technology:wireless access

  • Internet, we have a problem: Wi-Fi WPA2 security probably broken through key re-installation attack

    Two Belgian researchers, Mathy Vanhoef of KU Leuven and Frank Piessens of imec-DistriNet, are confident they really have done serious damage to WPA2.

    Their paper “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” will be formally presented on November 1st at the ACM Conference on Computer and Communications Security.

    https://www.modmy.com/wi-fi-wpa2-security-has-been-krack-ed

    The vulnerability, called KRACK (Key Reinstallation AttaCK), is found within the 4-way handshake process which takes place when a device attempts to connect to a wireless network. This process involves generating unique single-use numbers to secure the connection between the device and the wireless access point. As it turns out, under certain reproducible conditions, such a number (called a nonce) can be reused, which may significantly weaken the encryption for traffic between Wi-Fi access points and devices connecting to them.

    https://www.theregister.co.uk/2017/10/16/wpa2_inscure_krackattack

    The CVE (Common Vulnerabilities and Exposures) numbers for Krack Attack have been reserved. They are CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.

    https://www.i4u.com/2017/10/124939/wi-fi-wpa2-security-broken

    The researchers published a paper last year titled “Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys.” The core issue behind that Wi-Fi security problem was the 802.11 random number generator, whose output, including the group key, could be predicted. The paper shows how a downgrade-style attack against the 4-way handshake works. The researchers also propose a solution that fixes the vulnerability with a random number generator based on randomness extracted from the wireless channel.

    https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now

    Lots of us have old routers at home, which have no chance of a firmware upgrade, and lots of WiFi equipment that may well not get a protocol upgrade if one is required. Right now, it sounds like all this stuff is going to be worthless from the perspective of encryption.

    #WPA2

  • Amazon granted a patent that prevents in-store shoppers from online price checking - The Verge
    https://www.theverge.com/2017/6/15/15812986/amazon-patent-online-price-checking

    Amazon’s long been a go-to for people to online price compare while shopping at brick-and-mortars. Now, a new patent granted to the company could prevent people from doing just that inside Amazon’s own stores.

    The patent, titled “Physical Store Online Shopping Control,” details a mechanism where a retailer can intercept network requests like URLs and search terms that happen on its in-store Wi-Fi, then act upon them in various ways.

    The document details in great length how a retailer like Amazon would use this information to its benefit. If, for example, the retailer sees you’re trying to access a competitor’s website to price check an item, it could compare the requested content to what’s offered in-store and then send price comparison information or a coupon to your browser instead. Or it could suggest a complementary item, or even block content outright.

    Amazon’s patent also lets the retailer know your physical whereabouts, saying, “the location may be triangulated utilizing information received from a multitude of wireless access points.” The retailer can then use this information to try and upsell you on items in your immediate area or direct a sales representative to your location.

    Though recently approved, the patent was originally filed in 2012. Amazon CEO Jeff Bezos is not one to shy away from playing the long game, so it’s hard to say how this will factor into any of Amazon’s immediate plans (if at all — it could be a defensive patent), especially as its physical store initiatives are fairly new.

    As mentioned, it does appear that this patent would only be implemented via an in-store Wi-Fi network, meaning you could work around it by using your provider’s data to surf. While the idea of a blocked price comparison search is annoying, it’s also the very sort of thing Amazon itself protests. Amazon, along with other companies and nonprofit groups, have signed on to a “day of action” to protest the FCC’s planned rollback of net neutrality rules. You can read the entire patent here.

    http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=9665881.PN.&OS=PN/9665881&RS=PN/9665881

    #commerce

  • Bufferbloat: The hidden cause of slow Internet and how to fix it

    A good and lengthy article pointing to the fact that awareness of bufferbloat is still not widespread.

    We strongly recommend that network operators study the vast amount of research already available on the topic of bufferbloat. Then, at critical network connections such as wireless and mobile access points, we need to test for bufferbloat. You will probably want to have the data from these tests to talk with your service provider or wireless access point vendor.

    What exactly is buffer bloat?
    The issue is closely tied to how the TCP protocol operates and how network buffers are managed. Even though there is a widespread belief that dropping packets in the Internet is always a bad thing, the truth is that dropping packets is absolutely essential to the proper operation of TCP.

    In an attempt to reduce packet loss in the internet, network operators, developers, and engineers have increased the size of network buffers many times over. This increases latency but has little effect on throughput. Consequently, critical small packets such as those in VoIP, DNS, and TCP ‘acks’ can become trapped in the buffers behind much larger packets from file transfers and other bulk transfers, such as adaptive bit rate video.

    Who is most affected by this phenomenon?

    Anyone who is actively browsing or using search engines. Also, anyone who is using real-time applications like voice or video. An example would be employees working from home, on the road in hotels or at Wi-Fi hot spots. Our research showed that hotels and Wi-Fi cafes are prone to very bad bufferbloat issues.

    What kind of traffic is affected?

    Traffic flowing on links which have high-bandwidth utilization in the opposite direction will deteriorate. Applications using small packets such as VoIP, DNS, and ARP can also suffer. The impact on VoIP will be increased latency and jitter. DNS queries may be returned in two to eight times the normal response time.

    What is buffer bloat’s impact on TCP operation?
    Understanding how TCP operates reveals why buffer bloat is a problem.
    This is nicely explained in the article by explaining the slow start in TCP’s Congestion Control algorithm, as well as how the problem could be tackled with techniques such as CoDel, or Controlling Queue Delay, and fq-Codel, which seems more effective than RED or WRED.

    http://www.networkworld.com/article/3107744/internet/the-hidden-cause-of-slow-internet-and-how-to-fix-it.html
    Backup copy of the article: https://www.docdroid.net/file/download/srkf7eW/the-hidden-cause-of-slow-internet-and-how-to-fix-it-network-world.pdf

    #bufferbloat

  • Brick Nintendo before they brick you! | DefectiveByDesign.org
    http://www.defectivebydesign.org/nintendo

    The Nintendo 3DS keeps track of every game you play, along with any data or information created while using the device. This includes personal data such as any name, address, or other information you enter; as well as “age, gender, geographic area, game play data, online status, Nintendo 3DS System serial number and device ID, device certificate information, cookies, Friend Codes, wireless access point information, Internet Protocol (’IP’) address, and Media Access Control (’MAC’) address” (to quote the Nintendo 3DS System Privacy Policy). Further, they collect all “User Content,” which they define as all “[...] comments, messages, images, photos, movies, information, data and other content”.
    (...)
    The Nintendo 3DS will send the Activity Log to Nintendo when the wifi is connected.
    (...)
    Nintendo can then choose to share your information and use it to target advertisements to you.
    (...)
    Worst of all, Nintendo has claimed the right to use the information they collect from your device to judge if you are allowed to continue using it.

    #nintendo #privacy #fsf