gabriel rosenkoetter on 3 Oct 2007 01:41:57 -0000
Wow, that's one of my more outrageous In-Reply-To headers ever...

A bit of a summary, now that I've finally got a martini in my hand, on my views here. I'm going to go ahead and pick some nits below, but I think I'll wash my hands of this topic with this post (so, I guess, Cc me privately if you want to explicitly ask my opinion on something).

I didn't ever intend, though I think may have implied, that anybody else should leave their wireless base stations open to the public just because I think it's a good idea. I did intend to present a contrary position to the proselytization that people are doing something bad and evil if they choose to share their Internet connection with the public by way of wireless Ethernet.

If you are concerned for your own (network's) security, or aren't sure you understand how to leave things open for sharing but still protect yourself, then the technical advice given earlier today and yesterday is exactly valid (skip WEP, it's not worth the time it takes to configure; don't broadcast SSID; prefer WPA2; use a strong passphrase with WPA2's AES-256 encryption).

If you know what you're doing to secure your internal network, however, I strongly encourage you to leave wireless open. If a neighbor or stranger abuses it to download huge quantities of data regularly, you'll know because you'll notice the bandwidth hit, and you can ban them. If they abuse it for nefarious purposes (and this here is my primary reason for sticking in this argument), the relevant law enforcement bodies are, finally, sufficiently clued that they will understand your assertions that it wasn't you: more than that, they'll be able to comprehend and act on your dhcpd.leases file to find the real crook (modulo one-time, never-repeat MAC spoofing, but clever crooks don't get caught in simple errors like that, that's why we call them clever).
The reason that "I strongly encourage you to leave wireless open" (assuming you know what you're doing) is that it enables a better-connected world. Maybe that's overpaid jerks like me with iPhones, but maybe it's public school kids with a funded laptop from school whose family can't afford basic cable, let alone an Internet connection at home. In either case, and the many shades of grey between, I believe that our society prospers through a freer exchange of information, and letting a few school kids sit on my (or your) stoop and browse Wikipedia does just that. Sure, they may sit on our stoops and browse redtube.com, but that's a logically orthogonal societal problem.

At 2007-10-02 14:05 -0400, lists.plug@mas.ml1.net <lists.plug@mas.ml1.net> wrote:
> On Tue, 2 Oct 2007 09:43:09 -0400, "gabriel rosenkoetter" <gr@eclipsed.net> said:
> > At 2007-10-01 23:11 -0400, jeff <jeffv@op.net> wrote:
> > > My guess would be when it became popular to hijack/hack connections.
> > Can you produce a single shred of evidence that this has "become
> > popular"?
> http://en.wikipedia.org/wiki/Piggybacking_%28internet_access%29

That is a well-written and balanced article, however I do not believe that it provides an example of what's implied by "hijack/hack connections". Piggybacking is something that I do all the time, some times inadvertently (the iPhone knows about one SSID called linksys and another called NETGEAR; absent WEP or WPA authentication, it just goes ahead and uses them, exactly as it was intended to do). It becomes abusive when that connection is used either to download large quantities of data (regardless of copyright infringements involved) or to transmit various quantities of data (from spam to bomb threats). In the former case of abuse, you will (and I have) notice, and can ban the MAC address when it actually gets in the way.
In the latter case of abuse, as I stated above, law enforcement isn't dumb about this, and they may be more surprised to get useful redirection from a private individual than they would be from a Corporation, but they do know how to move through, rather than on, that individual. Again, I wish Trooper John were reading and responding here. That was, three or four years ago, exactly what he did.

Back to the Wikipedia article: they provide many examples in which the actual culprit abusing someone else's Internet connection got in trouble. There are no examples in that article cited in which the innocent (and neighborly) party got in trouble. That article supports, rather than controverts, my stance.

(Personally, I'm disinclined to sue anybody over over- or misuse of my Internet connection, let alone bring charges: that's a problem far better solved by technology. But if the FBI comes knocking, I'll happily provide them connection logs for the period for which they have a warrant.)

At 2007-10-02 17:20 -0400, Matthew Rosewarne <mrosewarne@inoutbox.com> wrote:
> There is another issue, not technical, but legal, that might warrant some
> attention. In your contract with your ISP, you probably explicitly agreed
> not to provide an open access point. While it's unlikely they'll do anything
> about it, they might decide to cut off your access.

Again I do, as I have often before, recommend Speakeasy. I am, much to my irritation, no longer a customer, as Covad doesn't service the CO at my new address, but they have an explicit policy on sharing Internet connections they provide, which runs roughly like this: "please do, and tell us about it so that we can publicise its location to other Speakeasy customers".

At 2007-10-02 13:00 -0400, zuzu <sean.zuzu@gmail.com> wrote:
> the "piggybacking problem" smells like FUD the same way that the "spam
> problem" has always been FUD.

I think that's a misuse of the term FUD.
Asserting that use of open wireless ("piggybacking") can be a problem is not FUD. Stating that everybody should lock down their wireless at the base station in response to that potential is FUD. I hope that's what you meant?

I'm not sure what you're trying to say about spam, and I'm not sure it's necessarily relevant. If you're suggesting that the assertion that a lot of bandwidth (implying, incontrovertibly, money) is lost to transmitting email nobody wanted to read... if you're suggesting that that is FUD, you are dead wrong. If you're suggesting that "somebody might send spam using your IP address, so you must use the highest possible security on your wifi base station" is FUD, then I agree.

My point is that FUD means fostering and invoking fear, uncertainty, and doubt. There are legitimate arguments to be made in favor of preventing abuse of one's Internet connection (and, more importantly, clear explanations of how to do so), but those arguments lose their legitimacy (and become FUD) when they turn to absolute assertions of how others should manage their systems.

At 2007-10-02 13:29 -0400, Brian Stempin <brian.stempin@gmail.com> wrote:
> I think that saying "you don't need to secure your AP" is about as safe as
> saying "your home/business/whatever internet connection doesn't need a
> firewall". It just seems horribly counter-intuitive to me.
[clip]

These statements suggest to me that you do not understand how to perform a proper threat model analysis. The two situations differ in several ways, but here are the highlights:

Securing an AP:
- Target is physically local, and any large constituency will be noticed, especially in residential neighborhoods.
- Target must leave traces (even if falsified) by way of MAC address when making use of an AP.

Securing an Internet connection:
- Target could be physically remote, and source traffic (clustered nmap, for example) can come from N sources.
- Target can make connections through one or several (compromised) source IP addresses, making traces difficult if not impossible.

Those two contrary points alone are sufficient to require complete reanalysis of the threat model, to justify cost/benefit recalculation, and to potentially produce wildly disparate response. The potential audience of my public Internet connection and my publicly-visible AP are sufficiently different to warrant handling each in a different manner.

> As a real-life example:
> Would you leave your house door unlocked all of the time? Would you leave
> your keys in your unlocked car in an unlit alley-way all day and night?

I think zuzu covered sufficiently the ways in which these are instinctive, but not analytically sound, comparisons.

> I've got nothing against large mesh networks, but I would like some sort of
> piece-of-mind. It all comes down to convenience vs security. Is the
> benefit of said network greater than my potential risk?

You may decide, for you, that it is not. I reacted to your proselytizing to others that they should share your fear. I do not think that is logically justified.

> Is the convenience of leaving your access point open enough to deal with the
> consequences of someone else's misuse?

For me, bearing in mind the protections I've placed between that and the systems that have volatile data for me, it is.

> Is the convenience of leaving your doors unlocked enough to deal with a
> robbery?

... and this is where your extension of applicability goes too far. These are not the same things.

At 2007-10-02 16:02 -0400, zuzu <sean.zuzu@gmail.com> wrote:
> or, as I said, put any private services on a VPN to segregate it from
> the "public" network.

I'm not sure waving the Magic Word (well, acronym) VPN around is particularly useful here. Networks can be secured and traffic of certain types permitted through firewalls protecting them (potentially, enciphered, but at layers above 3) without the use of encryption at layer 3.
"Virtual Private Networks" are almost always overkill for home networks, and are rarely push-button in that context. (I've carried an RSA key for several employers and more years, and it makes sense if you can pay for it, but it's overkill to encipher all traffic all the time for the bandwidth and latency available for most home networks.)

> however, noting that exposure from those within earshot of a wireless
> signal is significantly smaller than exposure to the whole of the
> internet is not insignificant either.

YES!

> > As a real-life example:
> > [clip]
> I'm fine with analogies, but comparing the access/copying of
> [clip]

I can't possibly improve on this explication. I agree completely.

> because all security is a trade-off, as you also seem to imply... but
> I don't think your security model holds up well to comprehensive
> scrutiny.
[clip]

The buzzword you want there is "threat model" (not "security ~", which is NOT the same thing). Otherwise, I again agree completely.

> I think you're ignoring a kind of opportunity cost;

YES! again.

> maybe reading a Bruce Schneier book could explain this than I am now.

But, really, why pay for it? Bruce is plenty happy to provide sensible information security analysis, discussion, and advice to the masses free of charge. If you care about information security and you're not subscribing to:

http://feeds.feedburner.com/schneier/fulltext

you're missing out.

At 2007-10-02 16:14 -0400, Brian Stempin <brian.stempin@gmail.com> wrote:
> My goal was never to advocate building Fort Knox in your basement,
> but rather to advise against letting people use your internet
> connection to hide themselves for evil purposes.

... and my (and, I think, several others') suggestion is that you are protecting against a threat model that simply does not exist, restricting traffic in ways whose cost do not justify their benefit for most people.
They may for you, given your own personal cost/benefit analysis, but it's not appropriate to prescribe your security to the rest of the world absent the suggestion that they should reach their own conclusions.

At 2007-10-02 16:05 -0400, Brian Stempin <brian.stempin@gmail.com> wrote:
> > Okay, so what did happen when the authorities did trace the IP
> > address back to the other educational entity?
> This was one of the press releases from the DA's office:
> http://dsf.chesco.org/da/cwp/view.asp?A=11&Q=629772&pp=3
[clip]
> > Were there any accusations leveled, either at the institution or at
> > its students?
> No names were mentioned in the article that I linked, but as per the quote
> above, there were at least 200 people interviewed regarding the email.

Okay. And is there some problem with being "interviewed"? I certainly distrust public policy on the "if you're innocent you have nothing to hide" principle, but in the case where someone does something evil through my Internet connection, I've nothing to lose by cooperation with the authorities. They really aren't idiots, and they don't get angry with you unless you behave unreasonably. That is fundamental to their job.

> *court orders have been obtained to retrieve evidence concerning the source
> of the threatening emails*
>
> I don't know about you, but I need my b0xen. By leaving my WAP open, I in
> turn enable some jackass to abuse my generosity, which will in turn open me
> up to having a court order filed against me demanding that I hand over my
> equipment.

You are operating on a decades-old definition of what law enforcement calls "evidence" in relation to computers. It is reasonable to expect that they will accept logs, properly forensically preserved, provided you are calm and open with them. (It wasn't reasonable to expect that even eight years ago, but it really is now, speaking from professional experience on which I can't expand further.)
> What I was trying to convey is that you should be afraid of an unknown
> person using your connection for evil.

And I argue that that is not a legitimate reason for fear, because I can, digitally and verifiably, say "He went that way!", which I'm sufficiently comfortable to sleep at night that any legitimate law enforcement agent is sufficiently competent (or has sufficient resources behind him) to check out and follow up. Illegitimate (ie, infringing private property absent a valid warrant) law enforcement, of course, I'd shoot on recognition. But that's dipping penduously into my politics outside of computer security...

> The point is that no matter how easy or hard your connection is to crack,
> it's not worth an attackers time if all they're looking for is an internet
> connection. They'll simply move on, which is what I would assume you would
> want an attacker to do.

Valid reasoning, except that it assumes all anonymous parties are attackers. I assume that relatively few anonymous parties are attackers, which is supported by real world usage of my publicly accessible wireless over the past nine years. I don't like thinking everyone I don't know is an attacker, and my experience meeting people I don't know confirms that an overwhelming majority of them are not attackers. My cost/benefit analysis suggests that being open, but cognizant, is better for the world than sticking my head in the sand.

> That number was a rough estimation that I generated from my days of
> war driving. You do have a point: I do not have a good source for this. I
> didn't spend too long poking around, but I did find this:
> http://review.zdnet.com/4520-7297_16-5509700.html

You gloss past an important quote here:

> it should be noted that the survey does not take into consideration
> intentionally public wireless networks, such as those from wireless
> cafes.
So they're just judging whether they can hit google on the connection, without consideration of whether it actually makes the provider of the connection vulnerable in any real or legal way. The unanswered questions alone, without bothering to speculate on their answers, renders that study useless in this context.

> Within the last year, the percentage of those using wireless
> encryption protocol (WEP) has gone up, from 32 percent one year ago
> to 38 percent this year, as many companies have started to lock
> down their wireless networks. However, the number of those using
> the default wireless settings has actually gone up, from 27 percent
> last year to 31 percent this year.

So... that doesn't come within even a catapult's toss of the 75% you stated previously, does it?

> This neither confirms nor denies my original number,
> but still proves my point: There's a lot of open networks out there.

You asserted that 75% of residential networks were open, explicitly, and vulnerable to local or remote abuse, implicitly. I think that's false based on the reference you've cited.

> On 10/2/07, jeff <jeffv@op.net> wrote:
> > gedit (sorry).

At 2007-10-02 18:19 -0400, Brian Stempin <brian.stempin@gmail.com> wrote:
> punch cards

Wot?

--
gabriel rosenkoetter
gr@eclipsed.net
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
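The lookup the message above leans on twice ("act on your dhcpd.leases file to find the real crook", and "ban the MAC address when it actually gets in the way"), worked through as an added example; it is not part of gabriel's post or of the PLUG list. It assumes the ISC dhcpd lease-file format: each `lease <ip> { ... }` block carries `starts` and `ends` timestamps in UTC with a leading day-of-week digit, and the file is append-only, so one IP appears in many blocks over time and the block you want is the one whose window covers the time in the abuse report, not simply the last one. The sample lease file, its MAC addresses and hostnames are constructed for illustration, and the `ban_rule` helper assumes the access point is a Linux router using iptables' mac match.

```python
"""Which DHCP client held a given IP at a given time, from dhcpd.leases.

Added example (not part of the original post or the PLUG list's material).
Assumes the ISC dhcpd lease-file format: 'lease <ip> { ... }' blocks with
'starts'/'ends' timestamps in UTC (leading day-of-week digit), appended
over time, so the same IP appears in several blocks. SAMPLE_LEASES and its
MAC addresses/hostnames are constructed for illustration.
"""
import re
from datetime import datetime, timezone

SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.1.50 {
  starts 2 2007/10/02 17:05:11;
  ends 2 2007/10/02 19:05:11;
  binding state active;
  hardware ethernet 00:1b:63:aa:bb:cc;
  client-hostname "iphone";
}
lease 192.168.1.51 {
  starts 2 2007/10/02 17:20:00;
  ends never;
  binding state active;
  hardware ethernet 00:18:f3:11:22:33;
}
lease 192.168.1.50 {
  starts 2 2007/10/02 19:30:00;
  ends 2 2007/10/02 21:30:00;
  binding state active;
  hardware ethernet 00:0c:29:de:ad:01;
  client-hostname "stoop-laptop";
}
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"
BLOCK_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TIME_RE = re.compile(r"^\s*(starts|ends)\s+(.+?);", re.M)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def _parse_time(value):
    """'2 2007/10/02 17:05:11' -> aware UTC datetime; 'never' -> far future."""
    if value == "never":
        return datetime.max.replace(tzinfo=timezone.utc)
    stamp = value.split(None, 1)[1]  # drop the leading day-of-week digit
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return every complete lease block as a dict, in file order."""
    leases = []
    for block in BLOCK_RE.finditer(text):
        ip, body = block.group(1), block.group(2)
        times = {m.group(1): m.group(2) for m in TIME_RE.finditer(body)}
        mac = MAC_RE.search(body)
        if mac is None or "starts" not in times or "ends" not in times:
            continue  # e.g. a released/free lease with no hardware line
        host = HOST_RE.search(body)
        leases.append({
            "ip": ip,
            "mac": mac.group(1).lower(),
            "hostname": host.group(1) if host else None,
            "starts": _parse_time(times["starts"]),
            "ends": _parse_time(times["ends"]),
        })
    return leases


def who_had(leases, ip, when_utc):
    """Leases for `ip` whose [starts, ends] window covers `when_utc`, a
    'YYYY/MM/DD HH:MM:SS' string in UTC (the file's own timezone), oldest
    first. Convert the abuse report's local time to UTC before calling.
    An empty result means no lease was active then: a static or spoofed
    address that never talked to the DHCP server, or a clock skew problem."""
    when = datetime.strptime(when_utc, TIME_FMT).replace(tzinfo=timezone.utc)
    hits = [l for l in leases
            if l["ip"] == ip and l["starts"] <= when <= l["ends"]]
    return sorted(hits, key=lambda l: l["starts"])


def ban_rule(mac):
    """iptables rule dropping forwarded traffic from one client (assumes the
    AP is a Linux router using iptables' mac match). A MAC is trivially
    changed, so this stops a casual bandwidth hog, not a careful adversary."""
    return f"iptables -I FORWARD -m mac --mac-source {mac} -j DROP"


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    # Hypothetical abuse report: 192.168.1.50 sent something at 20:00 UTC.
    for hit in who_had(leases, "192.168.1.50", "2007/10/02 20:00:00"):
        print(hit["mac"], hit["hostname"], hit["starts"], hit["ends"])
        print(ban_rule(hit["mac"]))
```

Two practical points: work from a copy of the lease file (ISC dhcpd rewrites it periodically, dropping expired blocks, so the history you want for a warrant may only survive in your backups), and note that the 19:05 to 19:30 gap in the sample is a real outcome, not a parser bug; a report for that window names nobody, which is exactly the MAC-spoofing caveat the message makes.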