just noticed on the AT&T website
that it appears that if you have DSL,
your account settings should work with WiFi
at McDonalds... and some other locations.
On Oct 31, 6:23 pm, "P.Schuman" <pschuman_NO_SPAM...@interserv.com>
wrote:
> just noticed on the AT&T website
> that it appears that if you have DSL,
> your account settings should work with WiFi
> at McDonalds... and some other locations.
In the past it was a $1.99 per month add-on to your SBC DSL account,
but last month it went for free. If you only have SBC dial-up, it was
$20; but I don't know if that has changed.
P.Schuman <pschuman_NO_SPAM_ME@interserv.com> wrote:
> just noticed on the AT&T website that it appears that if you have DSL,
> your account settings should work with WiFi at McDonalds... and some
> other locations.
The search page offers both "basic" and "premier" locations.
> I'm guessing there is a signon webpage,
> and you merely supply your ATT/SBC/DSL info & password.
There's a very McDonald's-like captive portal screen with an AT&T login
button and a Waypoint login... I forget what else.
The name and password used to authenticate your DSL connection is the same
that you use at McDonald's.
If you forget to launch a new browser, you seem to get an IP address that
is heavily filtered.
My DSL account doesn't seem to match the requirements for free WiFi access,
but it worked, and I didn't do any other signup. The SSID "attwifi" is
available for free. Other partners are only available at additional cost,
with the at&t premier package, I think. Or maybe they are all free now.
> The name and password used to authenticate your DSL connection is the same
> that you use at McDonald's.
Great, a whole new way for users to lose the security of their account.
Sniff the wifi traffic and then go hack the users' e-mail, web and other ISP
services. Then start hitting the other stuff because the same
account/password is what they used on a whole bunch of other services.
On Wed, 31 Oct 2007 20:23:32 -0400, "Bill Kearney"
<wkearney-99@hot-mail-com> wrote in
<8ZCdnU1tF6YZgbTanZ2dnUVZ_veinZ2d@speakeasy.net> :
>> The name and password used to authenticate your DSL connection is the same
>> that you use at McDonald's.
>
>Great, a whole new way for users to lose the security of their account.
>Sniff the wifi traffic and then go hack the users' e-mail, web and other ISP
>services. Then start hitting the other stuff because the same
>account/password is what they used on a whole bunch of other services.
>
>Gee, thanks but no...
Why not use VPN? There are a number of good commercial services, in
addition to free (ad supported) Hotspot Shield.
--
Best regards,
John Navas
FAQ for Wireless Internet: <http://Wireless.wikia.com>
FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
>> The name and password used to authenticate your DSL connection is the same
>> that you use at McDonald's.
>
>Great, a whole new way for users to lose the security of their account.
>Sniff the wifi traffic and then go hack the users' e-mail, web and other ISP
>services. Then start hitting the other stuff because the same
>account/password is what they used on a whole bunch of other services.
The login screens are SSL encrypted, so the logins are not going to be
sniffed. However, the traffic is not encrypted, so a VPN is
recommended.
<http://www.mcdonalds.com/wireless/find_hotspot/unitedstates/faq/technology.html>
>Gee, thanks but no...
What I find amusing (or disgusting) is that any wireless provider that
has a functional authentication server, such as AT&T obviously does,
can also provide RADIUS based authentication, which the typical
wireless client has no problem using. The client and access point can
then be issued a unique one time WPA-RADIUS encryption key, and all
the traffic is encrypted.
On Wed, 31 Oct 2007 19:27:29 -0700, Jeff Liebermann <jeffl@cruzio.com>
wrote in <mbdii3lihs4orppiusdjdj6ulullfmpalq@4ax.com>:
>What I find amusing (or disgusting) is that any wireless provider that
>has a functional authentication server, such as AT&T obviously does,
>can also provide RADIUS based authentication, which the typical
>wireless client has no problem using. The client and access point can
>then be issued a unique one time WPA-RADIUS encryption key, and all
>the traffic is encrypted.
I suspect the issue is support -- it's bad enough when users can connect
automatically, and it's a nightmare to support the handing out and use
of one-time keys.
--
John Navas
John Navas <spamfilter1@navasgroup.com> hath wroth:
>On Wed, 31 Oct 2007 19:27:29 -0700, Jeff Liebermann <jeffl@cruzio.com>
>wrote in <mbdii3lihs4orppiusdjdj6ulullfmpalq@4ax.com>:
>
>>What I find amusing (or disgusting) is that any wireless provider that
>>has a functional authentication server, such as AT&T obviously does,
>>can also provide RADIUS based authentication, which the typical
>>wireless client has no problem using. The client and access point can
>>then be issued a unique one time WPA-RADIUS encryption key, and all
>>the traffic is encrypted.
>
>I suspect the issue is support -- it's bad enough when users can connect
>automatically, and it's a nightmare to support the handing out and use
>of one-time keys.
That's not exactly the way it would (should?) work. The RADIUS server
delivers the encryption key to both the access point and the client. I
have WPA-RADIUS working at several installations without any
modifications to the client computer. In all cases, the user is
issued a login and password, which are also entered in the RADIUS
server. Administering this is a PITA for a small coffee shop, but
AT&T already does everything that's necessary for their DSL customers,
so there's no added effort involved. The only changes are to convince
AT&T and Wayport to consolidate their authentication methods and to
enable WPA-RADIUS in their wireless access points. That can't be done
at this time because of bureaucracy and more important, because the
access point will not handle multiple encryption modes (WPA-RADIUS and
unencrypted). Two access points would solve that problem, but that's
a major expense that's probably not justified.
> For just the McDonald's locations with wireless, see:
> <http://www.mcdonalds.com/usa/rest_locator.html>
Why would you want to overlook the others?
As I was sitting in the McDonald's parking lot, I found several WAPs, some
with names that might indicate they were quite a ways away, maybe 1/4 mile
or more. McDonald's, Burger King, Kentucky Fried Chicken, and a couple of
"locked" with familiar business names that I didn't think were even in the
immediate vicinity.
--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
On Wed, 31 Oct 2007 23:30:37 -0700, Jeff Liebermann <jeffl@cruzio.com>
wrote in <g6sii31k4dnhu955ke87n9o82vjgtopqr8@4ax.com>:
>John Navas <spamfilter1@navasgroup.com> hath wroth:
>
>>On Wed, 31 Oct 2007 19:27:29 -0700, Jeff Liebermann <jeffl@cruzio.com>
>>wrote in <mbdii3lihs4orppiusdjdj6ulullfmpalq@4ax.com>:
>>
>>>What I find amusing (or disgusting) is that any wireless provider that
>>>has a functional authentication server, such as AT&T obviously does,
>>>can also provide RADIUS based authentication, which the typical
>>>wireless client has no problem using. The client and access point can
>>>then be issued a unique one time WPA-RADIUS encryption key, and all
>>>the traffic is encrypted.
>>
>>I suspect the issue is support -- it's bad enough when users can connect
>>automatically, and it's a nightmare to support the handing out and use
>>of one-time keys.
>
>That's not exactly the way it would (should?) work. The RADIUS server
>delivers the encryption key to both the access point and the client. I
>have WPA-RADIUS working at several installations without any
>modifications to the client computer.
Trust me, I know how it is supposed to work. ;)
>In all cases, the user is
>issued a login and password, which are also entered in the RADIUS
>server. Administering this is a PITA for a small coffee shop, but
>AT&T already does everything that's necessary for their DSL customers,
>so there's no added effort involved.
The real effort is support, because lots of people don't know what to
do, or simply forget their credentials (or worse, post their credentials
on a PostIt Note for everyone to see).
>The only changes are to convince
>AT&T and Wayport to consolidate their authentication methods and to
>enable WPA-RADIUS in their wireless access points. That can't be done
>at this time because of bureaucracy and more important, because the
>access point will not handle multiple encryption modes (WPA-RADIUS and
>unencrypted). Two access points would solve that problem, but that's
>a major expense that's probably not justified.
What's really needed is to train users in authentication, but that just
ain't gonna happen, so there's really no point to messing that way.
Surely you know how expensive support is. ;)
--
John Navas
>Jeff Liebermann <jeffl@cruzio.com> wrote:
>> dold@22.usenet.us.com hath wroth:
>
>> >I use http://www.jiwire.com/search-hotspot-locations.htm for my searches.
>
>> For just the McDonald's locations with wireless, see:
>> <http://www.mcdonalds.com/usa/rest_locator.html>
>
>Why would you want to overlook the others?
Sorry. That wasn't my intention. The thread was about McDonald's and
I thought it would be more relevant to use the McDonalds wireless
search page.
>As I was sitting in the McDonald's parking lot, I found several WAPs, some
>with names that might indicate they were quite a ways away, maybe 1/4 mile
>or more. McDonald's, Burger King, Kentucky Fried Chicken, and a couple of
>"locked" with familiar business names that I didn't think were even in the
>immediate vicinity.
That's odd. There are 4 McDonald's in the People's Republic of Santa
Cruz County. All of them have limited range. I can just barely use
them in their own parking lot (without additional antenna gain). My
guess(tm) is that Wayport has intentionally turned down the power on
their transmitters to limit range to the premises. I've seen the same
at some other hot spots. Several that I maintain have the tx power
turned down to 10mw. However, I've given up eating junk food, so I
don't know if it's universal among their installations.
John Navas <spamfilter1@navasgroup.com> hath wroth:
>Trust me, I know how it is supposed to work. ;)
In God we trust. Everyone else pays cash.
I'm not sure I completely understand how RADIUS authentication really
works. As usual, setting up RADIUS wireless authentication turned
into a major project. The SQL server was my major challenge. I even
read the instructions. I eventually made it work, but ended up with
more questions on how it works, than answers.
List of RADIUS servers:
<http://en.wikipedia.org/wiki/List_of_RADIUS_Servers>
>The real effort is support, because lots of people don't know what to
>do, or simply forget their credentials (or worse, post their credentials
>on a PostIt Note for everyone to see).
Passwords suck. I've degenerated into becoming an archive for my
customers' passwords, a rather dangerous and wasted exercise. I'm
somewhat of a fan of X.509 authentication, with a USB dongle
containing the certificates, but even that's become a mess, with my
medical office customers, when someone forgets their dongle at home. I
have some hope that the growing use of thumbprint identification will
eliminate the password management problem.
>>The only changes are to convince
>>AT&T and Wayport to consolidate their authentication methods and to
>>enable WPA-RADIUS in their wireless access points. That can't be done
>>at this time because of bureaucracy and more important, because the
>>access point will not handle multiple encryption modes (WPA-RADIUS and
>>unencrypted). Two access points would solve that problem, but that's
>>a major expense that's probably not justified.
>
>What's really needed is to train users in authentication, but that just
>ain't gonna happen, so there's really no point to messing that way.
Nope. You missed my point. The problem I'm trying to solve is
prevent wireless sniffing of hot spot traffic. If the traffic were
encrypted with a unique one time WPA key delivered by a RADIUS server,
sniffing would be impossible. I have a 2nd experimental access point
running this way at a customer's, and so far, it's working.
>Surely you know how expensive support is. ;)
Nope. I rarely pay for support. However, the customers that call me
on their cell phone, while sitting at a random wireless hot spot,
asking how to login or connect, certainly know how expensive I can be.
>>What's really needed is to train users in authentication, but that just
>>ain't gonna happen, so there's really no point to messing that way.
>
>Nope. You missed my point. The problem I'm trying to solve is
>prevent wireless sniffing of hot spot traffic. If the traffic were
>encrypted with a unique one time WPA key delivered by a RADIUS server,
>sniffing would be impossible. I have a 2nd experimental access point
>running this way at a customer's, and so far, it's working.
I think you've missed my point. What you propose requires messing with
authentication on the client computer -- it doesn't work that way out of
the box.
--
John Navas
John Navas <spamfilter1@navasgroup.com> hath wroth:
>On Thu, 01 Nov 2007 19:03:23 -0700, Jeff Liebermann <jeffl@cruzio.com>
>wrote in <gg0li35j89eic0ni9ofrsfcmkit7hghcec@4ax.com>:
>
>>John Navas <spamfilter1@navasgroup.com> hath wroth:
>
>>>What's really needed is to train users in authentication, but that just
>>>ain't gonna happen, so there's really no point to messing that way.
>>
>>Nope. You missed my point. The problem I'm trying to solve is
>>prevent wireless sniffing of hot spot traffic. If the traffic were
>>encrypted with a unique one time WPA key delivered by a RADIUS server,
>>sniffing would be impossible. I have a 2nd experimental access point
>>running this way at a customer's, and so far, it's working.
>I think you've missed my point. What you propose requires messing with
>authentication on the client computer -- it doesn't work that way out of
>the box.
If you enable WPA-RADIUS on the access point, and AT&T goes to RADIUS
authentication, then there are no changes that need to be made on the
client end.
All current wireless clients auto detect the method of authentication,
and supply a corresponding dialog box for login if required. The user
types in the login and password and that's all. Both the access point
and the client get a unique WPA key from the RADIUS server, for the
session, which makes it secure. If the system operators need a "Click
OK to assume responsibility" splash page, it can be presented AFTER
the login, and not before as is currently the practice.
I do agree that it doesn't work the way I describe "out of the box".
It requires some configuration on the access point, in addition to the
RADIUS server and SQL server. There's also the nightmare of user
password administration. However, once this is done, a hot spot user,
with an existing account, can simply walk in with a laptop that has no
additional software, login/authenticate via RADIUS, and have a secure
and encrypted wireless connection. At least that's the way I've
experienced it.
What part of the WPA-RADIUS login process doesn't work the way I
described? I did have to manually tinker with the "key supplied by
server" setting with XP Wireless Zero Config, but that was fixed when
I installed some updates. The Buffalo, Netgear, and DLink clients all
connected without this added step. Also, I had a problem when I
changed a user's password, as WZC just complained that the login
failed, but didn't bother to supply a new login dialog. That's
apparently a WZC bug as the other clients did it right.
So, what part of the WPA-RADIUS login and authentication process
doesn't work the way I described with the stock XP clients? Note that
I'm not talking about the existing McDonalds/AT&T/Wayport system,
which doesn't use WPA-RADIUS.
>>I think you've missed my point. What you propose requires messing with
>>authentication on the client computer -- it doesn't work that way out of
>>the box.
>
>If you enable WPA-RADIUS on the access point, and AT&T goes to RADIUS
>authentication, then there are no changes that need to be made on the
>client end.
The "changes" are that the user has to remember and type in a userid and
password, which will result in many more support issues. With an open
system it just connects automatically. With WPA-PSK, it's configured
once and then never again. With VPN, most clients can be configured
once and then never again.
>... There's also the nightmare of user
>password administration.
And that's my point. Not to mention credentials written down and pasted
on the computer for all to see. Can you say "false sense of security"?
;)
>However, once this is done, a hot spot user,
>with an existing account, can simply walk in with a laptop that has no
>additional software, login/authenticate via RADIUS, and have a secure
>and encrypted wireless connection. ...
Sure, but I've personally had better luck with VPN, which can be
configured once, works anywhere, not just on specific hotspots, and can
even be configured to engage automatically.
>What part of the WPA-RADIUS login process doesn't work the way I
>described? I did have to manually tinker with the "key supplied by
>server" setting with XP Wireless Zero Config, but that was fixed when
>I installed some updates. The Buffalo, Netgear, and DLink clients all
>connected without this added step. Also, I had a problem when I
>changed a user's password, as WZC just complained that the login
>failed, but didn't bother to supply a new login dialog. That's
>apparently a WZC bug as the other clients did it right.
All that results in increased support cost.
Again, I personally think VPN is a better idea.
--
John Navas
>>The real effort is support, because lots of people don't know what to
>>do, or simply forget their credentials (or worse, post their credentials
>>on a PostIt Note for everyone to see).
>
>Passwords suck.
Yep!
>I've degenerated into becoming an archive for my
>customers' passwords, a rather dangerous and wasted exercise.
My own policy is to have absolutely nothing to do with client passwords
-- too much liability. When a client forgets a password, I have a new
temporary one generated and sent, with a flag that forces the client to
change it, plus logic to prevent weak passwords.
>I'm
>somewhat of a fan of X.509 authentication, with a USB dongle
>containing the certificates, but even that's become a mess, with my
>medical office customers, when someone forgets their dongle at home.
That problem, plus the problem of security breach if the dongle is lost
or stolen, has discouraged me from using that approach.
>I
>have some hope that the growing use of thumbprint identification will
>eliminate the password management problem.
Me too, but only some hope, since it's still not completely reliable --
still fails too often, and the low end units are still pretty easy to
spoof.
>>What's really needed is to train users in authentication, but that just
>>ain't gonna happen, so there's really no point to messing that way.
>
>Nope. You missed my point. The problem I'm trying to solve is
>prevent wireless sniffing of hot spot traffic. If the traffic were
>encrypted with a unique one time WPA key delivered by a RADIUS server,
>sniffing would be impossible. I have a 2nd experimental access point
>running this way at a customer's, and so far, it's working.
Likewise, except my own preference is for VPN, which is universal (not
just limited to specific hotspots); can be configured once; and set to
work automatically. In addition, I don't have to depend on the local
infrastructure working properly or on the integrity of the local
infrastructure provider. (If possible, I recommend the client having
its own VPN server, as I do.)
--
John Navas
John Navas <spamfilter1@navasgroup.com> hath wroth:
>The "changes" are that the user has to remember and type in a userid and
>password, which will result in many more support issues.
Ok, allow me to propose a dumb compromise. Just hang the WPA-RADIUS
login and password on the wall of the hot spot. Something trivial
like:
login: McDonalds
passwd: free-lunch
Each user now gets an encrypted session. It won't stop someone from
logging in from the neighbors or the parking lot, but the wireless
sessions can't be sniffed and the keys can't be recovered. Of course,
this requires a local RADIUS server, but those are available.
>With an open
>system it just connects automatically. With WPA-PSK, it's configured
>once and then never again. With VPN, most clients can be configured
>once and then never again.
Sure, but you indicated that I was changing the client somehow.
Storing a password isn't changing the client. However, adding a VPN
shim is. Are you somehow suggesting that installing and configuring a
VPN client is somehow superior to just the WPA-RADIUS login and
password? If so, I beg to differ.
>>... There's also the nightmare of user
>>password administration.
>
>And that's my point. Not to mention credentials written down and pasted
>on the computer for all to see. Can you say "false sense of security"?
>;)
YAPTF (yet another password to forget). Fine. Use a trivial login
and password as I suggested above. Nothing to remember, but you get
an encrypted session for free.
>>However, once this is done, a hot spot user,
>>with an existing account, can simply walk in with a laptop that has no
>>additional software, login/authenticate via RADIUS, and have a secure
>>and encrypted wireless connection. ...
>
>Sure, but I've personally had better luck with VPN, which can be
>configured once, works anywhere, not just on specific hotspots, and can
>even be configured to engage automatically.
You haven't tried it my way. I'll admit it's not perfect, but it will
deliver an encrypted session in the end, which eliminates some (not
all) of the benefits of a VPN.
>>What part of the WPA-RADIUS login process doesn't work the way I
>>described? I did have to manually tinker with the "key supplied by
>>server" setting with XP Wireless Zero Config, but that was fixed when
>>I installed some updates. The Buffalo, Netgear, and DLink clients all
>>connected without this added step. Also, I had a problem when I
>>changed a user's password, as WZC just complained that the login
>>failed, but didn't bother to supply a new login dialog. That's
>>apparently a WZC bug as the other clients did it right.
>
>All that results in increased support cost.
If you mean users forgetting their passwords, that's true. There are
various password recovery schemes that seem to be tolerable. It's a
problem, but not a show stopper as the bulk of the users can be
expected to remember their own email password (which is what
McDonalds/AT&T uses).
John Navas <spamfilter1@navasgroup.com> hath wroth:
>>I
>>have some hope that the growing use of thumbprint identification will
>>eliminate the password management problem.
>
>Me too, but only some hope, since it's still not completely reliable --
>still fails too often, and the low end units are still pretty easy to
>spoof.
I got a demonstration of how to use Jello to clone a finger. It took
a few tries, but eventually worked. I've had mine fail after I got my
fingers cut and greasy from working on my SUV engine. I was able to
use the machine using the password protected back door. It was 4 days
before it would again recognize my fingerprint.
>Likewise, except my own preference is for VPN, which is universal (not
>just limited to specific hotspots); can be configured once; and set to
>work automatically. In addition, I don't have to depend on the local
>infrastructure working properly or on the integrity of the local
>infrastructure provider. (If possible, I recommend the client having
>its own VPN server, as I do.)
Not depend on local infrastructure? I wouldn't consider depending on
internet connectivity to be any better. As for complexity, methinks
the RADIUS server is far more complicated than terminating a VPN.
However, the VPN distributes the complexity between the server and the
client, so the total complexity is about the same.
On Fri, 02 Nov 2007 10:42:03 -0700, Jeff Liebermann <jeffl@cruzio.com>
wrote in <2qmmi3pepsegfql07h1h8q22e5imaggnb2@4ax.com>:
>John Navas <spamfilter1@navasgroup.com> hath wroth:
>
>>The "changes" are that the user has to remember and type in a userid and
>>password, which will result in many more support issues.
>
>Ok, allow me to propose a dumb compromise. Just hang the WPA-RADIUS
>login and password on the wall of the hot spot. Something trivial
>like:
> login: McDonalds
> passwd: free-lunch
>Each user now gets an encrypted session. It won't stop someone from
>logging in from the neighbors or the parking lot, but the wireless
>sessions can't be sniffed and the keys can't be recovered. Of course,
>this requires a local RADIUS server, but those are available.
That's a good suggestion (and not what I assumed you were proposing).
I nonetheless see some potential problems:
1. It's vulnerable to masquerading, and to malfeasance by the operator.
2. You have to assume the RADIUS server is actually handing out unique
session keys.
3. It's not universal -- only works on certain hotspots.
4. Vulnerable to local wired network sniffing, unlike VPN.
>>With an open
>>system it just connects automatically. With WPA-PSK, it's configured
>>once and then never again. With VPN, most clients can be configured
>>once and then never again.
>
>Sure, but you indicated that I was changing the client somehow.
What I actually said was:
What you propose requires messing with authentication on the client
computer...
As in typing in a userid and password. Sorry for not being more clear.
>Storing a password isn't changing the client. However, adding a VPN
>shim is. Are you somehow suggesting that installing and configuring a
>VPN client is somehow superior to just the WPA-RADIUS login and
>password? If so, I beg to differ.
Fair enough -- I'd personally rather install and configure a VPN client
once that can then be used everywhere securely, but as always YMMV.
>>>However, once this is done, a hot spot user,
>>>with an existing account, can simply walk in with a laptop that has no
>>>additional software, login/authenticate via RADIUS, and have a secure
>>>and encrypted wireless connection. ...
>>
>>Sure, but I've personally had better luck with VPN, which can be
>>configured once, works anywhere, not just on specific hotspots, and can
>>even be configured to engage automatically.
>
>You haven't tried it my way. I'll admit it's not perfect,
As I noted above.
>but it will
>deliver an encrypted session in the end, which eliminates some (not
>all) of the benefits of a VPN.
VPN is inherently more secure, and universal to boot.
I always use VPN when out and about -- don't you?
>>All that results in increased support cost.
>
>If you mean users forgetting their passwords, that's true. ...
I mean it's not universal, leaving the problem of other hotspots.
It's also not as secure.
>>Again, I personally think VPN is a better idea.
>
>OK. I just don't agree in this case.
OK. No biggie. Different strokes and all that sort of thing. :)
--
John Navas
>>Likewise, except my own preference is for VPN, which is universal (not
>>just limited to specific hotspots); can be configured once; and set to
>>work automatically. In addition, I don't have to depend on the local
>>infrastructure working properly or on the integrity of the local
>>infrastructure provider. (If possible, I recommend the client having
>>its own VPN server, as I do.)
>
>Not depend on local infrastructure? I wouldn't consider depending on
>internet connectivity to be any better.
I was referring to security, not reliability -- sorry for not being more
clear. No matter how secure the wireless connection itself appears to
be, without VPN you're still vulnerable to hacking or other compromise
of the local infrastructure (wired as well as wireless). VPN keeps you
secure to the remote endpoint.
>As for complexity, methinks
>the RADIUS server is far more complicated than terminating a VPN.
>However, the VPN distributes the complexity between the server and the
>client, so the total complexity is about the same.
From the client point of view VPN, when installed and configured to
setup and authenticate automatically, is a universal no brainer, and the
best way to ensure security (IMHO at least).
The remaining vulnerability is then the client computer itself, which is
why I use and recommend ThinkPad computers with security configured
appropriately. Steal my ThinkPad and you still wouldn't be able to
compromise my VPN (or anything else) -- even the hard disk is secure.
You'd have to grab it after I logged on and before I logged off or it
logged itself off automatically, which isn't bloody likely. You'd also
have to deal with my motion detector alarm. ;)
--
John Navas
John Navas <spamfilter1@navasgroup.com> wrote:
> Likewise, except my own preference is for VPN, which is universal (not
> just limited to specific hotspots); can be configured once; and set to
I used to enjoy the cloaking of a VPN, but ours was changed to a split
tunnel, which exposes me to more traffic than I care for, and the default
is to only route traffic that needs to go into the VPN across the VPN.
Right now I'm stuck with split tunneling, because I need simultaneous
access to two VPNs. I suppose I could adjust my routing to remove the
DHCP-supplied gateway as soon as one of the VPNs became available.
--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
Jeff Liebermann <jeffl@cruzio.com> wrote:
> >Jeff Liebermann <jeffl@cruzio.com> wrote:
> >> For just the McDonald's locations with wireless, see:
> >> <http://www.mcdonalds.com/usa/rest_locator.html>
> Sorry. That wasn't my intention. The thread was about McDonald's and
> I thought it would be more relevant to use the McDonalds wireless
> search page.
I think it started as the "free wi-fi" from AT&T, but it was about the
appearance of it at McDonald's.
> That's odd. There are 4 McDonald's in the People's Republic of Santa
> Cruz County. All of them have limited range. I can just barely use
Do they have both a Wayport SSID and an attwifi SSID?
In my case (the only McDonald's I've tested), the two SSIDs were very
similar strength. There are only two McDonald's around here, and the
"close" one doesn't have wireless.
--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
>Do they have both a Wayport SSID and an attwifi SSID?
>In my case (the only McDonald's I've tested), the two SSIDs were very
>similar strength. There are only two McDonald's around here, and the
>"close" one doesn't have wireless.
Dunno, but I'll find out on my way home tonite. As I previously
mumbled, I've given up on junk food and don't frequent McDonald's.
From my Netstumbler logs, it's probably "Wayport_Access" and "AT&T
Wireless". Since the signal strength seems to be identical, they are
probably running dual SSIDs on the same access point.
On Fri, 02 Nov 2007 18:11:04 GMT, John Navas
<spamfilter1@navasgroup.com> wrote:
>>Ok, allow me to propose a dumb compromise. Just hang the WPA-RADIUS
>>login and password on the wall of the hot spot. Something trivial
>>like:
>> login: McDonalds
>> passwd: free-lunch
>>Each user now gets an encrypted session. It won't stop someone from
>>logging in from the neighbors or the parking lot, but the wireless
>>sessions can't be sniffed and the keys can't be recovered. Of course,
>>this requires a local RADIUS server, but those are available.
>That's a good suggestion (and not what I assumed you were proposing).
>I nonetheless see some potential problems:
>
>1. It's vulnerable to masquerading, and to malfeasance by the operator.
I don't see how. Each session has a unique WPA encryption key. In
order to do a man in the middle, session hijack, or AP impersonation,
the attacker would need to first crack the WPA key. Since it's not
stored in the clear anywhere except in the RADIUS server (argh, I
forgot to encrypt it in the SQL database), it can't be extracted and
has to be cracked.
>2. You have to assume the RADIUS server is actually handing out unique
>session keys,
Assumption, the mother of all screwups. Yeah, that's true. A very
quick Google search didn't show any vulnerabilities. I'll do some
more digging on the security sites tonite.
>3. It's not universal -- only works on certain hotspots.
True. Frankly, I don't care if it's not universal. I'm trying to
give my customers some added security by making their hot spots sniff
proof. If the others want to follow my lead, I'm all for it.
>4. Vulnerable to local wired network sniffing, unlike VPN.
True. I can't do anything about the real possibility that someone
might plug into the ethernet and try to sniff the traffic. However,
that's very difficult with an ethernet switched network. The router
traffic all goes directly to the internet. Another local computer
plugged into the switch sees nothing. Someone could substitute a
10/100 hub for the ethernet switch, but that's getting a bit far
fetched.
>What I actually said was:
>
> What you propose requires messing with authentication on the client
> computer...
>
>As in typing in a userid and password. Sorry for not being more clear.
You were clear enough, but used a bad choice of words. login and
password are authorization. 802.1x and RADIUS are authentication.
>Fair enough -- I'd personally rather install and configure a VPN client
>once that can then be used everywhere securely, but as always YMMV.
Which flavor VPN? PPTP, L2TP, IPSec, or SSL. IPSec can be a mess.
The others are very easy at the client end.
>VPN is inherently more secure, and universal to boot.
I'll spare you my horror stories of VPN client compatibility. I
recently spent a fun afternoon trying to bludgeon the Cisco VPN client
3.7 into connecting to a Watchguard SOHO 10 router v5.0. No luck.
However, the new GreenBow IPSec client worked, so the customer is now
debating either replacing a $500 router and licenses, or paying
$45/seat. IPsec VPN may be more secure, but compatibility with
existing hardware is not one of the strong points.
<http://www.thegreenbow.com/vpn.html>
>I always use VPN when out and about -- don't you?
I wish you hadn't asked that. On one of my laptops, I have 3 different
boot profiles, to handle 3 different IPSec VPN ships that refuse to
coexist in the IP stack. My other two laptops have nothing, mostly
because I don't use them at hot spots. I do use them at clients, but
most (not all) of those use WPA-PSK. My Windoze Mobile 2005 PDA can
probably use a VPN client, but I haven't even looked for one to use.
Incidentally, I finally bought a Canon S5-IS camera. I doubt it will
improve my photography, but it sure looks impressive. Anything with
that many buttons must be powerful.
On Fri, 02 Nov 2007 23:11:26 GMT, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote in
<fe9ni31mc3rk3ck87vii4r5v639ultf16s@4ax.com>:
>On Fri, 02 Nov 2007 18:11:04 GMT, John Navas
><spamfilter1@navasgroup.com> wrote:
>>>Each user now gets an encrypted session. It won't stop someone from
>>>logging in from the neighbors or the parking lot, but the wireless
>>>sessions can't be sniffed and the keys can't be recovered. Of course,
>>>this requires a local RADIUS server, but those are available.
>
>>That's a good suggestion (and not what I assumed you were proposing).
>>I nonetheless see some potential problems:
>>
>>1. It's vulnerable to masquerading, and to malfeasance by the operator.
>
>I don't see how. ...
Simply by spoofing the SSID. ;)
>>2. You have to assume the RADIUS server is actually handing out unique
>>session keys,
>
>Assumption, the mother of all screwups. Yeah, that's true. A very
>quick Google search didn't show any vulnerabilities. I'll do some
>more digging on the security sites tonite.
I'm guessing it would be fairly easy to hack at least some RADIUS
servers to hand out the same session key.
>>3. It's not universal -- only works on certain hotspots.
>
>True. Frankly, I don't care if it's not universal. I'm trying to
>give my customers some added security by making their hot spots sniff
>proof. ...
Different strokes -- I'm usually concerned with wireless clients, not
wireless hosts. Nonetheless, I'm going to keep this in mind for when
I do work with hosts.
>>4. Vulnerable to local wired network sniffing, unlike VPN.
>
>True. I can't do anything about the real possibility that someone
>might plug into the ethernet and try to sniff the traffic. However,
>that's very difficult with an ethernet switched network. The router
>traffic all goes directly to the internet. Another local computer
>plugged into the switch sees nothing. Someone could substitute a
>10/100 hub for the ethernet switch, but that's getting a bit far
>fetched.
Trust me, I've seen it. "How did that get in the closet?!"
>>What I actually said was:
>>
>> What you propose requires messing with authentication on the client
>> computer...
>>
>>As in typing in a userid and password. Sorry for not being more clear.
>
>You were clear enough, but used a bad choice of words. login and
>password are authorization. 802.1x and RADIUS are authentication.
With all due respect, you're splitting hairs, and it's debatable in any
event -- I'm also referring to the issue of SSID spoofing.
>>Fair enough -- I'd personally rather install and configure a VPN client
>>once that can then be used everywhere securely, but as always YMMV.
>
>Which flavor VPN? PPTP, L2TP, IPSec, or SSL. IPSec can be a mess.
>The others are very easy at the client end.
It all depends -- probably TLS most often.
>>VPN is inherently more secure, and universal to boot.
>
>I'll spare you my horror stories of VPN client compatibility. ...
Fair enough, but once working, it tends to stay pretty smooth in my
experience.
>Incidentally, I finally bought a Canon S5-IS camera. I doubt it will
>improve my photography, but it sure looks impressive. Anything with
>that many buttons must be powerful.
Cool! I recently upgraded to a Panasonic DMC-FZ8, which is comparable.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
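The exchange above turns on two claims: that a WPA-RADIUS hotspot gives every user a session key that "can't be recovered" even with the login posted on the wall, and that this only holds if the RADIUS server really hands each session its own key. The following is an added example (mine, not from either poster) implementing the standard IEEE 802.11i pairwise key derivation (PBKDF2 for a PSK, PRF-384 over HMAC-SHA1 for the PTK) to show the difference concretely. Everything except the PMK crosses the air in the clear during the 4-way handshake, so what matters is whether the PMK is shared. The SSID, MAC addresses and nonces are constructed sample values; the passphrase "free-lunch" is the thread's own example password, reused as a WPA-PSK passphrase only for contrast; the per-session 802.1X PMKs are simulated as fixed 32-byte keys rather than produced by a real EAP exchange.

```python
"""Pairwise key derivation for WPA/WPA2 (IEEE 802.11i), used to show what an
eavesdropper on a hotspot can and cannot compute from a captured 4-way
handshake.  Sample values below are constructed, not taken from the thread,
except the passphrase "free-lunch", which is the thread's example password."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces).
    The MACs and nonces travel unencrypted in the handshake; only the PMK is secret."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def temporal_key(ptk: bytes) -> bytes:
    """For CCMP the PTK is KCK (16) || KEK (16) || TK (16); the TK protects the data frames."""
    return ptk[32:48]


# Constructed handshake fields for two clients on the same access point.
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MACS = (bytes.fromhex("020000000002"), bytes.fromhex("020000000003"))
NONCES = (
    (hashlib.sha256(b"anonce-1").digest(), hashlib.sha256(b"snonce-1").digest()),
    (hashlib.sha256(b"anonce-2").digest(), hashlib.sha256(b"snonce-2").digest()),
)
SSID = "hotspot-example"


def session_tks(pmks):
    """Temporal key of each client's session, given the PMK each session actually used."""
    return [
        temporal_key(derive_ptk(pmk, AP_MAC, mac, an, sn))
        for pmk, mac, (an, sn) in zip(pmks, CLIENT_MACS, NONCES)
    ]


def tk_matches_from(pmk_guess: bytes, session: int, real_tk: bytes) -> bool:
    """Does recomputing `session` from its cleartext handshake fields and `pmk_guess`
    reproduce the temporal key the client is really using?"""
    an, sn = NONCES[session]
    return temporal_key(derive_ptk(pmk_guess, AP_MAC, CLIENT_MACS[session], an, sn)) == real_tk


def compare_psk_vs_enterprise() -> dict:
    # Case A: WPA-PSK with the passphrase on the wall -> one PMK shared by every client.
    shared = pmk_from_passphrase("free-lunch", SSID)
    psk_tks = session_tks([shared, shared])
    # Anyone who read the wall and captured both handshakes recomputes both temporal keys,
    # even though the two sessions' keys differ from each other.
    psk_exposed = all(tk_matches_from(shared, i, psk_tks[i]) for i in range(2))

    # Case B: 802.1X/RADIUS as proposed in the thread -> each EAP session ends with its own PMK
    # (simulated here as two distinct 32-byte keys delivered by the authentication server).
    pmk_1 = hashlib.sha256(b"eap-session-1").digest()
    pmk_2 = hashlib.sha256(b"eap-session-2").digest()
    ent_tks = session_tks([pmk_1, pmk_2])
    # Holding the wall credentials and your own session's PMK says nothing about session 2.
    ent_exposed = tk_matches_from(pmk_1, 1, ent_tks[1])

    # Case C: the thread's worry: a RADIUS server that gives every session the same PMK
    # collapses case B back into case A.
    same_tks = session_tks([pmk_1, pmk_1])
    same_exposed = tk_matches_from(pmk_1, 1, same_tks[1])

    return {
        "psk_tks_differ_per_session": psk_tks[0] != psk_tks[1],
        "psk_tk_recoverable_with_passphrase": psk_exposed,
        "enterprise_tk_recoverable_from_other_session": ent_exposed,
        "same_pmk_from_radius_recoverable": same_exposed,
    }


if __name__ == "__main__":
    for name, value in compare_psk_vs_enterprise().items():
        print(f"{name}: {value}")
```

Per-session keys alone are not the whole story: case C is exactly why the RADIUS side has to be trusted to produce a fresh PMK per EAP session, and none of this addresses the SSID-spoofing point raised in the reply, which on the client side is a matter of validating the authentication server's certificate rather than of key derivation.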
Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
> mumbled, I've given up on junk food and don't frequent McDonald's.
I didn't _eat_ there! The last time I ate at McDonald's was in Maidstone,
England. I didn't even get out of my car. I picked what I thought was a
parking place close enough to the building, and fired up the laptop.
The inside of several of these "let's get Wi-Fi to draw in more customers"
locations are too loud for my tastes, especially for a VoIP phone
conversation. Besides, I wasn't mooching free Wi-Fi. I was using an
advertised location of my ISP.
> From my Netstumbler logs, it's probably "Wayport_Access" and "AT&T
> Wireless". Since the signal strength seems to be identical, they are
> probably running dual SSIDs on the same access point.
That was my thought, dual SSIDs. I didn't say that out loud, because I
wasn't sure it was routinely possible. I don't have logs, but I did save a
profile called attwifi.
Oh, the mappiness of it all... I was going to see if they listed the
SSIDs. The McDonalds restaurant locator says 1077 LAKEPORT BLVD, LAKEPORT,
CA 95453-0058, but the snippet of map shown has the icon in altogether the
wrong spot, on the wrong side of the freeway. If I search for McDonalds in
Google Earth, it has a different address, 1400 Todd Rd Lakeport, CA 95453,
in a different wrong spot, but at least it's on the right road. If I were
getting off the freeway, I would see McDonald's and forget about the map.
If I search for 1077 LAKEPORT BLVD in GE, that's about the right spot.
If I search jiwire, I get the 1077 address and a snippet of map that is too
small to be helpful, but looks like the right place ;-) Gack, the "driving
directions" on jiwire stink.
Odd, jiwire asks you for the SSID and MAC when you add a location to
jiwire. I keep meaning to see if that is tied into the Microsoft Locate Me
database. I thought it would be listed with the hotspot information.
--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
On Nov 2, 4:31 pm, Jeff Liebermann <je...@comix.santa-cruz.ca.us>
wrote:
> On Fri, 2 Nov 2007 21:27:43 +0000 (UTC), d...@22.usenet.us.com wrote:
> >Do they have both a Wayport SSID and an attwifi SSID?
> >In my case (the only McDonald's I've tested), the two SSIDs were very
> >similar strength. There are only two McDonald's around here, and the
> >"close" one doesn't have wireless.
>
> Dunno, but I'll find out on my way home tonite. As I previously
> mumbled, I've given up on junk food and don't frequent McDonald's.
> From my Netstumbler logs, it's probably "Wayport_Access" and "AT&T
> Wire