Page 2 of 2

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Wed Oct 18, 2017 4:38 pm
by SwanRider
I am glad that this was asked as I am sure that many of us would be concerned about. However as has been already stated if we have applied the updates through update manager which I did last night then I believe that we should be okay from what I have read on here and on the net

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Wed Oct 18, 2017 5:01 pm
by rene
BG405 wrote:This would surely cause the printer to disappear from the genuine network?
Surely. If however as I usually see these days a single home Wi-Fi network is the only network then the same shenanigans that bumped the printer on over to the malicious clone may have triggered all/most home-devices onto the same, leaving "genuine network" as a term ill-defined and as a network ill-detectable.

Note by the way that this cloning business requires sincere proximity; tricking devices onto a clone basically amounts to having the stronger radio. Which is to say that slapping your neighbour's nerdy kid around a bit might be a more effective precaution then going on a patch collection spree right now. The protocol layer in which this issue lives makes it a fundamental problem but "fundamental" is not the same as "severest ever". Which, mind you, would not be conversely to say that it's not severe; it is, but practical impact for the individual user is not as big as the amount of press could have one believe. Which is always the case with security issues. In the end this one stands out mostly due to not being rubbish.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Wed Oct 18, 2017 6:07 pm
by karlchen
xenopeek wrote:Ideally, yes home routers are also patched, but the krackattacks folks had this to say about it: [...]
Should the sentence not rather read
Yes, home routers should also be patched [...]
Let us be realistic. Patching our Linux client side is the right thing to do and absolutely necessary. Glad the fix has been available so quickly.
But the other side, our routers should be patched as well.
Yet, router producers are not always very responsive when it comes to patching bugs and security vulnerabilities. And as a rule they are definitely much slower in doing so than software producers.

Sorry, if at the moment I can only provide a link to a German computer magazine webpage, where links to comments on the WPA2 KRACK problem can be found by those few (hard- and software) vendors who could be bothered to reply at all.
But not even all of them could state that a fix were already available or would be available soon.
KRACK: Hersteller-Updates und Stellungnahmen (KRACK: Producer Updates and Statements)
(as soon as I locate a similar English article I will add the link here)

And finally, let us not forget our dearest tamagotchies, which we carry around all the time, our oh so smart smart phones. Most of them will never see any more bug fixes and security patches for the rest of their lives, because most smart phone producers are very good at releasing new smart phone models in short intervals, but cannot be bothered to provide software updates for the same smart phones.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Wed Oct 18, 2017 6:15 pm
by BG405
rene wrote:If however as I usually see these days a single home Wi-Fi network is the only network then the same shenanigans that bumped the printer on over to the malicious clone may have triggered all/most home-devices onto the same, leaving "genuine network" as a term ill-defined and as a network ill-detectable.
True, if all the devices are connected wirelessly to the router(s). I expect it would be more obvious on a hybrid setup like mine, where only portable machines use WiFi (netbooks, very occasionally a phone - when I can find it - and my mate's phone & tablet) so in my case, the WiFi connections would be the targets and the printer will not be accessible if the computer's WiFi was connected to a spoof, as the netbooks are the only ones with working printer drivers at present. The 64-bit OS on the server, which doesn't have WiFi, doesn't currently have a working printer driver.

Whilst WiFi printers might be a convenience for some, I think they are largely unnecessary as they tend to be installed and left in one place so a wired connection is far more practical, using the router to access via WiFi. Considering their vulnerability (note my comment re. my mate's phantom photo coming out of his printer) I wouldn't use a WiFi printer any more than any other device which isn't likely to get prompt updates. Stinks of the IOT rubbish.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Wed Oct 18, 2017 9:47 pm
by jglen490
So fix what you can - patch your wifi router and your wifi connected computers (Windows, Apple, Linux, BSD). For the ones that don't have a patch available - especially tablets, phones running Android - turn off your wifi connection as much as possible and use your data connection. If you absolutely need to use wifi with your Android device, turn wifi on when you need it, turn it off when you don't. You'll be minimizing your risk. For any other devices, same pattern - on when you need it, off when you don't.

The fact is the KRACK vulnerability can only be leveraged within close proximity to your devices - that's a max of about 100 meters. It's not all that convenient for bad guys, but it could happen. Pay attention to what's happening at your wifi router or repeater, and watch for unusual activity at your computing devices. It's kinda scary, but not if you do what you need to do. Patch what you can, minimize your wifi activity on the rest.

We patched our Netgear router yesterday as soon as we found the patch, and updated the wpa-related packages/software on our Linux computers. Windows had been patched sometime ago. Moving on with life.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Thu Oct 19, 2017 8:33 pm
by Jat
What about game systems? There are other things that might never get a patch. Refrigerators for example.

Too bad my laptop is outdated and might not get a patch. I don't think my router is affected, at least Netgear says it's not, if I'm reading the site right. WNR2000v5.
https://kb.netgear.com/000049498/Securi ... -2017-2837

List of vendors:
https://www.kb.cert.org/vuls/byvendor?s ... rchOrder=4

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Thu Oct 19, 2017 8:43 pm
by BG405
The timestamp on the patch is 16/10/2017 at 08:20 IIRC. That's a pretty quick fix I think. But I was rather surprised to see that "Urgency: Medium" in the notes rather than "Urgency: Critical" or equivalent.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Fri Oct 20, 2017 12:01 am
by xenopeek
BG405 wrote:I was rather surprised to see that "Urgency: Medium" in the notes rather than "Urgency: Critical" or equivalent.
Like others have said, an attacker would need to be within range of your wifi signal. It's not like everybody lives next to somebody with the technical know-how and malicious mindset to do this attack.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Fri Oct 20, 2017 3:30 am
by Moem
Jat wrote:Too bad my laptop is outdated and might not get a patch.
That's up to you. If it's running an up-to-date OS, it will or it already has. If not, it's not the laptop that's outdated.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Fri Oct 20, 2017 10:48 am
by BG405
xenopeek wrote:It's not like everybody lives next to somebody with the technical know-how and malicious mindset to do this attack.
Whilst that is true for the majority of people as a whole, there are areas such as this one with a large student and health worker population, in fact yet another new 10-storey building has just opened down the road and now houses hundreds more students, hence my elevated concern.

There are public WiFi hotspots everywhere in and around student-land including the parks and recreation areas, also the hospital provides wifi to the nurses' accommodation and the patients. So I'd consider that risk to be much higher round here, due to the population density and demographic. I just thought that they would take a "worst case scenario" on something like this, that's all. :wink:

There are also long-range WiFi devices such as those directional antennas giving a range in the order of several miles! A suitably-equipped scrote would have a field-day in this area.

To conclude, we Mint users have (or should have!) applied the patch, it's the phone users who are still at risk. I don't know how it's been dealt with in Windows, Mac, ChromeOS, Android & iOS land; I presume they've been patched too.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Fri Oct 20, 2017 12:01 pm
by xenopeek
Yes, phones and tablets are the real targets. Phones and tablets and other "smart" devices just won't be patched in many cases due to the non-sustainable business practices of most manufacturers and mobile operators.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Fri Oct 20, 2017 8:05 pm
by Jat
So far I haven't be able to find info on if video game system are getting patched. There is this where someone asks Nintendo if there systems will be patched. But I can't find anything else. https://en-americas-support.nintendo.co ... ElMjElMjE=
xenopeek wrote: Like others have said, an attacker would need to be within range of your wifi signal. It's not like everybody lives next to somebody with the technical know-how and malicious mindset to do this attack.
Couldn't there be an easy script or program to run that automates the process developed?
Moem wrote: That's up to you. If it's running an up-to-date OS, it will or it already has. If not, it's not the laptop that's outdated.
I have an Apple Macbook that won't let me update to Sierra (or High Sierra now). If I can't get the latest operating system, or if I don't have the system requirements to run the OS, then my laptop is indeed outdated.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Fri Oct 20, 2017 8:16 pm
by Moem
Jat wrote:
Moem wrote: That's up to you. If it's running an up-to-date OS, it will or it already has. If not, it's not the laptop that's outdated.
I have an Apple Macbook that won't let me update to Sierra (or High Sierra now). If I can't get the latest operating system, or if I don't have the system requirements to run the OS, then my laptop is indeed outdated.
Many Macbooks can be upgraded to Mint or another Linux based OS.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Sun Oct 22, 2017 1:03 am
by Jat
Oh, that's what you meant.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Sun Oct 22, 2017 7:09 am
by Moem
Yes, sorry if that wasn't clear.

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Mon Oct 23, 2017 6:00 pm
by JChristensen
BigEasy wrote:It is good that issue already fixed on Mint. But it is far from the end of story - who and when will fix our WIFI routers?
I would expect that most of the popular router vendors would respond in a fairly timely manner. However, I'm taking the same approach with my routers as I am with my PCs, mainly, running open-source Linux distributions. I've upgraded my router from OpenWrt to LEDE, who responded to the KRACK vulnerability with a new release within a couple days. I'm pretty happy about that!

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Fri Nov 17, 2017 12:38 pm
by kenetics
Finally got a software update for my Buffalo router (It uses a version or DDWRT). The first update in about 5 years!

Re: WPA2 is no longer safe ? [issue is already fixed on all Mint versions]

Posted: Fri Nov 17, 2017 10:52 pm
by Portreve
Jat wrote:I have an Apple Macbook that won't let me update to Sierra (or High Sierra now). If I can't get the latest operating system, or if I don't have the system requirements to run the OS, then my laptop is indeed outdated.
I know you've already seen and read Moem's posts, but this is really a teachable moment, not just for you, but for many others out there.

The problem is that people do not have the savvy to understand what it means for something to be merely a software issue. If they did and a situation came up like Apple not backporting a fix to prior versions of Mac OS X, there would be nonstop howls of outrage directed most rightly toward Cupertino.

Generally, many issues out there aren't hardware ones, but have directly to do with software, and what producers thereof choose to do (or choose not to do as the case may be) and this is yet another sterling argument for people to migrate away from proprietary operating systems like Mac OS X or Windows, and move to one of the many distributions of GNU+Linux, such as the very fine LinuxMint.

Apple is, in a great many respects, the entirety of the Windows ecosystem rolled into one ball. With Apple, if they introduce something, you *have* to get the newest OS to have it. Sometimes, that means you have to replace otherwise good hardware. In the Windows world, people have problems with crud and cruft gathering with their installation of Windows. This can and often does include spyware and other malware, but does not necessarily have to be. Perhaps they try and fix it. Perhaps they take the computer to a local tech shop. Perhaps this happens a few times, and eventually they just replace perfectly good hardware with a new computer. I've personally witnessed people replacing their box practically on a year-and-a-half to two-year cycle, just because they couldn't contend with various forms of maintenance issues which crop up because of their OS choice.

None of this is to say certain needs don't dictate certain ends. It may well be you need some piece of software that's only written for Windows, or Mac OS X. It could be that there is a GNU+Linux choice, but it basically sucks, and so the only useful choice is one written for either of the two main proprietary OSs. In some cases you can get around this using something like WINE, or Crossover Office. In other cases, you can't, and the only option is to run one of those systems.

But, for a great many things, there are equal (sometimes better) choices for GNU+Linux, and at least then one can have some degree of confidence there is no commercial agenda waiting in the wings to get you.