gabriel rosenkoetter on 3 Oct 2007 01:41:57 -0000


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Verizon FIOS & open wireless


Wow, that's one of my more outrageous In-Reply-To headers ever...

A bit of a summary, now that I've finally got a martini in my hand,
on my views here. I'm going to go ahead and pick some nits below,
but I think I'll wash my hands of this topic with this post (so, I
guess, Cc me privately if you want to explicitly ask my opinion on
something).

I didn't ever intend, though I think may have implied, that anybody
else should leave their wireless base stations open to the public
just because I think it's a good idea. I did intend to present a
contrary position to the proselytization that people are doing
something bad and evil if they choose to share their Internet
connection with the public by way of wireless Ethernet.

If you are concerned for your own (network's) security, or aren't
sure you understand how to leave things open for sharing but still
protect yourself, then the technical advice given earlier today and
yesterday is exactly valid (skip WEP, it's not worth the time it
takes to configure; don't broadcast SSID; prefer WPA2; use a strong
passphrase with WPA2's AES-256 encryption).

If you know what you're doing to secure your internal network,
however, I strongly encourage you to leave wireless open. If a
neighbor or stranger abuses it to download huge quantities of data
regularly, you'll know because you'll notice the bandwidth hit, and
you can ban them. If they abuse it for nefarious purposes (and this
here is my primary reason for sticking in this argument), the
relevant law enforcement bodies are, finally, sufficiently clued
that they will understand your assertions that it wasn't you: more
than that, they'll be able to comprehend and act on your
dhcpd.leases file to find the real crook (modulo one-time,
never-repeat MAC spoofing, but clever crooks don't get caught in
simple errors like that, that's why we call them clever).

The reason that "I strongly encourage you to leave wireless open"
(assuming you know what you're doing) is that it enables a
better-connected world. Maybe that's overpaid jerks like me with
iPhones, but maybe it's public school kids with a funded laptop
from school whose family can't afford basic cable, let alone an
Internet connection at home. In either case, and the many shades
of grey between, I believe that our society prospers through a
freer exchange of information, and letting a few school kids sit on
my (or your) stoop and browse Wikipedia does just that. Sure, they
may sit on our stoops and browse redtube.com, but that's a logically
orthogonal societal problem.

At 2007-10-02 14:05 -0400, lists.plug@mas.ml1.net <lists.plug@mas.ml1.net> wrote:
> On Tue, 2 Oct 2007 09:43:09 -0400, "gabriel rosenkoetter" <gr@eclipsed.net> said:
> > At 2007-10-01 23:11 -0400, jeff <jeffv@op.net> wrote:
> > > My guess would be when it became popular to hijack/hack connections.
> > Can you produce a single shred of evidence that this has "become
> > popular"?
> http://en.wikipedia.org/wiki/Piggybacking_%28internet_access%29

That is a well-written and balanced article, however I do not
believe that it provides an example of what's implied by
"hijack/hack connections".

Piggybacking is something that I do all the time, some times
inadvertantly (the iPhone knows about one SSID called linksys and
another called NETGEAR; absent WEP or WPA authentication, it just
goes ahead and uses them, exactly as it was intended to do).

It becomes abusive when that connection is used either to download
large quantities of data (regardless of copyright infringements
involved) or to transmit various quantities of data (from spam to
bomb threats).

In the former case of abuse, you will (and I have) notice, and can
ban the MAC address when it actually gets in the way. In the latter
case of abuse, as I stated above, law enforcement isn't dumb about
this, and they may be more surprised to get useful redirection from
a private individual than they would be from a Corporation, but they
do know how to move through, rather than on, that individual.

Again, I wish Trooper John were reading and responding here. That
was, three or four years ago, exactly what he did.

Back to the Wikipedia article: they provide many examples in which
the actual culprit abusing someone else's Internet connection got in
trouble. There are no examples in that article cited in which the
innocent (and neighborly) party got in trouble. That article
supports, rather than controverts, my stance.

(Personally, I'm discinclined to sue anybody over over- or misuse of
my Internet connection, let alone bring charges: that's a problem
far better solved by technology. But if the FBI comes knocking, I'll
happily provide them connection logs for the period for which they
have a warrant.)

At 2007-10-02 17:20 -0400, Matthew Rosewarne <mrosewarne@inoutbox.com> wrote:
> There is another issue, not technical, but legal, that might warrant some 
> attention.  In your contract with your ISP, you probably explicitly agreed 
> not to provide an open access point.  While it's unlikely they'll do anything 
> about it, they might decide to cut off your access.

Again I do, as I have often before, recommend Speakeasy. I am, much
to my irritation, no longer a customer, as Covad doesn't service the
CO at my new address, but they have an explicit policy on sharing
Internet connections they provide, which runs roughly like this:
"please do, and tell us about it so that we can publicise its
location to other Speakeasy customers".

At 2007-10-02 13:00 -0400, zuzu <sean.zuzu@gmail.com> wrote:
> the "piggybacking problem" smells like FUD the same way that the "spam
> problem" has always been FUD.

I think that's a misuse of the term FUD. Asserting that use of open
wireless ("piggybacking") can be a problem is not FUD. Stating that
everybody should lock down their wireless at the base station in
response to that potential is FUD. I hope that's what you meant?

I'm not sure what you're trying to say about spam, and I'm not sure
it's necessarily relevant. If you're suggesting that the assertion
that a lot of bandwidth (implying, incontrovertibly, money) is lost
to transmitting email nobody wanted to read... if you're suggesting
that that is FUD, you are dead wrong. If you're suggesting that
"somebody might send spam using your IP address, so you must use the
highest possible security on your wifi base station" is FUD, then I
agree.

My point is that FUD means fostering and invoking fear, uncertainty,
and doubt. There are legitimate arguments to be made in favor of
preventing abuse of one's Internet connection (and, more imporantly,
clear explanations of how to do so), but those arugments lose their
legitimacy (and become FUD) when they turn to absolute assertions
of how others should manage their systems.

At 2007-10-02 13:29 -0400, Brian Stempin <brian.stempin@gmail.com> wrote:
> I think that saying  "you don't need to secure your AP" is about as safe as
> saying "your home/business/whatever internet connection doesn't need a
> firewall".  It just seems horribly counter-intuitive to me.
[clip]

These statements suggest to me that you do not understand how to
perform a proper threat model analysis.

The two situations differ in several ways, but here are the
highlights:

Securing an AP:
- Target is physically local, and any large consituency will be
noticed, especially in residential neighborhoods.
- Target must leave traces (even if falsified) by way of MAC address
when making use of an AP.

Securing an Internet connection:
- Target could be physically remote, and source traffic (clustered
nmap, for example) can come from N sources.
- Target can make connections through one or several (compromised)
source IP addresses, making traces difficult if not impossible.

Those two contrary points alone are sufficient to require complete
reanalysis of the threat model, to justify cost/benefit
recalculation, and to potentially produce wildly disparate response.

The potential audience of my public Internet connection and my
publicly-visible AP are sufficiently different to warrant handling
each in a different manner.

> As a real-life example:
> Would you leave your house door unlocked all of the time?  Would you leave
> your keys in your unlocked car in an unlit alley-way all day and night?

I think zuzu covered sufficiently the ways in which these are
instinctive, but not analytically sound, comparisons.

> I've got nothing against large mesh networks, but I would like some sort of
> piece-of-mind.  It all comes down to convenience vs security.  Is the
> benefit of said network greater than my potential risk?

You may decide, for you, that it is not. I reacted to your
proselytizing to others that they should share your fear. I do not
think that is logically justified.

> Is the convenience of leaving your access point open enough to deal with the
> consequences of someone else's misuse?

For me, bearing in mind the protections I've placed between that and
the systems that have volatile data for me, it is.

> Is the convenience of leaving your doors unlocked enough to deal with a
> robbery?

... and this is where your extension of applicability goes to far.
These are not the same things.

At 2007-10-02 16:02 -0400, zuzu <sean.zuzu@gmail.com> wrote:
> or, as I said, put any private services on a VPN to segregate it from
> the "public" network.

I'm not sure waving the Magic Word (well, acronym) VPN around is
particularly useful here. Networks can be secured and traffic of
certain types permitted through firewalls protecting them (potentially,
enciphered, but at layers above 3) without the use of encryption at
layer 3.

"Virtual Private Networks" are almost always overkill for home
networks, and are rarely push-button in that context. (I've carried
an RSA key for for several employers and more years, and it makes
sense if you can pay for it, but it's overkill to encipher all
traffic all the time for the bandwidth and latency available for
most home networks.)

> however, noting that exposure from those within earshot of a wireless
> signal is significantly smaller than exposure to the whole of the
> internet is not insignificant either.

YES!

> > As a real-life example:
> > [clip]
> I'm fine with analogies, but comparing the access/copying of
> [clip]

I can't possibly improve on this explication. I agree completely.

> because all security is a trade-off, as you also seem to imply...  but
> I don't think your security model holds up well to comprehensive
> scrutiny. [clip]

The buzzword you want there is "threat model" (not "security ~",
which is NOT the same thing). Otherwise, I again agree completely.

> I think you're ignoring a kind of opportunity cost;

YES! again.

> maybe reading a Bruce Schneier book could explain this than I am now.

But, really, why pay for it? Bruce is plenty happy to provide
sensible information security analysis, discussion, and advice to
the masses free of charge. If you care about information security
and you're not subscribing to:
  http://feeds.feedburner.com/schneier/fulltext
you're missing out.

At 2007-10-02 16:14 -0400, Brian Stempin <brian.stempin@gmail.com> wrote:
> My goal was never to advocate building Fort Knox in your basement,
> but rather to advise against letting people use your internet
> connection to hide themselves for evil purposes.

... and my (and, I think, several others') suggestion is that you
are protecting against a threat model that simply does not exist,
restricting traffic in ways whose cost do not justify their benefit
for most people. They may for you, given your own personal
cost/benefit analysis, but it's not appropriate to prescribe your
security to the rest of the world absent the suggestion that they
should reach their own conclusions.

At 2007-10-02 16:05 -0400, Brian Stempin <brian.stempin@gmail.com> wrote:
> > Okay, so what did happen when the authorities did trace the IP
> > address back to the other educational entity?
> This was one of the press releases from the DA's office:
> http://dsf.chesco.org/da/cwp/view.asp?A=11&Q=629772&pp=3
[clip]
> > Were there any accusations leveled, either at the institution or at
> > its students?
> No names were mentioned in the article that I linked, but as per the quote
> above, there were at least 200 people interviewed regarding the email.

Okay. And is there some problem with being "interviewed"?

I certainly distrust public policy on the "if you're innocent you
have nothing to hide" principle, but in the case where someone does
something evil through my Internet connection, I've nothing to lose
by cooperation with the authorities. They really aren't idiots, and
they don't get angry with you unless you behave unreasonably. That
is fundamental to their job.

> *court orders have been obtained to retrieve evidence concerning the source
> of the threatening emails*
> 
> I don't know about you, but I need my b0xen.  By leaving my WAP open, I in
> turn enable some jackass to abuse my generosity, which will in turn open me
> up to having a court order filed against me demanding that I hand over my
> equipment.

You are operating on a decades-old definition of what law enforcement
calls "evidence" in relation to computers. It is reasonable to
expect that they will accept logs, properly forensically preserved,
provided you are calm and open with them. (It wasn't reasonable to
expect that even eight years ago, but it really is now, speaking
from professional experience on which I can't expand further.)

> What I was trying to convey is that you should be afraid of an unknown
> person using your connection for evil.

And I argue that that is not a legitimate reason for fear, because I
can, digitally and verifiably, say "He went that way!", which I'm
sufficiently comfortable to sleep at night that any legitimate law
enforcment agent is sufficiently competent (or has sufficient
resources behind him) to check out and follow up.

Illegitimate (ie, infringing private property absent a valid
warrant) law enforcment, of course, I'd shoot on recognition. But
that's dipping penduously into my politics outside of computer
security...

> The point is that no matter how easy or hard your connection is to crack,
> it's not worth an attackers time if all they're looking for is an internet
> connection.  They'll simply move on, which is what I would assume you would
> want an attacker to do.

Valid reasoning, except that it assumes all anonymous parties are
attackers. I assume that relatively few anonymous parties are
attackers, which is supported by real world usage of my publicly
accessible wireless over the past nine years.

I don't like thinking everyone I don't know is an attacker, and my
experience meeting people I don't know confirms that an overwhelming
majority of them are not attackers. My cost/benefit analysis
suggests that being open, but cognizant, is better for the world
than sticking my head in the sand.

> That number was a rough estimation  that I generated from from my days of
> war driving.  You do have a point:  I do not have a good source for this.  I
> didn't spend too long poking around, but I did find this:
> http://review.zdnet.com/4520-7297_16-5509700.html

You gloss past an important quote here:

> it should be noted that the survey does not take into consideration
> intentionally public wireless networks, such as those from wireless
> cafes.

So they're just judging whether they can hit google on the
connection, without consideration of whether it actually makes the
provider of the connection vulnerable in any real or legal way. The
unanswered questions alone, without bothering to speculate on their
answers, renders that study useless in this context.

> Within the last year, the percentage of those using wireless
> encryption protocol (WEP) has gone up, from 32 percent one year ago
> to 38 percent this year, as many companies have started to lock
> down their wireless networks. However, the number of those using
> the default wireless settings has actually gone up, from 27 percent
> last year to 31 percent this year.

So... that doesn't come within even a catapult's toss of the 75% you
stated previously, does it?

> This neither confirms nor denies my original number,
> but still proves my point:  There's a lot of open networks out there.

You asserted that 75% of residential networks were open, explicitly,
and vulnerable to local or remote abuse, implicitly. I think that's
false based on the reference you've cited.

> On 10/2/07, jeff <jeffv@op.net> wrote:
> > gedit (sorry).
At 2007-10-02 18:19 -0400, Brian Stempin <brian.stempin@gmail.com> wrote:
> punch cards

Wot?

-- 
gabriel rosenkoetter
gr@eclipsed.net

Attachment: pgp9RELdtMKne.pgp
Description: PGP signature

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug