Be on the wave or under it
News – 05/28/03
New Wireless Standard Enhances Security
Before we get started here,
I’ve got to apologize for all the TLA (Three Letter Acronym)
and FLA (Four Letter Acronym) acronyms
in this story. But we’re talking wireless security here, an
area reeking with technical jargon, but which you should be
concerned about if you or your company runs a wireless LAN.
Wireless industry body the
Wi-Fi Alliance recently announced the certification of products
using WPA (Wi-Fi Protected Access), which replaces the existing
security protocol, called WEP (Wired Equivalent Privacy).
WPA is a subset of the 802.11i
standard that the IEEE (Institute of Electrical and Electronics
Engineers) has been working on for seemingly ever. The IEEE won't
be finished with the full standard for at least another year.
Meanwhile, any wireless cracker with 24 hours to spare and a
comfortable place to park his listening device can crack WEP
on a reasonably busy network.
WPA is better at protecting
wireless data, but it’s far from perfect. The standard uses
the same weak RC4 (standing for Rivest's Cipher 4, based on
creator Ron Rivest’s name) stream cipher from RSA Security (named
for its founders, Rivest, Shamir, and Adleman). The standard
improves the RC4 implementation by doubling the initialization
vector size (don’t ask, I don’t know what it is either) and
adds automatic key resetting, which means crackers have less
time to crack the algorithm.
In the existing WEP standard,
there was no means to rotate keys, a common practice used to
decrease the likelihood of a system breach. When you use the
same key for long periods of time, as WEP does, a cracker can
find enough patterns in the transmissions to deduce the key.
That currently can be done in about a day for networks with
normal amounts of traffic. All a cracker has to do is intercept
enough traffic to deduce the key, then use it to log on to the
network and, bada-bing, bada-boom, your network is compromised.
Automatically rotating in new keys at relatively short intervals
decreases the window for compromise.
WPA goes to the extreme of
rotating the key with every wireless packet. This is as if you
and a friend decided to encode your messages to one another
and used a different method for each sentence. Unfortunately,
all this key swapping increases network load, and thus can slow
a wireless network.
The new standard adds some
other tricks like a checksum (each network packet must add up
to a number that is transferred along with it) and increasing
authentication (figuring out you are who you say you are).
The result, however, is that
to use the new standard, you’re likely going to need new wireless
network adapters for your machines. While wireless access points
can likely be upgraded via firmware, it's questionable whether
most adapters will.
But the wireless vendors will
be happy to sell you new cards. Buffalo Technology will ship
WPA-enabled products this month. D-Link Systems will equip its
products with WPA by the end of the second quarter, and offer
free firmware upgrades for current customers. Linksys Group
(being acquired by Cisco) will make WPA available in its Wireless-G
products via firmware and software upgrades this month. NetGear
expects to provide WPA firmware upgrades by the end of June.
SMC Networks announced that WPA will be built in to all of its
wireless LAN products by the end of June.
A company CEO recently asked
me, “Should I be worried about wireless LANs?” I told him, “Yes.”
Later this summer, the answer will probably be, “Maybe, if you
don’t have WPA-enabled systems.”
- Shameless Self-Promotion Dept.: My article,
“Innovative Marketers Target Unwired Customers” was published
in the NetSuds
Coming Soon: A new eBook, Be On the Wave Or Under It™
will collect the best of SNS’ insights over the last couple
of years, along with additional material from CTOMentor white
papers and new material. It will make a great gift (Father’s
Day?) for associates and friends in need of a guide to the
latest and greatest technology. Watch for more information
in upcoming SNS issues.
I was quoted extensively on eLearning in a recent issue of
the Minneapolis magazine, Upsize, which is aimed at growing
A couple issues ago I debuted SNS Begware, an opportunity
for you, gentle reader, to express your appreciation by tipping
your server via PayPal. See the sidebar for more info. Total
in the kitty so far: $46.48.
I’ve reworked the TrendSpot
and Opinion sections, adding a Prediction
Tracking page to track the various predictions I’ve made,
and also added a Stuff I Said page with some quotes of things I said a
decade or so ago on the Net.
I repurposed and adapted an article about the wireless service
known as Short Messaging Service (SMS) for the Reside newsletter.
It’s entitled, Wherever they go, there you are and it points out
how marketers can use – carefully – this new way to contact
I’m featured in Manyworlds’ Thought Leader Showcase, which lists a few of the white
papers I’ve done. I’ve also added their fancy icon to the
- Bring Out Your Dead (OSes): It
seems that Windows NT is finally doomed. Microsoft tried to
retire NT 4.0 by the end of 2003 but, faced with a hue and
cry from corporate America, the company decided earlier this year to extend the deadline until
the end of 2004. The venerable OS (it’s seven years old, for
crying in the beer!) is living on the newly borrowed time
because too many corporate domain controllers and servers
are running the old code and no one wants to spend the bucks
to upgrade to either Windows 2000 (the sane choice as it’s
been through several service packs) or the new (and thus really
buggy, one figures) Windows 2003.
Recently, however, Microsoft released security bulletin MS03-010,
which reports that anyone with access to port 135 can crash
the RPC endmapper service, thereby taking down all RPC functionality
and some COM functionality. According to the software giant,
the Windows NT architecture cannot be changed to accommodate
a fix. Of course, we don’t know if this is just Marketing
talking or not. Nonetheless, the effect is the same: All old
WinNT systems are vulnerable to a simple hack and must be
replaced. Kind of a convenient security flaw for a company
that sells operating systems, wouldn’t you say? (Check here for the expiration dates of your favorite Microsoft
- RFID Takes Another Step: Soon
everything you buy will contain an RFID (Radio Frequency Identification)
label. Gillette is buying a half a billion of the things for
their consumer products, as reported in a previous
SNS. And now the UCC (Uniform
Code Council, the people who gave us the UPC) and the EAN (European Article Numbering,
a standards body who gave us the EAN) have combined forces
to license EPC (Electronic Product Code, tired of the acronyms
yet?) technology that was developed by MIT (figure it out)
Auto-ID Center. The joint effort, called
AutoID Inc., will commercialize the technology that assigns
a unique number to every possible manufactured thing. EPCs
are then used in RFIDs to make possible things such as smart
shelves (in test at Wal-Mart, as reported in the same previous
SNS) and refrigerators that order milk when you’ve run out.
Of course, I’ve had Auto-ID on the TrendSpot
list since July of 2000, when it probably sounded like science
fiction. Hmmm. What too-fantastic tech is on the list now
that will come true in three years?
- Legal Internet Guide Available: The
Minnesota Department of Trade and Economic Development has
released the fourth revision of their “A Legal Guide to the
- Mac Axes SMS Promotions in UK: McDonald’s
had been sending text Short Messaging System (SMS) messages
to McDs;-)TXT Club members’ phones as part of one of the first
large scale marketing uses of the new technology. The messages
offered special deals on Mickey D’s products as well as other
prizes, according to mobile marketing agency 12snap, which
ran the campaign. (BTW, the 12snap Website is a rather nauseating
Flash site.) The “Pop & Txt” promotion launched last November
offering discounts embedded in McDonald’s drink cups. Club
members would enter the code in an SMS message to receive
discounts and prizes. The promotion ran for four weeks across
all 1,200 UK restaurants. The agency said McDonald’s was decreasing
marketing dollars across all venues and thus the SMS campaign
got the ax. “It was right last year, but not now,” a 12Snap
- Stolen Laptops Call Home: When
the General Services Administration (GSA) in Atlanta had two
laptops stolen from its office, Absolute
Software's Computrace agent helped get them back. The
agent was installed on each of the GSA’s computers. When the
thief used one of them to connect to the Internet about two
weeks later, the software program silently checked in with
Absolute’s data center, and the computer was traced to a physical
address. Within 48 hours, the thief was apprehended, and led
authorities to the location of the second machine.
The 2.2 MB Computrace Agent software silently calls into a
data center every time the computer connects to the Internet.
If the computer is reported stolen, authorities can often
trace the physical location of the user with the cooperation
of ISPs (Internet Service Providers).
Of course, I can think of plenty of other privacy-infringing
uses of this type of software in the event that some industry
giant, say Microsoft, decides to incorporate this feature
into its operating systems.
- Mini-DMCA Laws Aren’t So Bad: Alert
SNS Reader Andrew Hargreave sends along an article that takes
issue with the notion that the Mini-DMCA (Digital Millennium
Copyright Act, the name of a piece of brain dead federal legislation)
laws currently being enacted or considered by the states outlaw
common networking practices. I nattered on about this in a
previous SNS primarily because I don’t trust legislators
to understand technical concepts such as NAT (Network Address
Translation, a scheme to make it appear that all traffic from
a company is coming from a single address). The Mini-DMCA
laws make it a crime to hide your real address but, as this
article correctly points out, only if the intent is to defraud.
Well, I stand by my trepidation because I can envision law
enforcement adopting a “prove you’re not a crook” attitude
toward users suspected of contravening the law.
Can’t happen here, you say? We’ve got Bill of Rights protection,
you say? Consider the sad case of US Citizen (of 14 years)
Maher (Mike) Hawash. According to the Free
Mike Hawash Web site, Hawash, a Muslim of Arab descent
and an employee of Intel for many years, was held in a high-security
federal prison without being charged with any crime for five
weeks after his initial arrest. Proceedings in his case
during that time were then and are still secret. This guy’s
not an “illegal combatant,” he’s a citizen for crying out
loud. Still think it can’t happen here?
- If You're Scoring at Home: Here's the tally of
TLAs and FLAs in this issue:
you find them all? The first to email me a list of all 26 acronyms
wins fame (a mention in the next SNS) but not fortune (what,
are you kidding?). Note: the same acronym used multiple times
only counts once. Good luck!
Copyright © 2000-2008, StratVantage Consulting, LLC. All rights
Can’t Get Enough of ME?
In the unlikely event
that you want more of my opinions, I’ve started a Weblog. It’s the fashionable
thing for pundits to do, and I’m doing it too. A Weblog is a datestamped
collection of somewhat random thoughts and ideas assembled on a Web
page. If you’d like to subject the world to your thoughts, as I do,
you can create your own Weblog. You need to have a Web site that allows
you FTP access, and the free software from www.blogger.com.
This allows you to right click on a Web page and append your pithy thoughts
to your Weblog.
I’ve dubbed my Weblog
entries “Stratlets”, and they are available at www.stratvantage.com/stratlets/.
Let me know what you think.
Also check out the TrendSpot for ranking of
the latest emerging trends.