Slashdot Mirror


Disney World Goes 802.11b

LighthouseJ writes "Over at CNN they report that Disney World in Florida has a 47-square-mile 802.11b wireless LAN through the park with 200 access points. The move comes after visitors' complaints that they couldn't use credit cards at every place in the park. Plus, it allows "cast members" to offer guests goods and services anywhere, not restricted to where the credit card machine is at. The man responsible, Murshid S. Khan, Director of Telecommunications and Technology Support, sees this as a valuable technology, citing mobility and flexibility as the main reasons for the switch. Khan goes on to say that the system is protected by a 128-bit encryption scheme and software installed to detect intrusions. When he was asked if visitors will have access to the wireless network, CNN quotes him as saying: 'We need you to come to the park and enjoy the park,' he said. 'If we start opening Internet cafes, you won't do that.' He's a smart man." So, running AirSnort wouldn't probably be the best idea? *grin*

11 of 250 comments

  1. If they're smart, it won't be IP... by rekoil · · Score: 3, Insightful

    or at least, if it /is/ an IP network, each device will be a VPN client. I would presume Disney has enough money to hire people smart enough to not depend on WEP for security.

    Then again, larger companies have done dumber things...

    -C

  2. Re:Things the visitor can do besides surf the web by jmauro · · Score: 4, Insightful

    I don't think that you can surf the web. Just because they use Ethernet and IP does not mean that they are connected to the Internet at large. Taking into account that this system handles lots of credit card orders (even encrypted) it would make more sense if the entire system was on its own isolated network.

  3. Scale is *the* problem by john@iastate.edu · · Score: 3, Insightful

    It's a lot harder to do something for 150,000 people at a time than 150.

    It's not just a matter of buying 1000 whatevers that worked for the guy doing it for 150.

    --
    Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra

  4. Not a worthwhile target by Walter+Bell · · Score: 0, Insightful

    Credit card numbers alone are not as useful as they used to be for scam artists. Nowadays, in order to do anything useful with a CC#, a thief will need:
    • The billing address of the card to do any sort of mail order / online purchase.
    • The cardholder's signature. Often merchants will want a faxed copy of the sig (and maybe a xerox of the card) for ordering laptops and other valuables. And that's when they're shipping to the cardholder's home address.
    • The 3-digit validation code from the back of the card. Paypal, C2IT, and most "online cash" places demand it now; many merchants do as well.
    • The cardholder's SSN, MMN, and DOB. In order to make any changes to the account (like adding extra addresses), they will need to authenticate themselves.

    Credit card fraud is substantially less profitable now than it was 15 years ago when I did it. Back then, you could buy a new computer over the phone with a number that Credit Master spit out. Merchants have wised up now. (The thing I wonder about is why the banks' interest rates have gone up since then. No offense intended, but it's probably just a greedy jew thing.) Nowadays it's easier to steal money by hijacking PayPal accounts from Sircam-0wned machines and defrauding other online payment systems.

    ~wally

    1. Re:Not a worthwhile target by Dimwit · · Score: 0, Insightful

      "No offense intended, but it's probably just a greedy jew thing." - And I'm not supposed to take offense at that? What the bloody hell?

      Sorry, this is totally off-topic...but I had to say something. Well, that and that this post has been modded up...ah, well. Nothing I can do - I chose not to moderate. Hopefully for obvious reasons. :)

      --
      ...but it's being eaten...by some...Linux or something...

  5. CNN lies, it's not a 47 square mile cloud by SkywalkerOS8 · · Score: 5, Insightful

    Only about 35% of the 47 square miles owned by The Walt Disney Company in Central Florida is developed. I highly doubt they went through the expense of creating a WLAN cloud that covers marshland. I doubt that even the hotel resort properties are covered either. It's probably only the 4 theme parks, the 3 water parks, Downtown Disney and maybe Fort Wilderness near Pioneer Hall. That drops the square mileage significantly. Even with the hotel areas it's only a fraction of 47 square miles. I really hate bad reporting.

  6. Eventually a cash-less park? by acroyear · · Score: 4, Insightful

    Disney could eventually use this to lead to a 100% cashless park (increasing patron safety in the long run -- less need for cash might lead to less to gain for purse-snatching).

    Yes, we all agree that this network may be risky for transferring credit card info around, but they could over time move to a "disney dollar" card, where you pre-load the disney card with your credit card as you enter or on the phone or whatever, then use that disney card within the park grounds to buy whatever. Disney can then provide insurance against fraud against that card instead of worrying about being liable against Visa and AmEx in the case of number theft over the airwaves...

    The other advantage is that Disney's own systems could authorize the sale over the Disney card instead of having to send out to a Visa/MC/AmEx authorizer off site -- it would be considerably faster that way (since the system could be built up front to support the average # of visitors on site), especially during holiday seasons...

    Just a thought...

    --
    "But remember, most lynch mobs aren't this nice." (H.Simpson)
    -- Joe

  7. If rather than when by ackthpt · · Score: 2, Insightful

    I wouldn't bet my credit card number on it not being cracked, but at the least they do seem to be thinking forward on security, by detecting attempts to access their network.

    If you were planning to crack a network and steal purchase information, there are easier places, like dumpster diving, as I still see the occasional receipt with full number and expy on it blow down the streets with other stray litter.

    --

    A feeling of having made the same mistake before: Deja Foobar

  8. Cracking the Protocol... by Orne · · Score: 4, Insightful

    Since you posted that AirSnort link, I was curious, so I popped over to sourceforge and downloaded it. Part of their documentation says: "For a key length of 128 bits, this translates to about 1500 packets." then it goes on to describe how you can search for certain constants (starts with 0xAA, etc) within the packet to see which random keys were successful. Interesting stuff, and definitely a clever way to decode: thanks to flaws in the logic, every bit rate can be reduced to 8-bit encryption.

    However, once you've collected your packets and broken the key, you now have a decoded packet. Well, what does that mean? You have the framing information (packet length, header) and the message body (which is just raw data).

    I'd bet a 7-day park-hopper pass that the data in the packet's body is encrypted a second time with a more reliable scheme. If there's one thing Disney knows how to do well, it's make money, and they can't risk the bad PR for this to foul up.

  9. Re:I want to know... by Anonymous Coward · · Score: 1, Insightful

    Damn straight. Disney World needs military grade encryption and 100% reliability, with multiple redundant systems, all so people can get a yogurt at the kiosk with a credit card. They really need to hire groups of roving "spook patrols" that conduct sigint sweeps of the park, and do cavity searches on all guests so nobody pulls the prank you've suggested.

    Geez. Get a life. The "trash disruptor" you suggested would work at best until the next trash removal cycle--usually about 3 hours in the sparkling Disney city.

  10. Re:Probably more protection than WEP by Dudio · · Score: 2, Insightful

    Good points. I'd forgotten that the decryption vulnerability is based on the assumptions of weak IV generation and a fixed keystream. My apologies - it's been a while since July ;)

    > If you use the right hardware and configure it correctly 802.11 is as secure as a wired LAN

    I think this is what you meant, but "correct configuration" in this context generally means walling off wireless portions of the network in the same manner as you wall off the internet. By treating the 802.11 segment(s) as potentially insecure, you can maintain your overall security posture.