Steven M. Bellovin wrote:
I frequently take the train to Washington; I've occasionally noticed other PCs that appear to be looking for an access point. I've been tempted to put my machine into host AP mode (or use my travel access point -- these trains generally have AC power), run a dhcp server, and see what passwords I get. But I've never been able to convince myself that it would be legal, let alone ethical.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
I have in fact done this (well something similar). On a train from Boston to New York I turned on my wireless card in ad-hoc mode, setup a DHCP server and setup my phone for GPRS. Bingo, I had four other people get addresses from me and presumably "do stuff" I didn't sniff their traffic though. Good 'ole Windows (which they were presumably running, I wasn't) was happy to go from infrastructure mode to ad-hoc mode and associate with me. There is a fundamental security dilemma here. Years ago the original designers of Privacy Enhanced Mail (PEM) had the notion that users couldn't be trusted, so the idea was that there would be one root CA and it would only issue certificates to people who proved who they were. Software would only trust this one CA. In this fashion, if the software said "This came from Jeff Schiller, of MIT" by golly that is where it came from. No end-user preferences to get wrong, no dialog boxes to click away unread. I even remember arguments along the lines of if a signature verification failed, the message would be discarded and the user not permitted to read the "damaged" message. The dilemma is that when you build such a system, the guy who is the root always turns out to be a reptile (or is eaten by a reptile who takes her place). -Jeff -- ============================================================================= Jeffrey I. Schiller MIT Network Manager Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room W92-190 Cambridge, MA 02139-4307 617.253.0161 - Voice jis@mit.edu ============================================================================