Should a wireless network be open? [closed] - security

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Obviously there are security reasons to close a wireless network, and it's not fun if someone is stealing your bandwidth. Would that be a serious problem?
To address the first concern: Does a device on the same wireless network have any special privileges or access that any other device on the internet has?
Assumption: the wireless network is connected to the internet.
The second seems like a community issue. If your neighbor is stealing bandwidth, you'd act just as if he were "borrowing" water or electricity.
First, talk to him about the problem, and if that doesn't work, go to the authorities or lock stuff up. Am I missing something?

Bruce Schneier is famous for running an open wireless network at home (see here). He does it for two reasons:
To be neighborly (you'd let your neighbor borrow a cup of sugar, wouldn't you? Why not a few megabits?)
To keep away from the false sense of security that a firewall gives you. In other words, it forces him to make sure his hosts are secure.
Personally, I would never run an open wireless network for one reason: accountability. If someone does something illegal on my network, I don't want to be held accountable.

I don't think the biggest problem is just someone stealing your bandwidth, but what they do with it. It's one thing if someone uses my wireless network to browse the Internet. It's another thing if they use it for torrenting (I find that slows down the network) or any illegal activities (kiddy porn? not on my network you don't).

Yes you are: your wireless router also doubles as a firewall preventing harmful data from the Internet; by letting one of your virus-infected neighbors in on your WLAN you're essentially letting him bypass that.
Now, this shouldn't be a problem in an ideal world, since you'd have a well-configured system with a firewall, but that's certainly not always the case. What about when you have your less security-minded friends over?
Not to mention the legal hassle you could get yourself into if one of your neighbors or someone sitting with a laptop in a car close enough starts browsing kiddieporn.

I feel it all has to do with population density. My parents own a big plot of land; the nearest neighbor is .5 mile away. To me it doesn't make sense to lock a wireless router down. But if I lived in an apartment complex, that thing would be locked down and not broadcasting its ID.
Now at my house I just don't broadcast my ID and keep it open. The signal doesn't travel farther than my property line, so I am not too worried about people hijacking it.

I would actually disagree with Thomas in the sense that I think bandwidth is the biggest problem, as it's unlikely there are many dodgy people in your area who just so happen to connect to your network to misbehave. It's more likely I think that you'll have chancers, or even users who don't fully understand wireless, connecting and slowing down your connection.
I've experienced horribly laggy connections due to bandwidth stealing, a lot of the problem is with ADSL - it just can't handle big upstream traffic; if a user is using torrents and not restricting the upstream bandwidth it can basically stall everything.

For most people, the wireless access point is a router that is acting as a hardware firewall to external traffic. If someone's not on your wireless network, the only way they'll get to a service running on your machine is if the router is configured to forward requests. Once a device is behind the router, you're relying on your computer's firewall for security. From a "paranoid" layered security standpoint, I'd consider an open wireless network in this scenario to be a reduction in security.
I've met a lot of people that leave their networks open on purpose, because they feel it's a kind of community service. I don't subscribe to that theory, but I can understand the logic. They don't see it as their neighbor stealing bandwidth because they feel like they aren't using that bandwidth anyway.

Following joshhinman's comment, this is a link to an article where he explains why he has chosen to leave his wireless network setup open: Schneier on Open Wireless
This guy is probably the most famous security expert at the moment, so it's worth having a look at what he has to say.

As far as the security aspect goes it is a non-issue. An open network can allow a determined person to 'listen' to all your unencrypted communication. This will include emails - probably forum posts - things like this. These things should never EVER be considered secure in the first place unless you are applying your own encryption. Passwords / secure logins to servers will be encrypted already, so there is no benefit to the encryption while the packets are in the air. The advantage comes when, as others have mentioned, users perform illegal actions on your access point. IANAL, but it seems some correlations can be drawn to having your car stolen and someone committing a crime with it. You will be investigated and can be determined innocent if you have some alibi or logs showing your machines were not responsible for that traffic.
The best solution to the hassle of using a key for the home user is to restrict the MAC addresses of the computers that can connect. This solves the problem of having unauthorized users (for all but the most advanced, at which point your PW likely won't help you either) and it keeps you from having to input a long key every time you need to access something.

Personally, I would never run an open wireless network for one reason: accountability. If someone does something illegal on my network, I don't want to be held accountable.
The flip side of this is deniability. If the government or RIAA come knocking on your door about something done from your IP address you can always point to your insecure wireless connection and blame someone else.

I wish people would stop referring to an open network as 'insecure'. A network is only insecure if it doesn't meet your security requirements - people need to understand that not everyone has the same security requirements. Some people actually want to share their network.
An open network is open. As long as you meant that to be the case, that's all it is. If your security policy doesn't include preventing your neighbors from sharing your bandwidth, then it's not a security fault if it allows them to do that, it's faulty if it doesn't.
Are you liable for others' use of your 'insecure' network? No. No more so than your ISP is liable for your use of the Internet. Why would you want it to be otherwise? Note, by the way, that pretty much every commercial WiFi hotspot in the world is set up in exactly such an open mode. So, why should a private individual be held liable for doing exactly the same thing, merely because they don't charge for it?
Having said that, you do have to lock down your hosts, or firewall off an 'internal' portion of your network, if you want to run fileshares etc internally with such a setup.
Also, another way to deal with 'bandwidth stealing' is to run a proxy that intercepts others' traffic and replaces all images with upside-down images or pictures of the Hof. :-)

#kronoz: I guess it depends on where you live. Only two houses are within reach of my wireless network, excluding my own. So I doubt that small number of people can affect my bandwidth. But if you live in a major metro area, and many people are able to see and get on the network, yeah, it might become a problem.

It is so easy to lock a wireless router down now, that I think a better question is why not lock it down?
The only reason I can think of is if you had a yard large enough so that your neighbors can't get a signal and you frequently have visitors bringing devices into your home (since setting them up can be a chore).
Note that I'm saying both of those things would need to be true for me to leave one open.

Personally, I would never run an open wireless network for one reason: accountability. If someone does something illegal on my network, I don't want to be held accountable.
The flip side of this is deniability. If the government or RIAA come knocking on your door about something done from your IP address you can always point to your insecure wireless connection and blame someone else.
I would argue that anyone who is running a network is responsible for the actions of all people who use it. If you aren't controlling use, then you are failing as a network administrator. But then again, I'm not a lawyer, so...

As it turns out, when I switched DSL service, the wireless router the company provided is secured out of the box. So unless I add the old router to my network, it will be secured.
On the other hand, it was very convenient to "borrow" a few hours of network time from neighbors while I was waiting for the technician to stop by and install the service. Looks like this might not be an option soon, however.

My biggest concern is that there is never too much bandwidth, so a decision to share it is only acceptable if I can somehow guarantee that other people do not use more than, say, 5% of my total bandwidth. Which may or may not render my connection useless to other people, depending on what they mean to do with it.

As most wireless standards are very hackable I can understand the logic behind not securing it, as it removes the false sense of security that wireless security provides.
However, in NZ bandwidth is expensive; I cannot afford for randoms to leech that off me. As the vast majority of people don't have a clue regarding hacking wireless connections, having this admittedly pitiful defense wards off most of the lazy.
If anyone cares enough they can hack my crappy WEP encryption and get themselves some free Internet and free leech until I care enough to stop them. Then I'll upgrade to something better (white-listed MAC addresses, say) which will be harder for them to hack, and the cycle will begin anew.

Related

Firewall Security

My company just moved office to a new building and the Internet company came to install the internet (fiber). The problem is that the telco company installed the router in the basement of the building (which also happens to be the building's parking garage). That means that the internet router for my company is in the basement, wide in the open. The router has 3 free ports, which means that potentially anyone who walks by in the parking garage can plug in a laptop and get into our network (not only use the internet but try to hack into our file servers, etc...). We are a software company.
Did we try to get the router upstairs? Yes, but after several discussions with the telco company, it seems we have no choice with this setup. Therefore, does anyone recommend a good solution to protect our network? The first thing that comes to mind is to purchase a hardware firewall box and plug that in inside our office, on the internet cable that comes from the wall. Would that be the best solution? And if yes, any recommendations for a not too expensive firewall hardware? Thanks a lot.
As far as I'm aware, modern routers nowadays should already have port security features built-in. So, optimistically, you may not need to purchase a hardware firewall.
On the other hand, if you can afford to lock the router into a frame/cage, that's also a means of physical access control. Installing a security camera near the router is another option.
One possible solution for your case is using packet filtering.
It is a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination IP addresses, protocols and ports.
A product that can suit your needs is Ixia's PacketStack. Its packet filtering capabilities can be used without any packet loss; you can manipulate traffic any way you want - deduplicate, stamp and trim. You can hide or overwrite sensitive or personally identifiable information before providing the data to analysis tools.

What's the most reliable way to detect if the user is logging in from a different device than usual?

I suspect we're all familiar with how Facebook and Google and the like detect if you're using a different device than usual. I was wondering what the most reliable way to do this is?
I'm talking about the old 'It looks like you're signing in from a different device', and then when you confirm etc., it usually sends you an email and asks whether you want to trust this device or not.
Obviously one could just set a cookie, one that maybe gets checked and logged each visit, but what about when the user signs out? Do we keep the cookie?
Is there any other reliable method to 'trust' a 'device' other than setting cookies? Or is this the best/most reliable way to do it?
The most reliable way to detect a device change is to create a fingerprint of the browser/device the browser is running on. This is a complex topic to get 100% right, and there are commercial offerings that are pretty darn good but not flawless. I worked at one of those companies several years ago.
There is now at least one open source fingerprinting project Client JS. I have not used it, but it seems to cover the bases.
Just setting a cookie is not very reliable because on average users clear cookies about every 30-45 days unless you use a network that attempts to re-set the cookie (paid services). Even those are not flawless.
Just using the IP address is useless. Some devices legitimately have many IPs in a short period of time (laptop at home, work and Starbucks or most any mobile device), while sometimes a single IP is shared by a large number of users (all the folks at Starbucks or behind a corporate proxy server).
UPDATE
Thoughts on your similar hash code.
It is a complex topic to get right. I had a small team for a few years. We got pretty darn good, but you can never be 100% accurate even when people are not intentionally trying to trick you.
If the CPU changes, it's probably a different device.
The same physical device can have many user agents. Each browser on the device has a different user agent, and the privacy modes of browsers have different user agents with far less entropy.
Fonts don't change very quickly for a given physical device, though they're not a great source of entropy on mobile devices (few fonts installed, and typically all the same ones for a given type of device).
OS is generally stable, until it suddenly changes. Does it matter in your case if every device appears to be a new device when it updates to Windows 10?
Color depth will be pretty stable. If the user installs a new graphic card, this may change. Does that matter in your case?
If you can accept thinking some devices are new when in fact they are the same and vice-versa, this type of similarity hash may work for you. Note that you can never use this type of fingerprint to uniquely identify a device for a purpose that requires positive identification such as access to secure data. It's great for making probabilistic decisions such as serving an appropriate ad.
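The weighted "similarity hash" the answer above describes, as an added example that is not part of the original answer. The attribute set, the weights, the 0.75 threshold and the sample fingerprints are all constructed for illustration and would be tuned against real traffic; the point it shows is that a new browser or an OS upgrade on the same machine still scores as the same device, while a CPU change does not, and that the result is a probability, not an identity.

```python
"""Similarity-based device fingerprint matching (constructed example)."""
from dataclasses import dataclass
import hashlib

# Weight per attribute: how strongly a mismatch suggests a different
# physical device. Hardware-ish facts weigh more than the user agent,
# which legitimately varies between browsers on one machine.
WEIGHTS = {
    "cpu": 5,
    "fonts": 3,
    "os": 2,
    "color_depth": 1,
    "user_agent": 1,
}


@dataclass
class Fingerprint:
    attrs: dict  # attribute name -> observed value (strings)

    def label(self) -> str:
        """Short hash over the weighted attributes, for logs and cache keys
        only; it is not proof that two sessions share a device."""
        material = "|".join(f"{k}={self.attrs.get(k, '')}" for k in sorted(WEIGHTS))
        return hashlib.sha256(material.encode()).hexdigest()[:16]


def similarity(a: Fingerprint, b: Fingerprint) -> float:
    """Weighted fraction of attributes that agree, in [0, 1]."""
    total = sum(WEIGHTS.values())
    agree = sum(w for k, w in WEIGHTS.items() if a.attrs.get(k) == b.attrs.get(k))
    return agree / total


def same_device(known: Fingerprint, seen: Fingerprint, threshold: float = 0.75) -> bool:
    """Probabilistic decision. Both false positives and false negatives are
    expected, so this must never gate access to sensitive data by itself."""
    return similarity(known, seen) >= threshold


# Constructed sample fingerprints for one user's known laptop.
KNOWN = Fingerprint({
    "cpu": "x86_64/8", "fonts": "fontlist-hash-A", "os": "Windows 8.1",
    "color_depth": "24", "user_agent": "Chrome/46",
})
# Same laptop, different browser: only the user agent changes.
NEW_BROWSER = Fingerprint({**KNOWN.attrs, "user_agent": "Firefox/42"})
# Same laptop after an OS upgrade: os (and, here, the user agent) change.
OS_UPGRADE = Fingerprint({**KNOWN.attrs, "os": "Windows 10", "user_agent": "Edge/13"})
# A different machine that happens to share fonts and colour depth.
OTHER_MACHINE = Fingerprint({**KNOWN.attrs, "cpu": "arm64/4", "os": "Android 5",
                             "user_agent": "Chrome Mobile/46"})

if __name__ == "__main__":
    for name, fp in [("new browser", NEW_BROWSER), ("os upgrade", OS_UPGRADE),
                     ("other machine", OTHER_MACHINE)]:
        print(f"{name:14s} similarity={similarity(KNOWN, fp):.3f} "
              f"same_device={same_device(KNOWN, fp)} label={fp.label()}")
```

With the constructed weights the total is 12, so a user-agent change alone scores 11/12, an OS upgrade plus new browser 9/12, and a different CPU, OS and browser 4/12; only the last falls under the threshold. Lowering the threshold trades fewer "new device" prompts for more missed device changes, which is exactly the trade-off the answer says you have to decide for your own use case.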

How to access Internet connected Debian Linux computer through SSH? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
I have a BeagleBone Black that is running Debian Wheezy. I want to be able to SSH into it over the internet as long as it is connected to the Internet. I want to be able to type in a URL and be able to access it or deploy software on it.
Many other posts showed how one has to configure the router to forward the port and such. However, I want to be able to take this Beaglebone anywhere, maybe even at a coffee shop with Wifi, and I can quickly access it from another computer through the Internet.
I am wondering what is the best approach to do this. I have my own domain name (provider is Namecheap.com), and I won't mind actually paying for some web hosting services if the solution requires that.
To sum it up, I want to be able to SSH into a Debian Linux system via a domain name without any configuration with the network hardware. I want to be able to quickly set it up and access it as long as the system has internet access. How can this be done?
You need to use a "dynamic dns service", since (most likely) your home ip address is not static. It changes with time, which is why it makes sense to use a domain name. However you can not use a normal dns service, since that updates far too slowly.
You need to configure that dynamic dns service such that it points to the current public ip address of your home router. Typically that is done by a trigger that submits the new ip address as soon as the internet connection has been established. So this has to be done from within your home network, typically by a feature of your router (if offered). Alternatively you can use some utility installed on your board's system that is able to detect its public ip address and when that changes. There are some such utilities in the standard repositories. You can not simply publish your ip every minute or so. It has to be event driven (on connect), or you will probably be blocked by the dynamic dns service.
Then indeed you have to configure port forwarding on your home router. The rule has to forward all incoming requests to a specific port to your board's port 22. Note: do not use port 22 on the outside, so do not forward port 22 to port 22. This works, but you will see constant brute force hacking attacks against your system. Just use something like 50022 or whatever (on the outside!).
That should be all.
I take from your comment that you also want to be able to take that board wherever you go and just use any connection wherever. Such a thing is possible, but much more complex. For certain you do need some additional server you have control over. That server has to play relay and forward your requests to your board, which establishes an ssh tunnel between that server and itself as soon as it goes online. So you definitely do need some fixed point somewhere. Such a server is no rocket science. You can rent a virtual one for 3-5 Euros a month these days and do with it whatever you want.
The idea here is that your board contacts that server and establishes an ssh tunnel pointing back to its own port 22. Now you can contact the tunnel which is open at the server and your packets will be forwarded through the tunnel to your board. That works, it is a bit slower than otherwise.
In that case you do not need a dynamic dns service, since such a virtual server typically comes with a fixed ip address. So you can simply resolve your domain to that server of yours.
The question in this case is why do that. Since you already have a comfortable server at hand, what is the board for? The only motivation I can think of is to be able to do illegal downloads or hacking attempts in the foreign environment... Which is not an issue in general. Networks are there to be explored. But you clearly should think thrice when you leave the legal ground. Especially about whom you might cause massive troubles :-)
Oh, you could also combine this approach with using your home router instead of a separate server in the internet. Your board can access your home network using the dynamic dns service, contact some system inside your home network which acts just like the rented server described above.
Taking the additional information from that next comment you gave also this might be worth a try, though I am not sure if that will work. You will have to give it a try:
If everyone meant to access the board is within the same local network, then you might get along without the need for port forwarding. You could try to use one of the mentioned dynamic dns utilities to publish your network-internal ip address to the dns service. If they accept and publish that address, then everyone should be able to directly access your board inside the local network (so not via the internet), but by using your domain name. I never tried such a thing. I could imagine that dns service providers block such a thing. But then again, they might not. So it might be worth a try, since it would be a very simple and elegant solution. Also I am not that sure if all systems will accept such an internal address from a dns authority. As said: you will have to try this.
There certainly are more theoretical possibilities, but those certainly are much more complex. If you stay near your board you certainly can also use things like bluetooth or similar. You could bundle a cheap and broken smartphone and use it as a modem, that way the board can act just like the home router above. Certainly you have the option of a wifi ad-hoc network connection, but I doubt that is what you are looking for.
One thing I would definitely not do is use a third party service provider specialized in such things. Something like TeamViewer or similar. I consider these a serious and obvious security threat, despite what they claim themselves. You definitely can never trust a closed source or internet only service, since there is simply no way for you to really check what they do. So do not fall for that apparently simple and comfortable solution!

How to create a secure "call home" support capability for an instrument?

I'm an embedded engineer (not a network guru) building a piece of Linux-based equipment (a portable measurement instrument) that is normally not connected to the Internet, but we need to make it possible for the equipment to "call home" for support, including updates and troubleshooting, in a manner that compromises neither the product's security, nor the customer's network security nor our own company network.
The "call home" capability will be completely controlled by the user, perhaps by pressing a physical button to activate it, after the equipment has been connected to whatever network the customer chooses to use. For prototype and demonstration systems, this network could be at someone's home or office or even via a phone connection (the equipment will contain only a wired Ethernet port, and the customer would need to provide a wired AP if WiFi access is desired).
Making the connection should require no per-call configuration at the user's end, nor within our box, so I'm thinking we can require the customer to provide DHCP, and not much else. We can also require the customer to first contact us before pressing the "call home" button, so we can have our support interface up only when needed.
When a unit does "call home", it merely makes a connection to a company system, doing nothing else until an engineer (well, me) directly connects to it. Other than the existence of the connection, we should get no (or minimal) information about the network the customer is using. So I'm thinking some kind of SSH connection, but that's as far as I have gotten.
If possible, it should "feel" as if I'm connecting locally, as if the unit were on my desk (perhaps with much more latency, loss, and minimal bandwidth).
But I have no idea whatsoever how to make an SSH connection (if that's the right tool to use for this) as two separate halves: The remote unit "calls" somewhere, presumably on one of our company systems, then that system notifies an engineer (me) that a "call home" has been initiated, then waits for the engineer to connect, forming the other half of the connection.
The connection need not identify the remote system (make, model, serial number, version, etc.): I'd do that manually after logging in securely.
If needed, I can create a new system on our end (Linux, BSD, Windows, whatever, physical or VM) that can be dedicated to just this function. I can get at least one static port mapped out to our corporate WAN, if needed (but something I'd prefer to avoid, if possible).
Ideally, I'd also like for there to be minimal information in the equipment itself, so that possession of the equipment by an adversary (or competitor) could not compromise customer or company networks, other units, nor the call-home technique itself. From what little I know, I'd guess a hostname or IP address, a port number, and a key would be needed, but less would be better!
I'd also like the system to require manual intervention at both ends, with minimal automation that can be buggy or be compromised. Once we implement and test the initial system, automation could be added as our experience with it, and confidence in it, grows.
That's about as far as my thinking has taken me. Beyond this, I'm pretty much clueless. Am I on the right track? What pieces am I missing? Is this already a popular thing to do, and I simply don't know what it is called? How simple and stupid can this capability be made for a couple of prototype systems?
EDIT: If it wasn't obvious already, please assume I'm a networking idiot who can be trusted only to follow an explicit recipe, and not much more. KISS applies!
Disclaimer: as long as no "real" answer is there I just provide my more or less theoretical thoughts with hope it helps.
Without reading in detail, I found http://www.vdomck.org/2005/11/reversing-ssh-connection.html to reverse an SSH connection. If that is easy to follow (it should be easy, just ssh -R basically, see also http://www.brandonhutchinson.com/ssh_tunnelling.html) it means your remote device could connect to your network (and "Pete" is your partner at the customer). The problem is that initiating an SSH connection without user/password requires an authentication private key on that device (so in non-friendly hands).
You could place a dumb SSH server with no private data and no special access, and even the password you could set just for that single connection (and tell your partner "Pete" via phone); let your fantasy play a bit to get a static half "ImGenious$%" and a dynamic half "1243" so you can give a short, easy dynamic half over the phone.
Then from that dumb ssh-server you can connect to your device as in the article.
I would suggest the call home functionality uses SSH to connect to your office. This requires your customer's network provides DHCP, Internet access and DNS capability. It also requires them to allow outbound connections on port 22. The latter is possibly an issue for some security minded customers who want to prevent unknown egress of data.
You will need a certificate for your SSH server so the certificate is valid for the domain name you choose. You will also need to make sure the SSH client on the server is configured to accept the signature of your server.
It sounds like the number of devices you will be maintaining is relatively low. For this reason, I would suggest generating unique public/private key pairs for each device. You can then load the public key into your server so logins are accepted via keys only.
If a device is compromised or stolen, you can delete the appropriate key from your server. The device will not be able to login again. The private key on the device only has value because you have decided to accept the associated public key on login. Remove this and it has no value. The added benefit is that you can identify a device by the key it has used to login (e.g. you can associate each key with a different user). You can then tie up the login with the information about the device/customer that you store on your systems.
If you use reverse SSH you can have the device connect in. Once you're ready, you can use the reverse part to connect through the tunnel that the device and your server have already set up to perform the maintenance.
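Both the BeagleBone answer above (rented relay, board opens a reverse tunnel to its own port 22) and this answer (one key pair per unit, revoke the key if a unit is stolen, identify the unit by the key it logged in with) describe the same relay design. The following is an added example, not code from either answer: it generates the relay-side `authorized_keys` entries and the exact `ssh -R` command each unit would run, and implements the revocation and identification bookkeeping. The relay host `relay.example.com`, the unprivileged relay account `callhome`, the device IDs, the tunnel ports and the public keys are all placeholders constructed for the example; the OpenSSH `authorized_keys` options used (`restrict`, `port-forwarding`, `permitlisten`, `command`) are real and need OpenSSH 7.8 or newer on the relay.

```python
"""Per-device keys for a reverse-SSH "call home" relay (constructed example)."""
from dataclasses import dataclass
import shlex

RELAY_HOST = "relay.example.com"   # placeholder: the fixed point the units dial
RELAY_USER = "callhome"            # placeholder: unprivileged account on the relay
DEVICE_SSH_PORT = 22               # sshd on the instrument itself


@dataclass(frozen=True)
class Device:
    device_id: str    # serial number / asset tag tracked on the vendor side
    pubkey: str       # OpenSSH public key (type + base64), one pair per unit
    tunnel_port: int  # loopback port the relay listens on for this unit


def authorized_keys_entry(dev: Device) -> str:
    """One restricted authorized_keys line for this unit.

    'restrict' switches off pty, agent/X11 forwarding, rc files and all
    forwarding; 'port-forwarding' re-enables forwarding only, and
    'permitlisten' pins the unit's -R listener to its own loopback port.
    The forced command means a stolen key yields no shell on the relay.
    """
    opts = ",".join([
        "restrict",
        "port-forwarding",
        f'permitlisten="127.0.0.1:{dev.tunnel_port}"',
        'command="/bin/false"',
    ])
    # The trailing comment is what sshd logs, so it ties logins to a unit.
    return f"{opts} {dev.pubkey} {dev.device_id}"


def authorized_keys_file(devices) -> str:
    """Full ~callhome/.ssh/authorized_keys for the current fleet."""
    return "".join(authorized_keys_entry(d) + "\n" for d in devices)


def device_command(dev: Device, key_path: str = "/etc/callhome/id_ed25519") -> str:
    """What the unit runs when the button is pressed: a reverse tunnel and
    nothing else (-N). ExitOnForwardFailure makes a taken port an error
    instead of a silent, useless session; keepalives survive NAT timeouts."""
    args = [
        "ssh", "-N",
        "-i", key_path,
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-R", f"127.0.0.1:{dev.tunnel_port}:localhost:{DEVICE_SSH_PORT}",
        f"{RELAY_USER}@{RELAY_HOST}",
    ]
    return shlex.join(args)


def revoke(devices, device_id: str):
    """Unit stolen or compromised: drop its key so the relay rejects it.
    Rewrite authorized_keys from the returned list."""
    return [d for d in devices if d.device_id != device_id]


def identify(devices, pubkey: str):
    """Which unit is on the line? Look up the key sshd reported at login."""
    for d in devices:
        if d.pubkey == pubkey:
            return d.device_id
    return None


# Constructed fleet; the key material is a placeholder, not real keys.
FLEET = [
    Device("PM-0001", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_CONSTRUCTED_KEY_A", 2201),
    Device("PM-0002", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_CONSTRUCTED_KEY_B", 2202),
]

if __name__ == "__main__":
    print(authorized_keys_file(FLEET))
    print(device_command(FLEET[0]))
```

On the relay, the `callhome` account needs `AllowTcpForwarding yes` (or `remote`) in `sshd_config` and the default `GatewayPorts no`, so each unit's tunnel is reachable only from the relay's loopback; the engineer then logs in to the relay under their own account and runs `ssh -p 2201 localhost` to land on unit PM-0001. Nothing on the unit but its own key, the relay name and its port is needed, which is the minimal footprint the question asks for.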

Linux per program firewall similar to windows and mac counterparts

Is it possible to create a GUI firewall that works like its Windows and Mac counterparts? On a per-program basis: a popup notification window when a specific program wants to send/recv data from the network.
If not, then why? What does the Linux kernel lack to allow the existence of such programs?
If yes, then why aren't there such programs?
P.S. This is programming question, not user one.
Yes, it's possible. You will need to set up firewall rules to route traffic through a userspace daemon; it'll involve quite a bit of work.
N/A
Because they're pretty pointless - if the user understands which programs he should block from net access he could just as well use one of multiple existing friendly netfilter/iptables frontends to configure this.
It is possible, there are no restrictions and at least one such application exists.
I would like to clarify a couple of points though.
If I understood this article correctly, the firewalls mentioned here so far, and the iptables this question is tagged under, are packet filters and accept and drop packets depending more on the IP addresses and ports they come from/are sent to.
What you describe looks more like mandatory access control to me. There are several utilities for that purpose in Linux - selinux, apparmor, tomoyo.
If I had to implement a graphical utility you describe, I would pick, for example, AppArmor, which supports whitelists, and, to some extent, dynamic profiling, and tried to make a GUI for it.
OpenSUSE's YaST features graphical interface for apparmor setup and 'learning' , but it is specific to the distribution.
So Linux users and administrators have several ways to control network (and files) access on per-application basis.
Why the graphical frontends for MAC are so few is another question. Probably it's because Linux desktop users tend to trust software they install from repositories and have less reasons to control them this way (if an application is freely distributed, it has less reasons to call home and packages are normally reviewed before they get to repositories) while administrators and power users are fine with command line.
As desktop Linux gets more popular and people install more software from AUR or PPA or even from gnome-look.org where packages and scripts are not reviewed that accurately (if at all) a demand for such type of software (user-friendly, simple to configure MAC) might grow.
To answer your 3rd point.
There is such a program which provides zenity popups, it is called Leopard Flower:
http://sourceforge.net/projects/leopardflower
Yes. Everything is possible
There are real antiviruses for linux, so there could be firewalls with GUI also. But as a linux user I can say that such firewall is not needed.
I reached that question as I am currently trying to migrate from a Mac to Linux. There are a lot of applications I run on my Mac and on my Linux PC. Some of them I trust fully. But others I am not fully trusting. If they are installed from a source that checks them or not, do I have to trust them because someone else did? No, I am old enough to choose myself.
In times where privacy is getting more and more complicated to achieve, and distributions exist that show that we should not trust everyone, I like to be in control of what my applications do. This control might not end at the connection to the network/Internet, but it is what this question (and mine) is about.
I have used LittleSnitch for MacOSX in the past years and I was surprised how often an application likes to access the internet without me even noticing. To check for updates, to call home, ...
Now that I would like to switch to Linux, I tried to find the same thing, as I want to be in control of what leaves my PC.
During my research I found a lot of questions about that topic. This one, in my opinion, best describes what it is about. The question for me is the same. I want to know when an application tries to send or receive information over the network/internet.
Solutions like SELinux and AppAmor might be able to allow or deny such connections. Configuring them means a lot of manual configuration and does not inform when a new application tries to connect somewhere. You have to know which application you want to deny access to the network.
The existence of Douane (How to control internet access for each program? and DouaneApp.com) shows that there is a need for an easy solution. There is even a distribution which seems to have such a feature included. I am not sure what Subgraph OS (subgraph.com) is using, but they state something like this on their website. It reads exactly like the initial question: "The Subgraph OS application firewall allows a user to control which applications can initiate outgoing connections. When an unknown application attempts to make an outgoing connection, the user will be prompted to allow or deny the connection on a temporary or permanent basis. This helps prevent malicious applications from phoning home."
As it seems to me, there are only two options at the moment. One is to compile Douane manually myself, or two, switch distribution to Subgraph OS. As one of the answers states, everything is possible - so I am surprised there is no other solution. Or is there?
