[OpenWireless Tech] The police came to the AP owner first, then sniffed the air to find real culprit​​

[Eugene Smiley]

On Wed, Nov 28, 2012 at 8:14 PM, "Andy Green (林安廸)" <andy at warmcat.com>wrote:

> On 11/29/2012 08:27 AM, the mail apparently from Eugene Smiley included:
>
>> There many VPN options. Until this movement gains traction, the
>>
> individual AP owners Use Cases are what will determine their chosen
>> route. Incomplete list of options:
>>
>> Open. Zero AP protection.
>>
>> + Easiest to implement.
>> + Cheapest to implement.
>> + Most open.
>>
>
> Yes... but it does not lead to the most open result.  All the APs around
> have reacted to it by turning it off and hiding behind WPA.  So we must be
> careful with what we mean by "open" and especially "most open".


I'll leave that to another thread related to Campaigning for OpenWireless.

Andy's VPN (aka E.T. phone home). The user connects back to their home
>> router. AP blocks all non-VPN traffic.
>>
>> + Puts content responsibility on the user.
>> - Complex. Effort required of AP-Owner and AP-User to connect.
>>
>
> You mean like WPA that everyone is using?  It need not be any more complex
> than cutting and pasting a cert around in your browser at home.


WPA is easy compared to setting up a VPN, firewall rules, and some form of
dyndns all at once. WPA is easy compared to flashing firmware on your
router were someone has already magically set up a VPN, firewall rules, and
dyndns.

- Excludes anyone who doesn't have a home internet connection or BYO VPN
>
>> service.
>>
>
> Yes.


That will limit the growth of the network. The more barriers in place the
fewer AP-Users you will have. This is far from what I think of as open.

Anecdote: I just spent 12 days, 1200 miles from home. For half that time, I
had access to a AP that I knew the passphrase. The other 6 days I used an
almost out of range open router. Had I not had that open AP I am capable of
cracking a WEP AP. Ignore the legality of it, it's a barrier that the
average user isn't likely to bother with.

- Least open. How does one find out how to join the network?
>
> What do you mean?  The APs use beacons like everything else.  They can get
> started with an SSID convention like vpo-myAP, all use the same SSID like
> "vpn-only", or maybe eventually deploy bits in the beacon packet to load
> balance and advertise they're VPN-only. What's the problem there?


The problem I point to is that one has to already know about the network
before one needs it. More barriers. I can't just fly 1200 miles, click on
an open AP and go. More barriers.


External VPN. The AP owner drops all GuestAP traffic into a paid VPN
>
>> service.
>>
>> ~ Issues go to VPN provider who have varying TOS and laws depending on
>> the jurisdiction and level of logging
>> - Additional cost to AP owner.
>> - Additional setup effort for AP owner.
>> + Isolated from Police action. Legal action varies based on VPS service,
>> jurisdiction, and VPS provider.
>> + Content from sites restricted by GeoIP can be accessed depending on
>> exit point, i.e. Hulu, BBC, etc.
>> + Open. User sees no hurdle to connecting.
>>
>
>  - anyone nearby can sniff any client traffic in clear
>  - client is not protected from malicious AP logging, meddling or
> poisoning your traffic / DNS
>

Irrelevant to the AP-Owner protecting their interests. This is a AP-User
issue. As an AP-User, I don't do anything require sensitive information
over clear channels. Not true of all users. THAT is a user education issue.


>  - since the AP operator gave his credit card to the vpn service provider,
> his identity is firmly glued to the VPN server endpoint IP that his
> credentials pay for.  He lives next door to Jimmy Saville. What could
> possibly go wrong?


Have OpenWireless recommend that all AP-Owners signup for their accounts
under a business name. You think the police are going to break down a door
of a McDonald's or Starbucks? Option 2: Use a VPN in another jurisdiction.


>  Tor/I2P. All AP data routed onto Anonymizing Networks.
>>
>> - Speed limited due to overhead and limited Exit Nodes
>> - Tor/I2P blocked by some ISP and VPS providers.
>> + Easy to implement
>> + Hard to track, but not impossible. Chance of Police or Legal action
>> against AP owner low provided steps are taken to reduce troubling exit
>> node traffic.
>> + Open. User sees no hurdle to connecting.
>>
>
> This has the same problems from not fixing unencrypted shared access to
> the AP as earlier
>
>  - anyone nearby can sniff any client traffic in clear
>  - client is not protected from malicious AP logging, meddling or
> poisoning your traffic / DNS
>

Again, irrelevant to the AP-Owner providing service.


>  - Tor will also be blocked by some end-user sites, since it'll be
> associated with the more toxic content or abuse they get along with just
> normal people using tor


I missed that negative. You are correct, but it is not that common.


Personally I work in the technology industry and live in Taipei.  Many of
> the major home AP manufacturers are either based or design here.  If the
> EFF put its imprimatur on a particular scheme, they had arranged a legal
> strategy with declaratory judgements in the major legal areas to show AP
> owners it was different from running just unencrypted AP and had good
> reason to expect it was safe, and it was built into most popular APs and
> was promoted, I think it could really make a big difference.
>

Have any connections inside of TP-Link? The AP I am toying with right now
is the WR703N travel router and would love to have a source for them in the
U.S. besides Ebay and Alibaba.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.eff.org/pipermail/tech/attachments/20121128/ae774c2a/attachment.html>