CBRfree public Wi-Fi in full bloom

riotact said :

Definitely. Depending on your phone you are missing out on carrying maps in your pocket unless you have a standalone GPS for one thing (Windows Phones exempt as they will download persistent maps)…..You miss out on doing quick, easy, secure banking by typing a 4 digit pin and pressing a few buttons like on an ATM…..without actually having to go to an ATM (Yes you can call phone banking but it is definitely more of a hassle then opening an app and immediately seeing balance etc).

It appears I am missing out on stuff that I don’t need but thanks for enlightening me anyway. I was wondering what those rude people do in theatres with their devices and now I know.

riotact said :

I don’t have a phone with data (whatever that means). Does this mean I am missing out on something?

Definitely. Depending on your phone you are missing out on carrying maps in your pocket unless you have a standalone GPS for one thing (Windows Phones exempt as they will download persistent maps)…..You miss out on doing quick, easy, secure banking by typing a 4 digit pin and pressing a few buttons like on an ATM…..without actually having to go to an ATM (Yes you can call phone banking but it is definitely more of a hassle then opening an app and immediately seeing balance etc).

Banking can be done on the computer at home. There’s only a rare reason to need to call the bank. On a phone, can you see if the site you are accessing is secure, as you can on a computer?

Walking through Garema place, all of a sudden no pages will load. Oh, my phone auto connected to CBR Free wifi, which apparently isn’t connected to the internet… Turn Wifi off, continue.

I don’t have a phone with data (whatever that means). Does this mean I am missing out on something?

Definitely. Depending on your phone you are missing out on carrying maps in your pocket unless you have a standalone GPS for one thing (Windows Phones exempt as they will download persistent maps)…..You miss out on doing quick, easy, secure banking by typing a 4 digit pin and pressing a few buttons like on an ATM…..without actually having to go to an ATM (Yes you can call phone banking but it is definitely more of a hassle then opening an app and immediately seeing balance etc).

How do you edit comments? Seems I can’t…..but I thought I’d like to add that all of what I mentioned could be avoided if they set up WPA2 as the security for CBRfree and even if they simply made the password “cbrfree” and changed the SSID to “PasswordIsCBRfree” this will mostly protect you from everything I just mentioned…….but they won’t do it 🙂

riotact said :

“It also demonstrates the positive impact CBRfree Wi-Fi will have in making Canberra an even smarter and more liveable city”

Pfffft….Maccas have had free wifi for donkeys.

Who doesn’t have a phone with data these days anyway….yes this wifi is going to suddenly make Canberra super smart and wayyyy more liveable…..I mean I guess it’s always nice to get something for nothing from the Government……but then nothing is ever really for nothing when it comes from the public purse.

Oh FYI…..open (insecure) wifi networks such as CBRfree are prone to a little trick where perpetrator sitting near you firers up his/her rouge wifi station……floods the network with deauth packets to force your device to drop off the legit CBRfree access point…then if you are close enough to the perp and perps rogue wifi station has a strong enough signal, it pretends to be CBRfree and now your device unquestionably connects to the perps wifi station and the perp starts capturing your packets (Karma mode on Pineapple). Here is one example of a consumer rogue wifi station https://wifipineapple.com

Ok……so you’re now saying “Yea but sites like facebook use https” …. sure…..but if I’m acting as a “Man in the Middle” and so I’m establishing the SSL session to facebook, I can then render a http(not s) version of the site to you and hope you don’t see that it doesn’t have the green padlock (SSLStrip on Pineapple). Be honest, you wont notice. But ok……you do notice because you’re smarter than 92.3% of public servants….so this time I create my own site that looks exactly like facebook, or your bank and I host it on my own domain created for this task. I get my own certificate which is trusted as issued to my domain. As you are on my network, I capture your DNS queries for facebook.com and I direct you to my fake facebook site instead of the real facebook.com. I can alter what appears in the address bar of your browser so you now look like you are at facebook.com…..you have the little green padlock or whatever (browser will vary) and it is all https so you think great I’m encrypted with the green padlock and I’m good to go. Sure if you closely inspect the certificate you may see it is trusted for faceb0ok.com instead of the real deal….but you won’t look.

So you then proceed to enter your password into my fake facebook page, I capture the password and then I forward it to the legitimate facebook and relay the responses from facebook to you so you’re now logged onto facebook legitimately and I have your password.

Oh and you think that’s bad……you should see what data apps spit out in the clear… The thing with apps as well is there is no green padlock to tell you if the link is https or not……and if I do a “Man in the Middle” on the https session to the back end web API, quite often the app does no checking on encryption….and if it does force encryption and I have to supply a certificate…..8/10 it will not even check the legitimacy of the certificate and just trust it……

Woohoo! CBRfree, making Canberra smarter and more livable….LOL

I don’t have a phone with data (whatever that means). Does this mean I am missing out on something?

“Rouge wifi” – is this some sort of lefty pinko commie plot?

Otherwise a very good description of the pitfalls.

“It also demonstrates the positive impact CBRfree Wi-Fi will have in making Canberra an even smarter and more liveable city”

Pfffft….Maccas have had free wifi for donkeys.

Who doesn’t have a phone with data these days anyway….yes this wifi is going to suddenly make Canberra super smart and wayyyy more liveable…..I mean I guess it’s always nice to get something for nothing from the Government……but then nothing is ever really for nothing when it comes from the public purse.

Oh FYI…..open (insecure) wifi networks such as CBRfree are prone to a little trick where perpetrator sitting near you firers up his/her rouge wifi station……floods the network with deauth packets to force your device to drop off the legit CBRfree access point…then if you are close enough to the perp and perps rogue wifi station has a strong enough signal, it pretends to be CBRfree and now your device unquestionably connects to the perps wifi station and the perp starts capturing your packets (Karma mode on Pineapple). Here is one example of a consumer rogue wifi station https://wifipineapple.com

Ok……so you’re now saying “Yea but sites like facebook use https” …. sure…..but if I’m acting as a “Man in the Middle” and so I’m establishing the SSL session to facebook, I can then render a http(not s) version of the site to you and hope you don’t see that it doesn’t have the green padlock (SSLStrip on Pineapple). Be honest, you wont notice. But ok……you do notice because you’re smarter than 92.3% of public servants….so this time I create my own site that looks exactly like facebook, or your bank and I host it on my own domain created for this task. I get my own certificate which is trusted as issued to my domain. As you are on my network, I capture your DNS queries for facebook.com and I direct you to my fake facebook site instead of the real facebook.com. I can alter what appears in the address bar of your browser so you now look like you are at facebook.com…..you have the little green padlock or whatever (browser will vary) and it is all https so you think great I’m encrypted with the green padlock and I’m good to go. Sure if you closely inspect the certificate you may see it is trusted for faceb0ok.com instead of the real deal….but you won’t look.

So you then proceed to enter your password into my fake facebook page, I capture the password and then I forward it to the legitimate facebook and relay the responses from facebook to you so you’re now logged onto facebook legitimately and I have your password.

Oh and you think that’s bad……you should see what data apps spit out in the clear… The thing with apps as well is there is no green padlock to tell you if the link is https or not……and if I do a “Man in the Middle” on the https session to the back end web API, quite often the app does no checking on encryption….and if it does force encryption and I have to supply a certificate…..8/10 it will not even check the legitimacy of the certificate and just trust it……

Woohoo! CBRfree, making Canberra smarter and more livable….LOL