Many have probably heard of the Internet Watch Foundation…

Most probably heard of it for the first time when the new story broke that they effectively blocked Wikipedia in almost all of the UK. Now, the Wikipedia has had it’s share of criticism — but endorsing child porn is not one of them.  However, the Internet Watch Foundation thought otherwise.

The Internet Watch Foundation, having missed it’s true calling to protest the Scorpion’s 1976 release of their Virgin Killer record, decided to wage an Internet crusade against Wikipedia for displaying the album art cover (which featured a nude girl with a glass crack obscuring her genitals). This is despite the album (with it’s associated cover art) being available for sale at amazon.co.uk, as well as in stores in England.

All this media attention has made the image more popular than ever before. Quite the opposite of what they wanted, no?

So how does the Internet Watch Foundation work?

The IWF maintains a blacklist to which the UK ISPs can voluntarily subscribe… “voluntary” being the key term, as ISPs feel a good deal of public pressure to subscribe to the list. No one wants to have the stigma of allowing “hardcore child porn” on their ISP. In addition, this “voluntary” compliance helped to stave off burdensome government regulation of the internet industry that may have been even more onerous.

However, as critics of the great Aussie firewall are quick to point out, ISP filtering can easily be bypassed with the simplest of proxies. In short, it simply doesn’t work. Everyday consumers and surfers are inconvenienced and pirates and child pornographers are unimpeded.

One can only wonder what we will face in the US if RIAA and it’s allies succeed in their objective of getting US service providers of filtering internet content on a widespread basis.

The truth of the matter is that the Internet Watch Foundation has overstretched it’s bounds. And while they may have wisely reversed their decision on the Wikipedia blacklist, their folley has caused even their champions to question their operations.

A few weeks ago, Elcomsoft reported that is had developed a software to harness the power of a GPU to brute-force WPA/WPA2. What that could mean is that, for a scant $1,000 in hardware, one could break the encryption used on wireless networks. While this price may sound prohibitively high, two top GPUs in SLI is fairly common in high end gaming. People dedicated enough to break into corporate networks now have a means to do so.

That’s the theory, atleast.

As one keen commenter pointed out, the reality and sheer mathematics behind it is mind boggling. WPA2 can be 63 characters using lower case, upper case, numbers, symbols, provides 94 choices for each character. If I use a 63 character password, that 63 character password could be one of 1.9 * 10 ^126 possible choices.

If you want to have a 100% chance of brute forcing this key in one year one would still need to execute 6*10^118 trys a second.

It would be faster to attack the 256 bit hash as this only has 1.1*10^77 permutations.

So if one could issue 3.6 *10^69 commands per second one could guarantee a break in one year. Lets assume that it takes 10 flops (floating point operations) to test one key. As of August SETI@HOME is executing an average of 150 terra-flops (150*10^12). Therefore one would still need ~ 2.5 *10^56 SETI@HOME projects to break one key in one year.

The most efficient computer uses 2.8 watts per GFLOP. Therefore it would take 2.5*10^59 watts to break one key. Since the average usages of power for all people on the planet is 15 TW we would need 1.5*10^46 times the current power output of the planet to break one key.

Unless someone is using a weak password, like “aaaaaaaa”, it’s rather unlikely someone would be able to successfully crack WPA2.

Why am I taking the time to point this out? The short explanation is that I’m tired of lesser admins and specialists preaching to me that WPA2-PSKs are insufficient safeguards for wireless security, especially in a business/enterprise setting. This is simply not the case. While it may be optimal to use WPA2 Enterprise set ups in corporate environments, the reality is the many IT departments are run on a shoestring budget. The mark of a good IT consultant is not how fast, powerful, or secure they can make something with an unlimited budget… but how well they can make do on a budget resembling the McDonald’s dollar menu.

Some theorist suggest that link security, such as WEP and WPA, may eventually take a backseat to data security, such as VPNs.

So, for the time being, you can sleep soundly knowing that your WPA2 networks are secure… secure as you make them.