AT&T WiFi at McDonalds, etc

On Fri, 02 Nov 2007 10:58:52 -0700, Jeff Liebermann wrote:

I was referring to security, not reliability -- sorry for not being more clear. No matter how secure the wireless connection itself appears to be, without VPN you're still vulnerable to hacking or other compromise of the local infrastructure (wired as well as wireless). VPN keeps you secure to the remote endpoint.

From the client point of view, VPN, when installed and configured to set up and authenticate automatically, is a universal no-brainer, and the best way to ensure security (IMHO at least).

The remaining vulnerability is then the client computer itself, which is why I use and recommend ThinkPad computers with security configured appropriately. Steal my ThinkPad and you still wouldn't be able to compromise my VPN (or anything else) -- even the hard disk is secure. You'd have to grab it after I logged on and before I logged off or it logged itself off automatically, which isn't bloody likely. You'd also have to deal with my motion detector alarm. ;)

John Navas

I used to enjoy the cloaking of a VPN, but ours was changed to a split tunnel, which exposes me to more traffic than I care for, and the default is to only route traffic that needs to go into the VPN across the VPN.

Right now I'm stuck with split tunneling, because I need simultaneous access to two VPNs. I suppose I could adjust my routing to remove the DHCP-supplied gateway as soon as one of the VPNs became available.

dold
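The split-tunnel exposure described in the post above can be checked from a routing table. This is an added example, not part of the original post; the interface names (`wlan0`, `tun0`, `tun1`), the address ranges and the helper names are all assumptions made for illustration.

```python
import ipaddress

# Constructed routing table (prefix, interface); all names and ranges are assumed.
# wlan0 faces the hotspot, tun0 and tun1 are the two VPN tunnels.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),       # DHCP-supplied default gateway
    ("192.168.1.0/24", "wlan0"),  # hotspot LAN
    ("10.0.0.0/8", "tun0"),       # first VPN's internal range
    ("172.16.0.0/12", "tun1"),    # second VPN's internal range
]
TUNNELS = ("tun0", "tun1")


def egress(routes, dest):
    """Longest-prefix match: interface that carries traffic to dest, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def exposed(routes, dests):
    """Destinations that are reachable but leave outside every tunnel."""
    return [d for d in dests if egress(routes, d) not in TUNNELS + (None,)]


def drop_default(routes):
    """Remove non-tunnel default routes, as the post suggests doing once a VPN
    is up. Real setups must keep host routes to the VPN servers themselves."""
    return [(p, i) for p, i in routes
            if i in TUNNELS or ipaddress.ip_network(p).prefixlen != 0]


if __name__ == "__main__":
    dests = ["10.1.2.3", "172.20.0.5", "203.0.113.10", "192.168.1.1"]
    print("split tunnel, outside VPN:", exposed(SPLIT_TUNNEL, dests))
    hardened = drop_default(SPLIT_TUNNEL)
    print("default removed, outside VPN:", exposed(hardened, dests))
    print("203.0.113.10 now routed via:", egress(hardened, "203.0.113.10"))
```

With the default route gone, Internet destinations become unreachable rather than exposed, while the hotspot LAN itself stays reachable outside the tunnels.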

I think it started as the "free wi-fi" from AT&T, but it was about the appearance of it at McDonald's.

Do they have both a Wayport SSID and an attwifi SSID? In my case (the only McDonald's I've tested), the two SSIDs were very similar strength. There are only two McDonald's around here, and the "close" one doesn't have wireless.

dold

Dunno, but I'll find out on my way home tonite. As I previously mumbled, I've given up on junk food and don't frequent McDonald's. From my Netstumbler logs, it's probably "Wayport_Access" and "AT&T Wireless". Since the signal strength seems to be identical, they are probably running dual SSIDs on the same access point.

Jeff Liebermann

I don't see how. Each session has a unique WPA encryption key. In order to do a man in the middle, session hijack, or AP impersonation, the attacker would need to first crack the WPA key. Since it's not stored in the clear anywhere except in the RADIUS server (argh, I forgot to encrypt it in the SQL database), it can't be extracted and has to be cracked.

Assumption, the mother of all screwups. Yeah, that's true. A very quick Google search didn't show any vulnerabilities. I'll do some more digging on the security sites tonite.

True. Frankly, I don't care if it's not universal. I'm trying to give my customers some added security by making their hot spots sniff proof. If the others want to follow my lead, I'm all for it.

True. I can't do anything about the real possibility that someone might plug into the ethernet and try to sniff the traffic. However, that's very difficult with an ethernet switched network. The router traffic all goes directly to the internet. Another local computer plugged into the switch sees nothing. Someone could substitute a 10/100 hub for the ethernet switch, but that's getting a bit far fetched.

You were clear enough, but used a bad choice of words. Login and password are authorization. 802.1x and RADIUS are authentication.

Which flavor VPN? PPTP, L2TP, IPSec, or SSL. IPSec can be a mess. The others are very easy at the client end.

I'll spare you my horror stories of VPN client compatibility. I recently spent a fun afternoon trying to bludgeon the Cisco VPN client 3.7 into connecting to a Watchguard SOHO 10 router v5.0. No luck. However, the new GreenBow IPSec client worked, so the customer is now debating either replacing a $500 router and licenses, or paying $45/seat. IPsec VPN may be more secure, but compatibility with existing hardware is not one of the strong points.

I wish you hadn't asked that. On one of my laptops, I have 3 different boot profiles, to handle 3 different IPSec VPN shims that refuse to coexist in the IP stack. My other two laptops have nothing, mostly because I don't use them at hot spots. I do use them at clients, but most (not all) of those use WPA-PSK. My Windoze Mobile 2005 PDA can probably use a VPN client, but I haven't even looked for one to use.

Incidentally, I finally bought a Canon S5-IS camera. I doubt it will improve my photography, but it sure looks impressive. Anything with that many buttons must be powerful.

Jeff Liebermann

On Fri, 02 Nov 2007 23:11:26 GMT, Jeff Liebermann wrote:

Simply by spoofing the SSID. ;)

I'm guessing it would be fairly easy to hack at least some RADIUS servers to hand out the same session key.

Different strokes -- I'm usually concerned with wireless clients, not wireless hosts. Nonetheless, I'm going to keep this in mind for when I do work with hosts.

Trust me, I've seen it. "How did that get in the closet?!"

With all due respect, you're splitting hairs, and it's debatable in any event -- I'm also referring to the issue of SSID spoofing.

It all depends -- probably TLS most often.

Fair enough, but once working, it tends to stay pretty smooth in my experience.

Cool! I recently upgraded to a Panasonic DMC-FZ8, which is comparable.

Pretty impressive night shot on full auto: [link]

Action shots on the water: [links]

Have fun with your new camera!

John Navas

I didn't _eat_ there! The last time I ate at McDonald's was in Maidstone, England. I didn't even get out of my car. I picked what I thought was a parking place close enough to the building, and fired up the laptop.

The inside of several of these "let's get Wi-Fi to draw in more customers" locations is too loud for my tastes, especially for a VoIP phone conversation. Besides, I wasn't mooching free Wi-Fi. I was using an advertised location of my ISP.

That was my thought, dual SSIDs. I didn't say that out loud, because I wasn't sure it was routinely possible. I don't have logs, but I did save a profile called attwifi.

Oh, the mappiness of it all... I was going to see if they listed the SSIDs. The McDonalds restaurant locator says 1077 LAKEPORT BLVD, LAKEPORT, CA 95453-0058, but the snippet of map shown has the icon in altogether the wrong spot, on the wrong side of the freeway. If I search for McDonalds in Google Earth, it has a different address, 1400 Todd Rd Lakeport, CA 95453, in a different wrong spot, but at least it's on the right road. If I were getting off the freeway, I would see McDonald's and forget about the map. If I search for 1077 LAKEPORT BLVD in GE, that's about the right spot.

If I search jiwire, I get the 1077 address and a snippet of map that is too small to be helpful, but looks like the right place ;-) Gack, the "driving directions" on jiwire stink.

Odd, jiwire asks you for the SSID and MAC when you add a location to jiwire. I keep meaning to see if that is tied into the Microsoft Locate Me database. I thought it would be listed with the hotspot information.

dold

One AP, but dual SSID. I've seen the gear in the back room.

nevtxjustin

snipped-for-privacy@22.usenet.us.com hath wroth:

In Scotts Valley, CA, the local McDonalds shows:

SSID=Wayport_Access

SSID=attwifi

It's a dual SSID access point. The MAC addresses were sequential and the signal strengths identical. Signal strength was about -65dBm on my cell phone in the parking lot. I arrived about midnight and they were closed. I was too tired/lazy to try logging in and surfing. Maybe later.

Scotts Valley has a strip mall I call "junkfood row". It has McDonalds, Burger King, Subways, Taco Bell, a pizza joint, and several small takeout places and sandwich shops. More of the same on the other side of the road. I only saw wireless SSIDs from McDonalds and some of the pizza. Nothing from the other fast food dispensaries.

That would make a good conspiracy theory. It should be easy enough to compare results. (Translation: I'm too lazy to do it).

Maybe a new site: "Hidden SSID's of the rich and famous."

Drivel: One of my friends was trying to be helpful with his new GPS by supplying me with "exact" locations of local cell sites and access points. Everything was about 200ft off towards the west. I soon determined that his GPS was set for NAD27 datum, while most everything else is WGS84. Anyway, many of the databases were generated from Netstumbler logs, which locate hot spots in the middle of the road where the sniffer was located, and not at its actual location. If the data was generated with a high gain directional antenna, it's possible to pick up APs that are located quite far from the road, resulting in even larger position errors. Few war drivers seem to correct their log files before posting them.

Jeff Liebermann
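The dual-SSID inference in the post above (sequential MAC addresses, identical signal strength) can be applied to scan results mechanically. This is an added example, not part of the original post; the scan rows, the tolerances and the function names are constructed for illustration, and the grouping is a heuristic rather than proof of shared hardware.

```python
from collections import defaultdict

# Constructed scan results: (SSID, BSSID, channel, RSSI in dBm).
SCAN = [
    ("Wayport_Access", "00:11:22:33:44:50", 6, -65),
    ("attwifi",        "00:11:22:33:44:51", 6, -65),
    ("PizzaPlace",     "00:aa:bb:cc:dd:10", 11, -78),
    ("attwifi",        "00:99:88:77:66:01", 1, -40),
]


def mac_int(bssid):
    """BSSID as an integer so that 'sequential' can be tested numerically."""
    return int(bssid.replace(":", ""), 16)


def group_radios(scan, mac_gap=1, rssi_tol=3):
    """Cluster beacons that look like one physical AP: same channel,
    BSSIDs at most mac_gap apart, RSSI within rssi_tol dB of each other."""
    groups = []
    for entry in sorted(scan, key=lambda e: mac_int(e[1])):
        _, bssid, chan, rssi = entry
        last = groups[-1][-1] if groups else None
        if (last and last[2] == chan
                and mac_int(bssid) - mac_int(last[1]) <= mac_gap
                and abs(rssi - last[3]) <= rssi_tol):
            groups[-1].append(entry)
        else:
            groups.append([entry])
    return groups


def ssids_on_several_radios(scan):
    """SSIDs advertised by more than one inferred radio."""
    seen = defaultdict(set)
    for idx, group in enumerate(group_radios(scan)):
        for ssid, *_ in group:
            seen[ssid].add(idx)
    return sorted(s for s, radios in seen.items() if len(radios) > 1)


if __name__ == "__main__":
    for group in group_radios(SCAN):
        print([f"{ssid} ({bssid})" for ssid, bssid, _, _ in group])
    print("SSIDs seen on several radios:", ssids_on_several_radios(SCAN))
```

A site with several legitimate access points will also show one SSID on several radios, so the second function only narrows down which beacons to look at when a venue is known to run a single AP.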

They have to get the location information from somewhere...

Maybe he was working from paper USGS Topo maps, which are NAD27, or at least, doing that often enough that he keeps his GPS set that way.

Point of highest SNR, IIRC, so unless you drove over the top of the antenna, it likely would not be "correct". I went to the effort of mapping the strengths in one of the available exports from NetStumbler to semi-triangulate the signal, but if you're in a car, that's kinda directionally biased.

dold

snipped-for-privacy@22.usenet.us.com hath wroth:

Yep. That's what he was doing. Most printed USGS maps are still NAD27. They are sloooooooooooowly moving toward NAD83, which is almost identical to WGS84. I've been told that their new satellite based (SRTM) maps are going to be WGS84 based, but that's not official yet. Meanwhile:

I was thinking of building a rotating directional antenna contrivance. It would record a series of vehicle positions and bearing (maximum signal strength) lines, which would hopefully cross at the real location. That's the way I do hidden transmitter hunts.

Jeff Liebermann
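The crossing-bearings idea in the post above amounts to a small least-squares problem. This is an added example, not part of the original post; it assumes vehicle positions have already been converted to a local flat grid in metres using one datum, and the function names and sample drive are constructed for illustration.

```python
import math


def bearing_to(frm, to):
    """Bearing in degrees clockwise from north, from point frm to point to."""
    return math.degrees(math.atan2(to[0] - frm[0], to[1] - frm[1])) % 360


def locate(fixes):
    """fixes: list of (east_m, north_m, bearing_deg) taken at each stop.
    Returns the (east, north) point minimising the squared perpendicular
    distance to all bearing lines, or None if the lines are parallel."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    for e, n, brg in fixes:
        t = math.radians(brg)
        nx, ny = math.cos(t), -math.sin(t)  # unit normal to the bearing line
        c = nx * e + ny * n                 # line equation: nx*x + ny*y = c
        a11 += nx * nx
        a12 += nx * ny
        a22 += ny * ny
        b1 += nx * c
        b2 += ny * c
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None  # all bearings parallel: no crossing point
    return ((b1 * a22 - b2 * a12) / det, (a11 * b2 - a12 * b1) / det)


if __name__ == "__main__":
    # Constructed drive: three stops along a road, transmitter at (100, 50).
    ap = (100.0, 50.0)
    stops = [(0.0, 0.0), (50.0, 0.0), (150.0, 0.0)]
    exact = [(e, n, bearing_to((e, n), ap)) for e, n in stops]
    print("exact bearings  :", locate(exact))
    # Same stops with bearings read to the nearest degree.
    print("rounded bearings:", locate([(0, 0, 63), (50, 0, 45), (150, 0, 315)]))
```

Each bearing is treated as an infinite line, so the result says where the lines cross best, not which side of the vehicle the transmitter is on; stops spread along the route keep the lines from being near parallel.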
