Digiland DL718M tablet: a review

The Digiland DL718M tablet is an inexpensive (sub-$40) tablet sold at consumer electronics stores like Best Buy. Make no mistake, it’s a basic tablet for basic needs. But given reasonable expectations you can buy one of these and be happy with it.

This isn’t a new market by any stretch. But it seems like tablets in this price range are usually Black Friday specials, or only available on online marketplaces far abroad. The Digiland DL718M is one you can get today if you want.


DD-WRT needs to be saved, but I won’t bet on it happening

A college classmate asked me if there’s anything to the stories that DD-WRT might potentially get locked out due to new FCC regulations.

Unfortunately the answer is yes, there may be something to it.


How to find inexpensive routers to run DD-WRT

I’ve been using and recommending DD-WRT for years, but it’s getting harder to find inexpensive routers to run DD-WRT. Many inexpensive routers now use non-Broadcom chipsets that DD-WRT and other third-party firmware don’t support well, or at all.

But there’s still a way to get inexpensive, compatible routers that isn’t likely to change any time soon.


Build the best, most secure wifi in your neighborhood

My neighbor asked me for advice on setting up wi-fi in his new house. I realized it’s been a while since I’ve written about wi-fi, and it’s never been cheaper or easier to blanket your house and yard with a good signal.

Blanketing your house and yard while remaining secure, though, is still important.


What to look for in a wireless access point

A good way to eliminate dead zones in your house where wifi doesn’t work is to add one or two wireless access points to your setup.

Access points, thankfully, are no longer stupid expensive–they used to cost twice as much as a router in spite of being nothing more than a cut-down router–but almost every access point I’ve looked at has one or more compromises built in. That said, if you want something you can plug in and configure by filling out three or four things, you might be willing to live with those compromises.


Initial upgrade reports on the HP Stream and Pavilion Mini

Earlier this year at CES, HP introduced its HP Stream Mini ($180) and Pavilion Mini ($320 and $450) mini-desktops. They’re small, inexpensive, and in the case of the Stream, silent. They turn out to be surprisingly upgradeable as well. Ars Technica has details and benchmarks, but of course I have my own priorities based on their discoveries.


If you’ve been delaying upgrading your network, keep delaying

If you’ve been procrastinating about deploying 450-megabit (802.11n) wi-fi to your house, I have a reason for you to procrastinate a while longer: Gigabit wireless (802.11ac).

It’s only about twice as fast as its predecessor, which pales next to the 8x improvement 802.11n provided over 802.11g, but if you’re wanting to stream HD media through your house, you’ll notice the difference.

Attack of the $99 Droid-Pads

A 7-inch, underpowered Android tablet that may or may not be available at your corner Walgreen Drug Store made some big waves today. It’s underpowered, but it’s supposedly on sale for 99 bucks. Regular retail price is $129.

Yes, for 99 bucks, it’s a toy. But it could be a fun toy.

How to secure your wi-fi router

It’s not enough to know what to look for in a router. I wanted to get some solid advice on wi-fi network security. Who better to give that advice than someone who built an airplane that hacks wi-fi? So I talked to WhiteQueen at http://rabbit-hole.org, the co-builder of a wi-fi hacking airplane that made waves at Defcon.

Hacker stereotypes aside, WhiteQueen was very forthcoming. He’s a white hat, and I found him eager to share what he knows.

“Hypothetically speaking, if you lived next door to me, how long would it take you to get into my wi-fi network?” I asked him.

Surprisingly–at least it surprised me–if you use WPA2 with a strong password, you can make it take years. While I can’t keep him out indefinitely, it’s entirely possible to make it so difficult that anyone not specifically targeting me will just move on to someone else. And you can too.

Why should I care?

Perhaps you heard in the last couple of years about credit card information being leaked out of TJ Maxx and Marshalls store networks. A 29-year-old Cuban-American named Albert Gonzalez admitted to the theft and re-selling of 170 million credit card numbers from 2005-2007. He stole them off poorly secured wireless networks.

The September 2010 issue of Hakin9 magazine (hakin9.org) details the crime, and how it could have been prevented.

WhiteQueen pointed me to page 47, which showed a diagram of Gonzalez’ wardriving setup. All of the equipment is easily obtained, or fabricated using instructions that are readily available.

Passwords

If your password is something like “popcorn,” he can break it in less than 45 minutes. Dictionaries containing a couple million possible weak passwords exist.

So, what’s a good password? He recommends something 14-25 characters long, mixed case, with a couple of numbers and special characters, not substituting numbers and symbols for vowels, l337-style. th!sIz@s3cur3p@ssw0rd! isn’t quite what it claims to be. Use a random password generator, he says. A Google search will turn up web pages that will generate them for you.

You don’t have to type that password all that often, he said, so the pain/security tradeoff isn’t all that high.
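As an added illustration that is not from the original post, the Python example below generates a passphrase matching the recommendation above with the standard `secrets` module, and shows why l337-style substitution does not hide dictionary words. The word list, substitution table and function names are constructed for this example.

```python
import math
import secrets
import string

# Letters, digits and punctuation: 94 printable ASCII characters. Space is left
# out (a choice made for this example) to avoid entry mistakes.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list; a real check would use a large dictionary.
SAMPLE_WORDS = {"this", "secure", "password", "popcorn"}

# Common l337-style substitutions, mapped back to the letters they stand for.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "!": "i", "$": "s"})


def generate_passphrase(length=20):
    """Return a random passphrase of 14-25 characters with mixed case and at
    least two digits and two special characters."""
    if not 14 <= length <= 25:
        raise ValueError("length must be between 14 and 25")
    while True:
        # secrets draws from the operating system's CSPRNG, unlike random.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and sum(c.isdigit() for c in candidate) >= 2
                and sum(c in string.punctuation for c in candidate) >= 2):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on the entropy of a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet_size)


def dictionary_words_found(password, words=SAMPLE_WORDS):
    """Return the words still readable once l337 substitutions are undone."""
    plain = password.lower().translate(UNLEET)
    return sorted(w for w in words if w in plain)


if __name__ == "__main__":
    print(generate_passphrase(), f"~{entropy_bits(20):.0f} bits")
    print(dictionary_words_found("th!sIz@s3cur3p@ssw0rd!"))
```

The generated value fits within the 8 to 63 printable ASCII characters that a WPA2 passphrase allows.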

WPA2 vs. WPA vs. WEP

You can forget about WEP. There are enough vulnerabilities in WEP that he can break it in minutes. WEP is effectively like the lock on your screen door, only useful for keeping honest people out.

Consider this. There are free tools that run on Android that crack WEP. You can’t install them from Google’s app store–you have to root the phone–but anyone with a little determination can do it. It might take a typical Android phone from 2010 30 minutes to break a WEP network, but 2011’s phones should be able to do it in about five, which is about how long it takes an Atom netbook, circa 2010, to do the job.

WPA is better, but it also has vulnerabilities. There are automated tools for breaking WPA too. For $17, WPA Cracker will attempt to break a WPA network, and on average, it takes 40 minutes. And it’s not the only option out there.

If you’re serious about keeping someone with his abilities out, use WPA2.

You can increase the security of your WPA or WPA2 network by hibernating or turning off your laptop when you’re not using it. Attacks against WPA require something with an active connection to be using it at the time.

SSID

Setting your SSID to not broadcast is an old security trick, but it doesn’t gain you much anymore.

He said you might as well broadcast your SSID. Wireless networks just work better if you broadcast it, and you don’t slow a hacker down very much by not broadcasting it. You just make the hacker stop and run a tool to look for hidden SSIDs. Not broadcasting the SSID hurts you a lot more than it hurts him, he said.

But don’t include easily identifiable information in your SSID. Keep your last name, house number, and street out of it. Personal information not only helps an attacker identify his target, but it also helps a hacker create a personalized dictionary to run against your network.

Pick something with no connection to you. The more meaningless, the better. The more bland, the better. Don’t make it something that identifies your network as belonging to you, and don’t make it something that makes it look like you’re hiding something interesting.

The best is just a plain old number (other than your house number), or random gibberish.

WhiteQueen said there are mainly two reasons a lowlife might want to get into a network. Either you have data he wants, or he wants to use your network to jump off and do something else. That could be jumping off to hack another network, effectively using you to cover his tracks. Or it could be downloading illegal stuff he doesn’t want to use his own network to download.

Preventing the second case is easy. If your network is harder to hack than your neighbors’, that guy will always pick the guy whose network is wide open, or the guy who never changed his password from the factory default, or the guy who’s still running WEP.

So, the simple advice of using WPA2 with a strong password protects you from that guy.

For extra protection against someone who specifically wants to get into your network to get at your data, he recommends a second router. Or turn off wi-fi completely.

Plug your modem into one router. Assign that router an address space of 10.something. You can set the password to something your laptop-toting houseguests won’t mind typing in, but of course, you want it strong enough that passers-by jump on someone else’s network instead of abusing yours. Ten characters, mixed case, with one number and one special character would be reasonable.

Then, plug a second router’s WAN port (not one of its LAN ports) into a LAN port in the first router. Assign that router a 192.168 address space. Either turn off its wireless, or turn on WPA2 and assign a nice, strong password to it. Plug your desktop PCs, your NAS, and that kind of stuff into the second router.

For the security paranoid, the two routers should be different. Different revisions of the same model could be OK (such as an early, pre-v5 Linksys WRT54G or WRT54GL based on Linux and a later v5-v8 WRT54G based on VxWorks), but different models or different brands entirely is better. That way, if someone uses a vulnerability in one to get through, he still has to get through a second one to get to your network. Of course, don’t forget to change the default passwords on your routers.

Vulnerabilities in wireless routers do come up from time to time. http://www.cvedetails.com/ has a nice database of vulnerabilities, which you can search by vendor and product. Fortunately, vulnerabilities that crash the router are a lot more common than vulnerabilities that let someone come in and do something.

Fixing them is just a matter of downloading the latest firmware from the vendor and installing it.

Hakin9 adds another step: Lock down the router to allow a limited number of connections. If you have two computers, set the router to only allow two connections. Then hard-code the MAC address of those machines. The procedure to do this varies from router to router.

The moving target

It took about five years for a vulnerability to be found in the original WPA. And brute-force attacks–trying every possible password–are much more practical now than they were in years past. The typical $500 consumer PC of today is a supercomputer compared to anything that was available in 2001.

So far, there are no known vulnerabilities in WPA2, so in 2010 the only way in is to use brute force.

Here’s some good news: A dictionary suitable for cracking 8-character passwords using all 95 of the easily typable characters on the U.S. keyboard would require approximately 11.91 petabytes to store. The largest available hard drive in 2010 is 3 terabytes–an order of magnitude smaller–so it’s safe to say we’re still a few years away from being able to store that kind of information on the desktop.

A dictionary file suitable for hacking 14-character passwords consumes a mere 4 brontobytes. What’s a brontobyte? One brontobyte would hold approximately 1,000 copies of the World Wide Web, circa 2010, in its entirety.

This is a bit of an oversimplification, but in 1990, consumer hard drives were measured in megabytes. In 2000, they were measured in gigabytes, and today, in 2010, they’re measured in terabytes. We may be pushing 2020 before we get to petabytes. So it’s more likely that someone will discover a flaw in WPA2 before that’s practical to store. But that, too, will take time.

But don’t feel too secure. A hacker who wants in will throw every dictionary he has at you. And WhiteQueen said hackers tend to collect passwords as they discover them, and add them to their dictionaries. He said humans aren’t very good at being random, so when they find a password one human used, there’s a good chance another human will use it.

The second-best thing you can do is stack the odds in your favor. The best thing you can do is keep your wi-fi turned off.

What to look for in a router

I revisit the topic of what to look for in a router every six or seven years. As important as it always was, I think it’s even more important today, as there are a number of underpowered routers on the market and it’s best to avoid them.

This post originated in 2010. I revised it for 2017 needs, and by the time I was done, I’m not sure much of my 2010 text was left. But that’s OK.
