Saturday, April 12, 2008

Cease and Desist!

My ISP (Speakeasy) sent me a nice letter recently informing me the European Union's copyright infringement division was displeased with me. They said that based on these allegations, I would be in violation of the Speakeasy Acceptable Use Policy. "How can that be?", thought I. I buy my music on iTunes, I do not partake in bittorrent, limewire or any other version of the now dead Napster (old school version not the new subscription based system) music/file-trading system. Hell, I pay for stuff! I have encoded all my purchased CDs and boxed them away but I keep them to myself. In fact I am a true supporter of "legitimate" digital music use via iTunes or any other service that, in some way, supports the artists that create the music I love. This includes freely distributed music a la Radiohead.

So why was the European Union coming after me? Speakeasy's Tech Support and Security groups were very helpful in pointing out to me that they could track streams of file sharing originating at my IP address. So I thought deeply about this (for 2 seconds) and arrived at the most logical conclusion. My neighbors were connecting to me via Free The Net, the Meraki based San Francisco free wifi network and uploading/downloading music to their heart's content. I have 2 repeaters on my roof and 4 others in houses nearby providing firewalled access to the Internet. This made me sad. I was very pleased to provide an un-asked for service to my neighbors who may not have - or may not be able to afford - Internet access. I wrote to Meraki explaining my dilemma and asked if there was some way to restrict my neighbors from conducting file trading on my network.

People in my hood are sharing music over my wireless network and
abusing my speakeasy acceptable use policy. Speakeasy.net has warned
me that any continued abuse will result in disconnection of my
service. Therefore I must inform you that unless you can lock it
down so only port 80 is being used I will have to disconnect the
Meraki repeaters and access points from my network.

I am very sorry. This seems like a real shame. I was very eager to
participate in "Free the Net" but now I am a bit saddened that folks
are abusing it.

Please get back to me and let me know if there is anything you can do
on your end.


They replied back with...

Hey Bruce,

grr. that's really irritating. but actually what's surprising is that
we haven't had to address this issue so far. as far as blocking
everything but port 80: I don't think any of us would be happy with a web-only Internet connection, so that doesn't seem like a good answer. to me it seems the real solution here would be to figure out who the culprit is and block them.

I looked on your gateway and didn't see anyone transferring an
inordinate amount of traffic. do you happen to have any idea who it is? do you know if it is bittorrent they are using? maybe they are using a different gateway at least part of the time (probably mine, hehe).

next week I guess we can figure out how to set up the right counters on your gateway so that we can figure out who it is (any insight or additional info you can provide would obviously be super helpful). hopefully Speakeasy can wait that long. if you need to unplug, we understand, but leaving your repeater plugged into power would at least soften the blow.

ugh,

So far they have found no way to track or stop the activity and I love my Speakeasy service. So I have no choice. Until such a time as I can trust my neighbors not to conduct activity that the European Union deems as illegal or until Meraki finds a way to filter this traffic out, I must disconnect my network from "Free the Net". I still have repeaters on my roof but they are no longer connected to my network; file traders now siphon off some other guy's pipe or tube or truck that backs up and unloads Internet.

Comments and suggestions, as always, are very welcome.


Thursday, September 20, 2007

WLAN IDS and the bizarre world of security exploits

If you make security software (or any software, for that matter) sooner or later you will create what I technically refer to as a booboo. A security vulnerability in your software that raises the ire of your customers and makes you feel foolish and sad. Not to worry, mateys, this happens to all software manufacturers. The important thing to remember here is how you handle it. Are you going to be a Pro or a shmuck? Recently, AirDefense (why no dot com?), a WLAN IDS manufacturer had just such an incident. Is this uncommon? Relatively so. Is it dire? Not really. Are you just sniping at your competitor? Kind of, but in the interest of disclosure, we had an incident a long time ago as well so, dear friends, I feel their pain.


Let's talk about what happened first. The vulnerability as explained here happens when you send a specially crafted HTTPS request, which will cause the HTTPS service on the system to crash. It appears from my quick glance as if you need to authenticate first and also be on the segment from which you can administer the system. So what is this? Granted it can bring down the sensor but actually it appears to be a "tempest in a teacup". You need to be the admin or snarf the admin login in order to cause a denial of service to one of probably many tens or hundreds of sensors. Unlikely at best.



So how was this handled? Professionally, in my humble opinion. AirDefense contacted the people who reported the exploit and directed them to a patch for it as reported here, "Solution: Update to the latest firmware version"



AirMagnet had a similar experience last October. And we handled it the same way. Here is our official response to the problem from back then:


Re: Airmagnet management interfaces multiple vulnerabilities
AirMagnet vendor response below -



(1) The vulnerabilities are tested against an over-a-year old AirMagnet Enterprise product,
(2) Some of these vulnerabilities have been patched and fixed in AirMagnet Enterprise version 7.0.x,
(3) All vulnerabilities are now completely fixed by AirMagnet Enterprise version 7.5 build 6307 and later.
(4) AirMagnet customers can download patches from MyAirMagnet support web site (http://www.airmagnet.com/my_airmagnet/index.php)



So to summarize, there are a lot of security professionals out there who are trying to make a name for themselves and do it in an industry, like the WLAN industry, that is going places. They spend all their time looking for these exploits and I, for one, am glad they do. They keep us honest and ensure that we are doing our very best to protect our customers. Are their motives pure? Debatable but mostly. Do they sit down afterwards and talk amongst themselves about what l@m3rz those software guys are? You bet! Should I take it personally? Nah.


