| Post 21 made on Wednesday January 30, 2008 at 02:28 |
Peter Dewildt Loyal Member |
| |
| As far as the mobile phone comparison goes, it must be realised that the design cycle for a Pronto is much longer than for a mobile phone. The 9600 was released 18 months ago - its design was locked in a long time before that - maybe 3 years ago or more. |
Peter Pronto 1000 (retired), Pronto TSU7000, RFX6000 (retired) Pronto 2xTSU9600, RFX9400 |
| Post 22 made on Wednesday January 30, 2008 at 15:29 |
bcc Long Time Member |
| |
| On Wednesday January 30, 2008 at 02:21, Peter Dewildt said... |
| I'm not confused. Bert was implying that, if he had a Pronto using WPA, he could communicate at "n" speed. |
Ok, it just looked that way. The fact that you suggested that the pronto can't be changed from 802.11g in response to a discussion about WPA suggested that you thought n vs g was relevant to the discussion, when in fact it is not. The wireless security problem of the pronto shouldn't get bogged down in an orthogonal speed discussion, which is what I wanted to point out. |
| Post 23 made on Wednesday January 30, 2008 at 15:45 |
bcc Long Time Member |
| |
| On Wednesday January 30, 2008 at 02:28, Peter Dewildt said... |
| As far as the mobile phone comparison goes, it must be realised that the design cycle for a Pronto is much longer than for a mobile phone. The 9600 was released 18 months ago - its design was locked in a long time before that - maybe 3 years ago or more. |
My wireless access point, with WPA support, came out in 2003. (Just a consumer grade model at that). Widespread reports on the completely insecure nature of WEP have been out for years as well. It's not as if WPA was some new emerging technology that was not viable or was generally thought of as superfluous while the current prontos were being designed. |
| Post 24 made on Wednesday January 30, 2008 at 15:47 |
bcc Long Time Member |
| |
| [oops was just trying to edit my previous post for clarity; can't delete this post now...] |
| Post 25 made on Wednesday January 30, 2008 at 19:15 |
bert003 Junior Member |
| |
What I meant is that when I want to implement my Pronto into my main network, not only WPA2 must downgrade to WEP, but also all my wireless computers have to downgrade from 'N' to 'G' speed. I know the Pronto does 'G' but that's not a problem. The other computers have to downgrade to 'G' too because they must use WEP too. At least with my router. For that reason I mentioned 'N'.
But besides complaining about the lack of WPA2, which should be added by Philips, I am looking for a workaround.
So I am thinking of a separate (WEP) router which connects my Pronto + RFX9400 extender + the second NIC in my HTPC. With a different IP-range and subnet. Then I feel quite safe. At least as long as my HTPC is turned off.
My question is: Can a small router like the Linksys WRT54GC work as a router without using an internet connection? Can I just leave the WAN port alone and use the 4 LAN ports? From the downloadable manual I can't see an option to turn off Internet access, but the screendumps are just too small to see it very well. |
| Post 26 made on Thursday January 31, 2008 at 09:48 |
AC4LT Long Time Member |
| |
| On Wednesday January 30, 2008 at 19:15, bert003 said... |
| My question is: Can a small router like the Linksys WRT54GC work as a router without using an internet connection? |
Yes, you can do that. Then the only systems at risk are whatever you connect to that AP. But, if any of those systems have access back to your main WPA network (perhaps because they are connected via a wired net or a second wireless card) then you've still left your main network vulnerable if there's any risk that those systems could be hacked. You need to decide your own risk comfort level.
For me that wasn't an option because my receiver can stream internet radio and so needs access to more than just a local-only net. Since the primary goal for me for a remote like this was to have it get info from the receiver and a streaming file server everything needed to be on the same. Instead I bought a harmony one. Not nearly as sophisticated but it handles the control aspect well. Of course it lacks the extent of customizability of the prontos and the ability to display feedback from devices that can provide status info, but it will serve until someone manages to coexist with a modern network. |
| Post 27 made on Thursday January 31, 2008 at 11:04 |
Techeeze Junior Member |
| |
Okay I feel like we are all beating a dead horse here and getting caught up in semantics. The fact of the matter is that the Pronto does not support any security mechanisms stronger than WEP. IMO this is a huge issue and one that definitely warrants some production/solution efforts by the Philips team, or at least a formal explanation. I understand the design cycle that Peter mentions in this post, but that still does not make it okay that the Pronto line of remotes is asking users AND installers to open up a HUGE hole in one’s home or business network. Seriously guys you will have to spend thousands of dollars on your networking infrastructure to segment out a WEP VLAN that would protect your co-existing WPA infrastructure properly. It is not as simple as just plugging in another Linksys, Netgear, D-Link, etc. wireless router and putting it on WEP. You will have to have enterprise class networking gear that you can segment out into separate VLANs in order to do this correctly. And even then you are still opening up a hole if you need it to talk to another device on your wired or WPA network. So it is just not feasible. And as WEP is definitely growing long in the tooth, cracking it is just becoming more and more widespread. And your neighbor kids that used to just go door-bell ditching are now sitting at home wondering if they can break into your home network. And trust me... They can.
So let me ask this... If you were installing some home automation in (or are fortunate enough to own) a multi-million dollar home, would you always leave all of the doors in the home unlocked and the alarm turned off just because it was a nice neighborhood and you could trust everyone around the home? My guess is... ABSOLUTELY NOT. But that is exactly what you would be doing by setting up a WEP network in these houses. While a thief may not be able to walk in and steal any physical items, I would imagine that the computers of that home would contain all of the information one might need to steal someone’s identity, financial information, and plenty of other private information. And what’s worse they could be doing this while the owners are sitting in the home enjoying ALL of the hard work you did without EVER knowing it until it was too late. So they pretty much could be in there 24/7 whether the owner was there or not. Then if that does happen, and it is discovered how this occurred, “Do you want to be in that situation”? I DO NOT and hope Philips addresses this issue quickly. On a side note I do not believe that the Pronto’s wireless adapter is compatible with 802.11 A or N. So if you have a wireless network that operates solely over one of these bands then it WILL NOT work with the Pronto. But fortunately since 802.11 B and G are much more widely accepted most wireless routers and/or wireless access points support the B and G bands to some extent.
Again just my 00000010 bits. Thanks |
| Post 28 made on Friday February 8, 2008 at 12:45 |
Duckyduck Junior Member |
| |
| On Wednesday January 30, 2008 at 02:28, Peter Dewildt said... |
| As far as the mobile phone comparison goes, it must be realised that the design cycle for a Pronto is much longer than for a mobile phone. The 9600 was released 18 months ago - its design was locked in a long time before that - maybe 3 years ago or more. |
Nope, if I'm correct they were going from idea to product in 9 months. Somewhere on the net you can find a (Dutch) article describing this process. |
| Post 29 made on Saturday February 9, 2008 at 07:59 |
pbuechel Junior Member |
| |
hi Philips,
under no circumstances will we use any WLAN equipment which is not WPA or WPA2 capable. So your new remotes are out of the race. We will then use Windows Mobile PPC.
bye |
| Post 30 made on Saturday March 22, 2008 at 17:29 |
hunger Long Time Member |
| |
| Support for WPA has been required for Wi-Fi certification since August 31, 2003. I find it shocking that Philips, a Wi-Fi Alliance member, does not include support for WPA in the Pronto TSU9400, a product released in 2007. |
| Post 31 made on Saturday June 28, 2008 at 04:53 |
RexSub Long Time Member |
| |
| I heard from Philips on Thursday that they are about to release (next week) a white paper detailing how to set up one network with WPA (for your LAN) and another with WEP (for your Pronto). Not sure if it is going to be using one router, or how, but that's what they said. |
| Post 32 made on Saturday June 28, 2008 at 09:33 |
nyjklein Long Time Member |
| |
That's just ridiculous! We need WPA support, not instructions on how to do what we already know how to do (i.e. kludges to make partly secure what should be fully secure).
And unless Philips has decided to release their own router firmware, it won't be one router/WAP.
Jeff |
| Post 33 made on Saturday June 28, 2008 at 17:46 |
Wim J Long Time Member |
| |
| On Saturday June 28, 2008 at 04:53, RexSub said... |
| I heard from Philips on Thursday that they are about to release (next week) a white paper detailing how to set up one network with WPA (for your LAN) and another with WEP (for your Pronto). Not sure if it is going to be using one router, or how, but that's what they said. |
One will at least need a "smart" switch and two access points to get this working imho. But even then, with a WPA and WEP access point on the same network security is less than with just one WPA access point. With a smart switch one adds some security by defining which traffic is allowed between the network parts, and what is not allowed. But that's basically all. |
| Post 34 made on Monday June 30, 2008 at 07:45 |
Chris Horn Founding Member |
| |
| On Saturday June 28, 2008 at 04:53, RexSub said... |
| I heard from Philips on Thursday that they are about to release (next week) a white paper detailing how to set up one network with WPA (for your LAN) and another with WEP (for your Pronto). |
If that's true, then the current PRONTO TSU 9x00 range is plain DEAD.
We have home servers and mass storage devices which contain lots of sensible or valuable data and that are supposed to be controlled by PRONTOs.
I know networking methods pretty well (DMZ, managed switches and VLANs come to mind first) and have deployed such scenarios in the past. As long as a WEP connected device is supposed to exchange bits with the storage devices of whatever flavour, it cannot be made secure. Firewall rules between subnets or MAC address filtering do not help. Everyone saying the opposite either has no clue or is in the sales army. The latter then produces whitepapers to 'solve' this.
The only valid approach to do it right is to make WPA2 an option to choose from! Period. |
If you don't want to get better you stop being good. |
| Post 35 made on Monday June 30, 2008 at 16:01 |
TEZ1701 Junior Member |
| |
I was at a meeting at CEDIA and spoke to some of the guys from Philips, they are not going to add WPA because of the time taken to reconnect if it drops out, but they are going to produce a white paper in the next week showing how you can run alongside on a WEP network without security being compromised, don't know how but once I get the e-mail I will be happy to share. Also no intention of adding n card to Pronto because of the increase in power required, the next model 9800 has a hard wire ethernet port if that's any help but not available until September. If someone wants to crack your network and knows their stuff it won't matter what you use, it just takes time, knowledge and the programs to do it all available on the net. Sorry if I've got the wrong end of the stick but Pronto do promote running a separate network alongside your own network, not very practical I know |
| Post 36 made on Tuesday July 1, 2008 at 06:34 |
nyjklein Long Time Member |
| |
This idea that "If someone wants to crack your network and knows their stuff it won't matter what you use" is simply not true. WEP-encrypted WLANs are trivial to crack with readily available tools no matter what the network administrator has done. WPA2 PSK has not been cracked and is extremely secure if the encryption key is well chosen (and preferably changed periodically).
Jeff |
| Post 37 made on Tuesday July 1, 2008 at 06:51 |
Chris Horn Founding Member |
| |
| On Monday June 30, 2008 at 16:01, TEZ1701 said... |
| a white paper in the next week showing how you can run alongside on a WEP network without security being compromised, don't know how ... |
Exactly this is the problem. As long as we control devices within our security zone from outside (eg with a PRONTO) there is absolutely no way of doing this securely if the device itself is not connected in a secure way (eg WEP). No matter what whitepapers they produce.
You can set up a DMZ, do firewalling between secure and insecure subnets and whatever comes to mind. As long as you put a hole in there to control something on the inside, you're open. What sense would it make to have my Pronto in a DMZ that is allowed to read weather data and RSS feeds from the internet but not control my SlimServer/SqueezeCenter that runs on my home server? Among other things, that's what I have this remote for!
The WEP encryption has been broken some long time ago and you need approx. a minute to have the key in plain text on your screen. The sending MAC address along with the IP address of my PRONTO is in the header of each and every packet that is sent. MAC spoofing is trivial, the IP doesn't even have to be obtained via DHCP as it is known anyway but could be done as well. And then you (as an attacker) have all the routes to explore that are open to my PRONTO. Even worse, an attacker can surf the web from my account/public IP and I am held liable for what he does. Great idea! (and a very big deal in Germany) The _only_ way to prevent this is to deny access outside of my DMZ for the PRONTO which doesn't make sense for the reasons already mentioned. A whitepaper cannot change this. WPA2 as a user's choice can.
As long as your name is not Friday and you don't live on an island this is an invalid approach to overcome the situation of missing WPA2 encryption (which all competitors seem to have now, btw!).
I eMailed with Mr. Roels (Training & Commercial Engineer Home automation) from PHILIPS about this and sent him links to the RC forum threads dealing with WPA and PRONTOs. Until I get a different notice I suspect the worst (a whitepaper).
I'll update my RC profile to contain my eMail address. Anyone willing to discuss this is encouraged to do so. In this forum or by eMail.
Cheers from the ol country
Chris Horn
This message was edited by Chris Horn on Tuesday July 1, 2008 at 11:53. |
If you don't want to get better you stop being good. |
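Added example, not part of the thread or of any Philips material: the point argued in post 37, that a firewall hole opened for the Pronto is open to every station on the WEP segment, expressed as a small audit of an inter-segment rule set. All addresses, the MAC, the ports and the rule descriptions are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not from the thread):
# 192.168.50.0/24 = WEP segment for the Pronto, 192.168.1.0/24 = WPA2 LAN.
WEP_SEGMENT = ip_network("192.168.50.0/24")
INTERNAL_LAN = ip_network("192.168.1.0/24")

# Constructed inter-segment allow rules; everything else is dropped.
RULES = [
    {"src": "192.168.50.10/32", "mac": "00:11:22:33:44:55",
     "dst": "192.168.1.20/32", "port": 9000, "why": "media server control"},
    {"src": "192.168.50.10/32", "mac": None,
     "dst": "0.0.0.0/0", "port": 80, "why": "weather and RSS feeds"},
    {"src": "192.168.1.0/24", "mac": None,
     "dst": "192.168.50.0/24", "port": 80, "why": "AP admin page"},
]

def permits(rule, src_ip, src_mac, dst_ip, port):
    """Filter decision for one packet, based only on its header fields."""
    return (ip_address(src_ip) in ip_network(rule["src"])
            and rule["mac"] in (None, src_mac)
            and ip_address(dst_ip) in ip_network(rule["dst"])
            and rule["port"] == port)

def exposure(rules, untrusted):
    """Flows open to ANY station on `untrusted`.

    Source IP and MAC are sender-chosen header fields, so once the link
    key is not a secret they identify nobody: every rule whose source
    lies inside the segment counts as open to the whole segment.
    """
    return [(r["dst"], r["port"], r["why"]) for r in rules
            if ip_network(r["src"]).subnet_of(untrusted)]

def reaches_internal(rules, untrusted, internal):
    """Exposed flows that land on the protected LAN; a destination of
    0.0.0.0/0 covers the LAN as well as the internet."""
    return [e for e in exposure(rules, untrusted)
            if ip_network(e[0]).overlaps(internal)]

if __name__ == "__main__":
    for dst, port, why in exposure(RULES, WEP_SEGMENT):
        print(f"open from WEP segment -> {dst}:{port} ({why})")
    print("internal holes:", reaches_internal(RULES, WEP_SEGMENT, INTERNAL_LAN))
```

The second rule shows a common oversight: an "internet only" allowance written with an unrestricted destination also matches port 80 on the internal LAN unless an earlier rule denies it.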
| Post 38 made on Tuesday July 1, 2008 at 08:11 |
Lyndel McGee Loyal Member |
| |
Chris,
You should instead email prontoteam at philips dot com. |
Lyndel McGee Philips Pronto Addict/Beta Tester View EscientPronto 1.0.2 Docs - http://www.mediafire.com/do...hp?yyfzfzzok5z |
| Post 39 made on Tuesday July 1, 2008 at 08:37 |
Chris Horn Founding Member |
| |
Lyndel, I was given his e-ddress by my distributor to be the one to contact. I'll gladly refer the Team to these threads.
Done.
This message was edited by Chris Horn on Tuesday July 1, 2008 at 18:04. |
If you don't want to get better you stop being good. |
| Post 40 made on Tuesday July 1, 2008 at 09:26 |
SimonO Long Time Member |
| |
Chris, Mr. Roels has told me on more than one occasion that WPA will be included as an option in a future firmware, HOWEVER at CEDIA he seemed to indicate the opposite. It's obviously not a simple fix or they would have released it by now - they could release it tomorrow as an option, but what would be the point?
I agree that it should be able to do WPA - but it doesn't. If you can't live without it, then you're going to have to go with another system :-(... |
SO AV™ Level 3 Certified |