Posted to misc.phone.mobile.iphone,alt.internet.wireless,sci.electronics.repair
Aardvarks
Is it theoretically or practically even possible to mooch off of a typical WISP

On Mon, 25 Jul 2016 08:15:41 -0700, Jeff Liebermann wrote:

>> The end that the WISP sees is the hard one to spoof, isn't it?


> I certainly didn't say that. Some client bridge radios partition
> their firmware into the part you can replace (e.g. DD-WRT) and the
> part that remains untouched (boot loader, MAC addresses, encryption
> keys, serial numbers, manufacturing details, etc). Changing these is
> possible and fairly easy if you own a logic analyzer, hot air SMT
> desoldering station and an SPI bus serial EPROM programmer.

Heh heh. Yeah, if I only had a hot air SMT desoldering station, I could
change my MAC address too.

> However, the leech could also use a commodity wireless card crammed
> into a PC, and do everything in software, where it is super trivial to
> tweak the MAC address. No worries about WPA2 encryption because the
> MAC address and control frames are sent unencrypted.


OK. But that's a lot of work to just get free WiFi from a WISP, and still
more has to be done so as not to get caught (which, I state, would be
virtually impossible and certainly not worth the $100/month WiFi fee).

> Security by obscurity has its merits. Anyone who is willing to spend
> a few hundred dollars on hardware, and spend many hours hacking, in
> order to save a few dollars in service charges, needs to take a
> remedial finance class.


Yup. That was my point to the guy, nospam, who accused me of stealing my
WISP just because I knew enough about WISP to spout the words reasonably
coherently.

What I do know is that it wouldn't be easy for me, and even for you, it
wouldn't be easy not to get caught (since your house doesn't move all that
fast except that you're near the fault line so it jumps a few feet every
hundred years or so).

> The creative protocols are not for security. The problem is that
> 802.11 was originally designed to handle a small number of client
> radios per access point. CSMA/CA works nicely for that because
> there's plenty of time between packets to allow for collision backoff.
> However, when dealing with a much larger number of users, the
> probability of collisions increases rather dramatically, until nothing
> works. Also, minor network overhead, such as ARP requests and
> broadcasts, become a major nuisance as they proceed to become the
> dominant traffic (because broadcasts go to everyone). So, new
> protocols, based on token passing (VTP-CSMA) or polling are used,
> which are more efficient for larger systems.


It makes sense that the protocols they are all starting to use (except
Loren, and Herman was *always* using the new protocols) are for
communication reasons, and not for security.

Still, Dave switched his Santa Cruz company off of the WiFi protocol a few
years ago (maybe 5 years ago?) even though all his equipment was still
2.4GHz for a long time. Without that specialized protocol knowledge, nobody
with a 2.4GHz radio is gonna connect to him, with or without security.

>> They all run a watchdog of some sort.

> Usually just arpwatch and traffic graphs.


Actually, they also log stuff because I talk to one local WISP who tells me
he is sick of getting take-down notices for most of his customers, so he
has assigned everyone a static IP address just to make his logging
backtracks easier. To him, since he just has to forward the notice, he's
not irritated by the notice - but by the need to figure out who it was. He
solved that by giving everyone a static IP address.

Luckily, most of these guys are very nice guys (except Dave over by you who
is only exceeded in crassness by Brett, his Arizona support guy who has an
utterly amazing lack of customer service support skills).

> With most WISPs, over the air bandwidth is the main limitation to how
> many customers they can handle. If you add a leech anywhere on the
> system, which increases usage beyond normal, it's a problem.


I would agree. But I see a few hundred homes on the connection I'm on, and
there are multiple APs they're connected to, even on the same tower (Loma
Prieta is the main tower but others exist in the surrounding hills). They
have fiber-optic backhauls, so, the way "I" understand it (I'm just a
customer though) is that they aren't limited by their backhaul but by the
number of access points they set up and their painting coverage.

> I hate to ruin your illusions, but I never was much of a hippie.
> Glorified poverty didn't have much of an appeal. I did try
> becoming a beatnik as a teenager and a protester in college, but not a
> hippie.
> http://802.11junk.com/jeffl/pics/jeffl/


Wow, Jeff. Interesting picture. I've seen the insides of your routers, and
lots of your test equipment over the years, but that 1975 picture sure did
look beatnik hippy to me!

Is that a park-ranger uniform? Big Basin?

PS: What do you think about the possibility of tapping into a Starbucks in
downtown Santa Cruz from Loma Prieta?


> Zilch. Too much interference along the path on both 2.4 and 5GHz.
> Loma to SCZ is about 9 miles. Over 5 miles, one sees timeouts and the
> ACK timing needs to be tweaked. You can see the SSIDs of distant
> stations (because broadcasts do not need ACKs) but you can't connect.


Interesting. Yes, I have seen SSIDs of the sort of a LOS from Loma Prieta
down to Santa Cruz, where I couldn't get better than about -85dBm at the
best but there was never the necessary SNR headroom of a half dozen to a
dozen decibels. I didn't even think about ACKs but the radio does
automatically adjust for distance.

> However, without the interference, one can do it by violating the FCC
> rules with a big dish. I've done this and even under ideal
> conditions, aiming the dish, and keeping it aligned, is a major
> problem.


Mine is a 27dBm output -94dBm sensitivity 5GHz Rocket M5,
(https://dl.ubnt.com/datasheets/rocke..._Datasheet.pdf)
although I have 28dBm -97dBm 2.4GHz Rocket M2s and nano bridges and even
high-power bullets scattered all about the hillside.

I had a talk with Ubiquiti support over in San Jose, and they said the
AirOS firmware was set that you couldn't possibly go over the 1 Watt legal
limit of the 5 GHz frequency power output (which itself is ten times higher
than the 2.4 GHz band legal limit), once you set the country (which is
usually set to the USA because the limits are highest in the USA).

They told me that you can try, but the firmware won't let you, even though
it might *report* that it's over the legal limit.

> Also, at that range and lousy SNR, throughput is gonna be
> rather low. Incidentally, I know of several point to point links
> between Loma and various sites on 5GHz that get really good speeds and
> reliable performance. I'm not sure of the ranges, but most seem to be
> between 5 and 10 miles.


My connection is at the higher end of that 5 to 10 mile range, and my
throughput is just OK. I have clear LOS with nothing in the first Fresnel
zone too.

> However, both sides use decent hardware, dish
> or panel antennas, and a clear line of sight, which is not what you'll
> find at Starbucks.


This is correct. The biggest problem though, I thought, was that the
*transmitter* at Starbucks would be the major limitation. Basically I
figured we could transmit a strong signal to the Starbucks AP, but without
a far better antenna, the signal from Starbucks would never get back in
sufficient 6 to 10 decibel strength over the noise to us.

> Besides, the downtown SCZ Starbucks is surrounded
> by tall buildings on all 4 sides (I used to fix Heinz's computers when
> he had the microscope shop in the basement under Starbucks).


Ah, yet another pragmatic obstacle to overcome, borne from experience.
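Jeff's point above, that CSMA/CA contention falls apart as the number of client radios on an access point grows, can be put in numbers with a toy model of the 802.11 DCF backoff. This is an added example, not code from the post or from any WISP mentioned in it; it assumes a saturated network (every station always has a frame waiting), all stations hearing each other, and binary exponential backoff between 16 and 1024 slots.

```python
import random

# Added example (not from the post): a toy 802.11 DCF contention model showing
# why CSMA/CA collisions climb with the number of active client radios.
# Assumptions (mine): saturated stations, no hidden nodes, CWmin=16 slots
# (802.11 CWmin=15), CWmax=1024 slots, collisions double the window.

CW_MIN = 16
CW_MAX = 1024


def first_round_collision_probability(n: int, cw: int = CW_MIN) -> float:
    """Exact probability that the very first contention among n stations is a
    collision, i.e. the smallest backoff slot was drawn by two or more of them.
    P(unique winner) = sum_k n * (1/cw) * ((cw-1-k)/cw)**(n-1)."""
    if n < 2:
        return 0.0
    unique = sum(n / cw * ((cw - 1 - k) / cw) ** (n - 1) for k in range(cw))
    return 1.0 - unique


def simulate_collision_rate(n: int, frames_per_station: int = 20, seed: int = 1) -> float:
    """Monte Carlo: run DCF backoff until every station has sent
    frames_per_station frames; return collisions / (collisions + successes)."""
    if n < 1:
        return 0.0
    rng = random.Random(seed)
    pending = [frames_per_station] * n
    cw = [CW_MIN] * n
    backoff = [rng.randrange(CW_MIN) for _ in range(n)]
    successes = collisions = 0
    while any(pending):
        active = [i for i in range(n) if pending[i]]
        lowest = min(backoff[i] for i in active)
        winners = [i for i in active if backoff[i] == lowest]
        for i in active:
            backoff[i] -= lowest          # everyone counts down to that slot
        if len(winners) == 1:
            i = winners[0]
            successes += 1
            pending[i] -= 1
            cw[i] = CW_MIN                # a success resets the window
            backoff[i] = rng.randrange(cw[i])
        else:
            collisions += 1
            for i in winners:             # colliders double their window and redraw
                cw[i] = min(cw[i] * 2, CW_MAX)
                backoff[i] = rng.randrange(cw[i])
    return collisions / (collisions + successes)
```

With 4 contending stations the first round collides about 12% of the time; with 40 it is close to 80%, which is the regime where a polled or TDMA protocol starts to pay for itself.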