Friday, August 20, 2004

MIT Security Camp 2004 and the invisible AUP

So I took the past two days off to attend MIT Security Camp. I've been going to it and its sister conference at BU for a number of years now and really enjoy it. Its free, the talks are great and I always walk away learning something and having fun. So, I shouldn't be complaining, right?

Well, yes and no.

At one point during today's session, I, like 75% of the other people there, decided to take out my laptop to check mail, check in at work and the like. Now, given that there was a free wireless network for our use and I'm a freak when it comes to my data and my security, naturally I do everything I can to protect myself. So, I setup SSH forwarding to tunnel my mail traffic off the wireless network and to a slightly more secure wired network at home. My signal strength wasn't the best and I was having DNS issues so it made checking mail a bit tricky. So, I fired up trusty tcpdump to see what was going on. Sure enough, soon after I started seeing my traffic things started to work. If I had to guess, it was because the APs became slightly less bogged down or the slower of my assigned DNS servers finally timed out.

But, my tcpdump session was open long enough for me to see some pretty interesting traffic. Though, thats not too surprising for a number of reasons. For one, MIT's network (wired or otherwise) is extremely interesting given the vast number of machines, lack of firewalls, and hardware and software that predates my birth. Secondly, its because I have an eye for things that are out of the ordinary. Among other things, my eyes immediately fixated on some IPX traffic. In the payload was some data that obviously came from an Alpha box and was prefixed with the string LONG-LIVE-THE-BO, or something along those lines. Interesting, eh?

So after my mail situation was straightened out, I fired up ethereal to get a better (easier) look at the data I was seeing.

Keep in mind that my card was not in RFMON mode, as I still haven't figured out how to put my card into that mode and actually be able to establish normal connections with it (i.e., SSH'ing somewhere). So, the traffic that I was seeing was broadcast traffic that was headed toward my machine legitimately. I'm sure many of you know that the traffic that is considered network broadcast traffic can get quite ugly. This'll include everything from IGMP, to multicast, to windows networking and at least a half dozen other old, but relatively common protocols that most everyone has seen and isn't that interesting. As such, I filtered out damn near everything that I wasn't interested in. Sure enough, eventually that Alpha box was back and there were a few more that were chatting IPX with each other.

About 5-10 minutes into the second talk, one of the talk organizers taps Muncus (who was sitting next to me) on his shoulder and asks to speak to him outside. It was odd, but didn't think much of it. When he came back, he told me that someone had complained about me sniffing traffic and that she wanted me to leave (she being the talk organizer). At first very confused and surprised, I reluctantly packed up my stuff and headed out. I met her and the guy who was upset with my "sniffing" in the hallway. At the time, I was a bit uneasy because I wasn't sure what was going on, let alone what the big deal was. I was polite and as unconfrontational as possible, yet they seemed to insist that what I was doing was wrong and that I was breaking their rules. I tried to explain to them that I was doing nothing malicious at all and was merely interested in that Alpha traffic, which was coming my way whether I wanted it or not. It didn't seem to matter, really. I had already been asked to leave and two people were already fairly unhappy with me, so why bother making a stink, right?

Well, after the hike in the hot sun back home I had some time to think.

First of all, I broke no rules. Why? Because there were none. Yeah, I signed up for this conference, but I neither signed nor read any AUP or rules stating how I was to use their wireless network. That said, I'm a mature and fair person, especially when in the hospitality of others. So, if I thought that what I was doing was blatantly wrong and malicious, I can assure you I wouldn't have done it.

Second, even if I had read an AUP or signed some sort of agreement, I was doing nothing even remotely close to subverting or attacking their network. This was good old, plain jane broadcast traffic. No, I'm not talking RF broadcast, but standard 802.3 broadcast traffic that was being spewed at every machine in the auditorium whether they wanted it receive it or not. So, by telling me I can't do that is the equivalent of saying "hey, I'm gonna be talking really loudly in the back of the room while someone else is talking but you cannot listen to me." Sure, a similar argument can be made for RF traffic, but its a bit different. I took no hostile measures to get the traffic I saw. Heck, at that, the traffic I did see and was specifically looking for was 100% harmless anyway.

Thirdly, if you are at a security conference and have a problem with someone sniffing wireless traffic, you've got a serious wake up call coming. This is not the third grade -- there is no "honor system" in the security business. You've got to assume that, unless you are in some extreme situation, the minute traffic leaves your machine it will be compromised. Thats why the entire theme of this conference was security. It is extremely important and yes, despite what you may think, there are people out there whose soul purpose is to make your life as a security professional that much more difficult. I can think of easily a handful of conferences (whether they were security minded or not) where a survey of some sort was conducted to see what portion of the people attending that conference were practicing insecure computing practices. You know what? A scarily high percentage of those people that were among the foolish masses who were POPing their mail in the clear, using plain old HTTP to do banking and telnet'ing and SNMP querying their organizations routers had no idea of the implications of their actions. You know what? Now they know.

Once again, folks, the Internet is a scary scary place so you best start practicing what you preach or you will get bit and get bit hard. Its not if, its when.

I'll be at this coming Spring's BU Security Camp, as well as next year's MIT Security camp.