Home Network PC/Mac folder sharing?
March 27, 2008 9:21 PM   Subscribe

If you're using WEP on your router, then that's not secure. Upgrade your router to one that uses WPA Personal minimum.

The 192 network your PC is getting via DHCP is a NAT firewall so theoretically it's protected behind that from being scanned by Internet script kiddies but you should still use the full array of anti-virus, anti-exploit and firewall tools. It's more likely you'll be exploited by downloading some free pr0n with a trojan in it than via your wireless network.

There's probably some secure protocol for doing transmissions between your PC and your Mac that would fairly easy to set up but nothing comes to my mind at the moment...SFTP maybe. I use FTP between my Mac and PC because the protocol is easy to run. I don't bother using further encrypting because the wireless signal is encrypted via WPA and that's secure.

My two cents worth...your mileage may vary.
posted by diode at 9:29 PM on March 27, 2008

If your wireless router is using WEP, then there is no way to make your wireless connections secure. On the other hand, the only way currently known to crack WPA or WPA2 is using dictionary attacks to discover the password that the pre-shared key is derived from. If you use a long (20 character) randomly generated password, WPA/WPA2 is secure.

If you then simply tell Windows to share your photos folder, you should be able to see and use that share from the Mac, and none of your neighbors will see squat; you don't need a tunnel.

The only way you'd need anything like a tunnel is if you've given your neighbors your wireless network key because that's the kind of generous soul you are, but you don't want them to be able to use a packet sniffer to look at your furry pr0n traffic in transit. In that case, using SFTP is indeed likely to be less error-prone than using Windows file sharing via a tunnel.
posted by flabdablet at 10:14 PM on March 27, 2008

In addition to using WPA, check to see if your router has MAC address filtering. Add your iBook's wireless MAC address (found under /Applications/Utilities/Network Utility - look for Hardware Address under the Info tab) and set the router to reject other network devices.
posted by phrayzee at 10:43 PM on March 27, 2008

Automated cracking tools can instantly spoof the attacker's MAC address to match one they see in use on your network, once they've cracked the WPA password. This means MAC address filtering is fairly pointless. Don't do it - it will only cause you grief when you forget you've done it. Same goes for turning off SSID broadcasting.

Your wireless network's security is only as good as your WPA key, so just pick an excellent key and be done with it.
posted by flabdablet at 10:59 PM on March 27, 2008

Use Windows built-in sharing. Password protect your system (of course) and turn off "Simple File Sharing". Share only specific folders, not the entire drive. In the Sharing tab, open Permissions. Allow access to these folders for one specific user account, best bet is to set access to read-only unless you really need read-write or full-control. In both Permissions and in the Security tab, don't specifically Deny access for other accounts or groups, just uncheck all the Allow boxes (this will remove access without actively denying anything, which can cause problems if you've denied Admin access but one of the allowed users is part of the Admin group, etc.).

Change your PC's default Workgroup as well (don't use MSHOME or WORKGROUP). Amazing to me how many people leave it as the default. This won't make anything more secure, but it does slightly complicate the ease of seeing your systems on the network if someone does manage to connect.

I've been sharing files this way for years at home. No issues and no known security breaches. This isn't a tunnel though, it's just straight sharing plus whatever security measures are built in to the systems you are using.
posted by caution live frogs at 5:22 AM on March 28, 2008

Windows shares should show up in Network. Browse the machine name in Network using the Finder (shift-cmd-K to open Network when Finder has focus). You should see the workgroup name; opening that should show you the computer name. Click it to connect. It will ask for your credentials (or click the "Connect as..." button in Leopard); feed it the Windows user name and password. If you have multiple shares it should ask which you want to open. After you've done it once, if you told it to remember the password you should be able to quickly connect at any time by looking in Recent Items from the apple menu.

The share will show up as a mounted network drive on your desktop. (Incidentally you can share printers the same way, but I've had haphazard results with printing from a Mac to a shared printer on a Windows box. Sometimes it works, sometimes it doesn't, depends on the printer and what drivers you choose.)
posted by caution live frogs at 8:14 AM on March 28, 2008

flabdablet: I totally agree with you here, but I think that MAC filtering could/would add another stumbling block for anybody trying to get access.

sidereal: To disable Simple File Sharing in Windows, open up a My Computer window. Go to Tools -> Folder Options -> View tab. Scroll down to the bottom of Advanced Settings and uncheck "Use simple file sharing". This should enable the advanced features when you go to the Sharing tab under a drive/folder's Properties window.

Another thing that comes to mind is if your router has a web admin front end that requires a log-in, give it a strong password that is different than your WEP/WPA password. That way if someone were to crack your WPA password and gain access to your network, they would then have to crack the password for the web front end if they wanted to make changes there.
posted by phrayzee at 10:46 AM on March 28, 2008

My point is that running dictionary attacks against WPA passwords is a job generally done using automated tools, and that those same tools will easily and automatically spoof MAC addresses as needed. There is really no point creating stumbling blocks when the only person who will actually stumble over them is the creator.

Also, it's only XP Professional that gives you the choice of turning Simple File Sharing off - it's baked into XP Home. Which means that (a) using the shared folder from the Mac will probably Just Work, and (b) there is no meaningful way to enforce per-user access restrictions on folders shared over the network (with SFS turned on, from the server's point of view all network users are actually Guest). Using Windows XP Home's inbuilt file sharing on a folder containing your furry pr0n will make it generally available to any user on any computer on your LAN.

I'm looking for something more like a shared drive, and not actually copying the files over to the iBook permanently

OK, then you probably want an ssh server on the Windows box, and MacFUSE and sshfs on your Mac.
posted by flabdablet at 5:19 PM on March 28, 2008

Also: the point I keep trying to make about picking a WPA password is that you can, and should, make it uncrackable. I have never heard of any way to crack WPA except using a dictionary attack against the password. Do not use a WPA password designed to be memorable, or even easy to type. If you generate a long (20 characters or more) password using a random number generator, save it in a text file on a USB memory stick you keep on your keychain, and use copy/paste to put it into all the boxes where it has to go, you can consider your WPA wireless network secure against outside attack. There is then no point in using false-sense-of security measures additional to this.

None of the above applies to WEP, which is just fundamentally broken. WPA good; WEP bad!

I agree that using different passwords for router admin and WPA is a good idea, but not because of any fear of drive-by router tampering via wireless. Rather, there is no particular reason to use a super-strong password for your router's web interface, unless you also need it protected against skilled attackers inside your LAN.

Most routers can be told not to allow access to the admin interface via their wireless ports at all. If you're paranoid, do that, and do all your router admin via a wired connection.
posted by flabdablet at 5:43 PM on March 28, 2008

« Older My 1999 Jeep Grand Cherokee Lt...   |   Learning Geographic Informatio... Newer »

This thread is closed to new comments.