[174877] in North American Network Operators' Group
Re: Marriott wifi blocking
daemon@ATHENA.MIT.EDU (Hugo Slabbert)
Fri Oct 3 22:57:17 2014
X-Original-To: nanog@nanog.org
Date: Fri, 3 Oct 2014 19:57:07 -0700
From: Hugo Slabbert <hugo@slabnet.com>
To: Jay Ashworth <jra@baylink.com>
In-Reply-To: <db09ef1b-55e7-4c9a-9631-05a02349c1c8@email.android.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
--veXX9dWIonWZEC6h
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Looks like you cut off, but:
>Except that this is the difference between what happens at a Marriott=20
>and what would happen at a business that was running rogue AP=20
>detection. In the business the portable AP would be trying to look like=20
>the network that the company operated so as to siphon off legitimate=20
>users. In a hotel the portable AP would be trying to create a=20
>different, separate network. And so your thesis does not hold.
But it's not a completely discrete network. It is a subset of the=20
existing network in the most common example of e.g. a WLAN + NAT device=20
providing access to additional clients, or at least an adjacent network=20
attached to the existing one. Okay: theoretically a guest could spin up=20
a hotspot and not attach it to the hotel network at all, but I'm=20
assuming that's a pretty tiny edge case.
As the administration of the hotel/org network, I'm within bounds to say=20
you're not allowed attach unauthorized devices to the network or extend=20
the network and that should be fair in "my network, my rules", no? And=20
so I can take action against a breach of those terms.
The hotspot is a separate network, but I don't have to allow it to=20
connect to my network. I guess that points towards killing the wired=20
port as a better method, as doing deauth on the hotspot(s) WLAN(s) would=20
mean that you are participating in the separate network(s) and causing=20
harm there rather than at the attachment point.
But what then of the duplicate SSID of the nefarious user at the=20
business? What recourse does the business have while still staying in=20
bounds?
--
Hugo
On Fri 2014-Oct-03 22:27:06 -0400, Jay Ashworth <jra@baylink.com> wrote:
>Except that this is the difference between what happens at a Marriott and =
what would happen at a business that was running rogue AP detection. In the=
business the portable AP would be trying to look like the network that the=
company operated so as to siphon off legitimate users. In a hotel the port=
able AP would be trying to create a different, separate network. And so you=
r thesis does not hold.
>
>I think this is the distinction we need. Because it's clear that the busin=
ess thing should be able to happen and the hotel thing should
>
>On October 3, 2014 10:25:22 PM EDT, Hugo Slabbert <hugo@slabnet.com> wrote:
>>On Fri 2014-Oct-03 17:21:08 -0700, Michael Van Norman <mvn@ucla.edu>
>>wrote:
>>
>>>IANAL, but I believe they are. State laws may also apply (e.g.
>>California
>>>Code - Section 502). In California, it is illegal to "knowingly and
>>>without permission disrupts or causes the disruption of computer
>>services
>>>or denies or causes the denial of computer services to an authorized
>>user
>>>of a computer, computer system, or computer network." Blocking access
>>to
>>>somebody's personal hot spot most likely qualifies.
>>
>>My guess would be that the hotel or other organizations using the
>>blocking tech would probably just say the users/admin of the rogue APs
>>are not authorized users as setting up said AP would probably be in
>>contravention of the AUP of the hotel/org network.
>>
>>>
>>>/Mike
>>>
>>>
>>
>>--
>>Hugo
>>
>>>On 10/3/14 5:15 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
>>>
>>>>So does that mean the anti-rogue AP technologies by the various
>>>>vendors are illegal if used in the US?
>>>>
>>>>On Fri, Oct 3, 2014 at 4:54 PM, Jay Ashworth <jra@baylink.com> wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Ricky Beam" <jfbeam@gmail.com>
>>>>>
>>>>>> It doesn't. The DEAUTH management frame is not encrypted and
>>carries no
>>>>>> authentication. The 802.11 spec only requires a reason code be
>>>>>> provided.
>>>>>
>>>>> What's the code for E_GREEDY?
>>>>>
>>>>> Cheers,
>>>>> -- jra
>>>>> --
>>>>> Jay R. Ashworth Baylink
>>>>>jra@baylink.com
>>>>> Designer The Things I Think
>>>>>RFC 2100
>>>>> Ashworth & Associates http://www.bcp38.info 2000
>>Land
>>>>>Rover DII
>>>>> St Petersburg FL USA BCP38: Ask For It By Name! +1
>>727
>>>>>647 1274
>>>>
>>>>
>>>>
>>>>--
>>>>09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>>
>>>
>
>--=20
>Sent from my Android phone with K-9 Mail. Please excuse my brevity.
--=20
Hugo
--veXX9dWIonWZEC6h
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBCgAGBQJUL2IDAAoJEJqxD/2xeDE+C7kQAK2YqdNSeWHmFXRGeIiJ2XLl
Zmh4qfqWLxAbO+50Io+KZyzrKXWfLe6NMzoslyj6vvqfkdWjnTNO4vFifXB0PBt9
ahdWqOEqegrt0NdeetfBlFOL8J8uZlGp+4/617yayvdGzOusWSBtwyzA7K6S0u6b
x0HU3mT2gxn6RGqbXzOemoEBYlhnyG/QIgqgWID81/RS8UojtR4j4ANT1UIx/4Xv
D5ScK3mzWJ6Phxwvt/1aeTvGlTqWzeqkRZpwzUmhyJhlupchTZJimVmI5U/RuT+o
wMH5jiadrBBo2ynG+JCAM1+h5bUmXj7Sox+f+wRtebmXenEZmcUETpxQdLzCHPSM
ZmhlAJFGkqZ7ctMWZvNJus4vqUjLperx6ALGx6zaS3cM3vqODZTyrTp1DHw74/4C
BPF3mx87WeORniFcSJUk6SY6VYLp8Teh9nSCknimZbmaChmbCLCzS/ohN7EgoccA
Epb4LQJxVLWdTYQ2q2D8GJOxNEyWnySO0h5NtWCBbIFLulQa+QrUa9cgIjGoluu6
4GB/mEo3pELvxRbQxcuzcnIsUMH6AKm4UwbGEp3LnP4truhBau3H2ddNMYib0jfu
2eZ6wbgm5oKI27G2cOAOVzz7ydwyLxzdgCxZDDP231VRer8yHy2GImvepsOWQQsk
x8inK9iSWtNLomycDKYq
=T1ea
-----END PGP SIGNATURE-----
--veXX9dWIonWZEC6h--
