China Releases Own WLAN Security Standard 248
Lownewulf writes "This NetworkWorldFusion article describes the release of the GB15629.11-2003 wireless networking standard in China, a wireless standard similar to 802.11, but with better security. The IEEE is worried that this may lead to the need to support two different standards in wireless networking hardware." ziggyboy adds a link to CNET's article, noting that
"all wireless devices sold in China are required to comply to this standard from December 1."
Tinfoil hat or not? (Score:5, Interesting)
While WLAN equipment sold in China is required to comply with this standard from Dec. 1, a transition period has been granted that extends the compliance deadline for some WLAN products until June 1, 2004.
This sounds terribly rushed. How long have they been working on GB15629.11-2003 for (the
These questions lead me to believe that there are two possibilities here:
- B: The Chinese
government is rushing to get beat the IEEE people to make this an
early standard which will make worldwide adoption easier. Now re-read
A and drop the "on its people". Tell me if you feel better.
That all said, you don't need to wait for these committees to finish fighting to harden your wireless LAN. At work we use IPSec over our 802.11[bg] stuff which is all VLAN'd and routed to an outside interface of our Cisco PIX.On Tinfoil hats and then some (Score:5, Insightful)
Coincidentally, the majority of members of the WI-FI Alliance [wi-fialliance.org] are American companies, so I would be skeptical to pass this off as nothing more than a `shit China is gonna kill us with their low manufacturing costs' response. If the security is supposedly better as the post states, than why not verify this, and migrate to it. Wouldn't that make more sense than basically stating "you're security is good! but it's not a standard so we don't want it"
Re:On Tinfoil hats and then some (Score:3, Insightful)
If we all had a dime for every time someone came up with a new encryption scheme and
Re:On Tinfoil hats and then some (Score:3, Interesting)
national standard ISN'T a vintage, time-worn
cryptosystem? Just because a standard was
issued recently doesn't mean that the material
being standardized isn't old.
Re:Tinfoil hat or not? (Score:5, Insightful)
My guess is that this has to do more with patents than with anything else. China has been consistent in their drive to force the industry towards products that they can manufacture without having to pay patent licensing. Since the Chinese probably don't have much wireless equipment already installed, they don't really care about existing standards based on someone else's patents. They would much rather use their tremendous market power to drive industries towards commoditization.
In short, the relative security of 802.11[bg] is a red herring. They don't give a crap about that, and they won't change their mind if the security in their standard gets busted tomorrow.
The Chinese plan is to force current wireless manufacturers to be compatible with the Chinese standard, and then come out with their own chips that implement the Chinese standard. They can then sell these new chips without paying any patent licensing fees and use their inexpensive labor to undercut the foreign products.
Of course, if it means lower prices for wireless products I am all for it. Heck, I would gladly buy products that only supported the Chinese standard if it worked and was less expensive than the current standards.
Re:Tinfoil hat or not? (Score:2)
Re:Tinfoil hat or not? (Score:3, Informative)
If you are looking for an excuse for a non-tarrif trade barrier China picked a pretty good one here. The IEEE group that designed WEP was originally a closed US only cabal taking its security advice from the US NSA.
The 'standard' will be required for all WiFi gear sold in China, to gain access you have to have a licen
Re:Tinfoil hat or not? (Score:2, Funny)
Bureaucrats Getting Things Done Proactively (Score:2)
Whether the bureaucrats involved wil
Re:Tinfoil hat or not? (Score:3, Insightful)
You're not cynical enough (Score:2)
2. Government declares this technique to be the Chinese standard, effective immediately.
3. Profit!
Re:Tinfoil hat or not? (Score:5, Interesting)
"While WLAN equipment sold in China is required to comply with this standard from Dec. 1, a transition period has been granted that extends the compliance deadline for some WLAN products until June 1, 2004."
This sounds terribly rushed. How long have they been working on GB15629.11-2003 for (the ..-2003 may be a hint)? How well has it been scrutinized by security people?
These questions lead me to believe that there are two possibilities here:
A: This is a system that the Chinese government built weaknesses into to spy on its people.
B: The Chinese government is rushing to get beat the IEEE people to make this an early standard which will make worldwide adoption easier. Now re-read A and drop the "on its people". Tell me if you feel better.
That all said, you don't need to wait for these committees to finish fighting to harden your wireless LAN. At work we use IPSec over our 802.11[bg] stuff which is all VLAN'd and routed to an outside interface of our Cisco PIX.
Personally, I see this as the beginning of the fulfillment of the warnings security experts have raised over the past 10 years which were ignored despite the thirty foot tall letters of fire that said "ignore this at your peril." US Companies and Governments have taken a consistently anti-security stance, fighting the addition and development of more secure products, fighting security research, fighting the exposure of insecure products, etc etc.
Work on cryptography and encryption has to be done outside the US because of shortsighted laws and the aforementioned atmosphere. The crappiness of US wireless technology has been pointed out again and again only to be met with "STFU you terrorist! Do you want to destabilize our economy even more?" Now China is coming out with a better standard and US companies are scared to death people will switch since they refused to develop a decent one.
I am not saying the Chinese method will be the best, either. On the contrary I think that it will be the beginning of a trend of better, more secure products being made in countries other than the US where innovation can actually occur without running afoul of our brain-dead IP and antisecurity laws. China not being a hotbed of innovation normally only suggests that we have much much worse to fear from countries which have a more individualistic culture.
Re:Tinfoil hat or not? (Score:5, Interesting)
For the past few years, China has placed top priority on the development of its golden shield project, which with the help of American companies like Cisco and Canadian companies like lucent, is the most ambitious surveillance project in history. It essentially allows public security (gong'an ju) unprecendented access to citizen's data, both government (i.e. danwei information) and private (email, telephone conversations, text messages, etc.). They want to make sure its citizens aren't discussing democracy, praticing falun gong, or any other unauthorized religion like roman catholicism (or any church that doesn't have a "patriotic" association with the government, or having an unauthorized birth.
I'm laughing at myself cuz I know I sound slightly paranoid, but it's true.
More info on golden shield (these three links are the same report, i'm posting three links as a hedge against any slashdot effect)here [ichrdd.ca] here [totse.com] and here [openflows.org]
*** If you're really interested in this subject, check out Ethan Gutmann's upcoming book losing the new china [amazon.com] his insight and understanding will really blow your mind.
Re:Tinfoil hat or not? (Score:2)
explained as stupidity.
What this is, is someone's cousin got a fab,
so the principal called his brother-in-law
on the central committee, and got him to
push a rule through some puppet engineering
group that guarantees that said cousin will be
first-mover in a multi-billion-yuan market.
Re:Tinfoil hat or not? (Score:2)
> would be able to push through a regulation
> of this level without broader government
> support.
That's very touching naivete. Quid pro quo
is the name of the game, man. It works the
same way here in the U.S. For example, a
fellow I know set up a manufacturing process
for plastic pallets, but he saturated the
U.S. market, so he couldn't grow anymore.
One phone call to his sister's husband later -- he's an assistant to the director of the
U.S. Customs bureau
Re:Tinfoil hat or not? (Score:2)
If the Chinese want to spy on their people, all they need to do is to encourage use of existing 802.11{a,b,g} equipment with WEP encryption, since it is trivial to sniff.
As others have said, the Chinese are sick of paying patent licensing fees to the West. They already build almost everything, and if they keep the patent fees too, they get to keep all the money. So that means that they will want to design their own standards.
Re:Tinfoil hat or not? (Score:2)
China unless they are selling products for
export. This is a domestic market rule
designed to give insiders a big fat monopoly
window to entrench themselves as the market
leader.
New Standard (Score:5, Insightful)
Re:New Standard (Score:3, Insightful)
The Chineese aren't the only sharks in the ocean. The US Government doesn't seem to be promoting much better; they j
Re:New Standard (Score:3, Insightful)
Re:New Standard (Score:2)
The adjective meaning "from or having to do with China" is spelt Chinese, not Chineese. SilentSage (original poster) got it wrong (consistently) and now this new word is propagating. Posting history would indicate that SilentSage is American and you are Canadian. Sic transit gloria mundi.
Re:New Standard (Score:2)
Re:New Standard (Score:3, Insightful)
discredits the autonomous nervous system.
IEEE is not an American standards organization.
It is an international professional organization
which promotes engineering standards globally,
defined by engineers from all over the world,
including China. IEEE is not ANSI.
No, somebody's cousin is gonna make billions
of yuan off of this little rule, and that's
why they came up with it. Corruption, pure
and simple.
802.11i? (Score:4, Funny)
Re:802.11i? (Score:2, Informative)
Judge the product on the merit of the standard's details, not on your expert html skills.
Re:802.11i? (Score:2)
Standard (Score:2)
Rus
So now the 800lb gorilla... (Score:5, Funny)
Flavor of linux (RedFlag)
DVD standards
wireless encryption
Video compression (AVS)
Taikonauts
Access to windows source code
Web searching (Chinese Search Alliance)
CPU architecture (Dragon)
Is anybody else out there as concerned as I am about this?
Re:So now the 800lb gorilla... (Score:5, Insightful)
The US has all of the above (or rather, US *Corporations* do)... I personally think that for this power to be shared among countries is good - too much one way is bad.
I'm not sure I trust US corporations to 'do the right thing' any more than I trust the Chinese government.
David
Re:So now the 800lb gorilla... (Score:2, Insightful)
They're not supposed to be able to profit or spin off of the freeworld's innovation. What was the UN thinking?
I thought the whole point of building a government the right way was so that one day you could reap technelogical benefits for the greater good. But now, after we've made the cake, China gets to eat it too. Something is dreadfully wrong when a country lik
No, they'll get someone else to do it. (Score:3, Insightful)
Oh, for those trolls who might want to respond, "Yeah, but that was a hundred years ago..." might do well to read this link [mindfully.org]. Here's a short excerpt;
Re:So now the 800lb gorilla... (Score:2)
You were saying? [slashdot.org]
Oh, wait. You're right. In China, they charge you for the bullet. That'd never happen here. As you can see, in America, the bullets are supplied as an integral part of the complete RIAA package. :)
not in the USA... (Score:2)
Re:So now the 800lb gorilla... (Score:2)
Well, then you're not very smart. Show me a US corporation that runs over students with tanks, kills millions of inconvenient surplus citizens with manufactured famines, exersizes draconian population control, and has nuclear weapons. Oh, but China hasn't tried to stop us from downloading free MP3's or playing DVDs on our Linux boxes, so I guess it all balances out.
no (Score:2)
I'd be happy to have a Cuba style trade embargo in place with China till they have something aproaching free speach and many of the other provisions of the much abused US Bill of Rights. The idea that we will destabilize their governemt by pouring wealth in
Re:no (Score:2)
China has rather more ecconomic leverage than the US. If China stops buying US bonds (they are the largest government purchaser) the US budget deficit and trade deficit would quickly reach crisis point.
The US budget deficit will be $500 billion this year. The major causes are the tax cuts and the sharply increased spend
Re:So now the 800lb gorilla... (Score:2)
China violates human rights, but they are a long way from "one of the worst" these days. Compared to, say, Saudi Arabia, China is a paragon of personal freedom.
more rope (Score:2)
Very secure devices (Score:3, Funny)
standards joke (Score:5, Funny)
Get Used to It (Score:5, Insightful)
Re:Get Used to It (Score:2)
Re:Get Used to It (Score:2)
(Pssst - hey, buddy: your tinfoil is showing.)
It seems to me that Western governments are trying their best to improve the technical education of their people. Do you have evidence otherwise?
It also seems to me that the "corporate elites" have even less influence on the education level of the average citizen than the government does. To the extent that they do
Re:Get Used to It (Score:2)
Namecalling is the technique of the intellectually bankrupt.
It seems to me that Western governments are trying their best to improve the technical education of their people. Do you have evidence otherwise?
What I would suggest you want to look at here:
Enrollment in Science programs prior [nsf.gov] to H-1b/L-1 [h1b.info] expansion and after. I think what you'll see is that the effect of offering large numbers of visas to those in Scientific and technical fields has been to d [keys2it.org]
Re:Get Used to It (Score:2)
Pot, kettle, black.
Enrollment in Science programs prior to H-1b/L-1 expansion and after.
Fun with statistics, tactic #1: always assume causation. Just because I come home 90% of weekdays just before sunset doesn't mean I cause the sun to set by doing so. There may be other factors at work.
Entrance to technical fields is cyclical, following supply and demand and what's trendy. The pressure of immigration on the job market more constant, s
Re:Get Used to It (Score:3, Insightful)
B15629.11-2003 is a bit of a mouthfull... (Score:5, Funny)
...wouldn't Wi-Chi be better?
Starbucks China... (Score:2)
I saw this in Command & Conquer Generals (Score:5, Funny)
Forget accounting fraud and unethical stock manipulations... The real threat will be obvious when hundreds of men from China gather on the lawn 100 feet away from the Pentagon and pull out their laptops.
Security on AP's is a BAD idea (Score:3, Insightful)
What do people want encrypted? Their credit card numbers? Encryption of sensitive information like CC#'s is (should) be handled by SSL where the data is encrypted BEFORE it leaves the pc. No wireless encryption needed. Their e-mail? If they are sending that sensitive of information, they probably shouldn't use standard e-mail in the first place. They should encrypt a document and then e-mail it or encrypt the e-mail itself.
I am still yet to find a situation where encrypted wireless signals make sense for home or even business situations. If it is a business that is in need of securing their communications, they should use VPN's anyway.
I think it makes more sense for an additional independent circuitry to be installed on AP's that does VPN's and build into wireless cards a VPN client or include VPN software. Hell, even make an externally pluggable device that attaches to an AP so that it can be upgraded as future VPN's get stronger in encryption.
Leave AP's to do what the do best--serve wireless clients.
Re:Security on AP's is a BAD idea (Score:2, Insightful)
Another example... you're using software which reguarly communicates between machines with data (i.e. a database software) but hasn't got the idea of encrypting the sent data build in and your company relies on said program. Therefore, you ge tit to
Re:Security on AP's is a BAD idea (Score:2)
No.
you use a file server
There is no reason a file server can't have a VPN and use that as it's gateway. Any connecting clients (and the Apache server for that matter) can all communitcate over the VPN.
software which reguarly communicates between machines
Again, any and all of these machines can run a VPN client and use their VPN as their gateway.
Next.
Re:Security on AP's is a BAD idea (Score:2)
I guess if everyone used it then the playing field is level again, though.
Re:Security on AP's is a BAD idea (Score:2)
Or use VPN, which sets up an encrypted tunnel at the IP layer, which effectively encrypts all of your transport protocols from the perspective of someone outside of your
Re:Security on AP's is a BAD idea (Score:2)
The security standard is mean to offer equivalent privacy a wire (which is not that private).
I have no trouble with multiple layer of security. Especially that not every site or e-mail server use encryption (SSL) to access their resources. I may not want absolute privacy when sending some e-mail but I don't want everybody in my neighborhood to be able to read them without efforts.
Re:Security on AP's is a BAD idea (Score:2)
That is access control and not an encryption issue. Even still, WEP offers no such guarantee.
Step 1) Sniff wireless packets.
Step 2) Crack WEP keys while you eat your lunch or take a sip of a beverage depending on the level of WEP used.
Step 3) Clone MAC address.
Step 4) Conenct and surf/whatever until you get bored.
The security standard is mean to offer equivalent privacy a wire (which is not that priv
Re:Security on AP's is a BAD idea (Score:3, Interesting)
For instance, suppose you send me an encrypted email that is transmitted over a wireless network at some point in its path. Someone eavesdropping on the wireless almost certainly can't decrypt the message - but they can tell that a message was transferred, and
Re:Security on AP's is a BAD idea (Score:5, Insightful)
Second, anything that is broadcast over the air can be picked up and recorded. If it's not encrypted, you run the risk of letting anything you do on your WiFi. They don't even have to connect to your AP....they could just fire up the laptop with the WiFi card in promiscuous mode and scan away. I agree with you that cc numbers and really important things SHOULD be encrypted befor sent, but personally, I really don't want just anyone else knowing what websites I go to even though I do have nothing to hide.
Lastly, even if you did have some security built into the AP (even if your using something more then WEP), I'd still require a VPN to get to the internal network. As it is, AP's probably don't have the horsepower to do user authentication plus you probably already have LDAP or something else internally for authentication. Plus adding the VPN as a requirement for WiFi users also adds another layer of security.
Re:Security on AP's is a BAD idea (Score:2)
Not if your wireless network is segmented off by the VPN server.
Re:Security on AP's is a BAD idea (Score:2)
In this environment, the concept of stealing bandwidth that is already shared outside your control is somewhat meaningless.
That said, I agree that there should be security in the AP. My reason is that currently law enforcement has inadequate skills to investigate criminal activity originating at a given IP, without implicating the AP owner. As a result, a sec
Three good reasons. (Score:2)
snip..
Encryption of sensitive information like CC#'s is (should) be handled by SSL
Well, for one thing because not everything we want to do is over the HTTPS (or similarly encrypted) protocols. For example, I may not want people to track my web surfing habits, even if its only non-SSL sites.
For another thing, I may not want people to know the hosts I communicate with, even if the payload is encrypted. I don't want them
Hardware encryption is bad, encryption is good. (Score:2)
How about in a doctor's office? Don't tell me that wireless is of no use to doctors, that's short sighted. Wirelessly checking your mail with anthing other than a ssh connection on a university campus is a bad idea. Web browsing with passwords might is a bad idea unless you are 100% sure the website in question encrypts identifying information and anything else you might consider sensitive
It isn't the *data*, it's the *connection*. (Score:2)
Re:Security on AP's is a BAD idea (Score:2)
If that is the case, then why do so many people post as ACs to slashdot? Some people sometimes dont want what they say traced back to them.
Re:Security on AP's is a BAD idea (Score:2)
Re:Security on AP's is a BAD idea (Score:2)
Re:Security on AP's is a BAD idea (Score:2)
Not sure if you mean legacy wireless equipment or legacy computer/software equipment.
Either way, it doesn't matter becuase I am talking about new wireless equipment and computer equipment doesn't care about how its data packets get from point A to point B as long as they do. The only thing needed would be proper drivers.
Re:Security on AP's is a BAD idea (Score:2)
No, you are right. And if you are using WEP, you aren't really securing that data right now.
Which would be more expensive for you--deploying a VPN solution to secure your wireless or being sued for $100 million for someone finding out that John Smith is really the father of Jane Doe's baby or that John Q. has AIDS?
Multiple radio standards not an issue (Score:3, Interesting)
I applaud this! (Score:3, Interesting)
You know what, I'm fed up with this. Might just as well buy this Chinese gear then... (And run IPsec over it).
IEEE (Score:3, Insightful)
MHO: I do not think the IEEE has anything to worry about. For all I care, any Government can release their own home grown networking stack/protocol standard in regards to IEEE's 802.3
Will people accept this new standard? Who will manufactures trust: One Government/Country, or a respected body encompassing more than 380,000 individual members in 150 countries..promoting consensus-based standards?
As a consumer, which would you choose/trust?
Re:IEEE (Score:2)
Well, according to the BBC [bbc.co.uk], there are currently 1,260,000,000 people in China. Last I checked, that's a much larger market that the 380,000 members of the IEEE, and comperable, if not more than, the markets of all those 150 countries combined.
If the Chinese get pretty serious about rolling out computing equipment to their people (and stuff like this new standard suggests that they will), the more than a billi
Re:IEEE (Score:2)
Re:IEEE (Score:3, Insightful)
It is not a choice (Score:2, Interesting)
This poses a couple of issues for international companies. Why spend development money on both a US and China standard? The US does not mandate that you have to use 802.11b, so why not ditch it and go with the Chinese standard, cutting development and support costs in half?
I work in retail. Trust me, consumers really don't care. Hell, half the time they don't even care if what they buy works, so long as they like what it looks l
IEEE worried? (Score:5, Insightful)
Re:IEEE worried? (Score:2)
Dom
Wireless Standards horse (Score:5, Insightful)
So what if china wants their own wireless standard, there are so damn many already, one more quasi-secure wireless network isn't going to be revolutionary.
This is the way the game is played (Score:5, Insightful)
Example: the NTSC, PAL, SECAM, MESECAM, etc standards for broadcast TV. Why do we have so many of them?
Another example: HDTV (US picked 8-VSB, Japan picked COFDM).
China has now realised that it is heavy enough (in "Gorilla" terms) that it is beginning to throw its weight around. A recent example was the new DVD format, EVD [latimes.com]
There is a reason for different TV standards (Score:3, Insightful)
Because TV was invented before the computer chip. Back in the dark mists of time you needed a way to get a clock cycle for your video signal. The easiest way to do this was to use the cycles in your AC mains power. In the US that is 60Hz while in Europe 50Hz was used, leading to two different framerate standards (NTSC is not 30 fps because of a hack performed when color was added to the broadcast sig
Learning from Microsoft (Score:5, Insightful)
Re:Learning from Microsoft (Score:2)
IEEE Worried? (Score:4, Interesting)
Since when did the IEEE become the ultimate authority on standards? It's a USA institution remember. Other countries have their own institutions for this..
And it's not as if the IEEE is the most unbiased institution of them all. Corporate money decides what's a standard more often than not nowadays...
As far as the issue of standards themeselves. Since when do we have to always follow standards, especially others'? If something works better for more people, then bring it on. Progress occurs when breaking with tradition/standards and there is merit to the new system/whatever. Not by blindly following the old standards.
that concern is unjustified (Score:3, Insightful)
That concern is entirely unjustified: 802.11 currently doesn't have any meaningful security. So, there won't be "two different standards", there will be just one: the Chinese one. Let's hope it catches on.
The IEEE should bow its head in shame--802.11's WEP was a complete fiasco and an embarrassment to engineering profession.
WPA (Score:2)
Maybe China doesn't want people to steal bandwidth (Score:3, Insightful)
In the USA, having bucket loads of bandwidth is easy and cheap. However I suppose that isn't the case in China.
Wifi makes it real easy for one to steal another's bandwidth. (Especially with WEP
While China is a communist gov't that doesn't care for freedom of speeh blah blah blah blah. It does need to look out for its own people. I for one see this only has a preemptive measure against what might be a serious problem in the future (especially for China's high population density).
Sunny Dubey
Now I know why communism is bad (Score:2, Insightful)
I've got an idea for a standard (Score:2)
Now, how nice would it be to use an SSL/SSH type connection to your access point? If that wasn't good enough, code a be
Comment removed (Score:3, Interesting)
Oh no! (Score:3, Funny)
ha ha! (Score:3, Interesting)
How about this: the LSB is about to formalise its own unix standard based upon Linux at ISO, despite the 90% similarity between LSB and POSIX. Apparently, the LSB folks claim Linux is sufficiently different and many other bogus Microsoft like arguments.
You think that I am joking ?
Re:So.. (Score:2, Insightful)
If it has better security why isn't it a worldwide standard?
um.. Windows is a worldwide standard. You can't equate the robustness of the product with the number of users.
Re:So.. (Score:3, Insightful)
I'm pretty sure it was chosen for the people and not by the people.
Re:So.. (Score:4, Insightful)
Even most desmocracies were set up by the powerfull and not the 'people' - usuall powerfull internal forces (the revolutionaries with big ideas and lots of guns) or by powerfull outside forces (the invading armby with big ideas and lots of guns).
Re:So.. (Score:3, Insightful)
-j
Re:Primary post! (Score:2, Troll)
Given that this story was released December 10th, why was this modded offtopic? someone with a brain and a sense of humour mod it as funny, please.
Re:Did they really say... (Score:2)
That said, I reiterate my previous epithet...asshats.
Re:Did they really say... (Score:2)
Be realistic. China could probably hack into any wirelesss security standard that you will be allowed to use anyway, not to mention the NSA, or any other self respecting intelligence agency. If you're that important that China wants to spy on you, you shouldn't be using a wireless lan to transfer sensitive data.
Re:Did they really say... (Score:2)
Why could China not make a system with encryption more secure than AES? Nothing indicates it is less secure, either (unless we assume that AES is the insurmountable pinnacle of encryption technology).
My statement was meant to mention what the poster said (that it was supposedly more secure) in a way that pointed out the stupidity of vendors ignoring a (supposedly) more secure option.
Re:Dual Standards (Score:3, Informative)
One standard, several ways of being shafted. Just like DVD zoning