[GRLUG] MIFI Choices

Mike Williams knightperson at zuzax.com
Thu May 26 13:18:25 EDT 2011


On 05/26/2011 06:12 AM, Adam Tauno Williams wrote:
> On Wed, 2011-05-25 at 19:34 -0400, Mike Williams wrote:
>> I haven't heard anything about it in a while, but there was a proposed
>> "Internet Safety Act" a couple of years ago that would require anyone
>> that offers public Internet access to keep two years of logs that
>> could be used to identify the person behind a temporary IP address. This
>> is a ridiculous amount of record-keeping for a small organization and
>> would make Comcast's proposal completely impractical. Unless they're
>> monitoring and recording everything at their end, which is an even more
>> disturbing prospect!
> They do, I assure you.  It really isn't that hard.  RADIUS servers will
> log the association information to a database if the wireless network is
> secured; otherwise WAPs can communicate, and do, via either SNMP traps
> or just syslog messages when they acquire a new association - then your
> NMS just records this information.  It is pretty much
> works-out-of-the-box for wireless hardware.
>
I was referring to that Comcast Mobile thing, and I was assuming it ran 
NAT for random open connections. If so, sending MAC address information 
upstream would be tricky unless they centralized DHCP, which I suppose 
is possible but would be weird.
>> Honestly, I don't see what it would accomplish anyway. Unless you
>> require everyone to log in with a unique certificate, the most you're
>> going to get is a wireless MAC address, and those can easily be faked.
> I've had this conversation with law enforcement.
>
> It accomplishes quite a lot; because something can be easily faked
> doesn't mean it is.  If it can lead you back to a computer then the
> computer can be inspected forensically - *you* may know what you are
> doing and wipe data, etc...  that places you in a very very very small
> group of people.  The *vast* majority of brains walking aren't aware of
> the concept of a MAC address or wireless association.  It's just magick.
> No matter how many times people see something on CSI:Toledo they don't
> make the connection.
>
It is entirely possible that I'm projecting my own familiarity with the 
concept onto those who don't actually have it. But that brings up the 
question of if you have the MAC address for a computer that was doing 
something nasty, how hard is it to find that physical computer if it 
moves around? I know the first few (four?) digits of a MAC identify the 
manufacturer of the card, but that won't be very specific. Take 
something like the Centrino package on my laptop, and I don't think the 
MAC would even tell you whether it's a Dell or a Toshiba!
>> Wireshark depends a bit on the encryption used. With anything less than
>> WPA2 it behaves as you described, and two computers connected to the
>> same access point with the same password can "see" each other's traffic.
>> If you use WPA2, even with a known initial passcode, the encryption keys
>> negotiated for each connection are unique. You can still, in theory,
>> reverse the initial conversation and get the key, but it's much harder.
> The encryption of the wireless network is irrelevant.  If you are the
> wireless provider [either using your own MIFI device, home WAP, or you
> are Comcast] then you just watch the traffic upstream. Most traffic,
> especially social-media crap, is not encrypted.  And sharing of a WAP is
> usually, for obvious reasons, performed by operating it in the Open.
That was more about the professor and wireshark example than anything 
else. But it's almost as easy to run WPA2 encryption using a simple 
public wireless passphrase. I've seen a couple of places that use the 
business's name or phone number for that, although they don't always use 
good enough encryption to amount to anything more than a digital "No 
Trespassing" sign. And for the record, Facebook now supports SSL 
connections if you enable it, but most forums are still wide open.
> On the other hand: using an Open wireless network is itself perfectly
> safe - just encrypt your traffic end-to-end like should always be
> happening anyway.  I've always been puzzled about the wailing and
> gnashing of teeth about bad wireless encryption: encrypt the *data* and
> trust no connection - because the upstream network [the Internet!] is an
> Open network.
On this, we agree. With modern hardware, the computational overhead of 
running SSL is minimal. I think Google quoted something like a 5% 
increase in CPU utilization when they forced SSL in GMail, so the excuse 
of increased expense really isn't valid. Unfortunately, there's no way 
to force end-to-end encryption for websites that don't offer it. The 
closest I can come up with is having a VPN out in the cloud and running 
everything through that while you're using a public wifi, but those are 
unfortunately fairly difficult to set up. That would protect you, 
mostly, from the guy next to you listening in on your connection, but it 
would still be possible for things to be intercepted at the other end. I 
have a friend in Vancouver who runs a cloud server, but he hasn't gotten 
around to making FreeSWAN or something work properly.




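As an added illustration, not part of the thread, of how the association logging described above could be used after the fact: this parses constructed WAP syslog lines, pulls out the OUI prefix, flags locally administered (software-assigned) addresses, and traces one client across access points. The syslog wording, the AP names, the MAC addresses and the tiny OUI table are all constructed assumptions; real access points and the real IEEE registry differ.

```python
import re

# Constructed sample syslog lines in an assumed, simplified hostapd-style format.
SAMPLE_SYSLOG = """\
May 25 19:34:02 wap-lobby hostapd: wlan0: STA 00:1b:21:3c:4d:5e IEEE 802.11: associated
May 25 19:40:17 wap-cafe hostapd: wlan0: STA 02:11:22:33:44:55 IEEE 802.11: associated
May 25 20:02:45 wap-lobby hostapd: wlan0: STA 00:1b:21:3c:4d:5e IEEE 802.11: disassociated
May 25 20:05:09 wap-cafe hostapd: wlan0: STA 00:1b:21:3c:4d:5e IEEE 802.11: associated
"""

ASSOC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<ap>\S+) \S+ \S+ "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) .*?: (?P<event>associated|disassociated)$",
    re.IGNORECASE,
)

# Constructed OUI table for illustration only; the authoritative source is the IEEE registry.
OUI_TABLE = {"00:1b:21": "example vendor entry"}

def parse_association_log(text):
    """Turn syslog text into a list of {ts, ap, mac, event} records (the NMS's job)."""
    records = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if not m:
            continue
        records.append({"ts": m.group("ts"), "ap": m.group("ap"),
                        "mac": m.group("mac").lower(), "event": m.group("event").lower()})
    return records

def describe_mac(mac):
    """Vendor hint from the OUI (first three octets) plus the locally-administered bit.
    That bit (0x02 in the first octet) is set on software-assigned addresses; a faked
    MAC need not set it, so it is only a hint, never proof either way."""
    oui = mac[:8].lower()
    locally_administered = bool(int(mac[:2], 16) & 0x02)
    return {"oui": oui, "vendor": OUI_TABLE.get(oui, "unknown"),
            "locally_administered": locally_administered}

def trail_for_mac(records, mac):
    """Which access points one client MAC associated to, in log order."""
    return [(r["ts"], r["ap"]) for r in records
            if r["mac"] == mac.lower() and r["event"] == "associated"]

if __name__ == "__main__":
    recs = parse_association_log(SAMPLE_SYSLOG)
    for mac in sorted({r["mac"] for r in recs}):
        print(mac, describe_mac(mac), trail_for_mac(recs, mac))
```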