well, even the blind have their darker sides. Also, war driving can be a useful tool for discovering unsecured wifi devices. I have educated more than one neighbor around here on the virtues of proper security awareness. btw, the one neighbor who was using my connection without permission had already run afoul of the copyright police before, so he tried to use everyone else's connections around here. I have since talked with all neighbors around him and gotten them to lock down their routers. I can just imagine him sitting there seething trying to figure out how everyone around him became so secure all of a sudden.

btw, I am also publishing a little how-to in the local neighborhood newsletter here for all those who use fat pipe internet services (Cox, DSL, DSS, Dish, etc.) and putting together a tutorial on how to lock down and limit access to a router. This got included in the last publication of the SPARC newsletter in both English and Spanish. The first of these was called "setting your router password and disabling remote access". I also included my email for those who have model-specific questions. So, isn't it a wonder that said email box had a lot of responses in it with questions on how to do a great many things. Most of them start with the question: how do I find the IP address for my router? It's a basic question that a lot of people never think to ask until they are required to.

It is interesting that you mention "the escapist". In a lot of ways, it's a version of the "turner diaries". Some lessons to be learned from that reading as well. And now, I will just bet that the FBI will be looking at me because of the mention of just 1 title. Ah well, I am well read. :)

anyway, there are going to always be those in any community who will seek to control others through their will to power. Depending on their ethics, this could be a good thing, or a very bad thing. Right now, there is a lot of the latter going on here in the general public these days (what with people shouting down others or threatening violence because they don't agree with their politics). We have to be better than that.

-eric
from the central office of the Technomage Guild, rare books Dept.

On Mar 25, 2017, at 6:58 PM, Vara La Fey wrote:
<div bgcolor="#FFFFFF" text="#000000"><p>Ok, not a big deal. I won't worry about typing emoticons and
such, since your reader has prolly handled them since the alpha
version. I'm just always impressed by how well blind people can
navigate, since we are highly visual creatures building highly
visual cultures. But I know very little about the actual methods.</p><p>There will always be exploiters, even blind wardrivers - and I'm
not sure if I'm happy about <i>that </i>kind of equal
accessibility. :-P But the existence of exploiters doesn't mean
society needs to remove every exploitable item.</p><p>And if you had implemented only the security proposed in Victor's
"educational" nanny system, how would that have stopped your
neighbor from hacking your router? How much "educational"
material, to prevent how many types of exploit, is enough?</p><p>I'd love to see a non-intrusive education program made easily
available.</p><p>Or a security-checking app that fine-tooths the user's system and
covers the basics in a wider scope than malware-stompers and such
currently do. Presumably they're out there, but I haven't ever
actually noticed one - or looked for one. All I've ever seen
(other than a few specifics I've researched) is piecemeal stuff
here and there: WinDOS "PC issues" alerts, the usual stompers, the
usual setup prompts, the usual "important" updates (which often
are more trouble than worth and get rolled back). I've noticed
nothing coherent and integrated.<br>
</p><p>Either way, I'm always going to call out people who
self-righteously think they're superior enough to take up my time
lecturing me about my actions for my own alleged "good". Always.
If the Steve Litt types get offended, I'm ok with that.</p><p>Bova is a name I haven't encountered in a while. Every now and
then I could stand to read some good escapist (semi-?) libertarian
<blockquote cite="mid:5396D655-3FF3-477F-B5FA-F0105DF44CC7@icloud.com" type="cite">totally blind here.
<div>I use a screen reader, and a braille device. I still run into
problems with sites that just aren't usable with either (and
sometimes I am even forced to go to Windows just to use a
browser I can't use on this Mac). as for feeling sorry, don't. I
don't make a big deal of it and neither should you.</div>
<div>btw, getting back on subject here, I recently had a run-in
with my ISP (cox) when they sent me a nasty note claiming I was
sharing infringing content. I tracked it down to the router
(which had apparently been hacked). Stupid little Linksys device
didn't have very good security on it. So, I burned in a dd-wrt
image, changed a lot of settings and now I don't have that
neighbor using my connection for his bit torrent activities.
btw, I found the exploit that said neighbor used over on
wikileaks vault7 page. Right now, I am testing the device with a
Linux laptop using reaver and john the ripper (and pwgen to
create the rainbow file). So far, it has taken a better part of
2 days and it still hasn't guessed the passphrase. One of the
first things I did after replacing the system image on the
router was to turn off the PIN for the device. With that on,
Reaver was able to take just 5 minutes to break the connection
and gain entrance.</div>
<div>so, if I can do this here at home, it's a sure bet that some
of these places with a wide open router are getting a lot of
illicit traffic (and it's also a sure bet that someone is pulling
a man-in-the-middle attack to get info they shouldn't have). so,
believe me, if it can happen to me (an experienced IT person),
it can happen to anyone who doesn't take the time to secure
their devices.</div>
<div>btw, to give you an idea of how strong my passphrase is, it's
a minimum of 200 characters (including spaces), run through a
jive converter and then converted to 1337 using one of the known
converter websites. so, good luck guessing it. :) I also use mac
address filtering here and even have my SSID broadcast hidden.</div>
<div>btw, back on the subject of accessibility for a moment… the
guys who developed Reaver got contacted by me several years
back. I asked them if it could be possible to include a couple
of packages on their live CD (specifically ORCA and an audio
driver). They did and the tool is completely accessible for the
blind war driver. :) so, it doesn't hurt to ask. :)</div>
<div>from the central office of the Technomage Guild, network
breakages R us Dept.</div>
<div bgcolor="#FFFFFF" text="#000000"><p>Oooh, now your sig places you with the Brave New World
dept. Heh. Perfect timing.</p><p>I'd love to de-Google, but as with Fakebook, that's
where the party is. Even worse is that Google's products
are pretty good.</p><p>Speaking of FB, they keep hitting me with a security
verification when I go to my page to login. Fortunately
my Firefox gives me its usual login screen and easily
bypasses that.</p><p>I'm sorry to hear that you're blind, but I'm also
curious how you navigate so well. I've never heard of a
captcha solver, but now and then I'll click the
gimme-a-new-one button or the say-it-aloud button. And
my vision isn't good, but not blind. Can you see the
captchas at all, or do you navigate by text-to-speech
and a braille keyboard?<br>
<blockquote cite="mid:C40A0AAF-3B10-470D-9304-E49047DFCD06@icloud.com" type="cite">yes, they are. I even have a captcha solver
tool here, but it's only effective 50% of the time.
Google is, by far, the worst offender of the lot when it
comes to this type of http interception and presentation
<div>from the central office of the Technomage Guild,
Brave new world Dept.</div>
<div bgcolor="#FFFFFF" text="#000000"><p>Mmm hmm. But at least nobody will know that
you're streaming the footage of his arrival.</p><p>Are these captcha-blockings you mention the
same as when Google and others intercept you
when they detect that you're not trying to
login from the same IP as your previous
logons? Back when I last used Tor to actually
login to an account, sites I used weren't
doing that kind of interception. I've merely
browsed with Tor since.<br>
</p><p>- Vara<br>
<blockquote cite="mid:4E03AC1C-3C30-4297-80DF-722CDDD12C89@icloud.com" type="cite">That is the other problem I have
seen with TOR. Any slower and the second
coming of christ will arrive sooner. :)
<div>from the central office of the Technomage
Guild, Editors choice dept.</div>
<div bgcolor="#FFFFFF" text="#000000"><p>I'm all for education. I'm a
trans-girl, and believe me, I would
like to educate people a little
about us. But I wouldn't take it
upon myself to intrude on their time
for a 3 Minute Love unless they're
trying to hurt someone.<br>
</p><p>I don't want people semi-forcing
content on me. And the desired
"campaign" is exactly that. It's sad
that everyone here who comments
keeps asserting the "safety"
benefits, without a care in the
world about the sheer intrusiveness
and the obvious socio-political
abuses of systems like that becoming
commonplace. Which hopefully they
won't.</p><p>I don't need a VPN and have never
set one up, but I don't doubt the
security of a VPN/Tor combination.
And if you are really afraid of
snoops and spooks, encrypt all your
text traffic with large PGP keys.
But I rarely use Tor because it's
horribly slow, and PGP because it's
an extra few steps. But they are
always there for those special
occasions. :-)</p><p>- Vara<br>
<blockquote cite="mid:4EF5D72B-DFFB-4ECA-BDB1-A5CB66859068@icloud.com" type="cite">well, if you don't want
to deal with bad certs, redirected
https,etc, you can either not use
that router/service or get a VPN and
secure all your traffic. And yes, I
will not use paywall systems of any
kind, they have no business knowing
what my credentials are.
<div>Lastly, if I want real
security, a combo of VPN and TOR
cannot be beat. I use private
internet access for the VPN and
also have a TOR node setup here.
the TOR node will not be connected
until after the VPN comes up. why
let my ISP know I am running a TOR
node here at home? The only issue
I have with this is that my search
engine queries don't work right
(mostly, I get blocked and asked
to solve a captcha, which is not
doable for the blind most times)</div>
<div>Anyway, do what you must, but
education should be the first item
on the list when it comes to net
<div>from the central office of
the Technomage Guild, Security
applications dept.</div>
<div bgcolor="#FFFFFF" text="#000000"> First you
were talking about open
hotspots. Then you were
talking about https. Now
you are talking about ssl.<br>
But all the while you're
still just talking about
monitoring and restricting
the activity of 3rd
parties on 4th party
systems. And it seems
really important to you
for some reason.<br>
Please, waste time and
effort and money patenting
your <i>spyware </i>chaperone
system that monitors web
activity with the intent
of <i>creating
consequences </i>for
activity which you - or
your intended customer -
opines is "invalid". I
doubt very many people
will buy into it because
there is no upside for
them. Even when they alter
it to fit their own
agenda, they just anger
their customers who can
click OK for EULAs and
enter logins, but cannot
bypass your 3 Minute Hate.<br>
If it can detect an
"invalid" certificate,
then by changing a couple
code lines (if even), it
can detect anything else
about an attempted site
visit. Of course this
ability is ancient now,
but less evil
implementations of it
merely censor by blocking,
which is bad enough. Yours
is "educational" - and
it's interesting that <i>you
</i>put the quotes around
that word yourself - for
the purpose of taking up
other people's time with
<p>If it became common, it
would become a mandatory
advertising medium
anytime anyone clicked
on a competitor's site,
or a site with bad
reviews for your
customer. If it became
law, it would become a
mandatory propaganda
delivery system anytime
anyone clicked on a site
containing any kind of
dissenting viewpoint.</p><p>Are you hoping to
create one of those
conditions? If so,
</p><p>Because this sure looks
like more than just
wanting to manipulate
lesser people into a
system designed to
reinforce your wishful
feelings of superiority.
There has to be a more
compelling reason that
you're this overly
concerned about what 3rd
parties do on 4th party
</p><p>Which, btw, brings up
the fact that your
system is not equivalent
to EULAs or logins or
pay systems, because the
connection provider has
the right to set
conditions for using
their connection. Your
spyware idea is to
harass people who are
using <i>other people's</i>
connections.</p><p>I'm not an expert on
web connection
technology per se, but
it seems that Tor would
nicely wire around all
SSL issues after the
initial connection to
the now-restricted
hotspot. You certainly
make a great case for
using it, even if just
on general principle. So
what would you do about
that?</p><p>I don't think your
grandmother wants you
monitoring her activity.
I don't think <i>anyone
</i>wants you monitoring
their activity. But you
seem to want to do it
anyway. And no one but
me is saying boo to
you. :-(</p><p>As to the trivia: I
personally have never
had trouble from
visiting a site with an
"invalid certificate" of
any kind, because that
stuff simply isn't 100%
maintained. Obviously I
am careful where I go
and what I click and
download anyway. I do
not so easily ignore
"known malware site"
warnings, and if in
doubt about a site I
reflexively check the
web address. <a moz-do-not-send="true" href="http://MyBank.Phishing.com/">MyBank.Phishing.com</a> and <a moz-do-not-send="true" href="http://Phishing.com/MyBank">Phishing.com/MyBank</a> do not get
clicks from me. But
that's all beside the
<blockquote cite="mid:CAA_Swr=tOvKCDNfi=Cit9ccggBX=joHuFZShLFn=hm7ik+X67Q@mail.gmail.com" type="cite">
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">On
Mar 20, 2017
3:36 PM, "Vara
La Fey" &lt;<a moz-do-not-send="true" href="mailto:varalafey@gmail.com">varalafey@gmail.com</a>&gt; wrote:<br type="attribution">
<blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><p>OMG!!</p><p>First of
all, you'd be
them if
telling them
"validity" has
any real
meaning. (But
now you're
talking about
<div dir="auto">I mean
validity as in
trusted roots that
have been shipped
with your OS or
browser. Surely you
don't mean these are
meaningless. AFAIK
they are very
reliable as long as
you never accept
bogus certs. If you
accept bogus certs
"all the time", I
really hope you know
what you're doing.
Pretty much any
important site
should have working
<div dir="auto"><br>
<div dir="auto">There
is a reason why all
the browsers freak
out when you get a
bad cert, but users
still click "add
exception". My
captive education
portal would give
real consequence to
this with the 3
minute power point
slideshow and
mandatory quiz. I
wonder if this is
already patented. .
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> <br class="webkit-block-placeholder">
</div><p>Second, why
do you think
you have any
right to put
speed bumps in
the way of
people who are
doing nothing
to you? <br>
<div dir="auto">Plenty
of businesses do
this already for
captive portals and
forcing users to log
in, pay, or accept
an EULA. They are
already tampering
with your SSL
connection in order
to redirect you to
the portal. I'm just
suggesting to use
this technology for
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> <br class="webkit-block-placeholder">
</div><p>Third, if
needs internet
just educate
her, or refuse
to keep fixing
the problems
she encounters
in her
ignorance - if
she really is
all that
ignorant. I
hope you
install a
without her
because then
you'd be just
any other
with just any
<div dir="auto">Well,
I'm lazy. I'd much
rather have an
ongoing passive
education program
for anyone that uses
that router. Maybe
only 1 in 1000
requests trigger the
"test", or once a
month per mac
address maybe. If
grandma fails the
test I can get an
email so I can call
her up and gently
chastise her.
"Grandmaaaa, did
you accept a bogus
SSL certificate
again? Hmmm?"</div>
<div dir="auto"><br>
<div dir="auto">As far
as consent goes, I'm
only talking about
routers you own or
have permission to
modify. That should
go without saying.</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> <br class="webkit-block-placeholder">
</div><p>Fourth, if
<i>you </i>need
"speed bumps"
on <i>your </i>router,
<i>you </i>are
free to have
them. One of
the great
things about
freedom - from
government or
from meddling
busybodies -
is that <i>you
</i>get to be
free too.</p>
<div dir="auto">My
post is in the
context of
businesses or
individuals that
provide Internet to
the public.
businesses and
individuals have the
freedom to do this
kind of SSL
interception, since
they've already been
doing it for years
without any
Personally I'm
disturbed that
businesses will try
to get me to accept
their SSL cert for
their Wi-Fi portal,
but I know the
technology leaves
little choice. One
trick is to ignore
the cert and try
again with a non SSL
<div dir="auto"><br>
<div dir="auto"><span style="font-family:sans-serif">It is pretty ironic that the first thing
these captive
portals ask users
to do is blindly
accept a bogus SSL
cert. It is
really just a sad
state of affairs
that we are
literally training
people to accept
bad SSL
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><p>For years
my Firefox has
had an option
to "always use
HTTPS", and
I'm sure all
other modern
browsers do as
well. Plus, <a moz-do-not-send="true" href="http://Mozilla.org/">Mozilla.org</a> has a
free plugin -
I think it's
from <a moz-do-not-send="true" href="http://EFF.org/">EFF.org</a> - called "HTTPS Everywhere". It's all
very easy to
use, and will
be almost
transparent to
<div dir="auto">This
won't do anything to
protect you/grandma
from bogus ssl
certs. Imagine
connecting to a bad
AP at Starbucks that
is proxying all your
SSL connections.
Your only defense is
trusted roots and
knowing not to
accept bogus SSL
certs. If only we
had a captive
router-based SSL
education program...
<div dir="auto"><br>
<div dir="auto"><br>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> <br class="webkit-block-placeholder">
<div class="elided-text">
<blockquote type="cite">
<div dir="ltr">A
system like I
would just be
tool" to
people to use
It wouldn't
stop you from
just a speed
bump. Now
that I've
thought about
it I'd really
like to
something like
this on my
router. . .
heck, my own
router. . .<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Mar 20,
2017 at 2:50
PM, Vara La
Fey <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:varalafey@gmail.com" target="_blank">varalafey@gmail.com</a>&gt;</span>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><p>Oh HELL
no!! What kind
mentality do
you want
people to
adopt??</p><p>I accept
all the time
because the
whole idea of
is crap in the
first place -
they are NOT
maintained -
and years ago
I got tired of
that procedure
warning me
for sites that
were perfectly
valid.</p><p>I've never
had a problem.
Of course I'm
also careful
where I go,
certificate or
<span class="m_3664614906642159284HOEnZb"><font color="#888888"><p>- Vara<br>
<div class="m_3664614906642159284h5">
PM, Brien
<blockquote type="cite">
<div dir="ltr">Maybe
router should
do SSL
by default.
If a user
accepts a
they are taken
to a page that
scolds them
and informs
them about the
huge mistake
they made,
forces them to
read a few
slides and
take a quiz on
network safety
allowing them
on the
Maybe do the
same for
non-ssl HTTP
traffic, etc..
. <br>
Mon, Mar 20,
2017 at 1:55
PM, Matt
Graham <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:mhgraham@crow202.org" target="_blank">mhgraham@crow202.org</a>&gt;</span>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mon, Mar
20, 2017 at
12:29 PM,
Victor Odhner
&lt;<a moz-do-not-send="true" href="mailto:vodhner@cox.net" target="_blank">vodhner@cox.net</a>&gt;
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I’m really
annoyed that
so many
offer open
WIFI when it
would be<br>
so easy to
secure those
hot spots.
hotels, and
the waiting<br>
rooms of auto
are almost
100% open.<br>
</span> [snip]<span><br>
On 2017-03-20
13:20, Stephen
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This is
usually done
as a means to
be easy for
</span> Pretty
much this.
Convenience is
more valuable
than security
in most
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
they’d be
happy to do
the right
thing if we
could explain
it to the
right people.<br>
</span> I'm
not sure this
would happen.
Setting up
passwords and
passwords has
a non-zero
cost and
offers zero
benefits for
most of the
people who are
using the
And as another
poster said,
what about
passwords to
tens of
thousands of
people is sort
of difficult.
"Just watching
the game" is
not an option;
people want to
pictures of
themselves at
the game.<br>
OTOH, the last
time I looked
at the access
points visible
from my living
room, almost
all of them
had some sort
of access
enabled. Maybe
there's a
forming that
"my access
point" ~= "my
back yard" and
"open access
point" ~= "a
public park"?<br>
[0] Having a
more educated
would make the
benefits more
visible, but
it's very
difficult to
make people
care about
these things.<span class="m_3664614906642159284m_6778587083276554415HOEnZb"><font color="#888888"><br>
-- <br>
Crow202 Blog:
<a moz-do-not-send="true" href="http://crow202.org/wordpress" rel="noreferrer" target="_blank">http://crow202.org/wordpress</a><br>
There is no
Darkness in
But only Light
too dim for us
to see.</font></span>
<div class="m_3664614906642159284m_6778587083276554415HOEnZb">
<div class="m_3664614906642159284m_6778587083276554415h5"><br>
mailing list -
<a moz-do-not-send="true" href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe,
or to change
your mail
<a moz-do-not-send="true" href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a></div>
