[u-u] [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi
D. Hugh Redelmeier
hugh at mimosa.com
Mon Sep 17 16:48:02 EDT 2018
| From: David Collier-Brown via talk <talk at gtalug.org>
| To: UU <u-u at unixunanimous.org>, GTALUG Talk <talk at gtalug.org>
I don't think that it is great to post a message once to two public
mailing lists. It can lead to odd entanglements. It's fine to
separately post the same message to two lists. I'm violating this
suggestion with this message.
| I have a Rogers-supplied router and cable modem package, which twice has shown
| significant usage when I was out, once with the original unit and once with
| their replacement Cisco. That makes me suspicious of the current state of
| authentication for wi-fi schemes (and I use the term "schemes" advisedly: they
| used to be horribly leaky (;-))
Wow. Interesting.
If it were me, I'd try to figure out who was doing this. But in
reality that's probably more work than it is worth.
| What's a good approach? I have considered
|
| * MAC address lists,
MACs are so spoofable. Why bother?
If I remember correctly, OSX now has a feature that lets you use a
random MAC on your wireless just to avoid other people tracking you.
| * no wi-fi (strictly wired doesn't work with solid concrete walls),
I don't imagine your threat models are so severe that this matters.
But for the paranoid: even traffic analysis (without decryption)
reveals a lot.
| * a second router with a more secure protocol (/is/ there such a
| protocol? And will my wife's Mac speak it?))
I think that the best compromise for most individuals who care even a
bit is:
- Turn off the modem's WiFi and put it in bridge mode. You may have
to repeat this after a power failure or a (generally unannounced)
firmware update.
Why: Rogers has 100% control of the modem (remote provisioning,
firmware updates). They have (if they choose) access to your LAN
unless you put something between the modem and the LAN.
- use your own wireless router. Choose one that has a decent radio
and is well supported by OpenWRT. Run OpenWRT on it.
Why: firmware from the manufacturers is crappy in known and unknown
ways. Other third party firmware providers are badly constituted
(dictatorships, NDAs, glued together bits of binary stuff).
- alternatively use a little PC and install whatever amuses you as
software to make it a router.
Why not: takes more resources than just using OpenWRT on consumer
router hardware. Cost, time, electricity, noise, heat, risk of
misconfiguring, maintenance effort.
Why: more flexible, more controllable. Sometimes better
performance. Can perform server roles (email, web, ...).
This is what I do. I run CentOS on two of my three consumer-grade
internet connections. I run Fedora 28 on the other -- that adds to
the maintenance burden (so many updates!).
- alternative: <https://omnia.turris.cz/en/>
I'd like this to be a great solution but I don't know whether it is.
It's not as inexpensive as I'd like.
One of my connections is gigabit from Rogers. Ordinary wireless
routers cannot pass 1G though unless proprietary NAT hardware
acceleration is used. That hardware is not supported by OpenWRT.
Even if it were, there are serious restrictions on what can be done to
the packet before it gets punted to the software path.
My little PC solution seems to handle gigabit just fine. I use Zotac
ZBoxes that come with two gigabit ethernet ports (only a few do). My
gigabit gateway is an RI323Nano (out of production). My others
(untested for gigabit throughput) are both CI321NANO. These cost me
about the same as an expensive router. I don't use them for providing
WiFi. I use a couple of consumer WiFi routers as (just) APs.
As for WiFi passwords: make them long and replete with entropy. I use
the mkpasswd command that is part of the expect package. Don't use
the magic button on the router to make the password crap easier: it
can make you vulnerable. Typing these is very error-prone so I use a
USB flash drive to carry them to a new system.
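An added example, not part of the original message: instead of expect's mkpasswd, this POSIX shell snippet draws a WPA2 passphrase from /dev/urandom with tr, reports its entropy, and checks the 8..63 printable-ASCII limit that WPA2-PSK imposes. The function names are this example's own.

```shell
#!/bin/sh
# Added example: generate a long, high-entropy WPA2-PSK passphrase.
# WPA2-PSK passphrases must be 8..63 printable ASCII characters; this
# draws from a 62-symbol alphabet (A-Z, a-z, 0-9) so each character
# contributes log2(62) ~ 5.95 bits of entropy.
ALPHABET='A-Za-z0-9'

# wpa_passphrase LEN -> prints LEN random alphanumerics (8 <= LEN <= 63)
wpa_passphrase() {
    len="$1"
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "length must be 8..63" >&2
        return 1
    fi
    # LC_ALL=C keeps tr byte-oriented; head closes the pipe once LEN
    # characters have been read, which ends the tr process.
    LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c "$len"
    echo
}

# entropy_bits LEN -> LEN * log2(62), truncated to an integer number of bits
entropy_bits() {
    awk -v n="$1" 'BEGIN { printf "%d\n", int(n * log(62) / log(2)) }'
}

# check_passphrase P -> succeeds when P is a valid WPA2-PSK passphrase:
# 8..63 characters, all printable ASCII (space through tilde)
check_passphrase() {
    p="$1"
    n=${#p}
    [ "$n" -ge 8 ] && [ "$n" -le 63 ] &&
        printf '%s' "$p" | LC_ALL=C grep -q '^[ -~]*$'
}
```

A 63-character passphrase from this alphabet carries about 375 bits of entropy, far beyond what a dictionary or brute-force attack on a captured WPA2 handshake can cover.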