Defcon "Warballoon" Finds 1/3 of Wireless Networks Unsecured

Soulskill posted more than 6 years ago | from the floating-point-operation dept.

Networking 209

avatar4d writes "Networkworld is reporting about a warballooning operation (similar to wardriving) that was disallowed by the management at the Riviera Hotel in Las Vegas, but was covertly launched anyway. The team found approximately 370 networks, and about a third of those were unsecured. In addition to that, the project managed to show how trusting the local law enforcement agencies really were: 'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'"

i hate you all (5, Funny)

blhack (921171) | more than 6 years ago | (#24547017)

Will everybody please STFU about securing your wifi..

Cracking their wep when I'm on the road and without my gear is a pain in the ass!

Re:i hate you all (2, Insightful)

uassholes (1179143) | more than 6 years ago | (#24547137)

A lot of businesses provide unsecured wifi deliberately. Who gives a fuck.

From TFA

Something less bellicose might not have caught anyone's attention.

A better word than bellicose would be childish.

Re:i hate you all (5, Interesting)

Anonymous Coward | more than 6 years ago | (#24547995)

Yes, ours is "unsecured". It gets you to a DNS which answers only one query and an "internet" where the only thing that you can send to is an IPSEC VPN server. Much good may it do you. DefCon should concentrate on real security (is IPSEC as good as OpenVPN or does its over-complexity make it more vulnerable) and not messing around with pretending to secure your wireless with WEP/WPA and all the other hop by hop garbage.

Re:i hate you all (0)

Anonymous Coward | more than 6 years ago | (#24547197)

If people don't want others on their network, that's their prerogative. Joking aside, you should welcome that they secure their networks instead of leaving them open and suing unsuspecting piggybackers. I will agree with you though that it is a tad disappointing to be in an area where there are plenty access points but they're all locked down.

Re:i hate you all (5, Insightful)

MrNaz (730548) | more than 6 years ago | (#24548007)

More to the point about finding unsuspecting piggybackers, I don't see how it should be expected that the law should get involved too quickly unless a serious crime has been committed. I find this particularly alarming:

In addition to that, the project managed to show how trusting the local law enforcement agencies really were: 'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'

So they'd prefer if the police stopped and strip searched everyone doing something they considered suspicious? What kind of hackers are they if they think authority needs to always get up close and personal with anyone doing anything remotely out of the ordinary?

It's a good thing that the police had a look, could see that a crime wasn't being committed, and decided to continue looking for something worthy of their time, not a bad thing as the absurd summary seems to suggest.

Re:i hate you all (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24548895)

Why does everybody jump on that? The article is a statement of fact. The police came by and looked, the hackers waved at them, the police waved back. Where's the criticism? It could just as well mean that the authors were delighted and found it commendable that the police did not make a fuss about an innocent site survey. Give the police some credit. Maybe they're not "trusting" but exhibiting good situational awareness?

Networks on The Strip (5, Informative)

superj711 (992784) | more than 6 years ago | (#24547057)

I don't believe this is a good test of "security" since the majority of the hotels on the Strip have multiple unsecure Wifi networks for their guests. You have to go to a launch page first before you're even allowed access, sometimes entering a code.

Re:Networks on The Strip (4, Insightful)

ghoti (60903) | more than 6 years ago | (#24547343)

Exactly. 1/3 is actually a pretty good number, and shows that the casinos are taking security seriously. Plus, I wonder how many networks they didn't even see because they weren't broadcasting their SSIDs. This whole thing seems to be much more about doing something cool and making a lot of noise than any kind of serious analysis.

Re:Networks on The Strip (3, Insightful)

Fulcrum of Evil (560260) | more than 6 years ago | (#24547393)

Broadcasting your SSID is only relevant if you have no traffic. If you have traffic, your SSID shows up anyway.

Re:Networks on The Strip (1, Informative)

Anonymous Coward | more than 6 years ago | (#24547669)

Even if you don't "broadcast the SSID", that just means you're broadcasting an empty SSID: the beacons are still there and contain all information which is necessary to uniquely identify your access point and tell if it's encrypted and how. So yes, of course those networks are going to show up in their stats.

Re:Networks on The Strip (1)

ghoti (60903) | more than 6 years ago | (#24548667)

Interesting, I didn't know that. Still, the Las Vegas Strip is one hotel after the other, they're all bound to have open WiFi for their guests. If this was in a residential area or a business park without any hotels around, 1/3 unsecured would be a completely different matter.

Re:Networks on The Strip (2, Informative)

dfn_deux (535506) | more than 6 years ago | (#24548237)

Thanks for this, I have repeated this comment hundreds of times to various people setting up their networks and yet they still seem to think that setting the essid as "hidden" is providing some small extra security, when in fact it only obscures your network for legitimate users, since anyone sniffing for networks will see it regardless of whether you have it set to broadcast or not.

Re:Networks on The Strip (2, Informative)

geekymachoman (1261484) | more than 6 years ago | (#24548749)

Depends on what software they have been 'sniffing' with.

SSID is broadcast in the 802.11 beacon frame, along with some other stuff.

So if you turn off the SSID broadcasting, you're removing the SSID info from the body of the beacon packet, so regardless of whether you have traffic or not, your AP is gonna show up (without SSID, so you will not know the name of the AP) in something more advanced than NetStumbler. Kismet for example.

This has nothing to do with traffic amount.
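The beacon behaviour described in the comments above, as an added example that is not part of any poster's comment: a Python parser for a bare 802.11 beacon, showing that a "hidden" network still exposes its BSSID and protection type to a passive survey. The frames, MAC addresses and function names are constructed for illustration, and the parser assumes any radiotap header and FCS have already been stripped.

```python
"""Added example: what a passive survey learns from one 802.11 beacon."""
import struct
from collections import Counter

WPA_VENDOR = bytes.fromhex("0050f201")  # Microsoft OUI + type 1: legacy WPA element
RSN_V1 = bytes([48, 2, 1, 0])           # minimal RSN element (ID 48, version 1)


def parse_beacon(frame: bytes) -> dict:
    """Parse a bare beacon (assumes radiotap header and FCS already stripped)."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    if frame[0] != 0x80:  # version 0, type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3
    capability, = struct.unpack_from("<H", frame, 34)    # after timestamp + interval
    ssid, rsn, wpa = None, False, False
    pos = 36                                             # tagged elements start here
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                                        # truncated element: stop
        if eid == 0 and ssid is None:
            ssid = body                                  # SSID element
        elif eid == 48:
            rsn = True                                   # RSN element => WPA2
        elif eid == 221 and body.startswith(WPA_VENDOR):
            wpa = True                                   # vendor element => WPA
        pos += 2 + elen
    # "Hidden" means the SSID element is empty or null-filled; the rest is intact.
    hidden = not (ssid or b"").strip(b"\x00")
    if not capability & 0x0010:                          # Privacy bit clear
        protection = "open"
    elif rsn:
        protection = "WPA2"
    elif wpa:
        protection = "WPA"
    else:
        protection = "WEP"
    return {"bssid": bssid, "hidden": hidden, "protection": protection,
            "ssid": "" if hidden else ssid.decode("utf-8", "replace")}


def survey(frames) -> Counter:
    """Count protection types, one entry per BSSID (beacons repeat many times)."""
    seen = {}
    for frame in frames:
        try:
            rec = parse_beacon(frame)
        except ValueError:
            continue                                     # skip non-beacon frames
        seen[rec["bssid"]] = rec["protection"]
    return Counter(seen.values())


def build_beacon(bssid: str, ssid: bytes, privacy: bool, extra: bytes = b"") -> bytes:
    """Construct a sample beacon for the demo (hypothetical helper, not a capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = (struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + mac + mac
              + struct.pack("<H", 0))
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (0x0010 if privacy else 0))
    return header + fixed + bytes([0, len(ssid)]) + ssid + extra


# Constructed sample frames using locally administered MAC addresses.
SAMPLE_FRAMES = [
    build_beacon("02:00:00:00:00:01", b"HotelGuest", privacy=False),
    build_beacon("02:00:00:00:00:02", b"", privacy=True, extra=RSN_V1),   # hidden
    build_beacon("02:00:00:00:00:03", b"\x00" * 8, privacy=True),         # hidden
    build_beacon("02:00:00:00:00:02", b"", privacy=True, extra=RSN_V1),   # repeat
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES[:3]:
        print(parse_beacon(f))
    print(dict(survey(SAMPLE_FRAMES)))
```

Both hidden networks are still counted and classified, which is why hiding the SSID does not keep an access point out of survey statistics.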

Re:Networks on The Strip (2, Informative)

espiesp (1251084) | more than 6 years ago | (#24547913)

As somebody that currently lives a block away from the Luxor and Mandalay Bay, I can accurately say that you don't have to drive far from the strip to find a very high density of wireless access points, with approximately this ratio of secured to unsecured points. Within reach of the confines of my condo I have a buffet of wide open AP.

Take the strip out of the equation and I think it's still valid.

So let's get this straight (5, Insightful)

yourpusher (161612) | more than 6 years ago | (#24547059)

If the police flip out over something we do, they're overreacting idiots that don't understand technology.

But if the police don't flip out over something we do, they're underreacting idiots who aren't keeping us safe.

Mmkay.

Re:So let's get this straight (2, Funny)

OverlordQ (264228) | more than 6 years ago | (#24547079)

If your UID wasn't so slow I'd have to say "Welcome to Slashdot, you must be new here", but now I'm rather stumped on what to say.

Re:So let's get this straight (0)

Anonymous Coward | more than 6 years ago | (#24549151)

Then why post?

Re:So let's get this straight (2, Funny)

Anonymous Coward | more than 6 years ago | (#24549155)

If your UID wasn't so slow I'd have to say "Welcome to Slashdot, you must be new here", but now I'm rather stumped on what to say.

Yea, slow UID's are terrible.

That's why I supercharged mine.

Re:So let's get this straight (0)

Anonymous Coward | more than 6 years ago | (#24547123)

I can see your point however I do not expect everyone will so allow me to preemptively provide a WHOOOOoooosh for those who are incapable of perceiving contradictions.

Re:So let's get this straight (4, Funny)

lukas84 (912874) | more than 6 years ago | (#24547129)

Police should only employ top specialists in every topic there is, so they can make a judgment on any situation on site.

That way, when somebody lies on the street and needs a heart transplant, the police can help him on-site. No special equipment needed, a chewing gum and a Swiss Army knife will do the trick.

Re:So let's get this straight (2, Interesting)

Pictish Prince (988570) | more than 6 years ago | (#24547323)

If people weren't overspecialized by the public stupefaction system police actually would be able to deal correctly with a larger number of situations. However, this is not in the interests of those who want a stupid, brutal police state.

Re:So let's get this straight (4, Insightful)

jd (1658) | more than 6 years ago | (#24547313)

You make a good point, however I guess I would ask why any rational society would expect just those two modes of operation. Neither seems that useful. Wouldn't it be more logical to expect either the police to come over and say hi, or to take a note of the registration and car details (not necessarily visibly)? A standard social engineering technique used time immemorial has been to look as though you should be somewhere. Only an idiot looks suspicious, and it's not the idiots who should concern the police the most.

In the first case, it's basic community policing 101. You don't prevent crime by looking intimidating, you prevent crime by being aware of what's happening and understanding why. The second option also works on the premise of being aware, but looks for standard social engineering practices and patterns, rather than cause-and-effect.

In neither case is flipping out a productive or useful method. It doesn't help you recognize where or when problems are likely to occur, and only helps you catch the more dysfunctional criminals who are likely causing the least of the social headaches. However, it is by far the most common method used, because it's easy. Catching competent criminals is much harder, much more expensive, and gives a police department a worse score on offenses dealt with.

Re:So let's get this straight (5, Interesting)

Drakonik (1193977) | more than 6 years ago | (#24547499)

A standard social engineering technique used time immemorial has been to look as though you should be somewhere.

Quoted for truth. Several of my teachers told my class that if we wanted to, we could just wander around the school instead of going to classes, as long as we looked like we were on an errand. I'm not sure whether I should think that it's cool that I could get past authority figures by simply acting like I know that I belong, or whether I should be scared that someone who knows how to act like they belong somewhere can generally get access to that place.

Re:So let's get this straight (1)

sumdumass (711423) | more than 6 years ago | (#24548911)

When I was in school, and I'm hoping you're talking about high school and not college, but we had hall passes. Restroom passes were wood things made of different shapes so if you were on the wrong floor or in a different corridor it was easily noticed. If you were going to get something from your locker or for the teacher or whatever, you had a hand written hall pass on an off shade of yellow paper and you were asked for it if you were seen by a monitor or another teacher going somewhere between classes. It was actually quite difficult to skip class and get away with it on school grounds. There were a few ways to do it but not many.

That was 15 years ago when we still had a gun club at school and had trap and skeet competitions. A lot of things have changed since then, some of which might be because of the changes. Of course the guns and ammo were locked up, and you didn't have either until you were in a stall or lane with about 15 rules that could end your participation if you failed to follow them. I can see getting rid of programs like that if they were to stop watching students.

Re:So let's get this straight (1)

Otter (3800) | more than 6 years ago | (#24547645)

Wouldn't it be more logical to expect either the police to come over and say hi, or to take a note of the registration and car details (not necessarily visibly)?

Indeed one might, but it would certainly result in the "overreacting idiots that don't understand technology" hysteria here that the OP suggests.

Re:So let's get this straight (1)

sumdumass (711423) | more than 6 years ago | (#24548967)

With the Dash cams and video recording in police cars nowadays, as well as the license plate recognition systems that locate a license plate and automatically runs it through the computer, it is possible that they had already "take a note of the registration and car details" and such.

If nothing came back with a flag on it, then they would have had a recording of whoever was there at that time if something happened. A little detective work after that could get anyone's identity and make sure something was done or followed up on if a law was broken or something and reported later.

Re:So let's get this straight (0)

Anonymous Coward | more than 6 years ago | (#24547377)

We are talking about Las Vegas here and as it was mentioned in the article a casino had made a complaint to the police. So one has to wonder if the old adage "what happens in Vegas, stays in Vegas" still holds true. Or if they or the police might receive "an offer they can't refuse".

Have to wonder how close the attendees at this conference are being watched and if any slot machines have been hacked yet. Lots to play with in Vegas, especially for those willing to take the risks, both the known and unknown.

Re:So let's get this straight (4, Funny)

NFN_NLN (633283) | more than 6 years ago | (#24547659)

"'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'"

The police probably one-up'd these nerds.

Popo 1: What the fudge, those guys are launching some sort of balloon, let's check it out.
Nerds: I smell bacon, let's wave to them in unison at... .5 Hz, synchronize now.
Popo 2: Wait, wtf. Is that an albino convention... no wait they're all wearing 'Defcon' T's and khaki's. Let's get out of here before they start asking us about the number of joules my tazer outputs. Speaking of which, it just finished charging and I thought I saw a crack head down that last alley. Just wave back and let's get the hell out of here.
Popo 1: I'm with you number two, switching to yellow alert, engines full reverse, Hahahaha.

Re:So let's get this straight (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24547623)

I think it's more likely that the local police know that Defcon is attended by law enforcement officials from local to international jurisdictions, intelligence analysts and operatives, the press, professional and academic security researchers, various *Hats, and finally your slightly anti-social hacker geeks. That makes it difficult for the local police to know who they can bust without suffering any career-ending consequences.

Re:So let's get this straight (2, Interesting)

Jarjarthejedi (996957) | more than 6 years ago | (#24547993)

Asking for perfection isn't a bad thing, expecting it is.

In this case, however, I don't see how the officer did anything wrong. A bunch of kids (effectively, you know how geeks get when they're doing something marginally legal with technology) hanging out in a field with a balloon...what are you going to do? I'd say they responded properly, driving in to check it out (probably called in), realizing it wasn't anything important, and making the people aware that they were there before leaving.

The Police just waved? (4, Insightful)

Meshach (578918) | more than 6 years ago | (#24547081)

What else would the Police do with that situation? Is what the people were doing illegal?

Re:The Police just waved? (5, Funny)

hoofinasia (1234460) | more than 6 years ago | (#24547229)

I don't care how big the parking lot, crowd, or equipment...
Geeks with balloons are not scary.

Re:The Police just waved? (4, Insightful)

JustinOpinion (1246824) | more than 6 years ago | (#24547233)

Agreed. The statement in the summary "...the project managed to show how trusting the local law enforcement agencies really were..." infuriates me. Police are not supposed to be harassing people left and right, trying to uncover illegal or just unsanctioned activities. The police were friendly, waved, and didn't bother to investigate something that by all rights did not look overtly illegal. They acted appropriately.

I would much prefer that law enforcement err on the side of trust and friendliness. This probably means that some fraction of illegal actions will go undetected and unpunished (note that only a small fraction of those illegal actions are truly dangerous and unethical)... but that is the 'price' of freedom.

Again, I applaud the police for not flipping out when they see people engaging in activities that they don't exactly understand (but for which there is no evidence of illegal action).

Re:The Police just waved? (1)

aiken_d (127097) | more than 6 years ago | (#24547339)

But I thought everything that wasn't compulsory was forbidden? Surely floating a balloon isn't compulsory, is it?

Re:The Police just waved? (0)

Anonymous Coward | more than 6 years ago | (#24547441)

But I thought everything that wasn't compulsory was forbidden? Surely floating a balloon isn't compulsory, is it?

It is only compulsory at the beginning of armed conflict.

Re:The Police just waved? (2, Interesting)

HiggsBison (678319) | more than 6 years ago | (#24547703)

The police were friendly, waved, and didn't bother to investigate something that by all rights did not look overtly illegal.

Anywhere else in the world it could look like a school science experiment. In Vegas, especially during Defcon, it should be assumed to be a novel approach to gaming a casino.

Re:The Police just waved? (0)

Anonymous Coward | more than 6 years ago | (#24547865)

Riiiiight.

Even if that were true, it is up to the hotel security to contact the police. I sincerely doubt the hotel wants the police harassing all its guests. Especially considering the marketing and unique events hotels/casinos use to attract guests.

Re:The Police just waved? (1)

Cheesebisquit (1324407) | more than 6 years ago | (#24548031)

Agreed. This sort of overcriticism, of assuming everyone should be omnipotent and world class experts at everything they do, is so common in the media and in many people's way of thinking. Life is hard enough! Let's give each other a break from time to time.

Re:The Police just waved? (2, Interesting)

Angelwrath (125723) | more than 6 years ago | (#24547301)

Let's also remember to mention that:

A. These people were not committing crimes.
B. The cop most likely wouldn't have the foggiest idea what they were doing.
C. Police on the street aren't the ones that track down cyber criminals, that's handled by other organizations.

Only 1/3? (2, Informative)

superid (46543) | more than 6 years ago | (#24547103)

Last weekend I made a quick 5 mile drive and found 105 systems in my average residential neighborhood. 46 were unsecured. About 25 were running WEP.

Re:Only 1/3? (4, Insightful)

chunk08 (1229574) | more than 6 years ago | (#24547153)

I live in a very small farming town. I can pick up 3 networks from my house, there are 5 in town. Mine is the only secure one (WPA2). Try to explain it to anyone else and they'll say "Why shouldn't my neighbors get on my network?"

Re:Only 1/3? (1)

remahl (698283) | more than 6 years ago | (#24547297)

Which, incidentally, is the same that Bruce Schneier says. Go figure.

Re:Only 1/3? (2, Interesting)

hahiss (696716) | more than 6 years ago | (#24547403)

Actually, he recently had a second thought about open wireless connections:

http://www.schneier.com/blog/archives/2008/08/terrorists_usin.html [schneier.com]

He didn't ultimately change his policy, but he rightly points out that "life is easier if the police don't raid your apartment."

Re:Only 1/3? (1)

YrWrstNtmr (564987) | more than 6 years ago | (#24548861)

and they'll say "Why shouldn't my neighbors get on my network?"

I trust my neighbors (mostly).
I trust their kids somewhat less.
I trust their kids' friends not at all.

Re:Only 1/3? (1)

Zadaz (950521) | more than 6 years ago | (#24547467)

I don't even have to go outside to get a large number of samples. From where I sit (in downtown San Francisco) I get 47 wireless networks, 4 of them are unencrypted. (and of those I know two require log-ins.) Or 8.5% are open.

All of this is anecdotal. When I visit my family in Rural Middleparts 100% of the wireless networks are open (1 of 1). Meanwhile in Tokyo something close to 5% or more of networks are open. If it's that high, it's impossible to find a place to connect there because everyone has data plans from their phone company.

I'd love to see some research that shows by area the level of openness and quality of encryption.

Re:Only 1/3? (1)

RabidMoose (746680) | more than 6 years ago | (#24547691)

I have to wonder how many of these "unsecured" networks are set up with MAC address filtering. My home network looks unsecured at first glance, but try getting it to hand out an IP address without being on the whitelist.

Re:Only 1/3? (4, Informative)

anagama (611277) | more than 6 years ago | (#24548207)

I'm not sure if you are making a joke, so just in case you aren't, I'll point out that MAC address filtering is no security at all. Your laptop is transmitting its MAC as part of the regular wifi transmissions so sniffing it out of the air is trivial with Kismet or Kismac. Spoofing a MAC address is trivial on Linux and Windows machines, a bit more involved to make your OS X Leopard system able to spoof but not rocket science, and apparently trivial with "spoofmac" on Tiger.

Here's an overview:

http://www.irongeek.com/i.php?page=security/changemac [irongeek.com]

For Linux, if you just want a random MAC to make yourself even more anonymous:
http://www.alobbs.com/macchanger [alobbs.com]

Similar software exists for Windows (google "windows macchanger")

Re:Only 1/3? (3, Informative)

zn0k (1082797) | more than 6 years ago | (#24548653)

Spoofing a MAC address is trivial on Linux and Windows machines, a bit more involved to make your OS X Leopard system able to spoof but not rocket science, and apparently trivial with "spoofmac" on Tiger.


bash-3.2$ uname -a
Darwin Laptop.local 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:36:17 PDT 2008; root:xnu-1228.5.20~1/RELEASE_PPC Power Macintosh
bash-3.2$ ifconfig en0|grep ether
        ether 00:11:24:d5:57:9e
bash-3.2$ sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff
Password:
bash-3.2$ ifconfig en0|grep ether
        ether aa:bb:cc:dd:ee:ff

It's trivial on OS X (Leopard and Tiger), too.

Re:Only 1/3? (1)

anagama (611277) | more than 6 years ago | (#24548775)

You're right -- I have the 9.3.0 PPC kernel and it worked fine on wired and wireless. I was under the mistaken impression you had to patch the kernel to get it to work. Maybe that was old info.

Re:Only 1/3? (1)

RabidMoose (746680) | more than 6 years ago | (#24548849)

I wasn't entirely serious. Encryption is obviously needed to prevent any sniffers from grabbing and spoofing a MAC, but I would honestly like for somebody to spoof a MAC and get onto my network. That would mean there's at least one other person in my apartment complex that knows what they're doing, and possibly a new friend. And as long as they're not from the **AA, I've got nothing to hide, and plenty to share.

Harriet Island report (1)

British (51765) | more than 6 years ago | (#24549161)

I was at Harriet Island in St. Paul, MN for the Irish fair. Whipped out the laptop, and couldn't find any unsecured AP that had more than 1% strength. ALL the other APs, all with strong signals are secured. Kinda pissed me off as I wanted to check my email.

Warballoon (1)

4D6963 (933028) | more than 6 years ago | (#24547151)

Hill suspects that local authorities might have been spooked by the fact that he called his device a warballoon.

A slight name change sounds necessary then.. How does waterballoon sound?

That's it? (1)

andreyvul (1176115) | more than 6 years ago | (#24547165)

Only 1/3 of (wireless) networks are unsecured? Well then, how am I supposed to connect my DS to the network in order to download torrents to my R4 (via DSLinux)?

Unsecured networks can be a big security risk (-1)

CrazyJim1 (809850) | more than 6 years ago | (#24547219)

It's cool if you don't know how this impacts any nation's security. The event that would get everyone worried about unsecured networks hasn't happened. And hopefully it doesn't happen. I'd tell you what the event is, but I don't want to give anyone ideas. Some things are best not spoken.

Re:Unsecured networks can be a big security risk (0)

Anonymous Coward | more than 6 years ago | (#24547289)

FUD. Computer networks are means of communication, no more, no less. Where communication is a bad thing, freedom of speech dies.

Open by choice? (5, Interesting)

ishmalius (153450) | more than 6 years ago | (#24547221)

Don't assume people's motives for having an open AP. Rather than security ignorance, altruism is a perfectly good reason to turn off WEP and WPA.

Re:Open by choice? (1)

the_skywise (189793) | more than 6 years ago | (#24547397)

Especially given that there was a hacking convention going on in town (who might be more inclined to believe in free wireless for all?)

Re:Open by choice? (4, Interesting)

dwater (72834) | more than 6 years ago | (#24547515)

I do.

There's even an organisation around where I live/work that promotes it. It's called wippies :

http://www.wippies.com/www.phtml [wippies.com]

For a free year long commitment, they will send you a free wifi router that will run a second wifi network 'on the side' for other subscribers to use when they're away from home. There's a google map of coverage somewhere on their site, but I can't find it right away...

Re:Open by choice? (1)

TeknoHog (164938) | more than 6 years ago | (#24548279)

I'm also a member of Wippies, but there's nothing altruistic about this subscribers-only network. Then again, I'm wary of keeping a truly open AP, because of the illegal uses that might be traced back to me.

Re:Open by choice? (2, Interesting)

dugenou (850340) | more than 6 years ago | (#24548455)

How similar is this to FON [fon.com] ?

Re:Open by choice? (0)

Anonymous Coward | more than 6 years ago | (#24549027)

http://www.wippies.com/map.phtml

Re:Open by choice? (0)

Anonymous Coward | more than 6 years ago | (#24548755)

I open up my wireless to see if some fool will use it to log into his gmail account. I then use it for spamming.

And what did you want the police to do? (4, Insightful)

the_skywise (189793) | more than 6 years ago | (#24547237)

In addition to that, the project managed to show how trusting the local law enforcement agencies really were: 'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'"

Oh now they're too trusting?!

What do you want?!

Should they have played hardball and interrogated them, maybe arrested them and confiscated their equipment until they could ascertain they were safe so you could have a post about "out of control" law enforcement again?

Perhaps they should've called out the bomb squads ala the Mooninites bomb scare? [wikipedia.org]

I, for one, vastly prefer this response.

I see a new sport coming on (0)

deepgrey (1246108) | more than 6 years ago | (#24547261)

Warballooning! Heck yes.

Just following Schneier's advice... (0)

consumer (9588) | more than 6 years ago | (#24547305)

Re:Just following Schneier's advice... (1)

db32 (862117) | more than 6 years ago | (#24547471)

I have thought about opening mine up, but the problem is that all of my desktop machines are wireless and I have the thing configured to only accept configuration stuff on the wired interface. As a result I have used the same old WEP key for the better part of 6 years.

I'm a bit lazy about my wireless for the same reasons he argues to open one.

Re:Just following Schneier's advice... (1)

topham (32406) | more than 6 years ago | (#24548553)

The difference is, when he hires his $1000/hr lawyer to defend him from accusations of transmitting child porn, because someone uses his wifi, his reputation as a security researcher will give him a lot of credibility in his opinions.

you and me? not so much. we'd get stuck proving it wasn't us, in spite of the general case of 'innocent before guilty'. by the way, your name would already be in the local paper as being involved in child pornography, your name would be attached to sex-offender lists and you would lose your job and possibly be driven out of your neighborhood by your neighbors. all that before 2 months goes by and you actually even get a hearing.

have fun.

police just can't win, can they? (1)

speedtux (1307149) | more than 6 years ago | (#24547317)

'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off

If they hadn't, then there would have been a story about how intrusive and incompetent the police were.

The police did the right thing: they judged correctly that there was no imminent danger and drove on. It isn't their job to try to find economic or computer hacking crimes-in-progress, and they have neither the equipment nor the training to do that. And they were smart enough to see that a bunch of geeks playing with balloons are not terrorists.

Re:police just can't win, can they? (1)

Fulcrum of Evil (560260) | more than 6 years ago | (#24547427)

Or they could have questioned the people in the parking lot - something simple that at least shows them making an effort (and making it harder for the blackhats to boot).

Re:police just can't win, can they? (0)

Anonymous Coward | more than 6 years ago | (#24547501)

...and then watch as everyone on /. cries out, "Police state!"

So what's wrong with that? (0)

Anonymous Coward | more than 6 years ago | (#24547329)

I have no problems with the results of that report.

Sounds good (3, Insightful)

Irongeek_ADC (903018) | more than 6 years ago | (#24547357)

Actually, only 1/3 insecure sounds like a great improvement over just a few years ago.

Re:Sounds good (1)

Miasik.Net (599777) | more than 6 years ago | (#24547901)

Actually, only 1/3 insecure sounds like a great improvement over just a few years ago.

What kind of improvement is that? Less networks to connect to when you are in need? Does it really sound good to you?

Re:Sounds good (1)

legirons (809082) | more than 6 years ago | (#24548707)

only 1/3 are operating a public amenity, and you think that's an "improvement"?!?

Not 'Unsecured'. It's 'Open System' (4, Insightful)

TechyImmigrant (175943) | more than 6 years ago | (#24547367)

802.11 APs that people refer to as being 'unsecured' are in fact broadcasting a beacon declaring them to be 'Open System'. It is right there in the spec, section 8.2.2.2 .

'Open System' means exactly that. Come on in. We're open.

This is a good thing. I don't secure my wireless LAN. I secure my computers. If people want to borrow a bit of my bandwidth, go right ahead. My neighbor does it all the time when he can't get his crappy cable internet to work.

This should be encouraged. Call them 'Open' and call it a good thing.

Re:Not 'Unsecured'. It's 'Open System' (0)

Anonymous Coward | more than 6 years ago | (#24548167)

Ditto. Occasionally a neighborhood realtor finds my network useful to check his email. My SSID is "FreeAccess".

Re:Not 'Unsecured'. It's 'Open System' (0)

Anonymous Coward | more than 6 years ago | (#24548721)

As the IT person at a small to mid size company we have a management backed policy. Broadcast an open guest SSID in the conference rooms and in the break/lunch areas. This way any vendors or employees with their own laptops can use the internet. Sorry, the SSID is on a separate VLAN that terminates in our DMZ. It can only access the internet and uses a DNS server that is not on our network.
If they cannot get their machines on the wireless network, all of my network jacks in conference rooms and break rooms are on the guest VLAN.

If an employee wants to access company resources they will need to come by the help desk and we will install a certificate onto their company owned laptop.
Management backs us up 100% that we will not allow laptops on the corporate network unless they are owned and imaged by the company.

geeks are bringing us the police state (5, Interesting)

speedtux (1307149) | more than 6 years ago | (#24547401)

Are there really people stupid enough to think that awareness of security holes is something new? Every major piece of infrastructure over the last century has had major security holes. But rather than gleefully exploiting and exposing them for personal fame and fortune, the people who figured it out just shut up about them. Why? Because they understood that fixing those holes would be costly and intrusive, and it would ultimately still not make the system really safe.

So, if you enjoy body cavity searches, universal surveillance cameras, automated defense systems, and dealing with proprietary and intrusive access controls everywhere you go electronically or physically, then go ahead and keep wardriving and warballooning and defconning.

Just be aware that it is your actions that are bringing us the police state, because once a bunch of geeks stands up and says "hey, your infrastructure isn't secure and we are at risk", then politicians and lawmakers have to act.

Re:geeks are bringing us the police state (1)

twistah (194990) | more than 6 years ago | (#24547813)

You're right, let's all shut up and stop defconning, this way the bad guys won't know how to do bad things and the government will have no right to intrude on our civil liberties, because they only do so when those damn geeks make up some threat about insecure networks and credit cards being stolen and all that other stuff that won't really happen. Really guys you should know better. Can we get this Slashdot thing shut down already?

Re:geeks are bringing us the police state (0)

speedtux (1307149) | more than 6 years ago | (#24548567)

because they only do so when those damn geeks make up some threat about insecure networks and credit cards being stolen and all that other stuff that won't really happen

As I was saying: there are plenty of flaws in networks, software, and protocols. But only a complete moron would think that the right way of dealing with them is to publicize those flaws widely.

You're right, let's all shut up and stop defconning,

How stupid do you have to be to see that DEF CON isn't improving security? DEF CON has been exposing security problems for 15 years, and things have gotten steadily worse. It's not working. The assumption that if you expose security holes, people will fix them and things will improve clearly is wrong.

wow (0, Flamebait)

dodgedodge (166122) | more than 6 years ago | (#24547407)

1/3 of wireless networks are not secured? wow. anyone with netstumbler could figure that out in 5 minutes of driving around.

cops just waved (0)

Anonymous Coward | more than 6 years ago | (#24547425)

That's the most pathetic complaint I've heard in a very long time. Go to North Korea, assholes, you can get your police state fix there.

Re:cops just waved (4, Funny)

couchslug (175151) | more than 6 years ago | (#24547541)

"That's the most pathetic complaint I've heard in a very long time. Go to North Korea, assholes, you can get your police state fix there."

That would be no fun without good connectivity. What good is a police state if I can't rant about it online?

Re:cops just waved (0)

Anonymous Coward | more than 6 years ago | (#24548357)

HAHAHA i just found my new sig

"What good is a police state if I can't rant about it online?"

Re:cops just waved (0)

Anonymous Coward | more than 6 years ago | (#24548701)

wtf are you talking about? Korea has more fiber backbone than the US. It's government funded, much like land lines and telephone poles are here. I know a few Korean gamers as well after playing gunz online a bit. Like the #1 fps I bet even more hacked/modded than quake.

A duh... (1)

WwWonka (545303) | more than 6 years ago | (#24547459)

a third unsecured in a busy metropolitan area? Nooooooooo. I think this article is full of hot air.

Why shouldn't they be? (2, Insightful)

ScrewMaster (602015) | more than 6 years ago | (#24547671)

In addition to that, the project managed to show how trusting the local law enforcement agencies really were.

Why shouldn't they be? Why should people out in the open with laptops automatically be assumed to be criminals? No matter what they were doing, odds are the cops wouldn't have the technical knowledge to make a proper judgment anyway. Suppose these guys really were up to no good, and the cops questioned them about it. "We're just playing some network video games officer."

Or is the use of a portable computer in public now considered criminal behavior?

solution to problem (1, Insightful)

transporter_ii (986545) | more than 6 years ago | (#24547699)

Log into their routers and turn the security on for them.

You know 98% of those unsecured APs also had the default password, right?

But seriously, is it now illegal to scan for networks to see how many are unencrypted???

I would say the only hint of anything illegal would be if they logged on to the networks. But even that shouldn't get the police to come and beat you.

Transporter_ii

"Unsecured" does not mean wide open.. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24547705)

Just because there is no WEP/WPA running, it does not mean the network is insecure or wide open - did they actually bother to test this, or are they calling these scores simply based on the presence or lack of WEP/WPA? There are plenty of solutions sitting on channels that are unencrypted on link-level, like f.e. a simple VPN tunnel, or an authoritative gateway.

Re:"Unsecured" does not mean wide open.. (1)

xrayspx (13127) | more than 6 years ago | (#24549007)

"Unsecured" doesn't mean "Unauthenticated", but you can still sit there and listen without authenticating and being able to browse. The hotels do not establish secure tunnels to each client at authentication, for instance.

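Added example, not part of any comment in this thread: how a listen-only survey labels a network "open" or encrypted from the beacon alone (Privacy bit plus RSN/WPA elements), which is why such a count cannot see a VPN or gateway sitting behind an open SSID. The sample beacons and the `make_beacon` helper are constructed for illustration, not captured traffic.

```python
import struct

PRIVACY_BIT = 0x0010                      # Capability Information, bit 4
EID_SSID, EID_RSN, EID_VENDOR = 0, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # Microsoft OUI + type 1 marks the WPA element

def parse_elements(data):
    """Yield (element_id, payload) pairs; stop cleanly on a truncated element."""
    i = 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) < length:
            break
        yield eid, payload
        i += 2 + length

def classify_beacon(body):
    """Classify a beacon frame body (the bytes after the 24-byte MAC header)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its 12 fixed bytes")
    _timestamp, _interval, capability = struct.unpack_from("<QHH", body)
    ssid, has_rsn, has_wpa = "", False, False
    for eid, payload in parse_elements(body[12:]):
        if eid == EID_SSID:
            ssid = payload.decode("utf-8", "replace")
        elif eid == EID_RSN:
            has_rsn = True
        elif eid == EID_VENDOR and payload.startswith(WPA_OUI_TYPE):
            has_wpa = True
    if not capability & PRIVACY_BIT:
        return ssid, "open"               # says nothing about what sits behind the AP
    if has_rsn:
        return ssid, "WPA2 (RSN)"
    return ssid, "WPA" if has_wpa else "WEP"

def make_beacon(ssid, capability, extra=b""):
    """Build a constructed beacon body for the demo."""
    name = ssid.encode()
    fixed = struct.pack("<QHH", 0, 100, capability)
    return fixed + bytes([EID_SSID, len(name)]) + name + extra

SAMPLES = [  # constructed inputs
    make_beacon("FreeAccess", 0x0001),                         # ESS bit only
    make_beacon("legacy", 0x0011),                             # Privacy bit, no RSN/WPA
    make_beacon("office", 0x0011, bytes([EID_RSN, 2, 1, 0])),  # RSN element, version only
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_beacon(sample))
```
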
Please explain... (0)

Anonymous Coward | more than 6 years ago | (#24547749)

why is this article not tagged "free internet!"?

unsecured ? (0)

Anonymous Coward | more than 6 years ago | (#24547755)

what do they mean by unsecured? my wireless network (open) doesn't reach outside my property, I have tested it, my dog is big and noisy and I'm heavily armed and have a bad temper.

Re:unsecured ? (1)

xrayspx (13127) | more than 6 years ago | (#24548871)

Did you test it with a high gain directional antenna? Team Tenacity tested a 7.5 mile radius around their "plan B" location, which included the entire LV strip.

The most entertaining part was when the cop car showed up, they all waved at the cops, and the cop car drove away. Had the intent been bi-directional communication, it would have been kind of hard without a much more stable platform, I'd imagine. But even in a listen-only Kismet setup, 170 networks, 1/3 of which are open is pretty significant.

ONLY 33.3%? (1)

dkarma (985926) | more than 6 years ago | (#24547797)

When I began getting interested in wifi and wardriving most of the books I read indicated that usually about 70% of wifi routers were unsecured. I found typically 40-60% of wifi signals reachable from the road were unencrypted.

Tempest in a Teapot (4, Insightful)

mschuyler (197441) | more than 6 years ago | (#24547989)

You say that like it's a bad thing. Most WiFi networks are of such low power to render them effectively useless beyond a few feet of the origin of the signal. In my neighborhood with houses on half-acre to acre lots I can detect half a dozen networks. A couple are 'insecure,' but the signal is one bar in strength. Besides, I'm detecting them with my own network, so why do I want to 'steal' their bandwidth? Mine is faster. There aren't many people who want to cruise the neighborhood looking for unsecured signals so they can use their laptop in the privacy of their own automobile to surf the net. How uncomfortable is that? I surf with my feet propped up, a beer on the table, and the dog curled up at my feet.

Then there are those networks that are intentionally unsecured. The local library has a router intentionally pointed at the parking lot (Gasp!) In the downtown area every hotel is within range of an unsecured network. They even have a placard that tells you how to connect--free!

Sure, there are probably guys into taking advantage of you if your network is unsecured. Perhaps the issue is more prevalent in an apartment house or a dorm than single family residences, but I think this is more of a theoretical issue than a practical one. You can hypothesize your way to wild conclusions, but in the end, is this REALLY a serious problem?

Re:Tempest in a Teapot (2, Insightful)

xrayspx (13127) | more than 6 years ago | (#24548985)

If you aimed a better antenna at your neighbor's house, it would be easy to sniff all their traffic. Now let's say that you're not the well meaning, keep to yourself kind of guy that I'm sure you are, but that you're intent on identity theft or stealing personal or business data. The fact that you can see 1/2 dozen unsecured networks from your house means you live in a pretty target-rich environment. How many of your neighbors might use the same password for AIM or Myspace that they use for Bank of America, or their local login password?

The attacker wouldn't necessarily own a house in your neighborhood either. Maybe they rented a van? Maybe one of your neighbors is in a position at work that puts them in touch with sensitive data, and someone follows them home? Or, maybe someone launches a balloon 4 or 5 miles away and collects everything scattershot for a couple of hours, then hones in on those interesting locations in a car. As unlikely as those scenarios are, why not just click the damn "WPA2" radio button on the stupid gui and make yourself a somewhat harder target?

And the only question remaining... (5, Funny)

ladybugfi (110420) | more than 6 years ago | (#24548069)

...was Cory Doctorow in the balloon blogging? http://xkcd.com/239/ [xkcd.com]

Easier Way (0)

Anonymous Coward | more than 6 years ago | (#24548131)

Wouldn't it be easier just to hire a private pilot?

You could cover exactly the area you want, wouldn't risk losing your gear, and wouldn't run afoul of any airspace restrictions (ie if you lost your balloon near the airport.)

DHS has been informed . . . (0)

Anonymous Coward | more than 6 years ago | (#24548527)

'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'

Expect a knock on your door, terrorist sympathizer scum!

How can we Feel Safe (tm) if we have police like this patrolling the streets of our most beautiful and American cities? The terrorist El Hilanizteum should have been maced and beaten and taken into custody as per DHS Secret Directive USA17-76.

What's this country coming to?

"It's no paranoia when they're really after you." -- H. Ross Perot

Socially Engineering the Police (2, Insightful)

istartedi (132515) | more than 6 years ago | (#24548751)

They were cool and casual, and did not run from the cops. If they had stared at the cruiser with that "OMG, we're busted" look, or even worse, run away; there might have been trouble. You hear stories like this all the time--the guy who gets pulled over for a warning about going 10 miles over the limit, and he's cool and the cop never finds out he's got joints in the glovebox. Then, on the other side there's the guy who's initially done nothing wrong and ends up getting his whole car searched by dogs, and getting detained for an hour just because he acted suspiciously.
