Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-17 Thread James Knott via talk 
On 09/17/2018 04:48 PM, D. Hugh Redelmeier via talk wrote:
> - Turn off the modem's WiFi and put it in bridge mode.  You may have
>   to repeat this after a power failure or a (generally unannounced)
>   firmware update.

I've had my Rogers modem in bridge mode for several years and a few
different  models.  I've never seen that.

---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-17 Thread D. Hugh Redelmeier via talk 
| From: David Collier-Brown via talk 
| To: UU , GTALUG Talk 

I don't think that it is great to post a message once to two public
mailing lists.  It can lead to odd entanglements.  It's fine to
separately post the same message to two lists.  I'm violating this 
suggestion with this message.

| I have a Rogers-supplied router and cable modem package, which twice has shown
| significant usage when I was out, once with the original unit and once with
| their replacement Cisco.  That makes me suspicious of the current state of
| authentication for wi-fi schemes (and I use the term "schemes" advisedly: they
| used to horribly leaky (;-))

Wow.  Interesting.

If it were me, I'd try to figure out who was doing this.  But in
reality that's probably more work than it is worth.

| What's a good approach? I have considered
| 
|  * MAC address lists,

MACs a so spoofable.  Why bother?

If I remember correctly, OSX now has a feature that lets you use a
random MAC on your wireless just to avoid other people tracking you.

|  * no wi-fi (strictly wired doesn't work with solid concrete walls),

I don't imagine your threat models are so severe that this matters.
But for the paranoid: even traffic analysis (without decryption)
reveals a lot.

|  * a second router with a more secure protocol (/is/ there such a
|protocol? And will my wife's Mac speak it?))

I think that the best compromise for most individuals who care even a
bit is:

- Turn off the modem's WiFi and put it in bridge mode.  You may have
  to repeat this after a power failure or a (generally unannounced)
  firmware update.

  Why: Rogers has 100% control of the modem (remote provisioning,
  firmware updates).  They have (if they choose) access to your LAN
  unless you put something between the modem and the LAN.

- use your own wireless router.  Choose one that has a decent radio
  and is well supported by OpenWRT.  Run OpenWRT on it.

  Why: firmware from the manufacturers is crappy in known and unknown
  ways.  Other third party firmware providers are badly constituted
  (dictatorships, NDAs, glued together bits of binary stuff).

- alternatively use a little PC and install whatever amuses you as
  software to make it a router.

  Why not: takes more resources than just using OpenWRT on consumer
  router hardware.  Cost, time, electricity, noise, heat, risk of
  misconfiguring, maintenance effort.

  Why: more flexible, more controllable.  Sometimes better
  performance.  Can perform server roles (email, web, ...).

  This is what I do.  I run CentOS an two of my three consumer-grade
  internet connections.  I run Fedora 28 on the other -- that adds to
  the maintenance burden (so many updates!).

- alternative: 
  I'd like this to be a great solution but I don't know whether it is.
  It's not as inexpensive as I'd like.

One of my connections is gigabit from Rogers.  Ordinary wireless
routers cannot pass 1G though unless proprietary NAT hardware
acceleration is used.  That hardware is not supported by OpenWRT.
Even if it were, there are serious restrictions on what can be done to
the packet before it gets punted to the software path.

My little PC solution seems to handle gigabit just fine.  I use Zotac
ZBoxes that come with two gigabit ethernet ports (only a few do).  My
gigabit gateway is an RI323Nano (out of production).  My others
(untested for gigabyte throughput) are both CI321NANO.  These cost me
about the same as an expensive router.  I don't use them for providing
WiFi.  I use a couple of consumer WiFi routers as (just) APs.

As for WiFi passwords: make them long and replete with entropy.  I use
the mkpasswd command that is part of the expect package.  Don't use
the magic button on the router to make the password crap easier: it
can make you vulnerable.  Typing these is very error-prone so I use a
USB flash drive to carry them to a new system.---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-17 Thread Alvin Starr via talk 

On 09/17/2018 09:07 AM, Howard Gibson via talk wrote:

On Sun, 16 Sep 2018 13:50:14 -0400
James Knott via talk  wrote:


On 09/16/2018 01:45 PM, David Collier-Brown via talk wrote:

What's a good approach? I have considered


Many people use separate routers, as they're not happy with the Rogers
hardware.  I run pfSense on a refurb computer.  All you have to do is
put the modem in bridge mode and connect your router.  Also, you may
want to get something other than a Cisco modem.  Rogers doesn't support
IPv6 on them.  I have a Hitron modem in bridge mode.

My DSL modem has a firewall feature that my vendor recommends not using.  I 
have a wireless router that serves as my firewall, and I have a long security 
key.  I am so glad I took typing in high school.


Take a  look at the TR-069 standard.
It allows a service provider to remotely manage and control the device 
at the customer location.
This can be a great thing if you have unsophisticated customers who need 
help but it does mean that you have complete control over their security 
and can do what you like with their device.


I would suggest that if your concerned about external hacks or access 
get a device that has the TR-069 removed or disabled.


--
Alvin Starr   ||   land:  (905)513-7688
Netvel Inc.   ||   Cell:  (416)806-0133
al...@netvel.net  ||

---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-17 Thread Howard Gibson via talk 
On Sun, 16 Sep 2018 13:50:14 -0400
James Knott via talk  wrote:

> On 09/16/2018 01:45 PM, David Collier-Brown via talk wrote:
> >
> > What's a good approach? I have considered
> >
> 
> Many people use separate routers, as they're not happy with the Rogers
> hardware.  I run pfSense on a refurb computer.  All you have to do is
> put the modem in bridge mode and connect your router.  Also, you may
> want to get something other than a Cisco modem.  Rogers doesn't support
> IPv6 on them.  I have a Hitron modem in bridge mode.

   My DSL modem has a firewall feature that my vendor recommends not using.  I 
have a wireless router that serves as my firewall, and I have a long security 
key.  I am so glad I took typing in high school.  

-- 
Howard Gibson 
hgib...@eol.ca
jhowardgib...@gmail.com
http://home.eol.ca/~hgibson
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-16 Thread James Knott via talk 
On 09/16/2018 02:42 PM, Don Tai wrote:
> I am assuming that on the Rogers router you are already using WPA2 and
> that someone has cracked it using a tool like AirCrack-NG (Kali dist
> or download). Physical barriers to limit signal strength will not
> alone protect you. There are numerous tutorials out there on how to
> use Aircrack-NG.

You can't assume people use a decent password.  That's why I suggested
www.grc.com.

BTW, I am currently rereading "The Cuckoo's Egg", by Clifford Stoll.  I
first read it almost 30 years ago, when I was a computer tech
maintaining VAX 11/780 computers, among others.  It's a good read that
describes attacks on a computer and what was done to track down the
attacker.  IIRC, the VAX's had a default account "admin" and password
"password", which often wasn't changed.  So, even with the big systems,
security wasn't always the greatest.  Back in those days, it wasn't all
that hard to walk in from Front St., past the security desk, hop on the
elevator and walk into the data centre.  My wife did that on occasion,
to meet me.  IIRC, there weren't even locks on the data centre doors
until the first Gulf war.

https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-16 Thread James Knott via talk 
On 09/16/2018 03:33 PM, Kevin Cozens via talk wrote:
> On 2018-09-16 02:57 PM, James Knott via talk wrote:
>> Will WPA be cracked in the future ?
>>
>> It's extremely unlikely that WPA will be cracked just like WEP was.
>
> A method of cracking WPA systems that use the Temporal Key Integrity
> Protocol (TKIP) algorithm was found in 2009. It was reported that the
> attack does not work on WPA systems using Advanced Encryption Standard
> (AES) algorithm, or WPA2 devices. However, WPA2 was cracked as of last
> October.
>

Still, it's more effective than relying on properly placing foil.  As I
recall, there's WPA3 in the works, which should be more secure.  Then
again, I suppose they could always set up an RADIUS server.  ;-)


https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA3
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-16 Thread Kevin Cozens via talk 

On 2018-09-16 02:57 PM, James Knott via talk wrote:

Will WPA be cracked in the future ?

It's extremely unlikely that WPA will be cracked just like WEP was.


A method of cracking WPA systems that use the Temporal Key Integrity 
Protocol (TKIP) algorithm was found in 2009. It was reported that the attack 
does not work on WPA systems using Advanced Encryption Standard (AES) 
algorithm, or WPA2 devices. However, WPA2 was cracked as of last October.


--
Cheers!

Kevin.

http://www.ve3syb.ca/   | "Nerds make the shiny things that
https://www.patreon.com/KevinCozens | distract the mouth-breathers, and
| that's why we're powerful"
Owner of Elecraft K2 #2172  |
#include  | --Chris Hardwick
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

[GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-16 Thread James Knott via talk 
On 09/16/2018 02:42 PM, Don Tai wrote:
> I am assuming that on the Rogers router you are already using WPA2 and
> that someone has cracked it using a tool like AirCrack-NG (Kali dist
> or download). Physical barriers to limit signal strength will not
> alone protect you. There are numerous tutorials out there on how to
> use Aircrack-NG.

From the FAQ:

"How can I crack a WPA-PSK network ?

You must sniff until a handshake takes place between a wireless client
and the access point. To force the client to reauthenticate, you can
start a deauth attack with aireplay-ng. Also, a good dictionary is
required."

By avoiding passwords found in the dictionary, you're much less
vulnerable.  A random 63 character string does that.  Here's a sample:

>GZcfs^7w\D$JKE8XZJ(bw#.&'(||c>tt@;yt[]gQ$https://www.aircrack-ng.org/doku.php?id=faq
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-16 Thread Don Tai via talk 
I am assuming that on the Rogers router you are already using WPA2 and that
someone has cracked it using a tool like AirCrack-NG (Kali dist or
download). Physical barriers to limit signal strength will not alone
protect you. There are numerous tutorials out there on how to use
Aircrack-NG.

On Sun, 16 Sep 2018 at 14:36, James Knott via talk  wrote:

> On 09/16/2018 02:32 PM, Don Tai wrote:
> > You can also look into using metal mesh/aluminium foil to limit your
> > router's directionality. For example if you are in an apartment and
> > the router is on the west perimiter, put up some chicken wire blocking
> > access further west. If you are in an apartment with a single floor
> > then reorient your antenna to not transmit your signal higher or lower
> > than your floor. That will further limit access.
> >
>
> WPA2 encryption would be more effective.  Start with a new password.  I
> use the "Perfect Passwords" from www.grc.com to generate 63 random
> characters.
>
>
> ---
> Talk Mailing List
> talk@gtalug.org
> https://gtalug.org/mailman/listinfo/talk
>
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-16 Thread James Knott via talk 
On 09/16/2018 02:32 PM, Don Tai wrote:
> You can also look into using metal mesh/aluminium foil to limit your
> router's directionality. For example if you are in an apartment and
> the router is on the west perimiter, put up some chicken wire blocking
> access further west. If you are in an apartment with a single floor
> then reorient your antenna to not transmit your signal higher or lower
> than your floor. That will further limit access.
>

WPA2 encryption would be more effective.  Start with a new password.  I
use the "Perfect Passwords" from www.grc.com to generate 63 random
characters.


---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-16 Thread Don Tai via talk 
I daisy chain in my own router, then MAC address filtering. Turn off wifi
on the Rogers router. If you are not home during the day you can possibly
programmatically turn off wifi. The MAC address filtering is a bit of work
to maintain, as you need all device MAC addresses, but I've gotten used to
it.

You can also look into using metal mesh/aluminium foil to limit your
router's directionality. For example if you are in an apartment and the
router is on the west perimiter, put up some chicken wire blocking access
further west. If you are in an apartment with a single floor then reorient
your antenna to not transmit your signal higher or lower than your floor.
That will further limit access.

Don

On Sun, 16 Sep 2018 at 13:50, James Knott via talk  wrote:

> On 09/16/2018 01:45 PM, David Collier-Brown via talk wrote:
> >
> > What's a good approach? I have considered
> >
>
> Many people use separate routers, as they're not happy with the Rogers
> hardware.  I run pfSense on a refurb computer.  All you have to do is
> put the modem in bridge mode and connect your router.  Also, you may
> want to get something other than a Cisco modem.  Rogers doesn't support
> IPv6 on them.  I have a Hitron modem in bridge mode.
>
> BTW, when I switched from Cisco to Hitron, I wound up with a significant
> price decrease for my Internet/TV/Home phone service.
>
> ---
> Talk Mailing List
> talk@gtalug.org
> https://gtalug.org/mailman/listinfo/talk
>
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Re: [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-16 Thread James Knott via talk 
On 09/16/2018 01:45 PM, David Collier-Brown via talk wrote:
>
> What's a good approach? I have considered
>

Many people use separate routers, as they're not happy with the Rogers
hardware.  I run pfSense on a refurb computer.  All you have to do is
put the modem in bridge mode and connect your router.  Also, you may
want to get something other than a Cisco modem.  Rogers doesn't support
IPv6 on them.  I have a Hitron modem in bridge mode.

BTW, when I switched from Cisco to Hitron, I wound up with a significant
price decrease for my Internet/TV/Home phone service.

---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

[GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

2018-09-16 Thread David Collier-Brown via talk 
I have a Rogers-supplied router and cable modem package, which twice has 
shown significant usage when I was out, once with the original unit and 
once with their replacement Cisco.  That makes me suspicious of the 
current state of authentication for wi-fi schemes (and I use the term 
"schemes" advisedly: they used to horribly leaky (;-))


What's a good approach? I have considered

 * MAC address lists,
 * no wi-fi (strictly wired doesn't work with solid concrete walls),
 * a second router with a more secure protocol (/is/ there such a
   protocol? And will my wife's Mac speak it?))
 * something I haven't thought of

--dave

[The usage never runs me over my limit: I think someone is using me for 
downloads that might put /them/ over their limit]


--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
dav...@spamcop.net   |  -- Mark Twain

---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk