Give me wireless freedom!
September 1, 2007 1:59 PM
I want to have a wireless router in my dorm room, but it's not technically allowed. Can I sneak something in?
So, I've been at college for a week now, and I'm already desiring a wireless connection in my room. The wired ethernet works fine when I'm at my desk, but my dorm room is more like a "suite" with 2 bedrooms connected by a common room, and I'd like to be able to sit on the couch in the common room and still get on the Internet.
The common room has 2 ethernet jacks, but both are currently in use by roommates who have their computers set up out there. Unplugging one of theirs to put mine in really isn't an option, so the obvious answer is a wireless access point that I can plug into my ethernet jack. However, the dorm doesn't really want students to do this.
I'm not really concerned about creating a security vunerability--I'm pretty sure I can lock down the network enough so that I'm the only one who can get on it. However, I need advice on two aspects of this. First, I don't really want the school's IT people knowing that I have this set up. Is there a way I can make the wireless router/access point invisible to them, from a network admin standpoint? And second, what steps should I take to lock the network down? I'm not as concerned with the security aspect of it, but rather I don't want a bunch of people mooching off of the connection because the amount of usage could start to look suspicious.
Any help would be greatly appreciated! To reiterate, here are my questions:
1. How can I hide a wireless router in such a way that the IT people will be unable to easily see that it's attached to my ethernet jack? (Talking about electronically, of course, its not like they search the rooms for that kind of thing)
2. What steps can I take to make sure I'm the only one that can get on? I've heard of MAC address filtering, WPA/WPA2 encryption, and hiding the SSID, but which of these do I need to do?
Thanks!
So, I've been at college for a week now, and I'm already desiring a wireless connection in my room. The wired ethernet works fine when I'm at my desk, but my dorm room is more like a "suite" with 2 bedrooms connected by a common room, and I'd like to be able to sit on the couch in the common room and still get on the Internet.
The common room has 2 ethernet jacks, but both are currently in use by roommates who have their computers set up out there. Unplugging one of theirs to put mine in really isn't an option, so the obvious answer is a wireless access point that I can plug into my ethernet jack. However, the dorm doesn't really want students to do this.
I'm not really concerned about creating a security vunerability--I'm pretty sure I can lock down the network enough so that I'm the only one who can get on it. However, I need advice on two aspects of this. First, I don't really want the school's IT people knowing that I have this set up. Is there a way I can make the wireless router/access point invisible to them, from a network admin standpoint? And second, what steps should I take to lock the network down? I'm not as concerned with the security aspect of it, but rather I don't want a bunch of people mooching off of the connection because the amount of usage could start to look suspicious.
Any help would be greatly appreciated! To reiterate, here are my questions:
1. How can I hide a wireless router in such a way that the IT people will be unable to easily see that it's attached to my ethernet jack? (Talking about electronically, of course, its not like they search the rooms for that kind of thing)
2. What steps can I take to make sure I'm the only one that can get on? I've heard of MAC address filtering, WPA/WPA2 encryption, and hiding the SSID, but which of these do I need to do?
Thanks!
I'm sure someone else will post the tech needed to do this, but apple's airport express is small and portable. You can always set it up to be hidden. I think there are even smaller routers/WAPs that power over ethernet, but I don't know for sure.
posted by monkeymadness at 2:08 PM on September 1, 2007
posted by monkeymadness at 2:08 PM on September 1, 2007
This is pretty risky, and I would advise against doing it because if you get caught, you might be disciplined. Find out what the possible penalties are, and know what you're getting into to before going forward.
That said, kids do this on campus all the time and as such, most IT staffs are on the lookout for rogue access points. They might simply be walking around with a pocket pc or laptop and net stumbler. They might also have more advanced software solutions that scan for unauthorized wireless devices.
1. Clone your actual computer's MAC address to the router.
2. Use encryption.
3. Password protect your network.
4. Do not broadcast your SSID.
5. Use the MAC filter to only allow yourself onto the network.
Once again, don't confuse my advice for encouragement to actually do this! Go forth at your own risk, because in addition to being punished, you're also held responsible for what happens on your network connection should someone else find their way in and cause trouble.
posted by tomorama at 2:13 PM on September 1, 2007
That said, kids do this on campus all the time and as such, most IT staffs are on the lookout for rogue access points. They might simply be walking around with a pocket pc or laptop and net stumbler. They might also have more advanced software solutions that scan for unauthorized wireless devices.
1. Clone your actual computer's MAC address to the router.
2. Use encryption.
3. Password protect your network.
4. Do not broadcast your SSID.
5. Use the MAC filter to only allow yourself onto the network.
Once again, don't confuse my advice for encouragement to actually do this! Go forth at your own risk, because in addition to being punished, you're also held responsible for what happens on your network connection should someone else find their way in and cause trouble.
posted by tomorama at 2:13 PM on September 1, 2007
BTW -- check out this similar AskMe thread from last year.
posted by ericb at 2:19 PM on September 1, 2007
posted by ericb at 2:19 PM on September 1, 2007
The common room has 2 ethernet jacks, but both are currently in use by roommates who have their computers set up out there. Unplugging one of theirs to put mine in really isn't an option, so the obvious answer is a wireless access point that I can plug into my ethernet jack.
Another obvious answer is to use a NAT'ing hub.
posted by mpls2 at 2:20 PM on September 1, 2007
Another obvious answer is to use a NAT'ing hub.
posted by mpls2 at 2:20 PM on September 1, 2007
Well, for one thing, they actually do not need to roam your halls to find your network. For example, Cisco has some fantastic wifi managers that will show you all rogue wireless networks any of your access points detect. If they happen to have a staff wifi network in your dorms, or a network in a nearby building, they will be able to find your network. (whether they actually will bother doing anything is of course another question, but you can't really plan on being undetectable)
Why not just get a wired ethernet switch for the common area? Not as sexy as the wifi solution, but you won't have to worry about the school administration or nosey neighbors.
posted by icebourg at 2:20 PM on September 1, 2007
Why not just get a wired ethernet switch for the common area? Not as sexy as the wifi solution, but you won't have to worry about the school administration or nosey neighbors.
posted by icebourg at 2:20 PM on September 1, 2007
At least at the university I work at, some techies (primarily engineers with no life) make hunting wireless routers a priority. Some of them are pretty nerdy and have some pretty extreme detection tools.
Get a hub and a long ethernet.
posted by melissam at 2:29 PM on September 1, 2007
Get a hub and a long ethernet.
posted by melissam at 2:29 PM on September 1, 2007
Less illicit, depending on the particular rules, and cheaper, would be to simply drop in a dirt cheap dumb hub in the common room so you're effectively adding another ethernet jack.
Do you have to register MAC address to get a network connection? In that case, spoofing would not only be a good idea, but required. I tend to think tomorama's advice would work, but it's up to you to judge the competency of your school IT team. The other detectable thing would be the NAT - I've read that NAT, implying the existence of a router, can be detected by the port numbers the router will use. You'd have to figure out your router into a bridge mode or whatever to just push the packets through without fiddling with them, but I really doubt they'd be competent or conscientious enough to check for this.
The other thing to worry about is that, if caught, you may have the little (and geeky) people with a little authority problem here. The school year I was in dorms, I was twice one of the unlucky selected to have my MAC address turned off for illegal downloading (which everyone was doing, of course). The second time, I just spoofed my roommate's MAC address. He worked as a lackey for the IT people, so naturally, his was never turned off for anything, and our computers, being plugged into a little hub in our room, were able to share the same MAC address and IP address with surprisingly few problems.
posted by TheOnlyCoolTim at 2:37 PM on September 1, 2007
Do you have to register MAC address to get a network connection? In that case, spoofing would not only be a good idea, but required. I tend to think tomorama's advice would work, but it's up to you to judge the competency of your school IT team. The other detectable thing would be the NAT - I've read that NAT, implying the existence of a router, can be detected by the port numbers the router will use. You'd have to figure out your router into a bridge mode or whatever to just push the packets through without fiddling with them, but I really doubt they'd be competent or conscientious enough to check for this.
The other thing to worry about is that, if caught, you may have the little (and geeky) people with a little authority problem here. The school year I was in dorms, I was twice one of the unlucky selected to have my MAC address turned off for illegal downloading (which everyone was doing, of course). The second time, I just spoofed my roommate's MAC address. He worked as a lackey for the IT people, so naturally, his was never turned off for anything, and our computers, being plugged into a little hub in our room, were able to share the same MAC address and IP address with surprisingly few problems.
posted by TheOnlyCoolTim at 2:37 PM on September 1, 2007
Why is it ok for two people to have their computers permanently in the common room?
posted by k8t at 2:41 PM on September 1, 2007
posted by k8t at 2:41 PM on September 1, 2007
I would advise against it. I happen to work at a university, and controlling access to the network via wireless is a huge priority because of the opportunities for remote security breaches.
There's a good chance that they require you to register your MAC with the residential network. So you'd need to spoof your computer's MAC -- not a huge problem. You'd also have to have something in between it to mask the SNMP identification strings and other scanable elements... which they likely already have recorded for the current NIC in your laptop. (Ex: They see that your MAC stays the same, but the text device ID string that can be pulled off by some arcane means that I don't quite understand changes from "BROADCOMM 100-T ETHERNET" to "LINKSYS 100T" and boom, they got ya.)
On top of that, packet-level analysis can tell if you're NAT-ing or not. NAT is forbidden on our residential network, which means it's likely forbidden on yours too... mostly because college students constantly try to bend the rules that are put there for the network's protection. ;)
Now, what WOULD be a good solution would be to go to your residential staff and ask them to start campaigning for dorm-wide wireless to be set up. This would likely require that the hall pony up money to your ResNet, but you can put a collection up for it. Basically, you either then have to have a WAP certificate on your laptop and/or VPN through a DMZ into the actual campus network via the big enterprise CISCO antennas.
posted by SpecialK at 2:43 PM on September 1, 2007
There's a good chance that they require you to register your MAC with the residential network. So you'd need to spoof your computer's MAC -- not a huge problem. You'd also have to have something in between it to mask the SNMP identification strings and other scanable elements... which they likely already have recorded for the current NIC in your laptop. (Ex: They see that your MAC stays the same, but the text device ID string that can be pulled off by some arcane means that I don't quite understand changes from "BROADCOMM 100-T ETHERNET" to "LINKSYS 100T" and boom, they got ya.)
On top of that, packet-level analysis can tell if you're NAT-ing or not. NAT is forbidden on our residential network, which means it's likely forbidden on yours too... mostly because college students constantly try to bend the rules that are put there for the network's protection. ;)
Now, what WOULD be a good solution would be to go to your residential staff and ask them to start campaigning for dorm-wide wireless to be set up. This would likely require that the hall pony up money to your ResNet, but you can put a collection up for it. Basically, you either then have to have a WAP certificate on your laptop and/or VPN through a DMZ into the actual campus network via the big enterprise CISCO antennas.
posted by SpecialK at 2:43 PM on September 1, 2007
Less illicit, depending on the particular rules, and cheaper, would be to simply drop in a dirt cheap dumb hub in the common room so you're effectively adding another ethernet jack.
Residential networks typically use port-level security that forbids two clients on one jack. Don't do this, you'll get your port locked.
posted by SpecialK at 2:44 PM on September 1, 2007
Residential networks typically use port-level security that forbids two clients on one jack. Don't do this, you'll get your port locked.
posted by SpecialK at 2:44 PM on September 1, 2007
Marked a few best answers but they're all good, thanks for the help.
k8t: The dorm rooms aren't really that big, and that was the only solution for us to all have enough room. Those two guys pretty much just put their stuff out there and it wasn't very worth it to argue with them.
I'll probably just end up getting a really long cable and running it from my room when I want to do that. It's a shame, but I suppose it's safest.
Maybe I'll get a job with IT next semester :P
posted by DMan at 2:51 PM on September 1, 2007
k8t: The dorm rooms aren't really that big, and that was the only solution for us to all have enough room. Those two guys pretty much just put their stuff out there and it wasn't very worth it to argue with them.
I'll probably just end up getting a really long cable and running it from my room when I want to do that. It's a shame, but I suppose it's safest.
Maybe I'll get a job with IT next semester :P
posted by DMan at 2:51 PM on September 1, 2007
I'm pretty sure I can lock down the network enough so that I'm the only one who can get on it.
No, you can't. Breaking WEP and WPA is trivial these days. WiFi is inherently insecure.
On a scale of 1 to 10, 10 being something like brute-force cracking an SSH session (say, 3DES or RSA), cracking WPA/WEP barely rates 1.
This is why your schools IT department doesn't want you to have one. Speaking as someone who has worked as a full time employee in the central IT department - I know for a fact that they make great sport of finding rogue network hardware.
IT grunts get bored. They scan networks. Its their job. I used to spend hours and hours scanning and probing our networks, looking for rogue file servers and hubs.
We don't do it because we're cops or poindexters. We do it because it's shit like this that gives us huge headaches later. We'd honestly rather play video games, but we hate having to clean up the mess of others.
If someone grabs your node and gains access to the campus LAN, they can do all kinds of nasty stuff. Like stalk students. Gain access to internal-only phone lists. Insert virus payloads, or attack other machines on the LAN. Sniff for banking or other private information.
Even worse? If they have the right toys, they don't even need a granted IP address to sniff WiFi. MAC and IP address filtering doesn't prevent the RF signal from being eavesdropped on. They can just grab the RF signal out of the air, log it and take it home to crack and analyze at their leisure.
This is why your school wants to run their own WiFi networks. They can handle authorization via a secure server like Radius. They can log who accesses the network. They can segment the network and protect the wired portion from the wireless portion. They know where the AP points are, what the broadcast footprint of them is, and even how to cross-check those physical locations with security video footage if there's a problem.
Get a wired hub or switch that'll accept DHCP/NAT and a nice long ethernet cable.
Alternatively - petition your IT department or student body for campus-authorized WiFi in your dorm hall.
posted by loquacious at 2:54 PM on September 1, 2007
No, you can't. Breaking WEP and WPA is trivial these days. WiFi is inherently insecure.
On a scale of 1 to 10, 10 being something like brute-force cracking an SSH session (say, 3DES or RSA), cracking WPA/WEP barely rates 1.
This is why your schools IT department doesn't want you to have one. Speaking as someone who has worked as a full time employee in the central IT department - I know for a fact that they make great sport of finding rogue network hardware.
IT grunts get bored. They scan networks. Its their job. I used to spend hours and hours scanning and probing our networks, looking for rogue file servers and hubs.
We don't do it because we're cops or poindexters. We do it because it's shit like this that gives us huge headaches later. We'd honestly rather play video games, but we hate having to clean up the mess of others.
If someone grabs your node and gains access to the campus LAN, they can do all kinds of nasty stuff. Like stalk students. Gain access to internal-only phone lists. Insert virus payloads, or attack other machines on the LAN. Sniff for banking or other private information.
Even worse? If they have the right toys, they don't even need a granted IP address to sniff WiFi. MAC and IP address filtering doesn't prevent the RF signal from being eavesdropped on. They can just grab the RF signal out of the air, log it and take it home to crack and analyze at their leisure.
This is why your school wants to run their own WiFi networks. They can handle authorization via a secure server like Radius. They can log who accesses the network. They can segment the network and protect the wired portion from the wireless portion. They know where the AP points are, what the broadcast footprint of them is, and even how to cross-check those physical locations with security video footage if there's a problem.
Get a wired hub or switch that'll accept DHCP/NAT and a nice long ethernet cable.
Alternatively - petition your IT department or student body for campus-authorized WiFi in your dorm hall.
posted by loquacious at 2:54 PM on September 1, 2007
Residential networks typically use port-level security that forbids two clients on one jack. Don't do this, you'll get your port locked.
Due to shortage of jacks, hubs were actually distributed in my dorm, which was good since that sharing a MAC trick was only going to work on a dumb hub.
I forgot the real answer: move off campus, where all the cool kids live, where you can run wireless networks, drink alcohol, cook, light candles, and inject heroin all day long without people lording their little bit of authority over you.
posted by TheOnlyCoolTim at 3:00 PM on September 1, 2007
Due to shortage of jacks, hubs were actually distributed in my dorm, which was good since that sharing a MAC trick was only going to work on a dumb hub.
I forgot the real answer: move off campus, where all the cool kids live, where you can run wireless networks, drink alcohol, cook, light candles, and inject heroin all day long without people lording their little bit of authority over you.
posted by TheOnlyCoolTim at 3:00 PM on September 1, 2007
Have you thought of asking one of your roomies to set up internet connection sharing on their machine? You'd still need a cable (and another NIC in the host) but at least the cable would be shorter.
Incidentally, the WPA protocol isn't broken. It's vulnerable to a brute-force dictionary attack if your passphrase is weak (just like any security that depends on a chosen passphrase), but the protocol itself is still secure. Just use a very long random key. WEP is broken, regardless of how good your passphrase is.
posted by Dipsomaniac at 3:09 PM on September 1, 2007
Incidentally, the WPA protocol isn't broken. It's vulnerable to a brute-force dictionary attack if your passphrase is weak (just like any security that depends on a chosen passphrase), but the protocol itself is still secure. Just use a very long random key. WEP is broken, regardless of how good your passphrase is.
posted by Dipsomaniac at 3:09 PM on September 1, 2007
but I really doubt they'd be competent or conscientious enough to check for this.
Ahem.
OK, granted, it depends on the campus. I was on a really, really big UC campus.
But I was a lackey. The directors of this IT department were all hard core CS nerds that were still very heavily into the cutting edge. Hell, some of them were 45+ and attending Defcon regularly. These are the same nerds that also supported clustered supercomputer solutions, infrastructure-grade commodity multichannel fiber connections and much, much more.
Hunting rogue APs? Fine sport. Like plinking at prarie dogs. Just a mere diversion and mild entertainment, a nice break from watching the logs and programming stateful packet firewall algorithms.
The other thing to worry about is that, if caught, you may have the little (and geeky) people with a little authority problem here.
There's no authority problem. I just wiped your disk quota, your PINE backups and edited your finger file to refer to sexing up goats. I actually have a small shell script that does it all for me. It's just a small software LART.
The physical counterpart is a 25 pound stack of dead hard drives welded to a pair of rackmount rails and varnished in the dried blood of freshmen.
Never, ever underestimate the raw intelligence, boredom or maliciousness of your IT department.
If there's one thing I've learned over the years about these people, it's not just that people who (successfully, irrationally) make IT support a career are all suprisingly, shockingly smart - but also unbelievably diverse in breadth and depth in their personal interests - and they all have a very wicked, dark sense of humor.
They actually want you to taunt them. Do so at your own peril.
posted by loquacious at 3:12 PM on September 1, 2007
Ahem.
OK, granted, it depends on the campus. I was on a really, really big UC campus.
But I was a lackey. The directors of this IT department were all hard core CS nerds that were still very heavily into the cutting edge. Hell, some of them were 45+ and attending Defcon regularly. These are the same nerds that also supported clustered supercomputer solutions, infrastructure-grade commodity multichannel fiber connections and much, much more.
Hunting rogue APs? Fine sport. Like plinking at prarie dogs. Just a mere diversion and mild entertainment, a nice break from watching the logs and programming stateful packet firewall algorithms.
The other thing to worry about is that, if caught, you may have the little (and geeky) people with a little authority problem here.
There's no authority problem. I just wiped your disk quota, your PINE backups and edited your finger file to refer to sexing up goats. I actually have a small shell script that does it all for me. It's just a small software LART.
The physical counterpart is a 25 pound stack of dead hard drives welded to a pair of rackmount rails and varnished in the dried blood of freshmen.
Never, ever underestimate the raw intelligence, boredom or maliciousness of your IT department.
If there's one thing I've learned over the years about these people, it's not just that people who (successfully, irrationally) make IT support a career are all suprisingly, shockingly smart - but also unbelievably diverse in breadth and depth in their personal interests - and they all have a very wicked, dark sense of humor.
They actually want you to taunt them. Do so at your own peril.
posted by loquacious at 3:12 PM on September 1, 2007
Loquacious, AIUI, breaking WPA is only practical if you're using a fairly short passwork and pre-shared key. Generate a maximum-length completely random password and you should still be safe. [on preview: what dipsomaniac said]
As for the OP's question: the best you can do is probably to put the AP behind a NAT (make sure the AP isn't also NATing) to hide a few of its characteristics (such as its ethernet address), and tell it not to broadcast the ESSID. But as other people have pointed out, anyone with an 802.11 card in promiscuous mode will be able to see the (encrypted) packets going between your machine and an unknown AP. If the university cares enough to scan for that, there isn't a good way to hide.
I vote for the "hub and long cable" solution. Cheap, secure, not against the rules.
posted by hattifattener at 3:25 PM on September 1, 2007
As for the OP's question: the best you can do is probably to put the AP behind a NAT (make sure the AP isn't also NATing) to hide a few of its characteristics (such as its ethernet address), and tell it not to broadcast the ESSID. But as other people have pointed out, anyone with an 802.11 card in promiscuous mode will be able to see the (encrypted) packets going between your machine and an unknown AP. If the university cares enough to scan for that, there isn't a good way to hide.
I vote for the "hub and long cable" solution. Cheap, secure, not against the rules.
posted by hattifattener at 3:25 PM on September 1, 2007
You were at a UC campus. These dudes were probably dropping acid and inventing UNIX back in the 60s. If this dude is at community college, Podunk State, or some private school with 3,000 kids, they're not catching jack shit. Not even necessarily because the IT people are incompetent per se, but because they're too few to afford the time to bother to do this. I mean, look at the importance of what we're talking about: if someone haxx0rs the WPA, they're going to get the network privileges of some freshman in the dorms. What are they going to do, read the journal articles they can get from the library site with a dorm IP? The dorms themselves better be pretty secure, because there's probably more future CS Ph.D. students trying to hack your shit than random dudes looking for wireless access points for any reason but free internet.
There's no authority problem. I just wiped your disk quota, your PINE backups and edited your finger file to refer to sexing up goats. I actually have a small shell script that does it all for me. It's just a small software LART.
Here's a whack with the clue by four for you: for everyone but IT people, this situation is described as: "I wanted to use a wireless network, so the fucking loser nerds in IT fucked up my account. Let's go to the bar."
posted by TheOnlyCoolTim at 3:28 PM on September 1, 2007
There's no authority problem. I just wiped your disk quota, your PINE backups and edited your finger file to refer to sexing up goats. I actually have a small shell script that does it all for me. It's just a small software LART.
Here's a whack with the clue by four for you: for everyone but IT people, this situation is described as: "I wanted to use a wireless network, so the fucking loser nerds in IT fucked up my account. Let's go to the bar."
posted by TheOnlyCoolTim at 3:28 PM on September 1, 2007
> OK, granted, it depends on the campus. I was on a really, really big UC campus.
Same here with a big Texas (with a capital T) campus.
posted by SpecialK at 3:28 PM on September 1, 2007
Same here with a big Texas (with a capital T) campus.
posted by SpecialK at 3:28 PM on September 1, 2007
You might be attacking the problem in the wrong way. If your intent is to have wireless access in your apartment, where there are multiple computers and WiFi is forbidden, you could avoid WiFi completely and try a Bluetooth network.
If you have a cellphone with internet access (that can be used as a modem [DUN]) you can connect with a laptop from anywhere, and if necessary Remote Desktop into a computer wired into the school network for internal access.
As has been mentioned, wired connections using a router would also work. There are a lot of different ways to get access without breaking your schools rules.
posted by blue_beetle at 3:31 PM on September 1, 2007
If you have a cellphone with internet access (that can be used as a modem [DUN]) you can connect with a laptop from anywhere, and if necessary Remote Desktop into a computer wired into the school network for internal access.
As has been mentioned, wired connections using a router would also work. There are a lot of different ways to get access without breaking your schools rules.
posted by blue_beetle at 3:31 PM on September 1, 2007
Haha, I'm at Texas Tech. Not the same as a really, really big UC campus, but not a community college either.
Interesting turn this has taken. I think Tim has a point in the fact that all anyone could gain is the same access I have now anyway, but I really don't want to risk something that would involve me getting in real trouble.
posted by DMan at 3:34 PM on September 1, 2007
Interesting turn this has taken. I think Tim has a point in the fact that all anyone could gain is the same access I have now anyway, but I really don't want to risk something that would involve me getting in real trouble.
posted by DMan at 3:34 PM on September 1, 2007
loquacious, do you have any links pointing to WPA cracking being easy? WEP is trivial, but I think WPA is still pretty good?
posted by Malor at 3:35 PM on September 1, 2007
posted by Malor at 3:35 PM on September 1, 2007
It's not that hard to find you, so check out the consequences and decide. If a hub/router is allowed, then that makes it easy to share the jacks in the common area.
Lots of students may share your frustration. Get the student organization involved and see if you can get the rule changed. It's fun to do a student political campaign and you'll make a lot of friends, including members of the opposite sex. Even if you lose, you win.
RIAA is actively hunting students. A student at the local Univ. got nailed with a very expensive fine because his wireless router wasn't secure enough.
College and Univ. IT depts are often quite competent. Universities have lots of bandwidth, technical challenges to resolve, and a nice environment. That's a magnet for geeks.
posted by theora55 at 3:57 PM on September 1, 2007
Lots of students may share your frustration. Get the student organization involved and see if you can get the rule changed. It's fun to do a student political campaign and you'll make a lot of friends, including members of the opposite sex. Even if you lose, you win.
RIAA is actively hunting students. A student at the local Univ. got nailed with a very expensive fine because his wireless router wasn't secure enough.
College and Univ. IT depts are often quite competent. Universities have lots of bandwidth, technical challenges to resolve, and a nice environment. That's a magnet for geeks.
posted by theora55 at 3:57 PM on September 1, 2007
DMan: I'm at A&M. I work for athletics, but I deal with some of the CIS and ResNet guys here and some of them are scary good -- almost to the Scary-Devil-Monastery level. I have a set of clustered servers running here to handle some stuff, and had to sit down with the campus network security people and do a lot of testing with the hardware to see which parts of the port level security they have on the switches we had to turn off for my ports in order for the redundancy to work. I learned more about the TCP/IP stack that day then I did in four years of university.
This being Texas, and esp. you being out at Tech, I can now say with veracity that you'll get caught and you'll end up in a lot of trouble if you try to get past the security. The problem isn't that someone could gain the access that you have, it's that someone could get the access you have, then escalate the access that you have into something like, say, student financial data, and make it look like you did it. Texas University network security and state law (you know that agreement that you click through all the time?) says that anything that someone does WHILE USING YOUR NETWORK ACCESS is on your head because you failed to guard that access.
On top of that, many servers at the university level depend on the campus level security to be secure. There are a few servers I know of on campus that would be trivial to hack, but you would need to get through all of the other layers of security first at both the campus connection and harware level. Unfortunately, it'd be trivial to do from a compromised computer on the campus network. Don't let someone use your network access to hack one of those servers. That's why they put the MAC registration in place on your ResNet -- so that someone else couldn't plug into your network port in your room and then say "I confess, he did it!".
And believe me, good admins can trace back to both network port and MAC address when someone tries to compromise a computer on our networks. I obviously can't discuss what I've done recently in this realm, but let's just say now that I know where you are, I really realy wouldn't risk it.
posted by SpecialK at 4:04 PM on September 1, 2007
This being Texas, and esp. you being out at Tech, I can now say with veracity that you'll get caught and you'll end up in a lot of trouble if you try to get past the security. The problem isn't that someone could gain the access that you have, it's that someone could get the access you have, then escalate the access that you have into something like, say, student financial data, and make it look like you did it. Texas University network security and state law (you know that agreement that you click through all the time?) says that anything that someone does WHILE USING YOUR NETWORK ACCESS is on your head because you failed to guard that access.
On top of that, many servers at the university level depend on the campus level security to be secure. There are a few servers I know of on campus that would be trivial to hack, but you would need to get through all of the other layers of security first at both the campus connection and harware level. Unfortunately, it'd be trivial to do from a compromised computer on the campus network. Don't let someone use your network access to hack one of those servers. That's why they put the MAC registration in place on your ResNet -- so that someone else couldn't plug into your network port in your room and then say "I confess, he did it!".
And believe me, good admins can trace back to both network port and MAC address when someone tries to compromise a computer on our networks. I obviously can't discuss what I've done recently in this realm, but let's just say now that I know where you are, I really realy wouldn't risk it.
posted by SpecialK at 4:04 PM on September 1, 2007
Many of the commercial-grade access points that colleges use will also scan for nearby access points, and many of the wireless management packages use that to support "rogue access point detection," often using signal strength to triangulate. If your college IT group is halfway competent, expect to be busted within a few hours.
posted by dws at 4:06 PM on September 1, 2007
posted by dws at 4:06 PM on September 1, 2007
Sorry if I was snarky, but as indicated and supported there's reasons why these rules exist. Speaking as an anti-authoritarian, sometimes it really is for your own good and protection.
There's also reasons why IT folk get cranky - and this is one of them.
posted by loquacious at 4:26 PM on September 1, 2007
There's also reasons why IT folk get cranky - and this is one of them.
posted by loquacious at 4:26 PM on September 1, 2007
You could get under the radar using a pre-802.11 technology like the Netwave Airsurfer, which was a wireless bridge between two computers using PCI or ISA cards.
Pros:
posted by justkevin at 4:38 PM on September 1, 2007
Pros:
- Security through antiquity-- since the technology predates modern wifi, it will be undetectable by other wifi devices. It is also extremely unlikely that a hacker would have the tools necessary to intercept your data, for reasons listed below.
- You need two, one in a common room computer, one in yours.
- Good luck finding two, no one's made these in years.
- Even if you found one, drivers probably don't exist for your operating system.
- You also need software running on the bridge computer to act as a NAT or Proxy.
- As I recall, they were highly susceptible to interference from microwave generating devices (like microwave ovens).
- Speed is limited to a max of 2Mbps, usually less.
posted by justkevin at 4:38 PM on September 1, 2007
Now there's creative problems solving.
You'd also probably end up earning the respect and/or awe of the nerds in your IT department.
posted by loquacious at 5:06 PM on September 1, 2007
You'd also probably end up earning the respect and/or awe of the nerds in your IT department.
posted by loquacious at 5:06 PM on September 1, 2007
There's also power-line networking, where you send the signal over through the electric wiring. I'm not sure how that works though... it may look the same as a router. Might be worth looking into.
posted by smackfu at 5:14 PM on September 1, 2007
posted by smackfu at 5:14 PM on September 1, 2007
You could get under the radar using a pre-802.11 technology like the Netwave Airsurfer, which was a wireless bridge between two computers using PCI or ISA cards.
It's too late now, but a couple years ago I actually came across some pre 802.11 access points in a school ceiling - some early forgotten attempt at wireless access. I can't even remember if I took them down or left them there, or if they even theoretically belonged to my department to take down or leave, but they were an interesting find.
posted by TheOnlyCoolTim at 5:27 PM on September 1, 2007
It's too late now, but a couple years ago I actually came across some pre 802.11 access points in a school ceiling - some early forgotten attempt at wireless access. I can't even remember if I took them down or left them there, or if they even theoretically belonged to my department to take down or leave, but they were an interesting find.
posted by TheOnlyCoolTim at 5:27 PM on September 1, 2007
Even with the ancient wireless tech, you STILL have to do NAT or use a bridge and MAC spoof, which will STILL get detected.
posted by SpecialK at 5:48 PM on September 1, 2007
posted by SpecialK at 5:48 PM on September 1, 2007
Put 2 network cards on your computer. Plug one to the network, another to your wireless. Learn to live with proxy software (on the PC) instead of full blown NAT. Make sure the proxy is only visible to the wireless network (and only usable by you) and they won't find you until they search your room.
posted by CautionToTheWind at 6:05 PM on September 1, 2007
posted by CautionToTheWind at 6:05 PM on September 1, 2007
Haha, definitely wasn't expecting this much of a response :)
SpecialK, thanks for the Texas-specific insight. Good stuff. Thanks to you too loquacious, insider info is very useful.
To everyone else: thanks very much for the help, and to settle your fears, no, I will not be attempting this after all. Going to get a long ethernet cable tomorrow.
posted by DMan at 6:18 PM on September 1, 2007
SpecialK, thanks for the Texas-specific insight. Good stuff. Thanks to you too loquacious, insider info is very useful.
To everyone else: thanks very much for the help, and to settle your fears, no, I will not be attempting this after all. Going to get a long ethernet cable tomorrow.
posted by DMan at 6:18 PM on September 1, 2007
How can I hide a wireless router in such a way that the IT people will be unable to easily see that it's attached to my ethernet jack?
If they're decently competent, it will be impossible for you to hide it, unless you build it yourself. Any of the NATs-in-a-box you can buy from Best Buy or CompUSA can be easily detected. No exceptions.
If someone grabs your node and gains access to the campus LAN, they can do all kinds of nasty stuff.
If the campus LAN's traffic is switched, they aren't going to be able to sniff anything that's not going to and from the room they're located in. They aren't going to be able to sniff all the packets in another room or building without causing major problems and being noticed immediately.
posted by oaf at 7:18 PM on September 1, 2007
If they're decently competent, it will be impossible for you to hide it, unless you build it yourself. Any of the NATs-in-a-box you can buy from Best Buy or CompUSA can be easily detected. No exceptions.
If someone grabs your node and gains access to the campus LAN, they can do all kinds of nasty stuff.
If the campus LAN's traffic is switched, they aren't going to be able to sniff anything that's not going to and from the room they're located in. They aren't going to be able to sniff all the packets in another room or building without causing major problems and being noticed immediately.
posted by oaf at 7:18 PM on September 1, 2007
If the campus LAN's traffic is switched, they aren't going to be able to sniff anything that's not going to and from the room they're located in. They aren't going to be able to sniff all the packets in another room or building without causing major problems and being noticed immediately.
Ok, I *really* can't say much here, but speaking generally...
From the getting-caught side: the kinds of intelligent switches that IT departments are installing in security-sensitive places like university residential halls or other public places where anyone can walk in and plug anything into the wall -can- enable packet sniffing, sampling, or auditing.
From the black-hat-hacker side: We're not worried about them sniffing packets on the lan coming to the student's node, we're worried about them scanning the internal network for vulnerable servers that are firewalled off from the outside. Ex: I have FTP servers, which are known for day-0 exploits, running exposed to the internal campus network but not the world-and-dog internet. So you can see them from the ResNet, but you can't see them from your home.
In this case, where a student may have a wireless point that's easily crackable from a house on a hill overlooking campus with the simple use of a pringles-can wireless antenna, the hack gets traced back to the student's network and we find the wireless point ... and then the student, even if it's some clueless sorority chick, could end up in jail for hacking. It's not pretty, but that's what happens and that's why the things that are in place to protect the network against students plugging in wireless points are there.
posted by SpecialK at 8:10 PM on September 1, 2007
Ok, I *really* can't say much here, but speaking generally...
From the getting-caught side: the kinds of intelligent switches that IT departments are installing in security-sensitive places like university residential halls or other public places where anyone can walk in and plug anything into the wall -can- enable packet sniffing, sampling, or auditing.
From the black-hat-hacker side: We're not worried about them sniffing packets on the lan coming to the student's node, we're worried about them scanning the internal network for vulnerable servers that are firewalled off from the outside. Ex: I have FTP servers, which are known for day-0 exploits, running exposed to the internal campus network but not the world-and-dog internet. So you can see them from the ResNet, but you can't see them from your home.
In this case, where a student may have a wireless point that's easily crackable from a house on a hill overlooking campus with the simple use of a pringles-can wireless antenna, the hack gets traced back to the student's network and we find the wireless point ... and then the student, even if it's some clueless sorority chick, could end up in jail for hacking. It's not pretty, but that's what happens and that's why the things that are in place to protect the network against students plugging in wireless points are there.
posted by SpecialK at 8:10 PM on September 1, 2007
Here's how I did it and got away with it. Schneier's law applies, YMMV.
I used WPA, which was brand new then, and had yet to be seriously compromised. Nowadays you would use WPA2, and maybe an additional vpn layer above that. OpenVPN works well. Do your research. Under local laws, it wouldn't have been legal for the IT nerds to terminate a contract based on evidence gathered after cracking into an obviously closed computer system. If asked about it, you can always say that the wireless network isn't connected to the university network.
The MAC of the router was made to look like a recent Macintosh ethernet card to avoid suspicion. It was set to something entirely unlike the wireless ESSID.
NAT was disabled because it can be detected through various methods. I instead ran a SOCKS proxy on the router. Anything web-related also went through privoxy, with user agent rewriting switched on. With iptables, I even made that proxying transparent, while the residential network's mandatory proxy wasn't :).
Anything that couldn't use the SOCKS proxy or was usually not allowed to get out of the residential network went through ssh tunnels. There was an old sun box on campus to which we had access that wasn't firewalled.
My tunnelling was eventually detected when I used too much bandwidth, the rest, as far as I know, never was.
They could have detected me by seeing a correlation between the traffic coming from my ethernet plug and traffic on my wireless network, but you could generate noise on the wireless side to avoid that. As I said above, Schneier's law applies, and YMMV.
posted by stereo at 8:39 PM on September 1, 2007
I used WPA, which was brand new then, and had yet to be seriously compromised. Nowadays you would use WPA2, and maybe an additional vpn layer above that. OpenVPN works well. Do your research. Under local laws, it wouldn't have been legal for the IT nerds to terminate a contract based on evidence gathered after cracking into an obviously closed computer system. If asked about it, you can always say that the wireless network isn't connected to the university network.
The MAC of the router was made to look like a recent Macintosh ethernet card to avoid suspicion. It was set to something entirely unlike the wireless ESSID.
NAT was disabled because it can be detected through various methods. I instead ran a SOCKS proxy on the router. Anything web-related also went through privoxy, with user agent rewriting switched on. With iptables, I even made that proxying transparent, while the residential network's mandatory proxy wasn't :).
Anything that couldn't use the SOCKS proxy or was usually not allowed to get out of the residential network went through ssh tunnels. There was an old sun box on campus to which we had access that wasn't firewalled.
My tunnelling was eventually detected when I used too much bandwidth, the rest, as far as I know, never was.
They could have detected me by seeing a correlation between the traffic coming from my ethernet plug and traffic on my wireless network, but you could generate noise on the wireless side to avoid that. As I said above, Schneier's law applies, and YMMV.
posted by stereo at 8:39 PM on September 1, 2007
So you can see them from the ResNet, but you can't see them from your home.
Isn't trusting resident students kind of arbitrary? They're about a bag of weed away from being the tools of the black hats.
posted by smackfu at 9:09 PM on September 1, 2007
Isn't trusting resident students kind of arbitrary? They're about a bag of weed away from being the tools of the black hats.
posted by smackfu at 9:09 PM on September 1, 2007
I wonder if I made a Pringles antenna if I could just get wireless access from a building across the street. There happens to be a classroom building about...500-600 feet away that might have Wi-Fi inside.
posted by DMan at 9:12 PM on September 1, 2007
posted by DMan at 9:12 PM on September 1, 2007
Or a wok antenna.
posted by philomathoholic at 12:22 AM on September 2, 2007
posted by philomathoholic at 12:22 AM on September 2, 2007
not really answering the question ... but ... you could insert an ethernet/rj45 splitter in the common room to create a 3rd ethernet port. It will work except that the 2 pc's connected to the splitter will not be able to talk to eachother (and it is strictly outside of ethernet spec.).
posted by jannw at 12:33 AM on September 2, 2007
posted by jannw at 12:33 AM on September 2, 2007
Campus IT Staff - building threat models that fail to take usability and utility into account since day one.
By the way - if you want wireless access and don't want to run afoul of the campus rules, get a Sprint or Verizon broadband wirelss card. Verizon's service runs $80/mo ($60/mo if you already have Verizon cell service).
posted by zippy at 1:28 AM on September 2, 2007
By the way - if you want wireless access and don't want to run afoul of the campus rules, get a Sprint or Verizon broadband wirelss card. Verizon's service runs $80/mo ($60/mo if you already have Verizon cell service).
posted by zippy at 1:28 AM on September 2, 2007
I thought WPA-PSK (AES) with sufficiently long passphrase was secure and WPA-PSK (TKIP) was problematic?
posted by BrotherCaine at 2:07 AM on September 2, 2007
posted by BrotherCaine at 2:07 AM on September 2, 2007
TKIP is believed to be much weaker than AES for the same number of key bits, but at the moment AFAIK there's no actually feasible attack on TKIP; it's just not as strong as it should be (IIRC, 128bit TKIP <> 90bit AES if such a thing existed). That said, some people in the security community believe that TKIP will be broken eventually; when an encryption algorithm starts to be reduced in strength that's usually been a prelude to ever more effective breaks in the past.
WEP is hopelessly insecure on the other hand.>
posted by pharm at 6:15 AM on September 2, 2007
WEP is hopelessly insecure on the other hand.>
posted by pharm at 6:15 AM on September 2, 2007
Isn't trusting resident students kind of arbitrary? They're about a bag of weed away from being the tools of the black hats.
Meh, resnet students we can trace back and smack around. And if anything shady happens on their account, their access gets snicked off on a hairtrigger and we send Leo and his roll of quarters up to talk to them. Then they have to beg and grovel to get their access turned back on.
jannw: I think ResNet shut down an entire suite in one building last week (first week of move in) because some genius's dad put in an RJ-45 splitter. We were laughing about it at the bar after work.
posted by SpecialK at 7:41 AM on September 2, 2007
Meh, resnet students we can trace back and smack around. And if anything shady happens on their account, their access gets snicked off on a hairtrigger and we send Leo and his roll of quarters up to talk to them. Then they have to beg and grovel to get their access turned back on.
jannw: I think ResNet shut down an entire suite in one building last week (first week of move in) because some genius's dad put in an RJ-45 splitter. We were laughing about it at the bar after work.
posted by SpecialK at 7:41 AM on September 2, 2007
It doesn't sound like you actually need it anymore, but I thought I'd mention how these things go at my school (small, laid-back, physically isolated from surrounding bodies of people). Wireless routers are against the rules, but IT doesn't really care about them, as long as they're properly configured and don't start trying to assign IP addresses upstream, which tends to knock out about half the dorm's access to the internet. If you've got a router which starts doing that, they're usually just check if the admin password is the default still, and if it is, fix the settings for you and leave it be.
They're good people, and, in large part, students who are running their own wireless AP anyway.
After reading this thread, I now know how good I have it.
posted by Arturus at 8:48 AM on September 2, 2007
They're good people, and, in large part, students who are running their own wireless AP anyway.
After reading this thread, I now know how good I have it.
posted by Arturus at 8:48 AM on September 2, 2007
Wow, I'm surprised my a lot of these answers; my university very much looked the other way to things like this. (But then I went to MIT, which has all of 18.* to play with, so I guess its network policies probably aren't typical.)
This is expensive and probably not practical, but one way to do this that would be harder to detect would be to get an iMac or some other Apple machine, which you could plug into the ethernet in your room and configure to broadcast its own wireless network. (System Preferences > Sharing > Internet > Internet Sharing.) Any scanning done over the network would just show an Apple computer; it would take wandering around with an antenna to discover the network. I did this at my office to share the network with my laptop, and it worked like a charm.
posted by raf at 9:01 AM on September 2, 2007
This is expensive and probably not practical, but one way to do this that would be harder to detect would be to get an iMac or some other Apple machine, which you could plug into the ethernet in your room and configure to broadcast its own wireless network. (System Preferences > Sharing > Internet > Internet Sharing.) Any scanning done over the network would just show an Apple computer; it would take wandering around with an antenna to discover the network. I did this at my office to share the network with my laptop, and it worked like a charm.
posted by raf at 9:01 AM on September 2, 2007
This is expensive and probably not practical, but one way to do this that would be harder to detect would be to get an iMac or some other Apple machine, which you could plug into the ethernet in your room and configure to broadcast its own wireless network. (System Preferences > Sharing > Internet > Internet Sharing.) Any scanning done over the network would just show an Apple computer; it would take wandering around with an antenna to discover the network. I did this at my office to share the network with my laptop, and it worked like a charm.
And your port would get locked because you were NAT-ing.
Arturus and raf: I can't explain MIT 'cept that there's probably protections in place that you're not aware of, but at least at A&M we're considered a military target because of the school's military heritage and corps of cadets. The smaller school, like my old community college, probably didn't have as many issues, and it's quite possible that the state laws that put hacking attempts coming from an unsecured access to the network on the owner of that access's head don't exist in your state, so your IT groups at your schools aren't responsible for protecting students from themselves.
posted by SpecialK at 9:18 AM on September 2, 2007
And your port would get locked because you were NAT-ing.
Arturus and raf: I can't explain MIT 'cept that there's probably protections in place that you're not aware of, but at least at A&M we're considered a military target because of the school's military heritage and corps of cadets. The smaller school, like my old community college, probably didn't have as many issues, and it's quite possible that the state laws that put hacking attempts coming from an unsecured access to the network on the owner of that access's head don't exist in your state, so your IT groups at your schools aren't responsible for protecting students from themselves.
posted by SpecialK at 9:18 AM on September 2, 2007
at A&M we're considered a military target because of the school's military heritage and corps of cadets.
Is this astonishing level of paranoia not remarked upon?
posted by bystander at 7:50 PM on September 2, 2007
Is this astonishing level of paranoia not remarked upon?
posted by bystander at 7:50 PM on September 2, 2007
Bystander: It's not the place for it to be remarked upon.
Also, police here arrested three people last year with digital or film cameras completely full of photos of structural elements of the football stadium, a building that George Bush Sr. and the current Secretary of State (not to mention 87,000 other people) frequent during the football season. How many of you go to a football game and take only engineering photos?
Maybe some paranoia is justified. After all, I work in the football stadium.
posted by SpecialK at 5:16 AM on September 3, 2007
Also, police here arrested three people last year with digital or film cameras completely full of photos of structural elements of the football stadium, a building that George Bush Sr. and the current Secretary of State (not to mention 87,000 other people) frequent during the football season. How many of you go to a football game and take only engineering photos?
Maybe some paranoia is justified. After all, I work in the football stadium.
posted by SpecialK at 5:16 AM on September 3, 2007
This thread is closed to new comments.
1) You can't hide a wireless transmitter, it's not possible, further if they are savvy enough they roughly tell what's son their network based on the MAC address which is registered to a vendor. You can turn it on as needed and you can make it not broadcast the SSID, when you choose your SSID make it something innocuous, suck as SSID-1 or something.
2) As long as you use a pre-shared key with WPA of a reasonably large lenght, say 16 characters no one will be able to break the password. You can set up mac address filtering, but it can easily be defeated.
posted by iamabot at 2:05 PM on September 1, 2007