Slashdot Mirror
Schneier Says 'Steal this Wi-Fi'
apolloose noted Bruce Schneier's latest entry on Wired where he talks about insecured wifi networks, and suggests that you
Steal this WiFi. Basically, since insecure WiFi is everywhere, why not? You're helping make the world a little better for someone else.
If I opened up my network, anyone could start downloading pirated movies and music and use up all of my bandwidth that I want to use for downloading pirated movies and music!
Give a man a fire and he'll be warm for a day. But light a man on fire and he'll be warm for the rest of his life.
Why not? For one thing because it would pretty much guarantee total anonymity to everyone online.
If you want to commit a crime online, it's easy enough to drive your car to the next city, open you laptop and connect to a random open AP.
And if you were too lazy to do that, you can always say "It wasn't me, someone else connected through MY open AP!"
how about just getting a wireless router, instead?
Sure, everyone please use my unsecured local Wi-Fi access point. I'm giving back to the community... ... and the community in turn will have all traffic filtered through a box that will sniff passwords, private keys, you name it.
So please "steal this Wi-Fi" since I need a few more social security and credit card numbers.
More Twoson than Cupertino
Why steal when you can *share*? i.e. get the owner's permission, a la www.sharemywifi.com
That's like saying we should "steal" music files
I thought that's how most people seal music files and do P2P: one of their neighbor's open networks.
1. Clients (laptops) default installed wifi software (hint: Steve Jobs are you reading???) need a scanning
mode which does not waste my time telling me about all the password or mac-address locked wifi
basestations, and only advises me about open ones.
2. Basestation/routers need a simple-to-configure mode where they will let others into a separate
subnet that goes straight out to the Internet but does not see my home computers directly.
3. (Brain software/mindset change.) Americans need to stop reflexively calling sharing 'stealing'.
You've been trained into this terminology by those who have already stolen everything and don't
want you to get it back.
Where are we going and why are we in a handbasket?
This is an ethics by analogy situation. Everyone arguing over whether it is right to use unsecured wi-fi connections bases their arguments on analogies, and depending on the analogy, reaches a different conclusion.
As I see it, if someone left their wi-fi open, then either it was intentional, or they're too clueless to notice (or care) that I'm reading my email.
Excuse me? He uses an iMac, therefore he must be used to paying through the nose.
I think it's more like bookcrossing You've already paid for it, now you're letting someone else use it. With books, publishers might not like it because they sell fewer books. With wifi, ISPs may sell fewer connections. Either way it's not stealing.
Intron: the portion of DNA which expresses nothing useful.
"Insecure?". Yeah, nobody wants a clingy Wi-Fi.
Proverbs 21:19
Another side to this is to consider that some people may actually allow access. I used to. I had an SSID of JUMPONFREE. I did this for two reasons: one to give Internet access to people in my apartment complex if they did not want to pay for it themselves, and two because I incorporated transparent proxying and compiled lists of visited sites (as well as port mirroring on the switch to track protocol usage). You don't have to concern yourself with abusers if you set up traffic priorities and/or bandwidth limiters. I am not alone, as I have seen many cleverly named SSID's indicating the owner is not just some non-configuring noob, but rather someone that cares enough to share.
Click here or here.
Everything Schneire says is true.. for Bruce Schneire. Not everyone is as adept as he is in configuring a computer to be secure. I'm OK, but I'm likely not vigilant enough to keep everything as secure as it should be (and thus I have WPA encryption on in my wireless network). The vast majority of the public is just plain terrible, and has no clue how to configure their computers to be secure in an open network.
Securing your wireless network with encryption isn't like flipping a switch, but it's a HELL of a lot easier and more accessible than knowing how to secure each and every device accessible on your network. Having ONE point of entry and configuring that properly is a lot easier to maintain than having multiple, different, changing points that take continued vigilance to remain secure. Is it better to keep each device secure on any network? Sure.. but how many people have the time, patience, knowledge, and ability to do that? Not many.
AccountKiller
"Can anyone point me to a simple tutorial on cracking a WEP password?"
1. Ask your neighbors for permission to connect to their WiFi.
2. If you get permission, use the password they give you.
3. If you don't get permission, don't be a dick.
If someone has their WiFi configured to allow public access, I don't see much problem in making limited (e.g. no hogging bandwidth, nothing that might get them in trouble) use of it. The internet is built on the idea that people set up unattended computers to give automatic electronic permission for total strangers to use them; Slashdot would suck if everyone had to call Rob before they felt they were allowed to use his web server. But finding a hole in someone's security isn't permission, it's just intrusion.
Even when you see an open access point asking permission isn't a bad idea. It shouldn't be a legal requirement, but it's a nice thing to do, despite involving the frightening prospects of going outside and meeting someone in real life.
That's just inviting trouble.
If "Something Bad" were to happen from your IP address, there -will- be a knock at your front door in the early morning. Trust me.
"Something" happened to my personal email server several years ago, and I had federal agents at my front door at 1am. I don't know what the heck happened - they wouldn't give me any details - but they seized my email server, and every computer in my household, even though their search warrant was only for the server. You don't tell them "no" - all that means is that they wait for the search warrant to be signed, and THEN they wreck your place searching. Much better for everyone involved to be cooperative.
Cost me thousands of dollars in a retainer fee to a lawyer, I had to take a polygraph exam, and it took almost 2 years to get all my "stuff" back. That was 2 years where I was fearful for my job, worried about keeping my family afloat, worried about just about everything. My wife lost ALL of her graduate school work, and had to re-do most of it to turn in her final portfolio. Talk about miserable.
And I STILL have no idea what that "Something Bad" was. And it didn't even happen at my house - it happened at my hosting ISP where the email server lived. It didn't matter that *I* didn't do it. I still had MY stuff taken from my, *I* still had to go take the polygraph exam, and *I* was still on the hook for 2 years.
So yeah - keeping an open wireless network is just ASKING for trouble. If you want to deal with federal agents in the middle of the night, well, be my guest. You can talk the talk about how you'd tell them to go away, and how they'd have no proof, etc. etc., but unless you've been there, you have no idea what you're in for.
Trust me.
No, it's nothing like that, if you actually read what he's saying instead of rushing in to make yourself sound smart on the internet.
There are already a number of organisations/initiatives around that actively encourage you to purchase their wireless routing products and then open up access to everyone.
I'm a member of FON, which allows you to allocate a specific amount of bandwidth for sharing if you're using one of their routers - say 1MB of your 8MB ADSL, which neatly overcomes the first poster's issue of not having enough bandwidth for their own nefarious purposes. After being a member of FON for 12 months they actually sent me three free wireless routers at Christmas, which I gave away to friends hoping that they too will join and share bandwidth.
There's another company I heard about, US based, that does something similar, but I can't think of their name right now.
However, I wonder about my ISP's stance regarding sharing WiFi for free with others. Does it violate their Ts&Cs? Do I care enough to actually find out? No!
Brought to you by the author of such childrens' classics as "Some Kittens can Fly!" and "All Dogs go to Hell."
Bruce mentions FON, which has dual capability APs - with both an open and a private net. With a proper IP scheme, you could even firewall the Internet upstream, to block P2P when the source is on the open net.
I have a similar setup - but I don't have FON APs. I run an open AP, with all of my machines and services on an internal VPN.
"Flyin' in just a sweet place,
Never been known to fail..."
But I thought the best way to browse securely was have all traffic sent to your home server, encrypt it, and forward to the laptop. This was because you assume your home network is inherently more secure. With is approach, you are leaving your home network, including your significant others, at risk. Especially those who are not savvy enough to apply updates and maintain anti-virus.
While I understand the anonymity helps his secure network stand out, all those open networks are just waiting for a guy with a little time and knowhow to start doing many bad things, say, man-in-the-middle. Just because you are blending into the pack does not keep the lions from eating one of you.
Now then, it IS his network at home, so he can do whatever the heck he feels like. And I do understand his social aspects of looking at WiFi as another resource for the public. But that does not free you from liability regardless of how little or insignificant it may be or stupidly enforced.
To me, it sounds like he doesn't want to roll up his sleeves and do some dirty work with port-forwarding, SSH-ing, and proxying. With those, you can enjoy quite decent browsing while away AND understand that your weakest point is at home.
On an unrelated note, where does this guy live?
import system.cool.Sig;
So then he's just a bastard?
Actually, yes it is. DD-WRT (http://dd-wrt.com/) has a feature that lets you put out a second (up to 4 IIRC) SSID with separate security and etc. It's only available in the RCs at the moment (and broken in RC6, but working in RC5).
"I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
That said, IANAL but the ones that he apparently spoke to seem awfully cavalier about the situation. I would be extremely uncomfortable explaining to a judge that I:
1) Published an article stating that I knew that my wireless connection could be used by others to commit crimes.
2) Left my connection unsecured anyway.
3) Was arrested because of illegal traffic.
4) Expect to be excused.
He's getting rather old, but he's a good mouse.
See this example in the UK
http://news.bbc.co.uk/1/hi/england/hereford/worcs/6565079.stm
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
No, it's more akin to: I go to the grocery store and buy a 5 lb bag of sugar. Now I don't need to use that much sugar so I let the neighbors have some. That's not stealing because I paid for it. You're essentially doing nothing more than what a Starbucks or other cafe does.
However, don't be surprised that companies like Comcast freak out because, while they want you to PAY for all that bandwidth, they don't actually want you to USE it!
If you've never been modded as "flamebait" or "troll," you've never tried to argue a minority viewpoint here!
"Security is always a trade-off. I know people who rarely lock their front door, who drive in the rain (and, while using a cellphone) and who talk to strangers..."
/.)!
Plenty of people worried; "Oh someone might download kiddie porn and I would get blamed", "Oh, someone steals my information", "Oh, someone might download riaa music..."
If you walk around in fear of things that never happen to you, then by all means, lock your stuff down - even better, stay off the net entirely! Then maybe you'll feel safe. Oh wait, you don't want to feel safe, you want to be afraid and worry.
"This happens everywhere/all the time" - is a dangerous mindset when watching TV (or surfing
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
It's totally possible. One of those FON WiFi routers (google it) will publish two SSIDs. Each has different settings. They sell them at cost and they're meant to have the public SSID be shared with other FON users, but they also have a feature where you can generate passwords for friends/family.
8 of 13 people found this answer helpful. Did you?
What if you borrow someone's book without asking them?
I don't look at connecting to wi-fi as stealing from an ISP at all. If anything I'd say you're stealing from whoever is buying that bandwidth. At the same time, though, you're not stealing their connection in the same way you're stealing a car. Their router and modem are still there, and if you're just surfing you're probably not causing any noticeable difference.
I say, if there's an unsecured wireless network, you may as well use it. Just don't be a jackass and prevent the poor old grandma who doesn't know what WEP is from googling proon smoothie recipes and using two very capable fingers to mail her grandkids every night at 5:30 right before bed.
life is a tragedy to those who feel, and a comedy to those who think
I am TheRaven on Soylent News
Slashdot would suck if everyone had to call Rob before they felt they were allowed to use his web server.
Wait! You mean I don't? Shit! All those wasted phone calls!
However, don't be surprised that companies like Comcast freak out because, while they want you to PAY for all that bandwidth, they don't actually want you to USE it! Actually, it's more like "I pay $50/month for unlimited 5lb bags of sugar. Now, since there's little chance I will use 50lbs of sugar, I give it away. In fact, I give away 200lbs of sugar, or ~$200 worth of sugar."
That's how the internet companies see this.
Who is right? Both really. There will be people who share the internet with 20 other users and only pay one bill. The upload and download is always maxed out 24/7. The internet company makes no money from them. In this case, the internet company was right. But there will also be people who simply like to leave there internet open, because it's awfully nice to go to your grandma's house over Christmas (who doesn't have internet, let alone wireless), and bring your laptop, and to be pleasantly surprised that someone left their network open, so you can still check Slashdot instead of spending time with family.
The solution would be to not force this into a box, but qualify statements: "While we the internet company do not approve of users sharing their internet with 20 different users in an apartment, we see nothing wrong with people in neighborhoods leaving their AP open; because most people aren't going to have a desktop with integrated wireless.
You mean the same ISP that agreed to give me unlimited downloads but cancels my service if I pass their secret limit? The same ISP that sold me unlimited high-speed but throttles it back for certain applications? Who is that needs the integrity?
Support Right To Repair Legislation.
Well put, but I believe that the RIAA is successfully prosecuting people based on IP's alone. IIRC, there was a recent case where a woman lost a case after trying to counter that somebody could have been piggy-backing on her connection. I'd swear I read about it on /., but can't seem to find the link.
Maybe it was just a vivid nightmare...
He's getting rather old, but he's a good mouse.
In the case of bandwidth, you aren't purchasing anything, except maybe the modem. You're purchasing a service, and access to the company's network and support resources. Now, if you bought the fiber and servers, maybe you'd have half of an argument there.
Actually, it's more like ordering the all you can eat buffet and letting your friend eat off your plate.
If your friend says, "gee that looks good," and you say, "here, have a bite," the restaurant doesn't care. You had a good time, your friend had a good time, you'll probably come back for more. On the other hand, if your friends eats a dozen jumbo shrimp and couple of salmon fillets, the restaurant will be ticked off, because they priced the buffet around the probable range of one person's appetite. If everybody starts doubling or tripling up, then they have to raise prices, which mean they can't sell to individual diners.
So the way this works is, the vendor makes rules, and they look the other way at insignificant bits of rule breaking that keep their customers happy. When people get organized about breaking rules to unilaterally drop the price of service, then they start to get a bit tetchy.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Hey, how about that? Here's a link an article about it.
"The IP address simply can help you know who paid for the internet access, but not who was using what computer on a network. In fact, this even had some people suggesting that, if you want to win a lawsuit from the RIAA, you're best off opening up your WiFi network to neighbors. It seems like this strategy might actually be working. Earlier this month the inability to prove who actually did the file sharing caused the RIAA to drop a case in Oklahoma and now it looks like the same defense has worked in a California case as well. In both cases, though, as soon as the RIAA realized the person was using this defense, they dropped the case, rather than lose it and set a precedent showing they really don't have the unequivocal evidence they claim they do."
Well, whaddya know?
I don't even own any WiFi equipment for fear of someone using my connection to do something questionable...but now maybe I will buy one. Nothing like a get out of jail free card, y'know?
Weaselmancer
rediculous.
I used to keep my WiFi router secured. But then there were some days when I couldn't connect from the other end of my apartment, and it was real handy to go through neighbor's unsecured WiFi. This convinced me that it was the neighborly thing to do and opened mine.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
"insecure" is bad. "open" is good. It's an "open wifi network" not an "insecure wifi network."
Don't piss off The Angry Economist
helmets and seatbelts you are placing the cost of your healthcare on the public. Hence you are harming someone. You can argue that you could be given the choice of not wearing a helmet or seatbelt with the understanding that you waive any right to care you can't pay for if you are injured in an accident.
Insider trading does harm others. You are very literally stealing money from other people.
C'mon, can't you come up with something better?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Bruce jumped the shark for me when in the comments section of his blog he dismissed state election voter ID requirements because voter fraud probably only accounts for a few percentage points here and there, as if that's not enough to sway an election.
If you don't know, this is the very issue that was argued before the U.S. Supreme Court yesterday (Indiana law requiring government issued photo ID to vote). I agree with Bruce's POV, but his argument is NOT STRONG ENOUGH.
In-person voter ID fraud doesn't "probably only account for a few percentage points here and there", but per the appellate arguments, there has not been one single identified case of in-person voter ID fraud in the history of Indiana. NOT ONE.
Great article on the subject posted on Tuesday, before the oral arguments. Written by Walter Dellinger, one of the premier Supreme Court appellate attorneys, who is representing Washington DC in its upcoming Supreme Court case regarding DC's gun control laws. The first such case in the last half-century.
---
"A law said to combat voting fraud by imposing the modest task of showing an ID may seem at first impression to be both sensible and fair. But this law is neither."
"First and foremost, Indiana's law is a "solution" to a problem that doesn't exist. The voting fraud it purports to address is illusory. And the means it employs needlessly make it far more difficult for some citizens--especially those who are low-income, elderly, or lack easy access to transportation--to vote."
"Because a photo-ID requirement exists to prevent a type of fraud that appears to be imaginary, the requirement would be hard to justify even if it imposed only a minimal impact on legitimate voters. But a photo-ID law in fact imposes substantial burdens on the right to vote."