WPA2, KRACK, WTF? a basic, basic summary

The following started as notes to myself in preparation for talking about the KRACK weakness in the WPA2. It is far from comprehensive (I wrote it to be about as basic as I could), but could be helpful in understanding the basics of what is going on with it and why you should be concerned, but you shouldn’t freak out. My biggest take away from this is that we need to do a better job in how we talk to people about digital security and how imperfect the landscape is. More important than understanding one specific vulnerability is helping nontechnical people develop a framework for understanding how security research works and what steps they can take to start understanding the devices and infrastructure that they use.

 Wait, What?
In July, Mathy Vanhoef, an academic security researcher in Belgium, discovered a problem with the most common way to set up a password protected wifi network (WPA2). At first Vanhoef contacted the manufacturers of the devices where he initially discovered this. Then, he realized that there is a much larger problem and contact CERT/CC, an organization funded by the US government that works on digital security and sometimes helps researchers with vulnerability disclosures. Vanhoef is presenting his research soon at a couple different conferences, so a preliminary version of his paper has recently been made available. While the initial attack only affects some devices, all platforms are vulnerable to at least one variation of the attack found by Vanhoef.

This is group of vulnerabilities is being called KRACK, standing for Key Reinstallation AttaCK.

How WPA2 and this attack work
When your device connects to a wifi router, there’s a back and forth between the two before you can connect to the internet. WPA2 uses a 4-part handshake to make sure that you are connecting to the wifi you think you are connecting to. What Vanhoef found was that if someone pretends to be the wifi router you want to connect to, if the impostor router sends that request again at step three, the device will resend the requested information and the imposter router will be able to to figure out the shared secret key between the router and the device, allowing the attacker continuing impersonating the router and to decrypt the data sent between the router and the device. More recently, similar attacks have been successful at other points of negotiation between your device and a router, like when you move from one router to another on the same wifi network. The core problems come from the ability to make the routers reuse keys.

Accessing your data there would let the attacker see your internet traffic and they may be able to get your device to switch from HTTPS to HTTP, which would mean that they could see the content that you were accessing or sending, including passwords. The problem with WPA2 means that HTTPS is even more important right now.

Why this matters to individuals
We rely on WPA2 to secure much of our internet traffic. We send all sorts of sensitive data over wifi, like passwords, financial data, and health information. We rely on the internet for many things every day and we need to be able to trust this important infrastructure with not only more traditional kinds of sensitive information, but also our most personal communications and private questions.

The KRACK vulnerability requires a targeted attack. Unlike a lot of security issues, anyone attacking you would have to be within wifi distance (generally 90 meters or less). Most people are probably ok, but this can be a serious problem for people with higher levels of risk, such as activists, journalists, human rights defenders, and domestic violence survivors; as well as for networks with higher security needs, like those connected to health and finance.

What you can do about it
The main thing that you can do is install updates on your wifi router firmware and all of the devices that you use to connect to wifi. You will be protected as long as your device is patched, even if the wifi router hasn’t been. Because the main issues with someone having this kind of access is tricking your device into using HTTP instead of HTTPS or content injection (where an attacker makes it look like content is coming from a website, but it isn’t),you can also install the HTTPS Everywhere browser extension and remember to check for the little green lock to the left of the website address.

Windows has already put out a patch. Apple is about to release theirs (currently in beta release and waiting to make sure that it doesn’t contain bugs). Several of the Linux distros have addressed this. The Android update is scheduled for 5 November, but it is unclear when individual phones will actually receive the patch because updates have to go through the phone manufacturers, instead of directly to end users.

VPNs also offer protection, but when you use a VPN, you are trusting the VPN provider with all of that information about your internet traffic.

This isn’t something you can fix by changing your wifi router or network password, but it is always a good idea to use strong, unique passwords instead of the defaults. Diceware passphrases are particularly good for this.

How problems like this are discovered and addressed
There are thousands and thousands of security researchers, some academic, some professional, some in their free time, who poke around at the internet and related technologies to understand better how they work and to find problems so that they can be fixed. Many companies have programs specifically set up to handle security vulnerability reports, which are sometimes called “bug bounties.” When a problem with an individual device of application is discovered, the researcher will generally contact the company directly and report the problem. With something so overarching, like KRACK, the researcher may ask an organization like CERT/CC to assist in the process of figuring out how to responsibility disclose the security problem.

In both cases, once the researcher has told affected parties about the issue, there’s generally a certain amount of time where the problem is kept secret so that a patch can be put in place. After that chunk of time, the researcher may announce the issue even if the patch is not yet in place. This is partially because otherwise companies might not feel the need to work quickly on the patch and because other people could also discover the issues, so staying quiet doesn’t necessarily keep the general public safe.

The bigger picture
A lot of the time, we accept the technology around us without really thinking about what it is or how it works. When we don’t understand what we are using, it’s very hard to know what kinds of risks we are taking or what decisions we are actually making. Wifi Routers aren’t magic. They are tiny computers with radios attached. In the current state of consumer electronics, we don’t necessarily know if the devices we are using are getting security updates and it can be very hard to tell. That means it is really hard to push for better options as an end user. We are increasing understanding just how important router security is and the lack of understanding of it and the relative lack of firmware updates for routers will be an increasing problem as more and more devices connect to the internet wirelessly.

Links links links!
Site explaining the research, from Vanhoef: https://www.krackattacks.com

HTTPS Everywhere: https://www.eff.org/https-everywhere

Information about diceware passphrases: https://www.eff.org/dice

Refresh on HTTPS: https://www.eff.org/pages/tor-and-https

The paper: http://papers.mathyvanhoef.com/ccs2017.pdf

Vulnerability notes database for KRACK (to check if a particular device is affected): https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

Very early Ars Technica article on KRACK: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

And a comic for all of us who are so over waiting for critical firmware updates: http://www.commitstrip.com/en/2017/10/16/wpa2-vulnerability-just-a-small-update

Friends of PM Press, May 2015 edition

The past few months have been crammed full of good books, but I have been too busy reading them (and working) to update.

This month I received:

  • Signal: 04, edited by Alec Dunn and Josh MacPhee. Signal bills itself as “A Journal of International Political Graphics & Culture.” Articles in this volume cover Palestinian Affairs (a publication of the PLO), large-scale visual interventions by the Bay Area Peace Navy, artistic responses in Juárez, Mexico, to long-term femicide occurring there, the Kotare Trust Poster Archive in New Zeland, Kommune 1, the artist behind the cover art for Three Continents Press, and the Punchclock Print Collective of Toronto.
  • The Big Gay Alphabet Coloring Book, by Jacinta Bunnell & Leela Corman. This is, unsurprisingly, a coloring book. I am not hugely excited by coloring books, but this is a cute resource for those who are. Bunnell is the person also behind the Girls are Not Chicks and Sometimes a Spoon Runs Away With Another Spoon coloring books.
  • Sisters of the Revolution: A Feminist Speculative Fiction Anthology, edited by Ann and Jeff VanderMeer. This came out within a month of Octavia’s Brood from AK Press and I can only hope that it is less of a fluke of publishing and more of an indicator of the reaffirming of the the connection between people who seek to imagine a different world and write about it and those who seek to imagine a different world and enact it. This book is co-published with Geek Radical and was assisted by a 2012 kickstarter, and appears to have been released approximately a year behind schedule. I have enjoyed the bits that I have already read and I excited for this book and the trend in general.

More information about the Friends of PM Press is available here.

Friends of PM Press, October 2014 Edition

This month I received:

  • Patty Hearst & the Twinkie Murders: A Tale of Two Trials, plus Why Was Michelle Shocked Shell-Shocked? and Reflections of a Realist: Outspoken Interview, by Paul Krasner, Number 14 in PM Press’ Outspoken Authors series, edited by Terry Bisson. Krasner is perhaps best known for publishing the controversial Disneyland Memorial Orgy (NSFW) in 1967.
  • Settlers: The Mythology of the White Proletariate from the Mayflower to Modern, by J. Sakai. Co-published with Kersplebedeb. This is an expanded new edition of the original which was published in 1983.
  • The City Is Ours: Squatting and Autonomous Movements in Europe from the 1970’s to Present, edited by Bart van der Steen, Ask Katzeff, and Leendert Hoogenhuijze, with a preface by George Katsiaficas and foreword by Geronimo. If the topic mater wasn’t already close enough to my heart to make this the next book I’m going to read, the title page image includes a “why call it tourist season if we can’t shot them?” banner.

More information about the Friends of PM Press is available here.

Friends of PM Press, September 2014 Edition

This month I received:

  • Abolish Work: “Abolish Restaurants” plus “Work, Community, Politics, War,” by prole.info, co-published with Thought Crime Ink. prole.info’s stuff is probably best summed up as accessible, intense class theory with starkly beautiful illustrations. Even when I don’t agree with their analysis, I’m always impressed with what they put out. I’m not a huge fan of Abolish Restaurants, but I’m glad that the discussion is happening.
  • Blood Lake, by Kenneth Wishnia. This is the fifth, and as of yet, final book in his Filomena Buscarsela mystery series, though I am holding out hope for more. If the previous books are anything to go on, this will almost having me wishing that my commute was longer so that I could keep reading.
  • Burning Britain: The History of UK Punk, 1980- 1984, by Ian Glasper. This book is split into chapters by region, and then within each chapter, broken down by individual bands. It is long and the print is tiny.
  • Who’s Afraid of the Black Blocs?: Anarchy in Action Around the World, by Francis Dupis-Déri, translated by Lazer Lederhendler. Originally published as Les Black Blocs. La liberté st l’égalité se manifestent by Montréal’s Lux Éditeur in 2007, with the first English language edition coming from Between the Lines in Toronto last year. This is currently the definitive book on looking past the “smashy smashy” and into the theory and history of the black bloc.

More information about the Friends of PM Press is available here.

Friends of PM Press, August 2014 Edition

Last month I received: 

  • Black Flags and Windmills: Hope, Anarchy, and the Common Ground Collective, second edition, by Scott Crow, with forewords by Kathleen Cleaver and John P. Clark (the latter is new to the second edition). Here is a written review of the first edition from Center for a Stateless Society and a promo video for the first edition. 
  • Dead Kennedys: Fresh Fruit for Rotting Vegetables, The Early Years, by Alex Ogg, with artwork by Winston Smith and photographs by Ruby Ray. 
  • The System, by Peter Kuper, with an introduction by Calvin Reid. This book is gourgeous. not just the art inside, but the book itself. I have already “read” (since there are no words) some of it, and it is exactly the kind of story about people in a city and the world that I have come to expect from Kuper. Even the blurb from Luc Sante on the back is amazing. 
  • Turning Money into Rebellion: The Unlikely Story of Denmark’s Revolutionary Bank Robbers, edited and translated by Gabriel Kuhn. Original German by Klaus Viehmann. Co-published with Kersplebedeb. This book is about the Blekingegade Group and includes historical documents and interviews with two of the groups long-time members. 

More information about the Friends of PM Press is available here.

If the next revolution is not intersectional, than it will be nothing.

This summer I wrote a piece to WSQ on my experience with gender in Occupy Wall Street. A strongly edited version of what I submitted has just been published in the current issue, Engage (Vol. 41, No. 3 & 4, Fall/Winter 2013), as Reflections on Legal Support and Occupy Wall Street, by Elena Cohen, Rose Regina Lawrence (look, ma! that’s me!), and Moira Meltzer-Cohen. Here is the original version:

If the next revolution is not intersectional, than it will be nothing. (1)

Jail support is the clean up after a march or action. It is a crucial part of taking care of ourselves and standing up to state harassment of activists through the use of an increasingly militarized police force and judicial system. It is long, boring, lonely, and frequently frustrating. Many people have never really heard of it, and those who have frequently think of the large days of action when there’s a sizeable group waiting for the arrestees to be released and the overall mood is a continuation of the sense of community felt earlier. When there are only a couple of arrestees and they are the more vulnerable, those with fewer resources, including social resources, the experiences is frequently far less joyous, but the support provided is even more important, both for the arrestee’s health and continued participation in political activism and for effecting the outcome of the legal case. It is hard to keep spending nights waiting outside police precincts, cold, often wet, and almost always harassed by the police for people one doesn’t know or like. This is one example among many of the very unglamorous drudge work that really builds movements. It is to street activism as dishes are to collective living.

I was the daytime jail support coordinator for Occupy Wall Street. The “coordination team” consisted of me and my partner, who handled the hotline at night while working. Neither of us went down to Zuccotti thinking about how much we wanted to take on that role. We saw a system that was incredibly hard on the people trying to help and knew that there were free telecom tools and a little bit of planning that could make it so much easier, more useful, and empowering. We could not help but step up.

We worked out most of the structure based on wanting to make it as easy as possible for people to participate on their own terms, specifically creating space for people who could not participate in the dominant activities and modes of behavior of Occupy. This meant no hours-long meetings, the ability to opt in or out as desired, kits that contained all the materials and information for someone either new to the idea of jail support or to New York City needed to be there on the ground, and real-time contact through phone and text so that being there on the ground was far less intimidating or flat out scary.

The group grew and shrank. Many of us got burnt out. Some of us kept going long after burning out, scared of what would happen to people who didn’t have close friends or family to wait for them. As the winter wore on, Occupy received fewer and fewer of the care packages that we had used to stock the jail support kits. After the eviction of the park and the loss of the major storage space, we no longer had a place to store the prepacked kits. Still, we were there when people were released from precincts and central booking.

Seven months after my partner and I kick started a new plan for jail support, a group of us issued a strike statement. We could no longer abide the macho bullshit “this isn’t really our responsibility” response that organizers had after months and months of suggesting, asking, begging them to step up their organizing to include jail support and to recognize that an action isn’t over until everyone can go home.

When all you have is your labor, all you can do is to withdraw it. We weren’t on strike for money, hours, or wages. We were on strike for a massive rethinking of how to approach a movement for social justice. When we went on strike, our statement overtly talked about gender. We felt that our work, that of cleaning up and caring for activists, was seriously undervalued and disregarded, with more public facing organizing deeming it not their problem, with a heavy hand of “beneath them.” We also recognized that this wasn’t just about us; the constant undermining and devaluing of the work of women and the work that historically has been designated as women’s work was widespread and deeply engrained. All of us, but especially people for whom Occupy was their political awakening, brought with us the hangups and prejudices from larger society. This was true about gender, true about race, true about class, and especially true at the intersections.

I was unemployed before Occupy. I was unemployed during Occupy. I was unemployed after Occupy. I am amazed by the level of involvement that many people, like my partner, managed to maintain while working full-time. But, for me, it was just Occupy and plenty of time to think about my labor for Occupy in the context of my labor outside of Occupy.

In the unemployment after Occupy, I read a lot in hopes of contextualizing my experience in a way that I could make sense of my frustration and figure out what I might do in the future to stack my personal deck towards more fulfilling, more successfully future organizing. Unrelated to that, I picked up Silvia Federicci’s Revolution at Point Zero, which has a section of her writings from the 1970’s and 1980’s regarding wages for housework. Federicci’s writings from almost half a decade ago about the struggle of poor, mostly Black, single mothers to seek recognition and legitimization of their labor, spoke more to the issues with labor valuation and recognition of work that I had seen within Occupy than anything else I had read.

In that moment it became so palpable to me that even with racial and class privilege, any movement that does not center the experiences of people of color, poor people, women and gender nonconforming people, people with disabilities, indigenous people, and everyone else who make up the wretched of the earth, will ultimately cut me down and refuse to value my labor because if our struggle is not a struggle against the whole kyrarchical network of abusive power relationships, then our struggle will never rise up beyond a struggle against each other.

I still organize with many of the people I met through jail support. Now we are explicit in the necessity of a holistic approach to combating state repression that constantly reinforces that one cannot make progress against capitalism or the state without confronting and addressing oppression. The issues that I saw with the valuation of unpaid labor within Occupy are by no means exclusive to it. I have found it in my search for employment (ie, labor of the paid variety). It is about gender, it is about class, it is about race and overall status in society, it is about the pathological ways we exploit each other, frequently without even thinking. Just like almost everything is. I owe so much to my elders who told me time and time again that this is a long journey and the far-view is the only view that will matter, and that, yes, people are a bunch of jerks much of the time.

Occupy was about everything, but mostly it was about how we as a society got to the 2008 mortgage crisis and accompanying economic mess. The next revolution, the next uprising, the next dreams for a better tomorrow that will break through the shell of the old will be intersectional at its core, or it will not be the next.

————–
1. This is a reference to a Foucault quotation: “if the next century is not Deluzian, than it will be nothing.”

Upcoming Event: Nothing to Hide, So Much to Lose: Understanding the NSA Leaks

I will be speaking at Nothing to Hide, So Much to Lose: Understanding the NSA Leaks this Thursday, August 22nd, 7pm, at Judson Memorial Church in NYC.

This event is going to be amazing. Mutant Legal, a group I have been part of since it’s inception, is the main force behind the event, with co-sponshorship from National Lawyers Guild-NYC, Agaric Drupal Collective, and Bill of Rights Defense Committee.

The panel discussion will be facilitated by Molly Knefel of Radio Dispatch and Nathan Sheard of the Mutant Legal Collective, with panelists Alfredo López of May First/People Link, Sarah Hogarth, a Human rights strategist and advocate, Abi Hassen, Mass Defense Coordinator for the National Lawyers Guild, and Thomas Hintze and Rose Regina Lawrence of Mutant Legal.

See you there!

Friends of PM Press, July 2013 Edition

Last month I received:

  • Snitch World, by Jim Nisbet, a crime noir novel co-published with Green Arcade
  • The Red Army Faction, A Documentary History: Volume 2: Dancing with Imperialism, introductory texts and translations by Andre Moncourt and J. Smith, introduction by Ward Churchill. Co-published with Kersplebedeb.
  • Left of the Dial: Conversations with Punk Icons, by David Ensminger.
  • John Shirley‘s New Taboos, plus…. Number 11 in PM Press’ Outspoken Authors series, edited by Terry Bisson.

More information about the Friends of PM Press is available here.

Update on NYS Bill A2736

A while ago, I wrote a short post about a piece of legislation in New York that would prevent police and prosecutors from using the presence of condoms as evidence of prostitution. The State Assembly session is almost over and that bill, A2736, still has not been brought to the floor.

Here’s what Red Umbrella Project has to say:

We need help from New Yorkers to get the bill to pass the Assembly before the end of session (which is tomorrow). Here are two calls you can make that really  make a difference. Each will take less than a minute:

Call Speaker Sheldon Silver’s office to urge him to put bill A2736 to a vote on the floor! The number is 518-455-3791

We are confident that we have the votes to pass the bill  once it is on the floor, but we need to MAKE SURE so please call your  Assemblymember and ask them to VOTE YES on A2736! You can find the info  for your Assemblymember here. Call your representative’s Albany office.

I have already made both calls, and I encourage you to do the same. NYC Department Health and Mental Hygiene distributes free condoms all over NYC free of charge. The Center for Disease Control even highlights that program as an example of a structural level intervention. This bill would prevent police and prosecutors in NYC and all over NYS from undoing the work of many government and nonprofit groups across the state.

Friends of PM Press, June 2013 Edition

This weekend I received:

  • Michael Moorcock’s Jerusalem Commands: The Third Volume of the Colonel Pyat Quartet, with a new introduction by Alan Wall. This is a huge work of fiction that I will almost definitly not read, but it does contain a bibliography that is also available here.
  • Towards Collective Liberation: Anti-racist Organizing, Feminist Praxis, and Movement Building Strategy, by Chris Crass, forward by Roxanne Dunbar-Ortiz, introduction by Chris Dixon. It is broken down into five sections: “While Learning from the Past, We Work to Create a New world”: Building the Anarchist Left; “We Make the Road by Walking”: Developing Anti-racist Feminist Praxis; “Because Good Ideas Are Not Enough”: Lessons From Vision-Based, Strategic, Liberation Organizing Praxis; “Love In Our Hearts and Eyes on the Prize”: Lessons from Anti-racist Organizing for Collective Liberation; and the Conclusion.
  • Maroon The Implacable: The Collected Writings of Russell Maroon Shoatz, Edited by Fred Ho and Quincy Saul, Afterword by Matt Meyer and Nozizwe Madlala-Routledge, Forward by Chuck D. Co-published by PM Press and Ecosocialist Horizons. I have been waiting for this book since I went to it’s release event back in early May.  That event made such an impression on me that when the book didn’t arrive in the May package, I called PM Press to ask about to (more on that another day).

More information on Friends of PM Press and why it’s amazing is available on their website.