- Is it theoretically or practically even possible to mooch off of a typical WISP - 6 Updates
- strange cable? - 4 Updates

Aardvarks <aardvarks@a.b.c.com>: Jul 25 02:36AM

Is it theoretically or practically even possible to mooch off of a typical WISP

In the iPhone newsgroups, a typical Apple Fundamentalist assumed I mooch off of my SF Bay Area Santa Cruz Mountain WISP simply because I get my Internet connection over the air via a WISP ISP a couple of mountains away.

In my response to this iOS right winger, who is so used to paying through the nose for everything that he can't even comprehend the *concept* of legitimate freeware, I told him (nospam) that I can't possibly even *think* of how a typical WISP would accidentally allow moochers.

While I used to have a 2.4GHz Rocket M2, I switched to the less noisy 5GHz Rocket M5 which has vertical and horizontal channels that are set by the WISP (who logs into the antenna to set it up from afar).

Certainly the WISP keeps logs of all connections, and, in my case, he has to assign a static IP address to *each* customer.

So, this question is only one of theoretical/practical possibilities.

Is it even theoretically or practically possible to mooch off of your WISP provider without him knowing about it (assuming he's a normal conscientious WISP using all the normal tools that a WISP would use).

Jeff Liebermann <jeffl@cruzio.com>: Jul 24 09:05PM -0700

On Mon, 25 Jul 2016 02:36:20 +0000 (UTC), Aardvarks

>Is it theoretically or practically even possible to mooch off of a typical
>WISP

Sigh. Do you really expect me to post detailed instructions on how it might be done?

I'll assume that the leech has a compatible wi-fi client bridge radio, a decent dish or panel antenna, a good location to see the WISP access point antenna, and is able to associate (synchronize with the pseudo random spread spectrum spreading code). Basically, this means the leech can get a "connect" indication from his client bridge radio.

The next obstacle is how much security has the WISP installed to protect his system. Nobody runs a wide open system, without encryption and no passwords. For a minimum, the WISP is certain to authenticate the MAC address of the client bridge radio. MAC addresses are easily spoofed, but this is mostly for identifying and blocking radios that are attempting to connect, but don't belong on the system.

The next layer is WPA2-AES-Enterprise encryption and authentication. Unlike the typical home wi-fi router, which uses WPA2-AES-PSK (pre-shared key), WPA2-AES-Enterprise does not have a single encryption key for the entire system. A new and unique key is issued for each connection and at regular intervals. Even if you could crack the encryption key, it would only be good for a maximum of 3600 seconds. The RADIUS authorization and 802.1x authentication system would also have a stored login and password.

There are a bunch of other tricks to improve security that are used, which I don't want to disclose or discuss. Most do not really prevent someone from breaking into the system, but rather act as a burglar alarm to identify attempted break-ins.

I would say that trying to get past WPA2-AES-Enterprise, even with inside information, is not possible (unless you're the NSA).

Spoofing an existing connection or working WISP customer is somewhat less difficult. One would need the previously mentioned hardware list, a means of tweaking the client bridge MAC address, the RADIUS login and password, and inside knowledge of what the WISP is using for authentication. One would also need to somehow disable the real customer as it would not do to have two client bridge radios trying to authenticate using identical credentials. That will certainly set off alarms (if the WISP pays attention to alarms and reads the log files). That's possible, but hardly practical, and certainly not reliable.

Leeching is usually NOT done by trying to connect to the WISP access point. Instead, it's done by connecting to the wireless router installed by the WISP customers. In other words, the neighbors. These are typical home wireless commodity routers, secured by a single WPA2-AES-PSK password key. If you know the key (or its hash code), and have good RF connectivity to the neighbor's wireless router, you're on the system.

So, to answer your question... yes, it's theoretically possible but no, it's not easy, practical, worthwhile, or reliable. Incidentally, it's also a crime and legally actionable as "theft of services" which increases the element of risk.

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Aardvarks <aardvarks@a.b.c.com>: Jul 25 05:39AM

On Sun, 24 Jul 2016 21:05:10 -0700, Jeff Liebermann wrote:

> Sigh. Do you really expect me to post detailed instructions on how it
> might be done?

Hi Jeff,
I knew you'd be on either a.i.w or s.e.r (although you hang out more on the latter nowadays, I think).

> point antenna, and is able to associate (synchronize with the pseudo
> random spread spectrum spreading code). Basically, this means the
> leech can get a "connect" indication from his client bridge radio.

The theoretical leech would be me (but I already have free WiFi access from my WISP in return for being an access point for him) so the question really *is* theoretical, and you actually know all the WISPs in this area (let's not state their company or real names, for privacy reasons, but you know of Loren at H.....p and Dave at S.....t and Mike at R...........s, and Herman at E.....c, etc., who are the respective WISP proprietors).

> The next obstacle is how much security has the WISP installed to
> protect his system. Nobody runs a wide open system, without
> encryption and no passwords.

Exactly! Nobody runs a wide open system where leeches can just latch on for any reasonable period of time. Loren is the least restrictive, Herman is the most restrictive - with the others in between on security.

> addresses are easily spoofed, but this is mostly for identifying and
> blocking radios that are attempting to connect, but don't belong on
> the system.

Actually, as you pretty well know, that end of the MAC address is, I think, the harder one to spoof (I think it was you who told me that long ago).
But let me confirm...
The end that the WISP sees is the hard one to spoof, isn't it?

> The next layer is WPA2-AES-Enterprise encryption and authentication.

Yup. While Loren doesn't even use encryption on the 802.11 equipment, he has plenty of 900MHz equipment which has to be specially set up, and Mike, for example also makes use of non-wifi protocols. So does Dave, and Herman's system isn't at all compatible with customer owned equipment.

> the encryption key, it would only be good for a maximum of 3600
> seconds. The RADIUS authorization and 802.1x authentication system
> would also have a stored login and password.

Yup. And that doesn't even count the protocol tricks that these guys use to get better bandwidth throughput and noise rejection.

> which I don't want to disclose or discuss. Most do not really prevent
> someone from breaking into the system, but rather act as a burglar
> alarm to identify attempted break-ins.

They all run a watchdog of some sort.

> I would say that trying to get past WPA2-AES-Enterprise, even with
> inside information, is not possible (unless you're the NSA).

Actually, I have more knowledge than most because I'm a repeater so I am sometimes called to do troubleshooting to save them a visit - but for this discussion - we should assume I'm a normal customer of the WISP.

> means of tweaking the client bridge MAC address, the RADIUS login and
> password, and inside knowledge of what the WISP is using for
> authentication.

You also need the protocol information, and the IP address information, but presumably you could sniff that over the air.

> authenticate using identical credentials. That will certainly set off
> alarms (if the WISP pays attention to alarms and reads the log files).
> That's possible, but hardly practical, and certainly not reliable.

Yup. While doing a site discovery isn't hard, you have to also crack the admin password on the radio, which changes frequently, among other hurdles.

> Leeching is usually NOT done by trying to connect to the WISP access
> point.

Agreed. It's just too hard to do and too easy to get caught since a house doesn't move all that fast.

> Instead, it's done by connecting to the wireless router
> installed by the WISP customers.

OK. That's *easy* by way of comparison. But we weren't talking about breaking into the homeowners' SOHO router (which is a different topic altogether).

> WPA2-AES-PSK password key. If you know the key (or its hash code),
> and have good RF connectivity to the neighbor's wireless router, you're
> on the system.

Yes. Plenty of neighbors have wide open networks. Sigh.
They're the Santa Cruz 60's hippy trusting type of people.
You know ... people like you! :)
(jk - you're too knowledgeable to be trusting!)

> no, it's not easy, practical, worthwhile, or reliable. Incidentally,
> it's also a crime and legally actionable as "theft of services" which
> increases the element of risk.

Yup. Just what I had thought. The Apple iOS "experts" blandly accuse people of this stuff, not even taking into account *any* of the many potential hurdles, not the least of which is that a house doesn't move all that fast and is easy to locate when stealing WISP bandwidth.

If you're not the NSA, then you're probably not hacking into the WISP. It's just not feasible.

Thanks for your insight!

PS: What do you think about the possibility of tapping into a Starbucks in downtown Santa Cruz from Loma Prieta?

Jeff Liebermann <jeffl@cruzio.com>: Jul 25 08:15AM -0700

On Mon, 25 Jul 2016 05:39:41 +0000 (UTC), Aardvarks

>not state their company or real names, for privacy reasons, but you know of
>Loren at H.....p and Dave at S.....t and Mike at R...........s, and Herman
>at E.....c, etc., who are the respective WISP proprietors).

I think I've met them all and certainly recognize the companies. However, I'm not currently doing WISP work and haven't worked with any of the companies for many years. Hint: I gave up tower climbing over 20 years ago.

>the harder one to spoof (I think it was you who told me that long ago).
>But let me confirm...
>The end that the WISP sees is the hard one to spoof, isn't it?

I certainly didn't say that. Some client bridge radios partition their firmware into the part you can replace (e.g. DD-WRT) and the part that remains untouched (boot loader, MAC addresses, encryption keys, serial numbers, manufacturing details, etc). Changing these is possible and fairly easy if you own a logic analyzer, hot air SMT desoldering station and an SPI bus serial EPROM programmer.

However, the leech could also use a commodity wireless card crammed into a PC, and do everything in software, where it is super trivial to tweak the MAC address. No worries about WPA2 encryption because the MAC address and control frames are sent unencrypted.

>has plenty of 900MHz equipment which has to be specially set up, and Mike,
>for example also makes use of non-wifi protocols. So does Dave, and Herman's
>system isn't at all compatible with customer owned equipment.

Security by obscurity has its merits. Anyone who is willing to spend a few hundred dollars on hardware, and spend many hours hacking, in order to save a few dollars in service charges, needs to take a remedial finance class.

>Yup. And that doesn't even count the protocol tricks that these guys use to
>get better bandwidth throughput and noise rejection.

The creative protocols are not for security. The problem is that 802.11 was originally designed to handle a small number of client radios per access point. CSMA/CA works nicely for that because there's plenty of time between packets to allow for collision backoff. However, when dealing with a much larger number of users, the probability of collisions increases rather dramatically, until nothing works. Also, minor network overhead, such as ARP requests and broadcasts, become a major nuisance as they proceed to become the dominant traffic (because broadcasts go to everyone). So, new protocols, based on token passing (VTP-CSMA) or polling are used, which are more efficient for larger systems.

>They all run a watchdog of some sort.

Usually just arpwatch and traffic graphs.

>OK. That's *easy* by way of comparison. But we weren't talking about
>breaking into the homeowners' SOHO router (which is a different topic
>altogether).

With most WISPs, over the air bandwidth is the main limitation to how many customers they can handle. If you add a leech anywhere on the system, which increases usage beyond normal, it's a problem.

>They're the Santa Cruz 60's hippy trusting type of people.
>You know ... people like you! :)
>(jk - you're too knowledgeable to be trusting!)

I hate to ruin your illusions, but I never was much of a hippie. Glorified poverty didn't have much of an appeal. I did try becoming a beatnik as a teenager and a protester in college, but not a hippie.
<http://802.11junk.com/jeffl/pics/jeffl/>

>stealing WISP bandwidth.
>PS: What do you think about the possibility of tapping into a Starbucks in
>downtown Santa Cruz from Loma Prieta?

Zilch. Too much interference along the path on both 2.4 and 5GHz. Loma to SCZ is about 9 miles. Over 5 miles, one sees timeouts and the ACK timing needs to be tweaked. You can see the SSID's of distant stations (because broadcasts do not need ACK's) but you can't connect.

However, without the interference, one can do it by violating the FCC rules with a big dish. I've done this and even under ideal conditions, aiming the dish, and keeping it aligned, is a major problem. Also, at that range and lousy SNR, throughput is gonna be rather low.

Incidentally, I know of several point to point links between Loma and various sites on 5GHz that get really good speeds and reliable performance. I'm not sure of the ranges, but most seem to be between 5 and 10 miles. However, both sides use decent hardware, dish or panel antennas, and a clear line of sight, which is not what you'll find at Starbucks. Besides, the downtown SCZ Starbucks is surrounded by tall buildings on all 4 sides (I used to fix Heinz's computers when he had the microscope shop in the basement under Starbucks).

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
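
Added example, not part of the thread or any poster's code: a minimal monitor in the style of the arpwatch reports mentioned above, combined with the one-static-IP-per-customer bookkeeping described earlier in the thread. The provisioning table, addresses and observations are constructed, and the "mismatch" and "unprovisioned" status labels are this example's own; the event names are borrowed from arpwatch's report vocabulary but are tracked per IP address here.

```python
from collections import defaultdict

# Hypothetical provisioning table: static IP -> MAC of that customer's radio.
PROVISIONED = {
    "10.20.0.11": "00:11:22:aa:bb:01",
    "10.20.0.12": "00:11:22:aa:bb:02",
}

# Constructed observations, one "epoch_seconds ip mac" per line, standing in
# for address pairs seen in ARP traffic on the operator's network.
SAMPLE = """\
1469400000 10.20.0.11 00:11:22:AA:BB:01
1469400005 10.20.0.12 00:11:22:aa:bb:02
1469400300 10.20.0.12 00:11:22:aa:bb:99
1469400310 10.20.0.12 00:11:22:aa:bb:02
1469400600 10.20.0.50 00:11:22:aa:bb:50
not a valid line
"""


def parse(text):
    """Yield (ts, ip, mac) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2].lower()


def monitor(observations, provisioned=PROVISIONED):
    """Return (ts, ip, mac, event, status) for every change in an IP's MAC."""
    history = defaultdict(list)  # ip -> distinct MACs, most recent last
    events = []
    for ts, ip, mac in observations:
        seen = history[ip]
        if seen and seen[-1] == mac:
            continue  # same pairing as last time, nothing to report
        if not seen:
            event = "new station"
        elif len(seen) >= 2 and seen[-2] == mac:
            event = "flip flop"  # two devices alternating on one address
        else:
            event = "changed ethernet address"
        if mac in seen:
            seen.remove(mac)
        seen.append(mac)
        expected = provisioned.get(ip)
        if expected is None:
            status = "unprovisioned"
        elif expected != mac:
            status = "mismatch"
        else:
            status = "ok"
        events.append((ts, ip, mac, event, status))
    return events


def suspicious(events):
    """Events worth a human look: bad bindings and any flip flop."""
    return [e for e in events if e[4] != "ok" or e[3] == "flip flop"]


if __name__ == "__main__":
    for ts, ip, mac, event, status in suspicious(monitor(parse(SAMPLE))):
        print(ts, ip, mac, event, status)
```
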

"(PeteCresswell)" <x@y.Invalid>: Jul 25 12:14PM -0400

Per Jeff Liebermann:

> tower climbing

In my book, those guys are, along with tree trimmers, modern-day heroes in the sense of the old Inuit kayak hunters: One bad move or error in judgment and you die.

--
Pete Cresswell

Aardvarks <aardvarks@a.b.c.com>: Jul 25 04:31PM

On Mon, 25 Jul 2016 08:15:41 -0700, Jeff Liebermann wrote:

> keys, serial numbers, manufacturing details, etc). Changing these is
> possible and fairly easy if you own a logic analyzer, hot air SMT
> desoldering station and an SPI bus serial EPROM programmer.

Heh heh. Yeah, if I only had a hot air SMT desoldering station, I could change my MAC address too. :)

> into a PC, and do everything in software, where it is super trivial to
> tweak the MAC address. No worries about WPA2 encryption because the
> MAC address and control frames are sent unencrypted.

OK. But that's a lot of work to just get free WiFi from a WISP, and still more has to be done so as not to get caught (which, I state, would be virtually impossible and certainly not worth the $100/month WiFi fee).

> a few hundred dollars on hardware, and spend many hours hacking, in
> order to save a few dollars in service charges, needs to take a
> remedial finance class.

Yup. That was my point to the guy, nospam, who accused me of stealing my WISP just because I knew enough about WISP to spout the words reasonably coherently.

What I do know is that it wouldn't be easy for me, and even for you, it wouldn't be easy not to get caught (since your house doesn't move all that fast except that you're near the fault line so it jumps a few feet every hundred years or so).

> dominant traffic (because broadcasts go to everyone). So, new
> protocols, based on token passing (VTP-CSMA) or polling are used,
> which are more efficient for larger systems.

This makes sense that the protocols they are all starting to use (except Loren, and Herman was *always* using the new protocols) are for communication reasons, and not for security.

Still, Dave switched his Santa Cruz company off of the WiFi protocol a few years ago (maybe 5 years ago?) even though all his equipment was still 2.4GHz for a long time. Without that specialized protocol knowledge, nobody with a 2.4GHz radio is gonna connect to him, with or without security.

>>They all run a watchdog of some sort.
> Usually just arpwatch and traffic graphs.

Actually, they also log stuff because I talk to one local WISP who tells me he is sick of getting take-down notices for most of his customers, so he has assigned everyone a static IP address just to make his logging backtracks easier.

To him, since he just has to forward the notice, he's not irritated by the notice - but by the need to figure out who it was. He solved that by giving everyone a static IP address.

Luckily, most of these guys are very nice guys (except Dave over by you who is only exceeded in crassness by Brett, his Arizona support guy who has an utterly amazing lack of customer service support skills).

> With most WISPs, over the air bandwidth is the main limitation to how
> many customers they can handle. If you add a leech anywhere on the
> system, which increases usage beyond normal, it's a problem.

I would agree. But I see a few hundred homes on the connection I'm on, and there are multiple APs they're connected to, even on the same tower (Loma Prieta is the main tower but others exist in the surrounding hills).

They have fiber-optic backhauls, so, the way "I" understand it (I'm just a customer though) is that they aren't limited by their backhaul but by the number of access points they set up and their painting coverage.

> becoming a beatnik as a teenager and a protester in college, but not a
> hippie.
> <http://802.11junk.com/jeffl/pics/jeffl/>

Wow, Jeff. Interesting picture. I've seen the insides of your routers, and lots of your test equipment over the years, but that 1975 picture sure did look beatnik hippy to me! Is that a park-ranger uniform? Big Basin?

> Loma to SCZ is about 9 miles. Over 5 miles, one sees timeouts and the
> ACK timing needs to be tweaked. You can see the SSID's of distant
> stations (because broadcasts do not need ACK's) but you can't connect.

Interesting. Yes, I have seen SSIDs of the sort of a LOS from Loma Prieta down to Santa Cruz, where I couldn't get better than about -85dBm at the best but there was never the necessary SNR headroom of a half dozen to a dozen decibels. I didn't even think about ACKS but the radio does automatically adjust for distance.

> rules with a big dish. I've done this and even under ideal
> conditions, aiming the dish, and keeping it aligned, is a major
> problem.

Mine is a 27dBm output -94dBm sensitivity 5GHz Rocket M5, (https://dl.ubnt.com/datasheets/rocketmgps/Rocket_M_GPS_Datasheet.pdf) although I have 28dBm -97dBm 2.4GHz Rocket M2s and nano bridges and even high-power bullets scattered all about the hillside.

I had a talk with Ubiquiti support over in San Jose, and they said the AirOS firmware was set that you couldn't possibly go over the 1 Watt legal limit of the 5 GHz frequency power output (which itself is ten times higher than the 2.4 GHz band legal limit), once you set the country (which is usually set to the USA because the limits are highest in the USA).

They told me that you can try, but the firmware won't let you, even though it might *report* that it's over the legal limit.

> between Loma and various sites on 5GHz that get really good speeds and
> reliable performance. I'm not sure of the ranges, but most seem to be
> between 5 and 10 miles.

My connection is at the higher end of that 5 to 10 mile range, and my throughput is just OK. I have clear LOS with nothing in the first Fresnel zone too.

> However, both sides use decent hardware, dish
> or panel antennas, and a clear line of sight, which is not what you'll
> find at Starbucks.

This is correct. The biggest problem though, I thought, was that the *transmitter* at Starbucks would be the major limitation.

Basically I figured we could transmit a strong signal to the Starbucks AP, but without a far better antenna, the signal from Starbucks would never get back in sufficient 6 to 10 decibel strength over the noise to us.

> Besides, the downtown SCZ Starbucks is surrounded
> by tall buildings on all 4 sides (I used to fix Heinz's computers when
> he had the microscope shop in the basement under Starbucks).

Ah, yet another pragmatic obstacle to overcome, borne from experience.

Micky <NONONObobbyburns1111@gmail.com>: Jul 25 04:23AM -0400

A friend gave me what looks like a network cable, with a modular plug with 8 slots, but the only ones with wires are slots 1,2,3 and 6.

What is this cable meant for?

jack4747@gmail.com: Jul 25 01:33AM -0700

On Monday, 25 July 2016 10:23:48 UTC+2, Micky wrote:

> A friend gave me what looks like a network cable, with a modular plug
> with 8 slots, but the only ones with wires are slots 1,2,3 and 6.
> What is this cable meant for?

a photo might help...

Bye Jack

frank <frank@invalid.net>: Jul 25 08:37AM

> On Monday, 25 July 2016 10:23:48 UTC+2, Micky wrote:
>> A friend gave me what looks like a network cable, with a modular plug
>> with 8 slots, but the only ones with wires are slots 1,2,3 and 6.

RJ-45 plug has 8 contacts (slots?), and wiring only 1,2 and 3,6 pairs makes a 10 Mbit/s cable, either straight or crossed. It could be made to connect an old 10 BASE-T network card or it's just a leftover from the previous century.

Frank

Andy Burns <usenet@andyburns.uk>: Jul 25 02:31PM +0100

Micky wrote:

> A friend gave me what looks like a network cable, with a modular plug
> with 8 slots, but the only ones with wires are slots 1,2,3 and 6.
> What is this cable meant for?

Fast ethernet (100Mbps) only uses pins 1, 2, 3 & 6, all eight are used for Gigabit ethernet, do the pairs cross over 1/2->3/6 or straight through 1/2->1/2?