[OpenWireless Tech] The police came to the AP owner first, then sniffed the air to find real culprit

californiajack at tormail.org
Wed Jan 2 17:16:00 PST 2013


That is exactly the problem with adoption of OpenWireless:

1. technical
2. legal

Which is to say:

1. no encryption: fear of non-IPsec/non-TLS information leakage
2. no accountability: fear of being accused of child pr0n

Which is to say:

1. technically-proficient (smart) people won't use it
2. non-proficient (stupid) people won't use it

Which is to say OpenWireless is doomed to failure.

The solution to OpenWireless is IEEE 802.11, NOT IPsec. We need an EAP
method for OpenWireless. You people are looking for an easy solution. You
are looking for a solution that can be provided with current software:

This ignorance will make this project fail.

(Not to say you are ignorant--I am speaking to the list here, and everyone
in general.) IPsec tunneling (the VPN "solution" I always hear about) is a
hack. It has always been a hack. It was a fairly good hack, but a hack
nonetheless. It adds confidentiality to a single hop in the connection to
the Internet. It requires a server-client infrastructure, which is to say
someone has to set up a VPN/IPsec tunnel server somewhere, at which all
data is decrypted and exposed. You can't, for the most part, run an
OpenVPN on the AP; the VPN concatenator must be another server. People are
not going to set up an OpenVPN server. People are not going to trust you to
run a VPN server, giving you sole control and visibility of their data.
Given that each client would have to implement this NON-STANDARD hack,
well, like I said, no one in their right mind will or should do that.
That's right: I RECOMMEND NO ONE USE THE VPN OF AN UNTRUSTED 3RD PARTY. I
don't recommend my grandma set up her own OpenVPN server.

There is only one solution, the solution which everyone's cognitive
dissonance would rather ignore: fix the IEEE 802.11 setup! RSN (Robust
Security Network, i.e. IEEE 802.11i) is the equivalent of OpenVPN on every
wireless client, and RSN is already supported by all current OSes.

Unfortunately, as I have said earlier, quotes from people like security
expert Bruce Schneier are somewhere between laughable and scary. While I
am guessing he uses IPsec (VPN) on top of his IEEE 802.11 and below his
TCP and HTTP, I am actually a little offended he just plain bitched out
and chose someone else's hack rather than fix the problem. It is just so sad
to see WPA and RSN thought of as equivalent; you can have RSN without any
shared secrets or PKI. (At least theoretically.) I know *why* Bruce
Schneier bitched out, and it isn't because Bruce Schneier is a bitch.
Bruce Schneier bitched out because "apt-get install openvpn" was MUCH
easier than "git clone git://w1.fi/srv/git/hostap.git; git clone
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-testing.git;
vi;". If Schneier won't, and you won't, and I can't do what is needed (I
am still reading hostapd code; the EAP-UNAUTH-TLS commits were
eye-opening, but..) then:

This project, OpenWireless, and the ideals behind it, will fail.

Sad, but true. Our collective cognitive dissonance in this matter is going
to cause problems. You will continue to pull your hair out, saying to
yourself "my setup works fine, why won't people adopt it?" because the
truth, that your setup isn't fine--it's a hack--will just plain prevent
OpenWireless from going anywhere. The 1st step is admitting there's a
problem. Everyone knows, deep down, OpenVPN is a hack. Tunneling IPsec is
great, but the Internet can't be built on IPsec tunnels. It has to be made
with RSN, IPsec ESP, and TLS. In fact, VPN isn't even used anymore at my
university, which is to say it is dead. Because if my University stopped
using it, that shit must be fucked. (My university is fairly technically
inept, historically.)

My university uses (gasp!) IEEE 802.11i RSN. No VPN. Take the protocols
that are used for my university's wifi, which are standard in Windows
Vista, and take out client authentication, and there's your OpenWireless.
BAM! Literally, the only thing wrong with their wifi is the client
authentication; because we want wireless to be open. The solution is not
to disable RSN and pretty much use 1990s wifi tech then hack hack hack
with OpenVPN on top.

The solution is not more protocols, it's less. Like I said before, if the
BTNS WG hadn't bitched out and then disbanded, we might have gotten
EAP-BTNS, but EAP-TLS with a non-retarded TLS implementation would do
nicely, too. ("I tried to connect to [Gmail, eBay, etc.], but it kept
asking for an "x.509 client certificate"--I didn't know what that was, so I
didn't connect to [Gmail, eBay, etc.] securely. I followed Bruce Schneier's
advice and just disabled authentication and disabled encryption.") This is
not simple. BUT! But it is the correct solution, and it is logistically
possible because wifi clients won't have to install IEEE 802.11i RSN.

And that's just 1. That's why smart people won't use OpenWireless. The
other reason, reason 2, is more complex.

You have a Bible in your house? Have you ever seen one? OK, do you have
the Penal Code in your house? Have you EVER seen it in person? Don't
fucking lie--you have never seen the law in person. California does not
actually print the Penal Code, so I KNOW you don't have one. When you get
over any confusion in that sentence, and gradually pass into outrage (that
the government doesn't actually even print the fucking law--only 3rd
parties do, and they sell it at exorbitant prices.) If you wanted a
printed copy of the law (state law is what really matters, not federal
law, because the FBI does not have HUNDREDS OF THOUSANDS of police
officers like California does), not only would you have to be rich, but
you would have to have a VERY large bookshelf. Notice how California put
California law online? Yeah, they were fucking sued before they put the
law online. The government, the legislature actually, had to be sued to
put the law online. And California is far more open when it comes to law
than say countries like the UK, where distributing the law is actually
illegal (the law of the UK is copyright property of the Queen, and
distributing copyright without her permission is illegal--pretty much the
opposite of the US, where it's all public domain.) And the UK is FAR more
open than its European counterparts, or any other non-European country.
(At least they have their law online--if only to be so massive and
unorganized as to be useless. Dammit UK! France and California codified
their laws in the 1800s!)

So the solution to people's fear about police kidnapp--er, arrest, is an
even bigger problem. Fix the technical solution first, and leave the
problem of not being able to read the 200,000 sections of law in
California (about 150,000 in the USC and 50,000 in California Codes), plus
county codes and municipal codes (which are by default misdemeanor crimes
in California--I don't know how many, but in Los Angeles County for
example possession of a shortwave radio in your car is a crime--although
very few people know this--LA County has 10,000,000 people BTW, and no one
knows who runs the Government of Los Angeles County), another
20,000-50,000 regulations in the Code of Federal Regulations (CFR) and
California Code of Regulations (CCR), federal Supreme Court decisions,
federal appeals court decisions, California Supreme Court decisions,
California appeals court decisions, and probably more levels of
government, and figuring out what the law is to some later date. Yes, that
problem is pretty big. Really: fix EAP first. Law is the never-never land
of logic, and there are no such things as happy thoughts.

--
californiajack
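The contrast the post draws, written out as an added configuration example that is not part of the original message or of the hostapd project: the first fragment is the open AP the post calls 1990s wifi tech (no RSN, so every client's frames cross the air in the clear and only per-flow TLS or IPsec protects anything); the second turns on RSN with hostapd's integrated EAP server and the UNAUTH-TLS method the post refers to, a TLS handshake in which the client presents no certificate, so each client still derives its own pairwise key in the 4-way handshake without any shared secret. The interface, SSID, channel, file paths and the identity string are placeholders. The build option CONFIG_EAP_UNAUTH_TLS and the method name UNAUTH-TLS are assumed to match what the hostapd/wpa_supplicant source tree uses; check them against the checkout you build, since UNAUTH-TLS is an hostapd vendor-specific (expanded) EAP type, not a standardized method, and only clients built with the same option can use it.

```ini
# ---------------------------------------------------------------------------
# A. hostapd.conf, open AP: the status quo the post argues against.
#    No wpa= line means wpa=0, i.e. no RSN; nothing on the air is encrypted.
#    (interface, ssid and channel are placeholders)
# ---------------------------------------------------------------------------
interface=wlan0
driver=nl80211
ssid=openwireless
hw_mode=g
channel=6

# ---------------------------------------------------------------------------
# B. hostapd.conf, RSN with an EAP method that authenticates no client.
#    Needs hostapd built with CONFIG_EAP_UNAUTH_TLS=y (assumed option name).
#    Certificate and key paths are placeholders; the server certificate is
#    the only credential anyone has to provision.
# ---------------------------------------------------------------------------
interface=wlan0
driver=nl80211
ssid=openwireless
hw_mode=g
channel=6
# 802.1X/EAP on the air interface, served by hostapd itself (no RADIUS box)
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd/hostapd.eap_user
ca_cert=/etc/hostapd/ca.pem
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key
# RSN (IEEE 802.11i) only, no WPA1 fallback; keys come from EAP, not a PSK;
# every client gets its own AES-CCMP pairwise key from the 4-way handshake
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

# ---------------------------------------------------------------------------
# /etc/hostapd/hostapd.eap_user: any identity may use UNAUTH-TLS.
#    Format is identity, then the allowed method list; '*' is the wildcard.
# ---------------------------------------------------------------------------
*	UNAUTH-TLS

# ---------------------------------------------------------------------------
# C. wpa_supplicant.conf network block on a client (built with the same
#    CONFIG_EAP_UNAUTH_TLS=y). No client certificate, no password.
#    Caveat: with no ca_cert line the client cannot tell this AP from an
#    impostor advertising the same SSID. The link is encrypted, but the AP
#    is not authenticated; that is the "at least theoretically" in the post.
# ---------------------------------------------------------------------------
network={
	ssid="openwireless"
	key_mgmt=WPA-EAP
	eap=UNAUTH-TLS
	# the EAP Identity exchange needs some string; its value carries no meaning here
	identity="anonymous"
}
```

What B buys over A is exactly the per-client confidentiality the post wants from RSN: a bystander capturing the air no longer reads other clients' traffic, and no VPN concentrator sits anywhere with all traffic decrypted. What it does not buy is authentication of the AP in either direction, so the practical check before deploying something like this is to decide whether an attacker-run AP with the same SSID is in your threat model; if it is, the client side needs ca_cert and a server certificate it can actually verify, which reintroduces the PKI question the post is trying to avoid.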

> This link caught my eye
>

> http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html
>
> My sense is that the push-back against fear of sharing wifi is both
> technical eg VPN/VLAN and evidential, by which I mean if we can get to a
> state whereby IP address is considered as an indicator of further interest
> and not automatically proof of guilt then that offers an altogether more
> easy/effective/comfortable proposition for mass adoption and availability
> of openwireless.
>
> Guy
>
> On Tue, Nov 27, 2012 at 10:17 AM, Natanael <natanael.l at gmail.com> wrote:
>
>> CJDNS is not designed for these purposes. It is not like I2P or Tor,
>> only routing is "dynamic". You'd need a VPN in place already or some
>> kind of Dynamic DNS to create a link between the laptop/phone node and
>> the home router node. It also doesn't provide internet access sharing on
>> its own; in this way it resembles I2P.
>> On 27 Nov 2012 11:09, "Christian Huldt" <christian at solvare.se> wrote:
>>
>>> Maybe we should take a look at cjdns?
>>> Someone here knows something about it?
>>> I'm not that well-informed, but it seems it should be able to deal with
>>> a few of those issues...
>>>
>>> And I quite recently stumbled upon the term "WPA guest access", I think
>>> it was in relation to coovaChilli...
>>>
>>>
>>> http://cjdns.info/
>>> http://en.wikipedia.org/wiki/Cjdns
>>> http://www.reddit.com/r/darknetplan/
>>>
>>> Andy Green wrote 2012-11-27 08:24:
>>>
>>>> Hi -
>>>>
>>>> Sure, if you're able to flat out run open APs more power to your
>>>> elbow.
>>>>
>>>> Most people sitting on a personal internet connection aren't in that
>>>> situation and need something else to happen if they will participate.
>>>> In terms of reach, it's those guys that are all around us and could
>>>> make a huge difference.
>>>>
>>>> Calling normal people making rational decisions faced with legal facts
>>>> in their locality 'cowards' as some are doing is not the right
>>>> 'something else' to unstick them. If people have a more convincing
>>>> idea for those people than what's being discussed about vpn, I'm
>>>> certainly interested to hear it.
>>>>
>>>> -Andy
>>>>
>>>> Brad Knowles <brad at shub-internet.org> wrote:
>>>>
>>>>     On Nov 26, 2012, at 8:22 PM, Andy Green (林安廸) <andy at warmcat.com>
>>>>     wrote:
>>>>
>>>>         But you're right, it adds a hurdle compared to just sitting
>>>>         there with an unencrypted AP. But for consumers, the truly
>>>>         open AP ship has sailed a while ago, they will no longer do it.
>>>>
>>>>
>>>>     I think that there may be some places left in this world where we
>>>>     could have truly open APs, but they are certainly few and far
>>>>     between. Nevertheless, I'm not willing to give up on that
>>>>     possibility.
>>>>
>>>>     OTOH, I do think that the majority of people will either refuse to
>>>>     run an OpenWireless site at all, or they will insist that it allow
>>>>     only VPN-secured connections.  These people might be in countries
>>>>     like Germany where there is clearly a very real legal threat, or in
>>>>     places where the threat is less well-defined.  But the fear of what
>>>>     might happen would still keep the bulk of the potential
>>>>     participants away.
>>>>
>>>>     I see no reason why we should treat these two solutions as
>>>>     mutually exclusive.
>>>>
>>>>     HTTP is not XOR with HTTPS.  Some sites will support one or the
>>>>     other but not both, but most sites either allow both or already
>>>>     use some mixture of both.
>>>>
>>>>     Yes, this can complicate things in the context of serving web
>>>>     sites, but I don't think that necessarily has to be a problem for
>>>>     us.  There are additional design considerations that need to be
>>>>     taken into account, but I think we can handle that.
>>>>
>>>>     I should be able to provide a free entry point for
>>>>     vpn-required.openwireless.org <http://vpn-required.openwireless.org>
>>>>     and anyone who wants to connect to that network using a
>>>>     VPN-enabled client should be able to do so.  But if you don't have
>>>>     a VPN-enabled client, you would not be able to use my network
>>>>     connection.
>>>>
>>>>     If my neighbor wants to provide a free entry point for
>>>>     unencrypted.openwireless.org <http://unencrypted.openwireless.org>
>>>>     and take some extra risk (perhaps minimal, or maybe real), then
>>>>     they should be able to do that, too.
>>>>
>>>>     --
>>>>     Brad Knowles <brad at shub-internet.org>
>>>>     LinkedIn Profile: <http://tinyurl.com/y8kpxu>;
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Tech mailing list
>>>> Tech at srv1.openwireless.org
>>>> https://srv1.openwireless.org/mailman/listinfo/tech