
Neighbours stealing your Internet? Have fun...


While on one of my random surfing sessions I came across the website of Pete Stevens. Pete mentions that his neighbours are getting a free ride on his wireless Internet connection—he can either encrypt it or choose to have some fun. He opted for fun!

It looks like Pete's using a Linux or BSD gateway on his network which runs essential services like DHCP (rather than using the server built into his wireless router). This gives him a lot of control and lets him play around.

The first thing Pete has done is to split his network in two: trusted and untrusted. This is easily done by defining two subnets in dhcpd.conf, whereby unknown clients are denied access to the trusted subnet and authorised clients are identified by MAC address (this is not foolproof, but it's just a bit of fun).
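One way to check that the split is holding, as an added example rather than Pete's code: it reads a leases file in ISC dhcpd format (an assumption) and reports active leases on the trusted subnet whose MAC is not on the allowlist, plus MACs seen under more than one hostname. The subnets, MAC addresses and lease records are constructed, and the names `parse_leases` and `audit` are hypothetical.

```python
"""Audit ISC dhcpd leases against a MAC allowlist (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumed layout; none of these values come from the original post.
TRUSTED_NET = ipaddress.ip_network("192.168.0.0/24")
KNOWN_MACS = {"00:16:3e:aa:00:01", "00:16:3e:aa:00:02"}

# Constructed sample in dhcpd.leases syntax.
SAMPLE_LEASES = """
lease 192.168.0.101 {
  binding state active;
  hardware ethernet 00:16:3e:aa:00:01;
}
lease 10.0.0.50 {
  binding state active;
  hardware ethernet 00:16:3e:bb:00:09;
}
lease 192.168.0.102 {
  binding state active;
  hardware ethernet 00:16:3e:cc:00:07;
}
lease 192.168.0.103 {
  binding state active;
  hardware ethernet 00:16:3E:AA:00:02;
  client-hostname "kitchen-tablet";
}
lease 192.168.0.104 {
  binding state active;
  hardware ethernet 00:16:3e:aa:00:02;
  client-hostname "not-the-tablet";
}
lease 10.0.0.51 {
  binding state free;
}
"""

LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)


def parse_leases(text):
    """Return {ip: (mac, hostname)} for active leases; later records win."""
    active = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        mac = MAC_RE.search(body)
        if not state or state.group(1) != "active" or not mac:
            active.pop(ip, None)  # a newer non-active record supersedes
            continue
        host = HOST_RE.search(body)
        active[ip] = (mac.group(1).lower(), host.group(1) if host else "")
    return active


def audit(text, known=KNOWN_MACS, trusted=TRUSTED_NET):
    """Classify active leases and flag what a MAC-based split cannot guarantee."""
    report = {"trusted": [], "untrusted": [], "unknown_on_trusted": []}
    seen = defaultdict(set)
    for ip, (mac, host) in sorted(parse_leases(text).items()):
        on_trusted = ipaddress.ip_address(ip) in trusted
        if host:
            seen[mac].add(host)
        if mac in known and on_trusted:
            report["trusted"].append(ip)
        elif on_trusted:
            report["unknown_on_trusted"].append(ip)  # the dhcpd.conf split leaks
        else:
            report["untrusted"].append(ip)
    # One MAC under several hostnames is a hint, not proof, of a copied address.
    report["mac_reuse"] = sorted(m for m, h in seen.items() if len(h) > 1)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_LEASES))
```

A non-empty `unknown_on_trusted` list means the DHCP configuration is handing trusted addresses to clients it should not; `mac_reuse` only narrows down where to look, since a device can legitimately change its hostname.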

Once the network has been split into trusted and untrusted clients, Pete goes on to show how you can have some fun with the neighbours. First off is the obvious trick of restricting access to one webpage: a simple iptables rule will see all of your unauthorised clients hitting your site of choice. A webpage recently linked to in the comments section of one of my blogs seems like a comical choice. Getting a little more technical (and perhaps a little more evil), there is the option of teasing these users by giving them free Internet access but introducing some 'bugs'. By redirecting traffic via a transparent Squid proxy and adding a little script to interfere with it, Pete suggests using mogrify to flip all images upside down and back to front; that'll certainly leave his freeloading neighbours a little baffled!

Of course the best thing to do is to encrypt your wireless network!

82 comments
Jerry M. Gartner

I posted a blurb about wireless default settings about a year ago at http://www.gartnerwebdev.com/2006/08/04/wireless-security/ . I'm sure that Pete Stevens knows how to secure his wireless network but he'd rather have some fun with folks! Many states and localities are passing, or have passed, laws criminalizing wireless or any other type of internet piggybacking. Somehow, people don't see a problem with this behavior. If my front door is unlocked that doesn't mean that people can just come right in! In Wisconsin (USA) I can see or ID a wireless network with no law-breaking. If I probe or access beyond this "seeing", I've broken the law.

Old Timer 8080

Private Networking Security Basics: 1) Change the SSID. linksys doesn't cut it. 2) Change the admin password. 3) At the very least, use WEP security. This is like putting a cheap lock on the door. Anyone with a Credit Card (NetStumbler) can get in. WPA is better. You can get really paranoid and make a project out of securing your wireless. To each his own... We have an added problem: selecting a channel far enough away so that the nearest GoogleWiFi node doesn't interfere. Add to that the EIGHT local WAPs in the immediate area... fun times...

thomasnruth

Just redirect the neighbor to a custom page to install malware. That'll teach 'em.

kaspencer

The original author of this post spelled "Neighbours" in the standard English style, but in the TechRepublic newsletter, the spelling was changed to the US style. Does anyone at TR know why? Ken.

Martin Glueckmann

Instead of getting angry at those free-riders, why don't you CHARGE them? Many hotels and hotspots use simple methods to intercept new users and present them with a logon page linked to PayPal or other collection services before opening a connection delimited to the time or data tariff the user selected. Don't forget to present a "rules" page that those users have to accept first to avoid getting yourself in legal trouble, and run a logging package to prove your billing and that the usage was within legally allowed content. Make fun AND make money...

Dano NH

You could redirect them to a custom 404 page with some playful explanation about how the Internet is not free and unauthorized access to a private network is a crime punishable by law... then maybe close with "ever heard of asking?" There are so many different things you could do with this one; I keep thinking of more and more... hahaha

Dr_Zinj

Redirect them to a webpage for your PayPal account and become a sub-ISP. They're surfing on your dollar (or ruble), you may as well offset your costs.

feral

Nice work Pete ;)

normhaga

I run my wireless as an open system because I live in a neighborhood where many people cannot afford internet service. I watch security and run my internal network through a separate server. The SSID is Star. Abuse and lose! All the users are notified that should I see illegal traffic I will block the MAC address. So far in six months, I have seen no questionable activities. The question I have is why do you need to lock down your wireless?

normhaga

And is this illegal at the public library that offers public access? The point being enforcement. I am only aware of one situation in which a person was prosecuted for piggybacking. If I recall the report correctly, the prosecution occurred because the local D.A. was looking for a reelection position.

Neon Samurai

One can legally look for machines and ports connected to the internet but as soon as one tries to connect to an account, it becomes a legal issue.

chasbrey

You say that like it's the rule and not the exception. Most of us are mired in reality where we install and configure our own (and our friends') WiFi-enabled networks. Then there's the lucky few of us (including me) who get paid to do this for real. Sure, some cities are showing an interest and even implementation of SLOW WiFi in parts of their cities... again the exception and not the rule. Most of us are too spread-out and live for the rare, intentional hot-spot (ie IA Interstate rest areas) to check our e-mail. I'm still not willing to spring hard cash for an EVDO card. I may be dependent on network access, but not addicted.

tracey

Why does everyone want to punish people who are connecting to un-secured networks? While it is risky to connect to an unsecured network, it is interesting to me that those most at fault in this situation (who are failing to take basic security precautions on their network when they know better) are the ones that are being so self-righteous. I can understand having a little fun with people, and I agree that fellow IT people should expect to take a bigger hit for doing stupid stuff, but there is no need to be malicious about it, especially when it is general public you are dealing with. Bottom line is, if you don't like people connecting to your network, then at least use encryption. If not, I don't want to hear you cry about it.

normhaga

How many federal laws did you say you are interested in breaking? Just after Gary Morris did his thing, the Feds. passed laws prohibiting the transmission of virii, trojans, and worms. Just recently, this year I think, it was made a federal crime to write the same. You would be a sitting duck for any investigation.

chasbrey

As funny as it would be, that would be ill-advised. In this litigious society we're forced to endure, it's the criminals (bandwidth thieves) that would likely tie up their victims in court. It would be akin to killing a burglar in your own home and being sued by his family for loss of income. Suddenly I don't feel like laughing so loud.

brian.mills

While the thought of giving a bandwidth thief the finger by infecting them with malware sounds like a wonderful idea, I believe that a large portion of internet users don't need any help finding malware. I also don't really think we need any more malware-infected systems out there wreaking havoc on the internet. Man, I think I'm getting old. Five years ago I would've thought that idea was hilarious.

glgruver

Automatic translation of British English to American English. You know, two English-speaking countries separated by a common language. glgruver

Bit - Twiddler

I like this idea. Nobody gets hurt, nobody gets arrested. The extra cash is nice too. All WAPs should come with a public access mode, predefined (but customizable) EUA, and once someone connects they are given the option to agree to the terms, and pay a nominal fee (via PayPal, CC, etc), or they can simply disconnect, and find some other sucker to mooch off. The hotels are making a killing off this model, trust me. The whole IT sector exists (for the most part) as a valid career path, because people who don't have the time and inclination to learn how this stuff works are completely happy to pay others who do. Sure go ahead and share your bandwidth, but don't let the neighbors freeload! Charge 'em for your time and troubles. To do any less would be to sell yourself short, and devalue our entire industry! (Unless she is really hot...then she gets a free ride, but do feel free to intercept her packets) :-P Cheers!

darynb

Most internet providers do not allow you to share your internet access with anybody else. You could be charged for this.

RichardBI

Not a bad idea, but what's the easiest way to check if neighbors/visitors are using your wireless router connection? I'm using a Linksys WRT54G and I don't believe there is a menu/configuration to see how many wireless connections it has granted. When my own machines connect, they do not show up on the LAN table, and I can't find a similar report for wireless. Any ideas?

brian.mills

Why lock down your wireless? The most obvious I can think of is keeping people from using your internet connection for illicit and illegal activities which will be traced back to your IP, while they drive away to leech off of someone else's open wireless access point. Someone could also use the wireless access to hack the other computers on the network, but if you have your personal network behind a firewall separate from the wireless then it's no different than if the person was hacking from anywhere on the internet. In my opinion, if you want to let your neighbors use your wireless access, you should lock it down with WPA and set the neighbors up to use the secured network. You could also only allow trusted MAC addresses and keep your neighbors' MAC addresses in that list. Then you can still block any MAC address that has illicit activity, while only allowing users you know and trust to even think of accessing the network.

Jerry M. Gartner

By the very meaning of "Public Access", I don't believe that piggybacking would apply. Regardless of legality, there is the moral implication as well. A coffee shop provides wireless access as a convenience to its customers. That doesn't make it okay to sit in the parking lot without patronizing the place. Too, there is the real issue of liability and security. If a proprietor doesn't bother to secure their internal network from the open wireless (I've seen this happen), in addition to the possibility that their data may be compromised, they are opening themselves up to a host (pun intended) of other issues such as IRC bots, and the like, using their connection for ill. WAPs can be set up to notify users of conditions for use the first time they connect to the internet. A "real" public use WAP for our coffee shop can be set up so the paying customers get a temporary logon with their purchase. As far as home users go, leaving their WAP open is often a matter of ignorance, yet this ignorance subjects these people to the same internal network compromise as indicated previously. Now, the wardriving community is virtually non-existent in my immediate vicinity, which incidentally is a crime here. Even so, I do not leave my wireless network open just as I don't leave the front door to my house unlocked because I don't want any uninvited people walking in, regardless of their intent. http://www.gartnerwebdev.com

normhaga

Many medium to large cities are putting up public WiFi that is 56mbs. In Salt Lake City, Utah, Public WiFi is available in all of the downtown area and expanding out to the eastern city limits. This is funded by the city of Salt Lake, the Feds., and an ISP Xmission.

ccornute

If you don't want people on your network then secure it. If you don't then you have no right to be upset if someone "steals" your bandwidth. It isn't considered stealing if you are walking down the street and find a wad of cash. Even though the money may belong to someone else they should not have been so careless with it. Finders keepers, losers weepers.

chasbrey

Just because I left my front door open doesn't mean I want the neighbors stealing my TV. Just because the keys are in my car doesn't mean I want some punk driving on my gas. Just because my router isn't locked down doesn't mean I want you stealing my bandwidth. My failure to secure my network doesn't give anyone else permission to take or use what isn't theirs. A criminal is a criminal.

Old Timer 8080

Colorado's " Make My Day " law.... The people get to fight back by using COMMON SENSE. The people have spoken in CO, and their STATE representatives listened. You break in, you run the risk of getting KILLED. No Ambiguity. Simple to understand. Now apply that same bit of common sense to solving your WiFi problems. If you show that you have done ANYTHING about securing your network, what happens to the criminal is their problem. The smart ones move on to the UNSECURED WAP. God knows that there are plenty of those.....

zarathustra2010

Not only do these agreements provide for not using a server on their networks, they also state the law concerning messing with OTHER people's networks. This law applies to ALL customers, without exception. NOT just the one who is encroaching on his neighbor's network. It also applies to the one whose network is being encroached upon. He has no more right to mess with other persons' networks than they do. So... 1) It is dangerous (but NOT unlawful) to keep your network open and easily accessible. 2) It is UNLAWFUL as well as WRONG, to mess with your neighbor's network. PERIOD. I suggest that you take the HIGH ROAD, instead, and 1) Invite your neighbor over for dinner. 2) Show him your network, and his presence where it does not belong. 3) Instruct them that this is wrong and illegal, as well as dangerous for both of you. 4) Finally, KINDLY show him how to stay out of other people's yards and how to keep others out of his yard. You would be surprised how much better kindness works than aggressive behavior. If he STILL refuses after this to do right, he deserves what happens. But you will have done your best. But DON'T retaliate against him. If you do, you will be lowering yourself to HIS level. Remember, perhaps he is just ignorant. We've all been there a time or two ourselves, haven't we? Wouldn't YOU rather have your gaffes and mistakes gently pointed out to you, rather than being hit over the head with a big stick? Just tighten up your OWN network, and let him do what he wishes. If he is breaking the law, it will eventually catch up with him. If not, leave him alone, but gently instruct him to his face. On this day after Christ's birth celebration, let us do unto our neighbors as we would have them do unto us, as He taught so long ago. Donald L McDaniel

Big Ole Jack

with the full knowledge that users won't set them up properly and become a mini-ISP for the entire neighborhood.

normhaga

Mine allows 1) unlimited traffic and 2) unlimited users. Traffic is, of course limited by bandwidth.

shardeth-15902278

Several I have read don't. And the only case I personally know of where an individual was actually taken to task for sharing his internet. The court ruled in his favor, that once it left the 'cable' and was broadcast, their restrictions no longer applied (They had - of course - the option to terminate his contract 'at will' if they chose, don't know whether they did that or not...).

Big Ole Jack

I use a US Robotics USR8054 model and it even has the ability to email me the log through an SMTP relay. I can easily see who is on my router, both wired and wireless, but I need not worry because I have TKIP set up and am not openly broadcasting my SSID as many others do.

normhaga

DSL router with hardware firewall -> linux firewall using packet sniffing. To the others: if you are so poor as to need to use my bandwidth, be my guest. I put the wireless up so that others that could not otherwise afford Inet could have access. But... do not think that this generosity is unprotected. I have had others attempt to intrude on the internal network, I have not yet logged the first success. Should someone be successful, I will learn how they did it.

Neon Samurai

I was trying to remember how I did it with my wrt54gs. I remember it being pretty easy under one of the config screens because I pretty much check it for interest any time I walk past my workstation. It's been too long though. Linksys stopped providing a newer firmware for the router so I switched to something else. If you're tech savvy, consider OpenWRT or Tomato. I put OpenWRT on my router three or more months ago and it's been great; enterprise router functions on my budget linksys soho hardware. I still check it out of interest any time I walk past my workstation but now the browser connects to the router admin through ssl and I get complete details. Tomato seems to be a bit more polished firmware replacement but I'm happy with OpenWRT.org

mathias_r2

Assuming that you're using the WRT54G DHCP server, you can go to Status -> Local Network and then click on the DHCP Clients Table button. You will get a list of clients, IP addresses, and MAC addresses that are currently connected to your router.

mhpiper

I have yet to see a wireless router that does not have the ability to display connected hosts through its management interface (I've used Cisco, Netgear, Linksys and Dlink products). You don't even see your own machines? Are you sure they're connecting to your device and not some other unsecured device in your area?

Brian.Walters2

The message by Brian Mills asks "Why?". Apart from the security issues already mentioned, here in the UK, the wireless router on my home internet connection is locked down because I'm on a reduced rate package that has a download limit of 2GB per month. This is enough for most of what I do from home; email, general surfing, a bit of web design and a small amount of mp3. I would be most miffed if one day I tried to download something only to find that my access was denied because my bandwidth limit had been used up by a "neighbour" who had been using my connection to download the latest videos. When I set up a wireless connection for a client, locking down the router is the first thing I work on, once I have it connected. Yes it still amazes me the number of open networks I can find. Regards, Brian

michaellashinsky

I recently read that a hacker can read the mac address off of the packet header, (or something like that, I have the article saved, but I am not going to look it up right now.) and copy a legitimate MAC address. Then clone that address into his own virtual adapter, and access is granted. This all takes about a minute to do once a valid MAC address is found.

chasbrey

It's a challenge allowing public access while simultaneously preventing public abuse. Some form of authentication or credentialling needs to be in place to authorize legitimate public users. It should be clear that I don't consider "everyone" as legitimate public. All users must be known, though the criteria for access is lower for a "public" user than an enterprise user. I am held accountable for every user and device on my network. I am continually striving to improve my control of the flow of every packet on my wire and in my air. As a government employee I am bound to enable as well as protect the taxpayers I serve. Enable appropriate access and protect from inappropriate access.

Big Ole Jack

And these are the same gov't and politician pricks who have their "town hall meetings" to discuss the dangers of online predators and ID theft, yet are promoting it by setting up unsecure and open access points all over the city.

Neon Samurai

It is part of some jobs to post on forums and seek howto documents online. I've heard rumour that some software developers are required to spend half their day online reading forums and keeping up to date; code for the morning, learn for the afternoon. I meant the more general "*who* hasn't checked their email or posted to forums online" - meant mostly in good clean fun too since we're all here reading or writing. As a comp security geek, it almost broke my poor little head when I moved from working in IT on clean networks like military bases and small business customers we administrated for to non-IT work as an end user on messy networks. It's like walking from a room where firearms are well kept and handled properly into the next room over filled with toddlers, ammunition, handguns and whatever combination the three can make. I'm surely not the right person to damn anyone around here for posting be it a part of their job or not though. The windows in my glass house are far from thick enough for that foolishness. ;)

chasbrey

It's within my job description to check my e-mail and post to forums on company time since I actively use both for troubleshooting and problem solving.

Neon Samurai

Who hasn't checked their email from work or posted to a news forum. ;)

chasbrey

My previous post was a reply to explain "Why??" the animosity. I'm not saying it's wise or recommended to leave yourself open to the wolves. I'm not advocating negligence or failing to do one's due diligence. On the other side, there's no excuse for theft of service either. Whoever takes what isn't theirs is still a criminal and worthy of derision.

Neon Samurai

Or "what is forbidden, is not allowed" as they say in security versus the older "what is allowed, wasn't forbidden" mind set. It'd be nice if everyone could be trusted based on honor but it just isn't so. If you don't do your due diligence ahead of time then you'll have a heck of a lot less to complain about afterward. If I leave the keys in my car and it's stolen, my insurance is going way up. If I leave my house unlocked and valuables in all the windows then my house insurance is going up. If I have a house fire and don't have smoke alarms in the home then my house insurance is going up; if they'll still cover me. There is no excuse for leaving a wifi router wide open unless you're giving everyone within range permission to jump on. The people who would abuse your internet connection don't care that you've not given them permission.

Neon Samurai

It's more like teaching my router not to talk to strangers. Sure someone can pretend to be recognized but it still limits the amount of traffic my router cares about. The WPA AES provides the real security authentication.

Big Ole Jack

Read my post below to see what I mean. The average user won't do this, but someone who knows how to hack can.

Big Ole Jack

I won't tell you what it is as it has dangerous implications, but I will tell you that the MAC is hashed in the registry and with the right conversion algorithm can be set to anything. With that stated, anyone with this utility and a WiFi NIC in their laptop can effectively become an access point and sniff traffic over the airwaves and capture data using a packet capture application like Ethereal or the built-in Windows Network monitor. Also, forging the MAC of a known access point will create a denial of service attack because packets will get dropped as they will see two devices with the same MAC address and won't know which one is the real thing. A man in the middle attack can also be performed. To counter hackers and lock down networks, one must think like a hacker and know all the tricks of the trade.

Neon Samurai

"don't talk to strangers and don't talk to people you recognize unless they know the family password" The little tyke hasn't wandered into anyone's van or accepted candy yet based on my logs (like any good security geek, I still don't consider that proof that no one's tried though). What can I say, computers offered me the ultimate puzzle long ago and I've been hooked since. My network is my baby as long as our rough housing doesn't affect the rest of the house's connection.

brian.mills

In other words, your router is like a child to you? :P

Neon Samurai

My wifi is always locked by WPA AES but the filtering means the router only listens to NICs it thinks it recognizes. It's more like telling my router not to talk to strangers.

brian.mills

If I did filter by MAC address, it would be in addition to the WPA2 encryption I'm using. I mentioned it as a way to shut down a trusted neighbor who abuses that trust and does something untrustworthy. That would be easier than generating new keys and disseminating them to the neighbors that are still trusted. Of course the untrustworthy neighbor could always be a hacker and still gain access, but there's no bulletproof solution to stop someone who really wants your network, especially on the consumer-grade level. The technical school I attended had an encrypted wireless network, but also used MAC address filtering. I'm guessing it was so that students didn't share the keys with unauthorized users, thus negating the encryption. I say as long as this guy's got an unsecured WAP, we should all go over to his neighborhood and get some free internet. :)