Expert: Alleged Wi-Fi Risks Are Nonsense

[Dave Farber <dave () farber net>]

------ Forwarded Message
From: Dewayne Hendricks <dewayne () warpspeed com>


Expert: Alleged Wi-Fi Risks Are Nonsense

By Mitch Wagner, InternetWeek
Jan 9, 2003 (11:50 AM)
URL: <http://www.internetwk.com/story/INW20030109S0001>

A popular technology Weblogger says warnings about the supposed
security risks of Wi-Fi networking are nonsense. Law-enforcement
officials and telecommunications and networking companies have issued
several warnings about supposed security risks from 802.11b or Wi-Fi
wireless networks.

The warnings involve Wi-Fi hot-spots, which are wireless access
points set up so that any passing stranger with a Wi-Fi card in his
computer can use the network anonymously, without logging in or
paying any charge. These open networks are often set up inadvertently
by users who don't realize their new wireless access hardware is open.

Other times, open-access points are set up intentionally: by
restaurants and hotels looking to provide a service to customers, or
by individual Internet enthusiasts looking to provide a community
service.

The warnings go like this: Open Wi-Fi networks can be used by
attackers to read data going over a LAN or on an individual PC. Open
networks rob bandwidth from legitimate users, slowing down network
performance, and people who use open wireless networks without first
getting explicit permission are thieves perpetrating a
denial-of-service attack.

The anonymous nature of open networks means they can be used by
terrorists, spammers, or computer hackers and, in those cases, the
owner of the wireless network will be liable for damages. Owners of
wireless networks are warned that they could even face prison time if
a criminal or terrorist hijacks their services.

Of particular concern is a practice with the ominous name of
"wardriving," where Internet enthusiasts drive around looking for
open Wi-Fi connections in their neighborhoods. Then the enthusiasts
leave marks to let other hackers know where they can find Wi-Fi
connections, a practice known as "warchalking." For the enthusiasts,
it's a way to get out of the house, be social, map a local resource,
and do something for the community -- but for critics, it's ominous
hacker activity.

Using Wi-Fi network without explicit permission is a criminal act,
and people who maintain open Wi-Fi connections are threats to
national security, according to critics.

The fears are ridiculous, says Cory Doctorow.

Doctorow has made a mission of de-bunking Wi-Fi security concerns --
he'd call them myths -- as one of the themes he visits frequently on
his Weblog, Boing Boing, which he co-authors with three others. It's
one of the most widely read and oldest blogs out there, with 7,500
visits daily in December (see for yourself, the traffic stats are
open to the public).

How dangerous is Wi-Fi, anyway? What do you think? Take our poll and
let us know.

Like most blogs, Boing Boing is an eclectic mix reflecting all the
authors' interests: networking technology and civil rights, copyright
and digital rights management, Apple, Disney theme parks, and tiki
furniture. Doctorow is also outreach coordinator of the Electronic
Frontier Foundation, co-founder of the software company OpenCOLA, and
a science fiction writer whose first novel, "Down and Out in the
Magic Kingdom," was recently published.

Doctorow says there's only the tiniest bit of truth to any of the
security warnings, and even that little morsel of truth illustrates a
flaw in all current thinking about network security, not just Wi-Fi.

Contrary to conventional wisdom, Doctorow encourages enterprises that
maintain Wi-Fi connections to leave them open to public access. Doing
so is a service to the community: It builds goodwill and costs
nothing. On the other hand, attempting to close off the Wi-Fi
connection adds cost and complexity to the network.

Doctorow blames much of the fear about Wi-Fi on false information
spread by companies, such as Nokia, peddling 3G wireless and other
high-speed networking technologies competing with Wi-Fi. These
companies stand to lose a great deal of money if Wi-Fi continues to
gain popularity. Also, the image of the wardriving hacker has
captured the imaginations of law enforcement and the general public
eager to paint hackers as villains.

The one kernel of truth in all the controversy: Wi-Fi network users
can eavesdrop on clear traffic going over the network, Doctorow said.
But that's not a Wi-Fi problem, since any network where text is
moving in the clear is susceptible to the same kind of eavesdropping.
That's a security problem in all types of networks, not just Wi-Fi.

"The problem is firewalls, which don't work, haven't worked and
aren't going to work," Doctorow said. "Firewalls are bankrupt
technology predicated on the idea that everyone on one side of the
firewall is trustworthy, and no one on the other side of the firewall
is trustworthy." But in fact, criminals often gain access to the
network from the inside. In past months, authorities have arrested
several people accused of making criminal use of network access
gained by virtue of being present or former employees of the
companies they were charged with stealing from. And firewalls aren't
the only source of troubles: Many Internet service providers are
still transmitting passwords in clear text over the network.

The solution is not to limit Wi-Fi, but rather to install personal
firewalls on each computer, and encrypt all traffic going over the
network, Doctorow said.

Denial of service is another fear raised.

"There is a notion that gaining access to the network constitutes a
denial of service; every packet I take is a packet you can't use,"
Doctorow said. But in fact, users use only a trivial amount of a
high-speed Internet connection. Moreover, switches on corporate
networks are designed to balance multiple, high-speed demands on
network resources.

"The wireless connection is at best 11 Mbps, more likely 2 Mbps,
[but] when those are put on a 10 or 100 Mbit switched network, they
just don't generate enough collisions to matter, no matter how many
wireless users are out there," Doctorow said. "People who say to the
contrary are wrong, they do not understand what they are talking
about; they do not know how a switched network works. A router is
capable of multiplexing 10 Mbit connections and making sure the
traffic gets through."

He added, "The next argument we hear a lot of is the liability
argument. If someone connects to our wireless network and uses the
network for terrorism, drug deals, or child pornography, the police
will take you in for the crimes of some other person and won't you be
sorry then."

But in fact, the same laws that protect Internet service providers
from liability protect entities providing Internet connectivity,
Doctorow said. "If it were the case that the network provider were
liable, no one would provide network service and the Internet would
disappear," Doctorow said. "A good lawyer will tell you to laugh it
off."

Open Wi-Fi connections can present legal liabilities if the user's
Internet service provider prohibits sharing Internet connections;
Doctorow recommends finding a better ISP.

ISP limitations on Wi-Fi connectivity are simply an attempt to limit
access to the network and drive up profits, he said. "For anyone who
sells a consumable service to the public, the less of the service
that the customers use, the more money they can get," Doctorow said.
"One of the nice things about a free market is that it puts those
companies out of business." America Online rose to market leadership
by removing limits on network access, replacing metered hourly
connection plans in 1995 with plans that charged a flat monthly rate
for all the network connectivity a customer could use. He predicted a
similar shakeout would occur among ISPs as wireless networks become
more prominent.

The threat of anonymity falls down because there are easier ways of
finding anonymous Internet connections than driving around looking
for open Wi-Fi connections, Doctorow said. A terrorist or criminal
can simply use Internet access from a kiosk, Internet cafe, or
library.

The notion that spammers would use open Wi-Fi to send out messages is
ridiculous, he says. Spammers operate by using wired Internet
connections from spam-friendly Internet service providers, and
throwaway America Online and Hotmail accounts.

"The practice of spamming is to get a stack of America Online CDs and
sit around in your underwear in the living room and send all the spam
you want," Doctorow said.

Moreover, anonymous speech has civil rights protections and should be
encouraged, despite the risks, Doctorow said. Anonymity protects
whistle-blowers such as those who helped bust abuse at Enron. It
protects dissidents in repressive countries. And it protects people
needing medical information who are too ashamed of their conditions
to seek the information openly.

Doctorow believes there are several factors at work in the fear over
Wi-Fi. One is the effort by competitors to stop its spread.

"I think the phone companies intuitively understand that the day that
someone offers a credible alternative to the phone company is the day
that the phone companies go out of business," Doctorow said. "Hating
the phone company is a grand American tradition."

Another force at work is the "knee-jerk reflexive reaction of people
mistrustful of anonymity. They are grinding the same axe they have
been grinding since the Internet began," Doctorow said.

And Wi-Fi gets police scrutiny for the same reason that the Internet
enthusiasts love it: It's romantic. Cruising around looking for open
Wi-Fi connections is much more exciting than computer police's usual
work.

"There was an NSA cop who pulled some hilarious stunt where he drove
around D.C. with a homemade Wi-Fi detector and issued a press release
about open Wi-Fi networks," Doctorow said. "My theory on this is that
being a computer cop is incredibly boring. When you become a cop, you
have this vision of nailing perps, but when you are a computer cop
you're sitting at a desk all day dissecting DLLs and looking at dense
CERT reports."

On a final note, Doctorow said that enterprises and consumers who
want to block access to their networks should at least activate the
Wired Equivalent Privacy (WEP) functionality that comes built in to
wireless networking equipment. WEP has been widely criticized for
being easily compromised, but at least it serves as a "no
trespassing" sign, letting people know that they should not connect.

Related Links

NEWS - Expert: Customer-Owned Networks Will Be Telcos' Biggest
Competitors In Voice Over IP, Wireless - Marriott To Install Wi-Fi
Wireless Internet Access - Toshiba Touts Twin-Headed Wireless Laptop
- Startup Extends Wi-Fi Range To 1.2 Miles - Wi-Fi Shipments Expected
To Grow Fivefold - Tougher Security In The Offing For Wireless LANs

External Links

Cory Doctorow has been tracking reports about Wi-Fi and its alleged
dangers, along with his own caustic commentary, in his weblog, Boing
Boing.

- Warchalking in government - Burgers, Fries, 'n' WiFi: The first Los
Angeles area Wardrive-in, Wed. Oct. 16 - Is FBI wireless FUD a form
of wish-fulfillment? - Wireless FUD: Spammers *could* use WiFi -
Warchalking FUD in the Calgary Sun. - FBI on War-chalking: the sky is
falling, halp! - Warchalking FAQ - Nokia lies about warchalking, BBC
reports as fact


Archives at: 
<http://web.wireless.com/index.php?name=Mailing_List&fn=viewml&mid=4>
Weblog at: <http://weblog.warpspeed.com>


------ End of Forwarded Message

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To unsubscribe or update your address, click
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/