Slashdot Mirror


Disney World Goes 802.11b

LighthouseJ writes "Over at CNN they report that Disney World in Florida has a 47-square-mile 802.11b wireless LAN through the park with 200 access points. The move comes after visitors' complaints that they couldn't use credit cards at every place in the park. Plus, it allows "cast members" to offer guests goods and services anywhere, not restricted to where the credit card machine is at. The man responsible, Murshid S. Khan, Director of Telecommunications and Technology Support, sees this as a valuable technology, citing mobility and flexibility as the main reasons for the switch. Khan goes on to say that the system is protected by a 128-bit encryption scheme and software installed to detect intrusions. When he was asked if visitors will have access to the wireless network, CNN quotes him to say: 'We need you to come to the park and enjoy the park,' he said. 'If we start opening Internet cafes, you won't do that.' He's a smart man." So, running AirSnort wouldn't probably be the best idea? *grin*

250 comments

  1. How long will it be? by D3 · · Score: 2, Interesting

    Before they get cracked and decide this was not a good idea?

    --
    Do really dense people warp space more than others?
    1. Re:How long will it be? by Anonymous Coward · · Score: 0

      Khan goes on to say that the system is protected by a 128-bit encryption scheme and software installed to detect intrusions.

      How long will it be?
      Until you read the whole article before posting?

      --Josh Coalson

    2. Re:How long will it be? by Anonymous Coward · · Score: 0

      OOOH 128 bit WEB and IDS. That'll stop the big bad hackers....

    3. Re:How long will it be? by Anonymous Coward · · Score: 0

      Ummm, yeah. I meant WEP. Keyboards suck.

    4. Re:How long will it be? by Anonymous Coward · · Score: 0

      Unlikely to be a keyboard problem, since the "P" is quite far from the "B". More likely a bug in wetware.

  2. Probably more protection than WEP by Raleel · · Score: 2

    If they only have WEP, I won't spend a dime there. But I bet they are not dorks, they probably have everything done over a real encryption scheme

    --
    -- Who is the bigger fool? The fool or the fool who follows him? --
    1. Re:Probably more protection than WEP by Dudio · · Score: 1

      Yup. Ian Goldberg gave a very interesting presentation on cracking WEP at BlackHat Vegas this year. None for me, thanks.

      I'm inclined to agree with you that Disney couldn't possibly be dumb enough to rely on WEP alone, but then I wouldn't have thought ETrade was stupid enough to put their login credentials in a cookie vulnerable to cross-site scripting attacks either.

    2. Re:Probably more protection than WEP by monkeydo · · Score: 2, Informative

      According to the presentation the conclusion was that brute forcing WEP keys was _not_ feasible. They concluded it would take >200 days to crack a 40-bit key, the attacks against weak ICV's claim to succeed in 24-48 hours depending on data flow. If you use equipment that doesn't have the ICV problem and you use WEP correctly you can be relatively safe.
      Granted there are attacks against WEP, but they are _trivial_ to defend against if one knows what they are doing. I think Disney probably employs a few network security engineers and consulted with the big boys before they deployed this.
      All those who keep claiming that 802.11 is insecure
      a) don't really know what they are talking about
      and
      b) are repeating some other chicken little's BS

      WEP can certainly be deployed insecurely, and by default will keep out a determined enemy for less than 2 days, but that does not mean 802.11 cannot be deployed securely. If you use the right hardware and configure it correctly 802.11 is as secure as a wired LAN. Add to that some type of VPN and it's probably more secure than most wired LAN's.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    3. Re:Probably more protection than WEP by Dudio · · Score: 2, Insightful

      Good points. I'd forgotten that the decryption vulnerability is based on the assumptions of weak IV generation and a fixed keystream. My apologies - it's been a while since July ;)

      If you use the right hardware and configure it correctly 802.11 is as secure as a wired LAN
      I think this is what you meant, but "correct configuration" in this context generally means walling off wireless portions of the network in the same manner as you wall off the internet. By treating the 802.11 segment(s) as potentially insecure, you can maintain your overall security posture.

    4. Re:Probably more protection than WEP by monkeydo · · Score: 2

      Although many designers are now treating 802.11 networks like the Internet it is not strictly necessary, or always a good idea. Whether you treat your WLAN as untrusted depends on your security policy, but putting it in your DMZ and using VPN to your LAN is not always a requirement because it is actually possible to configure the WLAN itself so that it is secure enough for most environments. Of course, some companies run IPSEC over regular LANs so security is always relative.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
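An added example, not part of any comment in this thread: a defender-side audit of the 24-bit WEP IVs a sniffer records from your own access point, flagging the two equipment problems the comments above argue about (IVs in the best-known Fluhrer/Mantin/Shamir weak class, and IV reuse). The function names and the sample capture are constructed for illustration.

```python
"""Audit WEP initialization vectors (IVs) captured from your own network.

Function names are hypothetical and the sample capture is constructed;
nothing here comes from the article or the comments.
"""
from collections import Counter

IV_SPACE = 2 ** 24  # a WEP IV is 24 bits and travels in the clear with every frame


def is_fms_weak(iv: bytes, key_len: int) -> bool:
    """True if iv has the form (B+3, 255, X) for a secret key byte index B.

    This is the best-known weak-IV class (Fluhrer, Mantin, Shamir); other
    classes exist. key_len is the secret key length in bytes:
    5 for "40-bit" WEP, 13 for "128-bit" (104-bit secret) WEP.
    """
    if len(iv) != 3:
        raise ValueError("a WEP IV is exactly 3 bytes")
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def audit_ivs(ivs, key_len=13):
    """Summarise a capture: weak IVs that were emitted and IVs seen more than once."""
    counts = Counter(ivs)
    return {
        "frames": len(ivs),
        "distinct": len(counts),
        "weak": sorted(iv for iv in counts if is_fms_weak(iv, key_len)),
        "reused": {iv: n for iv, n in counts.items() if n > 1},
    }


def hours_to_exhaust_iv_space(frames_per_second: float) -> float:
    """Time until a sequential IV counter must wrap and repeat under one key."""
    return IV_SPACE / frames_per_second / 3600


def counter_ivs(start: int, n: int):
    """Constructed helper: n big-endian IVs from a simple incrementing counter."""
    return [((start + i) % IV_SPACE).to_bytes(3, "big") for i in range(n)]


# Constructed capture: two client cards that both restart their IV counter at 0
# on power-up, and an access point whose counter crosses a weak-IV range.
SAMPLE_CAPTURE = (
    counter_ivs(0x000000, 3)    # client A after power-up
    + counter_ivs(0x04FEFE, 4)  # access point
    + counter_ivs(0x000000, 2)  # client B after power-up, same IVs as client A
)

if __name__ == "__main__":
    report = audit_ivs(SAMPLE_CAPTURE)
    print("frames:", report["frames"], "distinct IVs:", report["distinct"])
    print("weak IVs emitted:", [iv.hex() for iv in report["weak"]])
    print("reused IVs:", {iv.hex(): n for iv, n in report["reused"].items()})
    print("IV space exhausted after %.1f h at 500 frames/s"
          % hours_to_exhaust_iv_space(500))
```

Hardware that filters weak IVs should report an empty `weak` list on a long capture; reuse can only be delayed, not avoided, because the IV space is finite for a fixed key.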
  3. I want to know... by nll8802 · · Score: 5, Funny

    How long before that network is compromised. In a matter of days people will probably know what websites Mickey has been to (www.nakedmice.com) or what Mickey purchases online. (Probably Real Dolls )

    1. Re:I want to know... by Fesh · · Score: 3, Interesting

      Compromised? How long until somebody drops a jammer in a trash can? Talk about pissed-off customers.

      'Course, I'm totally clueless about the jam-resistance qualities of 802.11. I suppose that it's actually pretty hard to disrupt the signal with interference, otherwise it wouldn't make a terribly good wireless protocol...

      --
      --Fesh
      Kill -9 'em all, let root@localhost sort 'em out.
    2. Re:I want to know... by deander2 · · Score: 3, Interesting

      Actually, my 2.4ghz cordless phone does a real nice job jamming my 802.11 network. ;-)

    3. Re:I want to know... by led · · Score: 1

      in a trash can it's probably easy to find.
      but if you put it in a roller coaster....

    4. Re:I want to know... by Anonymous Coward · · Score: 1, Insightful

      Damn straight. Disney world needs military grade encryption and 100% reliability, with multiple redundant systems, all so people can get a yogurt at the kiosk with a credit card. They really need to hire groups of roving "spook patrols" that conduct sigint sweeps of the park, and do cavity searches on all guests so nobody pulls the prank you've suggested.

      Geez. Get a life. The "trash disruptor" you suggested would work at best until the next trash removal cycle--usually about 3 hours in the sparkling Disney city.

    5. Re:I want to know... by Anonymous Coward · · Score: 0

      Umm...wouldn't it be sorta easy to find a jammer? You'd be able to see what networks went down, ascertain the general area, and then go searching for something plugged into an electrical outlet or large enough to carry a medium size battery. If it moved, the easier to track down, esp. if you have a video setup for security.

      And if it was a concern, I'd bet there was probably a signal meter they could come up with to detect 2.4 transmissions broad enough to cause such a disruption.

    6. Re:I want to know... by tabacco · · Score: 1

      Heh... do you have any idea how often trash cans get emptied in Disney parks? and once they're emptied, they go into a compactor. That would be the end of any jammer in under an hour :)

  4. Things the visitor can do besides surf the web by pres · · Score: 5, Interesting

    There are things the user could use besides surf the web. For instance, a little app on your wireless device that let you check the length of lines at the rides, the reservations at a restaurant etc.
    Still, just as is, it is cool.

    1. Re:Things the visitor can do besides surf the web by Mondrames · · Score: 5, Interesting

      A relatively inexpensive device (solar maybe) for the kids' shirt. You lose your kid? Go to the security desk, and they can find what AP your kid is closest to.

      Also could be used to collect better metrics on which Guests prefer which attractions. Like Slot Club cards at casinos. Maybe you can get perks if you blow a lot of money in the gift stores (Glass Castle anyone?)

      I'm sure there's other uses too.

    2. Re:Things the visitor can do besides surf the web by jmauro · · Score: 4, Insightful

      I don't think that you can surf the web. Just because they use Ethernet and IP does not mean that they are connected to the Internet at large. Taking into account that this system handles lots of credit card orders (even encrypted) it would make more sense if the entire system was on its own isolated network.

    3. Re:Things the visitor can do besides surf the web by TGK · · Score: 3, Interesting

      See, that's why I don't understand the resistance to making this technology available to customers. You charge an exorbitant rental fee for one of these things, make sure it's well set up and easy to use and you're in business. It would be nice to have a way to tell when the line for space mountain is really short. I'd appreciate a searchable restaurant database with the ability to make reservations. Or how about we sling a GPS device into it and let the damn thing give directions? If you've ever gotten lost in Disney world you know what I'm talking about.

      Lots of people collect "character" autographs (yes really), it wouldn't be hard to have these devices tell you where characters are in the park. The commercial applications of this are simply astounding... the only reason I can think of for Disney not utilizing it is the fear of someone breaking the system. To me, that says the security is sub-par.

      --
      Killfile(TGK)
      No trees were killed in the creation of this post. However, many electrons were inconvenienced.
    4. Re:Things the visitor can do besides surf the web by Mac+Nazgul · · Score: 0, Offtopic

      moderate this up, he makes a very valid point

    5. Re:Things the visitor can do besides surf the web by 0xA · · Score: 2
      ... the only reason I can think of for Disney not utilizing it is the fear of someone breaking the system. To me, that says the security is sub-par.

      I'd have to disagree with that. Running some sort of public access network on the same wireless segment you are doing credit card authorizations on would be silly.

    6. Re:Things the visitor can do besides surf the web by m3000 · · Score: 1

      the only reason I can think of for Disney not utilizing it is the fear of someone breaking the system.

      But if that's the case, why are they allowing credit card numbers to go through it? Anyways, great ideas. The character seeker would be HUGE.

    7. Re:Things the visitor can do besides surf the web by pa-guy · · Score: 1

      Great idea, except most wireless devices (PDA's etc) don't use 802.11b.

    8. Re:Things the visitor can do besides surf the web by Anonymous Coward · · Score: 0

      Not public access, keep it encrypted. That way Disney is the only vendor of these Digital Tourguides (I oughta TM that). As it stands there's nothing on the network but credit cards. Nothing is stopping me from bringing in my own equipment (SMALL equipment) to crack it. Disney risks nothing by marketing and renting idiot proof palms or some such which are so neutered as far as their functionality goes as to make any attempt to crack the network an exercise in futility. I'm not talking about giving these people Cray IVs...

    9. Re:Things the visitor can do besides surf the web by Lish · · Score: 2, Interesting

      A relatively inexpensive device (solar maybe) for the kids' shirt. You lose your kid? Go to the security desk, and they can find what AP your kid is closest to.

      They have similar things already in use in theme parks. A water park I went to last summer had a system where you would check out a transmitter for each family member, on a wristband like a watch. You could take your transmitter to a viewing station and it would pinpoint on a map where the other members of the group were. So the kids can go off on their own and the parents can still keep tabs on them, or large groups don't have to wander around looking for each other. Pretty slick, IMHO.

      --
      "This message is composed of 100% recycled electrons."
    10. Re:Things the visitor can do besides surf the web by fliplap · · Score: 1

      yeah, neither do most credit card readers. You can get 802.11b attachment for most new PDAs

    11. Re:Things the visitor can do besides surf the web by burtonator · · Score: 2, Funny

      > A relatively inexpensive device (solar maybe) for the kids' shirt. You lose your kid? Go to the security desk, and they can find what AP your kid is closest to.

      %shell%: ping johny.doe.disneyland.disney.com
      ping: unknown host johny.doe.disneyland.disney.com

      "ah... Mam... We have a problem..." :(

    12. Re:Things the visitor can do besides surf the web by malibucreek · · Score: 1

      It's not wait times. But it is at least wireless ride ratings and reviews.

      --

      Why is it called COMMON sense when so few people have it?

    13. Re:Things the visitor can do besides surf the web by trcooper · · Score: 2

      The article I read doesn't mention anything about IP. While it's probable that they are, they could be using another protocol other than IP.

      Hmmm... SNA would be cool :p

    14. Re:Things the visitor can do besides surf the web by trcooper · · Score: 2

      Hmmmm... They may already have this... They have these pins that light up during parades, fireworks shows and certain attractions. I would figure that they work on some sort of timer, but maybe they're 802.11 devices.

    15. Re:Things the visitor can do besides surf the web by Christopher+Bibbs · · Score: 4, Informative

      Disney already has a system in place called SmartPass which allows visitors to "reserve" a place in line so they can go off and do other things (shop) and come back later without having to wait in a huge line. They also get the added benefit of knowing which rides you went on and where you were shopping before hand (your park access card is your room key, park ticket, SmartPass, credit card, Big Brother device, etc).

      I won't get into it because it's too OT, but they also have biometric scanners at the gates for season pass holders (no privacy policy, 'natch).

    16. Re:Things the visitor can do besides surf the web by Galvatron · · Score: 1
      Especially if, instead of an overhead map, it gave the kids clues. Maybe have a "parent" mode with the map, and a "kid" mode with just the clues, so if the kids start getting frustrated, the parents can point them in the right direction.


      That probably wouldn't do good things for the kids' problem solving ability, but it would likely be popular nevertheless.

      --
      "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
    17. Re:Things the visitor can do besides surf the web by Anonymous Coward · · Score: 0

      You can't do that! There are like ten Mickeys at any given time, and it would totally ruin the magic! Maybe you could slip an eighth dwarf in or something, but not an extra Mickey. The kids would cry.

    18. Re:Things the visitor can do besides surf the web by brerbeaver · · Score: 1

      >

      They tried it at Animal Kingdom a few months or so ago.

    19. Re:Things the visitor can do besides surf the web by FlamingLaird · · Score: 1

      Wireless token ring wouldn't work... The token would fall out right away...

      --
      "42"
  5. Porn on the roller coaster by Anonymous Coward · · Score: 2, Funny

    Sweet! Streaming porn while you whirl till you hurl!

  6. Big deal by alen · · Score: 1

    I got out of the US Army last year and my last duty station was in Italy. I worked at the General Staff level and used my government credit card to pay for many dinners with visiting VIP. Imagine my surprise when paying for a dinner the restaurant owner brought out a wireless credit card machine. And this was a year and a half ago.

    1. Re:Big deal by sideshow · · Score: 1
      And this was a year and a half ago.

      I think the point of the story is that Disney is using tech you can go buy down at Circuit City.

      --

      Hollow words will burn and hollow men will burn.

    2. Re:Big deal by vidarh · · Score: 2

      There's many places in Europe, companies - especially courier services etc. - use either wireless LAN enabled credit card machines, or GSM based ones, depending on the range they need to cover. It's been quite common for several years.

    3. Re:Big deal by Anonymous Coward · · Score: 0

      I've been using credit and ATM cards at gasoline stations (petrol pumps) for more than 6 years in the U.S.. Did you think that Shell or Mobil had modem hookups to banks?

    4. Re:Big deal by arson1 · · Score: 1

      I've been using credit and ATM cards at gasoline stations (petrol pumps) for more than 6 years in the U.S.. Did you think that Shell or Mobil had modem hookups to banks?

      are you saying you think those are wireless?

      --
      Don't sweat the petty things, and don't pet the sweaty things.
    5. Re:Big deal by Anonymous Coward · · Score: 0

      No, but ever notice the little dishes on the roof? Satellite != wireless

  7. And the key is by Anonymous Coward · · Score: 0

    magic (all lowercase)

  8. This is great! by SumDeusExMachina · · Score: 1, Redundant
    Whoo hoo! Not only do you probably get a monster connection to the internet, but you could probably get on it really easy considering that wireless ethernet has almost no access controls.

    You know, some people go to Disney World to meet Mickey Mouse, others go for the rides. I think I'll go for the killer Quake III experience ;)

    --

    Is your company running tools written by ma
  9. Bad ST reference: by FortKnox · · Score: 0, Offtopic

    It was later found that Khan had stolen the Genesis machine, and killed Kirk's son!!

    Sorry, you can mod me down, now.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:Bad ST reference: by Anonymous Coward · · Score: 0


      Khan didn't kill Kirk's son. The Klingons did in the third movie prior to the Genesis planet being destroyed.
      KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN!

  10. If they're smart, it won't be IP... by rekoil · · Score: 3, Insightful

    or at least, if it /is/ an IP network, each device will be a VPN client. I would presume Disney has enough money to hire people smart enough to not depend on WEP for security.

    Then again, larger companies have done dumber things...

    -C

    1. Re:If they're smart, it won't be IP... by the_2nd_coming · · Score: 2

      true, if they were smart, they could have their own proprietary protocol made up and have all the systems use that. that way no one can bring a powerbook or Dell laptop with wireless access to hack the system since the protocol would not be supported. then Disney could let people rent all those cool little devices to help navigate the park.

      --



      I am the Alpha and the Omega-3
    2. Re:If they're smart, it won't be IP... by CheeseMunkie · · Score: 1

      A good start might be SKIP (http://skip.incog.com/), to secure the IP layer... On top of WEP for the 802.11b layer... Plus SSL or SSH tunnels for the application layer ... Wrap the whole thing in IPsec, if you must, and this would be pretty secure. Of course, someone will stand just outside the gate with a sniffer and break the thing eventually... Only question is whether Disney will upgrade before or after.

  11. i tried to get on the network there.. by Anonymous Coward · · Score: 0

    i had my pocket pc and an 802.11 card, couldn't get on or even find a network where i was at...

    for more info...http://www.flashenabled.com/mobile

    cheers,

    pt

  12. Bad place to ask the question by Anonymous Coward · · Score: 0

    It's a bad place to ask the question, but here it goes -- Is there a windows version of airsnort out there anywhere? I found netstumbler, but it won't decrypt the keys.

    1. Re:Bad place to ask the question by xtremex · · Score: 1

      Why even USE Windows? Just make a new partition and install Linux...it's not that hard.

      --
      If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
  13. enjoy the park... by sluggie · · Score: 3, Funny

    "We need you to come to the park and enjoy the park"

    Imagine your laptop in one hand, some candy in the other one and getting chased by 23 security officers running over and knocking down mickey and his fellows...

    I'm sure this scene is going to make it into "password: swordfish 2"

    this sounds like a big heap of enjoyment to me ;)

    1. Re:enjoy the park... by frankmu · · Score: 1

      ya don't need a laptop to do this, just get yourself a Sharp Zaurus, and plug your wireless 802.11b in, and run airsnort.

      --
      Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony.
    2. Re:enjoy the park... by sluggie · · Score: 1

      come on! don't ruin the tense in this scene ;)

      besides that the zaurus is a cool piece of hardware...

  14. headlines by josh253 · · Score: 2, Funny

    2 million credit card numbers stolen from disney world by 12 year old with laptop...

  15. Hmmmph. by dcigary · · Score: 4, Offtopic
    Proof positive that the Slashdot editors only accept posts from people that they like. I submitted this on the 18th and it was rejected even before I could do a screen refresh.
    2001-11-18 18:41:49 Disney's Wireless Magic Kingdom (articles,news) (rejected)
    God, I love the smell of burning Karma in the morning....
    --
    ...my Karma ran over your Dogma...
    1. Re:Hmmmph. by FortKnox · · Score: 1

      Do what I do, once you are about to submit, copy the entire article you are about to post, submit it, then put it in your journal. You can't forge the time and date on those, so it brings your point home even better (I already have an article in there that I was rejected on, then someone was accepted a day or two later).

      My theory isn't that they only accept from people they like (I'm rejected all the time, and in the hof for submissions), it's the author that reads it and finds it interesting. Something Hemos finds interesting might be something michael hates. So look at the "science" section (usually michael with a sprinkling of timothy), and try to write articles similar so michael will accept you.
      Just my personal theory.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    2. Re:Hmmmph. by jonnythan · · Score: 0, Offtopic

      Hmm..isn't it the case that one editor can reject a story, and it's just gone? Whereas many people may have submitted this, yours could have gotten read by an editor that didn't think it was /. worthy. LightHouseJ's (or whoever it was) happened to get read by an editor who thought it was.

      It's Slashdot, get the fuck over it.

    3. Re:Hmmmph. by Anonymous Coward · · Score: 0

      I don't know if this is just coincidence but in your journal under the heading read "this journal entry" links to nothing. I assumed it's a link to an article you were rejected on. Maybe darker forces are at work here....

    4. Re:Hmmmph. by TheTomcat · · Score: 0, Offtopic

      Not only that..

      if you have a good write-up, and not just "hey, look at this article about Disney and 802.11", it's more likely to get posted.

      S

    5. Re:Hmmmph. by Legion303 · · Score: 1, Offtopic
      You have to Slashdot Slashdot with submissions. Resubmit at a different time of day if the first one was rejected.

      -Legion

    6. Re:Hmmmph. by Syberghost · · Score: 2

      I've found that everything I submit has somebody else's version (usually a /. staffer) posted within three days, but with fewer links and/or less cogent commentary. I just content myself with the knowledge that I was first and better.

    7. Re:Hmmmph. by ChristTrekker · · Score: 3, Offtopic

      I completely agree with this theory. I've noticed that timothy tends to post the sort of stories that I'm interested in. It's only natural that the authors will pick the submissions that interest them, and throw the rest in the bucket.

      This points out a possible flaw in the /. authors' process. Perhaps instead of accepting/canning story submissions, authors should accept only and leave the others in the inbox. If nobody else accepts a story within 3 days, it automatically goes in the bucket. If michael cans a story, Hemos isn't going to be able to accept it any more. If it's submitted again the next day, maybe it will get lucky and Hemos will see it before michael, but you never know.

    8. Re:Hmmmph. by Anonymous Coward · · Score: 0

      you may want to fix your sig. underline 1984 and name the character that said it rather than Orwell cause the way it is written it looks like Orwell said it in the year 1984 when in reality it was whats-his-name (can't recall I read it a long time ago) in the book 1984. after that you can by by George Orwell.

    9. Re:Hmmmph. by FortKnox · · Score: 2

      Or an option on submitting (checkboxes?) on which authors you are submitting to (or what authors you don't want to submit to).

      That way I can submit to Taco, Hemos, or Timothy, and avoid michael and JonKatz.

      It's a crapshoot on which of the three it will get to, and it could cause someone to get backed up with too many submissions, but I think it is worth trying...

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    10. Re:Hmmmph. by Anonymous Coward · · Score: 0

      better?
      (-:

      (no <u> support in sigs...)

      S

    11. Re:Hmmmph. by Asphalt · · Score: 1
      Yeah, join the club.

      I posted the article about Safeweb closing down, almost at the moment that Safeweb closed down. It was ignored.

      A day or two later, the exact same revelation came across under someone else's headline.

      I don't think anybody here assumes that the author of an article is the first person to report the event. If they do, they shouldn't. They could be the 58th person to report it. Luck of the draw, or something else, I suppose.

      It's a private site, they choose who they want, when they want.

      That's the benefit of running one's own show.

    12. Re:Hmmmph. by ChristTrekker · · Score: 1

      You also run the risk of misjudging an author's interests. I might know that CmdrTaco likes stories about robotics, but not know that michael does too. If I only submit to CmdrTaco, he might overlook it or delete it simply by being overwhelmed by submissions, whereas michael would have had the time to review and (maybe) post it. You're right, it's a crapshoot either way.

    13. Re:Hmmmph. by LighthouseJ · · Score: 1

      haha, I know exactly how you feel. I've submitted more than a couple articles to Slashdot and they got denied, a week later, they magically show up, submitted by a person other than myself.

      I don't know if it's proof positive that they like me (if anyone hasn't discovered I'm the one that submitted the article), they don't even know me beyond my user information.

  16. Hacking it by Syberghost · · Score: 4, Interesting

    They say they have "software" that detects intrusions. That doesn't seem to imply much about tracking you down to the square foot.

    OTOH, I don't recall ever seeing a laptop, so you'll stick out like a sore thumb unless you're in the bathroom with a PDA.

    They do search bags currently. ALL bags, even diaper bags.

    Also, there's an active Linux community among their IT people. There are definitely pockets of clue there, and it's likely that would extend to their IT security people as well.

    1. Re:Hacking it by Anonymous Coward · · Score: 0

      That's easy to get past, take a kid with a diaper bag, and make sure there's a good smelly one in there. Ziploc your 802.11b-enabled PDA in a baggy and toss it in the diaper. I promise you the security people will not open it up. There, you are in.... :)

    2. Re:Hacking it by Anonymous Coward · · Score: 0

      Mmm, you can believe whatever you want. I live in Orlando, same as you do, and frequently use my premium annual passport to get in. Next time I'm goin with the Xircom wireless module in my Visor though. All this so soon after some unscrupulous individual hax0red their Buy-A-Memory kiosks at Epcot. The mouse has got a short memory, eh. Do you really trust the security prowess of a company that doesn't hire longhairs?

    3. Re:Hacking it by Scoria · · Score: 3, Funny

      So hide the PDA in a dirty diaper. "WHOOOOO! You can pass," said the security guard. :)

      --
      Do you like German cars?
    4. Re:Hacking it by dennism · · Score: 1

      It says this covers 47 square miles... that's the entire Disney World property -- including the resorts. They might check your bags coming into the parks, but they sure ain't going to be checking all of your baggage for laptops -- especially since laptops aren't banned!

      But, it does make it a bit easier to find you, doesn't it, if you're sitting in your hotel room with a laptop?

      --
      dennis
    5. Re:Hacking it by Anonymous Coward · · Score: 0

      for what it's worth, I took a laptop into the park yesterday. They searched the bag, saw it was a laptop, and didn't have a problem w/it.

    6. Re:Hacking it by Anonymous Coward · · Score: 0

      Fifteen year old script kiddies don't usually have a baby to bring along as a prop in their hacking adventures.

      And anybody with a kid has grown up sufficiently to not find that kind of stuff worth the time.

    7. Re:Hacking it by Anonymous Coward · · Score: 0

      Do you really trust the security prowess of a company that doesn't hire longhairs?

      Do you trust the security prowess of a company that hires stoners? I mean, really. It's fun to get stoopid with toxic plants but it's a pretty pathetic way to live a life.

    8. Re:Hacking it by Ryan+Amos · · Score: 2

      I'm not sure that hacking Disney's network would be worth using a PDA covered in shit. Just me though... O:)

    9. Re:Hacking it by Anonymous Coward · · Score: 0

      I was confused whether he meant stoner or longhair. They may drug test (insurance reasons - same as every other damn corp. out there today) or they may discriminate based on appearance: You are selling an image in $Disney_Park. Long hair on men is not in keeping with their style.

    10. Re:Hacking it by Scoria · · Score: 2

      That's what they made plastic baggies for. ;P

      --
      Do you like German cars?
    11. Re:Hacking it by Anonymous Coward · · Score: 0

      They only check bags. Keep it in your pocket and there's no prob.

  17. Scale is *the* problem by john@iastate.edu · · Score: 3, Insightful
    It's a lot harder to do something for 150,000 people at a time than 150.

    It's not just a matter of buying 1000 whatevers that worked for the guy doing it for 150.

    --
    Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
  18. Are they near an airbase? by lumpenprole · · Score: 4, Funny


    Because I'd hate for wireless Mickey 2001 to start picking up air traffic chatter

    Hi kids! I sure hope you enjoy the RED LEADER, RED LEADER THIS IS TANGO ONE. and make sure to visit our LOCKED, COCKED, AND READY TO BURN TANGO ONE, WHAT'S YOUR STATUS?

    And hey, under the recent terrorism bills wouldn't that qualify Mickey as a terrorist? There'd be a trial to top OJ.

    --
    Disclaimer: MINAA (Mummy! I'm Not An Animal!)
    1. Re:Are they near an airbase? by sharkey · · Score: 1, Offtopic

      RED LEADER, RED LEADER THIS IS TANGO ONE.

      Don't you mean:
      Red 5: "OK, we're going in, we're going in at full throttle. That ought to keep those fighters off our backs!"
      Red 3: "Luke, at that speed will we be able to pull out in time?"
      Red 5: "It'll be just like Beggar's Canyon back home!"

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    2. Re:Are they near an airbase? by sharkey · · Score: 2

      "Look at the size of that thing!"

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    3. Re:Are they near an airbase? by Anonymous Coward · · Score: 0

      Well, they do have their own airport for VIPs.

    4. Re:Are they near an airbase? by MobileDude · · Score: 0, Troll

      >>"Look at the size of that thing!"

      I get this comment a lot....

      --
      10 MD .\crash 20 CD .\crash 30 GOTO 10
  19. Not a worthwhile target by Walter+Bell · · Score: 0, Insightful
    Credit card numbers alone are not as useful as they used to be for scam artists. Nowadays, in order to do anything useful with a CC#, a thief will need:
    • The billing address of the card to do any sort of mail order / online purchase.
    • The cardholder's signature. Often merchants will want a faxed copy of the sig (and maybe a xerox of the card) for ordering laptops and other valuables. And that's when they're shipping to the cardholder's home address.
    • The 3-digit validation code from the back of the card. Paypal, C2IT, and most "online cash" places demand it now; many merchants do as well.
    • The cardholder's SSN, MMN, and DOB. In order to make any changes to the account (like adding extra addresses), they will need to authenticate themselves.

    Credit card fraud is substantially less profitable now than it was 15 years ago when I did it. Back then, you could buy a new computer over the phone with a number that Credit Master spit out. Merchants have wised up now. (The thing I wonder about is why the banks' interest rates have gone up since then. No offense intended, but it's probably just a greedy jew thing.) Nowadays it's easier to steal money by hijacking PayPal accounts from Sircam-0wned machines and defrauding other online payment systems.

    ~wally
    1. Re:Not a worthwhile target by Anonymous Coward · · Score: 0

      Reminds me of the story of the two women who stole my grandfather's credit card number, copying it down from a sales receipt. The FBI investigated, and it turned out the idiots shipped the package to their home address. Not very successful there.

    2. Re:Not a worthwhile target by Dimwit · · Score: 0, Insightful

      "No offense intended, but it's probably just a greedy jew thing." - And I'm not supposed to take offense at that? What the bloody hell?

      Sorry, this is totally off-topic...but I had to say something. Well, that and that this post has been modded up...ah, well. Nothing I can do - I chose not to moderate. Hopefully for obvious reasons. :)

      --
      ...but it's being eaten...by some...Linux or something...
    3. Re:Not a worthwhile target by silversurf · · Score: 0, Offtopic

      I'm not Jewish and I'm still greedy :-)

      Seriously, I think we all are in some way or another, whether it's money or something else. After all, you committed credit card fraud, that seems pretty greedy to me...

      BTW, how is someone not supposed to take offense to that? I can think of about 1 million different ways to say the banks are greedy without being a bigot.

      -s

    4. Re:Not a worthwhile target by vsync64 · · Score: 1
      • The 3-digit validation code from the back of the card. Paypal, C2IT, and most "online cash" places demand it now; many merchants do as well.

      That might not be so crucial. I don't know about other places, but at the unnamed large chain office supply store where I work, we only check the CID on AmEx. I point out that Visa and MasterCard have both had it for years, and ask why we don't check that too. "Because only American Express has it." "That's not true. Look here." "Oh. Well, that's just the way it is."

      And of course, for point-of-sale you don't need the address, and I don't need to explain how rarely cashiers do a proper signature or ID check...

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    5. Re:Not a worthwhile target by tim_maroney · · Score: 1, Offtopic

      For all the questions asked and objections raised, you have yet to either defend or apologize for your overtly anti-Semitic statement, "it's probably just a greedy jew thing." Is it your feeling that this nauseating comment was somehow justified, or that it is such a minor issue that it is beneath your notice?

      You said, "I'm proud to be a Black man." Well, congratulations, you've just reinforced the stereotype that all African-Americans are anti-Semites. Now that's something to be proud of!

      I'm glad I know it's not true, and that bigots like yourself do not represent the entire black community. But I see more than enough of this crap, and it makes me wonder just how bad the problem is.

      Tim

  20. The first thing I thought of... by pi+radians · · Score: 5, Funny

    Not another wireless mouse!

    Ba-dum-pa-chi! Thanks folks, I'll be here all night!

    --

    sin(6cos(r)+5A)
  21. I want by Individualist · · Score: 0
    --
    http://www.geocities.com/individualistanarchist/
  22. VPN by Tweezer · · Score: 1

    The article doesn't mention if the entire 802.11b network is run over a VPN. If it's not, I'm sure it won't be too long before we all find out.

  23. They said no visitor access by Anonymous Coward · · Score: 0

    Hey, pay attention. The guy said that they want people to enjoy "the park" so they won't let visitors have access. Depending on the scheme 128bit security does seem a bit weak, but it cannot be any worse than buying things online.

  24. Good reason why they'll never offer 'Net access... by Jason+Levine · · Score: 5, Interesting

    While on my honeymoon in DisneyWorld this year, my wife and I took quite a few of their Behind the Scenes tours. On the Epcot one, we found out why Disney will most likely never let people have 'Net access in their parks. (At least not in public places.)

    Our tour guide said that they actually did have a kiosk there a few years back that let people browse the web and check their web-based e-mail. He checked on the kiosk once and found that some pervert had left up a XXX e-mail and changed the wallpaper. He wouldn't elaborate on what it was, but he said it shocked even him.

    Luckily for them, they were able to remove the offensive material before anyone noticed. Still, as a place that bills itself as "family-friendly," they simply can't take the risk that it would happen again (and more high profile).

    Our tour guide kept the possibility open that they would resume 'Net access with some types of safeguards against this, but no safeguard is 100%. Public Internet access is just not a high-priority item for Disney. (Believe me, there's so much to do at Disney World, that you won't have time to browse the Net.) The PR risks of another abuse far outweigh any customer gains.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  25. CNN lies, it's not a 47 square mile cloud by SkywalkerOS8 · · Score: 5, Insightful

    Only about 35% of the 47 square miles owned by The Walt Disney Company in Central Florida is developed. I highly doubt they went through the expense of creating a WLAN cloud that covers marshland. I doubt that even the hotel resort properties are covered either. It's probably only the 4 theme parks, the 3 water parks, Downtown Disney and maybe Fort Wilderness near Pioneer Hall. That drops the square mileage significantly. Even with the hotel areas it's only a fraction of 47 square miles. I really hate bad reporting.

    1. Re:CNN lies, it's not a 47 square mile cloud by GiMP · · Score: 2

      As per another one of my posts.. I noticed that they had this network over a year and 1/2 ago, it may have only been in testing then.. or perhaps they just didn't want to advertise it until they worked out some security issues..

      But.. it did cover the hotels. The nice thing for us about this is that you don't have to worry about sneaking a laptop into the park if you are staying at one of the hotels.
      In fact, it was at the hotel I originally noticed it as I was glancing around waiting for my bus :) There was an antenna coming from an amplifier connected to a wireless card coming from their cash register. :)

    2. Re:CNN lies, it's not a 47 square mile cloud by rhost89 · · Score: 1

      Umm, amplifying 2.4 GHz is illegal as far as I know, it is microwave, so if they were, and I doubt it, you got a nice healthy dose of microwave radiation during your vacation, but with the ozone hole and the gamma rays a little microwave isn't going to hurt us now is it ;9

      --
      I will bend your mind with my spoon
    3. Re:CNN lies, it's not a 47 square mile cloud by GiMP · · Score: 3, Interesting

      It is ok with regulation. I work at an ISP which is looking at deploying an 802.11b network. We have an amplifier on it. I don't know how good for our health it is, but I've stood next to the antenna for extended periods of time with no apparent problem.

    4. Re:CNN lies, it's not a 47 square mile cloud by _ph1ux_ · · Score: 1

      tried to have kids lately?

    5. Re:CNN lies, it's not a 47 square mile cloud by alienmole · · Score: 1
      tried to have kids lately?

      That'd be gamma rays. Microwaves would just cook your flesh, which certainly could stop you from having kids, but you'd probably notice something was up.

    6. Re:CNN lies, it's not a 47 square mile cloud by mgblst · · Score: 1

      This would prevent you from having kids the same way the creature from the black lagoon is prevented from having kids!

  26. Restaurants have been doing this for a while. by Anonymous Coward · · Score: 0

    I spent the summer living in Germany and traveled extensively in Europe. I wouldn't hesitate to guess that I came across 5-10 restaurants that used this to handle orders. It was great, I didn't have to worry about someone running off with my credit card.

    1. Re:Restaurants have been doing this for a while. by Dudio · · Score: 1

      Yeah, you just have to worry about the haX0r sitting in the park across the street. I have enough faith in Disney's renowned paranoia to believe that they took measures to protect their network; I have no faith that the average restaurant owner will do anything more than plug in a Linksys access point and call it done.

    2. Re:Restaurants have been doing this for a while. by Craig+Davison · · Score: 1

      The average restaurant owner buys a full system preconfigured by somebody who knows what they're doing - pads/card readers, dialer, everything. No PCs and no storebought access points involved.

  27. Hack Disneyworld by Bonker · · Score: 5, Funny

    By definition, any given network is crackable. It's just a matter of time, right?

    Here are some exploits that we can be sure of seeing in the future:

    1. 'It's a Small World' animatronic dolls reprogrammed via wireless network to share their cultural feelings via a massive animatronic orgy of all nations.

    2. Michael Jackson's "Captain Eo 3D" video replaced with low-quality MPEG of a video taken of what really happened at Macaully Caulkin's last birthday party.

    3. Ride Space Mountain during DDOS season? Only if you're feeling suicidal. You never know when that modified Nimda worm is going to kick in.
    4. Parade of Lights all flash in sequence to spell out "L33+ X1DD135 OWNZ JOO DIZNY"

    5. Animatronic Abe Lincoln now shouts, "Beefcake. BEEFCAKE!!!!"

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    1. Re:Hack Disneyworld by lww · · Score: 2, Funny

      I think I'd rather try stealing from DeBeer's, Fort Knox or the Mafia or something much less dangerous to my health...

      Have you ever been stuck on the Small World ride when the little boats get backed up? Ten minutes is what they do to the people they like (customers). Imagine how long you'd be strapped into the boat if they catch you hacking? *shudder*

    2. Re:Hack Disneyworld by Anonymous Coward · · Score: 0
      By definition, any given network is crackable.

      you have a strange idea of the definition of "network" dude.

    3. Re:Hack Disneyworld by Bob+McCown · · Score: 1
      Drifting OT here, but I have to share this. A week or so ago, my ladyfriend came home and said "Damnit, I've had $KIDS_SONG in my head all day, and it's all your fault!" (I had put the CD on the night before for my son). I said "The cure is worse than the cold, you know..." She said "Can't be..."

      I started singing:
      "It's a small world after all,
      It's a small world after all,
      It's a small world after all..."

      She yelled at me.

    4. Re:Hack Disneyworld by Anonymous Coward · · Score: 0

      The cure is only worse than the cold if it wasn't a Barney song

  28. Only news is that people have noticed it by GiMP · · Score: 4, Interesting

    I took note of their network over a year and a half ago when I went there with my high school senior class.

    I noticed the cash registers were connected to an 802.11b network.. also, I spotted some computers as well.

    I didn't have an 802.11b card at the time, and my only laptop had suffered a terrible accident.. so I wasn't able to do any 'diagnostics', but I thought it was interesting. Maybe next time I'll bring my PowerBook /w 802.11b card and go to work.

    See, you don't need to worry about getting into the park with your laptop.. Because this also extends to their hotels and probably their on-site buses as well.

    1. Re:Only news is that people have noticed it by Sc00ter · · Score: 1
      Only problem with that is that, until recently with the new base station they just added to their lineup, Apple Airport stuff isn't 128-bit, so you won't be able to get onto their 128-bit network. :(

    2. Re:Only news is that people have noticed it by 90XDoubleSide · · Score: 2

      The hardware was 128-bit capable for several months before the software came out, so it may still work. If not, just hold out for an 802.11g card ;)

      --
      "Reality is just a convenient measure of complexity" -Alvy Ray Smith
    3. Re:Only news is that people have noticed it by dgoodman · · Score: 1

      Actually, Apple provided a firmware update to their AirPort cards to upgrade them to 128-bit encryption: this way they don't have to make a new card, and all the old card owners (like me) are still happy.

      have fun
      dongoodmnan

  29. Eventually a cash-less park? by acroyear · · Score: 4, Insightful
    Disney could eventually use this to lead to a 100% cashless park (increasing patron safety in the long run -- less need for cash might lead to less to gain for purse-snatching).

    Yes, we all agree that this network may be risky for transferring credit card info around, but they could over time move to a "disney dollar" card, where you pre-load the disney card with your credit card as you enter or on the phone or whatever, then use that disney card within the park grounds to buy whatever. Disney can then provide insurance against fraud against that card instead of worrying about being liable against Visa and AmEx in the case of number theft over the airwaves...

    The other advantage is that Disney's own systems could authorize the sale over the Disney card instead of having to send out to a Visa/MC/AmEx authorizer off site -- it would be considerably faster that way (since the system could be built up front to support the average # of visitors on site), especially during holiday seasons...

    Just a thought...

    --
    "But remember, most lynch mobs aren't this nice." (H.Simpson)
    -- Joe
    1. Re:Eventually a cash-less park? by Anonymous Coward · · Score: 0

      ...and then they can do whatever the heck they want with those "disney dollars", and think about the extra money they will get, because if they're like everyone else, you won't be able to cash out your remaining Disney Dollars back to real dollars when you leave the park...

    2. Re:Eventually a cash-less park? by kawika · · Score: 1

      The park is pretty much cashless if you stay at a Disney hotel. You can use your hotel card to charge stuff anywhere and get the combined bill when you check out.

    3. Re:Eventually a cash-less park? by Putz19 · · Score: 1

      When I was at Disney back in early 1990's I remember my parents giving me a "credit card" that was Disney's. I got food at the hotel we were at and it charged it to the room bill. This is mainly what you are talking about, so it has been done for over 10 years now.

      --
      CS majors, we are the geeks that run it all. Without us things die.
    4. Re:Eventually a cash-less park? by acroyear · · Score: 1

      In other words, they've already moved mostly into that direction...so much for me thinking originally... ;-)

      --
      "But remember, most lynch mobs aren't this nice." (H.Simpson)
      -- Joe
    5. Re:Eventually a cash-less park? by tuiterwyk · · Score: 1

      Yep, we were there this summer (Disney World, Orlando).

      For the most part I was impressed. Could use them everywhere, even to buy a coke.

      Each adult had one card, was our room key, park ticket, and charge card. They issued cards for the kids, but they didn't have charge privileges (our choice if I recall) }:-)

      One thing that I did find annoying was that they many times would ask you for your name and write it manually on the charge slip, seemed rather redundant!

      Said it was in case the system went down !?!(Of course, what sort of answer would you expect from an hourly wage "cast member" selling hot dogs and chicken nuggets?)

    6. Re:Eventually a cash-less park? by dennism · · Score: 1

      The other advantage is that Disney's own systems could authorize the sale over the Disney card instead of having to send out to a Visa/MC/AmEx authorizer off site -- it would be considerably faster that way (since the system could be built up front to support the average # of visitors on site), especially during holiday seasons...

      And cheaper as well... by combining all of those credit transactions into a single transaction at the end of the stay or the day, they can save some of the merchant fees as well.

      I think they already do this to a degree -- as I recall from two years ago, you could have some things charged to your room if you stayed in one of their resorts. This could just be an extension of that.

      --
      dennis
    7. Re:Eventually a cash-less park? by __aafutm5472 · · Score: 1

      I was at Disney World in April for a Disney Cruise (4 days in the park, 3 days on the cruise ship). They already have something similar to this.

      First off, you only have to check in once, and they give you two room key cards. You use them to get into your room, get into the park, purchase things (anywhere they take a credit card, you can use your 'Key to the World' card). When it came time to get on the boat, we used that as our boarding pass, and it also got us into our stateroom. Everything on the cruise ship could be put on this card.

      When you originally checked in, you had the option of putting everything that went on the card onto a credit card. Worked great and I barely needed cash the entire time. Very cool.

  30. How about something useful by Quizme2000 · · Score: 4, Interesting

    They should rent out wireless digital cameras: whenever a pic is taken it's uploaded via 802.11, and before they leave the park, they've got prints of the family vacation.
    Also, a previous article said it would be used to play music around the park based on location. IMHO, kind of a waste for just CC's.

    --
    "Get them before they get....
    1. Re:How about something useful by Anonymous Coward · · Score: 0

      They were beta testing this sometime ago when I was there. I visited Disney's Animal Kingdom, and was handed a device that had a PDA-form factor. It had a wireless network card, as well as a low-resolution digital camera attached. There were 4 buttons along the bottom, and pressing a different sequence of buttons (the sequence was given at various locations) I could learn more about the group of animals or plants I was looking at. The digital camera took 35 pictures and transmitted them wirelessly, so I could pick them up when I left the park. This was about 2 years ago, and they said it was VERY early in the testing. So, it sounds like this kind of thing may be coming along soon.

  31. Could be fairly secure by wiredog · · Score: 2

    The article doesn't say they are using TCP/IP. Doesn't look like it has internet access either. Probably requires some sort of username/password combo (possibly built into the devices) to log on to the LAN. If the encryption is properly implemented (a big if) it could be very secure.

  32. Re:Good reason why they'll never offer 'Net access by m3000 · · Score: 2, Interesting

    I've been there multiple times over the course of the year (annual passes are great things) and I remember the kiosks the guide was talking about. They were still up the last time I was there, but they were whitelisted. Meaning that only the websites that Disney had approved were allowed, anything else not on their list was automatically blocked. The whitelisting seemed to work quite well. Interestingly enough, Slashdot was readable, so I guess someone in the Internet department at WDW likes his news for nerds.

  33. Re:Good reason why they'll never offer 'Net access by Rogerborg · · Score: 4, Funny
    • Our [Disney] tour guide said [...] some pervert had left up a XXX e-mail and changed the wallpaper [on a public terminal]. He wouldn't elaborate on what it was, but he said it shocked even him

    Probably some of that sick, perverted, Godless Pixar stuff. ;-)

    --
    If you were blocking sigs, you wouldn't have to read this.
  34. If rather than when by ackthpt · · Score: 2, Insightful
    I wouldn't bet my credit card number on it not being cracked, but at the least they do seem to be thinking forward on security, by detecting attempts to access their network.

    If you were planning to crack a network and steal purchase information, there's easier places, like dumpster diving, as I still see the occasional receipt with full number and expy on it blow down the streets with other stray litter.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:If rather than when by led · · Score: 1

      Well, the good thing about getting cards in Disney is the quantity.
      There are businesses (illicit) that live on selling working credit cards, there is an entire market built around it; a few years back a service which provided working cards for a month cost about $150.
      Usually they crack some badly administered site and get the entire list of cards, but with something like this it's probably less risky to just listen to Disney's wireless.

  35. Re:Good reason why they'll never offer 'Net access by Erasmus+Darwin · · Score: 2
    "(Believe me, there's so much to do at Disney World, that you won't have time to browse the Net.)"

    I wouldn't mind being able to browse the Net while standing in line. Hell, even surfing through a white-list filter would be better than nothing.

  36. Re:Good reason why they'll never offer 'Net access by Bonker · · Score: 2

    (Believe me, there's so much to do at Disney World, that you won't have time to browse the Net.)

    And here I am thinking that the best way to while away those 1-2 hour waits in line for all the most popular attractions would be with Unreal Tournament or Q3Arena. If lag became an issue because of the sheer number of devices and users drawing bandwidth, you could always play something turn-based, like CivNet.

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  37. How long will it be before they get nailed anyway? by Svartalf · · Score: 3, Informative

    Unless they're using IPSec or something like it, they're vulnerable. WEP doesn't secure worth spit even with 128 bits because they implemented the whole protocol as an insecure system. Also of note is the fact that there is pretty much no commercial IDS software that would effectively catch someone doing something bogus in time to find them in a wireless context.

    It's pure bravado that bases their claims of security- unless they have a security staff sweeping the entire park with DF gear, they're NOT going to catch anyone doing something illegitimate on their WLAN.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  38. "entire system was on its own isolated network" by da5idnetlimit.com · · Score: 1

    Oh,

    you mean a wireless isolated network...

    wireless as in broadcasted ?
    that + isolated is quite a nice one 8)

    Encrypted as in "please hack me, cos I'm full of family card codes and serialz" ?

    Oh, isolated as in "no internet connection".

    Yes ! an isolated broadcasted encrypted credit card numbers cahoot !
    in a place full of "teenagers" that could try to snort & hack...

    Possibly using a Palm VII (or wireless Pocketpc) to catch and forward the packet...

    Oh God, I think I'll try and take a vacation. possibly in Orlando 8)

    Why ain't I 15 !?!

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
    1. Re:"entire system was on its own isolated network" by Anonymous Coward · · Score: 0

      FYI kid, the Palm VII doesn't do 802.11. Its wireless connectivity is based on a two-way pager network.

  39. Really? by Svartalf · · Score: 2

    With the electronic transactions that we have nowadays, you're going to see less and less of that sort of thing being possible. They're going to resort to snooping WLANs like Disney is setting up if they can. Sad thing is, they claim it's 128 bit encrypted- is that WEP or IPSec? If it's WEP, they might as well be broadcasting in the clear.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    1. Re:Really? by ackthpt · · Score: 2

      Something Disney or anyone else can do, is sell cards with a certain amount of credit at the park, similar to phone cards. I've received a few of these in lieu of gift certificates. Up to now Disney has issued their own money for use in the park, this would appear to be a minor change, then once the cards are exhausted they could be collector items, with various themes on them, like they do with the money. Sometimes better security is just a matter of a slight change in practice.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Really? by Scyber · · Score: 1

      They kinda have that already. If you stay in the resort you can use your magnetic stripe room key to charge anything you want and it appears on your bill. There is a max amount that you can specify when you check in.

      It was very convenient to have when I was there in September.

  40. Lines at Rides by ackthpt · · Score: 1
    For instance, a little app on your wireless device that let you check the length of lines at the rides,

    Hey, my GPS can do that! And considering ±3 metres with the length of the usual line, that would produce a reasonable degree of accuracy. It would be pretty cool to spend a day at D/World or D/Land with a GPS tracking you around like Billy of Family Circus (BTW, there's a couple good spoofs of F.C. in the latest Bizzaro collection.)

    Still, you need something to do while standing in line at these parks for 40 minutes waiting to get on a 30 second ride.

    "Look, mummy, is that man tying calculators together?"
    "No, Bobby, he's a creep trying to crack the 802.11b network and 128bit encryption and steal our credit card info to sell to bin Laden"

    --

    A feeling of having made the same mistake before: Deja Foobar
  41. Cracking the Protocol... by Orne · · Score: 4, Insightful

    Since you posted that AirSnort link, I was curious, so I popped over to sourceforge and downloaded it. Part of their documentation says: "For a key length of 128 bits, this translates to about 1500 packets." then it goes on to describe how you can search for certain constants (starts with 0xAA, etc) within the packet to see which random keys were successful. Interesting stuff, and definitely a clever way to decode: thanks to flaws in the logic, every bit rate can be reduced to 8-bit encryption.

    However, once you've collected your packets and broken the key, you now have a decoded packet. Well, what does that mean? You have the framing information (packet length, header) and the message body (which is just raw data).

    I'd bet a 7-day park-hopper pass that the data in the packet's body is encrypted a second time with a more reliable scheme. If there's one thing Disney knows how to do well, it's make money, and they can't risk the bad PR for this to foul up.

    1. Re:Cracking the Protocol... by jageryager · · Score: 1

      Last I knew AirSnort couldn't crack Cisco/Aironet stuff.

      Also, it's not hard to imagine Disney using some proprietary security solutions such as a RADIUS server for added security on top of WEP. RADIUS can be configured to change the WEP key every so many minutes.

      And finally like everyone else said, it's not hard to imagine Disney using some extra encryption for the actual card number.

      --
      "They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety"-B.Franklin
    2. Re:Cracking the Protocol... by RustyTaco · · Score: 1
      Also, it's not hard to imagine Disney using some proprietary security solutions such as a RADIUS server for added security on top of WEP. RADIUS can be configured to change the WEP key every so many minutes.
      It's called LEAP. And yes, it's a Cisco-specific thing at the moment. They are working with the appropriate standards bodies (IEEE) to get something like it into the spec books. MS has some preliminary version implemented in XP, though I don't really think 802.1x has been ratified yet.
      It does do exactly what you suggested though. It uses some sort of hash-based authentication so that your actual identifying information never sees the air (encrypted or not). It's backed by a RADIUS server and changes the per-client WEP key at a user defined interval.
      It makes the likes of airsnort pretty much useless, if used right. Airsnort needs a fairly large amount of traffic to analyze, but with a key lifetime of 5-10 minutes it just isn't going to get the amount of traffic it needs before the key changes. And even if it does, the key still changes. Back to square one.

      - RustyTaco
    3. Re:Cracking the Protocol... by richj · · Score: 2

      Also, it's not hard to imagine Disney using some proprietary security solutions such as a RADIUS server for added security on top of WEP. RADIUS can be configured to change the WEP key every so many minutes.

      It's trivial to change the WEP keys on the AP, the hard part is changing them on the clients and keeping them synch'ed. Besides, I don't think WEP was designed to run credit transactions across :)

      I think a more likely scenario is they have a fairly dirty "Wireless Network" that is traversed by whatever devices they're using. Those devices would have a robust authentication system allowing them off their dirty network and through a firewall. It wouldn't be too difficult to implement this with smart cards and IPSec.

      If you bring an 802.11 device onto their network, you'd be able to get a signal, obviously, but I'd find it highly unlikely that you could run a sniffer and get anything useful.

  42. Re:How long will it be before they get nailed anyw by TheMidget · · Score: 1
    WEP doesn't secure worth spit even with 128 bits because they implemented the whole protocol as an insecure system.

    We already know that, and probably Disney does too. But who says that they aren't using some application-level encryption on top of WEP. Crack WEP, and you'll be staring at an additional layer of encryption (SSL, whatever).

  43. More opportunity for revenue generation by Anonymous Coward · · Score: 0
    Plus, it allows "cast members" to offer guests goods and services anywhere, not restricted to where the credit card machine is at.


    Just wait till your little crumb-cruncher gives a hug to the "cast member" dressed as Mickey, and Mickey asks for your credit card to run through the card machine inside his suit.

  44. They prolly wont do that? by arnoroefs2000 · · Score: 1

    Because as far as I know at Disney's, they don't wanna let you know how long their lines are sometimes, they use specific techniques to hide that, for instance the scary Alien thingy, you got like 3 halls before it where you get to wait in groups, so it looks like you're already on the ride, but it's basically a glorified queue :)

  45. Tell that to the joker that bought $2300 of stuff. by Svartalf · · Score: 1, Offtopic

    Recently, I had lost my CC and had a new one issued- the only individual that I'd given the new number to was a Hell Desk employee at my ISP to get my autobilling straightened out. 3 days later someone bought some $2300 on the card from a car parts place in Houston (performance parts for some GM car...). I've gotten it straightened out- but they successfully used it.

    Almost nobody checks billing addresses over the phone or online.

    Nobody asks for a signature for mailorder or online purchases- how would they DO that.

    Nobody that I've dealt with in recent times asked for the validation code from the back of the card- in general, I don't believe they do.

    Nobody attempts to change the account- they just try to purchase with it. In many cases they succeed.

    All it would take for someone to take you for several hundred dollars is to make a duplicate card (Easy with a magstripe writer) and use it at those pay at the pump gas pumps. No validation, no checking, no PIN.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  46. Funny thing I heard about Disney.. by jcr · · Score: 1, Offtopic

    I heard a rumor that some of the employees at Disney World in California started referring to the place as "Mauschwitz". Management got royally pissed, sent around a memo forbidding the use of the term, and without skipping a beat, everyone switched to "Duckau".

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:Funny thing I heard about Disney.. by Anonymous Coward · · Score: 0

      disney world in california? when did they build that? i like disney land but I would kill for a disney world in CA. just being a smart ass, don't take any offense to this post

    2. Re:Funny thing I heard about Disney.. by tabacco · · Score: 1

      As a Disneyland castmember, I can assure you that that's pretty much untrue. I have yet to hear a single person utter either of those terms.

      Generally, with the meager amount Disney pays us, a person has to really love the place to work there. For that reason, you don't get a whole lot of people who really hate it -- they go elsewhere.

  47. who dunnit? by headwick · · Score: 3, Informative

    "The man responsible, Murshid S. Khan, Director of Telecommunications and Technology Support"

    I graduated UCF with my Computer Engineering Degree in 2000. For our senior design projects, Disney came and solicited us heavily to work on their projects. Free labor, helping a poor college student out with an idea, free labor, did I mention free labor. This project along with several others were mentioned. My comments regarding network security concerns were treated as pessimism. Needless to say I did not lend my time for Disney's free labor.

    --
    ~ fact is not dependant upon your belief therein. ~ ~ Have I therefore become your enemy because I tell you the truth?
  48. Old stuff by da5idnetlimit.com · · Score: 3, Interesting

    Residing in europe for some time now (hmm, since I was born ? 8) I can tell you this is old stuff.

    Every (most) credit card has been a smartcard for 15 years in France. The credit card machine is in fact an autonomous code checker. It won't transmit your code on the air, but checks it locally, then makes a confirmation number that encrypts the acceptance code and your card references.

    This number is either sent remotely for acceptance by the central bank computer (above $500) or just accepted locally if the amount is small.

    Those devices existed before with infrared transmission, and now use a local radio link.

    This allows a faster and more secure way than just the stupid magnetic strip...

    Hoping to read from you 8)

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  49. Useful if you can extract the value afterwards... by Svartalf · · Score: 2

    I could see a "Disney" card where you can charge it up w/Cash value and use it like a credit card- with the ability to get a cash refund/credit for anything not used when you leave the park. Otherwise, it's no different than those gift cards Wal-Mart, Target, etc. are selling.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  50. Re:Good reason why they'll never offer 'Net access by Junta · · Score: 2

    Interesting that slashdot made it to the white list. It may be that bad images may not make it through, but with some of the comments and ASCII art trolls, I'm surprised Disney was willing to risk it..

    --
    XML is like violence. If it doesn't solve the problem, use more.
  51. Whatever by Anonymous Coward · · Score: 0

    What would a thief do with several hundred dollars worth of gas? How would he store it - are you talking about the con artists who happen to own tanker trucks? Do people sell stolen gasoline on the streets where you live?

    Try buying computer equipment and having it shipped to your workplace (instead of your home). Everybody runs the addresses through AVS nowadays. And I have personally had to FAX in a copy of my driver's license, my credit card, and my siggy for a big purchase.

    1. Re:Whatever by phillymjs · · Score: 2

      What would a thief do with several hundred dollars worth of gas?

      One of my friends lost one of his credit cards. He reported it as soon as he realized it, but not before the person who found it apparently called all his friends and relatives and they all had a 'free fill-up' party with it. The dude then went and bought a few PlayStations, I think in a Funcoland. There were a few other odd purchases, but I think the CC company finally put a halt on the card when dude tried to buy a computer somewhere.

      Nothing could really be done about the pay-at-the-pump gas station, but the stores should have at least matched the signature on the card to the signatures on the receipts. My friend got back copies of the thief's receipts and the times they forged my friend's signature on them, the signatures were not even CLOSE. A few times the thief just signed another arbitrary name. Even so, the purchases sailed through no problem until the CC company's computers apparently noticed an aberration from the normal buying patterns on that card.

      Fortunately, the CC company ate the costs instead of sticking them on my friend, but he had to fight like hell for a while to get them to do it.

      ~Philly

    2. Re:Whatever by cloudmaster · · Score: 2

      Heck, my card isn't even signed. Maybe one out of every 20 merchants actually asks to see my driver's license to verify my name with a photo, the rest just don't care. It says right on the card "don't accept this without a signature". Sigh. Lazy workers'll get you every time.

    3. Re:Whatever by mandelbaum · · Score: 1

      "Fortunately, the CC company ate the costs instead of sticking them on my friend, but he had to fight like hell for a while to get them to do it."

      Not true! The CC company just collects fees from the merchants and then charges back the merchants for the goods. The store loses the money and the product. Because of this, the credit card companies have no incentive to ever fix this problem. It's really frustrating.

      -aaron

    4. Re:Whatever by Anonymous Coward · · Score: 0
      Not true! The CC company just collects fees from the merchants and then charges back the merchants for the goods. The store loses the money and the product. Because of this, the credit card companies have no incentive to ever fix this problem. It's really frustrating.

      And that's how it ought to be. How the heck do you think that the credit card company is going to fix the fact that the merchant doesn't bother to turn the card over and look at the (forged) signature.

      There are several ways of verifying that a credit card was used by an authorized individual

      1. Signature
      2. Photo ID
      3. PIN on back of card
      4. Card holder address
      If the majority of credit card fraud was perpetrated by people who could forge all of those (which certainly can be done), then I would argue that the CC companies ought to do something about their lax authentication. But the fact is, in the vast majority of cases the problem is with the merchant failing to use any of those authentication methods, trusting merely "possesses the card number" as sufficient for authentication. This is the merchants' problem and they should be prepared to pay for the times their chosen authentication method fails.
    5. Re:Whatever by mark_lybarger · · Score: 1

      i agree the merchants eat their mistake. why should the cc company have to verify who is using the card? that's the responsibility of the person calling in the card. that's like making a bank responsible for someone writing out stolen checks at the local wal-mart. the merchant is the one who's supposed to know that he's going to get his money.
      maybe you would suggest having fingerprint verification systems in place for all merchants, such that the credit card companies could then verify the person using the card?

    6. Re:Whatever by sulli · · Score: 1

      Apparently it's common practice to use stolen cards at gas stations, to see if the card is still valid. Of course the fraud protection guys watch for this too - 5 x $2.00 gas purchases, interleaved with expensive computer parts, within a few days would almost certainly get the card cancelled. From what I've read about the subject.

      --

      sulli
      RTFJ.
  52. Compared to IPSec, SSL is weaker... by Svartalf · · Score: 2

    It's got vulnerabilities, just like WEP does- just not as exploitable. For a small subnet (and this constitutes that...) SSL's only moderately secure- because an attacker will know up-front that there's financial stuff predominately on this WLAN. If you're in on WEP, then you can then snoop for SSL weaknesses without them knowing, etc. If they're relying on most of the encryption techniques out there, it'll keep most of the script kiddies from pulling something off- but nobody else.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  53. I only see three problems with this: by A_Non_Moose · · Score: 1

    One, if they run NAT everything will resolve back to disney.com.

    Two, who could trust such an..ahem.."Mickey Mouse Operation".

    Three, their DHCP will probably charge by the address's lease life, which will be lobbied by congress to last the life of the laptop/user+ 90 years now? Talk about a revenue stream...oye.

    --
    Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
    1. Re:I only see three problems with this: by Anonymous Coward · · Score: 0

      Never mind reading the article - you can't even manage to read the summary. Visitors will *NOT* have access. This is used for the park's internal network, not to provide internet access to dumbasses with laptops.

  54. This wouldn't be that hard by Our+Man+In+Redmond · · Score: 2

    The last time I was in a Disney Store I noticed that they sell gift cards, accepted only at Disney Stores, that you can load with any amount up to $500. (These are similar to the ones most major chains sell these days, from B. Dalton to Target.) I forgot to ask whether they were accepted at the parks, but it wouldn't surprise me, since in some ways Disneyland is the world's biggest Disney Store.

    It doesn't seem like it would be that difficult to adapt the cards to the technology. In fact it would make some things easier -- include a card on the back of each Annual Pass, for instance, and the passholder would automatically get their 10% discount on park purchases, plus they'd be more likely to store money on the card (which of course could only be used to buy stuff from Disney).

    As good as Disney is at extracting money from patrons, this seems like a natural for them.

    --
    Someone you trust is one of us.
  55. Won't protect you much... by Svartalf · · Score: 2

    All you need to do is monitor the ethernet frames or whatever else is coming in on the RF modem. All using a goofball protocol does is ensure that script kiddies don't get in on first base of hacking the net.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    1. Re:Won't protect you much... by the_2nd_coming · · Score: 2

      isn't that who they have about 90% to worry about?
      also, it would allow them to come up with some really cool stuff built into the protocol, and perhaps even before the connection can be granted, the device has to be authorised to communicate by a central server based on a name. if someone tries to hack it, an alarm can sound and a built-in locator can give security the person's location. creating their own protocol can reduce risk a tremendous amount and let them add nice features that you could not get in IP.

      --



      I am the Alpha and the Omega-3
    2. Re:Won't protect you much... by Anonymous Coward · · Score: 0

      That's your cue, dweeb:

      come in and drone something about 'security through obscurity not working' or whatnot.

      We know you've got it in you.

  56. False assumptions.... by coyote-san · · Score: 2

    Don't assume that just because you were never bored, ON YOUR HONEYMOON I might add!, that nobody else is never bored either, or never has other reasons to remain connected. Besides the obvious down time in lines, at meals, etc., there's the fact that some people have older relatives near death, younger relatives near childbirth, etc. You can't put your life on hold, and carrying cellphones everywhere is not always an option.

    As for the kiosk abuse, that's completely irrelevant when you're talking about people using their own wireless devices. Think anyone is going to leave an expensive laptop or PDA lying around? If they keep it with them, then it's easy to identify the person responsible for the images.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:False assumptions.... by Jason+Levine · · Score: 1

      When's the last time you were at DisneyWorld? We were there for 9 days, 8 nights and still didn't get to go on all the rides/see all the shows we wanted to see.

      However, as an added incentive to get guests to stay onsite, perhaps Disney should offer in-hotel Internet access. They could do a disk image of the room's PC and, after each guest checks out, restore it to its "Disney approved" state. This could help eliminate the possibility of one guest mucking up the PC for all future guests.

      But public Internet terminals would just have too much potential for abuse. And not that many people are going to carry their laptops/PDAs around at DisneyWorld browsing the 'Net while walking the parks. Not to mention, who would provide tech support when a visitor couldn't get their Palm to connect to the DisneyNet? It's just not feasible for them. If you need to keep in touch with events at home, there are phones in the hotel rooms.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  57. Fill up their car several times... by Svartalf · · Score: 1, Offtopic

    Think for a moment that you might not catch a bogus $20 gas purchase- especially if it was done in your normal area of operation. They could conceivably fill up 5 or 10 times if they're lucky enough.

    As for "everybody" running the addresses through the AVS- that might be your experience, but not mine. 1) If they had, this purchase that this joker made on my new account # wouldn't have gone through in the first place (wouldn't have made it through- no ID, etc.), and 2) I have yet to be accosted for driver's license, card, etc. for purchases not going to my house.

    I've not done computer equipment purchases via mail/online lately, so I don't know about that- but I DO know about other stuff and it doesn't seem to be as you claim.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  58. Additional information-crypto and GUEST TRACKING? by thermowax · · Score: 2, Interesting

    More info to be found at http://www.computerworld.com/storyba/0,4125,NAV47_STO65816,00.html . They mention that it involves "128 bit encryption", which certainly leads one to think 128b WEP, but remain cagey about further security- I'll wager VPN. One thing that did catch my eye was the guest tracking. They propose the innocuous example of ensuring guests have all returned to a cruise ship- but I think that sets a dangerous precedent...

    Anyone else see Westworld/Futureworld? ;)

    Thermowax

  59. Wireless networks by Rupert · · Score: 2, Funny

    People really have no clue about how to secure wireless networks.

    I'm sitting here typing this while I wait for Jim "Open Source is Un-American" Allchin to deliver the keynote at the Windows Embedded Developers Conference. I have already found one guy on the un-WEPed 802.11b network with his C: drive mapped as \\steven2\c

    --

    --
    E_NOSIG
  60. Down to the last foot--triangulation by chainsaw1 · · Score: 1

    If someone was attempting to break into a wireless network, should you be able to find the access point they are using and triangulate the signal they are broadcasting with based on what channel they are communicating to the base station with? This is how the FCC finds unlicensed radio stations, etc...

    Granted the signal is weaker, but you can really narrow the search by only examining the area around the base station the person is using..

    --
    - Sig
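A sketch of the locating idea raised in the "Down to the last foot" comment, added here as an example and not part of the original thread. It swaps direction-finding triangulation for RSSI-based trilateration, which is what fixed access points can do without directional antennas; the path-loss constants, AP coordinates and readings are assumptions constructed for illustration.

```python
import math

# Assumed log-distance path-loss model (not from the thread):
#   rssi = P0_DBM - 10 * PATH_LOSS_EXP * log10(d / 1 m)
P0_DBM = -40.0        # assumed RSSI measured 1 m from the transmitter
PATH_LOSS_EXP = 3.0   # assumed exponent for a cluttered outdoor site

# Constructed sample: four APs on a 40 m square, each reporting the RSSI
# it sees for the same unknown client MAC. Format: (ap_x_m, ap_y_m, rssi_dbm).
SAMPLE_READINGS = [
    (0.0, 0.0, -79.0),
    (40.0, 0.0, -85.3),
    (0.0, 40.0, -82.9),
    (40.0, 40.0, -87.0),
]


def rssi_to_distance(rssi_dbm, p0=P0_DBM, n=PATH_LOSS_EXP):
    """Invert the path-loss model to get an estimated range in metres."""
    return 10 ** ((p0 - rssi_dbm) / (10.0 * n))


def locate(readings, p0=P0_DBM, n=PATH_LOSS_EXP):
    """Estimate (x, y) of a transmitter from [(ap_x, ap_y, rssi_dbm), ...].

    Each reading defines a circle around its AP. Subtracting the first
    circle from the others removes the x^2 + y^2 terms and leaves linear
    equations, which are solved by least squares (2x2 normal equations).
    """
    if len(readings) < 3:
        raise ValueError("need readings from at least three access points")
    x1, y1, r1 = readings[0]
    d1 = rssi_to_distance(r1, p0, n)
    saa = sab = sbb = sac = sbc = 0.0
    for xi, yi, ri in readings[1:]:
        di = rssi_to_distance(ri, p0, n)
        a = 2.0 * (xi - x1)
        b = 2.0 * (yi - y1)
        c = (xi ** 2 + yi ** 2 - di ** 2) - (x1 ** 2 + y1 ** 2 - d1 ** 2)
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    # Collinear APs give a singular system: the mirror image across the
    # line of APs fits equally well, so refuse to guess.
    if det <= 1e-9 * (saa + sbb) ** 2:
        raise ValueError("access points are collinear; position is ambiguous")
    x = (sbb * sac - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return x, y


def nearest_ap(readings):
    """The comment's first step: the AP that hears the client loudest."""
    return max(readings, key=lambda r: r[2])[:2]


if __name__ == "__main__":
    print("strongest AP:", nearest_ap(SAMPLE_READINGS))
    print("estimated position: (%.1f, %.1f) m" % locate(SAMPLE_READINGS))
```

Real RSSI is noisy (multipath, bodies, antenna orientation), so in practice the estimate narrows a search area rather than pinpointing a person.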
  61. I'm surprised nobody thought of it yet by Anonymous Coward · · Score: 0

    We could use the network to distribute DeCSS throughout all of Disney World. Now wouldn't that get the attention of the MPAA.

  62. The funniest thing I've ever seen... by infinite9 · · Score: 2

    While working for the rat-king a number of years ago, I went to lunch in the cafeteria under the magic kingdom. I walked in and saw Snow White, in complete costume and makeup, sitting on her boyfriend's lap smoking a cigarette.

    Maybe Snow can start taking credit cards to turn tricks in the alleys of main street. :-D

    --
    Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
  63. Re:Tell that to the joker that bought $2300 of stu by Pope+Slackman · · Score: 2

    Nobody asks for a signature for mailorder or online purchases- how would they DO that.

    While it isn't done often, it does happen.
    They do it by fax machine or snail mail, and it's a real PITA, especially when you don't have a fax machine.

    I bought a MC218 (Psion 5mx copy) from Expansys in the UK, and
    they had me fax over a signed photocopy of my card and my driver's license before they'd run my order.
    Not sure if they do this for all orders or just for international ones tho.

    C-X C-S

  64. Yes it is, and here's why by chainsaw1 · · Score: 2

    Any information needed to make a purchase is stored. Typically up until now it has been CC# and exp date. As you mentioned, more information is being required now to make the same purchase.

    However, for one click shopping, etc. that many online retailers have (where no signature is required or signature is on a digital pad), they still have to store all that extra information, because it's needed to authenticate the purchase. So when anyone stumbles across your database, they still have the access to the information they need, they just need to grab 5 columns instead of 2.

    The only method you mentioned that would solve this is faxing the signatures. And if the signature is digital (UPS, MicroCenter, etc), it's probably stored as a LOB in the database in a picture format anyway, and the Hacker now has a printable version of your signature. Also, most e-tailers don't have your signature because it's impractical to get it from you. Remember, just because your CC was stolen from somewhere that needs a signature, it can still be used somewhere that doesn't.

    --
    - Sig
    1. Re:Yes it is, and here's why by Anonymous Coward · · Score: 0

      So you're saying that the Disney people collect your billing address and SSN at the point of sale, when you charge a hot dog to your credit card? Didn't think so.

    2. Re:Yes it is, and here's why by chainsaw1 · · Score: 1

      I'm saying that if, in order to get the credit card vendor to let you charge a customer for a hot dog you need to get their SSN, then that SSN will be recorded with the other information.

      It doesn't matter how many pieces of information are required to confirm a credit sale, all those pieces have to be stored so they can be passed on to MasterCard or whoever. And since they are stored, they can be accessed.

      Does _all_ the information for the sale need to be stored? Probably not, but merchants tend to do it anyway in case there is an issue with the billing or for one-click shopping (or, in Disney's case, room-card-swipe shopping)

      --
      - Sig
  65. DMCA + DECSS + Disney.... by Anonymous Coward · · Score: 0

    I have a plan....
    Great idea to have fun w/ their networks.
    Alter the headers in the packets to contain DeCSS (now shortened to a few lines).... Love to see the looks on their eyes when they have their own Trademarked material floating through the air....

  66. Wouldn't the request just timeout? by Nerftoe · · Score: 1

    ping: unknown host johny.doe.disneyland.disney.com

    If johny doe was lost, wouldn't the ping request just timeout?... because when they put the "tracking shirt" on the kid, they would need to put in a dns entry of johny.doe.disneyland.disney.com which is bound to the ip address on the shirt-device. Therefore, the host would be known, but would time out because the kid is out of the park. Right?

    1. Re:Wouldn't the request just timeout? by led · · Score: 1

      # traceroute johny.doe.disneyland.disney.com
      traceroute to johny.doe.disneyland.disney.com
      1 gw.helpdesk.disneyland.disney.com 0 ms 0 ms 0ms
      2 air50.wireless.disneyland.disney.com 20 ms 15 ms 15ms
      3 shrederroom.wireless.disneyland.disney.com 100ms 70ms 200ms
      4 johny.doe.disneyland.disney.com 90ms 232ms 156ms

      ops we got a problem

  67. They'll have security by LinuxHam · · Score: 2

    There's no way that Disney wouldn't take network security VERY seriously for this project. Although it does make me a bit nervous they placed so much emphasis on the 128-bit encryption.

    I tcpdumped about 10 megs of data snarfed from the most wirelessly connected university in America, and besides broadcast queries for NT servers and floods of IPX SAP frames coming from network printers, the *only* packet of interest I got was the output of a finger some guy ran against his own OpenBSD box on campus. And I later found plenty of security-related posts from this guy on usenet, too. How's that for irony?

    I went home and reviewed web pages describing their security infrastructure due to the weakness of 802.11b, and it was very intense. Beyond Kerberos. If Disney's doing this specifically to mobilize credit card readers, I've gotta say that wireless has been weakened long enough for them to not have any excuse to do it right.

    Not to mention, with IBM's Tomorrow World being such a big hit in Epcot (and Disney closing DIG, their Internet venture), I'm SURE we had something to do with their planning and deployment. And I totally agree with the others who have said that enabling wireless PDA's such as line checking, maps, and restaurant reservations.

    --
    Intelligent Life on Earth
  68. What equipment? by spoggle · · Score: 1

    Does anyone know what brand of radios & APs they're using?

    1. Re:What equipment? by Anonymous Coward · · Score: 1, Funny

      their best bet would be breezecom equipment, since most of it is not compatible with other cards/ap's

  69. heh by British · · Score: 2

    Great, instead of war driving, people will be doing war riding on "It's a small world after all".

  70. Why should Disney care what I do? by jabber01 · · Score: 2

    If I've already paid admission, and can't get knick-knacks and food from anywhere but their shops, why should Disney care if I come for the attractions, or the Wireless?

    After I've bought my ticket, I'm IN the park. IIRC, the rides don't cost anything but time after that. I'd much rather check tomorrow's weather on my Pilot, plan out my next day at Epcot while in line at Magic Kingdom's Pirates of the Caribbean, and just shoot out a quickie "Wish you were here" email over lunch, than have to wait until I get home to do these things.

    It's not about 'enjoying the park'. It's about the cost of providing the additional service. It's always about the MONEY. This is DISNEY people.. They have a Copyright on FUN, remember?

    --

    The REAL jabber has the user id: 13196
    What you do today will cost you a day of your life

  71. Is this true or an urban legend? by Anonymous Coward · · Score: 0

    I spent three days underground in Epcot, and I saw a janitor smoking and a manager-type politely asked, "Hey, could you do me a favor? Could you put that out please?" My guess is that although smoking is allowed in rest areas, that people in costumes would not be smoking.

    Here is what a quick web search shows:

    • Reports:
      "I never thought I would recover from seeing Snow White smoking behind the fence" view
      "I once saw Snow White backstage smoking her cigarette and snarling: "Well tell the kid to fuck off, I'm on my break." view
    • Contrapositive:
      "Walt Disney made sure that Disneyland visitors would never turn a corner in Fantasyland to see Snow White smoking a Virginia Slim" view
    • Fiction:
      "Standing off to one side, Snow White watched the scene in obvious disgust, chain-smoking one unfiltered Camel after another." view
    1. Re:Is this true or an urban legend? by infinite9 · · Score: 2

      In this case, I saw it first hand. But I'm not surprised this is the kind of thing that ends up as urban legend. Disney is often the target of urban legends. There is a lot of silliness that goes on at disney though. Employees (I mean cast members) have been scolded for referring to people in mickey mouse costumes. That actually is Mickey Mouse! My step father was an architect for disney for 25 years. My mother was a secretary for disney for 9 years. I saw the light after only 8 months. In disney, they call it pixey dust. It's like a magic brainwashing dust that gets sprinkled on you when you arrive at work. You're supposed to believe you're in another world while working. It's the only job I've ever had where I was ordered to smile.

      --
      Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
  72. FIRST by lostchicken · · Score: 1

    The US FIRST Robotics national competition is in EPCOT.

    Boy, we're gonna have a field day with this ;-)

    --
    -twb
    1. Re:FIRST by LOWORBIT · · Score: 1

      Ya it should be a great year. I know I'll be dragging a laptop with an 802.11b card with me to nationals, maybe 802.11a will be out by then, ah wishful thinking...

  73. Meatspace is different by Walter+Bell · · Score: 0

    But what you're forgetting is that while it may be easy to get a couple dozen card numbers off of alt.2600.hackerz, it's pretty hard to forge an actual card unless you're in cahoots with the cashier. (which leaves a trail that somebody will eventually follow if you card enough stuff.) Ever wonder why the register asks you for the last 4 digits of the account number? It's so that scammers can't rewrite the magstripe on an existing card with a "custom" account number.

    So you can sniff Disney's 802.11b network and get a bunch of (account, expiration date) tuples that you can't use anywhere, or you can pick pockets to steal cards that you can use offline. The former is scalable but unprofitable. The latter is profitable but not scalable.

    Banks learn from their mistakes pretty quickly. Don't be surprised if POS terminals start getting retrofitted so that a PIN is required for credit purchases as well as debit purchases, in the next few years.

    ~wally

    1. Re:Meatspace is different by vsync64 · · Score: 1
      Ever wonder why the register asks you for the last 4 digits of the account number?

      Ours don't.

      It's so that scammers can't rewrite the magstripe on an existing card with a "custom" account number.

      But yes, I understand the reasoning behind such precautions.

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    2. Re:Meatspace is different by Anonymous Coward · · Score: 0

      I've been noticing that the "last 4" trend is being reversed by many retailers. Wal-Mart and Menards don't even look at your credit card anymore (you slide it yourself) - and they sell some pretty expensive stuff, like electronics and power tools. Betcha somebody with a stripe writer is going to have a field day this Christmas season.
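The "last 4 digits" check discussed in the "Meatspace is different" sub-thread, written out as an added example that is not part of the original comments. It assumes the standard ISO/IEC 7813 track 2 layout and uses well-known test card numbers as constructed sample data; the function names and reason codes are hypothetical.

```python
import re

# ISO/IEC 7813 track 2: ';' PAN '=' expiry(YYMM) service-code(3)
# discretionary-data '?'. Anything else is rejected as malformed.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Constructed samples using public test card numbers (not real accounts).
GENUINE_SWIPE = ";4111111111111111=05121010000000000?"
# A stripe whose encoded number differs from what is embossed on the
# plastic (embossed ends in 1111), the case the cashier prompt catches.
REENCODED_SWIPE = ";5555555555554444=05121010000000000?"


def luhn_ok(pan):
    """Luhn checksum: catches misreads and crude made-up numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw):
    """Return the track 2 fields as a dict, or raise ValueError."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError("malformed track 2 data")
    return m.groupdict()


def mask_pan(pan):
    """Form suitable for receipts and logs: only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def check_swipe(raw_track2, keyed_last4):
    """Compare the stripe with the digits the cashier reads off the plastic.

    Returns (accepted, reason). The full PAN never appears in the reason
    string, so the result can be logged as-is.
    """
    try:
        fields = parse_track2(raw_track2)
    except ValueError:
        return False, "malformed_track2"
    pan = fields["pan"]
    if not luhn_ok(pan):
        return False, "luhn_failed"
    if not re.fullmatch(r"\d{4}", keyed_last4):
        return False, "bad_keyed_digits"
    if pan[-4:] != keyed_last4:
        return False, "last4_mismatch stripe=" + mask_pan(pan)
    return True, "ok"


if __name__ == "__main__":
    print(check_swipe(GENUINE_SWIPE, "1111"))
    print(check_swipe(REENCODED_SWIPE, "1111"))
```

The check only ties the stripe to the plastic in the cashier's hand, which is why the customer-operated terminals mentioned in the last reply lose it.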

  74. I wouldn't touch that network with mickey's dick. by _pi-away · · Score: 0, Flamebait

    Are you kidding me? It's one thing playing with those networks in normal society, in normal society there's due process. But haven't you people heard about disney jail? They can hold you there indefinitely for any reason they deem fit, that scares the hell out of me.

    --

    "The crows seemed to be calling his name, thought Caw."
  75. 802.11 != internet connection by Anonymous Coward · · Score: 0

    This is most likely an Internet connection. It has got to be a private network connection, and I'd imagine they are using something like IPSec for security, and have the network name broadcast disabled in the APs.

    As they said, they don't want people using the network for Internet access, and I see no reason why they would have Internet on this network.

  76. Don't like my capering eh? by Anonymous Coward · · Score: 0

    When you get to hell, tell them Itchy sent you!

  77. Let's hope they have repeaters by Anonymous Coward · · Score: 1, Interesting

    Otherwise there will be dead spots. Roller coasters tend to obstruct radio waves.

    When I worked at Incredible Universe before it got bought ca. 1996-1997, we had wireless "Telxon" pads that worked as portable terminals for scanning in customer orders. There were times where we would have to stand on a chair and point them at antennas to get them to work. I guess the visible metal warehouse style ceilings caused problems as well as all of the electronic stuff running.

    1. Re:Let's hope they have repeaters by LinuxHam · · Score: 2

      I have too much of a migraine to look this up right now, but there's a special coax designed for 802.11. It has holes in the shielding. Yes, it's true that there's definitely signal loss over distance down the copper, but this stuff is designed for wireless-enabling hallways and rooms separated by concrete, such as classrooms.

      You can run this stuff all along the walkways and gutters of buildings to fill in most of the dead spots in the open areas.

      --
      Intelligent Life on Earth
  78. Possible internet access on the network... by LOWORBIT · · Score: 1

    I really didn't give this much thought until I noticed somebody mentioned the FIRST competition being held in spring there. US FIRST I've been to the competition before, and they try to give internet access/network drops in the pit area for contact and information (it helped save us last year, grabbing a copy of the bot's code off our site that we forgot to bring) so I do believe we'll have indirect access to the network through wired access points. Why create another network when one's in place? So it is very possible that there is internet access on the network; also, you never know what kinda db software they're using, if they connect to a local system or a system for the three Disney parks. It would seem to me that it is highly unlikely that they don't have internet access, even if it's only for Disney exec to look at the latest people flashing at Splash Mountain -LOWORBIT

  79. Re:Good reason why they'll never offer 'Net access by Johnboi+Waltune · · Score: 1

    It was probably the goatse.cx guy with Mickey Mouse ears Photoshopped in for effect.

    --
    "The advanced societies of the future will be driven by competing systems of psychopathology." -JG Ballard
  80. Re:Well, they must not like the guy too much.... by Gannoc · · Score: 1
    Check out the scores on his recent posts.

    ;)

  81. Now -that- is comedy by Anonymous Coward · · Score: 0

    Thanks for making me laugh. The thought of shredded Johny Doe brings tears to my eyes. More food for the musk ox at Animal Kingdom, I reckon.

  82. Correction by Anonymous Coward · · Score: 0

    "Plus, it allows "cast members" to offer guests goods and services anywhere, not restricted to where the credit card machine is at." That should be "...not restricted to where the credit card machine is at, asshole." Or did you not go to Harvard?

  83. VPN over 802.11b? by nbahi15 · · Score: 1

    I wonder if they are using IPsec over the 802.11b network? I know I would.

  84. Hmph... by Svartalf · · Score: 1, Offtopic

    The anti-semitism isn't becoming.

    Do you HONESTLY think that the SS is going to chase down someone ripping people off for a couple of hundred dollars here or there?

    Besides, with the numbers, all they'll do is purchase a handful of things using a card that has some bogus name on the card that matches up with the bogus ID they have. Gasoline would be included with this because at that point they just wouldn't be caring about it (If the Secret Service were all that special (I'm not saying that they don't do their jobs- it's just that there's not all that many of them...) there wouldn't BE much credit fraud- which isn't true at all.).

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  85. Re:Good reason why they'll never offer 'Net access by tabacco · · Score: 1

    While I can't speak for Walt Disney World, Disneyland allows 'internet access' of a sort. If you head over to Innoventions in Tomorrowland, you'll find 'internet' kiosks. Unfortunately, they've ensured security by denying at the firewall level any site not on the GO network. (*.go.com)

  86. Smartcards in France. by pi_rules · · Score: 3, Interesting

    If I'm not mistaken one of the engineers of the system tried warning the French government that it was possible to make a smart-card that could be fake; i.e., not really "filled" with real money. Nobody would listen so he finally made one, bought some subway tickets and mailed them to the government proving that it could be done.

    Then they threw him in jail for stealing the subway tickets. Anybody else remember this or have more info on it?

  87. Redefines security hack by DiveX · · Score: 2, Interesting

    >They do search bags currently. ALL bags, even diaper bags.

    Maybe, but not very well. For the past three of the four times I have been there since Sept 11 (my girlfriend and I have season passes) I was able to walk around the security stands without even being noticed. I cannot, for the life of me, figure out why they search the bags, yet do nothing to search the person. A couple of shootings at Disney would demoralize the US more than shootings pretty much anywhere else. An entire AK-47 can be broken down into pieces that fit in a pants leg or under a large sweatshirt. Everything of destructive power that is carried in a bag can be carried on one's person. They are pretty clueless about technology anyway. I often take in my nightvision scope (a lot of neat things to see in Space Mountain, Spaceship Earth, and Pirates of the Caribbean) and didn't even get a second look yet they made me disassemble my Camelbak water pouch. I don't know if they would stop a laptop or not. One can claim it is for downloading pictures or showing Disney DVDs to the kids at dinner when they get tired and cranky.

    --
    Cave, wreck, and deep diver.
  88. Re:Good reason why they'll never offer 'Net access by satsuke · · Score: 1

    They sorta have public internet access .. at least in the food area of the DisneyQuest facility they have open access internet points .. using some horrible browser like thing .. think of a secured mozilla with a theme that takes 1/3 of the screen

    of course it's filtered .. no slashdot .. no newgrounds.com .. no theonion.com

    Satsuke

  89. New lyrics for Mickey Mouse club theme song by Zen+Mastuh · · Score: 2

    The inevitable consequence is that the network will be very insecure, so let us mess with the lyrics:

    "M-I-C-K-E-Y...
    Why? Because w3 0wnz0r j00!!!!"

    Well, it is a lot easier than saying "because 802.11b doesn't specify encryption at the physical level".

    --
    "What is the sound of one belly slapping?"
  90. I was just there by mr100percent · · Score: 2

    In Epcot, the small souvenir stands all had what looked like paper towel tubes wrapped in wire. Those were the 802.11 antennas, but they were there for over a year.

    In Disney/MGM, some popcorn and hotdog stands still couldn't take charge cards as of last week, so I guess it's still being rolled out.

    1. Re:I was just there by Anonymous Coward · · Score: 0

      A few weeks ago, at the Epcot Food & Wine festival, many of the streetside vendor booths were glad to take my room card for payment for food, and beverage. I also used the card at other mobile locations in Animal Kingdom, Magic Kingdom, and MGM. While I didn't look for it specifically, I seem to recall the same type of POS palmtop devices in use at some of the resorts' outdoor venues and attractions.

  91. Water parks do this now by DiveX · · Score: 1

    Obviously it is hard to carry around cash, wallets, etc in the water park. Now you can get a wristband with a barcode that gets associated with a credit card. Then you just get the armband scanned for your food/gift purchases. They will only scan intact bands and if you notice that your band is missing (it should not be too difficult) then go to the closest register and they can cancel the barcode immediately.

    --
    Cave, wreck, and deep diver.
  92. What type of services? by kr4jb · · Score: 1

    Plus, it allows "cast members" to offer guests goods and services anywhere...
    A ride with Minnie on Space Mountain... priceless.

    --
    // Alan Porter
    1. Re:What type of services? by Anonymous Coward · · Score: 0

      Give me Ariel...yerf!

  93. Done it... by brerbeaver · · Score: 1

    Guess I'm a typical Slashdotter when I say I've used my laptop at Disney World before. I'm a local and spend quite a bit of time in the parks, especially Epcot. On more than one occasion I've hauled the laptop in when it's rainy and there's not much else to do. If you look, you'll find access points at kiosks all over the place. Look harder and you'll find RJ-45 jacks too. Fear of the mouse police has stopped me from plugging in, but I must admit this article is almost an invite. Too bad I've got a Cisco Aironet card, which AirSnort doesn't support. Don't care about CC numbers, but they've got some cool stuff on the intranet. They're searching all bags after the 11th, and with this article, I don't think bringing the laptop would be such a great idea anymore. As mentioned in another comment, they used to have unrestricted access at more than one exhibit in Innoventions, including Apple. Nowadays the only way to get access there is if you know someone at the IBM exhibit. Access at the computer centers at the resorts is dialup and priced like highway robbery, though I heard they're planning to get DSL. You can get access at the Wonderland Cafe at DisneyQuest, but that's protected by MS Proxy Server. Disney's been trying out some high tech stuff recently, like palm-esque GPS navigators at Animal Kingdom and blinky LED buttons triggered by IR. Even better, they're planning interactive "Park Pal" toys, with over 100 trigger points in the Magic Kingdom alone.

  94. As for ordering bus shuttles... by Jonny+Baseball · · Score: 1

    I'm a local to WDW, and I currently am working for the mouse. I read in the article that they were saying they would use the palm pilots with networking to call up shuttles (aka buses). Well, not surprising, they tried to roll this out last spring and it failed, miserably. They started at about 8 in the morning, and within ten minutes the whole system crashed. Bus wait times went up to an hour, and several GSMs (Guest Service Managers) were promptly brought to the ground and pummeled mercilessly by guests. After a few weeks, the costs got too high so they canned all the non-essential people involved with the project. Figures.

    1. Re:As for ordering bus shuttles... by brerbeaver · · Score: 1

      Yep - they tried it with Palm VII's, and it was a nightmare. They use alpha-pagers to update the wait boards too.

  95. I would use an Internet cafe by suprax · · Score: 2

    I don't know about everyone else but when I went to Disney World a few years ago I was dying for Internet access. I had not bought my laptop then and looked everywhere for someplace to log onto the Internet while I was there. I have to be connected wherever I go and if Disney had an Internet cafe, even if the price was expensive (like everything else), I would have used it no doubt.

    Anyone else feel this way or am I just too big of a geek? :)

    1. Re:I would use an Internet cafe by brerbeaver · · Score: 1

      They've got one - the Wonderland Cafe at DisneyQuest. Food by the Cheesecake Factory, unlimited use of the terminals (provided it's not too busy), and protection by MS Proxy Server. (Some stuff is blocked) It's $30 to get in, or included with some of the more fancy passes. I had to get some directions off Mapquest the other day and stopped by DisneyQuest to use those terminals for 10 min. (Got one of the Premium Annuals, unlimited admission to everything) I'm not sure what the guy meant about no Internet cafes, they've got the DQ one, and even tried sticking pay kiosks in two places at Epcot less than a year ago. They lasted a very short while, and were pulled.

    2. Re:I would use an Internet cafe by Anonymous Coward · · Score: 0

      You can at DisneyQuest in Downtown Disney. However, the MS Proxy server they are using refused all secure connections I attempted, so it's useless for things like secure web banking, and e-commerce sites. Unless you use a web based e-mail service, you are SOL for POP/IMAP mail client services, too.

      What I really wanted was internet access via ethernet, or 802.11 in the hotel room. I wanna enjoy the park, too, but in this day and age, dialup is simply not adequate from the hotel room. WDW needs to offer at least some, if not all rooms with some business-traveler type amenities such as network connectivity.

  96. wireless network by danyol · · Score: 1

    I installed a wireless network at Palm Springs High School. It was for the portables so that they could have internet access. Downloads moved from 80-90k and it was like having wireless DSL. Security is great since they have to have the right wireless NIC in the first place, second they have to have the software installed, third they must have the encryption code, and fourth they must have Internet Explorer properly configured to even access the internet. It's great walking around with a laptop and still being connected. I even did all the hardware install myself and lined up the shotguns with a laser pen light from Radio Shack and got a 94% signal strength which is 14% higher than real world situations. It's been up for a little over a year now and is still working with maximum efficiency. It's not hard to set up either; in fact since it's wireless I'm pretty sure the guy who installed it at Disneyland probably thought it was a snap. You just need power and a place to mount it. There are a few more steps to it but it's a piece of cake. And once you have it set up right everyone is a happy camper. If you want to set this kind of stuff up you can practically go down to Best Buy and CompUSA and buy the equipment for your home. Although the professional equipment is better quality and usually state of the art, it's still the same concept. If you set it up at home you would say is that all there is to it. Plus at Disney World they probably didn't want to tear up the ground and buildings to install a regular network. Wireless is a way cheaper solution because you save a ton of money on labor. It probably cost them 1/4 of what it would cost if they did a regular network since cat5 only goes 333 ft. max even though I've gotten it to go a lot farther. And fibre optics is way too expensive.

  97. security by danyol · · Score: 1

    Look guys, first someone is going to have to pay to get into the park and walk around everywhere suspiciously even to find out what equipment they are using. I would put it up in the ceiling out of sight myself. Then they need the software. And while there they would have to find out what software they use and break the encryption code, then once they did that then they might have a chance. I personally wouldn't waste my time and money doing that. I'd rather be enjoying myself. If I wanted to get into their system I would do it from home. Anyways a wireless network isn't any more secure than walking up to a free RJ port and connecting your laptop and messing around.