Keeping an Open Wireless Network?

By Kris Plunkett at 12:16 pm on January 10, 2008

I’d like to briefly share with you an interesting article that famed computer security scientist Bruce Schneier recently wrote for Wired. In it he argues against securing your wireless network and for having open networks that others can use. To the obvious arguments against having open networks, such as people stealing your bandwidth, using your connection to perform illegal actions, or breaking into your computers, he replies: “…I don’t think it’s much of a risk.” He claims that virtually all potential negative consequences are either highly unlikely or of no significant consequence after all. It’s very interesting to see such a radically different viewpoint on such a seemingly obvious topic from a prominent computer security expert like Mr. Schneier. I encourage you all to check it out. It’s a quick and fun read.

As for myself, I secure my wireless networks for the same reason I lock my doors. Yeah, I’d like to think that I would be doing the good Samaritan thing by keeping my house open to passersby urgently needing to use a bathroom, but the risk that they might take something valuable on the way out just seems too real. On that same note, although Mr. Schneier might be right in saying that the risk of legal prosecution due to me keeping my network open is small, any risk to my life and freedom is too much. So that some “people…[be] rescued from connectivity emergencies by open wireless networks in the neighborhood” is not worth life in jail. If someone needs an open network that badly, they can drive the extra half-mile down the street to the coffee shop. Scary enough is the idea that it only takes one malicious user to make your network a conduit for crime. Also, Mr. Schneier argues that one should not rely on a secure network for computer security in general, because as soon as you take your mobile computing devices to a public place, they are no longer under the umbrella of a secure network and are therefore vulnerable. I say that both the network and the computer should be made as secure as possible. This follows the basic computer security principle of overlapping controls. Or perhaps I’m just too paranoid…

Filed under: Ethics, Miscellaneous, Policy

10 Comments

  • 1

    Comment by Nathan Bergen

    January 10, 2008 @ 11:12 pm

    The fact of the matter is, if someone really wants to get into your home network, they probably will be able to. And if not yours specifically, a large majority of the population. Even among CS majors here, how many of us actually secure our networks with anything more complex than the controls found on your average $70 router?

    From that perspective, I can almost understand his rationale for opening his network to anyone who’d use it. However, one thing in the article does strike me as sour… He comes across as seeming to think that just because he leaves it intentionally open, he won’t be liable for anything that happens to it. In fact, I think the opposite might well prove to be true. As one educated in such matters, making a conscious decision to leave the network wide open can easily be construed as negligent, or at least it seems so to me. I’m not aware of any cases in which the ‘my network was open, so you cannot prove it was me that perpetrated these crimes’ defense actually worked.

    Combine that precedent with a conscious, informed decision on the side of negligence, and I certainly wouldn’t rush to his side, were I a lawyer.

  • 2

    Comment by iddav

    January 11, 2008 @ 12:21 pm

    As someone who finds it annoying to lock doors, I completely agree with Bruce Schneier that we should–in most cases–leave home wireless networks open. General principles like “lock doors” or “secure wireless networks” have exceptions that are more optimal in certain situations.

    Let’s take the “lock your doors” principle as an example. Suppose that I live by myself in an apartment in the U district. My apartment would have, say, $20 in cash, some clothes, some cheap furniture, and my computer. My most valuable asset, the data on my computer, would be backed up remotely. I think that it would not be worth the time to lock the door on my way out. It is my impression that the likelihood of someone attempting a break-in to my apartment while I am gone is very, very small (much less than 1 in 10,000 over the course of a year). And if a break-in does occur, I probably wouldn’t lose anything irreplaceable. Mainly, it would be the inconvenience of getting a new computer (which I might need anyway), restoring the data, and maybe changing some passwords. (Besides, if there are people willing to risk jail time for my items, maybe they need them more than I do anyway.) Looking at this another way, I would lose at most $1000 in the event of, let’s say, a 1-in-10000 burglary. That’s a cost of $1000/10000 = 10 cents for the convenience of not needing to lock/unlock the door all year! I’d say that’s worth it.

    If you believe, like I do, that the chance of someone relying on your home wireless network to gain access to your computer or to perform other malicious activity is tiny in reality, then the same reasoning applies to open wireless networks. I think it is many times more likely that someone would use your open wireless network for something innocent (like browsing porn sites). So unless you have something highly valuable at stake, it may simply not be worth the effort to set up a secure wireless network at home.

  • 3

    Comment by cbhcking

    January 11, 2008 @ 12:35 pm

    Actually, the controls on your average router (and $70 is well above average) are good enough to block almost any attack if some thought is given to configuration, especially if you take the effort to reflash the firmware when updates are released (not that almost anybody does). In any case, for a home user the risk is very low with even minimal security – even WEP is strong enough to stop wardrivers – and WPA on any router is more than strong enough that, unless there is a specific reason to target you, an attacker will simply pick an easier target.

    This also ignores automated attacks. Consider a worm that connects to open access points, dictionary-attacks the administrative controls (which on many APs are accessible via WiFi), and re-flashes the firmware to propagate itself. Such a worm would have incredible access; all your Internet traffic, all internal traffic that goes through the router, and all the computers and/or access points in range. Having multiple unsecured APs in range of each other is not uncommon in urban areas, so this type of worm could spread rapidly through densely populated regions.

  • 4

    Comment by Nathan Bergen

    January 11, 2008 @ 12:51 pm

    While the controls on your router may deter a wardriver to an easier target, if it’s the script kiddie next door with nothing but time on his hands, even WPA-RADIUS is vulnerable.

    Regardless of how possible it is for standard encryption mechanics to be cracked, an open system is, well, open. I think it is also important to note what kind of area he is advocating keeping an open system. In a rural neighborhood, or even suburbia, the risk would be far less than a densely populated area such as the U District.

  • 5

    Comment by kingpig

    January 11, 2008 @ 12:58 pm

    I think theft has a much higher probability than one might think. I was an RA in the dorms for two years, and I would see theft on an almost weekly basis there. While I know it is more likely to occur in the dorms than it is in an apartment, I think 1 in 10,000 is a very optimistic number – especially if you leave your door unlocked all the time.

    Also – the $1,000 to have your computer replaced doesn’t factor in some of the other annoyances that you have to deal with if someone gets into your apartment and steals. There is also the cost to you in time in order to go around and get all of your stolen stuff replaced, file a report with the police, and generally deal with the situation.

    And finally, there is the possibility that the thief will vandalize your home when they enter it. When I was five years old, burglars broke into my house while we were away and trashed the place while stealing everything valuable they could find. The cost of the damage they caused was much higher than the cost of the property they stole. All in all, it makes the two seconds to lock my door worth the stress that I might have to deal with if I don’t.

  • 6

    Comment by cbhcking

    January 11, 2008 @ 12:59 pm

    Considering the analogy of the unlocked house, you’re forgetting that stealing *things* isn’t necessarily what the criminals are after. Suppose there’s a basement to your house that you never fully explore (symbolizing the bandwidth available via your router). Suppose there’s a side door, which isn’t under observation, leading directly into that basement (symbolizing the ability for people to access the open AP remotely and nearly invisibly).

    Now, you obviously don’t care much about this basement, you don’t secure it and you probably wouldn’t mind too much if a homeless person is sleeping down there. However, it would probably bother you dramatically if somebody is running a meth lab in your basement, or using it to store murder victims, and the cops track him or her down (assume for the moment that you can’t smell it from the house).

    Think about what illegal acts you could do with an Internet connection that can be accessed invisibly and can’t be tied to you. Kiddie porn (or anything else that’s illegal on the web) could be hosted through your connection. Botnets and phishing scams could be operated from your IP address. Your bandwidth could be used for DoS attacks. The probability of any particular one of these or similar threats occurring is slight, but consider the potential damages – even if you manage to convince the court that none of it is your fault (an outcome I certainly wouldn’t count on), you’ll be out a lot of legal fees and time in court, you may have had to do jail time prior to getting out on bail (assuming you can afford to), and it probably won’t be good for a reputation of respectability. At the other end of the spectrum, you could get thrown in the slammer for a few months/years/decades, have massive punitive fines to pay, find yourself facing civil lawsuits from people or companies attacked via your connection, be registered as a sex offender for the rest of your life, or any number of other unpleasant things. Against any risk of all that, I’d be willing to spend a few minutes of my life securing my network.

  • 7

    Comment by Brian Mayton

    January 11, 2008 @ 4:52 pm

    I like the idea of open wireless networks. The internet is a public network, and I think anyone should be able to access it regardless of where they happen to be at the moment. That said, I keep my wireless network encrypted (and most of the time I don’t broadcast my SSID.)

    The problem with open networks is that people are accountable for what goes over their networks. Nearly everywhere that I have a connection to the internet (and might want to create a wireless network) all connections made could get traced back to me, through means such as keeping track of which subscribers have which DSL modems, requiring log-ins, and keeping track of which switch port corresponds to the ethernet jack in my room.

    While the Digital Millennium Copyright Act (DMCA) provides protections to ISPs so that they are not liable for actions committed by their customers, provided they follow certain procedures for dealing with such cases, these protections don’t extend to individual users running wireless networks (unless they can claim to be an ISP, which is almost certainly a violation of their ISP’s terms of service, even if casual sharing is not).

    The lawsuits brought against many individuals by the RIAA lately have demonstrated that simply being accused of performing infringing or illegal acts over an internet connection is costly for the person accused, if the accused person’s IP address can be even loosely linked to the infringing activity. In this case, the person has the option to accept any monetary settlement that may be offered, on the order of several thousand dollars, or to fight the accusations in court. Even if the accused person proves that he or she is innocent and is able to recoup legal fees, a large amount of time and effort is required, simply as a consequence of having been accused.

    Having an open wireless network connected to my name, particularly in a university residential setting where a large amount of copyright infringement is known to take place, is simply not a risk I’m willing to take so that someone nearby can check his e-mail in a pinch. Using encryption hardly makes me immune to this threat, but it discourages the majority of users who may want to use my network to do harmful things, particularly when there are several open access points nearby.

  • 8

    Comment by Andrew in Houston

    September 25, 2008 @ 8:38 am

    You know these security guys normally know what they are talking about. My main question is: if you personally access secure sites such as your banking or stock trading accounts and someone is using your open WiFi, can someone steal your info? If they cannot then I am all for sharing. Unless someone can harm your server or steal information the more the merrier.

  • 9

    Comment by Kris Plunkett

    November 19, 2008 @ 1:46 pm

    Anyone who is on the same WiFi access point as you can see all of your traffic. Now the thing to consider is whether or not your traffic is encrypted. If you’re browsing bank and stock accounts, then most likely your browser has established a secure, encrypted connection (over SSL) with the bank or stock account server. Then others on your WiFi network can only see your encrypted traffic as it leaves your wireless card and is received by the access point. If you are using a secured WiFi network, then an attacker would first need to crack the WiFi encryption, and then also crack the encrypted SSL connection between you and the server. If your WiFi network is secured using a WPA variant, then you shouldn’t have much to worry about. DO NOT use WEP to secure your wireless network. It is crackable with minimal effort and expertise.

  • 10

    Comment by Thompson@Cheap computer

    February 16, 2009 @ 10:14 pm

    To some extent it sounds odd, but let’s face the reality: whatever security measures you install, there is a chance of the data being stolen.
