Slashdot Mirror


User: Big_Al_B

Big_Al_B's activity in the archive.

Stories: 0
Comments: 554

Comments · 554

  1. Re:Here a few workarounds on 'Evil Twin' Threat to Wireless Security · · Score: 1

    I have to respectfully question the value of your suggestions.

    They all assume administrative control over the AP. What if you're a security-focused user of another trusted AP? By "trusted" I mean that I have personal knowledge that the administrator of the network is cautious, clueful and trustworthy.

    1. An easy way to prevent this is to have your Access Point assign you a strange IP address. That way if you normally get 192.168.1.251... and you end up with 192.168.1.1... you have an idea something is wrong.

    If I know the brand of AP that I'm targeting to spoof, I also know the default RFC1918/NAT network it uses to assign addresses to clients. I'll assign addresses in the same manner, and I'll probably figure out yours eventually, especially if you just pick a "strange" one from the default subnet.

    2. Another way to do this is a bit more complex. If you have another computer or file server at home, set up a webserver. Make sure this system is wired. Set your computer's homepage to that system (using your internal 192.168.x.x ip).

    Now when you open your web browser... if you're using your own access point, you can view that site. If you're being tricked onto another Access Point... you won't be able to view it.


    Hmm. This assumes your webserver is not compromised. And it assumes that everyone uses RFC1918 addresses and NAT on their home network. Most probably do, but some of us don't.

    I have a /26 out of a CIDR block. My buddy at work has several /24s of CIDR space. It's a perk of being the network guys for an ISP. I don't NAT a damn thing, because NAT is ugly, broken networking. Ever try putting H.323 through NAT? Yuck.

    3...

    WEP keys are fairly easy to brute force. There are much stronger methods for this, which I'll leave as an exercise...

  2. I don't need an open source camera on Closed Digital Cameras - Does Anyone Care? · · Score: 1

    My camera has more than enough features for it to be useful to me. I would like to master the included functionality (which I have not made time to do) before I tried adding any.

    Besides, my toaster, my POTS phone, my TV, and my watch, are also closed-source but extremely well-featured without my input.

    In other words, "No." I usually buy more features than I use anyway, and like to spend my time on more useful or more entertaining things.

  3. Re:Umm no on Closed Digital Cameras - Does Anyone Care? · · Score: 2, Informative

    Well, I had a Canon G2 that required a firmware upgrade to solve a "blue screen of death" type of problem.

  4. Re:Interesting stuff on Is Atlas Holding Hipparchus' Lost Star Map? · · Score: 1

    Good point.

    It would be interesting to compare intellect "per-capita" for various points in human history.

  5. Re:Just an old dog not wanting to learn new jargon on Scalable Enterprise Buzzword Solutions · · Score: 1

    I think much of BS-speak starts as a clever and correct use of a word, but then the hordes of PR folk get ahold of it.

    Based on my divergent degrees in and careers in both the black art of PR and the grey art of ISP network engineering, I say, "You're pretty much correct."

    While practicing my former career, I used words "creatively, energetically, and dynamically."

    In my current career, I use them "correctly". I sleep quite a bit better now.

  6. Re:Limited uses for most users? on HDMI and What it Will Do for You · · Score: 1

    For quality setups, it's even less useful since the video and audio are going to different outputs (speakers and a TV for example)

    I'm not sure what kind of "quality" you're talking about.

    A "quality" SAT/CAB/HD/DVD setup will send both HDMI, DVI/HDCP, or worst-case component, video and digital audio to a quality receiver or controller/amp stack.

    A "quality" receiver/controller will switch the video signals it receives to a HDMI, DVI/HDCP or component output going to a HDTV monitor/projector. A receiver would then send the audio out to connected speakers, while a controller will send line-out audio on 2-to-7 channels to an amp that powers the speakers.

    In any case, a setup that doesn't switch video and audio through a central controller isn't "quality".

  7. Re:Can lead to unexpected results on This Call May Be Monitored ... · · Score: 1

    What? Isn't "I knew one president" enough of a reference for you? ;^)

  8. Well, MY big brother is not a telemarketer... on This Call May Be Monitored ... · · Score: 1

    so he won't hear a thing I say about those bastards while I'm on hold.

    Big Brother? Please. Try "lower-middle manager" inside a pissant company within a bottom-feeding industry. The Orwellian factor is so weak I'm not picking up the signal.

    Hell, if I can amuse some lackey with a clever blue rant, then I'm happy to oblige. If I had to monitor calls all day I'd probably want to drive my car into a tree.

  9. Re:Watch The Video - Al Gore says it - CRAZY on Google's 20-Year Usenet Timeline · · Score: 1

    At about time stamp 0:50 of the video from CNN's Wolf Blitzer March 9, 1999 Late Edition/PrimeTime interview with Al Gore you will watch Al Gore claim that he "took the initiative in creating the Internet"

    Yep. And?! Anyone who can't separate the talking point soundbite from fact is either being intentionally obtuse, or is simply a raving moron.

    Al Gore, as a member of the US Congress, authored legislation to fund fiber optic research, and spearheaded funding for specific projects that transformed DARPAnet into the "Interweb" whose teat we milk from today. This is provable, well-documented fact, evidenced in public record.

    Literate people call this "taking the initiative".

  10. Re:Social conscience on An FM Broadcast Transmitter For Your Home · · Score: 1

    When the government gets into the "everyone must be equal at all times" game, that's when things start to get ugly.

    Yeah, nothing spells "ugly" like the US Constitution. Just /look/ at that Bill of Rights. And what are those Amendments about too?!

  11. Re:What's next? on iTunes User Sues Apple Over Lock-In · · Score: 1

    It'd be like if Sony CD players only played CDs released by Sony.

    Like SACD?

  12. Re:Slightly OT but... on New Shuttle Fuel Tanks Ready · · Score: 1

    First, I'm not sure your premise is true, because I don't recall that Rockwell's bid was the lowest. I could be wrong.

    Second, the question, "Could have the space shuttle been built "better" had we paid more for it?" has no meaningful answer.

    You can answer "yes" to your question *and* answer "yes" to the following question, "Could the shuttle have been built 'better' had we paid *less* for it?" Both answers are equally true, because neither rules out the other. There is no direct relationship between the quality of the shuttle and the winning bid.

    If, for argument's sake, we paid exactly the right amount and got a perfect shuttle, then the answer to both questions would be "No."

  13. Re:Predictions on VoIP Predictions for 2005 · · Score: 1

    With respect, I think you're confusing several things here.

    First, I think you're talking about plugging traditional analog phones into a single VoIP integrated access device (IAD), but I believe the original poster was referring to actual VoIP phones. VoIP phones have Ethernet interfaces and don't have FXO jacks, so they can't receive power from "the phone line". VoIP phones either get their power from PoE or from a wall plug transformer.

    Second, I may be misunderstanding, "The phone line output should already power remote phones," but keep in mind the power on the phone line comes from the phone company that provides your POTS service. If you disconnect POTS service in favor of VoIP, then the phone company will no longer put power on the line. That said, VoIP IADs have FXS jacks that will power POTS phones.

    A bigger question to me will be what happens when the internet goes down.

    The answer to that can be simple or nuanced depending on how you set up your phone services.

    In the simplest setup where you rely on your VoIP provider to signal and route all your calls, you will not have working phones.

    If your IAD can do local extension call signalling and routing, then your internal calls will still work, but not any VoIP calls to locations outside your LAN.

    If your IAD has an FXO port, and you retain POTS service from your telco, then you may plug your IAD's FXO port into your POTS service. Then you could route external calls to your telco until your internet connection is fixed. Your IAD must be highly configurable in order to handle this though.

  14. Re:Predictions on VoIP Predictions for 2005 · · Score: 2, Insightful
    Not to be a spoiler, but:

    • Homeland Security and the FBI get involved. We'll hear from the wiretapping people again.

    CALEA has been a consideration for VoIP service providers (like the one I work for) for several years already.
    • Power over Ethernet meets VoIP. Phones stay up, until the UPS dies.
    • Ringtones for VoIP phones. Music for the office.

    And my office has used PoE switches for our VoIP phones (which have over 40 ringtones, some 38 of which are mightily annoying) for several years.
  15. Re:You don't solve a thing... on Federal Appeals Court Sides With VoIP Providers · · Score: 1

    The right metro area is as good as you get with cellphones, too, so that's at least "good enough"

    First, that's not correct. Local governments usually have ordinances that dictate separation between cell towers, and that usually ends up being somewhere between 1500 and 10,000 ft. In a high coverage metro, you'll get at least that close to tracking your caller from a single tower. Factor in triangulation from ancillary visible towers, and you can pretty much find a cellphone geographically. Cell phones are easier, because geography is a central technical factor. That's not the case with VoIP. An IP phone can be anywhere, and its IP address can change if you take it to Grandma's and plug it into her cable modem.

    Second, have you considered how a VoIP 911 call winds up at a local public safety answering point (PSAP) in the first place? PSAPs don't and won't be using IP phones for some time to come. So 911 calls have to exit the IP network and enter the PSTN before arriving at a PSAP. For calls to even end up at the correct PSAP, the VoIP provider must route it correctly. To do that, the VoIP provider will use last known good phone location information, keyed off its phone number, not its IP address. The PSAP operator can already assume you're in their service area, simply because they got the call. And if the provider passes the PSAP good info via E911 (i.e. you keep your location address updated in their service provisioning systems) this is "good enough."

    Additionally, the fact that VoIP 911 calls leave the IP world and enter the PSTN before getting to the PSAP completely removes tracerouting as a possible tool.

    We cannot identify the location of every IP

    Hardly any, probably.

    but a lot of addresses without geographical names have known locations.

    Known to whom? LAN admins maybe. Cable/DSL ISPs maybe. Definitely not VoIP providers like Vonage that piggyback on cable/dsl broadband services.

    This method is not foolproof but it's a start...

    Not foolproof? Try "not practical at all."

    People get subscriber information...This won't help with 911 but don't be so smug about supposed security.

    [sigh] I was only relaying my (reasonably extensive) realworld experience on the topic. Is that being smug?

    The last thing I'll say (probably in the whole discussion) is this:

    IP phones/IADs have two consistent globally unique identifiers: their assigned phone number and their burned-in ethernet MAC addresses. The phone number is the easiest to associate with a location. For example, one could force an end-user to enter an address whenever/wherever they plug in their phone. This entry could automatically be used when sending E911 location information. No IP mess, no IP fuss. Done.

  16. Re:You don't solve a thing... on Federal Appeals Court Sides With VoIP Providers · · Score: 1

    The last hop with an actual location will be fine.

    I'm not 100% sure, but I think you mean the globally routable IP address (or addresses) on a NAT device that translates it to an RFC 1918 (private usage) IP address.

    I can't tell you what mine is, because there is none. (Not that I'd post it if there was.) I'll save you the long explanation, but to summarize we're a Telco/ISP with our own PSTN switches so our VoIP never touches the public internet. And all of our VoIP customers' IP phones use non-NATed private IP addresses too.

    But, for the sake of argument, let's say we did interface with the public internet using a static globally-routed IP for each phone. And let's say that you can traceroute to it. Just what would you expect traceroute to tell you about my geographic location?

    You aren't going to be advertising that address when you make calls outside your local network because otherwise it wouldn't route.

    My point was that NAT is one of many reasons why traceroute will not produce accurate location information for IP phones. Another poster cited VPN tunnels. Besides those, I can add MPLS layer two and layer three tunnels, transparent LAN services, firewalls and router ACLs.

    If you call me, I can trace the route and, as you put it, come say hi.

    Again, even in the ideal case (a traceable static public IP on the phone) where are you getting geographical data? Even if we use geographical DNS naming conventions for our routers--and upstream/intermediate ISPs do the same--best case is that gets you to the right metro area. Maybe. And geographical naming is not a foregone conclusion.

    I'll even give you some leeway and add "whois" data to associate my IP address with my company, and from there you can get our HQ street address. But we have multiple locations, in multiple cities, across the state. Which one houses my carcass? Traceroute won't tell you.

    If it's a dynamically assigned address, of course, some cooperation from your ISP would be necessary.

    As someone whose jobs have included network security engineer, I can assure you that most ISP customer information is private and requires a subpoena for third-party access. So don't expect that kind of help. Even if you're a 911 operator.

    Also, you bring up an excellent point. Vonage-type customers will have broadband cable or DSL. Personally, I have Time-Warner at home. Their (ATM?/MPLS?) backbone spans long distances. According to traceroute, the next IP hop is an aggregation router somewhere in Chicago, which is many hundreds of miles from my cable modem.

  17. Re:You don't solve a thing... on Federal Appeals Court Sides With VoIP Providers · · Score: 1

    From the FCC:

    The wireless Enhanced 911 (E911) rules seek to improve the effectiveness and reliability of wireless 911 service by providing 911 dispatchers with additional information on wireless 911 calls.

    The wireless E911 program is divided into two parts - Phase I and Phase II. Phase I requires carriers, upon appropriate request by a local Public Safety Answering Point (PSAP), to report the telephone number of a wireless 911 caller and the location of the antenna that received the call. Phase II requires wireless carriers to provide far more precise location information, within 50 to 300 meters in most cases.

  18. Re:You don't solve a thing... on Federal Appeals Court Sides With VoIP Providers · · Score: 1

    The IP phone on my desk has IP address 10.2.1.57. Traceroute to it and come say "Hi."

    See you soon!

  19. Re:the 911 issue on Federal Appeals Court Sides With VoIP Providers · · Score: 1

    There's no need.

    Enhanced 911 (E911) services are available from most (if not all) serious VoIP players.

    E911, which emerged as a mandate for cell providers, includes location information in the signalling stream.

  20. Re:Laws? on Federal Appeals Court Sides With VoIP Providers · · Score: 1

    I can tell you why the MN PUC appealed this action:

    It was _implored_ to do so by *private sector* Access/Termination-Fee & TDM Circuit-Switch Lovin' Telcos who were seeking to protect their legacy business model and long-established revenue streams.

    VoIP was no skin off the guv'ment's nose until the RBOCs started screaming bloody hell.

  21. Re:Is it as good as Stucco and plaster? on Wireless Security By The Gallon · · Score: 1

    Maybe it's just a really crappy WAP.

    Tested and dismissed. My friend stood in various spots in his yard, further from the AP than his Den window, and could get a loud-and-clear signal.

  22. Is it as good as Stucco and plaster? on Wireless Security By The Gallon · · Score: 2, Interesting

    My buddy's house, with stucco out and plaster in, provides a very strong 802.11b-arrier. An AP in his neighbor's house (visible in a window) is only intermittently reachable from his den, standing by his own window, about 22 feet line-of-sight from the neighbor's AP.

    My neighborhood, in a new development, is full of houses made from sticks, vinyl and wallboard. I can easily reach anywhere from 6 to 10 APs from just about anywhere in my house (and only 2 are mine.)

  23. Re:Bah, you call that impressive? on Revolution In The Valley · · Score: 3, Funny

    The Amiga did. And then some.

    Excellent argument. Somewhat akin to:

    Dude 1: My '83 Chevy Citation was better than your '87 Dodge Daytona.
    Dude 2: No. Clearly it wasn't.
    Dude 1: Yeah, well the '87 Corvette sure was.

    Dude 3: WTF?

    I'm Dude 3.

  24. Re:(How is this) another distinction(?) on The Semantics of Free Software vs. Open Source · · Score: 1

    Well the line is a quote from a math jingle I learned in elementary school. It doesn't hold up to rigorous analysis, but neither do most 2nd-graders.

    The logic behind the jingle is this:
    A square is required to have four congruent sides and be a parallelogram and have four right angles. A rectangle is not required to have four congruent sides, but is required to be a parallelogram, and have four right angles. Thus, by definition, a rectangle doesn't meet the requirements of a square.

    The flaw, of course, is that if all squares are rectangles, then at least some rectangles are squares.

    Back to regular programming...

  25. (How is this) another distinction(?) on The Semantics of Free Software vs. Open Source · · Score: 1

    Yes, and a square can be a rectangle, but a rectangle can't be a square. Maybe I'm missing your point...