Airports As Secure As 802.11b
INO_Fiend writes: "SF Gate is running a story about how at both Denver and San Jose Int'l American Airlines has been using unencrypted wireless to connect the curb check-in with the rest of their networks. They tested this by grabbing a laptop and hanging around the airport. I guess I might finally have something to do with a laptop and a WiFi card the next time I fly..."
I've been reading slashdot for a very long time, but lately more and more "slashdot sucks"/"die slashdot die" posts turn up here and they don't even get modded down to -5 immediately. I can't stand this anymore.
Slashdot was the best news site for geeks on the internet for years, is the best now and will be the best in the next 10 years. Some points are usually criticized about slashdot and I'll discuss them now and show how these "critics" are all just crackpipe rants.
- Some people rant about the "low quality" of slashdot but this is nonsense. Slashdot features interesting and high level topics. If you don't agree you are either too stupid to understand the stories posted here or you are some artsy-fartsy ivory-tower scientist who has no clue what's going on in the real world and occupies himself all the time with useless artificial academic problems.
- Some people rant about the missing "originality" of the stories, because slashdot summarizes the stories of other sites and posts the summaries here. Firstly there is always a link to the original story, so this "stealing content" argument is all nonsense. Secondly the summary enables you to discuss the topic without chewing through a long boring, artsy-fartsy article of e.g. the N.Y. Times. Thirdly slashdot collects information from all different sites a normal geek would never visit, because e.g. they want some privacy tainting "free" registration (not free, because you pay with information about your social behavior) or they grossly advertise for companies like Microsoft.
- Some people rant about the spelling in the articles. This is the most anally fixated argument I ever heard. No real geek cares about your spelling. It's important what you have to say and not how you say it. And I'm sure Taco and co. would have added a spell checker to slashdot already, but every decent programmer (not VB jerks) knows how difficult it is to integrate external programs into server side perl code in a secure way (or do you want slashdot h4x0r3d ?).
- Some people rant about John Katz. This is nonsense too. John is the best column writer on slashdot. If you don't agree you are surely too stupid to understand his marvelously written articles or you envy him for his supreme literal skills. John is the only top level journalist who ever had cared about geeks and their lives. Many people rant about this hellmouth book, but don't you see that it serves to draw attention to the torture and cruelty geeks undergo in their lives because "they don't fit in" ??? I think just for his efforts to make the lives of geeks better in a cruel and heartless society he should get at least the Pulitzer prize. He also earns this prize for his high quality contributions to journalism.
- Some people rant about the hypocrisy on slashdot towards open software. But this is nonsense. Open software is much better than any form of closed software always. Because it doesn't get the support from the PR drones of big companies it can use all help it gets from everywhere. So it is 100 percent ok to be much more critical towards closed software. And being too critical is not much loss because even good closed software is just the lesser evil.
Who are these people who criticize slashdot all the time? Well I think we know them all - they are the very same bullies who tortured you in school, low brained meat-heads and trend slime. People who can't stand all people who don't fit into their shallow ideals of ideal people.
They can't stand that geeks have a safe place where they can exchange their ideas.
They can't stand that geeks earn much more and are much better off with their high level jobs as web programmers and network admins.
They can't stand that geeks have created a superior software system, GNU/Linux and *BSD, that's why they are advocating MS products.
They can't let geeks live in peace and therefore are making trouble here on slashdot.
Yes, I know this will be modded down, but I don't care about karma and like I said in the beginning there are some things which just must be said.
Changi International airport in Singapore has free access to the Internet over 802.11b in large parts of the airport. They also have modules with a bunch of power sockets and RJ45 jacks in the center of numerous desks in case you're low on power or limited to wired Ethernet.
Changi International rules in general, actually.
This is my post!
Seriously... what a lame fp... you should have used the words nigger and kike a lot more
I must burn in hell, suffer and pay for my sins
But Gods the one who's losing, Satan always wins!
woot
Everything's just as secure as the weakest point.
They have tons of those 5.60$ an hour minimum wage "security specialists"
I am the musician
with a pocket calculator in my hand
Kraftwerk
difficult it is to integrate external programs into server side perl code in a secure way (or do you want slashdot h4x0r3d ?).
So what? Who the hell cares? Why don't you just shut the hell up? Why are you so fond of this piece of crap? Are you getting paid by the editors? or just a fuck hole for all of them?
I guess I might finally have something to do with a laptop and a WiFi card the next time I fly...
I'm sure you are breaking a large number of laws. If not, I'm sure some bills will be sponsored in your name!
Please kids, don't try this. Messing with aircraft [anything] is a big no-no. Someone was on local TV once complaining about the airport noise level. This hillbilly said that he would shoot at a plane if they didn't stop going over his house. Stupid, stupid man. He was arrested and even served 3 days.
Reminds me of this Gallagher joke: Why don't they just give the homes by the airport to deaf people?
Get your Unix fortune now!
Some penguins have smashed my windows! What am i going to do?
Nerds should be killed! Before computers, they were left to die on the streets!
Hah... now I feel safe... my name address and phone number are flying through the air for anyone to pluck out. What ever happened to airport security?
I find it amusing that anyone can even joke about screwing around with an airport right about now.
It's not wireless, but the Las Vegas airport has these open Ethernet ports in the floor. You can walk up to them, plug in an Ethernet cable, and start prowling around the network (sniffing, going out to the Internet, etc.).
I accidentally connected to an AA wireless network in Dallas. This was way before 9/11. At first I thought it was a freebie for exec flyers, once I realized it was their business network I disconnected.
They had a DHCP server that assigned IP/DNS to anyone that connected.
Didn't even think about it again until I read this article.
Apple's implementation of 802.11b is called "Airport". So I wasn't too surprised to read that Airport is as secure as 802.11b
Wonder if you can surf the net from their internal network? Beats paying for any of those overpriced kiosks
just much much easier to accomplish.
scary
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
Airports are as secure as... I thought they were talking about Apple Airports (those funny round things). Still kinda cool, unless the airports get hacked.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
"American Airlines spokesman Gus Whitcomb said that Luster and Comerford exaggerated the security risk because their companies provide security services. " Yeah right.
I didn't mean offense, it's just one of those silly things that Gallagher points out.
I know from working next [literally] to an airport that it's like a train going by.
While I've got you in the conversation, I know it's off topic, but can I get a brief impression of Cochlear Implants? Like what do you think of them.
I watched the coolest thing on PBS about a family which was debating on getting one for their daughter. The family was all deaf, and they ended up not getting it for her. The brother of the father had a deaf daughter [or son?] that got one, and they were going back and forth about what to get. Really a great show.
I think I wouldn't want to get one, but that is because I could see the deaf family's point of view a little better. They wanted their child to stick with the culture, and the language that they are actually blessed to be a part of.
Can I get your 2 cents? Feel free to e-mail me, I'm very interested in this subject. Seems like a great device, but not for everyone.
Get your Unix fortune now!
Sorry, I am posting anonymous.
The airline that I worked at (until just after 9/11) had a similar setup. An average sized hub airport probably has roughly 1700 things with an IP address. To help out, I used a machine with arpwatch to help keep track of what was running and to monitor changes. About 5-15 times a week, I saw non airport workstation names and MAC addresses of NICs that we did not have. Luckily we did not have anything with a DHCP server running or every one of these computers would have fit right in. We had coverage at every ticketing area and every gate, not hard to get a good signal.
My purpose is not network security, only an installer and maintainer of the network and systems, so I made note of our insecure wireless network to our networking group and got nothing back. When I had left about a year after bringing this up, nothing had changed. With so many levels of IT support and groups of people protecting their specialized interests at the company, it was nearly impossible to find someone that could step back and look at more than what they were currently responsible for. I guess we needed a "wireless network security" position before anyone would care to address this.
I don't know what you would do once on the network. Sure you could sniff around but I doubt you would get anything useful from the scheduling and ticketing part of the traffic.
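The inventory check described in the comment above (arpwatch reports compared against the NICs the network team actually owns), as an added example that is not part of the original post. The log lines, host name, IP addresses and MAC inventory are constructed; the message wording follows arpwatch's syslog reports, which may print MAC octets without leading zeros.

```python
import re
from collections import defaultdict

# Constructed inventory: MAC addresses of NICs the airline actually owns.
KNOWN_MACS = {"00:a0:c9:01:02:03", "00:60:1d:f0:00:09"}

# Constructed syslog excerpt in the style of arpwatch reports.
SAMPLE_LOG = """\
Mar  4 08:01:12 hub1 arpwatch: new station 10.20.4.17 0:2:2d:1a:2b:3c
Mar  4 08:03:40 hub1 arpwatch: new station 10.20.4.18 0:60:1d:f0:0:9
Mar  4 09:15:02 hub1 arpwatch: changed ethernet address 10.20.1.12 0:2:2d:44:55:66 (0:a0:c9:1:2:3)
Mar  4 09:20:31 hub1 arpwatch: new activity 10.20.4.17 0:2:2d:1a:2b:3c
Mar  4 09:30:00 hub1 sshd[211]: unrelated line that must be ignored
"""

MAC = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"
EVENT_RE = re.compile(
    r"arpwatch(?:\[\d+\])?: "
    r"(?P<event>new station|new activity|changed ethernet address|flip flop) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    rf"(?P<mac>{MAC})"
    rf"(?: \((?P<old>{MAC})\))?"
)


def normalize_mac(mac):
    """Pad each octet to two lowercase hex digits so 0:2:2d:... compares
    equal to 00:02:2d:... in the inventory."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_events(log_text):
    """Yield (event, ip, mac, old_mac_or_None) for every arpwatch report line."""
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            old = m.group("old")
            yield (m.group("event"), m.group("ip"),
                   normalize_mac(m.group("mac")),
                   normalize_mac(old) if old else None)


def find_foreign_stations(log_text, known_macs):
    """Return {mac: [(event, ip), ...]} for every MAC not in the inventory."""
    known = {normalize_mac(m) for m in known_macs}
    foreign = defaultdict(list)
    for event, ip, mac, _old in parse_events(log_text):
        if mac not in known:
            foreign[mac].append((event, ip))
    return dict(foreign)


def takeover_events(log_text, known_macs):
    """Return (ip, old_mac, new_mac) where an inventoried NIC's IP address is
    now answered by a NIC that is not in the inventory."""
    known = {normalize_mac(m) for m in known_macs}
    return [(ip, old, mac)
            for event, ip, mac, old in parse_events(log_text)
            if old in known and mac not in known]


if __name__ == "__main__":
    for mac, seen in find_foreign_stations(SAMPLE_LOG, KNOWN_MACS).items():
        print("unknown NIC", mac, seen)
    for ip, old, new in takeover_events(SAMPLE_LOG, KNOWN_MACS):
        print("address", ip, "moved from", old, "to unknown", new)
```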
Just because it is insecure at the wireless level, doesn't mean it's insecure at the check-in level.
After all, if they have a firewall, and the wireless is on the public side of the firewall, then it should be pretty secure- the check in desks would have to use tunnelling to connect, but that can be arbitrarily well encrypted.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
It is a big firm in Europe. AFAIK we do not use the above mentioned standard but we use another standard for baggage check in and baggage follow up. The system is so complex that even *us* the programmers have sometimes difficulty with it. The hic is the following : would it be worth it for a terrorist to learn the system when they can more easily fake the control band of the baggage with the so called "bag tag" (simple paper, a serial number and a code bar) or have an insider in the baggage loading worker team. On the other hand 6 months ago I would have said "terrorist learning to fly a plane to pill it into a building ? Unprobable. They could do things in a far easier way than such a long term plan.". So maybe we have to start to worry...
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
I thought that was one of the things that the new regulations after 9/11 got rid of.
Either way, I'm sure those systems have additional encryption a few layers up. No sane person trusts WEP. Even if the net isn't encrypted at the wireless level, it only matters (and is better) if it's encrypted a few layers up. (IPSec, SSL, or the like.)
retrorocket.o not found, launch anyway?
If I know American Gov. they will fix it the best way: banning wireless networking! :)
my name address and phone number are flying through the air for anyone to pluck out
You mean like this ?
Oh, and don't forget, you've attached that information to the outside of your luggage, so that any disgruntled baggage handler with a score to settle because he dropped your 80 pound suitcase on his toe can come find you and settle the score.
Face it, your name, address, and phone number are in the public domain now. Nothing you can do will stop it.
Well, I don't know much about cryptology, but I figured that if you use a symmetric cipher, and the keys are distributed based on physical contact between the devices. Then, you only allow devices to connect based on signatures made with the keys that have been in physical contact, would that be feasible?
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Drexel University does a great job of securing their otherwise unencrypted wireless traffic with a VPN.
Intelligent Life on Earth
Actually, that's not a really accurate statement. The people in Ohio were complaining because the runways run north-south and the air traffic was routed directly over their houses at low altitude in the late hours of the night. And, large portions of that area aren't "rich" as you put it - I believe the area is mostly lower-middle-class, and they had a real noise complaint. Now, air traffic after 10PM flies in and out of the one east-west runway, and does in fact fly over some "lesser" neighborhoods. However, they mostly fly over empty space, with the (louder) takeoffs going west and the (quieter) landings coming in from the east. However, a flight coming from the north will often pass over eastern Cincinnati at relatively low altitude as they enter the flight pattern.
In my experience, the folks responsible for implementing wireless have no clue of the risks. When confronted, they go back to their wireless vendor and pose the question, the vendor responds with a load of BS they can't comprehend and because they have no idea what has been said, it must be secure.
Groups charged with security often don't get their hands dirty with this - they are too busy changing passwords. Mention 'airsnort' and it usually is followed with a blank stare.
Auditors can check physical network security which now includes wireless. For the airlines under 'wartime', this should be mandatory - but it probably won't be...
Denial isn't just a big river in Egypt
Denver has a wireless network setup throughout the airport. There's no password to get on the network, however if you try to browse the web, etc. you'll run into their proxy which will prompt for a username and password.
It's quite easy to guess their user and pass combo, just think about what they used when they had to "test" the network.
In the US, at least, NOW is not the time to be screwing around at airports with ANYTHING, never mind ANYTHING you do illegally at an airport CAN be considered a FEDERAL offense.
I'm as much of a guy that would throw an 802.11b card on my laptop and scan with it as the next slashdot geek, BUT there is a time and a place for all things. The airports and airlines should be notified, if they don't rectify it then take the next step, we got maniac bastards with shoe bombs trying to drop this stuff out of the air, YOU might not see anything of use, but not many Slashdotters are terrorists. They may. It needs to be secured, I fly and more importantly my FAMILY flies.
There is a time and a place for fun and screwing around with stuff. An airport isn't the place and this isn't the time. Would you whack a beehive in a closed room for the fun of it?
Hell If I was in charge of Airport security, after seeing this I would set up a honeypot and get ahold of a 200 dollar rdf and start nabbing anyone that tried this, throw 'em up on federal charges and let shit land where it may.
I KNOW it's insecure and it needs to be fixed, be fucking responsible for once in your life and do something responsible with that info, like find the person in charge and let them know, give them resources they obviously don't have to get it fixed. You're a geek, here's your chance to do something that actually might matter.
Next time your mom, or dad, or brother flies think, hey I hope there's a bunch of dipshits sitting around the airport sniffing stuff they have no business, God knows the potential hazard that exists here for bridging networks to something OTHER than Curb Check in.
Sig went tro...aahemmm.....fishing........
I am continually amazed by how backward the USA is sometimes. Here in the UK we have had this system for as long as anyone can remember. That is why when you check in at Heathrow they ask all those tedious questions about if you have been given anything to carry and if anyone could have messed with your luggage. If you don't turn up at the gate, they literally search through the hold and take your bags off. This of course can take ages!
Some years ago a terrorist made friends with a presumably not terribly bright girl and persuaded her to carry a bag on an El Al flight for him. Fortunately, a security guard thought the bag looked suspiciously heavy and found the bomb in it.
...a cracker with the know-how could theoretically check their own luggage.
That's nice.
While the network may have been viewable is there really a practical application to this?
All baggage checked at curbside is simply registered with the flight recorder saying that this bag is here, this is how much it weighs. The only possible thing I could think of doing with access to the wireless net is removing a bag from the list, but what does that do?
Since all bags are also scanned (especially since 9/11) after they've been checked, it seems to me that hacking the curbside checkin is completely useless. In order to be effective, a terrorist would have to physically have an item on the plane. And that would be possible regardless of whether it was done curbside or at the counter. Personally I don't see a big issue here, but they should be using at least the basic encryption (I know the airport software has basic encryption, I would assume the other stuff does)
-Tevis
T Money
World Domination with a plastic spoon since 1984
There is extensive coverage in Computerworld, here.
So usually when I do not know the exact word for something, I try to guess how it could be in English :).
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Boingo has rolled out APs in many locations in airports around the country. Yet another use for a laptop w/WLAN (I hate the term Wi-Fi) in an airport.
Is redundancy retroactive now? The only other comment mentioning Apple Airport was posted 4 minutes after this one
Fucking stupid moderators.
While waiting for a flight at Hartsfield I've busted out my laptop and sniffed Delta Airlines unencrypted access points. If I was an asshole I could have gotten Skymiles and credit card information on people. Scary stuff.
It is your kind of attitude that is responsible for the security holes that allow terrorist attacks in the first place. Airlines and airports must fix these problems preemptively. Apparently, they are unwilling to pay what that costs in this competitive market. It takes a big bang or public relations disaster to have them act decisively. If the people who found this problem had just spoken to someone "in charge", nothing would have happened.
The temptation to haul anybody in on federal charges who does something that might be suspicious is unacceptable. We live in a free society, and lots of people will do things that are harmless but that may strike someone as suspicious. As in other areas of security, it's foolish to assume that the bad guys will have less knowledge than the general public, and it's foolish to assume that the bad guys won't have the resources to find the security problems easily and with low risk of detection. If you arrest everybody who appears to be trying to discover holes in your security systems, you'll mostly end up arresting harmless people and you give police the tools to arrest anybody at their discretion; just about any activity can be construed to be suspicious. That's called a police state. Maybe that's where you want to live, but I don't. As far as security is concerned, the "get-tough" approach is a cop-out for companies that don't want to pay the money necessary for doing security right. It gives the appearance of security without delivering actual security.
Companies that have such security holes should get stiff fines, retroactively and for as long as the security holes persist. That's the only way to force them to invest the money up-front necessary to make their systems secure. And if that isn't sufficient, there need to be federal regulations specifying rules and requirements for things like networking, screener training and salary, etc. People who discover security holes should be left alone (unless they try to take advantage of them to do something illegal, of course).
While staying at the Sheraton for the Open Source Convention/Perl Conference last year, I tried getting on to the local wireless network provided. Great during the sessions. The only problem was our room was at the far end of the hotel by the airport. Couldn't get a peep from the conference network out there, but I got an IP and DNS from the airport, and a great connection at that.
Since various airlines have been notified about this and have done nothing so far, I would propose the following:
Have a computer savvy individual hook up with a reporter.
Have them go to the airport together and sniff the net.
Capture a bunch of data, go back to the office, and write an article about it.
I bet something would be done about it then.
I would involve a reporter so they have a tougher time portraying you as a terrorist or criminal.
Someone sitting at the coffee shop working on their laptop would not look out of place.
Perhaps people would argue that you are alerting terrorists to this possibility.
But, it is already posted here on /. and I would not want to trust MY family's safety to "security by obscurity".
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
Higher pay == more applicants.
If you have 10 jobs to fill and 100 applicants, you get to be real picky about what kind of people you accept. 10 jobs and 11 applicants doesn't let you be so choosy.
Get a grip. A cornerstone of our criminal justice system is that "criminal" acts require an overt act known to be criminal, or at least reasonably expected to be so.
What this means, in practice, is that every door into an airport is clearly marked. It's not a crime to walk through an unmarked door. Walking past a door clearly marked "authorized personnel only" is a different matter.
Now look at this "problem." Computers with wireless LAN cards will automatically try to establish a connection... and these airports are offering these connections complete with DHCP and DNS services. They know that this will happen automatically whenever the owner turns on the computer, yet they've taken no action to restrict access to their system or warn travellers to avoid using their computers.
Yet you want to send the police to arrest these travelers for felonies - attempts to interfere with airport operations - for doing nothing that isn't routine in countless other places.
Worse, as some other posters have pointed out these networks can often be accessed from outside of the main terminal. A business traveler may innocently turn on his laptop in his hotel room and inadvertently connect to the airport network - and it's *his* fault for failing to anticipate this problem?
If somebody is there and clearly trying to compromise the system, throw the book at them. But if an airport just has lax security, direct your anger at the airport/airlines, not the innocent travelers.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Hell If I was in charge of Airport security, after seeing this I would set up a honeypot and get ahold of a 200 dollar rdf and start nabbing anyone that tried this, throw 'em up on federal charges.
So, let me get this straight... If you were in charge, then instead of fixing the holes, you would concentrate on throwing people in federal prison, for being bright enough to notice and point out the security flaws you had failed to notice. Good plan. Don't let anyone question your security.
In fact, this story was a good way to highlight the problem in a prominent enough way to actually get something done about it. If we threw these people in jail then nothing would be done and the security hole would remain !
--
What has always annoyed me are these people that build next to an airport that has been there for many years ... then have the gall to complain a couple of years later about the jet noise they hear every day because of the airport that was there when they built their dream homes. If they didn't want the jet noise in the first place, they should have built somewhere else?
There's a legal doctrine about that. It's called "moving to a nuisance". Basically if you move into proximity with an annoyance that predates your move it's your fault for moving there and you have no gripe.
But enforcement of the doctrine in courts tends to be spotty in some places. Colorado and Oregon generally laugh such people out of court. But California seems to be the home of successful nuisance suits.
This kind of thing happens to small private-plane airports all the time. Developer builds development next to one, and after the people move in they drive the airport out of business with suits.
One such small-plane airport in Colorado came up with a great idea: After they'd gotten the suit laughed out of court, they bought up the fancy new houses that had been built next to their fence for a song. Then they put gates in the fence and ran driveways from the BACK of the carports to the taxiway. And resold the fancy houses at a significant profit to people with private planes - who NEVER complained about airport noise. B-)
I understand several other small airports in similar situations have done the same thing, or even had developers build such houses deliberately, and there's now a term for such a development - "Air Park" or something to that effect.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
802.11b is *so* over done. Here's some news from the front lines: everyone knows it sucks, they don't care and they're willing to take the risk. How the hell do you think Ethernet got so popular?
The *real* story (which would have been obvious if the "journalists" had taken some time to do actual research), revolves around the wireless systems that are used to transmit cargo inventories, passenger lists and other such ephemera to the terminal operations centers prior to "docking and unlocking". It's slow speed, low-tech wireless stuff, but you can buy the equipment required to monitor and interject in the back of Monitoring Times. I'll laugh when the FBI gets called out to intercept the first Saudi Air flight who reports that every passenger's name is some variation on "Osama Bin Laden".
The second no-brainer stories revolve around:
Screwing with ground radar on a busy foggy day
Setting up a large, intermittent Tesla coil
Hijacking "official" parts and substituting low quality counterfeits or functional replacements containing bombs at the maintenance depots.
Just cruised through SFO after reading the article. No problem getting 5 connects....I wonder if our boy wonder GW Bush would still be smirkin' if he knew...
Regarding the Palestinian terrorist giving his Irish girlfriend a bomb to carry:
The terrorist was ENGAGED to the poor girl, and she was pregnant at the time.
Imagine sending your wife and unborn kid as unknowing human-bombs.
(this is actually covered in a recent 60-minutes show)
About two months ago I was at Denver International Airport and I decided to plug in my Wi-Fi card (SSID: "Denver Int'l Airport", no WEP). I was able to get an IP address from their DHCP server but any attempt to access the web redirected me to a generic username/password entry screen.
I figured they were going to offer a for-pay service to business travelers. It's alarming that they would be using this for actual airport services!
No, I don't want to explore the Recycle Bin.
Now that airports know that anyone can get on to their LANs, it's now a free service...