General list for discussing Bufferbloat
* Re: [Bloat] [Cerowrt-devel] Suggestions/advice for captive portal on gw00/gw10?
       [not found] <CAGHZhqHk=EhKp3jYNFSO+aW7c8C2HoJ-TSf_k=o=V0bDigO-vQ@mail.gmail.com>
@ 2015-04-08 20:02 ` Dave Taht
  2015-04-08 21:12   ` Steinar H. Gunderson
       [not found]   ` <CAGHZhqGkpTZiyVYaNQbu==U4Y39JoaxUXMOf7crZCSY8DcMpQQ@mail.gmail.com>
  0 siblings, 2 replies; 6+ messages in thread
From: Dave Taht @ 2015-04-08 20:02 UTC (permalink / raw)
  To: leetminiwheat; +Cc: cerowrt-devel, bloat

On Wed, Apr 8, 2015 at 11:01 AM, leetminiwheat <LeetMiniWheat@gmail.com> wrote:
> Sorry if this is an inappropriate place to ask this, but does anyone have
> suggestions for a captive portal to use? And is there anything specific I
> need to be aware of when implementing a captive portal package from OpenWRT?
> I know Cero does firewall rules and zones a bit differently and admittedly I
> still don't fully understand it all. I just need a simple splash page that
> has an agree to terms type thing.

This is one of the few places where I have let my politics interfere
with the science or the perceived needs of cerowrt's userbase.

There is ZERO sign that the captive portal feature has saved anyone a
lawsuit. It has all been a useless shuck to make wifi even less usable
than it already is, and create a new entry point to the wholesale
corruption of the public's airspace by commercial entities like
xfiniti, etc and further encroachments planned by the LTE providers
into the 5Ghz spectrum.

Captive portals create a barrier to what Bob Frankston calls ambient
connectivity[1], and for my whole life, that is what I have worked for
as a goal - expecting, by now, for that to happen, and for internet on
the move - to be essentially free, to all, with no metering, and no
barriers to accepting a phone or videocall or file transfer from
anywhere from any device on my person, anywhere there was a signal.

I will have no part of captive portals for cerowrt. There is at least
one captive portal in openwrt. Use that.

I am also bugged by the total insecurity built into WPA that has also
led to this decline in ambient connectivity over the last 10 years.
Anyone can capture a key exchange, or force one, to gain full access
to that node's wifi traffic - and people NOT co-operating on channel
access and locking off their individual sessions with useless crypto
keys, instead of something that works, while delusionally thinking
they were "secure" - are helping *ruin* wifi for everyone.

e2e encryption is far, far saner than basic WPA2. [2]. People are
under the delusion that this form of crypto helps, it doesn't, all it
is doing is messing up the air with management frames and blocking
ambient connectivity.

Wifi is a commons. No amount of locking it down can prevent the waves
from escaping or interfering. All people - even the corporations
trying to repurpose it for their purposes - need to understand that. I
worked REALLY HARD in 1998-2004 to convince multiple VCs to not use up
this precious spectrum with another metricom - and thus, in part due
to that effort, we ALL have wifi, it is uncontrolled, and nearly
unregulated, and the world is a vastly freer better place for that.

And it is going to hell, because no-one understands it or cares about
it, enough. I have loved being freed from wires for 17 years now,
haven't you? Isn't wifi worth saving?

So, please, don't use captive portals. In a system with a decent and
secure guest network implementation, as cerowrt has, please share your
access with open APs or a simple shared certificate. Please
co-ordinate with your neighbors on channel selection - and radio
placement - or pool your resources to get one big fast internet
connect to share, fairly - now that the fq_codel technology is widely
available to make that transparent. Build meshy networks. Take back
the internet we once had....

Lastly - there are only 24 hours left on this kickstarter - we CAN
start to take back the edge of the internet - if we can only find
another 12k of funding.

https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking

The same FPGA is also useful for SDR applications, but it is the pcie
interface and switch design - and reducing the cost from 7000 to 700
bucks - that is the important part of getting this board completed -
so that more of htb + fq_codel can move into hardware that anyone can
build and use.

There is a get one give one program that I asked meshsr to put in.
There are people on these lists with money, and there are those with
time, and it would be great if more of those people could line up with
each other. I put in all I could spare (8500 dollars). I have one of
their high end boards, already. It's great.

>
> Also, does anyone have a connlimit module for the 3.10-50-1 kernel? I'd like
> to limit max connections per IP on guest wireless. Or can someone point me
> in the right direction to build one? OpenWRT's build instructions are hard
> to follow and/or really outdated.

CeroWrt is effectively dead so long as it remains unfunded. What
little time, funding, and energy I can spare I am pouring into
make-wifi-fast and openwrt chaos calmer.

[1] http://frankston.com/public/?n=IAC.UAC
[2] Take an aircap, then take it apart via wireshark:
https://wiki.wireshark.org/HowToDecrypt802.11

>
> Thanks
>
> P.S. Solid uptime on 3.10.50-1, and my SQM bugs fixed with latest
> sqm-scripts. (using ones from late march 2015) on default scripts, egress
> wasn't getting throttled sometimes and many duplicate interfaces on SQM
> restarts. Also, dnscrypt-proxy packages from
> https://github.com/black-roland/exOpenWrt working great.
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>



-- 
Dave Täht
We CAN make better hardware, ourselves, beat bufferbloat, and take
back control of the edge of the internet! If we work together, on
making it:

https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking


* Re: [Bloat] [Cerowrt-devel] Suggestions/advice for captive portal on gw00/gw10?
  2015-04-08 20:02 ` [Bloat] [Cerowrt-devel] Suggestions/advice for captive portal on gw00/gw10? Dave Taht
@ 2015-04-08 21:12   ` Steinar H. Gunderson
  2015-04-08 21:31     ` Dave Taht
       [not found]   ` <CAGHZhqGkpTZiyVYaNQbu==U4Y39JoaxUXMOf7crZCSY8DcMpQQ@mail.gmail.com>
  1 sibling, 1 reply; 6+ messages in thread
From: Steinar H. Gunderson @ 2015-04-08 21:12 UTC (permalink / raw)
  To: bloat

On Wed, Apr 08, 2015 at 01:02:57PM -0700, Dave Taht wrote:
> I am also bugged by the total insecurity built into WPA that has also
> led to this decline in ambient connectivity over the last 10 years.
> Anyone can capture a key exchange, or force one, to gain full access
> to that node's wifi traffic

Wait, what? Citation needed.

> [2] Take an aircap, then take it apart via wireshark:
> https://wiki.wireshark.org/HowToDecrypt802.11

For this, you need to know the PSK (or, equivalently, the PMK).

/* Steinar */
-- 
Homepage: http://www.sesse.net/


* Re: [Bloat] [Cerowrt-devel] Suggestions/advice for captive portal on gw00/gw10?
  2015-04-08 21:12   ` Steinar H. Gunderson
@ 2015-04-08 21:31     ` Dave Taht
  2015-04-08 21:40       ` Dave Taht
  0 siblings, 1 reply; 6+ messages in thread
From: Dave Taht @ 2015-04-08 21:31 UTC (permalink / raw)
  To: Steinar H. Gunderson; +Cc: bloat

On Wed, Apr 8, 2015 at 2:12 PM, Steinar H. Gunderson
<sgunderson@bigfoot.com> wrote:
> On Wed, Apr 08, 2015 at 01:02:57PM -0700, Dave Taht wrote:
>> I am also bugged by the total insecurity built into WPA that has also
>> led to this decline in ambient connectivity over the last 10 years.
>> Anyone can capture a key exchange, or force one, to gain full access
>> to that node's wifi traffic
>
> Wait, what? Citation needed.
>
>> [2] Take an aircap, then take it apart via wireshark:
>> https://wiki.wireshark.org/HowToDecrypt802.11
>
> For this, you need to know the PSK (or, equivalently, the PMK).

Yes, anyone with access to the shared crypted network with a PSK can
decode everybody elses traffic.

> /* Steinar */
> --
> Homepage: http://www.sesse.net/
> _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat



-- 
Dave Täht
We CAN make better hardware, ourselves, beat bufferbloat, and take
back control of the edge of the internet! If we work together, on
making it:

https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking
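The point this exchange converges on, that decrypting a WPA2-PSK capture needs the passphrase (or PMK) plus the client's 4-way handshake, and that every client on the network shares that PMK, as an added example. This is not code from the thread, from Wireshark or from any project; the AP/station addresses, nonces and the EAPOL-Key frame are constructed for illustration, and the only published value used is the IEEE 802.11 PBKDF2 test vector for passphrase "password" with SSID "IEEE" (checked in the usage below). The key schedule itself (PBKDF2-HMAC-SHA1 with 4096 iterations, the "Pairwise key expansion" PRF, HMAC-SHA1 key MIC) is the standard's.

```python
"""WPA2-PSK key derivation, as an added illustration (not code from the thread).

Every client on a PSK network derives the same PMK from the passphrase, so
anyone holding the passphrase who captures a client's 4-way handshake can
re-derive that client's pairwise keys and decrypt its unicast traffic.
Sample addresses, nonces and the EAPOL-Key frame below are constructed.
"""
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL hdr(4)+desc(1)+info(2)+len(2)+replay(8)+nonce(32)+IV(16)+RSC(8)+ID(8)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_handshake(pmk, aa, spa, anonce, snonce) -> bytes:
    """PTK for CCMP (48 bytes) from the PMK plus the public handshake values.

    aa/spa are the AP and station MAC addresses; the nonces are carried in
    the clear in messages 1 and 2 of the 4-way handshake.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes):
    """KCK (MIC key), KEK (wraps the GTK in message 3), TK (CCMP data key)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 over the EAPOL-Key frame with the MIC zeroed, truncated."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_key_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed message 2 of the 4-way handshake (layout only; key_info is illustrative)."""
    body = (b"\x02"            # descriptor type: RSN
            + b"\x01\x0a"      # key info: HMAC-SHA1 MIC, pairwise, MIC bit set
            + b"\x00\x10"      # key length 16 (CCMP)
            + b"\x00" * 8      # replay counter
            + snonce
            + b"\x00" * 16     # key IV
            + b"\x00" * 8      # key RSC
            + b"\x00" * 8      # reserved
            + mic
            + b"\x00\x00")     # key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def recover_tk(passphrase, ssid, aa, spa, anonce, snonce, msg2):
    """What a passive observer holding the passphrase does: returns the TK if the
    candidate passphrase validates against the captured message-2 MIC, else None."""
    kck, _kek, tk = split_ptk(
        ptk_from_handshake(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce))
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    return tk if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic) else None


# Constructed sample handshake: a station joining the guest SSID.
SSID, PSK = "guest", "correct horse battery"
AA = bytes.fromhex("0201020304aa")       # AP address (constructed)
SPA = bytes.fromhex("02010203045a")      # station address (constructed)
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()


def sample_capture():
    """The frame a sniffer would record, MIC computed by the legitimate station."""
    kck, _, _ = split_ptk(ptk_from_handshake(pmk_from_passphrase(PSK, SSID), AA, SPA, ANONCE, SNONCE))
    unsigned = build_eapol_key_msg2(SNONCE)
    return build_eapol_key_msg2(SNONCE, eapol_mic(kck, unsigned))


if __name__ == "__main__":
    tk = recover_tk(PSK, SSID, AA, SPA, ANONCE, SNONCE, sample_capture())
    print("TK recovered:", tk.hex())
    print("wrong passphrase:", recover_tk("wrong", SSID, AA, SPA, ANONCE, SNONCE, sample_capture()))
```

Two things worth noticing in the code: nothing secret beyond the passphrase enters the derivation (addresses and nonces are sent in the clear, which is why a capture of the handshake is sufficient and why a missed handshake means no decryption), and the MIC check on message 2 is what turns a capture into a passphrase oracle, so a weak PSK on a "secured" network is recoverable offline by anyone who recorded one join. The GTK for broadcast traffic is delivered in message 3 wrapped under the KEK, which the same derivation yields.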


* Re: [Bloat] [Cerowrt-devel] Suggestions/advice for captive portal on gw00/gw10?
       [not found]       ` <81246.1428527679@turing-police.cc.vt.edu>
@ 2015-04-08 21:34         ` Dave Taht
  2015-04-09 16:37           ` dpreed
  0 siblings, 1 reply; 6+ messages in thread
From: Dave Taht @ 2015-04-08 21:34 UTC (permalink / raw)
  To: Valdis Kletnieks; +Cc: leetminiwheat, cerowrt-devel, bloat

On Wed, Apr 8, 2015 at 2:14 PM,  <Valdis.Kletnieks@vt.edu> wrote:
> On Wed, 08 Apr 2015 16:40:10 -0400, leetminiwheat said:
>
>> Sorry again, I found connlimit in iptables-mod-conntrack-extra. I'll
>> investigate further about a simple portal and not make it too intrusive,
>> just more of a warning that they're not on their (faster) home WiFi.
>
> It's 74F and sunny outside, it's one of the more scenic areas in southwest
> Virginia, I have a Jaguar with an almost full tank of gas in the parking lot,
> and I'm stuck in this cubicle for a bit longer.  So the snark is running high
> at the moment.
>
> http://www.ex-parrot.com/pete/upside-down-ternet.html
>
> And add an exception list for device MAC addresses you recognize....
>
> That should do the trick. :)

While amusing, that was not my point.

My overall point is that not sharing wifi spectrum sanely, and the
resulting interference is hurting everyone.

There is no "theft" of internet access you are not using.

(Admittedly there are (today) increasing amounts of usage caps from
the ISP, which I do not like either.)

-- 
Dave Täht
We CAN make better hardware, ourselves, beat bufferbloat, and take
back control of the edge of the internet! If we work together, on
making it:

https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking


* Re: [Bloat] [Cerowrt-devel] Suggestions/advice for captive portal on gw00/gw10?
  2015-04-08 21:31     ` Dave Taht
@ 2015-04-08 21:40       ` Dave Taht
  0 siblings, 0 replies; 6+ messages in thread
From: Dave Taht @ 2015-04-08 21:40 UTC (permalink / raw)
  To: Steinar H. Gunderson; +Cc: bloat

On Wed, Apr 8, 2015 at 2:31 PM, Dave Taht <dave.taht@gmail.com> wrote:
> On Wed, Apr 8, 2015 at 2:12 PM, Steinar H. Gunderson
> <sgunderson@bigfoot.com> wrote:
>> On Wed, Apr 08, 2015 at 01:02:57PM -0700, Dave Taht wrote:
>>> I am also bugged by the total insecurity built into WPA that has also
>>> led to this decline in ambient connectivity over the last 10 years.
>>> Anyone can capture a key exchange, or force one, to gain full access
>>> to that node's wifi traffic
>>
>> Wait, what? Citation needed.

I retract this portion of my rant. Having a bad day, sorry.

>>> [2] Take an aircap, then take it apart via wireshark:
>>> https://wiki.wireshark.org/HowToDecrypt802.11
>>
>> For this, you need to know the PSK (or, equivalently, the PMK).
>
> Yes, anyone with access to the shared crypted network with a PSK can
> decode everybody elses traffic.
>
>> /* Steinar */
>> --
>> Homepage: http://www.sesse.net/
>
>
>
> --
> Dave Täht
> We CAN make better hardware, ourselves, beat bufferbloat, and take
> back control of the edge of the internet! If we work together, on
> making it:
>
> https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking



-- 
Dave Täht
We CAN make better hardware, ourselves, beat bufferbloat, and take
back control of the edge of the internet! If we work together, on
making it:

https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking


* Re: [Bloat] [Cerowrt-devel] Suggestions/advice for captive portal on gw00/gw10?
  2015-04-08 21:34         ` Dave Taht
@ 2015-04-09 16:37           ` dpreed
  0 siblings, 0 replies; 6+ messages in thread
From: dpreed @ 2015-04-09 16:37 UTC (permalink / raw)
  To: Dave Taht; +Cc: Valdis Kletnieks, cerowrt-devel, bloat

Don't want to get entangled in the political debate, but just a thought:

If you track what MAC addrs use what upstream capacity, you could have data on which to judge who is pushing your usage over any caps you happen to have.

Having some data (not general fears or propaganda generated by those who want to tell you to be very afraid so you buy their gear or their arguments) always helps.

And if you like, you could do something that doesn't involve all the protocol violations that a captive portal usually involves (redirecting DNS, ... and putting MITM attacks on https: connections, ...), e.g. restrict any unknown users to 28 kb/sec of your upstream, for example, as a way to be non-disruptive. People won't get netflix or youtube over 28 kb/sec in any useful way.

Security is often just a matter of making it easier to steal from your neighbor, rather than installing an automatic gun to shoot anyone who trespasses.

On Wednesday, April 8, 2015 5:34pm, "Dave Taht" <dave.taht@gmail.com> said:

> On Wed, Apr 8, 2015 at 2:14 PM,  <Valdis.Kletnieks@vt.edu> wrote:
>> On Wed, 08 Apr 2015 16:40:10 -0400, leetminiwheat said:
>>
>>> Sorry again, I found connlimit in iptables-mod-conntrack-extra. I'll
>>> investigate further about a simple portal and not make it too intrusive,
>>> just more of a warning that they're not on their (faster) home WiFi.
>>
>> It's 74F and sunny outside, it's one of the more scenic areas in southwest
>> Virginia, I have a Jaguar with an almost full tank of gas in the parking lot,
>> and I'm stuck in this cubicle for a bit longer.  So the snark is running high
>> at the moment.
>>
>> http://www.ex-parrot.com/pete/upside-down-ternet.html
>>
>> And add an exception list for device MAC addresses you recognize....
>>
>> That should do the trick. :)
> 
> While amusing, that was not my point.
> 
> My overall point is that not sharing wifi spectrum sanely, and the
> resulting interference is hurting everyone.
> 
> There  is no "theft" of internet access you are not using.
> 
> (Admittedly there are (today) increasing amounts of usage caps from
> the ISP, which I do not like either.)
> 
> --
> Dave Täht
> We CAN make better hardware, ourselves, beat bufferbloat, and take
> back control of the edge of the internet! If we work together, on
> making it:
> 
> https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking
> 
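The two concrete mechanisms discussed in this thread, the per-IP connlimit that leetminiwheat found in iptables-mod-conntrack-extra and dpreed's alternative to a captive portal (account upstream bytes per MAC, throttle unknown devices, intercept nothing), as one added example in the form of an OpenWrt-style firewall script. This is not CeroWrt or OpenWrt code. Assumptions: the guest SSID interface is named gw00 (taken from the subject line; set GUEST_IF otherwise), the iptables connlimit and mac matches and the tc ingress qdisc are available on the router, and KNOWN_MACS is a constructed allowlist. MAC addresses are trivially spoofed, so this is traffic policy, not access control, and it never redirects DNS or terminates TLS.

```sh
#!/bin/sh
# Added example, not code from the thread, CeroWrt or OpenWrt: a guest-network
# policy that needs no captive portal (no DNS redirection, no TLS interception).
# Assumes OpenWrt/CeroWrt with iptables + iptables-mod-conntrack-extra (connlimit)
# and tc. GUEST_IF is assumed to be the guest SSID interface (gw00 in the subject
# line). KNOWN_MACS is a constructed allowlist; MAC addresses are trivially
# spoofed, so treat this as traffic policy, not access control.
: "${GUEST_IF:=gw00}"
: "${KNOWN_MACS:=00:11:22:33:44:55 66:77:88:99:aa:bb}"
: "${MAX_CONNS:=32}"            # new TCP connections allowed per guest IP
: "${UNKNOWN_RATE:=28kbit}"     # upstream budget shared by all unknown devices
: "${DRY_RUN:=1}"               # 1 = print the commands, 0 = apply them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# u32 on an ingress qdisc sees the IP header at offset 0 and can read the
# Ethernet header at negative offsets: source MAC = bytes 6..11 of the frame,
# i.e. a u16 at -8 followed by a u32 at -4.
mac_to_u32() {
    hex=$(printf '%s' "$1" | tr -d ':')
    printf '0x%s 0x%s' "${hex%????????}" "${hex#????}"
}

# Per-MAC byte counters on the upstream (guest -> router) direction; one
# RETURN rule per known device, a final catch-all for everything unknown.
account_per_mac() {
    run iptables -N guest_acct
    run iptables -I FORWARD -i "$GUEST_IF" -j guest_acct
    for m in $KNOWN_MACS; do
        run iptables -A guest_acct -m mac --mac-source "$m" -j RETURN
    done
    run iptables -A guest_acct -j RETURN
}

# connlimit from iptables-mod-conntrack-extra: cap new TCP connections per
# source IP (mask 32) coming from the guest side.
limit_connections() {
    run iptables -I FORWARD -i "$GUEST_IF" -p tcp --syn \
        -m connlimit --connlimit-above "$MAX_CONNS" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
}

# Ingress policer on the guest interface (its ingress is the guests' upstream):
# known MACs match first and pass; everything else shares UNKNOWN_RATE.
# Policing here leaves the SQM instance on the WAN interface untouched.
police_unknown_upstream() {
    run tc qdisc add dev "$GUEST_IF" handle ffff: ingress
    prio=1
    for m in $KNOWN_MACS; do
        set -- $(mac_to_u32 "$m")
        run tc filter add dev "$GUEST_IF" parent ffff: protocol ip prio "$prio" u32 \
            match u16 "$1" 0xffff at -8 match u32 "$2" 0xffffffff at -4 flowid :1
        prio=$((prio + 1))
    done
    run tc filter add dev "$GUEST_IF" parent ffff: protocol ip prio "$prio" u32 \
        match u32 0 0 police rate "$UNKNOWN_RATE" burst 8k drop flowid :1
}

apply_guest_policy() {
    account_per_mac
    limit_connections
    police_unknown_upstream
}

# Read the per-device counters (bytes column = upstream usage since the rules went in).
show_usage() {
    run iptables -L guest_acct -vnx
}

apply_guest_policy
```

With DRY_RUN=1 (the default) the script only prints the rules it would install; DRY_RUN=0 as root applies them. The byte column from show_usage is the data dpreed suggests collecting before deciding who is pushing the link toward a cap. The policer is one aggregate budget for every unknown device, which is the least disruptive reading of "restrict any unknown users to 28 kb/sec"; a per-device budget is the same allowlist loop with a police clause attached to each matched address instead of the catch-all.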



