Aaron, please explain this in more detail for the non-pros here. Thanks.
Stephen
On 6/10/19, 12:00 PM, "PLUG-discuss on behalf of plug-discuss-request@lists.phxlinux.org" <plug-discuss-bounces@lists.phxlinux.org on behalf of plug-discuss-request@lists.phxlinux.org> wrote:
Send PLUG-discuss mailing list submissions to
plug-discuss@lists.phxlinux.org
To subscribe or unsubscribe via the World Wide Web, visit
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.phxlinux.org%2Fmailman%2Flistinfo%2Fplug-discuss&data=02%7C01%7C%7C18286fbd325b4789400d08d6edd5d8f6%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636957900060219780&sdata=aYnH1yYB9vEAE2NpvKbbPZ%2FWGSBFzSFdW7jCKWF0fIc%3D&reserved=0
or, via email, send a message with subject or body 'help' to
plug-discuss-request@lists.phxlinux.org
You can reach the person managing the list at
plug-discuss-owner@lists.phxlinux.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of PLUG-discuss digest..."
Today's Topics:
1. Privacy on Public WiFi (trent shipley)
2. Re: Privacy on Public WiFi (Aaron Jones)
3. Re: Privacy on Public WiFi (Stephen Partington)
4. Re: Privacy on Public WiFi (Michael Butash)
----------------------------------------------------------------------
Message: 1
Date: Sun, 9 Jun 2019 21:13:09 -0700
From: trent shipley <trent.shipley@gmail.com>
To: Main PLUG discussion list <plug-discuss@lists.phxlinux.org>
Subject: Privacy on Public WiFi
Message-ID:
<CAEFLybLM7VYYy8LrD0gVBc1_e14hCqX0VZnKJyAb_ixHUotz+w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
A while ago I was at the downtown Scottsdale public library with my
computer. They had open, public WiFi--which I was NOT going to use. I
tried to use my mobile phone data, but the reception inside the building
was Terrible!
It seems like the problem of insecure public WiFi should be surmountable.
How hard would it be do develop technology that puts a key on a $1 or $2
USB, that you buy (put a deposit on) at the reception desk (or from a
machine). You also get an FOSS app. The app takes the key on the cheap
USB and securely logs you into the library's (or Starbucks) public WiFi.
The library determines how long the key(s) on the USB is (are) good for.
When you're done. You turn the little USB in for your deposit. The
library wipes the usb clean, puts another key on the usb, and vends it
again.
1) Does this exist at "trivial" cost to the WiFi user?
2) If not, how feasible is it?
3) If it does not exist, and is feasible, who would be interested in this
as a project with a goal of a demo install at a local library, non-profit
coffee house, etc. and RFC?
Trent
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.phxlinux.org%2Fpipermail%2Fplug-discuss%2Fattachments%2F20190609%2F43223bb7%2Fattachment-0001.html&data=02%7C01%7C%7C18286fbd325b4789400d08d6edd5d8f6%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636957900060219780&sdata=HN%2F%2F%2B1bvhtIb4n3NovAae6N2x2FwyYDmMc7NAsy0GVM%3D&reserved=0>
------------------------------
Message: 2
Date: Mon, 10 Jun 2019 04:05:47 -0700
From: Aaron Jones <retro64xyz@gmail.com>
To: Main PLUG discussion list <plug-discuss@lists.phxlinux.org>
Subject: Re: Privacy on Public WiFi
Message-ID: <547F0823-BFD0-41AD-86CB-E9F80AF44896@gmail.com>
Content-Type: text/plain; charset=utf-8
Use a Raspberry Pi as a middle man and a reliable VPN. No cost for the library and 20x safer for you.
Don’t plug stuff into your ports.
> On Jun 9, 2019, at 9:13 PM, trent shipley <trent.shipley@gmail.com> wrote:
>
> A while ago I was at the downtown Scottsdale public library with my computer. They had open, public WiFi--which I was NOT going to use. I tried to use my mobile phone data, but the reception inside the building was Terrible!
>
> It seems like the problem of insecure public WiFi should be surmountable.
>
> How hard would it be do develop technology that puts a key on a $1 or $2 USB, that you buy (put a deposit on) at the reception desk (or from a machine). You also get an FOSS app. The app takes the key on the cheap USB and securely logs you into the library's (or Starbucks) public WiFi. The library determines how long the key(s) on the USB is (are) good for.
>
> When you're done. You turn the little USB in for your deposit. The library wipes the usb clean, puts another key on the usb, and vends it again.
>
> 1) Does this exist at "trivial" cost to the WiFi user?
> 2) If not, how feasible is it?
> 3) If it does not exist, and is feasible, who would be interested in this as a project with a goal of a demo install at a local library, non-profit coffee house, etc. and RFC?
>
> Trent
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.phxlinux.org%2Fmailman%2Flistinfo%2Fplug-discuss&data=02%7C01%7C%7C18286fbd325b4789400d08d6edd5d8f6%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636957900060219780&sdata=aYnH1yYB9vEAE2NpvKbbPZ%2FWGSBFzSFdW7jCKWF0fIc%3D&reserved=0
------------------------------
Message: 3
Date: Mon, 10 Jun 2019 07:54:53 -0700
From: Stephen Partington <cryptworks@gmail.com>
To: Main PLUG discussion list <plug-discuss@lists.phxlinux.org>
Subject: Re: Privacy on Public WiFi
Message-ID:
<CACS_G9wC4XnfBWMxO5WrudPvu8snzOx7wgpz0XPwvGjVuvWGUg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
This is exactly what VPN is designed for.
The reason public wifi is insecure is that it is shared among everyone. Now
if you could build your router to prevent anyone from talking to each other
and just the outside world that would have your desired effect. Or maybe a
partnership with a VPN provider.
On Sun, Jun 9, 2019 at 9:13 PM trent shipley <trent.shipley@gmail.com>
wrote:
> A while ago I was at the downtown Scottsdale public library with my
> computer. They had open, public WiFi--which I was NOT going to use. I
> tried to use my mobile phone data, but the reception inside the building
> was Terrible!
>
> It seems like the problem of insecure public WiFi should be surmountable.
>
> How hard would it be do develop technology that puts a key on a $1 or $2
> USB, that you buy (put a deposit on) at the reception desk (or from a
> machine). You also get an FOSS app. The app takes the key on the cheap
> USB and securely logs you into the library's (or Starbucks) public WiFi.
> The library determines how long the key(s) on the USB is (are) good for.
>
> When you're done. You turn the little USB in for your deposit. The
> library wipes the usb clean, puts another key on the usb, and vends it
> again.
>
> 1) Does this exist at "trivial" cost to the WiFi user?
> 2) If not, how feasible is it?
> 3) If it does not exist, and is feasible, who would be interested in this
> as a project with a goal of a demo install at a local library, non-profit
> coffee house, etc. and RFC?
>
> Trent
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.phxlinux.org%2Fmailman%2Flistinfo%2Fplug-discuss&data=02%7C01%7C%7C18286fbd325b4789400d08d6edd5d8f6%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636957900060229785&sdata=l35B90p9HK1tBnXrNgsQJkRqI2tlu4B75o1QkSCqzFY%3D&reserved=0
--
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.
Stephen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.phxlinux.org%2Fpipermail%2Fplug-discuss%2Fattachments%2F20190610%2F680cacac%2Fattachment-0001.html&data=02%7C01%7C%7C18286fbd325b4789400d08d6edd5d8f6%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636957900060229785&sdata=ksjjZFJScFOAEU%2FBHezjykpGPat6X6eUWBcZxV2j5EE%3D&reserved=0>
------------------------------
Message: 4
Date: Mon, 10 Jun 2019 10:02:06 -0700
From: Michael Butash <michael@butash.net>
To: Main PLUG discussion list <plug-discuss@lists.phxlinux.org>
Subject: Re: Privacy on Public WiFi
Message-ID:
<CADWnDst7FzSqH89gWx_bUHvVcZpYnfvDR0_Dhf86ERSb3=-p6Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
I don't see much of an issue with using public wifi so long as you know
whatever you're doing that is important/sensitive is encrypted. I don't
use any public wifi any more than absolutely required, but otherwise almost
every *responsible* website or service uses tls for https traffic today
anyways, or as stated - you use a vpn to ensure no one locally at least is
sniffing your wifi session. If your websites or services aren't using
https, you shouldn't use them, as even a vpn has to egress to regularly
internet somewhere that has a government (or other) black box sniffing it
too.
I agree, it would be nice if there were a better method of getting public
users encrypted, but without some unique key exchange per user, or at very
least a white-list method (remember the wps buttons that generated a weak
numerical pin?) to make strong, or at least random, it'll remain weak at
best, and probably eventually exploitable.
A hardware solution is a non-starter though. Where does a phone or tablet
have a usb slot to get on? Certainly whoever made it wouldn't support
linux, or a foss solution as it doesn't incentivise anyone to produce said
hardware. Hand out yubikeys, but client software and use is still
problematic even with u2f per os for something like wifi use.
If you did hardware, I'd imagine nfc-based for mobiles, make them come up
and swipe a token to get the pass of the day to get on, and it changes
every day. PC's you just rotate a common key to give to customers every
day and print/display for users inside the establishment every day. Even
just use a one-time token generator with a numeric key held by
*someone(s)*. I've seen medical offices handling guest wifi by changing
keys daily for at least any guest ssid and just printing the daily guest
wifi inside reception, which keeps persistent users from access outside the
establishment doing probably nothing good.
This can be done with any enterprise-ish wifi solution that supports
Private-PSK functions, or many-to-one passwords for the same ssid.
Aerohive, Cisco, Juniper/Mist, Aruba, etc all tend to do this, leverage otp
generation via Duo, Google Authenticator, or other "app".
Even once encrypted, do you still trust the internet source though, that
their router isn't infected from running a 10yr old firmware? You
shouldn't, again vpn, or at least ensuring who you're accessing is using
tls, and you trust their cert.
Interestingly enough being in Santa Monica CA on business. their public
library gets swarmed daily with homeless that really love their free public
wifi there (seems even homeless all have cell phones these days), that I
can only imagine the cesspool of devices there that could be
hijacked/man-in-the-middle'd easily on non-encrypted wifi. Even just build
a fake public access ap to mitm, then infect... Being that I'm there doing
work *for* the city, it's something I have mentioned to folks as a problem.
-mb
On Sun, Jun 9, 2019 at 9:13 PM trent shipley <trent.shipley@gmail.com>
wrote:
> A while ago I was at the downtown Scottsdale public library with my
> computer. They had open, public WiFi--which I was NOT going to use. I
> tried to use my mobile phone data, but the reception inside the building
> was Terrible!
>
> It seems like the problem of insecure public WiFi should be surmountable.
>
> How hard would it be do develop technology that puts a key on a $1 or $2
> USB, that you buy (put a deposit on) at the reception desk (or from a
> machine). You also get an FOSS app. The app takes the key on the cheap
> USB and securely logs you into the library's (or Starbucks) public WiFi.
> The library determines how long the key(s) on the USB is (are) good for.
>
> When you're done. You turn the little USB in for your deposit. The
> library wipes the usb clean, puts another key on the usb, and vends it
> again.
>
> 1) Does this exist at "trivial" cost to the WiFi user?
> 2) If not, how feasible is it?
> 3) If it does not exist, and is feasible, who would be interested in this
> as a project with a goal of a demo install at a local library, non-profit
> coffee house, etc. and RFC?
>
> Trent
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.phxlinux.org%2Fmailman%2Flistinfo%2Fplug-discuss&data=02%7C01%7C%7C18286fbd325b4789400d08d6edd5d8f6%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636957900060229785&sdata=l35B90p9HK1tBnXrNgsQJkRqI2tlu4B75o1QkSCqzFY%3D&reserved=0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.phxlinux.org%2Fpipermail%2Fplug-discuss%2Fattachments%2F20190610%2Fae831f2c%2Fattachment-0001.html&data=02%7C01%7C%7C18286fbd325b4789400d08d6edd5d8f6%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636957900060229785&sdata=zessCihj8YyH8ohLnXQ8OZy0x1iTannv2nWgRXCnaEE%3D&reserved=0>
------------------------------
Subject: Digest Footer
_______________________________________________
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.phxlinux.org%2Fmailman%2Flistinfo%2Fplug-discuss&data=02%7C01%7C%7C18286fbd325b4789400d08d6edd5d8f6%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636957900060229785&sdata=l35B90p9HK1tBnXrNgsQJkRqI2tlu4B75o1QkSCqzFY%3D&reserved=0
------------------------------
End of PLUG-discuss Digest, Vol 168, Issue 5
********************************************
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
(text/plain)