Schneier Says 'Steal this Wi-Fi'

apolloose noted Bruce Schneier's latest entry on Wired where he talks about insecured wifi networks, and suggests that you Steal this WiFi. Basically, since insecure WiFi is everywhere, why not? You're helping make the world a little better for someone else.

Yeah, but...

[Serenissima]

If I opened up my network, anyone could start downloading pirated movies and music and use up all of my bandwidth that I want to use for downloading pirated movies and music!

Re:

[plague3106]

Well, the actual article is pretty silly. His response to "if you're accused of downloading child porn you're better off pleading that going to court?" Ya, just want I want to do, have that on my record.

No thanks, I'll lock down my network.

Re:Yeah, but...

[computational super]

What he said was, "If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence", and I often wonder if he's right. Like you, I'm pretty terrified of the accusation, so my network is locked down as tight as I can get it. I use WPA with a strong password, MAC address filtering, I renumbered the subnet from the default, I set a strong administrator password, and disabled DHCP... and if I can think of anything else I can do to lock it down, I'll probably do it, out of fear that somebody will do something nefarious with it.

On the other hand, if I do get hacked (somehow), all that work will probably hang me. Couple that with the fact that I have an advanced degree in computer science (which to the average slashdot reader seems to mean I now *nothing* about computers, but would surely impress a jury of my "peers" that I'm impervious to being hacked), and if my network is used against me, I'm getting the death penalty.

Re:Yeah, but...

[Connie_Lingus]

jeez...security is great and all that but you sound paranoid as hell. does the word overkill mean anything to you?

Re:Yeah, but...

[fictionpuss]

Apparently the words 'wired ethernet' mean nothing to him either.

Re:Yeah, but...

[Tony Hoyle]

The only effective measure there is the WPA. If a hacker gets through that (and that's *hard*) they can break through the others in a matter of seconds just by sniffing packets.

All he's doing is making life harder for himself.

Re:Yeah, but...

[plague3106]

"If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence"

His theory. I didn't hear him claim the lawyer told him that.

Like you, I'm pretty terrified of the accusation, so my network is locked down as tight as I can get it. I use WPA with a strong password, MAC address filtering, I renumbered the subnet from the default, I set a strong administrator password, and disabled DHCP... and if I can think of anything else I can do to lock it down, I'll probably do it, out of fear that somebody will do something nefarious with it.

No, from what I've seen in legal cases is that you have to at least show it was likely someone else used your property to commit the crime. It's not enough to say "someone else was driving my car" you have to explain who it could have been and know reasonably where it was.

If you really want to lock things down, no need to disable DHCP. Just setup a RADIUS server and get an AP that supports it. Breaking into your network requires two steps then; breaking the encryption, AND compromsing the RADIUS server.. both of which would need to be done to use the network in the first place.

On the other hand, if I do get hacked (somehow), all that work will probably hang me. Couple that with the fact that I have an advanced degree in computer science (which to the average slashdot reader seems to mean I now *nothing* about computers, but would surely impress a jury of my "peers" that I'm impervious to being hacked), and if my network is used against me, I'm getting the death penalty.

They'd have to prove more than just your network was used. They'd need to find it on one of your computers somewhere, which there shouldn't be, because you didn't do it. Also, keeping logs can help if you can find in the logs that something weird happened that looks like a security breach.

Re:

[aarroneous]

You forgot to disable broadcasting of your SSID.

Re:

[1u3hr]

You forgot to disable broadcasting of your SSID.

The six dumbest ways to secure a wireless LAN [zdnet.com]

SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests, and re-association requests. Essentially, youre talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you've ac

Re:Yeah, but...

[nbert]

Essentially it adds another password to using the access point, since you need to know its name.

Which would help a lot if the SSID wouldn't be transmitted unencrypted whenever a client logs on. It's even possible to force a reconnect sending packets from outside, so staying connected all the time doesn't help as well.

Compared to using a dictionary based attack on a WPA encrypted WLAN it is rather trivial to bypass this hurdle. In this light it seems much more reasonable to invest time in creating a non-trivial password for WPA than to turn on such "features".

The only downside is that it's quite annoying to dictate 16-char urandom passwords whenever some friend comes along and wants to connect. Plus all these non-geek people get assurance that I'm truly paranoid (heck, when 16 chars random becomes the standard I'll just move on to radius to convince these people ;) )

Re:Yeah, but...

[matt_king]

That's actually an erroneous legal idea....if in fact you have shown due diligence in trying to secure your network, and someone gets in, you are less likely to be found at fault. If however the courts can show that you knew the risks and consequences to having your network opened, and you had the means to do it, yet did not, you are much more likely to be held accountable.

Anonymity

[N3TW4LK3R]

Why not? For one thing because it would pretty much guarantee total anonymity to everyone online.

If you want to commit a crime online, it's easy enough to drive your car to the next city, open you laptop and connect to a random open AP.

And if you were too lazy to do that, you can always say "It wasn't me, someone else connected through MY open AP!"

Re:

[Iorek]

If you want to commit a crime online, it's easy enough to drive your car to the next city, open you laptop and connect to a random open AP.

Yeah, like this guy [theregister.co.uk]. He only got caught 'cause he set a meet. I wonder if the "elderly couple" were reprimanded for leaving their AP open? It doesn't sound like it.

That actually seems to work!

[Weaselmancer]

Hey, how about that? Here's a link an article about it. [techdirt.com]

"The IP address simply can help you know who paid for the internet access, but not who was using what computer on a network. In fact, this even had some people suggesting that, if you want to win a lawsuit from the RIAA, you're best off opening up your WiFi network to neighbors. It seems like this strategy might actually be working. Earlier this month the inability to prove who actually did the file sharing caused the RIAA to drop a case in Oklahoma and now it looks like the same defense has worked in a California case as well. In both cases, though, as soon as the RIAA realized the person was using this defense, they dropped the case, rather than lose it and set a precedent showing they really don't have the unequivocal evidence they claim they do."

Well, whaddya know?

I don't even own any WiFi equipment for fear of someone using my connection to do something questionable...but now maybe I will buy one. Nothing like a get out of jail free card, y'know?

Re:

[thanatos_x]

I'm reasonably certain that has happened (or is in the works.) It wasn't in the US if I remember correctly, but Germany I believe. Unfortunately I'm a bit busy at the moment to find the actual article.

Beware of strangers bearing gifts

[Applekid]

Sure, everyone please use my unsecured local Wi-Fi access point. I'm giving back to the community... ... and the community in turn will have all traffic filtered through a box that will sniff passwords, private keys, you name it.

So please "steal this Wi-Fi" since I need a few more social security and credit card numbers.

Re:

[Entropius]

... because CC#'s are generally transmitted in cleartext...

Re:

[jasen666]

I don't feel very secure that they're not.
[TJX nods approvingly]

Re:

[Jeff DeMaagd]

So please "steal this Wi-Fi" since I need a few more social security and credit card numbers.

Assuming the person stealing your Wi-Fi is using an unsecured site to do their transactions or that you can crack an SSL link.

Re:

[Daniel_Staal]

An SSL certificate is fairly cheap to purchase, just by one and operate a man-in-the-middle for all SSL connections. A few tech-savvy might notice, but most won't.

Re:Beware of strangers bearing gifts

[Braino420]

An SSL certificate is fairly cheap to purchase, just by one and operate a man-in-the-middle for all SSL connections. A few tech-savvy might notice, but most won't.

You purchase an SSL cert from a CA for a single host, so you will have to go through the whole process for each site the user tries to connect to. Not only this, but CAs do, admittedly minimaly, verify that you are who you say you are (depending on how much money you give them). Not only this, but you will not be able to get a cert that says you're, for example, Bank of America. You can always self-sign a cert, but this will alert the user in all modern browsers. On top of all that, if the user does get fooled by your MITM attack, you only get the information that they give you: their username and password. Sure, you can now log in to the site, but I know that if you're signing into BoA for the first time from that location, they ask you one of the security questions (which you do not have). Even if they didn't (or you fooled the user into giving you that information too) and you got access to their account, what are you going to do? You can't just transfer that money to your account without someone finding out who you are, and the accounts only show the last 4 digits of each account number. You can't get that 3 digit number on the back of the card for most online purchases, not to mention that online purchases will also point back to you. I will admit this is all much easier than cracking the 128-bit SSL session.

All of that means you aren't going to do shit; the payoff just isn't worth it and it's not as easy as some /. posters will have you believe.

Re:

[Tony Hoyle]

SSL web proxies work well.. but if you want to belive that it's impossible to do, then go right ahead.. I could use some extra cash.

Re:Beware of strangers bearing gifts

[garcia]

My public facing wireless AP has a SSID that reads, "I_SNIFF_AND_LOG". I generally find that no one is using my network and instead probably chose to use one of the 8 open "linksysfoo" APs around me.

Re:Beware of strangers bearing gifts

[Tim Doran]

Brilliant! The tech-savvy will know that means and avoid your WiFi.

The non-tech savvy will find it ambiguously gross and avoid you, your property, your children, your dog...

Re:Beware of strangers bearing gifts

[zymurgyboy]

Which to your Average Joe Wifi-thief probably translates to:

"He snorts coke and has a commercial lumber company."

Or

"He has cold, and probably a clogged toilet."

I'm surprised you don't more traffic.

Re:

[zrq]

I have the reverse problem at home.

I run an encrypted Wi-Fi network, connected to my local network and ADSL connection. However, someone else in the neighborhood runs an unencrypted Wi-Fi network, and whenever I start my laptop it tries to connect to the unencrypted networks first. I have to remember to check what network it is connected to before I use anything.

The unencrypted network is probably benign, setup by someone who hasn't read the manual and is blissfully unaware of the implications of hav

Re:

[Chris Mattern]

You should be able to specify the SSID you want to be using with the iwconfig command; tell the system you want to use your SSID (which will need to be different from your neighbor's, of course). You can automate this (at least in Debian, I don't know Fedora) in /etc/network/interfaces with a pre-up line in the stanza for your wireless interface to have the iwconfig command run before the interface is brought up.

Chris Mattern

Why steal when you can share?

[Anonymous Coward]

Why steal when you can *share*? i.e. get the owner's permission, a la www.sharemywifi.com

Re:

[dwater]

Why steal when you can *share*? i.e. get the owner's permission, a la www.sharemywifi.com

Why would I want to do that?

I just publish it's availability with it's SSID an not putting a password on it. Surely it's obvious that I don't mind other people using it.

If I didn't want people to use it, I would take measures to make it obvious, like putting a password on it, and not advertising the SSID.

Re:

[Hatta]

If you request an IP and it's given to you, isn't that permission to use it?

Re:Why steal when you can share?

[Hatta]

No, but if he gives me his keys when I ask for them, then it is permission. That's far more analogous to what's happening when you log into an open access point.

Car analogy

[Anonymous Coward]

In the article, B.S. writes:

And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network?

So if one of those red-light-cameras snaps a picture of my car running down a pedestrian, it should be a really great defense for me to say, "Oh yeah, I have a policy of leaving my car doors unlocked the keys in the ignition. Everyone around the neighborhood knows that."

Re:

[Anonymous Coward]

I guess your implication was that this would be a poor defense, but I'm pretty sure it would be a good defense in court (or rather a useful argument as part of a defense).

Obviously the situation you describe is somewhat unrealistic (since no one would do that--losing a car is rather worse than losing a few MB of your bandwidth). A more realistic version might be a defense such as "yes that's my car, but these 20 people have access to the keys for that car, so it could have been any one of them driving it" a

Re:

[Daniel_Staal]

Having recently gotten a speeding ticket from one of those cameras...

The ticket was specifically worded not to be issued to the driver. It was to the owner of the car, regardless of whether they were driving. This did have some implications otherwise: It therefore didn't result in 'points' being added to my record.

So, back to the computer situation, they could just say that you are responsible for that bandwidth, and should have blocked it if the traffic wasn't from you. Don't know which would hold up in

Re:Car analogy

[phasm42]

So if one of those red-light-cameras snaps a picture of my car running down a pedestrian, it should be a really great defense for me to say, "Oh yeah, I have a policy of leaving my car doors unlocked the keys in the ignition. Everyone around the neighborhood knows that."

Which completely ignores that pretty much nobody does that with their cars (since having your car stolen results in a definite loss that can cost lots of money and a major inconvenience), but a large percentage of people do that with their wi-fi (since most of the time they don't even notice, and it doesn't cost them anything).

Re:

[Ngarrang]

But, a lot of people DO leave their cars unlocked with the keys inside. Ever pull up to a gas station and find a running car...but no one is in it? It just all depends on where you live. In some places, it is quite safe to leave everything unlocked.

Yeah! But firmware and software changes would help

[presidenteloco]

1. Clients (laptops) default installed wifi software (hint: Steve Jobs are you reading???) need a scanning
mode which does not waste my time telling me about all the password or mac-address locked wifi
basestations, and only advises me about open ones.

2. Basestation/routers need a simple-to-configure mode where they will let others into a separate
subnet that goes straight out to the Internet but does not see my home computers directly.

3. (Brain software/mindset change.) Americans need to stop reflexively calling sharing 'stealing'.
You've been trained into this terminology by those who have already stolen everything and don't
want you to get it back.

Encrypted private *and* unencrypted open wi-fi

[crow]

So for point 2, you want encrypted wi-fi for your home systems and open unencrypted wi-fi for guests. Is that even possible without two separate access points?

Re:Encrypted private *and* unencrypted open wi-fi

[Constantine XVI]

Actually, yes it is. DD-WRT (http://dd-wrt.com/ [dd-wrt.com]) has a feature that lets you put out a second (up to 4 IIRC) SSID with separate security and etc. It's only available in the RCs at the moment (and broken in RC6, but working in RC5).

Re:

[inviolet]

So for point 2, you want encrypted wi-fi for your home systems and open unencrypted wi-fi for guests. Is that even possible without two separate access points?

Some of the newer APs have it built-in. Or you can do it by cascading two older, cheaper APs, like this [slashdot.org].

Re:

[cheater512]

There is nothing *technically* stopping you as long as both use the same channel.

Its just up to the firmware of the device which determines what it can do.
There certainly are some which can do it without much hacking.

Re:

[cerberusss]

It's totally possible. One of those FON WiFi routers (google it) will publish two SSIDs. Each has different settings. They sell them at cost and they're meant to have the public SSID be shared with other FON users, but they also have a feature where you can generate passwords for friends/family.

Re:Yeah! But firmware and software changes would h

[Zenaku]

I'd like to amend your number 1 -- I want a scanning mode that doesn't waste my time telling me about all the encrypted or mac-address locked networks, and also doesn't waste my time telling me about the "open" networks that don't actually give me any access until I open a browser, try to load a URL and get redirected to their own little page where I have to log in with a code to show that I've paid for a 24 hour pass or some shit.

I'm not saying nobody should offer such paid public access points, just that

Re:Yeah! But firmware and software changes would h

[teh kurisu]

2. Basestation/routers need a simple-to-configure mode where they will let others into a separate subnet that goes straight out to the Internet but does not see my home computers directly.

++

3. (Brain software/mindset change.) Americans need to stop reflexively calling sharing 'stealing'. You've been trained into this terminology by those who have already stolen everything and don't want you to get it back.

Sharing WiFi is fundamentally different from sharing copyrighted material. I don't get why pe

Re:Yeah! But firmware and software changes would h

[SuperBanana]

1. Clients (laptops) default installed wifi software (hint: Steve Jobs are you reading???) need a scanning mode which does not waste my time telling me about all the password or mac-address locked wifi basestations, and only advises me about open ones.

Leopard shows padlock icons next to locked networks. For at least two prior major OS revisions, you have the option to be told about open networks, and/or join them automatically.

Do you have any idea how much of a problem this is for IT people dealing wi

Re:Yeah! But firmware and software changes would h

[kwerle]

1. Clients (laptops) default installed wifi software (hint: Steve Jobs are you reading???) need a scanning
mode which does not waste my time telling me about all the password or mac-address locked wifi
basestations, and only advises me about open ones.

You need to upgrade to leopard. It shows a little lock next to the names of locked down wifi.

Ethics by analogy

[crow]

This is an ethics by analogy situation. Everyone arguing over whether it is right to use unsecured wi-fi connections bases their arguments on analogies, and depending on the analogy, reaches a different conclusion.

As I see it, if someone left their wi-fi open, then either it was intentional, or they're too clueless to notice (or care) that I'm reading my email.

Re:Ethics by analogy

[plague3106]

Fine. Go to said person and tell them "your network is not secured, so I'm using it to read my mail." Tell me if they care or not then. Seriously, just because someone doesn't know their WiFi is not secured doesn't mean they won't care that you're using. They just don't know.

Re:

[SCHecklerX]

How is using something that your laptop connects to without any effort an analogy? If you don't want to share your connection, even just turning off broadcasting will stop legitimate clients from using you automatically (but if you took the effort to do that, you likely enabled privacy settings too).

It's pretty bad when I sit in my living room, forgetting that my 802.11 configuration was for'any' SSID and swear about WTH can't I get to my local servers? :-)

"Insecured" Wi-Fi

[wcrowe]

"Insecure?". Yeah, nobody wants a clingy Wi-Fi.

Usually not stealing

[totallygeek]

Another side to this is to consider that some people may actually allow access. I used to. I had an SSID of JUMPONFREE. I did this for two reasons: one to give Internet access to people in my apartment complex if they did not want to pay for it themselves, and two because I incorporated transparent proxying and compiled lists of visited sites (as well as port mirroring on the switch to track protocol usage). You don't have to concern yourself with abusers if you set up traffic priorities and/or bandwidth limiters. I am not alone, as I have seen many cleverly named SSID's indicating the owner is not just some non-configuring noob, but rather someone that cares enough to share.

Re:Usually not stealing

[zappepcs]

Not only might you want to give away unused bandwidth, but look at the reasons people are telling us we should not give it away:

- You might be blamed for illegal file sharing or spamming
- You might be held legally responsible for what other do
- You might be the victim of malicious users
- You might.... nevermind, all the reasons are to protect you from people who would sue you. What does that say about the world?

Lets throw some other analogies out there:

You shouldn't stop to help a stranded motorist because they might attack you or kill you
You shouldn't give people advice because they might sue you for using it badly (lawyers & doctors)
You shouldn't leave objects in your lawn in case someone trips and sues you
you.... getting the picture?

You are NO LONGER free to do as you wish with what is yours because other people control what you do, either directly, or indirectly as a consequence of fear of what they MIGHT do. If gun makers are not responsible for what people do with the products they make, you should NOT be responsible for what people do with the bandwidth you gave them to use.

If we can be held responsible for what happens across our open APs, then the ISP can be held responsible for what goes across its network.

In the end, common sense and reasonable thought dictate that the person who does the spamming or file sharing is responsible. If you leave a gardening tool in your lawn, and a person trips on it and hurts themselves, who is at fault? If you put a bench in your yard where people can sit and rest and some kid pushes another who then falls and cuts his head on the bench, who is at fault?

I know those don't fit perfectly, but the point is that just because you helped to create something, you are NOT responsible for the use of it. Leaving your car unlocked is a good analogy: if someone takes it, they are stealing, and just because you did not do all that you could do to prevent them from taking it does not change the fact that they stole it.

In another thought, holding the AP owner responsible is like trying to treat them as network security experts under the law. Insurance companies, police departments, all sorts of people work to inform you how to stop someone from stealing your property but does anyone do public service announcements to tell you how to stop people from stealing your bandwidth? Can you get insurance to protect you from bandwidth theft? or to compensate you when the **AA are suing you?

Is a bus driver culpable if he drives the bus that a bank robber used to get to the bank he robbed?

This goes on and on, but the point of holding you responsible for what others do with something you gave them (without the intent of doing so for malicious or nefarious reasons) has been proven in court already. Gun makers are not responsible for any deaths that happen from use of their products. Game over.

think it's OK .... better stay in the USA then

[petes_PoV]

Because in other countries you will get busted.

See this example in the UK
http://news.bbc.co.uk/1/hi/england/hereford/worcs/6565079.stm [bbc.co.uk]

The flaw in Schneire's logic.

[Vellmont]

Everything Schneire says is true.. for Bruce Schneire. Not everyone is as adept as he is in configuring a computer to be secure. I'm OK, but I'm likely not vigilant enough to keep everything as secure as it should be (and thus I have WPA encryption on in my wireless network). The vast majority of the public is just plain terrible, and has no clue how to configure their computers to be secure in an open network.

Securing your wireless network with encryption isn't like flipping a switch, but it's a HELL of a lot easier and more accessible than knowing how to secure each and every device accessible on your network. Having ONE point of entry and configuring that properly is a lot easier to maintain than having multiple, different, changing points that take continued vigilance to remain secure. Is it better to keep each device secure on any network? Sure.. but how many people have the time, patience, knowledge, and ability to do that? Not many.

Re:

[GrenDel Fuego]

Yeah, that is my biggest concern here. In a perfect world everyone would secure their systems (or vendors would design systems securely) so that being on the local LAN did not grant any special privileges. But with that not being the case an open wireless network lets people access the files you accidentally shared out, compromise the system you forgot to patch or sniff your e-mail that you never setup SSL/TLS for.

Re:

[GrenDel Fuego]

I'm sure he can secure his computer, but I wonder how well he can detect man-in-the-middle attacks.

Assuming that he properly secures any protocols that he cares, he can probably do it pretty damn well. SSL/TLS secured protocols use a cert signed by a trusted authority. SSH allows you to validate the public key of a server. Initially obtaining the public key could use some improvement though.

Someone could do a MITM attack against http based web browsing, but that's fine as long as you stick to SSL for any

He's being an idiot.

[Anonymous Coward]

That's just inviting trouble.

If "Something Bad" were to happen from your IP address, there -will- be a knock at your front door in the early morning. Trust me.

"Something" happened to my personal email server several years ago, and I had federal agents at my front door at 1am. I don't know what the heck happened - they wouldn't give me any details - but they seized my email server, and every computer in my household, even though their search warrant was only for the server. You don't tell them "no" - all that means is that they wait for the search warrant to be signed, and THEN they wreck your place searching. Much better for everyone involved to be cooperative.

Cost me thousands of dollars in a retainer fee to a lawyer, I had to take a polygraph exam, and it took almost 2 years to get all my "stuff" back. That was 2 years where I was fearful for my job, worried about keeping my family afloat, worried about just about everything. My wife lost ALL of her graduate school work, and had to re-do most of it to turn in her final portfolio. Talk about miserable.

And I STILL have no idea what that "Something Bad" was. And it didn't even happen at my house - it happened at my hosting ISP where the email server lived. It didn't matter that *I* didn't do it. I still had MY stuff taken from my, *I* still had to go take the polygraph exam, and *I* was still on the hook for 2 years.

So yeah - keeping an open wireless network is just ASKING for trouble. If you want to deal with federal agents in the middle of the night, well, be my guest. You can talk the talk about how you'd tell them to go away, and how they'd have no proof, etc. etc., but unless you've been there, you have no idea what you're in for.

Trust me.

Re:

[alan_dershowitz]

But you have to look at it in Bruce's mind, this only happens to probably a few thousand people a year, so it's an acceptable risk! Because all security is a tradeoff. In this case, the what you get is getting to feel "polite," and the risk is that anyone could do anything on your network and you're the one who gets investigated by the police or FBI who are all very trustworthy and concerned about maintainging your innocence. Now this personally doesn't sound to me like an acceptable tradeoff, but then I'm

Voter ID fraud - DOESN'T EXIST, so no law req.

[Steve Hamlin]

Bruce jumped the shark for me when in the comments section of his blog he dismissed state election voter ID requirements because voter fraud probably only accounts for a few percentage points here and there, as if that's not enough to sway an election.

If you don't know, this is the very issue that was argued before the U.S. Supreme Court yesterday (Indiana law requiring government issued photo ID to vote). I agree with Bruce's POV, but his argument is NOT STRONG ENOUGH.

In-person voter ID fraud doesn't

Re:

[644bd346996]

Schneier isn't being an idiot. Do you think the feds could actually pull off an "investigation" like you describe on him of all people? It would look really fishy, and it would probably hit the mainstream media. I'd say that Schneier is pretty safe from high-level harassment.

Besides, the police probably wouldn't be able to get any useful data off his computers without hiring him to help.

Re:He's being an idiot.

[Hatta]

You're being an idiot. You consented to the search without having it signed by a judge, and then you let them take things that weren't on the warrant. You don't have to do either of those. And why the hell did you let them give you a polygraph? Those aren't admissible anywhere because they're absolutely useless for anything.

The only reason you had no recourse is because you consented. If you made them get the warrant signed and they still took items not listed on the warrant you would have had an excellent case against them.

FON and Co

[PhillC]

There are already a number of organisations/initiatives around that actively encourage you to purchase their wireless routing products and then open up access to everyone.

I'm a member of FON [fon.com], which allows you to allocate a specific amount of bandwidth for sharing if you're using one of their routers - say 1MB of your 8MB ADSL, which neatly overcomes the first poster's issue of not having enough bandwidth for their own nefarious purposes. After being a member of FON for 12 months they actually sent me three free wireless routers at Christmas, which I gave away to friends hoping that they too will join and share bandwidth.

There's another company I heard about, US based, that does something similar, but I can't think of their name right now.

However, I wonder about my ISP's stance regarding sharing WiFi for free with others. Does it violate their Ts&Cs? Do I care enough to actually find out? No!

Re:

[PhillC]

Meraki [meraki.com] is the other company I was thinking of. Like FON, they supply wireless hardware with the express aim of you sharing your connection. The Meraki stuff looks quite good too in terms of having an extended connectivity range.

Need help Here

[Sanat]

BS writes:

"The accused's chance of winning is higher than in a criminal case, because in civil litigation the burden of proof is lower. "

I am having a hard time parsing this sentence. Should it be "accuser's" rather than "accused's" or have I just got a mental blank about this sentence. Maybe change "winning" to "losing".

Re:

[mcmonkey]

"The accused's chance of winning is higher than in a criminal case, because in civil litigation the burden of proof is lower."

If you go to court accused to downloading something bad, you have a better chance of winning (not guilty) in criminal court. The burden of proof is lower is civil litigation. Think OJ--not convicted of murder in criminal court, but still found libel in civil.

Correct my if I'm wrong

[Seakip18]

But I thought the best way to browse securely was have all traffic sent to your home server, encrypt it, and forward to the laptop. This was because you assume your home network is inherently more secure. With is approach, you are leaving your home network, including your significant others, at risk. Especially those who are not savvy enough to apply updates and maintain anti-virus.

While I understand the anonymity helps his secure network stand out, all those open networks are just waiting for a guy with a little time and knowhow to start doing many bad things, say, man-in-the-middle. Just because you are blending into the pack does not keep the lions from eating one of you.

Now then, it IS his network at home, so he can do whatever the heck he feels like. And I do understand his social aspects of looking at WiFi as another resource for the public. But that does not free you from liability regardless of how little or insignificant it may be or stupidly enforced.

To me, it sounds like he doesn't want to roll up his sleeves and do some dirty work with port-forwarding, SSH-ing, and proxying. With those, you can enjoy quite decent browsing while away AND understand that your weakest point is at home.

On an unrelated note, where does this guy live?

My printer means "Closed Network"

[nweaver]

I use WPA. Why? Because on my parents network, they want to use file sharing between their desktop and their laptop. On both mine and my parents, there are networked printers.

But I write down the password on the router, and anyone who visits in person is welcome to use it.

Does Bruce not use a home printer? Share files between home computers?

I am a Sharer

[RobBebop]

For several years, I ran an open connection. Nothing bad happened. I doubt anybody used it, because it was in an apartment complex with mostly older, non-tech savvy individuals. But it was there.

I have since moved, and found an open network in my area. I browse, chat, e-mail, do occasional software updates, and occasionally download free music [jamendo.com]. I stream a Sirius radio audio connection from time to time, but that is low bandwidth. No streams of pirated movies. No infinite queues of warez or copyrig

If advertised as open...

[dazedNconfuzed]

If you've got a router broadcasting to the world "I'm here! I'm open! I'm free!" and handing out DCHP IP addresses on request, using it ain't "stealing".

Kinda like having a doorman shouting "C'mon in!" to passers-by and handing full-access visitor ID cards to anyone who walks in.

Hardly stealing in most cases

[SCHecklerX]

I mean, with windoze (and linux, if you set it up that way) automatically associating with any open AP that advertises, is it really stealing?

In my neighborhood, there are a number of 'belkin54' and 'linksys' APs advertising default SSIDs and networks with no privacy settings.

Now, if you log in to the device (which likely has a default password too), and change any setting, that is definitely tresspass (despite the utter lack of security). But as far as just using it goes? How can you be accused of steali

he says "it's basic politeness" - rubbish!

[petes_PoV]

In the article the guy says it's just like providing heat and light to guests. Fine, why not give them all your money, too. Why not take the fall when your "guests" are pulled for speeding, or online fraud?

By providing free internet access, you are effectively saying that it's OK for someone you don't know to commit crime and to have no defence when the cops come knocking on your door. The "it wasn't me, it was someone else" defence stopped being credible years ago and could easily wind up with the freeb

Re:

[ChrisA90278]

In the article the guy says it's just like providing heat and light to guests. Fine, why not give them all your money, too. Why not take the fall when your "guests" are pulled for speeding, or online fraud?

Because that is different. Heat and light is something you have in your house anyways and it costs you nothing to share it. WiFi is the same. When my son'e freind came over and brought his Apple iPod Touch it cost me nothing to put him on my wireless network

The problem with making it public is that 99.

He's right when he says it's a trade off

[joebagodonuts]

"Security is always a trade-off. I know people who rarely lock their front door, who drive in the rain (and, while using a cellphone) and who talk to strangers..."

Plenty of people worried; "Oh someone might download kiddie porn and I would get blamed", "Oh, someone steals my information", "Oh, someone might download riaa music..."

If you walk around in fear of things that never happen to you, then by all means, lock your stuff down - even better, stay off the net entirely! Then maybe you'll feel safe. Oh wait, you don't want to feel safe, you want to be afraid and worry.

"This happens everywhere/all the time" - is a dangerous mindset when watching TV (or surfing /.)!

I used to have an open WiFi until...

[Coward Anonymous]

Someone started running his own DHCP server on it and caused other random disruptions. I've moved since so I may consider re-opening it.

Are ISPs Paying Schneier?

[PingPongBoy]

Schneier is a pretty clever person. From my reading of some of his cryptography books, he knows a lot of tricks.

Open WiFi because it's a security risk? That sounds supportable on the surface, but it's just asking for trouble, and Bruce Schneier ought to be the first person to tell you so.

Then why is he espousing the controversial option of an open network? The answer may be obtained by following the money. Schneier propaganda leads to more open WiFi everywhere leads to ISP's raising cain and justifying high

Recently Opened Mine

[dcollins]

I used to keep my WiFi router secured. But then there were some days when I couldn't connect from the other end of my apartment, and it was real handy to go through neighbor's unsecured WiFi. This convinced me that it was the neighborly thing to do and opened mine.

it's not "insecure", it's "open"

[Russ Nelson]

"insecure" is bad. "open" is good. It's an "open wifi network" not an "insecure wifi network."

Re:how do i crack a WEP password?

[fastest fascist]

how about just getting a wireless router, instead?

Re:

[Archangel Michael]

"how about just getting a wireless router, instead?"

Because he's a cheap bastard?

Re:how do i crack a WEP password?

[fastest fascist]

Excuse me? He uses an iMac, therefore he must be used to paying through the nose.

Re:

[somersault]

Possible that he's a poser and just spent all his money on an iMac, and therefore can't afford a wireless router? ;) Or he bought it cheap from another poser.. (I've always liked Apple, but if I'm gonna buy one these days it would be the 'pro' stuff rather than something with a crappy graphics card..)

Re:how do i crack a WEP password?

[Anonymous Coward]

So then he's just a bastard?

Re:how do i crack a WEP password?

[roystgnr]

"Can anyone point me to a simple tutorial on cracking a WEP password?"

1. Ask your neighbors for permission to connect to their WiFi.
2. If you get permission, use the password they give you.
3. If you don't get permission, don't be a dick.

If someone has their WiFi configured to allow public access, I don't see much problem in making limited (e.g. no hogging bandwidth, nothing that might get them in trouble) use of it. The internet is built on the idea that people set up unattended computers to give automatic electronic permission for total strangers to use them; Slashdot would suck if everyone had to call Rob before they felt they were allowed to use his web server. But finding a hole in someone's security isn't permission, it's just intrusion.

Even when you see an open access point asking permission isn't a bad idea. It shouldn't be a legal requirement, but it's a nice thing to do, despite involving the frightening prospects of going outside and meeting someone in real life.

What what WHAT?

[Quiet_Desperation]

Slashdot would suck if everyone had to call Rob before they felt they were allowed to use his web server.

Wait! You mean I don't? Shit! All those wasted phone calls!

Re:

[boxlight]

Thanks!

Re:

[dattaway]

That's like saying we should "steal" music files

I thought that's how most people seal music files and do P2P: one of their neighbor's open networks.

FON

[Jeremiah Cornelius]

Bruce mentions FON, which has dual capability APs - with both an open and a private net. With a proper IP scheme, you could even firewall the Internet upstream, to block P2P when the source is on the open net.

I have a similar setup - but I don't have FON APs. I run an open AP, with all of my machines and services on an internal VPN.

Re:Steal Wi-Fi?

[Intron]

I think it's more like bookcrossing [bookcrossing.com] You've already paid for it, now you're letting someone else use it. With books, publishers might not like it because they sell fewer books. With wifi, ISPs may sell fewer connections. Either way it's not stealing.

Re:

[techpawn]

You've already paid for it, now you're letting someone else use it.

The same argument can be made for music in an odd way, but, that didn't stop DRM from going into effect.

Re:

[nacturation]

I think it's more like bookcrossing [bookcrossing.com] You've already paid for it, now you're letting someone else use it. With books, publishers might not like it because they sell fewer books. With wifi, ISPs may sell fewer connections. Either way it's not stealing.

I bet you're a popular guy at the all-you-can-eat places.
 

Re:

[Intron]

My ISP just says my line is for residential use and may not be resold. They used to say you could only connect one computer, but took out that whole section due to complaints. It says nothing about wifi or sharing.

Re:

[Coward Anonymous]

"with ISP you've specifically agreed you wont do that. Get some integrity!"

And if an O.J company wrote on their boxes that by buying their juice you agree to not sharing it with your friends you stick to that integrity?
You bought it, it's yours, you can do what you please with it.

Re:

[Coward Anonymous]

helmets and seatbelts you are placing the cost of your healthcare on the public. Hence you are harming someone. You can argue that you could be given the choice of not wearing a helmet or seatbelt with the understanding that you waive any right to care you can't pay for if you are injured in an accident.
Insider trading does harm others. You are very literally stealing money from other people.

C'mon, can't you come up with something better?

ISP and integrity in the same comment?

[Comboman]

with ISP you've specifically agreed you wont do that. Get some integrity!

You mean the same ISP that agreed to give me unlimited downloads but cancels my service if I pass their secret limit? The same ISP that sold me unlimited high-speed but throttles it back for certain applications? Who is that needs the integrity?

Re:Steal Wi-Fi?

[Goaway]

No, it's nothing like that, if you actually read what he's saying instead of rushing in to make yourself sound smart on the internet.

Re:Steal Wi-Fi?

[gnick]

That's like saying we should "steal" music files because it's not a physical thing and EVERYONES doing it so it's okay. Besides, it'll be an important lesson to those who didn't secure it in the first place...

Did you RTFA? He's not suggesting that everyone should go out and steal Wi-Fi, he's just saying that it's nice to leave your own Wi-Fi unsecured so that others can use it if they want.

That said, IANAL but the ones that he apparently spoke to seem awfully cavalier about the situation. I would be extremely uncomfortable explaining to a judge that I:
1) Published an article stating that I knew that my wireless connection could be used by others to commit crimes.
2) Left my connection unsecured anyway.
3) Was arrested because of illegal traffic.
4) Expect to be excused.

Re:Steal Wi-Fi?

[TheRaven64]

1) Published an article stating that I knew that my wireless connection could be used by others to commit crimes.

I know the spade in my (unlocked / ungated) garden could be used to hit someone around the head and possibly even kill them. It could then be used to dig a shallow grave to bury the body. I have just posted on Slashdot stating that I know it can be used in this way (although I don't condone this use).

2) Left my connection unsecured anyway.

I have left the spade in my garden anyway and don't mind if my neighbours borrow it, as long as they return it promptly in the same condition.

3) Was arrested because of illegal traffic. 4) Expect to be excused.

I haven't been arrested on suspicion of being an accessory to murder, but I would expect to be acquitted if my only connection to the crime were that someone had borrowed my spade and used it as a murder weapon.

Re:Steal Wi-Fi?

[penguin_dance]

No, it's more akin to: I go to the grocery store and buy a 5 lb bag of sugar. Now I don't need to use that much sugar so I let the neighbors have some. That's not stealing because I paid for it. You're essentially doing nothing more than what a Starbucks or other cafe does.

However, don't be surprised that companies like Comcast freak out because, while they want you to PAY for all that bandwidth, they don't actually want you to USE it!

Re:Steal Wi-Fi?

[hey!]

No, it's more akin to: I go to the grocery store and buy a 5 lb bag of sugar. Now I don't need to use that much sugar so I let the neighbors have some. That's not stealing because I paid for it. You're essentially doing nothing more than what a Starbucks or other cafe does.

Actually, it's more like ordering the all you can eat buffet and letting your friend eat off your plate.

If your friend says, "gee that looks good," and you say, "here, have a bite," the restaurant doesn't care. You had a good time, your friend had a good time, you'll probably come back for more. On the other hand, if your friends eats a dozen jumbo shrimp and couple of salmon fillets, the restaurant will be ticked off, because they priced the buffet around the probable range of one person's appetite. If everybody starts doubling or tripling up, then they have to raise prices, which mean they can't sell to individual diners.

So the way this works is, the vendor makes rules, and they look the other way at insignificant bits of rule breaking that keep their customers happy. When people get organized about breaking rules to unilaterally drop the price of service, then they start to get a bit tetchy.

Re:

[Hatta]

Yes, that's exactly why we should copy music files.