Freakonomics Q&A

I just did a Q&A on the Freakonomics blog. Nothing regular readers of this blog haven't heard before, but it was fun all the same. There's also a Slashdot thread on the Q&A.

Posted on December 5, 2007 at 9:10 AM • 35 Comments

Comments

SpiderDecember 5, 2007 9:30 AM

Yeah feakanomics is really just the proof of the saying "when the only tool you have is a hammer, everything looks like a nail."

wallyDecember 5, 2007 10:28 AM

As if Bruce really puts his password list in his wallet. He just wants people to think he does.

JustinDecember 5, 2007 11:23 AM

In the "Bruce's rep precedes him", some dolt on the ./ thread mocked his password scheme, claiming that he remembers unique, secure passwords for everything, and saying "this guy needs to learn something about security."

The sum of responses to him were "you think Bruce Schneier needs to learn about security?"

BogwitchDecember 5, 2007 12:19 PM

Interesting interview.
I was taken aback somewhat to read about Bruce's open wifi AP.
I use WPA and recommend it to anyone that will listen. In an ideal world, all APs would be open and everyone could be trusted with your bandwidth - this world is far from ideal.
I assume that an open AP will eventually attract a black hat/ skiddie/ paedophile, who can then do whatever they want with traceability only back to the AP owner.
If I 'allowed' a person with malicious intent to use my unsecured wireless access:
a. I would be inconvenienced if I needed to be interviewed by law enforcement.
b. As a security professional, I would be slated for allowing it to happen and no doubt treated with suspicion.

Additionally, I would have made it clear to all the readers of freakonomics that no WPA encryption means any information sent over the wifi is open to interception.

Dom De VittoDecember 5, 2007 12:29 PM

I think the day Bruce stops learning about security, is a long way off.

I think I know enough about Bruce to know he's not a fool, and enough about him to know he thinks he is.

"Only the truly wise know how little they know, and only fools think they know much." (quote: me, drunk, but it still counts)

I would say, in true Crack5 tone, that any password storage, outside the brain is flawed, as is any password 'scheme' for generating passwords.

Me? I use 'fredfred' - it's easy to type (same as lowering your iPod volume) when you have a coffee in the other hand :-)

All passwords are a balance against convenience - it's the_risk assessment_ that's important.

Dom

ScottDecember 5, 2007 12:30 PM

Bogwitch

Consider the "plausible deniability" angle. If your wifi is wide open, then anything that happens on your network can be explained by "it wasn't me, must have been someone else using my bandwidth.'

neduDecember 5, 2007 12:38 PM

"Consider the "plausible deniability" angle. [...]"

@Scott,

If you live in a Republican county, and a Democratic party orgnizer uses your open wifi, are you then providing "material support" to overthrow the county government? Should that trigger the issuance of a national security letter (NSL) purport to authorize the covert seizure of your financial records?

TmanDecember 5, 2007 12:49 PM

Bruce is doing a great service in getting people (and hopefully more people in government) towards a better system for preventing financial/criminal identity fraud. Until the banking institutions are held more responsible for verifying transactions, these problems are only going to get worse. With the non-computer-scam-savvy boomer generation retiring, we will continue to see a major uptick in phishing and lottery type scams.

It worked for the credit card industry, and it's the only answer for the banking industry.

Reality CheckDecember 5, 2007 1:07 PM

@Scott

"Consider the "plausible deniability" angle. If your wifi is wide open, then anything that happens on your network can be explained by "it wasn't me, must have been someone else using my bandwidth.' "

Oh yeah, the Courts buy that.

"Really sir? Oh jeepers! Well, you're free to go!"

BogwitchDecember 5, 2007 1:30 PM

I had considered the plausible deniability angle but I didn't think it would apply to Bruce. :)

Clive RobinsonDecember 5, 2007 1:38 PM

With regard to the open WiFi AP Bruce say's he does not care... And then makes it out to be "good nieghbourlyness", with the side assumption all of his computers are securly set up.

Well Bruce frequently goes on about "unpatched" OS's and Software being a security threat, and I should imagine if we dig back far enough he also made similar comments about "Open" Mail Relays. Are the people still doing this good or bad neighbours in Bruces view?

In times past it was ok to leave your house unlocked your gun in the porch and the keys in your truck just incase your neighbour might need to borrow them. But times have changed and all of the above would be considered reckless behaviour these days.

It will not be long before having an unauthenticated AP is considered reckless.

Brian CarnellDecember 5, 2007 3:04 PM

"Additionally, I would have made it clear to all the readers of freakonomics that no WPA encryption means any information sent over the wifi is open to interception."

Same here. I wouldn't want my neighbors or people driving through the neighborhood packet sniffing my unsecured web traffic (for example, my visits to schneier.com). Maybe Schneier's directing all of his browsing through a secure proxy or doesn't care if people monitor his visits to non-secure sites, but most people aren't likely to be doing the former and *are* likely to care about the latter.

Bruce SchneierDecember 5, 2007 5:32 PM

"I assume that an open AP will eventually attract a black hat/ skiddie/ paedophile, who can then do whatever they want with traceability only back to the AP owner."

Zillions of coffee shops around the world run open wifi networks. I just don't see it as a big risk -- someone isn't going to park in front of my house to steal my wifi, when they can do it down the block on a comfortable couch with a nice cup of coffee.

Bruce SchneierDecember 5, 2007 5:34 PM

"I would say, in true Crack5 tone, that any password storage, outside the brain is flawed, as is any password 'scheme' for generating passwords."

Security is always a trade-off. It's far more secure to write down a strong password than memorize a weak one -- and memorizing a secure password is not a reasonable option for most people.

BogwitchDecember 5, 2007 6:37 PM

"someone isn't going to park in front of my house to steal my wifi, when they can do it down the block on a comfortable couch with a nice cup of coffee."

Fair point, but your neighbour could be sat in the comfort^W familiar surroundings of their own S&M dungeon just as easily...

I appreciate what you're saying, but a cost-benefit analysis suggests to me that employing WPA reduces the risk for near zero cost. It also affords me more flexibility as to how I use my wifi without having to rely on other, more costly technical measures.

ThinkerDecember 5, 2007 9:55 PM

I have seen, and have done, ethernet taps in weird places too. Just because you have a physical wire is no reason to think the network is secure. I run a wide open wifi as well. All of the traffic is encrypted. You can crack WEP and WPA keys with ease, so what's the point? WEP/WPA just slow down your network. You are not defined by your IP address. In practicality, in 8 years of open wifi, I've had zero problems. I live in a busy neighborhood with plenty of freeloaders. We can live in fear of bad people or merely live in the real world using real data. 8 years and zero incidents is my world.

JasonDecember 5, 2007 10:31 PM

About open WIFI, I like the idea of "neighborly" open access. The probability is very low that an e-criminal, pedophile, or terrorist moves within ten or twenty meters of my access point. (And I live in the most desirable country in the world for pedophiles and money launderers: Thailand.) What is much more likely is that a neighbor has a guest over who wants to check his email. About getting on the hook for someone else's misdeeds, well, the police are interested in apprehending the perpetrators, not just any old fellow who runs an AP. The only risk you incur by opening your wireless is the risk that the police may need your cooperation to catch a real criminal who used your wireless.

As far as my own security, in my household, behind the DSL router, I use Linux with the default firewall rules. On email and financial sites, I use SSL. Like the man says in Beyond Fear, a criminal is likely to move to a softer target down the street.

I would not at this time universally recommend open wireless to all households, simply because general Internet literacy is not to the level where people know their responsibilities. But in a few years time this will change, I think.

CJDecember 6, 2007 12:05 AM

I don't leave my AP open, purely because of the cost. We pay per gig, and I'd be bankrupt in minutes if I let just anyone use it as much as they like. It must be nice for you guys, living in countries with decent ISPs and infrastructure!

KilianDecember 6, 2007 2:54 AM

To the open Wi-Fi AP:
Is there a law making you responsible for crimes beeing commited via your internetconnection in the US?
In germany, you may be held responsible if somebody, say, downloads music illegaly via your connection.
Which is why concepts like the FON-network didn´t take off here (They offered a 15min "trial" without real authentication). So you should not leave your network open if you have something like that in your jurisdiction.

Kilian

jDecember 6, 2007 2:53 PM

With regard to open WiFi, at work the corporate security folks push a different argument, quoting an organization called the National Security Institute, Inc.:

"More than 54% of respondents to a recent survey admitted illegally connecting to someone else's Wi-Fi network. Logging onto a wireless network without the owner's knowledge or permission, a practice known as “piggybacking,��? is illegal in many jurisdictions, and there have been successful prosecutions for it in the past. Analysts say that while stealing Internet access may feel like a victimless crime, it deprives providers of revenue. The experts say the study underscores the importance of properly securing your wireless network to avoid giving piggyback rides to others. Your Wi-Fi connection should be encrypted, and any passwords used should be strong."

I feel confident that Bruce disagrees with some of the underlying assumptions there, but that is in some sense an "official" position on this issue, certainly that of my employer.

EsurnirDecember 6, 2007 3:44 PM

@Scott: "the problem" Your router will probably store the record of your mac address, so you better prove that someone did spoof it.

sirlDecember 7, 2007 9:53 PM

Bruce, thanks so much for continuing to disseminate information and common sense about security.

wmDecember 11, 2007 8:14 AM

@Bruce: "someone isn't going to park in front of my house to steal my wifi, when they can do it down the block [in a coffee shop]"

Well, I don't know if it's common enough to be worth worrying about, but it does happen:

http://news.bbc.co.uk/2/hi/uk_news/england/...

http://news.bbc.co.uk/1/hi/england/hereford/...

Maybe they were afraid of being caught on CCTV in a high street coffee shop, if what they were going to do was illegal. (The UK not exactly lacking in CCTV installations.)


--------
Required disclaimer:
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.

SofaDecember 12, 2007 12:05 PM

Why not recommend Netcraft in lieu of teaching better bullshit detecting?

Netcraft Toolbar will tell average people where the site is located globally, when it was registered, and gauge its threat decently. No one ever talks about this free and handy toolbar for PC's, especially in IE.

http://toolbar.netcraft.com/

I wish people like Bruce promoted it more.

Reader XDecember 12, 2007 1:24 PM

@Bruce: "someone isn't going to park in front of my house to steal my wifi, when they can do it down the block [in a coffee shop]"

Sure they will. I have observed teenagers doing this to my suburban neighbors on multiple occasions. (I suspect evasion of parental snooping is the motive here. If you are a teen and want to download porn, the coffee shop, school and/or library are not the best places to do it.) Of course there are many targets - Kismac tells me there are half a dozen open APs on my four-block street alone.

santhoshJune 28, 2010 11:55 PM

With regard to open WiFi, at work the corporate security folks push a different argument, quoting an organization called the National Security Institute, Inc.:

"More than 54% of respondents to a recent survey admitted illegally connecting to someone else's Wi-Fi network. Logging onto a wireless network without the owner's knowledge or permission, a practice known as “piggybacking,��? is illegal in many jurisdictions, and there have been successful prosecutions for it in the past. Analysts say that while stealing Internet access may feel like a victimless crime, it deprives providers of revenue. The experts say the study underscores the importance of properly securing your wireless network to avoid giving piggyback rides to others. Your Wi-Fi connection should be encrypted, and any passwords used should be strong."

I feel confident that Bruce disagrees with some of the underlying assumptions there, but that is in some sense an "official" position on this issue, certainly that of my employer

sridharaJuly 1, 2010 11:11 AM

Sure they will. I have observed teenagers doing this to my suburban neighbors on multiple occasions. (I suspect evasion of parental snooping is the motive here. If you are a teen and want to download porn, the coffee shop, school and/or library are not the best places to do it.) Of course there are many targets - Kismac tells me there are half a dozen open APs on my four-block street alone.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..