Pushing Back On Fear Mongering Reports About Open WiFi Networks

from the about-time dept

We've covered so many fear mongering reports about how dangerous open WiFi networks are, it's quite amazing to see a press article that quotes security researchers pushing back on the latest fear mongering report. As Bruce Schneier notes in the article, it's not the open network that's the issue, but the devices on the network. If the devices are secured, it can be quite safe to use an open network or leave your network open. It seems like there's just a kneejerk reaction against the idea of open WiFi these days. While there may be some risk in getting falsely accused if someone misuses your WiFi, we've yet to hear of any such case where it took very long for the innocence of the network owner to be established.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    dorpus, Jun 28th, 2006 @ 1:40am

    Can you steal wifi?

    Can you steal the router devices? I was just wondering, after spending a day on another forum discussing unusual stolen goods -- stolen mailboxes, fire trucks, ambulances, cranes, wedding cakes, port-a-johns, ....

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Bill, Jun 28th, 2006 @ 3:50am

    disagree

    we should not leave our networks open that is unless you're willing to put another hard wired router between your connection and your computers. by leaving your wifi open all of your computers are vulnerable. software firewalls including windows firewall and mac osx's firewall are weak to say the least. there is some truth "if your devices are secured". which means 13 character secure passwords on your machine. secure means, no words, just a jumble of letters and numbers. now do that and enable the software firewall on a mac and roll the dice. but as for windows, there are a plethora of hacks that need NO authentication(password or user name) so don't think the windows firewall, or zone alarm or strong passwords on windows are going to make you safe. they're not!

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Jesse McNelis, Jun 28th, 2006 @ 7:40am

      Re: disagree

      Again I have to state it.
      Personal Software Firewalls are pointless. They provide nothing in terms of security and actually decrease security by adding another process that requires administrator privileges.
      You are much better off disabling the network services that you don't require.

      13 character passwords are also unnescessary. You can just prevent brute forcing of passwords by limiting the number of remote login attempts allowed in a given time period, say 5 per minute and change your password every few weeks.

      There is quite a bit of crazyness about Windows not being secure, I agree that it's not secure on a default install. But it can be easily made much more secure.

      - Jesse McNelis

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Jun 28th, 2006 @ 9:19am

      Re: disagree

      which means 13 character secure passwords on your machine
      What will a 13 character password do? http://support.microsoft.com/?kbid=299656"

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Tom, Jun 28th, 2006 @ 6:54am

    Security thru ignorance

    If lack of physical access to your computer network is the only security you have, then you are destined for being stolen from. Open WiFi is no different than having a network jack on the outside wall of your building where anyone can plug in. You should have security procedures that will let a hacker plug into your network physically or connect via Open WiFi and not be able to access sensitive information. If you can't do that, then every employee is potential thief.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Daryl Licked, Jun 28th, 2006 @ 7:04am

    wi fi security guard

    im just waiting for the day the government requires you to have internet insurance, to pay for the "damage" you cause by using wifi hot spots.

    dont think thats a stretch

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Dan.No, Jun 28th, 2006 @ 7:58am

    Scare tactics and Indoctrination

    I'm tired of hearing how WiFi is going to be the downfall of corporations. Give me a break.

    It's as likely that someone will walk into your building and plug into an extra network jack than it is that someone will use your wireless network - in some cases, even if you haven't secured it.

    If you plan your wireless network so that the signal covers all of your building, but not so much out of your building; then use a WEP key or similar to make it 'secure', the likelyhood of wardriving or some random person accessing your network are slim to none.

    Having been the System Administrator at a school division that uses various technologies and have significantly varying needs, the use of WiFi in many cases is convenient and cost effective. Not only have we not had ANY issues with lost data and hacking, we have not had ANY issues with lost data and hacking. We've been running wireless for several years now.

    As far as I'm concerned, the majority of what you hear about the dangers of wireless are simply scare tactics.

    It bugs me when people believe everything they read without doing a little research and experimentation.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Joe T, Jun 29th, 2006 @ 9:25am

      Re: Scare tactics and Indoctrination

      I hate to resort to this, but there's no polite way to put this: You, sir, are clueless and ignorant in this subject and the fact that you are guarding the personal information of children from pedophiles scares me. I am in the wireless industry, I *HAVE* done the research, testing, and pen testing, and I submit that if you haven't had any issues with your wireless being compromised it's because you haven't a clue how to determine that you have. While using WEP on a home network might be a mild deterrent, a saavy pedophile will see you as a nice, juicy target and take the 20 minutes to break your WEP key.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    harry hackerman, Jun 28th, 2006 @ 8:09am

    We will hack you

    We have hacked you, we are hacking you, we will hack you.
    Hack you
    Harry.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    I, for one, Jun 28th, 2006 @ 8:34am

    security by regulation

    There was a time when you couldn't even plug a non-approved telephone into your line. Deregulation was a major component force in allowing the internet to flourish, and I don't see a time when we will go back to the old Soviet system. But every now and then someone shouts "regulation!" and it seems so seductive. Here's my list of "why it won't work" for all the naive arguments I hear so often

    • Licence equipment
    • Licence Users
    • User insurance
    • Licence Technicians
    Licencing equipment

    It seems like its possible to mandate a standard for hardware. Perhaps a security rating. But look at Microsoft. There is simply no question that they have gone out of their way to deliberately make software and hardware insecure, perhaps not for sinister reasons - just to ease installation complexity. It works by default, which is the opposite of any good security policy where everything should be turned off by default. Then there are the more sinister questions like hardware manufacturers leaving backdoors in routers. Could industry ever come on side for hardware/software licenced standards? Not a chance imho. And if they could, what kind of moneypit would enforcement become? Stopping all those "unlicenced" low standard cheap Chinese devices getting into our shops and homes? No chance. And where would that leave free software? The entire planet has trillions invested behind that unstoppable juggernaut

    Licencing Users

    We licence cars and guns, so why not internet access. Maybe a certain level of competence should be demonstrated in order to be allowed on to the wide area network? Well it will never work because 99% of people will fail the test. By the time the standards are lowered enough for even 30% to get through the training will be so watered down as to be useless. Driving a car or using a firearm is a skill that doesn't change. But every month the landscape of the network shifts to require new skills and knowledge. Even us IT people have a hard time keeping ahead of it all.

    User insurance

    Possibly the worst idea of all. Insurance would lower security standards even further by shifting responsibilty. We need to encourage people to take more responsibility not less. Besides it cannot be applied in the same way that auto insurance or home insurance pertains to fixed assets and events. Things are already very fluid on the network, IP6 and mesh WiFi are only going to make it more so. Blame game antics will quickly get out of hand when your IP6 drinks fridge in your car decides to call home to the wrong address and does a drive by DOS on the local fire stations VOIP. Companies cannot handle the complexity of the claims or afford to hire experts in the same relatively simple and sensible way that culpability in an RTA or storm damage to a house can be decided.

    Licence install and repair techs

    If a dentist or lawyer needs a licence to practice why not a computer technician? Well, it's no secret that right now the entire domestic internet is kept alive only by dint of unpaid 12-18 year old geek kids who have the slightest clue what is going on most of the time. Technology is moving too fast for professional standards to ever take hold and get established. The skill pool moves through very fast and frankly, we need every able pair of hands connected to a brain just to keep things at the level they are now. Even a sniff of regulation would be catastrophic. If it really cost you $100/hour twice a month to get your infected Windows machine fixed up (because that's what a tech is going to charge as a professional rate, like every other professional) then most people are going to just say "sod it" and throw out their computers. Don't ever believe we've passed the point where that can't happen, there is plenty of scope for a collosal anti-tech backlash at this point in history.

    Solutions? What will work? I haven't a clue, which is why it's al so interesting still. All I know is that everything listed above is a dumb step backwards.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    anonymous coward, Jun 28th, 2006 @ 9:43am

    i shut down my wifi router. not because of security concerns, but because i replaced it with Belkin powerline Ethernet adapters. dramatically faster and more reliable than wifi with an added bonus of improved security.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    BMR777, Jun 28th, 2006 @ 1:17pm

    The Future of Open WiFi - FON

    The future of open WiFi is FON.

    http://www.fon.com/

    It seems that you can have your Wifi open and still be secure. The FON service lets fon users use each other's wifi. Basically you share your wifi with other FON users securily and other FON users share with you securily.

    BMR777

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Gabriel Tane (profile), Jun 29th, 2006 @ 7:40am

    Insurance on WIFI

    "im just waiting for the day the government requires you to have internet insurance, to pay for the "damage" you cause by using wifi hot spots. "
    -Daryl Licked

    "User insurance
    Possibly the worst idea of all. Insurance would lower security standards even further by shifting responsibilty. We need to encourage people to take more responsibility not less. Besides it cannot be applied in the same way that auto insurance or home insurance pertains to fixed assets and events. Things are already very fluid on the network, IP6 and mesh WiFi are only going to make it more so. Blame game antics will quickly get out of hand when your IP6 drinks fridge in your car decides to call home to the wrong address and does a drive by DOS on the local fire stations VOIP. Companies cannot handle the complexity of the claims or afford to hire experts in the same relatively simple and sensible way that culpability in an RTA or storm damage to a house can be decided."
    -I, for one


    Actually, guys, it's already here. It's called "liability insurance" which is usually automatically part of your Homeowners or Renters insurance. While there's nothing specifically stated in the policy that says "WIFI is covered", there doesn't need to be. Liability insurance is on an "all risk" basis, which means that it's covered unless it's specifically excluded.

    While your insurance won't pay for lost data or damage caused to you by these evil Hakkor Hordes, it will pay if someone sues you because someone else damages them through your WIFI. It will also pay if someone sues you claiming that you damaged them at Starbucks' hotspot or wherever.

    Also, Starbucks et al... Their insurance will cover if someone does naughty things with that free hotspot and someone sues Starbucks for it. So if Johnny Jack-in hacks someone while sitting at Starbucks, and that someone sues Starbucks for "providing the opportunity to commit the crime", Starbucks' insurance will pay the defense costs. And if Starbucks somehow loses, the insurance will pay that too.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Jun 29th, 2006 @ 8:09am

      Re: Insurance on WIFI

      Starbucks' insurance will pay the defense costs. And if Starbucks somehow loses, the insurance will pay that too.
      No wonder that coffee is so expensive.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jun 29th, 2006 @ 8:40pm

    The previous poster in a nutcase. All that is missing is someone yelling "Won't someone please think of the children!"

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jun 29th, 2006 @ 8:41pm

    There is no secure wifi. I can break any WPA setting n under 30 minutes. The only way to secure wifi is to unplug it.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Jesse McNelis, Jun 30th, 2006 @ 3:16am

      Re:

      There is no secure wifi. I can break any WPA setting n under 30 minutes. The only way to secure wifi is to unplug it.

      I reckon you could break in to my house and plug in to my wired network in less time.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      ebrke, Jun 30th, 2006 @ 8:23am

      Re:

      "The only way to secure wifi is to unplug it."

      And people laugh at me because I don't use wi-fi at home. I just don't feel it's worth the headaches and risk. Thanks for showing me at least one other person agrees.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Object Constant, Jun 30th, 2006 @ 6:11am

    Break into a house faster then breaking a WEP

    Breaking into a house without a deadbolt is about three seconds. Breaking into a house with a deadbolt is under a minute. If a window is open it is about five seconds. If that.

    So "yeah" to the comment from Jesse McNelis.

    :-P

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jun 30th, 2006 @ 8:47am

    Next we'll be hearing about open powerline networks without encryption enabled.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Fox McCloud, Jul 1st, 2006 @ 11:14pm

    "just jumbled letters and numbers"

    I noticed a few people (namely bill way back at #2) made the point that windows password encryption is nothing more than jumbled letters and numbers, and he's right. Sadly, in making that point, he discredited his own.

    WEP keys are, just like windows passwords, nothing more than jumbled letters and numbers. In fact, they're a far weaker level of encryption. WHOPPIX (a cd-based linux distro which I think is now called WHAX) can crack any (and yes, I said any) 64-bit hex WEP key in just 10 minutes. Literally. And that's from boot to cracked, not just cracking time. It's not hard to see how if you are on (for example) a hotel wifi with 256-bit hex WEP encryption the network WEP key could easily be cracked in just one night, perhaps under 4 hours, and most routers don't offer any higher encryption.

    (FYI I did that once at a Holiday Inn Express, and it took me 3 hours. Sadly I found out the WiFi was free anyway the next day, which begs the question of why they bothered to put a WEP key on it in the first place...)

    So, though I'm not saying not to use a WEP key, I'm simply saying that if a hacker wants to get into YOUR computer, a WEP key is probably a little less effective than even the built-in windows firewall. WEP keys are good for stopping wardrivers, but they're an extremely small half-a-step for stopping any professional hacker, or even a hacker-for-hire.

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This