Interesting People mailing list archives
Expert: Alleged Wi-Fi Risks Are Nonsense
From: Dave Farber <dave () farber net>
Date: Fri, 10 Jan 2003 07:43:24 -1000
------ Forwarded Message
From: Dewayne Hendricks <dewayne () warpspeed com>

Expert: Alleged Wi-Fi Risks Are Nonsense
By Mitch Wagner, InternetWeek
Jan 9, 2003 (11:50 AM)
URL: <http://www.internetwk.com/story/INW20030109S0001>

A popular technology Weblogger says warnings about the supposed security risks of Wi-Fi networking are nonsense.

Law-enforcement officials and telecommunications and networking companies have issued several warnings about supposed security risks from 802.11b or Wi-Fi wireless networks. The warnings involve Wi-Fi hot-spots, which are wireless access points set up so that any passing stranger with a Wi-Fi card in his computer can use the network anonymously, without logging in or paying any charge.

These open networks are often set up inadvertently by users who don't realize their new wireless access hardware is open. Other times, open-access points are set up intentionally: by restaurants and hotels looking to provide a service to customers, or by individual Internet enthusiasts looking to provide a community service.

The warnings go like this: Open Wi-Fi networks can be used by attackers to read data going over a LAN or on an individual PC. Open networks rob bandwidth from legitimate users, slowing down network performance, and people who use open wireless networks without first getting explicit permission are thieves perpetrating a denial-of-service attack.

The anonymous nature of open networks means they can be used by terrorists, spammers, or computer hackers and, in those cases, the owner of the wireless network will be liable for damages. Owners of wireless networks are warned that they could even face prison time if a criminal or terrorist hijacks their services.

Of particular concern is a practice with the ominous name of "wardriving," where Internet enthusiasts drive around looking for open Wi-Fi connections in their neighborhoods.
Then the enthusiasts leave marks to let other hackers know where they can find Wi-Fi connections, a practice known as "warchalking." For the enthusiasts, it's a way to get out of the house, be social, map a local resource, and do something for the community -- but for critics, it's ominous hacker activity. Using a Wi-Fi network without explicit permission is a criminal act, and people who maintain open Wi-Fi connections are threats to national security, according to critics.

The fears are ridiculous, says Cory Doctorow.

Doctorow has made a mission of debunking Wi-Fi security concerns -- he'd call them myths -- as one of the themes he visits frequently on his Weblog, Boing Boing, which he co-authors with three others. It's one of the most widely read and oldest blogs out there, with 7,500 visits daily in December (see for yourself, the traffic stats are open to the public).

Like most blogs, Boing Boing is an eclectic mix reflecting all the authors' interests: networking technology and civil rights, copyright and digital rights management, Apple, Disney theme parks, and tiki furniture. Doctorow is also outreach coordinator of the Electronic Frontier Foundation, co-founder of the software company OpenCOLA, and a science fiction writer whose first novel, "Down and Out in the Magic Kingdom," was recently published.

Doctorow says there's only the tiniest bit of truth to any of the security warnings, and even that little morsel of truth illustrates a flaw in all current thinking about network security, not just Wi-Fi.

Contrary to conventional wisdom, Doctorow encourages enterprises that maintain Wi-Fi connections to leave them open to public access. Doing so is a service to the community: It builds goodwill and costs nothing. On the other hand, attempting to close off the Wi-Fi connection adds cost and complexity to the network.
Doctorow blames much of the fear about Wi-Fi on false information spread by companies, such as Nokia, peddling 3G wireless and other high-speed networking technologies competing with Wi-Fi. These companies stand to lose a great deal of money if Wi-Fi continues to gain popularity. Also, the image of the wardriving hacker has captured the imaginations of law enforcement and the general public eager to paint hackers as villains.

The one kernel of truth in all the controversy: Wi-Fi network users can eavesdrop on clear traffic going over the network, Doctorow said. But that's not a Wi-Fi problem, since any network where text is moving in the clear is susceptible to the same kind of eavesdropping. That's a security problem in all types of networks, not just Wi-Fi.

"The problem is firewalls, which don't work, haven't worked and aren't going to work," Doctorow said. "Firewalls are bankrupt technology predicated on the idea that everyone on one side of the firewall is trustworthy, and no one on the other side of the firewall is trustworthy."

But in fact, criminals often gain access to the network from the inside. In past months, authorities have arrested several people accused of making criminal use of network access gained by virtue of being present or former employees of the companies they were charged with stealing from.

And firewalls aren't the only source of troubles: Many Internet service providers are still transmitting passwords in clear text over the network.

The solution is not to limit Wi-Fi, but rather to install personal firewalls on each computer, and encrypt all traffic going over the network, Doctorow said.

Denial of service is another fear raised. "There is a notion that gaining access to the network constitutes a denial of service; every packet I take is a packet you can't use," Doctorow said. But in fact, users use only a trivial amount of a high-speed Internet connection.
Moreover, switches on corporate networks are designed to balance multiple, high-speed demands on network resources.

"The wireless connection is at best 11 Mbps, more likely 2 Mbps, [but] when those are put on a 10 or 100 Mbit switched network, they just don't generate enough collisions to matter, no matter how many wireless users are out there," Doctorow said. "People who say to the contrary are wrong, they do not understand what they are talking about; they do not know how a switched network works. A router is capable of multiplexing 10 Mbit connections and making sure the traffic gets through."

He added, "The next argument we hear a lot of is the liability argument. If someone connects to our wireless network and uses the network for terrorism, drug deals, or child pornography, the police will take you in for the crimes of some other person and won't you be sorry then."

But in fact, the same laws that protect Internet service providers from liability protect entities providing Internet connectivity, Doctorow said.

"If it were the case that the network provider were liable, no one would provide network service and the Internet would disappear," Doctorow said. "A good lawyer will tell you to laugh it off."

Open Wi-Fi connections can present legal liabilities if the user's Internet service provider prohibits sharing Internet connections; Doctorow recommends finding a better ISP. ISP limitations on Wi-Fi connectivity are simply an attempt to limit access to the network and drive up profits, he said.

"For anyone who sells a consumable service to the public, the less of the service that the customers use, the more money they can get," Doctorow said. "One of the nice things about a free market is that it puts those companies out of business."

America Online rose to market leadership by removing limits on network access, replacing metered hourly connection plans in 1995 with plans that charged a flat monthly rate for all the network connectivity a customer could use.
He predicted a similar shakeout would occur among ISPs as wireless networks become more prominent.

The threat of anonymity falls down because there are easier ways of finding anonymous Internet connections than driving around looking for open Wi-Fi connections, Doctorow said. A terrorist or criminal can simply use Internet access from a kiosk, Internet cafe, or library.

The notion that spammers would use open Wi-Fi to send out messages is ridiculous, he says. Spammers operate by using wired Internet connections from spam-friendly Internet service providers, and throwaway America Online and Hotmail accounts.

"The practice of spamming is to get a stack of America Online CDs and sit around in your underwear in the living room and send all the spam you want," Doctorow said.

Moreover, anonymous speech has civil rights protections and should be encouraged, despite the risks, Doctorow said. Anonymity protects whistle-blowers such as those who helped bust abuse at Enron. It protects dissidents in repressive countries. And it protects people needing medical information who are too ashamed of their conditions to seek the information openly.

Doctorow believes there are several factors at work in the fear over Wi-Fi. One is the effort by competitors to stop its spread.

"I think the phone companies intuitively understand that the day that someone offers a credible alternative to the phone company is the day that the phone companies go out of business," Doctorow said. "Hating the phone company is a grand American tradition."

Another force at work is the "knee-jerk reflexive reaction of people mistrustful of anonymity. They are grinding the same axe they have been grinding since the Internet began," Doctorow said.

And Wi-Fi gets police scrutiny for the same reason that the Internet enthusiasts love it: It's romantic. Cruising around looking for open Wi-Fi connections is much more exciting than computer police's usual work.
"There was an NSA cop who pulled some hilarious stunt where he drove around D.C. with a homemade Wi-Fi detector and issued a press release about open Wi-Fi networks," Doctorow said. "My theory on this is that being a computer cop is incredibly boring. When you become a cop, you have this vision of nailing perps, but when you are a computer cop you're sitting at a desk all day dissecting DLLs and looking at dense CERT reports."

On a final note, Doctorow said that enterprises and consumers who want to block access to their networks should at least activate the Wired Equivalent Privacy (WEP) functionality that comes built in to wireless networking equipment. WEP has been widely criticized for being easily compromised, but at least it serves as a "no trespassing" sign, letting people know that they should not connect.

External Links

Cory Doctorow has been tracking reports about Wi-Fi and its alleged dangers, along with his own caustic commentary, in his weblog, Boing Boing.

- Warchalking in government
- Burgers, Fries, 'n' WiFi: The first Los Angeles area Wardrive-in, Wed. Oct. 16
- Is FBI wireless FUD a form of wish-fulfillment?
- Wireless FUD: Spammers *could* use WiFi
- Warchalking FUD in the Calgary Sun.
- FBI on War-chalking: the sky is falling, halp!
- Warchalking FAQ
- Nokia lies about warchalking, BBC reports as fact

Archives at: <http://web.wireless.com/index.php?name=Mailing_List&fn=viewml&mid=4>
Weblog at: <http://weblog.warpspeed.com>

------ End of Forwarded Message