Defcon "Warballoon" Finds 1/3 of Wireless Networks Unsecured 209
avatar4d writes "Networkworld is reporting about a warballooning operation (similar to wardriving) that was disallowed by the management at the Riviera Hotel in Las Vegas, but was covertly launched anyway. The team found approximately 370 networks, and about a third of those were unsecured. In addition to that, the project managed to show how trusting the local law enforcement agencies really were: 'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'"
So let's get this straight (Score:5, Insightful)
If the police flip out over something we do, they're overreacting idiots that don't understand technology.
But if the police don't flip out over something we do, they're underreacting idiots who aren't keeping us safe.
Mmkay.
The Police just waved? (Score:5, Insightful)
Re:i hate you all (Score:2, Insightful)
From TFA
Something less bellicose might not have caught anyone's attention.
A better word than bellicose would be childish.
Re:Only 1/3? (Score:5, Insightful)
Re:The Police just waved? (Score:5, Insightful)
Agreed. The statement in the summary "...the project managed to show how trusting the local law enforcement agencies really were..." infuriates me. Police are not supposed to be harassing people left and right, trying to uncover illegal or just unsanctioned activities. The police were friendly, waved, and didn't bother to investigate something that by all rights did not look overtly illegal. They acted appropriately.
I would much prefer that law enforcement err on the side of trust and friendliness. This probably means that some fraction of illegal actions will go undetected and unpunished (note that only a small fraction of those illegal actions are truly dangerous and unethical)... but that is the 'price' of freedom.
Again, I applaud the police for not flipping out when they see people engaging in activities that they don't exactly understand (but for which there is no evidence of illegal action).
And what did you want the police to do? (Score:5, Insightful)
Oh now they're too trusting?!
What do you want?!
Should they have played hardball and interrogated them, maybe arrested them and confiscated their equipment until they could ascertain they were safe so you could have a post about "out of control" law enforcement again?
Perhaps they should've called out the bomb squads ala the Mooninites bomb scare? [wikipedia.org]
I, for one, vastly prefer this response.
Re:So let's get this straight (Score:5, Insightful)
You make a good point, however I guess I would ask why any rational society would expect just those two modes of operation. Neither seems that useful. Wouldn't it be more logical to expect either the police to come over and say hi, or to take a note of the registration and car details (not necessarily visibly)? A standard social engineering technique used time immemorial has been to look as though you should be somewhere. Only an idiot looks suspicious, and it's not the idiots who should concern the police the most.
In the first case, it's basic community policing 101. You don't prevent crime by looking intimidating, you prevent crime by being aware of what's happening and understanding why. The second option also works on the premise of being aware, but looks for standard social engineering practices and patterns, rather than cause-and-effect.
In neither case is flipping out a productive or useful method. It doesn't help you recognize where or when problems are likely to occur, and only helps you catch the more dysfunctional criminals who are likely causing the least of the social headaches. However, it is by far the most common method used, because it's easy. Catching competent criminals is much harder, much more expensive, and gives a police department a worse score on offenses dealt with.
Re:Networks on The Strip (Score:5, Insightful)
Exactly. 1/3 is actually a pretty good number, and shows that the casinos are taking security seriously. Plus, I wonder how many networks they didn't even see because they weren't broadcasting their SSIDs. This whole thing seems to be much more about doing something cool and making a lot of noise than any kind of serious analysis.
Sounds good (Score:3, Insightful)
Not 'Unsecured'. It's 'Open System' (Score:5, Insightful)
802.11 APs that people refer to as being 'unsecured' are in fact broadcasting a beacon declaring them to be 'Open System'. It is right there in the spec, section 8.2.2.2 .
'Open System' means exactly that. Come on it. We're open.
This is a good thing. I don't secure my wireless LAN. I secure my computers. If people want to borrow a bit of my bandwidth, go right ahead. My neighbor does it all the time when he can't get his crappy cable internet to work.
This should be encouraged. Call them 'Open' and call it a good thing.
Re:Networks on The Strip (Score:4, Insightful)
Re:So let's get this straight (Score:1, Insightful)
I think its more likely that the local police know that Defcon is attended by law enforcement officials from local to international jurisdictions, intelligence analysts and operatives, the press, professional and academic security researchers, various *Hats, and finally your slightly anti-social hacker geeks. That makes its difficult for the local police to know who they can bust without suffering any career-ending consequences.
Why shouldn't they be? (Score:3, Insightful)
Why shouldn't they be? Why should people out in the open with laptops automatically be assumed to be criminals? No matter what they were doing, odds are the cops wouldn't have to technical knowledge to make a proper judgment anyway. Suppose these guys really were up to no good, and the cops questioned them about it. "We're just playing some network video games officer."
Or is the use of a portable computer in public now considered criminal behavior?
solution to problem (Score:2, Insightful)
Log into their routers and turn the security on for them.
You know 98% of those unsecured APs also had the default password, right?
But seriously, is it now illegal to scan for networks to see how many are unencrypted???
I would say the only hint of anything illegal would be if they logged on to the networks. But even that shouldn't get the police to come and beat you.
Transporter_ii
"Unsecured" does not mean wide open.. (Score:1, Insightful)
Just because there is no WEP/WPA running, it does not mean the network is insecure or wide open - did they actually bother to test this, or they are calling these scores simply based on the presence or lack of WEP/WPA? There are plenty of solutions sitting on channels that are unencrypted on link-level, like f.e. a simple VPN tunnel, or an authorative gateway.
Tempest in a Teapot (Score:5, Insightful)
You say that like it's a bad thing. Most WiFi networks are of such low power to render them effectively useless beyond a few feet of the origin of the signal. In my neighborhood with houses on half-acre to acre lots I can detect half a dozen networks. A couple are 'insecure,' but the signal is one bar in strength. Besides, I'm detecting them with my own network, so why do I want to 'steal' their bandwidth? Mine is faster. There aren't many people who want to cruise the neighborhood looking for unsecured signals so they can use their laptop in the privacy of their own automobile to surf the net. How uncomfortable is that? I surf with my feet propped up, a beer on the table, and the dog curled up at my feet.
Then there are those networks that are intentionally unsecured. The local library has a router intentionally pointed at the parking lot (Gasp!) In the downtown area every hotel is within range of an unsecured network. They even have a placard that tells you how to connect--free!
Sure, there are probably guys into taking advantage of you if your network is unsecured. Perhaps the issue is more prevalent in an apartment house or a dorm than single family residences, but I think this is more of a theoretical issue than a practical one. You can hypothesize your way to wild conclusions, but in the end, is this REALLY a serious problem?
Re:i hate you all (Score:5, Insightful)
More to the point about finding unsuspecting piggybackers, I don't see how it should be expected that the law should get involved to quickly unless a serious crime has been committed. I find this particularly alarming:
So they'd prefer if the police stopped and strip search everyone doing something they considered suspicious? What kind of hackers are they if they think authority needs to always get up close and personal with anyone doing anything remotely out of the ordinary.
It's a good thing that the police had a look, could see that a crime wasn't being committed, and decided to continue looking for something worthy of their time, not a bad thing as the absurd summary seems to suggest.
Socially Engineering the Police (Score:3, Insightful)
They were cool and casual, and did not run from the cops. If they had stared at the cruiser with that "OMG, we're busted" look, or even worse, run away; there might have been trouble. You hear stories like this all the time--the guy who gets pulled over for a warning about going 10 miles over the limit, and he's cool and the cop never finds out he's got joints in the glovebox. Then, on the other side there's the guy who's initially done nothing wrong and ends up getting his whole car searched by dogs, and getting detained for an hour just because he acted suspiciously.
Re:i hate you all (Score:1, Insightful)
Why does everybody jump on that? The article is a statement of fact. The police came by and looked, the hackers waved at them, the police waved back. Where's the criticism? It could just as well mean that the authors were delighted and found it commendable that the police did not make a fuss about an innocent site survey. Give the police some credit. Maybe they're not "trusting" but exhibiting good situational awareness?
Re:Tempest in a Teapot (Score:3, Insightful)
The attacker wouldn't necessarily own a house in your neighborhood either. Maybe they rented a van? Maybe one of your neighbors is in a position at work that puts them in touch with sensitive data, and someone follows them home? Or, maybe someone launches a balloon 4 or 5 miles away and collects everything scattershot for a couple of hours, then hones in on those interesting location in a car. As unlikely as those scenarios are, why not just click the damn "WPA2" radio button on the stupid gui and make yourself a somewhat harder target?
Re:cops just waved (Score:3, Insightful)
"wtf are you talking about? korea has more fiber backbone than the US. Its government funded much so like land lines and telephone poles are here. I know a few korean gamers as well after playing gunz online a bit. Like the #1 fps I bet even more hacked/modded than quake."
You don't know the difference between North and South Korea.
Are you an American?
Thanks for the sour persimmons, cousin. (Score:3, Insightful)
.
and the next time the geek pulls some damn full stunt in Vegas will the cops be so warm and fuzzy?
Meaningless figures (Score:4, Insightful)
Stories keep getting posted about the number of networks which are unsecured like it's some kind of problem. The vast majority of those networks are SUPPOSED to be unsecured. They're probably open networks designed for free public use - like the ones you get around New York parks which have been installed by Google or the hotpots in coffee shops such as Starbucks.
In the UK, all BT Openworld public access hotspots are unsecured as well. You can't actually use them though, unless you log in as they have an HTTP intercept until you log in.
Unless they can differentiate between intentionally open public hotspots in Starbucks (etc) and unsecured home access points in naive people's houses, then any figures are totally meaningless.