Schneier on Security

This might be interesting for you:

http://www.heise-security.co.uk/news/101382

Scientists of Indiana University and of the Institute for Scientific Interchange (ISI) in Italy have investigated wireless networks as a potential platform for the distribution of worms, and have developed an epidemic model depicting how fast such a worm might spread across a city.

My wireless network has an SID of "4accessCall" and then my mobile phone number. I have had 4 people call me so far,and I immediately send them a text message containing the wpa password which is "opennetwork". That way I have the phone numbers of the people using my network, but there's still a low barrier to use.

I agree that sharing your wifi is basic politeness. I have been stranded without broadband enough times to wish that there were more people like us.

There are other advantages to having an open network. My father allows his neighbours to use his network. One day it went down (I think it was a result of an OS upgrade) and one of the neighbours noticed this and spent 2 or 3 hours sorting it out for him.

My parents live in a block of flats by the seaside and quite often some of the flats are let out to holiday makers. My dad's free network means my parents often get to meet and socialize with these holidaymakers. Some return every year and some lasting friendships have been made.

I offer my guests wireless access without running an open network: we have to go through the pain of correctly configuring the SSID, key, etc, once, but most of our guests come back a lot with the same equipment.

Just for the record: FON now allows free access to any FON hotspot even if for those who choose to receive financial compensation for offering theirs ("Bills"). I myself remain a Linus because I do not want money (for legal and tax reasons) out of my being a Fonero.

One thing Bruce doesn't address in his essay is whether he uses anything to mitigate the risk of people intercepting information transmitted over the wire.

It's trivial to set up something like OpenVPN or (less trivially) IPSec, which can run over any open wifi hotspot, and should protect you against many man-in-the-middle or cookie-stealing attacks...

Erratum: "The accused's chance of winning is higher than in a criminal case, because in civil litigation the burden of proof is lower."

Either "accused" should be "accuser", or "than" should be stricken.

I haven't read the supporting articles yet, but the last of the opposing ones has the worst argument I've ever heard on the subject.

"You'll cause your ISP to loose revenue, which is evil".

Wow.

If I was your guest I would appreciate the access. I run 2 wireless AP's. One extends coverage toward my local pub. Looking at the logs I'm the only one that uses it a lot.

My wifi access point at home is visible to all of my guests and there is a big tag with SSID and WPA-PSK password on top of it.

I don't want to open it free because I have a limit on a total download per month and there are a lot of heavy P2P users around here... and I don't want my network to congest when I'm racing Live For Speed online :-)

Really? The risk of being hit by an asteroid is one in 500? Perhaps if I live to be a million!

My wireless network is open, though. I'll know if it's being used a lot, because I'll get an email from my ISP to say I've been charged more. I've never had more than one of these in any one month, and it's most likely all my own usage.

Bruce,

It must be in your archives somewhere.

How do you protect your laptop when you use is wirelessly at home or in an airport?

The main reason I secure my network is the one mentioned by Ludwig. Even if it is not the case today - leaving WLANs open by everybody will cause someday that those networks will form parallel network of networks in future used mainly by spamers and Zombie farmers... Connecting non-firewalled computer to Internet couple of years ago was perfectly secure for couple of hours, today after 20 minutes it is full of trojans and viruses. I think blackhats will use internetwork of non-secured WLANS anything soon.

I cannot agree with the underlying premise more, although I always counsel caution.

Cyber-hospitality is quite an important part of the modern world. As I pointed out in " Internet Dial Tones & Firewalls: One Policy Does Not Fit All", a presentation for the Tampa chapter of the IEEE Computer Society in April 2004 (slides available at http://www.rlgsc.com/ieee/tampa/2004-3/internetdial.html ). "Safe Computing in the Age of Ubiquitous Connectivity", a full paper on this topic was presented at LISAT 2007 (see http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html )

The underlying concept that enables the safety of this type of access is the careful use of a network topology using nested and sibling firewalls, a concept that was in "Security on the Internet" (Chapter 23, Computer Security Handbook, 3rd Edition, Hutt, Bosworth, and Hoytt, eds., Wiley, 1995). The material is also in the Chapter 21 of the 4th Edition (see http://www.computersecurityhandbook.com/csh4/Chapter21.html ). Such a topology protects the access provider from penetration or monitoring, while the careful use of a VPN tunnel (and/or SSL) by the user ensures the sanctity of their traffic.

- Bob Gezelter, http://www.rlgsc.com

I work in an office full of techies and we've often discussed this issue. Most of us have had problems with neighbors intentionally or unintentionally leeching bandwidth and so run closed networks. If my router could give priority to my mac addresses I'd open it up in a second.

I feel so vindicated. Despite being a security analyst and writer who has focused on wireless technologies, I've taken an endless amount of crap for running a wide-open wireless network at my home. But I live on top of a hill in a rural area surrounded by mostly Amish people. If anyone were sitting in a parked car (or buggy for that matter) within association range, it would be pretty darn obvious. The risk just isn't there.

In germany, we have a 'nice' thing called "Störerhaftung", i.e. liability for people that allow bad things to happen.

In September 2006, a court actually ruled that a person running an un-protected WLAN was liable for copyright infringements conducted over her internet connection because she could have easily protected her network.
It did not matter that it wasn't her. Even if if had not been her, personally, she had enabled others to do the copyright infringment and therefore she was liable.

It remains unclear, however, how "bad" the protection actually may be to avoid liability. Is WEP and MAC filtering enough or does it have to be WPA (is password "aaa" enough?) ..?

As Bruce says, all security is about balancing risk against inconvenience.

Home users (which is really what we're talking about here) need to tackle their highest risks first. The first step is to apply all relevant software patches and personal virus/firewall/anti-spyware updates.

The majority of home users don't do this and are therefore open to the whole gamut of remote automated attacks.

Until you are protected from all such automated attacks, there's little point in defending yourself against a manual attack from someone sitting outside your house.

To use Bruce's own analogy, that would be like installing an asteroid defence system on your roof but never locking your front door.

I live in a semi-rural area, so people parked in front, or a large amount of neighbors "leeching" is not a problem. However, the immediate next-door neighbors have been having a problem with their 15-year-old going to porn sites, so I protect our network just to keep him from jumping on our network to bypass their controls. :)

--m

@Jim Ramsey

Every OS is a bit different, but the basic idea is: Turn off any network services, don't use IE, keep your OS and applications patched. For Windows, I'd add a virus scanner and host-based firewall.

My wireless network had a 40-bit key for a while, but it was more problem than it was worth. It was trivial to crack, and my laptop wouldn't switch between the two APs when there was a key; when I opened it up, my laptop switches automatically. Some neighbors use the network occasionally, but I don't mind.

In some countries (like in France) you are liable for the traffic passing on your line.
Proving that you are not the author of the infringing traffic passing over your line will probably dilute the charges, but you remain liable for costs...
In that case, I prefer to secure my network just enough to have the hackers pick-up another network.

As far as I known this law hasn’t passed a trial yet. I wonder how to judge a liable but technically ignorant line subscriber.

In Australia we have capped bandwidth (sic). After 15mb we they reduce my speed to 128kbs. This makes it a risk that if I leave my network open, someone might siphon off my megabytes. But I like the 4accessCall ... SID idea!

Although I agree that the likelyhood of something bad happening from an open WAP is exceedingly small, the impact could be quite large. For example, a kiddie porn investigation. What steps could/should be taken to lessen that impact? Logging headers, for example?

For those who fret reasonably or not about wireless risks with home networks, there's always the wired option. Skip WiFi altogether. Quite workable for people who don't take their computers anywhere.

Then one can worry about TEMPEST interception. What is that van doing down the street.

Bruce, thank you for writing a good response to the notion that closed wireless is a security absolute.

"My sentiments exactly Sir" :-)

The hassle of configuring "each" new devices is too much for me to bother with setting security, there is little benefit for that complexity.

I'd love to open my wifi and install the FON appliance or the Meraki access points. Unfortunately these actions are against the Terms Of Service for every broadband provider in my area. Why should I risk losing my Internet access?

see this ( http://geekz.co.uk/schneierfacts/fact/158 ) Bruce Schneier fact for why this works:
Setting SSID of an open Wi-Fi network to "bruceschneier" makes it completely secure.

Not that I disagree with having the open access point, but allow me to play devil's advocate for a minute. With regards to others committing crimes on your open network, isn't the obvious risk not the guy in a parked car outside downloading child porn, but someone at your neighbor's house downloading child porn?

I would be more comfortable providing open access if the access point hardware could provide two grades of service -- one authenticated and able to access anything including the local LAN, and another unauthenticated and able to access anything except the local LAN. Failing to authenticate could just connect you through a simple filter on destination IP number. It doesn't seem that this would impose a high manufacturing cost on the equipment. If someone knows more about hardware manufacture, could they comment?

Open access that only provides net access with out exposing the Intranet is becoming more commom

Paul

I think the biggest problem with this essay is that it assumes the reader is savvy enough to secure their systems appropriately. I agree 100% with Bruce myself. My network is open, my systems are locked down, and I get notified of intrusion attempts (though I am always nervous about my WinXP system.) I use VPN to access most things (openvpn rocks) so I am not concerned about sniffing.

The issue is that Joe Q Average will read this and leave their network unsecured. Joe is probably running a copy of Windows with several unpatched vulnerabilities, and turned on file sharing because he wanted to share his printer with the kids computers. Further the kids have a computer on the network that is already loaded with trojans and viruses.

In Joe's case, his environment is already inherently insecure. He occasionally gets a cold prickly feeling that he should update his virus checker, but he quickly gets distracted by the football game. Adding wireless security will not make his environment secure, but it definitely is one more roadblock to being completely raped and pillaged by the less scrupulous neighbors who would otherwise discover they can download his quicken files and banking passwords.

@DF:

"Logging headers, for example?"

Righto, chap!. So when that almost apocryphal Real Child Pornographer does his Evil Deeds, he won't run an open Wifi, and have a set of convenient headers that implicate his neighbors all ready to give to the police when they come knocking?

There is a "problem" with open access (which I wouldn't mind giving out myself except...) when it comes to usage based internet/DSL/broadband circuits. in this case it boils down to "stealing", as I pay per byte, and can even be denied access to the internet if the "thief" used too much of my bandwidth.

In a non-usage based internet access setup, I wouldn't have had a problem myself to just "hand out" access with an open wireless network.

When Mr. Child Pornographer uses your access point to download his crap, it will be your house the cops come to. It will be you explaining to your boss how you need time off to defend yourself from these ridiculous charges. It will be you paying for a lawyer. It will be your PC being perused by a forensic expert, and your personal life and data exposed to law enforcement. While you may eventually be proven innocent, what was the cost to you?

One problem I can see with running an open wireless network: the router itself is accessible to the world, and it's not totally clear that one can secure a router like one can secure a PC. (Look at the recent hoo-hah surrounding uPNP vulnerabilities.)

I am so pleased to read that other intelligent people also believe that wi-fi should be shared. It's like having a
houseparty without having to clean up after! Thank you for your article.

My wireless network, and any I set up, are closed.

Although my laptop is secure, there are resources on the home network (the game console, the ethernet printer) that I can't secure. The printer in particular trusts the local network.

Any guest gets the password, but not someone out in the street.

Also, Bruce, I'm sure you've seen the UPnP problems, right? Does your wireless access point support UPnP?

Hi, Perhaps a Fonera (www.fon.com) is interesting to
replace your open hotspot with. Not only can you use a secure wifi
link to the ap, you can still offer "free" wifi to the bloke in the
car. When they connect they will get a nice page explaining you know
you haven't secured your device intentionally and that they are
allowed to do whatever they want to. They have to create a "fon"
account (free) and you can at least see when someone used your wifi;
how long and how much... In some countries you can only have XXX
mbytes a month of traffic untill they close your line down till the
end of the month. Also the SAFE act will ask to be able to identify
people that have surfed to certain sites... if your ISP starts doing
this...then he can only point to you... do you have a camera looking
at streetlevel checking if at that point there was a black sedan
parked using your wifi ? I'm a Fonero and I could send you a fonera
for cheap due to the "fonero gives fonera"-deal.
http://blog.fon.com/en We foneros "share" our wifi. We don't just
give it away to anyone; only those that share theirs as well... We
also have people write "connector" software that automatically
connect your pc, iphone, ... to the nearest FON hotspot. There is
even a maps.fon.com website where you can check the status of a
fonspot nearby and download it into your GPS so you can drive to it;
or alter your route so you can regularly check your email. FON is
not limited to a city or a country...it's borderless. Everyone can
join! it's not limited to "premium places" it can be your neighbour...

Hey, I enjoyed the artical, it was a good read. I too leave my network open, for a few reasons. First is being I like having access to the internet from anywhere, so if I'd use someone else's open network, I should allow them to do the same. Another reason is, if someone were to try and gain my information, they could probably just get around the security if they were into that kind of business.

I somewhat agree that chances of your wireless being invaded by the
wrong people is remote. But then again so is your house being robbed.
However the chance for this does exists. In my sub division there are
about 5 wireless networks. All but one is secured. It gives me some
belief that even these ordinary people consider their bandwidth and
their $40 dollars a month for internet theirs to blow, not anyone
else's. However in public places I think it becomes a perk to have a
open wireless hotspot. As for me its not about guest using my internet
when they are over. I simply turn off the security on my routers and
let them roam. With routers having longer range the temptation of you
next door neighbor to cancel his internet and use yours. Pretty soon
if he or she is a big movie downloader or other bandwidth sucker your
stuck with a slow connection. I have already have that happen. My
neighbor decided to forgo internet and began to steel mine. After a
couple of weeks of intermittent slow internet. I checked my router
stats and sure enough a Mac Address was on their that was not mine. So
I turned on WPA and two days later the cable company was there
installing broadband. For me it's about everyone paying their way. I
don't like freeloaders! Thanks for your time!

pdp and I propose a friendly challenge to Bruce: let us drop by your place and give us a chance to convince you that the threat is more than you think by simply testing a few attacks on your router (BT Home Hub as he works for BT?).

More here: http://www.gnucitizen.org/blog/steal-his-wi-fi

I'm in Australia and the ADSL account I have chosen has a 4Gb/4Gb (peak/off peak) quota. If I exceed that quota my connection is shaped down to 64Kbps (it normally runs at around 17Mbps).

For me the risk is that someone might download enough to push me over my quota (which wouldn't be hard). I'd rather not be connecting at modem speeds so I secure my network.

If someone visits and wants to use my Internet connection I'll either help them configure their computer or let them plug into my switch.

I have a similar approach.
My Wi-Fi is open to anyone. My router let anyone access the Internet via it. On the other side access to my home network is only possible via IPSec with X.509 certificates.

Bruce,

Obviously many people have told you this already, but let me be another person to chime in…

It can be TRIVIAL to do many bad things to your computer and network if you leave your wireless access point open. The hacker tools (I encourage you to look at Cain & Abel (www.oxid.it) for a starting reference point) make it click-click-click these days.

Yes, they can capture and analyze your network traffic. Any why you and I try our best to be securely use our computers, my years of network sniffing tells me even the safest computer user makes mistakes and accidentally sends out plaintext passwords. Generally it is because of a software glitch, or a web site that appears to use SSL/TLS that really doesn’t (frame-in-a-frame focus problems). Plain-text passwords end up being sent across the wire more than any of realize.

Unless you hard code your Internet router gateway’s MAC address and your own, someone can initiate an ARP spoof.

I can inject a worm or buffer overflow into your network traffic that can compromise the computers on your network. I can analyze your network traffic and figure out what you run, cataloging your software. And when an exploit comes out for that software, all the attacker has to do is beat you to the patch.

And it’s even more risky than accessing the local AP at a hotel, airport, or coffee shop, because an interested party has more time to collected more data, etc., and to be patient. In the other settings, you’re only exposed maybe 1hr to a few days. At home, I can take my time and just wait for the one mistake.

Although I believe in openness, paying it forward, and open source software, I think it’s a mistake to run a personal wireless access point in an open state. Someone wishing to cause problems in your life really could.

Of course everything is a calculated risk equation and obviously you have already done your own personal threshold calculation.

bytman nails it on the head. Here's my extended argument.

In a world where we Americans don't have an intrusive government which disavows civil liberties, this would be an entirely sane idea. But the attitude of most police and federal agents these days is "confiscate first, ask questions later".

I know that as a security researcher you're familiar with the concept that if a breach is possible, it has already happened. As soon as you open up your network you have to assume someone will access it and use it for illegal purposes. If it's merely trading copyrighted music you're probably in the clear - you'll get a cease & desist letter and you can possibly respond to that by saying you have an open network. If you're lucky, the RIAA/MPAA won't haul you into court anyway. But if someone is trading child pornography using your open network, it's not unlikely that the feds would decide to confiscate all your equipment to verify that it wasn't you before giving you a chance to contest "but I had an open network!"

In fairness, assuming that you don't mind the loss of all your computer equipment for up to a month or more while the feds complete their investigation, you should get it all back and not be taken to jail for a crime you didn't commit. And in theory, their narrow warrant would only apply to actual child pornography which of course you would not possess. But what if you happened to have other illegal material or you had an encrypted partition? Given the lack of precedent over handing over encryption passphrases it's very likely they'd keep you in prison until you revealed your passphrase and they could verify your innocence.

Summary: until we return to the days of "innocent until proven guilty" having an open wi-fi is a very dangerous thing, in my opinion.

On an unrelated note, have you ever done a piece on alternative voting systems, such as approval voting or Condorcet methods? It's not really your area, but since we're in an election year it seemed it might be a timely piece which could inform a great deal of your readers. The paper below is what motivated me to learn more about the
subject since the largest group of alternative voting system advocates is for Instant Runoff Voting, which is a poor method.

http://zesty.ca/lj/yee-oca-transferable-vote-3.pdf

Dear Mr. Schneier,

I just read your Wired article about open WiFi networks and was struck by this:

"If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter."

I know from previous blog posts that you're a Windows users (although perhaps not by choice) and that you use PGP (which unfortunately doesn't make the total disk encryption for Mac OS X, at least not for the boot disk), but what does the security guru use network-wise to secure your computer?

Thanks.

As a postscript I thought I should mention that in part of our CBD area several mining companies have got together and set up a wireless network. This network is intentionally open and usable by anyone.

It benefits them because it means their employees can access the Internet and then VPN into their offices from anywhere in that area of the CBD.

I agree with Bruce, although I used to disagree. (Now I sound like an American Democrat running for office!)

I did the same thing at home too, until my neighbors started using up all my bandwidth. I'm thinking about getting a 2nd wireless router for them and dropping them in a DMZ with packet filtering and throttling. :)

Woo hoo. Another reasonable person who really gets it rather than just run down the street with everyone else screaming Protect Yourself, else you will get hacked!!! I'm not sure which one of us thought of this first but I will say that it has been a few years that anyone logging on to my wireless network gets the log on message of "Welcome to the Ameeti network. Pay it Forward." I am a computer consultant and I set up quite a few wireless networks. I do also secure my clients computers and network while allowing their internet access to wide open. And then to top things off, I rename the SSID from 'Linksys' or whatever it may start out to be to instead be my client's name followed by my phone number. Nearby neighbors can know whose network they are seeing and if there is a problem that suggests coordination of wireless signals, it is a lot easier for the neighbor to get a hold of me to fix a problem. Otherwise finding an overwhelming amount of wireless access points with the channels set to 1, 1, 3, 5, 6, 10 is just no fun. I've so often just wished that people could understand that coordination and cooperation could make for a better neighborhood experience with everyone benefitting from faster throughput if we arranged for less channel conflict with nearby signals. 'Tis funny the calls that I've gotten over the years though by people calling and asking if I know that my phone number is being broadcast for all the public to see! O my. Now they know my number! Aghast! I will admit that it has pulled in a client or two who figured out that I knew more than he did. lol.

@bytman:

"When Mr. Child Pornographer uses your access point to download his crap [...]"

If the police are unwilling or unable to conduct a basic, simple, examination, then you are basically screwed ... no matter what, Mr. Bytman. Give me your IP address, and the conditions you assume, and someone can have a cop stepping on your neck inside of a week.

Kind of redefines the problem, doesn't it?

But perhaps you'll feel safer when I tell you that the number of real child pornographers in the entire world is almost certainly less than the number of real terrorists. There are probably more police officers posing as child pornographers than child pornographers proper. Speaks volumes, eh?

But hey, if you wish to live in a world of fear, that's your problem. Do feel free to terrify us though: find one (1) instance in the real world that is comparable to the scenario you lay out. Until then, I'm laughing...

Guess none of you live in the city.

We have to lock our wireless, there are just too many leechers out there, they easily overwhelm access points.

I can see 25-30 access points depending on where I am in the apartment. Almost all of these are WEP/WPA protected. Three or four are open, but don't hand out DHCP or use MAC address blocking, don't know which since I haven't tried to hack them.

Ever couple of months, a new access point comes on line (noted because it's named "linksys" and it's open). It stays open about a month, just enough time for the ISP to send them a bandwidth warning, then the access point gets locked.

Sharing is great, but here it's more subsidizing. That's OK too, but when it affects your ability to connect, then it's a problem.

A lot of you have mentioned using VPN (openvpn) as a means of keeping your network open and keeping your computer secure at the same time. Can any recommend a basic online guide to setting this up? I'm not computer illiterate, I've just never dabbled with this kind of stuff, and most of the websites I can find on this topic deal with large business networks. Any info would be great, thanks!

Reason I keep my wireless closed...
I paid for the f***ing bandwith.

I wish every router/access point worked like the ones that Fon is distributing. I wouldn't mind opening my wireless up - however there's no easy way to detect, and ban abusers.

However with two networks - a public one and a private one; it becomes possible to segregate the traffic, and also do some sort of bandwidth limiting. I'm happy to let random strangers hop onto my wireless if I can make sure they won't swamp my connection with bit torrent downloads, or high-bandwidth VoIP...

And while the risks of your access point being used for nefarious purposes may be low - they are not non-existent. It should be easy, and is, easy to protect yourself from a minimal risk. Although depending on where you live (rural, sub-urban, urban) that risk may be more or less than you think. Having separated traffic might help clear your good name in the event of some misuse.

I've never really understood why routers don't just use some form of PGP for the encryption. Distribute them with a little USB key or memory card... Let each PC that's going to participate in the network generate a key, and put it on the key/card. That way you transfer the public key(s) out-of-band - and have a high level of encryption for wireless network traffic if needed.

I guess I'm just paranoid.

"But hey, if you wish to live in a world of fear, that's your problem. Do feel free to terrify us though: find one (1) instance in the real world that is comparable to the scenario you lay out. Until then, I'm laughing..."
As computer forensic examiner, I see and here about these scenarios all the time. Typical perp defense - it wasn't me, someone was on my network/PC with a trojan/keylogger and took over my system and downloaded all that stuff. Go to your typical prison, ask any perp in there and they are all innocent and framed. So when LE comes busting down your door, they are supposed to just believe you?
A "simple examination" involves multiple days of work and report writing to eventually provide the exculpatory evidence so charges will be dropped. Meanwhile, your wife, kids, friends and neighbors think your a perv. It happens, and unfortunately, the arrest makes the front page, and the dropped charges make the back page.

i agree with Roger A. Grimes completely.
the time element in an airport, or the anonymity is crucial there.

besides, take a look at:
http://www.tgdaily.com/content/view/33207/108/
do you still feel safe?

An Open wireless network is an ideal way to eavesdrop on those who use your network.
Run dsniff, driftnet, ettercap, etc and capture their passwords for posterity. You can even crack HTTPS if you can get folks to just "Accept" any cert errors.
Think of a wireless network like a swimming pool in your back yard. If you put up a tall wooden fence, most people won't even know you have one. If you tear it down or leave the gate wide open with a sign that says, "come on in - no life guard on duty" then you are not truly absolved of responsibility if someone slips on the asphalt or drown.
I guess I'm just saying... you aren't paranoid enough.

Well I'm not going to read all of this. But after the /. thread Someone talked about FON. I have now joined and am waiting for the hardware now. I will be a linus of course, and I will be the 3rd person on my street (Vienna) to offer a access point.

I like Fon because you are *suppose* to share it.

I don't waste time and energy with defensive measures unless I perceive risk, and I perceive no risk in leaving my wifi network open. I get no end of flak from amused friends and family, but there you have it.

Unfortunalety, in Germany, you're not only liable for everything done through your internet connection, but basically you also have to make logs about who is using your wifi, and keep them for 6 months in case law enforcement want to take a look at them (they call it "Vorratsdatenspeicherung", kind of "preemtive data collection"). So while the idiots are still ruling this country, I'll keep my network closed.

@Khanbalik:

"It happens, and unfortunately, the arrest makes the front page, and the dropped charges make the back page."

I'm glad to hear "it happens". Now, then, can you cite a reference for the claim? I've heard of many kiddie-porn arrests, but these appear to be followed by convictions, not a silent dropping of charges. This suggests that the cops are in fact doing examinations before an arrest is made, which is contrary to another claim you made.

How can we be sure you are "computer forensic examiner", anyways?

Perhaps a more direct approach to the problematic government may be a good idea, rather than rolling over and taking it?

wonderful article on open wi-fi.

I just wanted to write with a minor correction about Fon:
Linuses' Fon access points aren't actually free for aliens
(non-foneros) to use, it's just that the Linus doesn't get paid. It
used to be that Linuses took no payment for use of their access point,
and in exchange got to use other foneros' APs for free, whilst Bills
got half of the day ticket price (after tax), but had to pay. Now all
foneros get free surfing, so there's no real benefit to being a Linus
any more. Aliens pay (last time I looked) 3 Euros or 3 US Dollars for a
day pass, or less if you buy a multipack.

Phil.

I have to chime in here. How many of you really believe all this kiddie porn crap?

Really how many do you think there are? About 30% of the population or something? Wake up and smell the coffee. Kiddie is simply not popular for one simple reason. Most folk want tits! as in most guys are not into kiddie porn.

Refuse to be terrorized. Even by fake kiddie porn junkies.

Ask yourself this simple question (for the men). How much porn did you look at this last year and how much of was kiddie porn? Or even illegal porn of any sort?

Mr Schneier, I too run an open newtork at home... and agree with you. It is a curtosy. If a car load of kids want to download porn while parked outside my house... go for it. I have bigger problems
than this in my neighbourhood... Drug use for one.
People need to focus on crime that matters and not laws that prevents
Britney Spears from collecting $0.07 cents for a song that is illegally
downloaded. Get a grip people.
-- Henry

Open Closed
Open Closed

Mine is closed.

I live very close to a rest area on the PA Turnpike. There's *no way* I'm opening up my AP!

@Jason

Only in the land of vast civil law suits......

My friend drowned.. Must be the swimming pool owners fault.

My cat died in a microwave... Microwave manufacturer must pay.

I hacked the internet... Blame the ISP for given you internet access in the first place..

One of my favorite signatures I've seen is
"My ISP is 'linksys' and it is nationwide."

I have said for a long time that running WEP just means that people won't get on the network by mistake.

I can see 3-5 networks around my neighborhood, and I'd rather not bind to a distant/slow one by mistake, so I run a closed network. My rural relatives are on satellite, and they have serious download limit issues, so they also run a closed network, just to retain control over that.

Excellent arguments, all of them. You forgot, however to mention community wireless networks like Personal Telco (http://www.personaltelco.net), Ile Sans Fil (http://www.ilesansfil.org/), CUWiN at Champaign Urbana (http://www.cuwin.net/) and many more. These folks have been working and arguing for free and open wireless access for nearly 8 years now.

I used to run an open network, but after getting it shut down by my ISP after a complaint from the MPAA, I had to lock it down or switch ISPs. There's not enough competition in broadband in my market to make that a very attractive option.

I actually run my wireless open with my SSID set to LeachHere, but I've never seen any takers on my offer. I even run an access point instead of a router so I get a real IP on my computer. I've had my XP box setup this way for years without being hacked. I don't have anything I really care about on that system, so I don't care if it does get hacked, it's easy enough to rebuild. I've been been running this way as an experiment. I run the built in firewall as my only protection and have yet to have a problem. I have also disabled any unused services such as the server service, computer browser etc. I also unbound the MS network client from the NIC and disabled NetBIOS over TCP/IP. That's why I laugh at people that say XP can't be secure.

First of all, I enjoy reading your various articles and books on security, and completely *agree* with your comment from the open wi-fi networks article. Part of it is just simply 'being friendly'. ;)

You might say that I'm the local neighborhood's 'mad computer scientist', and usually when someone's computer goes *bif*, *borf* or *poof*, they (usually) come to me. I have a small data center located in the basement of my home. I am also a private researcher on critical infrastructure issues (not just computer/cyber related, but...everything related, and not really relating to security or force protection, but ensuring that, for example, our drinking water is safe and always available -- that sort of thing), and lately have been thinking about whether or not it's *worth* "trying to keep up with the Jones'".

If at all, one thing that I've learned over the years of working in IT (outside of it doesn't pay enough, hours are weird or lousy, and that many end-users are impatient beyond belief) is that it's like trying to hold back the ocean with a broom -- you just can't keep it up. It's almost pointless or impossible, even if I don’t believe in those words. In some regards, the same holds true with security. It's (usually) a 'Whack-A-Mole' scenario, and you never EVER seem to appear to get caught up, or catch the 'bad guys' -- it's almost appears to be never-ending.

Same goes with wi-fi. I'm 'old school' and come from a time when hacking was done for fun, for educational purposes, and just because we could do it. ;) So...why not let the 'next generation' have some fun, too, right?

The problem is, is that today's hacker is much more differently motivated, and being paranoid about these things won't get us any farther. In fact, to me, it's a step backward. We, as a society, are falling onto a 'slippery slope' of constant surveillance, cameras everywhere, growing number of police units -- and for what? To "feel" more secure? How is that considered "secure"? The same might hold true with trying to protect something that you don't know where it's originating from, esp. a wireless connection point. Being a ham radio operator and trying to track down "jammers" over the years -- has been difficult -- if at best.

For home use, yeah, I try and watch the network, and try to keep my servers up-to-date, patched and check the logs periodically. But lately, with me being torn between my daytime job (being just a humble systems administrator), my attempt at a paradigm-shift into another (hopefully better paying) realm or domain (critical infrastructure research and book writing), it just doesn't pay to have a home data center, and *try* and keep everything "secure". It just doesn't.

A few days ago, someone was trying to break into the AP. It's a simple Linksys AP, and its firmware wasn't up-to-date (bought it at a local hamfest), as it had its original firmware (which I didn't bother checking). I went to Linksys, downloaded the latest firmware, then updated it. Then I turned off the Linksys AP. A few hours later, I actually got a nasty-gram from the would-be-hacker trying to penetrate my network. Needless to say, he was simply trying to check his email, and didn't know if I was encrypted or not. OK, so I'd give him (maybe) a "B-" for the effort and excuse, but it kinda made me think along the lines of what you said about open networks. So this evening, I turned it back on, and left it on -- and open. Incidentally, it was my next door neighbor’s son who was attempting to use my Internet feed for his homework assignments.

Maybe someone might abuse all of this, and we'd be faced with the ever-growing threat of the RIAA and MPAA telling us that we need to pay $15 every time we watch the same movie on our home entertainment center/system, or that we need to pay $10 for the same song we listen to. Personally, matters of economics will rule the decision, not forcing consumers into thinking that they're criminals, and maybe everyone will be happy -- maybe.

In closing, my grandmother always told me that modern society appears to be loosing it's grip on humanity. Maybe this is what she meant.

I work with a company called Meraki, another company that operates in the “share your wi-fi and make the world a little bit better� space. Meraki approaches the problem a little differently than Fon by creating mesh networks—users just plug in power for Meraki’s signal repeater device, it picks up the wireless network and then repeats the signal and meshes with other repeaters in the area. The secret sauce is that the software that routes data efficiently thought the closest nodes.

Meraki has a big (and growing) network of these open network repeaters in San Francisco--the SF network is powered completely by Meraki via a few dozen hardwired broadband points around the city and access is provided free of charge. You can check out a live map and data usage for the SF network here: http://sf.meraki.com/map

Just because you have found an 'open channel' does not mean that you can abuse it. If at all, many people are providing that 'open channel' as a courtesy; meaning, it's a "privilege", not a "right".

One more thing, I am -- by no means -- condoning nor promoting "openness" in lieu of "anonymity" for others to benefit from downloading videos or music illegally through other people's Internet connections. Morally, ethically, and legally -- it's just wrong. Don't do it!!!

There is an awful lot of "cargo cult" security about. For example, many sites put a "firewall" on their network and assume that's solved the security problem.

The trouble is, firewalls fail silently and some threats, such as the recent multicast packet problem with windows, can fly past the firewall without even slowing down.

While running an open WAP may be acceptable to Bruce, it is worth pointing out that he is not suggesting that it is good practice for all. (Bruce, please correct me if I am wrong) An 'average' user of the Internet is likely to be running one or more vulnerable applications or running applications that pass credentials or other sensitive information unencrypted. To those that are setting up clients with unencrypted WAPs - Have you made your clients aware of the risks involved?

While you're at it, why not run Tor on your open wireless so everyone jumping on your connection without permission gets routed through the Tor network?

This is a classic problem. If you live in an area with few people who want to use your network, it may make sense to leave it open.

In rural areas, it's reasonable to knock on someone's door and ask to use their phone or bathroom. In New York City, McDonald's doesn't have public bathrooms.

Making a blank statement that, "all wireless networks should be open," is as ridiculous as saying, "locks should be illegal." Marxism has been shown not to work in the macroeconomic sense, even through it may work in certain isolated environments. There may truly be more of these environments where sharing is reasonable but on a larger scale, the underlying trend of humans to satisfy their own needs will take over.

Right now, there's a barrier to entry into the WiFi game. As things like One Laptop Per Child change economies of scale on wireless terminal devices, we'll find more unscrupulous hoodlums who aren't affected by the same unentitled though that some are: if I destroy my community, I will be among those who suffer.

This debate is a good mix of the theoretical and the empirical, and it's worth examining where they differ, or in some cases, doing study to see what really happens.

Bruce is quite right that securing your computers, rather than your network, is the only truly good approach. This is particularly true because unsecured computers on a local net may get infected by malware which then gets a free pass in attacking other local computers because it is "trusted." Even with the most wonderful firewall, if you take a laptop outside it and get infected, you've doomed your internal network. Or if you install malware the firewall could not block, and there is no perfect firewall.

However, at the same time, because consumer computers (mostly, but not exclusively, Windows) are not properly secured, there is some merit in giving them more protection. In an ideal world, each computer is secure and doesn't benefit from the false promise of a firewall. Typical consumer PCs do benefit, however. The real issue is that the firewall (network protection) gives people a false sense of security and stops them from doing more.

Because the real security result is a complex mixture of the individual security of machines, and the nature and frequency of attacks from various sources, the true answer actually can't be worked out from theory. The true answer would come by studying the various strategies and their success rate at keeping computers protected. My guess is that instances of attack via open wireless network are quite rare compared to other sources of attack.

Finally, the question rarely addressed properly in security is the underestimated importance of UI. Good security with bad UI remains undeployed, and thus can be inferior to lesser security with better UI. The UI on WEP/WPA is poor. It is hard to welcome your personal guests on your network, hard to install on all devices and thus we often will see motives to leave it off.

I guess I'm one of those ppl who locks
their front door when leaving the house.
No stranger gets a free ride or a look at
my traffic. It's not a security decision it's a
decision based on personal preferences.
Some ppl also dont like to lay naked on
the beach .. it's the same thing.

Interesting article. I've always thought of hardening a wireless connection as part of a "defense in depth" strategy.

How do I "configure my computer to be secure regardless of the network it's on"?

How do I "configure my computer to be secure regardless of the network it's on"?

Use secure network protocols, and tunnel insecure network protocols over a secure protocol. SSL, SSH, VPN, etc. These protocols are designed specifically to allow secure communication over an untrusted network.

If all of your network traffic is encrypted, it doesn't matter if random strangers can park their cars outside and sniff packets.

Lots of back and forth on this one, but fundamentally I agree with Bruce: running an open access point is a marginal risk at worst for someone who takes precautions to protect their hosts. I do it, but that's because one of my neighbors plays bandwidth-intensive video games and hogged my network in the past.

The whole "but a Porn Panderer may use my network" seems ridiculous to me. Of course, if a pair of officers showed up at my door with a warrant to search my house they wouldn't find any kiddie porn, and if they hauled off my computer they'd find a few hundred legally acquired PDFs of research papers and about 80 GB of MP3s I ripped off my own CD collection.

It would be a logistical pain in the ass, but the only way it would lead to an actual legal problem would be if my local district attorney was seriously abusing their authority. Not that this can't happen, but I'd consider this a very, very improbable risk.

Heck, if you're worried about *that* risk, you ought to be more worried that your computer will become infected with some trojan and actually start serving out child porn, which would be much more difficult to defend yourself against... and if you're worried about that threat, you probably ought not to have internet access at all :)

http://securetheworld.blogspot.com/2008/01/to-wpa-or-not-to-wpa.html

I succumbed to the temptation of writing about this :)

I enjoyed reading this article. I like how you think Bruce. The ordinary folk thinks that someone depicted in the movie War Games will break into their Internet and download Child porn and perpetuate worms and that the safety of the internet will be defeated if Open Networks are allowed. I myself run an open network and never once had any trouble. I run my WRT54G on max 251mW for maximum coverage so my neighbors can get on the internet if they want to. Now if they start sucking bandwidth down, i will rate limit them. I'm glad to see there are still open minded people out there that write articles like this. Makes my heart feel warm. Case in point, I was out in the sticks installing a iMac, and I'm a PC guy, but the client needed the AOL software. Well, I drove around looking for a network to get on, found one and downloaded the AOL software and saved the day. Thank you to whomever it was that had an open network! And thank you Bruce for writing this article! I'm blogging this!

What issue no one seems to be addressing is the ethics of having an open wifi system. My daughter asked me what I thought of getting wifi from a neighbor. I told her I thought it was stealing -- not from the neighbor, necessarily, but from the ISP. Bruce, would you put a splitter on your cable TV co-ax or your satellite TV feed and run it over the fence to your neighbor's house?

Open wifi isn't stealing from your ISP, they charge an enormous about for a ridiculously small download quota. If your bandwidth is free, fine - but when you pay over 100$ a month for 10GB, open wifi isn't such a great idea ...

Regarding "stealing from your ISP":

There are two possible arguments here, an ethical argument and a contractual one.

From an purely ethical standpoint, your ISP provides you with bandwidth, and you pay them for the bandwidth, and they really have no ethical grounds to stand on to tell you how you ought to use that bandwidth. You can argue that you have an ethical obligation to follow the terms of the contract, but I don't see outright that you have any other obligation to your ISP whatsoever.

From a contractual standpoint, many ISP's have clauses in their contracts which forbid their subscribers from sharing their DSL access, much like cable TV providers forbid you from sharing your cable TV. However, I don't know of any ISP that forbids their subscribers from setting up wireless access points/routers in their terms and conditions (Pac Bell used to, many many moons ago, I don't think a current ISP would have much of a customer base if they forbid WAP connections). I have yet to see a Terms and Conditions that requires a DSL customer to run any particular configuration on their wireless router.

Most likely, you are well within your contractual rights to run an open wireless access point. Whether or not anyone else connects to this WAP is not relevant as far as your contract with your ISP is concerned; you have no obligation to *prevent* people from connecting to your WAP.

Setting up an open WAP and walking around to your neighbors telling them not to get DSL because they can connect to your WAP would be actively trying to share your connection, and a violation of your contract. Just plugging in a WAP and letting people find it for themselves (and, presumably, use it) is not.

@PaulD

I think that shows that you are quite a new internet user and forget where this all comes from. What separates the internet from the walled garden networks which preceded it is basically equal traffic sharing / I'll take your traffic if you take mine type of agreements. ISPs which provide asymmetric links (with the possible exception of low speed wireless links for mobile devices) or which attempt to limit the number of users on a connection are themselves leeches. There should be zero tolerance for them.

The difference between this and the cable network is that in the cable network all the value (programmes) comes from the top down. Thus the cable company is actually delivering something of "value". Well, okay I admit I'm lying, but the solution to that is not to steal television, it's to go and do something worthwhile instead. Like posting inane comments on Bruces blog.

Put simply, some of us would consider a deliberately closed WLAN network to be less ethical than sharing your ISPs bandwidth. You are relying on the infrastructure we built and you aren't willing to share even when you are able at no cost to yourself.

@Bruce;

Could you talk a little about risk mitigation strategies. Do you use a VPN most of the time? How do you stop someone doing DNS spoofing or man in the middle on the WLAN? Do you give your own computers priority over others? Are you ready to lock down if it became a problem? How big is your garden?

My problem with this is that I think fully open WLAN encourages less expert users to get used to unencrypted network connections. I would rather provide an open local network with access to some documentation on a web server and an open access IPSEC gateway. Now nobody would use it of course, but at least that would make it "secure" :-)

Yes Bruce,

The criticism is well warranted, for many reasons. Some of the other posters have made this well clear. So, I'll just note a few.

To put is briefly, having an unsecured wireless network may not be a security risk for you, because you are well aware of how to secure your use of this connection, such as by employing a VPN or other encryption, or by simply connecting via a wired line for your own use.

But for the average person, providing an unsecured network, or using one in an insecure manner, is an unreasonable risk because it is so easy to intercept all communications and view any that are unencrypted.

The YouTube video at the following link demonstrates why this can be a significant risk for the provider (using weak WEP encryption in this case).

http://www.youtube.com/watch?v=A88XB7_Jz7s

And users of your network are relying on your benevolence and honesty, because you can very easily intercept everything they do through your connection. They are unlikely to have your level of skill and knowledge, and are therefore unlikely to secure their communication.

Therefore I cannot help but find fault with your reasoning, and I believe your advise in this matter is uncharacteristically unwise and disingenuous.

And although, it has generated some worthwhile debate, Bruce, there really are better ways for you to provoke such debate without leading uninformed users down the primrose path.

'I remain unconvinced of this threat, though. The RIAA has conducted
about 26,000 lawsuits, and there are more than 15 million music
downloaders. Mark Mulligan of Jupiter Research said it best: "If
you're a file sharer, you know that the likelihood of you being caught
is very similar to that of being hit by an asteroid." '

These percentages aren't close
Music sharing= 1 in 500= 1/2 %.
I can't find an individuals chance of being hit by an asteroid but
Chance that Earth will experience a catastrophic collision with an
asteroid in the next 100 years: 1 in 5,000 .
Chance of dying in such a collision: 1 in 20,000

But we need to have a common time denominator. So that 20,000/100
years or 1 in 2,000,000 for a year.
The music sharing lawsuits have been going on for about 5 years (?) so
1 in 2500.

So that's off by a factor of 1,000.

This isn't splitting hairs. It looks like it is much more likely that
some one will be sued then that they will die in say a car accident
(1/20,000 per year).

Three cheers for plausible deniability!

@ Seth

You're forgetting a large part of your computation, here.

Assuming your numbers are accurate, you have it down that you have a 1 in 2,000,000 chance to be killed by an asteroid, and a 1 in 500 chance to be sued by the RIAA *if* you are illegally downloading music.

If you have an open access point, then, admittedly someone may use it to download music illegally. But, you would have to have an open access point, and they would have to connect to *your* open access point, and they would have to engage in illegal file sharing in such a way that they would fall into the 1 in 500 category.

I think most posters are missing an important part of what Bruce is saying - it's just not worth the hassle.

Sure, if you run an open wi fi connection, bad things could happen, but guess what? Most often for most people NOTHING will happen.

It's really not a big bad world out there. Most folks are, most of the time, good and decent.

Next time you're in an airport, try this experiment. Drop a dollar bill onto a major walkway, then just sit down and watch what happens. Dollars to doughnuts, that bill will be sitting there when you go to get on the plane. At a minimum, hundreds of people will walk by, see the bill and step over it.

I clipped a bill to my car antenna and it was months before somebody stole it (I lived near Cleveland OH and was in and out of high population areas all the time).

I've been on-line since 1200 baud bbs' and have yet to get have my virus scanner pick up anything.

YYMV.

To moz:

No, I am not a new internet user. Furthermore, I find the distinctions you're drawing between cable companies and ISPs to be flawed. Whether the source is top-down or community generated makes no difference -- you're paying for the access.

To Pat Calahan:

I find your best ethical argument your contractual one. If the ISPs themselves do not forbid setting up WiFis, then the result of doing so cannot be considered theft. Thanks for your response.

One of our neighbors gave their wireless network the station name "VirusFarm". Interesting 'security' measure, yes?

"I know people who rarely lock their front door, who drive in the rain (and, while using a cellphone) and who talk to strangers. "

As a side note, leaving your door unlocked or talking to strangers can only get *you* killed. Driving while talking on your cell phone drastically reduces your reaction time (some studies have reported a decrease greater than that of someone whose blood alcohol level is greater than 0.08 - see David Strayer's research, for an example of someone working in this field). This means that you have a much greater chance of killing someone *else* and not just yourself.

Poor choice of example...

"yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network?"

It didn't work for Javier Perez last year. Now there is some legal precedent that people might be held accountable for what happens on their network connection. Or that it can somehow waive your 4th amendment rights against search and seizure.

Yeah, but do they pronounce it "scown" (messed up American way), or "scon" (proper way.)

Seriously, I leave the front door unlocked all the time. I'm 6'5" and weigh 290 lbs. If somebody breaks in while I'm lounging around, who's likely to come out of that encounter with broken bones? Why do I bother setting up a passphrase with mid-word capitals that none of my friends can get right?

Bruce's example reflects the simple truth of risk vs. cost. An open network has very low risk. If I freeload on an open network, what do I do? Check my email, write my blog, update my rpm's, and surf for pron if the trip has been long. Who cares? Do I say - hmmm, open network, the machines here must be vulnerable? I don't have the time. It's much more important to keep important files encrypted than to secure your network. Nothing's going to stop the kids from downloading that program offering free anime or the spouse from playing internet games or the latest widget. Worry about what's important.

Especially here in Germany, there are examples of people FALSELY suspected for child pornography, with a search of the home and the work place, where the wife and the boss took immediate action.

Being suspected/accused for child pornography is like a black mark on your forehead that won't go away your whole life, even if nothing is found.

There are even examples of unguilty victims who commited suicide because of this...

Thanks for this Bruce. I totally agree with you. Obviously we are talking "fair use"; not bandwidth hogging or when the owner has size-limited downloads.

Was it not Thomas Jefferson (who?) who looked at this problem first, when he asked if it was stealing to light your candle from someone else's candle?

It's all right for you living in the land of the free. Here in the UK, the land of surveillance and petty authority, we already have a conviction for just this (there may have been a sort of plea-bargain - illegal here - behind this),

http://news.bbc.co.uk/1/hi/technology/4721723.stm

Next they'll get you for depriving Rupert Murdoch of his legitimate income if you read someone else's newspaper over their shoulder in the train!

@You don't want this:

"There are even examples of unguilty victims who commited suicide because of this..."

Your job is simple: produce some sources that document the claims made.

@Sparafucile

"http://news.bbc.co.uk/1/hi/technology/4721723.stm"

This article is 2.5 years old now. Have any of the threats mentioned in it come to fruition? Are the courts in the UK jammed with similar cases? Or was it all just a huge FUD-flinging episode?

I note with amusement how running an open WiFi is equated to being a child pornographer. Or at least providing plausible deniability to that vast army of paedophiles running around in the streets, unchecked. What do we call journalists who repeat state propaganda without critical review?

The case at hand looked a lot like one of digital trespass anyways. That is, the guy was using equipment without permission. Not exactly what is under discussion here, is it? Bruce Schneier has given permission for anyone to use his WiFi.

Bruce, you still forgot to mention something important -- a lot of people read and send mails in the open, and also send their passwords so, either because the providers don't support "advanced features" or because it's the easiest way to configure the clients. Even some web mail clients send the passwords in the open, and even more the content in the open.
If those people never use their computers at airports etc, only by following your current advice they give their passwords and e-mail communication to everybody in the neiogbourhood -- and until now they were much safer!

@Bruce,

One point you have missed that is very relevant to you but not to most others.

At one point or another you have stood and offered "Opinion" in procedings where you would have had to be recognised as an "Expert Witness" legaly.

This cuts you out from the herd of the commons when it comes to a defense (of ignorance etc).

You have even bloged a case where a man was deamed (? assumed) to be guilty of using cryptography in a child abuse case simply because,

1, A standard crypto program was found on his computer.

2, The judge had indicated the defendants level of technical knowledge was equivalent to that of an expert.

From what information was made available at the time this appeared to be the sole criteria under which he was convicted.

...good you don't live in the UK

http://www.viruslist.com/en/news?id=208274069

"People stealing their neighbours’ wireless Internet (what is known as “leeching�) could now face the threat of a criminal record in the UK following an apparent crackdown by police...."

@Peter:

"http://www.viruslist.com/en/news?id=208274069"

The above story is about unauthorized access; Bruce Schneier (and others) are granting access to all comers. Can you perceive a difference?

A friend at work does run an open network, but it's a separate WAP and router and does not allow access to his private network.

The notion that configuring a WiFi AP to be secure is too inconvenient for a bunch of computer security people is laughable to me. Really, how hard is it to login to a secure network? I'm glad my bank doesn't use this logic!

My network is open to all my guests - they just have to have the WPA password. A moment of inconvenience the first time they set it up allows them access for all future visits. And meanwhile, I don't need to worry about my neighbor siphoning off bandwidth, downloading child porn or doing other questionable activities via my IP address.

I run the wifi at home wide open for very similar reasons. I do put the wifi outside my firewall so that anyone on the wifi has the same access to my home network as anyone else on the net.

I wanted to make the following suggestion. The potential annoyances of someone abusing your open Wi-Fi connection are real, but the ability to use a random Wi-Fi connection to surf or check email is highly appealing (although it is the last thing service providers want). I think that someone should develop software for a Wi-Fi "sidewalk". By this I mean that our Wi-Fi software should allow users to access an open version of the Wi-Fi connection while the owner uses a private version of the connection. The open version would have a number of limitations (like limited bandwith, lower priority vs. the private connection, limited volume, logging of visited IP addresses, maybe logging of MAC address of anonymous user). It would be like having a sidewalk along your property. You do not get to go through my backyard, but you are welcome to pass along the sidewalk.

I agree with LAL. I don't think I'm being inhospitable if I secure my network. The SSID is broadcast and has my name on it so it's clear to everyone who belongs in my neighborhood that it's mine. If someone in the neighborhood, or a guest, wants to access it, they ask me, I give them the password, and they access it. What's the big deal?

Bruce lists some reasons we shouldn't be *too* worried about people doing nasty things on our networks, but the only reason he says we should open them up is hospitality. I figure I already have that covered, so why not add a little bit of protection from unauthorized access?

In my case, my solution / reason is more old fashion - I just only use wired security. Main reason is that I am still not convinced that wireless is totally safe, from the health / cancer point of view. No doubt the wireless NIC have lower power emission than placing a cell phone next to the ear, but I am not so sure about the access points. This is one issue both my spouse and I agree on, so no wireless it is. ( No, we don't have CRT TVs either - for a number of years already. )

A secondary reason is that by using wired connection, the kids have to access the internet only where the computers are - in the living room in open view of everyone. Primitive shoulder-surfing security, but we much prefer that.

However, I do agree with Bruce on the point that if I have guest visiting, they are free to connect their laptop to my switch. Right now, I still have to open up my DHCP server to accept their MAC, but I have no qualms about allowing open MAC access from the switch.

--- cllee

Two points:
1 - Once your name and the words "Child Pornography" are associated, it matters little that you're not guilty. You will always be suspect in your family's, employer's, friend's and neighbor's eyes. Damage done. Why risk it?

2 - Everyone is spouting about being a good netcitizen and leaving their access points open for people, because they expect the same in return. However, don't expect that because you keep an open AP means you can just jump on any other open AP. Using someone else's private AP and Internet connection is illegal. Your open AP doesn't cancel out your illegal actions. Find a public hotspot. If it's free, bonus. If not, pony up a little cash.

Bruce's logic is totally off on this.
It is clear that keeping your network open adds risk, even if Bruce's assessment of the risk is low. Since there is no upside, don't do it. period.
I think Bruce supports open networks for political, rather than technical reasons. Bruce would like to see the erosion of copyrights and other IP, as seen from his opposition to DRM and other countermeasures; obviously a society where all wifi is open would make the IP holder's life harder. Nice, but I don't support this view and I would not risk my network or even bandwidth (and some ISPs would get upset if you consume inordinate amount) to further a political goal I oppose.
Sorry Bruce, no go.

@cllee/Anonymous:
"However, I do agree with Bruce on the point that if I have guest visiting, they are free to connect their laptop to my switch"

Indeed, this is basic politeness.
But for me, it is trivial to simply hand them the WPA password. It is in a text file on an USB stick, along with all other necessary config data (which is normally not needed anymore, nowadays), so getting access is usually a simple copy&paste.

Most of them have some profile management software for their wireless adapter, so next time when they come over, they simply activate the profile "at Paeniteo's" and there they go.

I simply don't see the benefits of leaving my wireless open. Yes, it could help someone who is "stranded without internet access", but I doubt this regularly happens to passers-by on the road in front of my house.
Also, I believe there are much worse/urgent emergencies than being without internet.
Consider a broken-down car, for example. Still, I do not leave my garage open so that people can get to my toolbox "just in case". Same goes with my telephone. Of course, if the need arises, someone may ask me to make a call from my phone. But should I put it in the lawn when I go out?

For those worried about unknown users downloading child porn etc, use OpenDNS, it automatically blocks such sites.

@DougF:

"have yet to get have my virus scanner pick up anything."

I'm always amused by the few people who still squeal this bullshit.

1. No virus scanner can detect all malware
2. Often scanners are whitelisted for policeware (and the Sony Rootkit before it was outed), what if hackers use this against others?
3. Any operating system which is closed source is untrustworthy by design
4. Any virus scanner which is closed source is untrustworthy by design
5. Malicious batch files or scripts can often fool most any virus scanner

The smug attitude is a laugh, but thanks for the chuckle.

dakaw: That's good to know, thanks, now I like OpenDNS even more :)

@Reasonable
"""Bruce would like to see the erosion of copyrights and other IP, as seen from his opposition to DRM ..."""

Pointing out that the concept of DRM is flawed and all implementations of it to this point laughably easy to crack doesn't necessarily mean lack of support copyright and IP.

To me it makes more sense to assume that someone pointing out the shortcomings of DRM is a supporter of copyright, trying to warn others not to trust this snakeoil.

@dakaw "For those worried about unknown users downloading child porn etc, use OpenDNS, it automatically blocks such sites.

I have an open WAP and I use openDNS, which I recommend for various reasons. At the same time, I don't suppose openDNS would block "naughty" *numeric IP addresses*, would it? Just something to think about...

I can't say whether you are right or wrong to run an open wireless node, but I run one, too. And at two locations!

I find my self in agreement with aspects of both positions. Open is a nice way to be friendly, yet ignoring built in capabilities to secure your home network from wireless intrusions can be viewed as an electronic equivalent of leaving the porch light on and front door open – in some neighborhoods, not much problem (everyone doing it, safety in numbers), in others, dumb and big problems.

So, how to solve this dilemma?

On the cheap end of options, how about stacklng two NAT wireless routers to establish a multi-network layer defense, the first one being closest to the Internet connection and “open� when you choose it to be, the next and inner-most NAT router secured for just the systems you fully trust. Low $s security and manages the risk of unknown “guests� otherwise fully trusted by your home network. If fact, the low-$ providers of NAT routers could offer a specific selling point to upgrade with dual “guest network� and “secured home network� capabilities in a single device.

When I get my "n" router, I'm planning on taking such an approach - but guests will still need to have a short key- (lights on but door locked on my porch- and they'll only get into the breezeway, not roam the entire house).

@Reasonable:

If you cannot trust the security in existing wireless networking devices, why use it all?

http://arstechnica.com/news.ars/post/20080218-report-implementation-flaws-hound-wireless-security.html

Bruce,
Thanks for the access, friend.
I'm grateful, and won't hack or get greedy with your bandwidth.

Well I did keep my line open all the time until I found my sidewalk marked by war drivers. It is still not secured, but I now have a Traffic Cop with a Red & Green light. When I am at my computer the green light is lit and I can monitor my modem for