WPA-PSK Cracking As a Service 175
An anonymous reader writes "Moxie Marlinspike, a security researcher well known for his SSL/TLS attacks, today launched a cloud-based WPA cracking service, where for $34 you can test the security of your WPA password. The WPA Cracker Web site states: 'WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.'"
"test your key", riiiiight (Score:3, Interesting)
While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes
Anyone interested in testing their own key would not care about it taking 5 days. During a weekday, you're not around most of the time anyway. I doubt anyone cares enough to spend $40 for something that can be done for free.
From the Article... (Score:3, Interesting)
"Marlinspike declined to say who operates his compute cluster"
I guess he can't come out and say he's using botted boxes, right?
Re:Well at least you can say Moxie has Moxie. (Score:5, Interesting)
I'll save 'em the full $34.
Go here: https://www.grc.com/passwords.htm [grc.com]
Re:Cloud? (not a) (Score:5, Interesting)
This kind of work (high computation, high parallelization, infrequent request) might be the most brilliant and non-obvious use of cloud computing. Low overhead due to using someone else's hardware (rather than having 400 CPUs laying around). If this is truely what they are doing, I am very impressed.
Re:Well at least you can say Moxie has Moxie. (Score:1, Interesting)
Not as good as you think.
If somebody hacks into the server and retrieves the inital vector and 256 secret key, it's trivial to reconstruct *ALL* of the passwords ever handed out. Poor design.
He could create new secret keys regularly (hourly), or preferably mix in some real randomness to fix this.
Re:One problem (Score:1, Interesting)
Any clued neighbor wouldn't be allowing others onto their wi-fi. I wouldn't want to be implicated if the neighbor has a taste for the "young'ons", nor do I want my IP to be considered enough evidence to win an IP infringement lawsuit because someone wants to bum Internet access for downloading the latest pr0n flick or the latest Britney Spears album.
If I were going to give wi-fi access, it will only be to allow others to connect to an OpenVPN port on an offshore provider. Then if I get a motion of discovery dropped on me, I can point to the offshore provider account belonging to someone else and go about my business.
Re:who uses WPA anyways? (Score:5, Interesting)
Believe it or not, there are some embedded devices which don't have the CPU juice for WPA2, so they were given a BIOS update so they can run something better than WEP as some form of security. WPA has its issues, but it sure beats WEP.
The best wireless setup is to have two wireless SSIDs. Your internal one that runs off of WPA2-Enterprise, RADIUS server, and smart cards. Then an external one that has a stern packet filter and throttling mechanism. This way, people can log on your open wireless to check E-mail, but Limewire and other P2P apps will be stopped. Of course, someone can jump that, but if they do that, its not your problem anymore.
I do see one use for MAC address security, and its more of a legal thing than computer protection. If a security breach criminal case winds up in court, and you can prove a potential intruder was bypassing your MAC security, it might land a conviction. Otherwise, someone can make up a story of you allowing people to have your WPA2 passwords, etc.
Re:One problem (Score:4, Interesting)
Living in fear must suck, huh? I have 4 open WiFi networks available to me at the moment (in a subdivision with 1/2-acre lots, not in a dense apartment complex). I've hopped onto a neighbor's network when my phone was out, and I have DHCP logs showing when they've been on mine. If I got hit with a subpoena, it'd be a piece of cake to show how many other people are using my router. That's a lot better approach for me and my neighbors than shutting each other out in a moral panic.
Re:Cloud? (not a) (Score:5, Interesting)
A medium 'high-cpu' linux instance at Amazon is $0.17/hr [amazon.com].
($0.17/hr) x (20min) x (400 instances) = $22.66666... +50% = exactly $34