Disney World Goes 802.11b
LighthouseJ writes "Over at CNN they report that Disney World in Florida has a 47-square mile 802.11b wireless LAN through the park with 200 access points. The move comes after visitors' complaints that they couldn't use credit cards at every place in the park. Plus, it allows "cast members" to offer guests goods and services anywhere, not restricted to where the credit card machine is at. The man responsible, Murshid S. Khan, Director of Telecommunications and Technology Support, sees this as a valuable technology, citing mobility and flexibility as the main reasons for the switch.
Khan goes on to say that the system is protected by a 128-bit encryption scheme and software installed to detect intrusions.
When he was asked if visitors will have access to the wireless network, CNN quotes him as saying: 'We need you to come to the park and enjoy the park,' he said. 'If we start opening Internet cafes, you won't do that.' He's a smart man." So, running AirSnort wouldn't probably be the best idea? *grin*
How long will it be? (Score:2, Interesting)
If rather than when (Score:2, Insightful)
If you were planning to crack a network and steal purchase information, there's easier places, like dumpster diving, as I still see the occasional receipt with full number and expy on it blow down the streets with other stray litter.
Really? (Score:2)
Re:Really? (Score:2)
Useful if you can extract the value afterwards... (Score:2)
How long will it be before they get nailed anyway? (Score:3, Informative)
It's pure bravado that bases their claims of security- unless they have a security staff sweeping the entire park with DF gear, they're NOT going to catch anyone doing something illegitimate on their WLAN.
Re:How long will it be before they get nailed anyw (Score:1)
We already know that, and probably Disney does too. But who says that they aren't using some application-level encryption on top of WEP? Crack WEP, and you'll be staring at an additional layer of encryption (SSL, whatever).
Compared to IPSec, SSL is weaker... (Score:2)
Probably more protection than WEP (Score:2)
Re:Probably more protection than WEP (Score:1)
I'm inclined to agree with you that Disney couldn't possibly be dumb enough to rely on WEP alone, but then I wouldn't have thought ETrade was stupid enough to put their login credentials in a cookie vulnerable to cross-site scripting attacks [securityfocus.com] either.
Re:Probably more protection than WEP (Score:2, Informative)
Granted there are attacks against WEP, but they are _trivial_ to defend against if one knows what they are doing. I think Disney probably employs a few network security engineers and consulted with the big boys before they deployed this.
All those who keep claiming that 802.11 is insecure
a) don't really know what they are talking about
and
b) are repeating some other chicken little's BS
WEP can certainly be deployed insecurely, and by default will keep out a determined enemy for less than 2 days, but that does not mean 802.11 cannot be deployed securely. If you use the right hardware and configure it correctly, 802.11 is as secure as a wired LAN. Add to that some type of VPN and it's probably more secure than most wired LANs.
Re:Probably more protection than WEP (Score:2, Insightful)
> If you use the right hardware and configure it correctly 802.11 is as secure as a wired LAN
I think this is what you meant, but "correct configuration" in this context generally means walling off wireless portions of the network in the same manner as you wall off the internet. By treating the 802.11 segment(s) as potentially insecure, you can maintain your overall security posture.
Re:Probably more protection than WEP (Score:2)
I want to know... (Score:5, Funny)
Re:I want to know... (Score:3, Interesting)
'Course, I'm totally clueless about the jam-resistance qualities of 802.11. I suppose that it's actually pretty hard to disrupt the signal with interference, otherwise it wouldn't make a terribly good wireless protocol...
Re:I want to know... (Score:3, Interesting)
Things the visitor can do besides surf the web (Score:5, Interesting)
Still, just as is, it is cool.
Re:Things the visitor can do besides surf the web (Score:5, Interesting)
Also could be used to collect better metrics on which Guests prefer which attractions. Like Slot Club cards at casinos. Maybe you can get perks if you blow a lot of money in the gift stores (Glass Castle anyone?)
I'm sure there's other uses too.
Re:Things the visitor can do besides surf the web (Score:2, Interesting)
They have similar things already in use in theme parks. A water park I went to last summer had a system where you would check out a transmitter for each family member, on a wristband like a watch. You could take your transmitter to a viewing station and it would pinpoint on a map where the other members of the group were. So the kids can go off on their own and the parents can still keep tabs on them, or large groups don't have to wander around looking for each other. Pretty slick, IMHO.
Re:Things the visitor can do besides surf the web (Score:2, Funny)
> security desk, and they can find what AP your kid
> is closest to.
%shell%: ping johny.doe.disneyland.disney.com
ping: unknown host johny.doe.disneyland.disney.com
"ah... Mam... We have a problem..."
Re:Things the visitor can do besides surf the web (Score:2)
Re:Things the visitor can do besides surf the web (Score:4, Insightful)
"entire system was on its own isolated network" (Score:1)
you mean a wireless isolated network...
wireless as in broadcasted ?
that + isolated is quite a nice one 8)
Encrypted as in "please hack me, cos I'm full of family card codes and serialz" ?
Oh, isolated as in "no internet connection".
Yes ! an isolated broadcasted encrypted credit card numbers cahoot !
in a place full of "teenagers" that could try to snort & hack...
Possibly using a Palm VII (or wireless Pocketpc) to catch and forward the packet...
Oh God, I think I'll try and take a vacation. possibly in Orlando 8)
Why ain't I 15 !?!
Re:Things the visitor can do besides surf the web (Score:2)
Hmmm... SNA would be cool
Re:Things the visitor can do besides surf the web (Score:3, Interesting)
Lots of people collect "character" autographs (yes really), it wouldn't be hard to have these devices tell you where characters are in the park. The commercial applications of this are simply astounding... the only reason I can think of for Disney not utilizing it is the fear of someone breaking the system. To me, that says the security is sub-par.
Re:Things the visitor can do besides surf the web (Score:2)
I'd have to disagree with that. Running some sort of public access network on the same wireless segment you are doing credit card authorizations on would be silly.
Re:Things the visitor can do besides surf the web (Score:1)
But if that's the case, why are they allowing credit card numbers to go through it? Anyways, great ideas. The character seeker would be HUGE.
Lines at Rides (Score:1)
Hey, my GPS can do that! And considering ±3 metres with the length of the usual line, that would produce a reasonable degree of accuracy. It would be pretty cool to spend a day at D/World or D/Land with a GPS tracking you around like Billy of Family Circus (BTW, there's a couple good spoofs of F.C. in the latest Bizarro [bizarro.com] collection.)
Still, you need something to do while standing in line at these parks for 40 minutes waiting to get on a 30 second ride.
"Look, mummy, is that man tying calculators together?"
"No, Bobby, he's a creep trying to crack the 802.11b network and 128bit encryption and steal our credit card info to sell to bin Laden"
Re:Things the visitor can do besides surf the web (Score:1)
They prolly wont do that? (Score:1)
Why should Disney care what I do? (Score:2)
After I've bought my ticket, I'm IN the park. IIRC, the rides don't cost anything but time after that. I'd much rather check tomorrow's weather on my Pilot, plan out my next day at Epcot while in line at Magic Kingdom's Pirates of the Caribbean, and just shoot out a quickie "Wish you were here" email over lunch, than have to wait until I get home to do these things.
It's not about 'enjoying the park'. It's about the cost of providing the additional service. It's always about the MONEY. This is DISNEY people.. They have a Copyright on FUN, remember?
Re:Things the visitor can do besides surf the web (Score:4, Informative)
I won't get into it because it's too OT, but they also have biometric scanners at the gates for season pass holders (no privacy policy, 'natch).
Porn on the roller coaster (Score:2, Funny)
Big deal (Score:1)
Scale is *the* problem (Score:3, Insightful)
It's not just a matter of buying 1000 whatevers that worked for the guy doing it for 150.
Re:Big deal (Score:1)
I think the point of the story is that Disney is using tech you can go buy down at Circuit City.
Re:Big deal (Score:2)
Old stuff (Score:3, Interesting)
Every (most) credit card has been a smartcard for 15 years in France. The credit card machine is in fact an autonomous code checker. It won't transmit your code over the air, but checks it locally, then makes a confirmation number that encrypts the acceptance code and your card references.
This number is either sent remotely for acceptance by the central bank computer (above $500) or just accepted locally if the amount is small.
Those devices previously existed with infrared transmission, and now use a local radio link.
This allows a faster and more secure way than just the stupid magnetic strip...
Hoping to read from you 8)
Smartcards in France. (Score:3, Interesting)
Then they threw him in jail for stealing the subway tickets. Anybody else remember this or have more info on it?
This is great! (Score:1, Redundant)
You know, some people go to Disney World to meet Mickey Mouse, others go for the rides. I think I'll go for the killer Quake III experience ;)
If they're smart, it won't be IP... (Score:3, Insightful)
Then again, larger companies have done dumber things...
-C
Re:If they're smart, it won't be IP... (Score:2)
Won't protect you much... (Score:2)
Re:Won't protect you much... (Score:2)
Also, it would allow them to come up with some really cool stuff built into the protocol, and perhaps even before the connection can be granted, the device has to be authorised to communicate by a central server based on a name. If someone tries to hack it, an alarm can sound and a built-in locator can give security the person's location. Creating their own protocol can reduce risk a tremendous amount and let them add nice features that you could not get in IP.
enjoy the park... (Score:3, Funny)
Imagine your laptop in one hand, some candy in the other one and getting chased by 23 security officers running over and knocking down mickey and his fellows...
I'm sure this scene is going to make it into "password: swordfish 2"
this sounds like a big heap of enjoyment to me
Re:enjoy the park... (Score:1)
headlines (Score:2, Funny)
Hmmmph. (Score:4, Offtopic)
Re:Hmmmph. (Score:1)
My theory isn't that they only accept from people they like (I'm rejected all the time, and in the hof for submissions), it's the author that reads it and finds it interesting. Something Hemos finds interesting might be something michael hates. So look at the "science" section (usually michael with a sprinkling of timothy), and try to write articles similar so michael will accept you.
Just my personal theory.
Re:Hmmmph. (Score:3, Offtopic)
I completely agree with this theory. I've noticed that timothy tends to post the sort of stories that I'm interested in. It's only natural that the authors will pick the submissions that interest them, and throw the rest in the bucket.
This points out a possible flaw in the /. authors' process. Perhaps instead of accepting/canning story submissions, authors should accept only and leave the others in the inbox. If nobody else accepts a story within 3 days, it automatically goes in the bucket. If michael cans a story, Hemos isn't going to be able to accept it any more. If it's submitted again the next day, maybe it will get lucky and Hemos will see it before michael, but you never know.
Re:Hmmmph. (Score:2)
That way I can submit to Taco, Hemos, or Timothy, and avoid michael and JonKatz.
It's a crapshoot on which of the three it will get to, and it could cause someone to get backed up with too many submissions, but I think it is worth trying...
Re:Hmmmph. (Score:1, Offtopic)
-Legion
Re:Hmmmph. (Score:2)
Hacking it (Score:4, Interesting)
OTOH, I don't recall ever seeing a laptop, so you'll stick out like a sore thumb unless you're in the bathroom with a PDA.
They do search bags currently. ALL bags, even diaper bags.
Also, there's an active Linux community among their IT people. There are definitely pockets of clue there, and it's likely that would extend to their IT security people as well.
Re:Hacking it (Score:3, Funny)
Re:Hacking it (Score:2)
Re:Hacking it (Score:2)
Redefines security hack (Score:2, Interesting)
Maybe, but not very well. For the past three of the four times I have been there since Sept 11 (my girlfriend and I have season passes) I was able to walk around the security stands without even being noticed. I cannot, for the life of me, figure out why they search the bags, yet do nothing to search the person. A couple of shootings at Disney would demoralize the US more than shootings pretty much anywhere else. An entire AK-47 can be broken down into pieces that fit in a pants leg or under a large sweatshirt. Everything of destructive power that is carried in a bag can be carried on one's person. They are pretty clueless about technology anyway. I often take in my nightvision scope (a lot of neat things to see in Space Mountain, Spaceship Earth, and Pirates of the Caribbean) and didn't even get a second look yet they made me disassemble my Camelbak water pouch. I don't know if they would stop a laptop or not. One can claim it is for downloading pictures or showing Disney DVDs to the kids at dinner when they get tired and cranky.
Are they near an airbase? (Score:4, Funny)
Because I'd hate for wireless Mickey 2001 to start picking up air traffic chatter
Hi kids! I sure hope you enjoy the RED LEADER, RED LEADER THIS IS TANGO ONE. and make sure to visit our LOCKED, COCKED, AND READY TO BURN TANGO ONE, WHAT'S YOUR STATUS?
And hey, under the recent terrorism bills wouldn't that qualify Mickey as a terrorist? There'd be a trial to top OJ.
Re:Are they near an airbase? (Score:1, Offtopic)
Don't you mean:
Red 5: "OK, we're going in, we're going in at full throttle. That ought to keep those fighters off our backs!"
Red 3: "Luke, at that speed will we be able to pull out in time?"
Red 5: "It'll be just like Beggar's Canyon back home!"
Re:Are they near an airbase? (Score:2)
The first thing I thought of... (Score:5, Funny)
Ba-dum-pa-chi! Thanks folks, I'll be here all night!
VPN (Score:1)
Good reason why they'll never offer 'Net access... (Score:5, Interesting)
Our tour guide said that they actually did have a kiosk there a few years back that let people browse the web and check their web-based e-mail. He checked on the kiosk once and found that some pervert had left up a XXX e-mail and changed the wallpaper. He wouldn't elaborate on what it was, but he said it shocked even him.
Luckily for them, they were able to remove the offensive material before anyone noticed. Still, as a place that bills itself as "family-friendly," they simply can't take the risk that it would happen again (and more high profile).
Our tour guide kept the possibility open that they would resume 'Net access with some types of safeguards against this, but no safeguard is 100%. Public Internet access is just not a high-priority item for Disney. (Believe me, there's so much to do at Disney World, that you won't have time to browse the Net.) The PR risks of another abuse far outweigh any customer gains.
Re:Good reason why they'll never offer 'Net access (Score:2, Interesting)
Re:Good reason why they'll never offer 'Net access (Score:2)
Re:Good reason why they'll never offer 'Net access (Score:4, Funny)
Probably some of that sick, perverted, Godless Pixar stuff. ;-)
Re:Good reason why they'll never offer 'Net access (Score:2)
I wouldn't mind being able to browse the Net while standing in line. Hell, even surfing through a white-list filter would be better than nothing.
Re:Good reason why they'll never offer 'Net access (Score:2)
And here I am thinking that the best way to while away those 1-2 hour waits in line for all the most popular attraction would be with Unreal Tournament or Q3Arena. If lag became an issue because of the sheer number of devices and users drawing bandwidth, you could always play something turn-based, like CivNet.
False assumptions.... (Score:2)
As for the kiosk abuse, that's completely irrelevant when you're talking about people using their own wireless devices. Think anyone is going to leave an expensive laptop or PDA lying around? If they keep it with them, then it's easy to identify the person responsible for the images.
CNN lies, it's not a 47 square mile cloud (Score:5, Insightful)
Re:CNN lies, it's not a 47 square mile cloud (Score:2)
But.. it did cover the hotels. The nice thing for us about this is that you don't have to worry about sneaking a laptop into the park if you are staying at one of the hotels.
In fact, it was at the hotel I originally noticed it as I was glancing around waiting for my bus.
Re:CNN lies, it's not a 47 square mile cloud (Score:3, Interesting)
Hack Disneyworld (Score:5, Funny)
Here are some exploits that we can be sure of seeing in the future:
1. 'It's a Small World' animatronic dolls reprogrammed via wireless network to share their cultural feelings via a massive animatronic orgy of all nations.
2. Michael Jackson's "Captain Eo 3D" video replaced with low-quality MPEG of a video taken of what really happened at Macaulay Culkin's last birthday party.
3. Ride Space Mountain during DDOS season? Only if you're feeling suicidal. You never know when that modified Nimda worm is going to kick in.
4. Parade of Lights all flash in sequence to spell out "L33+ X1DD135 OWNZ JOO DIZNY"
5. Animatronic Abe Lincoln now shouts, "Beefcake. BEEFCAKE!!!!"
Re:Hack Disneyworld (Score:2, Funny)
Have you ever been stuck on the Small World ride when the little boats get backed up? Ten minutes is what they do to the people they like (customers). Imagine how long you'd be strapped into the boat if they catch you hacking? *shudder*
Only news is that people have noticed it (Score:4, Interesting)
I noticed the cash registers were connected to an 802.11b network.. also, I spotted some computers as well.
I didn't have an 802.11b card at the time, and my only laptop had suffered a terrible accident.. so I wasn't able to do any 'diagnostics', but I thought it was interesting. Maybe next time I'll bring my PowerBook
See, you don't need to worry about getting into the park with your laptop.. Because this also extends to their hotels and probably their on-site buses as well.
Re:Only news is that people have noticed it (Score:1)
Re:Only news is that people have noticed it (Score:2)
Eventually a cash-less park? (Score:4, Insightful)
Yes, we all agree that this network may be risky for transferring credit card info around, but they could over time move to a "disney dollar" card, where you pre-load the disney card with your credit card as you enter or on the phone or whatever, then use that disney card within the park grounds to buy whatever. Disney can then provide insurance against fraud against that card instead of worrying about being liable against Visa and AmEx in the case of number theft over the airwaves...
The other advantage is that Disney's own systems could authorize the sale over the Disney card instead of having to send out to a Visa/MC/AmEx authorizer off site-- it would be considerably faster that way (since the system could be built up front to support the average # of visitors on site), especially during holiday seasons...
Just a thought...
Re:Eventually a cash-less park? (Score:1)
This wouldn't be that hard (Score:2)
It doesn't seem like it would be that difficult to adapt the cards to the technology. In fact it would make some things easier -- include a card on the back of each Annual Pass, for instance, and the passholder would automatically get their 10% discount on park purchases, plus they'd be more likely to store money on the card (which of course could only be used to buy stuff from Disney).
As good as Disney is at extracting money from patrons, this seems like a natural for them.
How about something useful (Score:4, Interesting)
Also a previous article said it would be used to play music around the park based on location. IMHO, kind of a waste for just CC's.
Could be fairly secure (Score:2)
Cracking the Protocol... (Score:4, Insightful)
However, once you've collected your packets and broken the key, you now have a decoded packet. Well, what does that mean? You have the framing information (packet length, header) and the message body (which is just raw data).
I'd bet a 7-day park-hopper pass that the data in the packet's body is encrypted a second time with a more reliable scheme. If there's one thing Disney knows how to do well, it's make money, and they can't risk the bad PR for this to foul up.
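An added illustration of the layering this comment (and the earlier "application-level encryption on top of WEP" reply) bets on; it is not part of the original post and says nothing about Disney's actual design. It builds a WEP frame body around an application-sealed transaction and shows what a holder of the WEP key sees once the link layer is removed. The keys, the test card number, the function names and the HMAC-SHA256 keystream (a standard-library stand-in for a real authenticated cipher such as TLS or IPsec would provide) are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
import zlib

# All keys and the card number below are constructed sample values.
WEP_KEY = bytes.fromhex("0102030405060708090a0b0c0d")  # 104-bit key ("128-bit" WEP)
APP_KEY = hashlib.sha256(b"constructed terminal key").digest()
TXN = b"PAN=4111111111111111;AMT=12.50"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4, the stream cipher WEP uses; encryption and decryption are the same."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encap(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body: IV (3 bytes) | key-id byte | RC4(IV || key, payload | ICV)."""
    return iv + b"\x00" + rc4(iv + wep_key, payload + _icv(payload))


def wep_decap(wep_key: bytes, body: bytes) -> bytes:
    """What any holder of the WEP key recovers from a frame body."""
    plain = rc4(body[:3] + wep_key, body[4:])
    payload, icv = plain[:-4], plain[-4:]
    if icv != _icv(payload):
        raise ValueError("ICV mismatch (wrong key or damaged frame)")
    return payload


def _subkeys(app_key: bytes):
    """Derive separate encryption and MAC keys from the application key."""
    return (hmac.new(app_key, b"enc", hashlib.sha256).digest(),
            hmac.new(app_key, b"mac", hashlib.sha256).digest())


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream."""
    stream = b"".join(
        hmac.new(key, nonce + struct.pack(">I", n), hashlib.sha256).digest()
        for n in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def app_seal(app_key: bytes, message: bytes) -> bytes:
    """Application layer: encrypt-then-MAC, output nonce | ciphertext | tag."""
    enc_key, mac_key = _subkeys(app_key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, message)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def app_open(app_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    enc_key, mac_key = _subkeys(app_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, nonce, ct)


def demo():
    """Terminal seals the transaction, then WEP carries it over the air."""
    frame = wep_encap(WEP_KEY, os.urandom(3), app_seal(APP_KEY, TXN))
    inner = wep_decap(WEP_KEY, frame)  # view of anyone who holds the WEP key
    return frame, inner, app_open(APP_KEY, inner)  # view of the back end
```

Calling `demo()` returns the frame body, the bytes left after WEP is removed, and the transaction as the back end recovers it; only the last contains the card number.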
Re:Cracking the Protocol... (Score:2)
It's trivial to change the WEP keys on the AP, the hard part is changing them on the clients and keeping them synch'ed. Besides, I don't think WEP was designed to run credit transactions across
I think a more likely scenario is they have a fairly dirty "Wireless Network" that is traversed by whatever devices they're using. Those devices would have a robust authentication system allowing them off their dirty network and through a firewall. It wouldn't be too difficult to implement this with smart cards and IPSec.
If you bring an 802.11 device onto their network, you'd be able to get a signal, obviously, but I'd find it highly unlikely that you could run a sniffer and get anything useful.
who dunnit? (Score:3, Informative)
I graduated UCF with my Computer Engineering Degree in 2000. For our senior design projects, Disney came and solicited us heavily to work on their projects. Free labor, helping a poor college student out with an idea, free labor, did I mention free labor. This project along with several others were mentioned. My comments regarding network security concerns were treated as pessimism. Needless to say I did not lend my time for Disney's free labor.
Additional information-crypto and GUEST TRACKING? (Score:2, Interesting)
Anyone else see Westworld/Futureworld?
Thermowax
Wireless networks (Score:2, Funny)
I'm sitting here typing this while I wait for Jim "Open Source is Un-American" Allchin to deliver the keynote at the Windows Embedded Developers Conference. I have already found one guy on the un-WEPed 802.11b network with his C: drive mapped as \\steven2\c
The funniest thing I've ever seen... (Score:2)
Maybe Snow can start taking credit cards to turn tricks in the alleys of main street.
Re:Is this true or an urban legend? (Score:2)
They'll have security (Score:2)
I tcpdumped about 10 megs of data snarfed from the most wirelessly connected university in America, and besides broadcast queries for NT servers and floods of IPX SAP frames coming from network printers, the *only* packet of interest I got was the output of a finger some guy ran against his own OpenBSD box on campus. And I later found plenty of security-related posts from this guy on usenet, too. How's that for irony?
I went home and reviewed web pages describing their security infrastructure due to the weakness of 802.11b, and it was very intense. Beyond Kerberos. If Disney's doing this specifically to mobilize credit card readers, I've gotta say that wireless has been weakened long enough for them to not have any excuse to do it right.
Not to mention, with IBM's Tomorrow World being such a big hit in Epcot (and Disney closing DIG, their Internet venture), I'm SURE we had something to do with their planning and deployment. And I totally agree with the others who have said that enabling wireless PDA's such as line checking, maps, and restaurant reservations.
heh (Score:2)
New lyrics for Mickey Mouse club theme song (Score:2)
The inevitable consequence is that the network will be very insecure, so let us mess with the lyrics:
Well, it is a lot easier than saying "because 802.11b doesn't specify encryption at the physical level".
I was just there (Score:2)
In Disney/MGM, some popcorn and hotdog stands still couldn't take charge cards as of last week, so I guess it's still being rolled out.
I would use an Internet cafe (Score:2)
Anyone else feel this way or am I just too big of a geek?
Yes it is, and here's why (Score:2)
However, for one click shopping, etc. that many online retailers have (where no signature is required or signature is on a digital pad), they still have to store all that extra information, because it's needed to authenticate the purchase. So when anyone stumbles across your database, they still have the access to the information they need, they just need to grab 5 columns instead of 2.
The only method you mentioned that would solve this is faxing the signatures. And if the signature is digital (UPS, MicroCenter, etc), it's probably stored as a LOB in the database in a picture format anyway, and the Hacker now has a printable version of your signature. Also, most e-tailers don't have your signature because it's impractical to get it from you. Remember, just because your CC was stolen from somewhere that needs a signature, it can still be used somewhere that doesn't.
Re:Tell that to the joker that bought $2300 of stu (Score:2)
While it isn't done often, it does happen.
They do it by fax machine or snail mail, and it's a real PITA, especially when you don't have a fax machine.
I bought a MC218 (Psion 5mx copy) from Expansys in the UK, and they had me fax over a signed photocopy of my card and my driver's license before they'd run my order.
Not sure if they do this for all orders or just for international ones tho.
C-X C-S
Re:Whatever (Score:2)
One of my friends lost one of his credit cards. He reported it as soon as he realized it, but not before the person who found it apparently called all his friends and relatives and they all had a 'free fill-up' party with it. The dude then went and bought a few PlayStations, I think in a Funcoland. There were a few other odd purchases, but I think the CC company finally put a halt on the card when dude tried to buy a computer somewhere.
Nothing could really be done about the pay-at-the-pump gas station, but the stores should have at least matched the signature on the card to the signatures on the receipts. My friend got back copies of the thief's receipts and the times they forged my friend's signature on them, the signatures were not even CLOSE. A few times the thief just signed another arbitrary name. Even so, the purchases sailed through no problem until the CC company's computers apparently noticed an aberration from the normal buying patterns on that card.
Fortunately, the CC company ate the costs instead of sticking them on my friend, but he had to fight like hell for a while to get them to do it.
~Philly
Re:Whatever (Score:2)
Re:Lets hope they have repeaters (Score:2)
You can run this stuff all along the walkways and gutters of buildings to fill in most of the dead spots in the open areas.