Not particularly favorable.

The world is getting a sexy little laptop with wireless-only connectivity and an irreplaceable battery - the MacBook Air. They are also getting a 1TB drive that works over the radio - the Time Capsule.

This time next year, a bunch of MacBook Air owners will have laptops that lose their charge in twenty minutes, and they’ll have to pay $120 or so to get them fixed. They’ll be looking silly at their next coffee-shop meeting too, when the colleague says “oh I’ve got that file on CD.” Or worse…”I’ve got that file on my portable Firewire drive” (there’s no Firewire on the device either). This convenience have cost them roughly two grand to start.

Meanwhile, a whole bunch of other folks will have nifty storage units sitting on their shelves. They’ll download a 1.4GB movie from iTunes, which takes this user roughly a half-hour, and then they get to stir for another fifteen minutes when they decide to store it for future use. Big drives mean lots of (and big) files - transfer over the airwaves is a pain in the ass, 802.11n or not. I’m shopping for a new backup drive now, and won’t even consider one without (at least) Firewire 400.

It’s a lot of kit that seems destined to waste time as well as money. There’s an economic slowdown in the midst, and by the time people have money to burn there will already be something better out. Technology advances quickly, and I think Apple’s timing is off. Steve Jobs spoke, then Twitter went down? Give me a break - nobody cares.

But how about Apple’s stock price? Down 15 points in the past two days.

Bruce Schneier, cryptography king, keeps his home network open. And despite what Tim Lee wrote in support of the idea, please don’t listen.

The justification is that the risk of someone using your network for illegal means is very low, while the risk of you getting hacked at the local coffee shop is potentially higher. Hence, worry about your machine, not your home connection.

I say BLAH! This piss poor argument ignores two significant points:

1) There is little or no benefit to you from opening your network; and

2) It takes minimal effort to secure your network with a password.

The risks may be low, but meanwhile you have nothing to gain. Meanwhile, the effort necessary to provide that little extra layer of protection likely outweighs the cost of that single long tail incident - one that could potential cause you tons of legal hassles.

If you are hell bent on providing web access to home visitors, I’ll take for granted that you trust them. Give them the key, like I do. Or if you’re wearing a tinfoil hat as you hand them their coffee, ask them to allow you to type it in yourself.

UPDATE: Being open can cause hassles (unless you don’t consider having your computer confiscated by less than technology savvy law enforcement officers a hassle).

A taped demo at Blackhat (taped because the demonstrators were fearful someone would interfere) was supposed to show a MacBook wireless vulnerability. As it turns out, the drivers that SecureWorks researchers used were from a third party.

So much for taped demos.

***UPDATE***

You have to love this line:

“As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available.”

Responsible disclosure my ass. Can anyone say “banned from Blackhat demos, for life?”

***UPDATE 2***

Maybe that should be journalists banned from Blackhat instead.

It must be wireless hack day. A debate has ensued over at Brian Kreb’s Security Fix (WaPo) over…wireless vulnerabilities.

A demonstration is happening today at Black Hat Briefings, whereby two fellas will present hijacking a MacBook in sixty seconds flat. The question at hand - is this an OS X issue or a wireless vendor (in this case Atheros) issue?

Police in Douglas County, Colorado (right down the street from Spamroll) are going to start wardriving for the purpose of warning open wireless device hosts of impending danger.

I wish I could properly spell out what a complete waste of time and money this is, but I guess some bureaucrat thought it was a good idea. The problem with wireless hacks is not the open device, but the devices behind them that lack security of their own. Need it defined further? If you run a wireless computer behind a network in administrator (or root) mode, it really doesn’t matter whether you have WEP (the only really easy wireless encryption that everyday folks employ) running on that hub/router. Someone is going to get you if they want to.

You really have a few choices here, all of which are employed behind the Spamroll poster’s network. First, DON’T RUN IN ROOT OR ADMINISTRATOR MODE!!!!! Of course, this is difficult for Windows users, as Windows loves setting default users for admin. Unlike UNIX-like systems, Windows thinks this is an easy way out. Unfortunately, it is also an easy way in for hackers. For securing your network (in this case, to prevent the sheriff’s office from bugging the shit out of you), rename your little Linksys or Netgear router from the factory default “linksys” or “netgear” to some obscure name (and don’t be a moron and use your dog’s name either - unless you don’t ever walk said dog and/or wave to your neighbors and let them pet said pup). Next, set your router to NO BROADCAST of that little thing called SSID. You can type the name of your network directly into your computer to connect, and by not broadcasting SSID nobody can actually see your network to begin with. Also, use something besides WEP (which is well known for being a 30 second hack). Use WPA or WPA2 encryption, which exchanges new encryption keys every few hours. Beyond being tougher to crack, by the time the hacker does make it in, the key has changed and they have to start over.

As I said, best results for keeping the knocks at your door to a minimum is the no broadcast option - after that the rest is up to you. I use no broadcast, WPA2, and frequent handshakes (every two hours) to keep my gear away from prying eyes parked on the corner. Added are no running in admin (or root) mode, and running device firewalls in “stealth” mode (no detection of internal devices is the result). If someone wants in after that, I always have the unleashed collie dog and a can of moldy yogurt to throw on the windshield of that friendly wardriver’s car.

Then, tell Douglas County bureau-nuts to quit wasting your money and read Spamroll instead - a public service message should do the trick as far as getting the word out.

People find vulnerabilities in Windows machines all the time, but most of them are discovered under very specific, almost lab-like conditions. Trying to re-create the problem in an “everyday use” scenario is often difficult (particularly for the average user), but the latest Windows wireless vulnerability, discovered by Matt Loveless, is anything but irreplicable.

Do something as simple as connect at a Starbucks T-Mobile Hotspot, and next time you go out looking for a connection, someone could be connecting to you. WIndows broadcasts the last SSID it connected to when out looking for new ones. A hacker close by can capture that name, set their computer to the same, and connect to your machine without warning.

Imagine how many people last connected to the largest competitor to those paid HotSpots - that ubiquitous WiFi provider called “linksys.”

No doubt this is going to be fun. In the capital of spams and scams, the kingpins are preparing for the next wave - unleashing broad-based advertising to mobile phones.

Techdirt just noted that one of the AOL subscribers to its Techdirt Wireless newsletter has been reporting the email as spam, and that AOL is now giving them a hard time.

Techdirt is being forced to remove all AOL subscribers to the email, in order to keep AOL off their backs, and despite having a compliant double opt-in policy for subscriptions.

Will the joker that keeps reporting the Techdirt Wireless newletters as spam please use the unsubscribe link at the bottom of the newsletter, rather than punishing the rest of the subscribers through their “actions” and inaction.

You can batten down the hatches of your home wireless access point, but if you are used to Wi-Fi for home and travel, that may not prevent you from getting hacked (that is if the stories circulating have any validity).

While wi-fi phishing is nothing new, there has been a spate of new attempts targeting business travelers.

In the recent exploits, phishers supposedly pose as valid wireless hotspots, enticing users to connect and then snatching personal information. This is certainly doable, and business travelers in generally are not exactly the most technologically saavy bunch, but it does raise a few questions..

Are the attackers sitting in that coffee shop posing as a wi-fi access point? Do paid airport locales need to implement additional security measures to prevent their login pages from getting hijacked?

AirDefense didn’t mention exactly how this type of exploit is pulled off when they announced their products would protect against these attacks. If you are posing as a legitimate hotspot, don’t you have to set up some wireless infrastructure nearby, or steal the domain of an existing provider?

I am looking for some additional insight on this issue, if anyone has any. Meanwhile, I will be waiting for an announcement from hotspot providers on their latest security measure implementations and/or some sneaky looking characters eyeing laptop owners at my favorite wi-fi venue.

A while ago I told you home-wireless junkies that someday you would get a knock on your door, and some law efforcement officer would accuse you of spamming. When you didn’t hear it, I said it again.

Now I have to admit, I was all wrong.

And I apologize. I told you that keeping your wireless network password protected would give you that needed time to raise suspicion from Aunty Allie next door. But it doesn’t take thirty, twenty or even ten minutes for a hacker to break into your 128 bit WEP-protected wireless network.

It only takes THREE!

At a recent information security conference, a team of FBI agents demonstrated the 3 minute crack, which included the traffic scan, packet analysis, and the key generation. Ouch. And you know if a team of experts from the US government can do it in three minutes, a fifteen year old kid with a P3 laptop can likely do it in about a minute and a half.

This Slashdot post includes a link to the FBI methodology used. Boy am I glad they posted that.

Good thing I use WPA, at least for the next month, that is.