Whisher
Community Forums


Windows

Help and support for the Windows version.

  #11  
Old 02-06-2007, 04:56 PM
Mother Mother is offline
Whisher CTO
 
Join Date: Feb 2007
Posts: 306
Default

Quote:
Originally Posted by stedewa
What about ? : If we change SSID or WPA key on our AP. It should be not more possible to change the settings in Whisher. So we need a web interface to manage our AP(s)..
That's one of the beauties of Whisher - it does not touch your AP at all. If you want to change the SSID, you can do it using the normal management interface for your router, but visitors using Whisher will always see the nickname you have chosen, instead of the SSID. Thus, changing the SSID does not have an effect on how Whisher presents your AP to others.

Regards,

Mike
__________________
In God we trust, all others we monitor
  #12  
Old 02-06-2007, 05:16 PM
AustinTX AustinTX is offline
Moderator & Beta Tester
 
Join Date: Feb 2007
Location: Austin, TX
Posts: 83
Default

I think he means "if we change our SSID or key aboard the router, then Whishers can no longer find our hotspot or connect to it because their database has the old info".

Also, some people might do silly things like register a whole new AP each time they change their SSID, and end up with a whole bunch "owned" by them.

Finally, Whisher should require people to change their router's default SSID (i.e., "Linksys", "2wire", etc.) (perhaps it already does this?).
  #13  
Old 02-06-2007, 05:33 PM
Mother Mother is offline
Whisher CTO
 
Join Date: Feb 2007
Posts: 306
Default

Quote:
Originally Posted by AustinTX
I think he means "if we change our SSID or key aboard the router, then Whishers can no longer find our hotspot or connect to it because their database has the old info".
Ah...that is the reason why Whisher doesn't care about the SSID, and relies on the MAC address of the router

Quote:
Also, some people might do silly things like register a whole new AP each time they change their SSID, and end up with a whole bunch "owned" by them.
Following on the above, we check the MAC address, so unless we have a bug, you shouldn't be able to register the same AP twice.

Quote:
Finally, Whisher should require people to change their router's default SSID (i.e., "Linksys", "2wire", etc.) (perhaps it already does this?).
The concept of the nickname was implemented to avoid having to ask people to do this. Whisher will match the MAC addresses to the right nicknames and welcome messages, and show them instead of the SSID. We welcome people changing their SSIDs to show they are registered with Whisher, for example, to 'Free WiFi whisher.com'

Regards,

Mike
__________________
In God we trust, all others we monitor
  #14  
Old 02-06-2007, 10:51 PM
AustinTX AustinTX is offline
Moderator & Beta Tester
 
Join Date: Feb 2007
Location: Austin, TX
Posts: 83
Default

Quote:
Originally Posted by Mother
Ah...that is the reason why Whisher doesn't care about the SSID, and relies on the MAC address of the router
AHHH! Yes, that negates my worries! I had not thought of using the MAC address.... it seems an obvious choice, now. Good job, Whisher!
  #15  
Old 02-15-2007, 05:01 PM
nptohc nptohc is offline
Whisher Community Member
 
Join Date: Feb 2007
Posts: 6
Default A few security concerns

Um..... I have a HUGE security concern then!!

DO NOT CHANGE YOUR SSID TO ANYTHING AT ALL MENTIONING WHISHER!!

If I am a hacker wardriving until I find a WLAN that can be accessed using WHISHER - what is to stop me firing up something like "netstumbler" and getting the MAC address of the WLAN AP?

Firing up some software to "mimic" the WLAN AP with the same MAC address - surely then WHISHER would attempt to log in to the AP (based on its MAC) using the stored WEP key.

Which the software pretending to be an AP would then provide me with?

Note - apart from running netstumbler I do not know how to do the rest - but I do know that 1) it can be done and 2) some googling probably would get me the information and tools I needed.

Whilst I am not saying that I am about to go out and do this - what is to stop a hacker doing it?

Though at the same time - it's probably much easier for a hacker to just log in using WHISHER. So my biggest concern - is there any way to disable the local community thingy - because I would rather strangers logging on to my AP with WHISHER did not have access to my local LAN - and it would seem that for people to be able to "see" who else is logged on to my AP, and to be able to share files locally that there would have to be local TCP/IP communication. Meaning that Windows XP (in its default "Automatically search for Network Folders and Printers" mode) would start offering strangers access to my shared folders - and of course using Windows XP Home there is no way to password protect them!

Now please understand - I think WHISHER is a fantastic concept - but please take these security issues very seriously - I have "provisionally" registered my AP in public mode - but I shall be keeping a close eye on the network.

Many thanks.

Andy
  #16  
Old 02-15-2007, 06:26 PM
AustinTX AustinTX is offline
Moderator & Beta Tester
 
Join Date: Feb 2007
Location: Austin, TX
Posts: 83
Default Re: A few security concerns

Quote:
Originally Posted by nptohc
DO NOT CHANGE YOUR SSID TO ANYTHING AT ALL MENTIONING WHISHER!!
You can change your SSID to anything at all, and change it any time you like. The Whisher Client will still recognise it by MAC address, and the Whisher hotspot finder map at whisher.com will still show it. Whishers *want* their hotspots to be found. If a Whisher wants to ban a person, or restrict the hotspot to buddies-only, then the Whisher Client will not let them connect.

Mother: could you tell us if non-buddies and banned persons get only a *filtered* list of AP locations? Or if this is intended in the future?
__________________
Fonero, Dreamer, Whisher, Moderator
  #17  
Old 02-15-2007, 06:33 PM
nptohc nptohc is offline
Whisher Community Member
 
Join Date: Feb 2007
Posts: 6
Default

That was not my point - my point was by changing your SSID to something mentioning WHISHER then it gives "would-be-hackers" the equivalent of a big huge red flashing neon sign saying "I run whisher"

As I pointed out above - a hacker need only get your AP's MAC address using a simple program like netstumbler, pretend to be your AP using its MAC address and then the WHISHER client will quite happily provide the hacker with the WEP key because as far as it is concerned - it is talking to a registered MAC address.

The hacker then can close WHISHER, connect to YOUR AP using the provided WEP key - and is subject to none of the limitations they would be if they were connected to your AP using WHISHER.

All I am saying is until this has been investigated - do not advertise you are running a WHISHER AP by changing the SSID until this has been fully investigated.
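Added example, not part of the thread and not Whisher's code: a client that identifies an AP only by MAC address, as discussed in the posts above, can still notice when one BSSID appears with conflicting properties during a single scan pass. The record fields, the constructed sample data and the signal-strength threshold are assumptions; an SSID change alone is deliberately not flagged, because the thread says owners may rename their AP at any time.

```python
from collections import defaultdict

# Constructed scan observations (not captured data), one dict per beacon seen
# during a single scan pass. Field names are assumptions for this example.
SCAN = [
    {"bssid": "02:00:00:aa:bb:01", "ssid": "Free WiFi whisher.com",
     "security": "WPA2-PSK", "channel": 6, "rssi": -48},
    {"bssid": "02-00-00-AA-BB-01", "ssid": "Free WiFi whisher.com",
     "security": "OPEN", "channel": 11, "rssi": -80},
    {"bssid": "02:00:00:aa:bb:02", "ssid": "linksys",
     "security": "WPA-PSK", "channel": 1, "rssi": -60},
    {"bssid": "02:00:00:aa:bb:02", "ssid": "MyCafe",
     "security": "WPA-PSK", "channel": 1, "rssi": -62},
]


def normalize_bssid(bssid):
    """Lower-case the MAC and use ':' separators so spellings compare equal."""
    return bssid.strip().lower().replace("-", ":")


def find_bssid_conflicts(observations, rssi_jump=25):
    """Return {bssid: [reasons]} for BSSIDs whose beacons disagree.

    A single radio advertises one security mode on one channel, so two
    answers for the same MAC in one pass suggest a second transmitter.
    """
    by_bssid = defaultdict(list)
    for obs in observations:
        by_bssid[normalize_bssid(obs["bssid"])].append(obs)

    findings = {}
    for bssid, seen in by_bssid.items():
        reasons = []
        modes = sorted({o["security"] for o in seen})
        if len(modes) > 1:
            reasons.append("security mode differs: " + ", ".join(modes))
        channels = sorted({o["channel"] for o in seen})
        if len(channels) > 1:
            reasons.append("seen on channels: " + ", ".join(map(str, channels)))
        levels = [o["rssi"] for o in seen]
        if max(levels) - min(levels) >= rssi_jump:
            reasons.append("signal strength spread of %d dB" % (max(levels) - min(levels)))
        if reasons:
            findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    for bssid, reasons in find_bssid_conflicts(SCAN).items():
        print(bssid, "->", "; ".join(reasons))
```

A client that finds a conflict for a registered BSSID can decline to associate automatically and leave the decision to the user.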
  #18  
Old 02-15-2007, 07:01 PM
AustinTX AustinTX is offline
Moderator & Beta Tester
 
Join Date: Feb 2007
Location: Austin, TX
Posts: 83
Default

Well, I don't know about you, but none of my wifi APs will tell me what incorrect WEP or WPA keys were used to attempt access.
__________________
Fonero, Dreamer, Whisher, Moderator
  #19  
Old 02-15-2007, 08:08 PM
nptohc nptohc is offline
Whisher Community Member
 
Join Date: Feb 2007
Posts: 6
Default

I didn't want to have to simplify this - because otherwise the script kiddies will attempt it.

Step 1) Find a WHISHER WLAN

Step 2) Visit the Physical location and fire up netstumbler to get the WLAN MAC address

Step 3) Visit websites (like) the following: http://airsnarf.shmoo.com/rogue_squadron/index.html
- this particular system does not tell you what WEP key was used - because it is an open system.


On second thoughts - it doesn't matter - I came across another site - which shows how easy it is to get a WEP key - even without WHISHER.

http://docs.lucidinteractive.ca/inde...eless_Networks

Andy
  #20  
Old 02-15-2007, 08:59 PM
Mother Mother is offline
Whisher CTO
 
Join Date: Feb 2007
Posts: 306
Default

Hi guys,

I've been travelling most of the day, so excuse the late jump into the thread.

First of all - there are many many ways someone could crack WEP/WPA. WPA and WPA2 with a strong key (that is, do not use a word in the dictionary, but rather a random string of characters and punctuation symbols, etc. - subject well trodden) is what is most secure at this time.

We have repeated this over and over again, if you believe behind your WiFi there are treasures so vast to warrant a cracker wasting his time trying to gain access, then don't share with Whisher. Actually, don't share at all, as you don't know what zero-day security holes a particular device could have, or even better, don't use WiFi - it is by default an insecure technology, and add-on encryption just makes it safer. We just give you the tools to make sharing a) more fun, and b) safer than just leaving your hotspot with no encryption. We of course take security very seriously, but we don't take it as an argument to kill our project. If a criminal wants to do something bad, he can go to any of the thousands of open signals that can be found in most populated areas of the world - why choose yours in particular, and make his life more complicated?

You don't really have to change your SSID at all - people can find you in the online maps, and anyone passing by your hotspot with Whisher will see the nickname you have chosen, the welcome message, and the icon that signals it is being shared. The SSID will not be shown at all, so changing it is only useful for promoting Whisher and letting others who don't use it yet know that they can get access with the client.

We should be worried about realistic scenarios, but not believe that suddenly our hotspots are going to be the target of crackers driving around in vans looking for prey. Statistics show that these sorts of attacks are minuscule, compared to the chance of losing your credit card details to a rogue waiter at a restaurant or service station. In Barcelona we now have mafias replacing the whole front of ATMs with fake ones that will swipe your card's info, pin code, and send it via GPRS to their HQ through a built-in modem.

I don't intend to discard your concerns, just put them into a global perspective, and of course, I welcome your comments & questions!

Best regards,

Mike
__________________
In God we trust, all others we monitor
All times are GMT +1. The time now is 11:53 AM.
(c)2007 Whisher Technologies