Archive for January, 2010

hostapd with psk-file

Tuesday, January 26th, 2010

I tried to make hostapd use a separate psk-file, with a different PSK per MAC-address. On Debian the file is called /etc/hostapd/wpa_psk and according to /etc/hostapd/hostapd.conf:

# Optionally, WPA PSKs can be read from a separate text file (containing list
# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.

This is fucking WRONG. The file format is not documented anywhere else, and the above is utterly bogus. The file has to look like this:
00:00:00:00:00:00 somepskstring

The 00:00:00:00:00:00 of course would have to be replaced by a real MAC-address. The MAC-address all zeroed out might signify a wildcard, but then, this isn’t documented either.

By the way, if you do not want it bloody bridged, you need to set up the interface just like normal in /etc/network/interfaces, and take care that it’s served by dhcp and has appropriate firewall-rules.
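A check for the format described above, as an added example that is not part of the original post or of hostapd: it lints the body of a wpa_psk file, catches the reversed (PSK, MAC) order that the hostapd.conf comment suggests, and flags the all-zero MAC the post suspects is a wildcard. It handles only the two-field form shown here; the PSK length rule (8..63 printable ASCII characters, or 64 hex digits for a raw 256-bit key) is the standard WPA-PSK constraint, and the function name and sample entries are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
HEX_PSK_RE = re.compile(r"[0-9A-Fa-f]{64}")
WILDCARD = "00:00:00:00:00:00"


def lint_wpa_psk(text):
    """Return (line_no, level, message) findings for a wpa_psk file body."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        # The MAC comes first; everything after the first space is the PSK,
        # so a passphrase may itself contain spaces.
        mac, sep, psk = line.partition(" ")
        if not sep or not MAC_RE.fullmatch(mac):
            last = line.rsplit(" ", 1)[-1]
            hint = " (fields reversed? MAC goes first)" if MAC_RE.fullmatch(last) else ""
            findings.append((no, "error", "line must be 'MAC PSK'" + hint))
            continue
        is_passphrase = 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)
        if not (HEX_PSK_RE.fullmatch(psk) or is_passphrase):
            findings.append((no, "error",
                             "PSK must be 8..63 printable ASCII chars or 64 hex digits"))
        if mac == WILDCARD:
            findings.append((no, "warn", "all-zero MAC: PSK not tied to one station"))
    return findings


# Constructed sample file body (not from the original post).
SAMPLE = "\n".join([
    "# per-station PSKs",
    "00:11:22:33:44:55 correct horse battery",
    "somepskstring 66:77:88:99:aa:bb",
    "00:00:00:00:00:00 guestpassphrase",
    "de:ad:be:ef:00:01 short",
])

if __name__ == "__main__":
    for no, level, msg in lint_wpa_psk(SAMPLE):
        print(f"line {no}: {level}: {msg}")
```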

USA: enhanced stupidity at airports

Monday, January 4th, 2010

Stupidity and misunderstanding of how security works have reached new heights in the USA: TSA: Enhanced screening for people flying to U.S. from certain nations.

How bloody stupid must one be to react this way to a failed attack? Yes, failed means exactly that a security measure — in this case a terrorist attack that was thwarted by passengers(!) — works. But instead of relying more on what obviously works, the TSA (and of course, this one is backed by the government; proving that Bush and Obama really do the same bollocks) has decided to implement something else, something incredibly stupid which will actually lower security.

Security professionals worldwide don’t even know if they should laugh or cry at such a bold display of imbecility. I’ve not yet seen what Bruce Schneier has to say about this specific idiocy, but here’s an essay which essentially explains the issue: Screening People with Clearances. Just so you can see that I’m not the only security professional who thinks this way, and Bruce Schneier has rather more clout than me. ;)

Do you really think terrorists won’t be likely to fly NOT from those 14 countries? Or — gosh — use a false passport? Hell, they might even recruit people from a country deemed “safer”, the USA itself for instance. And of course, increased scrutiny of certain passengers will draw resources from scrutinizing other passengers.

Congratulations, you’ve just implemented a fast lane for terrorists while harassing other passengers coming from some 14 countries. Mindbogglingly stupid. According to Hanlon’s Razor I’m forced to conclude that the USA is run by drooling idiots.

Addendum: Bruce Schneier has now put it nicely: Christmas Bomber: Where Airport Security Worked. I can only add “and in whose aftermath common sense did not”.