May 13, 2004

wifi, free as in beer?

Outside the Beltway linked to this post by Phil Libin, which advocates that folks not secure their wifi access points because "it's too hard" for the average person to set up a WAP securely. I wrote a quickie response at OTB about some concerns, and I also found this article at Security Focus covering the legal aspects of wifi use.

As with any shared network, there are a host of issues to consider when providing access to others. What if the person sharing your network downloads something illegal? Are you keeping logs tracking who is who? If you are unable to secure a WAP, who is to say that you've properly secured your own computers? What if your provider shuts you down for excess bandwidth usage?

In other words, if you are thinking of setting up an open WAP, think long and hard about the implications, both technical and legal. While it's great to talk about ubiquitous wifi connectivity, we're still in a tangled web of undefined legal risks. If nothing else, you're putting yourself at the mercy of others who may be able to take advantage of you.

Posted by joy at May 13, 2004 07:30 PM
Comments

Joy,

You make a good argument, but I’m going to stick by mine.

I never said that people shouldn’t secure their WAPs. I think that people *don’t* secure their WAPs because the technology is poorly implemented and frustrating. If WiFi security were more robust and easier to use, it would naturally be to everyone’s advantage to use it.

However, if I’m going to ask average consumers to spend a few hours on computer “security”, I’d much rather they first install the latest OS patches, turn off file sharing, install a firewall at the network and on every computer, learn a bit about “phishing” and other scams (and maybe download SpoofStick), install an anti-virus program and get the latest signatures, check for spyware and rethink their passwords. When they’re done with all that, they can monkey around with their WiFi network. All the other stuff is more important, more effective and easier to do.

Even if you manage to keep your WiFi access point encrypted, you’re not really adding a whole lot of security. Everything just reverts right back to plaintext as soon as it goes from the WAP to the ISP; all your HTTP and FTP and email is bouncing around the guts of the web for anyone to see. If you’ve got data worth protecting, use SSH or SSL or a VPN – then it doesn’t matter if you’ve secured your WAP. If a non-SSL site asks you for a password, assume that everyone can see it. If you send out unencrypted, unsigned email, assume that there’s going to be a searchable trail of everything you’ve ever written somewhere or another.

As for the legal aspects, I don’t buy it. Internet access is not a firearm, and I don’t have any responsibility to make sure others can’t use the bits my access point decides to shoot out into the air. If my ISP has a problem with this, they should figure out how to restrict access on their side. I shouldn’t have to waste my time setting up “security” to solve their billing problem. If a crime is committed in my neighborhood, it’s not up to me to prove that I didn’t do it. It’s up to the authorities to find whoever did – and to prove it. Of course, you’re right that this area is “undefined” and it may take an unpleasant case or two to iron things out. If you’re concerned about being blamed for the actions of others on “your” wireless network, by all means take the appropriate precautions. For what it’s worth, I’ve found that MAC filtering works better than WAP encryption.

So, bottom line: we need better security technology that takes the burden of securing all data away from the user. In the meantime, locking down residential wireless access points is not my top security priority, and may not be a good way to spend finite security resources.


Posted by: Phil Libin at May 14, 2004 01:23 AM

Resistance is Futile. You Will Be Assimilated.

Joy, you sound like a lawyer!

;^)

Posted by: Misanthropyst at May 14, 2004 06:40 PM