[u-u] [GTALUG] Suggestions for stopping occasional spurious use of commercial wi-fi

David Collier-Brown davec-b at rogers.com
Tue Sep 18 09:56:38 EDT 2018


[Inline]

On 2018-09-17 4:48 p.m., D. Hugh Redelmeier wrote:
> | From: David Collier-Brown via talk<talk at gtalug.org>
> | To: UU<u-u at unixunanimous.org>, GTALUG Talk<talk at gtalug.org>
>
> I don't think that it is great to post a message once to two public
> mailing lists.  It can lead to odd entanglements.  It's fine to
> separately post the same message to two lists.  I'm violating this
> suggestion with this message.
>
> | I have a Rogers-supplied router and cable modem package, which twice has shown
> | significant usage when I was out, once with the original unit and once with
> | their replacement Cisco. That makes me suspicious of the current state of
> | authentication for wi-fi schemes (and I use the term "schemes" advisedly: they
> | used to be horribly leaky (;-))
>
> Wow.  Interesting.
>
> If it were me, I'd try to figure out who was doing this.  But in
> reality that's probably more work than it is worth.
>
> | What's a good approach? I have considered
> |
> |  * MAC address lists,
>
> MACs are so spoofable.  Why bother?
>
> If I remember correctly, OSX now has a feature that lets you use a
> random MAC on your wireless just to avoid other people tracking you.

It's like a non-obvious lock for a glass door: for some reason you can't 
open the door, and you may not wish to break it. This uninvited guest 
seems very unobtrusive. If they're not skilled, they might need to break 
something (like a machine that's already on the net) to get a MAC that 
will work, which would be like breaking the glass door.

> |  * no wi-fi (strictly wired doesn't work with solid concrete walls),
>
> I don't imagine your threat models are so severe that this matters.
> But for the paranoid: even traffic analysis (without decryption)
> reveals a lot.
>
> |  * a second router with a more secure protocol (/is/ there such a
> |    protocol? And will my wife's Mac speak it?))
>
> I think that the best compromise for most individuals who care even a
> bit is:
>
> - Turn off the modem's WiFi and put it in bridge mode.  You may have
>    to repeat this after a power failure or a (generally unannounced)
>    firmware update.
>
>    Why: Rogers has 100% control of the modem (remote provisioning,
>    firmware updates).  They have (if they choose) access to your LAN
>    unless you put something between the modem and the LAN.
>
> - use your own wireless router.  Choose one that has a decent radio
>    and is well supported by OpenWRT.  Run OpenWRT on it.

In the bufferbloat era, I used to run a research openwrt variant, but 
that was for performance, not security. I could recreate it at need.

--dave

-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net           |                      -- Mark Twain
