[TriLUG] Wireless at Lowes

Greg Brown gregbrown at mindspring.com
Mon Dec 1 21:30:25 EST 2003


Good question.  I have two really basic scripts that I have croned on a 
daily basis.  The first goes through /var/log/messages and builds a 
list of who logged in to my edge box and at what time - and I didn't 
see any odd data there.

The next script looks at the bytes in and out on my RR facing ethernet 
card.  Here's where I saw the big error.  I think the kid first started 
to steal my signal on a Friday night when I was deep into my ground 
school textbooks for the next day's flight school class.  I hadn't 
logged in and neither had my wife but I saw a tremendous amount of 
bandwidth (well, a bunch, maybe not tremendous) sucked up that I 
couldn't account for.  This got me started to look around and that's 
when I first saw a mac address that didn't start with 00:30:65 (the 
Macs) or 00:02:2D (my stray Orinoco cards which really aren't in use 
anymore).  Anyway, that was enough for me to know someone was there.. 
and had the kid not bragged to enough people finding him would have 
been more of a chore.. though it would have gotten me down the IPSec 
road a lot sooner.

Greg


On Monday, Dec 1, 2003, at 11:04 US/Eastern, Ben Pitzer wrote:

> Greg,
>
> Out of curiosity, how did you go about determining that there was an
> attempt on your WEP key, and by whom?  I'm really rather curious,
> because there are at least 7 or 8 wireless points in my neighborhood,
> though we are spread out enough to not step on each other's channels.
> Were I to sit in the middle of my back yard, however, I'm fairly
> certain that I could get good enough signal to connect to at least 3
> or 4 of them, other than my own.  Additionally, I only know of 2
> others, besides my own, that use WEP keys.
>
> I'd just like to keep an eye out to see if someone is trying to get in
> on my network (despite my MAC filtering), and if you can provide us
> with some procedures for doing this, I'd be grateful.
>
> Incidentally, this might make a good class at some point:  Intrusion
> detection, specifically with an eye towards doing it without having to
> scrape through thousands of lines of logs every day.  Intrusion
> detection and reporting for the SOHO/home user.  Anyone think they
> could teach that one?
>
> Regards,
> Ben Pitzer
>
> ---------------------------------------------
>
> "Those that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
>  --Ben Franklin--
>
>
>
>
>> -----Original Message-----
>> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org]On
>> Behalf Of Greg Brown
>> Sent: Sunday, November 30, 2003 10:51 PM
>> To: Triangle Linux Users Group discussion list
>> Subject: Re: [TriLUG] Wireless at Lowes
>>
>>
>> I've actually been looking into this and I don't have a clear answer
>> however the law is fairly clear that if you DO attach to a network in
>> any way, shape, or form and you cause damage or otherwise use that
>> connection for malicious activity you are in violation of many laws.
>>
>> Now, there is a big difference between using a program like
>> netstumbler which listens for ESSID broadcasts and actually hopping on
>> a wireless network (yeah, yeah, NS does some broadcasting to initiate
>> responses but let's keep the argument simple).  I've done the latter
>> several times by accident but since I wasn't doing anything malicious,
>> and I changed my network when I discovered my error, I don't see how a
>> jury could convict me if I did break the law (assuming that I could
>> get a jury that could understand networks and such).
>>
>> The neighbor kid was dumb enough to try to crack my wep keys.  The
>> first time it happened I walked over to his house and had a sit-down
>> with him and his parents.  I made it clear the next time he tried it I
>> would be contacting law enforcement.  There hasn't been a second time
>> though I am moving to IPSec over OpenBSD to combat such activity in
>> the future.
>>
>> Greg
>>
>> On Sunday, Nov 30, 2003, at 21:45 US/Eastern, Mike Johnson wrote:
>>
>>> z [zzd at contentdb.net] wrote:
>>>
>>>> Curious, is it legal to attach to any wireless network that does not
>>>> have security provisions in place? e.g. Attaching to your neighbor's
>>>> access point for faster than modem downloads, or sitting in the
>>>> parking lot outside an office block?
>>>
>>> Is it legal to use a scanner to listen in on your neighbor's cordless
>>> phone?  Were it not explicitly illegal, would you still do it?  Would
>>> it still be okay?
>>>
>>> The question is: just because you can, should you?
>>>
>>> Mike
>>> --
>>> "If life hands you lemons, YOU BLOW THOSE LEMONS TO BITS WITH
>>>  YOUR LASER CANNONS!" -- Brak
>>>
>>> GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD
>>> 95D1
>>> GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
>>>
>>> --
>>> TriLUG mailing list        :
>>> http://www.trilug.org/mailman/listinfo/trilug
>>> TriLUG Organizational FAQ  : http://trilug.org/faq/
>>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>>
>
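
Added example, not part of the original thread and not Greg's own scripts: a Python sketch of the two checks his message describes, flagging MAC addresses outside the two OUI prefixes he names and flagging days where the interface moved a lot of traffic with no recorded login. The arp output format, interface name, counter values, login days and threshold are constructed assumptions; only the two OUI prefixes come from the post.

```python
import re

# OUI prefixes named in the post (the Macs and the Orinoco cards).
KNOWN_OUIS = {"00:30:65", "00:02:2d"}
MAC_RE = re.compile(r"\b[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}\b", re.I)

def normalize_mac(mac):
    """Lower-case and zero-pad octets (BSD arp prints 0:2:2d:...)."""
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))

def unknown_macs(arp_text, known_ouis=KNOWN_OUIS):
    """Sorted MACs in `arp -an` style text whose OUI is not allowlisted."""
    macs = {normalize_mac(m.group(0)) for m in MAC_RE.finditer(arp_text)}
    return sorted(m for m in macs if m[:8] not in known_ouis)

def byte_delta(prev, curr, width=32):
    """Bytes between two counter readings, allowing one counter wrap."""
    return curr - prev if curr >= prev else curr + (1 << width) - prev

def unexplained_days(samples, login_days, threshold):
    """samples: [(day, rx, tx)] cumulative counters read once a day.
    Returns days that moved more than `threshold` bytes with no login."""
    flagged = []
    for (_, rx0, tx0), (day, rx1, tx1) in zip(samples, samples[1:]):
        moved = byte_delta(rx0, rx1) + byte_delta(tx0, tx1)
        if moved > threshold and day not in login_days:
            flagged.append((day, moved))
    return flagged

# Constructed sample data, not taken from the post.
ARP_SAMPLE = """\
? (192.168.1.10) at 00:30:65:aa:bb:cc on fxp1
? (192.168.1.11) at 0:2:2d:11:22:33 on fxp1
? (192.168.1.57) at 02:1a:2b:3c:4d:5e on fxp1
"""
SAMPLES = [
    ("2003-11-27", 4_000_000_000, 100_000_000),
    ("2003-11-28", 4_200_000_000, 120_000_000),
    ("2003-11-29", 605_032_704, 150_000_000),  # rx counter wrapped at 2**32
    ("2003-11-30", 610_032_704, 151_000_000),
]
LOGIN_DAYS = {"2003-11-28", "2003-11-30"}

if __name__ == "__main__":
    print("unknown MACs:", unknown_macs(ARP_SAMPLE))
    print("unexplained:", unexplained_days(SAMPLES, LOGIN_DAYS, 50_000_000))
```

An OUI allowlist only catches clients that keep their factory MAC, so the traffic check is the one that still fires when an address is spoofed. A reboot resets the interface counters and looks like a wrap to byte_delta, so readings taken across a reboot should be discarded.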



