Wireless
August 15, 2002
What the FBI Doesn't Get (About Wireless Security)

A week or two ago, the FBI got freaked out about wireless networks.

Their conclusions were confused, at best. Luckily Paul Holman, Theodore Pham,
Merin McDonell, and Skyler Fox had a nice mailing list thread to help put everything into perspective.

Thanks to Paul, Theodore, Merin, and Skyler for giving me permission to publish this email exchange intact.

(Theodore Pham) Say I forget my wallet containing my credit cards in a restaurant. Wardriving/warchalking is essentially posting a sign saying my wallet is sitting there out in the open and it contains credit cards. That signage in and of itself is NOT THEFT. But the moment someone uses my credit cards without my specific permission IS THEFT. My credit cards should NOT be considered a public resource just because I FORGOT to put my wallet back in my pocket out of public access.


(Merin McDonell) I think your wallet analogy is wrong. I think an apple tree is better. You have a nice big apple tree in your back yard and the apples fall in your neighbor's yard and in the alley. Is it a crime if people eat the apples that are on the ground and off your property? If you DON'T want anyone to eat any of the apples that grew on your tree, if for some reason you need all 347 apples, you could trim your tree so that all the branches end right on your property line and all of the apples would fall in your yard. Done.

Original letter sent out by FBI

From: Bill Shore [mailto:billshore@fbi.gov]
Sent: Monday, July 08, 2002 9:56 AM
To: billshore@fbi.gov
Subject: Wireless networks - Warchalking/Wardriving

It has recently been brought to my attention that
individuals/groups have been actively working in the Pittsburgh area as
well as other areas of the United States including Philadelphia, and
Boston, and the rest of the world for that matter, to identify locations
where wireless networks are implemented. This is done by a technique
identified as "Wardriving." Wardriving is accomplished by driving around
in a vehicle using a laptop computer equipped with appropriate hardware
and software http://www.netstumbler.com/ to identify wireless networks
used in commercial and/or residential areas. Upon identifying a wireless
network, the access point can be marked with a coded symbol, or
"warchalked." This symbol will alert others of the presence of a wireless
network. The network can then be accessed with the proper equipment and
utilized by the individual(s) to access the Internet, download email, and
potentially compromise your systems. In Pittsburgh, the individuals are
essentially attempting to map the entire city to identify the wireless
access points, see here,

http://mapserver.zhrodague.net/cgi-bin/mapserv?mode=browse&layer=all&layer=quadsheets&layer=borough&layer=roads&layer=ap&zoomdir=1&zoomsize=2&imgxy=458+165&imgext=-80.175489+40.268422+-79.733217+40.621536&map=%2Fmnt%2Fhog%2Fwebsites%2Fmapserver%2Fpublic_html%2Fpa%2Fpgh.map&savequery=true&program=%2Fcgi-bin%2Fmapserv&map_web_imagepath=%2Fmnt%2Fhog%2Fwebsites%2Fmapserver%2Fpublic_html%2Ftmp%2F&map_web_imageurl=%2Ftmp%2F&img.x=250&img.y=197.


Also, check this article from pghwireless.com,
http://www.pghwireless.com/modules.php?name=News&file=article&sid=19

Identifying the presence of a wireless network may not be a
criminal violation, however, there may be criminal violations if the
network is actually accessed including theft of services, interception of
communications, misuse of computing resources, up to and including
violations of the Federal Computer Fraud and Abuse Statute, Theft of Trade
Secrets, and other federal violations. At this point, I am not aware of
any malicious activity that has been reported to the FBI here in
Pittsburgh, however, you are cautioned regarding this activity if you have
implemented a wireless network in your business. You are also highly
encouraged to implement appropriate wireless security practices to protect
your information assets,
http://www.cert.org/research/isw/isw2001/papers/Kabara-31-08.pdf

There are several articles available with additional details
including http://www.warchalking.org as well as
http://www.pghwireless.com. A copy of the coding symbols is
attached in .pdf format. If you notice these symbols at your place of
business, it is likely your network has been identified publicly.

If you believe you may have been compromised or if you have any
questions regarding this activity, you are encouraged to contact the
appropriate law enforcement agency. The FBI office in Pittsburgh and High
Tech Crimes Task Force can be contacted at 412-432-4000.

Bill Shore
Special Agent
FBI-Pittsburgh
3311 East Carson Street
Pittsburgh, PA 15203
412-432-4395
billshore@fbi.gov

Letter from Paul Holman to Bill Shore

To: billshore@fbi.gov
From: Paul Holman <pablos@shmoo.com>
Subject: [XGEEKS] Wireless networks - Warchalking/Wardriving

Bill,

Blocking public access to a wireless access point is a simple matter
of configuration. While this measure will not provide a great deal
of security, it is enough to stop casual surveillance and abuse of
resources.

As both an active member of community wireless networking
initiatives, and an expert on internet security, I would encourage
the FBI, and all other entities to consider open access points as a
shared resource available to all. Anyone not wishing to share their
resources can easily prevent it using the various controls built into
all wireless access points.

Drawing the line here is both practical and rational. It requires no
further legislation, no technical development, and affords the
greatest flexibility for innovation and exploration of how we can all
benefit from wireless networking technology.

Please feel free to contact me with any questions about this
approach. If you're interested, I'm happy to expand on any aspect of
wireless network security.

Thanks,

pablos.
--
Paul Holman
The Shmoo Group
pablos@shmoo.com
415.420.3806


From: "Theodore Pham" <telamon@roguesolutions.com>
To: <dev@seattlewireless.net>, <billshore@fbi.gov>
Cc: <xgeeks@lists.soma.net>, <tsg@shmoo.com>, <dev@seattlewireless.net>
Subject: [XGEEKS] Re: Wireless networks - Warchalking/Wardriving

With all due respect Paul, I think you are missing the point.

NOT everyone who owns and operates a wireless network has the technical
savvy to understand the implications of the way they configure their
wireless equipment. The rapid growth and popularity of wireless networks
has been a direct result of the dropping prices of equipment and the ease
with which this equipment can be installed.

Being a wireless networking consultant in the Pittsburgh area, and having
experimented with Netstumbler to map out channel usage (for the purposes of
evaluating the feasibility of a shared, potentially commercial, wireless
network) I find that the majority of networks are set up with NO type of
public access blocking AND with the DEFAULT out of the box parameters. As a
reseller of wireless networking equipment, I find most of my customers have
LITTLE TO NO idea that by just plugging one of these boxes into their DSL or
cable line they are making their networks open to the world. They choose
wireless networking for the simplicity and aesthetic values.

The fact of the matter is that wireless equipment is connected to some type
of internet connection and that connection is paid for by the owner of the
wireless equipment. I have always been of the opinion that the use of any
resource I have NOT paid for or been given SPECIFIC PERMISSION to use is
THEFT.

Say I forget my wallet containing my credit cards in a restaurant.
Wardriving/warchalking is essentially posting a sign saying my wallet is
sitting there out in the open and it contains credit cards. That signage in
and of itself is NOT THEFT. But the moment someone uses my credit cards
without my specific permission IS THEFT. My credit cards should NOT be
considered a public resource just because I FORGOT to put my wallet back in
my pocket out of public access.

If you want to allow public access to your wireless network, then that is
your choice and I encourage you to post some signage indicating that fact.
And for your sake I would also post some terms of service for those who
would seek to use your wireless network for malicious purposes.

Sincerely,
Theodore Pham
Rogue Solutions


Subject: Re: [XGEEKS] Re: Wireless networks - Warchalking/Wardriving
From: "Merin McDonell" <merin@merin.net>
To: Theodore Pham <telamon@roguesolutions.com>
CC: xgeeks@soma.net

I'm not at all savvy about this kind of technical stuff, so in this case I
feel especially qualified to reply. I'm just a dumb user, however every
program I use has to be configured and you can choose whether or not you
have a password to access it. So...if I were to venture to set up a wireless
network, which I can't believe is so easy to install, I'd be sure to look at
the directions since it is, uh, wireless, and I get the concept that it
doesn't stop at the walls of my house.

I think your wallet analogy is wrong. I think an apple tree is better. You
have a nice big apple tree in your back yard and the apples fall in your
neighbor's yard and in the alley. Is it a crime if people eat the apples that
are on the ground and off your property? If you DON'T want anyone to eat any
of the apples that grew on your tree, if for some reason you need all 347
apples, you could trim your tree so that all the branches end right on your
property line and all of the apples would fall in your yard. Done.
______________________________________________________________________
* Merin McDonell * Graphic Designer * 415-826-3500 * mm@merin.net*


From: "skyler fox" <skyler_fox@hotmail.com>
To: <billshore@fbi.gov>
Cc: <xgeeks@lists.soma.net>, <tsg@shmoo.com>
Subject: Re: [XGEEKS] Re: Wireless networks - Warchalking/Wardriving


I find the argument that digital access, and the access to your wallet are
similar, quite confusing. In one case we are talking about a resource that
exists in time (access to the network) and in the other, access to a limited
and irreplaceable resource (your cash). Only in the most remote circumstances
will someone surfing the net on your wireless network translate into any
loss that you would be cognizant of. I understand that people pay money to
have DSL access in their home, I pay the current exorbitant rate myself. But
it would take a herd of hackers to impact the usage I put on the line. In
fact most times during the day, the system is idle. You could make the
argument, which the Telco industry would hate, that communal use of a single
DSL line makes more sense than over-amping a single house.

There is certainly no excuse for a corporate network to be exposed. Any
company that does not control its network and computers is guilty of
malfeasance. It would be on the order of not locking the door.

You are right that most people are ignorant of what is necessary to protect
their line, but as we have seen all through the computer revolution, there
is a price to be paid for the power the computer gives you.

*****

Theodore,

I think you may have dropped this conversation already, but just in
case, I'll complete my discussion here. The crux of our disagreement is
where to draw the line on how you advertise/explain/discover/determine
policy. Based on the current state of the technology, and societal
issues in play, I'm suggesting that we draw the line where it is most
practical. If a wireless network is configured to allow association and
provide an internet connection, then it should be construed as something
intended to do that. You are actually advocating the same thing, but
with a "fail closed" social/legal policy rather than my "fail open"
approach. To make that happen, you want the burden to be on those
running free networks to advertise them as such. The current technology
doesn't cleanly support this, and I prefer the burden to be on those
running closed wireless networks to keep them that way. This is how it
works for web servers, and all the issues about what happens when things
go wrong are covered by legislation/policies/social norms that are out of
band from this issue.

Thanks for the discussion, I had been meaning to bring this issue up.

pablos.

On Monday, August 5, 2002, at 09:58 PM, Theodore Pham wrote:
>
> Again, you are confusing access to a resource with LEGAL USE of a resource.
> Yes, most web servers are meant to be a public resource and yes some block
> access to only authorized individuals. But consider what happens if
> Microsoft tomorrow accidentally posts a portion of the Windows XP source
> code on their website? Are you allowed to use it? Are you allowed to
> incorporate it into your products because you just happen to have gotten
> access to the code? If you park your car on a public road and leave it
> unlocked accidentally, is it legal for me to jump in and drive away with it?
> If someone hacks into an online store and posts their credit card database on
> the front page of the store, am I allowed to use the credit card numbers?
> ACCESS DOES NOT ENTITLE AUTHORIZED USE.
>
> It costs me money to have a SDSL line run into my house. And that SDSL line
> and the associated wireless network are a resource I OWN. If I wish to
> leave the whole dang network open for my ease of use, does the network still
> belong to me? YES. Does that give you the right to use my property without
> first asking me? NO. I might say yes, I'll kindly let you use this. Or
> no, I don't want you using my network. But in the end that is my decision
> and I don't waive that right just because I choose or forget to put a lock
> on it.
>
>> On wireless security:
>>
>> A typical wired network is wildly insecure, adding a wireless access
>> point with all the security features enabled (WEP, MAC auth, etc.) would
>> reduce security. So most APs are put outside a firewall. In this case,
>> association with the AP would provide internet access and nothing more.
>> Surveillance of the network does not require association. In a typical
>> home or office network that has no firewall, adding a wireless AP for
>> convenience without thinking of security will be a liability. I contend
>> that the security implications are not affected by whether users
>> associate and use the network connection. If the AP is unsecured, your
>> network is insecure, and no law can save you.
>
> Yes, not securing your network is a liability to the owner of the network.
> I'm not arguing that it isn't.
> I'm not arguing with you over security at all. But your statement is that
> ANY resource which IS NOT SPECIFICALLY restricted should become a public
> resource. This is where I think you miss the point. I believe the
> statement should be ANY resource SPECIFICALLY ADVERTISED as public should be
> considered a public resource. I don't think my attaching a wireless AP to
> my network and choosing NOT to secure or FORGETTING to secure it should be
> taken to mean I'm SPECIFICALLY ADVERTISING it as public.
>
>> On fixing security:
>>
>> Wireless networking equipment vendors should be lobbied to fix WEP,
>> implement captive portal (NoCatAuth) functionality, and enable these
>> features by default. Almost all of them have horrible management tools,
>> these should be drastically improved for usability. Organizations
>> concerned about security should learn that the issues on wireless
>> networks are the same as for wired networks, just magnified. The same
>> approach needs to be taken in order to make significant security gains.
>> Use strong authentication and encrypted protocols. WEP doesn't count.
>> VPNs, SSH & SSL do. Anything less will only serve to give users a
>> false sense of security.
>
> I agree. Any organization worried about its information should take the
> precautions to preserve and secure it commensurate with the value of the
> information. But again, I'm not arguing with you over how secure or
> insecure wireless is.
>
>> On free access:
>>
>> When you are walking or driving around, how often do you see a license
>> agreement posted to indicate where you can go? Probably never. You go
>> wherever you want because there are roads and paths that just happen to
>> be accessible. You don't know what is public and what is private land,
>> you just make reasonable guesses. If somebody doesn't want you on their
>> roads, or their property, then they post signs telling you not to go
>> there. Or gates and fences, or walls, maybe even towers with machine
>> guns. It turns out you can drive coast to coast, on almost any
>> continent, without reading a single license agreement that tells you
>> where you can go. You just avoid the ones that tell you where you can't
>> go. I'm fine with that. I'd like to have my internet access work the
>> same way.
>
> How often do you drive through someone's backyard on your way to work? Just
> because there isn't a fence there and just because your car is capable of
> driving over their lawn, do you? I don't see a sign that says DON'T DRIVE
> THROUGH MY LAWN posted, but I don't take that to mean that I can. In fact,
> I don't recall ever driving on a private road where I haven't done so
> INTENTIONALLY without permission of the owner or without paying a toll.
>
>> Lastly, it is important to understand that the current wireless
>> protocols have no mechanism for communicating their usage policy. The
>> way it works today, you wave your laptop around, connect to a network
>> and see if it works. Prior to that it is impossible to know if it is a
>> free network. Wardriving and Warchalking are legitimate ways to
>> find/test/use free wireless networks and we should keep it that way.
>
> I agree that wardriving and warchalking can be legitimately used to
> find/test/use wireless networks. But I think there must be some protocol
> established to contact the owner of the network in question and ask their
> permission BEFORE you go and ADVERTISE their network as freely accessible.
> I don't own your house, but just because I can see it and take photos of it,
> does that mean I can rent it out for a party or place it on the market for
> sale? Basically, if you want to use what possibly could be a public
> resource, EXPEND THE EXTRA EFFORT TO FIND OUT IF IT IS REALLY PUBLIC.
>
>> Thanks, pablos.
>>
>> Paul Holman deployed the first SeattleWireless Community Network link
>> <http://www.seattlewireless.net> and is a member of The Shmoo Group of
>> security, crypto & privacy professionals <http://www.shmoo.com>. The
>> Shmoo Group builds AirSnort for demonstrating the limitations of WEP
>> security and created the Global Access Wireless Database (GAWD), the
>> first online database of open wireless access points.
>>
>> On Monday, August 5, 2002, at 06:09 PM, Theodore Pham wrote:
>>
>>> With all due respect Paul, I think you are missing the point.
>>>
>>> NOT everyone who owns and operates a wireless network has the technical
>>> savvy to understand the implications of the way they configure their
>>> wireless equipment. The rapid growth and popularity of wireless networks
>>> has been a direct result of the dropping prices of equipment and the ease
>>> with which this equipment can be installed.
>>>
>>> Being a wireless networking consultant in the Pittsburgh area, and having
>>> experimented with Netstumbler to map out channel usage (for the purposes of
>>> evaluating the feasibility of a shared, potentially commercial, wireless
>>> network) I find that the majority of networks are set up with NO type of
>>> public access blocking AND with the DEFAULT out of the box parameters. As a
>>> reseller of wireless networking equipment, I find most of my customers have
>>> LITTLE TO NO idea that by just plugging one of these boxes into their DSL or
>>> cable line they are making their networks open to the world. They choose
>>> wireless networking for the simplicity and aesthetic values.
>>>
>>> The fact of the matter is that wireless equipment is connected to some type
>>> of internet connection and that connection is paid for by the owner of the
>>> wireless equipment. I have always been of the opinion that the use of any
>>> resource I have NOT paid for or been given SPECIFIC PERMISSION to use is
>>> THEFT.
>>>
>>> Say I forget my wallet containing my credit cards in a restaurant.
>>> Wardriving/warchalking is essentially posting a sign saying my wallet is
>>> sitting there out in the open and it contains credit cards. That signage in
>>> and of itself is NOT THEFT. But the moment someone uses my credit cards
>>> without my specific permission IS THEFT. My credit cards should NOT be
>>> considered a public resource just because I FORGOT to put my wallet back in
>>> my pocket out of public access.
>>>
>>> If you want to allow public access to your wireless network, then that is
>>> your choice and I encourage you to post some signage indicating that fact.
>>> And for your sake I would also post some terms of service for those who
>>> would seek to use your wireless network for malicious purposes.
>>>
>>> Sincerely,
>>> Theodore Pham
>>> Rogue Solutions
>>>
>>>
>>> ----- Original Message -----
>>> From: "Paul Holman" <pablos@shmoo.com>
>>> To: <billshore@fbi.gov>
>>> Cc: <xgeeks@lists.soma.net>; <tsg@shmoo.com>;
>>> <dev@seattlewireless.net>
>>> Sent: Monday, August 05, 2002 8:19 PM
>>> Subject: Wireless networks - Warchalking/Wardriving
>>>
>>>
>>>> Bill,
>>>>
>>>> Blocking public access to a wireless access point is a simple matter of
>>>> configuration. While this measure will not provide a great deal of
>>>> security, it is enough to stop casual surveillance and abuse of resources.
>>>>
>>>> As both an active member of community wireless networking initiatives,
>>>> and an expert on internet security, I would encourage the FBI, and all
>>>> other entities to consider open access points as a shared resource
>>>> available to all. Anyone not wishing to share their resources can
>>>> easily prevent it using the various controls built into all wireless
>>>> access points.
>>>>
>>>> Drawing the line here is both practical and rational. It requires no
>>>> further legislation, no technical development, and affords the greatest
>>>> flexibility for innovation and exploration of how we can all benefit
>>>> from wireless networking technology.
>>>>
>>>> Please feel free to contact me with any questions about this approach.
>>>> If you're interested, I'm happy to expand on any aspect of wireless
>>>> network security.
>>>>
>>>> Thanks,
>>>>
>>>> pablos.
--
Paul Holman
The Shmoo Group
pablos@shmoo.com
415.420.3806


Posted by Lisa at August 15, 2002 10:09 AM
Comments

Lisa, that's one hell of a long blogjob. - pablos.

Posted by: Paul Holman on August 15, 2002 02:16 PM