WLAN Visualization Meets GIS Mapping
martin dodge writes "The Wireless Network Visualization Project (Univ. of Kansas) has an interesting alternative to just dot maps of WLAN base stations. These guys are mapping out the zone of availability using GIS. Nice maps using aerial photograph backdrops as well. If you are interested, check out other ways of mapping 802.11b network infrastructure."
In effect, map data stored in a database. I've seen maps like those in the article before. The first I saw was in 1993, but it didn't have nice colors. It was from a company that determined FM signal coverage, when given the location of the transmitter and its signal strength.
Combined with a database containing the addresses of cable modem subscribers, Comcast can now conveniently use this data to ferret out their subscribers "stealing" from them using 802.11b. Watch for the Comcast van in your neighborhood!
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
I have a question about the specific mechanics of this: What is the behaviour of 802.11b cards passing multiple nodes at high speed?
If you're driving down a highway with continuous 802.11b coverage and all the APs are set up to allow external access using some common agreed upon collection of settings (no WEP, a standard network name, etc), how well would a card support switching from AP to AP within seconds of each other?
Yes it does, as it is well known that crackers and script kiddiez are GIS masters and professional surveyors, map and aerial photography experts; this will create mass cracking.
The implications are horrendous... toasters biting their users, dogs being shaved, and showers running only tepid water.
It is more horrible than giving Saddam 20-30 nuclear bombs and the coordinates to all key US targets.
Useful but check out the dynamically generated node map from http://www.pdxwireless.org It's updated as the nodes go on and off.
A more difficult problem might be routing of reply packets... if you're constantly switching IPs, then the webpage you requested two seconds ago is being delivered to the AP you were connected to back then.
These were done years ago for FM radio coverage and many "more sophisticated" ham radio repeaters back in the late 80's. It's pretty cool and accurate enough (although not very accurate in between distant points unless you add a topo data set to the GIS dataset). GRASS is an excellent GIS package for Linux that gives Linux users the power of multi-million dollar GIS systems in their basement... and this is a great way to use that cool tool.
Do not look at laser with remaining good eye.
What is the behaviour of 802.11b cards passing multiple nodes at high speed?
Your 2.4GHz card will overclock to 4.8GHz with twice the bandwidth if you travel at the speed of light down the highway.
For doing this type of war driving, you don't need to actually connect to each AP. The card is put into a low-level promiscuous mode, so it can receive all packets. Every AP sends out a continuous stream of 'beacon' packets which the software can use to determine what networks are available. Also, at least on Prism-based cards, you get both a signal and noise measure for every packet received. So you just drive around snarfing up packets, and every one you get you can check for the source MAC address (to determine the AP) and the S/N ratio. No need to talk to the AP's at all, it's totally passive.
One thing you do need to do is change channels. 802.11b specifies 11 channels (in the US), so to be thorough you should check them all. To be efficient, you can check only 1, 6 and 11 because that's what everybody uses. How many channels you are checking and how fast you scan puts a limit on how fast you can drive and expect to pick everything up.
Of course, if you are just checking out coverage for a specific AP, you can stay on its channel and wander around the immediate area to get lots of good data points about its coverage. It all depends on what exactly you are trying to accomplish.
You can see it in action here
It's very handy to get a clearer idea of where exactly those pesky APs are when you blat past them in a batmobile with a Pringles tin sticking out the roof...
The secret of success is honesty and fair dealing. If you can fake those, you've got it made. (Marx)
Last year I took my laptop & GPS & a few Perl scripts and mapped out the wireless access at my campus (UCSD). I made some maps too. Pretty fun!
http://www.cs.ucsd.edu/~ghamerly/wireless.html
Wireless is dangerous - the only real defense right now is to make your network harder to get into than the guy down the street, so Joe Randomsniffer will hit them, not you.
Much like network administration, really - there is no secure box, but if you're more secure than the average, you aren't a tempting target, and will be passed over in favor of the clueless hordes who are ripe for the picking.
A really dedicated person who wants into you specifically? Very little you can do to keep them out, especially if you run wireless.
Not sure of the generic solution, but Alvarion, formerly BreezeCOM, sell a solution that allows roaming speeds up to 60 MPH. Not sure if it is a technical limit, or one of the lawyers telling them not to advertise anything faster for fear of idiot suits like the ones facing cellphone manufacturers in the coming decade. Yes, jurors, my client is an idiot, and yes it was his fault he was eating a Big Mac while talking on the cellphone in an ice storm, but you must find the cellphone industry responsible for contributory negligence and award my client 22 million dollars in compensation.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Hand-over is what you want, i.e. the ability to have a permanent session when you switch from one transmitter to another.
It is embedded in cellular networks (PCS, GSM, 3G, etc.) but is not (I think) an 802.11b feature, which was built for home and SOHO networks, not wireless internet coverage.
Besides, even if you could negotiate a transaction fast enough to keep the overhead low, the lack of a persistent IP address and connection scheme (firewalls) would make it difficult to work.
OTOH, a telecom-carrier operated wireless network is easy to standardize, and made for this type of thing (I remember having a half-hour phone call on a 180 mph train in France).
The real issue here is cost:
802.11b works because it's cheap and can be built by geeks, but hasn't got the features of a telecom network that's expensive to install and operate, and that nobody is really willing to pay for (the market just isn't here yet: Metricom, anyone?).
Besides, most features were supposed to come with 3G networks, but with fear of bankruptcy in the telecom sector, there is little chance we'll see this working in less than two years.
Just my 0.02 euros.
"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
Can anybody comment on the following:
My .11b network has 128-bit WEP, MAC list restriction, and SSID broadcast turned off. I realise that someone can sniff the traffic and decrypt the packets by cracking WEP, but this would otherwise prevent them from doing something ON the network, right?
Linksys (and other folks) have a flag that disables the SSID broadcast 'feature' of their basestations.
According to netstumbler.com:
"Linksys' latest firmware update for WAP11 includes closed network support. It disables the SSID beacon broadcast and as a result no longer shows up on either the Boingo or CyberPixie roaming clients, nor on Apsniff or NetStumbler network discovery tools. "
Is this REALLY a security 'adder' or can folks discover the network in other ways?
Our
We're investigating adding our VPN to the mix, but it's a non-trivial network topology change for a group that really doesn't have sensitive data.
"Draco dormiens nunquam titillandus."
Also, most GIS work is done using ESRI's GIS and Mapping software.
If you want more information, then you'll probably need to contact them. The list is just a basic set of things that should be done, but rarely are. You wouldn't even imagine how many access points don't even have the default password changed.
I also betcha Cambridge maps as one, big, continuous WLAN. f*ckers.
dinner: it's what's for beer
Tell that to the military, or to NASA, or to anyone else with a $100million hunk of metal in the sky.
Put a firewall behind the AP, and use some kind of secure tunnel (such as SSH) to get to a functional part of the network.
They are so far off from the best current practices that it's quite pathetic. Anyone who gives a list of security tips like that is unlikely to get my business as a burglar alarm system vendor.
With NetStumbler, it's easy to map out your freshly discovered APs. After you have returned from some wardriving, simply export your NetStumbler log and upload it here. It will output a Microsoft MapPoint 2002 file which will display a pushpin-covered map showing you all the APs that you just discovered.
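The two posts above describe the raw material of these maps: a passive scan yields, for every beacon heard, the AP's source MAC, its channel and a signal/noise reading, which the software pairs with a GPS fix and later turns into a "zone of availability". The script below is an added example, not code from the Slashdot posts, NetStumbler or the Kansas project. It assumes a constructed `lat,lon,bssid,channel,snr` log format (a real NetStumbler or wi-scan export differs and needs its own parser), treats coordinates as planar, which is acceptable at neighbourhood scale, and estimates each AP's coverage zone as the convex hull of readings above a signal/noise threshold, written out as GeoJSON that any GIS can overlay on an aerial photograph.

```python
"""Estimate per-AP coverage zones from a drive-test log (added example).

Assumptions (not from the original thread): the log format is constructed
for this example, coordinates are treated as planar, and a coverage zone is
approximated by the convex hull of readings with SNR >= MIN_SNR.
"""
import json
from typing import Dict, List, Tuple

Point = Tuple[float, float]  # (lon, lat): GeoJSON coordinate order

# Constructed sample log: lat, lon, BSSID, channel, signal-to-noise (dB).
# The last data row is deliberately malformed to show it being skipped.
SAMPLE_LOG = """\
38.9580,-95.2480,00:11:22:33:44:55,6,28
38.9582,-95.2470,00:11:22:33:44:55,6,22
38.9590,-95.2475,00:11:22:33:44:55,6,15
38.9575,-95.2465,00:11:22:33:44:55,6,19
38.9584,-95.2490,00:11:22:33:44:55,6,4
38.9600,-95.2500,aa:bb:cc:dd:ee:ff,11,30
38.9602,-95.2510,aa:bb:cc:dd:ee:ff,11,12
# comment lines and malformed rows are ignored
38.9601,bad,aa:bb:cc:dd:ee:ff,11,25
"""

MIN_SNR = 10  # readings below this are treated as "no usable coverage"


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log; skip blank, comment and malformed rows."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue
        try:
            lat, lon = float(parts[0]), float(parts[1])
            channel, snr = int(parts[3]), int(parts[4])
        except ValueError:
            continue  # bad coordinate or number: drop the row, keep going
        records.append({"lat": lat, "lon": lon, "bssid": parts[2].lower(),
                        "channel": channel, "snr": snr})
    return records


def convex_hull(points: List[Point]) -> List[Point]:
    """Andrew's monotone chain; returns hull vertices counter-clockwise.

    With fewer than three distinct points there is no area to enclose, so the
    (sorted, de-duplicated) points are returned as they are.
    """
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts

    def cross(o: Point, a: Point, b: Point) -> float:
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

    lower: List[Point] = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper: List[Point] = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def coverage_zones(records: List[dict], min_snr: int = MIN_SNR) -> Dict[str, List[Point]]:
    """Group usable readings by BSSID and hull each group."""
    by_ap: Dict[str, List[Point]] = {}
    for r in records:
        if r["snr"] < min_snr:
            continue
        by_ap.setdefault(r["bssid"], []).append((r["lon"], r["lat"]))
    return {bssid: convex_hull(pts) for bssid, pts in by_ap.items()}


def to_geojson(zones: Dict[str, List[Point]]) -> dict:
    """Emit a FeatureCollection: a Polygon per AP, or MultiPoint if too few readings."""
    features = []
    for bssid, hull in zones.items():
        if len(hull) >= 3:
            geometry = {"type": "Polygon", "coordinates": [hull + [hull[0]]]}
        else:
            geometry = {"type": "MultiPoint", "coordinates": hull}
        features.append({"type": "Feature",
                         "properties": {"bssid": bssid, "vertices": len(hull)},
                         "geometry": geometry})
    return {"type": "FeatureCollection", "features": features}


if __name__ == "__main__":
    print(json.dumps(to_geojson(coverage_zones(parse_log(SAMPLE_LOG))), indent=2))
```

The SNR threshold is the part worth tuning: a hull drawn over every packet ever heard overstates coverage in exactly the way the cell-phone coverage maps discussed further down this thread do, because a beacon decoded at 4 dB above the noise floor is not a usable link.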
The parent posts in this thread weren't talking about just detecting networks, they were talking about using the network while roaming at high speed. I don't think that's possible, because your IP address would change every time you switched to a different access point.
I have actually done seamless roaming while streaming video at 75mph with the breezecom equipment. I believe that technically very high roaming speeds are possible with more dense configurations of AP's.
The first problem is that the BreezeCOM stuff is FHSS, which is a little bit easier to "roam" than DSSS, simply because you can hear neighboring APs without having to switch channels as you do with DSSS, thus you know more about neighboring APs.
The next problem is that the network has to be specially designed to support roaming clients. It has to have intelligence on the Ethernet side of the APs to teach the network about roaming client routing, so that packets always get to where they need to go. In large WLANs, APs are rarely all connected via a 100 Mbps backbone or the like. They are often connected with layer 3 switches, or worse -- routers, such that roaming is near impossible anyway without using special client software that implements Mobile IP (or even IPv6).
The final problem with the way that BreezeCOM does it is that their roaming is proprietary. The APs pre-authenticate clients before they show up, saving time after switching. It's not compatible with 802.11, though "regular" 802.11 FHSS cards can indeed roam on BreezeCOM equipment.
The fast roaming modes do not work on the BreezeCOM direct sequence 802.11b equipment. You must be going 5 mph, or practically 10 mph, to roam seamlessly (i.e. without a data stream interruption) on this equipment.
I worked for a cell phone company a couple of years ago and the tech support was constantly tied up with calls, and the refurbishment warehouse with functioning returns, because people assumed that the coverage maps provided by the company were accurate binary-state renditions of coverage (i.e. if you're within the area you can make a call, and if you're outside it you can't). For instance, if you use a road map to drive to the next state, when you cross the line, you're in that state; there's not a 74% probability that you're there (it's 100%). Of course cell phone maps are only probability maps related to tower placement, signal strength, and topography, but most people choose from experience not to see it that way, as all their experience has been with road maps.
So you'd get people calling in who tried to make calls downtown/in their basement/behind a hill, or whatever, convinced that their phones were broken cuz they could not get a signal when the map said they could ... often they'd just return a functioning phone and get a replacement mailed to them. It was a horrendous waste of money. Ideally the customers need to be told that there's only a probability of making a call from any particular area. But I guess the marketing dept. would put a stop to that.
...depending on the crowd. Among plenty of academics (especially geographers) GIS = Geographic Information Science. Partly this is because there is quite a bit of ongoing research into the techniques and principles underpinning the technology.
:(
The other reason is that there actually is (in an ideal world) a bit of expertise required--and familiarity with geography, and no I'm not talking about "What's the capital of so-and-so"--to fully understand what you are doing with the data.
I've found a great deal of folks in the public and non-profit sectors who are far too cavalier with their interpretations of data that they crunched on for a while...they think that because they used expensive software they must be getting some real value out of it.
Anyway, the point is that it's not some black box technological marvel. There is plenty of Science (geographic, statistical, etc etc) behind the Systems.
GRASS GIS is cool but sadly I work at a Winders shop, so it's ArcGIS for me (and plenty of contact with the abhorrent DBF file format).
When I worked for Sprint and other clients we had mapping similar to this, made using software such as Planet by MSI. Planet was cool; it would help map out coverage for a given area. However, it was still necessary to go out and drive the network. I worked a project in Tijuana using some equipment made by DTI that had 8 scanners in it and would record about a thousand channels of data to be later displayed on a map. It was cool when you would look at the map and actually see the coverage of each cell tower based on the driving that had been done.
---- Fight to protect your right to keep and arm bears! ummmm... ya I think that's right....
Your claim that their security tips are useless is silly.
> use wep (airsnort)
Using WEP is the same as remembering to lock the doors of your house. People can still pick the locks, but they have to be determined to get in.
> obscure your ssid (set client ssid to ANY)
This should be combined with the suggestion below to turn off SSID broadcasts.
> change default passwords on APs (duh)
Just because it's obvious to you doesn't mean it isn't worth mentioning. People are stupid and need to be reminded of the obvious.
> disable broadcast ssid, but you can't (haha)
Funny, on all of the Access Points I've dealt with, there was either an option called Disable Broadcast SSID, or Closed Network. Checking these meant that you had to know the SSID in order to attach to the network.
> upgrade firmware (what's that gonna do)
Why should we apply patches to Apache or IIS? What's it gonna do?
> enable MAC filtering (Lucent WaveLAN cards have a tool to set their MAC address)
Yes, but there are 2^48 MAC addresses. Guess which ones are allowed to attach to my network.
> Turn off your access points when you are not using them (how many people are going to do that)
I agree that this is unlikely to happen. But that doesn't mean that it isn't a legitimate way to keep people from using it.
> Wave point placement and antenna selection (attacker can use a 12dBi yagi and point it straight at your house)
This point I don't know enough about. It is probably the least useful of any of the suggestions, especially since most people tend to use the antennas that come with their Access Points.
-> Capt Cosmic <-
I have been playing with Mapserver and it really rocks for online stuff. It only recently went sort-of-production with 3.5, but with support for PostGIS and PHP, it is great. Having tried both, IMHO, it's far more accessible than ESRI's ArcIMS.
Xix.
"Everything is adjustable, provided you have the right tools"