20 Feb
2005
20 Feb
'05
6:21 p.m.
Hi everybody,
This has little to do with Linux but more with security. If this request
is off topic, simply diregard it and I won't do it again, I promise :).
As the Lilux people seem to have legal knowledge about things in
Luxembourg and great ideas/advices on how things work with government, I
thought I could ask this here.
I happened to bump into two 15/16 year old guys who were wardriving in
my "Cite". I was quite impressed. Actually, they were by foot. One
holding the PC and the antenna, the other holding a piece of paper
probably writing the details of their discoveries.
Well, this is only my personal opinion but I cannot help myself and
think about what they would do if they found an unprotected network.
My questions are:
How to make people aware of the dangers?
Write to the city hall to ask them to produce a small piece of paper and
put it into people's brief cases?
Organize some kind of event? with whom? by whom? Maybe this was already
done?
Are there organizations that care about those awarness programs and
would be glad to help?
Does anybody know if foreign governments have such programs?
As you see, I don't know much but I was willing to try something.
Thanks for any suggestions/advices/ideas :)
Paulo
20 Feb
20 Feb
8:28 p.m.
There's nothing illegal in trying to be connected to an opened network,
even wirelessly.
I saw members of the "Golf Club Grand-Ducal" being surprised that they
might get connected to the Internet from the club house, by using the
golf club wireless network. What's wrong with this, if the network is
opened ? If it is opened, what law should prevents you to use it ?
If I leave money on the sidewalk, I don't expect a law to force the
discoverer to return it to me...
Now, if you try to force the access to a computer that prompts you a
legal warning like "Access to this server is strictly limited to the
authorized users", then you've been warned that you entered a private
property. But even, I'm not sure there are laws against this in
Luxembourg. There are defenitely such laws in USA and other states of
EU, but I'm not aware of such laws in Luxembourg.
Even in the UK (London), young guys are writing with chalk wireless
network characteristics on buildings and sidewalks to make easier the
connections of future unexpected users. I never read anything about an
arrest of such guys. A recent study made in the US showed that a
majority of the corporate wireless networks where opened or weakly
protected. For me, having such a wireless network at home is like
putting an unattended ethernet outlet outside your home: you just
publish to anybody all what is on your home network: advocate letters,
private e-mails, web browser cookies and history (so potentially your
sexual preferences with lot of details). I'm not yet convinced that the
new 802.11X encryption mechanism is safe, so I strickly advice for the
time being to consider wireless connection as practically unavalaible,
or equivalent to an open network, until proof of security is obtained
from other peoples than the related hardware vendors.
What is strange to me is that GSM technology is older, much more widely
used, and gives potentially interesting informations and ways to gain
money if cracked (I'll not explain you how. Just imagine yourself) and
seems to be safe up to now. I don't expect somebody to call using my GSM
credit without my chip, as I don't expect anybody unautorized to listen
to my conversations when using a GSM. (Lady Di was using a wireless
analog phone, not a GSM). It even offers strong authentication, what
wireless network does not yet (if I'm well informed). So why the
wireless vendors, that suffers strongly from justified untrust regarding
the security of their network, didn't managed from years to secure their
devices ???
Other experiences I had (through customers) was that devices from
different vendors were poorly interoperating (limited distance, rapid
performance degradation, ...) and that it was very limited when used in
a armed concrete building or even an old traditional house, made of
stone. Also, with accessible Gigabit Ethernet devices and switches, and
DSL+ technology (bringing up to 25 Mb/s Internet connection soon), I
think current wireless technology (802.11G) is really limited: the
standard specify 54 Mb/s _*shared*_ bandwidth on each of the three
channels. Knowing that only three channels is too few to garantee the
usability of the technology in all topologies, don't expect to use more
than one such channel. Compare 54 Mb/s (maximum theorical shared
bandwidth) with 1000 Mb/s switched, there's no hesitation.
As already explained in this mailing-list, if you really need this
technology, consider the wireless segment as opened, put firewalls at
each connecting point, and establish VPN on this unsecure link. Good luck.
/"How to make people aware of the dangers ?"
/
If the people you are speaking aobut are using Internet Explorer on
Windows connected to the Internet, I don't see the point of warning them
about the dangers of wireless technology... They are already opened to
the world !
Cegecom made a PLC (Power Line Carrier) test in Luxembourg around 2000.
They connected a village through the power outled to the Internet. No
possible check about the amount of connection using each home access
point. No filtering at all. Not even a network topology separating the
homes. In this case, when you clicked on 'Network Neighborhood", you had
really a picture of your neighborhood's network ! Amazing ! So what's
wrong with opened wireless networks ???
By the way, this mailing-list and club is not about Linux but about free
software in general, opened to other near technologies, such as
OpenSource and BSD.
Paulo Ribeiro a écrit :
Hi everybody,
This has little to do with Linux but more with security. If this
request is off topic, simply diregard it and I won't do it again, I
promise :).
As the Lilux people seem to have legal knowledge about things in
Luxembourg and great ideas/advices on how things work with government,
I thought I could ask this here.
I happened to bump into two 15/16 year old guys who were wardriving in
my "Cite". I was quite impressed. Actually, they were by foot. One
holding the PC and the antenna, the other holding a piece of paper
probably writing the details of their discoveries.
Well, this is only my personal opinion but I cannot help myself and
think about what they would do if they found an unprotected network.
My questions are:
How to make people aware of the dangers?
Write to the city hall to ask them to produce a small piece of paper
and put it into people's brief cases?
Organize some kind of event? with whom? by whom? Maybe this was
already done?
Are there organizations that care about those awarness programs and
would be glad to help?
Does anybody know if foreign governments have such programs?
As you see, I don't know much but I was willing to try something.
Thanks for any suggestions/advices/ideas :)
Paulo
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
--
Brent Frère
Private e-mail: Brent(a)BFrere.net
Postal address: 5, rue de Mamer
L-8280 Kehlen
Grand-Duchy of Luxembourg
European Union
Mobile: +352-021/29.05.98
Fax: +352-26.30.05.96
Home: +352-307.341
URL: http://BFrere.net
If you have problem with my digital signature, please install the appropriate authority
certificate by browsing https://www.cacert.org/certs/root.crt.
21 Feb
21 Feb
11:56 a.m.
There's nothing illegal in trying to be connected
to an opened network,
even wirelessly.
I saw members of the "Golf Club Grand-Ducal" being surprised that they
might get connected to the Internet from the club house, by using the
golf club wireless network. What's wrong with this, if the network is
opened ? If it is opened, what law should prevents you to use it ?
If I leave money on the sidewalk, I don't expect a law to force the
discoverer to return it to me...
nice metaphore but it's not as easy as this ...
Now, if you try to force the access to a computer that prompts you a
legal warning like "Access to this server is strictly limited to the
authorized users", then you've been warned that you entered a private
property. But even, I'm not sure there are laws against this in
Luxembourg. There are defenitely such laws in USA and other states of
EU, but I'm not aware of such laws in Luxembourg.
this is infact a legal grey zone, some lawyers might well find somewhere
an article prohibiting this but there is no real law about the sole
"getting access" thing, everything more you do is already considered as an
intrusion (using the others Internet connection too) as is illegal
(strictly speaking) !
Even in the UK (London), young guys are writing with chalk wireless
network characteristics on buildings and sidewalks to make easier the
connections of future unexpected users. I never read anything about an
arrest of such guys. A recent study made in the US showed that a
majority of the corporate wireless networks where opened or weakly
protected. For me, having such a wireless network at home is like
putting an unattended ethernet outlet outside your home: you just
publish to anybody all what is on your home network: advocate letters,
private e-mails, web browser cookies and history (so potentially your
sexual preferences with lot of details).
is an Internet connection not the same ?
I'm not yet convinced that the
new 802.11X encryption mechanism is safe, so I strickly advice for the
time being to consider wireless connection as practically unavalaible,
or equivalent to an open network, until proof of security is obtained
from other peoples than the related hardware vendors.
wireless can be made pretty secure by using standard encryption and
firewalling principles
What is strange to me is that GSM technology is older, much more widely
used, and gives potentially interesting informations and ways to gain
money if cracked (I'll not explain you how. Just imagine yourself) and
seems to be safe up to now. I don't expect somebody to call using my GSM
credit without my chip, as I don't expect anybody unautorized to listen
to my conversations when using a GSM. (Lady Di was using a wireless
analog phone, not a GSM). It even offers strong authentication, what
wireless network does not yet (if I'm well informed). So why the
wireless vendors, that suffers strongly from justified untrust regarding
the security of their network, didn't managed from years to secure their
devices ???
GSM technology is far less secure than standard wireless (!!), the thing
is that the hardware (antennas) is less common and not so "handy" too, but
with the new smartphones it could become really interessting ...
Other experiences I had (through customers) was that devices from
different vendors were poorly interoperating (limited distance, rapid
performance degradation, ...) and that it was very limited when used in
a armed concrete building or even an old traditional house, made of
stone. Also, with accessible Gigabit Ethernet devices and switches, and
DSL+ technology (bringing up to 25 Mb/s Internet connection soon), I
think current wireless technology (802.11G) is really limited: the
standard specify 54 Mb/s _*shared*_ bandwidth on each of the three
channels. Knowing that only three channels is too few to garantee the
usability of the technology in all topologies, don't expect to use more
than one such channel. Compare 54 Mb/s (maximum theorical shared
bandwidth) with 1000 Mb/s switched, there's no hesitation.
well mobility is a BIG argument ...
As already explained in this mailing-list, if you really need this
technology, consider the wireless segment as opened, put firewalls at
each connecting point, and establish VPN on this unsecure link. Good luck.
/"How to make people aware of the dangers ?"
/
If the people you are speaking aobut are using Internet Explorer on
Windows connected to the Internet, I don't see the point of warning them
about the dangers of wireless technology... They are already opened to
the world !
FUD
Cegecom made a PLC (Power Line Carrier) test in Luxembourg around 2000.
They connected a village through the power outled to the Internet. No
possible check about the amount of connection using each home access
point. No filtering at all. Not even a network topology separating the
homes. In this case, when you clicked on 'Network Neighborhood", you had
really a picture of your neighborhood's network ! Amazing ! So what's
wrong with opened wireless networks ???
in 2000 the data protection law was not in place in Luxembourg, that could
have drastically changed their approach
By the way, this mailing-list and club is not about Linux but about free
software in general, opened to other near technologies, such as
OpenSource and BSD.
Paulo Ribeiro a écrit :
> Hi everybody,
>
> This has little to do with Linux but more with security. If this
> request is off topic, simply diregard it and I won't do it again, I
> promise :).
>
> As the Lilux people seem to have legal knowledge about things in
> Luxembourg and great ideas/advices on how things work with government,
> I thought I could ask this here.
>
> I happened to bump into two 15/16 year old guys who were wardriving in
> my "Cite". I was quite impressed. Actually, they were by foot. One
> holding the PC and the antenna, the other holding a piece of paper
> probably writing the details of their discoveries.
>
> Well, this is only my personal opinion but I cannot help myself and
> think about what they would do if they found an unprotected network.
>
> My questions are:
> How to make people aware of the dangers?
> Write to the city hall to ask them to produce a small piece of paper
> and put it into people's brief cases?
> Organize some kind of event? with whom? by whom? Maybe this was
> already done?
> Are there organizations that care about those awarness programs and
> would be glad to help?
> Does anybody know if foreign governments have such programs?
Some answers ...
The ministry of economy has a "new" project (CASES) that has the aim to
raise awareness rlated to NIS (Network and Information Security). It's
website www.cases.lu is the national NIS portal, and bytheway I'm the
project manager ;)
We (CASES) are thinking about this for sometime now and will probably have
a large campaign about wireless this year in collaboration with the CNPD
(National data protection comittee, www.cnpd.lu) which probably will
include a wardriving ... it's too early to say more.
Another group I know that did wardriving stuff and published their "study"
is the CLUSSIL (www.clussil.lu) in collboration with CSRRT-LU
(www.csrrt.org.lu) (I'm also a member of both ;).
I could continue writing pages, cause security is my job, but well I hope
this helps for the start...
ciao,
pst
As you see, I don't know much but I was willing to try something.
Thanks for any suggestions/advices/ideas :)
Paulo
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
--
Brent Frère
Private e-mail: Brent(a)BFrere.net
Postal address: 5, rue de Mamer
L-8280 Kehlen
Grand-Duchy of Luxembourg
European Union
Mobile: +352-021/29.05.98
Fax: +352-26.30.05.96
Home: +352-307.341
URL: http://BFrere.net
If you have problem with my digital signature, please install the
appropriate authority certificate by browsing
https://www.cacert.org/certs/root.crt.
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
7206
days inactive
7207
days old
2 comments
3 participants
participants (3)
-
Brent Frère -
pascal.steichen@lilux.lu -
Paulo Ribeiro