Squeezebox and WEP



Rod Savard
2004-01-11, 10:52
This and other info I've seen disagrees that shared is more secure:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&safe=off&selm=eLON9.439791%24%25m4.130411%40rwcrnsc52.ops.asp.att.net

TinyURL of above:

http://tinyurl.com/3y8cg

-Rod

> -----Original Message-----
> From: discuss-bounces (AT) lists (DOT) slimdevices.com [mailto:discuss-
> bounces (AT) lists (DOT) slimdevices.com] On Behalf Of dean blackketter
> Sent: Sunday, January 11, 2004 9:49 AM
> To: Slim Devices Discussion
> Subject: [slim] Squeezebox and WEP
>
> Actually, that's backwards. Shared-Key is, theoretically, more secure.
>
> Open-System authentication doesn't use WEP to authenticate users, it
> just accepts the identity of the mobile station at face value. Support
> for Shared-Key authentication is required for stations that implement
> WEP. (This is from the O'Reilly 802.11 Wireless Networks book by
> Matthew Gast, which has more details.)
>
> Apple started requiring Shared-Key authentication in a recent update to
> their access points. Do you have a device that doesn't have the
> option to support Shared-Key encryption?
>
>
> On Jan 10, 2004, at 1:18 PM, Rod Savard wrote:
>
> >> You are right, shared authentication is not any more secure. It
> >> doesn't
> >
> > It's actually a tad less secure from what I understand...
> >
> >> matter so much though, since breaking the WEP key using AirSnort is
> >> easy enough already.
> >
> > True... but they still have to gather millions of packets, right?
> > Maybe
> > that's not so difficult with my slimp3 playing all the time. :-)
> >
> > -Rod
> >
> >

dean
2004-01-11, 11:05
Ah, I see.

The good news is that Sean's going to make the player try both to
connect.

The bad news is that the point is really pretty moot, 802.11 with WEP
isn't terribly secure either way.

-dean

On Jan 11, 2004, at 9:52 AM, Rod Savard wrote:

> This and other info I've seen disagrees that shared is more secure:
>
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&safe=off&selm=eLON9.439791%24%25m4.130411%40rwcrnsc52.ops.asp.att.net
>
> TinyURL of above:
>
> http://tinyurl.com/3y8cg
>
> -Rod
>
>> -----Original Message-----
>> From: discuss-bounces (AT) lists (DOT) slimdevices.com [mailto:discuss-
>> bounces (AT) lists (DOT) slimdevices.com] On Behalf Of dean blackketter
>> Sent: Sunday, January 11, 2004 9:49 AM
>> To: Slim Devices Discussion
>> Subject: [slim] Squeezebox and WEP
>>
>> Actually, that's backwards. Shared-Key is, theoretically, more
>> secure.
>>
>> Open-System authentication doesn't use WEP to authenticate users, it
>> just accepts the identity of the mobile station at face value.
>> Support
>> for Shared-Key authentication is required for stations that implement
>> WEP. (This is from the O'Reilly 802.11 Wireless Networks book by
>> Matthew Gast, which has more details.)
>>
>> Apple started requiring Shared-Key authentication in a recent update
>> to
>> their access points. Do you have a device that doesn't have the
>> option to support Shared-Key encryption?
>>
>>
>> On Jan 10, 2004, at 1:18 PM, Rod Savard wrote:
>>
>>>> You are right, shared authentication is not any more secure. It
>>>> doesn't
>>>
>>> It's actually a tad less secure from what I understand...
>>>
>>>> matter so much though, since breaking the WEP key using AirSnort is
>>>> easy enough already.
>>>
>>> True... but they still have to gather millions of packets, right?
>>> Maybe
>>> that's not so difficult with my slimp3 playing all the time. :-)
>>>
>>> -Rod
>>>
>>>

Jason Dixon
2004-01-11, 11:24
On Sun, 2004-01-11 at 13:05, dean blackketter wrote:
> Ah, I see.
>
> The good news is that Sean's going to make the player try both to
> connect.
>
> The bad news is that the point is really pretty moot, 802.11 with WEP
> isn't terribly secure either way.

Any chance there's any 3rd party projects to develop VPN (IPsec, CIPE,
etc.) support for the Squeezebox? I don't know what hardware it
contains; it might not even have the necessary space for the kernel (or
userland, for CIPE) extensions.

It would be nice to have something like this; my entire 802.11b network
uses IPsec (OpenBSD, Linux and WinXP hosts). I'm not sure how much
demand there would be for it.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

dean
2004-01-11, 11:28
We expect to add support for WPA encryption. Other VPN-style systems
haven't been discussed yet.

How important is this to folks?

On Jan 11, 2004, at 10:24 AM, Jason Dixon wrote:

> On Sun, 2004-01-11 at 13:05, dean blackketter wrote:
>> Ah, I see.
>>
>> The good news is that Sean's going to make the player try both to
>> connect.
>>
>> The bad news is that the point is really pretty moot, 802.11 with WEP
>> isn't terribly secure either way.
>
> Any chance there's any 3rd party projects to develop VPN (IPsec, CIPE,
> etc.) support for the Squeezebox? I don't know what hardware it
> contains; it might not even have the necessary space for the kernel
> (or
> userland, for CIPE) extensions.
>
> It would be nice to have something like this; my entire 802.11b
> network
> uses IPsec (OpenBSD, Linux and WinXP hosts). I'm not sure how much
> demand there would be for it.
>
> --
> Jason Dixon, RHCE
> DixonGroup Consulting
> http://www.dixongroup.net
>
>

Jason Dixon
2004-01-11, 11:34
On Sun, 2004-01-11 at 13:28, dean blackketter wrote:
> We expect to add support for WPA encryption. Other VPN-style systems
> haven't been discussed yet.
>
> How important is this to folks?

Granted, I don't see *everyone* using it. Most non-geeks don't
IPsec-ify their home 802.11b networks. Oh wait, we're all geeks, aren't
we?

Hey, just imagine the press when your features list includes IPsec. :)

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

Dan Sully
2004-01-11, 11:42
* Jason Dixon <jason (AT) dixongroup (DOT) net> shaped the electrons to say...

> Granted, I don't see *everyone* using it. Most non-geeks don't
> IPsec-ify their home 802.11b networks. Oh wait, we're all geeks, aren't we?

IPSec anything would kill the player's CPU (if it could even do it), and bandwidth.

-D
--
Copyright infringement, your best entertainment value.

Jason Dixon
2004-01-11, 11:47
On Sun, 2004-01-11 at 13:42, Dan Sully wrote:
> * Jason Dixon <jason (AT) dixongroup (DOT) net> shaped the electrons to say...
>
> > Granted, I don't see *everyone* using it. Most non-geeks don't
> > IPsec-ify their home 802.11b networks. Oh wait, we're all geeks, aren't we?
>
> IPSec anything would kill the player's CPU (if it could even do it), and bandwidth.

You don't know as much about IPsec as you think you do. I've run IPsec
firewalls on old Sun IPX's, P75's, even my Sharp Zaurus 5500. If it
wasn't feasible, I'm sure Dean would've said so already.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

Dan Sully
2004-01-11, 11:51
* Jason Dixon <jason (AT) dixongroup (DOT) net> shaped the electrons to say...

> > IPSec anything would kill the player's CPU (if it could even do it), and bandwidth.
>
> You don't know as much about IPsec as you think you do. I've run IPsec
> firewalls on old Sun IPX's, P75's, even my Sharp Zaurus 5500. If it
> wasn't feasible, I'm sure Dean would've said so already.

You might be able to run it, but would the audio actually come over at a
decent rate? Like I said, if the CPU is able to handle it.

Also, one has to ask. This seems pointless. If you really "need" the
security, drop in a second network card/WAP, and only dedicate that to the
Squeezebox.

You're trying to solve a problem that 99.9% of the people don't have.

-D
--
Copyright infringement, your best entertainment value.

Jason Dixon
2004-01-11, 11:58
On Sun, 2004-01-11 at 13:51, Dan Sully wrote:

> You might be able to run it, but would the audio actually come over at a
> decent rate? Like I said, if the CPU is able to handle it.

Actually, yes, it would work fine. I actually perform VPN "reflection"
off my firewall's internal interface. IPsec traffic hits the default
gateway, gets translated, then pushed to the Squeezebox. The squeezebox
sees the source as the firewall's address, returns the packet, reverse
translation, etc. I have yet to experience any skips/delays/problems.

> Also, one has to ask. This seems pointless. If you really "need" the
> security, drop in a second network card/WAP, and only dedicate that to the
> Squeezebox.

If they're wireless, how does that protect it any more than the existing
wireless network? I'm concerned with unprotected wireless interfaces,
not keeping others from knowing I'm streaming audio.

> You're trying to solve a problem that 99.9% of the people don't have.

You're assuming again. I'm not suggesting a LOT of folks have this, but
don't assume that only .1% of all Squeezebox users do what I'm doing.
From the discussions on this list, it appears that most folks are pretty
tech-savvy. You underestimate the userbase.

</thread>

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

Jeffrey Gordon
2004-01-11, 13:48
Well, I am part of that 0.1% I guess. My wifi network is firewalled from
the rest of the network and only allows VPN traffic and now SlimServer
traffic to and from my Squeezebox and SlimServer. I would much rather
have the Squeezebox work through a VPN.

Particularly if some RIAA person saw I had music broadcasting over open
airwaves I could be sued ;)

Dan Sully wrote:

>* Jason Dixon <jason (AT) dixongroup (DOT) net> shaped the electrons to say...
>
>
>
>>>IPSec anything would kill the player's CPU (if it could even do it), and bandwidth.
>>>
>>>
>>You don't know as much about IPsec as you think you do. I've run IPsec
>>firewalls on old Sun IPX's, P75's, even my Sharp Zaurus 5500. If it
>>wasn't feasible, I'm sure Dean would've said so already.
>>
>>
>
>You might be able to run it, but would the audio actually come over at a
>decent rate? Like I said, if the CPU is able to handle it.
>
>Also, one has to ask. This seems pointless. If you really "need" the
>security, drop in a second network card/WAP, and only dedicate that to the
>Squeezebox.
>
>You're trying to solve a problem that 99.9% of the people don't have.
>
>-D
>
>


dean
2004-01-11, 19:12
I'm not saying it's feasible or not, but I imagine it would be hard.


On Jan 11, 2004, at 10:47 AM, Jason Dixon wrote:

> On Sun, 2004-01-11 at 13:42, Dan Sully wrote:
>> * Jason Dixon <jason (AT) dixongroup (DOT) net> shaped the electrons to say...
>>
>>> Granted, I don't see *everyone* using it. Most non-geeks don't
>>> IPsec-ify their home 802.11b networks. Oh wait, we're all geeks,
>>> aren't we?
>>
>> IPSec anything would kill the player's CPU (if it could even do it),
>> and bandwidth.
>
> You don't know as much about IPsec as you think you do. I've run IPsec
> firewalls on old Sun IPX's, P75's, even my Sharp Zaurus 5500. If it
> wasn't feasible, I'm sure Dean would've said so already.
>
> --
> Jason Dixon, RHCE
> DixonGroup Consulting
> http://www.dixongroup.net
>
>

Gregory P. Smith
2004-01-16, 20:42
> Any chance there's any 3rd party projects to develop VPN (IPsec, CIPE,
> etc.) support for the Squeezebox? I don't know what hardware it

I'd be surprised if the squeezebox's little 16-bit 1-200mhz
microcontroller is powerful enough for ipsec at the bitrates it needs.

> It would be nice to have something like this; my entire 802.11b network
> uses IPsec (OpenBSD, Linux and WinXP hosts). I'm not sure how much
> demand there would be for it.

about six people. ;) not worth it at all.

-g