Should I or shouldn't I...
August 2, 2006 2:01 PM   Subscribe

Just because you're on the 13th floor doesn't mean that the signal can't reach the ground. Also, someone with a directional could easily get into it.

I recommend you abide by the rules, because it is a security issue, but if you're going to break them at least turn off SSID broadcast, DHCP, and at the very least WEP encrypt it, preferably WPA.
posted by cellphone at 2:03 PM on August 2, 2006

Actually, being on the 13th floor is WORSE, because it will broadcast the signal outside of your building more widely.

Basically, with a wireless device, you're opening up your university's network to anyone else outside of the dorms to use.

And they'll be able to, quite easily, figure out who you are, come in and take your wireless router.

So, just plug your laptop in and get a long ethernet cable, because chances are that your room isn't that big anyway.
posted by k8t at 2:03 PM on August 2, 2006

They probably just don't wan't people leaching bandwidth, and they want to be able to pinpoint users using it malicously.

With a directional antenna a wardriver could use your connection even if you're up on 13.

You could probably just get AP and not broadcast your SSID. They would have to get a fairly advanced packet sniffer (kismet) to find you.
posted by aznhalf at 2:05 PM on August 2, 2006

while attending college i had a work study job at the held desk. generally we did not give a shit if students where using their own wifi hardware so long as it did not cause a problem. you would be surprised by the number of people that hook them up incorrectly and fuck up internet access for people on the same subnet. having said that their where a few pricks who had a lot of fun trying to find students breaking the rules.
posted by phil at 2:10 PM on August 2, 2006

Plus if you're on a resnet, I can guarantee you you have a switchport all to your lonesome, so they can shut you off if they need to.

They don't want people in *other* units whom they can't shut off.

Now, if you *configured* it correctly, that wouldn't be an issue, but few people can.

And if everyone had a wireless, no one's would work.

They don't have on-campus wireless that reaches the dorms?
posted by baylink at 2:14 PM on August 2, 2006

technological or moral

1. You'll screw it up and give internet access to all sorts of people. They'll be hosing the pipe. They'll start downloading movies and music and you'll be liable.

2. You won't screw it up but they'll crack your WEP key anyway.

3. The IT department will detect an unknown NIC on their network and shut it down. Maybe they'll suspend your internet access permanently.

4. Youre making work harder for the IT staff. They'll get tons of calls about slow internet and access to sites because their laptops will auto connect to your wifi. In other words your inability to use a cable means a few people are going to have a shitty day at work as they hunt down your rogue access point.
posted by the ghost of Ken Lay at 2:19 PM on August 2, 2006 [1 favorite has favorites]

You could try using an 802.11a access point and card instead of B or G. A is a higher frequency so it doesn't penetrate walls/windows as well as B or G and has a more limited range. Businesses tend to use A when they want to protect their signal from hackers/leechers as much as possible. Here's an about.com article on WiFi standards.
posted by ducksauce at 2:36 PM on August 2, 2006

If you go ahead and set up a wifi router thingy, use WPA, set it up strictly as an access point, and please, for the love of god, disable DHCP. If you don't know what those terms mean, you should probably just buy a longer Cat5.
posted by Brian James at 3:07 PM on August 2, 2006

Yeah, don't mess with this stuff. If they don't want you using it, they can and will keep you from using it if need be. Talk to your university about other options for wifi - but I have to second everyone else; buy yourself a longer cable.
posted by rossination at 3:10 PM on August 2, 2006

g) dont hook up the router incorrectly and start serving out ip address to your dorm mates. so the it folks dont knock on your door when large numbers of people in your building get pissed off because they cant get online anymore.
posted by phil at 3:27 PM on August 2, 2006

Would someone that says "airport wifi thinger" really know how to set up a secure router?
posted by k8t at 3:33 PM on August 2, 2006

The answer to the question is really this simple: if you know exactly what you're doing, go ahead (the fact that you asked suggests that you don't). If you don't, there's nothing wrong with long cables.
posted by reklaw at 3:40 PM on August 2, 2006

q) Get a Linksys WRT54G (or any router that lets you control xmit power) router, replace the firmware with one of the open distros and set your transmission power WAY down so that there is no usable signal beyond your space.
posted by zerokey at 3:40 PM on August 2, 2006

x) If none of the above makes sense to you, DON'T DO IT!
posted by zerokey at 3:41 PM on August 2, 2006

I'm going to be a little polemic so old your horses:

The rule isn't only about YOU..if people can't set up wifi properly and I mean everybody else in campus system, somebody is going to screw up. Yeah one could set rules so that if you do well and configure the router properly then you can enjoy wifi..thats' fine, but as matter of FACT people change and screw up and the more people the worse ; more people means somebody is going to share his access without even noticing. Plus it's all free so STOP fucking with stuff that is provided for free, thank you.

So why dontcha just get a friggin ethernet cable ? Plus it is just a good excuse to kick your ass from the aparment..gimme just ONE excuse that I can easily prove like having a router in YOUR room emit radiation I can easily triangulate. Or so I would do if the admin is from the BOFH school.
posted by elpapacito at 3:43 PM on August 2, 2006

Just because you don't understand the reason for a rule doesn't meant that the paid network professionals who came up with it don't know what they are doing. Don't disobey the rules or you may end up with NO internet access. rather than FREE internet access.
posted by Megafly at 4:28 PM on August 2, 2006

Be wary. Despite the many clever suggestions, the college I attended had IT guys roam the halls with laptops, sniffing out rogue networks. A close friend almost lost internet access for the semester. I've also seen this "sniffing" at two large companies I've worked for.

Also confirm that your college doesn't already have its own WiFi network.
posted by donguanella at 4:41 PM on August 2, 2006

I can't echo more strongly everyone's answers above to the effect of "If you don't understand how to set it up securely, and don't know what things like WPA, DHCP, and SSID mean, then don't do it." Your convenience isn't more important than the school's IT security, and if you don't know more than "airport thingy," then you best not be messing with it. And no matter what you decide to do, read your school's policy for what they'll do if they catch a user setting up a WiFi network, because they'll certainly follow it if/when they find the rogue networks within their walls.

Finally, garethspor, judging by the answers you've marked as best, your mind was already made up... just to be curious, then, why did you ask?
posted by delfuego at 5:13 PM on August 2, 2006

Let me help you out then. You very clearly don't know much about the technology involved. You also demonstrate no idea of the risks of what you are proposing. Finally, you've ignored perfectly accurate and useful advice in favour of the one or two people telling you what you want to hear. That is why people are being condecending.

The risk is not really that *you* will do the wrong thing (after all, you can do that through a wired connection as well), it is that *other* people will do the wrong thing through your insecure wireless connection, which will ultimately hurt you. On top of this, it is extremely easy for you to be found out by your IT department, in which case you're also screwed.

My advice is to read the above thread again very carefully, and look up any terms or concepts you're unfamiliar with. Once you've done that I'm fairly confident you'll be less 'amused' then.
posted by imbecile at 6:03 PM on August 2, 2006 [1 favorite has favorites]

http://maisonbisson.com/blog/post/10296/

College's cant tell you what to do with your WAP.
posted by SirStan at 6:32 PM on August 2, 2006

Certainly they can't. But they *can* refuse to light up the switch port feeding your room. And they can also fail to let you pull in your own service.
posted by baylink at 6:37 PM on August 2, 2006

http://maisonbisson.com/blog/post/10296/

College's cant tell you what to do with your WAP.

Correct. But they don't have to keep providing internet access to your room if you insist on violating their Terms of Use.
posted by sbutler at 6:46 PM on August 2, 2006

how might they be able to enforce it

If they care enough to enforce it, they can easily do so. They just have to roam the halls with a WiFi signal detector that's the size of a keychain and can be bought for $25. Encryption, turning off SSID announcement, etc. won't help because you're still broadcasting a signal.

Why do you want WiFi so badly anyway? Do you really move your laptop around? We humans are creatures of habit -- most people I know tend to use their laptop in one location only even if they have WiFi because they're too lazy to unplug the power cord, printer cord, external porn/MP3 storage, mouse, and other shit. They use WiFi only because they're too fucking lazy to lay an ethernet cable along their baseboards.
posted by randomstriker at 7:18 PM on August 2, 2006

ok, how bad is the security on an apple airport express?

It's not so much an issue of security with the hardware. At some point, just about anything can be cracked.

When it comes to network security, I try to give my users as much information as they can absorb (and I think I do a good job of not being condescending). I'm not a hardass, so if someone came to me and asked for wireless, I would configure it for them and add it to my list of things to monitor. No big deal. At an academic institution, they are typically going to be hardassed (many times, with good reason).

Here's a solution from my pre-wireless days:

Get a cheap 8 port switch. Run long ass cables to your favorite locations in your apartment. I had one in my bedroom, livingroom, kitchen and bathroom. For roaming, use a long ass cable. It's not the best solution, but you'll get used to it. And who knows, maybe your school will implement wireless at some point.
posted by zerokey at 7:57 PM on August 2, 2006

Note that you can probably change the MAC address of the airport device so that its organizationally unique identifier isn't representing Apple's routers anymore, but, say, a standard 3Com hardwired network card. This would be a smart thing to do to prevent software scans from targetting your location as having an Apple airport attached.
posted by odinsdream at 7:59 PM on August 2, 2006

my entire campus (35k+ people) is completely wireless. you get wireless laptops with wifi when you pay your freshman tuition. youre supposed to use it in class, ect.

some stuff from an article i read a while back... i used this info (plus some others) tp secure my network.
1) Change Default Administrator Passwords (and Usernames)
Most Wi-Fi home networks use an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this. However, for any given piece of equipment, the logins provided are simple and very well-known to hackers on the Internet. Change these settings immediately. i think its like 192.168.... you get the idea. type that in your web brower and set it up.

2) Turn on (Compatible) WPA Encryption
To function, though, all Wi-Fi devices on your LAN must share the identical encryption settings. Therefore you may need to find a "lowest common demoninator" setting.

3) Change the Default SSID
Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow anyone to break into your network, but it is a start. When someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring your LAN
.
4) Enable MAC Address Filtering
Each piece of Wi-Fi gear possesses a unique identifier called the "physical address" or "MAC address." Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, that restricts the network to only allow connections from those devices. Do this, but also know that the feature is not so powerful as it may seem. Hacker software programs can fake MAC addresses easily.

5) Disable SSID Broadcast

6) Assign Static IP Addresses to Devices
Turn off DHCP on the router or access point, set a fixed IP address range, then set each connected device to match. Use a private IP range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.

8) Turn Off the Network During Extended Periods of Non-Use

also make sure to have a good software firewall.
posted by Davaal at 10:02 PM on August 2, 2006 [1 favorite has favorites]

I have to second phil's suggestion above. Find a rev1 WRT54g, load DD-WRT on it and then turn down the radio. I was in a similar situation and it worked wonders (along with the standard things like SSID broadcast, etc).
posted by datacenter refugee at 11:44 PM on August 2, 2006

The first 24 bits (sometimes 16) of the mac address is the Organizationally Unique Identifier. This identifies the manufacturer. Some manufacturers go farther in identifying specific hardware beyond the OUI.

This isn't really an issue - set the router's mac address to that of your laptop (or some other computer). I think almost any router supports doing this.
posted by advil at 12:33 AM on August 3, 2006

I asked a similar question about six months ago, and it was exactly the same; a giant humourless IT-admin-blaze-cock pile on. I say do whatever you want, it's a complete fantasy that there are rogue nerds roving around trying to steal your university's precious bandwidth. I'd leave the network wide open, then download all the music and movies you want, and claim it was the guy in the apartment below.
posted by roofus at 1:37 AM on August 3, 2006

Here's the problem.

There's no way to definitely be sure that you're completely secure with a wireless network. Everyone has been giving good suggestions, however that's the fact.

If I'm at a place with my laptop and linux distro, and even if you're SSID Broadcasting is off, and MAC addresses are filtered with WPA encryption, there's still a possibility that SOMEONE could get into your network.

Once they're in your network, it's basically like they're infront of your computer, and since you're not supposed to have a wireless router on the network, you have no defense. They can do anything and it WILL be blamed on you. Were YOU wiring that money to the Cayman Islands?

There are ways to even set it up to be more secure, specifically I liked the suggestion to get a Linksys and install Linux and do tests until you find the power level that will cover your dorm, but will be dead outside your door, I'm sure you could find the tipping point with that method. The problem is still that you have to worry about people below you, or coming in the middle of the night and sitting outside your door with a parabolic antenna.

Long story short, unless you KNOW what you're doing enough to set it up correctly, I probably would just get a ethernet cable, yes it sucks, yes it's sooo 5 years ago, but it's alot harder to use your network, if you need a physical connection to it. In most cases wireless IS the weakest link.
posted by gregschoen at 2:21 AM on August 3, 2006

you're should be your, ack.
posted by gregschoen at 2:22 AM on August 3, 2006

Really long cables, are you for real?

Of course wifi access points are banned, otherwise the helpdesk would have to field setup questions all day. Find the legitimate reasons that they don't want your Airport plugged in and work to solve those. The notion that someone would sit outside the door of your 13th floor apartment with a parabolic dish in order to break your wifi encryption is patently absurd.

The real reason wifi was banned at my school was that many wireless routers are set by default to pull 120 IP addresses from the network to broadcast even if no one is connected. On a subnet without 120 surplus IPs, the network goes down. I set my router to pull just 1 address and it's been working fine for two years.
posted by reeddavid at 3:19 AM on August 3, 2006

The notion that someone would sit outside the door of your 13th floor apartment with a parabolic dish in order to break your wifi encryption is patently absurd.

I constantly check the networks in my apartment complex to see if anyone is running them without WPA and other such vulnerabilities.

I'm not arguing that its VERY likely, but it is possible, and one of the only ways to prepare for problems like that is to think of the worst case scenario.

The idea that the only reason they would ban wireless routers is because of IP addressing is rather shortsighted. Obviously the school would rather not have a bunch of wireless entryways into their network. I certainly wouldn't want 150 wireless routers set up on my network with no idea where they are or who is accessing them.

I have a friend who manages a very large network, stuff like that makes him wake up in a cold sweat at night.
posted by gregschoen at 5:07 AM on August 3, 2006

i would not recommend scoffing at these security questions. anyone who tells you not to worry about your wireless security is a fool or worse. in college i had a roommate who used to hack people for kicks. he got credit card numbers, papers, person IMs - it was ridiculous. he'd print it all out and read it to us. once, he made an antenna, sat outside our room and called me on my cell phone and repeated verbatim what i was typing. then he started typing things on my screen.

you can find articles on how to hijack laptaps - and that includes you mac people - on Digg or slashdot or lifehacker. you can google a million different ways to rip someone's computer. even being wired doesnt protect you. my roomate could hit someone else up who was wireless and get to you thru them. he works for some security firm in DC - but now that i work with children in a computer lab (which blocks mefi but not digg) i spend my entire day fighting preteen hackers. a recent article on digg taught everyone with an internet connection how to jack your laptop at the local starbucks. i had to block the word putty completely. but that doesnt stop everything.

dont take this lightly. if you dont wanna commit to the above recommendations, just go wired. i know laptops are the latest fashion now, but when you'll be sorry when youre writing all those letters to creditors.
posted by Davaal at 6:34 AM on August 3, 2006

The real reason wifi was banned at my school was that many wireless routers are set by default to pull 120 IP addresses from the network to broadcast even if no one is connected.

I'm sorry, reeddavid, but this is one of the most inane statements I've ever read. I challenge you to name one, just one, wireless router or access point that, out of the box, requests and assigns any more than one single globally-addressable network address on its WAN interface -- that's just patently false. Almost every single wireless router or access point on the market operates, out of the box, in NAT mode, meaning that the WAN interface (the interface facing the internet, for the most part) gets a single address, maintains an entirely separate network (the LAN) which can have 200+ hosts and which lives on non-globally-addressable network addresses, and handles all the routing and translation between the two networks.

Hell, I challenge you to name five commonly-available wireless routers that make it easy for you, in any fashion, assign more than one globally-accessible IP address to the WAN interface. On what's by far the most hackable wireless platform, the Linksys WRT54G, you still need to run custom firmware and issue a dozen command-line commands in order to get another address on the WAN interface and routed properly.

Please, don't talk about things you don't understand.
posted by delfuego at 12:22 PM on August 3, 2006

I work in IT at a university. The Uni is your ISP. They need to control access for all sorts of legal reasons, and they need to keep their network at least reasonably secure. They will very likely know if you use an airport. At my uni, on 1st violation, they will disable your access and you will have to have a behind-the-woodshed chat.

Call the Helpesk and ask them why the rule is in place, if there are exceptions, and what the consequences are if it's violated. They will be able to give you better answers than Ask.Me.
posted by theora55 at 3:58 PM on August 3, 2006

Why not, after it's locked down as per above recommendations, plug the power brick in a surge protector with an on/off switch? When you are not using it or when you are not home, flip the switch off.
posted by SparkyPine at 11:38 AM on August 4, 2006

Is this worth a hassle? My buddy who works at a local U that has a situation & policy identical to yours spends part of his working time wandering around finding WAPs. A directional antenna is good enough to figure out what unit a signal is coming from.

Depending on his generosity that day, one of two things happens.

One, he notes the location and leaves a note reminding them of the terms of service and instructing them to turn the unit off immediately. If it's still on the next day he turns off every port in the unit, figuring (accurately) that the other folks in the room will rat out/pressure their roommie. Ports are turned back on sometime in the following 12-72 hours when their department has been assured the problem is resolved.

Two, he immediately turns off every port in the unit, figuring (accurately) that the other folks in the room will rat out/pressure their roommie. Ports are turned back on sometime in the following 12-72 hours when their department has been assured the problem is resolved.

Repeat offenders are referred to the student governing body for sanction.

Your U may or may not handle things differently.
posted by phearlez at 2:48 PM on August 4, 2006

« Older A friend is moving into a year...   |   I'm back at a job I loved, loa... Newer »

This thread is closed to new comments.