Boo! Scary open wireless networks! Run! Hide!

Oooh! Scary! Share your wireless access and you might let your neighbors “peer into files containing sensitive financial and personal information, release malicious viruses and worms that could do irreparable damage, or use the computer as a launching pad for identity theft or the uploading and downloading of child pornography.”

Or you might not. Have a modicum of good sense about security and you’ll have locked down your computer against these sorts of intrusions – which can occur on any computer attached to the Internet, not just to computers attached to open Wifi networks.

But hey, good sense doesn’t sell newspapers as well as sensationalism, and the Times engages in some serious gratuitous panic-spreading with Sunday’s “Hey Neighbor, Stop Piggybacking on My Wireless”. And evidently, this sort of breathless reporting is very popular – it’s the most emailed story on the Times’s site over the past 24 hours.

Some basic facts – almost every wireless router in the world comes with an easily set option to turn on WEP encryption. WEP is not a strong encryption scheme – its per-frame initialization vector is only 24 bits, so RC4 keystreams get reused, and well-known tools recover the key from captured traffic – but it will keep most casual users from accessing your network, if that’s what you want. Newer routers also offer WPA, which doesn’t have WEP’s known breaks and is the better choice when the router and all your clients support it. Either way, you’ll need to set a password for your network and give that password to anyone else you want to have access to your network. If, like me, you have lots of houseguests that carry laptops, you might prefer not to make all your guests memorize a 10- or 26-digit hexadecimal WEP key so they can check their email. (Then again, the only neighbors who share my wifi are moose. It’s hard to keep them off the network, as their antlers are amazingly effective directional antennae. And they’ve got an insatiable appetite for pirated mp3s.)
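To make the WEP point concrete, here is an added example (mine, not part of the original post or any router vendor's code) of the keystream-reuse flaw that underlies the WEP attacks. WEP encrypts each frame with RC4 keyed by the 24-bit IV followed by the shared key and sends the IV in the clear; once two frames share an IV, knowing the plaintext of one (a ping the attacker sent, or a predictable ARP frame) recovers the keystream and decrypts the other without ever learning the key. The key, IV and frame contents are constructed values; the LLC/SNAP header constant is real.

```python
"""Added example (not from the original post): why WEP keys are crackable.

WEP encrypts each frame with RC4 keyed by (24-bit IV || shared key) and sends
the IV in the clear. The IV space is so small that IVs repeat, and two frames
encrypted under the same IV share one RC4 keystream. Anyone who knows the
plaintext of one such frame (because they caused it, or because it is a
predictable ARP or ping) recovers the keystream and decrypts every other frame
that used that IV, with no key needed. Key, IV and frame contents below are
constructed values.
"""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: IV || (RC4(IV||key) XOR (plaintext || ICV))."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext (plus its ICV, which the attacker can compute)
    XOR ciphertext = the keystream for this frame's IV."""
    known = known_plaintext + icv(known_plaintext)
    return xor(frame[3:], known)


def decrypt_with_keystream(frame: bytes, keystream: bytes):
    """Decrypt a frame with a keystream recovered from another frame that
    used the same IV, and check the ICV. Returns (plaintext, icv_ok)."""
    body = frame[3:]
    if len(keystream) < len(body):
        raise ValueError("need at least as much keystream as the frame body")
    pt = xor(body, keystream[: len(body)])
    data, tag = pt[:-4], pt[-4:]
    return data, icv(data) == tag


# Every IP datagram carried over 802.11 starts with this LLC/SNAP header.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def demo():
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = b"\x00\x00\x2a"                 # the IV the card happened to reuse
    # Frame A: something the attacker knows in full (e.g. a ping they sent).
    known_a = LLC_SNAP_IP + b"\x45\x00" + b"\x00" * 62
    frame_a = wep_encrypt(key, iv, known_a)
    # Frame B: the victim's POP3 login under the same IV; attacker has no key.
    secret_b = LLC_SNAP_IP + b"\x45\x00" + b"USER alice\r\nPASS hunter2\r\n"
    frame_b = wep_encrypt(key, iv, secret_b)
    assert frame_a[:3] == frame_b[:3], "the attack needs equal IVs"
    keystream = recover_keystream(frame_a, known_a)
    return decrypt_with_keystream(frame_b, keystream)
```

The ICV check passing on the recovered frame is the attacker's confirmation that the keystream is right. Real tools go further (statistical attacks on RC4's key schedule recover the shared key itself), but IV collisions alone are enough to read traffic, which is why a WEP passphrase keeps out Aunt Millie and nobody else.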

Any computer attached to the Internet via a broadband connection can be attacked. If you’re running Windows – the most commonly attacked system because of its lax security policies, its mediocre self-patching system and the existence of a large number of known exploits – and you’re not running a good firewall, you’ve probably already been compromised. Sure, your machine can be attacked by a hacker sitting outside your window. But you’re more likely to be attacked by someone in Brazil, Romania, or at least a safe distance away from your house – why would I possibly try to compromise your system when you can look out your window and see me trying?

(Well, I’d do it because then I could run a packet sniffer on your network and see if I could pick up unencrypted passwords – the ones you send to non-https websites, or that your mail program sends to a POP or IMAP server without SSL. But this is probably a better argument for teaching people to use SSL, not for closing open wireless networks…)
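What that sniffer actually sees, as an added example that is not from the original post: a handful of constructed, reassembled TCP payloads of the kind any station on the same open network can capture, and a small extractor that pulls credentials out of plaintext HTTP, POP3 and IMAP while getting nothing from the SSL/TLS flow. Hostnames, users and passwords are made up.

```python
"""Added example (not from the original post): what a packet sniffer on an
open wireless network actually picks up.

Each entry is a constructed, reassembled TCP payload of the kind any station
on the same open network could capture. Plaintext HTTP, POP3 and IMAP hand
over credentials; the TLS session (port 443) shows only opaque bytes.
"""
import base64
import re
from urllib.parse import parse_qs

CAPTURE = [
    ("10.0.0.5 -> webmail.example:80",
     b"GET /mail/ HTTP/1.1\r\nHost: webmail.example\r\n"
     b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("10.0.0.5 -> forum.example:80",
     b"POST /login HTTP/1.1\r\nHost: forum.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
     b"username=bob&password=s3cret%21"),
    ("10.0.0.5 -> pop.example:110", b"USER carol\r\nPASS letmein\r\n"),
    ("10.0.0.5 -> imap.example:143", b'a001 LOGIN dave "pa ss"\r\n'),
    # A TLS ClientHello followed by encrypted records: nothing to read here.
    ("10.0.0.5 -> bank.example:443",
     b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + bytes(range(0x80, 0xA8))),
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)
POP3_RE = re.compile(r"^USER\s+(\S+)\r\n(?:.*\r\n)*?PASS\s+(\S+)\r\n", re.M)
IMAP_RE = re.compile(r'^\S+\s+LOGIN\s+(\S+)\s+("[^"]*"|\S+)\r\n', re.M | re.I)


def extract_credentials(payload: bytes):
    """Return a list of (protocol, user, password) found in one payload."""
    text = payload.decode("latin-1")   # never raises; binary just stays opaque
    found = []
    m = BASIC_RE.search(text)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
            user, _, pw = decoded.partition(":")
            found.append(("http-basic", user, pw))
        except ValueError:
            pass
    if text.startswith("POST ") and "\r\n\r\n" in text:
        form = parse_qs(text.split("\r\n\r\n", 1)[1], keep_blank_values=True)
        pw_keys = [k for k in form if re.search(r"pass|pwd", k, re.I)]
        user_keys = [k for k in form if re.search(r"user|login|email|name", k, re.I)]
        if pw_keys:
            user = form[user_keys[0]][0] if user_keys else "?"
            found.append(("http-form", user, form[pw_keys[0]][0]))
    m = POP3_RE.search(text)
    if m:
        found.append(("pop3", m.group(1), m.group(2)))
    m = IMAP_RE.search(text)
    if m:
        found.append(("imap", m.group(1), m.group(2).strip('"')))
    return found


def sniff(capture=CAPTURE):
    """Run the extractor over every flow; returns [(flow, proto, user, pw)]."""
    hits = []
    for flow, payload in capture:
        for proto, user, pw in extract_credentials(payload):
            hits.append((flow, proto, user, pw))
    return hits


if __name__ == "__main__":
    for hit in sniff():
        print(hit)
```

The same four logins over https, POP3-over-SSL or IMAP-over-SSL would look like the last entry: a handshake and then noise. That is the whole case for SSL rather than for closing the network, since an attacker on a wired LAN, or anyone who has cracked your WEP key, sees exactly the same payloads.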

There are two legitimate worries as regards piggybacking – one is bandwidth use, and the other is use of your connection to launch attacks or download banned content. In the second case – where someone uses your unsecured wireless network to hack the Pentagon or download child porn – you can show that you’ve got an unencrypted network and make the argument that you’re not the hacker/slimeball initiating the requests. If said slimeball guesses/finds/cracks your WEP password, you’ll have a much harder time explaining to the FBI that you weren’t the one visiting hotllamasex.com…

In the first case – wifi-enabled moose clogging your pipe with thousands of downloads from LimeWire – this is an argument for sharing bandwidth, but using techniques to “shape” bandwidth so that you’re only sharing a portion of your connection. As commenters pointed out the last time I wrote about WiFi, most packages distributed by community wireless networks – collectives designed to provide free internet coverage by allowing people to safely share their broadband connections – include options for bandwidth shaping, so that the moose can download only a few mp3s and you can still check your email.
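Here is what “sharing a portion of your connection” means mechanically, as an added example of mine rather than code from any community wireless package: a two-class scheduler in the style of Linux HTB, where the guest class is assured a small rate, may borrow idle capacity up to a ceiling, and can never exceed that ceiling, while the owner class gets everything else. The link speed, rates and demands are constructed numbers in bytes per second.

```python
"""Added example (not from the original post): what bandwidth shaping does
for a shared connection.

A two-class scheduler in the style of Linux HTB: the guest class is assured
a small rate, may borrow idle capacity up to a ceiling, and never takes more
than that; the owner class gets everything else. Capacities and demands are
constructed numbers in bytes per second.
"""
LINK = 1_000_000        # 8 Mbit/s uplink (constructed)
GUEST_RATE = 100_000    # guests are always guaranteed this much
GUEST_CEIL = 500_000    # ... and can never exceed this, even when the owner is idle


def allocate(owner_demand: int, guest_demand: int,
             link: int = LINK, rate: int = GUEST_RATE, ceil: int = GUEST_CEIL):
    """Bytes granted to (owner, guest) during one second."""
    guest = min(guest_demand, rate)                 # assured guest share first
    owner = min(owner_demand, link - guest)         # owner takes all the rest
    spare = link - guest - owner
    # Guests may borrow what the owner left idle, but only up to the ceiling.
    guest += min(guest_demand - guest, ceil - guest, spare)
    return owner, guest


def simulate(seconds: int = 10):
    """Guests (the moose) flood the link the whole time; the owner is idle for
    the first half, then downloads flat out. Returns total bytes per class."""
    owner_total = guest_total = 0
    for t in range(seconds):
        owner_demand = 0 if t < seconds // 2 else 2 * LINK
        guest_demand = 2 * LINK
        o, g = allocate(owner_demand, guest_demand)
        owner_total += o
        guest_total += g
    return {"owner": owner_total, "guest": guest_total}


if __name__ == "__main__":
    print(simulate())
```

While the owner is idle the moose get half the link and no more; the moment the owner starts pulling, the guests drop to their assured 100 kB/s and the owner gets the remaining 900 kB/s. On a Linux router this is exactly what `tc` HTB classes express with their `rate` and `ceil` parameters.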

The last paragraph of the otherwise paranoid story is good news, I think, for FON, the for-profit wireless company I help advise. (Please see my disclosures page for full information on my relationship with FON.) The Brodeurs, who were inadvertently sharing their Wifi connection in Los Angeles, pissed off some of their neighbors, who offered to pay for continued access to the network. That’s precisely what FON lets you do – open your access point to a limited number of users for a fee, letting them pay to help subsidize your connection. Does the fact that the Brodeurs decided not to do this imply that we’ve got a broken business model? Or that it’s an idea that’s been waiting for someone to make the technology dead simple so that people can share their connections with fewer security worries and a way to make some money in the process?

This entry was posted in Geekery, Media.

8 Responses to Boo! Scary open wireless networks! Run! Hide!

  1. Chris Blow says:

    Ethan,

    Thanks for another thought-provoking post. Upon reading, however, I have a kind of RSS indigestion because of two rather contradictory feelings:

    Firstly: ) I consider myself an avid enthusiast when it comes to any type of snide, dismissive criticism of the NYT, especially as they continue perpetually with the “Wringing Our Hands in SoHO” series. Really, this bandwidth indignation/bandwidth envy is ridiculous; people act as if broadband is a dwindling resource. (My first 56k US Robotics modem? Now that was the real upgrade.)

    !- but –

    Secondly: ) I have no idea what the hell these people you so casually referred me to are talking about.

    I mean Protocols, Authenticators, Routers … sure, these are all ideas that I can learn about and memorize if I really have to, but when it comes to really implementing and maintaining security practices, I’m lost, as I imagine most people are by that weird Soviet+Jetsons aesthetic. We’re lucky to have preloaded Windows firewall, at this point.

    So you could say that I am laughing with you at the Times … but then I’m going home and nervously calling my mom because I can’t figure out how to set up “email tunneling” and “port forwarding” I should already understand. I did actually find a thorough tutorial with screenshots: this chaotic and uber-nerdy post (with 70+ comments in various stages of confusion). I think it’s pretty representative of the state of the art in advanced (I mean basic!) internet security education.

    So I think you’re being a little harsh on us people that find this stuff overwhelming, not really common sense. And I have to say that the “simple facts” raised in your post made me a lot more nervous than the NYT article did. I mean, if I read you correctly, (as amplified by the weblog I cited) you are saying (I’m sorry I sincerely am quite ignorant about network mojo – ) you’re saying that whenever I’m on a non-WEP wireless network I’m giving free rein over my passwords to all the nefarious digital d00ds and blackhats in my local coffeeshop? And they can read my email?? Unless I figure out that _tunneling_ thing??

    That sounds rather serious. Right?

    And all this creepy-sounding “sniffer” stuff is pretty poor consolation for me as I try to laugh at the Times ignorance — just as I’m learning about the cracker at my window downloading llama porn, and the fact that I’ve been casually fraternizing with a harlot of an OS that has “known exploits!”

    Then there’s the final, salt-in-the-wounds realization that my (already totally uncool, closed, but well-intended) WEP-protected network has merely been turning away the most _untalented_ evil Brazilian programmers (along with my roommates), and that I have (cue spooky voice) in fact “been compromised.”

    Though I do appreciate your legal advice for handling the resulting proceedings with the FBI!

    Seriously, I’m just relishing your own humor here, but perhaps you can clarify? There seem to be some extremely relevant issues: I mean, I’ve been under the impression that wireless networks were dandy incubators of development, and ripe for a social-entrepreneur to make a living as she promotes its explosive growth with just the right business model and wireless technology.

    But it sounds like some truly essential security innovation (not to mention education) is an even longer way off than the business model is. Sounds to me like “bandwidth shaping” can only do so much good (especially in regions of low tech. literacy) if, eg, I have to navigate those mean-spirited W3C-type documents and manually instantiate port identifiers or something before I can get a _basic_ level of privacy to build my business/nonprofit/education on. Are you feeling good about the possibility that we’ll have a community-ready Network in the near future? What is this going to take? Are you expecting radical changes in the structure of the internet that I keep reading about?

    I think I’ll be reading some Alvin Toffler or something equally frightening in my wooded home this evening (.. since I don’t have even that 56k any more!). … Maybe I’ll read Orwell … doesn’t he have a book about “email tunneling” during the Spanish revolution?

  2. Saheli says:

    good points all. But I’m going to be terribly silly and point you to one of my favorite single webcomics of all time.

    Ah, Achewood.

  3. mj says:

    Ethan,
    Slight typo in your post, I think:
    WEP encryption is indeed breakable (although not by Aunt Millie down the hall).
    WPA encryption — standard on most routers these days — is not.

  4. quixote says:

    Ethan, I’m kind of with Chris on this. I’m fascinated by FON, would love to sign up (I’m not far from a Fonero in Ventura CA), but I can’t seem to get answers from them. How would I have an unencrypted public network that people could use in my neighborhood, together with an encrypted one for me? I have a weird router; can FON work with any router? I have no firewall, except what is part of Linux, although I do have WEP encryption. Is that good enough? What does that mean for my internet use generally? Are wily Russians sniffing around my ports? I realize some of these are questions about FON, some about wireless, some about general security, and so on. But the thing is, for a lot of us, all of it rolls into one big security problem.

    If you could, for instance, give an example of a FON-capable, sensibly secure Windows system, it might make it a bit clearer to those of us out on the fringes of geekdom.

  5. Ethan says:

    Thanks for the commentary, folks. This clearly wasn’t my best thought out post – what I get for trying to write quickly and while on trains. The WEP/WPA error is a big one – I knew the WEP problem, but wasn’t aware that WPA had so thoroughly fixed the problem – thanks, mj.

    Chris, you’re asking some great questions. As I understand things, the main concern with an open wireless network is that they’re vulnerable to the same sorts of attacks that are possible when an attacker is sharing a wired ethernet network with you. Many of these attacks involve “packet sniffing”, which involves analyzing every piece of traffic that passes across a network. Smart people using packet sniffers can often pick up passwords, especially if people are logging into webmail systems or accessing their email through POP or IMAP systems that don’t use SSL encryption. The easy solution – use SSL encryption. I linked to an overly complicated piece on setting up SSL tunnels, a way to make your web browsing basically immune to packet sniffing attacks.

    My beef with the article was that it was so panicky and didn’t attempt to go into any of these details. But I may well be guilty of the same sort of gloss in my post.

    quixote, re: Fon. At present, FON runs on a particular model of Linksys router – you’d need to purchase one and flash it with FON software or buy one preconfig’d from FON. They’re currently selling them at a substantial loss, which is a good deal, but it may not last forever. You can run both an open network and a FON network – this is likely to be what I’m going to do. As for the security issues – everyone on the net gets portscanned nowadays – these are automated, common attacks where hackers look to see if there are open ports on your system that haven’t been closed. A simple way to try to ensure your ports are closed is to enable the firewall built into Windows, or install a third-party firewall and open only the services you need open. If you’re running a webserver, for instance, people need to connect to your machine on port 80 – if you’re not, it’s a smarter idea to have port 80 closed. But this is really a security issue relevant to anyone on the net, not a FON or Wifi specific issue. My complaint was that the NYT article seemed to be suggesting that open Wifi networks made you especially vulnerable to virii, for instance, which is a ludicrous assertion and a collapsing of general internet threats and specific wireless threats…
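Editor's added example (not part of Ethan's reply above, and not FON's or anyone's product code) of the “open only the services you need” check Ethan describes, done the way quixote's Linux box would do it: list every TCP port listening on a non-loopback address, compare the list with what you actually intend to serve, and emit a default-deny nftables input policy that admits only those ports. The `ss -ltn` listing and the allowlist are constructed; the same check on Windows is turning on the built-in firewall and reviewing its exceptions.

```python
"""Added example (not from the original post or comments): the "open only
the services you need" check, run over constructed `ss -ltn` output.

Lists every TCP port listening on a non-loopback address, compares it with
an allowlist, and emits an nftables ruleset with a default-deny input policy
that admits only the allowlisted ports (plus loopback and replies to
connections the host itself started). The listener list and the allowlist
are constructed.
"""
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=612,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=701,fd=7))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=880,fd=4))
LISTEN  0       128     [::]:445             [::]:*             users:(("smbd",pid=903,fd=40))
LISTEN  0       128     [::1]:25             [::]:*             users:(("master",pid=955,fd=13))
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")


def exposed_ports(ss_text: str = SS_OUTPUT):
    """Ports reachable from the network: LISTEN sockets not bound to loopback.
    Returns {port: bound_address}."""
    exposed = {}
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles [::]:445 too
        if addr.startswith(LOOPBACK_PREFIXES):
            continue                                # only this host can reach it
        exposed[int(port)] = addr
    return exposed


def nft_ruleset(allowed_ports) -> str:
    """Default-deny inbound policy that admits only `allowed_ports` over TCP."""
    ports = ", ".join(str(p) for p in sorted(allowed_ports))
    return (
        "table inet filter {\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        "    iif lo accept\n"
        "    ct state established,related accept\n"
        + (f"    tcp dport {{ {ports} }} accept\n" if ports else "")
        + "  }\n}\n"
    )


def audit(allowed_ports, ss_text: str = SS_OUTPUT):
    """Report which exposed ports should be closed, plus the matching ruleset."""
    exposed = exposed_ports(ss_text)
    should_close = sorted(p for p in exposed if p not in allowed_ports)
    return {
        "exposed": sorted(exposed),
        "should_close": should_close,
        "ruleset": nft_ruleset(allowed_ports),
    }


if __name__ == "__main__":
    report = audit({22})                   # constructed intent: ssh only
    print("exposed:", report["exposed"])
    print("close or firewall:", report["should_close"])
    print(report["ruleset"])
```

Port 631 and port 25 here are bound to loopback and are not a portscanner's business; 80 and 445 are listening to the world and were not on the allowlist, so the right fix is to stop the service or let the default-deny policy drop them. Nothing about this depends on whether the packets arrive over wifi or a cable.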

  6. quixote says:

    Ethan-
    Thanks for the answers, both to my and Chris’s questions. I did take your point about the overblown woo-hoo-scary-wireless nonsense, and see it even better now with the clarifications. I’m going straight from here to the FON site to see if I can afford the Linksys. :-)

  7. Pingback: Rupert Murdoch Ain’t No Dummy at connecting*the*dots

  8. quixote says:

    Great deal on the Linksys router! I’ve signed up and it’s on the way. I’m excited.
