I'm Matthew Schuchman. I'm the founder of WarDrivingWorld.com and I'm here to talk to you about war driving hardware and how to build some if you want to war drive. Firstly, can I ask a question? How many of you have ever gone war driving? Can you raise your hands? Okay, so the rest of you are interested in war driving and the ones who have already war driven want to do some new things. They're great. Mic? Better? Okay, that's better. Okay, sorry.

What is war driving? To start off, for those of you who haven't done it, war driving is the sport. The name was coined by Peter Shipley. The act of driving around and looking with a laptop computer and locating access points for Wi-Fi networks. You don't necessarily need an antenna. You can use an internal Wi-Fi card on a laptop, but you can only go so far with that. There are a variety of pieces of software that have been shared by their authors or in the public domain, including packages like Marius Milner's NetStumbler, which allow you to record the access points that you find and record some information about them. And there are also packages like Kismet and that variety, which grab Wi-Fi packets, and then you dissect them a bit and do little bits of surgery on them.

First question, is it legal to war drive? Okay. That's a word for all of you. Is it legal to war drive? Good question. And it's one that I'm going to be covering more tomorrow afternoon. There'll be a session on the legal and ethical aspects of war driving. I'm the chair on that. And Frank Thornton will be there. Robert Hale and Renderman. And the four of us will be having a panel discussion on some of the current legal issues and some of the ethical issues in terms of war driving. You can join us there. Yes. They've moved the time a few times, but I think it's at 1 p.m. tomorrow. I guess they'll let me know tomorrow, but look forward to seeing you there. Okay.

Simply put, the construction of war driving tools is legal.
And war driving is legal as long as you don't try to access a Wi-Fi signal that you don't have permission to access. Simply detecting the signal so far, all the cases that have come forward have shown that at least accessing the signal is a problem, potentially. But simply detecting the signal is not. The problem comes in when you have a typical case of, let's say at home, I have a Linksys router. I pull the Linksys router out of the box. I configure some security there. And what do I use for an SSID, that is, the name on the router? Default. Okay. This seems unique. I now have my Windows XP laptop configured that when it sees default, it knows it's my home network and it links to it. Well, I drive around town. You're going to find a lot of Linksys routers configured with the name of default. And what does Windows do? And when linked up with Linksys, it simply goes and connects to the network. And it thinks it's yours. So, actively you haven't done anything. But the software and the hardware have combined, the software and the firmware have combined basically to allow you to have access to that network. So that's when the question becomes a little tricky. So we'll be discussing that more tomorrow. Yes, next slide. No, hold on a second. Thank you.

The original war drivers were those IT folks who were asked to perform site surveys for the design of Wi-Fi systems. Their purpose was to see where the signal was emanating from, where it was strong, where it was weak, and where it needed to be changed. This is certainly a legal form of war driving because they're working with signals that they've been contracted to work with or they're working with signals in their own company.

Yes, there have been a few arrests of people for war driving. Don't be scared. So far, there have been no cases of anyone arrested for war driving that wasn't associated with some other nefarious activity. That is, they committed some other crime.
Most of us, I think, would agree if you're using... I'll take questions later. Thank you. Most of us would agree that if you're dropping in on somebody else's Wi-Fi signal and sending out child pornography as spam, that that's a crime and that has nothing to do with the fact that they happen to be war driving while doing it. Or going up online on Wi-Fi and stealing people's credit card numbers that are coming across from a retail store, the crime really is not the war driving. The crime was stealing the credit card numbers. So far, there have really been no yet recorded arrests for war driving.

So, to start doing war driving and performing Wi-Fi site surveys, what do you need? As I said, if you already have a laptop with built-in Wi-Fi, that's all you need. You can drive around with that and a piece of software like NetStumbler, and you can detect networks. The first time I went war driving, I lived in South Florida. I drove in a four-mile square, four miles on each side around my house on major roads. I detected 83 access points. Approximately 15% had some form of protection. All of the others were naked. The SSIDs, that is, the names given to the networks, that were naked included a local hospital, two law firms, one of which was named Law Firm, and the other one which was named by the name of the law firm, so certainly they weren't trying to hide, and one bank and one local city agency.

Obviously there's a lot of people that are unprotected out there, but enough said about the vulnerability of Wi-Fi. One of the reasons in a sense that we all appreciate war driving is that we're trying to improve the security that exists within Wi-Fi. But again, I don't like to place the blame on the consumers who purchase the equipment which accesses it, or the consumers who have the equipment in their offices. I think that something is up to the responsibility should be in part with those who design the operating systems and those who design the hardware.
They want to make it so easy to use they make the lack of security a default rather than security a default.

There are different cards to use for Wi-Fi for different purposes. Internal Wi-Fi cards. People come up to me with one of the most common emails we get, which is, I bought a new Dell 8600. It has great internal Wi-Fi. What do I need to hook up your Cantena to it? And I say, it's not going to help you at all. These types of laptops, their Wi-Fi is not upgradable unless you want to open up the screen, solder in a connector that's going to void your warranty, and I don't want to sell the parts for it because I don't want to get involved in the problems. So I suggest to them what you need generally is an external Wi-Fi card that you plug in which has an external connector which allows you to hook up a variety of antennas. They're more power hungry than the internal card. They are going to draw power but most people's batteries are in pretty good shape these days.

Not all external Wi-Fi cards, PCMCIA or CardBus, that have external antenna connectors are created equal. They run the full gamut but there is no one Wi-Fi card which is the best. Some people prefer... the two chipsets that are most commonly used are the ones based on the Hermes, or the Orinoco Classic Gold, and the other one is the ones based on the Prism chipset. Again, they're both different cards. The Orinoco Gold Classic was manufactured by Orinoco, it was related to Loot but it was part of Lucent, and when it was made it was not only manufactured for Lucent as an Orinoco card, it was manufactured under private label for Enterasys, 2Wire, Dell TrueMobile, Compaq, Toshiba. At one point just about every Wi-Fi card you picked up was really an Orinoco. It was a very nice design. Proxim bought the hardware licenses from Orinoco and a company called Agere bought the software licenses.
So when you use a Gold Classic card these days, most of the time you're ending up putting a card in, if it's a new one, that's manufactured by Proxim, and the software still comes from Agere. So people often ask me when they get a card, here's a real Orinoco. Is there any difference between this and the Compaq? There are about two bytes of difference, but from a performance basis there is no difference and they'll both run the same drivers.

The Prism 2 based cards come in a variety of packages. Many Linux users prefer it. In particular there's a Cisco version which is a 100 milliwatt card. The Orinoco cards are only running at about 35 milliwatts. There's also an SMC version which is at 200 milliwatts and I think they've now come out with a 300 milliwatt version. So if you want power the Prism is a good card to go to, but if you try pumping out 200 milliwatts on a continuous basis you'll certainly drain your batteries quite quickly.

One of the important issues when working with a card and you want to do serious war driving, and serious war driving would involve accepting some packets and examining their contents. This is what we would call promiscuous mode. Promiscuous mode is not as naughty as it sounds. It relates to networking where you have a Wi-Fi card which is able to recognize and accept all the network traffic which comes along. Passively. So it's basically somewhat stealthy and it's just sitting there and listening. Generally you not only need a promiscuous mode, a card that will do it, you also need a driver that will allow you to do it.

I put it this way. If you want to listen to the music of Wi-Fi and you want to look at the notes that are being played with promiscuous mode, one of the important factors in terms of choosing a card is receive sensitivity. Receive sensitivity indicates how faint an RF signal is that can be successfully received by your card. The lower the power level that a card can receive, the better the receive sensitivity.
In Wi-Fi equipment, receive sensitivity is generally stated as a function of network speed. It will generally tell you at what speed your sensitivity is. For any given receiver, the higher the data rate, the less sensitive will be the receiver because the more power that is required to support that higher data rate. So people often ask me, I'm at a distance, it's dropping down to 2 megabits. Yes, that's what's going to happen. That's why you put an antenna in to increase the amount of signal that you're getting even though you're not increasing the sensitivity, so then you can boost up your speed again. Next slide.

I'm not going to do too much math here. Just briefly, receive sensitivity is frequently a confusing issue for people. That is because it's expressed in decibels. It's not generally a unit that most of you are familiar with if you're not working in RF or you're not working in acoustics. A decibel is a ratio expressed on a logarithmic exponential scale. So a 10 to 1 ratio is 10 dB. A 2 to 1 ratio is 3 and a 1 to 1 ratio is 0 dB. While ratios of less than 1 to 1 are expressed as negative numbers, for example a 1 to 2 ratio equals minus 3 dB.

Receive sensitivity, when you look at a card and the specifications, is expressed using a version of decibel employed in measurements of radio power. The dBm scale. 0 dBm equals 1 milliwatt. That's perhaps the end scale. A power of 100 milliwatts equals 20 dBm and 1,000 milliwatts equals 30 dBm. Power levels below 1 milliwatt are expressed as a negative number. That's just what happens when you're looking at something logarithmically. But when you need to compare the receive sensitivity, for example, 0.01 milliwatts would be minus 20 dBm. And so when taking a look at it, what you really have to look at is the absolute value. What I mean by that is a signal of minus 98 dBm sensitivity is much better than the sensitivity at minus 95 dBm.

Let's take a look at antennas for a moment.
The simplest antenna, and what I'm going to tell you when any of you came to the booth and everybody wants the biggest antenna. It's an American tradition. Bigger is always better. In war driving, bigger is not always better. And many of you I encourage to buy a lower-gain antenna. Why? The radiation pattern of a theoretically perfect omnidirectional antenna is a sphere; that's called an isotropic antenna. However, that only exists in theory. A real antenna cannot have an isotropic, a perfect radiation pattern. The field propagates in a direction perpendicular to the radiating wire. So for a vertical antenna, the field isn't going to propagate up and down as much as it is sideways. That means that a 5 dB antenna is going to go to a certain range, but it will also go up, let's say, to the 15th or the 20th floor if you're in an urban area. If you suddenly go up to a 7 dB or an 8 dB gain antenna, you will get the additional range this way, but you will suddenly maybe not be able to retrieve a signal above the 10th floor or the 8th floor. So, that's why if you're in an urban area, bigger is not always better.

Directional antenna. The two I'm going to talk about are the Cantena and the Yagi. The antenna we're looking at here on the top is a Yagi. Okay? Using a variety of elements that collect, reflect, or radiate the signal, antennas can be constructed so the transmission and reception isn't always equal in all directions. The definition of what a directional antenna is. The first antenna we're going to consider here is the top one. It's called the Yagi-Uda antenna. It's an antenna in which the gain of a single dipole element is enhanced by putting a reflector behind it, and then directional elements in front of it, so that you can take a signal and push it forward, have a gain from all the reflected power and keep it directed on a narrow path. This antenna was invented in 1926 by H. Yagi and S. Uda.
Uda's name dropped out along the way, but from what I heard from someone, he's the one who got the original patents. But a Yagi-Uda antenna is a long-time favorite. Any of you who are ham radio enthusiasts, any of you who remember what an old TV antenna looks like, anybody ever see a TV antenna? The days before cable? Right. Those were Yagis, okay? And they were very directional, and that's why you frequently put a rotator on them to rotate it in the direction of the signal.

The next antenna we're going to show you is a Cantena. This is the original Heathkit Cantena. This is not an antenna. I only show this to you because some people ask me how did it get the name Cantena. In the 70s and 80s, this is a product which is basically a one gallon tank can that was filled with oil. It was used to test radio transmitters. It would dissipate the power up to a thousand watts. So you put an antenna for the transmitter on it and dissipated the power out of the transmitter if you didn't have an antenna on it. That name came along.

And what happened was in about 2001, Andy Clapp presented a novel design for a very simple antenna based on a Pringles can. Many of you have heard of it. The Pringles antenna showed a great potential for a simple, low cost, less than $10 high gain directional Wi-Fi antenna. At this point, the other high gain Wi-Fi antennas that were anywhere near it were several hundred dollars apiece. I don't exactly know who to credit, but along the way, someone simplified the design and came up with what we have for a current tin can waveguide antenna or Cantena. Since it was much easier to build, the Cantena became very popular. This is an example of a commercial Cantena.

Here's what a Cantena looks like inside. Essentially, a Cantena is constructed out of a can that can range from about three to five inches. You can go lower, you can go higher, but if you want reasonable gains, stay within that range in diameter.
The most popular one uses a total can length of approximately 12 inches, which on a three, three-and-a-half inch Cantena results in a gain of about 12 dB and a beam width of roughly 30 degrees. You can build a Cantena yourself, and that's the whole basis for this talk. There are professionally manufactured Cantenas. We sell them. There are plenty of them available on eBay and online, but you can very simply build your own Cantena, and that's how I started off in the sport, so I want to share that information with you.

The tin can waveguide antenna basically acts as a collector, and the closed end on the back here acts as a reflector. What happens is that the 2400 megahertz signal that's coming in is reflected off the back, and it intersects with the waveforms that are coming in. As these incoming signals and the reflecting signals meet, there are certain points where there are troughs and there are certain points where you have a maximum signal. It happens, the trick is that if you place the collector at about a one-quarter wavelength position from the rear of the can, you're on one of the tops. You get the maximum signal collection. At the very closed end of it, you get a zero signal. Anywhere along in the middle, you're going to get a different signal. The optimal position is about one-quarter wavelength along the way.

I'm going to diverge momentarily off the Cantena because you can't really use a Cantena very well without a pigtail, and I want to explain a little bit about pigtails briefly. Firstly, you don't need a pigtail to use a Cantena. Simply by having a Cantena in proximity to a Wi-Fi card, since it's tuned at the same frequency, there's a certain amount of signal strength that will radiate over, and you will get an increase. It's minimal, and going through the air, you lose a lot of that signal. So although you don't need a cable to connect the two, I strongly recommend it. What's a pigtail? What's a cable?
An extension cable is simply a cable which has two of the same connectors, one at each end. A pigtail is one which has two different connectors. That's the only distinction. The nomenclature isn't that firm, but that's at least how most of us use it.

Why are there so many varieties of connectors? There are three up here. One, not all connectors are designed to operate efficiently at microwave frequencies. 2.4 gigahertz, which is Wi-Fi, is microwave. It's the same frequency approximately that your microwave oven operates on, except that's running at 4, 5, 800 watts, and we're talking here about milliwatts. Manufacturers want you to purchase their accessories for their product, so they use a custom connector, of course, to use their antennas with their Wi-Fi devices. But it also originated with the FCC. Part 15 of the FCC code says that the frequency we're working in at around 2,400 megahertz is in public domain. However, you're limited to an effective radiated power of about 4 watts. The way the FCC managed to limit manufacturers was to say that if you had a D-Link antenna and a D-Link router, D-Link had to go and submit for approval the antenna and the router in combination together. And until last year, 2004, summer of 2004, the FCC came out with a new ruling which said you could mix and match. Technically, before that summer ruling, if you took an antenna and put it on a Linksys router, you were doing something not permitted by FCC Rule 15, because you might have increased the power above the limit that they wanted to.

To comply with the FCC, each manufacturer came up with somewhat of a custom connector and got it approved by the FCC. Some took the popular SMA connector and they reversed the ground and the signal and you came up with an RP, which is a reverse polarity SMA cable. Others came up with a custom connector called the MC, which is what Orinoco uses. It's somewhat of a fragile connector, but again, we didn't design it.
They came up with it, so it was customized for them. Samsung took the SMA connector and reversed the threads on the connector and you have something called an RT-SMA. So, when you get to the point at which you're looking for pigtails, be very careful which pigtail you're looking for. An SMA is not an RP-SMA, it's not an RT-SMA. Look carefully, talk to people you know. Go up online, there's some tables for each one of the types of equipment so that you can find out which type of cable you're going to use.

The other important thing to keep in mind with connectors is people say to me, I'm a CB enthusiast. I have a PL259 connector. It looks about like an N connector. It does. It, however, was never made to operate at microwave frequencies, so you're going to see a lot of loss. Use a connector, preferably an N, that is efficient at microwave frequencies.

Cables. What makes a good cable? People are always calling me up and saying, I want a really, really low-loss cable. A really, really low-loss cable is about three-quarters of an inch in diameter. It takes two people to carry it down the street. But, yes, it works. The thicker the central conductor on a coax cable, the stronger the shield, there's almost a direct correlation, the lower the loss of the signal along the cable. However, the thicker the cable, the less flexible. The cables you're generally going to run into are an LMR400, and that's about three-quarters of an inch, sometimes almost an inch thick. It's very heavy. It's very bulky. But if I'm running a 50-foot span up to the roof and I know I'm only going to lose 6 dB over 100 feet, here's a piece of LMR400. This is not the type of thing you want to plug into your little laptop. This is what we call equivalent to about an LMR200 cable. It's a lot lighter weight. It's a lot more flexible. If you're going to do a run of 20 feet or less, this is a great cable to use.
They call it LMR240, they call it LMR200, they call it low-loss 200, great cable to work with. This is an LMR100 cable, very thin. On the other hand, if I'm trying to connect this into a card that I plugged into my laptop, I certainly couldn't plug in that LMR400 into it. One, there's no place to put the connector. Two, the weight of it would break the connector. So we use pigtails to connect from one side of the connector up to another. Just be careful in a sense, when you're looking for a cable, you have to decide how long it's going to be.

Now that you know a little bit about cables and you know a little bit about connectors, the next step is you want to build a tin can waveguide antenna. That's what you all came to hear. What are the parts and tools you're going to need? You're going to need a tin can. You're going to need an N connector. You could use another microwave connector. I'm going to use my example using an N connector. The example stays the same. You're going to need a drill or device to make a hole in the can. You're going to need a short piece of wire. You only need about one and a quarter inches, but I would say start off with about six inches so you can make a few mistakes. You're going to need a soldering iron and solder. A little flux doesn't hurt. My partner here, King Tuna, makes them, and he says if you've soldered, put a little flux on it and it's going to make life a lot easier. And most importantly, you're going to need a ruler. Don't do it by line of sight. Sorry, by sight.

Choosing a can. You could choose many different types of cans. This helps in the build process. Yes. King Tuna says I build better Cantenas when I've had a shot of Jack, but we've used coffee cans; they work. You can eat beans; baked bean cans work great, particularly anybody here from England. The baked bean cans are a lot wider there and they're much better for a Cantena.
Or you can use or drink scotch at holiday time and it comes in a nice little metal commemorative can which happens to be almost perfect for a great Cantena. Stoli also provides them. You can download plans for many of the Cantenas. We're going to distribute one plan here off of the internet. Some of them will have very exact measurements of how to build it. Relax, you don't have to be that exact. You can be within 10% and still make a good Cantena.

There are some dimensions which are important. You start off by having an N connector. This is an N connector. You're going to take this N connector, it has a female end on one end and it'll have a little stub on the other side. You're going to be soldering a piece of copper wire to that. We have, in my business, we happen to use a little brass tube that we have pre-soldered. You can use a brass tube, you can use copper, you can use a copper piece of wire. It'll all work about the same. You need 1.21 inches for a radiator to be effective. What? Let's go to the next slide, please. Okay, now, they've just told me I only have 10 minutes because we started a little late, so I'm going to try to go briefly.

The first thing to determine is based on the width of the can, the diameter of the can that you have, will determine what the length is for a wavelength. You need to position the collector one-quarter wavelength from the end. That's the optimal point. That is the distance that you have to be careful on. Anywhere, if a little further, a little less, the Cantena will still work, but you'll get lower gain. The other important measurement is what we call L over 4 here, which is the length of the radiator, which is going to collect the signal. It's going to be as close to 1.21 inches as you can.

Using a ruler to make a Cantena, here's an example of one that my partner, King Tuna, made. It took him about 15 minutes this afternoon. This is made from a 13-inch coffee can, 13-pounds coffee can.
It's not necessarily the optimal can to do it, but it shows you can do it with any can. That's CVS you bought it. You take this can. We've got some plans. You can go up and there's some calculators that will give you that are on the internet, which, based on the diameter of the can, will tell you the distance out from here that is one-quarter wavelength. Cut a hole. In this case, we just used a screwdriver and a mallet to cut a hole that's about 5/8 inch around. You take the radiator that you've constructed, which looks like an N connector with a 1.21-inch piece of copper wire or brass rod, insert it, screw it down. You don't need it to be a round connector. If you've got a square connector, you can use that. You can screw it in place.

The other dimensions are not going to be that important. For an optimal Cantena, you want this length to be approximately at least three-quarters of a wavelength. For this particular can, which is four inches across, three-quarters of a wavelength works out to be 5.15 inches. This happens to be 5.25 inches. The 13-ounce coffee can just happens to work well. Put it in. Screw it down. All there is to building your Cantena.

Essentially, the only part that you're going to have a problem finding is the N connector. You can get it from radio supply houses. We may even have a few left at our booth. There are places to buy them on the internet. That, a 1.21 inch radiator and a good tin can. Take that. This particular one is four inches, a hundred millimeters. Four inches across. I could go over the math, but basically, the distance that you're going to measure from here to there is going to change based on the diameter of the can. If you want, you put a pigtail on. Pact it up to your card. A simple Cantena like this, which took about 20 minutes to build, will give you about somewhere between 8 to 10 dB gain. We haven't fully measured this.
If you're a lot more careful about the calculations, if you're a lot more careful about the length of the can, you can probably get 12 to 14 dB gain. If we make this shorter, we will get less gain, but then again, we'll get a wider signal coming out of it. Some people have made them about four inches or so, and they get about a 50-degree signal breadth. If you make it about 12 inches long, you're going to drop down to about a 25 or a 30-degree signal breadth. That's what you use your Cantena for.

We find it very useful to go to Home Depot, pick up a little tripod, thread a 1/4-by-20 inch, 1/4-by-20, threaded bolt, put it on there, screw it in, and now you don't have to take your coffee cup and try to measure it and get it off and left to focus it. You can put it on any camera tripod. It's really very simple to build a Cantena. Again, the two calculations necessary: the length of it is 1.21, and go and find either use of plans that we've got for working with a simple coffee can, or go on the web. You can go to a calculator and measure this out for this one-quarter wavelength.

Any questions? The optimal radiator is a trapezoid. Actually, a cone. But it's pretty hard to make a cone like that. So, by making a rod, we end up trying to get in the middle channel. See me afterwards. What you want is a trapezoid, I think it's 6 millimeters at the bottom and 1 millimeter at the top. Again, 1.21 across. That's optimal. Yes. No. We tried it with copper. We tried it with bronze. We even tried it with aluminum. They all work well. We didn't see a significant difference. Yes. Thank you very much.
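
Added example, not part of the talk: a small calculator that applies the standard circular-waveguide formulas to a can diameter and reproduces the two figures quoted above (the 1.21 inch radiator, and roughly 5.15 inches for three-quarters of a wavelength in a four-inch can). The 2.437 GHz design frequency, the second-mode check and every name in the code are assumptions of this example.

```python
"""Tin can waveguide antenna dimensions (added example, not from the talk)."""
import math
from dataclasses import dataclass

C_MM_PER_S = 299_792_458_000.0  # speed of light, mm/s
MM_PER_INCH = 25.4
TE11_ROOT = 1.8412  # first zero of J1'(x): dominant mode in a circular guide
TM01_ROOT = 2.4048  # first zero of J0(x): the next mode to start propagating
DEFAULT_FREQ_HZ = 2.437e9  # assumption: Wi-Fi channel 6, middle of the band


@dataclass(frozen=True)
class CanAntennaPlan:
    probe_length_in: float    # radiator length, 1/4 free-space wavelength
    probe_offset_in: float    # back wall to connector, 1/4 guide wavelength
    min_can_length_in: float  # suggested length, 3/4 guide wavelength
    single_mode: bool         # True if only TE11 propagates at this diameter


def cutoff_wavelength_mm(diameter_mm: float, bessel_root: float) -> float:
    """Longest free-space wavelength a mode can carry in a round guide."""
    return math.pi * diameter_mm / bessel_root


def min_diameter_in(freq_hz: float = DEFAULT_FREQ_HZ) -> float:
    """Smallest can diameter (inches) that passes the signal at all."""
    lam0_mm = C_MM_PER_S / freq_hz
    return lam0_mm * TE11_ROOT / math.pi / MM_PER_INCH


def plan_can_antenna(diameter_in: float,
                     freq_hz: float = DEFAULT_FREQ_HZ) -> CanAntennaPlan:
    if diameter_in <= 0 or freq_hz <= 0:
        raise ValueError("diameter and frequency must be positive")
    d_mm = diameter_in * MM_PER_INCH
    lam0_mm = C_MM_PER_S / freq_hz
    lam_c_mm = cutoff_wavelength_mm(d_mm, TE11_ROOT)
    if lam0_mm >= lam_c_mm:
        # Below cutoff the can attenuates the signal instead of guiding it.
        raise ValueError(
            f"{diameter_in} in can is below cutoff; need more than "
            f"{min_diameter_in(freq_hz):.2f} in at {freq_hz / 1e9:.3f} GHz")
    # The wavelength inside the can is longer than in free space.
    lam_g_mm = lam0_mm / math.sqrt(1.0 - (lam0_mm / lam_c_mm) ** 2)
    single = lam0_mm > cutoff_wavelength_mm(d_mm, TM01_ROOT)
    return CanAntennaPlan(
        probe_length_in=lam0_mm / 4 / MM_PER_INCH,
        probe_offset_in=lam_g_mm / 4 / MM_PER_INCH,
        min_can_length_in=3 * lam_g_mm / 4 / MM_PER_INCH,
        single_mode=single,
    )


if __name__ == "__main__":
    for d in (2.5, 3.0, 3.25, 4.0, 5.0):  # constructed sample diameters
        try:
            p = plan_can_antenna(d)
        except ValueError as err:
            print(f"{d:>4} in: {err}")
            continue
        print(f"{d:>4} in: radiator {p.probe_length_in:.2f} in, "
              f"offset {p.probe_offset_in:.2f} in, "
              f"length >= {p.min_can_length_in:.2f} in, "
              f"single-mode={p.single_mode}")
```

For the four-inch can it reports `single_mode=False`, meaning the can is wide enough to carry a second waveguide mode at this frequency, while a can narrower than about 2.84 inches is rejected as below cutoff.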