It took about one year to write the book and another six months to get it polished and into production. Different writers have different styles. My approach is to set a word goal to be accomplished every day - mine was 1000 words a day, seven days a week. I didn't make it - I averaged about 700! As you might expect the main problem was describing a moving target. In order to be as up to date as possible I had to write the book while the standard was progressing. Sometimes things would change direction. I had to throw away half a chapter when AES/OCB mode was dropped as the mandatory cipher for RSN! In the end the book as published is pretty close to the final draft of the standard. There have been a few tweaks since publication but nothing that really changes the picture.

What are your favorite tools for dealing with security when it comes to wireless networks and why?

Well up to now there have not been too many options. At home I turn everything on that I have. I run WEP and I also use MAC Address filtering. It wouldn't keep out a determined attacker but I think it keeps out the neighbors. At some point I'll upgrade my home stuff to IEEE802.11g and finding cards with WPA will be a priority.


The simplest solution for business use is to keep the access points on separate wiring and run the connection through a firewall to a VPN server. It's a pain. You can see why people are itching to get the new full grade security solution so that they can safely put the access point where wiring already exists.

Despite the insecurities of 802.11, the number of wireless networks is growing rapidly. What should be done in order to raise awareness of wireless security problems?

There are really two classes of problem here. The first is in corporations where the IT staff is fully aware of security risks and take careful protection measures but employees drive a dump truck through the protections by installing an unauthorized wireless LAN. This can be a particular problem in companies that have lots of small branches and offices. All it takes is a proactive manager to go and buy an access point at the local computer store and connect it where his PC used to plug in and you have a breach. Furthermore it's one that is almost impossible for the IT department to detect. The solution here is education by the corporation - education not just rules. People tend to ignore rules because they think the IT departments are "control freaks". But if they understand the dangers they will cooperate.