Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Schneier Says 'Steal this Wi-Fi'

Journal written by apolloose (134697) and posted by CmdrTaco on Thu Jan 10, 2008 12:00 PM
from the can-i-steal-a-sandwich-too-i'm-hungry dept.
Wireless Networking Hardware
apolloose noted Bruce Schneier's latest entry on Wired where he talks about insecured wifi networks, and suggests that you Steal this WiFi. Basically, since insecure WiFi is everywhere, why not? You're helping make the world a little better for someone else.
+ -
story

Related Stories

Firehose:Steal this WiFi by apolloose (134697)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Schneier Says 'Steal this Wi-Fi' 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Yeah, but... (Score:5, Funny)

    by Serenissima (1210562) on Thursday January 10 2008, @12:03PM (#21984798)
    If I opened up my network, anyone could start downloading pirated movies and music and use up all of my bandwidth that I want to use for downloading pirated movies and music!

      • Re:Yeah, but... (Score:5, Informative)

        by computational super (740265) on Thursday January 10 2008, @12:57PM (#21985708)

        What he said was, "If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence", and I often wonder if he's right. Like you, I'm pretty terrified of the accusation, so my network is locked down as tight as I can get it. I use WPA with a strong password, MAC address filtering, I renumbered the subnet from the default, I set a strong administrator password, and disabled DHCP... and if I can think of anything else I can do to lock it down, I'll probably do it, out of fear that somebody will do something nefarious with it.

        On the other hand, if I do get hacked (somehow), all that work will probably hang me. Couple that with the fact that I have an advanced degree in computer science (which to the average slashdot reader seems to mean I now *nothing* about computers, but would surely impress a jury of my "peers" that I'm impervious to being hacked), and if my network is used against me, I'm getting the death penalty.

  • Beware of strangers bearing gifts (Score:5, Interesting)

    by Applekid (993327) on Thursday January 10 2008, @12:11PM (#21984918)
    Sure, everyone please use my unsecured local Wi-Fi access point. I'm giving back to the community... ... and the community in turn will have all traffic filtered through a box that will sniff passwords, private keys, you name it.

    So please "steal this Wi-Fi" since I need a few more social security and credit card numbers.

    • Re:Beware of strangers bearing gifts (Score:5, Funny)

      by garcia (6573) on Thursday January 10 2008, @12:47PM (#21985554) Homepage
      My public facing wireless AP has a SSID that reads, "I_SNIFF_AND_LOG". I generally find that no one is using my network and instead probably chose to use one of the 8 open "linksysfoo" APs around me.

        • Re:Beware of strangers bearing gifts (Score:5, Informative)

          by Braino420 (896819) on Thursday January 10 2008, @01:17PM (#21986042)

          An SSL certificate is fairly cheap to purchase, just by one and operate a man-in-the-middle for all SSL connections. A few tech-savvy might notice, but most won't.
          You purchase an SSL cert from a CA for a single host, so you will have to go through the whole process for each site the user tries to connect to. Not only this, but CAs do, admittedly minimaly, verify that you are who you say you are (depending on how much money you give them). Not only this, but you will not be able to get a cert that says you're, for example, Bank of America. You can always self-sign a cert, but this will alert the user in all modern browsers. On top of all that, if the user does get fooled by your MITM attack, you only get the information that they give you: their username and password. Sure, you can now log in to the site, but I know that if you're signing into BoA for the first time from that location, they ask you one of the security questions (which you do not have). Even if they didn't (or you fooled the user into giving you that information too) and you got access to their account, what are you going to do? You can't just transfer that money to your account without someone finding out who you are, and the accounts only show the last 4 digits of each account number. You can't get that 3 digit number on the back of the card for most online purchases, not to mention that online purchases will also point back to you. I will admit this is all much easier than cracking the 128-bit SSL session.

          All of that means you aren't going to do shit; the payoff just isn't worth it and it's not as easy as some /. posters will have you believe.

  • Yeah! But firmware and software changes would help (Score:5, Interesting)

    by presidenteloco (659168) on Thursday January 10 2008, @12:13PM (#21984956)


    1. Clients (laptops) default installed wifi software (hint: Steve Jobs are you reading???) need a scanning
    mode which does not waste my time telling me about all the password or mac-address locked wifi
    basestations, and only advises me about open ones.

    2. Basestation/routers need a simple-to-configure mode where they will let others into a separate
    subnet that goes straight out to the Internet but does not see my home computers directly.

    3. (Brain software/mindset change.) Americans need to stop reflexively calling sharing 'stealing'.
    You've been trained into this terminology by those who have already stolen everything and don't
    want you to get it back.

  • Ethics by analogy (Score:5, Insightful)

    by crow (16139) on Thursday January 10 2008, @12:14PM (#21984960) Homepage Journal
    This is an ethics by analogy situation. Everyone arguing over whether it is right to use unsecured wi-fi connections bases their arguments on analogies, and depending on the analogy, reaches a different conclusion.

    As I see it, if someone left their wi-fi open, then either it was intentional, or they're too clueless to notice (or care) that I'm reading my email.

    • Re:Ethics by analogy (Score:5, Insightful)

      by plague3106 (71849) on Thursday January 10 2008, @12:30PM (#21985244)
      Fine. Go to said person and tell them "your network is not secured, so I'm using it to read my mail." Tell me if they care or not then. Seriously, just because someone doesn't know their WiFi is not secured doesn't mean they won't care that you're using. They just don't know.

  • "Insecured" Wi-Fi (Score:5, Funny)

    by wcrowe (94389) on Thursday January 10 2008, @12:18PM (#21985014)
    "Insecure?". Yeah, nobody wants a clingy Wi-Fi.

  • The flaw in Schneire's logic. (Score:5, Insightful)

    by Vellmont (569020) on Thursday January 10 2008, @12:20PM (#21985062)
    Everything Schneire says is true.. for Bruce Schneire. Not everyone is as adept as he is in configuring a computer to be secure. I'm OK, but I'm likely not vigilant enough to keep everything as secure as it should be (and thus I have WPA encryption on in my wireless network). The vast majority of the public is just plain terrible, and has no clue how to configure their computers to be secure in an open network.

    Securing your wireless network with encryption isn't like flipping a switch, but it's a HELL of a lot easier and more accessible than knowing how to secure each and every device accessible on your network. Having ONE point of entry and configuring that properly is a lot easier to maintain than having multiple, different, changing points that take continued vigilance to remain secure. Is it better to keep each device secure on any network? Sure.. but how many people have the time, patience, knowledge, and ability to do that? Not many.

  • FON and Co (Score:5, Interesting)

    by PhillC (84728) on Thursday January 10 2008, @12:22PM (#21985102) Homepage Journal

    There are already a number of organisations/initiatives around that actively encourage you to purchase their wireless routing products and then open up access to everyone.

    I'm a member of FON [fon.com], which allows you to allocate a specific amount of bandwidth for sharing if you're using one of their routers - say 1MB of your 8MB ADSL, which neatly overcomes the first poster's issue of not having enough bandwidth for their own nefarious purposes. After being a member of FON for 12 months they actually sent me three free wireless routers at Christmas, which I gave away to friends hoping that they too will join and share bandwidth.

    There's another company I heard about, US based, that does something similar, but I can't think of their name right now.

    However, I wonder about my ISP's stance regarding sharing WiFi for free with others. Does it violate their Ts&Cs? Do I care enough to actually find out? No!

  • Correct my if I'm wrong (Score:5, Interesting)

    by Seakip18 (1106315) on Thursday January 10 2008, @12:26PM (#21985178) Journal
    But I thought the best way to browse securely was have all traffic sent to your home server, encrypt it, and forward to the laptop. This was because you assume your home network is inherently more secure. With is approach, you are leaving your home network, including your significant others, at risk. Especially those who are not savvy enough to apply updates and maintain anti-virus.

    While I understand the anonymity helps his secure network stand out, all those open networks are just waiting for a guy with a little time and knowhow to start doing many bad things, say, man-in-the-middle. Just because you are blending into the pack does not keep the lions from eating one of you.

    Now then, it IS his network at home, so he can do whatever the heck he feels like. And I do understand his social aspects of looking at WiFi as another resource for the public. But that does not free you from liability regardless of how little or insignificant it may be or stupidly enforced.

    To me, it sounds like he doesn't want to roll up his sleeves and do some dirty work with port-forwarding, SSH-ing, and proxying. With those, you can enjoy quite decent browsing while away AND understand that your weakest point is at home.

    On an unrelated note, where does this guy live?
    • "Can anyone point me to a simple tutorial on cracking a WEP password?"

      1. Ask your neighbors for permission to connect to their WiFi.
      2. If you get permission, use the password they give you.
      3. If you don't get permission, don't be a dick.

      If someone has their WiFi configured to allow public access, I don't see much problem in making limited (e.g. no hogging bandwidth, nothing that might get them in trouble) use of it. The internet is built on the idea that people set up unattended computers to give automatic electronic permission for total strangers to use them; Slashdot would suck if everyone had to call Rob before they felt they were allowed to use his web server. But finding a hole in someone's security isn't permission, it's just intrusion.

      Even when you see an open access point asking permission isn't a bad idea. It shouldn't be a legal requirement, but it's a nice thing to do, despite involving the frightening prospects of going outside and meeting someone in real life.

    • Re:Steal Wi-Fi? (Score:5, Insightful)

      by Intron (870560) on Thursday January 10 2008, @12:17PM (#21985008)
      I think it's more like bookcrossing [bookcrossing.com] You've already paid for it, now you're letting someone else use it. With books, publishers might not like it because they sell fewer books. With wifi, ISPs may sell fewer connections. Either way it's not stealing.

        • ISP and integrity in the same comment? (Score:5, Insightful)

          by Comboman (895500) on Thursday January 10 2008, @01:32PM (#21986302)
          with ISP you've specifically agreed you wont do that. Get some integrity!

          You mean the same ISP that agreed to give me unlimited downloads but cancels my service if I pass their secret limit? The same ISP that sold me unlimited high-speed but throttles it back for certain applications? Who is that needs the integrity?

    • Re:Steal Wi-Fi? (Score:5, Insightful)

      by gnick (1211984) on Thursday January 10 2008, @12:40PM (#21985428) Homepage

      That's like saying we should "steal" music files because it's not a physical thing and EVERYONES doing it so it's okay. Besides, it'll be an important lesson to those who didn't secure it in the first place...
      Did you RTFA? He's not suggesting that everyone should go out and steal Wi-Fi, he's just saying that it's nice to leave your own Wi-Fi unsecured so that others can use it if they want.

      That said, IANAL but the ones that he apparently spoke to seem awfully cavalier about the situation. I would be extremely uncomfortable explaining to a judge that I:
      1) Published an article stating that I knew that my wireless connection could be used by others to commit crimes.
      2) Left my connection unsecured anyway.
      3) Was arrested because of illegal traffic.
      4) Expect to be excused.

      • Re:Steal Wi-Fi? (Score:5, Insightful)

        by TheRaven64 (641858) on Thursday January 10 2008, @01:08PM (#21985894) Homepage Journal

        1) Published an article stating that I knew that my wireless connection could be used by others to commit crimes.
        I know the spade in my (unlocked / ungated) garden could be used to hit someone around the head and possibly even kill them. It could then be used to dig a shallow grave to bury the body. I have just posted on Slashdot stating that I know it can be used in this way (although I don't condone this use).

        2) Left my connection unsecured anyway.
        I have left the spade in my garden anyway and don't mind if my neighbours borrow it, as long as they return it promptly in the same condition.

        3) Was arrested because of illegal traffic. 4) Expect to be excused.
        I haven't been arrested on suspicion of being an accessory to murder, but I would expect to be acquitted if my only connection to the crime were that someone had borrowed my spade and used it as a murder weapon.

    • Re:Steal Wi-Fi? (Score:5, Interesting)

      by penguin_dance (536599) on Thursday January 10 2008, @12:48PM (#21985566)
      No, it's more akin to: I go to the grocery store and buy a 5 lb bag of sugar. Now I don't need to use that much sugar so I let the neighbors have some. That's not stealing because I paid for it. You're essentially doing nothing more than what a Starbucks or other cafe does.

      However, don't be surprised that companies like Comcast freak out because, while they want you to PAY for all that bandwidth, they don't actually want you to USE it!

    • Re:Usually not stealing (Score:5, Insightful)

      by zappepcs (820751) on Thursday January 10 2008, @12:42PM (#21985448) Journal
      Not only might you want to give away unused bandwidth, but look at the reasons people are telling us we should not give it away:

      - You might be blamed for illegal file sharing or spamming
      - You might be held legally responsible for what other do
      - You might be the victim of malicious users
      - You might.... nevermind, all the reasons are to protect you from people who would sue you. What does that say about the world?

      Lets throw some other analogies out there:

      You shouldn't stop to help a stranded motorist because they might attack you or kill you
      You shouldn't give people advice because they might sue you for using it badly (lawyers & doctors)
      You shouldn't leave objects in your lawn in case someone trips and sues you
      you.... getting the picture?

      You are NO LONGER free to do as you wish with what is yours because other people control what you do, either directly, or indirectly as a consequence of fear of what they MIGHT do. If gun makers are not responsible for what people do with the products they make, you should NOT be responsible for what people do with the bandwidth you gave them to use.

      If we can be held responsible for what happens across our open APs, then the ISP can be held responsible for what goes across its network.

      In the end, common sense and reasonable thought dictate that the person who does the spamming or file sharing is responsible. If you leave a gardening tool in your lawn, and a person trips on it and hurts themselves, who is at fault? If you put a bench in your yard where people can sit and rest and some kid pushes another who then falls and cuts his head on the bench, who is at fault?

      I know those don't fit perfectly, but the point is that just because you helped to create something, you are NOT responsible for the use of it. Leaving your car unlocked is a good analogy: if someone takes it, they are stealing, and just because you did not do all that you could do to prevent them from taking it does not change the fact that they stole it.

      In another thought, holding the AP owner responsible is like trying to treat them as network security experts under the law. Insurance companies, police departments, all sorts of people work to inform you how to stop someone from stealing your property but does anyone do public service announcements to tell you how to stop people from stealing your bandwidth? Can you get insurance to protect you from bandwidth theft? or to compensate you when the **AA are suing you?

      Is a bus driver culpable if he drives the bus that a bank robber used to get to the bank he robbed?

      This goes on and on, but the point of holding you responsible for what others do with something you gave them (without the intent of doing so for malicious or nefarious reasons) has been proven in court already. Gun makers are not responsible for any deaths that happen from use of their products. Game over.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.