Detecting Wireless LAN Users 209
technosavvy writes "With wireless home networks and applications like NetStumbler becoming so popular, it's surprising that there are so few consumer-oriented applications that help monitor who is connecting to your wireless network. Bob Brewin of ComputerWorld lists three tools with this purpose in mind in his article "Tools for detecting rogue wireless LAN users"." I just like running etherape.
Wireless Lan is still in it's infancy... (Score:2, Insightful)
Re:Wireless Lan is still in it's infancy... (Score:1)
Most wireless LANs can be found in places like Starbucks, shopping malls, and airports.
I don't know about you, but I don't expect the idiot who can't understand what a latte is to properly configure a LAN firewall.
Re:Wireless Lan is still in it's infancy... (Score:1, Redundant)
I don't know about you, but I don't expect the idiot who can't understand what a latte is to properly configure a LAN firewall.
I set up and maintain firewalls and wireless networks, but I don't know what a latte is... Mind you I could find out fast enough, I'm just not the coffee type. :-)
Not a complete solution (Score:4, Insightful)
Re:Not a complete solution (Score:2)
NetStumbler for Linux??? (Score:4, Informative)
Re:NetStumbler for Linux??? (Score:1)
URL was *close*, but no cigar. (Score:1)
Kismet is wonderful... AND undetectable. (Score:2)
Interesting little thing about Kismet - Apparently Netstumbler is not entirely passive (Otherwise it wouldn't be detectable). Unless your driver is bugged or you have an unsupported card, Kismet is purely passive. Even better, while NS only works with Orinoco (and maybe Aironet) cards, Kismet works with Prism2 cards.
That said - With the exception of the last of the 3 utilities, most of them seem to be pretty similar to Netstumbler.
Apparently Kismet currently (for whatever reason) seems to ignore Netstumbler packets for some reason, but this is considered to be a bug. Implementing Netstumbler detection is apparently not far off.
Re:Kismet is wonderful... AND undetectable. (Score:2)
Been using Kismet for a few days and it's *great*, other than the fact that the -L option to gpsmap (labeling) is busted.
I HATE the Slashdot Affect (Score:1)
Personally... (Score:3, Interesting)
Re:Personally... (Score:2)
Basically, I don't recommend deploying wireless to any type of network that you care about. Its just not there yet.
Re:Personally... (Score:2)
Maybe not basic wifi. If you don't mind locking yourself into a single vendor, Cisco has some extensions that are supposed to fix the worst flaws in WEP.
It would be foolish to put complete trust in its security, but the same obviously goes for wired networks.
Re:Personally... (Score:1)
Re:Personally... you'd pick socialism. (Score:1, Troll)
John Stossel has shown on his 20/20 TV segment that cities make things WORSE when they run it. Privatize the city water system, and you get cleaner water cheaper. End the city's monopoly on cable TV providers, and you get competition.
Get the phone company out of city regulation, and you get competition.
The same is true over and over and over again. Some cities in foreign countries have been privatizing the roads (so you only pay for what you use, rather than distribute it to people who don't even use the roads), and have seen wide success in those ventures.
I don't want the city controlling anything, especially my data. This idea is frightening to me, and I'd gladly vote with my feet if something like this happened.
Re:Personally... you'd pick socialism. (Score:1)
Yes, implementing a WiFi infrastructure might be done cheaper, more scalable, etc, but compare to the NSF and the current Internet. The NSF put in the standards, and by implementing them, made the standards change je jure become de facto.
Look at all the different cell phone systems we have available to us... pretty great, huh? Except that they are incompatible with each other, have different coverages, and infrastructure is at least tripled to accomadate different standards without tripling the bandwidth.
I think competition is a great thing.. once you have standards in place, not as a knee-jerk reaction to getting the job done best.
Also, Cook county kicks Lake county's ass.
Re:Personally... you'd pick socialism. (Score:2)
The economics of utilities with large capital costs and large captive populations were worked out in the 1880s. The conclusion then was that either a government owned utility, or a highly regulated private monopoly, was the best solution. I don't know of any fundamental law of economics that has changed since then.
sPh
Re:Personally... you'd pick socialism. (Score:2)
Of course they'll find an economist who will say allowing them to run an industry is the most efficient way to do things. Funny thing though how Standard Oil was broken up even though they were the most efficient producer...
An amusing anacdote is that this same agenda had been used by Microsoft to justify its "self-normalizing monopoly" claim. E.g. operating system costs spread over all PCs are lower with a monopoly, and there are no compatibility issues. In a sense, you can see the argument if this economic cost/unit objective is the only criteria you use.
However, there are other consequences, political, economic, behavioral, etc. Monopolies have a slight problem with ending up unaccountable. Fantasies of government regulation aside, the regulators quickly normalize to either being in the monopoly's pay, or get replaced by pro-monopoly officials. Or you'll have scenarios where the regulators control the power and grow their monopoly through special deals with select associates, kickbacks, etc.
Look at the status of both US political parties - both are nearly identical in that they're run by large organizations pursuing dominance in their industry/sector. It doesn't matter if its a union, a fortune 1000, or an industry association, the motivation is the same (and so is the corrution). Enron, RIAA, AFL-CIO, Global Crossing, NAB, etc.
As any honest German will tell you, efficiency shouldn't be your only objective.
*scoove*
Re:Personally... you'd pick socialism. (Score:2)
You can't have competition in Roads. It's not like there are going to be 6 functionally identical roads all going to the same place. so the 1 road that does go there will charge a 100$ per car toll. And you either pay that, or you drive 250 miles out of your way to go around the countryside to get to where you are going. That's not competition.
There's also no motivation to improve the road if there isn't an alternate road people can take.
Kintanon
Re:Personally... you'd pick socialism. (Score:2)
Privatizing some things doesn't make sense: it's too hard to separate out the costs and benefits, too hard to prevent local profit-driven corruption, too hard to do anything without creating a less-efficient regulation regime which is government in all but name.
Give it up.
Ummm.... (Score:3, Informative)
The only service that can't be stolen is free service, and there simply isn't such a beast. Hell, even roads aren't free. If you have an unregistered car (and thus, have paid no taxes), you can't legally use the road.
Re:Ummm.... (Score:2)
Unless you use a bike or walk. I think those are still legal even though one didn't necessarily pay car taxes.
Re:Ummm.... (Score:2)
(It was better in all caps... stupid lameness filter).
Actually... (Score:2)
Re:Personally... (Score:1)
Re:Personally... (Score:1)
Not that im for governmental inovlvement in our lives, but sometimes the general public cant do it on their own..
Re:Personally... (Score:1)
Re:Personally... (Score:1)
Re:Personally... (Score:2, Interesting)
The internet itself has been described as the great equalizer. Grassroots wireless networking has the potential to put one more bullet into the chest of inequality, and then the internet may begin to continue it's evolution from shitstream teevee/radio corporate fuckfest, to the greatest tool mankind has ever made.
Re:Personally... (Score:2)
Which should be fine as long as the owner of the property consents to this use (which it appears is the case), and the other owners of what you're using also consent.
Is the upstream Internet connection aware and consenting to this use? If they're not, you're no more than a thief.
The problem with free Internet that people can't seem to get around is that you've got some things that aren't free, such as:
- the engineers that run the networks you're travelling
- the fiber, cable, submarine cables, etc. that someone put in and maintains
- the switches, routers, servers, etc. needed to run service provider networks (last time I looked, Cisco wasn't giving their stock away for free)
I work my ass off and have taken one hell of a pay cut to bring cheap broadband to small towns. I'll be damned if some freeloader steals from my communities. Let him build his own damn network and pay for his DS3.
evolution from shitstream teevee/radio corporate fuckfest
Oh, you mean like the radiofrequency givaway both parties have sponsored in the US? Or the rule bending for corporate buddies like Clear Channel (psst... donate to our parties and we'll let you own all the radio stations in every market so you can fire the local people and pump canned crap sent via satellite)? Funny how the RIAA loves this - course, they have artist promo deals with Clear Channel too. No wonder radio broadcasting is so vanilla...
In order to fight institutional theft, you've got to recognize property rights and oppose all theft - what belongs to someone else ain't yours! Pay for it or get your own. Otherwise you're just another thief (on the losing side of the battle, as they've got better guns).
*scoove*
Re:Personally... (OT) (Score:1)
It may be a good idea in terms of lowering prices and increasing access (to neighborhoods that currently don't have any broadband options) but anything that's part of a city's infrastructure will be regulated as such. Not to mention that Big Brother won't have to go far to log and snoop on your browsing habits, etc. I can imagine way too much potential for abuse in such a scenario.
Re:Personally... (Score:1)
From the Lobbying side:
Who would pay Cable, DSL money for 384K when you can get 11M from the town? No one. So Cable and DSL and Powell's son will fight such an idea, tooth and claw.
From the Common Sense side:
Once Internet access becomes a government service and drives out the competition (see above) everything on the Internet becomes subject to political censoring.
No religious content: seperation of church and state. No porn, gotta protect the children. No commercial activity from users its a public utility. No hate groups, no hate speech, only politically correct speech.
Each town would build a Great Firewall of China around themselves like in South Park.
Your town could get around 1st amendment issues by saying that this is one of many ways to access the Internet and you are free to sign up with another provider. Only no other provider could exist in your town because it could not compete with a publicly subsidized system.
Don't get me wrong. I was thinking about a public utility wireless network the other day while looking at all the ugly cable strung up through my neighborhood. I would love for it to be a reality but the above causes me to doubt it would ever happen, or be a good thing if it did.
Re:Personally... (Score:4, Insightful)
Why do people think because they have an unmetered, always-on broadband connection they must use it flat-out all the time? I have a cable modem here and don't feel the need to be constantly utilising it to the max.
If I can draw an analogy to the broadband ISPs being similar to the water companies. In the UK, most domestic homes pay a flat rate for their water supplies, for this they have the ability to turn on a tap at any time and not worry about the cost. Fetching your e-mail, light web browsing etc would be the equivalent of washing your hands, flushing the toilet or filling the kettle in terms of demand. A large file download, e.g. the latest distro ISOs would be akin to running a bath, washing your car or watering the garden. A spike in demand, but the water companies ensure that the water pressure is sufficient such that other users in the area are not affected. Same as for the ISPs, they can cope with occassional high demands on the system. Now, imagine the situation if everyone decided to wash their car at the same time or all shared the same bath time, or decided to just leave their taps running because they can.
Heavy users of the water supply (domestic and commercial) are metered and charged appropiately for what they use so why should a resource like bandwidth be any different?
Re:Personally... (Score:2)
I'm pretty sure that's the idea behind Fax spam laws.
Kintanon
Re:Personally... (Score:2)
---snip
Because uses for water do not grow nearly as fast as uses for bandwidth. In enough time, _everyone_ will become a heavy user, so the flat rate model will quickly cease to be used.
Bandwidth:
Once upon a time, my 300 baud applecat modem was more than adequate for my needs and excellent for many phreaking tasks, if I ever needed to "borrow" some wired service from someone, or if I needed to wardial a prefix for carriers (change wired to wireless, change phreaking to launching netstumbler, change wardialing a prefix to wardriving/network discovery...alas, the words change, but...).
That modem could keep up with my typing. Having the results outputted to me at 30 cps (10 bits per byte in my typical config) was annoying but was still more than adequate for most any use; many people stuck behind teletypes were running at 150 bps or slower.
Fast forward 20 years. Where I am sitting now I have two 1.5Mb/s connections bonded together, giving me a 3Mb link, both ways. At my office, we have a fractional T3 running at twice that speed (and we utilize it, as well as a comparable connection at a remote location).
Nowadays the average user complains about their "slow" 44,000 bps connection they get with their dialup modem.
Water:
20 years ago I was a little smaller. But I had the same habits; I drink when I am thirsty etc. etc. My water consumption has remained mostly the same. I drink about 8 glasses of water a day (yeah for me!), before, just for comparison, then I would probably drink 6.
Over almost 20 years my burstable bandwidth needs have increased 10,000 fold. The difference in sustained needs is even larger, as nowadays I've always got some type of data going over that pipe (gnutella, newsfeed, mail, what have you) vs. back in the day that 300 baud modem was actually in use for small parts of the day. I bet in another 20 years this 3Mb connection could very well seem as quaint as the 300 baud modem seems today.
My water needs on the other hand went up 33%. My individual water needs are not likely to ever grow much larger.
Re:Personally... (Score:2)
I would take calls from customers that were complaining that their Internet was down. These were normally people who wouldn't pay their bill for 60 days and wonder why it was off. They even had the nerve to complain that it was like Gas or Water and that we MUST give notice in the mail of their delinquency (it's not like gas or water). These people actually believed it was a NECESSARY item in their lives (giving me the excuse that they couldn't pay their bills b/c they used the Internet for paying it -- I asked them if they ever used checks..)
We do NOT need this to become part of the cities infastructure. I am much happier w/it being controlled by a third party. I am already annoyed w/the electric bill being estimated half the time, and I am REALLY annoyed that natural gas prices have gone up.
Could you imagine getting billed for "estimated bandwith use" or being told that the price of Internet was going up b/c too many people were hogging bandwith? Hell NO.
Re:Personally... (Score:2)
Please, no.
Hmm... the roads in my city are hopelessly broken (save for the ones in the west part of town where all the yuppies live). We joke about putting a sign up saying "Closed for the season" - perpetual construction, engineered by under-the-table deals between our city council and their construction industry buddies. (Thankfully our newspaper did an article this weekend about how outsiders never get the same info the insiders get about bids, and other nonsense).
City-administered garbage service? You mean the scam where they miss my cans one week out of four, and throw them all over when they do? I've videotaped them on windless days letting recycle trash drop more than hit the trucks, and leaving cans in streets. Don't like it? Tough.
Yea, we need Internet service like this. Oh, and I'm sure everyone wants to pay $120/month for $30 Internet. That's the best part of city/municipal administration. We can shift funds from other areas to subsidize it, so we can hide the ineffeciencies.
Eliminate competition and engineer perpetual inefficiency, laziness and unaccountability.
it'd get rid of silly little disputes over 'stealing' or redistributing bandwidth
Do you get unlimited electricity, just because it comes from a municipality? Can you dump anything you want in your trash? Theft is still theft, and rules tend to optimize to the extreme with unaccountable government-run operations.
I've had trash missed because my cans weren't curbside - they were two feet away from curbside. At least once a month, I'll have my entire trash pickup skipped because I have "yard waste" (meaning a neighbor has tossed a twig on top of my trash can, or I've put a scoop of street garbage that has a half-dozen leaves in it).
You can bet your Internet will quickly become universally miserable too. What's that maxim about socialism making everyone equal - equally miserable?
*scoove*
Re:Personally... (Score:2)
Re:Personally...maybe not (Score:2)
OK, there are some lame problems with the current system, the one you mentioned about cable companies penalizing users who subscribe to the system to get high bandwidth is a perfect example. But taking your logic, isn't food even more important than Internet access? If it is, shouldn't we replace all the grocery stores with a government run grocery system? Whould you really want to get your food from a grocery store run by the government? Do you think you would still have a choice to buy at the private stores? How many of them could afford to stay in business if all of their customers were also paying the food tax and getting food at the government store? And what do you think the new prices for food at the remaiming exclusive private stores would be? Could you afford to eat from such stores or would you have to eat whatever the government stores decide is good enough for you?
Look at what has happened to our education system. Sure, there are still private schools, but few can afford to send their children to them and also pay the taxes for the awful government run schools. The school system is so bad that many in government advocate a voucher system, which is an admission of the failure of the public schools. And you want these people to take more control of what we get?
Sure, there are problems with the current system. But ask why. My answer is because we already have too much government medeling in what should have been a free market. By granting monopoly powers to a single phone company and cable company in an area, they have greatly limited the consumer choices for service. Whithout that monopoly, pitching customers the benefit of high speed access and then penalizing them for using it wouldn't be tolerated, there would be other providers who would be glad to take the customers. With the monopoly in place we get they type of system we have. Why not strengthen the monopoly by giving it to the Post Office? No Internet access Saturdays, Sundays or Holidays.
Re:Personally...maybe not (Score:2)
Re:Personally...maybe not (Score:2)
The Internet ain't a road, no matter what it's inventor Al Gore tells us. Reminds me of the "an elephant must be like a tree" story. That's one danger of analogies, some people will carry them to false conclusions and dangerous extremes.
I'm not sure I even like the idea of the government even running our roads, but that's another (off topic) issue. But a road must have access to land (private property) that in most cases completely eliminates the use of that property for any other use. Not so with the Internet. The basic infrastructure there, when run on dedicated lines, can be buried and co-exist with other uses of the property. No "taking" of private property is required as it is with putting down an Interstate highway, just the much less oppressive right of free access through a property (a concept I find no fault with, as it is understood when society grants private ownership to property). There are also various plumbing systems that go below ground and pass through private property. So maybe a much better analogy would be rather than calling the Internet a Information Highway it should be called the Information Sewage System.
Re:Personally... (Score:2)
Not yet anyway, but I can imagine a world in the not-so-distant future that puts people without fast Internet access at a severe disadvantage.
As for your comments on the need for broadband. Most people don't need it most of the time, but do need it occasionally. Some of us need a lot of broadband a lot. It's not to difficult to imagine a system that allows access as needed, while discouraging 'frivilous' use (like emailing 10 MP3's to your buddy every hour). For instance, it sure would be nice to have immediate page loads on a first aid site.
Now would somebody please tell me what jackass modded me down for Offtopic?
An alternative... (Score:2)
Actually it's a pretty cool product, it'll detect access points with SSID broadcast turned off, it'll detect wireless users, it'll even try to break into the access points (haven't used the feature much, so I'm not sure what it tries to do there).
Unfortunately it only runs on Win 2000 (I run it on XP, but that's unsupported), and only works with Orinoco cards and a couple of the known derivatives. On the plus side, it's got all the cool alerting features like SNMP and SMTP, and it has the "authorized list" of access points to minimize false positives...
-Jack Ash
PS: No, I'm not affiliated with ISS, but I run and administer their products at my office, including Wireless Scanner.
Airport (Score:1)
As I recall, it made it very easy to require a password or enable 802.11b encryption, etc.
Airport under Linux (Score:1)
Its cheap, easy to setup und has good security features which can be viewed here [apple.com].
I hope... (Score:1)
Re:I hope... (Score:1)
New Security Model needed for 802.11 networks (Score:5, Interesting)
This is all good for network security assurance and auditing, but doesn't fix the basic security problems with using WLAN 802.11 technology. I suggest that we use a new security model for WLAN security:
1) Obscure SSID names and WEP should not be used on your WLAN just to provide management/users with a false sense of security;
2) Put the WLAN access point outside your firewall (layer 1 security);
3) Use firewall VPN technology for layer 2 security;
4) Use IPSec protocol for network layer 3 encryption;
5) Use digital certificates for layers 4-6 strong authentication;
6) Enforce Corporate security policy on WLAN deployment & use;
7) Regular audit and security assurance work to detect the addition of new WLAN points to your network.
There are good reasons for using WLANs, and you probably can't stop the keeners from adding access points, but you can try to mandate how they will be added in a secure and managable fashion.
Cheers,
-wjc.
Yes. (Score:2)
Re:New Security Model needed for 802.11 networks (Score:1)
Re:New Security Model needed for 802.11 networks (Score:2)
Well... I personally was getting 80 kilobyte/s speeds yesterday, so... no. But it's mainly processor dependent, and I'm not running anything particularly special, 650 Mhz pentium. What the heck are you running VPN on? A P100???
Re:New Security Model needed for 802.11 networks (Score:2)
Re:New Security Model needed for 802.11 networks (Score:2)
Should I just add in MACs to the WiFi allow list by hand? It's not a lot of trouble to do so if you're only hosting one or two visitors at a time, after all, and they will probably never use more than one MAC/adapter. I presume this is something that you can do with a WiFi basestation, a la DHCP. I don't have any equipment yet, so I don't actually know.
Then I can keep the WiFi behind the firewall, and I don't have to worry about a VPN or any of that mess. Does this sound reasonably safe?
And, provided that the functionality I mentioned above *is* available in WiFi basestations, is it present in the AirPort? That's likely the basestation I'd wind up getting, unless someone tells me it's a really bad idea.
Re:New Security Model needed for 802.11 networks (Score:1)
Will it stop a casual user just trying to hook up with your AP to use it for a minute? Sure. But those MAC addresses are being transmitted all the time, so if you actually use your network and someone is listening in, it would be trivial to spoof MAC to gain access.
Re:New Security Model needed for 802.11 networks (Score:2)
Nope. It's fairly easy, but doesn't contribute much to security.
Then I can keep the WiFi behind the firewall, and I don't have to worry about a VPN or any of that mess. Does this sound reasonably safe?
NO! The easiest approach should be (depending on the firewall and wiring, of course) is to add a third NIC to the firewall. Connect the basestation(s) to THAT NIC, and block everything from it except VPN or IPSECed traffic.
I'm 802.11-less for now, but starting to plan a firewall+802.11a/b setup for once I move: probably a mini-PC from these guys [soekris.com] with one of their PCI crypto accelerators. Add OpenBSD with the built-in IPSEC, and I'm a few client-side tweaks away from a fully secure WLAN and firewall, all in one! (That's the theory, anyway...)
Re:New Security Model needed for 802.11 networks (Score:1, Informative)
as for VPN securing your wlan this i can dispute...
a friend and i gave a talk at Black Hat this year on advanced wireless attacks, in this we broke a VPN implimentation wide open with a wireless man in the middle attack, in this attack we forced a victim onto another channel where we then had an AP with the same mac and SSID as his original...this lets us beat any sort of VPN that doesnt use strong two way authentication...
so yes you said to use PKI there, but i submit to you that people are simply not doing this, if they were going to start they would have a long time ago and so any solution that the general populous of administrators deem too cumbersom or otherwise not worth the trouble to impliment will not be...
what you are basicly saying is that all you need is a VPN and you dont need to watch your network...im glad my bank doesnt take this solution for their security, a bank vault with no security cameras...
wireless security is alot harder to attain than wired equivelant...in the end you're going to need more than just network enumeration, vpn's and auditing tools...you are going to need something to monitor and manage the thing, not sure which one of these will prove the best, but im glad someone is working on the problem...
--Abaddon
http://802.11ninja.net
Re:New Security Model needed for 802.11 networks (Score:2)
3) Use firewall VPN technology for layer 2 security;
Are you talking OSI layer here ? If yes, I would be interested in knowing wich VPN technologies operate on that level ...
I found one (Score:1)
network: linksys
user: (null)
pw: admin
ok. They deserve whatever they get.
I would like a log to know which of my neighbors is trying to "share" my bandwidth.
Heheh. Factory Linksys routers. (Score:2)
Orinoco silver, no ext antenna, laptop inside the car (lots of nice metal shielding)
Probably 1/3 of the networks heard (45 found in a relatively short loop) were factory default Linksys boxes.
There are a total of *3* 802.11 networks near my house.
One on Ch11 with a custom SSID (mine - No WEP, I don't really care. I'm in the boonies and not much damage someone could do)
Two on Ch6, one factory default Linksys, one listed as by Kismet. Needless to say, those two weren't going to be getting max performance.
Just like with (Score:2)
Weeeelllll, I didn't install the Wireless encryption software (don't remember the exact name) and would instead unplug the wireless HUB when I wasn't using it. One weekend, I forgot to do this. Out of curiousity, I check the ARP on my DSL switch and found _3_ MAC entries. I only have 2 computers...
Was this my own fault? Yes, absolutely, no question. Was I a moron for not configuring and running the WEP (Wireless Encrption Protocol)? Again, yes. But think about all the wireless LAN products being sold and how many are protected, or NOT protected.
Where has your internet connection been today?
30 wireless security tools (Score:1)
Rendezvous (zeroconf) networking ? (Score:1)
I was fooling around with iChat and its Rendezvous component and I would imagine that when some idiot neighbour connects to your Airport network and forgets to quit iChat,you could be in for a laugh when he gets an instant-message from you
A simple "Who are you and why are you using my Airport network" would be quite a shock I guess.
And a reply from your neighbour stating that you were asking for it because your didn't implement WEP or MAC restriction would be a nice one too
I don't get this (Score:3, Interesting)
You know you're running an unsecured wireless network and you want tools to find the 'rogue' people using it?
You're going to *buy* this tool?
Why don't you just secure the network?
Even WEP, with all its faults, will keep out casual stumblers. Use a VPN if you need real security.
When I see a wireless network with no WEP and a DHCP server, I see a 'welcome Mat'. I assume it's OK for me to check my mail or browse the web a bit.
In fact, I no longer have to do anything to set up my laptop - Os X Jaguar sets up the connection for me.
There's an old saying that good fences make good neighbors - I think that applies to wireless networks as well...
Cheers,
Jim
(PS - Go ahead, be a dork - mod me overrated instead of replying. I no longer care.)
It's a good auditing tool (Score:2)
Re:It's a good auditing tool (Score:2)
Even transparent proxies can keep logs. If you learn to read them, you'll catch a lot of stuff.
I just hate to see tools that try to make up for deficiencies in basic security procedures without correcting them. Having a wireless network is no different than having an ethernet port on your front porch - sure, it can be a convenience, but you have to be aware of the security implications.
Cheers,
Jim
Re:I don't get this (Score:2)
Treat wireless users as though they were coming in from over the internet and you will have very few, if any problems.
If you're familiar with firewalling, you're familiar with the traffic known as UNTRUST. Wireless is UNTRUST. Treating it any other way is just foolish.
Cheers,
Jim
Re:I don't get this (Score:2)
http://slashdot.org/comments.pl?sid=39208
If I have 50 locations that I cannot monitor, they're all going to be outside the firewall with VPNs to the network. (My company has 42 remote locations and we do just fine this way.)
Anyone who hooks up an AP without authorization on my LAN is going to get fired. Same for anyone who *intentionally* leaves the front door unlocked overnight as a convenience. Negligence for the sake of convenience is simply not acceptable in my book.
I think I *do* get it, actually...
Re:I don't get this (Score:2)
No, but if you want to check your email on my wireless lan, you are more than welcome to do so. Want to borrow my phone and make a local call? Sure. Want a glass of water from my tap? Again, though I technically pay for these things, I would share them, with the hopes that others would do the same when I need them.
Those actions don't deprive me of my property. (Unlike your example of stealing my things.)
Oddly, where I live, my ISP allows this and even encourages its members to set up public access points. (http://www.freespot.net/) so...
What were we talking about again?
Cheers,
Jim
Re:I don't get this (Score:2)
Transparent proxying with logging, Intrusion Detection System, Firewall logging.
It's pretty neat and really easy to set up on an old box. Find a packet sniffer that will run on your os of choice, too.
I'd also take a look at NoCat - it's designed for this kind of service exactly.
Cheers,
Jim
Not necessary... just password protect your WLAN (Score:1)
wireless insecurity (Score:3, Informative)
Considering how clueless most people are about technology and how little the average person cares about security it's not the least bit surprising that we're now seeing similar problems with WLAN. My experience has been the typical person's thought process ends at "OOOOOO....I could get one of these and use my laptop in the living room or bedroom or backporch..." and never reaches "would anyone be able to access my data/internet connection without my knowledge".
Look how many viruses are passed along because people don't bother using (or properly using) antivirus. Look how many SPAM'ers and DOS attackes manage to use machines that aren't secured in any real way...
Virii and antivirus software (Score:2)
I have never bothered using an antivirus because I'm careful about where I get my software from. Never have been infected.
For me, AVs just slow the computer down too much.
(Of course, it should be noted that 90% of the time I'm booted into Linux, and 99% of the software downloading I do is under Linux, not Windows.)
Heh. Neighbour 's cordless phone sex (Score:3, Funny)
Suggestion for a new warchalking icon (Score:1)
<Humor>
as per closed node, a complete circle. Below, two figures, composed of a parabola on top, opening down, joining two vertical parallel lines, with the two parallel lines then joining a single horizontal line, forming a close figure. Below the two figures, a number, a slash, and a number.
The meaning of the two figures and numbers:
The calibre and rate of fire of the weapon that will be turned on anyone sniffing the network (the figures I described are 2 rounds of ammunition.)
</Humor>
stealing or not stealing? (Score:2, Interesting)
Those that think anyone with an AP left alive and uncontrolled (no wep, no MAC address lists, no filters) are public use and those that think the above AP is not public.
I'm in the "It's public use" crowd. I equate it to someone playing a radio and if I stop by and listen, I stop by and listen. If someone says 'dont listen to my radio' they'd be wrong to do so, as they're broadcasting it to the public at a volume at which I can here (and for those who say 'radio stations are free, just say 'they are playing a CD in their stereo' instead of radio).
The user is broadcasting a signal to me, I can hear it, I will hear it.
If I'm sitting in the park and open my laptop and there's a network, wide open, my computer ASKS for an IP, it RECEIVES one, and I'm on the net, it's obviously permitted use. If they didn't want me on their network, they wouldn't have given me an ip address when I asked for one. They could have easily denied me that. They chose not to deny it. I knock, they give me a key and invite me in.
I've brought up this argument on wireless lists I'm on and would be interested in knowing what some of the others out there think about it. No, this isn't a troll, intelligent opinions are welcome (hrm, and I'm asking for such on slashdot? Well, there's some wheat amongst the chaff).
Re:stealing or not stealing? (Score:4, Insightful)
The analogy of just "listening to someone's radio" doesn't hold water, because you are not merely passively listening to a private network, you are interacting with it. A better analogy would be watching someone's TV through a window and also controlling which channel is on using an IR universal remote.
However legally speaking, for computer tresspass to occur one must be informed that unauthorized access is not allowed, or it must be plainly obvious to a layman. This is the reason for all those "Authorized Users Only" notices you see on computer systems.
Since when you are sitting in a park requesting WAP based IP access, you don't know whether the access you have has been left intentionally open or not, you should be in the clear.
But only until you read something that informs you otherwise. It is not necessary for the people whose network you are using to perform encryption; they need only post a notice. On the other hand, if they don't post notice, again it's not your fault.
Re:stealing or not stealing? (Score:2)
And what happens if you are in something like Personal Telco's access, and wander 50 feet in some direction in a park into an area where some businesses signal is stronger than Personal Telcos, your machine renegotiates its connection and you're on a different network without even knowing it... Companies that don't bother to disallow untrusted DHCP can't complain if people wandering by have access to their network. They GAVE the access away!
Kintanon
question for network security types... (Score:3, Informative)
Pretty much. (Score:3, Funny)
Sure, WEP is crap and MAC addresses can be spoofed, but unless someone really wants to get you, you're reasonably safe.
Think 'lions and gazelles' - if you're not the slowest gazelle, the lion will probably see easier prey. You just have to stay on your toes...
Now go grab a copy of PGP and encrypt those pictures of your girlfriend that you have in C:¥Private¥Pictures¥JamaicaVacation¥ and you'll be all set...
Cheers,
Jim
For all practical purposes. (Score:2)
Even MAC restrictions (easy to bypass if there's traffic) will discourage probably 90%+ of people who might find your AP. Most people who run sniffers are either a) curious
b) Looking for free access
Those who are malicious might actually go for the MAC-restricted WEP-enabled APs *first* because they prevent the largest challenge and are most likely to have something juicy available if they get in.
So you don't want to be either extreme. Do something midrange. I suggest MAC restrictions rather than WEP. MAC restrictions are harder to "see" than WEP is.
Re:question for network security types... (Score:2)
Anway, I like the thing just fine. I initially tried to setup without using DHCP and had a few problems (but I think this is my networking fumbling). DHCP works no problem. The web based admin is great, but configuring firewall is a pain, but most stuff I use seems to work just fine with the new protocol (udd=something).. that dynamically opens ports inside as you need them. I did manage (with a bit of bumbling) to get the port open for the Network Time stuff -- my mobo has a bad battery and it's easier to turn on Windows Time server and "net time
With the combo above, I can walk to the end cul de sac (aobut 100 yards) and still get on (although it says "weak signal"). This is with a lot of trees, so I consider that pretty good. Anywhere in my yard is no problem. Ever. Even out on my deck (which is a ways from the transmitter-- thru four walls -- including brick exterior).
So: Bottom line, I'm very pleased and impressed with setup ease. I'm a programmer, but pretty neophyte on the networking stuff and I got it set up, with encryption and limiting to certain MAC's and firewall, in one night and three beers. Not bad.
Re:Sorta secure (Score:2)
Why not use unix tools? (Score:1)
ping (usally ends in
arp -a
Really easy, and free!
Secure Setup (Score:2, Informative)
verify by mac address (Score:2)
is there a list of MAC addresses for APs? (Score:2)
So far I haven't been able to find a list of the prefixes used by various manufacturers for their access points. I asked about this on usenet but the only replies I got were the IEEE lists of ALL MAC address prefixes, with no distinction between NICs, APs, switches, etc.
I'm sure various vendors must have compiled such a thing for their auditing tools... but it doesn't seem like there's anything available through Google just yet.
Thanks for any help you can give!
-carl
huh? (Score:2)
etherape for GNU/Linux users (Score:2)
I wont tell you about the pics of a Ballroom-Gown-Wearing-Cross-Dresser who appeared on my GNU/Linux box here in my cube about 15seconds after firing Driftnet up.. scary...
The reason why you don't see it.... (Score:2)
What is wrong with arpwatch? (Score:2)
What is wrong with arpwatch? [lbl.gov]
"apt-get install arpwatch" and the ARP table is monitored for new stations, station changes, etc. You stay up-to-date by email.
Re:you just like saying (typing) etherape.. (Score:1)
"I'll take nal bum covers for 300, Alex"
"That's album covers, Mr. Connery."
"Nonsense, I spent years trying to make an anal bum cover. Failing to do so has been my biggest regret."
Re:I work in an office that pays for bandwidth (Score:2)
No. I think most of the
Now, it would be real funny if you were a spammer making that statement.
Re:I work in an office that pays for bandwidth (Score:2)
Re:I work in an office that pays for bandwidth (Score:2)
Kintanon
Bandwidth Leech (Score:1)
Re:I work in an office that pays for bandwidth (Score:1)
Because it seems to me that the parent and all the replys up to me seem to be missing the point that this story is about programs to prevent people from connecting unauthorized to wireless networks...
Re:I work in an office that pays for bandwidth (Score:1)
MacStumbler... (Score:2, Informative)
get it here [mac.com]
I tested it and it works great
Re:Application (no) (Score:2)