1785: "Wifi"

thunk
Posts: 480
Joined: Sat Apr 23, 2016 3:29 am UTC
Location: Arguably Exiled

1785: "Wifi"

Postby thunk » Fri Jan 13, 2017 5:08 am UTC


alt-text: Further out to the right, it works correctly, but the reason it works still involves the word 'firmware.'

I'm somewhere in the happy middle part of that graph, and I'm glad for it.
Free markets, free movement, free plops
Blitz on, my friends Quantized, GnomeAnne, and iskinner!
troo dat

Mikeski
Posts: 1099
Joined: Sun Jan 13, 2008 7:24 am UTC
Location: Minnesota, USA

Re: 1785: "Wifi"

Postby Mikeski » Fri Jan 13, 2017 6:47 am UTC

The leftmost "works fine" arrow is actually pointing to the neighbor's unsecured wifi.

gimmespamnow
Posts: 49
Joined: Wed Sep 14, 2011 6:35 am UTC

Re: 1785: "Wifi"

Postby gimmespamnow » Fri Jan 13, 2017 6:53 am UTC

So I'm staying in this AirBnb and the listing said it has WiFi...
-I have good signal for a secured network
-Password isn't posted anywhere
-Owner isn't here, we could call him but doesn't seem like that big of a deal.
-Finally find the network info, (and general house details,) on the fridge of the unit below us. (It is a duplex: we are upstairs.) Fortunately nobody is in there, so we can creepily stare in the window.
-Password is waytoolongforthepurposeo6
-Password doesn't work...
-After several times typing in that, I try waytoolongforthepurpose06
-Success. (The piece of paper I'm copying from is typed, it was clearly a lowercase "o")
-Success seems to be relative: I have an IP, but nothing works.
-Wait, ping 8.8.8.8 does work.
-Change the DNS settings.
-Okay, now it is fine.

"Works fine" may be true in Randall's house, but I'm pretty sure that only the most tech savvy got on that WiFi...

tagno25
Posts: 36
Joined: Wed Dec 30, 2009 8:10 am UTC

Re: 1785: "Wifi"

Postby tagno25 » Fri Jan 13, 2017 7:37 am UTC

gimmespamnow wrote:-Wait, ping 8.8.8.8 does work.
-Change the DNS settings.
-Okay, now it is fine.

"Works fine" may be true in Randall's house, but I'm pretty sure that only the most tech savvy got on that WiFi...

I think you forgot a few steps. Like "- Login to router using default username and password" and "- fix incorrect DNS in router", and maybe even "- Flash OpenWRT on router"

hjaltello
Posts: 1
Joined: Fri Jan 13, 2017 8:15 am UTC

Re: 1785: "Wifi"

Postby hjaltello » Fri Jan 13, 2017 8:18 am UTC

I actually stayed at the right. Until I became a little more tech-savvy and moved further ahead. It didn't involve firmware, but rather it involved Linux Kernel Module, a lot of recoding drivers and even more compiling.

orthogon
Posts: 3075
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: 1785: "Wifi"

Postby orthogon » Fri Jan 13, 2017 8:21 am UTC

gimmespamnow wrote:-Password is waytoolongforthepurposeo6
-Password doesn't work...
-After several times typing in that, I try waytoolongforthepurpose06
-Success. (The piece of paper I'm copying from is typed, it was clearly a lowercase "o")
...
"Works fine" may be true in Randall's house, but I'm pretty sure that only the most tech savvy got on that WiFi...

That's dastardly, because anyone who's tech savvy enough to fix the DNS settings is going to be able to tell an "o" from a zero, and is likely not to even try the latter on the basis that everybody knows the difference.

One non-technical user that I was training on our new system kept saying "zero" when he meant "O": I assume this was a kind of hypercorrection, trying to impress the tech guy, but I suppose it's just possible that he was old enough to have used an old typewriter where the same key had to double as both characters.
xtifr wrote:... and orthogon merely sounds undecided.

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 4060
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: 1785: "Wifi"

Postby Soupspoon » Fri Jan 13, 2017 10:38 am UTC

My house is cabled with Cat5 (yeah, could be updated to Cat6/6a, skipping 5e, but not found it necessary - maybe my next house). Works better for me, with the exception of wireless-only tablets, but that's just me. ;)

somitomi
Posts: 753
Joined: Fri Nov 06, 2015 11:21 pm UTC
Location: can be found in Hungary

Re: 1785: "Wifi"

Postby somitomi » Fri Jan 13, 2017 10:54 am UTC

It's equal to the probability of me bothering to add your device to the MAC address table. Oh right, and that's now full, I need to delete an address at random, because no one has any idea which addresses belong to still active devices. I should get that clean slate project underway now, since apparently I've unofficially become the "Keeper of Routers".
Avatar from Freddino
―◯‐◯ FG Discord◯‐◯―

kelly_holden
Posts: 33
Joined: Wed Apr 23, 2014 7:27 am UTC
Location: Rural New South Wales

Re: 1785: "Wifi"

Postby kelly_holden » Fri Jan 13, 2017 11:19 am UTC

A few days ago, an older friend of mine asked me to come over and help set up her newly installed NBN wifi. She'd plugged the router into the old landline instead of the NBN box. So, yeah, she's at the left.

cellocgw
Posts: 2053
Joined: Sat Jun 21, 2008 7:40 pm UTC

Re: 1785: "Wifi"

Postby cellocgw » Fri Jan 13, 2017 2:36 pm UTC

Very Important Question:

Is the Y-axis linear or logarithmic?
https://app.box.com/witthoftresume
Former OTTer
Vote cellocgw for President 2020. #ScienceintheWhiteHouse http://cellocgw.wordpress.com
"The Planck length is 3.81779e-33 picas." -- keithl
" Earth weighs almost exactly π milliJupiters" -- what-if #146, note 7

orthogon
Posts: 3075
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: 1785: "Wifi"

Postby orthogon » Fri Jan 13, 2017 3:48 pm UTC

Mikeski wrote:The leftmost "works fine" arrow is actually pointing to the neighbor's unsecured wifi.

Something like that happened to me. I was trying to get my laptop online at a different site (actually my company's site but with a different WiFi setup), and I couldn't manage to get onto either of the possible networks (despite having help from a local admin guy). Then suddenly I was online: and I couldn't work out why but was already late for the Webex call so I just went with it. Later I realised I'd been using my mobile hotspot from my phone, which I almost never use but which just happened to have got turned on by accident that morning (I don't know how - I'd been wondering what the unfamiliar icon in the notification bar meant, so I know it hadn't just been on for months). That was a freaky coincidence, and lucky too as it hadn't occurred to me to use the hotspot.
xtifr wrote:... and orthogon merely sounds undecided.

Rysto
Posts: 1460
Joined: Wed Mar 21, 2007 4:07 am UTC

Re: 1785: "Wifi"

Postby Rysto » Fri Jan 13, 2017 3:57 pm UTC

A bit of a tangent but as an embedded software developer, I've literally never had a pleasant conversation that included the word "firmware".

Heimhenge
Posts: 369
Joined: Thu May 01, 2014 11:35 pm UTC
Location: Arizona desert

Re: 1785: "Wifi"

Postby Heimhenge » Fri Jan 13, 2017 4:39 pm UTC

Soupspoon wrote:My house is cabled with Cat5 (yeah, could be updated to Cat6/6a, skipping 5e, but not found it necessary - maybe my next house). Works better for me, with the exception of wireless-only tablets, but that's just me. ;)


Same here. I installed whole-house Cat-5 while I was building and it was still easy to run the cables. Wireless was new then, and a good friend who worked in IT advised me that hardwired was way better than wireless (which it was back then). Lived happily with that for years. When I got a tablet I decided to add a wireless node to my network up in the attic (older router was still working fine but didn't have wifi).

Then one day when I was out on my deck reading an e-book on my tablet I went into the settings for some reason and discovered there were 2 additional wifi networks available. I'm out in a rural desert area, and my nearest neighbors are like 1/4 mile away, but I was apparently in range. Neither were secured, nor was mine ... never bothered to secure it because I thought I was outa range. My early-model wireless node was supposed to have a range of about 150 feet but I'm up on a hill and had line-of-sight to my neighbors.

So I secured my wifi, and shortly thereafter so did my neighbors. Never did try to get on their networks but wonder to this day what kinda bandwidth I coulda gotten at that fringe range.

Keyman
Posts: 337
Joined: Thu Jun 19, 2014 1:56 pm UTC

Re: 1785: "Wifi"

Postby Keyman » Fri Jan 13, 2017 6:05 pm UTC

My first real GOOM(Life)R moment. I am literally leaving my office right now to go home to meet the CenturyLink tech (sometime between 2pm and 6pm) because my home WiFi blew up last night. So, you'll probably be able to guess how that goes by observing a timestamp for my next post.
Nothing could be more ill-judged than that intolerant spirit which has, at all times, characterized political parties. - A. Hamilton

Justin Lardinois
Posts: 58
Joined: Wed Aug 26, 2015 4:47 pm UTC

Re: 1785: "Wifi"

Postby Justin Lardinois » Fri Jan 13, 2017 6:07 pm UTC

Mikeski wrote:The leftmost "works fine" arrow is actually pointing to the neighbor's unsecured wifi.


In my experience this is almost nonexistent. I blame router manufacturers for making their devices password protected by default.

I miss the good old days when I was stuck on dialup, but it didn't matter because none of my neighbors secured their networks.

Rombobjörn
Posts: 147
Joined: Mon Feb 27, 2012 11:56 am UTC
Location: right between the past and the future

Re: 1785: "Wifi"

Postby Rombobjörn » Fri Jan 13, 2017 8:02 pm UTC

gimmespamnow wrote:So I'm staying in this AirBnb and the listing said it has WiFi...
-I have good signal for a secured network
-Password isn't posted anywhere
-Owner isn't here, we could call him but doesn't seem like that big of a deal.
-Finally find the network info, (and general house details,) on the fridge of the unit below us. (It is a duplex: we are upstairs.) Fortunately nobody is in there, so we can creepily stare in the window.
-Password is waytoolongforthepurposeo6

I am not rightly able to apprehend the confusion of ideas which would provoke such a setup.

  • If they provide wifi so that guests can access the Internet, then there is no use for link-layer encryption.
  • If there is some insecure service on the local network that needs to be protected with link-layer encryption, then random strangers who rent the house should probably not be allowed to access that service.
  • The set of people who are within range of the wifi but unable to walk to the house and look in the window is bound to be rather small.

Heimhenge wrote:Then one day when I was out on my deck reading an e-book on my tablet I went into the settings for some reason and discovered there were 2 additional wifi networks available. I'm out in a rural desert area, and my nearest neighbors are like 1/4 mile away, but I was apparently in range. Neither were secured, nor was mine ... never bothered to secure it because I thought I was outa range. My early-model wireless node was supposed to have a range of about 150 feet but I'm up on a hill and had line-of-sight to my neighbors.

The range of radio depends on many things: The power of the transmitter, the sensitivity of the receiver, the shape of your antenna, the shape of the other antenna, objects between the antennas, objects near either antenna, the weather, the time of day ... You should never rely on range for security.

You are in good company though. The whole concept of "near-field communication" is based on the same flawed idea of using a limited range instead of authentication.

Cervisiae Amatorem
Posts: 57
Joined: Mon Aug 29, 2011 5:47 pm UTC

Re: 1785: "Wifi"

Postby Cervisiae Amatorem » Fri Jan 13, 2017 8:53 pm UTC

Even further to the right, the line dips to negative as the guest manages to knock out the wifi router for everyone else as well..

ucim
Posts: 6859
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 1785: "Wifi"

Postby ucim » Fri Jan 13, 2017 9:34 pm UTC

What I would like is for guest wifi providers (like hotels) to provide the MAC address of their router, and for client wifi programs to display this address. This would allow me to ensure that when I connect to:
Hotelname_free_wifi
I can check to see that it really is wifi provided by Hotelname, and not some other network that was given the name in order to facilitate MitM attacks.

My wifi information tab provides a "hardware address" but it's my own hardware, which isn't much use to me for authentication.

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Heartfelt thanks from addams and from me - you really made a difference.

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 4060
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: 1785: "Wifi"

Postby Soupspoon » Fri Jan 13, 2017 10:26 pm UTC

Rombobjörn wrote:I am not rightly able to apprehend the confusion of ideas which would provoke such a setup.

  • If they provide wifi so that guests can access the Internet, then there is no use for link-layer encryption.
  • If there is some insecure service on the local network that needs to be protected with link-layer encryption, then random strangers who rent the house should probably not be allowed to access that service.
  • The set of people who are within range of the wifi but unable to walk to the house and look in the window is bound to be rather small.

They probably want only guests, not neighbours, to use their wifi. So it is passworded thus (at least in theory) much as a bar might have a "password of the day" on the signal to prevent non-patrons (at least those not patrons-of-earlier-in-the-day) from leaning against the lamppost outside and 'stealing' a bit/a lot of bandwidth without actually patronising.

I read the scenario as that, anyway, plus that likely both units' fridges were probably supposed to have the (supposedly correct) information on them, but for some reason (prior guest in the upper one pocketed the note?) only the one did. Luckily for the BnBer concerned, the shared access hallway/stairwell to both units gives an unobstructed view of at least the other unit's fridge door and note. Whether strangers (or neighbours) get access to the same viewpoint (or know that it would be wirelessly advantageous for them to do so) is not said. Implication is that however much bother the owner of the let wants to go to to allow only guests to potentially abuse the service, they did not consider it enough bother to stick the information somewhere 'deeper' within the flat, or else up next to the entrance (on the inside) perhaps near the light switch but not visible from any externally windowed doors or actual windows...

But just a guess. The teller of the anecdote could clarify, but it doesn't seem that too far fetched.

If I was letting a property, I might either do something similar or go the full paranoid and have two separate wireless routers that I could manage from a tunnel through the (non-wireless) main router/firewall and set up novel passwords for each guest-stay period in each guest-stay accommodation, giving them the intended password-of-the-stay in advance, activating it for their arrival, deactivating/changing it at noon/whatever upon their departure, perhaps having the main firewall throttle them a bit if they're threatening to spoil the Service Agreement limits with the ISP being used, also some very basic packet monitoring to act as a backstop as come-back in the event there was nefarious use that it would be useful to reveal to cooperate with the authorities in proving that it was somebody else breaking laws on this equipment during their stay. (But one could go too far...)

Keyman
Posts: 337
Joined: Thu Jun 19, 2014 1:56 pm UTC

Re: 1785: "Wifi"

Postby Keyman » Sat Jan 14, 2017 12:24 am UTC

Keyman wrote:My first real GOOM(Life)R moment. I am literally leaving my office right now to go home to meet the CenturyLink tech (sometime between 2pm and 6pm) because my home WiFi blew up last night. So, you'll probably be able to guess how that goes by observing a timestamp for my next post.

This long….
Nothing could be more ill-judged than that intolerant spirit which has, at all times, characterized political parties. - A. Hamilton

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 4060
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: 1785: "Wifi"

Postby Soupspoon » Sat Jan 14, 2017 12:47 am UTC

Keyman wrote:
Keyman wrote:My first real GOOM(Life)R moment. I am literally leaving my office right now to go home to meet the CenturyLink tech (sometime between 2pm and 6pm) because my home WiFi blew up last night. So, you'll probably be able to guess how that goes by observing a timestamp for my next post.

This long….

Welcome back, Seven Of Nine, to the Collective. It is good to know that you are reassimilated.

Tub
Posts: 472
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: 1785: "Wifi"

Postby Tub » Sat Jan 14, 2017 1:33 am UTC

Having a password on their wlan may not be a security thing, but a legal one. Entering a password protected network may be treated differently from entering an open one; in cases of illegal activities the owner may have more liability if the network was not protected against misuse.

I'm currently switching my notebook from gentoo to arch. Everything works, except wlan. Installing non-free drivers took a while (thankfully no firmware issues!), now I need to figure out how to dynamically switch from wired to wireless and back without disrupting existing connections.
Too simple? Well, I also need to unload the kernel drivers every time I disconnect the wlan, otherwise I get a kernel panic. Stupid non-free drivers.

gimmespamnow
Posts: 49
Joined: Wed Sep 14, 2011 6:35 am UTC

Re: 1785: "Wifi"

Postby gimmespamnow » Sat Jan 14, 2017 9:14 am UTC

Rombobjörn wrote:I am not rightly able to apprehend the confusion of ideas which would provoke such a setup.

  • If they provide wifi so that guests can access the Internet, then there is no use for link-layer encryption.
  • If there is some insecure service on the local network that needs to be protected with link-layer encryption, then random strangers who rent the house should probably not be allowed to access that service.
  • The set of people who are within range of the wifi but unable to walk to the house and look in the window is bound to be rather small.


You're assuming the owner is rational and knows something about computers... Given the o vs 0 thing I have my doubts on that, I'm guessing the logic went something like: they bought a router and plugged it in, and it asked them to create a password so they did.

ucim wrote:What I would like is for guest wifi providers (like hotels) to provide the MAC address of their router, and for client wifi programs to display this address. This would allow me to ensure that when I connect to:
Hotelname_free_wifi
I can check to see that it really is wifi provided by Hotelname, and not some other network that was given the name in order to facilitate MitM attacks.


For all but the smallest hotels that wouldn't just be a single MAC address, but a list: depending on the building materials a hotel needs an access point every 5 rooms or so. And of course, the attacker could spoof a MAC from the list too... There is a right way to do this: 802.1X, and make the users verify the certificate signature. It is a pain to set up and support on the hotel and the client side, but once you have it working you can wander around the building and trust that you won't roam onto a rogue access point... Of course, even if you have all that, we also have to assume the network past the WiFi is secure, (I was in a hotel recently where the switches for each floor lived next to the ice machines, which seems like a bad idea from a moisture standpoint, let alone security) and that you trust all the employees to not just not steal your luggage, but also to not add a device to the wiring closet...

ucim
Posts: 6859
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 1785: "Wifi"

Postby ucim » Sat Jan 14, 2017 3:48 pm UTC

gimmespamnow wrote:There is a right way to do this: 802.1X, and make the users verify the certificate signature.
How would that work from either side (or where would I find instructions that I could follow and point a hotel at to follow?)

gimmespamnow wrote:...we also have to assume the network past the WiFi is secure [...] and that you trust all the employees to not just not steal your luggage, but also to not add a device to the wiring closet...


Yes, locking the door doesn't secure the window. But there's no escaping trust - from hidden "capabilities" in the hardware to subterfuge in each piece of software you use and interact with, trust is involved. But at least we can make it require more sophisticated levels of espionage in order to do us harm.

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Heartfelt thanks from addams and from me - you really made a difference.

Rombobjörn
Posts: 147
Joined: Mon Feb 27, 2012 11:56 am UTC
Location: right between the past and the future

Re: 1785: "Wifi"

Postby Rombobjörn » Sat Jan 14, 2017 10:55 pm UTC

Tub wrote:Having a password on their wlan may not be a security thing, but a legal one. Entering a password protected network may be treated differently from entering an open one; in cases of illegal activities the owner may have more liability if the network was not protected against misuse.

Maybe such laws exist in some countries. There has apparently been a similar law in Germany, but it may have been changed by now. Unfounded fear of liability that doesn't actually exist seems much more common, for example in Britain.

gimmespamnow wrote:I was in a hotel recently where the switches for each floor lived next to the ice machines, which seems like a bad idea from a moisture standpoint, let alone security

Well, they're vulnerable to a denial-of-service attack by pulling out cables, but other than that I don't see much of a problem from a guest's point of view. Somebody could install a device to eavesdrop on the cables, but that's just one of many points where your traffic might be intercepted. Any countermeasures you take against all the other eavesdropping will thwart that instance too. Somebody might implant something nasty inside the switches, but that's a problem to the hotel rather than to the guests.

ucim wrote:
gimmespamnow wrote:There is a right way to do this: 802.1X, and make the users verify the certificate signature.

How would that work from either side (or where would I find instructions that I could follow and point a hotel at to follow?)

gimmespamnow wrote:...we also have to assume the network past the WiFi is secure [...] and that you trust all the employees to not just not steal your luggage, but also to not add a device to the wiring closet...

Yes, locking the door doesn't secure the window. But there's no escaping trust - from hidden "capabilities" in the hardware to subterfuge in each piece of software you use and interact with, trust is involved. But at least we can make it require more sophisticated levels of espionage in order to do us harm.

What's your threat model here? What kind of attack are you trying to defend against that isn't better countered with TLS, DNSsec and/or a VPN?

Authenticating the network is useful only if your computer will provide some service to the local network that you don't want to provide to the rest of the world. When you connect to a hotel network to access the Internet, then the local network is just the first of many links that your packets will traverse. Attackers can be on any of those links, so your traffic must be secure end-to-end. What does it matter who the first link belongs to? Surely your laptop isn't configured to share your private files on every network you connect to?

ucim
Posts: 6859
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 1785: "Wifi"

Postby ucim » Sat Jan 14, 2017 11:41 pm UTC

Rombobjörn wrote:What's your threat model here? What kind of attack are you trying to defend against that isn't better countered with TLS, DNSsec and/or a VPN?
The threat I am thinking of is a rogue wifi spot with a name I would assume indicates it is run by the hotel I'm staying at. If all I know is HiltonWifi and connect to that, and it turns out to be a scammer in the building next door who named his rogue spot HiltonWifi, then I'm vulnerable to MitM at the very least. If MAC addresses were not (easily?) spoofable, and the hotel gave me the MAC addresses of their routers, and my wifi card told me what MAC address it was connecting to, then I could be sure that at least I was connecting to the wifi that I thought I was connecting to.

It also has to be something simple enough for the general user to accomplish (once told how), and it has to be simple to tell the user how to do. Something like "right click on the wifi icon and select Properties. It will show lots of technical data. Look for MAC address or Hardware Address. Ensure that the address shown is on this list. If it isn't, then you are not connecting to us."

Yes, the list would have to be kept up to date.

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Heartfelt thanks from addams and from me - you really made a difference.

rmsgrey
Posts: 3630
Joined: Wed Nov 16, 2011 6:35 pm UTC

Re: 1785: "Wifi"

Postby rmsgrey » Sun Jan 15, 2017 3:54 am UTC

ucim wrote:
Rombobjörn wrote:What's your threat model here? What kind of attack are you trying to defend against that isn't better countered with TLS, DNSsec and/or a VPN?
The threat I am thinking of is a rogue wifi spot with a name I would assume indicates it is run by the hotel I'm staying at. If all I know is HiltonWifi and connect to that, and it turns out to be a scammer in the building next door who named his rogue spot HiltonWifi, then I'm vulnerable to MitM at the very least.


MitM of what? If you're communicating outside the hotel, then you've got a whole world of middlemen you're vulnerable to; if you're communicating with the hotel (or what you believe to be the hotel), what data are you happy to share with the hotel, but not with some other WiFi network?

Rombobjörn
Posts: 147
Joined: Mon Feb 27, 2012 11:56 am UTC
Location: right between the past and the future

Re: 1785: "Wifi"

Postby Rombobjörn » Sun Jan 15, 2017 3:01 pm UTC

rmsgrey wrote:
ucim wrote:
Rombobjörn wrote:What's your threat model here? What kind of attack are you trying to defend against that isn't better countered with TLS, DNSsec and/or a VPN?

The threat I am thinking of is a rogue wifi spot with a name I would assume indicates it is run by the hotel I'm staying at. If all I know is HiltonWifi and connect to that, and it turns out to be a scammer in the building next door who named his rogue spot HiltonWifi, then I'm vulnerable to MitM at the very least.

MitM of what? If you're communicating outside the hotel, then you've got a whole world of middlemen you're vulnerable to

Right, and TLS, DNSsec and VPN protocols are designed to prevent all the middlemen in the whole world from attacking you – including the one next door. That's why I'm asking: What kind of attack are you afraid that the scammer in the building next door will carry out, that TLS, DNSsec and/or a VPN won't prevent?

ucim wrote:If MAC addresses were not (easily?) spoofable

Anything that isn't cryptographically authenticated is easily spoofable, including MAC addresses.

ps.02
Posts: 378
Joined: Fri Apr 05, 2013 8:02 pm UTC

Re: 1785: "Wifi"

Postby ps.02 » Sun Jan 15, 2017 3:27 pm UTC

Rombobjörn wrote:
ucim wrote:If MAC addresses were not (easily?) spoofable

Anything that isn't cryptographically authenticated is easily spoofable, including MAC addresses.

Or, to put it in the most confusing way possible, anything is easily spoofable unless it's cryptographically authenticated, e.g., with a MAC. (:

ETA: Seriously, I've always been a bit baffled by all those people warning us about public wifi and how you have to be sooooo careful if you connect to it in order to work or whatever. There could be hax0rs! There could be eavesdroppers! I've always thought ... ummm ... compared to where else? The whole Internet has potential eavesdroppers at every level. And for a concrete example, you do realize your DOCSIS cable Internet service at home is a massive broadcast domain, right? That your "network neighborhood" is literally your real neighborhood? That anyone nearby with a cable modem can eavesdrop on you?

I mean, yes, it's true how unsafe public wifi is, but pointing it out implies that your home access is any safer.

tagno25
Posts: 36
Joined: Wed Dec 30, 2009 8:10 am UTC

Re: 1785: "Wifi"

Postby tagno25 » Sun Jan 15, 2017 6:27 pm UTC

ps.02 wrote:ETA: Seriously, I've always been a bit baffled by all those people warning us about public wifi and how you have to be sooooo careful if you connect to it in order to work or whatever. There could be hax0rs! There could be eavesdroppers! I've always thought ... ummm ... compared to where else? The whole Internet has potential eavesdroppers at every level. And for a concrete example, you do realize your DOCSIS cable Internet service at home is a massive broadcast domain, right? That your "network neighborhood" is literally your real neighborhood? That anyone nearby with a cable modem can eavesdrop on you?

I mean, yes, it's true how unsafe public wifi is, but pointing it out implies that your home access is any safer.


The last foot (server and client) is easier to hack/MiTM/sniff than the last mile or any other part of the transport, unless you are a government entity (or work at one of the ISPs on the path).

DOCSIS has link layer encryption. The DOCSIS BPI+ looks like it works similar to WPA-EAP-TLS.

Rombobjörn
Posts: 147
Joined: Mon Feb 27, 2012 11:56 am UTC
Location: right between the past and the future

Re: 1785: "Wifi"

Postby Rombobjörn » Sun Jan 15, 2017 7:49 pm UTC

tagno25 wrote:The last foot (server and client) is easier to hack/MiTM/sniff than the last mile or any other part of the transport, unless you are a government entity (or work at one of the ISPs on the path).

If you happen to be there in person, yes. The set of potential attackers is limited to the local neighbourhood plus those who are willing to travel to carry out their attack in your neighbourhood. People who know of a way to break into routers remotely, or to divert traffic through BGP hijacking, don't need to be physically present. They can attack you from anywhere in the world. Although a smaller percentage of people have those skills, it's a smaller percentage of a much greater population.

ucim
Posts: 6859
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 1785: "Wifi"

Postby ucim » Sun Jan 15, 2017 11:43 pm UTC

Rombobjörn wrote:The set of potential attackers is limited to the local neighbourhood plus those who are willing to travel...
...and a hotel wifi is a rich target.

Sure, if everything is encrypted end to end there should be no problem; a MitM can't do anything. However, if there is a weak point at the client machine (which is where the weak point is likely to be), then all the rest doesn't matter. And not everything is encrypted. Websites with logins often start http and then switch to https. This is an open invitation for a MitM to make the https request for you.

So... what is the "proper" way for a hotel guest to ensure that they are connecting to a wifi that is trusted, and what is the clearest way to explain it to them?

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Heartfelt thanks from addams and from me - you really made a difference.

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 4060
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: 1785: "Wifi"

Postby Soupspoon » Mon Jan 16, 2017 12:08 am UTC

RJ45 port on the wall by the bed-backboard/above the writing-desk? (The other end of the Cat5/6 not emerging near that icemaker, ideally. A vented corner of the nearest service cupboard, probably. Then you only have to worry about the hacker tendencies of maids who already routinely carry passkeys as a matter of hotel policy.)

Tub
Posts: 472
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: 1785: "Wifi"

Postby Tub » Mon Jan 16, 2017 12:23 am UTC

ucim wrote:So... what is the "proper" way for a hotel guest to ensure that they are connecting to a wifi that is trusted[..]?

You verify the 802.1X certificate. If the network doesn't have one, you don't trust the network. End of story.

I know you wish it was different, but it isn't.

tagno25
Posts: 36
Joined: Wed Dec 30, 2009 8:10 am UTC

Re: 1785: "Wifi"

Postby tagno25 » Mon Jan 16, 2017 1:24 am UTC

ucim wrote:So... what is the "proper" way for a hotel guest to ensure that they are connecting to a wifi that is trusted, and what is the clearest way to explain it to them?


The "proper" way for the hotels is to use Hotspot 2.0 (ideally release 2), WPA2-EAP, or not to even offer wifi. We all know that most hotels would never choose the last one in a competing market, but the other two could allow them to advertise that they have better "protection" than some of their competition.

ucim
Posts: 6859
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 1785: "Wifi"

Postby ucim » Mon Jan 16, 2017 3:11 am UTC

tagno25 wrote:The "proper" way for the hotels is to use Hotspot 2.0 (ideally release 2), WPA2-EAP, or not to even offer wifi.
Not offering wifi is a nonstarter. That's like a bank not offering a safe deposit box "for security".

Is WPA2-EAP an alternative to Hotspot 2.0, or is that what it entails?

If a hotel offers WPA2-EAP or Hotspot2.0, how does a hotel guest easily know that that is what is being connected to? (Can a guest not set up a rogue WPA2-EAP hotspot?)

Jose

tagno25
Posts: 36
Joined: Wed Dec 30, 2009 8:10 am UTC

Re: 1785: "Wifi"

Postby tagno25 » Mon Jan 16, 2017 3:47 am UTC

ucim wrote:Is WPA2-EAP an alternative to Hotspot 2.0, or is that what it entails?

If a hotel offers WPA2-EAP or Hotspot2.0, how does a hotel guest easily know that that is what is being connected to? (Can a guest not set up a rogue WPA2-EAP hotspot?)


WPA2-EAP and Hotspot 2.0 are two different but similar animals.

WPA2-EAP (PSK) would require a username and password, and the authentication server would have a valid TLS certificate. Devices warn when there is an invalid certificate, at least they are supposed to. That would make the barrier for entry harder.

Hotspot 2.0 (R1) required that the user first add a profile to their device before they are able to connect to the network. R2 is supposed to fix that, but not many devices support it yet. It would also require a valid certificate for the authentication server, but one hotel chain could have a single authentication server for all its properties. Once you have connected at one property, then you could go to any other property and would automatically and securely connect.
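
The client side of the WPA2-EAP certificate check discussed in the posts above, as an added example that is not from any poster: a wpa_supplicant network block that accepts any authentication-server certificate, beside one pinned to a CA and a server name. The SSID, identity, password, CA file path and domain are made-up placeholders.

```conf
# Constructed example. Use one block or the other, not both.
# SSID, identity, password, CA path and domain are placeholders.

# Weak: no ca_cert (or ca_path), so wpa_supplicant does not verify the
# server certificate. Any access point announcing this SSID is accepted
# as the authentication server.
network={
    ssid="ExampleHotelWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="room1234"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Pinned: the server certificate must chain to this one CA file, and its
# SubjectAltName dNSName (or the CN, if the certificate has no dNSName)
# must end in the given domain. A certificate that is merely "valid"
# under some other CA or name is rejected before the password is sent.
network={
    ssid="ExampleHotelWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="room1234"
    anonymous_identity="anonymous"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/example-hotel-ca.pem"
    domain_suffix_match="radius.hotel.example"
}
```

The CA file and server name have to reach the guest through a channel the access point does not control, such as a printed sheet or a provisioning profile; an SSID plus a certificate that validates against the system trust store does not tell two same-named networks apart.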

Solra Bizna
Posts: 59
Joined: Fri Dec 04, 2015 6:44 pm UTC

Re: 1785: "Wifi"

Postby Solra Bizna » Mon Jan 16, 2017 6:03 am UTC

Appropriately, I spent all day today fixing the wireless in my fiancée's new laptop. Turns out whoever designed its board connected the antenna to the wrong pin. It worked on Windows, naturally, presumably by using the same hack very recent Linux drivers have.

ucim
Posts: 6859
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 1785: "Wifi"

Postby ucim » Mon Jan 16, 2017 4:05 pm UTC

Ok, so I see two listings in my wifi: HiltonHotelWifi, and HiltonHotelWifi.

Both use hotspot2

Both have a valid TLS certificate. Both require username and password. Both accept the password given by the hotel documentation.

One of the certificates belongs to International Hotel Services. The other belongs to IHS Inc.

One of them actually belongs to the hotel, the other is a rogue site. Which one is it?

Jose

Rombobjörn
Posts: 147
Joined: Mon Feb 27, 2012 11:56 am UTC
Location: right between the past and the future

Re: 1785: "Wifi"

Postby Rombobjörn » Mon Jan 16, 2017 4:46 pm UTC

ucim wrote:However, if there is a weak point at the client machine (which is where the weak point is likely to be), then all the rest doesn't matter.

OK, now we're not talking about a man-in-the-middle attack on your communication, but a direct attack on your computer. If the vulnerability can be exploited with any kind of routable message, then you are again vulnerable to attacks from anywhere in the world. For security of the local link to be relevant, it would have to be a vulnerability that can only be exploited by non-routable means, such as a broadcast packet or a link-local address. That's theoretically possible, but it's a rather narrow category of vulnerabilities. And even if you're connected to the actual hotel network, the attacker can still check in at the hotel and attack you from within the hotel network.

Did you expect the hotel to protect you with a firewall? A firewall that allows guests to do anything they might legitimately want to do, but stops all malicious packets, even previously unseen attacks? Nope, magic firewalls don't exist, and hotel staff can't be expected to be masterly network technicians anyway. If you travel with a computer, then you must keep your OS correctly configured and up-to-date with security patches. There is no way around that.

ucim wrote:And not everything is encrypted.

Thanks to Snowden things are now slowly moving in the right direction, but yes, there is still work to do to get encryption enabled everywhere. Don't use the unencrypted stuff for anything important.

ucim wrote:Websites with logins often start http and then switch to https. This is an open invitation for a MitM to make the https request for you.

Then you must check, once you are on the secure part of the site, that you're still on the right site and that the certificate is valid. Does your browser show the locked padlock icon and the correct domain name? Don't enter your passphrase or any sensitive information, and don't trust any sensitive information that might be displayed, until you've checked this. You can also bookmark the secure login page and go directly there.

