Posted to misc.phone.mobile.iphone,alt.internet.wireless,sci.electronics.repair
Jeff Liebermann
Is it theoretically or practically even possible to mooch off of a typical WISP

On Mon, 25 Jul 2016 05:39:41 +0000 (UTC), Aardvarks wrote:

> The theoretical leech would be me (but I already have free WiFi access from
> my WISP in return for being an access point for him) so the question really
> *is* theoretical, and you actually know all the WISPs in this area (let's
> not state their company or real names, for privacy reasons, but you know of
> Loren at H.....p and Dave at S.....t and Mike at R...........s, and Herman
> at E.....c, etc., who are the respective WISP proprietors).


I think I've met them all and certainly recognize the companies.
However, I'm not currently doing WISP work and haven't worked with any
of the companies for many years. Hint: I gave up tower climbing over
20 years ago.

>> For a minimum, the WISP is certain to
>> authenticate the MAC address of the client bridge radio. MAC
>> addresses are easily spoofed, but this is mostly for identifying and
>> blocking radios that are attempting to connect, but don't belong on
>> the system.


> Actually, as you pretty well know, that end of the MAC address is, I think,
> the harder one to spoof (I think it was you who told me that long ago).
>
> But let me confirm...
>
> The end that the WISP sees is the hard one to spoof, isn't it?


I certainly didn't say that. Some client bridge radios partition
their firmware into the part you can replace (e.g. DD-WRT) and the
part that remains untouched (boot loader, MAC addresses, encryption
keys, serial numbers, manufacturing details, etc). Changing these is
possible and fairly easy if you own a logic analyzer, hot air SMT
desoldering station and an SPI bus serial EPROM programmer.

However, the leech could also use a commodity wireless card crammed
into a PC, and do everything in software, where it is super trivial to
tweak the MAC address. No worries about WPA2 encryption because the
MAC address and control frames are sent unencrypted.

> Yup. While Loren doesn't even use encryption on the 802.11 equipment, he
> has plenty of 900MHz equipment which has to be specially set up, and Mike,
> for example, also makes use of non-wifi protocols. So does Dave, and Herman's
> system isn't at all compatible with customer owned equipment.


Security by obscurity has its merits. Anyone who is willing to spend
a few hundred dollars on hardware, and spend many hours hacking, in
order to save a few dollars in service charges, needs to take a
remedial finance class.

> Yup. And that doesn't even count the protocol tricks that these guys use to
> get better bandwidth throughput and noise rejection.


The creative protocols are not for security. The problem is that
802.11 was originally designed to handle a small number of client
radios per access point. CSMA/CA works nicely for that because
there's plenty of time between packets to allow for collision backoff.
However, when dealing with a much larger number of users, the
probability of collisions increases rather dramatically, until nothing
works. Also, minor network overhead, such as ARP requests and
broadcasts, become a major nuisance as they proceed to become the
dominant traffic (because broadcasts go to everyone). So, new
protocols, based on token passing (VTP-CSMA) or polling are used,
which are more efficient for larger systems.

> They all run a watchdog of some sort.


Usually just arpwatch and traffic graphs.

> OK. That's *easy* by way of comparison. But we weren't talking about
> breaking into the homeowners' SOHO router (which is a different topic
> altogether).


With most WISPs, over the air bandwidth is the main limitation to how
many customers they can handle. If you add a leech anywhere on the
system, which increases usage beyond normal, it's a problem.

> Yes. Plenty of neighbors have wide open networks. Sigh.
> They're the Santa Cruz 60's hippy trusting type of people.
> You know ... people like you!
> (jk - you're too knowledgeable to be trusting!)


I hate to ruin your illusions, but I never was much of a hippie.
Glorified poverty didn't have much of an appeal. I did try
becoming a beatnik as a teenager and a protester in college, but not a
hippie.
http://802.11junk.com/jeffl/pics/jeffl/

> The Apple iOS "experts" blandly accuse people of this stuff, not even
> taking into account *any* of the many potential hurdles, not the least of
> which is that a house doesn't move all that fast and is easy to locate when
> stealing WISP bandwidth.


> PS: What do you think about the possibility of tapping into a Starbucks in
> downtown Santa Cruz from Loma Prieta?


Zilch. Too much interference along the path on both 2.4 and 5 GHz.
Loma to SCZ is about 9 miles. Over 5 miles, one sees timeouts and the
ACK timing needs to be tweaked. You can see the SSIDs of distant
stations (because broadcasts do not need ACKs) but you can't connect.
However, without the interference, one can do it by violating the FCC
rules with a big dish. I've done this and even under ideal
conditions, aiming the dish, and keeping it aligned, is a major
problem. Also, at that range and lousy SNR, throughput is gonna be
rather low. Incidentally, I know of several point-to-point links
between Loma and various sites on 5 GHz that get really good speeds and
reliable performance. I'm not sure of the ranges, but most seem to be
between 5 and 10 miles. However, both sides use decent hardware, dish
or panel antennas, and a clear line of sight, which is not what you'll
find at Starbucks. Besides, the downtown SCZ Starbucks is surrounded
by tall buildings on all 4 sides (I used to fix Heinz's computers when
he had the microscope shop in the basement under Starbucks).


--
Jeff Liebermann
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
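The post mentions MAC-address authentication, easy MAC spoofing, and arpwatch as the usual WISP watchdog. The following is an added example, not code from the post or from any WISP: a small correlator over arpwatch-style syslog lines that flags what a plain arpwatch report does not tie together, namely one MAC appearing on more than one IP (a cloned client address) and one IP whose MAC keeps changing. The message shapes, hostnames, IPs and MACs are all constructed assumptions.

```python
import re
from collections import defaultdict

# Message shapes modelled on arpwatch's "new station", "changed ethernet
# address" and "flip flop" syslog reports; the exact format is an assumption.
_NEW = re.compile(r"new station (\S+) (\S+)")
_CHG = re.compile(r"changed ethernet address (\S+) (\S+) \((\S+)\)")
_FLIP = re.compile(r"flip flop (\S+) (\S+) \((\S+)\)")

# Constructed sample log (not from a real WISP): one normal client, one MAC
# that shows up on a second IP, and one IP whose MAC changes and flips back.
SAMPLE_LOG = """\
Jul 25 05:40:01 gw arpwatch: new station 10.0.0.21 00:15:6d:aa:bb:01
Jul 25 05:41:12 gw arpwatch: new station 10.0.0.22 00:15:6d:aa:bb:02
Jul 25 05:42:30 gw arpwatch: new station 10.0.0.37 00:15:6d:aa:bb:02
Jul 25 05:43:05 gw arpwatch: changed ethernet address 10.0.0.40 00:15:6d:aa:bb:99 (00:15:6d:aa:bb:05)
Jul 25 05:43:50 gw arpwatch: flip flop 10.0.0.40 00:15:6d:aa:bb:05 (00:15:6d:aa:bb:99)
"""


def analyze(log_text):
    """Return (cloned, contested).

    cloned:    MAC -> sorted IPs, for MACs seen on more than one IP address
    contested: IP  -> sorted MACs, for IPs whose hardware address changed
    """
    ips_by_mac = defaultdict(set)
    contested = defaultdict(set)
    for line in log_text.splitlines():
        if m := _NEW.search(line):
            ip, mac = m.groups()
            ips_by_mac[mac].add(ip)
        elif m := (_CHG.search(line) or _FLIP.search(line)):
            ip, new_mac, old_mac = m.groups()
            contested[ip].update({new_mac, old_mac})
            ips_by_mac[new_mac].add(ip)
    cloned = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return cloned, {ip: sorted(macs) for ip, macs in contested.items()}


if __name__ == "__main__":
    cloned, contested = analyze(SAMPLE_LOG)
    for mac, ips in cloned.items():
        print(f"MAC {mac} seen on several IPs: {', '.join(ips)}")
    for ip, macs in contested.items():
        print(f"IP {ip} contested between MACs: {', '.join(macs)}")
```

A client that clones both the MAC and the IP of a legitimate radio produces none of these events, which is why the post pairs arpwatch with traffic graphs: the extra usage still shows up in the bandwidth numbers.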