[OpenWireless Tech] The police came to the AP owner first, then sniffed the air to find real culprit

"Andy Green (林安廸)" andy at warmcat.com
Wed Nov 28 17:14:57 PST 2012


On 11/29/2012 08:27 AM, the mail apparently from Eugene Smiley included:
> On Wed, Nov 28, 2012 at 4:17 PM, Java Nut <javanut20 at hotmail.com> wrote:
>
>      > You keep speaking like this is decided and that it is the only
>      > way. While it's a great idea, it's not the only way. Until you can
>      > provide a working example, stop bludgeoning the list with this way
>      > of thinking. It was requested that this list be a source of "I need
>      > help with X" solutions.
>      >
>      > Your words have merit, but I want to see results.
>
>
>     Both ways of using VPNs, Andy's and mine can have merits and are
>     both worth discussing and the preference which to use will vary
>     among AP owners.
>
>
> I addressed this because Andy speaks about his VPN as if it were the only
> option on the table, discarding any other options fitting other AP
> owners' Use Cases. I have been at the receiving end of this and didn't
> appreciate it. I think his idea is a good one, but impractical. If he is
> willing to put the effort into it I'll give him his due. He may not
> realize his phrasing is off-putting, but it has people tuning him out.

Not sure why you are butthurt about that.  My emails are all on the list 
and all address the technical issues without personalizing anything.

Since consumer APs are 99.999% of the provisioned and potentially usable 
APs out there, I consider those.  I have already written more than once 
that I think community open wireless schemes are good.  But they will 
never be more than very localized isolated islands and are a completely 
different issue.  It's not that I think they should use vpn-only, it's 
that what they do is irrelevant compared to the massive amount of 
consumer APs that could be liberated.

If you think some other scheme is better suited to the problem of closed 
up consumer APs, explain why and we'll talk about it.

>     Andy's approach of requiring every guest to go through their own
>     pre-arranged VPN does eliminate all the risks I talked about for my
>     own approach of making the open AP send all its traffic through a
>     nonlogging VPN with clients connecting openly.  But as others have
>     said, Andy's approach comes at the price of not creating fully open
>     wireless.
>
>
> There are many VPN options. Until this movement gains traction, the
> individual AP owners' Use Cases are what will determine their chosen
> route. Incomplete list of options:
>
> Open. Zero AP protection.
>
> + Easiest to implement.
> + Cheapest to implement.
> + Most open.

Yes... but it does not lead to the most open result.  All the APs around 
have reacted to it by turning it off and hiding behind WPA.  So we must 
be careful with what we mean by "open" and especially "most open".

> - Most dangerous to AP owner.
>
>
> Andy's VPN (aka E.T. phone home). The user connects back to their home
> router. AP blocks all non-VPN traffic.
>
> + Puts content responsibility on the user.
> - Complex. Effort required of AP-Owner and AP-User to connect.

You mean like WPA that everyone is using?  It need not be any more 
complex than cutting and pasting a cert around in your browser at home.

> - Excludes anyone who doesn't have a home internet connection or BYO VPN
> service.

Yes.

> - Least open. How does one find out how to join the network?

What do you mean?  The APs use beacons like everything else.  They can 
get started with an SSID convention like vpn-myAP, all use the same SSID 
like "vpn-only", or maybe eventually deploy bits in the beacon packet to 
load balance and advertise they're VPN-only.

What's the problem there?

> External VPN. The AP owner drops all GuestAP traffic into a paid VPN
> service.
>
> ~ Issues go to VPN provider who have varying TOS and laws depending on
> the jurisdiction and level of logging
> - Additional cost to AP owner.
> - Additional setup effort for AP owner.
> + Isolated from Police action. Legal action varies based on VPS service,
> jurisdiction, and VPS provider.
> + Content from sites restricted by GeoIP can be accessed depending on
> exit point, i.e. Hulu, BBC, etc.
> + Open. User sees no hurdle to connecting.

  - anyone nearby can sniff any client traffic in clear

  - client is not protected from malicious AP logging, meddling or 
poisoning your traffic / DNS

  - since the AP operator gave his credit card to the vpn service 
provider, his identity is firmly glued to the VPN server endpoint IP 
that his credentials pay for.  He lives next door to Jimmy Savile. 
What could possibly go wrong?

> Internal VPN. The AP owner has many APs connected to VPNs back to a VPS
> in a datacenter.
>
> - Additional cost, but less than External VPN
> - Additional setup effort for AP owner.
> + Isolated from Police action. Legal action varies based on VPS service,
> jurisdiction, and VPS provider.
> + Content from sites restricted by GeoIP can be accessed depending on
> exit point, i.e. Hulu, BBC, etc.
> + Open. User sees no hurdle to connecting.

Well, it's out of scope for me.

> Tor/I2P. All AP data routed onto Anonymizing Networks.
>
> - Speed limited due to overhead and limited Exit Nodes
> - Tor/I2P blocked by some ISPs and VPS providers.
> + Easy to implement
> + Hard to track, but not impossible. Chance of Police or Legal action
> against AP owner low provided steps are taken to reduce troubling exit
> node traffic.
> + Open. User sees no hurdle to connecting.

This has the same problems from not fixing unencrypted shared access to 
the AP as earlier:

  - anyone nearby can sniff any client traffic in clear

  - client is not protected from malicious AP logging, meddling or 
poisoning your traffic / DNS

  - Tor will also be blocked by some end-user sites, since it'll be 
associated with the more toxic content or abuse they get along with just 
normal people using tor

> SSH Tunneling
>
> ~ Not simple, but not hard
> - Not as fully featured as a traditional VPN.
> - Not very open. Limited to the ports the AP owner is willing to forward.

Yes... actually there are some interesting possibilities to do tunnelling 
using websockets on port 80.  But this does not go to salving the AP 
operator's troubled mind about letting anonymous people do that or 
anything else on his AP.

> Hybrid. A complementary combination of VPN options above.
>
>
> The options listed protect the AP-Owner not so much the AP-User. As an
> AP User I am inclined to protect myself by using my own VPN regardless
> of the protections the AP-Owner provides for himself. I know not all
> users are savvy/smart enough to do this, but educating users is an
> important aspect to this project.
>
> How does each option work with each mobile device on the market
> (Android, iDevice, laptop, etc.)? Not all devices work with the same VPN
> protocols.

Personally I work in the technology industry and live in Taipei.  Many 
of the major home AP manufacturers are either based or design here.  If 
the EFF put its imprimatur on a particular scheme, they had arranged a 
legal strategy with declaratory judgements in the major legal areas to 
show AP owners it was different from running just unencrypted AP and had 
good reason to expect it was safe, and it was built into most popular 
APs and was promoted, I think it could really make a big difference.

The hurdles are not really technical but first legal to overcome this 
reluctance to let anyone near your internet connection and then in terms 
of describing what the stack needs to do and promoting it to the people 
who can and will build it in as a checkbox item.

Until there's some effort in those directions, which we can't do 
organically, I don't think this will be anything except "talk".

-Andy
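Added example, not code from this thread or from any OpenWireless project: a Python model of the egress policy a "VPN-only" AP in Andy's sense would have to enforce on its guest interface. It makes concrete the line "AP blocks all non-VPN traffic" and the client-isolation point raised against open shared access: a guest can obtain an address, resolve a name through the AP's own resolver, and bring up a VPN to some external endpoint; nothing else leaves on the owner's IP, and guests cannot reach one another. The addressing and the set of admitted VPN protocols (IKE, IPsec NAT-T, ESP, OpenVPN) are assumptions chosen for the example, since the thread fixes no protocol. On a real AP the same policy is a handful of firewall rules bound to the guest interface.

```python
"""Egress policy model for a "VPN-only" open AP (the "E.T. phone home" option).

Added illustration; not from the mailing-list thread or the project it discusses.
It models what the AP's packet filter must enforce on the guest SSID: a guest
may only get an address and bring up a VPN to somewhere else. Addresses and
the admitted VPN protocols below are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed addressing for the guest SSID (the thread fixes none of this).
GUEST_NET = ip_network("10.0.0.0/24")
AP_GUEST_ADDR = ip_address("10.0.0.1")       # the AP's own address on the guest side
BROADCAST = ip_address("255.255.255.255")

# VPN protocols the AP owner is willing to originate for anonymous guests
# (assumed set): IKE, IPsec NAT-T, OpenVPN. Deliberately *not* TCP/443:
# admitting it "for SSL VPNs" would also admit ordinary HTTPS browsing and
# defeat the whole point of the policy.
VPN_UDP_PORTS = {500, 4500, 1194}
VPN_TCP_PORTS = {1194}
VPN_IP_PROTOS = {"esp"}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp", "esp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def guest_egress(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for a packet arriving from the guest SSID."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # 1. DHCP has to work before the client has any address at all.
    if pkt.proto == "udp" and pkt.dport == 67 and dst in (BROADCAST, AP_GUEST_ADDR):
        return "accept", "dhcp to AP"

    # 2. Everything else must carry a source address the AP actually handed out.
    if src not in GUEST_NET:
        return "drop", "source not in guest network (spoofed or stale)"

    # 3. Client isolation: guests never reach one another through the AP, which is
    #    what stops a hostile guest from meddling with a neighbour's traffic.
    if dst in GUEST_NET and dst != AP_GUEST_ADDR:
        return "drop", "guest-to-guest traffic"

    # 4. The AP's own resolver only, so a VPN endpoint named via dynamic DNS can
    #    still be found. This is the one cleartext service the owner runs for
    #    guests; drop it too if clients are expected to reach their VPN by IP.
    if dst == AP_GUEST_ADDR:
        if pkt.proto == "udp" and pkt.dport == 53:
            return "accept", "dns to AP resolver"
        return "drop", "non-dns traffic to AP"

    # 5. External destinations: VPN set-up and tunnel traffic only.
    if pkt.proto in VPN_IP_PROTOS:
        return "accept", f"{pkt.proto} tunnel traffic"
    if pkt.proto == "udp" and pkt.dport in VPN_UDP_PORTS:
        return "accept", f"udp/{pkt.dport} vpn"
    if pkt.proto == "tcp" and pkt.dport in VPN_TCP_PORTS:
        return "accept", f"tcp/{pkt.dport} vpn"

    # 6. Anything else, notably cleartext web and DNS straight to the internet,
    #    never leaves on the owner's IP.
    return "drop", "non-vpn egress"


if __name__ == "__main__":
    # Constructed sample traffic from a guest at 10.0.0.23 phoning home to 203.0.113.5.
    samples = [
        Packet("udp", "0.0.0.0", "255.255.255.255", 67),     # DHCP discover
        Packet("udp", "10.0.0.23", "10.0.0.1", 53),           # resolve the home endpoint
        Packet("udp", "10.0.0.23", "203.0.113.5", 4500),      # IPsec NAT-T to home router
        Packet("esp", "10.0.0.23", "203.0.113.5"),            # tunnel payload
        Packet("tcp", "10.0.0.23", "198.51.100.7", 443),      # direct web browsing
        Packet("udp", "10.0.0.23", "198.51.100.53", 53),      # DNS leak past the AP
        Packet("tcp", "10.0.0.23", "10.0.0.45", 22),          # poking at another guest
        Packet("udp", "192.168.1.9", "203.0.113.5", 4500),    # spoofed source address
    ]
    for p in samples:
        verdict, why = guest_egress(p)
        print(f"{verdict:6} {p.proto}/{p.dport or '-'} {p.src} -> {p.dst}: {why}")
```

Running the file prints a verdict and reason for each constructed sample. The design choice worth noticing is step 5: the VPN set is a short allow-list of ports and IP protocols, and widening it to anything a browser also uses (TCP/443 above all) turns the AP back into the fully open kind the thread is arguing about.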
