[OpenWireless Tech] The police came to the AP owner first, then sniffed the air to find real culprit

Dan Auerbach dan at eff.org
Wed Jan 2 18:08:46 PST 2013


I appreciate your input, but I don't think we need to be so black and
white and fatalistic about the situation. I think lots of people run
open wireless networks right now with no first-hop protection, and that
doesn't make them idiots. As SSL is adopted more and more, people are
getting real security in place of WPA2-PSK, which doesn't protect them
from anyone who knows the shared secret anyway.

As far as "hacks" go, I think VPN is a bit of a hack, but if as an AP
operator you feel more comfortable running a VPN, then I say go for it.
If you want to create a system that tunnels clients through VPNs
automatically, I agree that sounds hard and complicated, but I encourage
people to run with the idea if they are optimistic that there is
something workable. Progress in technology often happens through hacks
on existing systems (hell, Certificate Authorities in SSL are a hack),
as opposed to everyone neatly deciding to switch to a new and better
system (e.g. IPv6 adoption which has been painfully slow).

I think unauthenticated EAP-TLS is a hack too, but I agree that progress
can be made to make it smoother and there has been some discussion on
this list about it already. In short, if we work on all of these
solutions in parallel without spending so much energy knocking down
other people's ideas, more progress will be made. That's not to say
there isn't room for criticism, but I think it's more productive in the
form of detailed feedback once projects are under way.

Regarding the legal situation, yes, there are lots of laws. In addition
to there being no printed code, I've read that it is doubtful that the
code is even internally consistent (!). But I don't see how that general
point is all that salient to the particular issue of open wireless. I
think much more important is the fact that the legal situation is
developing around open wireless right now and could evolve in a number
of directions. This makes the movement all the more important, since we
want to establish strong legal precedents that protect people running
open networks. Sure, not everyone will want to do it right now, and many
will never do it regardless of the technological and legal landscapes.
But some people are doing so, and more will as the tech gets better. The
answer isn't just to declare it to be too risky, but to maximally
support the pioneers who are keeping APs open, so that we don't fall
into a world of inefficient, costly, closed wireless.

On 01/02/2013 05:16 PM, californiajack at tormail.org wrote:
> That is exactly the problem with adoption of OpenWireless:
>
> 1. technical
> 2. legal
>
> Which is to say:
>
> 1. no encryption: fear of non-IPsec/non-TLS information leakage
> 2. no accountability: fear of being accused of child pr0n
>
> Which is to say:
>
> 1. technically-proficient (smart) people won't use it
> 2. non-proficient (stupid) people won't use it
>
> Which is to say OpenWireless is doomed to failure.
>
> The solution to OpenWireless is IEEE 802.11, NOT IPsec. We need an EAP
> method for OpenWireless. You people are looking for an easy solution. You
> are looking for a solution that can be provided with current software:
>
> This ignorance will make this project fail.
>
> (Not to say you are ignorant--I am speaking to the list here, and everyone
> in general.) IPsec tunneling (the VPN "solution" I always hear about) is a
> hack. It has always been a hack. It was a fairly good hack, but a hack
> nonetheless. It adds confidentiality to a single hop in the connection to
> the Internet. It requires a server-client infrastructure, which is to say
> someone has to set up a VPN/IPsec tunnel server somewhere, at which all
> data is decrypted and exposed. You can't, for the most part, run an
> OpenVPN on the AP; the VPN concentrator must be another server. People are
> not going to set up an OpenVPN server. People are not going to trust you to
> run a VPN server, giving you sole control and visibility of their data.
> Given that each client would have to implement this NON-STANDARD hack,
> well, like I said, no one in their right mind will or should do that.
> That's right: I RECOMMEND NO ONE USE THE VPN OF AN UNTRUSTED 3RD PARTY. I
> don't recommend my grandma set up her own OpenVPN server.
>
> There is only one solution, the solution which everyone's cognitive
> dissonance would rather ignore: fix the IEEE 802.11 setup! RSN (Robust
> Security Network i.e. IEEE 802.11i) is the equivalent of OpenVPN on every
> wireless client, and RSN is already supported by all current OS.
>
> Unfortunately, as I have said earlier, quotes from people like security
> expert Bruce Schneier are somewhere between laughable and scary. While I
> am guessing he uses IPsec (VPN) on top of his IEEE 802.11 and below his
> TCP and HTTP, I am actually a little offended he just plain bitched out
> and chose someone else's hack rather than fix the problem. It is just so
> sad to see WPA and RSN thought of as equivalent; you can have RSN without
> any shared secrets or PKI. (At least theoretically.) I know *why* Bruce
> Schneier bitched out, and it isn't because Bruce Schneier is a bitch.
> Bruce Schneier bitched out because "apt-get install openvpn" was MUCH
> easier than "git clone git://w1.fi/srv/git/hostap.git; git clone
> git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-testing.git;
> vi;". If Schneier won't, and you won't, and I can't do what is needed (I
> am still reading hostapd code; the EAP-UNAUTH-TLS commits were
> eye-opening, but..) then:
>
> This project, OpenWireless, and the ideals behind it, will fail.
>
> Sad, but true. Our collective cognitive dissonance in this matter is going
> to cause problems. You will continue to pull your hair out, saying to
> yourself "my setup works fine, why won't people adopt it?" because the
> truth, that your setup isn't fine--it's a hack--will just plain prevent
> OpenWireless from going anywhere. The 1st step is admitting there's a
> problem. Everyone knows, deep down, OpenVPN is a hack. Tunneling IPsec is
> great, but the Internet can't be built on IPsec tunnels. It has to be made
> with RSN, IPsec ESP, and TLS. In fact, VPN isn't even used anymore at my
> university, which is to say it is dead. Because if my University stopped
> using it, that shit must be fucked. (My university is fairly technically
> inept, historically.)
>
> My university uses (gasp!) IEEE 802.11i RSN. No VPN. Take the protocols
> that are used for my university's wifi, which are standard in Windows
> Vista, and take out client authentication, and there's your OpenWireless.
> BAM! Literally, the only thing wrong with their wifi is the client
> authentication; because we want wireless to be open. The solution is not
> to disable RSN and pretty much use 1990s wifi tech then hack hack hack
> with OpenVPN on top.
>
> The solution is not more protocols, it's less. Like I said before, if BTNS
> WG wouldn't have bitched out then disbanded, we might have gotten
> EAP-BTNS, but EAP-TLS with a non-retarded TLS implementation would do
> nicely, too. ("I tried to connect to [Gmail, eBay, etc.], but it kept
> asking for an "x.509 client certificate"--I didn't know what that was, so I
> didn't connect to [Gmail, eBay, etc.] securely. I followed Bruce Schneier's
> advice and just disabled authentication and disabled encryption.") This is
> not simple. BUT! But it is the correct solution, and it is logistically
> possible because wifi clients won't have to install IEEE 802.11i RSN.
>
> And that's just 1. That's why smart people won't use OpenWireless. The
> other reason, reason 2, is more complex.
>
> You have a Bible in your house? Have you ever seen one? OK, do you have
> the Penal Code in your house? Have you EVER seen it in person? Don't
> fucking lie--you have never seen the law in person. California does not
> actually print the Penal Code, so I KNOW you don't have one. When you get
> over any confusion in that sentence, and gradually pass into outrage (that
> the government doesn't actually even print the fucking law--only 3rd
> parties do, and they sell it at exorbitant prices.) If you wanted a
> printed copy of the law (state law is what really matters, not federal
> law, because the FBI does not have HUNDREDS OF THOUSANDS of police
> officers like California does), not only would you have to be rich, but
> you would have to have a VERY large bookshelf. Notice how California put
> California law online? Yeah, they were fucking sued before they put the
> law online. The government, the legislature actually, had to be sued to
> put the law online. And California is far more open when it comes to law
> than say countries like the UK, where distributing the law is actually
> illegal (the law of the UK is copyright property of the Queen, and
> distributing copyright without her permission is illegal--pretty much the
> opposite of the US, where it's all public domain.) And the UK is FAR more
> open than its European counterparts, or any other non-European country.
> (At least they have their law online--if only to be so massive and
> unorganized as to be useless. Dammit UK! France and California codified
> their laws in the 1800s!)
>
> So the solution to people's fear about police kidnap--er, arrest, is an
> even bigger problem. Fix the technical solution first, and leave the
> problem of not being able to read the 200,000 sections of law in
> California (about 150,000 in the USC and 50,000 in California Codes), plus
> county codes and municipal codes (which are by default misdemeanor crimes
> in California--I don't know how many, but in Los Angeles County for
> example possession of a shortwave radio in your car is a crime--although
> very few people know this--LA County has 10,000,000 people BTW, and no one
> knows who runs the Government of Los Angeles County), another
> 20,000-50,000 regulations in the Code of Federal Regulations (CFR) and
> California Code of Regulations (CCR), federal Supreme Court decisions,
> federal appeals court decisions, California Supreme Court decisions,
> California appeals court decisions, and probably more levels of
> government, and figuring out what the law is to some later date. Yes, that
> problem is pretty big. Really: fix EAP first. Law is the never-never land
> of logic, and there are no such things as happy thoughts.
>
> --
> californiajack
>
>> This link caught my eye
>>
>> http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html
>>
>> My sense is that the push-back against fear of sharing wifi is both
>> technical eg VPN/VLAN and evidential, by which I mean if we can get to a
>> state whereby IP address is considered as an indicator of further interest
>> and not automatically proof of guilt then that offers an altogether more
>> easy/effective/comfortable proposition for mass adoption and availability
>> of openwireless.
>>
>> Guy
>>
>> On Tue, Nov 27, 2012 at 10:17 AM, Natanael <natanael.l at gmail.com> wrote:
>>
>>> CJDNS is not designed for these purposes. It is not like I2P or Tor,
>>> only routing is "dynamic". You'd need a VPN in place already or some kind
>>> of Dynamic DNS to create a link between the laptop/phone node and the
>>> home router node. It also doesn't provide internet access sharing on its
>>> own; in this way it resembles I2P.
>>> Den 27 nov 2012 11:09 skrev "Christian Huldt" <christian at solvare.se>:
>>>
>>>> Maybe we should take a look at cjdns?
>>>> Someone here knows something about it?
>>>> I'm not that well-informed, but it seems it should be able to deal with
>>>> a few of those issues...
>>>>
>>>> And I quite recently stumbled upon the term "WPA guest access", I think
>>>> it was in relation to coovaChilli...
>>>>
>>>>
>>>> http://cjdns.info/
>>>> http://en.wikipedia.org/wiki/Cjdns
>>>> http://www.reddit.com/r/darknetplan/
>>>>
>>>> Andy Green skrev 2012-11-27 08:24:
>>>>
>>>>> Hi -
>>>>>
>>>>> Sure, if you're able to flat out run open APs more power to your
>>>>> elbow.
>>>>>
>>>>> Most people sitting on a personal internet connection aren't in that
>>>>> situation and need something else to happen if they will participate.
>>>>> In terms of reach, it's those guys that are all around us and could
>>>>> make a huge difference.
>>>>>
>>>>> Calling normal people making rational decisions faced with legal facts
>>>>> in their locality 'cowards' as some are doing is not the right
>>>>> 'something else' to unstick them. If people have a more convincing
>>>>> idea for those people than what's being discussed about vpn, I'm
>>>>> certainly interested to hear it.
>>>>>
>>>>> -Andy
>>>>>
>>>>> Brad Knowles <brad at shub-internet.org> wrote:
>>>>>
>>>>>     On Nov 26, 2012, at 8:22 PM, Andy Green (林安廸) <andy at warmcat.com>
>>>>>     wrote:
>>>>>
>>>>>         But you're right, it adds a hurdle compared to just sitting
>>>>>         there with an unencrypted AP. But for consumers, the truly open
>>>>>         AP ship has sailed a while ago, they will no longer do it.
>>>>>
>>>>>     I think that there may be some places left in this world where we
>>>>>     could have truly open APs, but they are certainly few and far
>>>>>     between.  Nevertheless, I'm not willing to give up on that
>>>>>     possibility.
>>>>>
>>>>>     OTOH, I do think that the majority of people will either refuse to
>>>>>     run an OpenWireless site at all, or they will insist that it allow
>>>>>     only VPN-secured connections.  These people might be in countries
>>>>>     like Germany where there is clearly a very real legal threat, or in
>>>>>     places where the threat is less well-defined.  But the fear of what
>>>>>     might happen would still keep the bulk of the potential
>>>>>     participants away.
>>>>>
>>>>>     I see no reason why we should treat these two solutions as
>>>>>     mutually exclusive.
>>>>>
>>>>>     HTTP is not XOR with HTTPS.  Some sites will support one or the
>>>>>     other but not both, but most sites either allow both or already use
>>>>>     some mixture of both.
>>>>>
>>>>>     Yes, this can complicate things in the context of serving web
>>>>>     sites, but I don't think that necessarily has to be a problem for
>>>>>     us.  There are additional design considerations that need to be
>>>>>     taken into account, but I think we can handle that.
>>>>>
>>>>>     I should be able to provide a free entry point for
>>>>>     vpn-required.openwireless.org <http://vpn-required.openwireless.org>
>>>>>     and anyone who wants to connect to that network using a VPN-enabled
>>>>>     client should be able to do so.  But if you don't have a VPN-enabled
>>>>>     client, you would not be able to use my network connection.
>>>>>
>>>>>     If my neighbor wants to provide a free entry point for
>>>>>     unencrypted.openwireless.org <http://unencrypted.openwireless.org>
>>>>>     and take some extra risk (perhaps minimal, or maybe real), then they
>>>>>     should be able to do that, too.
>>>>>
>>>>>     --
>>>>>     Brad Knowles <brad at shub-internet.org>
>>>>>     LinkedIn Profile: <http://tinyurl.com/y8kpxu>;
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Tech mailing list
>>>>> Tech at srv1.openwireless.org
>>>>> https://srv1.openwireless.org/mailman/listinfo/tech


-- 
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
dan at eff.org
415 436 9333 x134
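The RSN-without-client-authentication setup that the thread keeps coming back to (WPA2/802.11i with EAP-TLS where only the AP presents a certificate, the method hostap calls EAP-UNAUTH-TLS) looks roughly like the following pair of configuration files. This is an added illustration, not a configuration from the OpenWireless project or from anyone on the thread. The interface name, SSID, certificate paths and the assumption that the client's wpa_supplicant was built with `CONFIG_EAP_UNAUTH_TLS=y` are mine; the option names are the standard hostapd and wpa_supplicant ones, and the `hostapd.eap_user` method keyword should be checked against the sample file shipped with your hostapd version.

```ini
# ---- /etc/hostapd/hostapd.conf (AP side, assumed path) ----
interface=wlan0              ; assumed interface name
driver=nl80211
ssid=openwireless-rsn        ; assumed SSID
hw_mode=g
channel=6

wpa=2                        ; RSN (IEEE 802.11i) only, no WPA1/TKIP
wpa_key_mgmt=WPA-EAP         ; 802.1X/EAP key management instead of WPA-PSK
rsn_pairwise=CCMP            ; each station gets its own pairwise key (PTK)

ieee8021x=1
eap_server=1                 ; hostapd's integrated EAP server, no RADIUS box needed
eap_user_file=/etc/hostapd/hostapd.eap_user   ; assumed path
ca_cert=/etc/hostapd/ca.pem                    ; assumed paths: the AP's TLS identity
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key

# ---- /etc/hostapd/hostapd.eap_user (assumed path) ----
# One line: any identity, server-only TLS. No client certificate is requested.
# *   UNAUTH-TLS

# ---- wpa_supplicant.conf (client side) ----
# network={
#     ssid="openwireless-rsn"
#     key_mgmt=WPA-EAP
#     eap=UNAUTH-TLS                          ; needs CONFIG_EAP_UNAUTH_TLS=y (assumed)
#     ca_cert="/etc/ssl/openwireless-ca.pem"  ; assumed path; pins the AP's issuing CA
# }
```

The security point this shows, and the reason the thread prefers it to WPA2-PSK: the pairwise key for each station is derived from a per-session TLS master secret, so another user of the same AP who captures your 4-way handshake has nothing to derive your session key from, which is exactly what a shared PSK fails to provide. Two caveats a deployer should keep in mind. First, with `*` as the identity and no client certificate the AP learns nothing about who connects, which is the intended open-access property, so accountability is no better than a plain open AP. Second, the client only knows it is talking to the intended AP if it verifies the server certificate; dropping `ca_cert` from the client block makes the connection accept any certificate, so a rogue AP broadcasting the same SSID would terminate the encrypted link instead.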