the desktop. That'll make it a lot easier for us here today. Those of you who've been here in the past maybe have seen Pete talk. Evil Pete has done a project that's kind of notorious, mapping the exchanges with his war dialer in the Bay Area. And now that the world is going wireless, he's kind of expanded that idea a bit, and that's part of today's talk. So, no further ado, Pete Shipley. Okay, the tech on this is actually pretty simple, but everybody wants to hear about it, so here I am. Just a quick note: on the right-hand side we have a little application called NetStumbler, which we'll talk about later. You can see there are some humorous people out here with fun APs. And pretty much NetStumbler will be available. I think it should be; well, it's still in beta, but when it comes to driving around, this is currently the program, until we finish writing some Unix code that actually works directly with the cards. So, people asked what it's called. Somebody coined "war driving." I like calling it "LAN jacking." Somebody else is calling it, you know, "LAN lacking." So generally what the project is, is basically to raise awareness of this stuff. People set up networks and they don't know what they're doing. I don't know how many people remember when the web first got, like, noticed by the public, and all of a sudden every company wanted to put up a website, and every company got hacked into because they had no fucking idea what they were doing. And the same thing happens over and over again. People discovered Linux. Ooh, I could have a home computer. Next thing you know, everybody's home machine is being hacked. Yes. Well, the same thing happened in wireless. The purpose of the project is basically raising awareness of the security ramifications. We've all dealt with managers. Managers are stupid people. Sorry if you're a manager, but most managers are stupid. And one thing about security: security is economics. That security is not there, though.
Security comes down to economics. Software is made secure when it is something that has to do with money. If they're going to save money by not making it secure, they'll do it. So most security managers will basically decide, well, why should we care about wireless security when it's obviously not a problem? Or maybe there's a security problem here, but it's not our problem. So, network security, wireless LANs. Why is it so popular? Well, we have half the con wired up and it didn't cost us much. Unlike, I don't know if you've been to previous cons, but that networking cable is just impossible to use. Secondly, companies can roll it out. They can basically deploy things. Large buildings can set things up. If you've ever worked in a company that expands like crazy, it takes what, the local phone company six months to set up your T1, or it takes a six-pack of beer and an evening to set up a wireless link. It's also very similar to the web craze that I pointed out. I personally feel that wireless networking has set security back 10 years. This is fun for some of us and makes others rich, but in the long run it's going to cost a lot of people a lot of money. Now, just to cut off some of the questions. People ask, how do I do this? It's really not that hard. It's really trivial. Lucent cards have a nice little feature where you set your SSID to "any" and it will associate with the nearest AP. Simple. I mean, this is really low-tech stuff. I wrote a simple script in Perl that resets my card, records your SSID, polls my GPS, gets my longitude and latitude, and in post-processing spits it out onto maps. Somebody else saw what I had done, liked it, and wrote a Windows program.
I mean, he actually wrote this, which is actually a little bit better, but literally you drive around and you see stuff like, you know... literally, there are a lot of networks here because we're at DEF CON, but you stand at Fremont and Market Street in San Francisco, and literally the screen will be full of open access points. And this is the hardware I use. If anybody wants the actual wiring, it's really trivial. The script's available free, www.dis.org/wl. Download what? www.dis.org/wl. And all the scripts are there. There's even a statistical program for looking up the stuff. Now, detection methods: it's actually really easy. The first time was a quick hack. I basically, like I said, just took the Lucent card. Not all 802.11 cards do this; some vendors don't do this. If you have a Lucent card that doesn't work, backflash it to the firmware release from back in November or January. Lucent kind of removed some of these features from the latest revisions because people were doing this stuff. Okay, just set your SSID to "any." If you're under FreeBSD, set your SSID to a null string and your card becomes a little slut. It'll just hook up to any AP in the area and just, yeah. The other one just resets, polls, as I said, detects. If you think about it, war driving is really inefficient, but there's so much out there, it works really well. I mean, literally, I could drive at about 80 miles an hour down the freeway and lock on to people's access points and home access points. No problem. My first version of the program actually had a bell that rang every time I found an AP. I took that out of the code real fast. You drive around with this and your friend's like, is something wrong? Is your car okay? Yeah, door's open, yeah. Key's in the ignition. Like I said, the data's logged. People who are writing code like this, I encourage you to. I'm actually working on some stuff, which I'll talk about later. Like this guy's app. This stuff is pretty good because it keeps the log.
One nice thing about this is it actually outputs the file in the same format as my script, so I can do post-processing. See, as you drive down a road or street, you get points along the street, basically with different signal strengths. Well, if you quantize your location into a grid and then do averaging, I can actually find which building your AP is in. So if you drive up First Street and drive up Second Avenue, you can calculate where it is. Or if you're driving around a business park and you just circle the complex, I can tell you what building, and sometimes even what area of the building it's in. Yeah, well, officially, I only look at IP headers. I will not look at anybody's personal data. That's my story and I'm sticking to it. Now, long distance. Matt, who's out here somewhere. Matt, yeah, who's out here somewhere. He and I got together one day and decided to go up to the Berkeley Hills. And actually, you beat this record, didn't you, recently? The distance record? You beat our first distance record, didn't you? Yeah, you got a 20-mile link. The fun part about this is, I'll show you a picture: we took a nice 24 dB antenna up on the hills, pointed it far away, literally at the horizon in San Francisco, and I got into an office AP. Now, there are APs out there with big antennas and amplifiers, but the one I actually was able to bump into was at this corporation, with an AP sitting on somebody's desk. Yeah. I did this from over 13 miles away. So for the managers out here, whom I'd love to pick on, who think, well, it's not a problem, we have a security team, we will spot any of these long-haired hackers in the parking lot: sorry. Okay, simple geometry here. You're on the ground at sea level. The horizon's three miles away. We're up on a hill in Berkeley. Our horizon's 35 miles. They were 13. So theoretically, I was hacking them from over the horizon. Go ahead. Keep looking at your parking lots for me. I'm the black car doing 80 miles an hour by. I mean, it's...
So the important part about this is that my friend had driven around the area. Like I said, we do the triangulations. We knew exactly where it was. We pointed the dish at San Francisco, marked down all the MAC addresses that we discovered, cross-referenced the database, so I knew the remote location, typed it into the GPS: over 13 miles, no problem. And he did some similar things another day, breaking 20. Sorry. This is the view Matt and I had up on the hills. For those of you familiar with Berkeley, this is the Campanile, this is the old Berkeley campus. That's Emeryville. You know, Emeryville is one big piece of landfill. Got the Bay Bridge, and of course San Francisco. Nice little view there, and this is really scary. Can you see the buildings in San Francisco? Yes. Well, we could barely see them. We had access to every one of their LANs. It was actually... We were going to set it up to show you. We actually have a tripod mount for the whole dish. Really hot. Wyatt did a really good job on that. But with this, I was actually holding up the dish, pointing it across, and Matt's reading off the data. Literally, every time the thing moved even half a degree, we got another LAN. Pigs in a barrel. That's myself holding up the dish. The dish was really cheap, only 80 bucks. Antenna systems you can buy for as low as 30, I believe. He paid the price. No, not always. Now that the ISPs are going out of business, cheap hardware. Here's Wyatt modeling the Yagi system, which didn't work as well as planned. That's a 15 dB Yagi. It's okay for direction finding, but not for long-distance snooping. So if you're going to do long-distance stuff, you really need to go with the high-dB dish. The 15 dB Yagi just doesn't cut it. One other thing: always have your portable power supply. Radio Shack sells a nice little toy that gives you 7 amp-hours of 12 volts. Enough to power your laptop for three or four hours. Kicks ass.
Now, the next thing we're doing. People ask, well, how do you secure things? Well, the way you secure things typically is to turn off beacons. You want to use WEP. WEP's been cracked, but you want to use WEP because it stops a casual person like me from pulling over and checking my email. That's going to stop 80 or 90% of the people trying to hack into your system. The only way to really secure a site these days is to basically set up a DMZ, and only allow IPsec through. The routers of the DMZ, or the firewall of the DMZ, only allow IPsec connections and authentication, and that has to be how you treat a wireless network. Other than that, you're screwed. Unless you're willing to open up free networks; in fact, I'm going to drag Matt up here in a second, a little bit later, so we can talk about the idea of free networks. Yeah, he's like, look at me. Yeah, right, Pete, thanks. But the next generation we're talking about is the Prism. Well, there are various chips available. The Prism 2 chips are really fun. There are drivers for Aironet, there are patches for FreeBSD. I'm talking to a friend to commit them to the tree right now. Prism cards. We'll get to that in a second. But basically, with most cards, the hardware doesn't let you read the packets, especially the WEP packets. It turns out with the Prism cards, you can. You just suck the data up and crack your WEP. But the way you secure your network is you turn off the beacons. All this stuff over here is doing is reporting all the AP beacons that it sees. You turn off your beacons, your automatic network configuration doesn't work, you have to know the net ID, you have to know the channel to get your network to work, but at least people don't drive by, stop in your parking lot and pick up your beacons. It hasn't been held up in court yet, but there's an argument. If you're transmitting a beacon saying, hi, here's an access point, talk to me, and I receive it, am I legal? Actually, it's debated.
Receiving your IP packets is a different story, but just intercepting your beacons and logging them is still an open question. Yeah, tell them, yeah. So, effectively, what we're doing next, actually in about two or three months, I was actually hoping to do it by DEF CON, but a friend gave me tickets to London, and I got really drunk, so I didn't write the code. But effectively, we're putting out some code that's going to basically do all the Prism stuff. There's already some Prism dump stuff out. In fact, do a search for "prismdump," and you can do some of these things. Use some of that as a base, make a nice little utility that works under Unix that does all the right things, and your network will not be able to hide. Okay? Now, anybody can do this with a Lucent card. Again, we'll show you in the next number some more. Next. What the hell? Let's repeat. Oh yeah, this is a fun one. Now, for those of you who didn't bother installing software, if you just have the standard Lucent stuff installed, you don't need special software. Any Windows machine with a Lucent card will work. Set your SSID to "any." Go into your Client Manager, click on Advanced Site Monitor. And this is a picture that I got from Matt. He was standing at Fremont and Market, which is one of the centers of the business section, and that's the amount of available networks. I believe what Matt was telling me was that when he ran EtherPeek, I believe, the first time on that sidewalk, EtherPeek crashed from all the packets. That much data. And you're seeing people with no idea what they're doing, because everybody's set up on the same frequency. So basically, people are setting it up and they have no idea if there's somebody else next to them. None of them are getting decent bandwidth. But literally, the standard software, you know, this is already installed on your Windows machine. It'll tell you what networks are around. You just click on that and have fun. You don't need a GPS. You just walk down the street. And by the way, the casinos have wireless LANs.
Yeah. Now, statistics. This is the fun part. This is why I'm doing this. I'm doing some statistical generation of things. And I'm trying to find out, you know, what is the problem? What else is going on in the world? And what's going on? Well, so far I've spent many a day and afternoon. Usually I get a friend who's good to talk to. We take turns driving. I'm kind of fond of my friend's Outback, because there's so much room in that thing, lots of power plugs. And you've got two sunroofs for extra antennas. I currently have about 1,500 APs located in the Bay Area. This is not enough for a good statistical, you know, for those of you who stayed awake during statistics in school, this is not enough of a sample. But I'm working on it. But so far, here's the scary part. You know, over 85% don't use encryption. Those running WEP usually use a default key. Default keys are 10, 11, 12, 13, or 1111. Zam, if you run into him around here, he has a nice little file actually. He's built quite a nice set of statistics of all the different APs: what the default SSID is for that type of card or AP, what the encryption type is. The data Pete just talked about is archived on the wi.2600.org web server under /mediawhore/nfo/wireless, which contains all sorts of things from Dane County and around Milwaukee, including a few hospitals that probably shouldn't have patients staying there anymore. Didn't you mention a better network connection at the hospital than you have at home? How many hops were they from AboveNet? How many hops were they from AboveNet? A place that does medical imaging in Madison is like two hops from AboveNet. They appear to have some insane pipe to their office. They just do video creation. I'm sorry. There's a place in Madison we found. I don't remember the URL. I want to say it was Illustrated Ideas or something like that. They do some insane medical imaging, and they have an insane pipe. Tracerouting from the network, it was two or three hops from AboveNet.
From my laptop, I could hit things in six to seven milliseconds from a parking lot, faster than I could from the DS3 at the university. It was okay. I would not complain. He's pretty much doing the same thing I'm doing, but in his area. One last thing. The file Pete talked about is called defaultsid.txt. I've been keeping a versioning history of this. As I get an AP to play with, I just commit the data: interesting things, what authentication it uses, how you manage it, all sorts of stupid details, default MACs, that kind of thing. It's basically just kept in the file, updated every month or so as I learn new shit. Just give it a shot. It's in /mediawhore/nfo/wireless. Funny stuff in there. Until recently, anybody have a Linksys AP? Have you upgraded your firmware yet? Linksys APs don't have a password. So we'll get back to statistics. Basically, some people are barely running WEP. Most of them use default keys. You run into a network running WEP: key one is 10, 11, 12. Key two is 20, 21, 22. Trust me, it'll work a lot of the time. Don't bother trying to crack the WEP. You can guess it most of the time. Most of them are wide open. You won't believe how many BGP packets and RIP packets I see driving down the street. Basically, if you're seeing BGP over that, that means you're next to one of the core routers talking to another core router, and their AP is in a place where their pants are down. We all know about routing protocols. If I were to send, trust me, a few routing updates to their network, they'll never fucking figure out what happened. Seriously, you just forge an address and a routing update gets inputted; it might even propagate over the internet. They'll never figure it out. And don't even think that the AP logging my MAC address can tell you anything. When I drive around, my MAC address is officially dead, dead, dead, dead, dead.
It's kind of a running joke at the Bay Area Wireless Users Group, because people report, yeah, we saw you drive by, you popped up on our list. It's a running joke. Statistics: here's the top 10 SSIDs. I notice they're all defaults: WaveLAN Network, AirWave, that's Cisco. By the way, if you see any of these as an SSID, that means they didn't bother changing it, which means they probably didn't change many other things, like the password or the WEP key or any other default configuration. The Apple AirPort with the hex afterwards, those are basically people with Macintoshes with the card in it running in AP mode. Based on the SSIDs and other things, SSIDs and basically not using WEP and stuff, 60% of APs are running in the default configuration. Finally, okay, this is what I've stumbled upon recently, and I think it's really interesting. We all know about Dan Farmer's, he even has his pants down, you know, paper he put out. He showed that 60% of machines on the internet are vulnerable, and of those 60%, 40% are just outright wide open. That's a well-known paper; it's been published way too often. I did the war dialing thing, exact same statistics. So now, doing this other stuff, I find the exact same statistics. Which means we're looking at a constant here. Go on. Results agree: 60% show signs of weakness, 33% have problems and holes. This shows we have a constant insecurity. In other words, companies say, oh, we get on the internet, we're going to be insecure. I show that's bullshit. I show there are more ways of breaking into the computer through dial-up than there are over the internet, after time. So Dan Farmer has shown that most machines are wide open on the internet. I've shown they're open on dial-up and wireless. I'm talking to some other people who are going to start taking better statistics and showing that they're wide open via physical audits.
And if we could show a common 60%, it's no longer the case that the internet gives you security problems, or dial-ups give you security problems. It's just that 60% of companies are insecure. We know this, but they're not going to listen until we prove it. So if a wireless survey shows the same numbers, as I said, it basically infers a definitive constant. Those of you who are heavily into security feel this is actually a really juicy thing, because when you're right, you basically respond to RFPs and stuff like that. You can convince them to pay you lots of money because they have problems. Now, I hear some of you, I guess. We generated some maps. These maps were a little bit skewed, as we were working on it. That's San Francisco. That was a 25-minute drive. I was with, actually, I think that's the drive where Kevin Poulsen and I basically jumped in the car for about an hour and just spun around, and literally, well, we spent about 25 minutes driving around. It was about an hour total on the road, but most of the data was collected literally within half an hour. I mean, talk about, you know, come on, you know, fish in a barrel here. It's really not funny. Next, here's another drive to get different areas. I got some really good ones in here. I can't really see all the SSIDs, but literally, I was driving around London and got the exact same statistics, except there I had SSIDs like "Brittany Spears." I don't understand that one. Here's yet another map of even more data. Yeah, that's it. Actually, some of these were there. Actually, a lot of these were actually transmitting from here, but it was such a clean signal path that they were appearing here. I drove around for, I guess, most of an afternoon, actually, but I concentrated on areas that I hadn't hit before, which were, I guess, upper-middle class and didn't have too much wireless access. We were driving through the parks and stuff, but we still got quite a few just by driving around.
And one thing about driving around and collecting these things, you'll find networks where you don't expect them. In this area, okay, the Haight right here is loaded. In fact, this does not do it justice. It puts the first 64 networks on the map. But it doesn't make a difference, because they all go on top of each other anyway. The Haight's really crowded. You walk down the Haight, not the actual Haight, but Page or Cole on the side. It's like two or three networks per block. That's where all the little Gen-Xers got their little apartments with their little goth girlfriends, and they all got wireless networks. Now, around here is what's called South of Market. That's where the old dot-com things were, where you couldn't find a place, but now all of a sudden all the dot-coms failed. But you still drive around that area you'd think is where the start-up places are. Even when the start-up places were there, there weren't that many wireless networks. It's kind of weird. Matt's is there, but he likes it there. Matt actually has an open AP for people to actually openly use stuff, but he'll talk about that later. So driving around here, here's a cool little trip, I think. I think this is actually the first time I drove around. This is Silicon Valley. I might recognize some companies. I love Ed's tech office. I'm not sure if the numbers showed up here or not. Dernsville, Nokia, WaveLAN. There's actually some serious funding, some venture capital companies I found. It's kind of scary. Mind you, these are mostly along the freeway, so the majority of these are just me driving on the freeways at high speed. Now, this opens up another big question. What's free? Matt, myself, a lot of other people, Cliff, believe that we should make an effort to set up free open LANs. But how do you tell what's free? Here's a scenario for you. Right. Okay. Starbucks is now offering pay-per-use wireless access.
Okay, you walk into Starbucks, you know, you start, set your SSID to "any," you're in Starbucks, you're typing away, checking your email, you're paying way too much for access, and it's not enough. You walk up, you turn your back, you put yourself between the AP or something else, and the company across the street gets associated with your card. Now, you're doing your traffic through the corporate LAN across the street. What if they have a clue and figure out what you're doing? You get arrested. Did you try to break into the network? No. You walked up, you paid the typically kid behind the counter, you know, the bucks to use their wireless LAN, you get it, but no, the other company transmitted a beacon that was a stronger signal, your card associated with it, and now you're using their LAN, and you don't even know it, because they gave you a DHCP address, you clicked on your little Netscape icon and it popped open to Hotmail and you're checking your mail. And you get arrested. There's no problem here, is there? And that's one of the things you have to deal with, and there's actually still a lot to talk about. Aaron Peterson wrote all of the scripting software, no relation to Matt. Too bad Aaron can't make it out here this year. Cal, who's probably wandering around here somewhere drunk, helped me a lot with Linux drivers and getting the stuff to even compile in there. Everybody knows how much I hate Linux, so I made him work on it for me. Wyatt is an awesome guy. He turns large pieces of metal into small pieces of metal. We were going to set it up, but we got a little bit lazy. A counterweight drops into this. We actually had that big parabolic dish set up on a tripod. The whole thing weighs just a little over 10 pounds. Boom, boom, boom, you set up, you can hack into somebody 15 miles away. Oh yeah, and two things to point out. Check out the Bay Area Wireless Users Group. It seems to be the center of a lot of wireless information. We're working on doing things.
Matt will describe some of the features that are going to be coming up with it. And of course, at dis.org, under wl, I'll have a better page of information, but right now I've just put my scripts up for free. I encourage people to go around and map out networks. If you actually do a decent job mapping out the networks, I would love that for my database, so I have better statistics. I don't want to just, like, oh yeah, in my town I found one or two from walking around. No, I actually need a decent demographic analysis with the GPS locations. I'll feed it into the data, and we'll have much better statistics. So while your internet wants to be free, yes? Redmond? I don't know. When I drive that direction again. What's that? Sure. Matt, do you want to talk about BAWUG? Actually, you're talking about hitting other things like Redmond and stuff like that. I'm a virus. I'm not actually just Pete's space bar boy here. After Pete started working on this, I had quite recently bought a 1974 VW bus, which is actually a perfect vehicle for doing things like this because it's got a lot of space. The windows are very easy to tint, you know, limousine black, and there's a lot of room for a lot of people with laptops. It's also one of the few vehicles that's actually designed to hold another large battery. So we're installing a deep-cycle marine battery in the back. We hooked up 110-volt inverters and put in 110 plugs throughout the whole back seat and near the table in the front seat, with all the other portable converters mounting directional... I think that's a bad show about Wyatt's vehicle. The only real drawback here is this ugly orange with a white top. How inconspicuous is that? I think that's about it. You should check out Wyatt's Bronco too. The only problem is, he basically Titanic'd it at the last Burning Man, and it's still full of mud. The car is actually half underground.
We also just installed a big huge table there that we can use as a workstation. We're installing antennas on the top, making a lot of them look like cell phone antennas and so forth. But basically, in a nutshell, I can have four people scanning and doing whatever they would want. I'm assuming they're going to be playing Doom while I'm driving? That's just my guess. But it's designed so I can cruise around. Now, if anyone's familiar with the VW Bus, they really don't go much faster than about 65 miles per hour with a good tailwind. So it's really a great vehicle for this. Except for the unleaded smell you get from the engine in the back. Environmental terrorists. VWs, by the way, put out more pollution than almost every other car on the road. So I'm doing my part for the economy, you know? You know? So we started designing this and putting it together. And then what we're going to do is set it up with a laptop in the back so no matter where I'm going, if I'm going to the grocery store, the laptop starts to scan. You know, and before Wednesday, when I got laid off, I was actually doing a 150-mile commute all over the place, back and forth from home to work. So the idea here is I'm going to work, I'm cruising around, I'm sitting there. Because of the battery I'm putting in there, the laptop can actually stay on while I'm at work, just kind of waiting for things to happen, and off we go. And then I'm going to be turning that data over to Pete, especially since I'm in the Sacramento area. So if you're in Sacramento and you have a wireless network, God bless you. So before I move on a little bit, any questions, general? No engine noise problems. We're talking 2.4 gigahertz as opposed to a couple kilohertz. Oh, he was asking if there was any problem with engine noise? Negative, no. And also shielding is really easy to do with aluminum foil. Actually anything you use is going to be shielded by a lot of people. What are those?
www.dis.org, slash wi or wl. It's in there. We'll double check it in a second. Yeah? Repeat the question. Stealthy antenna. You mean like this? Oh, yeah. This is more than enough dB. No problem. You really don't want a high-dB antenna, because the best way to explain dB, if you don't know it, is that a light bulb is 1 dB. You put a reflector underneath it, it's 2 dB. So the higher the dB of your antenna, the less area it's sensitive to. So when you have an omnidirectional high-dB antenna, it can only see a small plate-like view around it. So literally, as you walk by, say, Critical Path. As you go, Critical Path has an AP available to the public. As I approach Critical Path, I get a good signal. As I get within a block or two, I lose most of the signal, because they're above me and my antenna doesn't have much vertical reception. So if you're driving around, you want your antenna to be 5 or 8 dB. And by the way, this is a nice little 5 dB antenna. Is that stealthy enough? That has been in your pocket right there. Sure. Can you speak up? We can't hear you. Well, physical address filtering is worthless, because I'm going to see your MAC address and I can just assume your MAC address. Any sniffer program? tcpdump? What? wicontrol. wicontrol. Yeah, Windows will do it. Literally. MAC address based security is not. Yeah, so in Windows or Unix, you literally just, with ifconfig, change your MAC address. Yes, really. When I war drive, my MAC address is dead, dead, dead. Make it easy for people. No, MAC addresses are easily faked and modified. So, yeah, even in Windows, you can actually go into the control panel and test that out. It's pretty easy to do. Basically, anybody with any networking skills or knowledge actually knows that. I'll just be nice. Okay, so... All right, we already have it set up right here. Okay, everybody know what the control panel is under Windows? We're not up there. We got it.
We have a special session tomorrow on changing your IP address with Windows GUIs. Okay, this is actually under Unix right here, but, yeah, we can show you how to do it under Windows too. But literally, you just type in the command and you change it. They want to see the Windows control panel. All right, they want to play with Windows. Okay. What are you doing running Windows, playing Doom? I run it for PowerPoint. I run it for PowerPoint. I don't run Windows. These guys do. Basically, you can go into the control panel, and I'm working on it right now, but any operating system that supports the wireless cards, whether it's Linux, Windows, Macintosh, they all let you spoof the MAC address. The reason they let you do that is because, if you set WEP keys and also, on your access point, as a security mechanism, your access point administrator can say, okay, I don't want to deal with WEP. So instead, I'm going to list, you know, these three good guys. All right, so all the drivers have always let you change that, for that reason. So there's nothing spoofed. There are no hacks. There are no diffs. You go into your control panel. We're doing it right now. For those who, you know, think it's shit, as we heard earlier. I don't know his last name. He's in the Bay Area. He hasn't actually come to any meeting. He just emails me updates, and it's like, cool. So literally, you go in here, you click on this, you click on Properties, you can change it. I actually can do it with this card. I know. I don't have the Lucent drivers installed. We need the Lucent drivers installed to actually do it. Hold on, he's going to put it on here, but he's got the Lucent drivers installed. I don't have a Lucent card installed. He doesn't have a Lucent card installed, so it's harder to do on this. Keep your shirt on. I can't believe you guys don't believe you can change addresses. We just did it five times. We just did it on the Unix system a couple of times here. This is amusing.
Yeah, he didn't put the drivers on. Not on that system. All right, watch. Blue screen of death. You're going to promise, though, once it's been done, you cannot speak about it, okay? Oh, yeah. Hey, Mojo, did you bring Baby's First Ball Gag? If you buy an Apple iMac, you have worse problems than changing your MAC address. Remember, friends don't let friends buy Mac. Unless they're AirPorts, or you need a boat anchor. Okay, I've been talking about companies that have open access that don't realize they're doing it. There's a lot of people who have access that they want to grant. At my house, there's an AP. I have an AP outside my firewall. I don't have WEP turned on, and I have a default SSID. Why? Because I want my neighbors to have free internet access. That's nothing. I only put out a few milliwatts. Matt had actually gone for it. He actually is on top of his house in Hayward, with Cliff in... You tell him. I'm a wireless person, not a security person. I'm coming from a little bit of a different perspective. This isn't my day job, so I just try to have fun with this stuff. Essentially, you can do a lot of fun things with it. You can build these public MANs. I'm trying to get the presentation going up here, but I've got a very slow computer here. This is obviously not Windows. I'm not going to do the full presentation because this is not a wireless-specific event. This is obviously a security event, so it's not appropriate. Essentially, we've got a presentation that talks about the basics of 802.11 and what our mission is. I just want to show one slide here if I can find it. Let me take a second here. This is the typical presentation we do for people that are like, what's wireless, and what we've done at Burning Man before. This is how I got kind of addicted to this stuff. So let me take a sec here. What's interesting to note is there's different wireless cards that have different firmware in them.
What's nice about it is that one of the first cards that came out was the Bay card. I don't really know about this, but this is the Prism 1 chipset. If you look at the drivers in FreeBSD, you'll note that all the drivers deal with 802.11 in a raw mode. It's a really nice device to do sniffing. There's a group in Berkeley that did a WEP advisory. This is the card that they used. This is a Bay Networks card. I think it's 60 bucks at some surplus places down in the Valley. You can get them on eBay. What's nice is this has got the Prism 1 chipset. Then what happened is the people at Intersil got their asses slapped and they made Prism 2. And if you're looking at Prism 2, you've got a couple different designs, which is your D-Links and your Linksys and that sort of thing. These are very generic cards. What's nice about them is you can actually hack external connectors onto them. Some of them are 30 milliwatts. Some are 50 milliwatts. These are really nice. They have a different firmware, which is a reference firmware. The Orinoco cards have their own firmware. They basically bought Prism 2 and did their own thing with it. What's nice about their cards is they have different ways of hacking connectors. But these cards are really cheap. They're like 80 bucks at Fry's now. So if you're ready to get this back. No big deal. If you're driving around, you need an external connector. And for GPS, the Mighty Mouse 2 GPS antenna gives you a link, even in tall cities. Now even more exciting is Aironet, which Cisco bought out about a year ago. Aironet was an Ohio-based company. This card is 100 milliwatts. And what's nice about it is they've taken the firmware to the next step. The firmware is really cracked out, but it's really powerful in the sense that they can do bridging in repeater mode. And it's a really sweet card, because the 100 milliwatts makes a difference. You saw the screen capture of the, I guess, the Orinoco control panel in downtown San Francisco.
With this card, I found about a dozen networks. With this card, I found about 40. It does make a difference. And in the case of my house, I've got an omnidirectional antenna on the chimney. I'm obviously roaming around inside of the house. It's a big improvement. I get the five bars instead of three. Not that I run Windows. This is the Cisco 350 PCM model. They have one that does not have a built-in antenna. It's the LMC model. And it's got MMCX connectors. So you can build your own access point or, obviously, the ultimate war driving machine. It's really sweet because it is 100 milliwatts and you don't really need to buy an amp if you're kind of poor and whatnot. Because amps are very expensive. They're about $400 to get a one-watt amp. People ask, why are we doing the Wi-Fi thing for free? And there's a lot of groups doing this. I started this after Burning Man, where I built a network out there for an art project and just anyone else to use. It did not have external internet access. A gentleman by the name of John Gilmore, if you've ever heard of Sun Microsystems or EFF, that sort of thing. He brings internet out there. He builds his network. We build our network. Ours is a little bit more reliable because we don't have to deal with that internet foo. People have got art projects, and there's a neat project called SPIN, and essentially SPIN is an LED thing that's spinning around and it's an optical illusion. This guy made this big fancy Visual Basic software where you can make your own animation, you can make stars, and you can make a Pac-Man thing. It was great and all, but no one downloaded the software and sent him animations. So on PlayaNet this year at Burning Man, you'll be able to go to a kiosk booth on an X terminal and type in your message, so that's really the goal of PlayaNet. But we did that. I came back to the Bay Area, and Wired and all these companies were attacking me and saying, hey, we need an interview. What are you guys doing?
And obviously my inbox got really full of, well, did you guys do anything illegal? It's Burning Man. Everything out there is illegal. That sort of thing. Yeah, exactly. We did have one-watt amps. I won't say what the gain of the antenna was. The FCC specifies how much radiated energy; they don't specify how many watts your amplifier is or how good things are. So basically they care about how much radiated energy. So if you're at the full maximum wattage of your amplifier and a really, really good antenna, you're illegal. Exactly. There's other groups doing this. BAWUG is very generic. We're focused obviously primarily on 802.11b because it's cheap, it's really fun to deploy. Bluetooth, we don't even talk about it. It's dead. HomeRF is coming down the pipe, but this stuff is so cheap. In the next six months, it's going to be a whole other ballgame. You're going to have laptops that already have this built in. You've got PDAs that have this already. What's great about BAWUG is since we're not saying that we're building a specific network, we attract a pretty diverse crowd. So we've got ham operators. We've got VCs. And we usually have about five or six stealth start-ups that are specific to 802.11b and a. And they talk to me. And I don't sign NDAs. What's nice about it is that they've got a lot of neat products coming out. So in the next six months, this is all going to be crap because there's going to be NetBSD-based solutions. There's going to be Linux solutions. APs are going to be a lot cheaper. It's just getting better and better and better. And obviously, war driving is pretty exciting in the sense that more and more networks are just being deployed everywhere. After that first article about the war driving stuff, you won't believe how much email I got, how many people were responding to it. And whose good idea was it to leave the vodka up here? There's some interesting projects going on.
This is an antenna hack where they've got a Primestar dish and a tin can. This, however, is not the best hack I've seen. The guys in Sebastopol, O'Reilly, everyone's heard of those books. There's a project called NoCat.net. That's N-O-C-A-T.net, as in NoCat 5 involved. They essentially have a Pringles can with an N connector. So it's a lot cheaper than this. The connector is the most expensive part. Building networks is pretty interesting at how that works. I'm going to try to bring up an image here that you can see. Here's the frequencies, obviously, the ones that don't overlap. Let's see if we can get this link here. This is going across the bay between my house and Hayward there. San Jose is down at the bottom. This is land San Francisco and Millbrae. This is a 20-mile link. Originally we were using Intel 2011 access points, which are really kind of sweet because they do something called WLAN mode. They can be an access point and a LAN bridge at the same time. The problem is that they don't do this too well. If they lose their link, they just reboot in a cycle. So they're not very good for doing bridges long-term. So now we're switching to WAP11s, which are $200. If you get firmware that got accidentally released, you can do bridging with them. So now you're looking at about $200 for the access point that you can do bridge mode on. You get your pigtail and you've got your antenna and you've got a point-to-point link for less than $500. This didn't exist a couple years ago. You had projects like SFLAN and the Presidio that were using frequency hopping equipment and BreezeCOM equipment and whatnot. This stuff has gotten so much cheaper and the price is really dropping. If you're doing BAWUG or NoCat or NYC Wireless, you can do it yourself. If you've got DSL and your friend down the street is outside of the DSL zone and you can see each other, set up a link. It's quite simple to do and the price is dropping on it.
One of the things that's interesting is calculating: is this link going to work? So there's some commercial software, which is pretty expensive, to do path analysis. Obviously, it's not in the... I can't afford that, that's for sure. You can do kind of a... this is the access point at First and Folsom in San Francisco. I didn't take that picture. This is kind of the ghetto way of doing: where does it cover? So we're just walking around, clicking scan, and then we took a map and drew it out. This is the coverage with a 15 dBi omni with an Aironet access point of 100 milliwatts. I wanted to show the picture; I guess we don't have the picture of a terrain navigator. That's really, real quickly, some of the stuff that we're working on. Tim Pozar is another guy involved with BAWUG. There's a lot of other groups in different areas throughout the country. On the West Coast, you're looking at BC Wireless up at the top, Seattle Wireless. Personal Telco is personaltelco.net. They're in Portland. Sebastopol up at O'Reilly. Bay Area Wireless Users Group is throughout the Bay Area. I think there's a group in San Diego. Moving more towards the East Coast, you've got NYC Wireless and many other projects popping up. What's really happening is people are really excited about this technology and they're saying, how do I get rid of my DSL and join this big MAN and all that type of stuff. In reality, this stuff wasn't designed to create a MAN. It wasn't designed to compete with Ricochet. It was designed to build buildings or to put an access point in a room, around in your conference room. We're really pushing the limits with this. The access point vendors don't like us doing that. We're going to the next step where we're buying cards, we're hacking antennas, and we're looking at getting old 486s and Linux boxes, FreeBSD, whatever, and building our own routers and that sort of thing.
Our mission probably within the next six months is really cookie-cuttering this thing out, in the sense that you'll be able to buy this motherboard that's stripped down, with these PCMCIA slots, and it's got its mini PCI and it's got its compact flash and its console, and you download this software, it's got the captive portal, and it's good to go, and you get this card and here's how you hack it, and this guy in your area has an LMR-400 crimper. Boom, boom, boom. You're good to go. That's really what we're moving to here, and a lot of people ask us, well, what's going to happen when we do this? We don't really know. It's very organic. It's just like the internet. Different projects are doing different things at different points within New York, and basically you can go to, as I like to say, you can go to like a donut shop and you can get your access for free and you're welcome to use that network. And we're working on different ways of, okay, you can set the SSID as, call it free network or whatever, and the reality is that people are going to pop onto your network, and to be secure, you can't just put a simple firewall in between. So we're looking at doing like Snort and IDS and kind of reversing the firewall methodology. So it's a big project to do this because none of the stuff exists. The manufacturers are really confused right now. What do we do? We're selling these $200 links or people will put it at home, and now these free wireless people are building networks. What do we do? Cisco right now has a major problem because all these dot-bombs are dying. All their switches and their routers you can buy at surplus auctions, and the only thing they're selling right now is all back-ordered and they don't know why people are buying them so much. They don't know where this market share is going to. I'm not bullshitting. Cisco people come to our meetings and are like, whoa, what are you guys doing? So it's really interesting what they're looking at.
They made a good, definitely good acquisition of Aironet from Ohio last year. That was a good plan. This is just real quickly; that was my kind of quick overview of the slideshow. Like I said, bawug.org, wireless.net, you've got Personal Telco, nocat.net, the list goes on. Probably around November, October, we're going to work on a wireless summit somewhere in the Bay Area where it will be kind of formed like this, like a workshop-type environment. How do you build that Pringles can antenna? How do you do war dialing? How do you build antennas? Big kind of omnidirectional antennas. What's the best access point to buy? So this is definitely a movement that people should be aware of. And I think that people are a little bit scared by the media saying, oh, Peter's driving around and he's war dialing and that's all bad. Well, it's really useful for us to get the statistical information to see what's out there, because then we can approach these companies and say, hey, buy it away X microsystems. You guys make those great computers there. Your network's not very secure. Why don't you put this out in the DMZ? All the major firewall companies in the Bay Area have open WLANs. Actually, no, sorry, it's cut you off a little bit. We've got about five more minutes, so we might as well answer a few more questions. Right there. So the question is, how do we deploy a network in parts of San Francisco to cover all of San Francisco? From an RF standpoint, and I'm not an RF person, I'm not a ham or anything, it's really hard to do it right now because if you go to certain places in downtown San Francisco, there's already 40 access points you can hear in the default configuration with the default channel. Half of them are using channel one or channel 11. It would take a lot of coordination to pull that off. The problem is that this stuff is not really designed to do repeating and whatnot. You'd literally have to pull a T1 in to each location.
So what we're suggesting is basically the bandwidth's already there at these companies. Let's give them a Linux box that's got DMZ-in-a-box and they can do it. That's not our immediate goal right now. We're looking more at getting that software made, getting that box made, instead of covering all of San Francisco city. It would take a lot of work and effort. There are some stealth startups that are proposing that, but it's really hard because the only wireless companies right now, like MobileStar that's got the Starbucks thing, and Wayport and those other ones, they're not making money, and we're not in it for the money, so we're not going anywhere. Here's a map of New York, by the way. Starbucks. The blue dots are where we drove, the red dots are where we hit Starbucks' network, and the crosses are where the Starbucks actually are. Obviously we haven't covered everything in Manhattan, but we've hit 1,400 base stations already. All right, questions. A good trick when war driving? Take the bus. I'm not kidding, it's just efficient: get back, get drunk. All right, question. Mass transportation like BART is a lot of fun. What? What's the percentage of the corporate networks we're hitting while war driving? Encrypted. 18% maybe. That's it. Ontario and New York said it's a lot more in New York. We're looking at 75 to 85 in the finance area. I don't know, Bechtel in San Francisco is wide open. Questions. London is pretty fertile also. Got it right there. Tons. Incredible amounts. I'm very sure there's a lot of people on a lot of other people's networks, and they don't know it. In addition, if we have two APs on the same channel, they're going to stumble over each other and reduce your efficiency by half at least. This has been demonstrated by the network at this event. The network is first set up around here. Maybe next year we'll come back and we'll set it up. It's really hard to set up a wireless network when you've got kiddies spoofing all night. Question over here.
This is the best place for access. Over wireless. The tent. Also the bar downstairs is pretty good. And it serves two purposes. The drink. Any other questions? Got any at the front? After this we'll probably walk down to the bar, so if you buy us a beer we'll answer more questions. Wide open. I really want to take my VW bus to Washington D.C. You're already in the capital of California, the state capital. I'm at the state capital of California right now, and that's going to be Entertainment Value 101. So, is that it for questions? All right, one more. Speak louder. At that frequency I don't have to detect any Doppler problems. I'm really effective around 40, 45 miles an hour. I've done efficient scans around 80 miles an hour. And it's not going to affect my bus at all. So I think that's it for questions. I think we're running out of time. Thanks. I'd just like to make one recommendation to no one in specific, but a good book they should probably read is Networking for Dummies.