Locking down Linux.conf.au

Give five hundred very technically proficient Linux enthusiasts unfettered access to the same Wi-Fi network and you might be asking for trouble.

Nearly every year, network administrators at Linux.conf.au, Australia’s premiere open source conference, have to deal with some sort of shenanigans on the network.

Chief among the concerns for conference network admin Steve Walsh has been the appearance of mysterious rogue wireless access points with the same or similar names to the official network.

Usually it’s an accident, Walsh explained. "People set up their Android phone as a hotspot, get lazy and use the same network name. But that's really obvious because the connection is so slow."

But things aren't always that innocent, as the enthusiast crowd have the skills - and often the anti-authority motivation - to attack the wireless network.

"We had someone in 2009 with a unit that did a Denial of Service attack, stopping anyone else from using the network while they got to use all the bandwidth,” Walsh told iTnews at this year’s event.

“And in 2005 there was someone in [conference founder] Rusty Russell's talk that rebroadcast the network, intercepting everyone's traffic."

Those Man-in-the-Middle attacks are serious, potentially leading to data or identity theft. Secure websites and services will display an error when this happens, but many users ignore the warnings.

Fortunately, most Linux.conf.au attendees are highly security-conscious.

"Rusty just saw the warning and immediately powered off his laptop,” Walsh said.

It's not easy to prevent wireless attacks.

Once a perpetrator knows that conference organisers are on their tail, they simply close their laptop or turn off their device, and become effectively undetectable. It's a cat and mouse game where the mouse can turn invisible on demand.

But for the past few events, the admins have had a secret weapon: some advanced Linux-based wireless arrays contributed by the conference’s in-kind sponsor Xirrus.

These arrays come armed with an “intrusion prevention and detection system", says Matt Sutherland, Wi-Fi Engineer at Xirrus, such that if there is "any anomaly on the network, we can spot it and attack it".

That is to say, rather than waiting around for attacks to happen, the conference's access points actively search for unauthorised networks and pre-emptively strike before they can do any damage.

They can also passively locate attackers, and even intercept their communication, without it being obvious that anything different is happening.

More importantly, because it's a wireless array rather than a single unit, these monitoring and security activities can occur independently of providing a continuous wireless connection to all conference-goers.

Last week's conference saw the return of a mysterious rogue access point, but Walsh wasn’t too worried.

"There's always someone,” he said. “We give them three hours, and if they haven't come forward by then we just start tweeting their location and it tends to go away by itself."