Les Liaisons Dangereuses

Connectivity is dangerous. The fricative sounds of German wafting through the open windows of today’s hotel room reminded me of that fact, reminded me of a misadventure long past, a memory from a time when connectivity took a modem and a phone line. Sometimes it took the diligent and careful application of alligator clips. Hotel phones were, and still are, nothing but trouble.

That time, in that past hotel, things went south. I had tried to look innocent. I failed. “Monsieur!” said the hotel’s night manager as he pounded loudly on my door. “Monsieur,” he repeated as I opened the door, “is there a problem with your telephone, Mein Herr?”

The switch from French to German seemed ominous. Moreover, he looked ominous. He looked like he had spent his formative years on a diet of steroids and fondue, while bench pressing Tony Soprano. “Whoops,” I thought, “this can’t be good.” Articulate and ever ready with smooth repartee, I replied with a set of universally understood monosyllables. “Uh, err, ah, umm,” I said.

Gathering my wits about me, I continued: “Uh… nope, err… Nein. Ich bin… err.” At that I had exhausted what I remembered of my high-school German. All I could think of was “Ich bin ein Berliner.” That wouldn’t work. Wrong country, wrong era; moreover (urban legends about jelly donuts aside) I am no John Kennedy. Giving up, I continued in English, once again adopting my best Midwestern silly grin, “Can I have a late check-out?” I said.

I had been caught in the act. Apparently, my midnight trial-and-error tactics with the hotel phone had only succeeded in lighting up the switchboard. At checkout, I found out that I had also succeeded in calling most of the hotel’s other guests. Jet-lagged, I had been up in the wee hours; apparently ringing rooms randomly about the hotel. I had not made any new friends.

Let me tell you, it’s hard to look innocent with alligator clips in your hand. In those bygone days, I had traveled with a neat little home-made device — something I nicknamed a “blackjack” — a three-foot length of telco cable with two alligator clips on one end and an RJ11 on the other. In the dreaded hard-wired hotels of the past, one could (if you knew what you were doing) unscrew the room phone’s mouthpiece and, with proper application of the alligator clips, achieve the satori of oneness with a distant (and now prehistoric) packet network. It was all a question of feeding the right wires to the right alligator, holding your tongue in the right position, while simultaneously dialing the phone with your feet. Easy as pie.

I had been trying for the Swiss equivalent of Tymnet, but something had not gone right. Perhaps I was supposed to dial a “9” first, or was it a “0”? Damn, whatever it was, I had done it wrong. I was young and foolish. I used to dare any hotel to defeat me. If I could unscrew the mouthpiece and find the right two wires, dial-tone was mine, I’d boast. Universal oneness would follow. “Pride goes before destruction, a haughty spirit before a fall.”

Luckily I was checking out that day. I’m probably not welcome back. It’s a shame. It was a nice hotel, nestled right next to Lake Geneva; walking distance to the various U.N. agencies at the Palais des Nations. They also served a good entrecote and frites, and a damn good fondue. I am easily pleased.

There was no wireless then; the internet was in its infancy, phones were hardwired, and hotels were worse than clueless. I left that hotel defeated. Shamed, I recall dejectedly tucking away the blackjack and reattaching the phone’s mouthpiece. All the while, the TV played five minutes of back-to-back cheese commercials. Fromage is a national pastime.

These particular cheese commercials consisted of a woman in a flowing diaphanous gown running down a hillside covered in waving lavender, pursued, and eventually caught, by a muscular manly-man, a la Fabio, dressed in a billowy white shirt open to the waist. Perhaps it was Fabio. Whoever it was, at that climax, the narrator would announce in a husky, sultry voice the word “fromage,” and the commercial would end. Fabio and fromage are forever linked in my mind — a rather terrible and strange mnemonic trigger.

I left Switzerland — a country now and forever associated with dangerous liaisons, strange TV, and, of course, cheese. Since then, my blackjack has gone to the great “box-o’-wires” in the sky (actually the basement), and the world is a safer place for it. Hoteliers, world-wide, breathe easier, no doubt celebrating with a nice plate of Raclette. Someday I suppose I might even go back to Geneva and use my real name.

Connectivity, never easy, is nevertheless still dangerous. In fact, it’s more dangerous than ever. I’m often surprised by just how dangerous it is, and how oblivious we are to it all. Moreover, I am amazed at how insecure all these “secure” networks really are.

That was then, this is now. That was Switzerland, this is Germany. Nevertheless, in some strange twisted synchronicity, there are cheese commercials on the TV as I carefully type the hotel’s wireless passkey into my laptop. I can hear the putter and splash of cargo barges and touring ships as they work their ways up and down the Mosel River. It’s an idyllic scene, a setting that masks the inherent dangers of my actions.

Why the paranoia? Well, I don’t trust hotels to know what they’re doing, nor do I trust the other guests. Moreover, they should not trust me; nor should you. Trust me. It’s more dangerous than ever. For example, on this particular hotel network, there are lots of things I shouldn’t be able to see, and I’m not really even trying — just glancing around casually while waiting for my email to sync.

The hotel’s wireless… well, it’s wide open. Without even looking very hard, I could see the network tracks of half-a-dozen trusting hotel guests, including one nice open file share, complete with various documents and spreadsheets. There are also what appear to be a wide variety of the hotel’s PCs. I idly considered upgrading my reservation. But, I’m not that kind of a guy. I might have had a field day. Instead, I check my firewall to make sure I’m safe from prying eyes or possible assaults on my precious collection of spreadsheets, memoranda, silly blog posts, and essays on cheese, Hegelian transcendental epistemological deconstructionism, and French fries.

Connectivity was dangerous. Connectivity is dangerous — more now than ever. Moreover, it’s dangerous on both sides of the equation. My policy is: if I don’t control the device — whatever it is — it’s not going to touch my network, period. I have no idea where you’ve been, or what you’ve been doing with that little device of yours. You may be innocent, but your laptop may have gone over to the dark side. A Sith lord may be hiding in your iPhone. I’m not about to find out the hard way. They’re hard to get rid of.

Similarly, I’m forever surprised at how often, and how easily, people give me access to their “secure” wireless networks without a second thought. The risks are great. I may look innocent, but you haven’t a clue where my laptop has been. This problem persists in most nonprofit organizations I visit.

Upon request, folks blithely offer access. “Can I get on your wireless network,” I ask. “Sure,” they say, “here’s the passphrase.” And, just like that, they hand me the cookie jar. A few even offer up, meekly and mutely, the Ethernet jack on the wall. Surrender Dorothy! Here come the flying monkeys!

With nonprofits, when I’m offering advice or putting together this or that plan, I always, always advise and budget for setting up a separate “guest” network. It makes things easier all around. You can give out the key willy-nilly and not worry, you can be hospitable and accommodating, and you can be safe and secure in the knowledge that no one is going to steal your cheese, or whatever else might be lying about on your network.

Guest wireless networks are simple, cheap, and easy. That’s the irony. It’s a problem so easy to solve. Small routers (wired or wireless) are cheap; it’s a no brainer. Here are two easy approaches:

  1. Set up a “Three Router Y” guest network — this option uses three routers, in a “Y” configuration. It’s simple, and given the cost of routers, it’s cheap. If you have a large area, or need multiple access points, it can get complicated in delivering the connection to various access points. But a simple one you can do for the price of one router and two wireless routers, or as little as about $180.
  2. Set up an “Open-Mesh” guest network — this option uses a set of open-source protocols on little beasties called “Open-Mesh Mini-routers.” This is for the more adventurous, those willing to walk a little closer to the wild side, the world of open source, open protocols, and funky startups. You can do this for as little as $50.

Setting up a Three Router “Y”

The simplest configuration is called a “Three Router Y.” It’s called a “Y” because the functional diagram looks like an upside-down letter “Y.” I’ve drawn a pretty picture below.

Basically, you “split” the internet connection where it enters your organization into two. One is for your organization and the other is for guests. Given this design, it is impossible for any traffic to flow between the “Private Network” and the “Guest Network.” Each is isolated from the other, yet both can reach the Internet via the shared connection. Moreover, since the two networks actually have the same internal sub-network (192.168.1.XXX), it’s absolutely positively impossible for any pesky packets to find their way from one WLAN network to the other.

This particular design works for small organizations that have only a single connection to the ‘net and probably only have one static, public IP address. It also works for home setups — if, for example, you want to provide a “guest” network at your house and keep your nasty hacker friends out of your MP3 collection.

Note: If you’ve got a more sophisticated setup, and/or multiple public IP addresses, you can eliminate the first router in the chain, and simply split off a “guest” network before your firewall. That’s the trick.
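To make the isolation argument above concrete, here is an added Python model of the “Y” (my example, not the author’s). It applies the sending host’s on-link check and the downstream routers’ stateful NAT to a packet and reports where it ends up. The 192.168.0.0/24 upstream segment and the two WAN addresses are constructed for illustration; only the shared 192.168.1.0/24 on both sides comes from the post.

```python
import ipaddress

# Constructed addressing for the three-router "Y" (assumed, not from the post).
# Router 1 sits at the internet connection and owns the shared segment 192.168.0.0/24.
# The private and guest routers each hang off that segment by their WAN port, and
# each uses 192.168.1.0/24 on its own LAN side, exactly as the post describes.
UPSTREAM_LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTERS = {
    "private": {"wan": ipaddress.ip_address("192.168.0.2"),
                "lan": ipaddress.ip_network("192.168.1.0/24")},
    "guest":   {"wan": ipaddress.ip_address("192.168.0.3"),
                "lan": ipaddress.ip_network("192.168.1.0/24")},
}


def trace(src_side, dst):
    """Follow one packet from a host on src_side ("guest" or "private") to dst.

    Returns one of:
      "on-link"        - dst is inside the sender's own /24, so the host ARPs for it
                         on its own segment; it never reaches the other side's
                         identical /24, which is the whole point of the design.
      "dropped-by-nat" - dst is the other router's WAN address; that router has no
                         outbound state for the flow and drops unsolicited traffic
                         (assumes WAN-side management is off, the consumer default).
      "shared-segment" - dst is on router 1's LAN, e.g. router 1 itself; reachable
                         from both sides, so its admin page must be password-protected.
      "internet"       - anything else is NATed twice and forwarded upstream.
    """
    dst_ip = ipaddress.ip_address(dst)
    me = ROUTERS[src_side]
    other = ROUTERS["private" if src_side == "guest" else "guest"]
    if dst_ip in me["lan"]:
        return "on-link"
    if dst_ip == other["wan"]:
        return "dropped-by-nat"
    if dst_ip in UPSTREAM_LAN:
        return "shared-segment"
    return "internet"


def guest_paths_to_private():
    """Map a few private-side targets to how a guest packet to each terminates.

    Every value should be "on-link" or "dropped-by-nat"; "internet" or
    "shared-segment" here would mean the split is misconfigured.
    """
    targets = [str(ip) for ip in list(ROUTERS["private"]["lan"].hosts())[:5]]
    targets.append(str(ROUTERS["private"]["wan"]))
    return {t: trace("guest", t) for t in targets}
```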

Open-Mesh Mini-Routers

When you walk the wild side, you can get burned. I first started looking at “mesh” devices made by a company called Meraki. They were pretty neat. They were really cheap. They automatically set up a private network and a public network. I was all ready to go, but then Google bought them or something, and all of a sudden the boxes cost three times as much, they started slipping adverts into everything, and got all funky. So we’re going to switch to the spin-off, open-source alternative — something called “Open-Mesh.” They offer fine wee devices that have some pretty neat features. They’re cheap as all get out ($49.00). You can even get a POE (power over Ethernet) injector/splitter kit for $6.95.

Called an Open-Mesh Mini Router, these beasties use some neat “mesh” technology — technology that lets you use the cigarette-package-sized device as either a router (connected to the internet) or a repeater (boosts and extends the signal, allowing greater coverage).

For me, the Open-Mesh stuff solves a problem — they could provide coverage in a building that’s built like a Faraday cage. Seriously, my offices are scattered across six (non-contiguous) floors of a sixteen-story building, a building that has a higher percentage of steel than a ’50 Buick Roadmaster. In fact, I think it’s actually built of interlocking Buicks. (Figuratively it IS built of Buicks, and Chevys and Cadillacs and a couple of odd Oldsmobiles thrown in for good measure.) Cell phones only work because the roof is antenna city. I figure there is enough wireless radio activity to melt Raclette, but I haven’t tried yet.

These Open-Mesh routers are not specifically designed for split guest/private networks for organizations. I’m bastardizing their technology. Nevertheless, while it’s not designed for it, it does it very elegantly. So elegantly that I just couldn’t resist. If you want to read more about Open-Mesh, look here: Http://open-mesh.com.

Using one of these Mini-Routers (they’re made by Accton), setting up a private/guest network is a breeze. There is no need for three routers. It only takes one; the beastie supports two isolated WLANs (and two SSIDs) on the same box. You just plug it in to the ‘net and give it power. Then, with a few clicks on a web-management page, you’re done. The Open-Mesh Mini-Router automatically sets up a private (WPA encrypted/passphrase required) wireless network and a second, “public” network. The second network can be encrypted or not, as your heart and/or neighborhood desires. And, if you find your neighbors are busy sucking all your bandwidth watching YouTube, you can throttle back the bandwidth. Management is easy as cheese pie. Fabio could do it.

The two separate networks are isolated from each other — in a nutshell, these beauties provide dual networks out-of-the-box, one for you and the machines you trust, and one for everybody else and their dirty habits.

Finally, icing the cake nicely is the mesh stuff. Because these Mini Routers will operate as either a router OR a “mesh” repeater, it’s easy to extend coverage through your own particular Faraday cage or neighborhood. Need more range, just add more mini-routers.

Once added, any additional Mini Router will automatically “link” to its next closest brethren, extending the range of your wireless network without additional cabling. I have been told that there is an effective range of about 100-300 feet between each hop, and that three hops is the limit. Keep that in mind; your mileage may vary. Nevertheless, unless you’re hooking up a mini-mansion, one or two should be sufficient to extend and boost your internet connection into the nether regions of your office or home. If you are hooking up a home the size of Bill Gates’, you can always mix and match, interspersing wired Mini Routers with unwired repeaters. You do need to provide power to the beasties, though. A Swiss Army knife is not required.

2 comments to Les Liaisons Dangereuses

  • You lost me after the French Fries.

    We have found that splitting our Internet connection into a Guest and a protected network behind the firewall allows us to scan the traffic, filter sites and control the traffic through the firewall. With the new 802.11n access points, we are getting much better speed and coverage.

    Go back to Germany…I liked that story.

  • Hi Henry,
    Yeah, but… IF you split after the firewall, you must take precautions (or invest in sometimes expensive equipment) to ensure that traffic can’t unwittingly flow between your guest network and your enterprise network.

    Now… I know you. You’re smart enough and good enough to do that. Moreover, you’ve got the resources (not to mention, you’re not what I would think of as a “small nonprofit”). Your needs and your infrastructure are pretty damn complicated (and impressive).

    And, just between you and me, since we also run a semi-public facility, we actually set up three networks: One for Us, One for Guests (scanned and safe and filtered but still isolated) and one for the unwashed masses.

    gavin
