WeekEnd Feature: Quick! Send me to Tibet!!










by Ian Thompson, CCSP Staff Editor
April 10, 2004


Last week, I mentioned how I’d recently rediscovered Google’s news service. This week, I’m seeking somewhere to hide from its infectious, addictive nature. Google News is a drug – it’s the crack habit that’s hard to kick, even after the first try. I don’t need the ‘watch this story’ toy I mused over – just clicking the refresh button every so often, Pavlov-style in the hope of another tasty morsel, is enough. Heck, I even enabled the Active Desktop for a while, just to have it change before my very eyes behind the game(s – endless) of Patience, or some of the CodeMasters desktop toys, or even daft downloads from MiniClips that I’d taken to wasting my time on between updates. Sorry for ever mentioning it… I mean, look what’s popped up this week…

WiFi, WiFi everywhere; pour me another drink…

With apologies to the poet, (I’m sure I should know which one wrote that ‘Water, water...’ piece). Here are a few of the latest stories floating, wire-free, around the various news archives… (all links acknowledged to their original authors).

Cisco warns of another security hole…

Oh good. Hot on the heels of the Cisco attack kit (look it up – what do you want me to do; make it easy for you?), I read this piece on ComputerWorld. It’s another instance of privileged information getting out, I suspect, because it reads like Cisco hard-code a default username and password into their equipment (or at least into their firmware). This time it affects the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software used to manage Aironet WLAN systems, tying together a variety of Cisco items into one huge, site-wide entity. I can see the point of this approach – better roaming ability for one – but it seems a shame that certain things get overlooked.

You see, stuff can be patched, as has been done for this problem, but this sort of thing lies at the most basic end of the security spectrum; namely, change each and every default username and password on equipment as soon as possible. Software is ‘out there’ that contains the default passwords and so on for pretty much all pieces of security hardware, which a hacker would consider an essential part of any attack kit. They’re not hard to find. Which makes me wonder just how much equipment is installed with defaults set. Anything is better than default.

This is London calling.

Two stories of overlapping nature were reported on The Register.

It seems that plans are afoot (“What’s afoot?” “12 inches…”) to leave vast quantities of expensive equipment literally lying around on roadsides across the UK, from more than one scheme under consideration.

It seems that every lamp-post, street sign and bollard is soon going to become a wireless repeater for one scheme or another, using the laws that permit “telematics” – the gathering of traffic information – to provide a system for public use. However, whilst this operates at a frequency well above standard 11a and 11b/g WiFi, it has made at least one UK council comment on the apparent overlap with systems it is trialling for employee use. Read the article – The Register will no doubt appreciate the hits.

The telematics scheme involves not only fitting street furniture with wireless repeaters, but also with large amounts of storage. This will be used to cache data accessed by users of devices such as mobile phones, PDAs and laptops, apparently to the tune of 80% of all hits. I’ve previously concluded we are all as predictable as sheep in our habits, but this takes that level of predictability to a new level. Regional differences aside, (you know, where all Yorkshiremen search for tips on racing pigeon clubs, Scotsmen find tasty new batter recipes for their Mars Bars, and Londoners permanently have the latest house prices displayed as a wallpaper – well, at least the last one is true), the only other solution is absolutely vast grid storage, accessible from any point.

If this uses anything like a standard form of memory (HDD, DIMMs), in the street lights, around here it will all get nicked. Luckily it seems to rely on caching the storage in users’ devices, which already get nicked often enough. Sounds like a giant P2P network…

Any spare change for a quick download, gov’nor?

And the other story? Something called a ‘global roaming hub’, involving partnerships between various mobile phone network operators anywhere that mobile phones are used (which is pretty much everywhere) and a group of access package providers.

You know, I think someone in the TLA-Mill has hit overdrive with this one. WLAN (Wireless LAN) I understood, but now there are things called WISPs to get to grips with. Presumably a WISP is a WiFi ISP, or something similar, and the idea is that these operate in conjunction with any WLAN created by the mobile operators themselves. This is good for older 2G (GSM) and 2.5G (GPRS) services, but not so much for the newer 3G operators who have based their business plan on selling network access over their handsets.

It’s another charge-point in the system – already I pay for the basic service, any extra minutes above my inclusive time, and for GPRS data by the megabyte; I could also shop by mobile, buying goods and services via my monthly bill. Now, rather than using my service provider’s network (which would presumably be in competition), I could download maps, local service announcements (phone-spam) and email by paying a bit more money for the same thing I already have.

Train of thought......woo woo

I also read this story, about how our long-distance trains are being equipped with WiFi and high-speed Internet access, rather like the system announced for airliners a while back by Boeing. This will be free for first-class passengers, but the rest of us rabble, forced to endure the prospects of no seat (even though it’s pre-booked) and one curly sandwich in the entire carriage-long buffet car (where they have a full kitchen but no-one cooking, even on the breakfast-time business specials), it will cost £4.95.

Given that most journeys (electrical failure, leaves on the line, or just general shoddiness notwithstanding) only take 2-4 hours before a change of train is due, several things sprang to mind. One is that people need a break from VR and need to duck back into the real world for at least a couple of hours each day. Shocking, I know, but it has apparently been medically proven that using computers all day can lead to a terminal failure in social life. Another thing is that tunnels will probably still cause ‘Mission: Impossible’ style problems – i.e. a break in transmission – unless they use the tracks for carrying the data; plenty of bandwidth there, but unfortunately also plenty of break points. If the train does go into a tunnel, it will automatically link to multiple mobile phone transmitters to maintain a link. However, last time I went through a tunnel, my phone lost signal, so this is obviously a winner. It’ll probably use the nearest WISP to maintain the hard-working stockbroker’s link to the LSE, or Sky Sports, or Yahoo!’s Britney-on-demand video library.

The last thing (apart from the fact that, these days, first class isn’t) was that this must represent an excellent challenge to the back-packing, laptop-toting, freshly-qualified ethical hacker. After all, bluejacking other passengers only has so much fun in it (believe me, the reactions soon become passé), and the “guess the filling” game with the sandwich has been done to death – as has running a book on when the final ‘lucky’ consumer of said morsel will dive for the (out-of-order) toilet.

Honestly, doesn’t anyone leave his or her job behind at the end of the day? Hang on while I mark another set of students’ work…

The Society of Silly Names (trading as ‘TLA-Mill plc’)

So, the boss of IKEA is now the richest man in the world, thanks to the falling value of the US dollar taking the boss of Microsoft down a few billion in the exchange rate game. Does this mean that he’ll branch out and expand his portfolio into software? Probably not, but let’s see who can come up with the most IKEA-like name for regular computer equipment. Of course, more or less everything apart from Apple would be given a utilitarian-sounding name, whilst Apple would not only have very sophisticated names but also pictures of their designers nearby in the stores.

If there are any family lines in IKEA product naming, I haven’t deciphered them yet, but you can bet that the small set of plastic storage containers currently called KRAPP would be retagged to free up that particular soubriquet for anything to do with the connection between the words ‘default’ and ‘security’. True to form, the stuff would be flat-packed and tricky to put together.

Default Administrator Username: “KRAPP”; Default Administrator Password: “TOTAL”

Change your defaults, won’t you? But not whilst on a busy train about to head into a tunnel, or leaning on a lamppost at the corner of the street – otherwise it might not turn out nice again after all.
Right, time to click ‘Refresh’ again…

Cheers and Happy Holiday!, Ian





by Ian Thompson ComputerCops Staff Editor



Ian Thompson is a Network Manager of a 500-PC, 9-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.



Copyright © Ian Thompson All Rights Reserved 2004.






Posted on Saturday, 10 April 2004 @ 10:02:08 EDT by phoenix22
Re: Quick! Send me to Tibet!! (Score: 1)
by phoenix22  on Saturday, 10 April 2004 @ 10:06:57 EDT
http://computercops.biz
great piece.......Ian.......as always......btw.......where's that Train of Thought........today??



Re: Quick! Send me to Tibet!! (Score: 1)
by Ian-OG  on Saturday, 10 April 2004 @ 10:34:41 EDT
LOL! Make me sound like Zoidberg, would you? Just bought the entire Futurama set, so I'm off to spot the Easter Eggs in every episode I think.

And when I get tired of that, I've got the Family Guy box set too.

And when I get tired of that... I've got Anastacia's latest, including special edition DVD...

Maybe I'll cover something about the new series of micro-viruses for next time...