News of the Weird, Network Version: Security Guru Leaves His Wireless Network Open

[Lemur]

This is kinda odd. I have immense respect for Bruce Schneier; I think his writing on network security is must-read material for anyone with an interest in the subject. (WHacker? Thoughts?)

He's posted an article about how he leaves his home WiFi network open, and how it's a great idea. I am left scratching my furry little head.

Security is always a trade-off. I know people who rarely lock their front door, who drive in the rain (and, while using a cellphone) and who talk to strangers. In my opinion, securing my wireless network isn't worth it. And I appreciate everyone else who keeps an open wireless network, including all the coffee shops, bars and libraries I have visited in the past, the Dayton International Airport where I started writing this and the Four Points Sheraton where I finished. You all make the world a better place.

[R'as al Ghul]

Yes, the folks at boingboing.net also think it's a good idea.
What I found most odd was this statement:

And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

In Germany for example, the owner of the connection is liable.

[Xiahou]

And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

That makes no sense at all- particularly with his being a IT security professional. I think an unsecured wireless network, in his case(as opposed to your average slob, who could plead stupidity), would smack of willful negligence on his part- practically begging someone to connect and do something bad.

To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.

So really, this is all about his social views on wireless rather than security. In that regard, you could say he's speaking out of his area of expertise. That a "security expert" would advise people to do something that is by definition, totally unsecure because he feels it polite is... puzzling.

If he wants to let people freeload on his home network because he feels it's the right thing to do, he can go for it- but it's totally unsecure. For myself, I'll keep WPA.

[Ramses II CP]

It would seem obvious that the key word is 'guests' should have free access from your home. Not the kid next door hunting **** or the random nutter sitting nearby doing who-knows-what.

My guests do have free access, just as soon as they punch in their key.

[drone]

Even if you don't mind strangers eating your bandwidth and doing questionable/illegal things through your ISP connection, I would think that in most cases your standard wi-fi router is the first line of defense for your home network. By leaving this open, you are inviting potential attacks from behind the WAN firewall, relying on your PC malware defenses to protect you. Doesn't sound like a good idea to me.

WPA encrypted and MAC address filtered here! Go to a Starbucks, ya freeloaders!

[Husar]

My router is pretty secure in that regard.

Spoiler Alert, click show to read: 

It's not a WLAN router. hahaha

[sapi]

And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

He actually has a point there; it's one of the few viable defences I've seen tried in the multitude of file sharing cases that are going around :)

Oh, and my network is unsecured here, too. I'm not at all worried - after all, if I couldn't get a decent signal 10m from the AP and had to switch to wired to avoid that, anyone who can pick up the network from outside deserves access

[Whacker]

OK, I have a few thoughts to contribute here.

First, regarding open WLANs in general. Honestly, any security you can layer on top of the application at the network level is a good thing in terms of obfuscation, but it doesn't always mean much. It's not hard for someone determined to crack a poorly protected WPA type environment, and WEP has been/is a total joke. However, for the enterprise, all this equates to additional cost and resources to put into managing the infrastructure, setting up clients, managing keys, etc etc etc. Personally at my employer (which is huge, global 300k+) and at numerous other businesses I've dealt with, I've never seen a general Wifi deployment without any kind of protection.

In terms of home use, I think it's even worse to leave an AP open, for a number of reasons (some of which have been alluded to already).

First, I believe in the US that there is either a law in coming or it's already been passed (I think the latter) which causes AP owners to be responsible for any content or problems that arise from their hardware, so "Well it was open" doesn't hold water anymore. It'll be interesting to see that actually tried in court and see if it stands up, because my professional (and armchair legal) opinion is that it wouldn't survive judicial review. I'd had to be the poor sap who has to fight that battle though, if it hasn't already. Maybe Tincow knows about this and can comment.

Second, as a home user, most people are going to be running their systems just like our own very dearest husar, wide open, half patched and vulnerable. Windows firewall is a joke for the most part for a number of reasons, but the core is that it can't stop everything and users will often just bypass it anyway with the brainless "OK" clicking on dialogues it presents, or the same with websites that ask for admin privileges. Thus, even with "default" settings that ship with the last few iterations of Windoze, there's still a ripe, fleshy, vulnerable interior that once you get past, it doesn't matter. Bruce could be using the logic that he doesn't care about the network level, and relies on application and OS level controls to minimize security exposures, but I don't subscribe to that. My mantra is "security in depth", which esp. for home users means using every tool available to it's fullest potential. Thus, I have my home router set up with AES WPA that I change the key every 6 mo or so, all 3 computers are all built and setup personally by me and secured to the hilt (wife complains often), and she's also had several lectures on "how to use teh intarnets", complete with lots of eyerolling and ignoring me like usual.

So again in a simplified version, we use:

1. Network level control; WPA, router/firewall properly configured, etc.
2. OS level control; passwords, lockouts, disabling services and apps, general hygiene
3. Application level control; installing only "good" applications, using available security settings (Firefox stored password encryption)
4. Good PC usage; not clicking "OK" all the time in general on dialogues, not browsing or doing business with "questionable" sites, etc

/soapbox off



Why

[R'as al Ghul]

Unless he logs every connection passing through his router and gets those logs certified, he won't be able to prove that anyone else has used his WLan AP. In the case of a charge the fact that he maintains an open network is no prove that someone else has used it. As long as he can't prove that someone else used his connection one has to assume that he did it himself.

This is weird.

[Whacker]

Unless he logs every connection passing through his router and gets those logs certified, he won't be able to prove that anyone else has used his WLan AP. In the case of a charge the fact that he maintains an open network is no prove that someone else has used it. As long as he can't prove that someone else used his connection one has to assume that he did it himself.

That's true, BUT it's not proof either that he was using it, hence burden of proof falls apart. Unless it can be correlated with other data that uniquely identifies him, it's just guesswork. Even if they can link it at least to his personal PC, it's still not proof that it was him using it. Hence why I have huge problems with legal BS like this and legal precedent being set on crappy cases with "evidence" that doesn't remotely prove anything.

[Husar]

Second, as a home user, most people are going to be running their systems just like our own very dearest husar, wide open, half patched and vulnerable.

[R'as al Ghul]

That's true, BUT it's not proof either that he was using it, hence burden of proof falls apart.

Okay, that may be the case in the US but here in Germany the owner of the connection is liable. This means that when you open your wifi you are responsible for the content should a crime be committed.
This is how the Music Industry gets your data in case of sharing of copyrighted material in Germany:
- They find the IP online
- They file a charge under criminal law
- The provider has to disclose the data behind the IP to the district attorney(MI doesn't have the IP yet)
- The criminal charge is likely to be dropped now
- The MI files a civil suit against unknown and demands disclosure of records of the case
- The MI sues you directly

Now at this point all cases usually end with settlements.
The question whether you or someone else has used the connection is not asked.


In the US, Schneiers practise could actually be succesful:

"The IP address simply can help you know who paid for the internet access, but not who was using what computer on a network. In fact, this even had some people suggesting that, if you want to win a lawsuit from the RIAA, you're best off opening up your WiFi network to neighbors. It seems like this strategy might actually be working. Earlier this month the inability to prove who actually did the file sharing caused the RIAA to drop a case in Oklahoma and now it looks like the same defense has worked in a California case as well. In both cases, though, as soon as the RIAA realized the person was using this defense, they dropped the case, rather than lose it and set a precedent showing they really don't have the unequivocal evidence they claim they do."

You can also turn the tables:

Sure, everyone please use my unsecured local Wi-Fi access point. I'm giving back to the community... ... and the community in turn will have all traffic filtered through a box that will sniff passwords, private keys, you name it.
So please "steal this Wi-Fi" since I need a few more social security and credit card numbers.

[caravel]

He's either insane or thinks he can fend off the law with the "it was open" argument and that's why he's doing this. I can think of no other reasonable explanation.

[Papewaio]

Having open wi-fi does not equal access to your network. It often does mean one and the same because the same people who don't secure their network generally have open wi-fi.

However home users generally don't setup VLans on their ports and other Enterprise level security measures such as domain logins. Enterprises also can have all these and still have a wide open wi-fi. Some wit will decide to add a wi-fi to their desktop using their login credentials which can lead to external users surfing through the companies internet connection. No matter the security in place HR will find a bigger idiot to circumvent it, they either will do so from the HR candidates or outsource and hire someone for a project coordinator role...

[sapi]

Having open wi-fi does not equal access to your network. It often does mean one and the same because the same people who don't secure their network generally have open wi-fi.

However home users generally don't setup VLans on their ports and other Enterprise level security measures such as domain logins. Enterprises also can have all these and still have a wide open wi-fi. Some wit will decide to add a wi-fi to their desktop using their login credentials which can lead to external users surfing through the companies internet connection. No matter the security in place HR will find a bigger idiot to circumvent it, they either will do so from the HR candidates or outsource and hire someone for a project coordinator role...

Speaking from experience there pape?

Would I be right in saying that, even for home users, it's possible to filter internet access by MAC address even while keeping an open network?

[Xiahou]

Would I be right in saying that, even for home users, it's possible to filter internet access by MAC address even while keeping an open network?

Yes, but MAC addresses are easily spoofed.

MAC filtering by itself is pretty weaksauce when it comes to security. It's an additional layer, but not a particularly strong one.

[Papewaio]

I didn't bother with wi-fi for my new place. Now I'm regretting it for the Wii.