
alternatives for WPA2 networking under OS9

bigmessowires

Well-known member
I have a G3 iBook with WiFi, but it only supports WEP and my home network is WPA2. After doing a little reading it seems that there's no way to add WPA2 in OS9, so what's the next best alternative?
  • Use a wired Ethernet connection. That would work, but it's not wireless.
  • Use a wireless Ethernet bridge. I've no experience with these, but I think it would connect to my home network using WPA2 and then the iBook would connect to it with an Ethernet cable. I assume these wireless bridges need a separate power supply? If so, that's not really any better than plain wired Ethernet since the iBook would still be tethered to a box in a fixed location.
  • Use an old router that supports WEP. I have an Airport Extreme that's configured in bridge mode and connected via wired Ethernet to my home network. I think I could configure this to run a WEP WiFi network, but... security. There's a reason that WEP isn't used anymore, and even if I added MAC address filtering I'm not sure it would be very secure.
  • Maybe use the Airport Extreme without connecting it to my home network, so there's nothing on it worth hacking? I could still do AppleTalk networking between my vintage Macs, but couldn't access the internet. That's sort of fun, I guess, but not ideal.
  • Some other brilliant solution?
 

Phipli

Well-known member
> Use a wireless Ethernet bridge. I've no experience with these, but I think it would connect to my home network using WPA2 and then the iBook would connect to it with an Ethernet cable. I assume these wireless bridges need a separate power supply? If so, that's not really any better than plain wired Ethernet since the iBook would still be tethered to a box in a fixed location.

Something like this?
 

Phipli

Well-known member
> I think I could configure this to run a WEP WiFi network, but... security. There's a reason that WEP isn't used anymore, and even if I added MAC address filtering I'm not sure it would be very secure.

Yeah, there are people who map WiFi networks and what protocols they're using and share on online maps, and WEP only takes minutes to crack, even years ago. Having WEP might draw crooks to you from miles around. Or it might not, depends where you live.

P.S., this is why you should never show the list of visible SSIDs in screenshots - it's equivalent to handing out your postcode if you're in a built-up area.
 

Skate323k137

Well-known member
My solution for my Pismo is to use my cell phone in USB to Ethernet tethering mode, and plug an Ethernet cable in from the Pismo to my phone via an Ethernet to USB dongle. It works really well, and is fast and secure, but it's not a convenient everyday solution for everybody. Despite being external it is completely mobile and it makes use of whatever (presumably secure) wi-fi your phone is on, or even cell data :D
 

Phipli

Well-known member
> My solution for my Pismo is to use my cell phone in USB to Ethernet tethering mode, and plug an Ethernet cable in from the Pismo to my phone via an Ethernet to USB dongle. It works really well, and is fast and secure, but it's not a convenient everyday solution for everybody. It does make use of whatever secure Hotspot your phone is on, or even cell data :D

Oh, actually what we do? I reboot my Pismo into 10.4 and use a WPA2 capable Cardbus card to connect to modern wifi, download what I want, then restart into 9.

It's good enough. But the iBook doesn't have a CardBus slot.
 

Skate323k137

Well-known member
> Oh, actually what we do? I reboot my Pismo into 10.4 and use a WPA2 capable Cardbus card to connect to modern wifi, download what I want, then restart into 9.
>
> It's good enough. But the iBook doesn't have a CardBus slot.

I like it.

I also use this tethering method for other machines too, like my G3 iMac, if they're out of reach of a switch or router at the house. It's usually temporary but it's convenient.
 

bigmessowires

Well-known member
Right. I see that it's powered from a USB port so it actually could work as a portable solution for the iBook, albeit a somewhat clunky one.

It seems that there's no way to actually use the iBook's Airport WiFi without opening your home network to easy attacks, since it would require having a WEP access point. That makes sense, but it's too bad.
 

Nixontheknight

Well-known member
> I have a G3 iBook with WiFi, but it only supports WEP and my home network is WPA2. After doing a little reading it seems that there's no way to add WPA2 in OS9, so what's the next best alternative?
>   • Use a wired Ethernet connection. That would work, but it's not wireless.
>   • Use a wireless Ethernet bridge. I've no experience with these, but I think it would connect to my home network using WPA2 and then the iBook would connect to it with an Ethernet cable. I assume these wireless bridges need a separate power supply? If so, that's not really any better than plain wired Ethernet since the iBook would still be tethered to a box in a fixed location.
>   • Use an old router that supports WEP. I have an Airport Extreme that's configured in bridge mode and connected via wired Ethernet to my home network. I think I could configure this to run a WEP WiFi network, but... security. There's a reason that WEP isn't used anymore, and even if I added MAC address filtering I'm not sure it would be very secure.
>   • Maybe use the Airport Extreme without connecting it to my home network, so there's nothing on it worth hacking? I could still do AppleTalk networking between my vintage Macs, but couldn't access the internet. That's sort of fun, I guess, but not ideal.
>   • Some other brilliant solution?

Just make a guest network with no security and see if you can limit the number of connections to it to one machine.
 

treellama

Well-known member
What I did was set up an AP with a bridge on one of the Raspberry Pis. Then I can use an ssh shortcut on my phone to turn on the retro WiFi when I am using a clamshell or TiBook; and another to turn it back off when I am done.

I should really write up a guide on how I set it up. They can even see the netatalk server over AppleTalk that way.
 

paws

Well-known member
What are the actual risks of WEP cracking? Isn't it just that it's easy for someone to join your network? If your internal services are somewhat secured (as they should be) and the sites you use are HTTPS for anything important (as they dmn well should be!), it seems to me that the main risk is someone leeching off your internet connection. Not sure I'd worry about that so much. I suppose somebody could in theory place some headless device within range that did something bad on the internet, but this seems like a theoretical risk more than anything. Unless it's a very targeted attack it also seems like something that could be mitigated by changing your PSK and SSID regularly, maybe rate limiting the WEP network if you can, and obviously just turning it off when it's not needed.

WEP for home networks was obviously a huge problem back when many sites like Facebook allowed logging in over non-encrypted connections making session hijacking a doddle, but I think it's important to always be specific and realistic in your threat modelling. I'd sit down and have a think about what's available on your network and how secure it is, and if you've got e.g. important files on insecure shares or anything, then maybe fix that instead? There are many other, perhaps more common, ways for intruders to enter your network, like a friend bringing a malware-infected laptop (or you making one!), so you should do this anyway.
 

Phipli

Well-known member
> it seems to me that the main risk is someone leeching off your internet connection. Not sure I'd worry about that so much.

You are legally responsible for what happens from your internet.

Imagine the most despicable crime that can be done with an internet connection. Now realise you don't have a good enough imagination. Now imagine having to defend yourself in court because your internet committed these crimes, and you need to prove it wasn't you when they have evidence that a computer in the network you are the primary user of did it.

> but this seems like a theoretical risk more than anything

Nope. Bad people look for internet connections like this to cover their tracks. The risk is low, but the consequences are extreme.

> Unless it's a very targeted attack it also seems like something that could be mitigated by changing your PSK and SSID regularly, maybe rate limiting the WEP network if you can, and obviously just turning it off when it's not needed.

I don't think you understand how easy it is to overcome WEP... It isn't much different to logging in.

> I'd sit down and have a think about what's available on your network and how secure it is, and if you've got e.g. important files on insecure shares or anything, then maybe fix that instead?

This isn't the big issue, it's crimes committed from your internet, besides, why you would be so chilled about having someone the wrong side of your firewall I don't understand!

> There are many other, perhaps more common, ways for intruders to enter your network, like a friend bringing a malware-infected laptop (or you making one!), so you should do this anyway.

I think you might need to set up a guest WiFi that is in a DMZ if this is an issue.
 

paws

Well-known member
Let's just say that I'm well aware of how easy it is to overcome WEP. It used to be quite handy :)

The legal responsibility you mention is not, to my knowledge, entirely universal and I honestly think you're overstating the risk. Maybe it depends on where you live. Either way, there are easier ways to gain anonymous internet access in 2023 than walking around looking for WEP networks. But yes, *if* you are concerned about outgoing connections, someone setting up a Tor exit node on a Pi in your garden or something, then WEP is as bad an idea as running an open network, I concede that. But again, when WEP was current, HTTPS was not in common use, and if you were on someone's network you could just wireshark their passwords. Whoops. But that doesn't really apply anymore.

(There's a thing to be aware of that's quite important in this context, btw: AFP is not encrypted as far as I know, so an intruder on your network would be able to eavesdrop here)

But I'm more curious about:

> why you would be so chilled about having someone the wrong side of your firewall I don't understand!

Can you be more specific about what it is I'm supposed to be worried about? A firewall can block outgoing connections (the crimes you talk about), or incoming connections. To focus on the latter, let's say a bad actor is now on my local network, what services do they now have access to? I have a NAS type thing but... it's already got a hole in the firewall so I can access it from the outside! All workstations and laptops have file sharing and remote login turned off. So the security depends on the sharing protocol (SSH, mostly), not being walled off from the internet. Granted, all my computers run Linux and I know in detail what's going on on them. But this is what I mean by being specific in your threat modelling: understand what services you have running and how they might be vulnerable. And if you're talking about a laptop that ever goes to a coffee shop or library or similar, then you should already have those protections in place. (Thankfully operating systems come with more sensible defaults, these days.)
 

MacUp72

Well-known member
I wonder how secure a MAC address filter network actually is... I mean it's a bit annoying setting that up as you would have to put in all your devices, phone, tablets, desktops, portables... but should be better than WEP.
 

Phipli

Well-known member
> To focus on the latter, let's say a bad actor is now on my local network, what services do they now have access to?

Home networks aren't generally designed as securely against other devices on the LAN, the web interfaces for network devices are available, including all their individual vulnerabilities. It's best to keep unwanted users out, put your security effort into a concentrated location, not need to get it right for every single device on the network.

> I honestly think you're overstating the risk

I think it is low likelihood, not low consequence. Given there is no reason to run WEP, why risk it? Especially as people map insecure networks.

> A firewall can block outgoing connections (the crimes you talk about)

You block outgoing http with your firewall?

> I have a NAS type thing but... it's already got a hole in the firewall so I can access it from the outside!

And you have as much security internally as externally? It doesn't have LAN guest shares or less secure shares like SMB?

> But this is what I mean by being specific in your threat modelling: understand what services you have running and how they might be vulnerable. And if you're talking about a laptop that ever goes to a coffee shop or library or similar, then you should already have those protections in place.

I'd sooner have a good front door than need to lock all my cupboards. It doesn't mean I wouldn't lock away the jewelry, but I'd still rather not have strangers wandering around my house.

I'm not going to argue about the insecurity of insecure APs. The benefits don't outweigh the risks.
 

Phipli

Well-known member
> I wonder how secure a MAC address filter network actually is... I mean it's a bit annoying setting that up as you would have to put in all your devices, phone, tablets, desktops, portables... but should be better than WEP.

Not great - you can get MACs by sniffing and spoofing is easy. It stops some 12 year olds, but not someone who can Google for 5 minutes and vaguely knows what to Google.
 

paws

Well-known member
Yeah, I'm sceptical about MAC filters and limiting connections as well. Hiding your wifi is also purely cosmetic. Not sure if anyone's brought up a coffee shop-style captive portal (I think some routers have that built in now?), but that's also a nuisance more than actual security. A 50 centimeter fence will keep most people out of your garden and thus serves a function, but it's not much of a security system...

> You block outgoing http with your firewall?

I don't, I even run a web server here. But considering the state of the world maybe permanently blocking 80 and 443 in both directions would be an improvement to my quality of life...

> And you have as much security internally as externally? It doesn't have LAN guest shares or less secure shares like SMB?

Actually, no, everything is SSH/SCP. Maybe this is a special case. I suppose I don't know much about how mainstream operating systems set this up. But I will say that for a normal user, whose network consists of laptops, Chromecasts and phones, my analysis is that wifi security is much, much less of an issue than it was 10-15 years ago. Especially given how most of those will also travel to public networks where they will be exposed. You make a good point about a router's web interface, though, and it's long annoyed me that I can't get the damn thing to turn off password SSH connections for some reason.

> I'd sooner have a good front door than need to lock all my cupboards. It doesn't mean I wouldn't lock away the jewelry, but I'd still rather not have strangers wandering around my house.

I understand your analogy, but this isn't wood and metal, it's packets and bytes. All I'm saying is that one should understand what's going on instead of repeating absolute advice that might be outdated.
 

cheesestraws

Well-known member
Can I suggest that we do not attempt to re-litigate the history of WiFi cryptography in this thread and stick to trying to work out the question the OP actually asked? :)
 

bigmessowires

Well-known member
Yes, appreciated. After giving it some thought, I think the most reasonable answers are simply not using WiFi or else enabling WEP only briefly when I want to get the iBook online, and disabling it immediately afterwards. Using a cable to a wireless ethernet bridge (or phone) just seems clunky and impractical.
 

Skate323k137

Well-known member
> Using a cable to a wireless ethernet bridge (or phone) just seems clunky and impractical.

Seemed that way for me too until I realized it was less hassle than enabling separate hotspots with old technology, running LAN everywhere...

I hope you can find a solution that makes sense for you :)
 