×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Queensland Police to Look For Unsecured WiFi Spots

samzenpus posted more than 2 years ago | from the going-down-under-cover dept.

Australia 255

OzPeter writes "As a part of National Consumer Fraud week, the Queensland Police are going war driving in order to identify insecure WiFi setups. From the press release: 'The War Driving Project involves police conducting proactive patrols of residential and commercial areas to identify unprotected connections. Police will follow this up with a letterbox drop in the targeted area with information on how to effectively secure your connection.' While some people may like having an open WiFi AP its interesting to see that the Police also feel that 'Having WEP encryption is like using a closed screen door as your sole means of security at home. The WPA or WPA2 security encryption is certainly what we would recommend as it offers a high degree of protection.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

255 comments

How times have changed (4, Interesting)

Aaron B Lingwood (1288412) | more than 2 years ago | (#39448325)

Merely 15 years ago I was doing the exact same thing and have been, on umpteen occasions, questioned, detained, given a 'move on' notice or just generally harassed.

Re:How times have changed (4, Insightful)

davester666 (731373) | about 2 years ago | (#39448407)

Being able to flash a badge lets you get away with murder...why would wardriving be on the do-not-do list?

It's Basic Infrastructure (5, Interesting)

mdm42 (244204) | more than 2 years ago | (#39448337)

I have an open Wifi setup. My attitude is that connectivity has become basic infrastructure, and all "lock it down" freaks have just bought into the agenda of ISPs who don't want us to share bandwidth to boost their own profits.

If you're a guest in my home, you're welcome to use the bandwidth, along with the lights and water. Can you imagine visitig a friend only to be told, "Look, here's the PIN code to unlock the lights, and here's the key in case you want to wash your hands." Ridiculous. I accept that there's a risk of someone lurking in their car outside the property boundary to leech off my internet connection, but there's a risk of someone stealing water from my outside, unprotected taps, too. OTOH, if bandwidth were shared freely everywhere there'd be no need to sneak around "stealing" it, would there?

It's the 21st Century, man. Get over it!

Re:It's Basic Infrastructure (3, Insightful)

Anonymous Coward | more than 2 years ago | (#39448367)

I'd be more worried about an identity thief stealing data than a passerby leeching bandwidth. Easier to just wall it off. FWIW, we just post the password on the fridge, so our actual guests can use it if they want.

Re:It's Basic Infrastructure (5, Interesting)

hawkinspeter (831501) | about 2 years ago | (#39448635)

What I do is use a WPA2 network that all my devices use and an open network for guests to use that is firewalled from accessing the other network. That gives me the best of both worlds.

My attitude is that if I'm out and about and want to get WIFI, I'd like other people to provide open guest networks, so it makes sense for me to provide one for other people to use.

Re:It's Basic Infrastructure (0)

Anonymous Coward | about 2 years ago | (#39448911)

How do you do this? Would you please be kind enough to explain or point me to a tutorial on how this is done? Thank you for your time and effort.

Cheers!

Re:It's Basic Infrastructure (4, Informative)

Stalks (802193) | about 2 years ago | (#39449033)

A linux box, iptables experience and a couple of WiFi cards/AP would be ideal, however there is an easier way..

Your ADSL/Cable router plugged into your ISP offers unprotected WiFi.

Buy another cable router and plug it into the above router offering protected WiFi behind its own NAT/Firewall.

Internet <--> ROUTER <--> ROUTER <--> LAN

Re:It's Basic Infrastructure (1)

N!k0N (883435) | about 2 years ago | (#39449053)

A linux box, iptables experience and a couple of WiFi cards/AP would be ideal, however there is an easier way..

Your ADSL/Cable router plugged into your ISP offers unprotected WiFi.

Buy another cable router and plug it into the above router offering protected WiFi behind its own NAT/Firewall.

Internet <--> ROUTER <--> ROUTER <--> LAN

yep, pretty much this. Just takes a little fighting to get things playing nice (i.e. tomato/ddwrt ... but you were gonna do that anyway, right?) Only thing you have to do then is make sure your devices aren't on the public one. Granted, it's also a good idea to limit the public ap, so people can't saturate your connection...

Re:It's Basic Infrastructure (1)

Anonymous Coward | about 2 years ago | (#39448659)

Or someone using your connection for downloading illegal content (pirating DVDs, music etc, or worse things such as child pornography) completely anonymously because when they track you down they find you not the guy in the car outside.

Re:It's Basic Infrastructure (1)

Anonymous Coward | more than 2 years ago | (#39448375)

I have an open Wifi setup. My attitude is that connectivity has become basic infrastructure, and all "lock it down" freaks have just bought into the agenda of ISPs who don't want us to share bandwidth to boost their own profits.

As I have previously pointed out, this approach has the additional benefit that, should you be accused of any criminal wrongdoing based on where your IP address, you can more easily raise a reasonable doubt that it was you who left the tracks. I'm not saying that leaving your WiFi open is going to get you off the hook, but the more you lock down your modem, the easier you make it for a potential prosecutor to pin the wrap on you

Re:It's Basic Infrastructure (3, Interesting)

Anonymous Coward | about 2 years ago | (#39448399)

Fon router project allows this.
you share 10% of your bandwidth on the open guest SSID, which is on a separate WLAN from yours.
Good if you have couch surfers stay allot too.

I agree that everyone locking down their wifi is just get sucked into the fear mentality. If all routers shared a small amount of their bandwidth you would not need to use GSM, and could make calls from almost anywhere using Viber for example or another SIP like service.
The mobile phone companies would also be forced to provide a better service because there was another alternative available when your mobile.

It maybe also be that the opens source routers like Tomatos USB offer multiple SSID's

Ged

Re:It's Basic Infrastructure (1)

Anonymous Coward | about 2 years ago | (#39448841)

As I have previously pointed out,

Bruce Schneier has pointed out, you mean....

this approach has the additional benefit that, should you be accused of any criminal wrongdoing based on where your IP address, you can more easily raise a reasonable doubt that it was you who left the tracks.

Yes, you can... as part of your legal defense at your trial.
Reasonable Doubt is what a Jury has to overcome to convict you. Reasonable Suspicion is all the cops need to get a warrant... and if your wifi is open that's a good enough reason to kick down your door without asking questions at 3AM and confiscate all your gear.

A guy like Bruce would get a polite request, maybe a phone call or an email, from the cops to send them copies of all his security logs, so that they could catch whoever used his open wifi.

Besides, Bruce also said the rest of your network should already be secured. In which case, the wifi security is weak enough to not be worth wasting time over since your existing multi-layered model takes care of everything already.

Re:It's Basic Infrastructure (1)

Anonymous Coward | about 2 years ago | (#39449009)

Bruce Schneier has pointed out, you mean...

No I meant me, right here on Slashdot a year or two ago. I doubt I was the first, nor will I be the last.

Reasonable Doubt is what a Jury has to overcome to convict you.

Thanks for that dude, but I kinda picked that up at law school. ;)

Reasonable Suspicion is all the cops need to get a warrant... and if your wifi is open that's a good enough reason to kick down your door without asking questions at 3AM and confiscate all your gear.

In your jurisdiction perhaps, but in mine (not QLD but close) a warrant won't issue merely on the basis of an open WiFi, there needs to be reasonable grounds to suspect an offence has been committed. Or did you mean, already holding the warrant, they will kick your door down because your WiFi is open? That too is unlikely. Having secured the warrant, the state of your WiFi is pretty much immaterial to how they will go about executing it. It goes without saying that if you have incriminating data on your gear, leaving your WiFi open pretty much useless.

A guy like Bruce would get a polite request, maybe a phone call or an email, from the cops to send them copies of all his security logs, so that they could catch whoever used his open wifi.

Which, of course, he would refuse.

Re:It's Basic Infrastructure (2)

gl4ss (559668) | about 2 years ago | (#39448463)

I have an open Wifi setup. My attitude is that connectivity has become basic infrastructure, and all "lock it down" freaks have just bought into the agenda of ISPs who don't want us to share bandwidth to boost their own profits.

that's the problem when the wide area wireless isp's and local cabled isp's are the same entity.

Re:It's Basic Infrastructure (3, Interesting)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448465)

My attitude is that connectivity has become basic infrastructure

I concur. I would like to see connections open everywhere with the option of limited surfing as Guest (should the host feel generous) or having to authenticate to my ISP (or the NBN or some central authority/network) through this random open connection, and have all usage billed to my account.

Re:It's Basic Infrastructure (2, Interesting)

Anonymous Coward | about 2 years ago | (#39449027)

Me too. And that's why I think what the Queensland police is doing is sort of OK. I don't want to use someone's Wifi if the they don't mean to leave it open. My stance is that an open network is open to everyone, practically, legally and morally, because it uses a public resource, advertises itself as open and in no way gives any indication that it is not meant to be open, even though that is trivially easy to do. People who don't want strangers on their Wifi should turn on encryption, and if that's what the police tells them, then I'm fine with it. I have a hunch that the police will do quite a bit of fearmongering on top of that, and that's not OK. But I don't want to step on people's toes when I use someone else's Wifi, so if you don't want me there, put up the virtual fence.

Re:It's Basic Infrastructure (0)

Anonymous Coward | about 2 years ago | (#39448479)

I'd be worried more about the fact everything you send over wireless may not be encrypted...

Re:It's Basic Infrastructure (2)

Chrisq (894406) | about 2 years ago | (#39448639)

I'd be worried more about the fact everything you send over wireless may not be encrypted...

But all the important stuff is over SSL/TLS anyway

Re:It's Basic Infrastructure (4, Informative)

hawkinspeter (831501) | about 2 years ago | (#39448645)

Use HTTPS Everywhere https://www.eff.org/https-everywhere/> and make sure that any confidential data is over https and then it doesn't matter that the WIFI is un-encrypted.

Re:It's Basic Infrastructure (0)

Anonymous Coward | about 2 years ago | (#39448547)

And then you get arrested because you IP was linked to downloading child porn. Have fun!

Re:It's Basic Infrastructure (2, Insightful)

Anonymous Coward | about 2 years ago | (#39448601)

Unfortunately the ISP cartel in Australia charge like wounded bulls and most (all?) plans are capped, so if your neighbour decides they like your connection you can burn your plan with ease.

Guests in my home are also welcome to use my WiFi - let me type the password in for you.....In the same way I give them the spare key and travel pass.

Re:It's Basic Infrastructure (0)

Anonymous Coward | about 2 years ago | (#39448771)

Meh, you may complain about the "ISP cartel" in Australia but it is miles ahead of the crap they have in the USA. Not all plans are capped but unless you are on wireless broadband, most just throttle once you hit your cap rather then charge massive overage fees. All plans must clearly state the data limits that you have too.

    My current plan through TPG is ADSL2+ over Telstra's network which costs me $60 per month for 100gb/100gb. I get the maximum speed which my modem will connect at. If I were in a TPG owned DSLAM coverage area then I could get it cheaper or more data.

Re:It's Basic Infrastructure (1)

Errtu76 (776778) | about 2 years ago | (#39448631)

Exactly!

Mine is encrypted though with 'acomplicatedpassword' which is very easy to type so I never get the odd looks I get whenever someone asks me for the passphrase.

Re:It's Basic Infrastructure (4, Insightful)

mvar (1386987) | about 2 years ago | (#39448689)

You should be more worried if someone uses your WiFi internet connection to do something illegal. Next moment the cops will be raiding your house, seizing all your hard drives for further examination, while you go through all the hell of the legal process attempting to prove that you are not an elephant. No thanks, if a guest wants to access my wifi he should ask for the password and take the extra 30 seconds needed to type it in.

Re:It's Basic Infrastructure (4, Interesting)

im_thatoneguy (819432) | about 2 years ago | (#39448693)

I have an open Wifi setup. My attitude is that connectivity has become basic infrastructure, and all "lock it down" freaks have just bought into the agenda of ISPs who don't want us to share bandwidth to boost their own profits.

Screw the ISP I don't want my cheap-ass neighbors slowing my Netflix down to a crawl while they download 10 seasons of some anime shit.

If we all "had internet" and people stuck to HTTP web traffic I wouldn't care. But I've had roomates before--hell I have myself as a roomate and I know that my internet is not big enough for the both of me from time-to-time let alone neighbors.

If I had a gig-e pipe they could be free to do as they please but I don't pay for my apartment building's electric bill, I pay for mine. And based on the fact that I can't even leave my laundry detergent on my little spot of shelf in my apartment building without it being used up in a couple weeks (and 2 loads of laundry from me) I know if they could secretly plug their water into my tap they would.

If I'm playing TF2 I expect there to be 0 torrenting and streaming on my connection so that my pings stay reasonable. It's bad enough knowing if one of my computers found an 'interesting' RSS feed let alone having two moochie neighbors.

Re:It's Basic Infrastructure (0, Flamebait)

Anonymous Coward | about 2 years ago | (#39448743)

I have an open Wifi setup. My attitude is that connectivity has become basic infrastructure, and all "lock it down" freaks have just bought into the agenda of ISPs who don't want us to share bandwidth to boost their own profits.

If you're a guest in my home, you're welcome to use the bandwidth, along with the lights and water. Can you imagine visitig a friend only to be told, "Look, here's the PIN code to unlock the lights, and here's the key in case you want to wash your hands." Ridiculous. I accept that there's a risk of someone lurking in their car outside the property boundary to leech off my internet connection, but there's a risk of someone stealing water from my outside, unprotected taps, too. OTOH, if bandwidth were shared freely everywhere there'd be no need to sneak around "stealing" it, would there?

It's the 21st Century, man. Get over it!

Sweet, where do you live? I need to download some child porn, DDOS several government and military sites, setup a proxy relay, upload some Al Quada training manuals, run a password guesser against a few banking sites, and email out some death threats. Your connection sounds like it will do the trick quite nicely.
Secure your network and stow that "Bandwidth is freeee maaaaaan" garbage. It's not free, it takes resources to provide, and fewer people paying means less bandwidth being added to the infrastructure.

I personally don't secure my wireless, because the only way out of my local network is through a secured tunnel which uses much more robust security than anything the wifi standards employ. So the cops are welcome to tell me how insecure my wifi is, and root around my honeypot all they want, but nobody is going to get to actually do anything useful.

Re:It's Basic Infrastructure (1, Informative)

VortexCortex (1117377) | about 2 years ago | (#39448773)

I have an open Wifi setup

I have a SSL Strip and other ARP Poisoning MITM Attacks. What's your home address?
Do you ever buy anything online? Would you like any script-kiddie to see AND MANIPULATE everything you do online?

Here's some advice for you ignorant folk who insist on leaving their WIFI insecure: Turn on WPA. This defeats ARP Poisoning via per client encryption keys. WAIT! Hold your uneducated retorts for just a second: Set the password to "Welcome" and the SSID to "Password is Welcome". You can stencil "Our WIFI password is 'Welcome'." on a sign in the yard if needed, but the SSID broadcast should be more than enough. Get the teenager down the street to configure your network if you don't know how to RTFM and configure the router.

Take the time to share free WIFI the right way, or not at all.

Re:It's Basic Infrastructure (1)

Anonymous Coward | about 2 years ago | (#39449087)

That doesn't help at all. A shared secret can only prevent shenanigans if it is kept secret among trusted entities. A public secret isn't a secret and can therefore not be used for authentication. An attacker could set up a relay mimicking your access point and do all the packet mangling they want.

If you wanted to do this right, you'd have to set up public key cryptography based access point authentication. There is no easy and free way of doing this though.

People who use some random stranger's network should always consider the network hostile. The attacker might not be the neighbor's kid who exploits people who use your access point. The attacker might be you, who provides the access point.

Re:It's Basic Infrastructure (1)

BurningFeetMan (991589) | about 2 years ago | (#39448829)

You obviously don't have a bus stop outside of your house! Waiting for the bus is great when you've still got one bar of reception from your home wifi. ;)

Re:It's Basic Infrastructure (1)

cmdr_tofu (826352) | about 2 years ago | (#39449091)

Not that i've rtfad or anything but i think isps in au and nz have metered charge systems. so if a neighbor uses your bw, you pay. They have every incentive to use your bw instead of their own (raising your bill).

Here in usa, i have no security on my wifi either, but it only grants access to my lan. To use the internet, openvpn is required. I usually relax that for guests as i cannot support every client.

Accountability (5, Insightful)

rwa2 (4391) | more than 2 years ago | (#39448347)

Plus, it's easier for them to book you for thought crimes they catch you committing via their IP taps. They'll have none of that "but my wifi is open -- it could have been anyone" defense. That won't work for you, sir, you'll be held accountable for whatever flows through your pipes!

Re:Accountability (2)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448429)

Including Simpsons porn [qt.com.au]

Re:Accountability (1)

georgeaperkins (1715602) | about 2 years ago | (#39448545)

Gosh is that Simpsons thing a joke? Had to check the calender that its not 1st April yet. How ridiculous

Re:Accountability (2)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448617)

Gosh is that Simpsons thing a joke?

No joke. Photos of small-breasted woman, regardless of age, is also considered child-porn.

Re:Accountability (1)

dbIII (701233) | about 2 years ago | (#39448705)

That was another Conroy (Australian Communications Minister) brainfart that luckily never made it into law. Business as usual from the man that said there was a Lesbian Cabal plotting to halt the national broadband network. If it had made it into law as proposed a "jailbait" photo could have been of a merely topless woman over 40. Such a thing has no place in a nation where breastfeeding in public is still accepted and not a crime and would even be insane in a place still upset over an exposed nipple at the Superbowl.

Re:Accountability (1)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448711)

That was another Conroy (Australian Communications Minister) brainfart that luckily never made it into law.

/me breathes a sigh of relief

Re:Accountability (2)

NoMaster (142776) | about 2 years ago | (#39448755)

No joke. Photos of small-breasted woman, regardless of age, is also considered child-porn.

Bullshit. [somebodyth...ildren.com]

As to the actual story, the police already wander around public car parks checking to see if you've secured your car, and leave a flyer under the wiper. If the car is secure they tick the "Congratulations!" box; if not, they tick a box describing why your car is insecure. A quick Google tells me that this is also fairly common in the Good Ol' US of A.

Don't see anybody complaining about that, though. Apparently, the police knowing that somebody within a street or two has an open WiFi AP is worse than them physically touching your property and potentially building a database of who habitually doesn't lock their cars...

Re:Accountability (1)

houghi (78078) | about 2 years ago | (#39448433)

And good for them. They will also warn if you have left your car door unlocked and motor running. At that moment you should not claim that your car was stolen and used in a robbery. Well, you could, but would have a LOT of explaining to do.

OTOH the majority of people will have absolutely no clue that their Wifi is open and will be grateful that they were warned.

Re:Accountability (1)

Anonymous Coward | about 2 years ago | (#39448459)

In Queensland, your more likely to get a fine that a warning for leaving your car do unlocked and motor running, as that is a crime.

Re:Accountability (0)

Anonymous Coward | about 2 years ago | (#39448723)

It's a lot more likely that you're the one in your own car when the crime is committed than the scenario where the ip address points to the true criminal. I wish people would stop using awful analogies.

australian Accountability (3, Interesting)

johnjones (14274) | about 2 years ago | (#39448467)

thats exactly it !

realistically hacking a wpa setup by a person with no experience is pretty unsecured
(do you really want to know how many people have password1 or changeme...)

have a look at this:

http://open.youyuxi.com/

australia is censored beyond what I certainly expected...

regards

John Jones

Google (4, Interesting)

Aaron B Lingwood (1288412) | more than 2 years ago | (#39448353)

Doesn't google already have this data?

This looks like a money grab from this years' budget

The QPS is always complaining that they do not have enough funding to pay their staff. Now they are wasting precious manhours to mine data that they could easily purchase (or even receive for free) from Google.

wifi security (0, Informative)

Anonymous Coward | more than 2 years ago | (#39448355)

If you don't have a secure WiFi then you may as well turn off the firewall on your network.

Re:wifi security (5, Interesting)

Anonymous Coward | more than 2 years ago | (#39448387)

Insecure WiFi != Insecure network.

At home I have two WiFi network over the same AP, one is open an the other use WPA2, they are in independent networks and with a firewall between both, plus the open is capped to use at max 2mbps.

Re:wifi security (1)

johnjones (14274) | about 2 years ago | (#39448483)

yes thats a very decent way to do things however in australia we have cap's so I would not want to give away my allowance...

living in other places I was unlimited and had no problem doing exactly what you do and giving away a portion of my bandwidth to those in need

maybe someone would help me out one day...

regards

John Jones

Finaly! (2)

V!NCENT (1105021) | more than 2 years ago | (#39448359)

Finaly an actual initiative to protect and serve the people! A little faith in government restored.

Ignoring the FUD about Identity theft (1)

Anonymous Coward | more than 2 years ago | (#39448361)

It's too easy finding a strong (as in signal), open, public WIFI signal these days for there really be any incentive to run around "hacking" WEP or even dealing with weak and unreliable signal issues that one faces using an open connection inside a building.

Shit, if you want to commit fraud, take a clean machine to any McDonalds in the country and you can fraud away to your heart's content.

WEP and WPA are both worthless (0)

Anonymous Coward | more than 2 years ago | (#39448371)

Use WPA2/AES with an uncommon SSID and a complex password, or GTFO.

I wonder what they will say (5, Funny)

Anonymous Coward | more than 2 years ago | (#39448379)

NSW police may be interested in my wifi ssid "Police_Surveillance_Van_71A"

Haven't WPA/WPA2 been broken yet? (0, Insightful)

Anonymous Coward | more than 2 years ago | (#39448385)

I thought "WiFi encryption protocols are easily breakable" was the fifth law of thermodynamics or something.

Broken security (1, Informative)

NoobixCube (1133473) | about 2 years ago | (#39448411)

Wifi security, including WPA and WPA2, is already broken. It's the equivalent of locking your house up with a six pin tumbler lock. It keeps the honest and the curious out, but it's nothing to someone who really wants in.

Re:Broken security (1)

gl4ss (559668) | about 2 years ago | (#39448475)

it's still illegal to break it.

unless, of course, it seems if you're a cop.

Re:Broken security (1)

FireFury03 (653718) | about 2 years ago | (#39448587)

it's still illegal to break it.

unless, of course, it seems if you're a cop.

The police aren't breaking anything, AFAICT they are just listening to the beacon from the access points and seeing if it is flagged as encrypted.

Re:Broken security (1)

allo (1728082) | about 2 years ago | (#39449097)

google got a lot of trouble for doing so. because its inevitable they capture some actual content of connections on insecure wlans.

Re:Broken security (4, Informative)

SilentChasm (998689) | about 2 years ago | (#39448481)

As far as I know WPA/WPA2 isn't broken, only WPS's PIN mode (enter an easy 8 digit number instead of a complicated alphanumeric passphrase). Granted you can still bruteforce the PSK itself instead of the PIN but then you've just got the same problem of weak passwords that many other things do.

Re:Broken security (4, Informative)

thegarbz (1787294) | about 2 years ago | (#39448541)

WPA and WPA2 isn't broken. There's only a configuration problem in WPS (a system designed to bypass having to enter a WPA key, who thought that was a good idea anyway?). Even that isn't broken as such. The effect is that the brute force attack has been simplified to the point where it is achievable to actually perform rather than having to brute force the entire array of usable keys. A simple configuration change that either fixes the problem or better yet limits the number of tries or the rate of tries for connecting using WPS would instantly make it secure again.

The irony? Older access points which support WPA and WPA2 but don't support WPS are quite secure.
The double irony? I have never had WPS actually work on my access point even when the PIN is known, so I'm amazed that this is a suitable attack vector in the first place.

Re:Broken security (1)

jamesh (87723) | about 2 years ago | (#39448735)

WPA and WPA2 isn't broken.

WPA w/TKIP isn't 'broken' in the strictest sense of the word, but is considered insecure enough that there is no good reason to use it if all your hardware supports WPA2.

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Security [wikipedia.org]

Re: broken is apparently a matter of opinion? (0)

Anonymous Coward | about 2 years ago | (#39449001)

Your link says (of WPA-TKIP):

The flaw does not lead to key recovery, but only a keystream that encrypted a particular packet, and which can be reused as many as seven times to inject arbitrary data of the same packet length to a wireless client. For example, this allows someone to inject faked ARP packets which make the victim send packets to the open Internet. This attack was further optimized by two Japanese computer scientists Toshihiro Ohigashi and Masakatu Morii.[16] Their attack doesn't require Quality of Service to be enabled. In October 2009, Halvorsen with others made further progress, enabling attackers to inject larger malicious packets (596 bytes, to be more specific) within approximately 18 minutes and 25 seconds.[17].

Emphasis mine. If you use WPA-TKIP, an attacker can make you start sending him all your packets in less than 20 minutes. And if you use QoS, you're even more fucked, because (again, according to your link):

In February 2010, a new attack was found by Martin Beck that allows an attacker to decrypt all traffic towards the client. The authors say that the attack can be defeated by deactivating QoS, or by switching from TKIP to AES-based CCMP.[18]

So in conclusion: attacker gets all your outbound traffic in 20 minutes (and gets all your inbound traffic too if you use QoS). But somehow that's not "broken?"
Either you've just got your head in the sand, or you're a black hat trying to convince potential marks to keep using WPA-TPIK.

Re:Broken security (1)

virb67 (1771270) | about 2 years ago | (#39448615)

And no matter what kind of lock you place on your house's door a sledgehammer will probably knock it down pretty easily. So what's your point exactly?

Possible Abuse (3, Interesting)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448413)

I find it odd that QPS Media has failed to supply the public with any technical information on what tools they are using and the scope of the exercise
Are they simply searching for wireless networks? Or going as far as trying default passwords?
Are they geocaching MAC Addresses and SSIDs that will be used in other investigations?
Are they sniffing traffic? Are they collecting any personally identifiable information?

While this is a nice service, I do think this does not fall under the purview of the state police
If this is simply a SIGINT operation in disguise, it is better left to the DSD or ASIO
If this is simply a community service, the state governement should use grants to coerce the industry to extend their voluntary code of practice so that ISP's are responsible for making their customers aware of the risks as part of the signup process.

Re:Possible Abuse (1)

AHuxley (892839) | about 2 years ago | (#39448611)

DSD/ASIO would be getting every packet in and out of Australia by default over any telco link.
If your chatting with Africa, Asia or the Middle East- your on a list shared with the UK, NSA ect..
As for sniffing traffic, they would do that as a drift net - all flagged p2p files, forums, chatrooms - going after the person and ip.
MAC Addresses and SSIDs that will be used in other investigations would really be long term with unmarked vans/cars.
It sounds like a simple tool that shows a pad lock or no padlock - just like any consumer device, but it cost Australian taxpayers a lot.
Some telco contractor did good with this deal :)

Re:Possible Abuse (2)

FireFury03 (653718) | about 2 years ago | (#39448633)

While this is a nice service, I do think this does not fall under the purview of the state police

Why not? The police are in the business of crime prevention as well as catching criminals.

Breaking into someone's house and stealing their stuff is a crime. If you do it, the police will (hopefully) come after you and lock you up. The police also have programmes whereby they will tour the neighbourhoods and if they spot some bit of bad security they will knock on the door and tell you about it so you can fix it *before* someone takes advantage of it.

Breaking into someone's network is a crime*. If you do it, the police will (hopefully) come after you and lock you up. In this case, the police are also running a programme whereby they will tour the neighbourhoods and if they spot some bit of bad security they will knock on the door and tell you about it so you can fix it *before* someone takes advantage of it.

What's the difference?

(* cracking someone's security, even if it's lowly WEP, is a crime and should be punished - if someone is running any kind of encryption then it is clear that they don't want to let you into the network. On the other hand, I very much believe that it should _not_ be a crime to use an open network, because there is no reasonable way to know that it wasn't intended to be an open hotspot. I would, however, expect these police to tell you "did you know your network is open, here's how to lock it down" to help people who may have left it open by accident. Getting helpful information from the police does *not* mean you can't ignore it if you actually want to run an open network though).

If this is simply a community service, the state governement should use grants to coerce the industry to extend their voluntary code of practice so that ISP's are responsible for making their customers aware of the risks as part of the signup process.

What kind of "voluntary code of practice" are you talking about? Its true in the past that access points shipped with encryption turned off, but that hasn't been the case for years. So these days the people with open APs are generally either still running old hardware, or are intentionally running them open. I can't see what "code of practice" is going to help with either of these situations.

Re:Possible Abuse (1)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448707)

While this is a nice service, I do think this does not fall under the purview of the state police

Why not?

The Commonwealth Criminal Code completely covers all aspects of unauthorised access. Computer crime has always been a federal crime. The federal police have the experience and resources to deal with this. In the past, I had reported (read: attempted to report but was refused) several minor computer crimes that involved my network or my workplaces. Usually theft of services/data. The state police had ZERO understanding. I realise that QPS have, for almost a decade, really focused on strengthening their tech ability and understanding. I just remain sceptical or perhaps it is just scorn.

What kind of "voluntary code of practice" are you talking about?

I am of the opinion that the majority of ISP subscribers buy their hardware from the ISP and sometimes this is the only option. Many ISP's also charge a setup fee which often also covers support and configuration. Such a code of practice could ensure that this configuration/support covers such things as education and assistance with securing WiFi.

these days the people with open APs are generally either still running old hardware, or are intentionally running them open.

With the role out of the NBN, most Queenslanders will be up for new hardware well before every street in the state has been audited. Implementing this code in time would mean that EVERY NBN subscriber would be at least aware of the security issues and I can see this approach possibly saving ISP's money.

Re:Possible Abuse (1)

drsmithy (35869) | about 2 years ago | (#39448749)

On the other hand, I very much believe that it should _not_ be a crime to use an open network, because there is no reasonable way to know that it wasn't intended to be an open hotspot.

By your logic, it's reasonable to assume anyone without a fence and locked door is inviting me in for dinner.

Re:Possible Abuse (2)

FireFury03 (653718) | about 2 years ago | (#39448937)

On the other hand, I very much believe that it should _not_ be a crime to use an open network, because there is no reasonable way to know that it wasn't intended to be an open hotspot.

By your logic, it's reasonable to assume anyone without a fence and locked door is inviting me in for dinner.

No. Public areas (parks, etc) are usually clearly marked as such - it is pretty easy to tell the deifference between a park and someone's unfenced garden.

On the other hand, wifi has a flag in the protocol explicitly to tell you if it is public or private and there is no other sensible way to tell this. Unfortunately, access points that are accidentally left open will also be broadcasting an "I am a public hotspot" flag, even though the owner didn't intend to do this.

As an example, if you go for a coffee in "Bob's café" and you find an open access point called "bobs_wifi", are you to assume that this is intended to be used by the customers of the café, or should you assume that Bob lives above the café and this is his personal wifi that has been set up incorrectly? (And yes, it's pretty common for cafés to provide free wifi in the form of an open access point and not even bother to advertise the fact).

Another example: I have accidentally used someone's personal wifi in the past - it was an open access point that was broadcasting a pretty generic SSID (something like "BTOpenSpace"). BT provide internet connections to homes and businesses (with associated wifi kit), but they also provide public hotspots under a variety of names (BTOpenZone, BTFon and a few others). Without a good knowledge of all the hotspot providers and ISPs, it is impossible to know which ones are private and which are public without trusting that the ones that advertise themselves as public really are (as it turns out, the BTOpenSpace one was someone's home ADSL, but I didn't realise this until afterwards).

Also, anything that automatically looks for public wifi hotspots can *only* trust what the access point is advertising itself to be - since no human is reviewing its decisions, there are no judgement calls. My SIP handset will auto-associate with any public network if it can't find my private one - it isn't going to ask me every time it needs to change network, so even if your network has the SSID of "private_keep_out", it'll still happilly use that network if your AP is advertising itself as a public hotspot.

So sorry, since legitimate public hotspots are very common and there is no way to tell them apart from incorrectly configured private access points, I can't see how it can be considered a crime for someone to use a private hotspot that is advertising itself as being public. This isn't like an obvious private garden not having fences, it's more like an unfenced garden with a bloody great sign outside it saying "please come in".

Re:Possible Abuse (0)

Anonymous Coward | about 2 years ago | (#39449043)

The internet is quite different. The internet is made to be used by people all over the world. How are you supposed to know whose wifi is deliberately open and whose isn't? There is just no reasonable way to tell. With a house, you can knock or ask for permission.

Your analogy is awful.

Re:Possible Abuse (1)

stephanruby (542433) | about 2 years ago | (#39448955)

I find it odd that QPS Media has failed to supply the public with any technical information on what tools they are using and the scope of the exercise

Also, why are they limiting themselves to wifi only? Unsecured trash cans, unsecured cable boxes, and cheap mailboxes can be another way for people to steal your data. And in bad neighborhoods, unsecured backyards, unsecured windows, and easy to break doors, are a boon for criminals. If they're going to have someone driving around inspecting security issues, they might has well give that person multiple things to look for -- to save on gas.

Re:Possible Abuse (1)

Lumpy (12016) | about 2 years ago | (#39449021)

You have a fine here for having breakable glass windows. This encourages crime.

Re:Possible Abuse (1)

Aaron B Lingwood (1288412) | about 2 years ago | (#39449085)

Also, why are they limiting themselves to wifi only? Unsecured trash cans, unsecured cable boxes, and cheap mailboxes can be another way for people to steal your data.

This is one of the reasons I suspect this may be a SIGINT operation by the state police so they don't have to keep giving up jurisdiction or credit to the feds.

what's next (0)

Anonymous Coward | about 2 years ago | (#39448443)

police going around to everyone's door trying to open it?

Re:what's next (2)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448487)

police going around to everyone's door trying to open it?

Some police beats in shopping centres check parked cars and leave a nice little letter with a nice big fine if they find one unlocked.

Re:what's next (0)

Anonymous Coward | about 2 years ago | (#39448505)

and why is it illegal to leave your car unlocked ? Maybe I want to dispose of it, a wrecker wont accept it, cant afford to dump it, and no, its not insured so I wont try to claim insurance.

Re:what's next (1, Informative)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448551)

and why is it illegal to leave your car unlocked ?

It is illegal as it encourages opportunistic crime resulting in more paperwork for the old bill.
It is quite difficult to type up reports when your fingers are all sticky from doughnut icing.

Re:what's next (0)

Anonymous Coward | about 2 years ago | (#39448795)

Any crime is the fault of the criminal. Your actions may have made the crime easier, but you did not participate in the crime. Your car is your property. Leave it unlocked if you want to. Disregard anyone who tells you otherwise.

Re:what's next (1)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448897)

I once purchased a new Jeep Wrangler softtop.

Being a new car, I was being very careful ensuring that the car was always locked and parked under a streetlight at night.
Didn't help. Had the window panels slashed on 2 occasions in the first month of ownership. Once for some pocket change, and another for a work uniform.
Replacement panels are $1,200 a pop. I resorted to ALWAYS leaving the car unlocked to prevent this kind of vandalism. Never had a problem again.
Over the next 2 years, I only received a single $40 fine for leaving the vehicle unlocked. Argued the ticket and it was retracted.

Re:what's next (1)

Anonymous Coward | about 2 years ago | (#39448533)

hahaha They NEVER leave a Fine on a car for being unlocked. Stop stirring shit dude. They just leave a notice saying its unsecure etc etc.

Re:what's next (2)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448605)

They NEVER leave a Fine on a car for being unlocked.

Never [sunshineco...ily.com.au] Say [brisbanetimes.com.au] Never [whirlpool.net.au]

Re:what's next (2, Insightful)

blackest_k (761565) | about 2 years ago | (#39448785)

That law is ridiculous, i've had several locked cars broken into and the damage due to breaking in has always cost more than anything stolen. Generally the only thing of value is a couple of euro and the radio which although it has bluetooth, mp3 cd cost 56 euro a new door or window costs a lot more to fix than replacing the radio.

The engine immobiliser still works you need a proper coded key for the ignition to work, you might still steal the car but the door locks are not going to be much of a barrier honestly.

Sure sometimes i might be carrying something of value when it makes the cost of repairing the car less than the cost of the stolen goods but then i would lock it.

however in practical terms the cost of a break in is my insurance excess (500 euro) + the loss of noclaims discount which is around 75% a loss of (750 euro).

A friend of mine had his lorry fuel tank syphoned in a locked patrolled yard no less, the police said he should have a locking cap on the tank. well that is all well and good until you realise the tank would still have been broke into and the tank damaged in the process and his lorry would have been off the road making him unable to meet his contracts. While annoying and expensive to lose fuel that way the alternative could cost him a lot more maybe even his business.

  Security is a trade off and it makes no sense to ensure the cost of flimsy security measures costs more than the things stolen in the first place.

Safe wi-fi spot (1)

hcs_$reboot (1536101) | about 2 years ago | (#39448469)

If anyone has a secure wi-fi spot, will the "I did not download that file, someone did by accessing my wi-fi" excuse remain valid?

Re:Safe wi-fi spot (1)

gnasher719 (869701) | about 2 years ago | (#39448493)

If anyone has a secure wi-fi spot, will the "I did not download that file, someone did by accessing my wi-fi" excuse remain valid?

If your WiFi is secured, then you don't need the defense because nobody will use your WiFi to download files.

Re:Safe wi-fi spot (2)

Aryden (1872756) | about 2 years ago | (#39448535)

If your WiFi is secured, then you don't need the defense because only those who really want to will use your WiFi to download files.

FTFY

Re:Safe wi-fi spot (1)

Aaron B Lingwood (1288412) | about 2 years ago | (#39448573)

If anyone has a secure wi-fi spot, will the "I did not download that file, someone did by accessing my wi-fi" excuse remain valid?

If your WiFi is secured, then you don't need the defense because nobody will use your WiFi to download files.

If your WiFi is secured and someone, through luck or through skill, manages to identify with your AP and use your connection for nefarious deeds, you no longer have that defence. I always keep an open but isolated, bandwidth-limited channel. I use a secure channel for myself and my guests.

Re:Safe wi-fi spot (0)

Anonymous Coward | about 2 years ago | (#39448651)

and will hold up in a court of law ? I guess if it is bandwidth limited, and actually routes to the net, then I guess so. I its just a powered on wifi with no LAN connection then I guess maybe not. interesting idea though. What if its call 'McDonald Open WiFi'. Will that work assuming there if a McDonald's around the corner ? Or is is MAC based ? Which then I ask, Is there a 'machanger' equivalent for modems ? and what about the TOR network ?

Money must grow on trees in Queensland (2)

anarkhos (209172) | about 2 years ago | (#39448571)

to pay for this crap

Re:Money must grow on trees in Queensland (0)

Anonymous Coward | about 2 years ago | (#39448833)

No, but it is just underground, waiting to be dug up.

A crackdown on plausible deniability! (0)

Anonymous Coward | about 2 years ago | (#39448589)

This is NOT to protect citizens!

This is to make it easier to link people to activities on the Internet.

I think it is now illegal to have open Wifi in some places! Hello, police state!

Why bother? (1)

Datamonstar (845886) | about 2 years ago | (#39448621)

I mean, it's a fine and commendable effort & all, but it's just bound to go WOOOOSH!!! to most citizens anyway. In fact, that goes for many of the cops too, I'd bet. Just leaving a letter talking about a screen door isn't really going to cut it for people who just expect to plug in a device and have it work perfectly automagically.

I understand WEP is bad but ... (0)

Anonymous Coward | about 2 years ago | (#39448629)

I understand WEP is trivial to crack but I have too many devices that only have WEP connectivity.
Have no money to upgrade and in many case no new devices exist that would replace the old ones.
To me, my WEP setup means to anyone else "locked door" and nothing else, the fact that the door is flimsy does not detract from the fact it is a locked door.
my SSID is NOENTRY

Re:I understand WEP is bad but ... (1)

jamesh (87723) | about 2 years ago | (#39448737)

I had a WEP SSID for my daughters Nintendo DS, but had it locked down to the point that a hacker without a DS wouldn't be able to do much with it.

WOTAM (0)

Anonymous Coward | about 2 years ago | (#39448845)

Wait of time and money.

I broadcast about 120 open AP's (4, Funny)

Lumpy (12016) | about 2 years ago | (#39448989)

All of them named Linksys, Dlink, Wireless, etc... and all to a single router that is connected to nothing at all.

It significantly reduces the volume of idiot neighbors that do not configure their new wireless as many times they will connect to me instead.

Works great, when I shut it off, I see no more default router names.

It also screws with the wardrivers, I look at some of the maps every few months and see my location with a giant pile of AP names around my building.

Ugh (0)

Anonymous Coward | about 2 years ago | (#39449093)

So are they going to force me to lock my door too?

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...