MAC Addresses Are Bad Passwords

Sprint USB EV-DO + Cradlepoint personal hotspot = sweet!

Default password = bad!

As I posted the other day, my new Cradlepoint PHS300 3G router is just awesome, and I would happily recommend it to anyone. If you do get one, however, be sure to change the default password immediately. The seemingly-strong password is worse than insecure - it’s available to anyone who asks whenever the router is powered on!

Let’s back up, though. When I first set up the router, I was impressed by how simple it was. Turn it on and its Wi-Fi LAN appears almost immediately. Connect to the LAN and your browser is redirected to the router’s management interface (at 192.168.0.1).

I was happy to see that, unlike nearly all router manufacturers, Cradlepoint does not use a default password. Rather, each router has its own unique password - the last six hexadecimal characters of the MAC address, which is printed on a sticker on the bottom of the unit. At the time, this seemed much better than the big manufacturers, which tend to use the easily-guessable “admin” or another short, simple-to-crack word.

But the Cradlepoint also uses the last three characters of the MAC address as its default Wi-Fi SSID. So three of the password’s six characters are broadcast constantly to anyone who cares to see, regardless of whether they are even connected to the LAN! This literally makes the password 4,096 times easier to guess, since three hexadecimal characters account for 16 × 16 × 16 = 4,096 combinations. My router’s SSID was “PHS-28a”, and the password was “02828a” - see the problem? Amazingly enough, though, this isn’t the worst problem!

Most people know that DNS servers translate domain names (like “blog.fosketts.net”) into IP addresses (like “208.113.206.204”). But Ethernet networks (including Wi-Fi) use a different addressing scheme, and an IP address must itself be translated into a MAC address (like “00:30:44:02:82:8a”) before a device can transmit data. Any connected client can use a command line program called arp to look up a MAC address, which means they can simply ask the router for the MAC and thus discover the password. See my password in that example? But wait, it gets worse still!

Cradlepoint suggests setting a connection password, which will keep people from using its 3G connection but will do nothing to prevent them from using arp to find out the router’s password. Smarter people will turn off the SSID broadcast or use a WEP password, which will keep outsiders from connecting to the router’s Wi-Fi network. Although this will stop the arp attack, the password is still vulnerable. See, the MAC address is included as part of every Wi-Fi packet in plaintext, and as any wardriver will tell you, it’s simple to snoop on Wi-Fi packets. So the router is continually transmitting its password, whether one is connected or not. One would need to figure out the WEP password in order to connect, but there are techniques that allow this, and the attacker would then be able to use the administrator password to reconfigure the router.

The Cradlepoint also supports WPA/WPA2, which is much more secure than WEP and would dramatically improve the situation, but not all devices support it. But the real solution is much simpler - change the administrator password to something much more secure. Sadly, most people won’t do any of this - they’ll leave the password as it is and thus leave their router totally open to attack.

But let me just take a moment to beg those who read this post: Don’t ever use a MAC address as a password!
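To check your own router against the problem described above, here is a small audit sketch (an added example, not Cradlepoint's code or anything from the original post). It reads the router's MAC from a line of `arp -a` output and reports whether the admin password is derived from it and how many of its characters the SSID gives away; the sample ARP lines and interface names are constructed, and the SSID, MAC and password are the ones quoted in the post.

```python
import re

# One MAC as printed by `arp -a`; some systems drop leading zeros (0:30:44:2:82:8a).
MAC_RE = re.compile(r"(?:[0-9a-f]{1,2}[:-]){5}[0-9a-f]{1,2}", re.I)

def normalize_mac(mac):
    """Lower-case, colon-separated, every octet zero-padded to two digits."""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", mac.lower()))

def mac_from_arp_line(line):
    """Return the normalized MAC found in one line of arp output, or None."""
    m = MAC_RE.search(line)
    return normalize_mac(m.group(0)) if m else None

def audit(ssid, mac, admin_password, pw_len=6):
    """Report how much of a MAC-derived admin password is already public."""
    tail = normalize_mac(mac).replace(":", "")[-pw_len:]
    derived = admin_password.lower() == tail
    # Count trailing SSID characters that match the tail of the MAC.
    leaked = 0
    for s, d in zip(reversed(ssid.lower()), reversed(tail)):
        if s != d:
            break
        leaked += 1
    return {
        "password_derived_from_mac": derived,
        "digits_leaked_by_ssid": leaked,
        # Search space of the default scheme: blind, then with the SSID in hand.
        "guesses_blind": 16 ** pw_len,
        "guesses_knowing_ssid": 16 ** (pw_len - leaked),
        # Anyone who can see the MAC needs exactly one guess.
        "guesses_knowing_mac": 1 if derived else None,
    }

# Constructed sample lines in the two common `arp -a` layouts.
LINUX_LINE = "? (192.168.0.1) at 00:30:44:02:82:8a [ether] on wlan0"
BSD_LINE = "? (192.168.0.1) at 0:30:44:2:82:8a on en1 ifscope [ethernet]"

if __name__ == "__main__":
    mac = mac_from_arp_line(LINUX_LINE)
    for password in ("02828a", "a-long-passphrase-you-chose"):
        print(password, audit("PHS-28a", mac, password))
```

If `password_derived_from_mac` comes back true for your router, change the administrator password as the post recommends.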


Empire State Building: 1, Swiss Army Knife: 0


The glorious Victorinox Swiss Army CyberTool 34: Geek's best friend or security's worst nightmare?

Aah, security. It seems that, in the last decade, the balance between liberty and security in the United States has tilted rather strongly, to the point that we expect to be scanned and have our possessions confiscated before entering buildings. Such was the case when my family and I made our pilgrimage to the Empire State Building in New York, separating me from my beloved Victorinox CyberTool after 10 years of loyal service. It’s a good thing they took it away, too!

I had planned on using the built-in pozidrive, Torx, and Phillips (#0 and #1) bits to dismantle the building and take it home with me. The pliers and scissors might have helped there, too. And since they didn’t confiscate (or really even thoroughly check) my bag, the corkscrew, bottle opener, and can opener might have allowed me to get wild with the Chardonnay and Vienna sausages while I was working! Good thing it packs a toothpick and tweezers, too, since those things can be dangerous. And if anyone tried to stop me, I would have had my choice of 1.5″ or 2.5″ blades to “defend” myself!

Or perhaps I could have used the tiny screwdriver to fix my glasses and the scissors to snip the end off of my kids’ drinking straws to make it easier for them to enjoy lunch. Either way, we’re all safer now that my CyberTool is forever in the hands of the professionals on 34th street. Just don’t let them know that Amazon delivered a new Onyx CyberTool 34 last week!


Where the SAN Stands

Real Video: Where the SAN Stands

Curious about the current state of SAN technology?  Stephen Bigelow of TechTarget interviewed me (last summer) about SAN options, and the video is now live on their BitPipe site.

Topics covered include combined iSCSI and FC SANs, ups and downs of modular storage and oversubscribed switches, next-generation SAN management applications, storage virtualization, and best practices for SAN design.

Here’s a snip - the three best practices for SAN design are as follows:

  1. Choose reliable high-quality hardware
  2. Build dual redundant networks
  3. Protect management interfaces

Watch the whole video (it’s 17 minutes long) and let me know what you think!

 


TSA Blog Ignites Vitriol

As a frequent business traveler, I have repeatedly been (let’s say) confused by TSA (and FAA and airline) security policies. Lots of them seem like nonsense, overreaction, or comical misunderstandings, and they can lead to some odd results, like the current planeside baggage mess. But now that the TSA has a blog of its own, people can start commenting back. And boy, have they!

As a liberal-minded person, I tend toward the libertarian with regard to social issues, and especially technological ones. But although lots of the TSA policies annoy me, I’m frankly just too scared of missing my flight to “join the resistance” as it were and stand up and question some of the idiocy.

But here are the things I’d like a straight answer from the TSA about:

  • Why are some airport x-ray scanners so much more or less sensitive than others? I always wear my wallet and watch through, and usually my belt, but the other day I accidentally left my V-Moda Vibe headphones and a steel business card case in my pockets with nary a beep. I must have had a pound of metal on me!
  • Is toothpaste a liquid? I got yelled at in Philly that it didn’t need to be in “the bag”, and yelled at in Denver that it did! And yet, I accidentally left a tube in my backpack for a year without a question…
  • They tried to explain the 3-ounce liquid thing.  I just don’t buy it.  And (not that the TSA has anything to do with this) I have a hard time understanding why no one makes a 3-ounce tube of toothpaste!  It’s 1.3 or 4.4, as far as I can tell!
  • Why scan uniformed, ID-toting airline personnel and airport employees?  They could kind of do whatever they want with us anyway, so let’s just let them through, ok?
  • What’s up with this new “dump out all your electronics” rule?  The bomb squad was once called on me (BOS, terminal B) due to my proliferation of mouses, external drives, power supplies, retractable cords, etc…  I’m what’s known as a road warrior, and I don’t want to have to dump out all of my stuff!
  • Why can I put most items in one bin, but my laptop has to be in a separate one alone?

Aah well, maybe we’ll get some answers.  Or maybe it’ll just be a new place for flyertalkers to complain!


Hifn Buys Siafu

Looks like storage security just might happen after all.  Although EMC has done little to capitalize on their acquisition of RSA, I’ve been seeing a lot of interest in the security space for the last year. Take a look at NeoScale with their global key manager, and you’ll see an interesting twist on the security picture.

Now Hifn has purchased Siafu, which will only increase acceptance of this much-needed element of the storage puzzle.  John Matze and the rest have done a terrific job of pushing encryption in the small business segment, and this should get their stuff accepted more broadly.  Plus, it might just spread John’s non-security iSCSI expertise more broadly, and that’s always a good thing.
