Why You See 'Free Public WiFi' In So Many Places 260
An anonymous reader writes "Almost anywhere you go these days (particularly at airports), if you check for available WiFi settings, you have a pretty good chance of seeing an ad hoc network for 'Free Public WiFi.' Of course, since it's ad hoc (computer to computer) it's not actually access to the internet. So why is this in so many places? Turns out it's due to a bug in Windows XP. Apparently, the way XP works is that if it can't find a 'favorite' WiFi hotspot, it automatically sets up the computer to broadcast itself as an ad hoc network point, using the name of the last connection the computer attempted. So... people see 'Free Public WiFi' and they try to log on. Then their own computer starts broadcasting the same thing, because it can't find a network it knows. And, like a virus, the 'Free Public WiFi' that doesn't work lives on and on and on."
Possible attack vector (Score:5, Insightful)
Re:Possible attack vector (Score:1, Insightful)
You're thinking of attacking people randomly connecting to Public Wi-Fi Networks and you're worried about details like the name?
That's like using a scope when you're shooting ducks in a barrel.
Re:I don't see it very often... (Score:3, Insightful)
Yea I was like wtf. You really don't see a lot of these, maybe 1 or 2 at certain airports but it's hardly newsworthy.
Re:I don't see it very often... (Score:5, Insightful)
I can remember seeing it a few times... like 2 years ago. Sort of like this story...
The next step. (Score:3, Insightful)
Now that this information is public, we're going to start seeing networks called "Free Public Wifi - eatatjoes.com". Good job. Should have just kept quiet about it.
Re:"They Still Use Windows XP?!" (Score:5, Insightful)
I actually downgraded from 7 last year after determining that 7 did absolutely nothing I needed that XP didn't,
Except, not having this bug....for one.
Re:I see this alot (Score:2, Insightful)
What better way is there to implement a wireless connection when the user doesn't have any wireless networking equipment other than their computer?
Re:Not so (Score:1, Insightful)
Wow, you are so wrong.
This is the case if you share an internet connection on a Mac laptop, such as sharing a 3G dongle over WIFI, or sharing a wired internet connection over WIFI
Or a Windows laptop, or a Mac/Windows desktop, or on a Linux box (laptop/desktop/handheld). Linux is AFAIK the best support for AP mode, but even there many chipsets don't work, and most of the ones that do are finicky and painful. Your statement is not wrong, per se, but needlessly specific.
The point of ad-hoc networks is to save battery and CPU resources and be more responsive at the expense of some reliability.
Epic bullshit! CPU utilization is the same, and ad-hoc takes more power, because powersaving (i.e. shutting off power to the receiver when there's no traffic for you) requires an AP whose beacon you can sync to and receive notifications of pending traffic transmitted every nth beacon (if there is traffic for you) In an adhoc, there's no designated party to store+forward, and no timing to listen, so the very concept is implausible.
Re:I see this alot (Score:3, Insightful)
So 'the user buying something' is a better solution than the printer software supporting ad-hoc networks?
We disagree.
Re:"They Still Use Windows XP?!" (Score:3, Insightful)
+1 Depressing
Dude (Score:1, Insightful)
All the people you've described use Apple... Hence no Windows XP...
Re:Un-encrypted ?!? (Score:3, Insightful)
If they are dumb enough to setup their account whithout encryption, they deserve whatever happens to them.
No, they don't.
Re:I see this alot (Score:2, Insightful)
I would guess that concerns about the support costs might be more of a factor than the actual implementation cost.
Re:I see this alot (Score:3, Insightful)
First, I'm not really an authority on this as all I have done is used other people's tools and scripts and read their how-to's and so on. You can call me a script kiddie if you want. You will find a lot of reviews, including videos of people cracking WPA2=AES on the internet. Some of their methods work, some do not- don't get bogged down by the hirer ranked ones as I typically can't get them to work. My understanding is that AES is built into the WPA2 standards by default and your using it regardless. However, how it is used is important.
It's susceptible to dictionary attacks which is actually a lot easier then you think if you know how the person creating the key thinks and can get a known packet. Generally, as I mentioned before, they like to make the key something they can remember which means that a 10 digit phone number somehow associated with the internet account is typically what you need. Some people get a little more constructive but it all points back to the same security strengths of regular passwords I guess. There are attacks that if you can gain access to an existing connected computer (suppose you want on your work network -or girlfriend/neighbor's- network, but they won't give you the key- yet your work laptop -theirs if you have access to it briefly- is already connected), you can either attempt to extract the hash tables storing the key on the computer and crack the key there, or set up a monitoring server at a remote location, then go to a website while monitoring the traffic and then you can crack the encryption a lot more easier because you know a known packet before and after the encryption (details can be found on the web).
One of the drawbacks is that WPA2-AES is not typically used in a way that exploits it's strengths. It's like having a titanium luggage lock with 128 number combination and setting them all to 0-0, 1, 2, 3, 4. I have gotten access to WPA2-AES networks in the past, but the dictionary contained all of the phone numbers the site had and it also was one of the keys. No one seems to want to build a long key of random numbers and signs that they have to input into every wireless device needing access.
If you are worried about security, you shouldn't be running wireless at all- unless your ready to do some enterprise level security and run an IDS with access controls, a radius server, use EAP, and the lot AND have someone monitoring it regularly. Typically, when I do set up wireless networks for businesses that insist on them (granted I'm dealing with small businesses with less then 50 employees), I set them up outside the internal network entirely on it's own IP address then VPN the clients into the network as needed. There are drawbacks with that too. I guess my main point was that you just can't go to best buy and purchase a Dlink- throw it on the network and expect to be completely secure. Some information is more valuable then others as it could carry steep fines and possible jail time in addition to other liabilities if it got out depending on if some law covers it like HIPPA.
Re:So... (Score:3, Insightful)
You just described Windows in a nutshell ;-)