Sunday, August 30, 2009

So use DMCA Counter-Claim!


In a recent event, it appears that the secure-boot key for the TI-83+ calculator was brute-forced, and Texas Instruments is trying to put the genie back in the bottle by sending out DMCA take down notices. Those receiving the notices are responding foolishly to them instead of filing proper counter-claims. I don't know why.

SECURE BOOT

Many devices are configured so that they will only boot a "signed" operating system. This means that the iPhone's hardware will only boot software signed by Apple, so you cannot install Linux or Windows Mobile on it.

Secure-boot is designed primarily for things that load copyrighted material, like music, videos, and games. However, it's a standard feature of hardware/software development kits. Thus, even simple things like the TI-83+ calculator support secure boot.

The TI-83+'s key was recently cracked with brute-force. This is an interesting milestone. While we have known for some time that it is theoretically practical to crack a 512-bit key, the practical achievement of that feat changes how we think of cybersecurity. That means hackers can pretend to be TI and sign their own operating system for the TI-83+ device. It has implications for everything else using 512-bit RSA keys.

Apparently, the key was cracked with a single desktop computer (dual-core 1.9-GHz) in around 73 days of compute time using software called GNFS (GGNFS+MSieve). It required a database of 52-million relations, or 4.9-gigabytes, and it used 2.5-gigabytes of RAM.

DMCA TAKEDOWN

TI doesn't like this. Their lawyers have been sending out DMCA "takedown" notices to everyone publishing the key, as well as anybody linking to the key.

Curiously, receivers of the takedown notice have posted "responses" on their sites that have nothing to do with the DMCA. Brandon Wilson has replied to this notice with this response. Tom Cross responds to this notice with this response.

I don't understand the purposes of these responses. They aren't proper "counter-notices" under the DMCA. They have no effect. The lawyers who receive them don't care. They have no impact on publicity. It's like sending a letter to Santa Claus that you didn't like your Xmas presents. It's like yelling at your car when it breaks -- the car doesn't really care. Such responses have no effect on anything.

The law is like code. Actually, the law IS code. We use computer "code" as an analogy for the original definition of code as used in law. The original DMCA notice is programmed according to a specific code. If you want your response to have an effect, it must likewise be coded according to the law.

Consider this line from the original TI takedown notice:

"I hereby confirm that I have a good faith belief that use of the Illegal Material in the manner complained of in this letter is not authorized by the copyright owner"


That line doesn't exist because the sender wanted it to be there, it exists because the law [512(c)(3)(A)(v)] requires such a statement. It's code.

COUNTER-CLAIM

You have to respond in the same code. Simply assert that the material was taken down in error, and that you consent to the jurisdiction of the local federal courts to decide the matter, and that you'll have to put the content back on your site within 14-days. Here is an example counternotice from ChillingEffects.org. They have an automatic counter-notice form here.

This situation is a bit more complicated than that. The original takedown notices are in error. It's not like TI sending a takedown notice to blogger.com to remove something on this blog. In Tom Cross's case, he is both the operator AND the person posting the content.

Of course, when you do this, you are asking TI to sue you. They probably won't, but it's a chance you'll be taking. They spam out a bunch of these letters without ever really caring if people comply with them or not. But here's the thing: you can't sit at home and whine about how unfair the man is. You have to be willing to stand up for what you believe in.

THE TIME AND PLACE

The place to make your arguments is in the courts. That's the only place where they will listen.

In your discussions with TI, they don't explain to you why they think it's infringing. They simply promise you, under threat of perjury, that they have good reasons to think so. Likewise, you don't state your reasons for believing the opposite. You simply state, under threat of perjury, that you have good reason to disagree.

Then, you both go to court and explain your reasons.

Making your arguments to TI will have no effect. They have selective deafness. If they listened to your arguments, they might believe them, and would no longer be able to, in good faith, send out takedown notices. Therefore, no matter how many e-mails you send them, they won't listen.

It's like debt collectors (which many in this economic climate may have dealings with). Arguing that you don't owe them anything doesn't work; they don't care, they aren't listening. But you can simply tell them that you believe (in good faith) you don't owe them any money. They then have to stop calling you (according to the legal code) and address the issue in the courts.

I AM A BASTERD, NOT A REVOLUTIONARY

I don't like the DMCA. I'm not going to cave to the man like this. I don't think these links infringe copyright. I don't know the link these guys were asked to take down, but I believe it is "http://www.unitedti.org/index.php?showtopic=8888" (or maybe this link to the older Google cache of that page). Therefore, TI may be sending a message to Google in the near future asking them to take this down. If they do, this will be my counter-claim (to Google/Blogger):

In regards to the material at "http://erratasec.blogspot.com" removed by you pursuant to 17 U.S.C. Section 512. I have a good faith belief that this material was removed or disabled in error as a result of mistake or misidentification of the material. I declare that this is true and accurate under penalty of perjury under the laws of the United States of America.
For the purposes of this matter, I consent to the jurisdiction of the Federal District Court for the judicial district in Northern Georgia. I also consent to service of process by the person providing notification under Section 512(c)(1)(C) or that person's agent. However, by this letter, I do not waive any other rights, including the ability to pursue an action for the removal or disabling of access to this material, if wrongful.
Having complied with the requirements of Section 512(g)(3), I remind you that you must now replace the blocked or removed material and cease disabling access to it within fourteen business days of your receipt of this notice. Please notify me when this has been done.
I appreciate your prompt attention to this matter. If you have any questions about this notice, please do not hesitate to contact me.

Sincerely,
Robert David Graham
robert_david_graham@yahoo.com

Friday, August 28, 2009

Intel’s Atom vs. Cybersecurity


Intel has two new exciting CPUs: the low-powered "Atom" and the fast "Nehalem" aka. Core i7. I thought I'd cover some points related to the Atom processor.

WHAT MAKES IT DIFFERENT

The Atom sacrifices performance for power efficiency. It's roughly 1/10th as fast as the fastest desktop processor, but consumes 1/100th the electrical power.

It's a completely new design. Intel's current processors (like the Nehalem/Core-i7 and the Core2) are derived from the line of processors first shipped in 1998 as the "Pentium Pro" or "P6". The major difference in the designs is that the mainstream processors are "out-of-order", whereas the Atom is "in-order/hyper-threaded". That means for single-threaded applications, the Atom is roughly half as fast in comparison.

The major competitor to the Atom is the "CULV" or "Consumer Ultra Low Voltage" processors from Intel. You'll see equivalent netbook/notebook designs from manufacturers like Asus, Acer, or MSI that look otherwise identical except for the processor: either a 1.6-GHz Atom or a 1.4-GHz Core2-Solo/CULV. Because of the in-order vs. out-of-order difference, single-threaded tasks will be half as fast on the Atom machines. On the other hand, in applications that can take advantage of two threads, the Atom machine is just as fast as the CULV machine.

DISPOSABLE COMPUTING

In my pentests, I need computers that I can damage, lose, or deliberately throw away. The Atom forms the basis for most cheap $200 "netbook" computers. This is less than our hourly consulting rate, so it fits the bill perfectly.

These are great for "wired" assessments, where I'm running tools like Nessus to scan behind the firewall or sniff packets from a (100-mbps) connection.

These are even better for "wireless" assessments, where I need to leave a computer outside a building scanning, or set up an "evil twin" to trick employees. Maybe somebody will have discovered the computer and taken it, maybe it gets rained on -- it's only $200, so it's not a big deal.

The devices are also extremely small and portable. We can travel with a bunch of them on the plane in our carry-on luggage. They are also damn sexy: I've never been one to mess up my laptop with stickers and trinkets, but it's fun to decorate the cheap netbooks.

This story is apparently about a pentest/hack where the perp sent netbooks to an office appearing to be from HP, but likely containing malware.

VIRUS ANALYSIS

I'm infecting my Windows netbooks with viruses. It's pretty easy to clone a small system, infect it with a virus, then restore the cloned image.

I prefer doing this because I get a more "real" assessment of the virus. A lot of them check for VMware, a lot of them check for "known" IP addresses. I can take a netbook to a public cafe, log on there, infect my computer, then sniff the traffic with a second computer. It simulates a much more "real" environment for the virus.

LOW POWER

Like all such geeks, I have a large test lab running many operating systems and servers. These systems run 24-hours a day. This causes a large electricity bill. I've converted most of these to Atom processor systems, such as the Eee Box desktop computer (typically 15 watts), netbooks (10 watts), and I'm thinking of the Acer easyStore home server.

This has had a noticeable effect on my server room, drastically reducing temperatures. It's a big drop from a system running over 100-watts at idle to one running 15-watts.

Note that the Atom processor itself runs at just a couple watts, but the remaining chips in the system run at 10 to 15 watts. I notice that on the lowest power system I have, there's less than 1 watt difference between "sleep" mode and "password cracking" mode.

FULL FEATURE

The Atom processor line supports all the recent major features of Intel processors, such as "virtualization", "NX" bit, SSE3, 64-bit, hyper-threading, and so on.

Strangely, there isn't a single version of the processor that supports all these features at the same time. The ones that support 64-bit don't support the VT virtualization extensions (although you can still do the older form of virtualization). According to this website, a guy is running ESXi on a Dell Mini 9.

Intel has a nice site for comparing features of the Atom processor.

PASSWORD CRACKING

One of the biggest changes in the Core2 processor (vs. the older Pentium M and Pentium 4) is that the SSE instructions ran at the full 128-bit width. Prior to that, while SSE registers were 128-bits wide, they would only process the first 64-bits in one clock cycle, then the second 64-bits in the next clock cycle. Thus, the Core2 represented a 2x increase in SSE speed.

That was one of my biggest questions for the Atom: is their SSE implementation like the old processors or the new processors? I couldn't find this documented anywhere, so I had to benchmark my password cracking code (which uses SSE instructions).

I assumed the worst, but was pleasantly surprised: the Atom processor executes a full 128-bits in a single clock cycle. That means that for SSE code, a 1.6-GHz Atom will be faster than a 1.4-GHz Core2-solo/CULV at password cracking. These are indeed the results that I get. Likewise, my dual-core Atom 330 system (Eee Box) is as fast as my dual-core MacBook Air 1.86-GHz Core 2 Duo (faster, even, because the cooling often kicks in, throttling the CPU).

Note that the processors require different optimizations. The Atom requires very simple code that can be easily hyperthreaded. The Core2 requires manually interleaving two streams of instructions that run in a single thread.

Since 100% CPU usage is roughly the same electrical power usage as 0%, I leave password cracking running in the background on Atom servers.

SMALL DEVICES


These netbooks use close to the same power as other devices in my home. My WRT54G uses 8-Watts, my Acer Aspire uses 12-Watts (picture on right) with screen turned off and battery removed (while running password cracker at 100% CPU). The WRT54G is a WiFi access-point/router from Cisco that is famous for hackers replacing the firmware with their own special Linux distros. With only 4-megs of flash and 16-megs of RAM, it's much more limited than netbooks that start at 4-GIGS of flash and 512-megs of RAM.

You can install "soft APs" to convert a netbook into an access-point, and install other goodies like intrusion-detection systems and firewalls. While they are far from perfect, they can make nice little home devices.

X86 VS ARM

In theory, RISC processors (especially ARM) should be a better solution for low-powered, highly-functional devices. There are lots of nice ARM solutions (like this wallplug computer or bigger devices like this one). The new ARM Cortex 9 looks extremely sexy.

Yet, these don't turn out so well in practice. These ARM devices don't work like computers I'm familiar with. I can't simply stick in a CD or USB drive, boot the machine, and install my favorite distro with my favorite developer tools. Instead, I have to install ARM cross compilers on my Linux box and go from there. It's very annoying. I'd be willing to go through the effort if I'm developing a special device to sell to customers, but I'm not willing to bother if I just want to create a device for myself. It's just easier to get a $200 netbook.

There is also some value in familiarity with the x86 instruction set. While Atom's in-order design is a radical departure from previous Intel CPUs, old rules for optimizations generally apply. More importantly, things like SSE behave the same, and work elegantly, whereas on ARM processors, multimedia instructions are a bit weird.

CONCLUSION

I like the Atom because I can now throw a cheap computer at a problem and solve it, especially my ever hotter server room.

Wednesday, August 26, 2009

The Sins of the FSF

As Microsoft launches closed-source "Windows 7", the FSF has created a website about Windows 7 Sins, detailing 7 sins that Windows makes. I thought I'd rebut their claims.


1. Poisoning education The FSF claims that "Microsoft spends large sums on lobbyists and marketing to corrupt educational departments". Well, so does the "free-software" movement. There are unpaid enthusiasts everywhere trying to convince educational departments to move to open-source like Linux. There are also big multinationals (Sun, IBM) selling hardware/services that lobby government for laws favoring open-source. They are no more truthful about the advantages/costs of open-source than Microsoft is of Windows.

What makes Microsoft different, however, is that they listen to children. They spend hundreds of millions on usability exercises listening to children using Windows. They believe that only by listening to children can you "empower" them. On the 7-sins website, the FSF has a picture of the OLPC or "One Laptop Per Child". The OLPC was created for children by a bunch of professors, but was made without any user input from the children themselves. The only feedback from children are photo opportunities where children are encouraged to confirm how wonderful the system is, in a truly Orwellian fashion.

2. Invading privacy The FSF has a point here, I won't deny this one. I will point out that right now, this privacy invasion is tiny. While it's a bad principle, it's not so bad in practice.

3. Monopoly behavior The FSF claims that "nearly every computer purchased has Windows pre-installed". This is a lie. More computers ship with Linux (a "free" operating system) than Windows. The only place Microsoft dominates is the desktop. Everywhere else, from mobile phones to wireless access-points to home media devices to Internet servers, Microsoft loses out to Linux (and other operating systems). It's the "free" operating system Linux that dominates the world - it's only the desktop where Microsoft dominates.

Moreover, Microsoft is losing the war for the desktop. Computing has moved to the cloud, where Linux dominates. Less and less time is spent with applications installed on the desktop and more and more time is spent with web-based services accessible via any device, such as mobile phones.

Microsoft is in the position IBM was in the 1980s, when the world moved away from mainframes (dominated by IBM) and embraced desktop computers. Today, people are moving away from the desktop. Linux will never unseat Microsoft on the desktop - but it will become the eventual victor as the desktop becomes irrelevant. The FSF demeans itself by continuing to fight against a has-been company like Microsoft trying to undo its victory of the past; it should be fighting for new markets in the future.

4. Lock-in The FSF claims "Microsoft regularly attempts to force updates on its users, by removing support for older versions of Windows and Office". This is so not true. Microsoft does the reverse, supporting old technologies long after it becomes uneconomical to do so. Microsoft continues to support Windows NT, developed in the 1990s - as long as you pay extra for it. The only thing that stops is free support.

Even Linux deals with the fact that technology changes, and they have to remove support for older stuff from the default kernel. The 'atime' issue is one of the more amusing examples of this. If you've got an old version of Linux, and there is a problem needing to be fixed, you'll have to pay somebody to fix it -- just like Microsoft.

More amusing is the GNU public license viral "lock-in", which is more of a fight against other open-source licenses rather than a fight against closed-source.

5. Abusing standards The FSF claims that Microsoft tries to block standardization. This isn't true. I've been through numerous standardization efforts; I know how this works. Standards are driven by people who have a narrow focus on an ideal implementation, but who have little experience in the dirty practical details. In this case, they are driven by people who have never created their own word processor, but who want to tell word processing companies how to do their job. Microsoft is fighting for support of features that would be obvious to anybody who has written word-processing software, but which the standards body doesn't understand.

The Internet was created by people who created working implementations FIRST, and then standardized the implementation SECOND. Microsoft is fighting a standards process that works the other way around. Adopting Microsoft's format would be the smartest thing for the standards body to do.

6. Enforcing Digital Restrictions Management (DRM) I agree partially with the FSF here. I believe that if YOU buy something, it should support YOUR rights. It should not support SOMEBODY ELSE'S rights over YOURS. On the other hand, I don't use Microsoft's Media Player - I use VLC. The media player isn't part of the operating system, it's just an application. Using Windows does not stop you from using things like iTunes or VLC.

7. Threatening user security This is another outright lie by the FSF. The history of Windows vulnerabilities is no worse than Linux. A "virus" is something that spreads among desktops - since Linux has virtually no desktops, it of course has virtually no viruses. The lack of Linux viruses doesn't mean Linux is better, it simply means that hackers go after the biggest target.

More importantly, Microsoft has become the leader in security, both in terms of how code is written (like the SDL) as well as features in the operating system (like ASLR). It is Linux and the open-source community that is catching up with Windows security, and not the other way around.

Summary The FSF pretends to claim the "moral high ground", so few question them. Yet, they are an Orwellian organization based upon the 1984 slogan that "Freedom is Slavery". While they are the polar opposite of Microsoft, that doesn't make them any less sinful.

Monday, August 17, 2009

$169 Eee 900 disposable computer

At Woot.com, they are selling an Eee 900 netbook for $169 (today only, of course).

It's a limited computer, of course, but that's not the point. What makes it wonderful is that it's disposable. We use these in pentesting, leaving it behind attached to a wired network, or wifi scanning. It has an Atheros WiFi chip, which is the best under Linux for Wifi pentesting. The great thing about it is that if it's destroyed, lost, or stolen, you are out just $170. What's also cool is that you can boot from SD cards with different versions of Linux (e.g. Backtrack), for a complete set of pentest tools.

Another option, btw, is the Acer Aspire One AO751h. I saw one at Costco for $329. It also has an Atheros WiFi for pentesting. However, that unit is 11.6 inches with a full sized keyboard. I've sat in a cramped car pentesting with the Eee 900 -- it would've been much easier with that Acer unit.

I got my mom an Eee 1000he (she travels a lot) for $300. Unfortunately, she doesn't get the idea of a "disposable" computer and takes care of it like it's something valuable. She keeps it in the case, even with the slip of cloth inside between the screen and keyboard. She wipes off fingerprints. In my mind, she should treat it more like I treat my MacBook Air, which has picked up numerous dents and scratches since I got it 10 months ago.

A recent episode of the series "Burn Notice" showed the main character leaving behind a netbook monitoring a network. It looked like a product placement and was not material to the plot, but it shows the sort of thing I do with pentesting.

SQL injection not sophisticated


I was reading this news story about the recent 130-million stolen credit card numbers. The story says:
According to the Justice Department, the suspects used a sophisticated hacking technique called an "SQL injection attack"...


SQL injection is not sophisticated. It is extremely easy. A million teenage hackers around the world know how to break into websites using SQL injection.

This is the reason SQL injection is so common. The programmers who create websites believe that SQL injection is a "theoretical" vulnerability that does not endanger their websites in practice. They are wrong -- it's easy for someone of average hacking skill to exploit.

Because these programmers don't believe in the problem, SQL injection problems are wide-spread. They seem to be everywhere I look. Here are some recent examples:


The news article should have instead said "Hackers used the well-known SQL injection technique" rather than the "sophisticated" technique.

UPDATE: Dan Goodin at The Register gets it right, describing it as a garden-variety exploit. I guess that's the difference between IT press and mainstream press: for one, it's "garden-variety", for the other, it's "sophisticated".

Clear(tm) WiMax

I got the "Clear" WiMax service. Here is a quick review of the service.

As the picture shows, Speedtest.net reports that I'm getting 7-mbps down and 500-kbps up with 73-ms latency. This is competitive with wired speeds. I usually get high-speed service all around Atlanta. I also get service in Portland and Las Vegas, the other two cities currently supported. I'd guess that I will get service in future cities Clear will support.

However, coverage sucks. Signal at home sucks, even though it's in the middle of the coverage area, and occasionally I don't get coverage in other parts of Atlanta. More importantly, Clear doesn't work outside of metropolitan areas.

In contrast, while my AT&T 3G is much slower, it always works -- even in unpopulated areas. If the 3G service doesn't work, AT&T's service backs off to 2G "EDGE" dial-up speeds, so I can still at least send/receive e-mail.

The reason for Clear's coverage issues is that it can't have the same coverage as mobile phones. In the case of mobile phones, a carrier will buy spectrum from the government that covers an entire city, or possibly an entire state. That means they can put up towers wherever they want to maximize coverage and connectivity. Clear's WiMax is different. They are using the 2.5-GHz "education" band. This is spectrum given away to education institutions (high-schools, universities, churches) a few decades ago. It was intended for local education TV broadcasts, but virtually no school used it. Clear has leased this spectrum for their WiMax service. This means that coverage is spotty because they need to have a nearby school license its spectrum to them. This means coverage is likely never going to be as good as mobile phone coverage.

The Clear service is unlimited, so I can run BitTorrent on the connection (in theory, I haven't tried it yet). In contrast, AT&T has a bandwidth cap of around 5-gigabytes. A few months ago, I left last.fm running, exceeded the AT&T bandwidth cap, and got stuck with a $500 overage bill.

Both AT&T 3G and Clear cost roughly the same. I've got two USB Clear adapters for $55/month (so two people can use it simultaneously).

I haven't done any security work on it yet. I'll get around to cracking the baseband on my adapter and writing software for the USRP, but it will probably be a while before I get around to it.

Wednesday, August 12, 2009

UN's website still vulnerable after 2 years


Two years ago today, I blogged about a defacement of the UN.org website. I noted that while they removed the defaced webpages, they had not yet fixed the vulnerability.

I checked today, and they STILL haven’t fixed the SQL injection vulnerability that led to their defacement. Hackers can still deface their website at will. Just put a quote in the ASP parameter and off you go, such as http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=10'5.
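The statID quote probe above, as an added example that is not the UN's code (their schema is unknown; the table and log lines here are constructed): the string-concatenated lookup beside a validated, parameterised one, plus a check over web-server log lines for a supposedly numeric parameter carrying anything other than digits.

```python
"""Vulnerable vs. hardened lookup for a ?statID= parameter, plus a log check (added example)."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for an articles table; the real UN schema is not known.
SAMPLE_STATEMENTS = [
    (105, "Remarks to the General Assembly"),
    (106, "Statement on climate negotiations"),
    (107, "Message on World Humanitarian Day"),
]

# Constructed common-log-format lines: a normal request and the 10'5 probe (quote URL-encoded).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2009:10:01:02 +0000] "GET /apps/news/infocus/sgspeeches/statments_full.asp?statID=105 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Aug/2009:10:01:09 +0000] "GET /apps/news/infocus/sgspeeches/statments_full.asp?statID=10%275 HTTP/1.1" 500 312',
]

NUMERIC_PARAMS = {"statID"}  # parameters the application expects to be integers


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (statID INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO statements VALUES (?, ?)", SAMPLE_STATEMENTS)
    return conn


def lookup_vulnerable(conn, stat_id):
    """String concatenation: the parameter becomes part of the SQL text itself.
    A quote in statID (e.g. 10'5) breaks the statement, which is exactly the
    error-based probe the post describes."""
    sql = "SELECT title FROM statements WHERE statID = " + stat_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, stat_id):
    """Hardened version: validate the expected type, then bind the value as a
    parameter so the database driver never interprets it as SQL."""
    if not re.fullmatch(r"\d{1,9}", stat_id):
        raise ValueError("statID must be a small positive integer")
    return conn.execute(
        "SELECT title FROM statements WHERE statID = ?", (int(stat_id),)
    ).fetchall()


def classify(conn, stat_id):
    """Run both code paths on one input and report what each does with it."""
    result = {}
    try:
        result["vulnerable"] = lookup_vulnerable(conn, stat_id)
    except sqlite3.Error as exc:
        result["vulnerable"] = "SQL error: %s" % exc
    try:
        result["safe"] = lookup_safe(conn, stat_id)
    except ValueError as exc:
        result["safe"] = "rejected: %s" % exc
    return result


def flag_requests(log_lines):
    """Scan common-log-format lines and flag numeric parameters that carry
    non-digit content (quotes, comments, keywords): a cheap early-warning check."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        path = parts[6]  # request path sits after the opening quote and method
        query = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for name in NUMERIC_PARAMS:
            for value in query.get(name, []):
                if not re.fullmatch(r"\d+", value):
                    flagged.append((parts[0], name, value))
    return flagged


if __name__ == "__main__":
    db = make_db()
    for probe in ("105", "10'5"):
        print(probe, classify(db, probe))
    print(flag_requests(SAMPLE_LOG))
```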



There are a couple lessons here. The first is that no matter how simple the fix, organizations like the UN cannot do it. Despite the fact a high-school intern can fix the bug in 5-minutes, the bureaucracy means that the organization must spend tens of thousands of dollars to fix the bug. A project manager needs to coordinate with external consultants. They need to plan the timeline of the change, and verify it works. They need to get agreement from various levels of management who don’t understand cybersecurity and are likely to veto the change.

The other lesson is that the cost of NOT fixing the bug is low. The UN can simply live with the problem, and clean up after every hack. The site only contains articles, it contains nothing else interesting (like private financial information). Even with such a simple and obvious vulnerability, they are unlikely to get hacked more than once or twice a year (indeed, it appears they haven’t gotten hacked for the last two years).

Together, both these things mean that it’s cheaper for the UN to clean up after each break-in rather than fix the vulnerability. At least, this is what their management feels.

Thursday, August 06, 2009

Astroturfing AV: When the wolves guard the hen house

Like any typical morning, I woke up, picked up my iPhone, fired up a twitter app and prepared to be educated about current happenings in the world. I was initially bored when I stumbled across a blog post on the Kaspersky Lab Security sponsored site "threatpost" entitled “Some Researchers Lack Basic Ethics”. I assumed that I would read another generic article about AV researchers selling warez to the Russian Mafia or something truly nefarious along those same lines. Instead I was treated to a thinly disguised PR talking point by a Kaspersky researcher, Roel Schouwenberg. The central theme of Schouwenberg's post was the vilification of ethicless researchers who demonstrate how easily an attacker can evade signature based AV systems.

The evil ethics-lacking incident drawing the ire of Schouwenberg is a University of Michigan project, Polypack. The Polypack Project is a website that demonstrates how Crimeware-as-a-Service, a generic term describing anyone who creates malware for a system, works, using a specific detected malware sample that the user uploads to the site. To quote Schouwenberg:
“The idea behind the site is that people can upload (detected) malware files and make them undetected by as many anti-virus products as possible.”

Being able to tell how easy a malware sample can be made undetected by various AV products...could you think of anything worse for an AV sales person?

I visualize how this conversation went down: A Kaspersky sales guy didn’t make his anti-virus product sales numbers and blamed it on the Polypack Project. Without further questioning, the PR people immediately dispatched a researcher to debunk the accuracy and validity of this project. You can tell this isn’t an earnest effort by Schouwenberg to educate a reader: at no point does Schouwenberg ever provide a link to the project so that the reader can review it and make the decision for themselves. Schouwenberg and the PR people are banking on the laziness of their reader.

The Polypack Project can be found here with the research paper here. Contrary to the claims of PR people at an AV sales company, I think this project is a good piece of engineering and evaluation of a failing technology. Through this project, a user can determine which AV system fails to detect a higher number of malware (aka viruses). In turn, a large company can spend less money, time, and resources deploying a high-priced signature based AV system if they know it has the most holes. Hrm, why is Kaspersky afraid of this sort of open testing? The crowning jewel of Schouwenberg's post is when he cites numbers for how many samples are received and analyzed in a day. He makes the numbers sound almost overwhelming and intends to convey the message that “we can’t protect you from the bad guys if we have to spend time handling shortcomings in our engine pointed out by projects like this”. Schouwenberg fails to point out that technology like the Polypack Project is useless to criminals, as criminals have their own tools for this type of testing.

Unfortunately for Kaspersky (and other AV sales companies), projects such as the Polypack Project highlight the fallacy that signature based AV products can protect anything other than sales numbers. Could you imagine a slightly different scenario: "Cigarette company employee states that research into tobacco/cancer link is unethical?"

Monday, August 03, 2009

@30k feet

I'm logged on to the Internet (for $10) on Delta using "gogo internet", a WiFi service on the plane. So, I pulled out my WiFi tools to see what was going on.

Here is my speedtest. It claims I should be getting 1.7-mbps down with 128-ms latency, but subjectively it feels slower. As I'm browsing, it can suddenly stop and take many seconds for a website to appear. I bet that it's because the wireless connection to the ground isn't continuous, but keeps coming and going.


The network is 802.11abg (2.4-GHz and 5-GHz). Unfortunately, my tools only run on 'bg' adapters, but NetStumbler uses the 'a' adapter built into the laptop to show all the possible access points, as shown in the picture below:


There appear to be three access points at three locations in the plane (on channels 1, 6 and 11). I can tell they are at three spots because their signal strengths are different. I'm guessing they are in the front, middle, and back of the plane. These are Cisco access points that create multiple virtual access points for each physical access-point. Of these virtual access-points, one is open with a visible SSID of "gogointernet"; the others are WEP and WPA encrypted and invisible. I have no idea why they are there. Notice also that we see the obligatory laptop with the peer-to-peer network "Free Internet WiFi" somewhere on the plane.


When I look at channel 1, I see Blackberries and iPhones connected. I see these throughout the airport (along with Nintendo DSs and PSPs). I think these devices are automatically connecting to whichever access-point they can without their owner's knowledge. I walked down the plane and didn't see anybody with their phone out, so I'm guessing their phone is in their pocket/bag (and not turned off like they were asked).


If we look at the raw beacon packet, we can see that these devices are typical Cisco access points:
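An added example, not from the post or any sniffer tool it mentions: a small parser for 802.11 beacon frames that recovers what the screenshots showed (BSSID and its OUI, whether the SSID is hidden, the channel, and open/WEP/WPA/WPA2 from the capability bits and RSN/WPA elements), plus a heuristic that groups virtual BSSIDs by physical radio. The frames are constructed test data with locally administered placeholder addresses, and the grouping rule (shared upper 40 bits of BSSID plus channel) is an assumption, not a protocol guarantee.

```python
"""Beacon-frame parser reproducing the survey in the post (added example, constructed data)."""
import struct

TAG_SSID, TAG_RATES, TAG_DS_PARAM, TAG_RSN, TAG_VENDOR = 0, 1, 3, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = WPA1 information element
CAP_PRIVACY = 0x0010                  # capability bit 4: WEP/TKIP/CCMP "privacy" enabled


def parse_beacon(frame):
    """Return a summary dict for one beacon frame; raises ValueError if malformed."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x00FC) != 0x0080:       # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]              # addr3 carries the BSSID in a beacon
    _timestamp, _interval, caps = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": ":".join("%02x" % b for b in bssid), "oui": bssid[:3].hex(),
            "ssid": None, "hidden": False, "channel": None,
            "privacy": bool(caps & CAP_PRIVACY), "rsn": False, "wpa": False}
    pos = 36                          # tagged parameters follow the fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2: pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated tagged parameter")
        if tag == TAG_SSID:
            # "Invisible" networks broadcast an empty or all-zero SSID element.
            info["hidden"] = length == 0 or body == b"\x00" * length
            info["ssid"] = None if info["hidden"] else body.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAM and length == 1:
            info["channel"] = body[0]
        elif tag == TAG_RSN:
            info["rsn"] = True
        elif tag == TAG_VENDOR and body.startswith(WPA_OUI_TYPE):
            info["wpa"] = True
        pos += 2 + length
    return info


def security(info):
    """Label a parsed beacon the way a stumbler would: open, WEP, WPA or WPA2."""
    if info["rsn"]:
        return "WPA2"
    if info["wpa"]:
        return "WPA"
    return "WEP" if info["privacy"] else "open"


def group_by_radio(summaries):
    """Heuristic (an assumption, not a rule): virtual APs on one radio usually share
    the upper 40 bits of their BSSID and the channel, so group on those."""
    radios = {}
    for s in summaries:
        radios.setdefault((s["bssid"][:14], s["channel"]), []).append(s)
    return radios


def build_beacon(bssid, ssid, channel, privacy=False, rsn=False, wpa=False):
    """Construct a minimal beacon for testing; this is synthetic, not a capture."""
    caps = 0x0001 | (CAP_PRIVACY if privacy else 0)          # ESS bit + optional privacy
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, caps)                 # timestamp, interval, caps
    tags = bytes([TAG_SSID, len(ssid)]) + ssid
    tags += bytes([TAG_RATES, 4]) + b"\x82\x84\x8b\x96"       # basic 1/2/5.5/11 Mbps
    tags += bytes([TAG_DS_PARAM, 1, channel])
    if rsn:   # version 1, CCMP group+pairwise, PSK AKM, no capabilities
        body = (b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
                + b"\x01\x00" + b"\x00\x0f\xac\x02" + b"\x00\x00")
        tags += bytes([TAG_RSN, len(body)]) + body
    if wpa:   # WPA1 IE: OUI/type, version 1, TKIP group+pairwise, PSK AKM
        body = (WPA_OUI_TYPE + b"\x01\x00" + b"\x00\x50\xf2\x02" + b"\x01\x00"
                + b"\x00\x50\xf2\x02" + b"\x01\x00" + b"\x00\x50\xf2\x02")
        tags += bytes([TAG_VENDOR, len(body)]) + body
    return hdr + fixed + tags


def sample_frames():
    """Constructed frames modelled on the post: three radios on channels 1, 6 and 11,
    each with an open 'gogointernet' BSSID plus a hidden WEP and a hidden WPA2 BSSID."""
    frames = []
    for radio, channel in enumerate((1, 6, 11)):
        base = bytes([0x02, 0x00, 0x00, 0x00, radio, 0x00])  # locally administered placeholder
        frames.append(build_beacon(base, b"gogointernet", channel))
        frames.append(build_beacon(base[:5] + b"\x01", b"", channel, privacy=True))
        frames.append(build_beacon(base[:5] + b"\x02", b"", channel, privacy=True, rsn=True))
    return frames


def survey(frames):
    """Parse every frame and return (summaries, number of distinct radios inferred)."""
    summaries = [parse_beacon(f) for f in frames]
    return summaries, len(group_by_radio(summaries))


if __name__ == "__main__":
    found, radios = survey(sample_frames())
    for s in found:
        print(s["bssid"], "ch", s["channel"], security(s), s["ssid"] or "<hidden>")
    print("physical radios (heuristic):", radios)
```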


From a security point of view, there is nothing too interesting here. Like the inflight entertainment systems, the gogo WiFi service isn't interconnected with anything else in the plane, so there is no danger to the plane from this system being hacked. Ultimately, it's the same threat as any other WiFi hotspot (i.e. your cookies/passwords can be stolen if you don't encrypt everything).