Is it theorectically or practically even possible to mooch off if a typical
WISP

In the iPhone newsgroups, a typical Apple Fundamentalist assumed I mooch
off of my SF Bay Area Santa Cruz Mountain WISP simply because I get my
Internet connection over the air via a WISP ISP a couple of mountains away.

In my response to this iOS right winger, who is used to so used to paying
through the nose for everything that he can't even comprehend the *concept*
of legitimate freeware, I told him (nospam) that I can't possibly even
*think* of how a typical WISP would accidentally allow moochers.

While I used to have a 2.4GHz Rocket M2, I switched to the less noisy 5GHz
Rocket M5 which has vertical and horizontal channels that are set by the
WISP (who logs into the antenna to set it up from afar).

Certainly the WISP keeps logs of all connections, and, in my case, he has
to assign a static IP address to *each* customer.

So, this question is only one of theoretical/practical possibilities.

Is it even theoretically or practically possible to mooch off of your WISP
provider without him knowing about it (assuming he's a normal conscientious
WISP using all the normal tools that a WISP would use).

On Mon, 25 Jul 2016 02:36:20 +0000 (UTC), Aardvarks
wrote:

Is it theorectically or practically even possible to mooch off if a typical
WISP

Sigh. Do you really expect me to post detailed instructions on how it
might be done?

I'll assume that the leach has a compatible wi-fi client bridge radio,
a decent dish or panel antenna, a good location to see the WISP access
point antenna, and is able to associate (synchronize with the pseudo
random spread spectrum spreading code). Basically, the means the
leach can get a "connect" indication from his client bridge radio.

The next obstacle is how much security has the WISP installed to
protect his system. Nobody runs a wide open system, without
encryption and no passwords. For a minimum, the WISP is certain to
authenticate the MAC address of the client bridge radio. MAC
addresses are easily spoofed, but this is mostly for identifying and
blocking radios that are attempting to connect, but don't belong on
the system.

The next layer is WPA2-AES-Enterprise encryption and authentication.
Unlike the typical home wi-fi router, which uses WPA2-AES-PSK
(pre-shared key), WPA2-AES-Enterprise does not have a single
encryption key for the entire system. A new and unique key is issued
for each connection and at regular intervals. Even if you could crack
the encryption key, it would only be good for a maximum of 3600
seconds. The RADIUS authorization and 802.1x authentication system
would also have a stored login and password.

There are a bunch of other tricks to improve security that are used,
which I don't want to disclose or discuss. Most do not really prevent
someone from breaking into the system, but rather act as a burglar
alarm to identify attempted breakins.

I would say that trying to get past WPA2-AES-Enterprise, even with
inside information, is not possible (unless you're the NSA). Spoofing
an existing connection or working WISP customer is somewhat less
difficult. One would need the previously mentioned hardware list, a
means of tweaking the client bridge MAC address, the RADIUS login and
password, and inside knowledge of what the WISP is using for
authentication. One would also need to somehow disable the real
customer as it would not do to have two client bridge radios trying to
authenticate using identical credentials. That will certainly set off
alarms (if the WISP pays attention to alarms and reads the log files).
That's possible, but hardly practical, and certainly not reliable.

Leeching is usually NOT done by trying to connect to the WISP access
point. Instead, it's done by connecting to the wireless router
installed by the WISP customers. In other words, the neighbors. These
are typical home wireless commodity routers, secured by a single
WPA2-AES-PSK password key. If you know the key (or its hash code),
and have good RF connectivity to the neighbors wireless router, you're
on the system.

So, to answer your question... yes, it's theoretically possible but
no, it's not easy, practical, worthwhile, or reliable. Incidentally,
it's also a crime and legally actionable as "theft of services" which
increases the element of risk.


--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Sun, 24 Jul 2016 21:05:10 -0700, Jeff Liebermann wrote:

Sigh. Do you really expect me to post detailed instructions on how it
might be done?

Hi Jeff,
I knew you'd be on either a.i.w or s.e.r (although you hang out more on the
latter nowadays, I think).

I'll assume that the leach has a compatible wi-fi client bridge radio,
a decent dish or panel antenna, a good location to see the WISP access
point antenna, and is able to associate (synchronize with the pseudo
random spread spectrum spreading code). Basically, the means the
leach can get a "connect" indication from his client bridge radio.

The theoretical leach would be me (but I already have free WiFi access from
my WISP in return for being an access point for him) so the question really
*is* theoretical, and you actually know all the WISPs in this area (let's
not state their company or real names, for privacy reasons, but you know of
Loren at H.....p and Dave at S.....t and Mike at R...........s, and Herman
at E.....c, etc., who are the respective WISP proprietors).

The next obstacle is how much security has the WISP installed to
protect his system. Nobody runs a wide open system, without
encryption and no passwords.

Exactly!
Nobody runs a wide open system where leaches can just latch on for any
reasonable period of time.

Loren is the least restrictive, Herman is the most restrictive - with the
others in between on security.

For a minimum, the WISP is certain to
authenticate the MAC address of the client bridge radio. MAC
addresses are easily spoofed, but this is mostly for identifying and
blocking radios that are attempting to connect, but don't belong on
the system.

Actually, as you pretty well know, that end of the MAC address is, think,
the harder one to spoof (I think it was you who told me that long ago).

But let me confirm...

The end that the WISP sees is the hard one to spoof, isn't it?

The next layer is WPA2-AES-Enterprise encryption and authentication.

Yup. While Loren doesn't even use encryption on the 802.11 equipment, he
has plenty of 900MHz equipment which has to be specially set up, and Mike,
for example also makes use of non-wifi protocols. So does Dave and Herman's
system isn't at all compatible with customer owned equipment.

Unlike the typical home wi-fi router, which uses WPA2-AES-PSK
(pre-shared key), WPA2-AES-Enterprise does not have a single
encryption key for the entire system. A new and unique key is issued
for each connection and at regular intervals. Even if you could crack
the encryption key, it would only be good for a maximum of 3600
seconds. The RADIUS authorization and 802.1x authentication system
would also have a stored login and password.

Yup. And that doesn't even count the protocol tricks that these guys use to
get better bandwidth throughput and noise rejection.

There are a bunch of other tricks to improve security that are used,
which I don't want to disclose or discuss. Most do not really prevent
someone from breaking into the system, but rather act as a burglar
alarm to identify attempted breakins.

They all run a watchdog of some sort.

I would say that trying to get past WPA2-AES-Enterprise, even with
inside information, is not possible (unless you're the NSA).

Actually, I have more knowledge than most because I'm a repeater so I am
sometimes called to do troubleshooting to save them a visit - but for this
discussion - we should assume I'm a normal customer of the WISP.

Spoofing
an existing connection or working WISP customer is somewhat less
difficult. One would need the previously mentioned hardware list, a
means of tweaking the client bridge MAC address, the RADIUS login and
password, and inside knowledge of what the WISP is using for
authentication.

You also need the protocol information, and the IP address information, but
presumably you could sniff that over the air.

One would also need to somehow disable the real
customer as it would not do to have two client bridge radios trying to
authenticate using identical credentials. That will certainly set off
alarms (if the WISP pays attention to alarms and reads the log files).
That's possible, but hardly practical, and certainly not reliable.

Yup. While doing a site discovery isn't hard, you have to also crack the
admin password on the radio, which changes frequently, among other hurdles.

Leeching is usually NOT done by trying to connect to the WISP access
point.

Agreed. It's just too hard to do and too easy to get caught since a house
doesn't move all that fast.

Instead, it's done by connecting to the wireless router
installed by the WISP customers.

OK. That's *easy* by way of comparison. But we weren't talking about
breaking into the homeowners' SOHO router (which is a different topic
altogether).

In other words, the neighbors. These
are typical home wireless commodity routers, secured by a single
WPA2-AES-PSK password key. If you know the key (or its hash code),
and have good RF connectivity to the neighbors wireless router, you're
on the system.

Yes. Plenty of neighbors have wide open networks. Sigh.
They're the Santa Cruz 60's hippy trusting type of people.
You know ... people like you!
(jk - you're too knowledgeable to be trusting!)

So, to answer your question... yes, it's theoretically possible but
no, it's not easy, practical, worthwhile, or reliable. Incidentally,
it's also a crime and legally actionable as "theft of services" which
increases the element of risk.

Yup. Just what I had thought.

The Apple iOS "experts" blandly accuse people of this stuff, not even
taking into account *any* of the many potential hurdles, not the least of
which that a house doesn't move all that fast and is easy to locate when
stealing WISP bandwidth.

If you're not the NSA, then you're probably not hacking into the WISP.
It's just not feasible.

Thanks for your insight!

PS: What do you think about the possibility of tapping into a Starbucks in
downtown Santa Cruz from Loma Prieta?

On Mon, 25 Jul 2016 05:39:41 +0000 (UTC), Aardvarks
wrote:

The theoretical leach would be me (but I already have free WiFi access from
my WISP in return for being an access point for him) so the question really
*is* theoretical, and you actually know all the WISPs in this area (let's
not state their company or real names, for privacy reasons, but you know of
Loren at H.....p and Dave at S.....t and Mike at R...........s, and Herman
at E.....c, etc., who are the respective WISP proprietors).

I think I've met them all and certainly recognize the companies.
However, I'm not currently doing WISP work and haven't worked with any
of the companies for many years. Hint: I gave up tower climbing over
20 years ago.

For a minimum, the WISP is certain to
authenticate the MAC address of the client bridge radio. MAC
addresses are easily spoofed, but this is mostly for identifying and
blocking radios that are attempting to connect, but don't belong on
the system.

Actually, as you pretty well know, that end of the MAC address is, think,
the harder one to spoof (I think it was you who told me that long ago).

But let me confirm...

The end that the WISP sees is the hard one to spoof, isn't it?

I certainly didn't say that. Some client bridge radios partition
their firmware into the part you can replace (e.g. DD-WRT) and the
part that remains untouched (boot loader, MAC addresses, encryption
keys, serial numbers, manufacturing details, etc). Changing these are
possible and fairly easy if you own a logic analyzer, hot air SMT
desoldering station and an SPI bus serial EPROM programmer.

However, the leech could also use a commodity wireless card crammed
into a PC, and do everything in software, where it is super trivial to
tweak the MAC address. No worries about WPA2 encryption because the
MAC address and control frames are sent unencrypted.

Yup. While Loren doesn't even use encryption on the 802.11 equipment, he
has plenty of 900MHz equipment which has to be specially set up, and Mike,
for example also makes use of non-wifi protocols. So does Dave and Herman's
system isn't at all compatible with customer owned equipment.

Security by obscurity has it's merits. Anyone who is willing to spend
a few hundred dollars on hardware, and spend many hours hacking, in
order to save a few dollars in service charges, needs to take a
remedial finance class.

Yup. And that doesn't even count the protocol tricks that these guys use to
get better bandwidth throughput and noise rejection.

The creative protocols are not for security. The problem is that
802.11 was originally designed to handle a small number of client
radios per access point. CSMA/CA works nicely for that because
there's plenty of time between packets to allow for collision backoff.
However, when dealing with a much larger number of users, the
probability of collisions increases rather dramatically, until nothing
works. Also, minor network overhead, such as ARP requests and
broadcasts, become a major nuisance as they proceed to become the
dominant traffic (because broadcasts go to everyone). So, new
protocols, based on token passing (VTP-CSMA) or polling are used,
which are more efficient for larger systems.

They all run a watchdog of some sort.

Usually just arpwatch and traffic graphs.

OK. That's *easy* by way of comparison. But we weren't talking about
breaking into the homeowners' SOHO router (which is a different topic
altogether).

With most WISPs, over the air bandwidth is the main limitation to how
many customers they can handle. If you add a leech anywhere on the
system, which increases usage beyond normal, it's a problem.

Yes. Plenty of neighbors have wide open networks. Sigh.
They're the Santa Cruz 60's hippy trusting type of people.
You know ... people like you!
(jk - you're too knowledgeable to be trusting!)

I hate to ruin your illusions, but I never was much of a hippie.
Glorified poverty doesn't didn't have much of an appeal. I did try
becoming a beatnik as a teenager and a protester in college, but not a
hippie.
http://802.11junk.com/jeffl/pics/jeffl/

The Apple iOS "experts" blandly accuse people of this stuff, not even
taking into account *any* of the many potential hurdles, not the least of
which that a house doesn't move all that fast and is easy to locate when
stealing WISP bandwidth.

PS: What do you think about the possibility of tapping into a Starbucks in
downtown Santa Cruz from Loma Prieta?

Zilch. Too much interference along the path on both 2.4 and 5Ghz.
Loma to SCZ is about 9 miles. Over 5 miles, one sees timeouts and the
ACK timing needs to be tweaked. You can see the SSID's of distant
stations (because broadcasts do not need ACK's) but you can't connect.
However, without the interference, one can do it by violating the FCC
rules with a big dish. I've done this and even under ideal
conditions, aiming the dish, and keeping it aligned, is a major
problem. Also, at that range and lousy SNR, throughput is gonna be
rather low. Incidentally, I know of several point to point links
between Loma and various sites on 5GHz that get really good speeds and
reliable performance. I'm not sure of the ranges, but most seem to be
between 5 and 10 miles. However, both sides use decent hardware, dish
or panel antennas, and a clear line of sight, which is not what you'll
find at Starbucks. Besides, the downtown SCZ Starbucks is surrounded
by tall buildings on all 4 sides (I used to fix Heinz's computers when
he had the microscope shop in the basement under Starbucks).


--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Per Jeff Liebermann:
tower climbing

In my book, those guys are, along with tree trimmers, modern-day heroes
in the sense of the old Inuit kayak hunters: One bad move or error in
judgment and you die.
--
Pete Cresswell

On Mon, 25 Jul 2016 08:15:41 -0700, Jeff Liebermann wrote:

The end that the WISP sees is the hard one to spoof, isn't it?

I certainly didn't say that. Some client bridge radios partition
their firmware into the part you can replace (e.g. DD-WRT) and the
part that remains untouched (boot loader, MAC addresses, encryption
keys, serial numbers, manufacturing details, etc). Changing these are
possible and fairly easy if you own a logic analyzer, hot air SMT
desoldering station and an SPI bus serial EPROM programmer.
'
Heh heh. Yeah, if I only had a hot air SMT desoldering station, I could
change my MAC address too.

However, the leech could also use a commodity wireless card crammed
into a PC, and do everything in software, where it is super trivial to
tweak the MAC address. No worries about WPA2 encryption because the
MAC address and control frames are sent unencrypted.

OK. But that's a lot of work to just get free WiFi from a WISP, and still
more has to be done so as not to get caught (which, I state, would be
virtually impossible and certainly not worth the $100/month WiFi fee).

Security by obscurity has it's merits. Anyone who is willing to spend
a few hundred dollars on hardware, and spend many hours hacking, in
order to save a few dollars in service charges, needs to take a
remedial finance class.

Yup. That was my point to the guy, nospam, who accused me of stealing my
WISP just because I knew enough about WISP to spout the words reasonably
coherently.

What I do know is that it wouldn't be easy for me, and even for you, it
wouldn't be easy not to get caught (since your house doesn't move all that
fast except that you're near the fault line so it jumps a few feet every
hundred years or so).

The creative protocols are not for security. The problem is that
802.11 was originally designed to handle a small number of client
radios per access point. CSMA/CA works nicely for that because
there's plenty of time between packets to allow for collision backoff.
However, when dealing with a much larger number of users, the
probability of collisions increases rather dramatically, until nothing
works. Also, minor network overhead, such as ARP requests and
broadcasts, become a major nuisance as they proceed to become the
dominant traffic (because broadcasts go to everyone). So, new
protocols, based on token passing (VTP-CSMA) or polling are used,
which are more efficient for larger systems.

This makes sense that the protocols they are all starting to use (except
Loren, and Herman was *always* using the new protocols) are for
communication reasons, and not for security.

Still, Dave switched his Santa Cruz company off of the WiFi protocol a few
years ago (maybe 5 years ago?) even though all his equipment was still
2.4GHz for a long time. Without that specialized protocol knowledge, nobody
with a 2.4GHz radio is gonna connect to him, with or without security.

They all run a watchdog of some sort.
Usually just arpwatch and traffic graphs.

Actually, they also log stuff because I talk to one local WISP who tells me
he is sick of getting take-down notices for most of his customers, so he
has assigned everyone a static IP address just to make his logging
backtracks easier. To him, since he just has to forward the notice, he's
not irritated by the notice - but by the need to figure out who it was. He
solved that by giving everyone a static IP address.

Luckily, most of these guys are very nice guys (except Dave over by you who
is only exceeded in crassness by Brett, his Arizona support guy who has an
utterly amazing lack of customer service support skills.

With most WISPs, over the air bandwidth is the main limitation to how
many customers they can handle. If you add a leech anywhere on the
system, which increases usage beyond normal, it's a problem.

I would agree. But I see a few hundred homes on the connection I'm on, and
there are multiple APs they're connected to, even on the same tower (Loma
Prieta is the main tower but others exist in the surrounding hills). They
have fiber-optic backhauls, so, the way "I" understand it (I'm just a
customer though) is that they aren't limited by their backhaul but by the
number of access points they set up and their painting coverage.

I hate to ruin your illusions, but I never was much of a hippie.
Glorified poverty doesn't didn't have much of an appeal. I did try
becoming a beatnik as a teenager and a protester in college, but not a
hippie.
http://802.11junk.com/jeffl/pics/jeffl/

Wow, Jeff. Interesting picture. I've seen the insides of your routers, and
lots of your test equipment over the years, but that 1975 picture sure did
look beatnik hippy to me!

Is that a park-ranger uniform? Big Basin?

PS: What do you think about the possibility of tapping into a Starbucks in
downtown Santa Cruz from Loma Prieta?

Zilch. Too much interference along the path on both 2.4 and 5Ghz.
Loma to SCZ is about 9 miles. Over 5 miles, one sees timeouts and the
ACK timing needs to be tweaked. You can see the SSID's of distant
stations (because broadcasts do not need ACK's) but you can't connect.

Interesting. Yes, I have seen SSIDs of the sort of a LOS from Loma Prieta
down to Santa Cruz, where I couldn't get better than about -85dBm at the
best but there was never the necessary SNR headroom of a half dozen to a
dozen decibels. I didn't even think about ACKS but the radio does
automatically adjust for distance.

However, without the interference, one can do it by violating the FCC
rules with a big dish. I've done this and even under ideal
conditions, aiming the dish, and keeping it aligned, is a major
problem.

Mine is a 27dBm output -94dBm sensitivity 5GHz Rocket M5,
(https://dl.ubnt.com/datasheets/rocke..._Datasheet.pdf)
although I have 28dBM -97dBm 2.4GHz Rocket M2s and nano bridges and even
high-power bullets scattered all about the hillside.

I had a talk with Ubiquiti support over in San Jose, and they said the
AirOS firmware was set that you couldn't possibly go over the 1 Watt legal
limit of the 5 GHz frequency power output (which itself is ten times higher
than the 2.4 GHz band legal limit), once you set the country (which is
usually set to the USA because the limits are highest in the USA).

They told me that you can try, but the firmware won't let you, even though
it might *report* that it's over the legal limit.

Also, at that range and lousy SNR, throughput is gonna be
rather low. Incidentally, I know of several point to point links
between Loma and various sites on 5GHz that get really good speeds and
reliable performance. I'm not sure of the ranges, but most seem to be
between 5 and 10 miles.

My connection is at the higher end of that 5 to 10 mile range, and my
throughput is just OK. I have clear LOS with nothing in the first Fresnel
zone too.

However, both sides use decent hardware, dish
or panel antennas, and a clear line of sight, which is not what you'll
find at Starbucks.

This is correct. The biggest problem though, I thought, was that the
*transmitter* at Starbucks would be the major limitation. Basically I
figured we could transmit a strong signal to the Starbucks AP, but without
a far better antenna, the signal from Starbucks would never get back in
sufficient 6 to 10 decibel strength over the noise to us.

Besides, the downtown SCZ Starbucks is surrounded
by tall buildings on all 4 sides (I used to fix Heinz's computers when
he had the microscope shop in the basement under Starbucks).

Ah, yet another pragmatic obstacle to overcome, borne from experience.

On Mon, 25 Jul 2016 16:31:01 +0000 (UTC), Aardvarks
wrote:

Heh heh. Yeah, if I only had a hot air SMT desoldering station, I could
change my MAC address too.

I bought mine on eBay for about $80. However, it's not quite as easy
as reading all the data from the original chip, editing it, and
putting it back. Many such eeproms have protected areas that can't be
directly read. My luck in dealing with these has been dismal.
Fortunately, such chips are priced a little higher than ordinary
eeproms, making their use in price conscious consumer hardware rather
limited. Some details:
https://www.maximintegrated.com/en/app-notes/index.mvp/id/3771

OK. But that's a lot of work to just get free WiFi from a WISP, and still
more has to be done so as not to get caught (which, I state, would be
virtually impossible and certainly not worth the $100/month WiFi fee).

Suggestions: When looking at costs, I try to annualize the numbers.
To many financially marginal users, $1200/year is well worth the
effort and would subsidize a fairly substantial collection of
electronic burglar and reverse engineering tools.

Yup. That was my point to the guy, nospam, who accused me of stealing my
WISP just because I knew enough about WISP to spout the words reasonably
coherently.

Oddly, I have the opposite problem. Because I know too much about
wireless (and cellular) security, readers automatically assume that I
spend my evenings in front of a computah, merrily hacking my way into
as many systems as possible. This is hardly that case, but it does
improve my otherwise lackluster and boring image.

What I do know is that it wouldn't be easy for me, and even for you,

If it were easy, it would not be fun.

This makes sense that the protocols they are all starting to use (except
Loren, and Herman was *always* using the new protocols) are for
communication reasons, and not for security.

Yep. Because these protocols often do not show up on Wi-Fi sniffer,
finder, and site survey programs, they present a serious interference
potential. I've been told that some have 802.11b compatible beacons,
but I haven't seen any.

Luckily, most of these guys are very nice guys (except Dave over by you who
is only exceeded in crassness by Brett, his Arizona support guy who has an
utterly amazing lack of customer service support skills.

Although we haven't talked in a long time, I don't have any problems
with Brett. No clue on the rest of the company. Several friends and
customers use their mesh wireless service. I don't hear any
complaints, so I presume it mostly works.

I would agree. But I see a few hundred homes on the connection I'm on, and
there are multiple APs they're connected to, even on the same tower (Loma
Prieta is the main tower but others exist in the surrounding hills). They
have fiber-optic backhauls, so, the way "I" understand it (I'm just a
customer though) is that they aren't limited by their backhaul but by the
number of access points they set up and their painting coverage.

The limiting factor is what I call "air time" or how much time it
takes to send something. Since wireless is a shared medium, only one
transmitter can use the bandwidth at a time. If that transmitter
happens to be running extremely slow due or is spewing junk, there
will not be enough "air time" to service the rest of the channel
users. Details if you need them.

Incidentally, mountain tops tend to have fiber backhauls because
that's all the telcos will provide these days. Copper is so 20th
century and so unreliable.

http://802.11junk.com/jeffl/pics/jeffl/

Wow, Jeff. Interesting picture. I've seen the insides of your routers, and
lots of your test equipment over the years, but that 1975 picture sure did
look beatnik hippy to me!

I used a bad title. It was really about 1970. I was scheduled to
renew my drivers license and needed a suitable disguise. I shaved off
the beard but kept the mustache after the license arrived. The common
description was "motorcycle thug", not beatnik.

Is that a park-ranger uniform? Big Basin?

Nope. I was cheap and tended to wear military surplus clothes, much
to the irritation of my father, who owned a factory in the L.A.
garment district. At the time, the industry was pushing "polyester
blend" crap. I wanted cotton and the only way to get it at affordable
prices was military surplus. I think I had about 20 identical shirts.
I still do much the same thing today, but no more military surplus
clothes.

Interesting. Yes, I have seen SSIDs of the sort of a LOS from Loma Prieta
down to Santa Cruz, where I couldn't get better than about -85dBm at the
best but there was never the necessary SNR headroom of a half dozen to a
dozen decibels. I didn't even think about ACKS but the radio does
automatically adjust for distance.

It adjusts, but only to a point. If the timeout is less than the
flight time, it will retry BEFORE the ACK is received. Many outdoor
radios have a "long distance" check box in the settings to increase
the timeout. Few home wireless routers have this feature.

They told me that you can try, but the firmware won't let you, even though
it might *report* that it's over the legal limit.

Ignoring the legal limit, cranking up the power output to unreasonable
levels usually causes the output stage to go non-linear. This is not
a good thing and will produce distortion and errors. Better lower
power and linear, than higher power and distorted. I found some
photos where someone demonstrated this on a WRT54G, but can't locate
the URL right now.

However, both sides use decent hardware, dish
or panel antennas, and a clear line of sight, which is not what you'll
find at Starbucks.

This is correct. The biggest problem though, I thought, was that the
*transmitter* at Starbucks would be the major limitation. Basically I
figured we could transmit a strong signal to the Starbucks AP, but without
a far better antenna, the signal from Starbucks would never get back in
sufficient 6 to 10 decibel strength over the noise to us.

That would probably be the major limitation. However, it won't be
because of insufficient RF from Starbucks. It will be because even
the narrowest beamwidth dish antenna at your end, will pickup hundreds
of other wi-fi devices along the line of sight. Starbucks signal will
be buried under the interference.

Try Fing on your iphone or Android device at the local wi-fi hot spot:
https://play.google.com/store/apps/details?id=com.overlook.android.fing&hl=en
It will give you a list of what is connected to the local wireless
router. If you look through the list, you'll also get a list of
wireless cards and devices, which can usually be helpful in
identifying the hardware. It's quite common to find desktops and
outdoor client bridge radios, which are not what one would expect to
see at Starbucks. I know one local hot spot that routinely has
between one and three Ubiquiti radios connected.

Gone to replace the LNBF on a C band dish for the 4th(?) time. It's
not tower work but still slightly dangerous.

--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Tue, 26 Jul 2016 09:05:17 -0700, Jeff Liebermann wrote:

Suggestions: When looking at costs, I try to annualize the numbers.
To many financially marginal users, $1200/year is well worth the
effort and would subsidize a fairly substantial collection of
electronic burglar and reverse engineering tools.

This is a good point to annualize costs.
Saving $1,200 a year for ten years is a serious tool cache!

Oddly, I have the opposite problem. Because I know too much about
wireless (and cellular) security, readers automatically assume that I
spend my evenings in front of a computah, merrily hacking my way into
as many systems as possible. This is hardly that case, but it does
improve my otherwise lackluster and boring image.

That makes sense. Over the years, on a.i.w, you have joked that you could
break in to many home broadband routers, simply because people don't secure
them properly.

Although we haven't talked in a long time, I don't have any problems
with Brett. No clue on the rest of the company. Several friends and
customers use their mesh wireless service. I don't hear any
complaints, so I presume it mostly works.

Good for you that you can communicate well with Brett. I guess he doesn't
insult you as much as he insults less knowledgeable people.

Dave is just as cocky in sales. Contrast that with how Loren deals with the
hoi polloi who are his customers, and it shows that these small WISP
outfits have entirely different personalities when you deal with them.

The Comcast & satellite customers don't get that "personal" connection with
the proprietors!

Incidentally, mountain tops tend to have fiber backhauls because
that's all the telcos will provide these days. Copper is so 20th
century and so unreliable.

The mountain top I'm using *does* have a fiber-optic backhaul, so, as you
noted, it's the "airtime" that limits my bandwidth (plus any throttling
done by the AP operator).

I used a bad title. It was really about 1970. I was scheduled to
renew my drivers license and needed a suitable disguise. I shaved off
the beard but kept the mustache after the license arrived. The common
description was "motorcycle thug", not beatnik.

I bleached and sandpapered my fingerprint when I went for a license.
Heh heh ... it was the wrong thumb!
I was sore for a week!

Nope. I was cheap and tended to wear military surplus clothes, much
to the irritation of my father, who owned a factory in the L.A.
garment district. At the time, the industry was pushing "polyester
blend" crap. I wanted cotton and the only way to get it at affordable
prices was military surplus. I think I had about 20 identical shirts.
I still do much the same thing today, but no more military surplus
clothes.

I buy at the military surplus stores all the time. That's where I get my
boots, for example. And all my rope for climbing on the mountain. I don't
think I have shirts though. I do love their parachute line which I use for
lots of things except shoelaces! [Parachute line sucks at long hiking boot
laces - you have to rub Elmers glue on the slippery line just to get some
friction from the dried residue - ask me how I know.]

It adjusts, but only to a point. If the timeout is less than the
flight time, it will retry BEFORE the ACK is received. Many outdoor
radios have a "long distance" check box in the settings to increase
the timeout. Few home wireless routers have this feature.

I use the Rockets mostly nowadays, where AirOS has some pretty good
diagnostics (I love the noise interference waterfall display information!)

Ignoring the legal limit, cranking up the power output to unreasonable
levels usually causes the output stage to go non-linear.

I keep to the limit. I'm pretty much *at* the legal limit though, since my
AP is something along the lines of 10 miles away (or so).

That would probably be the major limitation. However, it won't be
because of insufficient RF from Starbucks. It will be because even
the narrowest beamwidth dish antenna at your end, will pickup hundreds
of other wi-fi devices along the line of sight. Starbucks signal will
be buried under the interference.

I agree, even at 5GHz, noise is *everywhere*, so, I need a good dozen
decibels above the noise to connect.

It would be *fun* to actually connect to a downtown library or coffeeshop
from ten miles away; but, it's just not pragmatic unless I'm within a mile
or two.

It's quite common to find desktops and
outdoor client bridge radios, which are not what one would expect to
see at Starbucks. I know one local hot spot that routinely has
between one and three Ubiquiti radios connected.

Ah, that's what I thought.
I would guess that a mile or two LOS is no problem.
But ten miles is too far, at least for me.

Gone to replace the LNBF on a C band dish for the 4th(?) time. It's
not tower work but still slightly dangerous.

Good luck. I bought an orange OSHA-compliant safety harness from a military
surplus store if you ever want it. I never used it! You can have it. It has
a big aluminum D ring sewn to the middle of the harness for safety
tethering.

On Tue, 26 Jul 2016 21:32:44 +0000 (UTC), Aardvarks
wrote:

This is a good point to annualize costs.
Saving $1,200 a year for ten years is a serious tool cache!

No need to go beyond 1 year. The idea is to have a common cost
reference so that you can better compare various methods of payment.
$100/month doesn't seem like much, until you annualize the costs.

That makes sense. Over the years, on a.i.w, you have joked that you could
break in to many home broadband routers, simply because people don't secure
them properly.

It's not a joke. Most scripted router attacks include a list of well
known login and password combinations. The manufacturer default
passwords are always included. Few manufacturers force the user to
change the default password. So much for my "secure by default"
campaign.

Good for you that you can communicate well with Brett. I guess he doesn't
insult you as much as he insults less knowledgeable people.

He's been very nice and polite to me when I call. Of course, that was
many years ago and I haven't had a good reason to call recently, which
might explain why I don't have a problem with Brett.

The Comcast & satellite customers don't get that "personal" connection with
the proprietors!

The do with me. How many customers would bother asking Comcast or the
bird people about their broken kitchen appliances, home entertainment
boxes, or phone systems? Last week, I did a service call where I
spend about an hour on the computers, and another hour programming the
various TV/hi-fi/satellite/dvr/media-player remote controls. Now,
that's what I call a personal connection.

I bleached and sandpapered my fingerprint when I went for a license.
Heh heh ... it was the wrong thumb!
I was sore for a week!

I would be angry for much longer than a week. Fingerprints are
digitized, scanned for patterns, and classified so that they can be
easily searched and located. The fingerprints must pass a sanity
check or you get to redo the whole ordeal from the beginning. That's
what happened to me the last time I went for a drivers license exam. I
had to go back to the fingerprint window once or twice (I forgot
which) until the computah was happy.

I do love their parachute line which I use for
lots of things except shoelaces! [Parachute line sucks at long hiking boot
laces - you have to rub Elmers glue on the slippery line just to get some
friction from the dried residue - ask me how I know.]

Yech. Go thee unto thy local hardware store, and get some "liquid
tape" from the electrical section. Something like this:
http://www.hobbyhangar.co.nz/images/liquid%20tape.jpg
If you just slop it onto the parachute shrouds, you'll make a mess and
it won't work. I had to dilute it in some kind of solvent (I forgot
what I used). Paint it onto the parachute shrouds and quickly wipe
off the excess. The rubber ends up between the strand, which should
help convert the parachute shrouds into something it was never
intended to do.

Gone to replace the LNBF on a C band dish for the 4th(?) time. It's
not tower work but still slightly dangerous.

Good luck. I bought an orange OSHA-compliant safety harness from a military
surplus store if you ever want it. I never used it! You can have it. It has
a big aluminum D ring sewn to the middle of the harness for safety
tethering.

We moved and installed the dishes a few months ago:
http://802.11junk.com/jeffl/antennas/dish-move-project/index.html
http://802.11junk.com/jeffl/antennas/dish-new-install-project/index.html
The plan is now set in concrete, literally. The big 3 meter dish is
strong and flat enough that I can just climb up with a ladder and work
standing on the dish. No need to climb anything or use a harness. The
current problem is that both LNBF's crap out when they get hot. One
recovers when shaded by a cardboard box. The other does not. We have
2 generations of LNBF's that use DRO (dielectric resonant oscillators)
which are responsible for the temperature drift. These were replaced
by yesterday with PLL (phase lock loop) type LNBF's, which didn't work
at all. The problem was traced to the DC voltage supplied by the
stone age digital audio receivers, which are set to a single output
voltage and know nothing about switching between vertical and
horizontal polarization. Looks like I get to build a power supply,
switch, injector, RF isolator, volt/amp monitor, flashing lights, etc
panel.


--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On 2016-07-27 22:24:35 +0000, Jeff Liebermann said:

On Tue, 26 Jul 2016 21:32:44 +0000 (UTC), Aardvarks
wrote:


I bleached and sandpapered my fingerprint when I went for a license.
Heh heh ... it was the wrong thumb!
I was sore for a week!

I would be angry for much longer than a week. Fingerprints are
digitized, scanned for patterns, and classified so that they can be
easily searched and located. The fingerprints must pass a sanity
check or you get to redo the whole ordeal from the beginning. That's
what happened to me the last time I went for a drivers license exam. I
had to go back to the fingerprint window once or twice (I forgot
which) until the computah was happy.

Wait until "Live Scan" hits the DMV. That involves fingers and thumbs
of both hands and palm prints. Currently "Live Scan" is required for
all sorts of stuff from criminal background checks to various
professional licences from nurse/RN, EMS/EMT, teachers and a whole
bunch more, with an expanding list of trades and professions requiring
that sort of clearance.
https://oag.ca.gov/fingerprints

--
Regards,

Savageduck

On Wed, 27 Jul 2016 15:24:35 -0700, Jeff Liebermann wrote:

We moved and installed the dishes a few months ago:
http://802.11junk.com/jeffl/antennas/dish-move-project/index.html
http://802.11junk.com/jeffl/antennas/dish-new-install-project/index.html

Wow. To me, a "dish" is a Rocket M5!
Yours are far larger than mine!

On Fri, 29 Jul 2016 02:54:41 +0000 (UTC), Aardvarks
wrote:

On Wed, 27 Jul 2016 15:24:35 -0700, Jeff Liebermann wrote:

We moved and installed the dishes a few months ago:
http://802.11junk.com/jeffl/antennas/dish-move-project/index.html
http://802.11junk.com/jeffl/antennas/dish-new-install-project/index.html

Wow. To me, a "dish" is a Rocket M5!
Yours are far larger than mine!

Think bigger:
https://www.google.com/search?q=big+dish+antenna&tbm=isch

If you want to play with a really big (30 meter) dish, the Jamesburg
Earth Station is nearby:
https://en.wikipedia.org/wiki/Jamesburg_Earth_Station
http://www.jamesburgdish.org

--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Thu, 28 Jul 2016 22:54:37 -0700, Jeff Liebermann wrote:

Think bigger:
https://www.google.com/search?q=big+dish+antenna&tbm=isch

We have dishes like that at Stanford, as you well know, which can be seen
from 280 heading north to SF.

Mine can go about 10 miles reliably, but it's only about 18 inches or so in
diameter.