My Open Wireless Network

Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.

I'm told that uninvited strangers may sit in their cars in front of my house, and use my network to send spam, eavesdrop on my passwords, and upload and download everything from pirated movies to child pornography. As a result, I risk all sorts of bad things happening to me, from seeing my IP address blacklisted to having the police crash through my door.

While this is technically true, I don't think it's much of a risk. I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

This is not to say that the new wireless security protocol, WPA, isn't very good. It is. But there are going to be security flaws in it; there always are.

I spoke to several lawyers about this, and in their lawyerly way they outlined several other risks with leaving your network open.

While none thought you could be successfully prosecuted just because someone else used your network to commit a crime, any investigation could be time-consuming and expensive. You might have your computer equipment seized, and if you have any contraband of your own on your machine, it could be a delicate situation. Also, prosecutors aren't always the most technically savvy bunch, and you might end up being charged despite your innocence. The lawyers I spoke with say most defense attorneys will advise you to reach a plea agreement rather than risk going to trial on child-pornography charges.

In a less far-fetched scenario, the Recording Industry Association of America is known to sue copyright infringers based on nothing more than an IP address. The accuser's chance of winning is higher than in a criminal case, because in civil litigation the burden of proof is lower. And again, lawyers argue that even if you win it's not worth the risk or expense, and that you should settle and pay a few thousand dollars.

I remain unconvinced of this threat, though. The RIAA has conducted about 26,000 lawsuits, and there are more than 15 million music downloaders. Mark Mulligan of Jupiter Research said it best: "If you're a file sharer, you know that the likelihood of you being caught is very similar to that of being hit by an asteroid."

I'm also unmoved by those who say I'm putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much.

Yes, computer security is hard. But if your computers leave your house, you have to solve it anyway. And any solution will apply to your desktop machines as well.

Finally, critics say someone might steal bandwidth from me. Despite isolated court rulings that this is illegal, my feeling is that they're welcome to it. I really don't mind if neighbors use my wireless network when they need it, and I've heard several stories of people who have been rescued from connectivity emergencies by open wireless networks in the neighborhood.

Similarly, I appreciate an open network when I am otherwise without bandwidth. If someone were using my network to the point that it affected my own traffic or if some neighbor kid was dinking around, I might want to do something about it; but as long as we're all polite, why should this concern me? Pay it forward, I say.

Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn't a big risk either. The worst that will happen to you is that you'll have to find a new ISP.

A company called Fon has an interesting approach to this problem. Fon wireless access points have two wireless networks: a secure one for you, and an open one for everyone else. You can configure your open network in either "Bill" or "Linus" mode: In the former, people pay you to use your network, and you have to pay to use any other Fon wireless network. In Linus mode, anyone can use your network, and you can use any other Fon wireless network for free. It's a really clever idea.

Security is always a trade-off. I know people who rarely lock their front door, who drive in the rain (and while using a cell phone) and who talk to strangers. In my opinion, securing my wireless network isn't worth it. And I appreciate everyone else who keeps an open wireless network, including all the coffee shops, bars and libraries I have visited in the past, the Dayton International Airport where I started writing this and the Four Points Sheraton where I finished. You all make the world a better place.

This essay originally appeared on Wired.com, and has since generated a lot of controversy. There's a Slashdot thread. And here are three opposing essays and three supporting essays. Presumably there will be a lot of back and forth in the comments section here as well.

EDITED TO ADD (1/15): There has been lots more commentary.

EDITED TO ADD (1/16): Even more commentary. And still more.

EDITED TO ADD (1/17): Two more.

EDITED TO ADD (1/18): Another. In the beginning, comments agreeing with me and disagreeing with me were about tied. By now, those that disagree with me are firmly in the lead.

Posted on January 15, 2008 at 3:33 AM • 171 Comments

Comments

Ludwig • January 15, 2008 3:54 AM

This might be interesting for you:

http://www.heise-security.co.uk/news/101382

Scientists of Indiana University and of the Institute for Scientific Interchange (ISI) in Italy have investigated wireless networks as a potential platform for the distribution of worms, and have developed an epidemic model depicting how fast such a worm might spread across a city.

kyb • January 15, 2008 4:20 AM

My wireless network has an SID of "4accessCall" and then my mobile phone number. I have had 4 people call me so far, and I immediately send them a text message containing the wpa password which is "opennetwork". That way I have the phone numbers of the people using my network, but there's still a low barrier to use.

I agree that sharing your wifi is basic politeness. I have been stranded without broadband enough times to wish that there were more people like us.

Martin Budden • January 15, 2008 4:31 AM

There are other advantages to having an open network. My father allows his neighbours to use his network. One day it went down (I think it was a result of an OS upgrade) and one of the neighbours noticed this and spent 2 or 3 hours sorting it out for him.

My parents live in a block of flats by the seaside and quite often some of the flats are let out to holiday makers. My dad's free network means my parents often get to meet and socialize with these holidaymakers. Some return every year and some lasting friendships have been made.

SteveJ • January 15, 2008 4:39 AM

I offer my guests wireless access without running an open network: we have to go through the pain of correctly configuring the SSID, key, etc, once, but most of our guests come back a lot with the same equipment.

buntklicker.de • January 15, 2008 4:47 AM

Just for the record: FON now allows free access to any FON hotspot even for those who choose to receive financial compensation for offering theirs ("Bills"). I myself remain a Linus because I do not want money (for legal and tax reasons) out of my being a Fonero.

Dave Page • January 15, 2008 5:21 AM

One thing Bruce doesn't address in his essay is whether he uses anything to mitigate the risk of people intercepting information transmitted over the wire.

It's trivial to set up something like OpenVPN or (less trivially) IPSec, which can run over any open wifi hotspot, and should protect you against many man-in-the-middle or cookie-stealing attacks...

Anonymous • January 15, 2008 5:21 AM

Erratum: "The accused's chance of winning is higher than in a criminal case, because in civil litigation the burden of proof is lower."

Either "accused" should be "accuser", or "than" should be stricken.

Anonymous • January 15, 2008 5:27 AM

I haven't read the supporting articles yet, but the last of the opposing ones has the worst argument I've ever heard on the subject.

"You'll cause your ISP to loose revenue, which is evil".

Wow.

Chris • January 15, 2008 5:33 AM

If I was your guest I would appreciate the access. I run 2 wireless AP's. One extends coverage toward my local pub. Looking at the logs I'm the only one that uses it a lot.

Martin • January 15, 2008 5:57 AM

My wifi access point at home is visible to all of my guests and there is a big tag with SSID and WPA-PSK password on top of it.

I don't want to open it free because I have a limit on a total download per month and there are a lot of heavy P2P users around here... and I don't want my network to congest when I'm racing Live For Speed online :-)

Ian Eiloart • January 15, 2008 6:11 AM

Really? The risk of being hit by an asteroid is one in 500? Perhaps if I live to be a million!

My wireless network is open, though. I'll know if it's being used a lot, because I'll get an email from my ISP to say I've been charged more. I've never had more than one of these in any one month, and it's most likely all my own usage.

Jim Ramsey • January 15, 2008 6:25 AM

Bruce,

It must be in your archives somewhere.

How do you protect your laptop when you use it wirelessly at home or in an airport?

Didimos • January 15, 2008 6:28 AM

The main reason I secure my network is the one mentioned by Ludwig. Even if it is not the case today, leaving WLANs open will one day cause those networks to form a parallel network of networks used mainly by spammers and zombie farmers... Connecting a non-firewalled computer to the Internet a couple of years ago was perfectly safe for a couple of hours; today, after 20 minutes it is full of trojans and viruses. I think blackhats will be using an internetwork of unsecured WLANs soon.

Bob Gezelter • January 15, 2008 6:29 AM

I cannot agree with the underlying premise more, although I always counsel caution.

Cyber-hospitality is quite an important part of the modern world, as I pointed out in "Internet Dial Tones & Firewalls: One Policy Does Not Fit All", a presentation for the Tampa chapter of the IEEE Computer Society in April 2004 (slides available at http://www.rlgsc.com/ieee/tampa/2004-3/internetdial.html ). "Safe Computing in the Age of Ubiquitous Connectivity", a full paper on this topic, was presented at LISAT 2007 (see http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html ).

The underlying concept that enables the safety of this type of access is the careful use of a network topology using nested and sibling firewalls, a concept that was in "Security on the Internet" (Chapter 23, Computer Security Handbook, 3rd Edition, Hutt, Bosworth, and Hoyt, eds., Wiley, 1995). The material is also in Chapter 21 of the 4th Edition (see http://www.computersecurityhandbook.com/csh4/Chapter21.html ). Such a topology protects the access provider from penetration or monitoring, while the careful use of a VPN tunnel (and/or SSL) by the user ensures the sanctity of their traffic.

- Bob Gezelter, http://www.rlgsc.com

jstewart • January 15, 2008 6:29 AM

I work in an office full of techies and we've often discussed this issue. Most of us have had problems with neighbors intentionally or unintentionally leeching bandwidth and so run closed networks. If my router could give priority to my MAC addresses I'd open it up in a second.

Sandra • January 15, 2008 6:32 AM

I feel so vindicated. Despite being a security analyst and writer who has focused on wireless technologies, I've taken an endless amount of crap for running a wide-open wireless network at my home. But I live on top of a hill in a rural area surrounded by mostly Amish people. If anyone were sitting in a parked car (or buggy for that matter) within association range, it would be pretty darn obvious. The risk just isn't there.

Paeniteo • January 15, 2008 7:03 AM

In Germany, we have a 'nice' thing called "Störerhaftung", i.e. liability for people that allow bad things to happen.

In September 2006, a court actually ruled that a person running an un-protected WLAN was liable for copyright infringements conducted over her internet connection because she could have easily protected her network.
It did not matter that it wasn't her. Even if it had not been her, personally, she had enabled others to do the copyright infringement and therefore she was liable.

It remains unclear, however, how "bad" the protection actually may be to avoid liability. Is WEP and MAC filtering enough or does it have to be WPA (is password "aaa" enough?) ..?

drwho • January 15, 2008 7:04 AM

As Bruce says, all security is about balancing risk against inconvenience.

Home users (which is really what we're talking about here) need to tackle their highest risks first. The first step is to apply all relevant software patches and personal virus/firewall/anti-spyware updates.

The majority of home users don't do this and are therefore open to the whole gamut of remote automated attacks.

Until you are protected from all such automated attacks, there's little point in defending yourself against a manual attack from someone sitting outside your house.

To use Bruce's own analogy, that would be like installing an asteroid defence system on your roof but never locking your front door.

mhuss • January 15, 2008 7:09 AM

I live in a semi-rural area, so people parked in front, or a large amount of neighbors "leeching" is not a problem. However, the immediate next-door neighbors have been having a problem with their 15-year-old going to porn sites, so I protect our network just to keep him from jumping on our network to bypass their controls. :)

--m

Kevin Sullivan • January 15, 2008 7:09 AM

@Jim Ramsey

Every OS is a bit different, but the basic idea is: Turn off any network services, don't use IE, keep your OS and applications patched. For Windows, I'd add a virus scanner and host-based firewall.

My wireless network had a 40-bit key for a while, but it was more problem than it was worth. It was trivial to crack, and my laptop wouldn't switch between the two APs when there was a key; when I opened it up, my laptop switches automatically. Some neighbors use the network occasionally, but I don't mind.

sle • January 15, 2008 7:11 AM

In some countries (like in France) you are liable for the traffic passing on your line.
Proving that you are not the author of the infringing traffic passing over your line will probably dilute the charges, but you remain liable for costs...
In that case, I prefer to secure my network just enough to have the hackers pick up another network.

As far as I know this law hasn’t passed a trial yet. I wonder how to judge a liable but technically ignorant line subscriber.

Anton • January 15, 2008 7:19 AM

In Australia we have capped bandwidth (sic). After 15mb they reduce my speed to 128kbs. This makes it a risk that if I leave my network open, someone might siphon off my megabytes. But I like the 4accessCall ... SID idea!

DF • January 15, 2008 7:32 AM

Although I agree that the likelihood of something bad happening from an open WAP is exceedingly small, the impact could be quite large. For example, a kiddie porn investigation. What steps could/should be taken to lessen that impact? Logging headers, for example?

J.D. Abolins • January 15, 2008 7:50 AM

For those who fret reasonably or not about wireless risks with home networks, there's always the wired option. Skip WiFi altogether. Quite workable for people who don't take their computers anywhere.

Then one can worry about TEMPEST interception. What is that van doing down the street?

Bruce, thank you for writing a good response to the notion that closed wireless is a security absolute.

sooth_sayer • January 15, 2008 7:53 AM

"My sentiments exactly Sir" :-)

The hassle of configuring "each" new device is too much for me to bother with setting security; there is little benefit for that complexity.

Gregg • January 15, 2008 7:53 AM

I'd love to open my wifi and install the FON appliance or the Meraki access points. Unfortunately these actions are against the Terms Of Service for every broadband provider in my area. Why should I risk losing my Internet access?

Evan • January 15, 2008 8:04 AM

Not that I disagree with having the open access point, but allow me to play devil's advocate for a minute. With regards to others committing crimes on your open network, isn't the obvious risk not the guy in a parked car outside downloading child porn, but someone at your neighbor's house downloading child porn?

Hendrik Boom • January 15, 2008 8:05 AM

I would be more comfortable providing open access if the access point hardware could provide two grades of service -- one authenticated and able to access anything including the local LAN, and another unauthenticated and able to access anything except the local LAN. Failing to authenticate could just connect you through a simple filter on destination IP number. It doesn't seem that this would impose a high manufacturing cost on the equipment. If someone knows more about hardware manufacture, could they comment?
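The two grades of service Hendrik Boom asks for (and the nested/sibling firewall topology Bob Gezelter points to above) come down to a forwarding policy on the router: trusted clients are unfiltered, guest clients reach only the Internet plus DHCP and DNS on the router, and everything addressed to local space is dropped. The following is an added example, not code from the original post or from any commenter. The interface names (`wlan-trusted`, `wlan-guest`, `wan0`), the 192.168.1.0/24 LAN and the gateway address are assumptions; `decide()` evaluates the policy for a flow, and `nft_ruleset()` emits the equivalent nftables rules for a Linux router.

```python
"""Two-grade access point policy (added example, not from the original post).

Trusted-SSID clients reach everything; open guest-SSID clients reach the
Internet, plus DHCP/DNS on the router, and nothing else that is local.
Interface names and addresses below are assumptions, not from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED_IF, GUEST_IF, WAN_IF = "wlan-trusted", "wlan-guest", "wan0"  # assumed
GATEWAY = ip_address("192.168.1.1")                                   # assumed
# RFC 1918 plus link-local: destinations here are "local", never Internet.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# The only router services a guest may use: DHCP (udp/67) and DNS (53).
GUEST_ROUTER_PORTS = {("udp", 67), ("udp", 53), ("tcp", 53)}


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection as the router sees it."""
    iface: str   # ingress interface
    proto: str   # "tcp" or "udp"
    dst: str     # destination IPv4 address
    dport: int   # destination port


def is_local(addr) -> bool:
    return any(addr in net for net in LOCAL_NETS)


def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a new flow (replies are implied by state)."""
    dst = ip_address(flow.dst)
    if flow.iface == TRUSTED_IF:
        return "accept"                       # authenticated grade: unfiltered
    if flow.iface != GUEST_IF:
        return "drop"                         # anything else: default deny
    if dst == GATEWAY:                        # guest talking to the router itself
        return "accept" if (flow.proto, flow.dport) in GUEST_ROUTER_PORTS else "drop"
    if is_local(dst):
        return "drop"                         # LAN hosts, other guests, link-local
    return "accept"                           # Internet-bound


def nft_ruleset() -> str:
    """The same policy as an nftables ruleset (Linux router; names assumed)."""
    nets = ", ".join(str(n) for n in LOCAL_NETS)
    return f"""table inet guest_isolation {{
    chain input {{
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "{TRUSTED_IF}" accept
        iifname "{GUEST_IF}" udp dport {{ 53, 67 }} accept
        iifname "{GUEST_IF}" tcp dport 53 accept
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "{TRUSTED_IF}" accept
        iifname "{GUEST_IF}" ip daddr {{ {nets} }} drop
        iifname "{GUEST_IF}" oifname "{WAN_IF}" accept
    }}
}}
"""


if __name__ == "__main__":
    # Constructed sample flows: a guest probing a LAN file share, a guest
    # browsing the web, a guest resolving a name, a guest poking the router's
    # web UI, and a trusted client printing.
    samples = [
        Flow(GUEST_IF, "tcp", "192.168.1.20", 445),
        Flow(GUEST_IF, "tcp", "203.0.113.10", 443),
        Flow(GUEST_IF, "udp", "192.168.1.1", 53),
        Flow(GUEST_IF, "tcp", "192.168.1.1", 80),
        Flow(TRUSTED_IF, "tcp", "192.168.1.30", 9100),
    ]
    for f in samples:
        print(f"{f.iface:13} {f.proto} {f.dst}:{f.dport} -> {decide(f)}")
    print(nft_ruleset())
```

The policy is default-deny in both chains, so a guest cannot reach the router's management interface, the printer, the game console or another guest; only the two services a client needs to get online are exposed. The same split is what a consumer access point with a "guest network" toggle does internally, and what Dirk's IPSec-gated LAN achieves at a higher layer.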

Paul • January 15, 2008 8:10 AM

Open access that only provides net access without exposing the intranet is becoming more common.

Paul

Dave • January 15, 2008 8:15 AM

I think the biggest problem with this essay is that it assumes the reader is savvy enough to secure their systems appropriately. I agree 100% with Bruce myself. My network is open, my systems are locked down, and I get notified of intrusion attempts (though I am always nervous about my WinXP system.) I use VPN to access most things (openvpn rocks) so I am not concerned about sniffing.

The issue is that Joe Q Average will read this and leave their network unsecured. Joe is probably running a copy of Windows with several unpatched vulnerabilities, and turned on file sharing because he wanted to share his printer with the kids' computers. Further the kids have a computer on the network that is already loaded with trojans and viruses.

In Joe's case, his environment is already inherently insecure. He occasionally gets a cold prickly feeling that he should update his virus checker, but he quickly gets distracted by the football game. Adding wireless security will not make his environment secure, but it definitely is one more roadblock to being completely raped and pillaged by the less scrupulous neighbors who would otherwise discover they can download his quicken files and banking passwords.

Anonymous • January 15, 2008 8:17 AM

@DF:

"Logging headers, for example?"

Righto, chap! So when that almost apocryphal Real Child Pornographer does his Evil Deeds, he won't run an open Wifi, and have a set of convenient headers that implicate his neighbors all ready to give to the police when they come knocking?

Hendrik • January 15, 2008 8:20 AM

There is a "problem" with open access (which I wouldn't mind giving out myself except...) when it comes to usage based internet/DSL/broadband circuits. In this case it boils down to "stealing", as I pay per byte, and can even be denied access to the internet if the "thief" used too much of my bandwidth.

In a non-usage based internet access setup, I wouldn't have had a problem myself to just "hand out" access with an open wireless network.

bytman • January 15, 2008 8:41 AM

When Mr. Child Pornographer uses your access point to download his crap, it will be your house the cops come to. It will be you explaining to your boss how you need time off to defend yourself from these ridiculous charges. It will be you paying for a lawyer. It will be your PC being perused by a forensic expert, and your personal life and data exposed to law enforcement. While you may eventually be proven innocent, what was the cost to you?

cassiel • January 15, 2008 8:44 AM

One problem I can see with running an open wireless network: the router itself is accessible to the world, and it's not totally clear that one can secure a router like one can secure a PC. (Look at the recent hoo-hah surrounding UPnP vulnerabilities.)

Jillian • January 15, 2008 8:46 AM

I am so pleased to read that other intelligent people also believe that wi-fi should be shared. It's like having a houseparty without having to clean up after! Thank you for your article.

Nicholas Weaver • January 15, 2008 8:46 AM

My wireless network, and any I set up, are closed.

Although my laptop is secure, there are resources on the home network (the game console, the ethernet printer) that I can't secure. The printer in particular trusts the local network.

Any guest gets the password, but not someone out in the street.

Also, Bruce, I'm sure you've seen the UPnP problems, right? Does your wireless access point support UPnP?

steven • January 15, 2008 8:48 AM

Hi, perhaps a Fonera (www.fon.com) is interesting to replace your open hotspot with. Not only can you use a secure wifi link to the ap, you can still offer "free" wifi to the bloke in the car. When they connect they will get a nice page explaining you know you haven't secured your device intentionally and that they are allowed to do whatever they want to. They have to create a "fon" account (free) and you can at least see when someone used your wifi; how long and how much... In some countries you can only have XXX mbytes a month of traffic until they close your line down till the end of the month. Also the SAFE act will ask to be able to identify people that have surfed to certain sites... if your ISP starts doing this...then he can only point to you... do you have a camera looking at streetlevel checking if at that point there was a black sedan parked using your wifi? I'm a Fonero and I could send you a fonera for cheap due to the "fonero gives fonera"-deal. http://blog.fon.com/en

We foneros "share" our wifi. We don't just give it away to anyone; only those that share theirs as well... We also have people write "connector" software that automatically connects your pc, iphone, ... to the nearest FON hotspot. There is even a maps.fon.com website where you can check the status of a fonspot nearby and download it into your GPS so you can drive to it; or alter your route so you can regularly check your email. FON is not limited to a city or a country...it's borderless. Everyone can join! It's not limited to "premium places"; it can be your neighbour...

Jay • January 15, 2008 8:51 AM

Hey, I enjoyed the article, it was a good read. I too leave my network open, for a few reasons. First is being I like having access to the internet from anywhere, so if I'd use someone else's open network, I should allow them to do the same. Another reason is, if someone were to try and gain my information, they could probably just get around the security if they were into that kind of business.

John S • January 15, 2008 8:51 AM

I somewhat agree that the chances of your wireless being invaded by the wrong people are remote. But then again so is your house being robbed. However the chance for this does exist. In my subdivision there are about 5 wireless networks. All but one are secured. It gives me some belief that even these ordinary people consider their bandwidth and their $40 a month for internet theirs to blow, not anyone else's. However in public places I think it becomes a perk to have an open wireless hotspot. As for me it's not about guests using my internet when they are over. I simply turn off the security on my routers and let them roam. With routers having longer range there is the temptation for your next door neighbor to cancel his internet and use yours. Pretty soon if he or she is a big movie downloader or other bandwidth sucker you're stuck with a slow connection. I have already had that happen. My neighbor decided to forgo internet and began to steal mine. After a couple of weeks of intermittent slow internet, I checked my router stats and sure enough a MAC address was on there that was not mine. So I turned on WPA and two days later the cable company was there installing broadband. For me it's about everyone paying their way. I don't like freeloaders! Thanks for your time!

Bill • January 15, 2008 8:53 AM

I'm in Australia and the ADSL account I have chosen has a 4Gb/4Gb (peak/off peak) quota. If I exceed that quota my connection is shaped down to 64Kbps (it normally runs at around 17Mbps).

For me the risk is that someone might download enough to push me over my quota (which wouldn't be hard). I'd rather not be connecting at modem speeds so I secure my network.

If someone visits and wants to use my Internet connection I'll either help them configure their computer or let them plug into my switch.

Dirk • January 15, 2008 8:53 AM

I have a similar approach.
My Wi-Fi is open to anyone. My router lets anyone access the Internet via it. On the other side, access to my home network is only possible via IPSec with X.509 certificates.

Roger A. Grimes • January 15, 2008 8:56 AM

Bruce,

Obviously many people have told you this already, but let me be another person to chime in…

It can be TRIVIAL to do many bad things to your computer and network if you leave your wireless access point open. The hacker tools (I encourage you to look at Cain & Abel (www.oxid.it) for a starting reference point) make it click-click-click these days.

Yes, they can capture and analyze your network traffic. And while you and I try our best to use our computers securely, my years of network sniffing tell me even the safest computer user makes mistakes and accidentally sends out plaintext passwords. Generally it is because of a software glitch, or a web site that appears to use SSL/TLS that really doesn’t (frame-in-a-frame focus problems). Plain-text passwords end up being sent across the wire more than any of us realize.

Unless you hard code your Internet router gateway’s MAC address and your own, someone can initiate an ARP spoof.

I can inject a worm or buffer overflow into your network traffic that can compromise the computers on your network. I can analyze your network traffic and figure out what you run, cataloging your software. And when an exploit comes out for that software, all the attacker has to do is beat you to the patch.

And it’s even more risky than accessing the local AP at a hotel, airport, or coffee shop, because an interested party has more time to collect more data, etc., and to be patient. In the other settings, you’re only exposed maybe 1hr to a few days. At home, I can take my time and just wait for the one mistake.

Although I believe in openness, paying it forward, and open source software, I think it’s a mistake to run a personal wireless access point in an open state. Someone wishing to cause problems in your life really could.

Of course everything is a calculated risk equation and obviously you have already done your own personal threshold calculation.
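Roger Grimes mentions ARP spoofing and the static-entry mitigation (pinning the gateway's MAC). A defender's complement to pinning is to watch for it on the wire: a spoof shows up as one IP claimed by two MACs, or as a reply that contradicts the static entry. The following is an added example, not code from the original post or from the commenter; it scans a constructed log of observed ARP replies and returns an alert for each reply that breaks a binding. The addresses and MACs are constructed sample values.

```python
"""ARP-spoof detection over a constructed ARP log (added example, not from the
original post or any commenter).

Input is a stream of observed ARP replies as (timestamp, sender_ip,
sender_mac).  The first MAC seen for an IP (or a pinned static entry) is the
expected binding; any later reply claiming that IP with another MAC is alerted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    expected_mac: str
    seen_mac: str
    reason: str


def _norm(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.lower().replace("-", ":")


def detect_arp_conflicts(events, pinned=None):
    """Return one Alert per ARP reply that contradicts the expected IP->MAC binding.

    events: iterable of (ts, sender_ip, sender_mac) from observed ARP replies.
    pinned: {ip: mac} static entries the host was configured with (the
            "hard code your gateway's MAC" mitigation); these are never
            overwritten by what is seen on the wire.
    Every conflicting reply is reported, not just the first, so the alert
    count also shows how persistently the rogue is answering.
    """
    pinned = {ip: _norm(m) for ip, m in (pinned or {}).items()}
    seen = dict(pinned)              # ip -> first MAC bound to it
    alerts = []
    for ts, ip, mac in events:
        mac = _norm(mac)
        if ip in pinned and mac != pinned[ip]:
            alerts.append(Alert(ts, ip, pinned[ip], mac, "contradicts static entry"))
            continue
        prev = seen.setdefault(ip, mac)   # learn on first sight, keep thereafter
        if prev != mac:
            alerts.append(Alert(ts, ip, prev, mac, "ip-to-mac binding changed"))
    return alerts


# Constructed sample: legitimate gateway replies, then replies from a second
# MAC claiming the gateway address, plus a printer whose binding never changes.
SAMPLE_EVENTS = [
    (1.0, "192.168.1.1", "AA:BB:CC:00:00:01"),
    (2.0, "192.168.1.30", "aa:bb:cc:00:00:30"),
    (3.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (4.5, "192.168.1.1", "de:ad:be:ef:00:99"),
    (5.0, "192.168.1.30", "aa:bb:cc:00:00:30"),
    (6.0, "192.168.1.1", "de:ad:be:ef:00:99"),
]
GATEWAY_PIN = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # constructed static entry


if __name__ == "__main__":
    for a in detect_arp_conflicts(SAMPLE_EVENTS, pinned=GATEWAY_PIN):
        print(f"t={a.ts:<5} {a.ip} expected {a.expected_mac} saw {a.seen_mac}: {a.reason}")
```

Without a pinned entry the detector still fires, because the gateway's first-seen MAC is remembered; pinning only changes the reason string and protects against the case where the rogue answers first. Feeding this the output of a passive ARP listener on the trusted side of the access point is a cheap way to notice the attack the comment describes.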

Mark • January 15, 2008 8:56 AM

bytman nails it on the head. Here's my extended argument.

In a world where we Americans don't have an intrusive government which disavows civil liberties, this would be an entirely sane idea. But the attitude of most police and federal agents these days is "confiscate first, ask questions later".

I know that as a security researcher you're familiar with the concept that if a breach is possible, it has already happened. As soon as you open up your network you have to assume someone will access it and use it for illegal purposes. If it's merely trading copyrighted music you're probably in the clear - you'll get a cease & desist letter and you can possibly respond to that by saying you have an open network. If you're lucky, the RIAA/MPAA won't haul you into court anyway. But if someone is trading child pornography using your open network, it's not unlikely that the feds would decide to confiscate all your equipment to verify that it wasn't you before giving you a chance to contest "but I had an open network!"

In fairness, assuming that you don't mind the loss of all your computer equipment for up to a month or more while the feds complete their investigation, you should get it all back and not be taken to jail for a crime you didn't commit. And in theory, their narrow warrant would only apply to actual child pornography which of course you would not possess. But what if you happened to have other illegal material or you had an encrypted partition? Given the lack of precedent over handing over encryption passphrases it's very likely they'd keep you in prison until you revealed your passphrase and they could verify your innocence.

Summary: until we return to the days of "innocent until proven guilty" having an open wi-fi is a very dangerous thing, in my opinion.

On an unrelated note, have you ever done a piece on alternative voting systems, such as approval voting or Condorcet methods? It's not really your area, but since we're in an election year it seemed it might be a timely piece which could inform a great deal of your readers. The paper below is what motivated me to learn more about the subject since the largest group of alternative voting system advocates is for Instant Runoff Voting, which is a poor method.

http://zesty.ca/lj/yee-oca-transferable-vote-3.pdf

Sean • January 15, 2008 9:01 AM

Dear Mr. Schneier,

I just read your Wired article about open WiFi networks and was struck by this:

"If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter."

I know from previous blog posts that you're a Windows user (although perhaps not by choice) and that you use PGP (which unfortunately doesn't make the total disk encryption for Mac OS X, at least not for the boot disk), but what does the security guru use network-wise to secure your computer?

Thanks.

Bill • January 15, 2008 9:02 AM

As a postscript I thought I should mention that in part of our CBD area several mining companies have got together and set up a wireless network. This network is intentionally open and usable by anyone.

It benefits them because it means their employees can access the Internet and then VPN into their offices from anywhere in that area of the CBD.

Robert Heinlein • January 15, 2008 9:07 AM

I agree with Bruce, although I used to disagree. (Now I sound like an American Democrat running for office!)

Plip • January 15, 2008 9:09 AM

I did the same thing at home too, until my neighbors started using up all my bandwidth. I'm thinking about getting a 2nd wireless router for them and dropping them in a DMZ with packet filtering and throttling. :)

Robert Ameeti • January 15, 2008 9:18 AM

Woo hoo. Another reasonable person who really gets it rather than just run down the street with everyone else screaming Protect Yourself, else you will get hacked!!! I'm not sure which one of us thought of this first but I will say that it has been a few years that anyone logging on to my wireless network gets the log on message of "Welcome to the Ameeti network. Pay it Forward." I am a computer consultant and I set up quite a few wireless networks. I do also secure my clients computers and network while allowing their internet access to wide open. And then to top things off, I rename the SSID from 'Linksys' or whatever it may start out to be to instead be my client's name followed by my phone number. Nearby neighbors can know whose network they are seeing and if there is a problem that suggests coordination of wireless signals, it is a lot easier for the neighbor to get a hold of me to fix a problem. Otherwise finding an overwhelming amount of wireless access points with the channels set to 1, 1, 3, 5, 6, 10 is just no fun. I've so often just wished that people could understand that coordination and cooperation could make for a better neighborhood experience with everyone benefitting from faster throughput if we arranged for less channel conflict with nearby signals. 'Tis funny the calls that I've gotten over the years though by people calling and asking if I know that my phone number is being broadcast for all the public to see! O my. Now they know my number! Aghast! I will admit that it has pulled in a client or two who figured out that I knew more than he did. lol.

Anonymous • January 15, 2008 9:29 AM

@bytman:

"When Mr. Child Pornographer uses your access point to download his crap [...]"

If the police are unwilling or unable to conduct a basic, simple, examination, then you are basically screwed ... no matter what, Mr. Bytman. Give me your IP address, and the conditions you assume, and someone can have a cop stepping on your neck inside of a week.

Kind of redefines the problem, doesn't it?

But perhaps you'll feel safer when I tell you that the number of real child pornographers in the entire world is almost certainly less than the number of real terrorists. There are probably more police officers posing as child pornographers than child pornographers proper. Speaks volumes, eh?

But hey, if you wish to live in a world of fear, that's your problem. Do feel free to terrify us though: find one (1) instance in the real world that is comparable to the scenario you lay out. Until then, I'm laughing...

TS • January 15, 2008 9:29 AM

Guess none of you live in the city.

We have to lock our wireless, there are just too many leechers out there, they easily overwhelm access points.

I can see 25-30 access points depending on where I am in the apartment. Almost all of these are WEP/WPA protected. Three or four are open, but don't hand out DHCP or use MAC address blocking, don't know which since I haven't tried to hack them.

Every couple of months, a new access point comes on line (noted because it's named "linksys" and it's open). It stays open about a month, just enough time for the ISP to send them a bandwidth warning, then the access point gets locked.

Sharing is great, but here it's more subsidizing. That's OK too, but when it affects your ability to connect, then it's a problem.

JoeP • January 15, 2008 9:35 AM

A lot of you have mentioned using VPN (openvpn) as a means of keeping your network open and keeping your computer secure at the same time. Can any recommend a basic online guide to setting this up? I'm not computer illiterate, I've just never dabbled with this kind of stuff, and most of the websites I can find on this topic deal with large business networks. Any info would be great, thanks!

Porter • January 15, 2008 9:53 AM

I wish every router/access point worked like the ones that Fon is distributing. I wouldn't mind opening my wireless up - however there's no easy way to detect, and ban abusers.

However with two networks - a public one and a private one; it becomes possible to segregate the traffic, and also do some sort of bandwidth limiting. I'm happy to let random strangers hop onto my wireless if I can make sure they won't swamp my connection with bit torrent downloads, or high-bandwidth VoIP...

And while the risks of your access point being used for nefarious purposes may be low - they are not non-existent. It should be, and is, easy to protect yourself from a minimal risk. Although depending on where you live (rural, sub-urban, urban) that risk may be more or less than you think. Having separated traffic might help clear your good name in the event of some misuse.

I've never really understood why routers don't just use some form of PGP for the encryption. Distribute them with a little USB key or memory card... Let each PC that's going to participate in the network generate a key, and put it on the key/card. That way you transfer the public key(s) out-of-band - and have a high level of encryption for wireless network traffic if needed.

I guess I'm just paranoid.

Khanbalik • January 15, 2008 9:54 AM

"But hey, if you wish to live in a world of fear, that's your problem. Do feel free to terrify us though: find one (1) instance in the real world that is comparable to the scenario you lay out. Until then, I'm laughing..."

As a computer forensic examiner, I see and hear about these scenarios all the time. Typical perp defense - it wasn't me, someone was on my network/PC with a trojan/keylogger and took over my system and downloaded all that stuff. Go to your typical prison, ask any perp in there and they are all innocent and framed. So when LE comes busting down your door, they are supposed to just believe you?

A "simple examination" involves multiple days of work and report writing to eventually provide the exculpatory evidence so charges will be dropped. Meanwhile, your wife, kids, friends and neighbors think you're a perv. It happens, and unfortunately, the arrest makes the front page, and the dropped charges make the back page.

Jason • January 15, 2008 9:57 AM

An Open wireless network is an ideal way to eavesdrop on those who use your network.
Run dsniff, driftnet, ettercap, etc and capture their passwords for posterity. You can even crack HTTPS if you can get folks to just "Accept" any cert errors.
Think of a wireless network like a swimming pool in your back yard. If you put up a tall wooden fence, most people won't even know you have one. If you tear it down or leave the gate wide open with a sign that says, "come on in - no life guard on duty" then you are not truly absolved of responsibility if someone slips on the asphalt or drowns.
I guess I'm just saying... you aren't paranoid enough.

greg • January 15, 2008 10:04 AM

Well I'm not going to read all of this. But after the /. thread someone talked about FON. I have now joined and am waiting for the hardware now. I will be a Linus of course, and I will be the 3rd person on my street (Vienna) to offer an access point.

I like Fon because you are *supposed* to share it.

Timmy303 • January 15, 2008 10:15 AM

I don't waste time and energy with defensive measures unless I perceive risk, and I perceive no risk in leaving my wifi network open. I get no end of flak from amused friends and family, but there you have it.

Matthias • January 15, 2008 10:17 AM

Unfortunately, in Germany, you're not only liable for everything done through your internet connection, but basically you also have to make logs about who is using your wifi, and keep them for 6 months in case law enforcement wants to take a look at them (they call it "Vorratsdatenspeicherung", kind of "preemptive data collection"). So while the idiots are still ruling this country, I'll keep my network closed.

Anonymous • January 15, 2008 10:21 AM

@Khanbalik:

"It happens, and unfortunately, the arrest makes the front page, and the dropped charges make the back page."

I'm glad to hear "it happens". Now, then, can you cite a reference for the claim? I've heard of many kiddie-porn arrests, but these appear to be followed by convictions, not a silent dropping of charges. This suggests that the cops are in fact doing examinations before an arrest is made, which is contrary to another claim you made.

How can we be sure you are a "computer forensic examiner", anyway?

Germany--Again! • January 15, 2008 10:34 AM

Perhaps a more direct approach to the problematic government may be a good idea, rather than rolling over and taking it?

Phil Culmer • January 15, 2008 10:40 AM

Wonderful article on open wi-fi.

I just wanted to write with a minor correction about Fon: Linuses' Fon access points aren't actually free for aliens (non-foneros) to use, it's just that the Linus doesn't get paid. It used to be that Linuses took no payment for use of their access point, and in exchange got to use other foneros' APs for free, whilst Bills got half of the day ticket price (after tax), but had to pay. Now all foneros get free surfing, so there's no real benefit to being a Linus any more. Aliens pay (last time I looked) 3 Euros or 3 US Dollars for a day pass, or less if you buy a multipack.

Phil.

P0rn lover... • January 15, 2008 10:43 AM

I have to chime in here. How many of you really believe all this kiddie porn crap?

Really, how many do you think there are? About 30% of the population or something? Wake up and smell the coffee. Kiddie is simply not popular for one simple reason. Most folk want tits! As in, most guys are not into kiddie porn.

Refuse to be terrorized. Even by fake kiddie porn junkies.

Ask yourself this simple question (for the men). How much porn did you look at this last year and how much of it was kiddie porn? Or even illegal porn of any sort?

Henry Witwicki • January 15, 2008 10:44 AM

Mr Schneier, I too run an open network at home... and agree with you. It is a courtesy. If a car load of kids want to download porn while parked outside my house... go for it. I have bigger problems than this in my neighbourhood... Drug use for one.

People need to focus on crime that matters and not laws that prevent Britney Spears from collecting $0.07 cents for a song that is illegally downloaded. Get a grip people.

-- Henry

Alan • January 15, 2008 10:50 AM

I live very close to a rest area on the PA Turnpike. There's *no way* I'm opening up my AP!

Only in USA • January 15, 2008 10:51 AM

@Jason

Only in the land of vast civil law suits......

My friend drowned.. Must be the swimming pool owners fault.

My cat died in a microwave... Microwave manufacturer must pay.

I hacked the internet... Blame the ISP for giving you internet access in the first place..

Haapi • January 15, 2008 11:08 AM

One of my favorite signatures I've seen is
"My ISP is 'linksys' and it is nationwide."

I have said for a long time that running WEP just means that people won't get on the network by mistake.

I can see 3-5 networks around my neighborhood, and I'd rather not bind to a distant/slow one by mistake, so I run a closed network. My rural relatives are on satellite, and they have serious download limit issues, so they also run a closed network, just to retain control over that.

Caleb • January 15, 2008 11:16 AM

Excellent arguments, all of them. You forgot, however, to mention community wireless networks like Personal Telco (http://www.personaltelco.net), Ile Sans Fil (http://www.ilesansfil.org/), CUWiN at Champaign Urbana (http://www.cuwin.net/) and many more. These folks have been working and arguing for free and open wireless access for nearly 8 years now.

Rich Wilson • January 15, 2008 11:27 AM

I used to run an open network, but after getting it shut down by my ISP after a complaint from the MPAA, I had to lock it down or switch ISPs. There's not enough competition in broadband in my market to make that a very attractive option.

Tom • January 15, 2008 11:33 AM

I actually run my wireless open with my SSID set to LeachHere, but I've never seen any takers on my offer. I even run an access point instead of a router so I get a real IP on my computer. I've had my XP box set up this way for years without being hacked. I don't have anything I really care about on that system, so I don't care if it does get hacked, it's easy enough to rebuild. I've been running this way as an experiment. I run the built in firewall as my only protection and have yet to have a problem. I have also disabled any unused services such as the server service, computer browser etc. I also unbound the MS network client from the NIC and disabled NetBIOS over TCP/IP. That's why I laugh at people that say XP can't be secure.

Bob Radvanovsky • January 15, 2008 11:47 AM

First of all, I enjoy reading your various articles and books on security, and completely *agree* with your comment from the open wi-fi networks article. Part of it is just simply 'being friendly'. ;)

You might say that I'm the local neighborhood's 'mad computer scientist', and usually when someone's computer goes *bif*, *borf* or *poof*, they (usually) come to me. I have a small data center located in the basement of my home. I am also a private researcher on critical infrastructure issues (not just computer/cyber related, but...everything related, and not really relating to security or force protection, but ensuring that, for example, our drinking water is safe and always available -- that sort of thing), and lately have been thinking about whether or not it's *worth* "trying to keep up with the Jones'".

If at all, one thing that I've learned over the years of working in IT (outside of it doesn't pay enough, hours are weird or lousy, and that many end-users are impatient beyond belief) is that it's like trying to hold back the ocean with a broom -- you just can't keep it up. It's almost pointless or impossible, even if I don't believe in those words. In some regards, the same holds true with security. It's (usually) a 'Whack-A-Mole' scenario, and you never EVER seem to get caught up, or catch the 'bad guys' -- it almost appears to be never-ending.

Same goes with wi-fi. I'm 'old school' and come from a time when hacking was done for fun, for educational purposes, and just because we could do it. ;) So...why not let the 'next generation' have some fun, too, right?

The problem is that today's hacker is much more differently motivated, and being paranoid about these things won't get us any farther. In fact, to me, it's a step backward. We, as a society, are falling onto a 'slippery slope' of constant surveillance, cameras everywhere, growing number of police units -- and for what? To "feel" more secure? How is that considered "secure"? The same might hold true with trying to protect something that you don't know where it's originating from, esp. a wireless connection point. Being a ham radio operator and trying to track down "jammers" over the years -- has been difficult -- if at best.

For home use, yeah, I try and watch the network, and try to keep my servers up-to-date, patched and check the logs periodically. But lately, with me being torn between my daytime job (being just a humble systems administrator), my attempt at a paradigm-shift into another (hopefully better paying) realm or domain (critical infrastructure research and book writing), it just doesn't pay to have a home data center, and *try* and keep everything "secure". It just doesn't.

A few days ago, someone was trying to break into the AP. It's a simple Linksys AP, and its firmware wasn't up-to-date (bought it at a local hamfest), as it had its original firmware (which I didn't bother checking). I went to Linksys, downloaded the latest firmware, then updated it. Then I turned off the Linksys AP. A few hours later, I actually got a nasty-gram from the would-be-hacker trying to penetrate my network. Needless to say, he was simply trying to check his email, and didn't know if I was encrypted or not. OK, so I'd give him (maybe) a "B-" for the effort and excuse, but it kinda made me think along the lines of what you said about open networks. So this evening, I turned it back on, and left it on -- and open. Incidentally, it was my next door neighbor’s son who was attempting to use my Internet feed for his homework assignments.

Maybe someone might abuse all of this, and we'd be faced with the ever-growing threat of the RIAA and MPAA telling us that we need to pay $15 every time we watch the same movie on our home entertainment center/system, or that we need to pay $10 for the same song we listen to. Personally, matters of economics will rule the decision, not forcing consumers into thinking that they're criminals, and maybe everyone will be happy -- maybe.

In closing, my grandmother always told me that modern society appears to be losing its grip on humanity. Maybe this is what she meant.

Evan • January 15, 2008 11:50 AM

I work with a company called Meraki, another company that operates in the "share your wi-fi and make the world a little bit better" space. Meraki approaches the problem a little differently than Fon by creating mesh networks—users just plug in power for Meraki's signal repeater device, it picks up the wireless network and then repeats the signal and meshes with other repeaters in the area. The secret sauce is the software that routes data efficiently through the closest nodes.

Meraki has a big (and growing) network of these open network repeaters in San Francisco--the SF network is powered completely by Meraki via a few dozen hardwired broadband points around the city and access is provided free of charge. You can check out a live map and data usage for the SF network here: http://sf.meraki.com/map

Bob Radvanovsky • January 15, 2008 11:54 AM

Just because you have found an 'open channel' does not mean that you can abuse it. If at all, many people are providing that 'open channel' as a courtesy; meaning, it's a "privilege", not a "right".

One more thing, I am -- by no means -- condoning nor promoting "openness" in lieu of "anonymity" for others to benefit from downloading videos or music illegally through other people's Internet connections. Morally, ethically, and legally -- it's just wrong. Don't do it!!!

Nomen Publicus • January 15, 2008 12:02 PM

There is an awful lot of "cargo cult" security about. For example, many sites put a "firewall" on their network and assume that's solved the security problem.

The trouble is, firewalls fail silently and some threats, such as the recent multicast packet problem with Windows, can fly past the firewall without even slowing down.

Paul Slade • January 15, 2008 12:25 PM

While running an open WAP may be acceptable to Bruce, it is worth pointing out that he is not suggesting that it is good practice for all. (Bruce, please correct me if I am wrong) An 'average' user of the Internet is likely to be running one or more vulnerable applications or running applications that pass credentials or other sensitive information unencrypted. To those that are setting up clients with unencrypted WAPs - Have you made your clients aware of the risks involved?

onion • January 15, 2008 12:32 PM

While you're at it, why not run Tor on your open wireless so everyone jumping on your connection without permission gets routed through the Tor network?

Stephan Samuel • January 15, 2008 12:48 PM

This is a classic problem. If you live in an area with few people who want to use your network, it may make sense to leave it open.

In rural areas, it's reasonable to knock on someone's door and ask to use their phone or bathroom. In New York City, McDonald's doesn't have public bathrooms.

Making a blank statement that, "all wireless networks should be open," is as ridiculous as saying, "locks should be illegal." Marxism has been shown not to work in the macroeconomic sense, even though it may work in certain isolated environments. There may truly be more of these environments where sharing is reasonable but on a larger scale, the underlying trend of humans to satisfy their own needs will take over.

Right now, there's a barrier to entry into the WiFi game. As things like One Laptop Per Child change economies of scale on wireless terminal devices, we'll find more unscrupulous hoodlums who aren't affected by the same unentitled thought that some are: if I destroy my community, I will be among those who suffer.

Brad Templeton • January 15, 2008 12:56 PM

This debate is a good mix of the theoretical and the empirical, and it's worth examining where they differ, or in some cases, doing study to see what really happens.

Bruce is quite right that securing your computers, rather than your network, is the only truly good approach. This is particularly true because unsecured computers on a local net may get infected by malware which then gets a free pass in attacking other local computers because it is "trusted." Even with the most wonderful firewall, if you take a laptop outside it and get infected, you've doomed your internal network. Or if you install malware the firewall could not block, and there is no perfect firewall.

However, at the same time, because consumer computers (mostly, but not exclusively, Windows) are not properly secured, there is some merit in giving them more protection. In an ideal world, each computer is secure and doesn't benefit from the false promise of a firewall. Typical consumer PCs do benefit, however. The real issue is that the firewall (network protection) gives people a false sense of security and stops them from doing more.

Because the real security result is a complex mixture of the individual security of machines, and the nature and frequency of attacks from various sources, the true answer actually can't be worked out from theory. The true answer would come by studying the various strategies and their success rate at keeping computers protected. My guess is that instances of attack via open wireless network are quite rare compared to other sources of attack.

Finally, the question rarely addressed properly in security is the underestimated importance of UI. Good security with bad UI remains undeployed, and thus can be inferior to lesser security with better UI. The UI on WEP/WPA is poor. It is hard to welcome your personal guests on your network, hard to install on all devices and thus we often will see motives to leave it off.

Anonymous • January 15, 2008 1:15 PM

I guess I'm one of those ppl who locks their front door when leaving the house. No stranger gets a free ride or a look at my traffic. It's not a security decision, it's a decision based on personal preferences. Some ppl also don't like to lay naked on the beach .. it's the same thing.

Clueless & Paranoid • January 15, 2008 1:21 PM

Interesting article. I've always thought of hardening a wireless connection as part of a "defense in depth" strategy.

How do I "configure my computer to be secure regardless of the network it's on"?

ac • January 15, 2008 1:54 PM

How do I "configure my computer to be secure regardless of the network it's on"?

Use secure network protocols, and tunnel insecure network protocols over a secure protocol. SSL, SSH, VPN, etc. These protocols are designed specifically to allow secure communication over an untrusted network.

If all of your network traffic is encrypted, it doesn't matter if random strangers can park their cars outside and sniff packets.
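One concrete way to follow ac's advice, as an added example that is not part of the comment: a client-side `~/.ssh/config` stanza that sends all application traffic through an SSH SOCKS tunnel to a host you control, with strict host-key checking so that a man-in-the-middle or DNS spoofer on the open WLAN cannot silently swap in its own endpoint. The hostname, user and key path are placeholders; ssh_config does not allow trailing comments, so each comment is on its own line.

```ssh_config
# ~/.ssh/config (added example; vpn.example.net, the user and the key path are placeholders)
Host tunnel
    # A host you control, reachable from any network.
    HostName vpn.example.net
    User me
    IdentityFile ~/.ssh/id_ed25519
    # Offer only this key, not every key loaded in the agent.
    IdentitiesOnly yes
    # Refuse to connect if the host key is unknown or has changed. This is what
    # prevents someone on the open WLAN from impersonating the tunnel endpoint.
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts
    # Local SOCKS5 proxy. Point the browser and mail client at 127.0.0.1:1080 and
    # enable "proxy DNS" (remote resolution) so the WLAN sees neither plaintext
    # lookups nor destination addresses.
    DynamicForward 127.0.0.1:1080
    # Fail loudly instead of leaving applications to fall back to the raw WLAN.
    ExitOnForwardFailure yes
    ServerAliveInterval 30
```

Start it with `ssh -N tunnel`. Because the host key is pinned the first time it lands in `known_hosts`, do that first connection from a trusted network or compare the fingerprint out of band.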

Pat Cahalan • January 15, 2008 2:00 PM

Lots of back and forth on this one, but fundamentally I agree with Bruce: running an open access point is a marginal risk at worst for someone who takes precautions to protect their hosts. I do it, but that's because one of my neighbors plays bandwidth-intensive video games and hogged my network in the past.

The whole "but a Porn Panderer may use my network" seems ridiculous to me. Of course, if a pair of officers showed up at my door with a warrant to search my house they wouldn't find any kiddie porn, and if they hauled off my computer they'd find a few hundred legally acquired PDFs of research papers and about 80 GB of MP3s I ripped off my own CD collection.

It would be a logistical pain in the ass, but the only way it would lead to an actual legal problem would be if my local district attorney was seriously abusing their authority. Not that this can't happen, but I'd consider this a very, very improbable risk.

Heck, if you're worried about *that* risk, you ought to be more worried that your computer will become infected with some trojan and actually start serving out child porn, which would be much more difficult to defend yourself against... and if you're worried about that threat, you probably ought not to have internet access at all :)

Chris Faulkner • January 15, 2008 2:10 PM

I enjoyed reading this article. I like how you think, Bruce. The ordinary folk think that someone depicted in the movie War Games will break into their Internet and download child porn and perpetuate worms and that the safety of the internet will be defeated if open networks are allowed. I myself run an open network and never once had any trouble. I run my WRT54G on max 251mW for maximum coverage so my neighbors can get on the internet if they want to. Now if they start sucking bandwidth down, I will rate limit them. I'm glad to see there are still open minded people out there that write articles like this. Makes my heart feel warm. Case in point, I was out in the sticks installing an iMac, and I'm a PC guy, but the client needed the AOL software. Well, I drove around looking for a network to get on, found one and downloaded the AOL software and saved the day. Thank you to whomever it was that had an open network! And thank you Bruce for writing this article! I'm blogging this!

PaulD • January 15, 2008 3:07 PM

What issue no one seems to be addressing is the ethics of having an open wifi system. My daughter asked me what I thought of getting wifi from a neighbor. I told her I thought it was stealing -- not from the neighbor, necessarily, but from the ISP. Bruce, would you put a splitter on your cable TV co-ax or your satellite TV feed and run it over the fence to your neighbor's house?

ants in your pants • January 15, 2008 3:46 PM

Open wifi isn't stealing from your ISP, they charge an enormous amount for a ridiculously small download quota. If your bandwidth is free, fine - but when you pay over 100$ a month for 10GB, open wifi isn't such a great idea ...

Pat Cahalan • January 15, 2008 4:03 PM

Regarding "stealing from your ISP":

There are two possible arguments here, an ethical argument and a contractual one.

From a purely ethical standpoint, your ISP provides you with bandwidth, and you pay them for the bandwidth, and they really have no ethical grounds to stand on to tell you how you ought to use that bandwidth. You can argue that you have an ethical obligation to follow the terms of the contract, but I don't see outright that you have any other obligation to your ISP whatsoever.

From a contractual standpoint, many ISPs have clauses in their contracts which forbid their subscribers from sharing their DSL access, much like cable TV providers forbid you from sharing your cable TV. However, I don't know of any ISP that forbids their subscribers from setting up wireless access points/routers in their terms and conditions (Pac Bell used to, many many moons ago; I don't think a current ISP would have much of a customer base if they forbade WAP connections). I have yet to see a Terms and Conditions that requires a DSL customer to run any particular configuration on their wireless router.

Most likely, you are well within your contractual rights to run an open wireless access point. Whether or not anyone else connects to this WAP is not relevant as far as your contract with your ISP is concerned; you have no obligation to *prevent* people from connecting to your WAP.

Setting up an open WAP and walking around to your neighbors telling them not to get DSL because they can connect to your WAP would be actively trying to share your connection, and a violation of your contract. Just plugging in a WAP and letting people find it for themselves (and, presumably, use it) is not.

moz • January 15, 2008 4:12 PM

@PaulD

I think that shows that you are quite a new internet user and forget where this all comes from. What separates the internet from the walled garden networks which preceded it is basically equal traffic sharing / I'll take your traffic if you take mine type of agreements. ISPs which provide asymmetric links (with the possible exception of low speed wireless links for mobile devices) or which attempt to limit the number of users on a connection are themselves leeches. There should be zero tolerance for them.

The difference between this and the cable network is that in the cable network all the value (programmes) comes from the top down. Thus the cable company is actually delivering something of "value". Well, okay I admit I'm lying, but the solution to that is not to steal television, it's to go and do something worthwhile instead. Like posting inane comments on Bruce's blog.

Put simply, some of us would consider a deliberately closed WLAN network to be less ethical than sharing your ISPs bandwidth. You are relying on the infrastructure we built and you aren't willing to share even when you are able at no cost to yourself.

@Bruce;

Could you talk a little about risk mitigation strategies? Do you use a VPN most of the time? How do you stop someone doing DNS spoofing or man in the middle on the WLAN? Do you give your own computers priority over others? Are you ready to lock down if it became a problem? How big is your garden?

My problem with this is that I think fully open WLAN encourages less expert users to get used to unencrypted network connections. I would rather provide an open local network with access to some documentation on a web server and an open access IPSEC gateway. Now nobody would use it of course, but at least that would make it "secure" :-)

Randall Rice • January 15, 2008 5:00 PM

Yes Bruce,

The criticism is well warranted, for many reasons. Some of the other posters have made this well clear. So, I'll just note a few.

To put it briefly, having an unsecured wireless network may not be a security risk for you, because you are well aware of how to secure your use of this connection, such as by employing a VPN or other encryption, or by simply connecting via a wired line for your own use.

But for the average person, providing an unsecured network, or using one in an insecure manner, is an unreasonable risk because it is so easy to intercept all communications and view any that are unencrypted.

The YouTube video at the following link demonstrates why this can be a significant risk for the provider (using weak WEP encryption in this case).

http://www.youtube.com/watch?v=A88XB7_Jz7s

And users of your network are relying on your benevolence and honesty, because you can very easily intercept everything they do through your connection. They are unlikely to have your level of skill and knowledge, and are therefore unlikely to secure their communication.

Therefore I cannot help but find fault with your reasoning, and I believe your advice in this matter is uncharacteristically unwise and disingenuous.

And although it has generated some worthwhile debate, Bruce, there really are better ways for you to provoke such debate without leading uninformed users down the primrose path.

Seth Wandersman • January 15, 2008 5:09 PM

'I remain unconvinced of this threat, though. The RIAA has conducted about 26,000 lawsuits, and there are more than 15 million music downloaders. Mark Mulligan of Jupiter Research said it best: "If you're a file sharer, you know that the likelihood of you being caught is very similar to that of being hit by an asteroid." '

These percentages aren't close.

Music sharing = 1 in 500 = 1/2 %.

I can't find an individual's chance of being hit by an asteroid, but:

Chance that Earth will experience a catastrophic collision with an asteroid in the next 100 years: 1 in 5,000.

Chance of dying in such a collision: 1 in 20,000.

But we need to have a common time denominator. So that's 20,000/100 years, or 1 in 2,000,000 for a year. The music sharing lawsuits have been going on for about 5 years (?), so 1 in 2500.

So that's off by a factor of 1,000.

This isn't splitting hairs. It looks like it is much more likely that someone will be sued than that they will die in, say, a car accident (1/20,000 per year).

Pat Cahalan • January 15, 2008 6:22 PM

@ Seth

You're forgetting a large part of your computation, here.

Assuming your numbers are accurate, you have it down that you have a 1 in 2,000,000 chance to be killed by an asteroid, and a 1 in 500 chance to be sued by the RIAA *if* you are illegally downloading music.

If you have an open access point, then, admittedly someone may use it to download music illegally. But, you would have to have an open access point, and they would have to connect to *your* open access point, and they would have to engage in illegal file sharing in such a way that they would fall into the 1 in 500 category.

DougF • January 15, 2008 7:42 PM

I think most posters are missing an important part of what Bruce is saying - it's just not worth the hassle.

Sure, if you run an open wi fi connection, bad things could happen, but guess what? Most often for most people NOTHING will happen.

It's really not a big bad world out there. Most folks are, most of the time, good and decent.

Next time you're in an airport, try this experiment. Drop a dollar bill onto a major walkway, then just sit down and watch what happens. Dollars to doughnuts, that bill will be sitting there when you go to get on the plane. At a minimum, hundreds of people will walk by, see the bill and step over it.

I clipped a bill to my car antenna and it was months before somebody stole it (I lived near Cleveland OH and was in and out of high population areas all the time).

I've been on-line since 1200 baud BBSes and have yet to have my virus scanner pick up anything.

YMMV.

PaulD • January 15, 2008 7:48 PM

To moz:

No, I am not a new internet user. Furthermore, I find the distinctions you're drawing between cable companies and ISPs to be flawed. Whether the source is top-down or community generated makes no difference -- you're paying for the access.

To Pat Cahalan:

I find your best ethical argument your contractual one. If the ISPs themselves do not forbid setting up WiFis, then the result of doing so cannot be considered theft. Thanks for your response.

Winawer • January 15, 2008 8:36 PM

"I know people who rarely lock their front door, who drive in the rain (and, while using a cellphone) and who talk to strangers. "

As a side note, leaving your door unlocked or talking to strangers can only get *you* killed. Driving while talking on your cell phone drastically reduces your reaction time (some studies have reported a decrease greater than that of someone whose blood alcohol level is greater than 0.08 - see David Strayer's research, for an example of someone working in this field). This means that you have a much greater chance of killing someone *else* and not just yourself.

Poor choice of example...

Mike M. • January 16, 2008 12:38 AM

"yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network?"

It didn't work for Javier Perez last year. Now there is some legal precedent that people might be held accountable for what happens on their network connection. Or that it can somehow waive your 4th amendment rights against search and seizure.

altjira • January 16, 2008 12:51 AM

Yeah, but do they pronounce it "scown" (messed up American way), or "scon" (proper way.)

Seriously, I leave the front door unlocked all the time. I'm 6'5" and weigh 290 lbs. If somebody breaks in while I'm lounging around, who's likely to come out of that encounter with broken bones? Why do I bother setting up a passphrase with mid-word capitals that none of my friends can get right?

Bruce's example reflects the simple truth of risk vs. cost. An open network has very low risk. If I freeload on an open network, what do I do? Check my email, write my blog, update my rpm's, and surf for pron if the trip has been long. Who cares? Do I say - hmmm, open network, the machines here must be vulnerable? I don't have the time. It's much more important to keep important files encrypted than to secure your network. Nothing's going to stop the kids from downloading that program offering free anime or the spouse from playing internet games or the latest widget. Worry about what's important.

You don't want this • January 16, 2008 3:59 AM

Especially here in Germany, there are examples of people FALSELY suspected of child pornography, with a search of the home and the workplace, where the wife and the boss took immediate action.

Being suspected/accused of child pornography is like a black mark on your forehead that won't go away your whole life, even if nothing is found.

There are even examples of innocent victims who committed suicide because of this...

Sparafucile • January 16, 2008 5:31 AM

Thanks for this Bruce. I totally agree with you. Obviously we are talking "fair use"; not bandwidth hogging or when the owner has size-limited downloads.

Was it not Thomas Jefferson (who?) who looked at this problem first, when he asked if it was stealing to light your candle from someone else's candle?

It's all right for you living in the land of the free. Here in the UK, the land of surveillance and petty authority, we already have a conviction for just this (there may have been a sort of plea-bargain - illegal here - behind this),

http://news.bbc.co.uk/1/hi/technology/4721723.stm

Next they'll get you for depriving Rupert Murdoch of his legitimate income if you read someone else's newspaper over their shoulder in the train!

Anonymous • January 16, 2008 7:23 AM

@You don't want this:

"There are even examples of innocent victims who committed suicide because of this..."

Your job is simple: produce some sources that document the claims made.

Anonymous • January 16, 2008 7:35 AM

@Sparafucile

"http://news.bbc.co.uk/1/hi/technology/4721723.stm"

This article is 2.5 years old now. Have any of the threats mentioned in it come to fruition? Are the courts in the UK jammed with similar cases? Or was it all just a huge FUD-flinging episode?

I note with amusement how running an open WiFi is equated to being a child pornographer. Or at least providing plausible deniability to that vast army of paedophiles running around in the streets, unchecked. What do we call journalists who repeat state propaganda without critical review?

The case at hand looked a lot like one of digital trespass anyways. That is, the guy was using equipment without permission. Not exactly what is under discussion here, is it? Bruce Schneier has given permission for anyone to use his WiFi.

acw • January 16, 2008 8:06 AM

Bruce, you still forgot to mention something important: a lot of people read and send mails in the open, and also send their passwords that way, either because the providers don't support "advanced features" or because it's the easiest way to configure the clients. Even some web mail clients send the passwords in the open, and even more the content in the open.
If those people never use their computers at airports etc., then just by following your current advice they give their passwords and e-mail communication to everybody in the neighbourhood, and until now they were much safer!

Clive Robinson • January 16, 2008 8:18 AM

@Bruce,

One point you have missed that is very relevant to you but not to most others.

At one point or another you have stood and offered "Opinion" in proceedings where you would have had to be recognised as an "Expert Witness" legally.

This cuts you out from the herd of the commons when it comes to a defense (of ignorance etc).

You have even blogged a case where a man was deemed (? assumed) to be guilty of using cryptography in a child abuse case simply because,

1. A standard crypto program was found on his computer.

2. The judge had indicated the defendant's level of technical knowledge was equivalent to that of an expert.

From what information was made available at the time, this appeared to be the sole criterion under which he was convicted.

Anonymous • January 16, 2008 12:16 PM

@Peter:

"http://www.viruslist.com/en/news?id=208274069"

The above story is about unauthorized access; Bruce Schneier (and others) are granting access to all comers. Can you perceive a difference?

John Ridley • January 16, 2008 12:29 PM

A friend at work does run an open network, but it's a separate WAP and router and does not allow access to his private network.

LAL • January 16, 2008 1:19 PM

The notion that configuring a WiFi AP to be secure is too inconvenient for a bunch of computer security people is laughable to me. Really, how hard is it to log in to a secure network? I'm glad my bank doesn't use this logic!

My network is open to all my guests - they just have to have the WPA password. A moment of inconvenience the first time they set it up allows them access for all future visits. And meanwhile, I don't need to worry about my neighbor siphoning off bandwidth, downloading child porn or doing other questionable activities via my IP address.

Larry • January 16, 2008 1:31 PM

I run the wifi at home wide open for very similar reasons. I do put the wifi outside my firewall so that anyone on the wifi has the same access to my home network as anyone else on the net.

Yves Moreau, U.Leuven, Belgium • January 16, 2008 2:03 PM

I wanted to make the following suggestion. The potential annoyances of someone abusing your open Wi-Fi connection are real, but the ability to use a random Wi-Fi connection to surf or check email is highly appealing (although it is the last thing service providers want). I think that someone should develop software for a Wi-Fi "sidewalk". By this I mean that our Wi-Fi software should allow users to access an open version of the Wi-Fi connection while the owner uses a private version of the connection. The open version would have a number of limitations (like limited bandwidth, lower priority vs. the private connection, limited volume, logging of visited IP addresses, maybe logging of MAC address of anonymous user). It would be like having a sidewalk along your property. You do not get to go through my backyard, but you are welcome to pass along the sidewalk.
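
The logging half of the "sidewalk" idea above, and the recurring worry in this thread about showing who used the connection when, comes down to keeping attribution records for the guest side. As an added example (not the commenter's code or any product's), the block below joins dnsmasq-style DHCPACK lines to firewall flow-log lines for a guest bridge, so each outbound connection maps to the MAC address that held the source IP at that moment, and a flow with no live lease is reported as unattributed. The log formats, the bridge name br-guest, the log prefix GUEST-OUT and all sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample data (not from the page): dnsmasq-style DHCPACK lines as a
# guest bridge "br-guest" might log them, and flow lines as a firewall LOG rule
# with the prefix "GUEST-OUT" might emit for new outbound guest connections.
DHCP_LOG = """\
Jan 16 14:01:02 gw dnsmasq-dhcp[811]: DHCPACK(br-guest) 10.99.0.23 aa:bb:cc:dd:ee:01 guest-laptop
Jan 16 14:05:40 gw dnsmasq-dhcp[811]: DHCPACK(br-guest) 10.99.0.24 aa:bb:cc:dd:ee:02
Jan 16 15:30:00 gw dnsmasq-dhcp[811]: DHCPACK(br-guest) 10.99.0.23 aa:bb:cc:dd:ee:03 other-phone
"""
FLOW_LOG = """\
Jan 16 14:02:11 gw kernel: GUEST-OUT SRC=10.99.0.23 DST=203.0.113.10 PROTO=TCP DPT=443
Jan 16 14:06:00 gw kernel: GUEST-OUT SRC=10.99.0.24 DST=198.51.100.7 PROTO=TCP DPT=80
Jan 16 15:31:05 gw kernel: GUEST-OUT SRC=10.99.0.23 DST=203.0.113.99 PROTO=UDP DPT=53
Jan 16 13:59:59 gw kernel: GUEST-OUT SRC=10.99.0.50 DST=203.0.113.10 PROTO=TCP DPT=443
"""

TS_RE = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
DHCP_RE = re.compile(
    TS_RE + r" \S+ dnsmasq-dhcp\[\d+\]: DHCPACK\([\w-]+\) (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$"
)
FLOW_RE = re.compile(
    TS_RE + r" \S+ kernel: GUEST-OUT SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


@dataclass(frozen=True)
class Lease:
    ts: datetime
    ip: str
    mac: str
    host: Optional[str]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_ts(text: str, year: int) -> datetime:
    # Syslog timestamps carry no year; the caller supplies it.
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def parse_leases(log: str, year: int) -> list:
    leases = []
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append(Lease(parse_ts(m["ts"], year), m["ip"], m["mac"], m["host"]))
    return sorted(leases, key=lambda l: l.ts)


def parse_flows(log: str, year: int) -> list:
    flows = []
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append(Flow(parse_ts(m["ts"], year), m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return sorted(flows, key=lambda f: f.ts)


def lease_for(leases, ip: str, at: datetime, lease_seconds: int) -> Optional[Lease]:
    """Lease in force for `ip` at time `at`: the newest DHCPACK for that address at or
    before `at`, provided it is still within its lifetime. A later DHCPACK that hands
    the same address to another MAC supersedes the earlier one."""
    candidates = [l for l in leases if l.ip == ip and l.ts <= at]
    if not candidates:
        return None
    newest = max(candidates, key=lambda l: l.ts)
    if (at - newest.ts).total_seconds() > lease_seconds:
        return None
    return newest


def attribute(dhcp_log: str, flow_log: str, year: int = 2008, lease_seconds: int = 3600) -> list:
    """Join every flow to the lease in force; flows with no live lease keep mac=None."""
    leases = parse_leases(dhcp_log, year)
    records = []
    for f in parse_flows(flow_log, year):
        lease = lease_for(leases, f.src, f.ts, lease_seconds)
        records.append({
            "ts": f.ts.isoformat(sep=" "),
            "mac": lease.mac if lease else None,
            "host": lease.host if lease else None,
            "src": f.src, "dst": f.dst, "proto": f.proto, "dport": f.dport,
        })
    return records


def destinations_by_mac(records) -> dict:
    """Per-MAC set of remote addresses; the None key collects unattributed flows."""
    out = {}
    for r in records:
        out.setdefault(r["mac"], set()).add(r["dst"])
    return out


if __name__ == "__main__":
    for r in attribute(DHCP_LOG, FLOW_LOG):
        print(r["ts"], r["mac"] or "UNATTRIBUTED", r["src"], "->", r["dst"], r["proto"], r["dport"])
```

The unattributed flow from 10.99.0.50 is the case worth alarming on: a guest address in use with no lease to explain it means the DHCP log and the flow log disagree, and the record would not hold up as evidence.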

Sid • January 16, 2008 2:18 PM

I agree with LAL. I don't think I'm being inhospitable if I secure my network. The SSID is broadcast and has my name on it so it's clear to everyone who belongs in my neighborhood that it's mine. If someone in the neighborhood, or a guest, wants to access it, they ask me, I give them the password, and they access it. What's the big deal?

Bruce lists some reasons we shouldn't be *too* worried about people doing nasty things on our networks, but the only reason he says we should open them up is hospitality. I figure I already have that covered, so why not add a little bit of protection from unauthorized access?

Anonymous • January 16, 2008 3:45 PM

In my case, my solution / reason is more old-fashioned - I just only use wired security. Main reason is that I am still not convinced that wireless is totally safe, from the health / cancer point of view. No doubt wireless NICs have lower power emission than placing a cell phone next to the ear, but I am not so sure about the access points. This is one issue both my spouse and I agree on, so no wireless it is. ( No, we don't have CRT TVs either - for a number of years already. )

A secondary reason is that by using wired connection, the kids have to access the internet only where the computers are - in the living room in open view of everyone. Primitive shoulder-surfing security, but we much prefer that.

However, I do agree with Bruce on the point that if I have guests visiting, they are free to connect their laptop to my switch. Right now, I still have to open up my DHCP server to accept their MAC, but I have no qualms about allowing open MAC access from the switch.

--- cllee

CTheSoup • January 16, 2008 6:28 PM

Two points:
1 - Once your name and the words "Child Pornography" are associated, it matters little that you're not guilty. You will always be suspect in your family's, employer's, friends' and neighbors' eyes. Damage done. Why risk it?

2 - Everyone is spouting about being a good netcitizen and leaving their access points open for people, because they expect the same in return. However, don't expect that because you keep an open AP means you can just jump on any other open AP. Using someone else's private AP and Internet connection is illegal. Your open AP doesn't cancel out your illegal actions. Find a public hotspot. If it's free, bonus. If not, pony up a little cash.

Reasonable • January 16, 2008 10:50 PM

Bruce's logic is totally off on this.
It is clear that keeping your network open adds risk, even if Bruce's assessment of the risk is low. Since there is no upside, don't do it. period.
I think Bruce supports open networks for political, rather than technical reasons. Bruce would like to see the erosion of copyrights and other IP, as seen from his opposition to DRM and other countermeasures; obviously a society where all wifi is open would make the IP holder's life harder. Nice, but I don't support this view and I would not risk my network or even bandwidth (and some ISPs would get upset if you consume inordinate amount) to further a political goal I oppose.
Sorry Bruce, no go.

Paeniteo • January 17, 2008 6:20 AM

@cllee/Anonymous:
"However, I do agree with Bruce on the point that if I have guests visiting, they are free to connect their laptop to my switch"

Indeed, this is basic politeness.
But for me, it is trivial to simply hand them the WPA password. It is in a text file on a USB stick, along with all other necessary config data (which is normally not needed anymore, nowadays), so getting access is usually a simple copy&paste.

Most of them have some profile management software for their wireless adapter, so next time when they come over, they simply activate the profile "at Paeniteo's" and there they go.

I simply don't see the benefits of leaving my wireless open. Yes, it could help someone who is "stranded without internet access", but I doubt this regularly happens to passers-by on the road in front of my house.
Also, I believe there are much worse/urgent emergencies than being without internet.
Consider a broken-down car, for example. Still, I do not leave my garage open so that people can get to my toolbox "just in case". Same goes with my telephone. Of course, if the need arises, someone may ask me to make a call from my phone. But should I put it in the lawn when I go out?

dakaw • January 17, 2008 10:02 AM

For those worried about unknown users downloading child porn etc, use OpenDNS, it automatically blocks such sites.

simpson • January 17, 2008 2:16 PM

@DougF:

"have yet to have my virus scanner pick up anything."

I'm always amused by the few people who still squeal this bullshit.

1. No virus scanner can detect all malware
2. Often scanners are whitelisted for policeware (and the Sony Rootkit before it was outed), what if hackers use this against others?
3. Any operating system which is closed source is untrustworthy by design
4. Any virus scanner which is closed source is untrustworthy by design
5. Malicious batch files or scripts can often fool most any virus scanner

The smug attitude is a laugh, but thanks for the chuckle.

Thomas • January 17, 2008 7:28 PM

@Reasonable
"""Bruce would like to see the erosion of copyrights and other IP, as seen from his opposition to DRM ..."""

Pointing out that the concept of DRM is flawed and all implementations of it to this point laughably easy to crack doesn't necessarily mean a lack of support for copyright and IP.

To me it makes more sense to assume that someone pointing out the shortcomings of DRM is a supporter of copyright, trying to warn others not to trust this snakeoil.

Colin Brace • January 22, 2008 5:23 PM

@dakaw "For those worried about unknown users downloading child porn etc, use OpenDNS, it automatically blocks such sites."

I have an open WAP and I use openDNS, which I recommend for various reasons. At the same time, I don't suppose openDNS would block "naughty" *numeric IP addresses*, would it? Just something to think about...

Orlando Stevenson • January 28, 2008 12:43 PM

I find myself in agreement with aspects of both positions. Open is a nice way to be friendly, yet ignoring built-in capabilities to secure your home network from wireless intrusions can be viewed as an electronic equivalent of leaving the porch light on and front door open – in some neighborhoods, not much problem (everyone doing it, safety in numbers), in others, dumb and big problems.

So, how to solve this dilemma?

On the cheap end of options, how about stacking two NAT wireless routers to establish a multi-network layer defense, the first one being closest to the Internet connection and “open” when you choose it to be, the next and inner-most NAT router secured for just the systems you fully trust. Low $s security, and it manages the risk of unknown “guests” otherwise fully trusted by your home network. In fact, the low-$ providers of NAT routers could offer a specific selling point to upgrade with dual “guest network” and “secured home network” capabilities in a single device.

When I get my "n" router, I'm planning on taking such an approach, but guests will still need to have a short key (lights on but door locked on my porch, and they'll only get into the breezeway, not roam the entire house).

tuesday • February 23, 2008 12:10 AM

Bruce,
Thanks for the access, friend.
I'm grateful, and won't hack or get greedy with your bandwidth.

JimH • March 13, 2008 2:42 PM

Well, I did keep my line open all the time until I found my sidewalk marked by war drivers. It is still not secured, but I now have a Traffic Cop with a red & green light. When I am at my computer the green light is lit and I can monitor my modem for outside traffic; when I leave I hit the red button, which turns off all traffic. I think this is the better of the two worlds.

JimH:

SomethingPositronic • March 23, 2008 3:08 AM

From http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320 you say:

"The idea is for me to paint this stuff on my valuables as proof of ownership," I wrote when I first learned about the idea. "I think a better idea would be for me to paint it on your valuables, and then call the police."

Which is funny, because you are keeping your home WiFi network open.

Which is funny to me, because the very first thing I thought when I read http://yro.slashdot.org/article.pl?sid=08/03/20/2323247&from=rss and http://www.news.com/8301-13578_3-9899151-38.html?tag=nefd.pop , the VERY FIRST THING was "Hey, that's funny, so all I have to do to have the FBI confiscate all of Bruce Schneier's computers, data and records is to drive up to his house and pull some kiddie-porn sting URLs through his AP? Possibly even get him arrested on child porn charges? Hmm, ain't that a heckuva thing."

Bruce, you're a public figure. In *computer security*, of all things. All things considered...

...do you really, actually still think that it's a good idea to keep your WiFi network open?

So, there's that.

And then right after that, I thought "Hmm, this makes it really scary to operate a spider that hunts the 'net for open servers (http and otherwise) and crawls them...because if one of them is an FBI sting box, your spider could get the FBI breaking down your door, arresting you, and taking all your stuff...and/or shooting you or your family members if they freak out due to the home invasion...and getting you fired due to missing work or even the *accusation* of child porn grabbing...

And then there's the FUN angle of hacking bluetooth on people's cell phones (that have network connectivity through their service providers) and pulling sting URLs through their phone...without them even knowing.

And say you wanted to destroy the reputation of a church, or some church elders? You can remotely pull URLs through their network (from 100's or even 1000's of feet away with a good antenna, or just plant a small WiFi device that scripts the grab) when just those elders are there.

And so on. This really does write itself after awhile. Twisted thinking indeed...I'm surprised you haven't put a few more turns on this one, really.

Good luck!

scchelpdesk • March 24, 2008 5:55 PM

wow, that is a great topic of debate. Relating to Open Wireless networks, have you seen any issues where laptops with either XP or Vista that once could connect to an open wireless network, now can not? I went through a few days worth of forum searches at Dell, Microsoft and Google. I think the post about the 25,000 student State University is a valid one and I can't see why Microsoft would issue patches ('cause my hardware has not changed) to protect me from Open Wireless Networks. I can connect to my hidden SSID, WEP enabled AP without any issue. Issue is not OS specific, in my case. I had Vista Business and have loaded XP (thinking I could blame Vista), but still have the same issue with Open Networks.

SMG • April 9, 2008 10:36 AM

Hi Bruce, I enjoyed your piece, "Open Wireless Network." However, a good reason for an encrypted network is kids. I do not want my kids to be able to access the internet in a non-public room (such as their bedroom) because of the ease of viewing an inappropriate site (type "boobs" into Google to see how easy it is) or engaging (via email or chat) with an undesirable.

I know this is not a cure-all. But it does reduce the likelihood of my kids surfing to where they should not or conversing with a nogoodnick.

--SMG

Anonymous • April 19, 2008 9:32 AM

What you are doing is noble. The risk you should worry about, as some people above already said, is not so much the things your internet could be used for (except perhaps leeching down your bandwidth) but rather the damage that can be done to your network: your logins, passwords... Before you know it the 'bloke in his car' runs your network, knows too much and might attempt an identity theft and steal some real $$$ from you.

I suggest that you DON'T use a modem/router box as sold in the stores, but use an old computer.
Check IPCop or Smoothwall, for example; this will give you a much more professional modem/router/firewall/proxy/on-the-fly virus scanner/...

Allows you to do what you want to do: what to allow, what not. Store stuff on the proxy (Windows updates, for example) to save you bandwidth and, most important... keep control over your network.

Again your idea is noble but act wise, use good equipment.

(It's like sex... It's fun, but when you don't know who you're dealing with, use a rubber.)

Jay • May 10, 2008 8:03 PM

What the heck...

I have mine open, and don't give a damn really.

Any files I really care about are backed up, and I don't do anything illegal, and am careful about bank/credit card transactions, or anything else that might actually be useful.

So whatever info passes through me is fine by me, if I get nasty messages from my ISP about people running servers I might rethink it.

James • May 15, 2008 4:38 AM

In my personal experience, your computers are more at risk from being stolen, than someone breaking through your security.

I left my wireless network open for years, nobody used it.

I left my back door unlocked one night, and in the morning my laptops had gone along with several other things. I was in at the time too.

Your data is of zero importance to people, they're not going to sit outside your house sniffing packets looking for VISA numbers. They're more likely to wander in and just take your laptop to sell.

But saying that, any open Wifi networks called "Belkin54g", "Netgear" or "Linksys" are just screaming "Point a browser at 192.168.0.1 and log in and mess around please!". There's got to be some basic security to protect the computer illiterate though; it's a bit unfair otherwise.

Morgan Storey • June 22, 2008 10:53 PM

Interesting article Bruce, but laws vary from country to country. The onus is on you here in Australia if your network (wireless or not) is used to perform a crime. So web cafés lock down their networks, and free hotspots require registration. WPA doesn't look to have vulnerabilities short of brute forcing or using rainbow tables. The latter can be negated by using a different-than-default SSID and a long WPA key; mine is almost at the maximum.
But I see what you mean. Originally I had my Wifi segregated off and free; then my missus said, "But what if someone does such and such?", and I said, "Well, I would be fine, surely." She, being a student at law, had a look, and lo and behold, I would be liable to an extent. My wifi has been locked since then.
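
Why the SSID matters for the rainbow-table point in the comment above, as an added example that is not the commenter's code: WPA/WPA2-Personal derives its 256-bit pairwise master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table precomputed for a factory-default SSID (the "Belkin54g"/"Netgear"/"Linksys" names James lists earlier) says nothing about a renamed network even when the passphrase is identical. The test vector is the first one published in the IEEE 802.11 standard's annex; the default-SSID list and the 20-character passphrase threshold in the review function are my assumptions.

```python
import hashlib

# Factory-default SSIDs named in this thread; illustrative, not exhaustive (assumption).
DEFAULT_SSIDS = {"belkin54g", "netgear", "linksys"}

# Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR = ("password", "IEEE",
                    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32 bytes. The SSID-as-salt step is what
    keeps a precomputed table bound to one network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def derivation_self_test() -> bool:
    """Check the implementation against the standard's published vector."""
    passphrase, ssid, expected_hex = IEEE_TEST_VECTOR
    return wpa_psk(passphrase, ssid).hex() == expected_hex


def keys_collide(ssid_a: str, ssid_b: str, passphrase: str) -> bool:
    """True when two networks sharing a passphrase would also share the derived key,
    i.e. when a table built for one of them transfers to the other."""
    return wpa_psk(passphrase, ssid_a) == wpa_psk(passphrase, ssid_b)


def review_wpa_config(ssid: str, passphrase: str) -> list:
    """Defender's checklist for the two exposures the comment names: a default SSID
    (precomputed tables apply) and a short passphrase (guessing is cheap)."""
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: precomputed PSK tables for this name apply")
    if len(passphrase) < 20:  # threshold is an assumption for this example
        findings.append("short passphrase: %d chars, the standard allows up to 63" % len(passphrase))
    return findings


if __name__ == "__main__":
    print("derivation matches IEEE vector:", derivation_self_test())
    print("same passphrase, default vs renamed SSID, same key:",
          keys_collide("linksys", "storey-home-ap", "correct horse battery staple"))
    print(review_wpa_config("Linksys", "hunter22"))
```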

Chris Blalock • September 9, 2008 4:23 PM

Having just bought a Linksys router, I can tell you that they make it very easy to set up the security. There's even a "new" feature that allows you to authenticate a computer by hitting a button on the router - I'm not sure if it sends the pw to the comp or if it just authenticates it for 1 session, though.

someone on your network • November 3, 2008 9:47 AM

Dear Sir,
Will you at any point touch on the topic of security for wireless cell phones? I have a Nokia 95 8GB and I have done everything as instructed, yet it does not shut down the wireless, and someone keeps coming into my phone and deleting my flight information, resumes etc. What to do, what to do?

Anonymous Bully • November 3, 2008 4:21 PM

Bruce,
This crowd offered 'enhanced security', saying it was not required, but in essence it was. I have gone three months without being able to properly enter the computer for on-line banking. Must go to my regional office and let them bank for me. Finally got the magic password and security stopped me on the first word.

Alexander • November 4, 2008 4:39 AM

Security is not the only reason why you would want a protected wlan. Performance is important as well.
If someone would use my wireless to download or upload anything it would hurt the latency of my connection.
I'm not using the wlan for gaming but I don't want anyone to use it while I'm playing either since it would hurt the overall performance of my internet connection.
And because of the configuration effort I'm not switching back to an open network when I'm done gaming, even though this is a bit selfish.

DoDo • November 4, 2008 3:54 PM

The concept of locking our door has been around for long time. There's no reason not to do the same for WiFi.

Sure there's some downside for outsiders if we lock our network, but then why should the accessibility problem be the responsibility of each household?

I believe that in the next few years, government/city will increasingly see the Internet as public-infrastructure related issue before they start doing anything about it.

John S,
If you still wish to keep your network open but at the same time, wish to keep your neighbor out, you can. You simply add their MAC address(es) to your router's block list.

DoDo • November 4, 2008 3:57 PM

jstewart,

Brilliant idea.

"Most of us have had problems with neighbors intentionally or unintentionally leeching bandwidth and so run closed networks. If my router could give priority to my mac addresses I'd open it up in a second."

Enzo • December 29, 2008 11:50 PM


This is dumb advice, plain and simple. You need to secure your network. Most people have a lot of wireless devices. For example, I have a Tivo, 2 iPhones, an Apple TV, 2 laptops, 1 Slingbox and a desktop. Leaving your network open will cost you bandwidth and leave you vulnerable to all sorts of hacks & scams. I understand the spirit of what Bruce is saying, but he's dead wrong on this. Once someone hacks your network for spamming or child porn you won't take the same position. You'll be in a legal battle for your life which you don't need.

Sure, once my computers leave my house I have to secure them. I do this with the software firewalls that they have. But my Tivo & Slingbox don't have built-in firewalls. There are plenty of other wifi devices that don't either, and those will be vulnerable without being on a secure wifi network.

Leaving your wifi network open is pretty stupid and is no different than leaving your car unlocked or your house door unlocked. You can if you want to, but you're just asking for trouble.


newkidintown • March 8, 2009 12:50 AM

Hi everybody, hi Bruce... I have a question for Bruce: did you in any way modify your point of view on this topic after reading the numerous various comments and reactions, or do you stick to your original way of doing things as regards your home wi-fi security?
Maybe we could get your 2009 point of view about all this!?
Thanks

Soylent • April 1, 2009 5:00 AM

"Sharing is great, but here it's more subsidizing. That's OK too, but when it affects your ability to connect, then it's a problem."

I have a 100 Mbps symmetric connection that costs me $20 per month, as does everyone in the block of flats where I live (it's included in the rent).

I'm sure there's some bandwidth limit theoretically, but I haven't yet encountered it, and I can tell you from experience that whatever it is, it's north of 100 GB/month.

I see a few open wireless networks and a whole bunch of closed ones. Only once in a blue moon will someone try to use mine and they're welcome to it.

Anonymous • April 8, 2009 12:31 AM

I have done a little research. If you were to pay for a phone and have it in your front yard with a sign that says "free phone calls", and it is used to commit a crime, there are no laws that may punish you for this, nor make you an accessory to the crime; hence the pay phone company would be charged for all of the crimes committed over their phones. The same goes for your wireless. I work with CGI and send around 500 GB a month of data; I have had my ISP ask me questions and that's all. I also share my network; I have high-speed Road Runner, and anyone on it gets 35 Mbps. My point: share your damn wireless. Most people can't afford it. How grateful would you feel if the guy next to you let you on when you couldn't have your own? To some of us that would make him our hero, correct? As far as security threats, I can hack any wireless in under 20 mins and disable you from your own router in 5 with your network secured, so you tell me whose I would mess with: the guy that's nice or the stingy guy that presents me with a challenge?

Sr. Lopez • June 29, 2009 12:53 PM

Thanks for driving on a cell phone and endangering my life. I'm sick of idiots on cell phones driving like Sh*t. I think it should be legal to run them off the road since they do the same to me on occasion. And when I have my 9 month old in the back seat, it should be legal to fire a pistol through their windshield as self defense.

Tobias • July 24, 2009 1:54 PM

Thanks for this article. I think in exactly the same way and I have practiced the same thing (plus a captive portal to track concurrent users with timestamps in case police knocks my door down) for years.

It’s really cool to link to you whenever people start the usual »ZOMG, WPA2 or else« sermon.

Wolfgang Draxinger • July 28, 2009 3:04 PM

Leaving your WLAN open is not such a good idea in Germany: It gets you your equipment confiscated and you'll not get damages awarded:

http://www.heise.de/netze/news/meldung/142658

A man got his house raided after a neighbour used his open WLAN to post an announcement on a message board that he'd be going on a gun rampage. After he had been cleared of charges, he was denied any compensation, as by leaving his WLAN open he'd forfeited any claims. Juristically that's more than debatable, but, adapting Animal Farm, police and government are a lot more equal than the rest of the population.

SquiggiE • September 4, 2009 3:44 PM

This is utterly ridiculous nonsense from a so-called "Security Professional". What's your address...I'll sit outside, in my car with my pentest setup.

Hope you don't check your email, bank accounts, email, 401k, IRA, etc...

Wait, of course you do. Hmmm... so does my good friend ettercap....

Note to all reading this article, set up WPA2+AES....or don't, we don't mind... ;-P

Beeker • October 17, 2009 6:50 PM

So, some of you wanted to hear a horror story about open wi-fi? Here's one: I work with students who can make a laptop dice and slice. They hack into them at school, crack firewalls and come up with daily proxy means to beat the security measures we have at school. Now, here I am living in an apt. complex with an open wi-fi (I'm not the least bit computer literate) and in the same complex live several of my students as well! Some are not even legal residents of the country but are here for an American education! They've left notes on my car (nothing threatening, just "hi"), have come to my door asking for a drink (yeah, right!) and so forth... Last week, the postal insp. asked to speak with me. No problem. I went in. WELL, come to find out credit card apps were sent to my mailbox cubicle (which I had to have the maintenance man change a year ago because it kept getting left open) and even though none were used, the investigation led them....THAT'S RIGHT...TO MY IP ADDRESS! Ta-da! So, here I sit, paying for an atty that I can't afford to defend me. And btw, that's ALL they have! Mail going to my obviously breached mailbox cubby and my IP address. Gee? I wonder how THAT happened. I may sound glib guys but, I'm facing serious trouble here and for what? Being naive and never giving a second thought to securing my wi-fi. There. I'm not telling anyone what they should do - I'm just giving you an example of what COULD happen!

DingleDeeDoo • May 15, 2010 8:18 AM

SquiggiE: Just because the network isn't encrypted doesn't mean the content isn't. Online banking and online shops use HTTPS. For e-mail you usually use TLS/SSL-encrypted connections, too. Now, if you actually use an encrypted VPN for everything, all you expose is encrypted traffic.

In fact, if you stop believing that LANs are inherently safe and secure and take the right approaches, a WLAN is just that: a wireless LAN. The trouble with open, unencrypted WLAN is of a legal nature and not a question of privacy, unless you still believe obscurity equals security.

Granted, most people won't use a VPN for everything and don't have a clue what they expose about themselves at all. So I certainly wouldn't recommend this to Joe Average.

David • May 16, 2010 7:53 PM

I have a neighbor with an unsecured network. His router is open and his printer setup is also open. I'm no haxor, but it didn't take me long to figure out who he was, since he used his last name for the computer's name. Zabasearch told me where he lived.

He has a little girl; I've driven past the house. I could download pr0n with his wifi and then send it to his expensive-to-use all-in-one HP color inkjet printer/scanner.

I sent a letter to his own printer, addressed to him by first name, suggesting that he lock it down. With no password on the router setup, any fool could lock him out of his own box.

He probably doesn't care about the bandwidth. When I typed the router's local address I guessed wrong the first time and got a Comcast-branded 404 page, so he has such a high-speed cable connection that an open 'G' wireless isn't going to push him over the download limit anytime soon.

He does have a password on his computer. I tried a remote login and there was actually a password there.

7G Operator • July 11, 2010 12:57 PM

I think unsecured/open wireless access points are a double-edged sword. They have their positives and they have their negatives. For instance, I am writing this message courtesy of a local open network near here. I am slightly more of the thinking that people should secure their networks, as it is kind of responsible to do so. Has anyone mentioned WEP encrypted protection and how you might as well turn off that protection, as it does nothing more than ensure a false sense of security? WEP encryption is crackable in approx. 2-5 minutes, as I have demonstrated with both my brother's and my uncle's wi-fi connections, usually producing a 'what the heck' as I tell them their passwords.

a) As aforementioned by some other dudes, once you have a connection to the wireless LAN you can easily monitor network traffic traversing it with a deep-packet inspection tool such as Wireshark.

b) Gain entrance to the system via the router. By allowing open connectivity, you give away the IP address of your router. (What good is a rock-solid fortification, e.g. WPA2 encryption, if you leave the back door to the castle open?) Routers are notable for inherently poor security standards; be aware of this.

c) Access any accidentally shared shares such as printer shares/file shares or ultimately IPC$, which with the relevant know-how can be utilized to escalate privileges, leading ultimately to non-cool root access. Once compromised, your computer can easily become a participating node in a cyber attack (botnet attack), or, as aforementioned, be used for other various shady things.

d) They could be used to directly/indirectly attack a government organisation/FBI, whatever, which when traced back would appear to come from your computer. The real culprit is somewhat undetectable, especially if they use further measures such as proxying after connecting via your wireless, or using Tor, etc. It also goes without saying that using a MAC-changing tool to change MAC addresses is a fairly simple operation.

The best way to deduce individuals these days, I would have thought, would be via OS fingerprinting or browser scripting, or perhaps the MI5 database (Facebook). IP addresses are no longer really of any value, which could, to my understanding, result in a few possible logical conclusions:

-Identity being required to purchase computers in the first place.
-Unique connection of machine to individual, like a passport but for computers.
-Ideally getting a computer to function on a DNA level (sampling dna before each use).

A few ideas for you dudes/dudettes anyways.

- Eiji Takanaka.

ryan bagueros • November 7, 2010 4:55 PM

I stumbled on this article via the current article about Firesheep :)

I wanted to add my vote for open wireless networks. I don't encrypt my home wireless network for the same reason: I want people to use it if they need it! I keep logs of who connects, and I live in a densely populated part of San Francisco (SOMA/downtown).

In 4.5 years of running my wireless network like this, I've had only 5 visitors. Two of them are my neighbors, who I think connect accidentally because my signal is stronger than theirs. Another one is some mobile device that always connects sporadically. And there have been two others who I didn't watch too closely, but a few minutes of tcpdump just showed them surfing some news websites.

On the flip side, once I had trouble with my DSL account and I had to wait 4 days for my new modem to arrive. I posted signs all over my building, the building next door, etc. explaining my situation, asking folks to temporarily let me connect to their networks.

Not one person sympathized at all. After 1.5 days of waiting for someone to come to my rescue, I figured out they were all too selfish and/or FUD-filled to let me use it, and I paid for a dial-up account for one month (+ setup fees) just because they could get me online same-day.

I was very disappointed in my neighbors... they know exactly what it'd be like to be suddenly offline, especially for someone like me who has 10 ssh sessions active at any given time (yes, I use screen).

But honestly, this is the culture I have found here in SF. No one is willing to move an inch unless it directly benefits them. I come from the Midwest, where the poorest people you could know would give you the last $5 they had if you needed it. *shrug* The only reason I stay in SF is that I know so many people and can get work for my business so easily.

But, everyone knows my goal is to move away to a place where community values are important (I've found it to be like that in Brazil and many other places in Latin America where, not coincidentally, societies there have fully embraced free/open source software -- see the URL associated with my post).

Allen Nicks • November 16, 2010 12:21 PM

I see where you are coming from, man, but the law can hold you liable, and trust me on this. If a crime is committed using your network, trust me, a prosecutor will trouble nailing you as an accessory to the crime.

Troy Riggs • April 26, 2011 3:27 PM

First of all, I see leaving my wi-fi network open as just part of being a good neighbor - akin to letting someone borrow my phone, or a neighbor use the light from my front door while taking out their trash at night.

Then, even if I do secure my wi-fi network, I've only secured the first hop to a network that is, by design, significantly more robust than it is secure.

Securing my wi-fi network does not guarantee the "stormtroopers" won't bust through my door, nor will my attempt to do so provide me with a useful defense in court if they do. But having an open wi-fi network does provide me with some reasonable doubt, since the offending traffic could have been generated by anyone in the area.

Sometimes the best security is complete openness.

sandeep • May 15, 2011 1:35 AM

I suppose people paranoid about their security can use powerline Ethernet as a private LAN. Open wireless is good for internet access.

Paul • May 15, 2011 10:46 AM

Lots of folks run open wifi networks simply out of ignorance, not knowing it's open, and will be quite miffed if someone interprets the openness as an invitation to connect. They may try to sue for theft of service.

Hans • May 16, 2011 3:22 AM

There was an open wireless movement in Sweden after the passing of the IPRED law, allowing companies access to the IP numbers of file sharers.
The Swedish Pirate Party started a campaign where people left their Wi-Fi unencrypted and the SSID set to "Ipredia" in order to achieve deniability.

senrich • August 25, 2011 11:53 PM

I just have two routers. One is directly connected to the internet and uses encryption. The other one is connected to it and is open. I replaced the junk firmware with DD-WRT (open Linux) firmware and run quality of service. I bump down the open router, so I will never be slowed down by someone jumping on the open connection. Closing your connection because someone might someday do something unlawful with it is like never offering someone help when they're in need. It may be less risky to not give someone help if their car's broken down or they're hurt or otherwise in need, but being Good requires taking risk sometimes. The way I figure it is, when I'm out and about I'll borrow someone's open network; if they happen to be around my house they can do the same. It just seems neighborly to me.

Jef • July 9, 2012 2:10 PM

Bruce, flash-forward - it's now July 2012, 4.5 years since your original posting. Any change in your position about having an open wi-fi spot in your home? Especially now with streaming HD multimedia from online vendors like Netflix, Vudu & Amazon?

I have a new complex of about 20-25 housing units that are now broadcasting into my limited G network range; one is an open guest account that I assume their router/gateway allows as a secondary wifi AP. However, I secure my wifi, and I also set others' up the same way, except in remote rural areas, due to security and bandwidth issues. I do like the idea presented of including a phone number in the SSID to help with interference issues. Finally, if anyone is interested in good freeware for detecting wifi nets, see inSSIDer at www.metageek.net/support/downloads/

Steven • July 5, 2013 4:36 PM

I'd really like to do this, but UK law sounds pretty fearsome in the unlikely event that someone used it for something illegal which is then traced to your address. Falling under the suspicion of plod could mean the seizure of your equipment (which is pretty serious if you need it for work/study/leisure), and then being forced to decrypt anything they suspect of being encrypted (or that they perhaps couldn't understand), or otherwise face jail and unproven accusations, without being convicted of the original allegation. [RIPA, part III]

So, as a compromise, I could consider a special VLAN (or physically separate LAN) dedicated to open wireless traffic, whose outgoing connections are routed via Tor. To protect users' privacy I could permit only SSL/TLS and VPN traffic types through. A captive portal for HTTP could explain this policy, or automatically redirect http:// URLs to https:// where possible, similar to how HTTPS Everywhere works.

It's not going to be as fast or as useful as it could technically be, but at least it should transfer any legal risk over to the Tor exit node operators, who hopefully don't live in a dystopia. Latency would be too high to make voice calls, but probably still better than some of the 2G mobile data (cell) networks where I live, and as a benefit it should discourage use for nuisance peer-to-peer or other excessive traffic.
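
The guest-VLAN-through-Tor design sketched in the comment above, as an added example that is not part of the original post or any commenter's setup: a shell script that emits (and can syntax-check or apply) an nftables ruleset. The guest VLAN interface name wlan1.10, the gateway address 10.99.0.1, the Tor TransPort/DNSPort numbers 9040/9053, the captive-portal port 8080 and the torrc lines in the comments are all assumptions. Guest TCP to the allowed ports is transparently redirected into Tor, DNS goes to Tor's DNSPort, port 80 goes to the local portal, and everything else from the guest side is dropped, so guests can reach neither the home LAN nor the Internet directly.

```sh
#!/bin/sh
# Added example (not from the original post): nftables ruleset for an open
# guest VLAN whose TCP traffic is transparently routed through Tor, with only
# TLS-style and VPN ports allowed, HTTP sent to a local captive portal, and no
# path from the guest VLAN to the home LAN or directly to the Internet.
#
# Assumptions (all hypothetical): guest VLAN interface wlan1.10, gateway at
# 10.99.0.1; tor runs on the gateway with
#   TransPort 10.99.0.1:9040 IsolateClientAddr
#   DNSPort   10.99.0.1:9053
#   VirtualAddrNetworkIPv4 10.192.0.0/10
#   AutomapHostsOnResolve 1
# and a captive-portal web server listens on 10.99.0.1:8080.

GUEST_IF="${GUEST_IF:-wlan1.10}"
TOR_TRANS_PORT="${TOR_TRANS_PORT:-9040}"
TOR_DNS_PORT="${TOR_DNS_PORT:-9053}"
PORTAL_PORT="${PORTAL_PORT:-8080}"

# Print the ruleset. Tor's TransPort carries TCP only, so UDP VPNs (WireGuard,
# OpenVPN/UDP) cannot be offered under this policy; OpenVPN over TCP can.
# No IPv6 is handed out on the guest side, so v6 simply falls into the drops.
guest_tor_ruleset() {
cat <<EOF
table inet guest_tor {
  set tls_vpn_tcp {
    type inet_service
    elements = { 443, 465, 993, 995, 1194 }   # HTTPS, SMTPS, IMAPS, POP3S, OpenVPN/TCP
  }
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    iifname "$GUEST_IF" udp dport 53 redirect to :$TOR_DNS_PORT
    iifname "$GUEST_IF" tcp dport 80 redirect to :$PORTAL_PORT
    iifname "$GUEST_IF" tcp dport @tls_vpn_tcp redirect to :$TOR_TRANS_PORT
  }
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$GUEST_IF" ct state established,related accept
    iifname "$GUEST_IF" udp dport 67 accept
    iifname "$GUEST_IF" udp dport $TOR_DNS_PORT accept
    iifname "$GUEST_IF" tcp dport { $TOR_TRANS_PORT, $PORTAL_PORT } accept
    iifname "$GUEST_IF" counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$GUEST_IF" counter drop
    oifname "$GUEST_IF" counter drop
  }
}
EOF
}

# Syntax-check the ruleset without loading it (needs nft installed).
check_guest_tor_ruleset() {
    guest_tor_ruleset | nft -c -f -
}

# Load the ruleset (run as root).
apply_guest_tor_ruleset() {
    guest_tor_ruleset | nft -f -
}

case "${1:-}" in
    print) guest_tor_ruleset ;;
    check) check_guest_tor_ruleset ;;
    apply) apply_guest_tor_ruleset ;;
esac
```

Run it as `sh guest-tor.sh check` to have nft validate the generated rules, then `apply` as root. Because the nat redirect rewrites the destination to the gateway itself, the input chain has to accept the Tor and portal ports explicitly; everything the guest sends that is not redirected reaches the forward chain and is dropped there, which is what keeps the open SSID off the home LAN.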

Florisz • October 2, 2013 9:46 AM

Bruce, I totally agree with you.
Since securing WiFi is never good enough, why do it at all? And I like to use open wifi elsewhere, so I share mine.

Now I tried to search the internet for solutions to monitor your wifi network for misbehaving usage. Just like there are virus scanners, there should be a solution possible to notify or close down the connection (momentarily) on misbehavior. But I really can't find anything like it.
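
Two commenters above want the same thing from the gateway: ryan bagueros keeps logs of who connects to his open network, and Florisz asks for something that notices a misbehaving guest and cuts the connection. An added example that is not from the original post or from either commenter, doing both over ordinary syslog lines: it assumes hostapd logs association events as `AP-STA-CONNECTED <mac>` and that a firewall rule logs guest-side outbound SMTP attempts with the prefix `guest-smtp:` (a stand-in for whatever "misbehaviour" you choose to log). The `banned` set in the generated nft command and the sample log are both constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post or any commenter): summarise who
# uses an open guest AP and flag clients that abuse it, from syslog lines.
# Assumed inputs: hostapd "AP-STA-CONNECTED <mac>" association events and a
# firewall rule that logs guest-side outbound SMTP with prefix "guest-smtp:".

# Constructed sample log (not real data).
sample_log() {
cat <<'EOF'
Jul  5 16:40:01 gw hostapd: wlan1: AP-STA-CONNECTED aa:bb:cc:dd:ee:ff
Jul  5 16:41:10 gw hostapd: wlan1: AP-STA-CONNECTED 02:00:5e:00:53:01
Jul  5 16:42:00 gw kernel: guest-smtp: IN=wlan1.10 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=10.99.0.23 DST=203.0.113.9 PROTO=TCP SPT=51234 DPT=25
Jul  5 16:42:01 gw kernel: guest-smtp: IN=wlan1.10 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=10.99.0.23 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=25
Jul  5 16:42:02 gw kernel: guest-smtp: IN=wlan1.10 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=10.99.0.23 DST=203.0.113.11 PROTO=TCP SPT=51236 DPT=25
Jul  5 16:43:00 gw kernel: guest-smtp: IN=wlan1.10 OUT=eth0 MAC=00:11:22:33:44:55:02:00:5e:00:53:01:08:00 SRC=10.99.0.31 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=25
Jul  5 16:45:00 gw hostapd: wlan1: AP-STA-CONNECTED aa:bb:cc:dd:ee:ff
Jul  5 16:50:00 gw hostapd: wlan1: AP-STA-CONNECTED 02:00:5e:00:53:02
EOF
}

# Distinct client MACs that have associated, one per line (reconnects dedup'd).
guest_clients() {
    awk '/AP-STA-CONNECTED/ { for (i = 1; i <= NF; i++) if ($i == "AP-STA-CONNECTED") print $(i + 1) }' "$1" | sort -u
}

# Source MACs with more than $2 logged outbound-SMTP attempts, as "mac count".
# In kernel firewall logs the MAC= field is dst-mac:src-mac:ethertype, so the
# sender is octets 7-12 of that field.
flag_abusers() {
    awk -v limit="$2" '
        /guest-smtp:/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^MAC=/) {
                n = split(substr($i, 5), o, ":")
                if (n >= 12) src = o[7] ":" o[8] ":" o[9] ":" o[10] ":" o[11] ":" o[12]
            }
            if (src != "") hits[src]++
        }
        END { for (m in hits) if (hits[m] + 0 > limit + 0) print m, hits[m] }
    ' "$1" | sort
}

# nft command that cuts a client off; assumes a hypothetical set "banned" of
# ether addresses in table inet guest_tor, checked by an early drop rule.
block_cmd() {
    printf 'nft add element inet guest_tor banned { %s }\n' "$1"
}

case "${1:-}" in
    demo)
        f="$(mktemp)"; sample_log > "$f"
        echo "clients:"; guest_clients "$f"
        echo "block commands for clients with >2 SMTP attempts:"
        flag_abusers "$f" 2 | while read -r mac n; do block_cmd "$mac"; done
        rm -f "$f" ;;
esac
```

Run `sh guest-watch.sh demo` to see it against the constructed log; on a real gateway point `guest_clients` and `flag_abusers` at /var/log/syslog from cron and pipe the output of `block_cmd` into nft. The MAC-field layout is the detail people get wrong: the first six octets are the gateway's own address, not the sender's.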

ion • November 24, 2013 12:03 PM

I used to do this with a guest SSID. Since 2008 many things have changed; internet is very affordable and available where I live: 50Mbps connection - 6.5 Euro, 100Mbps - 8.8 Euro, 500Mbps - 11 Euro, 1000Mbps - 13 Euro, DSL connection only 5 Euro. Mobile connections start from 3.5 Euro for an unlimited plan at 3G speeds. 4G is a little more expensive and does not have good coverage.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.