Archive for the ‘Uncategorized’ Category

Blackhat 2013 Sophos Puzzle

Wednesday, August 7th, 2013

Recently, Sophos like to mark attendance at a trade show by running a geeky puzzle competition and they’ve just done one for blackhat, which I actually managed to finish.

A hackable crossword puzzle

The puzzle started with a fairly straightforward crossword. Now, I’m terrible at crosswords, but fortunately this crossword had an answer checking function in its Javascript source code which contained hashes of the answers, using its own simple hashing function:

AnswerHash = new Array(81594, 21864, 31173, 82603, 59177, 71467, 9693, 97258, 
  92537, 49915, 30431, 16251, 59242, 66492, 67266, 96088, 2956, 97195, 73488, 
  73937, 38947, 81055);
...
// Returns a one-way hash for a word.
function HashWord(Word)
{
    var x = (Word.charCodeAt(0) * 719) % 1138;
    var Hash = 837;
    var i;
    for (i = 1; i <= Word.length; i++)
        Hash = (Hash * i + 5 + (Word.charCodeAt(i - 1) - 64) * x) % 98503;
    return Hash;
}

Porting this into PHP (my default scripting language) and using /usr/share/dict/words, it was pretty simple to solve a good number of the questions automatically. The hashing algorithm was prone to a lot of collisions, but narrowing down the possible words by length helped. I checked this worked properly against an easy clue: “How information starts its life”, which of course is “data”.

This technique gave me a nice spread of completed words across the board:

    • Decrement RCX and branch if not zero.: loop
    • The moves a pentester makes once he’s in.: lateral
    • Autonomous software (but not quite a virus).: agent
    • It’s not a lens, but it’s focused on you anyway.: prism
    • Vulnerabilities that really work.: exploits
    • How information starts its life.: data
    • On the Mac, it’s Option E.: acute
    • Where you set up the base pointer.: prolog
    • The guy who’ll win in the Apple-Samsung case.: attorney
    • What amateur cryptograms are always claimed to be.: airtight
    • Apple couldn’t bring themselves to call it Wi-Fi.: airport
    • Whitfield Diffie helped you share it.: secret
    • What the BlackHat trade show staff are really after.: leads
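The dictionary attack described above, as an added Python example rather than the author's PHP script: it ports the crossword's HashWord() and runs a word list against the published AnswerHash values, grouping hits by hash so collisions are visible and filtering by the clue length from the grid. The checker hashes the upper-case answer (charCodeAt - 64 maps A to 1), which is why "data" comes out as 30431. The SAMPLE_WORDS list is constructed; point it at /usr/share/dict/words for the real thing. The same function serves the last step of the post, where the combined first-word/last-word candidates are hashed to find the right answer.

```python
# Added example (not the crossword's own code): Python port of HashWord() plus a
# dictionary search against the answer hashes published in the page's JavaScript.
ANSWER_HASHES = {81594, 21864, 31173, 82603, 59177, 71467, 9693, 97258,
                 92537, 49915, 30431, 16251, 59242, 66492, 67266, 96088,
                 2956, 97195, 73488, 73937, 38947, 81055}


def hash_word(word):
    """Port of the crossword's HashWord(); the grid holds upper-case letters,
    so 'A' - 64 == 1."""
    word = word.upper()
    x = (ord(word[0]) * 719) % 1138
    h = 837
    for i, ch in enumerate(word, start=1):
        h = (h * i + 5 + (ord(ch) - 64) * x) % 98503
    return h


def find_candidates(words, hashes, length=None):
    """Return {answer_hash: [matching words]} for every dictionary word whose
    hash is one of the published answer hashes. The hash collides a lot, so
    restricting to the clue's length (known from the grid) prunes most noise."""
    hits = {}
    for raw in words:
        w = raw.strip()
        if not w.isalpha():              # skip "don't", hyphenated entries etc.
            continue
        if length is not None and len(w) != length:
            continue
        h = hash_word(w)
        if h in hashes:
            hits.setdefault(h, []).append(w.upper())
    return hits


# Constructed stand-in for /usr/share/dict/words; "date", "loot", "prime" and
# "angst" are decoys next to four real answers from the post.
SAMPLE_WORDS = ["data", "date", "loop", "loot", "prism", "prime", "agent", "angst"]

if __name__ == "__main__":
    # Real run: with open("/usr/share/dict/words") as fh: find_candidates(fh, ANSWER_HASHES, length=4)
    for h, ws in sorted(find_candidates(SAMPLE_WORDS, ANSWER_HASHES).items()):
        print(h, ws)
```

With the real dictionary, each answer hash typically maps to a handful of words per length, which is short enough to pick the right one from the clue by eye.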

Then spotting a few more easy ones: “You’ll read it if you want to win the prize. [5,8]” is of course “Naked Security”, and “What you do to your code when you’re in a hurry.” I got worryingly quickly: “Hack at it”. A few more required some googling: “He decrypted Hittite” is Hrozny. Curiously, the last clue to get was “Why you are doing this puzzle”. “It’s fun” and “I’m bored” didn’t fit, but I had enough letters that I could come up with possible combinations of words based on the word list and grep. You can do this with any crossword, e.g. the first word “_H_E_” can be found with:

grep -i "^.h.e.$" /usr/share/dict/words

and the last word with

grep -i "^.r.n.e.$" /usr/share/dict/words

Despite the middle letter being “d” and “three” coming up in the first list, I still didn’t spot the answer (see, terrible at crosswords) so I combined the 26 possible first words with the 45 possible last words, creating a list of 1170 possible words, which I could then just run the hashing function against to reveal the right answer. This made me feel simultaneously cunning and stupid.

[Image: the completed crossword]

Moving on…

Counting in binary

As per the instructions on the competition page, this then gives you a string of 6 letters which form the password for the zip file containing the next stage, however you don’t know the case of each letter, which effectively means there are 2^6 possible passwords for the zip file. By considering an uppercase character as 1 and a lowercase character as 0, this is basically the same as counting from 0 to 64 in binary. e.g. if the possible letters were ABCDEF, you would first try abcdef, then abcdeF, abcdEf, abcdEF etc.

I wrote a simple script to create the word list and then ran “unzip -P [word] snodwen-message.zip” against each word. This gets you to the next stage.
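The case enumeration described above, as an added Python example (the post's own script is not shown): each of the six letters is one bit of a counter, with the last letter as bit 0, so the variants come out in the order abcdef, abcdeF, abcdEf, abcdEF and so on. The zip file name in the docstring is the one from the post; the word list path is an assumption.

```python
# Added example (not the post's script): every upper/lower-case spelling of the
# six recovered letters, enumerated by counting in binary.
def case_variants(letters):
    """Yield all 2**len(letters) spellings. Bit 0 of the counter selects the
    case of the last letter, bit 1 the one before it, and so on."""
    base = letters.lower()
    n = len(base)
    for counter in range(1 << n):
        yield "".join(
            ch.upper() if (counter >> (n - 1 - i)) & 1 else ch
            for i, ch in enumerate(base)
        )


def write_wordlist(letters, path):
    """Write the variants one per line, for a loop such as
    `while read w; do unzip -P "$w" snodwen-message.zip && break; done < path`.
    Returns the number of candidates written."""
    variants = list(case_variants(letters))
    with open(path, "w") as fh:
        fh.write("\n".join(variants) + "\n")
    return len(variants)


if __name__ == "__main__":
    print(write_wordlist("abcdef", "passwords.lst"), "candidates written")  # assumed path
```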

Oh God, not FORTRAN

I hadn’t seen a line of FORTRAN for 12 blissful years until this point. The not-so-subtle reference to current affairs was a message as follows:

Dear Reader,

This is Teddy Snodwen speaking.

You don’t know me, and I don’t know you, but we may be able to help each other.

I have some private data I’ve encrypted, but I’m having some travel problems right now, with the result that I’m concerned about getting stuck in no-man’s land at some airport, unable to leave, or proceed, or get at my data.

So I have prepared a series of files from which anyone who’d like to help can extract a secret code that can be read out over the phone, or even just held up to the glass in the transit area for me to copy down.

When you’re ready, you’ll need a PDF file from here:

http://nakedsecurity.sophos.com/bh2013-sophospuzzle-the-snodwen-file

And you’ll need the password, a nine-digit number you can calculate with this simple algorithm, which I’ve written in my favourite programming language, MR-ISP.

It’s a rare dialect of FORTRAN:

P=1
DO 51 I=1,1000000000
P=1+1/P
51 CONTINUE
S=0
Q=1
DO 52 I=1,9
S=S*10
S=S+(INT(P*(10**Q)) MOD 10)
Q=Q*10
52 CONTINUE

I know you won’t so much as think of cracking the code until I give the signal, since gentlefolk don’t read other gentlefolks’ email.

And with that, I remain,

Yours sincerely,

Teddy Snodwen (Mr)

MR-ISP, eh? Subtle.

With some minor tweaks, that just about runs in FORTRAN; however, what you will very quickly notice is that the code is dealing with stupendously large numbers and a stupendously high-precision number. The code is basically split into two parts:

Part 1: Iterate 1 billion times over the equation for phi to have that value to a very high degree of accuracy.
Part 2: Select digits from the decimal places of phi, in orders of magnitude increasing by 10. i.e. 1st decimal place, 10th, 100th, 1000th etc.

This doesn’t work in pretty much any programming language unless you use a library with which you can specify arbitrary precision of your numbers. So there are two ways of solving this:

  1. Find an arbitrary precision library for FORTRAN, get it to work with the above code, run the code
  2. Some other way which means I don’t have to touch any more FORTRAN or start looking for arbitrary precision libraries in another language

Obviously I chose #2. I can’t have been the first person on the internet to calculate phi to a ludicrous degree of accuracy. Indeed not. Someone had also written a program called y-cruncher which calculates famous constants to arbitrary precision and outputs them to a text file. Much nicer. I could then just pick out the digits by hand and come up with the 9 digit password for the PDF. Next.
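What the two parts of Snodwen's program actually compute, as an added Python example using the standard decimal module (not the author's approach, who took the digits from y-cruncher's output): part 1 is the continued-fraction iteration P = 1 + 1/P, which converges to phi at roughly 0.42 decimal digits per iteration, and part 2 reads off the digits at decimal places 1, 10, 100, ... (Q takes the values 1, 10, 100, ..., so INT(P*10**Q) MOD 10 is the Q-th decimal digit). The nine-digit password needs 100,000,000 decimal places, which is why the real thing wants a purpose-built constants program; the functions below take the digit count as a parameter so the same selection can be checked at small scale.

```python
# Added example (not the puzzle's or the author's code): Snodwen's phi
# iteration and digit selection done with arbitrary-precision decimals.
from decimal import Decimal, localcontext


def phi_by_iteration(iterations, digits):
    """Part 1 of the FORTRAN: P = 1 + 1/P repeated. The error shrinks by a
    factor of phi**2 per step, about 0.42 decimal digits, so `iterations`
    should be roughly 2.4x the number of correct digits wanted."""
    with localcontext() as ctx:
        ctx.prec = digits + 10
        p = Decimal(1)
        for _ in range(iterations):
            p = 1 + 1 / p
        return p


def phi_by_sqrt(digits):
    """Closed form (1 + sqrt(5)) / 2, which is how a constants program gets
    there without a billion iterations."""
    with localcontext() as ctx:
        ctx.prec = digits + 10
        return (1 + Decimal(5).sqrt()) / 2


def decimal_places(x, n):
    """First n digits after the decimal point of a Decimal, as a string."""
    frac = format(x, "f").split(".")[1]
    if len(frac) < n:
        raise ValueError("value does not carry %d decimal places" % n)
    return frac[:n]


def snodwen_digits(frac, count):
    """Part 2 of the FORTRAN: the digits at decimal places 1, 10, 100, ...,
    10**(count-1), concatenated. count=9 is the puzzle's password and needs
    frac to hold 100,000,000 places."""
    out = ""
    for q in range(count):
        place = 10 ** q
        out += frac[place - 1]      # frac is 0-indexed, decimal places are 1-indexed
    return out


if __name__ == "__main__":
    phi = phi_by_sqrt(1000)
    print(decimal_places(phi, 20))                    # 61803398874989484820
    print(snodwen_digits(decimal_places(phi, 1000), 4))
```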

Onion Skins Of Encryption

The unlocked PDF has the URL and password for the next stage – another zip file. This contains a single text file – “e.9” – which contains Lua code. It’s clear from the first few characters that the code is an array of data encrypted using an XOR at some point:

k=11179023 o=bit32.bxor t=string.char f=math.floor c={
6501666,4735189,10824306,11719312,15507616,3654640,12739110
...
} function xit(n) local x=o(11994318,n) for i=1,24 do x=x*2 if x>=2^24 then x=o(x,25578747) end end return x end
function tit(n) return t(n%256)..t(f(n/256)%256)..t(f(n/65536)%256) end
p='' for i=1,#c do p=p..tit(o(k,c[i])) k=xit(k) end load(p)()

The code takes a very large array of integers, then iterates over them, XORing each integer against a key, then splitting the result into 3 bytes, adding that to a string and then creating a new key for the next iteration by shifting the old key one binary place to the left and then XORing that against a fixed number. Once all the iterations have finished the resulting string is loaded as Lua code and run.

The first thing you would do on getting to this stage is to just run the code as is. You quickly find that:

  1. It takes ages
  2. It produces garbage

Clearly you need to change a few things. First of all, you don’t need to iterate over the entire array to find out if it’s worked or not. Iterate over just 10 values by switching “#c” for “10” and switching “load(p)()” for “print(p)”. The next thing you have to do is make a few assumptions. What’s broken? The algorithm looks OK, so maybe the initial key isn’t right. Finding the key for an XOR-encrypted text is fairly easy if you know the unencrypted text for a part of the cypher text at least as long as the key. The key is only 3 bytes long (only 3 characters), so this shouldn’t be too hard. I hadn’t used Lua before but to me, it looked like the last line “load(p)()” was treating “p” like a function and running it. Maybe the first line contains a function definition? I tried XORing the first 3 bytes of the cypher text against “fun” as in “function” using this code added to the end of e.9, replacing the normal decrypt loop:

-- Inverse of tit(): pack three characters back into one 24-bit integer
function untit(test)
  return string.byte(test,1)+string.byte(test,2)*256+string.byte(test,3)*65536
end
test="fun"
v=untit(test)
k = o(c[1],v)      -- candidate initial key: first ciphertext word XOR guessed plaintext
p = ''
for j=1,#c
do
  print( j.."/"..#c )
  p=p..tit(o(k,c[j]))
  k=xit(k)
  -- after 10 words, give up unless the guess has produced "function"
  if j>10 and not string.match( p, "function" ) then
    break
  end
end

This provides “untit”, the reverse of “tit”, and attempts to start the decryption by setting the initial key to the result of XORing the first 3 bytes with “fun”. If after 10 iterations the resulting string doesn’t contain “function” then the loop exits. If it does, then the decryption has worked and it continues to decrypt the rest of the array.

This didn’t work. The decrypted text clearly didn’t start with “fun”. So what then? The clue is the filename, “e.9”. The “e” is probably for “encryption” and the “9”? How about the 9th iteration? Suppose the file decrypts another selection of encrypted text? If it used the same algorithm that would mean the file started with “k=” and then a number between 0 and 9. Only 10 possible combinations of clear text for the first three bytes! I then took the above code and put it in a loop:

m = "k="
for i=0,9
do
  test = m..i
  v=untit(test)
  k = o(c[1],v)
  p = ''
  print( i )
  for j=1,#c 
  do 
    print( j.."/"..#c )
    p=p..tit(o(k,c[j])) 
    k=xit(k)
    if j>10 and not string.match( p, "bit32" ) then
      break
    end
  end
  if string.match( p, "bit32" ) then 
    print( test..": "..untit( k  ))
    print(p)
    file = io.open( "e.8", "w" )
    file:write(p)
    file:close()
  end
end

This attempts to decrypt using the known plaintext of “k=0”, “k=1” up to “k=9”. It then lets the algorithm carry on for 10 iterations and then tests to see if “bit32” has come out in the resulting string, as we know that this is also at the start of the code. If it has, it carries on decrypting the code and then writes it to file “e.8”.

As suspected, e.8 is basically the same, but slightly smaller. I could then just replace the array in my code with e.8’s, run it again and find e.7. Repeating this, you eventually get down to “e.1” and it stops working, suggesting that “e.0” doesn’t have the same code in it. We need a new known plaintext. Assuming e.0 was still Lua code, I tried a few things, eventually finding that it starts with “print”.
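The whole scheme and the known-plaintext key recovery from the last few paragraphs, as an added Python example (not the puzzle's Lua and not the author's scripts): xit, tit and untit are re-implemented with the constants from e.9, a constructed Lua-looking plaintext is encrypted under a constructed key (0xABCDEF, not the puzzle's), and recover_key() then does what the "k=0" to "k=9" loop does: XOR the first ciphertext word with each guess to get a candidate key, decrypt a few words, and keep the key whose output contains the marker "bit32". The same function with the guess "print" is the final e.0 step.

```python
# Added example (not the puzzle's code): the e.9 cipher in Python with the
# known-plaintext key recovery used to peel each layer.
XIT_XOR = 11994318      # constants copied from e.9
XIT_POLY = 25578747     # has bit 24 set, so XORing it keeps the key at 24 bits
TOP_BIT = 1 << 24


def xit(k):
    """e.9's key schedule: XOR with a constant, then 24 shift/conditional-XOR
    steps, i.e. an LFSR-style mix of the 24-bit key."""
    x = k ^ XIT_XOR
    for _ in range(24):
        x <<= 1
        if x >= TOP_BIT:
            x ^= XIT_POLY
    return x


def tit(n):
    """24-bit integer -> three little-endian bytes (e.9's tit)."""
    return bytes([n & 0xFF, (n >> 8) & 0xFF, (n >> 16) & 0xFF])


def untit(b):
    """Three bytes -> 24-bit integer (the post's untit)."""
    return b[0] | (b[1] << 8) | (b[2] << 16)


def encrypt(plaintext, key):
    """Produce the integer array c={...}: pad to 3-byte words, XOR each word
    with the current key, advance the key with xit()."""
    plaintext += b" " * (-len(plaintext) % 3)
    out = []
    for i in range(0, len(plaintext), 3):
        out.append(key ^ untit(plaintext[i:i + 3]))
        key = xit(key)
    return out


def decrypt(cipher, key):
    """e.9's main loop: p = p .. tit(bxor(k, c[i])); k = xit(k)."""
    out = bytearray()
    for c in cipher:
        out += tit(key ^ c)
        key = xit(key)
    return bytes(out)


def recover_key(cipher, guesses, marker, probe=10):
    """Known-plaintext attack from the post. The first word is k XOR the first
    three plaintext bytes, so each 3-byte guess gives one candidate key;
    decrypt `probe` words and accept the key whose output contains `marker`.
    Returns (guess, key) or None."""
    for guess in guesses:
        candidate = cipher[0] ^ untit(guess)
        if marker in decrypt(cipher[:probe], candidate):
            return guess, candidate
    return None


# Constructed sample: a plaintext shaped like the next layer, under a made-up key.
SAMPLE_KEY = 0xABCDEF
SAMPLE_PLAINTEXT = b"k=4 o=bit32.bxor t=string.char f=math.floor c={1,2,3}"
SAMPLE_CIPHER = encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
GUESSES = [b"k=%d" % i for i in range(10)]

if __name__ == "__main__":
    found = recover_key(SAMPLE_CIPHER, GUESSES, b"bit32")
    print(found)                                       # (b'k=4', 11259375)
    print(decrypt(SAMPLE_CIPHER, found[1]).decode())
```

The probe of ten words is the same short-circuit the post uses: a wrong candidate key diverges from the real keystream immediately, so thirty bytes are enough to reject it.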

Extreme checksum

This is the final message:

print[[
In stage 1, you solved a crossword, extracted 24 characters 
from the completed grid, and used six of those characters to 
form a password.

Now take the remaining 18 characters and write them down in 
reverse alphabetic order (Z..A).

Then write a dollar sign.

In stage two, you calculated more than 400,000,000 decimal 
places of a certain transcendental number, and used nine of 
those digits to form a password.

Now write down the nine digits from decimal places 
100,000,001 to 100,000,009 inclusive.

Then write a dollar sign.

Now write four alphabetic characters (A-Z) of your choosing.

You should have a string of 33 characters. Ensure all letters 
are upper case.

Calculate the 512-bit SHA-3 hash of this string, print it as 
hexadecimal characters and use the first 20 as your answer.

Submit your answer as detailed here:

http://nakedsecurity.sophos.com/bh2013-final
]]

Fun! Basically, “You got this far, now prove again that you didn’t cheat”. If you were diligent in the early stages, you will have saved all your answers as you went along and this won’t take long. I took a screenshot of my crossword, thankfully, but failed to save my digits of phi, so I had to do that bit again.

What’s with the last 4 characters? The puzzle author will check your hash against a rainbow table [1] of 26^4 possible combinations to check you have the right answer, and presumably to restrict sharing of the hash.
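The final stage and the checker's side of it, as an added Python example (not the puzzle's or the author's code): build the 33-character string as the message specifies, take the first 20 hex characters of SHA3-512 (hashlib.sha3_512, Python 3.6 or later), and, for the "rainbow table" check, enumerate every A-Z suffix against the 29 known characters until one reproduces the submitted answer. The 18 letters and nine digits below are constructed placeholders, not the real crossword or phi values; suffix_len is a parameter so the enumeration can be run at smaller sizes.

```python
# Added example (not the puzzle's code): assembling the final string, hashing
# it, and the checker-side enumeration of the four free letters.
import hashlib
import string
from itertools import product


def build_final_string(remaining_chars, nine_digits, chosen_four):
    """18 crossword letters in Z..A order, '$', nine phi digits, '$', four
    letters of your choosing; everything upper case, 33 characters total."""
    if len(remaining_chars) != 18 or not remaining_chars.isalpha():
        raise ValueError("need the 18 unused crossword characters")
    if len(nine_digits) != 9 or not nine_digits.isdigit():
        raise ValueError("need nine decimal digits")
    if len(chosen_four) != 4 or not chosen_four.isalpha():
        raise ValueError("need four letters A-Z")
    part1 = "".join(sorted(remaining_chars.upper(), reverse=True))
    s = part1 + "$" + nine_digits + "$" + chosen_four.upper()
    if len(s) != 33:
        raise ValueError("assembled string is not 33 characters")
    return s


def answer_hash(s):
    """First 20 hex characters of the 512-bit SHA-3 of the string."""
    return hashlib.sha3_512(s.encode("ascii")).hexdigest()[:20]


def find_suffix(answer, known_prefix, suffix_len=4):
    """Checker's side: the 29 known characters plus every A-Z suffix
    (26**4 = 456,976 for four letters) and compare hash prefixes. Returns the
    suffix the entrant chose, or None if the answer matches nothing."""
    for combo in product(string.ascii_uppercase, repeat=suffix_len):
        suffix = "".join(combo)
        if answer_hash(known_prefix + suffix) == answer:
            return suffix
    return None


# Constructed placeholders standing in for the real crossword letters and digits.
SAMPLE_LETTERS = "ABCDEFGHIJKLMNOPQR"
SAMPLE_DIGITS = "123456789"

if __name__ == "__main__":
    s = build_final_string(SAMPLE_LETTERS, SAMPLE_DIGITS, "CAFE")
    print(s)                          # RQPONMLKJIHGFEDCBA$123456789$CAFE
    print(answer_hash(s))
    print(find_suffix(answer_hash(s), s[:29]))   # CAFE
```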

Thanks to Paul Ducklin for the puzzle. It had a really nice difficulty curve that drew me in with an easy crossword and before too long I was writing in two programming languages I usually don’t touch.

[1] From the author: “Less of a rainbow table and more of a list…only 26^4 options (about 0.5M).” However, I consider anything I wouldn’t want to write by hand a rainbow table. Shopping list, you can do manually. Shopping rainbow table would be very expensive.

Greedy Git

Sunday, June 23rd, 2013

TL;DR: I wrote a script for enumerating and downloading source code off sites when they accidentally share their .git folder.


I’ve noticed a couple of things of late when looking at security testing software:

  1. Python now seems to be the scripting language of choice
  2. It seems to be mostly not just in git, but on GitHub

And the upswing in popularity of git is not just in small projects, but in deploying to web sites too, so much so that it’s now becoming increasingly more likely to find a site that is inadvertently serving the .git folder to the outside world.

With a little work it should be possible to reconstruct a repository remotely (object packs being the only hard part).

Of course, this isn’t a new problem – SVN has the same issue – but the fact that it’s slightly harder to parse the git metadata means it’s a nice opportunity to finally take the plunge, write some Python and learn more about git.

What’s in the .git folder?

  • An index file which, like SVN’s, is effectively a database of all files in the project against hashes of those files. Unlike SVN’s, it’s in a memory-map format, which is much more fiddly to write code for
  • The entire site source code, referenced by SHA1 hash, compressed using zlib deflate
  • Logs of git actions such as commits in logs/HEAD
  • A small config file which is a good starting point for testing whether a .git directory is present or whether the site is configured to return 200 OK for any URL requested, as it has a very predictable format

Analysing the .git folder

As a starting point, to avoid having to parse the index file myself, I forked gin – a neat little index file parser written in Python. This already produces a readable and JSON encoded version of the file which I can then use to iterate over the files. The script looks at:

  • File extensions. Count which file extensions are the most popular. This tells us what our site is written in, if it wasn’t already obvious
  • “Interesting” files. Archive format files, backups, SQL, “hidden” files (beginning with “.”) such as .htaccess and .htpassword, files which might have DB configurations in them etc
  • The logs/HEAD file for emails and credentials stored in URLs

This then dumps the information out into: a simple flat-text interesting.lst file; a report.md file containing the results of the above scan; a copy of index in its native format, as readable text, as JSON and as flat text; and copies of config and logs/HEAD.
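Two of the checks described above, written from the side of someone auditing their own deployment, as an added Python example (not greedy-git's code): a small parser for git's INI-like config that tells a real /.git/config body apart from a site that answers 200 OK with an HTML page for any path, and a scan of logs/HEAD reflog lines for URLs that embed a password (the kind of thing that should be found before the directory is ever reachable). The config, HTML and reflog samples are constructed; the hostnames, names and 40-character ids in them are placeholders.

```python
# Added example (not greedy-git's code): recognise a real git config body and
# find credentials embedded in reflog URLs, for a pre-deployment self-check.
import re

SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\]$')
CRED_URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://([^/\s:@]+):([^@\s]+)@([^/\s]+)", re.I)


def parse_git_config(text):
    """Minimal parser for git's config format: {section: {key: value}}.
    Headers look like [core] or [remote "origin"] (stored as 'remote.origin');
    keys are tab-indented 'key = value' lines. Returns None if the text does
    not have that shape at all."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) + ("." + m.group(2) if m.group(2) else "")
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            return None
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def looks_like_git_config(body):
    """True when a fetched /.git/config body is what git writes (a [core]
    section carrying repositoryformatversion), as opposed to a catch-all page."""
    cfg = parse_git_config(body)
    return bool(cfg) and "repositoryformatversion" in cfg.get("core", {})


def credentials_in_reflog(text):
    """(user, host) for every URL in logs/HEAD that embeds a password, such as
    'clone: from https://user:secret@host/repo.git'. The password itself is
    deliberately not returned."""
    return [(m.group(1), m.group(3)) for m in CRED_URL_RE.finditer(text)]


# Constructed samples (placeholder ids, names and hosts).
SAMPLE_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n\tbare = false\n"
    '[remote "origin"]\n\turl = https://git.example.com/site.git\n'
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
)
SAMPLE_SOFT_404 = "<!DOCTYPE html><html><body><h1>Welcome</h1></body></html>"
SAMPLE_REFLOG = (
    "0" * 40 + " " + "1" * 40 + " Jane Doe <jane@example.com> 1371990000 +0100"
    "\tclone: from https://deploy:hunter2@git.example.com/site.git\n"
    + "1" * 40 + " " + "2" * 40 + " Jane Doe <jane@example.com> 1371990600 +0100"
    "\tcommit: fix login\n"
)

if __name__ == "__main__":
    print(looks_like_git_config(SAMPLE_CONFIG), looks_like_git_config(SAMPLE_SOFT_404))
    print(credentials_in_reflog(SAMPLE_REFLOG))   # [('deploy', 'git.example.com')]
```

On the serving side the fix is to never expose the directory at all; for nginx a rule of the form `location ~ /\.git { deny all; }` in the site's server block is the usual way to do that.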

Being a greedy git

At this point, you already have quite a lot of powerful info; however, if the script has managed the above, it will probably also be able to download the source code for the site. Since we’ve already determined a lot of interesting files in interesting.lst, we can use that (edit it and add to it) to download all those files to our computer. In git, the compressed source for a file (in “loose” format) is stored in .git/objects/ and is referenced by the SHA1 hash of itself. We have that hash, so we can try and download files.

Passing the “-I” command line argument to greedy-git will make it attempt to download everything in interesting.lst to ./files/ in the current working directory. If you really want to go overboard, you can pass “-a”, which will get as much of the site source code as it knows about, and passing “-g [remote/file/path]” will download just that file, or matching file pattern.

You now have a target site’s juicy source code. This could contain database or other credentials, clues to vulnerabilities or “security by obscurity” style back doors that the developer thought no one would find. All this is now just a few grep commands away.

Do use responsibly, and let me know if there is a way of guessing the pack file name – that would be the keys to the kingdom…

Quick And Dirty DVR

Wednesday, October 26th, 2011


I recently dug out an old USB 1.1 Digital TV Tuner – a Hauppauge WinTV Nova-T USB, which I think I bought in about 2003 and eventually gave up on due to poor reliability under Windows, the crappy TV signal quality in Coventry and the success of excellent torrent sites like UKNova. Well, I’ve moved house now, and with an increased TV signal strength also came the bad news that I appear to be on a limited bandwidth ADSL line. I envisaged a single evening of plugging in the tuner, installing MythTV under Ubuntu and having a neat DVR to use.

Sadly, this was not to be the case.

Getting the tuner recognised under Linux wasn’t too hard. The required firmware was already present in Ubuntu’s repositories, but I couldn’t get the thing to scan. MythTV couldn’t open or ID the card and “scan” resulted in nothing. I even tested with the intended packaged drivers under Windows and got about as far.

Eventually, I found “w_scan” which does the kind of full-frequency scan your TV would do and was able to produce a channels.conf file in the format that tzap uses. Success! On the tzap page of the MythTV wiki it shows how you can use tzap to tune the device and “cat” to just dump the MPEG stream to file. Excellent – time for a quick and dirty script!

I then knocked up a “record” script, which takes easy-to-read commands like “record Eastenders on BBC ONE for 30”, tunes the card and dumps the MPEG stream to a sensible location. Combine that with some cron and I’ve got a hacky little DVR. XBMC can do the front end stuff.

I now have to get used to the idea of knowing I want to watch something before it airs, like we used to do in the 90s.

Here’s my TV shows crontab as an example:

# Record soaps off the TV
29  19  * * 2,4 /home/iain/bin/record Eastenders $(date +\%F_\%A) on BBC ONE for 32
59  19  * * 1,5 /home/iain/bin/record Eastenders $(date +\%F_\%A) on BBC ONE for 32
30  18  * * 1-5 /home/iain/bin/record Hollyoaks $(date +\%F_\%A) on Channel 4 for 27

# Watchable stuff
59  20  * * 5 /home/iain/bin/record Have I Got News For You $(date +\%F) on BBC ONE for 32
59  21  * * 5 /home/iain/bin/record QI $(date +\%F) on BBC TWO for 32
0   18  * * 1-5 /home/iain/bin/record The Simpsons $(date +\%F) on Channel 4 for 30

Or for one-offs (as root, unless you change permissions on the device):

echo "record some tv on bbc one for 25" | at 16:00

(or as commandlinefu.com would probably prefer it:)

at 16:00 <<< 'record some tv on bbc one for 25'

Let me know in the comments if you end up using it.

How FireShepherd could live up to its name

Wednesday, November 3rd, 2010

First there was FireSheep. It allows anyone to hijack HTTP session cookies for a number of sites from anyone using them on the same open access point as you. Now, a predictable counterpoint to that is that someone would come up with “FireShepherd” to protect this poor flock. However, FireShepherd is nowhere near as fun as FireSheep – all it does is try and crash FireSheep with fake data and hope for the best; meanwhile your session info is still being transmitted in the clear.

Ideas for FireShepherd to be more useful/fun:

  1. Have it force SSL connections on all the same sites that FireSheep snoops on, making session hijacking impossible. Plugins like Force-TLS do this.
  2. Have it create bogus logins to sites where the user’s profile pic has been set as goatse, tubgirl etc. When the FireSheep user grabs that user’s session data they will have those lovely pics appear in their stolen sessions list.
  3. (getting crazy here) have it perform a man-in-the-middle attack on the wireless network, replacing the network’s router as the default gateway or DNS server. You can then point people to fake versions of captured websites and feed the FireSheep user whatever you want. Oops, there’s goatse again! Oh, what’s that you just went to? A malware site? Careless FireSheep user!

Anyway, those are some ideas. As Steve Gibson pointed out in the last Security Now, simply switching a network to WPA is enough to protect all the users from this attack. If you’re running a café and want to provide free wifi you can make the network password as public as you want – make a poster and stick it above the till. It is unencrypted wifi, not wifi itself, that allows user sessions to be hijacked like this.

The BNP Hate Factor League

Wednesday, November 26th, 2008

As I’m sure you all noticed last week, the latest fun leaked data from a political party came from the BNP, who somehow had their entire membership list leaked onto the internet. For people like myself this presented two fun opportunities:

  1. To do a little bit of geographical and statistical analysis on some odd data
  2. To laugh at a bunch of hate-filled racists

There were quite a few nuggets of statistical analysis in the first couple of days: a proximity checker to see which of your neighbours were members, the obligatory Google Maps mashups (since, sensibly, taken down), a sort of heat map, and the Grauniad did an excellent map broken into electoral wards. They were all pretty good, but they still rather suffered from the problem that you see “hot spots” in areas which are naturally population nodes. There was no accounting for population density.

Anyway, in a spare moment I took a copy of the database, cleaned up the postcode information a bit, ran it through a geocoder to get lat and long data, ran that through a lookup for population density and then grouped the data by postcode area. What I now have is a count of each person in a postcode area, divided by the population density – this should then give a population-normalised rank of how hate-filled postcode areas are. Anyway, here’s the Top 40, Top Of The Pops style:

| Rank | Postal Area | Town | County | Members | Population Density | Hate Factor |
|---|---|---|---|---|---|---|
| 1 | LE67 | Coalville | Leicestershire | 56 | 0.621 | 90.125 |
| 2 | S63 | Bolton-on-Dearne | Rotherham | 50 | 0.557 | 89.846 |
| 3 | HX3 | Boothtown | Halifax | 35 | 0.563 | 62.182 |
| 4 | LS27 | Morley | Leeds | 46 | 0.772 | 59.618 |
| 5 | BD22 | Oakworth | Keighley | 32 | 0.598 | 53.556 |
| 6 | CR4 | 263-265 London Road | Mitcham | 24 | 0.48 | 49.96 |
| 7 | WF2 | Wakefield | West Yorkshire | 27 | 0.543 | 49.727 |
| 8 | HX2 | Illingworth | Halifax | 27 | 0.551 | 48.974 |
| 9 | NG10 | Long Eaton | Nottingham | 27 | 0.551 | 48.97 |
| 10 | DE55 | Alfreton | Derbyshire | 35 | 0.735 | 47.594 |
| 11 | S75 | Silkstone Common | Barnsley | 33 | 0.701 | 47.047 |
| 12 | LS15 | Crossgates | Leeds | 35 | 0.772 | 45.362 |
| 13 | CW7 | Winsford | Cheshire | 9 | 0.199 | 45.124 |
| 14 | M27 | Swinton | Manchester | 9 | 0.199 | 45.124 |
| 15 | BH1 | Bournemouth | Dorset | 7 | 0.158 | 44.439 |
| 16 | S70 | Kendray | Barnsley | 20 | 0.463 | 43.202 |
| 17 | BD13 | Queensbury | Bradford | 24 | 0.585 | 41.025 |
| 18 | L26 | Halewood | Knowsley | 9 | 0.238 | 37.871 |
| 19 | E4 | Chingford Hatch | London | 12 | 0.32 | 37.47 |
| 20 | B37 | Solihull | West Midlands | 27 | 0.743 | 36.339 |
| 21 | S6 | Riverlin | Sheffield | 19 | 0.528 | 35.99 |
| 22 | DE24 | Stenson Fields | Derby | 26 | 0.772 | 33.697 |
| 23 | N18 | Aberdeen Road | London | 8 | 0.24 | 33.307 |
| 24 | B63 | Halesowen | West Midlands | 13 | 0.414 | 31.382 |
| 25 | S71 | Carlton | Barnsley | 19 | 0.609 | 31.192 |
| 26 | NE34 | South Shields | Tyne & Wear | 24 | 0.772 | 31.105 |
| 27 | CV6 | Bell Green | Coventry | 24 | 0.772 | 31.105 |
| 28 | WF3 | Tingley | Wakefield | 24 | 0.772 | 31.105 |
| 29 | HD7 | Leymoor, Golcar | Huddersfield | 17 | 0.551 | 30.835 |
| 30 | WS9 | Aldridge | Walsall | 17 | 0.551 | 30.835 |
| 31 | CH2 | Mickle Trafford | Chester | 8 | 0.267 | 29.923 |
| 32 | DE21 | Oakwood | Derby | 23 | 0.772 | 29.809 |
| 33 | BD20 | Glusburn | Keighley | 20 | 0.68 | 29.405 |
| 34 | NG17 | Kirkby-in-Ashfield | Nottinghamshire | 31 | 1.066 | 29.072 |
| 35 | DE15 | Burton-on-Trent | Staffordshire | 22 | 0.772 | 28.513 |
| 36 | S5 | Sheffield | South Yorkshire | 18 | 0.643 | 27.995 |
| 37 | S12 | Sheffield | South Yorkshire | 8 | 0.289 | 27.649 |
| 38 | B14 | Kings Heath | Birmingham | 14 | 0.512 | 27.347 |
| 39 | HD3 | Longwood | Huddersfield | 17 | 0.623 | 27.303 |
| 40 | LS9 | Leeds | West Yorkshire | 21 | 0.772 | 27.217 |

Berocca Bribing Bloggers

Thursday, October 2nd, 2008

They’ve clearly gotten a new marketing person over at Berocca in the past year. Having not really touched TV ads until now, they launched a campaign which is clearly targeted at the blogosphere, which featured a slightly embarrassing rip-off of OK Go‘s “Here It Goes Again”, and now they’re buying blog posts by launching their “Blogger Relief” campaign. You can register your blog and if they like it they’ll send you a box of free stress-relieving gizmos.

I don’t need to be paid off to thoroughly recommend Berocca – I’ve been addicted to the stuff for years and it’s saved my life countless times, however the odd cheap bribe never hurt anyone.

If that still doesn’t convince you, the prospect of luminescent orange pee after a glass always brightens up a dull day (and freaks out anyone else in the public toilet).

Beebhack moved to Wikia

Monday, June 2nd, 2008

I had a very nice email from Angela at Wikia this morning, inviting me to move the Beebhack Wiki over to their hosting. I think the only reason Beebhack wasn’t over there in the first place was potential hassle around getting a free wiki approved by their staff. Since they’d been kind enough to email me over there, this was no longer a problem.

So, a good time to take advantage of a better implementation of MediaWiki than we had at BluWiki and hopefully some better uptime. Angela even imported all our existing wiki data for us.

Beebhack.wikia.com

Wii iPlayer, User Agents

Wednesday, April 9th, 2008

The Beeb added a little update to the iPlayer again today, clearly as part of their (admirable) attempts at getting iPlayer working on exotic devices: iPlayer is now Wii optimised! How cool! I’ve not tested it out, but this is the first “official” iPlayer version which is actually designed to display TV shows on a TV. We are living in the future!

I’ve written a few technical notes over on the Wiki, but basically they’re using the User-Agent string to serve a Flash 7 compatible stream.

Speaking of User-Agents, I’m hearing that the iPhone version of iPlayer has been tightening down on what User-Agent string you can get away with when you pretend to be an iPhone. No more “iPhone, LOL” strings I’m afraid 😉

New BBC Wiki

Wednesday, March 19th, 2008

I’ve created a new wiki all about using BBC content at beebhack.bluwiki.com

In the first 24 hrs it got 1500 page requests and it’s not looking to slow down just yet. I would have hosted it here at Strawp.net but I wanted this to be more community owned than something I would run.

The downside of course is that I really don’t have any detailed information on where any of those hits are coming from…

One in Six Wireless Networks are Sitting Ducks

Monday, November 6th, 2006

A few weeks ago I got a bluetooth GPS module for my iPaq, just to play around with. Since Wififofum collects GPS data if it’s available, I’ve been recording wireless access point data as I’ve been walking about the town, commuting to work or driving.

The data I’ve gotten so far (about 600 access points) isn’t that useful on its own, but what’s really interesting is slicing the data in various ways and seeing what you come up with. To do this I built a new site: wifi.strawp.net into which I can upload the log files from wififofum. For a day or so I had the front page of the site plot location data of access points into Google Maps, searchable by SSID, manufacturer, channel etc, however I was advised by friends that doing so was probably a really bad idea, so this information is now on a login-only basis.

The fun part, which is still publicly available, is the stats page. If you’ve got a friend that you’re trying to convince they need to secure their wireless network, link them to that page. You can currently see the most popular manufacturers, the most commonly used SSID and – my favourite – the number of access points that have their default SSID and appear to have no encryption set. This is currently at just over one in six (16.9%), which is quite frankly frightening. You probably won’t be surprised to learn that the best place to look if you want to stumble across one of these access points is a suburban area where, if Coventry is anything to go by, you’re likely to find an insecure access point on any street you care to walk down.

If you’re still wondering what the issue is, the BBC’s The Real Hustle did a very neat little feature on why you should use WPA encryption on your network.