News of the Weird, Network Version: Security Guru Leaves His Wireless Network Open

[Husar]

My router is pretty secure in that regard.

Spoiler Alert, click show to read: 

It's not a WLAN router. hahaha

[sapi]

And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

He actually has a point there; it's one of the few viable defences I've seen tried in the multitude of file sharing cases that are going around :)

Oh, and my network is unsecured here, too. I'm not at all worried - after all, if I couldn't get a decent signal 10m from the AP and had to switch to wired to avoid that, anyone who can pick up the network from outside deserves access

[Whacker]

OK, I have a few thoughts to contribute here.

First, regarding open WLANs in general. Honestly, any security you can layer on top of the application at the network level is a good thing in terms of obfuscation, but it doesn't always mean much. It's not hard for someone determined to crack a poorly protected WPA type environment, and WEP has been/is a total joke. However, for the enterprise, all this equates to additional cost and resources to put into managing the infrastructure, setting up clients, managing keys, etc etc etc. Personally at my employer (which is huge, global 300k+) and at numerous other businesses I've dealt with, I've never seen a general Wifi deployment without any kind of protection.

In terms of home use, I think it's even worse to leave an AP open, for a number of reasons (some of which have been alluded to already).

First, I believe in the US that there is either a law in coming or it's already been passed (I think the latter) which causes AP owners to be responsible for any content or problems that arise from their hardware, so "Well it was open" doesn't hold water anymore. It'll be interesting to see that actually tried in court and see if it stands up, because my professional (and armchair legal) opinion is that it wouldn't survive judicial review. I'd had to be the poor sap who has to fight that battle though, if it hasn't already. Maybe Tincow knows about this and can comment.

Second, as a home user, most people are going to be running their systems just like our own very dearest husar, wide open, half patched and vulnerable. Windows firewall is a joke for the most part for a number of reasons, but the core is that it can't stop everything and users will often just bypass it anyway with the brainless "OK" clicking on dialogues it presents, or the same with websites that ask for admin privileges. Thus, even with "default" settings that ship with the last few iterations of Windoze, there's still a ripe, fleshy, vulnerable interior that once you get past, it doesn't matter. Bruce could be using the logic that he doesn't care about the network level, and relies on application and OS level controls to minimize security exposures, but I don't subscribe to that. My mantra is "security in depth", which esp. for home users means using every tool available to it's fullest potential. Thus, I have my home router set up with AES WPA that I change the key every 6 mo or so, all 3 computers are all built and setup personally by me and secured to the hilt (wife complains often), and she's also had several lectures on "how to use teh intarnets", complete with lots of eyerolling and ignoring me like usual.

So again in a simplified version, we use:

1. Network level control; WPA, router/firewall properly configured, etc.
2. OS level control; passwords, lockouts, disabling services and apps, general hygiene
3. Application level control; installing only "good" applications, using available security settings (Firefox stored password encryption)
4. Good PC usage; not clicking "OK" all the time in general on dialogues, not browsing or doing business with "questionable" sites, etc

/soapbox off



Why

[R'as al Ghul]

Unless he logs every connection passing through his router and gets those logs certified, he won't be able to prove that anyone else has used his WLan AP. In the case of a charge the fact that he maintains an open network is no prove that someone else has used it. As long as he can't prove that someone else used his connection one has to assume that he did it himself.

This is weird.

[Whacker]

Unless he logs every connection passing through his router and gets those logs certified, he won't be able to prove that anyone else has used his WLan AP. In the case of a charge the fact that he maintains an open network is no prove that someone else has used it. As long as he can't prove that someone else used his connection one has to assume that he did it himself.

That's true, BUT it's not proof either that he was using it, hence burden of proof falls apart. Unless it can be correlated with other data that uniquely identifies him, it's just guesswork. Even if they can link it at least to his personal PC, it's still not proof that it was him using it. Hence why I have huge problems with legal BS like this and legal precedent being set on crappy cases with "evidence" that doesn't remotely prove anything.

[R'as al Ghul]

That's true, BUT it's not proof either that he was using it, hence burden of proof falls apart.

Okay, that may be the case in the US but here in Germany the owner of the connection is liable. This means that when you open your wifi you are responsible for the content should a crime be committed.
This is how the Music Industry gets your data in case of sharing of copyrighted material in Germany:
- They find the IP online
- They file a charge under criminal law
- The provider has to disclose the data behind the IP to the district attorney(MI doesn't have the IP yet)
- The criminal charge is likely to be dropped now
- The MI files a civil suit against unknown and demands disclosure of records of the case
- The MI sues you directly

Now at this point all cases usually end with settlements.
The question whether you or someone else has used the connection is not asked.


In the US, Schneiers practise could actually be succesful:

"The IP address simply can help you know who paid for the internet access, but not who was using what computer on a network. In fact, this even had some people suggesting that, if you want to win a lawsuit from the RIAA, you're best off opening up your WiFi network to neighbors. It seems like this strategy might actually be working. Earlier this month the inability to prove who actually did the file sharing caused the RIAA to drop a case in Oklahoma and now it looks like the same defense has worked in a California case as well. In both cases, though, as soon as the RIAA realized the person was using this defense, they dropped the case, rather than lose it and set a precedent showing they really don't have the unequivocal evidence they claim they do."

You can also turn the tables:

Sure, everyone please use my unsecured local Wi-Fi access point. I'm giving back to the community... ... and the community in turn will have all traffic filtered through a box that will sniff passwords, private keys, you name it.
So please "steal this Wi-Fi" since I need a few more social security and credit card numbers.

[caravel]

He's either insane or thinks he can fend off the law with the "it was open" argument and that's why he's doing this. I can think of no other reasonable explanation.

[Husar]

Second, as a home user, most people are going to be running their systems just like our own very dearest husar, wide open, half patched and vulnerable.