Disney World Goes 802.11b
LighthouseJ writes "Over at CNN they report that Disney World in Florida has a 47-square mile 802.11b wireless LAN through the park with 200 access points. The move comes after visitors' complaints that they couldn't use credit cards at every place in the park. Plus, it allows "cast members" to offer guests goods and services anywhere, not restricted to where the credit card machine is at. The man responsible, Murshid S. Khan, Director of Telecommunications and Technology Support sees this as a valuable technology, citing mobility and flexibility as the main reasons for the switch.
Khan goes on to say that the system is protected by a 128-bit encryption scheme and software installed to detect intrusions.
When he was asked if visitors will have access to the wireless network, CNN quotes him to say: 'We need you to come to the park and enjoy the park,' he said. 'If we start opening Internet cafes, you won't do that.' He's a smart man." So, running AirSnort wouldn't probably be the best idea? *grin*
Before they get cracked and decide this was not a good idea?
Do really dense people warp space more than others?
If they only have WEP, I won't spend a dime there. But I bet they are not dorks, they probably have everything done over a real encryption scheme
-- Who is the bigger fool? The fool or the fool who follows him? --
How long before that network is compromised? In a matter of days people will probably know what websites Mickey has been to (www.nakedmice.com) or what Mickey purchases online. (Probably Real Dolls )
--
FearLinux.com
There are things the user could use besides surf the web. For instance, a little app on your wireless device that let you check the length of lines at the rides, the reservations at a restaurant etc.
Still, just as is, it is cool.
Sweet! Streaming porn while you whirl till you hurl!
or at least, if it /is/ an IP network, each device will be a VPN client. I would presume Disney has enough money to hire people smart enough to not depend on WEP for security.
Then again, larger companies have done dumber things...
-C
"We need you to come to the park and enjoy the park"
;)
Imagine your laptop in one hand, some candy in the other one and getting chased by 23 security officers running over and knocking down mickey and his fellows...
I'm sure this scene is going to make it into "password: swordfish 2"
this sounds like a big heap of enjoyment to me
2 million credit card numbers stolen from disney world by 12 year old with laptop...
They say they have "software" that detects intrusions. That doesn't seem to imply much about tracking you down to the square foot.
OTOH, I don't recall ever seeing a laptop, so you'll stick out like a sore thumb unless you're in the bathroom with a PDA.
They do search bags currently. ALL bags, even diaper bags.
Also, there's an active Linux community among their IT people. There are definitely pockets of clue there, and it's likely that would extend to their IT security people as well.
It's not just a matter of buying 1000 whatevers that worked for the guy doing it for 150.
Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
Because I'd hate for wireless Mickey 2001 to start picking up air traffic chatter
Hi kids! I sure hope you enjoy the RED LEADER, RED LEADER THIS IS TANGO ONE. and make sure to visit our LOCKED, COCKED, AND READY TO BURN TANGO ONE, WHAT'S YOUR STATUS?
And hey, under the recent terrorism bills wouldn't that qualify Mickey as a terrorist? There's be a trial to top OJ.
Disclaimer: MINAA (Mummy! I'm Not An Animal!)
Not another wireless mouse!
Ba-dum-pa-chi! Thanks folks, I'll be here all night!
sin(6cos(r)+5A)
While on my honeymoon in DisneyWorld this year, my wife and I took quite a few of their Behind the Scenes tours. On the Epcot one, we found out why Disney will most likely never let people have 'Net access in their parks. (At least not in public places.)
Our tour guide said that they actually did have a kiosk there a few years back that let people browse the web and check their web-based e-mail. He checked on the kiosk once and found that some pervert had left up a XXX e-mail and changed the wallpaper. He wouldn't elaborate on what it was, but he said it shocked even him.
Luckily for them, they were able to remove the offensive material before anyone noticed. Still, as a place that bills itself as "family-friendly," they simply can't take the risk that it would happen again (and more high profile).
Our tour guide kept the possibility open that they would resume 'Net access with some types of safeguards against this, but no safeguard is 100%. Public Internet access is just not a high-priority item for Disney. (Believe me, there's so much to do at Disney World, that you won't have time to browse the Net.) The PR risks of another abuse far outweigh any customer gains.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Only about 35% of the 47 square miles owned by The Walt Disney Company in Central Florida is developed. I highly doubt they went through the expense of creating a WLAN cloud that covers marshland. I doubt that even the hotel resort properties are covered either. It's probably only the 4 theme parks, the 3 water parks, Downtown Disney and maybe Fort Wilderness near Pioneer Hall. That drops the square mileage significantly. Even with the hotel areas it's only a fraction of 47 square miles. I really hate bad reporting.
By definition, any given network is crackable. It's just a matter of time, right?
Here are some exploits that we can be sure of seeing in the future:
1. 'It's a Small World' animatronic dolls reprogrammed via wireless network to share their cultural feelings via a massive animatronic orgy of all nations.
2. Michael Jackson's "Captain Eo 3D" video replaced with low-quality MPEG of a video taken of what really happened at Macaulay Culkin's last birthday party.
3. Ride Space Mountain during DDOS season? Only if you're feeling suicidal. You never know when that modified Nimda worm is going to kick in.
4. Parade of Lights all flash in sequence to spell out "L33+ X1DD135 OWNZ JOO DIZNY"
5. Animatronic Abe Lincoln now shouts, "Beefcake. BEEFCAKE!!!!"
I took note of their network over a year and a half ago when I went there with my high school senior class.
/w 802.11b card and go to work.
I noticed the cash registers were connected to an 802.11b network.. also, I spotted some computers as well.
I didn't have an 802.11b card at the time, and my only laptop had suffered a terrible accident.. so I wasn't able to do any 'diagnostics', but I thought it was interesting. Maybe next time I'll bring my PowerBook
See, you don't need to worry about getting into the park with your laptop.. Because this also extends to their hotels and probably their on-site buses as well.
Yes, we all agree that this network may be risky for transferring credit card info around, but they could over time move to a "disney dollar" card, where you pre-load the disney card with your credit card as you enter or on the phone or whatever, then use that disney card within the park grounds to buy whatever. Disney can then provide insurance against fraud against that card instead of worrying about being liable against Visa and AmEx in the case of number theft over the airwaves...
The other advantage is that Disney's own systems could authorize the sale over the Disney card instead of having to send out to a Visa/MC/AmEx authorizer off site-- it would be considerably faster that way (since the system could be built up front to support the average # of visitors on site), especially during holiday seasons...
Just a thought...
"But remember, most lynch mobs aren't this nice." (H.Simpson)
-- Joe
They should rent out wireless digital cameras; whenever a pic is taken it's uploaded via 802.11 and before they leave the park, they've got prints of the family vacation.
Also a previous article said it would be used to play music around the park based on location. IMHO, kind of a waste for just CC's.
"Get them before they get....
The article doesn't say they are using tcp/ip. Doesn't look like it has internet access either. Probably requires some sort of username/password combo (possibly built into the devices) to log on to the LAN. If the encryption is properly implemented (a big if) it could be very secure.
Best Slashdot Co
I've been there multiple times over the course of the year (annual passes are great things) and I remember the kiosks the guide was talking about. They were still up the last time I was there, but they were whitelisted. Meaning that only the websites that Disney had approved were allowed, anything else not on their list was automatically blocked. The whitelisting seemed to work quite well. Interestingly enough, Slashdot was readable, so I guess someone in the Internet department at WDW likes his news for nerds.
Probably some of that sick, perverted, Godless Pixar stuff. ;-)
If you were blocking sigs, you wouldn't have to read this.
If you were planning to crack a network and steal purchase information, there's easier places, like dumpster diving, as I still see the occasional receipt with full number and expy on it blow down the streets with other stray litter.
A feeling of having made the same mistake before: Deja Foobar
I wouldn't mind being able to browse the Net while standing in line. Hell, even surfing through a white-list filter would be better than nothing.
There's many places in Europe, companies - especially courier services etc. - use either wireless LAN enabled credit card machines, or GSM based ones, depending on the range they need to cover. It's been quite common for several years.
(Believe me, there's so much to do at Disney World, that you won't have time to browse the Net.)
And here I am thinking that the best way to while away those 1-2 hour waits in line for all the most popular attraction would be with Unreal Tournament or Q3Arena. If lag became an issue because of the sheer number of devices and users drawing bandwidth, you could always play something turn-based, like CivNet.
Unless they're using IPSec or something like it, they're vulnerable. WEP doesn't secure worth spit even with 128 bits because they implemented the whole protocol as an insecure system. Also of note is the fact that there is pretty much no commercial IDS software that would effectively catch someone doing something bogus in time to find them in a wireless context.
It's pure bravado that bases their claims of security- unless they have a security staff sweeping the entire park with DF gear, they're NOT going to catch anyone doing something illegitimate on their WLAN.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
With the electronic transactions that we have nowadays, you're going to see less and less of that sort of thing being possible. They're going to resort to snooping WLANs like Disney is setting up if they can. Sad thing is, they claim it's 128 bit encrypted- is that WEP or IPSec? If it's WEP, they might as well be broadcasting in the clear.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Since you posted that AirSnort link, I was curious, so I popped over to sourceforge and downloaded it. Part of their documentation says: "For a key length of 128 bits, this translates to about 1500 packets." then it goes on to describe how you can search for certain constants (starts with 0xAA, etc) within the packet to see which random keys were successful. Interesting stuff, and definitely a clever way to decode: thanks to flaws in the logic, every bit rate can be reduced to 8-bit encryption.
However, once you've collected your packets and broken the key, you now have a decoded packet. Well, what does that mean? You have the framing information (packet length, header) and the message body (which is just raw data).
I'd bet a 7-day park-hopper pass that the data in the packet's body is encrypted a second time with a more reliable scheme. If there's one thing Disney knows how to do well, it's make money, and they can't risk the bad PR for this to foul up.
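An added example, not part of the comment above and not AirSnort code: a minimal model of WEP framing showing what a passive listener sees, namely the cleartext IV and, because the payload starts with the known 0xAA LLC/SNAP byte, the first RC4 keystream byte. It goes slightly beyond the comment by also showing that two frames sharing an IV leak the XOR of their plaintexts; the key, IV and payloads are constructed sample values.

```python
import zlib

SNAP_FIRST_BYTE = 0xAA  # first byte of the LLC/SNAP header on 802.11 data frames


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):  # output generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_seal(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """IV (clear) || key-id || RC4(IV || secret) XOR (payload || CRC-32 ICV)."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV and a 5- or 13-byte secret")
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + b"\x00" + xor(body, rc4(iv + secret, len(body)))


def wep_open(secret: bytes, frame: bytes) -> bytes:
    """Decrypt a frame and verify its ICV; raise ValueError on mismatch."""
    iv, ct = frame[:3], frame[4:]
    body = xor(ct, rc4(iv + secret, len(ct)))
    payload, icv = body[:-4], body[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def observer_view(frame: bytes):
    """What a listener without the secret learns from one frame:
    the cleartext IV and the first keystream byte (ciphertext XOR 0xAA)."""
    return frame[:3], frame[4] ^ SNAP_FIRST_BYTE


def same_iv_leak(frame_a: bytes, frame_b: bytes):
    """If both frames used the same IV, the keystream cancels and the
    XOR of the two plaintext bodies is exposed; otherwise return None."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[4:], frame_b[4:])


# Constructed sample values (not from any real network).
SECRET = bytes.fromhex("00112233445566778899aabbcc")  # 13 bytes = 104 secret bits
IV = bytes.fromhex("010203")                          # 24 bits, sent in the clear
LLC_SNAP = bytes.fromhex("aaaa030000000800")
PAYLOAD_A = LLC_SNAP + b"constructed payload A"
PAYLOAD_B = LLC_SNAP + b"constructed payload B"
FRAME_A = wep_seal(SECRET, IV, PAYLOAD_A)
FRAME_B = wep_seal(SECRET, IV, PAYLOAD_B)  # IV reused on purpose

if __name__ == "__main__":
    iv, ks0 = observer_view(FRAME_A)
    print("IV seen on the air:", iv.hex(), "first keystream byte:", hex(ks0))
    print("secret bits in '128-bit' WEP:", len(SECRET) * 8)
    print("leak from IV reuse:", same_iv_leak(FRAME_A, FRAME_B).hex())
```

If the payload inside the frame is itself ciphertext from a second layer such as a VPN, `wep_open` returns only that inner ciphertext, which is the case the comment is betting on.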
"The man responsible, Murshid S. Khan, Director of Telecommunications and Technology Support"
I graduated UCF with my Computer Engineering Degree in 2000. For our senior design projects, Disney came and solicited us heavily to work on their projects. Free labor, helping a poor college student out with an idea, free labor, did I mention free labor. This project along with several others were mentioned. My comments regarding network security concerns were treated as pessimism. Needless to say I did not lend my time for Disney's free labor.
~ fact is not dependant upon your belief therein. ~ ~ Have I therefore become your enemy because I tell you the truth?
Residing in Europe for some time now (hmm, since I was born ? 8) I can tell you this is old stuff.
Every (most) credit card has been a smartcard for 15 years in France. The credit card machine is in fact an autonomous code checker. It won't transmit your code on the air, but checks it locally, then makes a confirmation number that encrypts the acceptation code and your card references.
This number is either sent remotely for acceptation by the central bank computer (above $500) or just locally accepted if the amount is small.
Those devices existed before in infrared transmission, and now use a local radio link.
This allows a faster and more secure way than just the stupid magnetic strip...
Hoping to read from you 8)
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
I could see a "Disney" card where you can charge it up w/Cash value and use it like a credit card- with the ability to get a cash refund/credit for anything not used when you leave the park. Otherwise, it's no different than those gift cards Wal-Mart, Target, etc. are selling.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Interesting that slashdot made it to the white list. It may be that bad images may not make it through, but with some of the comments and ASCII art trolls, I'm surprised Disney was willing to risk it..
XML is like violence. If it doesn't solve the problem, use more.
It's got vulnerabilities, just like WEP does- just not as exploitable. For a small subnet (and this constitutes that...) SSL's only moderately secure- because an attacker will know up-front that there's financial stuff predominately on this WLAN. If you're in on WEP, then you can then snoop for SSL weaknesses without them knowing, etc. If they're relying on most of the encryption techniques out there, it'll keep most of the script kiddies from pulling something off- but nobody else.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
The last time I was in a Disney Store I noticed that they sell gift cards, accepted only at Disney Stores, that you can load with any amount up to $500. (These are similar to the ones most major chains sell these days, from B. Dalton to Target.) I forgot to ask whether they were accepted at the parks, but it wouldn't surprise me, since in some ways Disneyland is the world's biggest Disney Store.
It doesn't seem like it would be that difficult to adapt the cards to the technology. In fact it would make some things easier -- include a card on the back of each Annual Pass, for instance, and the passholder would automatically get their 10% discount on park purchases, plus they'd be more likely to store money on the card (which of course could only be used to buy stuff from Disney).
As good as Disney is at extracting money from patrons, this seems like a natural for them.
Someone you trust is one of us.
All you need to do is monitor the ethernet frames or whatever else is coming in on the RF modem. All using a goofball protocol does is ensure that script kiddies don't get in on first base of hacking the net.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Don't assume that just because you were never bored, ON YOUR HONEYMOON I might add!, that nobody else is never bored either, or never has other reasons to remain connected. Besides the obvious down time in lines, at meals, etc., there's the fact that some people have older relatives near death, younger relatives near childbirth, etc. You can't put your life on hold, and carrying celphones everywhere is not always an option.
As for the kiosk abuse, that's completely irrelevant when you're talking about people using their own wireless devices. Think anyone is going to leave an expensive laptop or PDA lying around? If they keep it with them, then it's easy to identify the person responsible for the images.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
More info to be found at http://www.computerworld.com/storyba/0,4125,NAV47_STO65816,00.html . They mention that it involves "128 bit encryption", which certainly leads one to think 128b WEP, but remain cagey about further security- I'll wager VPN. One thing that did catch my eye was the guest tracking. They propose the innocuous example of insuring guests have all returned to a cruise ship- but I think that sets a dangerous precedent...
;)
Anyone else see Westworld/Futureworld?
Thermowax
People really have no clue about how to secure wireless networks.
I'm sitting here typing this while I wait for Jim "Open Source is Un-American" Allchin to deliver the keynote at the Windows Embedded Developers Conference. I have already found one guy on the un-WEPed 802.11b network with his C: drive mapped as \\steven2\c
--
E_NOSIG
While working for the rat-king a number of years ago, I went to lunch in the cafeteria under the magic kingdom. I walked in and saw Snow White, in complete costume and makeup, sitting on her boyfriend's lap smoking a cigarette.
:-D
Maybe Snow can start taking credit cards to turn tricks in the alleys of main street.
Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
Nobody asks for a signature for mailorder or online purchases- how would they DO that.
While it isn't done often, it does happen.
They do it by fax machine or snail mail, and it's a real PITA, especially when you don't have a fax machine.
I bought a MC218 (Psion 5mx copy) from Expansys in the UK, and they had me fax over a signed photocopy of my card and my driver's license before they'd run my order.
Not sure if they do this for all orders or just for international ones tho.
C-X C-S
Any information needed to make a purchase is stored. Typically up until now it has been CC# and exp date. As you mentioned, more information is being required now to make the same purchase.
However, for one click shopping, etc. that many online retailers have (where no signature is required or signature is on a digital pad), they still have to store all that extra information, because it's needed to authenticate the purchase. So when anyone stumbles across your database, they still have the access to the information they need, they just need to grab 5 columns instead of 2.
The only method you mentioned that would solve this is faxing the signatures. And if the signature is digital (UPS, MicroCenter, etc), it's probably stored as a LOB in the database in a picture format anyway, and the Hacker now has a printable version of your signature. Also, most e-tailers don't have your signature because it's impractical to get it from you. Remember, just because your CC was stolen from somewhere that needs a signature, it can still be used somewhere that doesn't.
- Sig
What would a thief do with several hundred dollars worth of gas?
One of my friends lost one of his credit cards. He reported it as soon as he realized it, but not before the person who found it apparently called all his friends and relatives and they all had a 'free fill-up' party with it. The dude then went and bought a few PlayStations, I think in a Funcoland. There were a few other odd purchases, but I think the CC company finally put a halt on the card when dude tried to buy a computer somewhere.
Nothing could really be done about the pay-at-the-pump gas station, but the stores should have at least matched the signature on the card to the signatures on the receipts. My friend got back copies of the thief's receipts and the times they forged my friend's signature on them, the signatures were not even CLOSE. A few times the thief just signed another arbitrary name. Even so, the purchases sailed through no problem until the CC company's computers apparently noticed an aberration from the normal buying patterns on that card.
Fortunately, the CC company ate the costs instead of sticking them on my friend, but he had to fight like hell for a while to get them to do it.
~Philly
Heck, my card isn't even signed. Maybe one out of every 20 merchants actually asks to see my driver's license to verify my name with a photo, the rest just don't care. It says right on the card "don't accept this without a signature". Sigh. Lazy workers'll get you every time.
There's no way that Disney wouldn't take network security VERY seriously for this project. Although it does make me a bit nervous they placed so much emphasis on the 128-bit encryption.
I tcpdumped about 10 megs of data snarfed from the most wirelessly connected university in America, and besides broadcast queries for NT servers and floods of IPX SAP frames coming from network printers, the *only* packet of interest I got was the output of a finger some guy ran against his own OpenBSD box on campus. And I later found plenty of security-related posts from this guy on usenet, too. How's that for irony?
I went home and reviewed web pages describing their security infrastructure due to the weakness of 802.11b, and it was very intense. Beyond Kerberos. If Disney's doing this specifically to mobilize credit card readers, I've gotta say that wireless has been weakened long enough for them to not have any excuse to do it right.
Not to mention, with IBM's Tomorrow World being such a big hit in Epcot (and Disney closing DIG, their Internet venture), I'm SURE we had something to do with their planning and deployment. And I totally agree with the others who have said that enabling wireless PDA's such as line checking, maps, and restaurant reservations.
Intelligent Life on Earth
Great, instead of war driving, people will be doing war riding on "It's a small world after all".
If I've already paid admission, and can't get knick-knacks and food from anywhere but their shops, why should Disney care if I come for the attractions, or the Wireless?
After I've bought my ticket, I'm IN the park. IIRC, the rides don't cost anything but time after that. I'd much rather check tomorrow's weather on my Pilot, plan out my next day at Epcot while in line at Magic Kingdom's Pirates of the Caribbean, and just shoot out a quickie "Wish you were here" email over lunch, than have to wait until I get home to do these things.
It's not about 'enjoying the park'. It's about the cost of providing the additional service. It's always about the MONEY. This is DISNEY people.. They have a Copyright on FUN, remember?
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
I have too much of a migraine to look this up right now, but there's a special coax designed for 802.11. It has holes in the shielding. Yes, it's true that there's definitely signal loss over distance down the copper, but this stuff is designed for wireless-enabling hallways and rooms separated by concrete, such as classrooms.
You can run this stuff all along the walkways and gutters of buildings to fill in most of the dead spots in the open areas.
Intelligent Life on Earth
In this case, I saw it first hand. But I'm not surprised this is the kind of thing that ends up as urban legend. Disney is often the target of urban legends. There is a lot of silliness that goes on at disney though. Employees (I mean cast members) have been scolded for referring to people in mickey mouse costumes. That actually is Mickey Mouse! My step father was an architect for disney for 25 years. My mother was a secretary for disney for 9 years. I saw the light after only 8 months. In disney, they call it pixey dust. It's like a magic brainwashing dust that gets sprinkled on you when you arrive at work. You're supposed to believe you're in another world while working. It's the only job I've ever had where I was ordered to smile.
Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
If I'm not mistaken one of the engineers of the system tried warning the French government that it was possible to make a smart-card that could be fake; ie: not really "filled" with real money. Nobody would listen so he finally made one, bought some subway tickets and mailed them to the government proving that it could be done.
Then they threw him in jail for stealing the subway tickets. Anybody else remember this or have more info on it?
>They do search bags currently. ALL bags, even diaper bags.
Maybe, but not very well. For the past three of the four times I have been there since Sept 11 (my girlfriend and I have season passes) I was able to walk around the security stands without even being noticed. I cannot, for the life of me, figure out why they search the bags, yet do nothing to search the person. A couple of shootings at Disney would demoralize the US more than shootings pretty much anywhere else. An entire AK-47 can be broken down into pieces that fit in a pants leg or under a large sweatshirt. Everything of destructive power that is carried in a bag can be carried on one's person. They are pretty clueless about technology anyway. I often take in my nightvision scope (a lot of neat things to see in Space Mountain, Spaceship Earth, and Pirates of the Caribbean) and didn't even get a second look yet they made me disassemble my Camelbak water pouch. I don't know if they would stop a laptop or not. One can claim it is for downloading pictures or showing Disney DVDs to the kids at dinner when they get tired and cranky.
Cave, wreck, and deep diver.
The inevitable consequence is that the network will be very insecure, so let us mess with the lyrics:
Well, it is a lot easier than saying "because 802.11b doesn't specify encryption at the physical level".
"What is the sound of one belly slapping?"
In Epcot, the small souvenir stands all had what looked like paper towel tubes wrapped in wire. Those were the 802.11 antennas, but they were there for over a year.
In Disney/MGM, some popcorn and hotdog stands still couldn't take charge cards as of last week, so I guess it's still being rolled out.
I don't know about everyone else but when I went to Disney World a few years ago I was dying for Internet access. I had not bought my laptop then and looked everywhere for someplace to log onto the Internet while I was there. I have to be connected wherever I go and if Disney had an Internet cafe, even if the price was expensive (like everything else), I would have used it no doubt.
:)
Anyone else feel this way or am I just too big of a geek?