Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Security

Airports As Secure As 802.11b 137

Posted by michael from the free-upgrade-to-first-class dept.
INO_Fiend writes: "SF Gate is running a story about how at both Denver and San Jose Int'l American Airlines has been using unencrypted wireless to connect the curb check-in with the rest of their networks. They tested this by grabbing a laptop and hanging around the airport. I guess I might finally have something to do with a laptop and a WiFi card the next time I fly..."
This discussion has been archived. No new comments can be posted.

Airports As Secure As 802.11b More

Airports As Secure As 802.11b

Comments Filter:

  • Changi International (Score:4, Interesting)

    by Will Sowerbutts ( 91222 ) on Saturday January 19, 2002 @09:15AM (#2867876) Homepage
    Changi International airport in Singapore has free access to the Internet over 802.11b in large parts of the airport. They also have modules with a bunch of power sockets and RJ45 jacks in the center of numerous desks in case you're low on power or limited to wired Ethernet.

    Changi International rules in general, actually.

    • Re:Changi International (Score:1, Funny)

      by Anonymous Coward
      Just make sure you aren't packing any sticks of gum.
      • Or any porno magazines, encryption... (banned there as well)

        Come to think of it, you could leave out the 'subversive' Western newspapers as well, since Singapore is a 'single party system' which in other words implies that it is a dictatorship. It isn't as bad as some dictatorships, but it is still somewhat opressive.
        OTOH, their utopian ideals about improving their society are often quite pathetic, (like banning gum and pornography) while others are quite disturbing (like using corporal punishment).
        • > while others are quite disturbing (like using corporal punishment).

          Why is that disturbing? IT WORKS!!! It gives people that commit wreckless crimes that endanger other people WHAT THEY DESERVE!

          I think that's a fine punishment for rape, any crime involving a gun, drunk driving, and maybe other things (spamming? :-) )

          They have a very low crime rate there, and I bet corporal punishment is one of the reasons. Law abiding citizens that don't endanger others have NOTHING to fear.
          • Law abiding citizens that don't endanger others have NOTHING to fear.

            More specifically, people not *accused* of a crime have nothing to fear. Because law enforcement often makes mistakes, things like corporal and capital punishment often affects innocent people. That's why both are illegal in most developed nations, and the US is considered odd for still allowing capital punishment, and Singapore is considered odd for allowing both
    • sorry...late post, I know.

      Changi International rules in general, actually.

      Agreed. It is a fantastic airport. It's always a pleasure to fly through there. I have found, however, that the 802.11b access is quite lacking compared to, say, the Austin airport. First of all I could not find any way to connect using WiFi. No networks came up when I did a scan, even in "designated areas". Furthermore, when I went to the computer center to get some help they tossed me a plastic bag with a wireless card, a cd, and printed instructions. The instructions were pretty much for installing the drivers only ... no help on actually finding an AP, etc. Of course I had my own wireless card so hardware and drivers were not an issue. The help desk person didn't know anything about wireless access, so I ended up just plugging into the RJ-45, which admittedly was fine with me.

      I was only there twice in early january, so maybe the problems may have been solved, but accessing the wireless lan is not nearly as easy as when I am waiting for a plane in austin.

  • Oh well... (Score:1, Redundant)

    by jabapi ( 548478 )
    Everything's just as secure as the weakest point.

  • Great idea... (Score:2, Insightful)

    by ImaLamer ( 260199 )
    I guess I might finally have something to do with a laptop and a WiFi card the next time I fly...

    I'm sure you are breaking a large number of laws. If not, I'm sure some bills will be sponsored in your name!

    Please kids, don't try this. Messing with aircraft [anything] is a big no-no. Someone was on local TV once complaining about the airport noise level. This hillbilly said that he would shoot at a plane if the didn't stop going over his house. Stupid, stupid man. He was arrested and even served 3 days.

    Reminds me of this Gallagher joke: Why don't they just give the homes by the airport to deaf people?

    • Re:Great idea... (Score:5, Interesting)

      by swb ( 14022 ) on Saturday January 19, 2002 @09:38AM (#2867918)
      Why don't they just give the homes by the airport to deaf people?

      It's no joke. My brother is profoundly deaf and he says the deaf community is totally clued into both cheap, airport-proximate housing and high-wage airport groundcrew jobs.

      In fact, my brother works at the airport on the ground crew. When he first started his boss gave him a hard time about not wearing ear protection. My brother ended up showing him an audiologist report that indicated he needed SPL levels above 130 db just to get any registerable stimulus.

    • Re:Great idea... (Score:2, Interesting)

      by Wells2k ( 107114 )
      Reminds me of this Gallagher joke: Why don't they just give the homes by the airport to deaf people?

      What has always annoyed me are these people that build next to an airport that has been there for many years (some dating back to before World War II), then have the gall to complain a couple of years later about the jet noise they hear every day because of the airport that was there when they built their dream homes. If they didn't want the jet noise in the first place, they should have built somewhere else.

      Common Air Force bumper sticker: Jet Noise: The Sound of Freedom

      • Re:Great idea... (Score:2, Interesting)

        by swb ( 14022 )
        What has always annoyed me are these people that build next to an airport that has been there for many years (some dating back to before World War II), then have the gall to complain a couple of years later about the jet noise they hear every day because of the airport that was there when they built their dream homes.

        It was one thing to hear a couple dozen turbo prop flights a day in 1955. It's quite another to hear a jet engine every 3 minutes for an hour every other hour every day.

        And what qualifies as "close"? Most of the people that I know that bitch about airport noise live *miles* away from the airport, but because the fsck'n jets need 10-15 miles of low-altitude approach for landing and at least 10 miles of big-throttle thrust to get up far enough where they can't rattle the china cabinet, they're "too close".

        All airports should have a 15 mi buffer zone of industrial/shopping/non-residential BS around them.
        • Yeah, here where the Cincinnati-N.KY iNational is located, it's all industrial.

          I worked near there outside, and it was loud. There was only one house, because the airport bought the rest, and we always wondered who lived there.

          The people who complained however lived in Ohio, while the 'port is actually in Ky. It was because they were rich and thought that the flights should go over the 'lesser' neighborhoods. Thankfully no one bought that idea.
        • I doubt that they'll be anything like a 15 mile buffer zone around any airport in the near future. I personally have stopped noticing the noise from the airport here(here being, 2 or 3 miles north of Reagan National Airport). Of course its not the noise I'm concerned about, its moreso one of those damn things dropping out of the sky because the pilot is drunk or something.
        • You ever live under the concorde flight path? (Between Heathrow and Staines) - It used to be that everyone in my town had to stop talking between 9:50 and 10:00 every morning, as the sound level was too much to hear anything else. Sermons were interrupted, business was done in sign language, and radio shows may as well not have bothered.

          It's only a strip about a mile wide which is affected; I guess we're gonna have it again now that concorde is flying once more.
          • I thought concorde's waited until they were offshore to break the sound barrier.
            Are concorde's louder when flying at "normal" speeds?
            • No, they're louder when they've just taken off, and they're mustering power to keep themselves off the ground at low speed. It also means they're lower, and hence closer to you.

              It would be impossible for any government to allow supersonic overflights of urban areas by anything as big as Concorde - put it this way, the European courts just kicked out plans for night-landings in london on the basis of "right to a good night's sleep"

              Maybe I can sue the coffee company on that one ;-)
            • The flights out of Paris used to go supersonic above the Channel Islands. You didn't hear the planes before or after the sonic boom; it was just amusing to watch all the rich inhabitants getting angry as their expensive houses shook.
      • What has always annoyed me are these people that build next to an airport that has been there for many years ... then have the gall to complain a couple of years later about the jet noise they hear every day because of the airport that was there when they built their dream homes. If they didn't want the jet noise in the first place, they should have built somewhere else?

        There's a legal doctrine about that. It's called "moving to a nuisance". Basically if you move into proximity with an annoyance that predates your move it's your fault for moving there and you have no gripe.

        But enforcement of the doctrine in courts tends to be spotty in some places. Colorado and Oregon generally laugh such people out of court. But California seems to be the home of successful nuisance suits.

        This kind of thing happens to small private-plane airports all the time. Developer builds devopment next to one, and after the people move in they drive the airport out of business with suits.

        One such small-plane airport in Colorado came up with a great idea: After they'd gotten the suit laughed out of court, they bought up the fancy new houses that had been built next to their fence for a song. Then they put gates in the fence and ran driveways from the BACK of the carports to the taxiway. And resold the fancy houses at a significant profit to people with private planes - who NEVER complained about airport noise. B-)

        I understand several other small airports in similar situations have done the same thing, or even had developers build such houses deliberately, and there's now a term for such a development - "Air Park" or something to that effect.

    • Re:Great idea... (Score:3, Interesting)

      by mgv ( 198488 )
      Messing with aircraft [anything] is a big no-no

      I keep on thinking that you really shouldn't be able to mess with airplanes that easily. I mean, if a gameboy can bring down a 747, why don't they make the things a little more secure. Well, thats why they tell us to turn our electronic equipment off during a flight, isn't it? Although how you turn off your digital watch is beyond me.

      Anyway, I don't think that you would get access to the plane itself, just the airport computer systems. Which should be locked down fairly well I would presume, as most employees would have to have limited access only to the bits of the system that they were entitled to use, even if you could get onto the network itself.

      In fact, in a site as big as an airport, you would have to assume that the network was compromised from the start - after all, anyone could find a spare network port even before wireless. You couldn't provide security on the basis of physical network access limitations.

      Just because we have 802.11b doesn't really change alot in terms of security.

      My 2c worth.

      Michael
      • > Well, thats why they tell us to turn our
        > electronic equipment off during a flight, isn't it?

        Actually no. It's so that the flight crew has your complete attention in case of an emergency. That way, nobody is listening to his walkman, and nobody has his computer on his lap. It's essentially the same reason that you put your tray-tables and seat-backs up... so you can get out of your seat and run to an exit if there's a crash!
        • that may a supporting reason, but actually the primary reason is due to concerns about EMR interfering with the aircraft systems.

          eg, mobile phones: before they cracked down on their use, the pilots often would /hear/ phones negotiating with base stations in their headsets. (hold an active mobile near a radio or monitor sometime).

          so in addition to banning mobile phones (use of or switched on) on flights, they've also cracked down on use of any electronic gear to be safe.

          • Re:Great idea... (Score:2, Interesting)

            by mgv ( 198488 )

            Mobile phones are also banned because they had big problems in taking out a network if used in the air - especially the old analouge ones. They broadcast at full power all the time. With line of sight to most towers in a metropolitan area, they would take out a channel in every base station.

            If everyone rang as the plane was over the metro area ("hi honey, im coming in to land now, see you for dinner") then you can take out an entire cities mobile phone capability.

            actually the primary reason is due to concerns about EMR interfering with the aircraft systems.

            I still worry about this one. Really, they ought to shield their electronics better. It shouldn't be that easy to wreck the navigation stuff on a plane. Otherwise what is to stop a terrorist on a hilltop from aiming a parabolic dish at the tarmac? This is a critical concern now. Why board a plane to down it if you could do it with almost total safety from a distance?

            Michael
    • Actually as a deaf person...

      I can tell you that deafness does indeed heighten your other senses. Jets going over like that would feel like an earthquake.

      • *blushing* (Score:1, Offtopic)

        by ImaLamer ( 260199 )
        I didn't mean offense, it's just one of those silly things that Gallagher points out.

        I know from working next [literally] to an airport that it's like a train going by.

        While I've got you in the conversation, I know it's off topic, but can I get a brief impression of Cochlear Implants? Like what do you think of them.

        I watched the coolest thing on PBS about a family which was debating on getting one for their daughter. The family was all deaf, and they ended up not getting it for her. The brother of the father had a deaf daughter [or son?] that got one, and they were going back and forth about what to get. Really a great show.

        I think I wouldn't want to get one, but that is because I could see the deaf families point of view a little better. They wanted their child to stick with the culture, and the language that they are actually blessed to be a part of.

        Can I get your 2 cents? Feel free to e-mail me, I'm very interested in this subject. Seems like a great device, but not for everyone.

    • Re:Great idea... (Score:2, Informative)

      by JohnDoe031181 ( 548688 )
      "...I'm sure you are breaking a large number of laws..."

      Does this mean that you are breaking the law when you happen to overhear a conversation between two business men about an ipo and use this information to your advantage in the stock market? If people choose not to implement anykind of encryption or other security measures, albeit there aren't many available as of yet for this particular application, its similar to leaving the front door of your house wide open when you go to work. Surely if you are robbed, and the person responsible is caught, you'll at least get a funny look from the judge. Furthermore, if someone looks in your front door, are they breaking the law because they now know how your living room is decorated? Really....Fences only keep honest people honest...

      • Re:Great idea... (Score:3, Informative)

        by ImaLamer ( 260199 )
        This is cock and bull.

        First we are talking about a network related to airport security. If you argue with the Flight Crew you can be arrested by the FAA... this is pre-sept 11th.

        The open door thing? We aren't testing products or networks transmitting misc traffic. If you leave your door open you're stupid, but coming inside is still illegal. If somoene looks into your front door... that is legal. Cops can do this to provide a weak search.

        Being that the reporters haven't been arrested, we know that it's ok to walk into the 'port and see if you can get on the network. But! when you start using that network to browse the web, or shift data to make it look like you are boarding the plane with your bomb....

        I mean, if you are going to use someone else's argument... know what it is. The argument you are trying to use is about port scanning and the like, not abusing the private network of an airline. Last time I checked that was 100% illegal.

        If I dial into Microsoft that's ok. If I connect and download the source to XP... thats' not. Even if I just want to use them as an ISP, it's illegal.

        Just because you left the door open doesn't mean you invited the neighborhood in.
        • You're argument builds on the assumption that there is no security measure in place whatsoever. Really....who invests in a wireless LAN on that magnitude and dosen't implement a firewall? Do you really believe that people are going to be able to walk in with an 802.11 card and just start downloading porn? Possible, though not likely.

          Also, who said anything about using their network for malicious acts? Not I.

          The argument I was aiming for was that although the actions are legal, how can one transmit data in the open air with no security policy whatsoever and point fingers when my laptop happens to snag the packets? I believe that eventually, when more and more of these cases go to litigation, judges will begin enforcing the laws proportionately to the amount of effort an organization puts into protecting its own interests. Thats all....

          • You're argument builds on the assumption that there is no security measure in place whatsoever. Really....who invests in a wireless LAN on that magnitude and dosen't implement a firewall? Do you really believe that people are going to be able to walk in with an 802.11 card and just start downloading porn? Possible, though not likely.

            I though your argument was as long as the door is open..?

            Also, who said anything about using their network for malicious acts? Not I.

            No, you don't have to do anything 'malicious'. As soon as you realize that you are on their network... which is closed, you've broken the law. It's that unauthorized access part that gets ya'.

            Really, it doesn't matter if your root password is one of the classics. Hell, doesn't matter if you have it set to let anyone in... if you don't want them on, then they shouldn't be.

            Airports are a major concern because the potential problems. If you are there collecting packets, then you are knowingly breaking the law.

            You can't claim that the data is floating there waiting to be taken, or that it's a free network, it's not. All they have to do is put up a sign: "Use of 802.11b Cards In This Terminal Is Not Permitted" They are covered, like when you see the 'lost or stolen sign'.

            Get it? Terminal?

            I'm tired. But all in all, they should do a lot to prevent access. Is the reason why they are so open because they were using the technology before it became widespread? I don't know the timelines.
            • You are absolutely right.

              Do you at least agree with my assumption that judges will change the way cases are ruled in the near future due to current judges realizeing they've been dead for years and getting replaced by current technology...

          • who invests in a wireless LAN on that magnitude and dosen't implement a firewall?

            Someone clueless. Someone with no mental model or theoretical understanding of how all this technology works. Especially if the shiny box says on the outside that it is secure. It helps if this bullet point is printed in bright colors. If your superiors believe you and trust you, then they sign off and spend the money.



            ...how can one transmit data in the open air with no security policy whatsoever...

            Everyone always has a security policy. It is not possible to not have a policy.

            Your policy may be that everything is wide open with no security. But then that is your policy. You have a policy, even if it isn't written down. If you didn't plan a policy, then the very implementation of your network and how you designed it is the expression of your policy. If the policy is unstated, that doesn't mean it doesn't exist -- it merely has never been stated. But you still have a policy.

            Stating a policy doesn't mean you have to write it down. When you begin designing a firewall, even a set of iptables rules on your box at home, you have a policy in mind as you write the iptables rules -- even if you don't think of it in such terms. This is true even if you never made an actual design step of first stating your policy (not necessarily writing it down).

            I would have stated it as: how can they have a policy of allowing unencrypted (and unauthenticated?) data to be transmitted in the open air? Or as: do they know that their network probably violates their security policy?
      • Does this mean that you are breaking the law when you happen to overhear a conversation between two business men about an ipo and use this information to your advantage in the stock market?
        Yes it does! Once you overhear the conversation, you are in possession of inside information and are not supposed to take advantage of it. Make a big enough purchase or sale, and the SEC will come knocking at your door...

  • Las Vegas airport (Score:3, Informative)

    by Anonymous Coward on Saturday January 19, 2002 @09:37AM (#2867917)
    It's not wireless, but the Las Vegas airport has these open Ethernet ports in the floor. You can walk up to them, plug in an Ethernet cable, and start prowling around the network (sniffing, going out to the Internet, etc.).
    • how would you get an IP address? DHCP?
    • have you actually tried it?

      just because there's a socket doesn't mean it's actually plugged into anything at the other end.

      lots of places have sockets, put they still have to be patched into the switch/hub before they DO anything...

      it's based on the realization that you don't know where you will want a computer 5 years down the road, so you make it easy to hook them up later anywhere and everywhere.

  • True in dallas too (Score:5, Informative)

    by Kevinv ( 21462 ) <.kevin. .at. .vanhaaren.net.> on Saturday January 19, 2002 @09:40AM (#2867924) Homepage
    I accidently connected to an AA wireless network in Dallas. This was way before 9/11. At first I thought it was a freebie for exec flyers, once i realized it was their business network i disconnected.

    they had a dhcp server that assigned ip/dns to anyone that connected.

    didn't even think about it again until i read this article.

    • Re:True in dallas too (Score:3, Interesting)

      by King_TJ ( 85913 )
      Yeah, and what really gets me is the difficulty in implementing basic levels of security in the wireless devices, even when it's "supported" in their firmware!

      EG. I have a Dell-branded residential gateway over here. It's really a Lucent RG-1000 though.
      Despite reading for quite a while now that "Lucent supports the ability to restrict wireless access based on MAC address of the wireless NIC attempting to connect to it." - I couldn't ever find this option in any of my setup software.

      Knowing that Dell might not have the best setup software around, I went to Lucent's site and downloaded their latest firmware and setup program. Got the firmware updated ok, but nope - still no MAC address options anywhere. Waited a few months, and saw yet another new firmware update. Tried again, but nope - still no MAC option.

      Finally, I grabbed a freeware utility called "FreeBase" for Windows, which said it could program all Lucent wireless gateways. At last, there was the option to add MAC addresses!

      Judging by all the searching and experimenting I had to do to add a security option to my own gateway at home, it's no wonder the airports are having problems.

  • funny title (Score:2, Redundant)

    by crayz ( 1056 )
    Apple's implementation of 802.11b is called "Airport". So I wasn't too surprised to read that Airport is as secure as 802.11b
  • Wonder if you can surf the net from their internal network? Beats paying for any of those overpriced kiosks
  • Airports are as secure as... I thought they were talking about Apple Airports (those funny round things). Still kinda cool, unless the airports get hacked.
  • "American Airlines spokesman Gus Whitcomb said that Luster and Comerford exaggerated the security risk because their companies provide security services. " Yeah right.
    • How come that it is always what they say when you prove that you can break in...? You actually have to do some real damage for these people to wake up, and obviously, you can't.

  • My experience (Score:4, Informative)

    by Anonymous Coward on Saturday January 19, 2002 @10:35AM (#2868054)
    Sorry, I am posting anonymous.

    The airline that I worked at (until just after 9/11) had a similar setup. An average sized hub airport probably has roughly 1700 things with an IP address. To help out, I used a machine with arpwatch to help keep track of what was running and to monitor changes. About 5-15 times a week, I saw non airport workstation names and mac addresses of nic's that we did not have. Luckily we did not have anything with a DHCP server running or everyone of these computers would have fit right in. We had coverage at every ticketing area and every gate, not hard to get a good signal.
    My purpose is not network security, only an installer and maintainer of the network and systems, so I made note of our insecure wireless network to our networking group and got nothing back. When I had left about a year after bringing this up, nothing had changed. With so many levels of IT support and groups of people protecting their specialized interests at the company, it was nearly impossible to find someone that could step back and look at more then what they were currently responsible for. I guess we needed a "wireless network security" position before anyone would care to address this.
    I don't know what you would do once on the network. Sure you could sniff around but I doubt you would get anything useful from the scheduling and ticketing part of the traffic.
    • No, but you _could_ sniff and figure out what IP ranges they used, then guess an unused IP in range. Most places don't have in-house firewalling or anything (THEY SHOULD between wireless and rest of net) so you could just jump on.
    • Ehh... ticket spoofing?

      You should really let the FBI know about the details.

  • Just because it is insecure at the wireless level, doesn't mean its insecure at the check-in level.

    After all, if they have a firewall, and the wireless is on the public side of the firewall, then it should be pretty secure- the check in desks would have to use tunnelling to connect, but that can be arbitrarily well encrypted.

  • I am working for airport Check in IT branch (Score:3, Informative)

    by aepervius ( 535155 ) on Saturday January 19, 2002 @10:46AM (#2868081)
    It is a big firm in Europa. AFAIK we do not use the above mentionend standard but we use another standard for baggage check in and baggage follow up. The system is so complex that even *us* the programmer have sometimes difficulty with it. The hic is the following : would it be worth for a terrorist to learn the system when they can get it easier to fake the control band of the baggage with the so called "bag tag" (simple paper a serial number and a code bar) or have an insider in the baggage loading worker team. On the other hand 6 monthes ago I would have said "terrorist learning to fly a plane to pill it into a building ? Unprobable. They could do things in a far easier way than such a long term plan.". So maybe we have to starts worry...
  • I thought that was one of the things that the new regulations after 9/11 got rid of.

    Either way, I'm sure those systems have additional encryption a few layers up. No sane persion trusts WEP. Even if the net isn't encrypted at the wireless level, it only matters (and is better) if it's encrypted a few layers up. (IPSec, SSL, or the like.)
  • Well, I don't know much about cryptology, but I figured that if you use symmetric cipher, and the keys are distributed based physical contact between the devices. Then, you only allow devices to connect based on signatures made with the keys that have been in physical contact, would that be feasible?

  • Unencrypted and secure (Score:3, Informative)

    by LinuxHam ( 52232 ) on Saturday January 19, 2002 @11:39AM (#2868238) Homepage Journal
    Drexel University does a great job of securing their otherwise unencrypted wireless traffic with a VPN [drexel.edu].

  • Gotta Love it... (Score:1, Interesting)

    by Anonymous Coward
    They have a vested interest in trying to make mountains out of mole hills to drive up demand for their products

    In my experience, the folks responsible for implementing wireless have no clue of the risks. When confronted, they go back to their wireless vendor and pose the question, the vendor responds with a load of BS they can't comprehend and because they have no idea what has been said, it must be secure.

    Groups charged with security often don't get their hands dirty with this - they are too busy changing passwords. Mention 'airsnort' and it usually is followed with a blank stare.

    Auditors can check physical network security which now includes wireless. For the airlines under 'wartime', this should be mandatory - but it probably won't be...

    Denial isn't just a big river in Egypt

  • a note about denver (Score:2, Informative)

    by anwnn ( 246920 )
    denver has a wireless network setup throughout the airport. there's no password to get on the network, however if you try to browse the web, etc. you'll run into their proxy which will prompt for a username and password.

    it's quite easy to guess their user and pass combo, just think about what they used when they had to "test" the network.
  • In the US, at least,NOW is not the time to be screwing around at airports with ANYTHIN, never mind ANYTHING you do Illegally at an airport CAN be considered a FEDERAL offense.

    Im as much of a guy that would throw an 802.1b card on my laptop and scan with it as the next slashdot geek, BUT there is a time and a place for all thing. The Airports and airlines should be notified, if they dont rectify it then take the next step, we got maniac bastards with shoe bombs trying to drop this stuff out of the air, YOU might not see anything of use, but not many Slashdotters are terrorists. They may, It needs to be secured, I fly and more importantly my FAMILY flies.

    There is a time and a place for fun and screwing around with stuff. An Airport isnt the place and this isnt the time, Would you wack a beehive in a closed room for the fun of it ?.

    Hell If I was in charge of Airport security, after seeing this I would set up a honeypot and get ahold of a 200 dollar rdf and start nabbing anyone that tried this, thow em up on federal charges and let shit lands where it may.

    I KNOW its insecure an it need to be fixed, be fucking responsible for once in you life and do something responsible with that info, like find the person in charge and let them know, give them resources they obviously dont have to get it fixed. Your a Geek heres you chance to do something that actually might matter.

    Next time you mom, or dad, or brother flies think, he I hope theres a bunch or dipshits sitting around the airprt sniffing stuff they have no business, GOD know the potential hazzard that exists here for bridging networks to something OTHER than Curb Check in.
    • Does anybody read the articles? Aparently not...

      Various people at the airlines were notified about this. One answer - the people saying that this is a problem are trying to make a buck because they work for security companies. The right people are being notified, they're just ignoring the problem.

      If I turn on my laptop in an airport, and I happen to have an 802.11b card that picks up a signal and then receives an IP address from a DHCP server I'm sure as hell not at fault. Unless somebody wants to make turning on a computer in an airport a crime.

      It's called security, apparently the airlines think the National Guard troops carrying the M16's will stop this threat too.
    • For an airline, to leave their wirless network at the airport completely unprotected is grossly negligent. This is something that you don't need to "deliberately hack into"--my wireless card would connect to that network if I turned on my laptop near one of their base stations. What do you propose now? Arrest anybody who turns on their laptop in the airport?

      It is your kind of attitude that is responsible for the security holes that allow terrorist attacks in the first place. Airlines and airports must fix these problems preemptively. Apparently, they are unwilling to pay what that costs in this competitive market. It takes a big bang or public relations disaster to have them act decisively. If the people who found this problem just spoken to someone "in charge", nothing would have happened.

      The temptation to haul anybody in on federal charges who does something that might be suspicious is unacceptable. We live in a free society, and lots of people will do things that are harmless but that my strike someone as suspicious. As in other areas of security, it's foolish to assume that the bad guys will have less knowledge than the general public, and it's foolish to assume that the bad guys won't have the resources to find the security problems easily and with low risk of detection. If you arrest everybody who appears to be trying to discover holes in your security systems, you'll mostly end up arresting harmless and you give police the tools to arrest anybody at their discretion; just about any activity can be construed to be suspicious. That's called a police state. Maybe that's where you want to live, but I don't. As far as security is concerned, the "get-tough" approach is a cop-out for companies that don't want to pay the money necessary for doing security right. It gives the appearance of security without delivering actual security.

      Companies that have such security holes should get stiff fines, retroactively and for as long as the security holes persist. That's the only way to force them to invest the money up-front necessary to make their systems secure. And if that isn't sufficient, there needs to be federal regulations specifying rules and requirements for things like networking, screener training and salary, etc. People who discover security holes should be left alone (unless they try to take advdantage of them to do something illegal, of course).

    • do something responsible with that info, like find the person in charge and let them know, give them resources they obviously dont have to get it fixed.

      That's probably the best chance you have of getting yourself arrested: telling an airline employee you just accessed their private network without authorization.
    • Since various airlines have been notified about
      this and have done nothing so far, I would propose the following:

      Have a computer savy individual hook up with a reporter.
      Have them go to the airport together and sniff the net.
      Capture a bunch of data, go back to the office, and write an article about it.

      I bet something would be done about it then.
      I would involve a reporter so they have a tougher time portraying you as a terrorist or criminal.

      Someone sitting at the coffee shop working on their laptop would not look out of place.

      Perhaps people would argue that you are alerting terrorists to this possibility.
      But, it is already posted here on /. and I would not want to trust MY family's safety to
      "security by obscurity".
    • Hell If I was in charge of Airport security, after seeing this I would set up a honeypot and get ahold of a 200 dollar rdf and start nabbing anyone that tried this, thow em up on federal charges and let shit lands where it may.
      First of all, Airport security has been stretched to their limits. The majority of these people are minimum wage employees. The managers are slightly above that. They are probably not educated enough to even know what a honey pot is. Secondly, why put in the money and resources to setup a honeypot rather than fix the problem in the first place? A great deal could be done by setting up encryption on the WiFi cards. People will say that encryption is not hack-proof..but 128bit encryption is better than 0 encryption. Also, if you make people have to hack the encryption, they are then knowingly and willingly committing a crime. As it stands, it's hard to tell who is committing a crime and who is just stumbling onto the network.
      I KNOW its insecure an it need to be fixed, be fucking responsible for once in you life and do something responsible with that info, like find the person in charge and let them know, give them resources they obviously dont have to get it fixed. Your a Geek heres you chance to do something that actually might matter.
      The article actually says that the people in charge were informed but their response was "American Airlines spokesman Gus Whitcomb said that Luster and Comerford exaggerated the security risk because their companies provide security services." Since we're all geeks, we know that when there is an unsecure system, it is totally negligent to keep it up unsecured. They took down the curbside checkin system for approximately a month after 9/11, but put it back up in late October. This is just another of many vulnerabilities within the system.
    • Apparently from what your responses were, I did not make my intent clear, I AGREE , ALMOST 100% with what all of you are saying, I agree.

      My original post was meant more as a warning than ANYTHING else.

      The POTENTIAL for disaster here is enormous, your right it shouldnt be there. THINK of the systems, youve ALL seen networks that were so horribly configured as to allow bridge access to systems you should have NEVER been able to see, let alone due to their importance , never be on that network in the first place, but they are, and there is access at times.

      If this is know,and it hasnt been fixed, the RIGHT people dont know, that is what I am saying, the PEONS might not care, but their bosses do, or the regulators but I guarentee they didnt go to their bosses and say "Hey I screwed up th original install now it swiss cheese" INFORM it anonymously, I know the FAA, if there was ever a more hell bent on regs govt unit this is it. If the right people ther BELIVE this is a threat in ANY way to Air Saftey, they will pull the plug on it soo damm fast youd get whiplash watching.

      Your 18 years old and have a buddies laptop an WiFi , This is TRULY worth having a FELONY on your record to dick around with, Ok, guess what FELONS cant VOTE.

      Im also not saying let them know the source, this would be stupid, as some have said this is probably the fastest way to get arrested youself.

      The comment I made about "If I was Airport Security" was , think for a second filp roles, FEAR is one of the best detterents. In germany at Frankfurt Airport I saw 2 airport security guards beat a guy within an inch of his life just because he made a snap ass comment to them, then they let him go, litterally crawl away., This was my first trip to Europe and Germany, 1987. NOW I can tell you Myself and my Brother were scared shitless of the cops, we mided or business, and had a lot of fun. In france we let our hair down a little, my brothre was on the other end of the police beating this time, the rest of the 6 weeks in europe even HE was shall we say on his best behavior.

      Security through obscurity , no dosent work, detterence through FEAR does, and if I were in charge thats what I would use as well. NOONE here can tell me FEAR of CONSEQUENCES isnt a detterent.
      SOOOOO, If YOU were in charge of airport security and hauled a couple of sacrificial lambs up by piano wire, I BET you'd have a hell of a lot less script kiddies messing with the lan, not a solution , but less is better.

      And WHY Cant I exceed 250 damm pounds under FAR part 103 ????? (Thats just a mior bitch, I can tell you its unsettling at times to fly an aircraft that you weigh more than. *NOTE This has nothing to do with the above parent article :)
    • PLEASE stop CAPITALIZING random WORDS! Thank you!
    • Get a grip. A cornerstone of our criminal justice system is that "criminal" acts require an overt act known to be criminal, or at least reasonably expected to be so.

      What this means, in practice, is that every door into an airport is clearly marked. It's not a crime to walk through an unmarked door. Walking past a door clearly marked "authorized personnel only" is a different matter.

      Now look at this "problem." Computers with wireless LAN cards will automatically try to establish a connection... and these airports are offering these connections complete with DHCP and DNS services. They know that this will happen automatically whenever the owner turns on the computer, yet they've taken no action to restrict access to their system or warn travellers to avoid using their computers.

      Yet you want to send the police to arrest these travelers for felonies - attempts to interfere with airport operations - for doing nothing that isn't routine in countless other places.

      Worse, as some other posters have pointed out these networks can often be accessed from outside of the main terminal. A business traveler may innocently turn on his laptop in his hotel room and inadvertently connect to the airport network - and it's *his* fault for failing to anticipate this problem?

      If somebody is there and clearly trying to compromise the system, throw the book at them. But if an airport just has lax security, direct your anger at the airport/airlines, not the innocent travelers.

    • Hell If I was in charge of Airport security, after seeing this I would set up a honeypot and get ahold of a 200 dollar rdf and start nabbing anyone that tried this, thow em up on federal charges .



      So, let me get this straight... If you were in charge, then instead of fixing the holes, you would concentrate on throwing people in federal prison, for being bright enough to notice and point out the security flaws you had failed to notice. Good plan. Don't let anyone question your security.

      In fact, this story was a good way to highlight the problem in a prominent enough way to actually get something done about it. If we threw these people in jail then nothing would be done and the security hole would remain !

      --
  • So, let me see if I have this right. The US Government's great idea to prevent terrorism is a system to ensure that you can't check you bomb filled bag onto a flight and then go home?

    I am continually amazed by how backward the USA is sometimes. Here in the UK we have had this system for as long as anyone can remember. That is why then you check-in at Heathrow they ask all those tedious questions about if you have been given anything to carry and if anyone could have messed with your luggage. If you don't turn up at the gate, they literaly search through the hold and take your bags off. This of course can take ages!

    Some years ago a terrorist made friends with a presumably not terribly bright girl and persuaded her to carry a bag on an El Al flight for him. Fortunately, a security guard thought the bag looked suspiciously heavy and found the bomb in it.

    • The us airlines would do this for international flight, but I guess they thought it was too much hassle for domestic flights. After all, no-one had tried to blow up domestic us flights by leaving bombs on board.
    • I was under the impression this was already being done (pre-9/11). Whenever I checked in for a flight I was always asked the standard litany ("Anyone ask you to carry anything? Bags out of your sight?" etc.) and there were numerous occasions that we waited at the gate for someone to either show up or their bags removed from the plane.
      • No it wasn't done prior to 9/11. I missed a connecting flight from LAX to SFO and my bags flew ahead of me. I was astounded. I suppose the bags had already travelled from Sydney. However, you do regain control of them in LAX before you put them back on to a conveyor belt.

        In Australia, planes are often held up because people haven't shown.

  • So IOW... (Score:2, Interesting)

    by Max Threshold ( 540114 )
    ...a cracker with the know-how could theoretically check their own luggage.

    That's nice.
    • No, a cracker with the know-how could check a bomb filled bag as yours. Your bags get on, his bag gets on, you get on, the plane takes off. He's in the airport bar waiting for the news to give him a pat on the back. Just because you can't come up with every way to decisively exploit every security hole doesn't mean that someone else can't. Remember that the 9/11 terrorists were more educated than our airport security people need to be.

      The day the baggage matching started, CNN had a guy to take a morning flight to document all this. No muss, no fuss, but his flight was cancelled because of maintainance issues. He didn't even get on the plane, the plane never went anywhere, but his bag made it to his destination. There's matching for you.

      Another loophole is that you can get off at a layover and your bags will continue on their merry way. That probably means you can miss your connection but your bag will make it.

      I'm sorry, I forgot that airports are at their most secure ever now, thanks to the Army National Guard!

  • Practical usage? (Score:2, Informative)

    by MoneyT ( 548795 )
    While the network may have been viewable is there really a practical application to this?

    All baggage checked at curbside is simply registered witht eh flight recorder saying that this bag is here, this is how much it wieghs. The only possible thing I could think of doing with access to the wireless net is removing a bag from the list, but what does that do?

    Since all bags are also scanned (espesialy since 9/11) after they've been checked, it seems to me that hacking the curbside checkin is completely useless. In order to be effective, a terrorist would have to physicaly have and item on the plane. And that would be possible regardless of whether it was done curbside or at the counter. Personaly I don't see a big issue here, but they should be using at least the basic encryption (I know the airport software as basic encryption, I would assume the oher stuff does)

    -Tevis
    • Since all bags are also scanned (espesialy since 9/11) after they've been checked

      No, they aren't. Airlines haven't invested in X-Ray machines for checked baggage, and where they have, they mostly haven't put them into use due to the "prohibitive" costs of hiring and training personnel qualified to operate them.

      The new airport security measures are a sad Dostoyevskian joke.

    • Re:Practical usage? (Score:2, Insightful)

      by Tazzy531 ( 456079 )
      How bout this scenario: A terrorist checks a bag with a bomb within. Then uses the vulnerability to delete the log that he checked it. Since a number of airlines haven't invested in xrays and there might still be some holes in the check-in system, it gets through and there is no log of which bag actually contained the plane.

  • Computerworld coverage (Score:2, Informative)

    by randolph ( 2352 )
    There is extensive coverage in Computerworld, here [computerworld.com].

  • San Diego (Score:2, Informative)

    by althalus ( 520424 )
    While staying at the Sheraton for the Open Source Convention/Perl Conference last year, I tried getting on to the local wireless network provided. Great during the sessions. The only problem was our room was at the far end of the hotel by the airport. Couldn't get a peep from the conference network out there, but I got an IP and DNS from the airport, and a great connection at that.
  • About two months ago I was at Denver International Airport and I decided to plug in my Wi-Fi card (SSID: "Denver Int'l Airport", no WEP). I was able to get an IP address from their DHCP server but any attempt to access the web redirected me to a generic username/password entry screen.

    I figured they were going to offer a for-pay service to business travelers. It's alarming that they would be using this for actual airport services!
  • Now that airports know that anyone can get on to their lans, it's now a free service...

Slashdot Top Deals

Get hold of portable property. -- Charles Dickens, "Great Expectations"

Close