Re: Marriott wifi blocking
Most crimes not committed by government entities have to go through an indictment-trial-conviction sequence before punisihment is administered. Except in Chicago. Whereas most crimes committed by government entities go through the same process and are then not punished. Owen
Re: Marriott wifi blocking
On 10/4/2014 01:37, Owen DeLong wrote: Most crimes not committed by government entities have to go through an indictment-trial-conviction sequence before punisihment is administered. Except in Chicago. Whereas most crimes committed by government entities go through the same process and are then not punished. I wasn't going to go there--that gets me banned a lot. But I do think that an related AP at the curb outside is entitled to a trial before the death ray is unleashed against it. -- The unique Characteristics of System Administrators: The fact that they are infallible; and, The fact that they learn from their mistakes. Quis custodiet ipsos custodes
Re: Marriott wifi blocking
On 10/3/14, 10:03 PM, Larry Sheldon wrote: On 10/3/2014 22:26, Hugo Slabbert wrote: On Sat 2014-Oct-04 08:37:32 +0530, Suresh Ramasubramanian ops.li...@gmail.com wrote: Wifi offered by a carrier citywide, or free wifi signals from a nearby hotel / park / coffee shop.. Perfect example (thanks) of why cutting off network attachment points would be fair game while effectively attacking other WLANs has collateral damage. Most crimes not committed by government entities have to go through an indictment-trial-conviction sequence before punisihment is administered. Except in Chicago. And Ferguson. -- -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: Marriott wifi blocking
On 10/4/2014 01:37, Owen DeLong wrote: Most crimes not committed by government entities have to go through an indictment-trial-conviction sequence before punisihment is administered. Except in Chicago. Whereas most crimes committed by government entities go through the same process and are then not punished. I wasn't going to go there--that gets me banned a lot. But I do think that an related AP at the curb outside is entitled to a trial before the death ray is unleashed against it. Some laws that are broken require one to remain in jail until trial completion, whenever one is found to be a threat to other members of society. So in a virtual society perhaps virtual cell walls would be appropriate ? Bob Evans CTO
Re: Marriott wifi blocking
- Original Message - From: Majdi S. Abbas m...@latt.net I've seen this in a few places, but if anyone encounters similar behavior, I suggest the following: - Document the incident. - Identify the make and model of the access point, or controller, and be sure to pass along this information to the FCC's OET: http://transition.fcc.gov/oet/ Vendors really need to start losing their US device certification for devices that include advertised features that violate US law. It would put a stop to this sort of thing pretty quickly. Majdi makes an excellent point, but I want to clarify it, so no one misses the important subtext: It is OK for an enterprise wifi system to make this sort of attack *on rogue APs which are trying to pretend to be part of it (same ESSID). It is NOT OK for an enterprise wifi system to make this sort of attack on APs which *are not trying to pretend to be part of it* (we'll call this The Marriott Attack from now on, right?) Rogue AP prevention is a *useful* feature in enterprise wifi systems... but *that isn't what Marriott was doing*. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: Marriott wifi blocking
On 10/04/2014 10:23 AM, Jay Ashworth wrote: Majdi makes an excellent point, but I want to clarify it, so no one misses the important subtext: It is OK for an enterprise wifi system to make this sort of attack *on rogue APs which are trying to pretend to be part of it (same ESSID). It is NOT OK for an enterprise wifi system to make this sort of attack on APs which *are not trying to pretend to be part of it* (we'll call this The Marriott Attack from now on, right?) Rogue AP prevention is a *useful* feature in enterprise wifi systems... but *that isn't what Marriott was doing*. So I work in a small office in a building that has many enterprise wifi's I can see whether I like it or not. What if one of them decided that our wifi was rogue and started trying to stamp it out? Mike, this seems like it might be a universally bad idea...
Re: Marriott wifi blocking
On 4 Oct 2014, at 12:35, Michael Thomas wrote: On 10/04/2014 10:23 AM, Jay Ashworth wrote: So I work in a small office in a building that has many enterprise wifi's I can see whether I like it or not. What if one of them decided that our wifi was rogue and started trying to stamp it out? It happens daily. We have 22 offices around the world, each in downtown towers. We use Cisco WLCs, and those controllers see constant deauth frames coming from people above us, below us, and from the four sides around us. It is a real battle. The only thing to do is use lots of APs in the office so as to keep the power levels down. In a couple of cases our office managers personally visited the offices of people above, below, and across from us and discussed the problem. It helped. Mike, this seems like it might be a universally bad idea... It isn't a bad idea, as we need to protect our corporate networks. But there are unintended consequences, to be sure.
Re: Marriott wifi blocking
On Oct 4, 2014, at 06:56 , Bob Evans b...@fiberinternetcenter.com wrote: On 10/4/2014 01:37, Owen DeLong wrote: Most crimes not committed by government entities have to go through an indictment-trial-conviction sequence before punisihment is administered. Except in Chicago. Whereas most crimes committed by government entities go through the same process and are then not punished. I wasn't going to go there--that gets me banned a lot. But I do think that an related AP at the curb outside is entitled to a trial before the death ray is unleashed against it. Some laws that are broken require one to remain in jail until trial completion, whenever one is found to be a threat to other members of society. So in a virtual society perhaps virtual cell walls would be appropriate ? In a virtual society, nobody's life is endangered. I don't know of any cases (under US law) where someone has been held without bail for economic crimes. Obviously, some societies allow one to be held without bail for almost anything, but I don't think that fits the original premise. Owen
Re: Marriott wifi blocking
- Original Message - From: Chris Marget ch...@marget.com You [I] said: It is OK for an enterprise wifi system to make this sort of attack *on rogue APs which are trying to pretend to be part of it (same ESSID). I'm curious to hear how you'd rationalize containing a copycat AP under the current rules. In fact, I remain fuzzy on when spoofed de-auth frames would *ever* be okay when used against unwilling clients within the FCC's jurisdiction given their position that spoofed control frames constitute interference under part 15 rules. This thread and similar discussions elsewhere contain assertions that enterprise networks need to defend themselves in some circumstances, or that containing an AP with a copycat SSID would certainly be okay. I'm not so sure. The need to manage our RF space arguments ring hollow to me. I certainly understand why someone would *want* to manage the spectrum, but that's just not anyone's privilege when using ISM bands. If the need is great enough, get some licensed spectrum and manage that. I wasn't making that argument. I was making the if someone tries to pretend to be part of my network, so that my users will inadvertantly attach to them and possibly leak 'classified' data, *then that rogue user is making a 1030 attack on my network*. A copycat AP is unquestionably hostile, and likely interfering with users, but I'm unconvinced that the hostility triggers a privilege to attack it under part 15 rules. In addition to not being allowed to interfere, we also have: You're not attacking it, per se; you are defensively disconnecting from it *users who are part of your own network*; these are endpoints *you are administratively allowed to exert control over*, from my viewpoint. 2. This device must accept any interference received, including interference that may cause undesired operation. Certificate-based authentication would solve that problem anyway, wouldn't it? Probably. And yes, any system big enough to do this stuff is likely big enough to run 1x as well. A rogue AP plugged into a wired port is best solved at the wired port, I'm not sure anyone was actually mooting this. Even large private campuses like oil refineries probably wouldn't be in the clear doing this sort of thing unless they're able to stop law enforcement, delivery drivers, paramedics and firefighters at the gate in order to get them to agree to receive spoofed de-auth frames. Again: you've shifted topics here from enterprise rogue protection (stay off *my* ESSID) to Marriott Attack (stay off all ESSIDs that *aren't* mine); different thing entirely. I make a clear distinction (now that it's not 3am :-) between what Marriott is doing, and what enterprises doing rogue protection are doing, as noted above. Still not a lawyer. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: Marriott wifi blocking
On Sat, Oct 4, 2014 at 2:47 PM, Jay Ashworth j...@baylink.com wrote: - Original Message - From: Chris Marget ch...@marget.com You [I] said: It is OK for an enterprise wifi system to make this sort of attack *on rogue APs which are trying to pretend to be part of it (same ESSID). I'm curious to hear how you'd rationalize containing a copycat AP under the current rules. snip The need to manage our RF space arguments ring hollow to me. I certainly understand why someone would *want* to manage the spectrum, but that's just not anyone's privilege when using ISM bands. If the need is great enough, get some licensed spectrum and manage that. I wasn't making that argument. Yes, sorry. I presented two arguments. Only the one about copycat SSIDs is yours. I was making the if someone tries to pretend to be part of my network, so that my users will inadvertantly attach to them and possibly leak 'classified' data, *then that rogue user is making a 1030 attack on my network*. A copycat AP is unquestionably hostile, and likely interfering with users, but I'm unconvinced that the hostility triggers a privilege to attack it under part 15 rules. In addition to not being allowed to interfere, we also have: You're not attacking it, per se; you are defensively disconnecting from it *users who are part of your own network*; these are endpoints *you are administratively allowed to exert control over*, from my viewpoint. Okay, so we're not talking about wholesale containment of the copycat AP, but rather management of our own client devices which, by definition, we can't interfere with. Because they're ours. That approach sounds perfectly reasonable. I wonder, absent certificates, how one can be certain about the identity of the client, and if such a narrowly scoped containment mechanism is actually implemented by the various checkboxes available to enterprise wifi administrators. I make a clear distinction (now that it's not 3am :-) between what Marriott is doing, and what enterprises doing rogue protection are doing, as noted above. Is it clear exactly what enterprises going rogue protection are up to? I've asked several, gotten wildly different answers. Keeping my clients off copycat APs sounds reasonable. More aggressive action might not be. Thanks.
Re: Marriott wifi blocking
On 10/04/2014 11:47 AM, Jay Ashworth wrote: A copycat AP is unquestionably hostile, and likely interfering with users, but I'm unconvinced that the hostility triggers a privilege to attack it under part 15 rules. In addition to not being allowed to interfere, we also have: You're not attacking it, per se; you are defensively disconnecting from it *users who are part of your own network*; these are endpoints *you are administratively allowed to exert control over*, from my viewpoint. The problem is that there's really no such thing as a copycat if the client doesn't have the means of authenticating the destination. If that's really the requirement, people should start bitching to ieee to get destination auth on ap's instead of blatantly asserting that somebody owns a particular ssid because, well, because. Mike
Re: Marriott wifi blocking
Sounds likely at least in unlicensed bands Jared Mauch On Oct 3, 2014, at 8:15 PM, Mike Hale eyeronic.des...@gmail.com wrote: So does that mean the anti-rogue AP technologies by the various vendors are illegal if used in the US? On Fri, Oct 3, 2014 at 4:54 PM, Jay Ashworth j...@baylink.com wrote: - Original Message - From: Ricky Beam jfb...@gmail.com It doesn't. The DEAUTH management frame is not encrypted and carries no authentication. The 802.11 spec only requires a reason code be provided. What's the code for E_GREEDY? Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274 -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: Marriott wifi blocking
On Sat, 4 Oct 2014, Michael Thomas wrote: The problem is that there's really no such thing as a copycat if the client doesn't have the means of authenticating the destination. If that's really the requirement, people should start bitching to ieee to get destination auth on ap's instead of blatantly asserting that somebody owns a particular ssid because, well, because. In the enterprise environment that there's been some insistence from folks on this list is a legitimate place to block rogue APs, what makes those SSIDs, yours? Just because they were used first by the enterprise? That doesn't seem to hold water in an unlicensed environment to me at all. If the Marriott can't do this, I don't think anyone can, legally. Now, granted, if I'm doing it with the intent to disrupt the corporate network or steal data, there's certainly other laws to deal with that, but I don't think even that is justification for spoofed deauth. -- Brandon Ross Yahoo AIM: BrandonNRoss +1-404-635-6667ICQ: 2269442 Skype: brandonross Schedule a meeting: http://www.doodle.com/bross
Re: Marriott wifi blocking
On Oct 4, 2014, at 12:39 , Brandon Ross br...@pobox.com wrote: On Sat, 4 Oct 2014, Michael Thomas wrote: The problem is that there's really no such thing as a copycat if the client doesn't have the means of authenticating the destination. If that's really the requirement, people should start bitching to ieee to get destination auth on ap's instead of blatantly asserting that somebody owns a particular ssid because, well, because. In the enterprise environment that there's been some insistence from folks on this list is a legitimate place to block rogue APs, what makes those SSIDs, yours? Just because they were used first by the enterprise? That doesn't seem to hold water in an unlicensed environment to me at all. Pretty much... Here's why... If you are using an SSID in an area, anyone else using the same SSID later is causing harmful interference to your network. It's a first-come-first-serve situation. Just like amateur radio spectrum... If you're using a frequency to carry on a conversation with someone, other hams have an obligation not to interfere with your conversation (except in an emergency). It's a bit more complicated there, because you're obliged to reasonably accommodate others wishing to use the frequency, but in the case of SSIDs, there's no such requirement. Now, if I start using SSID XYZ in building 1 and someone else is using it in building 3 and the two coverage zones don't overlap, I'm not entitled to extend my XYZ SSID into building 3 when I rent space there, because someone else is using it in that location first. I can only extend my XYZ coverage zone so far as there are no competing XYZ SSIDs in the locations I'm expanding in to. If the Marriott can't do this, I don't think anyone can, legally. If I set up something on an SSID Marriott is already using, then my bad and they have the right to take appropriate defensive action to protect their network. If I stand up a new network using an SSID Marriott isn't already using, then they have no right to cause harmful interference to that network. Sharing the same channels using different SSIDs, while it may degrade performance (of both networks) isn't technically what I would call harmful interference, nor is it considered such by the FCC. That's just a matter of sharing the spectrum as intended in the products certified for that service. Now, granted, if I'm doing it with the intent to disrupt the corporate network or steal data, there's certainly other laws to deal with that, but I don't think even that is justification for spoofed deauth. Depends on whether you were the first one using the SSID in a particular location or not. Sure, this can get ambiguous and difficult to prove, but the reality is that most cases are pretty clear cut and it's usually not hard to tell who is the interloper on a given SSID. Owen
Re: Marriott wifi blocking
On 10/04/2014 01:33 PM, Owen DeLong wrote: On Oct 4, 2014, at 12:39 , Brandon Ross br...@pobox.com wrote: On Sat, 4 Oct 2014, Michael Thomas wrote: The problem is that there's really no such thing as a copycat if the client doesn't have the means of authenticating the destination. If that's really the requirement, people should start bitching to ieee to get destination auth on ap's instead of blatantly asserting that somebody owns a particular ssid because, well, because. In the enterprise environment that there's been some insistence from folks on this list is a legitimate place to block rogue APs, what makes those SSIDs, yours? Just because they were used first by the enterprise? That doesn't seem to hold water in an unlicensed environment to me at all. Pretty much... Here's why... If you are using an SSID in an area, anyone else using the same SSID later is causing harmful interference to your network. It's a first-come-first-serve situation. Just like amateur radio spectrum... If you're using a frequency to carry on a conversation with someone, other hams have an obligation not to interfere with your conversation (except in an emergency). It's a bit more complicated there, because you're obliged to reasonably accommodate others wishing to use the frequency, but in the case of SSIDs, there's no such requirement. Now, if I start using SSID XYZ in building 1 and someone else is using it in building 3 and the two coverage zones don't overlap, I'm not entitled to extend my XYZ SSID into building 3 when I rent space there, because someone else is using it in that location first. I can only extend my XYZ coverage zone so far as there are no competing XYZ SSIDs in the locations I'm expanding in to. If the Marriott can't do this, I don't think anyone can, legally. If I set up something on an SSID Marriott is already using, then my bad and they have the right to take appropriate defensive action to protect their network. No. Seriously, no. Biggest come, biggest serve doesn't do a damn bit of good dealing with the actual problem which is one of authentication. Think of this with the big I internet without TLS. What you're asking for is complete chaos. Stomping on other AP is an arms race in which nobody wins. If I want to guarantee that I only connect to $MEGACORP AP's, I should be using strong authentication, not AP neutron bombs to clear the battlefield. Mike
Re: Marriott wifi blocking
From: Jay Ashworth j...@baylink.com Again: you've shifted topics here from enterprise rogue protection (stay off *my* ESSID) to Marriott Attack (stay off all ESSIDs that *aren't* mine); different thing entirely. Don't forget the 3rd stay off this channel go use another used at large scale events where for the masses to get a workable service a few have to give up the right to spray their wifi on whichever channel they wish. The Marriott may have not been fined had they been doing this rather than stay off all channels because we wish to charge for them. I've not seen if they were stopping other SSID on all channels or just the ones they were using. brandon
Re: Marriott wifi blocking
You could monitor it with something like airodump-ng and send deauth packets if its not associated with your own BSSID(s) On 3 October 2014 21:06, David Hubbard dhubb...@dino.hostasaurus.com wrote: Saw this article: http://www.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/ The interesting part: 'A federal investigation of the Gaylord Opryland Resort and Convention Center in Nashville found that Marriott employees had used containment features of a Wi-Fi monitoring system at the hotel to prevent people from accessing their own personal Wi-Fi networks.' I'm aware of how the illegal wifi blocking devices work, but any idea what legal hardware they were using to effectively keep their own wifi available but render everyone else's inaccessible? David
Re: Marriott wifi blocking
I would think this would not sit very well with the providers. They've likely installed equip nearby to the hotel conv.ctr in order to adequately handle the concentration of devices at that location. True? On Fri, Oct 3, 2014 at 4:16 PM, Michael O Holstein michael.holst...@csuohio.edu wrote: legality is questionable insofar as this device must not cause harmful interference of PartB but how it works is by sending DEAUTH packets with spoofed MAC addresses rouge AP response on Cisco/Aruba works like this. Regards, Michael Holstein Cleveland State University From: NANOG nanog-boun...@nanog.org on behalf of David Hubbard dhubb...@dino.hostasaurus.com Sent: Friday, October 03, 2014 4:06 PM To: NANOG Subject: Marriott wifi blocking Saw this article: http://www.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/ The interesting part: 'A federal investigation of the Gaylord Opryland Resort and Convention Center in Nashville found that Marriott employees had used containment features of a Wi-Fi monitoring system at the hotel to prevent people from accessing their own personal Wi-Fi networks.' I'm aware of how the illegal wifi blocking devices work, but any idea what legal hardware they were using to effectively keep their own wifi available but render everyone else's inaccessible? David -- Greg Moberg, Director, NerveCenter Engineering LogMatrix, Inc | http://www.logmatrix.com/ | CommunityForum http://community.logmatrix.com/LogMatrix/ | Blog http://www.logmatrix.com/Blog Telephone: +1 (800)892-3646 http://www.logmatrix.com http://www.twitter.com/NerveCenter http://www.linkedin.com/company/logmatrix?trk=ppro_cprof https://www.facebook.com/Logmatrix?sk=page_insights http://www.youtube.com/user/logmatrixchannel
Re: Marriott wifi blocking
On Sat, Oct 4, 2014 at 12:48 PM, SML s...@lordsargon.com wrote: On 4 Oct 2014, at 12:35, Michael Thomas wrote: On 10/04/2014 10:23 AM, Jay Ashworth wrote: So I work in a small office in a building that has many enterprise whether I like it or not. What if one of them decided that our wifi was rogue and started trying to stamp it out? It happens daily. We have 22 offices around the world, each in downtown towers. We use Cisco WLCs, and those controllers see constant deauth frames coming from people above us, below us, and from the four sides around us. It is a real battle. The only thing to do is use lots of APs in the office so as to keep the power levels down. Well, based on the Marriott incident, it seems that what you need to do is figure out where the Deauths are coming from via direction finding and start sending written notices to your neighbors, and if the behavior persists --- follow them up with some FCC interference complaints. https://esupport.fcc.gov/ccmsforms/form2000.action -- -JH
Re: Marriott wifi blocking
On Sat, Oct 04, 2014 at 01:33:13PM -0700, Owen DeLong wrote: On Oct 4, 2014, at 12:39 , Brandon Ross br...@pobox.com wrote: On Sat, 4 Oct 2014, Michael Thomas wrote: The problem is that there's really no such thing as a copycat if the client doesn't have the means of authenticating the destination. If that's really the requirement, people should start bitching to ieee to get destination auth on ap's instead of blatantly asserting that somebody owns a particular ssid because, well, because. In the enterprise environment that there's been some insistence from folks on this list is a legitimate place to block rogue APs, what makes those SSIDs, yours? Just because they were used first by the enterprise? That doesn't seem to hold water in an unlicensed environment to me at all. Pretty much... Here's why... If you are using an SSID in an area, anyone else using the same SSID later is causing harmful interference to your network. It's a first-come-first-serve situation. Just like amateur radio spectrum... If you're using a frequency to carry on a conversation with someone, other hams have an obligation not to interfere with your conversation (except in an emergency). It's a bit more complicated there, because you're obliged to reasonably accommodate others wishing to use the frequency, but in the case of SSIDs, there's no such requirement. Now, if I start using SSID XYZ in building 1 and someone else is using it in building 3 and the two coverage zones don't overlap, I'm not entitled to extend my XYZ SSID into building 3 when I rent space there, because someone else is using it in that location first. So your position is that if I start using Starbuck's SSID in a location where there is no Starbuck, and they layer move in to that building, I'm entitled to compel them to not use their SSID? I can only extend my XYZ coverage zone so far as there are no competing XYZ SSIDs in the locations I'm expanding in to. Is ther FCC guidance on this, or is this Regulations As Interpreted By Owen? Depends on whether you were the first one using the SSID in a particular location or not. Sure, this can get ambiguous and difficult to prove, but the reality is that most cases are pretty clear cut and it's usually not hard to tell who is the interloper on a given SSID. It's usually easy to tell, but I doubt the FCC would find it relevant. There's a lot of amateur lawyering ogain on in this thread, in an area where there's a lot of ambiguity. We don't even know for sure that what Marriott did is illegal -- all we know is that the FCC asserted it was and Mariott decided to settle rather than litigate the matter. And that was an extreme case -- Marriott was making transmissions for the *sole purpose of preventing others from using the spectrum*. -- Brett
Re: Equinix Sales
I have a contact. I ill dig it up. On 10/3/14, 10:33 AM, Daniel Corbe co...@corbe.net wrote: Equinix Sales seem impossible to reach. Should I just give up and go through a sales agent or can someone from Equinix sales contact me off-list?
Re: Marriott wifi blocking
On Sat, Oct 4, 2014 at 5:58 PM, Brett Frankenberger rbf+na...@panix.com wrote: ... So your position is that if I start using Starbuck's SSID in a location where there is no Starbuck, and they layer move in to that building, I'm entitled to compel them to not use their SSID? This would be why commercial entities often use their trademark identifiers as part of the SSID. You can compel them (briefly) not to use the SSID, until they sue you for trademark infringement and serve cease-and-desist orders against you for unlicensed and unauthorized use of the Starbucks name. Totally separate realm of enforcement, and in many ways far more effective. Matt
