[OpenWireless Tech] The police came to the AP owner first, then sniffed the air to find real culprit

"Andy Green (林安廸)" andy at warmcat.com
Thu Jan 3 04:26:05 PST 2013


On 03/01/13 20:03, the mail apparently from californiajack at tormail.org 
included:
>> On 03/01/13 15:08, the mail apparently from californiajack at tormail.org
>> included:
>>
>>>> solutions in parallel without spending so much energy knocking down
>>>> other people's ideas, more progress will be made. That's not to say
>>>
>>> These are old ideas, and knocking them down is as easy as knocking WEP
>>> down. They are suboptimal, and people should be made aware of the HUGE
>>
>> What do you mean by comparing VPN to WEP, that it is insecure like WEP?
>>    It is not.
>
> VPN is a suboptimal solution like WEP. A (rather beautiful) hack, like WEP.

Words like "suboptimal" and "hack" are not adding anything to 
understanding the issues: they're, well, just, like your opinion, man. 
You haven't shown anything more optimal that delivers the same result 
and I don't agree it is a hack layering the encryption like that.

> The flaw in WEP was technical; practically it was painless. The flaw in
> VPN is practical and logistical vis-a-vis OpenWireless; technically it is
> rock solid.
>
>>
>>> weaknesses, in this case the weakness is primarily that VPN is a
>>> client-server solution, and asking all clients and all servers to
>>> implement it will end up in the same situation we are in now. The
>>> weakness
>>
>> SSL is a "client server solution" that has done great and has spread to
>> even computationally weak and inexpensive clients, hell even HTTP is a
>> "client server solution".  So is WPA / AP model itself.  Not sure what
>> insight you think it is bringing to the table to say that VPN is bad
>> because there are clients and servers.  It's already proposed that home
>> routers become the "VPN server" for the remote owner solving
>> provisioning and secure setup for VPN clients by doing it at his home
>> network as a one-off.
>>
>
> I'm saying VPN plain isn't needed for a baseline security. As I say, it's the

What exactly is "a baseline security"?

The major problem with offering open access points is the liability 
assumed by the AP operator for what the clients do with his IP address.

Only a clientside VPN solution addresses this critical point.  Since I 
do not see a resurgence of open, Internet-connected APs occurring unless 
something changes the liability issue, I think this IS part of any 
"baseline", whatever that means.

>>> really isn't a protocol one, but one of application. The proof is in the
>>> pudding: because VPN as a solution to wifi has already been recommended a
>>> long time ago, and no one uses it a decade later because it is impractical
>>> and hack-ish.
>>
>> Plenty of people use corporate VPN over unsecured Wifi, because it's a
>> very nice solution allowing the use of even hostile APs without
>> compromising ability to use content from the secure network safely.
>> Those are characteristics we can all benefit from.
>
> Plenty of people use [IPsec, Skype...] over unsecured Wifi, because it's a

That's a different subject: you claimed "no one uses [VPN] a decade 
later because it is impractical and hack-ish", and that's completely false.

>> The additional benefit above that is that VPN-only APs can decouple
>> themselves from responsibility for what that secure client traffic is,
>> since the AP IP is not used to get it from the Internet.
>>
>> Do you have a way to get those characteristics from a better scheme?
>> Let's talk about that if so.
>
> Uhh...? Which IP is used to forward your data to your remote, off-site VPN
> concentrator then? You can't just pick random IPs as your source address
> and expect them to route back; of course the AP IP (as you call it, I
> assume you mean a local network or router provided or recognized IP) is
> going to be used. At that point, the local hotspot still has the same
> "responsibility for what that secure client traffic is" as it did without
> your VPN or whatever other IP data you sent, VPN or HTTPS or whatever.
> They can never decouple themselves, the IP addresses are theirs, and you
> need their IP addresses to communicate with the Internet, including your
> VPN.
>
> I think you misunderstand Internet networking, or you have not adequately
> explained the scenario.

If I associate with an unencrypted AP using a VPN on my client, my VPN 
"server" is my home router box, and I bring up reddit in my browser: 
reddit just sees my home IP address in its logs.  If I post something 
bad like "xyz is a dumbass", an enraged xyz can get a court order for 
Reddit's logs and find my home IP and I get my no doubt well-deserved 
punishment for impugning the reputation of the dumbass.  There's nothing 
floating about to implicate the innocent AP owner who happened to be the 
first hop: nobody will pound on his door at 3am.

Do you see now that might help encourage AP owners to allow VPN-only 
connections from random clients?  Or, do you have a better scheme that 
delivers the same kind of result?

-Andy
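The "VPN-only AP" that Andy describes above (an open AP that forwards nothing from guests except traffic to a VPN endpoint, so that the AP's public IP never appears as the source of a guest's web traffic) can be expressed as a packet-filter policy on a Linux router. The following nftables ruleset is an added illustration, not code from Andy, the thread, or the OpenWireless project. It assumes the guest radio is `wlan0`, the uplink is `eth0`, and that guests may only use OpenVPN (UDP 1194), WireGuard (UDP 51820) or IPsec (IKE on UDP 500/4500 plus ESP); those names and the port list are assumptions for the example. Rules are scoped to the guest interface only, so the owner's own LAN is left alone.

```nft
#!/usr/sbin/nft -f
# Added example: VPN-only guest policy for an open AP.
# Interface names and the VPN port list are assumptions for this example.
flush ruleset

define guest_if = "wlan0"                   # open guest radio
define wan_if   = "eth0"                    # uplink to the owner's ISP
define vpn_udp  = { 1194, 51820, 500, 4500 } # OpenVPN, WireGuard, IKE, IKE NAT-T

table inet guest_vpn_only {
    chain input {
        type filter hook input priority 0; policy accept;
        # Guests may talk to the AP itself only for DHCP and replies to it.
        iifname $guest_if ct state established,related accept
        iifname $guest_if udp dport 67 accept
        iifname $guest_if drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Guest -> Internet: only VPN control/tunnel traffic is forwarded.
        iifname $guest_if oifname $wan_if udp dport $vpn_udp accept
        iifname $guest_if oifname $wan_if meta l4proto esp accept
        # Everything else from the guest radio (plain HTTP, SMTP, P2P,
        # and any attempt to reach the owner's LAN) is dropped.
        iifname $guest_if drop
        # Internet -> guest: only replies to tunnels the guest opened.
        oifname $guest_if ct state established,related accept
        oifname $guest_if drop
    }
}

table ip guest_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # The permitted VPN packets leave with the AP's public address,
        # which is the only thing the VPN server (not the final website) sees.
        iifname $guest_if oifname $wan_if masquerade
    }
}
```

Load it with `nft -f` on the AP and check with `nft list ruleset`. Two caveats a deployer would want: the AP's IP is still the source address of the encrypted packets, exactly as californiajack says, so the home VPN server (the remote owner's own box in Andy's scheme) sees it, but the sites reached through the tunnel see the VPN server's address instead. Second, the ruleset forwards no DNS, so the guest must know the VPN endpoint by IP or have it cached; allowing UDP 53 to a chosen resolver would let the AP's IP appear in that resolver's logs for the guest's lookups, which is a trade-off the owner has to make explicitly.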


