Tuesday, June 10, 2014

Comcast xfinitywifi and hidden wifi network

Recently, on Twitter, I talked about Comcast and their xfinitywifi network. Here is the full story.

If you have Comcast and a recent modem from them such as one of those, it creates by default a wireless network called xfinitywifi (if it doesn't now, it will do it soon), so that other people with Comcast can log in to it and have Internet access when they are traveling.

It's a pretty good idea since it does not use any of your bandwidth (based on what they say; Slashdot had a story today from the Houston Chronicle), but it could slow down your wireless network since it is on the same channel. However, I really don't like the way they implemented it: it is enabled by default and you can only disable it by logging in to your account online; there is not a single mention of it in the modem configuration. It's also a bad idea because you can easily fake it to steal credentials (it's an open network, no encryption).

Unfortunately, I had to spend quite a lot of time with their tech/customer service to figure it out and get it disabled (their first attempt to disable it failed). And they will try to convince you to leave it on. I knew they had access to the cable modem and could reset/upgrade the firmware. What's really worrying is that they can access all the settings of the modem, including the wireless settings, and they could tell me what my WiFi settings were. They might also be able to access your network.

Moving on. Another issue I mentioned to their tech was that there was another wireless network alongside xfinitywifi and my personal network: a hidden network with the same security settings as my personal network (or it's just a coincidence that I use the same settings as them). The MAC address is also very similar to the one of your modem. What changes is the first byte.
As of now (the last time I spoke to them was 2 or 3 weeks ago at least), this hidden network is still there and I have absolutely no idea what that network is. So, I'll disable the wireless on the modem and have another AP between the modem and my network. Here is a picture of the network (let me know if you'd like a PCAP).

Does anybody know what that hidden wireless network is for? Comcast hasn't responded yet to that question on Twitter.
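A way to check your own scan results for the pattern described above (BSSIDs that match the modem's except for the first byte), as an added example that is not part of the original post. The scan data is constructed, using the RFC 7042 documentation MAC range, and the function names are illustrative.

```python
from collections import defaultdict

# Constructed scan results (BSSID, SSID, security); addresses use the
# RFC 7042 documentation range and are not taken from the post.
SCAN = [
    ("00:00:5E:00:53:10", "HomeNet", "WPA2-PSK"),
    ("02-00-5e-00-53-10", "", "WPA2-PSK"),        # hidden: empty SSID
    ("06:00:5E:00:53:10", "xfinitywifi", "Open"),
    ("00:00:5E:00:53:AF", "Neighbor", "WPA2-PSK"),
]

def parse_mac(text):
    """Return the six octets of a MAC written with ':' or '-' separators."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    octets = [int(p, 16) for p in parts]
    if any(o > 0xFF for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return octets

def sibling_groups(scan):
    """Group networks whose BSSIDs differ only in the first octet."""
    groups = defaultdict(list)
    for bssid, ssid, security in scan:
        octets = parse_mac(bssid)
        tail = ":".join(f"{o:02x}" for o in octets[1:])
        groups[tail].append({
            "bssid": ":".join(f"{o:02x}" for o in octets),
            "ssid": ssid,
            "hidden": ssid == "",
            "security": security,
            # Bit 0x02 of the first octet marks a locally administered
            # address; treated here only as a hint of a virtual SSID.
            "local": bool(octets[0] & 0x02),
        })
    # Keep only tails seen on more than one BSSID.
    return {t: nets for t, nets in groups.items() if len(nets) > 1}

def findings(scan):
    """List hidden or open networks that share a tail with another BSSID."""
    out = []
    for _tail, nets in sorted(sibling_groups(scan).items()):
        for n in nets:
            if n["hidden"] or n["security"].lower() == "open":
                out.append((n["bssid"], n["ssid"] or "<hidden>", n["security"]))
    return out

if __name__ == "__main__":
    for bssid, ssid, sec in findings(SCAN):
        print(f"{bssid}  {ssid:<12} {sec}")
```
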

Sunday, June 8, 2014

Custom trac+svn or GitHub (or other alternative)

Recently, I had a small discussion about moving to GitHub (or another similar solution) on IRC. The subject has come up several times (and I thought several times about it) and I'd like to have more opinions about it.

I'm really tempted to move it since it might decrease cost a little bit and most importantly, it will decrease the amount of maintenance I have to do. However, I have some concerns and I'm open to new ideas.

I like GitHub since it has most of the features of (a base) trac (and I don't need more than that). User management is built-in, as well as anti-spam. There is a big community around it and we can do continuous integration (using Travis CI). And I don't have to spend time cleaning up the spam, updating the server (and making sure it's secure; I guess GitHub has security measures).

Here is what I don't like with GitHub:
  1. You don't have control of your code anymore.
  2. One-way thing: you can import trac (tickets and stuff) to GitHub but I have never heard of tools to back that up.
  3. You depend on them: if they're down, you'll have to wait for their stuff to come back up. If they get hacked, you might be in trouble. They can close your project; if you guys remember WhatsApp, a few days before it was bought by Facebook, GitHub received DMCA letters and had to close a bunch of projects that were related to WhatsApp (or API library).
  4. You need an account to create a bug report.
However, the cons can be somewhat alleviated:
  1. Hosting my own git repository and syncing to GitHub (as well as other GitHub alternatives)
  2. If there is no tool to back up GitHub, I might develop one (and open source it) or pay somebody to create one.
  3. Using multiple services. We could have GitHub as the main location and use other services as back-up (read-only). If GitHub goes down, we can switch any other to read-write. However, we'll need software to do the sync (and it also depends on the back-up program in the previous point).
  4. If they don't have an account: Accept bug reports by email and/or have people post in the forum (you don't need an account to post) and I take care of adding them to GitHub.

So, here are my questions:
  1. What is your opinion about using GitHub (and git) for Aircrack-ng instead of trac+svn?
  2. What are the alternatives to GitHub (free, hosted)? If you've used it, please give me your opinion about it. I'm also willing to pay a few dollars a month if there is a serious one.
  3. What are the installable (to your own server) alternatives to GitHub? It's better if it's free/open source but I don't mind paying if the solution is good.
Here is what I found (and heard about): GitLab (to install, as backup, using gitlab-mirrors), BitBucket, Gitorious, Kiln. However, I need more feedback about them.

As I get feedback, I'll update the post.