Wireless Networking Hardware

Schneier Says 'Steal this Wi-Fi'

apolloose noted Bruce Schneier's latest entry on Wired where he talks about unsecured wifi networks, and suggests that you Steal this WiFi. Basically, since insecure WiFi is everywhere, why not? You're helping make the world a little better for someone else.
  • Anonymity (Score:4, Insightful)

    by N3TW4LK3R ( 841526 ) on Thursday January 10, 2008 @12:07PM (#21984872)
    Why not? For one thing because it would pretty much guarantee total anonymity to everyone online.

    If you want to commit a crime online, it's easy enough to drive your car to the next city, open your laptop and connect to a random open AP.

    And if you were too lazy to do that, you can always say "It wasn't me, someone else connected through MY open AP!"
  • by Anonymous Coward on Thursday January 10, 2008 @12:08PM (#21984878)
    Why not just buy a wireless router instead of being an asshole?
  • by fastest fascist ( 1086001 ) on Thursday January 10, 2008 @12:08PM (#21984880)
    how about just getting a wireless router, instead?
  • Car analogy (Score:3, Insightful)

    by Anonymous Coward on Thursday January 10, 2008 @12:13PM (#21984952)
    In the article, B.S. writes:

    And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network?
    So if one of those red-light-cameras snaps a picture of my car running down a pedestrian, it should be a really great defense for me to say, "Oh yeah, I have a policy of leaving my car doors unlocked and the keys in the ignition. Everyone around the neighborhood knows that."
  • Ethics by analogy (Score:5, Insightful)

    by crow ( 16139 ) on Thursday January 10, 2008 @12:14PM (#21984960) Homepage Journal
    This is an ethics by analogy situation. Everyone arguing over whether it is right to use unsecured wi-fi connections bases their arguments on analogies, and depending on the analogy, reaches a different conclusion.

    As I see it, if someone left their wi-fi open, then either it was intentional, or they're too clueless to notice (or care) that I'm reading my email.
  • Re:Steal Wi-Fi? (Score:5, Insightful)

    by Intron ( 870560 ) on Thursday January 10, 2008 @12:17PM (#21985008)
    I think it's more like bookcrossing [bookcrossing.com] You've already paid for it, now you're letting someone else use it. With books, publishers might not like it because they sell fewer books. With wifi, ISPs may sell fewer connections. Either way it's not stealing.
  • by Vellmont ( 569020 ) on Thursday January 10, 2008 @12:20PM (#21985062) Homepage
    Everything Schneier says is true.. for Bruce Schneier. Not everyone is as adept as he is in configuring a computer to be secure. I'm OK, but I'm likely not vigilant enough to keep everything as secure as it should be (and thus I have WPA encryption on in my wireless network). The vast majority of the public is just plain terrible, and has no clue how to configure their computers to be secure in an open network.

    Securing your wireless network with encryption isn't like flipping a switch, but it's a HELL of a lot easier and more accessible than knowing how to secure each and every device accessible on your network. Having ONE point of entry and configuring that properly is a lot easier to maintain than having multiple, different, changing points that take continued vigilance to remain secure. Is it better to keep each device secure on any network? Sure.. but how many people have the time, patience, knowledge, and ability to do that? Not many.
  • by roystgnr ( 4015 ) * <roy&stogners,org> on Thursday January 10, 2008 @12:22PM (#21985088) Homepage
    "Can anyone point me to a simple tutorial on cracking a WEP password?"

    1. Ask your neighbors for permission to connect to their WiFi.
    2. If you get permission, use the password they give you.
    3. If you don't get permission, don't be a dick.

    If someone has their WiFi configured to allow public access, I don't see much problem in making limited (e.g. no hogging bandwidth, nothing that might get them in trouble) use of it. The internet is built on the idea that people set up unattended computers to give automatic electronic permission for total strangers to use them; Slashdot would suck if everyone had to call Rob before they felt they were allowed to use his web server. But finding a hole in someone's security isn't permission, it's just intrusion.

    Even when you see an open access point asking permission isn't a bad idea. It shouldn't be a legal requirement, but it's a nice thing to do, despite involving the frightening prospects of going outside and meeting someone in real life.
  • by Anonymous Coward on Thursday January 10, 2008 @12:22PM (#21985090)
    That's just inviting trouble.

    If "Something Bad" were to happen from your IP address, there -will- be a knock at your front door in the early morning. Trust me.

    "Something" happened to my personal email server several years ago, and I had federal agents at my front door at 1am. I don't know what the heck happened - they wouldn't give me any details - but they seized my email server, and every computer in my household, even though their search warrant was only for the server. You don't tell them "no" - all that means is that they wait for the search warrant to be signed, and THEN they wreck your place searching. Much better for everyone involved to be cooperative.

    Cost me thousands of dollars in a retainer fee to a lawyer, I had to take a polygraph exam, and it took almost 2 years to get all my "stuff" back. That was 2 years where I was fearful for my job, worried about keeping my family afloat, worried about just about everything. My wife lost ALL of her graduate school work, and had to re-do most of it to turn in her final portfolio. Talk about miserable.

    And I STILL have no idea what that "Something Bad" was. And it didn't even happen at my house - it happened at my hosting ISP where the email server lived. It didn't matter that *I* didn't do it. I still had MY stuff taken from me, *I* still had to go take the polygraph exam, and *I* was still on the hook for 2 years.

    So yeah - keeping an open wireless network is just ASKING for trouble. If you want to deal with federal agents in the middle of the night, well, be my guest. You can talk the talk about how you'd tell them to go away, and how they'd have no proof, etc. etc., but unless you've been there, you have no idea what you're in for.

    Trust me.

  • FON (Score:2, Insightful)

    by Jeremiah Cornelius ( 137 ) on Thursday January 10, 2008 @12:23PM (#21985120) Homepage Journal
    Bruce mentions FON, which has dual capability APs - with both an open and a private net. With a proper IP scheme, you could even firewall the Internet upstream, to block P2P when the source is on the open net.

    I have a similar setup - but I don't have FON APs. I run an open AP, with all of my machines and services on an internal VPN.
  • Re:Car analogy (Score:2, Insightful)

    by Anonymous Coward on Thursday January 10, 2008 @12:26PM (#21985172)
    I guess your implication was that this would be a poor defense, but I'm pretty sure it would be a good defense in court (or rather a useful argument as part of a defense).

    Obviously the situation you describe is somewhat unrealistic (since no one would do that--losing a car is rather worse than losing a few MB of your bandwidth). A more realistic version might be a defense such as "yes that's my car, but these 20 people have access to the keys for that car, so it could have been any one of them driving it" and so on.

    In a real court case, of course other evidence would always be used (do you have an alibi? motive? etc.). But saying "it wasn't necessarily me since many people have access to the car" is a valid part of a defense, and so too is "it wasn't necessarily me since many people have access to that network".
  • Re:Car analogy (Score:4, Insightful)

    by phasm42 ( 588479 ) on Thursday January 10, 2008 @12:29PM (#21985226)

    So if one of those red-light-cameras snaps a picture of my car running down a pedestrian, it should be a really great defense for me to say, "Oh yeah, I have a policy of leaving my car doors unlocked and the keys in the ignition. Everyone around the neighborhood knows that."
    Which completely ignores that pretty much nobody does that with their cars (since having your car stolen results in a definite loss that can cost lots of money and a major inconvenience), but a large percentage of people do that with their wi-fi (since most of the time they don't even notice, and it doesn't cost them anything).
  • by plague3106 ( 71849 ) on Thursday January 10, 2008 @12:30PM (#21985244)
    Fine. Go to said person and tell them "your network is not secured, so I'm using it to read my mail." Tell me if they care or not then. Seriously, just because someone doesn't know their WiFi is not secured doesn't mean they won't care that you're using it. They just don't know.
  • Re:Yeah, but... (Score:2, Insightful)

    by plague3106 ( 71849 ) on Thursday January 10, 2008 @12:38PM (#21985388)
    Well, the actual article is pretty silly. His response to "if you're accused of downloading child porn you're better off pleading than going to court?" Ya, just what I want to do, have that on my record.

    No thanks, I'll lock down my network.
  • Re:Steal Wi-Fi? (Score:5, Insightful)

    by gnick ( 1211984 ) on Thursday January 10, 2008 @12:40PM (#21985428) Homepage

    That's like saying we should "steal" music files because it's not a physical thing and EVERYONES doing it so it's okay. Besides, it'll be an important lesson to those who didn't secure it in the first place...
    Did you RTFA? He's not suggesting that everyone should go out and steal Wi-Fi, he's just saying that it's nice to leave your own Wi-Fi unsecured so that others can use it if they want.

    That said, IANAL but the ones that he apparently spoke to seem awfully cavalier about the situation. I would be extremely uncomfortable explaining to a judge that I:
    1) Published an article stating that I knew that my wireless connection could be used by others to commit crimes.
    2) Left my connection unsecured anyway.
    3) Was arrested because of illegal traffic.
    4) Expect to be excused.
  • by zappepcs ( 820751 ) on Thursday January 10, 2008 @12:42PM (#21985448) Journal
    Not only might you want to give away unused bandwidth, but look at the reasons people are telling us we should not give it away:

    - You might be blamed for illegal file sharing or spamming
    - You might be held legally responsible for what others do
    - You might be the victim of malicious users
    - You might.... nevermind, all the reasons are to protect you from people who would sue you. What does that say about the world?

    Let's throw some other analogies out there:

    You shouldn't stop to help a stranded motorist because they might attack you or kill you
    You shouldn't give people advice because they might sue you for using it badly (lawyers & doctors)
    You shouldn't leave objects in your lawn in case someone trips and sues you
    you.... getting the picture?

    You are NO LONGER free to do as you wish with what is yours because other people control what you do, either directly, or indirectly as a consequence of fear of what they MIGHT do. If gun makers are not responsible for what people do with the products they make, you should NOT be responsible for what people do with the bandwidth you gave them to use.

    If we can be held responsible for what happens across our open APs, then the ISP can be held responsible for what goes across its network.

    In the end, common sense and reasonable thought dictate that the person who does the spamming or file sharing is responsible. If you leave a gardening tool in your lawn, and a person trips on it and hurts themselves, who is at fault? If you put a bench in your yard where people can sit and rest and some kid pushes another who then falls and cuts his head on the bench, who is at fault?

    I know those don't fit perfectly, but the point is that just because you helped to create something, you are NOT responsible for the use of it. Leaving your car unlocked is a good analogy: if someone takes it, they are stealing, and just because you did not do all that you could do to prevent them from taking it does not change the fact that they stole it.

    In another thought, holding the AP owner responsible is like trying to treat them as network security experts under the law. Insurance companies, police departments, all sorts of people work to inform you how to stop someone from stealing your property but does anyone do public service announcements to tell you how to stop people from stealing your bandwidth? Can you get insurance to protect you from bandwidth theft? or to compensate you when the **AA are suing you?

    Is a bus driver culpable if he drives the bus that a bank robber used to get to the bank he robbed?

    This goes on and on, but the point of holding you responsible for what others do with something you gave them (without the intent of doing so for malicious or nefarious reasons) has been proven in court already. Gun makers are not responsible for any deaths that happen from use of their products. Game over.
  • "Security is always a trade-off. I know people who rarely lock their front door, who drive in the rain (and, while using a cellphone) and who talk to strangers..."

    Plenty of people worried; "Oh someone might download kiddie porn and I would get blamed", "Oh, someone steals my information", "Oh, someone might download riaa music..."

    If you walk around in fear of things that never happen to you, then by all means, lock your stuff down - even better, stay off the net entirely! Then maybe you'll feel safe. Oh wait, you don't want to feel safe, you want to be afraid and worry.

    "This happens everywhere/all the time" - is a dangerous mindset when watching TV (or surfing /.)!
  • Re:Steal Wi-Fi? (Score:1, Insightful)

    by Anonymous Coward on Thursday January 10, 2008 @12:57PM (#21985710)
    That said, IANAL but the ones that he apparently spoke to seem awfully cavalier about the situation. I would be extremely uncomfortable explaining to a judge that I:

    But at least it offers a benefit to the rest of us. Justifying leaving the network open because a security expert recommended it makes it at least a slightly plausible defence.
  • Re:Yeah, but... (Score:5, Insightful)

    by Connie_Lingus ( 317691 ) on Thursday January 10, 2008 @01:04PM (#21985824) Homepage
    jeez...security is great and all that but you sound paranoid as hell. does the word overkill mean anything to you?
  • by alan_dershowitz ( 586542 ) on Thursday January 10, 2008 @01:04PM (#21985826)
    But you have to look at it in Bruce's mind, this only happens to probably a few thousand people a year, so it's an acceptable risk! Because all security is a tradeoff. In this case, what you get is getting to feel "polite," and the risk is that anyone could do anything on your network and you're the one who gets investigated by the police or FBI who are all very trustworthy and concerned about maintaining your innocence. Now this personally doesn't sound to me like an acceptable tradeoff, but then I'm not Bruce Schneier.

    For at least a couple of years now Bruce's online presence has been in the business of pushing a certain political viewpoint. In this case, free wifi is cool, so it's more important for society if people stick their necks out for free wifi, even when that exposes the individual to personal risk. Now my question is, how is this a security viewpoint? Bruce jumped the shark for me when in the comments section of his blog he dismissed state election voter ID requirements because voter fraud probably only accounts for a few percentage points here and there, as if that's not enough to sway an election. For the most part I quit reading his crap after that.
  • Re:Steal Wi-Fi? (Score:5, Insightful)

    by TheRaven64 ( 641858 ) on Thursday January 10, 2008 @01:08PM (#21985894) Journal

    1) Published an article stating that I knew that my wireless connection could be used by others to commit crimes.
    I know the spade in my (unlocked / ungated) garden could be used to hit someone around the head and possibly even kill them. It could then be used to dig a shallow grave to bury the body. I have just posted on Slashdot stating that I know it can be used in this way (although I don't condone this use).

    2) Left my connection unsecured anyway.
    I have left the spade in my garden anyway and don't mind if my neighbours borrow it, as long as they return it promptly in the same condition.

    3) Was arrested because of illegal traffic. 4) Expect to be excused.
    I haven't been arrested on suspicion of being an accessory to murder, but I would expect to be acquitted if my only connection to the crime were that someone had borrowed my spade and used it as a murder weapon.
  • Re:Yeah, but... (Score:4, Insightful)

    by plague3106 ( 71849 ) on Thursday January 10, 2008 @01:17PM (#21986032)
    "If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence"

    His theory. I didn't hear him claim the lawyer told him that.

    Like you, I'm pretty terrified of the accusation, so my network is locked down as tight as I can get it. I use WPA with a strong password, MAC address filtering, I renumbered the subnet from the default, I set a strong administrator password, and disabled DHCP... and if I can think of anything else I can do to lock it down, I'll probably do it, out of fear that somebody will do something nefarious with it.

    No, from what I've seen in legal cases is that you have to at least show it was likely someone else used your property to commit the crime. It's not enough to say "someone else was driving my car" you have to explain who it could have been and know reasonably where it was.

    If you really want to lock things down, no need to disable DHCP. Just set up a RADIUS server and get an AP that supports it. Breaking into your network requires two steps then; breaking the encryption, AND compromising the RADIUS server.. both of which would need to be done to use the network in the first place.

    On the other hand, if I do get hacked (somehow), all that work will probably hang me. Couple that with the fact that I have an advanced degree in computer science (which to the average slashdot reader seems to mean I know *nothing* about computers, but would surely impress a jury of my "peers" that I'm impervious to being hacked), and if my network is used against me, I'm getting the death penalty.

    They'd have to prove more than just your network was used. They'd need to find it on one of your computers somewhere, which there shouldn't be, because you didn't do it. Also, keeping logs can help if you can find in the logs that something weird happened that looks like a security breach.
  • by Comboman ( 895500 ) on Thursday January 10, 2008 @01:32PM (#21986302)
    with ISP you've specifically agreed you won't do that. Get some integrity!

    You mean the same ISP that agreed to give me unlimited downloads but cancels my service if I pass their secret limit? The same ISP that sold me unlimited high-speed but throttles it back for certain applications? Who is it that needs the integrity?

  • by Anonymous Coward on Thursday January 10, 2008 @01:50PM (#21986712)
    So, what you're saying is, federal police appeared at your door with a warrant to seize an item that wasn't actually in your house. Rather than insisting that they get a warrant that specified the correct hardware at the correct address, you invited them in to your house and voluntarily gave them all of your computer hardware. And then it took you two years to get it all back.

    That's absolutely crazy. It's possible to assert your rights without being an ass about it. Check out the ACLU. They have a lot of information available about how it's done.
  • Re:Yeah, but... (Score:4, Insightful)

    by matt_king ( 19018 ) on Thursday January 10, 2008 @02:03PM (#21987032)
    That's actually an erroneous legal idea....if in fact you have shown due diligence in trying to secure your network, and someone gets in, you are less likely to be found at fault. If however the courts can show that you knew the risks and consequences to having your network opened, and you had the means to do it, yet did not, you are much more likely to be held accountable.
  • by Hatta ( 162192 ) on Thursday January 10, 2008 @02:16PM (#21987282) Journal
    If you request an IP and it's given to you, isn't that permission to use it?
  • by Hatta ( 162192 ) on Thursday January 10, 2008 @02:29PM (#21987534) Journal
    You're being an idiot. You consented to the search without having it signed by a judge, and then you let them take things that weren't on the warrant. You don't have to do either of those. And why the hell did you let them give you a polygraph? Those aren't admissible anywhere because they're absolutely useless for anything.

    The only reason you had no recourse is because you consented. If you made them get the warrant signed and they still took items not listed on the warrant you would have had an excellent case against them.
  • Re:Yeah, but... (Score:5, Insightful)

    by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Thursday January 10, 2008 @02:39PM (#21987674) Homepage
    The only effective measure there is the WPA. If a hacker gets through that (and that's *hard*) they can break through the others in a matter of seconds just by sniffing packets.

    All he's doing is making life harder for himself.

  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Thursday January 10, 2008 @02:48PM (#21987806) Homepage
    SSL web proxies work well.. but if you want to believe that it's impossible to do, then go right ahead.. I could use some extra cash.
  • by Hatta ( 162192 ) on Thursday January 10, 2008 @03:11PM (#21988188) Journal
    No, but if he gives me his keys when I ask for them, then it is permission. That's far more analogous to what's happening when you log into an open access point.
  • by Russ Nelson ( 33911 ) <slashdot@russnelson.com> on Thursday January 10, 2008 @03:45PM (#21988760) Homepage
    "insecure" is bad. "open" is good. It's an "open wifi network" not an "insecure wifi network."
  • by Coward Anonymous ( 110649 ) on Thursday January 10, 2008 @03:57PM (#21989010)
    helmets and seatbelts you are placing the cost of your healthcare on the public. Hence you are harming someone. You can argue that you could be given the choice of not wearing a helmet or seatbelt with the understanding that you waive any right to care you can't pay for if you are injured in an accident.
    Insider trading does harm others. You are very literally stealing money from other people.

    C'mon, can't you come up with something better?
  • Re:Steal Wi-Fi? (Score:3, Insightful)

    by nacturation ( 646836 ) <nacturation AT gmail DOT com> on Thursday January 10, 2008 @05:11PM (#21990310) Journal

    I think it's more like bookcrossing [bookcrossing.com] You've already paid for it, now you're letting someone else use it. With books, publishers might not like it because they sell fewer books. With wifi, ISPs may sell fewer connections. Either way it's not stealing.
    I bet you're a popular guy at the all-you-can-eat places.
     
  • by Steve Hamlin ( 29353 ) on Thursday January 10, 2008 @07:02PM (#21992162) Homepage

    Bruce jumped the shark for me when in the comments section of his blog he dismissed state election voter ID requirements because voter fraud probably only accounts for a few percentage points here and there, as if that's not enough to sway an election.

    If you don't know, this is the very issue that was argued before the U.S. Supreme Court yesterday (Indiana law requiring government issued photo ID to vote). I agree with Bruce's POV, but his argument is NOT STRONG ENOUGH.

    In-person voter ID fraud doesn't "probably only account for a few percentage points here and there", but per the appellate arguments, there has not been one single identified case of in-person voter ID fraud in the history of Indiana. NOT ONE.

    Great article on the subject [slate.com] posted on Tuesday, before the oral arguments. Written by Walter Dellinger [wikipedia.org], one of the premier Supreme Court appellate attorneys, who is representing Washington DC in its upcoming Supreme Court case regarding DC's gun control laws. The first such case in the last half-century.

    ---

    "A law said to combat voting fraud by imposing the modest task of showing an ID may seem at first impression to be both sensible and fair. But this law is neither."

    "First and foremost, Indiana's law is a "solution" to a problem that doesn't exist. The voting fraud it purports to address is illusory. And the means it employs needlessly make it far more difficult for some citizens--especially those who are low-income, elderly, or lack easy access to transportation--to vote."

    "Because a photo-ID requirement exists to prevent a type of fraud that appears to be imaginary, the requirement would be hard to justify even if it imposed only a minimal impact on legitimate voters. But a photo-ID law in fact imposes substantial burdens on the right to vote."

  • Re:Yeah, but... (Score:4, Insightful)

    by nbert ( 785663 ) on Thursday January 10, 2008 @07:56PM (#21992906) Homepage Journal

    Essentially it adds another password to using the access point, since you need to know its name.
    Which would help a lot if the SSID weren't transmitted unencrypted whenever a client logs on. It's even possible to force a reconnect sending packets from outside, so staying connected all the time doesn't help either.

    Compared to using a dictionary based attack on a WPA encrypted WLAN it is rather trivial to bypass this hurdle. In this light it seems much more reasonable to invest time in creating a non-trivial password for WPA than to turn on such "features".

    The only downside is that it's quite annoying to dictate 16-char urandom passwords whenever some friend comes along and wants to connect. Plus all these non-geek people get assurance that I'm truly paranoid (heck, when 16 chars random becomes the standard I'll just move on to radius to convince these people ;) )
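
Several comments above settle on a long random WPA passphrase as the control that matters, with the SSID offering no secrecy. As an added example (not code from any commenter), this Python sketch generates a 16-character passphrase from the OS random source, derives the WPA/WPA2-Personal key from it, and compares its search space with a passphrase picked from a wordlist; the SSID, wordlist size and guessing rate are constructed assumptions.

```python
import hashlib
import math
import secrets
import string

# Letters and digits only: 62 symbols that are easy to read aloud to a guest.
ALPHABET = string.ascii_letters + string.digits
SECONDS_PER_YEAR = 365 * 24 * 3600


def random_passphrase(length=16, alphabet=ALPHABET):
    """Draw each character from the OS CSPRNG (what /dev/urandom exposes)."""
    if not 8 <= length <= 63:  # WPA-Personal passphrase length limits
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, picks=1):
    """Bits of entropy when `picks` items are drawn uniformly from `choices`."""
    return picks * math.log2(choices)


def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.

    The SSID is only a salt. It is visible on the air, so it adds no secrecy;
    all of the key's strength comes from the passphrase.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a given (assumed) guessing rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def audit(passphrase_len=16, wordlist_size=1_000_000, guesses_per_second=1e6):
    """Compare a random passphrase with one taken from a wordlist.

    wordlist_size and guesses_per_second are illustrative assumptions,
    not measurements.
    """
    random_bits = entropy_bits(len(ALPHABET), passphrase_len)
    word_bits = entropy_bits(wordlist_size)
    return {
        "random_bits": round(random_bits, 1),
        "wordlist_bits": round(word_bits, 1),
        "random_years": years_to_exhaust(random_bits, guesses_per_second),
        "wordlist_years": years_to_exhaust(word_bits, guesses_per_second),
    }


if __name__ == "__main__":
    ssid = "example-home-net"  # constructed SSID for the demonstration
    passphrase = random_passphrase()
    print("passphrase:", passphrase)
    print("PSK:", derive_psk(passphrase, ssid).hex())
    for key, value in audit().items():
        print(f"{key}: {value:.3g}")
```

Because the key depends on the passphrase and the public SSID alone, MAC filtering, a hidden SSID or a renumbered subnet do not change how hard the key is to guess.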
