Archive for the ‘Eircom’ Category

Eircom Respond to Netopia Security Issue

Tuesday, October 2nd, 2007

In the two days since I posted about the security flaw in Eircom broadband routers’ default configuration, coverage has spiraled to the front page of the Irish Times and elsewhere. In the words of a former roadie for Metallica: “new shit has come to light, man”. Bart got a reply from Eircom. I am surprised to say that it looks like everyone’s favourite Irish telecoms operator (excluding BT Ireland… and Smart Telecom) are taking this seriously and responsibly. I am obliged to nitpick, however, at a particular section:

“This vulnerability makes it possible for a person with an advanced working knowledge of encryption and coding techniques to access an eircom customer’s Internet connection”

Eircom, you are missing the very crucial point here. We are not worried about the person with an advanced working knowledge of encryption and coding techniques - WEP is no protection against these guys to begin with. We are worried about the guy with NO knowledge of encryption and NO coding techniques, who can simply wander over to s4dd’s Eircom WEP Key Generator website and type in his neighbour’s SSID.

A lot of people missed the issue here, focusing instead on the demerits of WEP encryption. Here’s the analogy: someone sells you a new car with those old-fashioned locks on the side of the window that you push down / pop up. Anyone who knows what they’re doing can break through this security mechanism simply by using a coathanger, but at least your car is locked, right? What if everyone in Ireland had the key to the car? The fact that there are better ways to secure your car than using those push down / pop up buttons suddenly becomes irrelevant.

This is not about the strength of WEP - it is about being sold short. It’s about thinking you have a Cornetto when it’s really just a Wibbly Wobbly Wonder. It is also a funny story about an over-enthusiastic programmer who spent weeks thinking up an elaborate key-gen algorithm but was so distracted by the Hendrix solo in his head that he overlooked a pretty significant weakness in his magnum opus. But more importantly, it is about a false sense of security (albeit partial security) given to Eircom broadband customers.

So how will Eircom respond? According to the letter sent to Bart, they’ll contact everyone affected outlining the issue, with advice on how to handle it. They’ll be upgrading the security on their routers and will also try to improve the general security awareness of their customers. Could we ask for anything more? This does not sound like the incompetent Eircom I’m used to dealing with. Business development managers at Monster.ie could take note!

Eircom DSL Routers Security Flaw

Sunday, September 30th, 2007

A post on Irish Linux Users’ Group a while ago linked to this boards.ie thread about a major weakness in the way the default WEP key for your Netopia is generated. The WEP key is formed from the serial number of the router and some Jimi Hendrix lyrics. That’s fair enough you might think, because nobody knows your serial number, right? For some reason, the Eircom SSID is also generated from the serial number in such a way that, given the SSID, you can easily find out the serial number, and hence the WEP key. The process has already been automated via an Eircom WEP key generator. I haven’t tried it myself, but one ILUGer has already reported that it works.

Some people will point out that WEP hardly gives much protection to begin with, since it can be cracked so easily and quickly by someone who knows what they’re doing. But now, even the laziest kid on the street can hack into your network without ever having to worry about command prompts or aircrack-ngs. Eircom broadband users would be wise to change their SSID from the default, and to switch to WPA encryption while you’re at it. (Surf to 192.168.1.254 and it’s in the options there somewhere…)

Update: I removed the link to s4dd’s site with the WEP key generator. There’s no point brushing stuff like this under the carpet, I think it is important to raise awareness about this, but at the same time I don’t want to be responsible for anyone stealing your email.
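The design flaw described above, as an added sketch that is not from the original post and is not the Netopia algorithm: a provisioning self-test that measures how often a device's default key can be computed from nothing but its broadcast SSID. The encoding, the fixed text and every function name here are constructed for illustration.

```python
import hashlib
import secrets

# Constructed stand-in for the fixed text mixed into every default key.
FIXED_TEXT = b"constructed-fixed-text"
MASK = 0x5A5A5A  # constructed, reversible SSID encoding (not the real one)


def _derive_key(serial: int) -> str:
    # Deterministic: same serial and same fixed text always give the same key.
    return hashlib.sha256(str(serial).encode() + FIXED_TEXT).hexdigest()[:26]


def weak_provision(serial=None):
    """Flawed design: SSID and key are both functions of the serial number."""
    if serial is None:
        serial = secrets.randbelow(2**24)
    return f"isp-{serial ^ MASK:08d}", _derive_key(serial)


def hardened_provision():
    """SSID and passphrase are independent random values set per device."""
    return f"isp-{secrets.randbelow(10**8):08d}", secrets.token_urlsafe(16)


def key_from_ssid(ssid: str) -> str:
    """What anyone in radio range can compute once the scheme is public."""
    serial = int(ssid.split("-")[1]) ^ MASK
    return _derive_key(serial)


def predictable_fraction(provision, trials=200) -> float:
    """Share of provisioned devices whose key follows from the broadcast SSID."""
    hits = sum(key_from_ssid(ssid) == key
               for ssid, key in (provision() for _ in range(trials)))
    return hits / trials


if __name__ == "__main__":
    print("weak:", predictable_fraction(weak_provision))
    print("hardened:", predictable_fraction(hardened_provision))
```

The weak scheme scores 1.0 regardless of how strong the hash or cipher is, which is why the fix is to break the link between the broadcast name and the secret rather than to tune the derivation.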

Eircom DSL Losing Sync

Friday, November 10th, 2006

I’m happy with my new Eircom Broadband connection, but it’s not the reliable service that it used to be. Tonight I was knocked offline for a few minutes, as my router lost its connection for no apparent reason. I don’t have a particularly weak signal to noise ratio, and I’m not far from the exchange, but this is not the first time I have been randomly disconnected. I’ve had a couple of search referrals to this site from users who are clearly experiencing similar issues, e.g. “why is my eircom broadband connection always failing”. I know Paddy is having a terrible time in the past two weeks, being disconnected most evenings and sometimes unable to connect for hours. Eircom send out engineers and replace routers, but nothing gets fixed.

Eircom Netopia Router

This thread on boards.ie blames the new batch of Netopia routers that Eircom provide - the silver ones with two aerials and ‘eircom’ written on top. I’ll track down my trusty old Solwise SAR110 router and see if that makes an improvement, but I’m wondering if Eircom’s network is sick at the moment. Is anyone else having problems?

Gaping Holes in Irish Internet

Monday, May 8th, 2006

I got the Sunday Tribune today, and was pleased to be greeted by the broadband coverage map made by Damien Mulley and John Handelaar. There it is in big bold font: “Gaping holes in Irish internet”: Mulley 1 - 0 Eircom.

Noel Dempsey’s spokesman admirably exhibits the art of saying nothing but saying everything, in the generic please-everyone response:

“Broadband is a top priority for the minister because it is an essential building-block for the knowledge economy. While the minister is not satisfied with the current situation, significant progress has been made over the past two years”.

I’m happy with that response from the government, because the score remains at 1-0. But the fatcats never lose. Enter Eir“SUCKERS OF SATAN’S COCK”com. David McRedmond took a break from projectile vomiting to respond: “Your mother’s in here, Damien. Would you like to leave a message?” before going on to say that the map is “grossly misleading”. I wish I had been interviewing David McRedmond when he said that, because my next question would have been “SHUT THE FUCK UP YOU MORON”. Where exactly is it misleading, let alone grossly misleading?? Is that not a map of Ireland? Are those yellow blobs not marking every enabled exchange? Does this map not actually make Eircom’s coverage look far better than it really is?

Mr. McRedmond, I will give you an example of something that is misleading:

“we are making broadband available as much as it is anywhere in Europe, and this is a fantastic achievement”

I could never be a reporter, or a politician, because when someone comes out with a statement like this, I just can’t let it rest. To me it is an assault on humanity, because somebody might believe it. It brings me back once again to the Islamic cyber-terrorists threatening our safety with their Battlefield 2 mod - as long as you have stupid reporters who don’t research anything and ignorant politicians who don’t know anything then we will never have progress.

Adolf Hitler asserted that the masses will more easily fall victim to a huge lie than to a small one. Forget about your “uhh it’s not as bad as it seems” approach - reach for the stars: “it’s fantastic”. This is an old trick, and by far the most effective way to cover up for a complete disaster. It used to happen at Intel - somebody fucks up and there’s a crisis in the department, all hands on deck trying to restore productivity, and next thing they’re all queueing up at the award ceremony, patting each other on the back. Eircom’s “fantastic achievement” in enabling all these exchanges in the past year has been made possible by their ABSOLUTE INCOMPETENCE in the preceding years. Do you want me to praise you for being YEARS behind schedule?

Thank you Ireland Offline for having the patience to stand up to this, because when it comes to technology, our politicians are rabbits in headlights, with myxomatosis. Just look at the Health Service Executive and their cutbacks last year - then count up how much they pissed away on everything IT related. And I’m not just talking about their payroll system. As long as you can keep the “fantastic achievements” coming in your monthly reports, then you’ll never have to worry.

I’m not even going to start on the electronic voting saga. Before they’re allowed stand for election, every prospective TD should complete a mandatory two weeks “WAKE THE FUCK UP” course in technology.

I am from Cork, Ireland. A fan of the Big Lebowski, Mac OS X, Linux, Cork hurling, Munster rugby, Irish football. Interests include QuakeWorld, Python (lately Django), network security, web applications and technology in general.
