I've got a DSL router that supports wireless with pretty standard, good support features (WPA2-PSK, power limiting, etc.) but even with that I'm still not comfortable with running it in my apartment complex. Why? My biggest concern is someone getting into my connection and either:

1. Hacking
2. Spamming
3. Transferring illegal media (piracy)
4. Transferring really illegal media (child pornography)

The thing is, even with WPA2, it's there all night and all day, ready to talk to someone. Basically, I know there are other tekkies here who live in apartment complexes, and I need to know if I'm being reasonable or really paranoid. If I was in a house, where someone would have to be physically on my property to get access, I could run that with WPA2 and sleep easily.

Just for shits and giggles, I can see the following networks from my apartment:

- 2x 2WIREXXX modems with WPA
- 1x named network with WPA2
- 1x 2WIREXXX modem with "security enabled" (WEP?)
- 1x totally unsecured wireless network with a custom name (this has to be a honeypot, secured some other way, or the user is a total idiot).

Three-Phase fucked around with this message at Nov 06, 2009 around 00:38

Posted: Nov 06, 2009 00:34
Does your landlord only rent to super hackers (tekkies)?

Posted: Nov 06, 2009 00:40

TheWevel posted:
> Does your landlord only rent to super hackers (tekkies)?

Hah! No. Honest breakdown is probably 60% over-50, maybe 25% under-30, and the rest in between.

Posted: Nov 06, 2009 00:42

Then what are you worried about?

Posted: Nov 06, 2009 00:44

Don't be so loving paranoid. Use WPA2 with AES, and a MAC whitelist. While it's still breachable technically, I have a feeling it'd take a long loving time. Or just, you know, wire your apartment. It's not like Ethernet cable is expensive, difficult to install or crimp. Alternately, turn off file sharing on your systems, and encrypt your cleverly named folders chock full of child porn. That way, no hacker can get in there and spill your beans.

PopeOnARope fucked around with this message at Nov 06, 2009 around 00:50

Posted: Nov 06, 2009 00:45

Use WPA2, you probably don't have a lot to worry about. If you're really, really paranoid, run a sandboxed wireless network that requires a secure tunnel to a small server to get out to the internet or access anything else on your network. Your risk goes down even more with the presence of other networks there. You don't have to out-secure the 'hackers', you just have to out-secure your neighbors.

Posted: Nov 06, 2009 00:47

I don't worry about it. WPA2 with a non-default SSID and a good passphrase is practically unbreakable as far as is publicly known, and there are always easier targets. As long as someone is open, WEP, or possibly now WPA1 within the same area as you, they're the easier target for any random user. My understanding is that WPA2-Enterprise is even more secure with its unique per-user authentication, but that requires a lot of setup. Just pay a slight bit of attention to the major tech news sites to see when newer technologies are cracked so you know when to upgrade.

EDIT: Don't bother with a MAC whitelist. They're pointless when combined with proper encryption. Anyone who can crack your encryption knows how to use Wireshark to look for valid MACs to spoof. It's just a pointless pain in the rear end.

Posted: Nov 06, 2009 00:50

^ Like you said, I heard that the MAC address filtering is more of an annoyance than a deterrence to a hacker. I've also been told that not broadcasting your SSID is even more worthless as far as protection goes. I've used WPA2-PSK, with a complicated sentence as the password, about 32 or more characters. Effectively impossible to brute force, plus my understanding is that unlike something like an encrypted file, you cannot do a brute force hammer with hundreds of thousands of combinations a second.

Karanth posted:
> Use WPA2, you probably don't have a lot to worry about. If you're really, really paranoid, run a sandboxed wireless network that requires a secure tunnel to a small server to get out to the internet or access anything else on your network.

I've heard of a recent exploit with WPA (the WPA without AES encryption), but it involves some really intricate weirdness, like the attacking computer must act as a bridge between the router and the computer that is using the router, and those two systems cannot be within communication range. But yeah, it figures people would go for low-hanging fruit, and not the high-hanging fruit.

Three-Phase fucked around with this message at Nov 06, 2009 around 00:57

Posted: Nov 06, 2009 00:52

WPA2 w/ AES and a non-broadcasting SSID is probably all you need. Unless you work for the president/Pentagon, take off the

Posted: Nov 06, 2009 00:59

NerdPolice posted:
> non-broadcasting SSID

Considering that sniffing utilities can grab SSIDs easily, all you're really gaining by doing this is making it harder to connect new devices to your network.

Posted: Nov 06, 2009 01:08

Unless your fear is that the devices on your network are insecure, you are protected by your unprotected neighbors. If anyone is looking to make some illegal file transfers, they're just gonna use an open or WEP network.

Posted: Nov 06, 2009 01:16

There are no practical attacks against WPA2. The only way to break it is to try to brute force the password. As long as you have a nice long one (Try generating one here), you are safe.

Posted: Nov 06, 2009 02:01

Raere posted:
> There are no practical attacks against WPA2. The only way to break it is to try to brute force the password. As long as you have a nice long one (Try generating one here), you are safe.

It's a shame that WPA isn't cap sensitive, and doesn't allow special characters. That said, you're still looking at 63 discrete values with 36 potential values each. Which means 1.114442198485452911129181496584e+98 possible passwords. Assuming you can run 1000 attempts a second, it would still take 3.5829545990401649663361030625772e+87 years to get it. And I'd assume at 1k attempts a second, most home routers would poo poo a brick, and be quickly inaccessible.

\/ See numbers above, no poo poo.

PopeOnARope fucked around with this message at Nov 06, 2009 around 02:08

Posted: Nov 06, 2009 02:03
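The keyspace arithmetic above and the earlier point that a WPA2 passphrase cannot be guessed at file-cracking speeds both come down to how the pre-shared key is derived. The following Python example is added here and is not code from the thread: it implements the IEEE 802.11i passphrase-to-PMK derivation with the standard library, shows why the SSID matters, and reproduces the years-to-exhaust estimate. The passphrase, SSIDs and guess rates in it are constructed sample values.

```python
# Added example (not from the thread): why a long WPA2-PSK passphrase on a
# non-default SSID resists brute force. Uses only the Python standard library.
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key a WPA2-PSK network uses.

    IEEE 802.11i defines PMK = PBKDF2-HMAC-SHA1(passphrase, ssid,
    4096 iterations, 32 bytes). The SSID is the salt, so the same
    passphrase on a different SSID yields a different key, and each
    guess costs 4096 HMAC rounds per 20-byte output block (two blocks
    here), which is why guesses per second stay low compared with a
    plain hash.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passphrases of a given length over an alphabet."""
    return alphabet_size ** length


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: float) -> float:
    """Worst-case years to try every passphrase at a fixed guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample values: a made-up passphrase and two SSIDs, one in
    # the default 2WIREXXX style seen in the thread and one custom name.
    phrase = "correct horse battery staple in the hallway"
    for ssid in ("2WIRE123", "ThreePhaseNet"):
        print(f"{ssid:14} PMK = {wpa2_pmk(phrase, ssid).hex()}")

    # The thread's scenario: 63 characters, 36-symbol alphabet, 1000 guesses/s.
    print(f"36^63 = {keyspace(63, 36):.3e} passphrases")
    print(f"{years_to_exhaust(63, 36, 1000):.3e} years at 1000 guesses/s")
    # An assumed offline rate of 1e6 guesses/s against only 12 characters
    # from the same alphabet is still far beyond a human lifetime.
    print(f"{years_to_exhaust(12, 36, 1e6):.3e} years for 12 chars at 1e6/s")
```

Run it directly to see the two PMKs differ solely because of the SSID, which is the reason precomputed tables built for common default SSIDs do not help against a custom one.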
PopeOnARope posted:
> It's a shame that WPA isn't cap sensitive, and doesn't allow special characters.

Still, a pseudorandomly generated 63-byte alphanumeric password is not feasibly brute force-able.

Posted: Nov 06, 2009 02:05

This is like the "DoD 7 pass wipe + drill press for maximum security" thread of the wireless world. WPA2-PSK with a secure passphrase is sufficient and then some to keep your home network secure.

Posted: Nov 06, 2009 02:16

Your DSL is probably less secure than your wireless network, especially if it terminates in-house. I've seen a number of apartment complexes where the cable network throughout the whole building is vulnerable to ARP poisoning. DSL should be more resistant to this kind of thing, but it depends how it is set up.

Posted: Nov 06, 2009 02:24

Karanth posted:
> Your risk goes down even more with the presence of other networks there. You don't have to out-secure the 'hackers', you just have to out-secure your neighbors.

You don't have to run faster than a bear, only faster than your slow friends

Posted: Nov 06, 2009 04:29

I like the guy who recommends WPA2 AND a non-broadcasting SSID. It's like not being satisfied with security in an ultra-max prison so you put a bike lock around the front door.

Posted: Nov 06, 2009 04:38

Magnificent Quiver posted:
> I like the guy who recommends WPA2 AND a non-broadcasting SSID.

Hahaha that's hilarious but so true

Posted: Nov 06, 2009 04:43

Cuddly Coach posted:
> You don't have to run faster than a bear, only faster than your slow friends

That emoticon combination works surprisingly well!

Posted: Nov 06, 2009 07:08

The problem I had was with all the other drat signals overlapping. I ended up setting my access point to 802.11n 5GHz only and I am the only one on the frequency range.

Posted: Nov 06, 2009 07:29

On the other end of the spectrum, if I have legacy devices that do not support WPA, is there anything wrong with running everything on just an open named network? I don't have anything confidential on my PC at all, and my network share is passworded anyway. WEP keys are a pain, and I'm pretty sure my neighbors aren't downloading child porn.

Posted: Nov 06, 2009 07:40

Weinertron posted:
> On the other end of the spectrum, if I have legacy devices that do not support WPA, is there anything wrong with running everything on just an open named network? I don't have anything confidential on my PC at all, and my network share is passworded anyway. WEP keys are a pain, and I'm pretty sure my neighbors aren't downloading child porn.

Hogburto fucked around with this message at Nov 06, 2009 around 09:27

Posted: Nov 06, 2009 09:25

JHVH-1 posted:
> The problem I had was with all the other drat signals overlapping. I ended up setting my access point to 802.11n 5GHz only and I am the only one on the frequency range.

I was also going to set the router's wireless power to the lowest level possible. (Level 1 is approximately 25mW. For comparison my Icom W32 ham radio's minimum power output is 500mW, and has a maximum of 5W. Using a remote microphone and holding the radio at arm's length is recommended at the 5W setting.) Despite being 25mW I can get a usable signal anywhere in my apartment, and I'm assuming the wireless "bubble" won't extend much farther than one apartment beyond mine, so that means the signal will only be visible in maybe eight apartments besides mine.

Posted: Nov 06, 2009 10:51

Weinertron posted:
> On the other end of the spectrum, if I have legacy devices that do not support WPA, is there anything wrong with running everything on just an open named network? I don't have anything confidential on my PC at all, and my network share is passworded anyway. WEP keys are a pain, and I'm pretty sure my neighbors aren't downloading child porn.

Not at all. The internet should be free, man.

Posted: Nov 06, 2009 14:05

Three-Phase posted:
> 1x Totally unsecured wireless network with a custom name (this has to be a honeypot, secured some other way, or the user is a total idiot).

It's probably that last one. I live in an older apartment building in the low-rent side of town, and can see a half-dozen completely open APs most of the time.

Weinertron posted:
> On the other end of the spectrum, if I have legacy devices that do not support WPA, is there anything wrong with running everything on just an open named network? I don't have anything confidential on my PC at all, and my network share is passworded anyway. WEP keys are a pain, and I'm pretty sure my neighbors aren't downloading child porn.

While I can't go into details, in my role as "sysadmin for a small ISP" I assure you it's quite possible that your neighbors are downloading child porn, or pirating movies, or doing any of the zillion other silly things that could get you in trouble for being the guy that owns that connection. Security keys aren't really THAT much of a pain... If you're nerdy enough to be in SH/SC, you're probably also nerdy enough to look into some of the fancier wireless routers that can broadcast two separate networks on the same radio. It may be called something like "virtual APs" or "guest network" (the latter is the name used by the Apple Time Capsule). Since the two APs are using the same physical radio and antenna, they both have to be on the same frequency, and if you're using both at the same time obviously throughput will suffer. The real reason to do something like this, though, is that the two networks can have different SSIDs and different security settings. I use WPA2 for my "normal" stuff, but when I want to pull out the Nintendo DS, I enable the guest network, which is completely open, go pwn some scrubs at Mario Kart DS, then turn it back off when I'm done.

Posted: Nov 06, 2009 14:27

Weinertron posted:
> On the other end of the spectrum, if I have legacy devices that do not support WPA, is there anything wrong with running everything on just an open named network? I don't have anything confidential on my PC at all, and my network share is passworded anyway. WEP keys are a pain, and I'm pretty sure my neighbors aren't downloading child porn.

There are APs where you can actually broadcast two wireless networks simultaneously, one with X security level and one with Y security level.

Posted: Nov 06, 2009 14:29

Weinertron posted:
> On the other end of the spectrum, if I have legacy devices that do not support WPA, is there anything wrong with running everything on just an open named network? I don't have anything confidential on my PC at all, and my network share is passworded anyway. WEP keys are a pain, and I'm pretty sure my neighbors aren't downloading child porn.

I have the same problem. I'm paranoid, so I use WPA2 + Hidden SSID + MAC Filtering + DHCP Disabled, but I also have devices like a Nintendo DS which I can't use.

Posted: Nov 06, 2009 15:06

Alright, I'll actually find some security solution. I just haven't seen the harm in another open network because from my bed I can pick up 3 different open networks, not including my own.

Posted: Nov 06, 2009 15:34

Weinertron posted:
> On the other end of the spectrum, if I have legacy devices that do not support WPA, is there anything wrong with running everything on just an open named network? I don't have anything confidential on my PC at all, and my network share is passworded anyway. WEP keys are a pain, and I'm pretty sure my neighbors aren't downloading child porn.

Let me tell you, in college when I wanted to torrent the first thing I'd do is log on to an open AP or crack a WEP key. I would never put up an open AP on anything I'm responsible for. Anyone within your wireless range who wants to do something illegal and has the slightest of a clue is going to zip right to your connection.

Sh4 posted:
> I have the same problem, I'm paranoid so I use WPA2 + Hidden SSID + MAC Filtering + DHCP Disabled but I also have devices like a Nintendo DS which I can't use

Paranoia does not justify hidden SSID, MAC filtering, or disabling DHCP. Every single one of those things is literally TRIVIAL for anyone who somehow managed to get past the WPA2 encryption. Kismet and related utilities will automatically display the SSID and associated MAC addresses. Once attached to the network, open Wireshark for mere seconds and you'll see all the IPs in active use. Those "security measures" are no exaggeration 100% literally pointless and you are doing absolutely nothing at all other than making your network a pain to add devices to.

For the DS, if your access point supports virtual AP mode, use that as suggested. If not, buy a cheap second AP, configure it for WEP, and only turn it on when you want to play. My AP supports virtual, but breaks badly when I turn it on, so I use the latter option with mine. Old 802.11b Netgear I had laying around, I just pop the power cord in when I want to play DS games online.

wolrah fucked around with this message at Nov 06, 2009 around 15:42

Posted: Nov 06, 2009 15:40

You're all such noobs. The real solution is to turn your apartment into a giant Faraday cage.

Posted: Nov 06, 2009 15:51

Odds are there are going to be a dozen WEP networks in your apartment complex from those over 50 or the uninformed younger crowd. Any "hacker" that wants to pull out some private info is not going to waste time on your WPA2 network when there are 10 WEP ones he can crack in 8 min. Chances are the person with WPA2 takes a better security stance towards their computer and its contents as well vs those that use WEP, so you will be more likely to find sensitive information on a WEP network.

Posted: Nov 06, 2009 15:57

You do realize that no, someone would not have to physically be on your property to use your wireless if you owned a house, right? I can pick up a couple of wireless networks and I don't even live in one of those cramped housing developments where the houses are right next to each other. Just use WPA2-PSK with a decent key and be done with it.

Posted: Nov 06, 2009 18:20

Three-Phase posted:
> I was also going to set the router's wireless power to the lowest level possible. (Level 1 is approximately 25mW. For comparison my Icom W32 ham radio's minimum power output is 500mW, and has a maximum of 5W. Using a remote microphone and holding the radio at arm's length is recommended at the 5W setting.) Despite being 25mW I can get a usable signal anywhere in my apartment, and I'm assuming the wireless "bubble" won't extend much farther than one apartment beyond mine, so that means the signal will only be visible in maybe eight apartments besides mine.

Wow, talk about paranoid. Apparently you don't understand the fact that NO ONE IS GOING TO BREAK YOUR WPA2-PSK KEY. It would be a million times easier to just physically tap into your DSL line. Hell, it would even be a million times easier to set up a laser microphone aimed at your window and hope to catch the password being typed out. If you're using a good WPA2 key there is no need to turn down your transmission power level. Sure, it works at 25mW now, but you can't guarantee it will continue to work as the temperatures, humidity, etc. change (attenuation levels of building materials, etc.) and once the neighbor's microwave and dryer are running. All you are doing is inconveniencing yourself for some crazy paranoid concept of drive-by kiddie porn downloaders.

Posted: Nov 06, 2009 21:23

Three-Phase posted:
> I was also going to set the router's wireless power to the lowest level possible. (Level 1 is approximately 25mW. For comparison my Icom W32 ham radio's minimum power output is 500mW, and has a maximum of 5W. Using a remote microphone and holding the radio at arm's length is recommended at the 5W setting.) Despite being 25mW I can get a usable signal anywhere in my apartment, and I'm assuming the wireless "bubble" won't extend much farther than one apartment beyond mine, so that means the signal will only be visible in maybe eight apartments besides mine.

You are retarded. People in apartments only really steal internet for one reason: They don't want to buy their own. Even if someone was hacking wireless routers to download their favorite episodes of Entourage, they're both going to go for the same poo poo: The lowest hanging fruit. Enable encryption, disable SSID broadcast, stop worrying about it. Anything beyond those two steps and you might as well disable the wireless and use a good old-fashioned cable. If you want to continue being crazy just to brag about how secure your wireless is to your friends (or on the internet), that's one thing. At least be realistic about what you're doing.

Posted: Nov 06, 2009 21:31

Or you could order wifi equipment from overseas that can operate on channel 14 and just use all that. Or deal with all 802.11a. Or, at this rate, just carry a wire everywhere because it's going to be less work than making your wireless system absolutely 100% hacker-proof.

Posted: Nov 06, 2009 21:32

Watch out! People can snoop your keyboard by watching the EM waves it gives off (and thereby get your password)! The Faraday Cage is the only real option here!

Posted: Nov 06, 2009 21:43

Three-Phase posted:
> 1x Totally unsecured wireless network with a custom name (this has to be a honeypot, secured some other way, or the user is a total idiot).

Odds are it's an idiot, or they could be using a FON router. It's for giving out free wireless for everyone while at the same time it also runs a secure wireless network. But odds are they are dumb.

Posted: Nov 06, 2009 21:49

Lorem ipsum posted:
> Watch out! People can snoop your keyboard by watching the EM waves it gives off (and thereby get your password)! The Faraday Cage is the only real option here!

That's the EM given off by your monitor, not your keyboard. http://en.wikipedia.org/wiki/Van_Eck_phreaking

Posted: Nov 06, 2009 22:15

It took me just over 2 months with a dedicated machine to get through WPA (for fun and research!) on my fellow worker's connection, with his permission. You have nothing to worry about. But whatever you do, don't broadcast your SSID.

Posted: Nov 06, 2009 23:40