Slashdot Mirror
Growth of Wi-Fi Opens New Path for Thieves
E. Harley writes "Wi-Fi connections are popping up all over the place from retails locations, schools, municipalities, and homes. Unintentionally or not, most of these wi-fi hot spots never change the system's default settings, hide the connection from others, or encrypt the data sent over it. This NY Times article [Free registration required] talks about the size and extent of the problem, and what has happened with law enforcement investigating criminals using these public connections. Also, the article updates us on an earlier Slashdot story about wardriving. That case is still pending."
Maybe so, maybe not. If the traffic is originating from your IP and the authorities track you down, don't you think they'll check your computer before you can blame it on the WiFi-Boogeyman. I think the WiFi-Boogeyman is more a defence you can use in court if the police didn't find anything on your computer.
While I understand that Joe Six Pack wants plug and play functionality without configuring, it is really that hard to add in another layer? When the AP is running on factory settings, it can just cause all Web requests to route to the configuration page along with an easy to explain set up about passwords. AP passwords aren't hard as normal passwords since many APs are in a secure building so writing the password on the AP and locking it in the closet would work half decently.
While the user has to take some blame for technical ignorance, the AP makers also have to take some blame here since they have the tech people to implement better security.
--
Want a free iPod?
Or try a free Nintendo DS, GC, PS2, Xbox. (you only need 4 referrals)
Wired article as proof
Not only that, they'll take all your computer stuff for a few years as evidence for their investigation.
Just being accused of a crime is enough of a problem to worry about.
The banks are not using secure authentication systems and WiFi users are getting blamed?
:]
Tell me.. When did it become my fault that someone can download tens of thousands of customer credit cards? Perhaps if these credit cards had been ditched long before the Internet we wouldn't be having that problem. Kerberos, challenge-response, PKI, and two-factor authentication devices have all been available for quite some time.
Someone tell the Secret Service to stop monitoring IRC connections and go after lazy banks instead, or something
This problem could be reduced dramatically if WAPs shipped from the factory with complex random passwords WEP enabled and complex random WEP keys.
As an example on a new HPaq server the iLO remore management interface has complex random password, printed on a label on the device.
Imagine if Linksys, etc. did the same thing with WAPs, where no 2 WAPs with the same WEP key or password.
Sure some users would just disable the protection but I'm betting if you made it halfway convienient that most won't. Make it more work to be insecure and the security will win most of the time. You might even be able to reduce this further by having the admin interface give you lots of warnings and make you jump through hopps to disable the security funcions.
Of course secrity could be improved upon even further if the default security was better than WEP but I think that's too high a barrier for the average user to tolerate. WEP may suck but it's considerably better than wide open.
Keep it open, limit the bandwidth for each uncommon connection; keep freedom.
If you let FCC give more regulation then everything will be difficult to use and everyone would pay a monthly charge just to use a device. Consider Amateur radio -- FCC puts heavy code burdens, and I just heard yesterday on local (non-linear) CB Radio from my neighbors that all the radio communication shops are getting out of the business becaue everyone would rather pay for service and take a number from that beastly FCC. Imagine that...FCC doesn't make anything easy to use; they just make the freedom much more difficult to attain. Tax tax tax. Now, more people would rather accept the number of the beast, such as a phone or pager number, than to give freedom a chance and just buy a tranceiver.
Keep your WiFi gateways open; it is the freedom-like thing to do. If any problem arises to software by an anonymous user, then you deserved the problem to begin with for having poorly design software. Slashdot's moderation system is a testament to how well Anonymous users can be silenced. Amen to that FIX!
i'll play devil's advocate, for a minute:
the airwaves are supposed to be public.
therefore, if there's a "thief," the thief would be the group that cordones the public airwaves off and claims them as their own private property.
"Forgive us our trespasses, as we forgive those who trespass against us." -Jesus Christ The Lord's Prayer
Notice that this article goes out of its way to associate the following practices with wifi:
--theft
--child porn
--terrorism
And the article here never even questions whether associating these practices with wifi could be a subterfuge by the telcos and cable companies to demonizes wifi so as to be able to outlaw municipal wifi through legislation, which is what they are afraid of, as that will cause them to cut their broadband prices.
This whole article is a propaganda piece, bought and paid for by the vested interests, such as telcos and cable companies.
What a sham is the NY Times. Just another cog in the CorpGovMedia propaganda machine...
eat shiat and bark at the moon
This problem could be reduced dramatically if WAPs shipped from the factory with complex random passwords WEP enabled and complex random WEP keys.
The incentive for the manufacturers is for wireless access points to NOT be secure out-of-the-box.
If it's not secure, it's plug-and-play. Plug it in, it's up. If it's more secure, it makes instalation (to the point of getting traffic through it) more difficult.
Insecurity doesn't affect the user until they get burned - mainly by lower performance as their bandwidth gets leached (assuming their important applications, like banking, already use end-to-end encryption). Leaching might not even be noticed. If it is, they can diagnose it and tighten things up.
Security impacts ease-of-use, and thus sales.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Notice that this NY Times article quotes "anonymous" government sources in their attempt to associate wifi with terrorism. This is the typical attempt to use terrorism to demonize a competitor. THe telcos and cable companies lobbies almost certainly paid off someone at the NY Times to get them to write this article. Now they will use this article when thieir lobbyists meet with state governments trying to get them to pass laws that make municipal wifi illegal. This is just the first step in manufacturing consent for shutting down cheap competition. This is American "free market" capitalism in action. Really, it is corporate socialism--socialism for the big corporations and their billionaires; free market cpapitalism for all of us peons. Or, rather, feudalism for us, as we are essentially being sold as consumers to the telcos and cable companies.
eat shiat and bark at the moon
Sorry...not happening. I don't want to be in the position of having to defend myself, for something I had no part in, that I could have easily prevented.
Regarding the argument that it is theft of services:
If I am in a public park, and there is a bathroom there, or a water fountain, I can drink from the fountain and use the bathroom, even if they don't say "public bathroom" or "public fountain" on them. I can assume that because they are not locked, I am allowed to enter and use them.
Regarding the argument that it is trespassing:
I can walk all over your property unless you post NO TREPASSING signs, or tell me that I am not allowed on your property. Trespassing on property is only traspassing if I know that you don't want me there. You must post a sign saying so.
In both cases, it is trivial for the person who set up their wifi to "lock the door" and "post no trespassing signs". Therefore it should be treated no differently than these other cases which have set precedent.
Most people, spoiled by plug and play, expect to plug it in and be just fine. From my wardriving experiences, still around 70% of APs are unsecure, and that's helped by buisnesses which have a very high secure rate (only about 5 to 10% I come across are open). About 90% of residential APs are open. It's really not that hard to secure an AP. WEP + Mac filtering ... bonus points for secure VPN.
Even though it's very weak, even just having WEP is enough for your average person... why would a 1337 h4x0r bother to take the type to break your WEP when the next idiot down the road doesn't even have that?
And please, do the world a favor... put in something for the SSID other than default, linksys, or leaving the SSID blank. Having a blank SSID is a very false sense of security... all it does is make it harder for legit users to connect, contribute to confusion (two people close together without SSIDs), and is really very easy to notice.
The Peanut Gallery, Ubergeek, Biblically Sober
NCAAbbs.com: Thousands of fans, Hundreds of teams, Just one place
your comment is a strawman. Journalists are of course biased. But that does not make it OK to write articles that help the telco/cable company lobby. By your logic (and I use that word leniently here), if person X has a bias, then it is OK for person X to do a particular act Y, as long as it is in accordance with the bias of person X. To wit, having a bias is not a justification for doing a particular act.
Of course, this is all just a strawman. I have already pointed out that this article is propaganda. If you want to deal with that aspect of it, please do so.
eat shiat and bark at the moon
As a consultant, I regularly deal with this issue. Customer says: "Why dont we go wireless? Wouldnt it be easier" I says: "Do you know that there are actually people who drive around looking for wireless connections to hack into and steal data?" Call me a bit paranoid, but I actually met a couple of hard-line coders/hackers who did this, trolling for useful data. While there are security features to lock down the WiFi by MAC address and you can further challenge access with passwords, for a business with valuable data (these are accountants, lawyers, financial professionals), going wireless when your computers are in a fixed position on your desk just seems to me like a whole lot of work so you dont have to run a cable. While I hate pulling cable, I'd hate to have them try to sue me for leaving their data unsecured!
Consultant Computerology Consulting http://www.computerologyconsulting.com
I run an open access point, I password protected the config interface and check occasionally to see if anyone is using it - but really I don't care. I always have enough bandwidth when I need it, so why not share? If anyone uses it for something illegal I know I can't be held liable and I don't have any logs of what goes on with it, maybe someday I'll get hassled by the cops or the MPAA, but I'll deal with that if it ever comes.
I am operating a free access point and have never had any problems with "thieves" or "hackers". I wonder who paid for such a misleading article. What we really need is more decentralization to become less depended of fragile internet backbones. Free wireless community and mesh networks are crucial steps in the right direction.
It's quite plausible, but there do exist other plausible motives.
E.g., media process news for entertainment value (this is an observed fact). Occasionally making people angry is a kind of entertainment, and newspapers and other media engage in it. More frequently, like a roller-coaster, they sell fear. "Look, we're warning you about this danger! Watch me! Read me!" This reliably improves sales. (This is at the root of the frequent comment that the media rarely print good news.)
And there doesn't need to be any more to this story than THAT.
(Note, I'm not saying that it doesn't have the effect that you are deploring, I'm merely saying that bribery/article-buying isn't needed.)
I think we've pushed this "anyone can grow up to be president" thing too far.
Everything else -- I am not going to be cowed by alarmist propaganda like "downloading kiddie porn!!!" or "file sharing!!!". They still have to prove me guilty. If they confiscate anything, it's only equipment and can be replaced. (Of course I have backups.) If "they" come for me I will fight them to the best of my abilities, that's all any citizen can do. Don't give up your rights just because they make it uncomfortable for you to exercise them.
And join the EFF and ACLU while you're at it. Remember, you don't have to agree with every single case they take on.
Unlimited growth == Cancer.
To take the other side...
What's with open, public roads that anyone is allowed to use? My friends were tied up and robbed the other day, and the thieves used public roads to do it!
We really need to crack down on usage of public roads.
Seriously, as if getting on the internet anonymously was EVER hard.. sure, wifi makes it a bit easier, but it's far, far from a new thing.
It seems wholly possible, even likely, that open WiFis pose opportunities for people to commit crimes while making it harder for law enforcement to stop them. Is this worth the benefit of free, widely available Internet access? Are there technical or legal steps we can take to tighten the holes these networks open to maximize their potential? These are real questions that deserve thoughtful consideration, rather than just screaming "FUD!".
Lets all be reasonable and not spread FUD but support the urgently needed free WiFi access. Yes, let's be reasonable. Cheap AIDS medication in the third world is "urgently needed". Cheap Internet access in the US is not "urgently needed".