[OpenWireless Tech] The police came to the AP owner first, then sniffed the air to find real culprit
"Andy Green (林安廸)"
andy at warmcat.com
Wed Nov 28 18:45:46 PST 2012
On 11/29/2012 10:14 AM, the mail apparently from Eugene Smiley included:
>
>
>
> On Wed, Nov 28, 2012 at 8:14 PM, "Andy Green (林安廸)" <andy at warmcat.com
> <mailto:andy at warmcat.com>> wrote:
>
> On 11/29/2012 08:27 AM, the mail apparently from Eugene Smiley included:
>
> There many VPN options. Until this movement gains traction, the
>
> individual AP owners Use Cases are what will determine their chosen
> route. Incomplete list of options:
>
> Open. Zero AP protection.
>
> + Easiest to implement.
> + Cheapest to implement.
> + Most open.
>
>
> Yes... but it does not lead to the most open result. All the APs
> around have reacted to it by turning it off and hiding behind WPA.
> So we must be careful with what we mean by "open" and especially
> "most open".
>
>
> I'll leave that to another thread related to Campaigning for OpenWireless.
>
> Andy's VPN (aka E.T. phone home). The user connects back to
> their home
> router. AP blocks all non-VPN traffic.
>
> + Puts content responsibility on the user.
> - Complex. Effort required of AP-Owner and AP-User to connect.
>
>
> You mean like WPA that everyone is using? It need not be any more
> complex than cutting and pasting a cert around in your browser at home.
>
>
> WPA is easy compared to setting up a VPN, firewall rules, and some form
> of dyndns all at once. WPA is easy compared to flashing firmware on your
> router were someone has already magically set up a VPN, firewall rules,
> and dyndns.
Well, you might roll your own but what we are talking about is having it
as a checkbox on your home AP configuration page, and have the cert CA
there providing access certs on demand through your browser.
That is a pretty easy one-off action...
> - Excludes anyone who doesn't have a home internet connection or BYO VPN
>
> service.
>
>
> Yes.
>
>
> That will limit the growth of the network. The more barriers in place
> the fewer AP-Users you will have. This is far from what I think of as open.
Everyone I know has a home internet connection and AP. If you're
thinking of hobos not being able to use it, well, they probably lack the
laptop needed to access an unencrypted AP too...
> Anecdote: I just spent 12 days, 1200 miles from home. For half that
> time, I had access to a AP that I knew the passphrase. The other 6 days
> I used an almost out of range open router. Had I not had that open AP I
> am capable of cracking a WEP AP. Ignore the legality of it, it's a
> barrier that the average user isn't likely to bother with.
>
> - Least open. How does one find out how to join the network?
>
> What do you mean? The APs use beacons like everything else. They
> can get started with an SSID convention like vpo-myAP, all use the
> same SSID like "vpn-only", or maybe eventually deploy bits in the
> beacon packet to load balance and advertise they're VPN-only. What's
> the problem there?
>
>
> The problem I point to is that one has to already know about the network
> before one needs it. More barriers. I can't just fly 1200 miles, click
> on an open AP and go. More barriers.
What are these "barriers" you are inventing now?
Assuming you did the one-off VPN pairing with your AP, you go 1200 miles
and click your wireless icon, and select "vpn-only" from there. For
now, once it's associated you'll have to select your vpn server as well,
then you're safely on the Internet. Eventually the OS can understand it
was a vpn-only AP and select the vpn routing automatically.
Compare that to a captive portal that is normal today, you click your
wireless icon, select some kind of paid-for service, it takes you to a
page that at a minimum wants login credentials, or otherwise wants your
credit card details filling in. After doing that, you are insecurely on
an open AP and ready to go.
> External VPN. The AP owner drops all GuestAP traffic into a paid VPN
>
> service.
>
> ~ Issues go to VPN provider who have varying TOS and laws
> depending on
> the jurisdiction and level of logging
> - Additional cost to AP owner.
> - Additional setup effort for AP owner.
> + Isolated from Police action. Legal action varies based on VPS
> service,
> jurisdiction, and VPS provider.
> + Content from sites restricted by GeoIP can be accessed
> depending on
> exit point, i.e. Hulu, BBC, etc.
> + Open. User sees no hurdle to connecting.
>
>
> - anyone nearby can sniff any client traffic in clear
> - client is not protected from malicious AP logging, meddling or
> poisoning your traffic / DNS
>
>
> Irrelevant to the AP-Owner protecting their interests. This is a AP-User
> issue. As an AP-User, I don't do anything require sensitive information
> over clear channels. Not true of all users. THAT is a user education issue.
Nonsense... the AP owner will go out of town one day and be "the
client" himself on someone else's network. It will be extremely
relevant to him too that he is safe. There's no point solving things
for the AP owner and leaving the client insecure, it's a failure.
You yourself went "1200 miles", are you OK with getting scammed using
someone else's AP then so long as you're OK running your AP at home? I
think not.
> - since the AP operator gave his credit card to the vpn service
> provider, his identity is firmly glued to the VPN server endpoint IP
> that his credentials pay for. He lives next door to Jimmy Saville.
> What could possibly go wrong?
>
>
> Have OpenWireless recommend that all AP-Owners signup for their accounts
> under a business name. You think the police are going to break down a
> door of a McDonald's or Starbucks? Option 2: Use a VPN in another
> jurisdiction.
I run a business and the responsible for what that business does is
still me. If something bad happened the manager of the starbucks or
whatever will be hauled in and CCTV footage around scoured. Nobody
wants that happening to them because of something someone else did on
their connection.
The story to people with home routers being, "start a business and try
to hide behind it" does not seem convincing either.
> Tor/I2P. All AP data routed onto Anonymizing Networks.
>
> - Speed limited due to overhead and limited Exit Nodes
> - Tor/I2P blocked by some ISP and VPS providers.
> + Easy to implement
> + Hard to track, but not impossible. Chance of Police or Legal
> action
> against AP owner low provided steps are taken to reduce
> troubling exit
> node traffic.
> + Open. User sees no hurdle to connecting.
>
>
> This has the same problems from not fixing unencrypted shared access
> to the AP as earlier
>
> - anyone nearby can sniff any client traffic in clear
> - client is not protected from malicious AP logging, meddling or
> poisoning your traffic / DNS
>
>
> Again, irrelevant to the AP-Owner providing service.
Hum, what's the point of promoting running honeytraps for clients who
proceed to get scammed? Quickly nobody will use the service if it's
only safe for operators. Both sides of the transaction need to be safe.
> Personally I work in the technology industry and live in Taipei.
> Many of the major home AP manufacturers are either based or design
> here. If the EFF put its imprimatur on a particular scheme, they
> had arranged a legal strategy with declaratory judgements in the
> major legal areas to show AP owners it was different from running
> just unencrypted AP and had good reason to expect it was safe, and
> it was built into most popular APs and was promoted, I think it
> could really make a big difference.
>
>
> Have any connections inside of TP-Link? The AP I am toying with right
> now is the WR703N travel router and would love to have a source for them
> in the U.S. besides Ebay and Alibaba.
I can jump on the MRT and go to Guanghua Digital Plaza and there's a ton
of TP-Link stuff. In fact my router here is TP-Link, it has options
coming out of its options on its web config page. But I wouldn't know
who to pass you on to.
-Andy
More information about the Tech
mailing list