My brother Giovanni always reminds me that I should not let my office Wi-Fi hot spot unsecured as I am placing myself at the mercy of any unscrupulous hacker who may want to break havoc on my computer network at will.
Photo credit: Tom Hayward
Being the Robin Good I am, I always replied to him that I am "for" openly and willingly sharing that Wi-Fi connectivity surplus I am not really using for many hours a day. Being also limited my security knowledge in respect to breaking into other people LANs and office networks I have also always easily dismissed the ease with which my brother was portraying incumbent disaster unless I took some steps forward.
Fact is that I, like many among you, a trusty person, optimistic, looking forward and thinking ahead all the time. For someone like me, it really comes counternatural to worry about security things, protect my documents or worry that someone could really look at what I have on my hard disk. It feels like an excessive level of energies and resources is placed on something that in the end I don't value really that much.
But I do realize that this attitude is very superficial and especially so for someone who has a lot to loose if his office network went altogether down from night to morning.
My desire is one of sharing my extra bandwidth and Internet connection anytime my office is idle or below a predefined threshold. Why not? I have excess surplus and want to share it with others. I am for making this a better place and I am paying for that extra connectivity and bandwidth I am not using.
And that is why, I was more than happy to see among this morning Slashdot news stories the following one: "... the New York Times has an interesting piece about the abundance of open wireless connections available due to the lack of the average user's knowledge.
The article also takes a look at how the prevalent attitude is that tapping in to these connections does not equate to stealing and why still other may disagree. ..."
So, it appears that whether for a lack of security awareness on the part of many consumers, or for an willful conscious choice of individuals like me, there is an increasing number of unsecured private wi-fi access points open to access in many places. Especially in big metropolitan cities.
If you are like me, should you worry about this?
Can other individuals easily break into your computer and access your internal network if you do that?
I decided to peruse the ever-excellent extended conversation that makes up Slashdot commentary on each and everyone of the stories they publish to learn and erudite myself a bit more on the topic. Given that this is a geeky topic, in a community (Slashdot) that is portrayed as being probably more open-minded and progressive than the average IT manager, I thought I would be in for finding some interesting info.
Did I!
Here is what I found:
"... I think everyone should follow the sharing principle, lock your box, and open the AP (access point).
No matter what deviant may come around and use your access, you can always prove it wasn't you. Now it may be a hassle and even cost a bit of cash..., which we all know sucks, but I've been sharing my wi-fi for nearly 3 years now and have had no problems.
Plus, I've always appreciated the neighborhood open-ness eg. when cable modem users go down and the DSL subscribers are still kicking it, just hop right over and keep on keeping on."
This is the prevailing attitude among the geeky community of commenters making up Slashdot, though there are probably as many security-aware guys who are also very vocal about the risks and dangers under most people radars range: "The problem with securing your machines and opening the AP is that certain ISP services (mainly SMTP servers for outgoing mail) don't require any authentication as the ISP assumes that who ever has physical access to the connection is the authorized user. Someone 'sharing' the connection could be using it to borrow the ISP SMTP server for sending out spam or other unwelcome email. ..." continues.
Or Necro2607 suggesting also the possibility that not only other people may be illegally downloading music through your Internet connection, but much worst, that you are going to be brought to court by the RIAA and similar organizations outside the US, without you having even ever listened to any of those.
But one of the best contributions of all was from TPSReport who wrote in:
"At first I was thinking - whoa, you're very open minded. Then I realized you wrote wifi instead of wife. I need some coffee." (commenting to: ...Now it may be a hassle and even cost a bit of cash..., which we all know sucks, but I've been sharing my wifi for nearly 3 years now and have had no problems...)
and went on to say:
"I understand what you're saying about the open access, and it's a nice thing to do - but there's no way in hell I'm going to go through the federal investigation process or even chance the possibility of going to prison, for my neighbors kiddie porn habit. Sorry. My life and the potential hassle is worth way more than him saving $39.95 on his cable bill. You're being nice, and that's applaudable, but if anything does happen - you're going to have a tough time proving it was not you.... continues.You: but I have logs!
Them: How convenient. The accused has evidence pointing to someone else. Is it unaltered proof?
You: Of course! These are the raw server logs!
Them: Logs, from your firewall?
You: Yes!
Them: A firewall which you have administrative access to, and can change the logs at will?
You: Uh, yeah. But I didn't change them.
Them: So the logs very well could be altered. And it would be in your best interest for that to happen?
You: WTF man... I didn't do it.Don't expect your freeloader neighbor to step up and take a federal sentence when it comes down to it, and don't put your life in a position where it depends on the justice system to "get it right".
"
and TimC does corroborate the point quite well:
"Usually not knowing that what you are doing is not a crime is no defense, true. Generally though, not knowing that you're not doing something is, unless the prosecution can prove negligence.Until and unless there's a crime of failing to take reasonable steps to secure a PC or similar, people are going to "get away" with it.
Note that if you claim that it wasn't you, it was someone else using your connection without your knowledge, but the prosecution can demonstrate that actually it most likely was you and that you left your connection unsecured in order to provide yourself with that excuse, you'll likely not be believed.
"
And the reason why all of this happens is very simple:
"Because without fault, ALL APs are configured to accept any and all connections by default. And why? Because otherwise, clueless people would swarm the manufacturer's call center asking how to connect. ..." or so reports Opportunist, another valuable Slashdot commentator.
What about the cure?
Pretty simple apparently, at least according to Slashot commentator Bad to the Ben:
"You plug your computer in to the AP (access point) for the first time via an Ethernet cable. You go into the settings, and click an option to setup the AP. The AP creates a secure WPA key using random characters. It then spits out a small script for you to download. You execute the script as Administrator or root, and it automatically configures your OS for the AP, with the right key and everything. After this you can use the AP wirelessly."
But c00rdb cracks the security issue wide open:
"Open or not, what's the difference? 5 minutes searching on Google will show you how to break into pretty much any WEP secured WAP, 64 bit or 128 bit. That's probably 2/3 of the people who have secured internet in the first place. From there, most people leave the router's login (192.168.0.1 or 192.168.1.1) as admin/blank or blank/admin or admin/admin. Even the people who think they are secured are a joke really. Unless you have a strong password and WPA you are pretty much ripe for the picking."I think that spells it out clearly and unambiguously for everyone. Me included.
But that stuff obviously can't ever get digestible for my mother or my sister, who while being bright and intelligent beings have no clue about the heavy technical side of this stuff. Like in the past, only with a with a little help from a techy and patience-rich friend (or brother) one could get that easily done. Otherwise these are good recommendations only for those who can make sense of them.
Several also report that with a method called bandwidth shaping it is well within reach to configure this wireless access points in ways that allow a reasonable amount of free open access to others without impinging on your connectivity and security needs.
But still, many have more than a reason not to go the security safe direction. One common reason is that people don't want to be bothered to set up access for overnight guests and other visitors.
But even for the bravest, optimistic and trusting buddies out there, there is no escape from realizing that, fine if you want to share your connectivity but when you do so you should definitely increase security access to your hardware boxes. Everything should be firewalled.
So, while I would definitely stand on the side of hungrygrue, who states "Failing to secure an access point isn't a lack of user knowledge, it is common courtesy", I would also take all of the cautionary steps required to secure my boxes in the best possible ways.
By reading some of the most interesting among the over 200 comments I also got an indirect pointer to an interesting beggarware tool: Netstumbler.
NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g and which it can be used also to:
Others also recommend that "if you're going to offer a free wifi access point then please also run a Tor exit node." but not without realizing that doing that may also cost you banned access to multiple sites.
But one thing many of you probably don't know yet, is that there already some commercial business services which are riding the wave of people like you and me who want to share their extra connectivity without placing their critical and private data at risk.
Boingo, is one such service which provides software tools and roaming services that help bring the wireless Internet to just about anyone. Boingo has put together a large and rapidly growing roaming wi-fi system with tens of thousands of hot-spots around the globe. For $ 21.95 a month Boingo gives you unlimited connectivity from one of its tens of thousands of locations.
But the best news of all is Fon, a service launched in 2005, which offers a global community of people who want to share their Wi-Fi connection. With FON you can share your Wi-Fi broadband access at home or at work in a safe and secure fashion while benefiting from being able to access your fellow FON members connections all over the world.
To become a Fonero, all you need to do is register with Fon, have a broadband connection, and download the FON Software onto your WiFi router.
FON is now in a Beta phase and is only available for so called Linus users. A Linus is any user who shares his/her WiFi in exchange for free access throughout the Community wherever there is coverage.
Security-wise, if you have registered your WiFi in the FON Community, you will be protected through your local password which you can change whenever you choose. You will share your WiFi connection with registered Foneros from around the world. Unlike the open WiFi networks that are not password protected, all Foneros who connect through your WiFi are registered and identifiable.
Please note that FON recently received support and funding from the likes of Google, Skype and eBay.
After reading and learning so much from the Slashdot community, here are my best takes on this from my personal viewpoint:
1) To Sharewood friends everywhere: Sharing your wi-fi connection is fine, but make sure that at the same time your hardware is well secured.
2) To manufacturers: Let people choose, what to share, how much to share, when to share.
3) To manufacturers: Make better manuals and operational usability of these wi-fi access points 100 times better.
4) To telcos and ISPs: take advantage of this before someone else does.
Last but not least, if you are into trying to extract some value from this rich threaded river of comments that each Slashdot story generates, here is an online service that may do you some good:
http://www.alterslash.org/. It's called Alterslash and it brings to you the digest of the best comments extracted for each Slashdot article.
It didn't actually help me on this one, but I wish them to enable easier and faster drill down into the extensive valuable know-how that the Slashdot commenters always bring in.
| 2006-03-08 19:43:53 |
Now why is it, Robin, that your average IT Manager might not be so progressive and open minded? I think that it's because it is up to him to protect his employer's data goods or else! American employers are not interested in being socialistic and open minded or "progressive" when their data are on the line!
Slashdot contributors can implement their progressive only as far as their employer allows, long term, no more than that.Thanks for listening.
Rue Vadaya
