# Wardriving.... well, kinda

## usrbinperl

Under Windows, I've used the shareware version of Cirond WiNc, a handy app that automatically searches for APs or other wireless cards.  I was recently in a New York hotel room and it found a great many APs, although my Linksys WPC11 was unable to connect to them due to WEP and other issues.  Anyway, if anyone is familiar with WiNc, what is a good alternative to use under Linux?  Ideally, I'd love a command-line tool that displays available access points and allows the user to connect to them.  Also, what, if any, methods have you guys used to connect to WEP-enabled or otherwise not-openly-available APs?  Basically, tell me everything you know about wardriving under Linux!

Also, what is the best way to go about getting my wlan card up with gentoo?  Is there a particular package to install or file to edit that gentoo prefers its users to employ?  Or should I just do it all manually?

----------

## kwiqsilver

kismet will search for waps, but why are you asking?

You better not be driving around downloading kiddie porn or distributing virii or worms.

----------

## usrbinperl

yep, you caught me, that's exactly what i'm doing.  wouldn't want to just be able to check my email wirelessly.  no way.  kiddie porn all the way.

----------

## kwiqsilver

So why not just use your own connection? Or when in a hotel, the hotel's connection?

It's illegal for you to break into somebody else's wap and steal their bandwidth.

It's legal though to eavesdrop on unencrypted packets that somebody transmits into the air. Just in case you want some good gossip on your neighbors.

----------

## ChopChopMasterOnion

Checking your email on a wardriven WAP is a very stupid thing to do.  That, or logging into anything.  Traceable actions are a bad idea to begin with; it's bad enough that they can log your MAC address.

----------

## secondshadow

I'd like to reiterate what's been said already.

First of all, wardriving/walking is illegal.

Logging into someone else's network and committing any acts without permission is, I do believe, a federal offense. You are stealing, first of all. That's bad enough, but then you ask about WEP.

Breaking into a secure network I'm pretty sure is illegal as you are compromising encryption protocols that are in place to prevent such an act to begin with. You understand that WEP is encryption right? There isn't an "easy" way to break it. Chances are if WEP is enabled they don't want you to.

Also, if they were smart, those WEP protected WAPs use MAC address filtering as well. Short of being able to re-program the MAC address in your wireless card, there is no way to defeat this. And even if you could you'd have to know an allowed MAC address and pray real hard that that MAC wasn't currently connected. Chances that this is the case are pretty slim. And don't even think about trying to guess MAC addresses. You're talking about every possible address between 00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF. PLUS if logging is enabled you could very well screw yourself. Royally. Any good network admin would log everything that connects.

It's people like you that make sure that I will NEVER install a wireless network in my house. If I get a laptop, I'll just run network cables into every room. I don't care if it's inconvenient, I don't want stupid a**holes running around stealing the bandwidth that I PAY FOR just so they can "check their email." Even if that is, in fact, all you are doing I will say that I hope you get caught and charged. I'm pretty near certain that it would be considered under any number of cybercrime laws and even if you got out of it you would owe a fortune in lawyers' fees. Just get a cellphone from T-Mobile with unlimited data transfer and get the adapter to connect it to your laptop and leave everyone else alone. I actually hope a mod reads this and reports your IP address to the feds as you basically confessed to participating in illegal activities.

God I hate stupid people.

----------

## dmwilcox

Don't come down on the guy for being rather curious about security--it's only through the investigation of security that holes become known.  US law is a line to deter people who would take advantage of others--not some taboo.

WEP encryption and MAC address locking are both becoming rather standard on (even cheap) wireless routers.  As such you likely won't find an excess of open networks, but if you do BE NICE--it's ultimately your intention that will get you caught or not.  (Not all open WAPs are because of ignorance!)

</honey-pot-discussion>

WEP comes in 3 (4 now) strengths: 40,64,128 and 256 bit.  40 is pretty weak and would be the only thing even remotely able to be guessed in a reasonable time.  (perl is the name of the game)

MAC address locking is an easy way to add a bunch of security to a network without impeding one's own entry (damn I hate typing in WEPs).  Though a packet sniffing tool might be able to catch the unencrypted packets (such as ethereal).

Though MAC addresses are surprisingly not fixed in stone under linux from what I've heard--though I couldn't tell you what to change in /proc to do it.  

Nonetheless a MAC is essentially a 48 bit key, with the first three blocks a code for the manufacturer of the NIC.

I don't believe in a policy of making tools illegal, and if we don't test our security WHO WILL?

Daniel

white hat by day

----------

## secondshadow

I'm not saying that the tools you would use to warwalk/drive should be illegal, but I do think that the act of warwalking/driving SHOULD be. It's one thing when you are allowed access to the network, it's another when you are taking advantage of the fact that someone probably doesn't know enough about computers to secure it. If he were doing it and then letting the folks know that their network security blows then that would be one thing, but he is talking about pirating other people's bandwidth. If he were asking about testing his own security I wouldn't care. But he asked SPECIFICALLY how to defeat WEP to gain access to protected networks, which if he were allowed to access wouldn't be an issue. Testing security is not synonymous with breaking into someone else's network, especially if they didn't ask you to do it. I'm inclined to think that the guise of a hotel is probably just something to make it seem less illegal. If it were just accessing a hotel's network he wouldn't have referred to it as wardriving. Wardriving is pretty specific.

EDIT: PS, law being a line to deter only is a crock. A law against something means ILLEGAL. That doesn't mean "we would really rather you didn't do this," which is what you suggest it means.

----------

## ChopChopMasterOnion

While I agree that his phrasing was less than good, and his intentions probably not in line with your very anti-bandwidth-usage attitude, there are plenty of things which could very well become legitimate reasons for this.  A restaurant and a cafe next door could both have wireless points, or a neighborhood could communally wire up their whole complex for wireless, as has been seen in some areas.   I completely respect your stance on this, and I do in fact secure my own networks, however I like to think that at some point people will willingly make it feasible to whip out a laptop and check one's email or stocks on the fly without having to hunt down a specific connection of some sort.  In fact, as you yourself stated, I think that the big problem with the idea is anonymized virus-insertion or spamming or such.  Not to get too off-topic, but if you have an insecure network, people are going to use it.  Period.  Neither my idealistic idea of communistic reverie nor your rank-and-file "I paid for it and everyone should respect that" are ever going to be realized to their fullest.  

my point:

Be respectful, but also don't be uncharitable either.  Securing your network is wise, because it covers your rear against unscrupulous acts, not just because it saves bandwidth.

Wardriving, while I'm told it is occasionally convenient, is disrespectful and even harmful to the person you are taking advantage of when used for unscrupulous or illegal purposes or for large amounts of data.  

Breaking somebody else's network for the purposes of illegal usage is generally bad, but telling them and possibly assisting them in securing it rather than taking advantage of it should not be discouraged by the courts or by the citizens.  Helping people is always a good trait, and it's sad that some people can't be thankful for it.

Tools for it are essential for black hats, white hats, and any other network administrator who is forced to use wireless for one reason or another.

Grabbing packets out of the AEther is one of the reasons wireless is dangerous to your data's security.

Honeypots are an unfortunate development that some feel was made necessary by people taking advantage of open points.  They make it dangerous to wardrive, even more than it was to begin with.

It's sad that because of a handful of uncouth and uncharitable people it's not feasible to have a more open policy towards networking.

----------

## usrbinperl

Thanks for all of the information regarding wireless networking.  I find both the technical and legal issues surrounding the relatively new technology fascinating.  I apologize mostly for the phrasing of my questions and experiences.  Yes, I looked for access points.  Yes, I attempted to connect to unknown networks.  And yes, I am very curious about wireless technology as well as computers in general.  No, I don't intend to break laws.  No, I don't intend to disrupt or "break into" protected networks.  No, I don't intend to cause anyone or anything harm in any way.  I used the term "wardriving" because it is the word with which I most closely associate the process of finding and perhaps connecting to open access points.  As one post suggested, large metropolitan areas may soon become massive hotspots where laptop users may browse the internet and read email.  As you all must know, there are many projects dedicated to achieving just that.  As far as WEP-encryption goes, I'm mostly interested in how secure it actually is.  I've read several articles questioning its ability to keep unwanted users away and have spoken with several people who have expressed similar ideas.  Asking a highly knowledgeable community what methods are available for subverting WEP is the best way I know to learn more about its effectiveness.  Hearing personal experiences and ideas is far more useful than reading general articles or toying with it myself.  I understand the negative reaction to my questions, given that my post lacked detail and an indication of my underlying intentions.  As for the posts from secondshadow, I respect your knowledge and opinions on the issue and understand your concern, but am quite taken aback by your perhaps too-quick-to-react reaction.  Immediately suggesting that my intentions were destructive was, quite honestly, very rude.  
While my original post may have stereotyped me with a group that would consider planting worms, I can assure you that that is, to me, unthinkable.  The "God I hate stupid people" was a fitting close to your ill-conceived attack and was more ludicrous than offensive.  I do, however, greatly appreciate your ideas and contributed information.  Hopefully our differences can be resolved and this thread can assume an impersonal discussion of wireless networking, from both technical and legal standpoints.

----------

## ChopChopMasterOnion

I'll be in charge of a wireless point with security features at the fire department I volunteer at once we get it, and that will be where I plan to do most of my security testing.  My point at home is rather archaic and as such is strung through my server for security rather than hooking directly through my network, so I can't use it for much WAP-security testing.  However, I have played with ethereal and kismet on it and found that it was really easy to find unencrypted transmissions on it, and that it would be very easy to trace the packets between the unsecured point and my laptops.  Fortunately I live in a rural area where there isn't much as far as technical people, so until I have the funds to get myself a new point I'm relatively secured thanks to my security measures on the server, but it's not as smooth as I'd like it to be.  We're only on 10Mbps LAN and 802.11b, so it's not that fast, and then goes through a server running various countermeasures acting as a secure proxy.  From there it wires into my NAT/modem router, and from there into the phone jack.  Even if someone broke in they would only be able to connect to a modem-speed connection, and have access to my shared distfiles directory.  The firehouse, however, has completely different security needs: high speed internet, government files that have to be kept secure, and computers that need to be impervious to remote virus attacks.  When the stuff comes in it'll be running a NAT, restricted to certain MAC addresses (my laptops, the department laptop), running as much encryption as the WAP will allow.  Software solutions for actual countermeasures will be restricted to firewalls and some other stuff on the actual machines, since they'll be running Windows XP and don't have all the fun stuff Linux has to offer.  
My laptop will be the one taking care of security, and I'll be checking both inside and out via nmap, ethereal, kismet, and a couple dozen other tools I have taken from the annual top 50 security tools article (sorry, I don't have the URL handy).    Passwords will be tested against John the Ripper, and I'll be frequently checking for trojans and viruses, since the people who will be using the computers have no idea how to avoid getting that stuff.

I realize that was more about network structure than breaking in, but thats the name of the game.  Understanding what you're up against as well as what you're working with is key when it comes to securing or breaking a network.

by the way, if anyone has more suggestions for securing my networks, feel free.  I'm always up for more security.

----------

## secondshadow

You can take offense to it all you want, the fact of the matter is you stated that you wanted to know about wardriving specifically. There are a multitude of other, more accurate and descriptive ways you could have phrased your question. For crying out loud, connecting to a "Hotspot" would've even been more appropriate as T-Mobile has a service implemented at airports, cafes, restaurants and the like called "T-Mobile Hotspot." Wardriving/walking have a very specific connotation. Perhaps next time you'll choose your words more wisely. I mean, take a look at the initial responses. They all question your motives. I was just the only one to say it bluntly. As for my reaction being severe? Perhaps. But I just had to recover a friend's computer not but two weeks ago from an incident in which a friend's machine was left in an unusable state and after a very quick look over I found a file that stood out a bit:

/README_STUPID.TXT

*Quote:*

> Isn't warwalking fun?

I'm not entirely certain what exactly happened, but I do know why it did. My friend very innocently set up a wireless network. He's not very computer-conscious so he didn't really know how to secure it properly, or even what WEP meant, much less what it did. As a side-effect, his computer wasn't very secure either. What did this mean? Well, one day I get online and my buddy IMs me:

<friend>: Hey, you busy?

<me>: Not really, why?

<friend>: Two days ago, my computer just stopped working.... won't boot or anything. I was wondering if you could take a look.

<me>: You change anything hardware wise recently?

<friend>: Just my wireless network....

<me>: You set up a wireless network??

<friend>: Yeah. A month and a half ago.

<me>: Urmmmm....I already don't like the sound of this...Lemme grab my box and I'll be over in 30.

<friend>: K. Thanks a lot man. I need to get some stuff off of it really bad....like within the next week.

<me>: Alright. I'll see you then.

<friend>: K.

<me>: l8r

<friend>: cya soon.

Suffice it to say the paper he needed to retrieve had to be re-written. I have a feeling it was just some idiot who just got a laptop and a wireless card and was out "having some fun" and thought it would be funny, but I assure you neither myself nor my friend thought it was even remotely amusing after spending hours recovering his computer...not to mention the 5 days of data lost in that incident.

So yes, when you say, specifically, wardriving some people will get up in arms about it. I apologize if I offended you but again, wardriving is not something anyone who has been a victim of will take lightly, if the person behind the wheel did anything more than just borrow bandwidth.

And yes, we did secure up his network after that.

@ChopChopMasterOnion: As for breaking into networks not being discouraged... so if I break into an NSA secure network just for giggles, as long as I simply email someone there and tell them "oh by the way, you might want to fix this security hole" then it should be okay? Do you see where that logic not only fails, but would land me in a federal prison? Yes, this is an extreme case, but it's used to prove a point. A crime is a crime. I could see it if connecting to someone else's unsecure network was an accident and then you let them know, but intentionally connecting to it and then letting them know it's broken not only should land you in jail, but probably will if it's not John Q Public's personal router.

@usrbinperl: In short, I apologize to you, usrbinperl, for thinking that your intentions were anything but pure, however on more than a small number of forums I have seen countless posts starting out exactly how yours started ending with "teach me how to warwalk/hack/break into networks/steal bandwidth for free/(otherwise cause mischief or do things that I know I shouldn't but I just want to be a 1337 ha><0R)." I can honestly say that I have 7 screen names blocked because someone found out I use linux and they said "Hey, you use linux. Teach me how to hack into computers. That's what it's used for, right?"

@ChopChopMasterOnion: Make sure that network is, and remains, secured up nice and tight. Try and make heavy use of MAC filtering. 

@dmwilcox: Actually last I checked it should be set in stone. Every MAC address is (supposed) to be unique as I recall from my Data Communications courses. This is something implemented in hardware on the BIOS of the specific device (yes, everything has a BIOS) and cannot, or at least shouldn't be able to be, changed in software on the fly. I actually have a computer, however, that can change it because there is a bug in the BIOS flashing of my computer in which when you re-flash the BIOS it loses its MAC address and you have to use a special tool to reset it, though after you reset the MAC you have to reboot, so it's not something you can "just do" like trying to break a password. If you do, however, find a way to do it via /proc or something in linux, let us know. HUGE security hole potential.

----------

## ChopChopMasterOnion

 *Quote:*   

> @ChopChopMasterOnion: As for breaking into networks not being discouraged... so if I break into an NSA secure network just for giggles, as long as I simply email someone there and tell them "oh by the way, you might want to fix this security hole" then it should be okay? Do you see where that logic not only fails, but would land me in a federal prison? Yes, this is an extreme case, but it's used to prove a point. A crime is a crime. I could see it if connecting to someone else's unsecure network was an accident and then you let them know, but intentionally connecting to it and then letting them know it's broken not only should land you in jail, but probably will if it's not John Q Public's personal router.

 

Now you're being outlandish.  I was stating that there are a lot of people with no idea how to administrate their wireless networks, much less secure them, and that if you risk jail by telling them that there is a hole in their system even if it was an accident that it was found, then some other jerk is likely to exploit it.  To discourage helping each other by making black-and-white laws that harm people who actually know a thing or two about network security regardless of situation, intention, and even offering to help avoid problems becoming a problem is just plain stupid.  As is breaking into an NSA server.  The inherent difference is, of course, that the NSA has security people, as does any respectable company.  Helping your neighbors is never, and never will be, immoral.  There's a difference between dropping a text document or an email, and knocking on a neighbor's door offering to help them secure their network.  I certainly don't encourage going around wardriving, in fact I discourage it.  However, especially if I lived in an apartment or was in a hotel, I don't think it would be just to make it a crime to boot my laptop and have it dhcp connect via wireless to an unknown network without my remembering to shut the connection down before my mail auto-checks itself, and certainly if it happened I would like it to be legal for me to tell the owner of the network (if I could find them) that their network was wide open.

 *Quote:*   

> @ChopChopMasterOnion: Make sure that network is, and remains, secured up nice and tight. Try and make heavy use of MAC filtering. 

 

yeah, that's my main plan.  MAC filtering is definitely a must.

----------

## secondshadow

I actually made an exception, if you read carefully, for accidents:

> I could see it if connecting to someone else's unsecure network was an accident and then you let them know, but intentionally connecting to it and then letting them know it's broken not only should land you in jail, but probably will if it's not John Q Public's personal router.

perhaps my phrasing was a little unclear this time, so let me clarify:

I could see it [being okay] if [you] connecting to someone else's unsecure network were an accident [you forgot before it went to check/send your mail] and then dropped by to let them know, but intentionally connecting to it [(someone else's network)] and then letting them know it is broken not only should land you in jail, but probably will if its not John Q Public's personal router.

Additions were [bracketed] to make them stand out.

Now you're the one being idealistic though. With the way our legal system is set up right now, the grey areas will be exploited faster than you can blink and more effectively than Blaster and WinME holes by well paid lawyers trying to defend the actions of someone who just broke into and stole someone's personal information from their computer via an unsecure network. Do I think all laws should be black and white? Ideally no. But if they are too vague or the grey area too broad it will be exploited and the law will become ineffective.

Now onto your network. One fundamental rule of network security I've learned in my brief encounters with it: Disallow any traffic that isn't essential into the network from the outside world if possible. If the network is to contain some computers with sensitive data you might also consider having a sort of Demilitarized zone. EG: you have your cable modem-> it connects to your router-> all trivial/non-high security systems connect to this router which have more lax access permissions (eg port forwarding for servers and such)-> connected to this router is another router box (eg linux computer) This one denies all incoming traffic (see the shorewall 2 interface example for what I mean) and only allows IP Masq -> connected to this are the non-trivial systems which house sensitive data.

----------

## ChopChopMasterOnion

 *secondshadow wrote:*   

> I actually made an exception, if you read carefully, for accidents:

 

 *secondshadow wrote:*   

> Now you're the one being idealistic though. With the way our legal system is set up right now, the grey areas will be exploited faster than you can blink and more effectively than Blaster and WinME holes by well paid lawyers trying to defend the actions of someone who just broke into and stole someone's personal information from their computer via an unsecure network. Do I think all laws should be black and white? Ideally no. But if they are too vague or the grey area too broad it will be exploited and the law will become ineffective.

 

yes, I had a feeling we more or less agreed on the basics of it, I just don't like the idea of risking imprisonment for telling someone their network is insecure if I find it accidentally.  It's not something that has happened to me yet, but as I said I live in a rural area and don't see much technical infrastructure much less have houses close enough together for it to be an issue.  I'm sure it's far more common in urban centers and apartment complexes.

 *secondshadow wrote:*   

> Now onto your network. One fundamental rule of network security I've learned in my brief encounters with it: Disallow any traffic that isn't essential into the network from the outside world if possible. If the network is to contain some computers with sensitive data you might also consider having a sort of Demilitarized zone. EG: you have your cable modem-> it connects to your router-> all trivial/non-high security systems connect to this router which have more lax access permissions (eg port forwarding for servers and such)-> connected to this router is another router box (eg linux computer) This one denies all incoming traffic (see the shorewall 2 interface example for what I mean) and only allows IP Masq -> connected to this are the non-trivial systems which house sensitive data.

 

We don't have much reliable hardware at the station, but I have a hard drive I can install linux on as a trivial system for IP masquerading.  We have a pentium II down there I could put it in, if it works.  If not I can donate, what with it being a volunteer department.  We don't really have any trivial systems in there, just the desktop for state-mandated records and reporting, as well as the laptop which is primarily for training presentations but has integrated wireless and will need to be kept up to date, as well as doing some backups to the desktop (which will have a RAID).

----------

## smart

*secondshadow wrote:*

> Actually last I checked it should be set in stone. Every MAC address is (supposed) to be unique as I recall from my Data Communications courses. This is something implemented in hardware on the BIOS of the specific device (yes, everything has a BIOS) and cannot, or at least shouldn't be able to be, changed in software on the fly. I actually have a computer, however, that can change it because there is a bug in the BIOS flashing of my computer in which when you re-flash the BIOS it loses its MAC address and you have to use a special tool to reset it, though after you reset the MAC you have to reboot, so it's not something you can "just do" like trying to break a password. If you do, however, find a way to do it via /proc or something in linux, let us know. HUGE security hole potential.

Welcome to the 4th course in advanced security technology for YOUR enterprise. This year we will learn about advanced techniques of retrieving information about 3l33t bumfuxor haxor style stealth technologies. Here's your entry code, but keep it secret: you might draw the feds' attention to you and it might be forbidden anyway to let people know about things your local investigator might want to use against you:

man ifconfig

Besides, to think about WEP as a security measure is foolish to start with. Let's see how the Chinese do with their Asian standard. Maybe it's worth more than marketing bs.

But yea, it keeps SOME of the kids out ...

Erm, does somebody know how to get around CSS ? But probably, as being a widely used standard, we can trust it. They said so. Now YOU say thanks to those that helped you open your eyes (not me, just to prevent trollish flamewars).

----------

## nevynxxx

 *secondshadow wrote:*   

> @dmwilcox: Actually last I checked it should be set in stone. Every MAC address is (supposed) to be unique as I recall from my Data Communications courses. This is something implemented in hardware on the BIOS of the specific device (yes, everything has a BIOS) and cannot, or at least shouldn't be able to be, changed in software on the fly. I actually have a computer, however, that can change it because there is a bug in the BIOS flashing of my computer in which when you re-flash the BIOS it loses its MAC address and you have to use a special tool to reset it, though after you reset the MAC you have to reboot, so it's not something you can "just do" like trying to break a password. If you do, however, find a way to do it via /proc or something in linux, let us know. HUGE security hole potential.

 

Not sure if it's quite the same thing, but ifconfig can spoof your MAC address; it's in all the "howto connect linux to ntl/cable" docs as with ntl you have to register your MAC address, using Windows-only software, the easiest way being to register on Windows then spoof the MAC on your Linux box to the MAC of the card you used on Windows, I think. I went the other route and swapped the network cards after I registered, but then again both the boxes were open at the time.

*Quote:*

> hw class address
>        Set the hardware address of this interface, if the
> ...

from the ifconfig man page.

----------

## kwiqsilver

If all you're looking for is a legal wap at your hotel, start staying at Choice Hotels.  They'll be offering free wifi at all hotels soon.

And for everybody else, if you have a wifi network, use the highest wep you can, and enable mac filtering. I know somebody who had a long discussion with the FBI about downloading kiddie porn, because somebody wardrove his unsecured network. He didn't get charged, but it was still very unpleasant for him.

----------

## latexer

If we look at the protocol level, hopping onto a completely unsecured network is not so legally shady (most lawyers will disagree with my coming argument)

Lets talk low level protocols:

On the hardware level, 802.11a/b/g:

Client: Hey, i've got the same network name set as you do, can i associate with you?

Access Point: Sure, i'm completely fine with you associating with me. I'm here so people can do that.

C: Okay. cool. associated!

On the IP level:

DHCP Client: Hey, this is my MAC, can i maybe have an IP address and router and name server and all that cool stuff?

DHCP Server: Hey, i've not been told anything else besides to hand out IP addresses and info when i'm told to, so sure, here ya go!

DHCP Client: Okay, since you told me to, i guess i'll use these.

So from a protocol level, hopping onto an accesspoint is asking permission the entire time! (:

If this were a verbal agreement between two consenting individuals, the only requirement (IANAL, this is my best recollection from high school days) is that the agreeing parties be sober, of fit mind, and be over 18.... Well, the over 18 part might be hard for the hardware, but "sober" and "fit mind" are not too hard to translate to hardware terms...

Anyway! The point is that the IPs are being offered. If someone does not consent to these things, then they should say so. By which i mean turn on things like MAC filtering so the conversation goes more like:

Client: Hey, here's my MAC addy, can i associate with you?

Access Point: Who the h*ll are you? I don't know who you are, and i want nothing to do with you! <closes door in face of Client>

See? I'm playing devils advocate here of course, i have a policy of going to coffee shops in NYC that offer free wifi anyway. On my home system, i use WEP that changes semi regularly, along with MAC filtering, and IPSec to protect the actual data flow (since WEP stops casual stuff, but isn't to be relied on for actual security)

okay, i'm done.

-pete

----------

## garn

May I suggest a mod split this topic into Legal/Moral issues vs technical issues?

Anyway you decide your own morals, here's some technical info:

kismet can scan passively for access points, it won't send any packets, just see what packets are floating around and what APs they mention (So if someone just left an AP and the laptop is still looking for it you'll discover that AP, even though it's out of range)

Airsnort will scan for APs and can crack WEP if it gets enough data. How much is enough? I think like 3 million encrypted packets. I left my top in my friend's room (he has WEP) and we were gonna see how long it'd take to crack but when I was disabling sleep I messed up so it ended up sleeping before enough packets were gathered (He had to go work on a project and I was working on homework, so we just left it there and couldn't wake it up)

wavemon shows signal strength and some other stuff

ethereal sniffer, can sniff hard wired or wireless networks, if wep is on you won't be able to read anything, if wep is off or you have your device configured for the wep key you'll see everyone's packets. Also if mac filtering is on you could see other MACs using the AP.

macchanger You can just use ifconfig ethX hw ether but this has some cool things like setting a random mac, or a random mac of the same type of card (so another wireless card mac address)

That's all I can think of at the moment, be responsible, all that jazz

If I upset anyone by giving information that could be misused, feel free to PM me, this thread is cluttered enough.

----------

## ChopChopMasterOnion

I agree with latexer and garn.  Thanks for the technical info, I'll be sure to utilize those tools while securing my network at the department!

----------

## kwiqsilver

I'm definitely going to install wavemon on my notebook tonight, so I can see where in the house the connection is strong.

I'll also try airsnort. At least one person nearby has a network that I'm sometimes getting interference from (once before I hard coded all my settings, my notebook tried to connect to that network instead of mine). That way I could see what channels and stuff they're using and use another.

Does anybody know if you can learn the mac of a wireless client? I have 128-bit WEP and mac filtering set to only allow my two wifi cards, but if somebody can learn the mac of one of them, and change his mac to mine, he'll be one step closer to breaking my network.

----------

## garn

 *kwiqsilver wrote:*   

> Does anybody know if you can learn the mac of a wireless client? I have 128-bit WEP and mac filtering set to only allow my two wifi cards, but if somebody can learn the mac of one of them, and change his mac to mine, he'll be one step closer to breaking my network.

 

Easily. Ethereal will show the MAC, even with WEP.

----------

## usrbinperl

It seems like a cycle of insecurity.  WEP's effectiveness is questionable, so people try MAC filtering.  MAC filtering can be subverted by sniffing out the accepted MACs and using them on the cracker's card.  With MAC filtering's effectiveness now questionable, where does that take us?  Back to WEP?  Or are there yet other alternatives?

----------

## secondshadow

@latexer: While I understand your view here, the fundamental flaw is that software cannot make judgements. It just does what it's told. Think of it this way:

Hypothetically speaking, we will say your arguments are considered valid in a court of law. Now let's consider some rather nasty virii/worms, Blaster for example. It exploits a security hole, right? Well....from a software standpoint it looks something like this:

Blaster: Hey, Mr. Windows, will you download me cause I've got a slick neato trick to show you

Windows: Errrrr.....I'm a little confused but sure, why not. I haven't been told not to.

Blaster: Now that I'm here, why don't you execute my code. I promise it'll be neat.

Windows: Errrrrr....well.....uhhh....I'm here to load and execute code... so I guess that should be okay.

Blaster: YAY!

The difference is that a person would first say: why should I let you upload yourself to me and/or what does your code do cause I'm not gonna exec you if you don't tell me first and prove it.

Now while humans can be tricked as well, the phrase "tricking a computer" has a fundamentally different meaning than "tricking a person." Using personification to justify something that software does I don't think is really valid because the software does simply what it's been told, regardless of whether or not the "person" (warwalking computer) would look suspicious to the computer were it sentient.

@usrbinperl: Well, I suppose the technically most secure form of networking would be a landline based network. It's like a cell phone or cordless phone. If call monitoring is a concern, you don't use them for sensitive stuff because it just opens up one more problem for you. Now I realize that this isn't convenient or feasible in some places, but then you are forced to take that risk.

@ChopChopMasterOnion: I meant to post a neat article that may be of interest to you on "port knocking." I'll post the link once I find it again. You may find it of interest.

----------

## ChopChopMasterOnion

 *secondshadow wrote:*   

> While I understand your view here, the fundamental flaw is that software cannot make judgements.

 

That's why it's a security hole.  Social engineering works the same way.  However, the inherent difference is that in social engineering, you have a false pretense, whereas on a wide open wireless network, every client who requests access does so in exactly the same way.  The mode that packet grabbers use is called promiscuous mode because it operates in the same way as an open WAP in that it will take packets from anyone regardless of trust or security.  It just does what it's told.  To quote you again, and on something I agree with:

 *secondshadow wrote:*   

> Now while humans can be tricked as well, the phrase "tricking a computer" has a fundamentally different meaning than "tricking a person." Using personification to justify something that software does I don't think is really valid because the software does simply what it's been told, regardless of whether or not the "person" (warwalking computer) would look suspicious to the computer were it sentient.

 

 *secondshadow wrote:*   

> @ChopChopMasterOnion: I meant to post a neat article that may be of interest to you on "port knocking." I'll post the link once I find it again. You may find it of interest.

 

Sounds like an interesting article.  I look forward to you posting it.

----------

## Koon

 *usrbinperl wrote:*   

> It seems like a cycle of insecurity.  WEP's effectiveness is questionable, so people try MAC filtering.  MAC filtering can be subverted by sniffing out the accepted MACs and using them on the cracker's card.  With MAC filtering's effectiveness now questionable, where does that take us?  Back to WEP?  Or are there yet other alternatives?

 

The solution is in AP-based strong authentication (for example using a back-end Radius server) and/or VPN with PKI. That takes care of the two needed aspects: strong authentication and strong encryption. The problem is the lack of standards which means that for the moment every solution is very custom. Standard 802.11x is coming soon though.

-K

----------

## secondshadow

For all you security nuts out there who want to make sure that no one even gets the chance to attempt to brute-force a weak password (or at least make it a pain in the a** to do it), I introduce to you:

Port Knocking

http://www.linuxjournal.com/article.php?sid=6811&mode=thread&order=0

I actually found this article to be rather interesting and I very well may look into implementing it on my server here at home for the ssh server. Why? Just because. Another technique is to set the real server to a non-standard port and have several other ports that sound out what seems to be an ssh banner and key request which is mostly just to fool port scanners and to irritate the person doing the scanning. An extension of this is if 2 or more of these fake "servers" get a hit within a given time period would be to have the real one actually shut down for a little bit and instead run a fake one in its place, say for 10 minutes, which should be long enough for the person to have passed over it. I think the first half of this idea is mentioned in the port knocking article....I think. I know I read it somewhere. The second half was mine   :Twisted Evil: 
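As an added illustration of the port-knocking idea (this is not code from the Linux Journal article or from any knocking daemon), here is a small Python knock tracker run over constructed firewall log lines. The log layout loosely imitates iptables `LOG` output with a `KNOCK:` prefix; the knock sequence `7000, 8000, 9000`, the 10-second window and all addresses are assumptions for the example. A source that hits the ports in order, each within the window, gets recorded as authorized (a real daemon would then add a firewall rule for it); a wrong port or an expired knock resets that source, which is what makes a port scan walking through the ports fail.

```python
import re
from datetime import datetime

# Assumptions for this example: choose your own sequence and window.
KNOCK_SEQUENCE = (7000, 8000, 9000)   # ports that must be hit, in this order
KNOCK_WINDOW_S = 10                   # each knock must follow the previous one within this many seconds

# Constructed sample log (not a real capture). The layout loosely follows iptables LOG output
# for a rule that logs SYNs to the knock ports with --log-prefix "KNOCK: ".
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=7000 SYN
Jan 10 12:00:02 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=8000 SYN
Jan 10 12:00:03 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=9000 SYN
Jan 10 12:00:05 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=7000 SYN
Jan 10 12:00:06 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=9000 SYN
Jan 10 12:00:07 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=8000 SYN
Jan 10 12:00:08 gw kernel: KNOCK: IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=7000 SYN
Jan 10 12:00:09 gw kernel: KNOCK: IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=33001 DPT=8000 SYN
Jan 10 12:00:40 gw kernel: KNOCK: IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=33002 DPT=9000 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, source address, destination port) or None for lines we don't care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine since only deltas matter.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dport"))


class KnockTracker:
    """Per-source progress through the knock sequence, with a timeout between knocks."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window_s=KNOCK_WINDOW_S):
        self.sequence = tuple(sequence)
        self.window_s = window_s
        self.state = {}    # src -> (knocks matched so far, time of last knock)
        self.opened = {}   # src -> time the full sequence was completed

    def observe(self, src, dport, ts):
        progress, last_ts = self.state.get(src, (0, None))
        if last_ts is not None and (ts - last_ts).total_seconds() > self.window_s:
            progress = 0                      # the earlier partial sequence has timed out
        if dport == self.sequence[progress]:
            progress += 1                     # the expected next knock
        elif dport == self.sequence[0]:
            progress = 1                      # not the expected port, but a fresh start
        else:
            progress = 0                      # any other port (scanner behaviour) resets the source
        if progress == len(self.sequence):
            self.state.pop(src, None)
            self.opened[src] = ts             # a real daemon would insert the firewall rule here
            return True
        self.state[src] = (progress, ts)
        return False


def process_log(text, sequence=KNOCK_SEQUENCE, window_s=KNOCK_WINDOW_S):
    """Feed every parseable line to the tracker; return {source: completion time}."""
    tracker = KnockTracker(sequence, window_s)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            tracker.observe(src, dport, ts)
    return tracker.opened


def authorized_sources(text):
    return sorted(process_log(text))


if __name__ == "__main__":
    for src, ts in process_log(SAMPLE_LOG).items():
        print(f"{src} completed the knock sequence at {ts.time()}")
```

In the constructed log only 203.0.113.5 is authorized: 198.51.100.77 knocks the right ports in the wrong order, and 192.0.2.9 delivers its last knock 31 seconds after the second one. Note that a knock sequence is an obscurity layer, not authentication: anyone who can observe the traffic sees the sequence in clear, so it belongs in front of a properly configured sshd, not in place of one.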

----------

## ChopChopMasterOnion

I'll have to see what I can do about fitting that in on the box I will set up to separate the dmz for the important records.

----------

## numbaonestunna

 *usrbinperl wrote:*   

> It seems like a cycle of insecurity.  WEP's effectiveness is questionable, so people try MAC filtering.  MAC filtering can be subverted by sniffing out the accepted MACs and using them on the cracker's card.  With MAC filtering's effectiveness now questionable, where does that take us?  Back to WEP?  Or are there yet other alternatives?

 

Plenty of things you can do.  You can treat it like the insecure network that it is, and force all clients to vpn to a central terminal.  You can also put up an authenticated proxy so that no one can browse the web for free off of your wireless network.  You can further utilize some sort of authentication (like LEAP) to get on the network in the first place.  Finally you can have dynamic keys that cycle every so often that are either A) programmed into the card or B) you have to issue out to clients.  Now eventually someone might be able to get all your WEP keys, but they'll have to wait a good GOOD long time... (I've tried cracking 128-bit wep with airsnort, left it running for 4 months with 1500 interesting packets, and still haven't cracked it yet... imagine if they're using 256-bit WEP!)

----------

## viperlin

so far i've been looking into this as my friends and i go warwalking around town, (i've yet to get a wifi card though)

it is not illegal in the UK to go wardriving/waranything

it is not illegal to map wireless lans

it is yet to be decided on whether it is illegal to use the internet connection correctly (browsing, etc) (personally a ping or 2 i think should be fine, to see if you can get access to the internet)

when scanning you can spoof your MAC address, when doing anything you can spoof your MAC address, it should never be used too seriously.

when i get my Access Point it is going in the DMZ, or i will set it up specially using different subnets and IP ranges (one range i give to people i trust, the other is dhcp for people driving past, i may or may not enable WEP.)

----------

## viperlin

 *numbaonestunna wrote:*   

>  *usrbinperl wrote:*   It seems like a cycle of insecurity.  WEP's effectiveness is questionable, so people try MAC filtering.  MAC filtering can be subverted by sniffing out the accepted MACs and using them on the cracker's card.  With MAC filtering's effectiveness now questionable, where does that take us?  Back to WEP?  Or are there yet other alternatives? 
> 
> Plenty of things you can do.  You can treat it like the insecure network that it is, and force all clients to vpn to a central terminal.  You can also put up an authenticated proxy so that no one can browse the web for free off of your wireless network.  You can further utilize some sort of authentication (like LEAP) to get on the network in the first place.  Finally you can have dynamic keys that cycle every so often that are either A) programmed into the card or B) you have to issue out to clients.  Now eventually someone might be able to get all your WEP keys, but they'll have to wait a good GOOD long time... (I've tried cracking 128-bit wep with airsnort, left it running for 4 months with 1500 interesting packets, and still haven't cracked it yet... imagine if they're using 256-bit WEP!)

 

if you go and read the manual page (again?) it clearly states the more packets the faster, try transferring a few GB over your network and get about 10 million encrypted packets.

then try it  :Smile: 

----------

## appetitus

 *secondshadow wrote:*   

> Logging into someone else's network and committing any acts without permission is, I do believe, a federal offense. You are stealing, first of all. 

 

Are you a lawyer?  A prosecutor?  Like most gentoo users, this is some guess based on your belief.  You will have a great deal of difficulty proving "what" has been stolen without full cooperation of the accused.  English law is ancient and property based, so what tangible property has been stolen?  Can you produce "it" in court?

 :Cool: 

----------

## ChopChopMasterOnion

once again it's shown clearly that one man's salvage is another man's theft.  I personally think it's silly to claim ownership of bandwidth one wouldn't be using anyway, and were it not for prosecutors associating IP addresses to a person (which is fairly dubious in and of itself, since countless people run rooted windows boxes and have no idea), it'd be far more practical to allow free access to one's internet connection than it currently is.  Then I could just secure my network inside and let anyone who wanted to use my internet connection.  But as it stands right now, there's too much liability in not tightening down my security.

bottom line:  I'm not protecting my bandwidth, i'm just covering my ass.

----------

## tcaptain

 *ChopChopMasterOnion wrote:*   

> once again it's shown clearly thatone man's salvage is another man's theft.  I personally think it's silly to claim ownership of bandwidth one wouldn't be using anyway, and were it not for prosecutors associating IP addresses to a person (which is fairly dubious in and of itself, since countless people run rooted windows boxes and have no idea), it'd be far more practical to allow free access to one's internet connection than it currently is.  

 

That's all well and good.  However, what if my net connection is metered?  For me there is only one choice for high speed internet access and the deal limits my upload/downloads.  Last thing I want is some guy using up my bandwidth.  Sure, it's just for email, or a quick webpage, but you know, it adds up, and if the wardriver isn't the only one using it...it adds up fast.

Fact is, maybe you don't see bandwidth as theft...but if someone's use of it causes me extra expenses without authorization (ie: I didn't intend to leave my network open for anyone to use) then it IS theft...not salvage.

Your argument would be fine (and I would agree with it), if we had more "unlimited bandwidth" deals...however, if someone accesses a network by cracking the WEP or taking advantage of the user's inexperience, there is no way he can know for sure that he is not incurring additional expense to the network's "owner".

----------

## viperlin

i see leaving the network unencrypted as leaving it public, it's like leaving the doors open at a shop overnight, people are bound to come in and look around, but only bad people will actually steal something.

if you want it private, make it WEP'ed even 64bit WEP. that marks it private and innocent wardrivers will carry on. the bad ones will try and crack it.

(i just like mapping wireless networks, it's a fun project, the most i do is ping google.com to see if the open network is connected to the internet to add that to the map.)

----------

## johntramp

hi, I have been reading through this thread and I am wondering how safe my network would be to a wardriver or whatever you want to call them.  With kismet I can detect 5 wireless networks without any use of an external antenna, so I presume they can all see me too. I have mac filtering with only the 3 wireless cards we use in this house added to the filter.  There is no WEP or any form of encryption used in it.  Will this be secure enough if someone was willing to try and break in, or should I have something more to be safe?

I know you could say you can never have enough security, but I don't like the idea of having to add wep passwords to every computer I install a wireless card on.

Thanks  :Smile: 

----------

## viperlin

your best bet is just use WEP, it's not hard or anything, MAC filtering can theoretically be faked, i can do it on normal NIC's but have yet to get it to work on my wifi card so that the AP picks up the changed MAC.

set WEP 128 on the AP & add the password to the settings on the 3 laptops, about 5 mins work....

----------

## nightblade

 *johntramp wrote:*   

> I have mac filtering with only the 3 wireless cards we use in this house added to the filter.  There is no WEP or any form of encription used in it.  Will this be secure enough if someone was willing to try and break in, or should I have something more to be safe?
> 
> I know you could say you can never have enough security, but I don't like the idea of having to add wep passwords to every computer I install a wireless card on.
> 
> 

 

If you don't have WEP enabled, at least it will be possible to read your data (unless some higher level encryption is used). Mac filtering only prevents transmitting but, as other ppl pointed out, it can be bypassed. So you might want to consider WEP.

Keep in mind that attacks against WEP have a statistical nature: it's all about gathering enough packets encrypted with the same key: some Initialization Vectors, which are strings that are sent in clear with each packet in order to let the receiver calculate the decryption key, leak a few fractions of bits of the WEP key. You need about 2000-4000 "weak" packets in order to perform an attack against the key, and that means several million packets sniffed from your network. You can use airsnort in order to get an estimate of the time needed for a determined attacker to break in, depending on the average load of your wireless network. When you get that time, a good practice would be to change the key consequently: if your estimate says that you can crack the key in 2 weeks, you should change the key every 10 days or so, which is not a very hard task, if you only have 3 wireless cards working.

Or you can simply switch to WPA, if your hardware/software supports it. WPA fixes most of WEP's flaws.
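To make the estimate nightblade describes concrete, here is an added Python example (not airsnort's code, and not part of the original post) that classifies the IVs of a WEP capture from a defender's point of view: how many "weak" IVs your own network is leaking per hour, how often the same IV is reused (a 24-bit IV space repeats quickly, and many cards restart at zero on power-up), and the resulting key-rotation interval. The weak-IV test used is the classic FMS pattern (first byte A+3 for key byte A, second byte 0xFF), the 4000-packet figure is the upper end of the range in the post, the 70% rotation margin is an assumption, and the capture itself is constructed: a card that starts its IV at 0 and counts up.

```python
from collections import Counter

KEY_BYTES = 13               # a 104-bit key, sold as "128-bit WEP"
WEAK_PACKETS_NEEDED = 4000   # upper end of the 2000-4000 range given in the post
ROTATE_AT_FRACTION = 0.7     # rotate the key at 70% of the estimated time (assumption for this example)


def is_weak_iv(iv):
    """FMS-class weak IV: (A + 3, 0xFF, X) leaks information about key byte A."""
    a, b, _ = iv
    return b == 0xFF and 3 <= a < 3 + KEY_BYTES


def iv_from_frame(frame):
    """Extract the 3-byte IV from a constructed 802.11 data frame (24-byte header, then IV, then key id)."""
    return tuple(frame[24:27])


# Constructed frame: zeroed header, IV 05:FF:10, key id 0, then a few dummy payload bytes.
SAMPLE_FRAME = bytes(24) + bytes([0x05, 0xFF, 0x10, 0x00]) + bytes(range(8))


def counter_ivs(n):
    """Constructed capture: a card whose IV starts at 0 and increments (little-endian), n frames."""
    return [(i & 0xFF, (i >> 8) & 0xFF, (i >> 16) & 0xFF) for i in range(n)]


def analyze_capture(ivs, duration_s):
    """Summarise a capture of IVs taken over duration_s seconds on one's own network."""
    counts = Counter(ivs)
    reused = sum(c - 1 for c in counts.values() if c > 1)       # frames that repeated an earlier IV
    weak = sum(1 for iv in ivs if is_weak_iv(iv))
    weak_per_hour = weak * 3600 / duration_s if duration_s > 0 else 0.0
    hours_to_attack = WEAK_PACKETS_NEEDED / weak_per_hour if weak_per_hour > 0 else float("inf")
    return {
        "packets": len(ivs),
        "weak_ivs": weak,
        "reused_ivs": reused,
        "weak_per_hour": weak_per_hour,
        "hours_to_attack": hours_to_attack,
        "rotate_every_hours": hours_to_attack * ROTATE_AT_FRACTION,
    }


if __name__ == "__main__":
    # 200,000 frames in one hour from an incrementing-IV card.
    report = analyze_capture(counter_ivs(200_000), duration_s=3600)
    for k, v in report.items():
        print(f"{k:>20}: {v}")
    print("sample frame IV", iv_from_frame(SAMPLE_FRAME), "weak" if is_weak_iv(iv_from_frame(SAMPLE_FRAME)) else "ok")
```

With the incrementing card every 65,536th frame enters a block of 256 IVs whose second byte is 0xFF, and 13 of those are weak, so an hour at 200,000 frames yields 39 weak IVs and the 4000-packet threshold is reached in roughly 103 hours; rotating every ~72 hours keeps ahead of that. The reused-IV count matters independently of the attack: two frames under the same IV and key share a keystream, which is a confidentiality failure on its own. As the post says, the practical fix is WPA rather than a tighter rotation schedule.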

----------

## epretorious

 *kwiqsilver wrote:*   

> I'm definitely going to install wavemon on my notebook tonight, so I can see where in the house the connection is strong.

 

Wavemon is an excellent tool. I use it all the time for adjusting/relocating WAPs.

 *Quote:*   

> I'll also try airsnort.... That way I could see what channels and stuff they're using and use another.
> 
> Does anybody know if you can learn the mac of a wireless client?

 

Kismet is also an excellent tool. Kismet displays MAC addresses of all APs and stations in the general vicinity.

----------

## ercxy

Hi guys,

First of all thanks to all, I learned a lot.. I want to look at the problem upside down. Let's assume i stay in a hotel, i connect to the wireless network offered by the hotel for their customers.  WEP is not enabled. Does this mean everybody in the network can easily sniff my http, ftp, mail (pop3, imap).. sessions? how about encrypted protocols ssh, ssl?.. If i connect to my bank account, credit card account they may steal my important information? .. I know there is always a way to do these stuff, but how easy in this case? ..How about if WEP is enabled (I know they will use something stupid like the name of the hotel or whatever.. )

I don't want all the technical details (in case someone blames me or the forum about trying to learn and teach crime stuff)  just tell me how i can protect myself (i don't want the trivial solution "don't use it!"  for now; if it is that bad i may consider even not turning on my laptop in these places ), I am just a concerned laptop user. 

thanks

----------

## GentooBox

 *ercxy wrote:*   

> Hi guys,
> 
> First of all thanks to all, I learned a lot.. I want to look at the problem upside down. Let's assume i stay in a hotel, i connect to the wireless network offered by the hotel for their customers.  WEP is not enabled. Does this mean everybody in the network can easily sniff my http, ftp, mail (pop3, imap).. sessions? how about encrypted protocols ssh, ssl?.. If i connect to my bank account, credit card account they may steal my important information? .. I know there is always a way to do these stuff, but how easy in this case? ..How about if WEP is enabled (I know they will use something stupid like the name of the hotel or whatever.. )
> 
> I don't want all the technical details (in case someone blames me or the forum about trying to learn and teach crime stuff)  just tell me how i can protect myself (i don't want the trivial solution "don't use it!"  for now; if it is that bad i may consider even not turning on my laptop in these places ), I am just a concerned laptop user. 
> ...

 

If the Access-point is not encrypted with WEP, then everyone can connect to the network and sniff everyone's data.

Off the air (everyone's packets)

or by using TCP/IP connection filtering (only your packets)

Both ways the attacker can read ALL your unencrypted data really easily by just using a sniffer.

encrypted data like SSH, HTTPS can be sniffed, but it will not be usable to the attacker unless he decrypts the data.

----------

## viperlin

your safest bet is to, as said above, use SSL connections for everything, SSH will be fine, any bank data will be most likely ssl encrypted (check the page is https and the certs are ok) 

if you have a decent home connection, try openVPN, you'll have to look that up a bit though..

----------

## guero61

Wow... this thread got quite out of hand with all the name-calling, angry words, and such.

Just as an IT professional providing wireless security direction in a very LARGE way, I thought I'd bring my opinion/experience to bear.

I run a Gentoo laptop at work for my sniffing and troubleshooting needs; there are a wonderful number of absolutely excellent tools available for use in Gentoo.  For example, should I want to test something filtered by MAC; instead of picking out the specific MAC I'm using (since I have several dozen PCMCIA cards piled here in front of me), I just run 'ifconfig eth0 00DEADBEEF00'.  Done deal; easy and humorous.  Kismet is a _great_ tool for picking out not only available networks/clients/etc., it also has built-in heuristics for identifying network problems and troublemakers - like people running active sniffers, doing network probing, excessive CRC errors, etc.

Yes, I've cracked wireless networks - both professionally and personally.  Usually it's been due to inappropriate configuration of access control.  MAC filtering and WEP are rather easily broken/spoofed.  The only way to provide a 'truly' secure wireless connection is to run a VPN, preferably over WEP.  Auto-generate your WEP key at the 26-character level; don't use those foolish 'password' systems - so much more susceptible to brute-force attacks!  Multiple levels of security is the only way of even starting to control access; MAC filtering is not even a consideration - it's trivially circumvented and not scalable.

Here's an idea, one I use in my own home network:

My home network is un-wepped.  This AP is on a dedicated NIC on my firewall server - any traffic in or out of it _has_ to go through the firewall.  For my friends and family that come by with wireless devices I have allowed 10kbps of unsecured internet access from this network - it cannot see the rest of my internal systems.  However, should someone authenticate via VPN to the firewall, they now get full LAN/internet access.  Did I forget to mention that I keep rolling packet logs of the rate-limited system?  That way, should something untoward occur, I can easily go back and find out precisely what.

Linux has all the tools you need to successfully seek out networks, whether by interest (radar detectors, anyone?) or intent.  There are over 200 APs on my 7-mile drive between work and home, over 30% of which are insecure and at default configurations.

----------

## rex123

I also run a totally unencrypted wireless network at home.

You are all welcome to drive by, steal my bandwidth, read my email and store amusing messages about what fun wardriving is on my hard drive. I'd hate to think that busy people would need to spend ages boringly cracking complex encryption just to get to read my hard drive.

----------

## nightblade

 *rex123 wrote:*   

> I also run a totally unencrypted wireless network at home.
> 
> You are all welcome to drive by, steal my bandwidth, read my email and store amusing messages about what fun wardriving is on my hard drive. I'd hate to think that busy people would need to spend ages boringly cracking complex encryption just to get to read my hard drive.

 

What if someone performs some illegal activity using your Internet connection? Like issuing a couple of commands to some botnet in order to start a DDoS, or launching a few exploits against some server that had been previously scanned. Or, worse, what about implanting some trojan that "phones home", providing later access to your network without the need of being physically near, and letting somebody use your hard disk to store child porn?

You might not care about ppl reading your emails, but you might not want to be used as a decoy for criminal actions...

----------

## rex123

 *nightblade wrote:*   

> 
> 
> What if someone performs some illegal activity using your Internet connection ? Like [...]

 

They have to find me first :)

Apart from the fact that I live in a place that makes wardriving difficult, I like, as far as possible, to take the view that other computer users can be more or less trusted as much as I can. If I found an open wireless connection nearby, I wouldn't feel the slightest twinge of guilt about using it, but I'd let the owner know. This seems to me to be in the general spirit of computer use. I draw the line at allowing viruses and worms into my home network, though.

----------

## nightblade

 *rex123 wrote:*   

> 
> 
> Apart from the fact that I live in a place that makes wardriving difficult
> 
> 

 

Of course, if you live in a lonely house on the top of a hill, we can probably assume that abusers will look for other open nets  :Smile: 

 *Quote:*   

> 
> 
> I like, as far as possible, to take the view that other computer users can be more or less trusted as much as I can. If I found an open wireless connection nearby, I wouldn't feel the slightest twinge of guilt about using it, but I'd let the owner know. This seems to me to be in the general spirit of computer use. I draw the line at allowing viruses and worms into my home network, though.

 

Reminds me of Dr. Stallman himself, who avoided using passwords for his accounts because in his opinion it was against the spirit of free knowledge.

The point is that the world we live in is not perfect, and if you want to provide some service, you have to take into account that among 1,000,000 honest and nice users you will find 1 or 2 bad apples that might abuse your trust and get you into legal trouble. Providing a free and open AP is nice, but just be aware of the associated risks and take some precautions  :Smile: 

----------

## OdinsDream

Just calm down everyone. I know this is uncommon, but were you to drive by my home with a wireless network scanner, you'd see that my SSID is: )(welcome

Yes, check your e-mail, look at that e-bay auction, browse metafilter, see what the latest stock quotes are, whatever you want. There are generous people out there, and not everyone who wardrives is evil. If you outlaw walking around and sniffing wireless transmissions, you outlaw the potential for a community-driven free wireless net. Several small college towns have projects like this. I secure my internal network - I don't rely on WEP. I do log all the connections.

Please, let's keep this civil and on-topic: To the author, I use Kismet with an Orinoco card and antenna from http://www.fab-corp.com/ and a serial GPS puck-style antenna. If you have any questions about my setup or use, please feel free to ask.

----------

## nightblade

 *OdinsDream wrote:*   

> 
> 
> Please, let's keep this civil and on-topic: 

 

My posts were not intended to flame anyone... sorry if I gave this impression.

My only point is that if you want to provide a free AP (which I think is overall a nice idea) you just have to take some precautions in order to avoid abuses...

----------

## dausha

Guys,

I am in law school, but I've not finished so IANAL and this is not legal advice.

First, an unsecured door is not a consent to theft, as one suggested. I recall one specific case where a ten year-old saw an open garage with a bicycle in it. He took the bike in front of his friends who ratted him out. He was arrested and convicted of first degree burglary.

If you found the back door to my house open, and decided to take a nap on my couch (or shower in my bathroom), that would be trespassing--you did not have my consent. Yes, English (and American) property law is based on ancient laws (all the way back to 1066, thank you Mr. the Conqueror), and property law says that *my* home is *my* castle. Enter at your own peril.

Fast forward to the 21st century. The great thing about common law is it derives itself from experience, which is why I hate legislators codifying common law. If you wardrive and *connect* to a network, you have effectively broken and entered. If you use my bandwidth, even if I am not using it, you have stolen from me. As the owner of that connection (or a lessor, who still exercises owner's rights), I have a right to decide who will/not use my connection. If you use without my consent, you have violated my property rights.

Now, this does not illegalize a community deciding to create a municipal open network, because if the owners of those connections *consent,* then it is not illegal (assuming, of course, that the ISP allows such sharing; Speakeasy comes to mind).

Sure, that may not make sense, if I'm not using the bandwidth, why *not* let you borrow a bit. However, when somebody takes a joy ride in your car w/o your consent, I'm sure you won't complain, either.

That said, I'm not here to rain on anybody's parade. I'm here to learn how I can use my linux laptop on a MAC-controlled network I already have access to (the integral wireless only works w/ Windows, and I cannot sacrifice that in my personal linux zealotry). Like a crowbar or a pistol, all these tools have legitimate uses, so there's no harm in discussing them. Just don't use them inappropriately. Although, to some (not on this thread), that might sound like "nice axe, Mr. Manson, visiting a friend?"

----------

## OdinsDream

I hate to get all technical, but there's an important distinction to be made between wireless network connectivity and open doors/garages/what have you.

Here's the difference. An open door would be the equivalent of a wireless AP sending out no beacons. The distinction is important to make not only technically, but practically, as well, since a majority of consumer wireless equipment is designed to self-organize and connect to the strongest signal automatically. I'm sure we can agree that when my laptop connects to my neighbor's signal instead of mine (because I'm at the far end of my own house), I'm not stealing anything or breaking any law. That would be ridiculous.

So, the technical stuff - the wireless equipment is not designed like a house with an open door. These devices are designed to cooperate with each other, and they do so with protocols. Protocols should be a great word to find as a lawyer, because, hey, it's like a little contract you can read. Here's how I see the wireless protocols:

You set up an AP, and, by default, it starts broadcasting beacons that contain all the information necessary for a client to connect to the network. In fact, it's actively waiting to hand out DHCP leases, by default. The machine is designed to cooperate out of the box with any client.

A client walks by, and is, by default, reading beacon packets waiting to find one strong enough to automatically connect. The very second it snags your AP's invitation beacon, it replies to the AP and kindly asks it for a DHCP lease. The AP checks to make sure there are no restrictions on such a lease, and, assuming there aren't, a lease is granted. The client receives the DHCP lease information, says thanks to the AP, and configures itself to operate with that network.

No users were ever involved in this negotiation, because there's a protocol in place to handle such negotiations.

That's why this stuff cannot be compared to an open door, at least not by anyone who's willing to examine what's going on here. If you don't understand the protocol, well that's another thing altogether. People -can- be guilty of setting up unsecured APs, but we cannot just redefine the protocol to better reflect how some people would -like- their network to behave.

I would liken an open door to an AP that has beacon broadcasting disabled. If you actively sniff traffic on an AP like that, and then connect, that's when I'd say it's likely to be viewed as illegal, since the client is initiating the transaction.

These machines are not mystery boxes, though many people believe them to be. They operate by strict, predictable guidelines. Theft of service is an entirely different matter, unrelated to actually connecting to the AP. Once someone browses to the external internet, they're using your ISP, and that opens up a completely different can of worms.

----------

## dausha

First, I'm sure we're going off topic, and I apologize. I suppose after this round we should go offline?

I should say up front, I consider myself a techie first, a law student second. I'm in law school to understand the rules of society, not to go about thrashing people with them. I support the open-source community because I have benefited and enjoyed it for so many years. I also support the notion of wireless-on-demand wherever I want to use it (but worry that the government will find a way to profit through subsequent taxation).

I'll concede the technical distinctions, Odin, and I agree. But, I think that's not my point. I've accidentally connected to my neighbor because I was closer to their node. But, as soon as I noticed (and I did almost immediately), I reconfigured my laptop to avoid that node.

There are two angles here with a bit of conflict. On the technical side, APs are designed to behave a certain way, including handshaking. By nature they are promiscuous. From a legal side I'm advancing an argument that says that to exploit that nature to intentionally trespass on somebody's network may present a legal issue.

I would disagree with you a bit on your analogy. To me, an open garage door is akin to the typical out-of-the-box default AP, open and sending out its SID. A closed-but-unlocked back door is the AP that does not send out a SID. WEP is a locked door, which to me is very accurate because locked doors only keep out honest people. Maybe MAC address is an automatic garage door opener--allegedly synced to a controller, but can be spoofed?

Perhaps a different way of comparing the two (open garage v. default AP) is like a large backyard that people use as a short-cut. Nothing to prevent people from using it, and being open and quicker "invites" people to use it. However, that is still trespass by those who accept that implied invitation.

My point is two-fold: If you're intentionally on somebody's network then you are trespassing. The tools discussed in these threads are not akin to drug paraphernalia where possession equals intent to do bad things. I'm annoyed with people who tend to think the tools are bad when it's how people use them.

Regarding being guilty of setting up insecure nodes. A property owner is not "guilty" of not erecting a fence to keep off trespassers (like everything in law, there are exceptions I won't delve into).

So, I don't think we disagree except in how we explain our POV. :)

Regards,

Ben

----------

## OdinsDream

Very true, I see your point. The problem lies in the flaws of analogies to properly represent what's going on, I think. There's an engineering/technical discussion, and there's a separate moral discussion. For me, that's an important distinction to make right away. I regularly drive around with my laptop turned on, and by default, it connects to signals. It isn't my intention to wardrive, yet some would say I am.

I would just hate to see a lack of understanding of the protocols these technologies operate on being used in a courtroom, of all places, to wrongfully criminalize innocuous behaviour.

Theft of service is a serious matter, but I think it's entirely separate from the wardriving issue.

One thing I hope I never see in my lifetime is the death of the principle of airwaves owned by the people, not by companies or laws. That principle has allowed for a lot of innovation and education, and I would hate to see it treated as a box that someone can own. Ultimately, that's what makes an analogy to physical property incongruent, and inherently flawed. Not that they aren't fun; here's another one!

Default AP broadcasting SID: Kid with a lemonade stand shouting "FREE LEMONADE, FREE LEMONADE!"

Default AP not broadcasting SID: Kid with a lemonade stand not shouting, but if you asked him "Hey, is this free lemonade?" He'd say "Sure!"

WEP/WPA AP: Kid with lemonade stand and a rifle.

Oh, and in the first two cases, to extend the analogy to most home users, the kid's parents would be completely unaware he was giving lemonade away for free that they had purchased, and they would be really mad if they found out he was selling it. (parents = typical home user, in this case)
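As an added example (not code from anyone in this thread), here is a small Python parser for the body of an 802.11 beacon frame that sorts an AP into the three cases the two posts above describe: SSID broadcast, SSID hidden (an empty SSID element, the "not shouting" stand), and the privacy bit set (WEP/WPA required). The beacon bytes are constructed inline for the example, not captured from a real network.

```python
# Added example: classify an AP from a beacon body the way the thread does.
# The beacon bytes below are constructed, not a captured frame.
import struct

def parse_beacon_body(body: bytes) -> dict:
    """Parse a beacon's frame body (the part after the 24-byte MAC header)."""
    # Fixed fields: 8-byte timestamp, 2-byte beacon interval (in TUs), 2-byte capability info
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    offset = 12
    ies: dict[int, list[bytes]] = {}
    # Tagged parameters follow: 1-byte element id, 1-byte length, value
    while offset + 2 <= len(body):
        tag, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, []).append(value)
        offset += 2 + length
    ssid_ies = ies.get(0, [])          # element id 0 is the SSID
    ssid = ssid_ies[0] if ssid_ies else None
    return {
        "interval_ms": interval * 1024 / 1000,     # one TU is 1024 microseconds
        "privacy": bool(capability & 0x0010),      # privacy bit: WEP/WPA required
        "ssid": ssid,
        # A "hidden" SSID is sent as an empty or all-zero SSID element
        "hidden": ssid is not None and (len(ssid) == 0 or set(ssid) == {0}),
        "rsn": 48 in ies,                          # RSN element (id 48) advertises WPA2
        "channel": ies[3][0][0] if 3 in ies else None,   # DS Parameter Set, id 3
    }

def classify(info: dict) -> str:
    """Map parsed beacon info onto the thread's three cases."""
    if info["privacy"]:
        return "encrypted"              # the lemonade stand with a rifle
    if info["hidden"]:
        return "open, SSID hidden"      # the stand that isn't shouting
    return "open, SSID broadcast"       # "FREE LEMONADE!"

def build_beacon_body(ssid: bytes, privacy: bool, channel: int = 6) -> bytes:
    """Build a minimal constructed beacon body for testing (not a real capture)."""
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS bit, optional privacy bit
    fixed = struct.pack("<QHH", 0, 100, capability)     # interval 100 TU = 102.4 ms
    ie_ssid = bytes([0, len(ssid)]) + ssid
    ie_rates = bytes([1, 1, 0x82])                      # supported rates: 1 Mbit/s, basic
    ie_chan = bytes([3, 1, channel])
    return fixed + ie_ssid + ie_rates + ie_chan
```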

----------

## someguy

The guy just asked about a tool; I don't think it should break off into criticizing.

IMHO though, I think that wardriving isn't and should not be illegal. If they don't fix their crap then that's their problem. I have dealt with enough morons and have tried to explain the concept of security only to get bitched at because they don't want to go through the trouble.

That's their fault....

----------

## dausha

Someguy, I agree in part with what you're saying--people who don't use protection should not complain. It's like somebody living in New York complaining that his car was stolen when he left the windows down and the keys sitting on the dash. However, the problem for non-techies is to comprehend the "harm" of a default-promiscuous AP.  Perhaps manufacturers should make APs default-locked, and provide tools that allow the owner to easily add wireless devices--rather than leave the windows down. Maybe have a unique WEP for each unit and require MAC with that WEP to work?

In the alternative, I'd be open to city sponsored WANs, but I'm afraid that gives the city too much insight into what I view in the privacy of my home office.

----------

