =
affect simple ascii keys. And it will only<br> >> work against static =
keys; anyone using more complicated authentication<br> >> schemes will =
not be at risk for now. But since that takes a couple of extra<br> >> =
minutes when installing, smaller businesses or departments often =
skip<br> >> setting this up."<br> >> I hope that no one is using simple =
keys for their passwords. "abcd1234"<br> >> will be cracked quickly =
whereas "a^b#c$d*1.2,3?4" will take a lot longer.<br> >> original<br> >> =
article: <a =
href="http://securityandthe.net/2008/10/12/russian-researchers-achieve-1=
00-fold-increase-in-wpa2-cracking-speed/">http://securityandthe.net/2008/1=
0/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-speed/=
</a><br> >> So I would say make sure your WPA keys are updated to a good =
password.<br> >> Make sure that you change it regularly (The Ron Popeil =
"Set it and forget<br> >> it" method of security is not good). Also =
don't put important financial data<br> >> over wireless. I also would =
make sure to not piss off anyone with $20,000 in<br> >> top of the line =
nvidia graphics cards.<br> >> Thanks,<br> >> Arron<br> >><br> >><br> >> =
On Mon, Oct 13, 2008 at 9:46 AM, Mark Riedesel <<a =
href="mailto:mriedesel@gmail.com">mriedesel@gmail.com</a>><br> >> =
wrote:<br> >>><br> >>> Those ingenious Russians. I plan to be there!<br> =
>>><br> >>> On Mon, Oct 13, 2008 at 9:18 AM, agamotto <<a =
href="mailto:agamotto@sbcglobal.net">agamotto@sbcglobal.net</a>> =
wrote:<br> >>>><br> >>>> I =
read last night that apparently gfx cards can now be used to<br> >>>> =
hack WEP and WPA networks with relative ease. Anyone coming to the =
meeting<br> >>>> tomorrow care to discuss setting up a VPN with the =
usual DSL or Cable<br> >>>> router/modem setup? I am a bit =
confused as to where the VPN sits in terms<br> >>>> of setup.<br> =
>>>><br> >>>> I figured this =
might be a good discussion topic!<br> >>>><br> >>>> =
_______________________________________________<br> >>>> QCLUG mailing =
list<br> >>>> <a href="mailto:QCLUG@qclug.org">QCLUG@qclug.org</a><br> =
>>>> <a =
href="http://qclug.org/mailman/listinfo/qclug">http://qclug.org/mailman/=
listinfo/qclug</a><br> >>><br> >><br> >><br> >><br> >> --<br> >> =
From:<br> >> Arron James Lorenz<br> >> Reel to Reel Drive In<br> >> <a =
href="http://www.DavenportDriveIn.com">http://www.DavenportDriveIn.com</=
a><br> >> 563-579-7046<br> ><br> ><br> ><br> > --<br> > From:<br> > =
Arron James Lorenz<br> > Reel to Reel Drive In<br> > <a =
href="http://www.DavenportDriveIn.com">http://www.DavenportDriveIn.com</=
a><br> > 563-579-7046<br> ><br> =
_______________________________________________<br> QCLUG mailing =
list<br> <a href="mailto:QCLUG@qclug.org">QCLUG@qclug.org</a><br> <a =
href="http://qclug.org/mailman/listinfo/qclug">http://qclug.org/mailman/=
listinfo/qclug</a><br> <br> </font> </p> </div> =
</blockquote></div><br><div apple-content-edited="true"> <span =
class="Apple-style-span" style="border-collapse: separate; color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: =
normal; font-variant: normal; font-weight: normal; letter-spacing: =
normal; line-height: normal; orphans: 2; text-align: auto; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; -webkit-border-horizontal-spacing: 0px; =
-webkit-border-vertical-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><div>Dave Bergert</div><div><a =
href="mailto:dbergert@gmail.com">dbergert@gmail.com</a></div><div><br =
class="webkit-block-placeholder"></div></div></span><br =
class="Apple-interchange-newline"> </div><br></body></html>=