Free Broadband Makes Good Neighbors

|

Reason contributor Tim Lee goes slumming in The New York Times to fight the piggybacking panic:

Millions of homes now have wireless Internet networks, and many of them are not protected by passwords. "Piggybacking" occurs when someone—a next-door neighbor or a stranger parked across the street—finds an open network and logs on.

News reports tend to paint the practice as a growing problem. Reporters use words like "stealing," "hacking" and "intrusion." But despite the alarmist talk, the articles rarely explain what the problem is.

Maybe that's because there is none. To the contrary, the increasing ubiquity of free wireless Internet access is something to celebrate.

Read the rest here.

NEXT: Visceral Politics

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Really, I think its more like trespassing.

    In both cases, I have something I paid for the exclusive use of, and I haven’t given you permission to use it, even if your use doesn’t cost me anything.

  2. The article I read in The Denver Post seemed to imply that the piggybackee’s internet connection ran more slowly as a result. Vrai ou faux?

  3. Vrai. But the only reason (correct me if I’m wrong) that certain wireless networks are unprotected by passwords is that the owner decides not to do so. If piggybacking becomes too much of a problem, it’s easy enough to set up password access and be done with it.

  4. Trespassing is a better description, but only when there’s intent. What these articles tend to leave out is the fact that devices out of the box are ‘open’, and as such, non-technical users on both ends- the host end, and the client end play on their respective weaknesses.

    Authentication to foreign network not only can occur, it will occur- becase the default ‘state’ for many devices is open, and automatic. Meaning, that if two neighbors have wireless access points, and both neighbors are technical laymen, there’s nothing obvious about which network you’re connecting to. To the user, a connection to ‘some wireless device’ is made, and if the internet is accessible, he’s done. Very little scrutiny on the part of the user takes place to actually verify WHOSE network he’s connected to.

  5. I paid for exclusive use of your apartment and never gave you permission to infect it with your router’s radiation, RCD. This should be especially clear now that you have admitted that a trespass is still a trespass even if it doesn’t cost anything.

    Your router trespassed first and that is what uncleans your hands here and prevents you from bringing a cognizable complaint.

  6. Reporters use words like “stealing,” “hacking” and “intrusion.” But despite the alarmist talk, the articles rarely explain what the problem is.

    It’s like using the term “identity theft” to describe credit card fraud. …and it might not be entirely unrelated. Maybe some reporters are suggesting that people will “steal”, “hack” and “intrude” their way into your computer and “steal” your “identity”.

    “I have something I paid for the exclusive use of, and I haven’t given you permission to use it, even if your use doesn’t cost me anything.”

    Some people, used to, leave connections open for public use. …If you don’t put up a “No Trespassing” sign, don’t be surprised if people walk over your property to get where they’re goin’. Of course, that doesn’t mean they should be free to help themselves to whatever they find there.

  7. …Leaving a connection open seems kind of like maintaining an attractive nuisance.

  8. I’m not an expert, but I believe it is possible for someone using your wireless connection to visit websites, leaving a trail that indicates that YOU were the one visiting them. Since these could include child porn sites, sites on various anti-terrorism watch lists, etc, this could cause you serious problems. Given the zealotry of prosecutors and the ignorance of many judges and juries, you could find yourself incarcerated and branded a child molester or terrorist. Not a happy thought.

  9. I once “stole” wireless access from an unknown neighbor purely by accident; when my computer didn’t automatically connect to our wireless modem I pressed all the various buttons necessary to hook up, and only later did I notice that I wasn’t on our own network, but somebody else’s. There are about five wireless networks filling the airwaves in my apartment. (Usually our network is the automatic default setting, but for some reason someone else’s network made it to the top of the list that one time.)

    I wonder how many cases of “network theft” are similarly accidental.

  10. If piggybacking becomes too much of a problem, it’s easy enough to set up password access and be done with it.

    You are exactly correct. And with the newer (post WEP) encryption standards, this is even easier than ever. With WPA, and WPA2, encrypting your network in a truly strong way has never been easier.

    Believe or not, the 802.11 standard DEMANDS that devices are sold as ‘open’ out of the box. So to be 802.11 compliant, you must adhere to that standard.

    WEP is well known to be a ‘broken’ encryption scheme- and I find it difficult to set up. WPA is nigh unbreakable (as long as strong passphrases are used) and ironically, is painfully simple to set up.

  11. But despite the alarmist talk, the articles rarely explain what the problem is.

    I think the real problem occurs if someone is “piggybacking” on your network and using your access point to do things like download copyrighted material, or view / download kiddie porm, or send threatening or harrassing emails. It puts the person who is paying for the conection at risk of getting sued/ arrested.

    As was stated above, these Access Points come OPEN out of the box. So what can be done really? Other than educating users who many times don’t want to have to learn more than the bare min. to get their connection working ???

    Another version of the problem that I have seen stated is that by opening up your network you are essentially cheating the phone company. Like if in my condo I had a wireless network and I let everyone in my building access it (either by opening it or by giving them explicit access) we are all essentially stealing from the provider since these people would be forced to pay a higher rate to them rather than say dividing the cost amongst ourselves.

    This second one to me doesn’t seem like a real “problem” as much as whining by the industry though.

  12. But the reality is that most of us have far more to fear from hackers on the Internet than from users parked across the street.

    Idiotic. Maybe the user across the street IS a hacker.

    Personally, I think sharing your connection is just being a good neighbor.

    Rather more like leaving your computer wide open to anyone who wants to help themselves to your data. This article is really stupid.

    That said, he’s correct in implying that securing your wireless network is too complicated for non-technical people.

  13. I’m not an expert, but I believe it is possible for someone using your wireless connection to visit websites, leaving a trail that indicates that YOU were the one visiting them.

    Yes and no. First of all, this depends on the equipment- particularly the WAP involved. WAPS will often record a log file of who authenticatd to them, and where they went on the WWW. If your WAP also is your gateway, that log will be on that device. If the wap ISN’T your primary gateway, then your gateway should have that info as well. HOWEVER…

    All that your WAP and/or gateway will record is the source IP address and MAC address. The only thing that truly identifies you is your MAC address, as it’s unique in the world. But just go out and try to match a MAC address with an owner. Only law enforcement would probably have that ability.

    In addition to this, if the ‘intruder’ is technically savvy, and the ‘victim’ has truly left their equipment open, the intruder can cover his tracks when he’s done.

    Jennifer, see my comments above. Your situation is fantastically common.

  14. I’m not an expert, but I believe it is possible for someone using your wireless connection to visit websites, leaving a trail that indicates that YOU were the one visiting them.

    Most, if not all, home wireless networks get one ‘public’ IP address from the service provider, and then use a port/network address translation scheme to allow multiple machines on the ‘private’ network to share that one public address. However, without some kind of traffic log on the private network, there’s no way to prove that traffic that appears to have originated from your public address actually originated on some transient machine that glommed on to your wireless network.

    And while it’s not stealing from the subscriber (piggybacking costs him nothing, except perhaps a little latency), it is more like stealing from the ISP, and allowing piggybacking, willfully or no, is probably a violation of most ISP service agreements.

    Believe or not, the 802.11 standard DEMANDS that devices are sold as ‘open’ out of the box.

    Wow. What a phenomenally bad decision.

  15. Another version of the problem that I have seen stated is that by opening up your network you are essentially cheating the phone company.
    Here our local provider (phone and cable wrapped in one, go figure) has ‘levels’ of use based on speed and bandwidth used in a month. You pay more for a higher speed and even more for unlimited bandwidth. If the industry is worried about shared connections all they have to do is place remove the ‘unlimited’ bandwidth or place it at a high enough price that users will find it more cost effective to purchase thier own access. That being said if I, as the bandwidth purchaser, wish to allow others to use that it should be my option. My purchase, my rights.

  16. “Idiotic. Maybe the user across the street IS a hacker.”

    These fucking crooks don’t like to leave their little hacker caves in their parents’ basement. They can use various holes (in Windows, etc) to install keyloggers. They use elaborate and efficient programs that automatically scan the web for vulnerable users. They can do all this from the comfort of their haxx0r caves…wy in god’s name would they bother exposing their slimy skin to the harsh sunlight, just to steal wifi? Highly doubtful, rhywun.

    “That said, he’s correct in implying that securing your wireless network is too complicated for non-technical people.”

    Yes, and so is putting a set of locks on your doors…so, you call a fucking locksmith.

  17. I’m not an expert, but I believe it is possible for someone using your wireless connection to visit websites, leaving a trail that indicates that YOU were the one visiting them.

    Yes and no. First of all, this depends on the equipment- particularly the WAP involved. WAPS will often record a log file of who authenticatd to them, and where they went on the WWW. If your WAP also is your gateway, that log will be on that device. If the wap ISN’T your primary gateway, then your gateway should have that info as well. HOWEVER…

    All that your WAP and/or gateway will record is the source IP address and MAC address. The only thing that truly identifies you is your MAC address, as it’s unique in the world. But just go out and try to match a MAC address with an owner. Only law enforcement would probably have that ability.

    In addition to this, if the ‘intruder’ is technically savvy, and the ‘victim’ has truly left their equipment open, the intruder can cover his tracks when he’s done.

    Jennifer, see my comments above. Your situation is fantastically common.

  18. I leave my wireless network open on purpose. I figure that nobody is going to depend on my network for access 100% of the time, since I shut it down when I’m not home. It’s mainly a conveninece I leave open to my neighbors should they or (more likely) their guests need it. Likewise, when my cable connection was down, I piggybacked frequently on my neighbor’s DSL connection that she leaves open.

  19. I’m not an expert, but I believe it is possible for someone using your wireless connection to visit websites, leaving a trail that indicates that YOU were the one visiting them.

    Yes and no. First of all, this depends on the equipment- particularly the WAP involved. WAPS will often record a log file of who authenticatd to them, and where they went on the WWW. If your WAP also is your gateway, that log will be on that device. If the wap ISN’T your primary gateway, then your gateway should have that info as well. HOWEVER…

    All that your WAP and/or gateway will record is the source IP address and MAC address. The only thing that truly identifies you is your MAC address, as it’s unique in the world. But just go out and try to match a MAC address with an owner. Only law enforcement would probably have that ability.

    In addition to this, if the ‘intruder’ is technically savvy, and the ‘victim’ has truly left their equipment open, the intruder can cover his tracks when he’s done.

    Jennifer, see my comments above. Your situation is fantastically common.

  20. Sometimes my neighbor plays his TV loud and I listen. I don’t pay for cable and yet I’ve heard all of Dave Chappelle’s jokes. Does this make me a stealer? My wife blocks out the noise and pays it no mind. When I tell her the jokes I heard later, she thinks I’m funny and doesn’t divorce me.

  21. Idiotic. Maybe the user across the street IS a hacker…Rather more like leaving your computer wide open to anyone who wants to help themselves to your data. This article is really stupid.

    Meh. If your computer has open ports that someone can hack into, it really doesn’t matter if the intruder is coming from Taiwan over your ISP’s hookup or across the street on your open network. The risk is precisely the same.

    That said, he’s correct in implying that securing your wireless network is too complicated for non-technical people.

    That doesn’t absolve them of the responsibility. I’m probably no good at installing deadbolts and locking windows but I’d happily buy a time-life manual or pay someone to do it for me. Point being, I understand if I want to hold onto and/or control my property, I’d do well to take some reasonable measures to secure it.

    As for the issue of WAPs being sold “open” out of the box, that doesn’t strike me as any more a bad decision than the contractor building your house not installing those deadbolts for you. The only difference is that the notion of securing your home and physical property has been around longer and thus is considered “common sense”.

  22. Believe or not, the 802.11 standard DEMANDS that devices are sold as ‘open’ out of the box.

    Wow. What a phenomenally bad decision.

    Why is this a bad decision? If a user is too stupid to figure out that “Step 3 – Set Network Password” is vital to his/her security then perhaps the user shouldn’t be using a WAP. This is just like somebody who doesn’t bother changing the locks when they move into a new (to them) house or leaves the windows in thier car down. It is the person’s responsibility to secure his property. If he can’t do it properly he can call the Geek Squad and pay somebody to do it right .

  23. I’ve installed at least three wireless networks in various residences so far, and every time, I was forced to answer the question of whether or not I wanted to secure the network. WEP has always been quick and easy for me; it’s disconcerting to know it’s not foolproof, but it’s a good start for most people.

  24. “As for the issue of WAPs being sold “open” out of the box, that doesn’t strike me as any more a bad decision than the contractor building your house not installing those deadbolts for you.”

    Well, yeah, but imagine if the National Associaton of General Contractors prohibited that contractor from installing them. I don’t think the commenters above were lambasting the manufacturers as much as they were lambasting the IEEE 802.11 Standards for Wireless Networking.

  25. “Personally, I think sharing your connection is just being a good neighbor. Think of it as the 21st century equivalent of lending a cup of sugar.”

    No, because in that case, you’d have to ask your neighbor for sugar. But in the case of stealing WiFi, you don’t typically ask anyone anything. You just take.

    Instead, to us Tim Lee’s analogy, it would be the 21st century equivalent of your neighbor leaving his front door unlocked, and you waltzing in and taking his sugar without asking. Yes, he shares some of the blame for leaving his door unlocked, but that still doesn’t mean that you’re not trespassing and stealing.

  26. They can do all this from the comfort of their haxx0r caves…wy in god’s name would they bother exposing their slimy skin to the harsh sunlight, just to steal wifi? Highly doubtful, rhywun.

    I can see that you’re highly sensitive to this subject, but I must say that it’s not so highly doubtful. It happens all the time because I know people who do it. Does that make me an asshole for not turning them in? Maybe. Maybe not. The people that I know who do it do nothing malicious, steal no data. For them, its an exercise of network security– we’re all network acministrators who are paranoid about security. But I’m not going to use this thread to justify their actions. I’m going to use it to tell you that it happens, and happens all the time.

    I’m a network engineer, and all my friends are network engineers. All of us know how to comprimise a network if left open.

    If you leave your WAP open– pull it out of the box, set it up and let it go– I can get on your network, I can get INTO your WAP/ROUTER, I can change its password, meaning that if you get suspicious and want to check the logs, you won’t be able to get into it, and the only way to get into it will be to hit the factory reset button, erasing any trace of my being there. Nice catch-22, huh? Once I have control of your wireless router, I can turn remote maintenance features on. Once I turn remote maintenance features on, I can do the exact same thing to ANOTHER router across town, and then I can control YOUR router from ANOTHER foreign network, meaning that any investigation into where the ‘attack’ is coming from will look like it came from some innocent users home network across town. Basically, I can use YOUR network to launch attacks against OTHER networks.

    So, for anyone who doesn’t lock their WAP down because they’re not worried about their network being comprimised, it’s not about you. You could be used as a platform to attack someone else. How does that make you sleep at night?

  27. You could be used as a platform to attack someone else. How does that make you sleep at night?

    Couldn’t you say the same thing about the free wireless access offered at Starbucks?

  28. Paul,

    A) I’m not talking about you and your haxx0r chums. I’m talking about data miners—the criminals who steal identities and sell them for profit. And I’m talking about real damage (you yourself said that they don’t do any harm). So, aside from your anecdote about harmless network nerds who want to have an “exercise in network security”, do you know of any widespread problem wherein people have real harm to them done?

    B) When I had landline cable broadband (not wifi), some cunt used my system to spam people (via trojan). My connection got cut by my ISP because they thought I was spamming—but I had no idea at the time. So, your point about using your system as a jumping point to attack others applies to landline networks as well. I still don’t see any hard evidence that leaving your network open is more of a risk than simply being online and forgetting to download the latest windows patch.

  29. Couldn’t you say the same thing about the free wireless access offered at Starbucks?

    Yes and no. It’s been a long time, but I believe that Starbucks does a one-time redirect if you want to do anything on the internet (read browse) which requires a username and password, given to you at the counter. By virtue of this, you’re leaving a trail of who you are, when you were there etc.

    Also, while I have no intimate knowledge of the starbucks wifi topography, my guess is (and woe be to them if they don’t) should have most outgoing traffic blocked. Simply saying, they’ll allow web browsing outboud, but nothing else. This greatly reduces a hax0res ability to conduct special attacks- because most hack attacks occur on ports other than 80– which is http (web browsing).

    A combination of these measure can make it just too difficult to conduct an attack. And here’s a social theory surrouding your question, Jennifer.

    I’m a criminal, I walk down the street. I have a magic device in my hand which tells me which houses are unlocked. As I walk down the street, my device tells me that 78% of the houses I walk by are unlocked. How much time am I going to spend/waste on a house that’s locked, even if poorly done, when the next 30 or 40 are wide open? Around 0%.

    This goes back to the suggestion by us networking pros to say that yes, even if WEP is considered weak and broken, use it at minimum- because the very existence of a ‘padlock’ icon on NetStumbler will cause th hacker to move three houses down to the wap that’s wide open.

  30. “You could be used as a platform to attack someone else. How does that make you sleep at night?”

    pretty good, actually.

  31. I still don’t see any hard evidence that leaving your network open is more of a risk than simply being online and forgetting to download the latest windows patch.

    It’s far more of a risk. When you leave your network open, someone can hop directly onto your network. Then, instead of having to burrow through your typical router (which acts as a firewall bacause of the NAT that is in place), they can directly attack your machine.

    In addition, if you have any network shares setup, all of that information instantly exposed. It doesn’t even require someone to hack into it.

    Anyone who sets up an open wireless network is just begging to get screwed. I’m surprised that more people who hop on at various public WiFi access points aren’t attacked.

    WPA is crap. WPA2 is the only way to go (and I’m still not sure I fully trust it).

  32. I believe that Starbucks does a one-time redirect if you want to do anything on the internet (read browse) which requires a username and password, given to you at the counter. By virtue of this, you’re leaving a trail of who you are, when you were there etc.

    I’ve never used Starbucks wi-fi but I doubt they demand ID before letting people have the password, so someone up to no good could easily go to Starbucks, buy an overpriced cup of coffee, give a fake name and wreak havoc.

    I have a magic device in my hand which tells me which houses are unlocked. As I walk down the street, my device tells me that 78% of the houses I walk by are unlocked.

    The people who don’t lock their houses are certainly foolish, but I don’t think they should “lose sleep at night” over guilt feelings if some thief steals their heavy candlesticks and uses them to bash someone else’s head in.

  33. So, aside from your anecdote about harmless network nerds who want to have an “exercise in network security”, do you know of any widespread problem wherein people have real harm to them done?

    I have no hard numbers. None. But I look at it like this, Evan. If on a quiet, Sunday afternoon, I have… been in the presence a network… intrusion, or two– and we were really, really nice guys, I promise, I have to assume that there are 100 other nasty 14 year olds that have the same knowledge who… aren’t so nice. So any ‘ethical’ lapses I’ve ever been involved in, I at least look at them as an opportunity to educate others about basic network security.

    So, your point about using your system as a jumping point to attack others applies to landline networks as well. I still don’t see any hard evidence that leaving your network open is more of a risk than

    This logic is a little shaky. Let me give you an anaology. “My neighbor locked his house every day, and it still got broken into, so why should I lock mine?”

    We can hit eachother with anecdote after anecdote- but to suggest that leaving a network open is no more of a risk than locking it down? Doesn’t follow. I can’t tell you, by the simple laws of science, that any network of any given type WON’T be comprimised. But I can tell you with a great amount of confidence that by locking it down, you dramatically lower the risk of attack.

  34. How am I supposed to download bootleg movie files of the latest romantic comedies and the compleate Hoobastank ringtone suite if my neighbor clogs my bandwidth to download Photoshopped pix of Christina Aquilera topless?

  35. “It’s far more of a risk. When you leave your network open, someone can hop directly onto your network. Then, instead of having to burrow through your typical router (which acts as a firewall bacause of the NAT that is in place), they can directly attack your machine.

    I understand that, MP; my point is that the opportunity cost of wifi theft is higher—-which would tend to lower the incident rate. We can sit around and bicker all day long about what is hypothetically possible—but the pragmatic reality is what’s important here.

    “In addition, if you have any network shares setup, all of that information instantly exposed”

    No shit—but c’mon…if you consciously share your WiFi with passersby and neighbors, and have file sharing enabled for folders or drives, then you deserve whatever shit befalls you.

    “Anyone who sets up an open wireless network is just begging to get screwed. I’m surprised that more people who hop on at various public WiFi access points aren’t attacked.”

    Until you can show me a significant number of incidences, I’m not sure this matters in reality. Technically, hypothetically, you’re right. But, really, there’s no one-size-fits-all here. For example, you’d say, “people would be crazy to leave the doors on their house unlocked and the keys in their unlocked car at night”, yet, my family’s been doing it for decades, and have yet to be robbed. Why? Well, because they live out in the middle of nowhere. I’m just saying—the “technically possible” doesn’t necessarily logically translate to the “pragmatically probable”.

  36. go to Starbucks, buy an overpriced cup of coffee, give a fake name and wreak havoc.

    Jennifer, while this statement is true, you didn’t read the nuance in my message. Yes, you can wreak havoc, but if you wreak enough havoc to warrant a visit from Johnny Law, you’ve left a trail. Albeit a thin one, there’s a trail.

    Officer: We have a report of a network attack that came from this address at around 1pm, Saturday.

    See where this is going? You were physically present, bought a cup of coffee. Why even show, as Evan says “Your slimy skin to the sunlight”.

    should “lose sleep at night” over guilt feelings if some thief steals their heavy candlesticks and uses them to bash someone else’s head in.

    We’re talking about two wildly different situations. We’re talking about a real thing vs. a virtual thing. The murder you describe is tied to the candlesticks, someone wielding the candlesticks, and a location other than your house. The hack attack is tied to the ADDRESS, nothing more. While the liklihood of a person ultimately being held responsible for a serious hack attack is very slim, it’s still an annoyance that a user would have to go through.

    To better analogize, what if you left your house unlocked, and you found a dead body on the floor, murdered with your handgun, and the gun had your prints all over it? A situation you’d probably want to avoid if possible.

  37. Reporters use words like “stealing,” “hacking” and “intrusion.”

    It’s “freeloading”. The person with the router may not mind and may let people freeload. Or not.

    Non-issue, except that people should be aware that anything using your router is, in most setups, on your side of the firewall.

  38. How am I supposed to download bootleg movie files of the latest romantic comedies and the compleate Hoobastank ringtone suite if my neighbor clogs my bandwidth to download Photoshopped pix of Christina Aquilera topless?

    Dude, who downloads bootlegged stuff on their own network? Always…ALWAYS jump on a neighbors WIFI before downloading bootlegged material. Always do the illegal stuff on someone ELSES network. Has no one been reading this thread?

  39. I’m just saying—the “technically possible” doesn’t necessarily logically translate to the “pragmatically probable”.

    Considering the severe consequences of identity theft, and the ease by which theives can untraceably access unsecured networks, “pragmatically probable” is too probable for me. FBI stats (which I don’t have offhand) show a significant increase in the last year or so of major internationl crime networks being more aggressive about identity theft (see Citibank’s recent cock-up) and general online criminal activity. I leave my car unlocked every night. But I’ll never setup an unsecured network.

  40. WPA is crap. WPA2 is the only way to go (and I’m still not sure I fully trust it).

    No it’s not. The weakpoint of WPA is people who use weak passphrases, and then become vulnerable to captured packet/offline attack. I’ll take the Pepsi challenge with WPA (as long as I set it up) any time.

  41. Paul, I’m not disagreeing when you say that having an unsecured network is probably a bad idea; I just disagree with the implication (“how can you sleep at night”?) that such people share responsibility for any wicked things done by hackers using their network.

    And I’m not sure I agree with the earlier analogies about locks and locksmiths, either. Not everybody knows how to install locks, but once the lock is installed everybody knows how to use a key to lock it. But with network security, even if somebody else installs the initial system, the maintenance and upkeep is a LOT more complicated than just “put the key in the lock and turn it.”

    I dunno–my boyfriend handles all the IT matters in our household; if it were up to me I’d probably buy one of those all-in-one Internet packages from AOL or something, because I can’t be bothered to worry about a hundred different security upgrades every time I log on to see what’s new on the sites I read. So I don’t blame the average person for NOT thinking, “Gee, every time I check Hit and Run there’s a chance that some hacker will use my connection to torment an inocent person I don’t even know.”

  42. The weakpoint of WPA is people who use weak passphrases, and then become vulnerable to captured packet/offline attack.

    I assume you are fully aware that WPA is easily cracked. A stronger passphrase is helpful but no guarantee. For the curious, read this.

    WPA isn’t good enough for me.

  43. Paul, I’m not disagreeing when you say that having an unsecured network is probably a bad idea; I just disagree with the implication (“how can you sleep at night”?) that such people share responsibility for any wicked things done by hackers using their network.

    Oh, no no no no no. No no no. You misunderstood me. I never, ever suggested, or meant to suggest that people with unlocked networks are ‘responsible’ for being used as a platform for an attack. Make no mistake, I do not believe that the poor sap who pulls his shiny new WRT54G out of the box slaps it on his network for trouble-=free wireless access is responsible for the evil that other men do.

    I was wondering why you were so sensitive about my assertion.

  44. I assume you are fully aware that WPA is easily cracked. A stronger passphrase is helpful but no guarantee. For the curious, read this.

    Thanks for supporting my position, MP. As I stated, and the article that you pointed out states, WPA’s vulerability is in user chosen weak passphrases. Let me quote from your article:

    We warned you: short WPA passphrases could be cracked?and now the software exists: The folks who wrote tinyPEAP, a firmware replacement for two Linksys router models that has on-board RADIUS authentication using 802.1X plus PEAP, released a WPA cracking tool.

    As Robert Moskowitz noted on this site a year ago, a weakness in shorter and dictionary-word-based passphrases used with Wi-Fi Protected Access render those passphrases capable of being cracked.

    Game, set and match. Weak passphrases. Use a strong password, as most articles will write, an excess of 20 characters. 20 characters? Pshaw, my passphrase is the first 12 chapters of “War and Peace”, in reverse, with random punctuation and senseless capitalization. Dude, Pepsi challenge. You ain’t crackin’ WPA if I set it up.

  45. “This logic is a little shaky. Let me give you an anaology. “My neighbor locked his house every day, and it still got broken into, so why should I lock mine?”

    I never ever said that nobody should secure their network. You’re taking my comments and making arguments out of them that I’m not pushing. All I’m arguing is that fear of haxx0rs should not drive anyone to be extraordinarily paranoid about an open WiFi. Hell, if I had a wifi network at home, I’d secure it.

    “We can hit eachother with anecdote after anecdote- but to suggest that leaving a network open is no more of a risk than locking it down?”

    Again, I never said that. All I said is that the risk of an open network being attacked by malicious hackers is diluted by the higher opportunity costs involved in going out and finding an unsecured network. I never suggested that it was “safe”, I just suggested that the real risk isn’t what people like MP make it out to be, at least not in most folks’ neighborhoods.

    “I can’t tell you, by the simple laws of science, that any network of any given type WON’T be comprimised. But I can tell you with a great amount of confidence that by locking it down, you dramatically lower the risk of attack.”

    Again, Paul, I agree with you. But in most people’s reality, it’s probably not enough of an actual risk to have a real impact on whether or not they should share WiFi. You keep talking in terms of hypothetical absolutes—-I’m talking in terms of probability & risk.

  46. Evan, your comments are noted.

    But in most people’s reality, it’s probably not enough of an actual risk to have a real impact on whether or not they should share WiFi.

    Let me also state that I’m not against, unlocked, shared WIFI (which is why the wifi standard demands openness, by the way- it was designed by a bunch of tie-dyed ‘peace and love’ types, I gather). But if you do share your wifi, then it needs to be on a network segment which itself is safe- like the way Hotel networks lock their wifi down (or are supposed to).

  47. You ain’t crackin’ WPA if I set it up.

    I’m busted. I was thinking of WEP, not WPA. I’ll need to read up more about WPA/WPA2.

  48. MP:

    And for the record, I understand the ‘social problems’ supporting any encryption scheme like WPA in a large corporate environment: That the password must be given out to your users- and the password is ‘long lived’

    So just in case you try to hitch on that bandwagon, I understand that. But that’s not so much a problem of WPA crackability, that’s a logistical problem which is solved by RADIUS servers (WPA2). But the encryption in WPA is what it is: great, but requires a passphrase more complex than ‘cat’ or ‘dog’.

    Most experts agree, that WPA was SO simple to set up, that ‘novice’ users could set it up, and as such, would use simple passphrases- thus weakening a perfecly strong system.

    Many encryption systems can be comprimised with a ‘brute force’ methodology. What we hope to do is create a system (wpa) which makes that unrealistic. See my comments above about the haxor wasting his time with an off-line brute force attack on a WPA system which may (or may not) have a strong passphrase when he can drive two houses down and get on an open network.

  49. I’m busted. I was thinking of WEP, not WPA. I’ll need to read up more about WPA/WPA2.

    Man, MP, thanks– I was really puzzled because almost every argument you were making SOUNDED like the complaint with WEP, but you were using them with WPA.

    Yes, WEP is Broken(tm) with a capital B.

  50. The one advantage/disadvantage (depending on your prospective) of free wi-fi is that it totally screws the law enforcement’s ability to prosecute internet crime. The only way they catch anything on the internet is eventually tracing activity back to an IP address and that IP address to a given account. If the account is an innocent college student in Manhattan who lets anyone and everyone who walks by their efficiency apartment log on and use their connection, the chances of finding the perpetrator are pretty much nil. I am told now that internet criminals cruise through neighborhoods wi-fi enable laptop in hand looking for unguarded home wireless hubs to connect to. Eventually the crooks will get smart enough that internet crime will be impossible to solve.

  51. Evan – The problem with the sugar analogy is that sugar is a rivalrous good; if I use your sugar, you don’t have it anymore. If I use your bandwidth (when you’re not using it), you still have it later. I admit to having borrowed people’s open APs now and then, but I think there’s a difference, culturally if not legally, in doing it casually for a few minutes and doing it regularly. Kind of like parking in front of someone’s house.

  52. That said, he’s correct in implying that securing your wireless network is too complicated for non-technical people.

    Not if you’re willing to spend ten minutes reading the manual.

    Oh, wait…

  53. If the industry is worried about shared connections all they have to do is place remove the ‘unlimited’ bandwidth

    Almost all of the service providers have done that, even most of the cable firms making “unlimited” claims. But even if there’s a cap on the amount of bandwidth an individual connection can obtain, the bandwidth provided further upstream on a phone or cable company’s network is invariably shared by numerous subscribers. So at some level, the sharing of capped Internet connections could still possibly create a bottleneck for someone other than the primary subscriber.

  54. Kind of like parking in front of someone’s house.

    More like turning around in their driveway.

  55. I just went to the control panel in my 2wire modem and shut down the wireless. I turn it on if I need to connect a laptop or whatever.

    The technical skill required, especially if instrucions were given would be low and easy to follow for the “average user”. One button and a confirmation was all it took. However, I had to thumb through the router/modem’s setup pages to find it. The companies could give warnings and instructions if they possessed a modicum of concern for security on their own networks.

    I did have my sister’s friend’s laptop in my possession that had wireless and it picked up several wireless networks in my vicinity. One or two were locked down with password. Several others I could connect to but could not readily access the internet. I do not know for sure if they were even connected; I didn’t persue the matter further. I was just poking around.

    Interestingly enough, the secure ones seemed to be administered by kids (having the name “Josh’s Network” and such)– probably my neighbor across the street.

  56. But even if there’s a cap on the amount of bandwidth an individual connection can obtain, the bandwidth provided further upstream on a phone or cable company’s network is invariably shared by numerous subscribers.

    I haven’t weighed in on this, but now’s the time. Here’s the thing about having your neighbors share your bandwidth…

    It’s not really about ‘how many people’ are behind a given router. While initially, the broadband providers tried to lock subscriptions down to a single device, and after they were completely thwarted in that attempt, they universally threw in the towel and created a kind of blanket ‘allowed x devices’ behind a firewall and looked the other way. This towel was thrown in for a couple of primary reasons. 1. They tried to tie the account into a MAC address (unique) on every device. Well, unique right up until it’s no longer unique. Firewall manufacturers started putting in the now famous ‘clone mac address’ feature so now you had a nat/pat device on the wild side of your network, and ‘x’ devices ‘hidden’ behind the gateway, and a gateway masquerading as your ‘pc’ that you had registered with the isp. Which leads us to the second reason: Sure, there was a time when people got their broadband connection and slapped their computer right up against the cloud– those times, they are a changin’. Few people now operate a broadband connection without some kind of firewall device behind it– they’d be silly not to. The ISP’s, being beaten at every turn finally gave up. But to the ISP, it’s not really so much a bandwidth issue as it is a subscription fee issue. If I subscribe to a broadband isp, and then I allow three of my neighbors to tap into my wireless connection, I’m the primary loser. I can no longer download pr0n very fast because three of my neighbors are too. The only thing the ISP has lost is ‘potential’ unique subscribers. If those three neighbors get their own connection the same broadband provider, they are now taking the same bandwidth between each of them that they were stressing on my connection. And arguably, more resources because now each of them requires IP space (DHCP or no).

    Now, one can certainly make the valid argument that WITH the added subscription fees, the ISP now has more resources (Money) with which to mitigate the extra stress on their network: switches/routers/cabling etc. So, looking at it fairly, if every subscriber of say Comcast in Seattle allowed two neighbors to hook in- the same amount of bandwidth would be used- but now their potential subscription fees would be cut by 2/3ds as opposed to if all of those people actually subscribed. So it becomes a kind of cat and mouse game of subscriber and provider. The provider could lower subscripton fees enough to reduce ‘barriers to entry’ by new subscribers. Or, the providers could jack UP subscription fees to offset the bandwidth with the lack of real subscribers. Interesting thoughts.

  57. Not if you’re willing to spend ten minutes reading the manual.

    I did it a couple years ago and it took me a LOT more than 10 minutes. Maybe it’s gotten easier.

  58. I did it last year, and ten minutes would actually be generous. All it really amounted to was typing in the local IP address of the router, entering the password for the router itself, clicking on a security tab, opting to enable WPA, and then typing in a password. Not quite the same as the proverbial clock on a VCR, but it’s close.

  59. It took me a couple hours; the vast majority of which was spent looking for–and finding very little–documentation on the procedure. But yeah, once you know what you’re doing, it can be done in 10 minutes. Most people don’t have a clue what they’re doing.

  60. When I set up my home wireless network (which involves my and my wife’s Apple laptops, an Apple Airport WAP, a Linksys cable modem and an Airport Express extension), it took me . . . maybe five minutes to set the entire thing up and make it secure with a WPA password of about 75 characters. And I am not a technical or IT person by a long shot.

  61. So it becomes a kind of cat and mouse game of subscriber and provider. The provider could lower subscripton fees enough to reduce ‘barriers to entry’ by new subscribers. Or, the providers could jack UP subscription fees to offset the bandwidth with the lack of real subscribers.

    This is what I was suggesting earlier. Sorry for the vagueness of the original post. With my local ISP you pay based on modem speed (256, 512, etc.) coupled with monthly transfer rate (1gb, 3gb, unlimited, etc.) If an ISP is concerned about the loss of revenue due to “freeloaders” they can lower the rates for the fixed transfer/bandwidth options to entice occasional users to subscribe or they can jack the rates for the “unlimited” versions to a price that only businesses will subscribe to those versions. ISPs could also provide ‘free’ network inspection to help people who are unaware of WAP freeloading to secure thier networks, thereby forcing “freeloaders” to subscribe.

  62. Interestingly enough, the secure ones seemed to be administered by kids (having the name “Josh’s Network” and such)– probably my neighbor across the street.

    This is common. However, don’t assume they’re kids because they gave their SSID a real ‘name’. I say this because usually the people who are savvy enough to understand WiFi security are the ones most likely to give their wap a custom name. Every wap I’ve ever set up has a custom SSID- and last time I checked, I’m a hair older than 14. 🙂

  63. Oh, and while beating dead horses (my favorite pass-time):
    We used the KisMAC [WPA cracking]tool to demonstrate that an eight-character PSK can be recovered using off-the-shelf tools against any product using such a short password with only a few days of work.

    Only a few days work. Let me say again, only a few days work. So, even with WPA’s vulnerability when users use immensly poor passwords like ‘cat’ or ‘dog’, it takes a ‘few days work’ to break your wireless network. Yeah, right. Like I say, the haxores are going to go straight down the street to the 37 unprotected WAPS than spend ‘a few days work’ on a network which may, or may not have a weak passphrase, and then once on, may not have anything worth stealing (so to speak).

  64. The problem with creating fixed bandwidth transfer limits is mostly psychological. Even if it’s quite unlikely that their bandwidth-consumption habits will lead them to exceed their monthly limits, the average residential Internet user places a high value on the peace-of-mind that comes with having no such limits.

    We’ve already seen the premium placed by residential Internet users on unlimited consumption twice over the last decade. The first was when AOL infamously saw its dial-up networks become heavily overloaded after offering an unlimited monthly access plan. The second, more recently, has been the failure of per-MB wireless data access plans relative to plans that offer unlimited access to a fixed set of services.

  65. “Few people now operate a broadband connection without some kind of firewall device behind it– they’d be silly not to. The ISP’s, being beaten at every turn finally gave up. But to the ISP, it’s not really so much a bandwidth issue as it is a subscription fee issue.”

    Thanks Paul, because you are correct!

    Though some shaing exists, and I think most of it’s due to ignorance of those setting up their network, it’s not really their fault. If ISP’s are feeling like they are losing $, then maybe they ought to help these folks set up their equipment. Most folks will never change the setup!

    Though the wpa part of the router we use here is shut off, as we use cables, both machines also run ZoneAlarm. Seems to help out.

  66. Our apartment is several floors up in a high-rise facing a lake and as a result we’re usually in range of at least half a dozen wi-fi networks; with a decent cantenna and a tripod it would probably jump to several dozen. It used to be that most were wide open (lots and lots of “2wireXXX”es out there) but over the past few years people seem to have started getting a clue, because there are a lot fewer unprotected APs out there than there used to be.

    I don’t make a habit of jumping onto other peoples’ connections, since we have plenty fast broadband, well-secured with WPA. But I’ll admit to pilfering a neighbor’s packets for a few rounds of Mario Kart DS now and then, at least until Nintendo’s USB WiFi adapter shows up in stores around here. (The DS is WEP-only. Very wierd decision on their part.)

  67. If you don’t know how to set up yourwireless connection so that others can’t access it, then you’re an idiot who deserves to have other people trespass on it.

  68. Setting up your wireless network to require a password is less complicated than choosing the right hardware.

    I must admit, I have “stolen” wireless internet in the past without thinking twice about it. Once I was stranded in a city for four hours waiting for my car to be repaired. For part of the time, I used the wireless internet service that was available from a nearby house. I just figured that if they didn’t care enough to require a password, they wouldn’t mind.

    And no, I didn’t do anything illegal while online.

  69. Eventually the crooks will get smart enough that internet crime will be impossible to solve.

    No, law enforcement will get laws passed that require hardware and software makers to make it at least possible (more likely ‘easy’) to track down crooks, which will at the same time make the hardware and software less functional or more expensive or both. Exhibit A: CALEA.

    And all you “if they don’t care enough to protect their network, they deserve what they get” folks, try substituting some of the following for “network”: car, house, financial data, daughter, etc. Just because the cost is negligible doesn’t change the principle of the thing.

  70. This is common. However, don’t assume they’re kids because they gave their SSID a real ‘name’.

    I tried to imply that I wasn’t assuming that by using “seemed”. Just guessing from what I know about people around here.

    I didn’t really have to disable the wireless anyhow because the 2wire HomePortal was set up by default to require an encryption key. However, it was set up WEP and you said in an earlier post that WEP is “broken”. Disabled can’t be cracked so easily.

    If you don’t know how to set up yourwireless connection so that others can’t access it, then you’re an idiot who deserves to have other people trespass on it.

    The bylaws in my subdivision do not allow for fences so maybe I should just shoot at whoever happens to be walking on the lawn.

    I wonder what they would do if I installed a Faraday cage over the house.

  71. I didn’t see my use as trespassing, or even anything to be alarmed over. But I could see how one would be concerned. Someone could easily access information on other computers using the network.

    Perhaps it can be equated with leaving a basketball in a public park. In my case, I came across the ball, shot a few baskets, (missing all of them,) and left the ball in the same condition in the same place, which I doubt anyone would mind. But if someone comes across the ball and popped it, I can see cause for alarm.

Please to post comments

Comments are closed.