Is It Possible To Salvage Open WiFi?
from the would-be-nice dept
We recently wrote about how a guy had his home raided by gun-toting law enforcement officials accusing him of downloading child porn when it really came from someone else who had hopped on his open WiFi router. While the lesson we got out of it was that law enforcement needs to rethink when it calls in SWAT teams and beef up their own technical knowledge, the lesson that many others were pushing was that you must lock up your WiFi router. This is unfortunate for a few reasons. There definitely are times when it makes sense to lock up your WiFi, but there are also advantages to having an open router.
The folks at the EFF are trying to salvage the idea of open WiFi by kicking off a call for an Open Wireless Movement. To make this work, they note that the two key reasons why people encrypt their WiFi are (1) so that they don't have all their bandwidth sucked up by others and (2) to avoid security issues with unencrypted content being accessible to others on the network. Rather than using that as an excuse for saying everyone should lock down their WiFi, the EFF suggests making a WiFi system that can remain open while solving both those issues:
The best solution to this problem is to have WiFi routers which make it very easy to share a certain amount of bandwidth via an open network, but simultaneously provide an encrypted WPA2 network that gets priority over the open network. Some modern routers already support multiple networks like this, but we need a very simple, single-click or default setting to get the prioritization right.
[...]
There is currently no WiFi protocol that allows anybody to join the network, while using link-layer encryption to prevent each network member from eavesdropping on the others. But such a protocol should exist. There are some technical details to work through, but they are manageable.
But, overall, the proposal is to push for people to recognize that open WiFi isn't evil and often has tremendous benefits:
Most of us have had the experience of tremendous inconvenience because of a lack of Internet access. Being lost in a strange place with no way to find a map; having an urgent email to send with no way to do so; trying to meet a friend with no way to contact them. Even if we have data plans for our mobile phones, we've probably had these experiences in cities or countries where our phones don't have coverage or don't have coverage for less-than-extortionate prices. We may even experience this problem at home, when our Internet connection dies while we urgently need to use it.
Finding yourself in one of these binds is a bit like finding yourself parched and thirsty while everyone around you is sipping from nice tall glasses of iced water, or finding yourself cold and drenched in a rain storm because nobody will let you under their umbrella. At those moments when you are lost, or missing a deadline, or failing to meet your friend, it is almost always true that Internet data links are traveling through your body in the form of electromagnetic wireless signals -- it's just that people have chosen to lock those networks so that you can't make use of them.
To be honest, I doubt this will get that much traction. There just aren't enough reasons for people to purposely leave their WiFi open, no matter how nice it would be. Combine that with more modern wide-area wireless networks, and this becomes less and less of an issue.
Filed Under: encryption, open wifi, wireless
Reader Comments
Download quotas
Given how much harder it is to have a private home Wi-Fi network that allows you to share files and printers between your own machines, while only sharing the net connection with arbitrary clients (as compared to just locking down the whole thing), deliberately running an Open Wifi connection has always struck me as something that is always going to remain a pretty rare occurrence, even in countries where download quotas don't knock it on the head.
[ link to this | view in chronology ]
Re: Download quotas
This is the bugger I have (it has really poor wireless range anyway but also does 2 VOIP lines) --Belkin site http://tinyurl.com/3dkrnnd -- iiNet-supplied with custom firmware. The theory is however they connect, their usage and my mac address are reported back to Tomizone who send me some cash.
So I guess in essence, even with capped internet, that sort of thing does exist, and I guess it also confirms that firmware to do it does exist already.
I currently pay for more than I need (50g peak and off at 20mb/s) but conversely if I am on holidays or my kids visit, I can stay unshaped.
[ link to this | view in chronology ]
Error: Reason not good enough
[ link to this | view in chronology ]
Every other ISP explicitly prohibits sharing in the T&Cs.
Worse, the Digital Economy Act means you're legally liable for any copyright infringement or other activity that happens on your connection. So expect Internet cafes, libraries etc with wifi to become a thing of the past.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
The dark ages
Personally I don't miss having open wifi access points at all - my phone is always connected via 3G and can share that via wifi if I need to get another gadget online. The speeds are even quite acceptable - the only unacceptable part is the artificially high cost that has been applied to that sort of thing.
Like most things, once we sort out our main problem as a species (using hostile concepts like money and trade instead of actual cooperation), there is zero technical reason why we wouldn't have very fast and totally ubiquitous wireless access on every electronic device that can use it.
[ link to this | view in chronology ]
One-click setup
[ link to this | view in chronology ]
Re: One-click setup
[ link to this | view in chronology ]
Re: One-click setup
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Possible Solution (seen on slashdot comments)
That would probably stop ICE from kicking down someone's door at 3AM, and it would also stop residential internet providers from determining that someone has opened their internet connection to the public, which is universally against ISP terms of service. It also might be a boon to some of those onion proxy networks by letting people choose to become relays and exit nodes on the fly. The police would hate an initiative like that.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Basically, I do it because I'm a nice person. So, I guess I'm a part of this "movement" already. I check periodically and I've never had anyone seriously hogging bandwidth (I think most people get that that's uncool).
[ link to this | view in chronology ]
I had the Neighbor Problem
Internet access became really slow. I turned on logging and found my neighbor was running 24-7 file sharing on my Internet connection.
I was forced to figure out how to get it locked down.
All it takes is one inconsiderate person who probably thought he was anonymous and undetected.
[ link to this | view in chronology ]
Friends don't let friends run open Wifi
It lets them send email as you. It lets them transfer money out of your bank account if you log into your bank. It lets them post on your Twitter account. It lets them post from your Facebook account.
So, tell me again why you want more open wifi hot spots?
(The "good" news is that FireSheep is causing more sites to switch to SSL.)
[ link to this | view in chronology ]
Re: Friends don't let friends run open Wifi
Which is why this article pointed out that there should be open, but encrypted, WiFi.
FireSheep is a red herring in this discussion.
It lets them send email as you. It lets them transfer money out of your bank account if you log into your bank. It lets them post on your Twitter account. It lets them post from your Facebook account.
Almost none of that is really true. Pretty much all bank accounts are encrypted these days. I can't believe any are still unencrypted. I can't think of any webmail services that aren't encrypted. And more and more of both twitter and facebook are encrypted.
So, tell me again why you want more open wifi hot spots?
As was stated in the article, the idea is to create encrypted but open Wifi.
[ link to this | view in chronology ]
Re: Re: Friends don't let friends run open Wifi
I think the problem here is that "open" can refer to an unencrypted WI-FI network as well as one that is promiscuous (i.e. allows anyone to join). I think what Rob is referring to are potential security problems when using an unencrypted WI-FI connection. The lack of security depends on what the user is doing with it. My webmail has a choice of using HTTP or HTTPS. You are right about banks though, I can't imagine any using HTTP still.
Maybe I can get people to start using the word promiscuous for these networks despite its negative connotations. There is a precedent for its use to describe NICs that did not filter received frames based on MAC address.
[ link to this | view in chronology ]
Re: Re: Friends don't let friends run open Wifi
I don't think wifi is evil any more than I think guns are evil, but both must be used carefully.
Maybe I misread the article as encouraging everyone to start using any and all open wifi connections they encounter. I'm just saying use caution, something I don't read any note of caution in this article.
The first thing that might be helpful is to find a new name for the secure version of "open wifi" (which my quote from the EFF says doesn't exist yet.)
Maybe the EFF should have kicked off the Secure Wireless movement.
[ link to this | view in chronology ]
Maybe this is off-topic and maybe it's a red herring but ...
http://www.grc.com/securitynow.htm
Both audio and transcripts are available.
In this episode Steve quotes what ConsumerAffairs.com today wrote:
"Computer security specialists have issued a warning about Firesheep, a new downloadable add-on to the Firefox browser. If the person in a coffee shop with you has it, they can see exactly what you're doing online.
"The feature was reportedly created by a Seattle software developer, whose purpose was to demonstrate how vulnerable unsecured networks are. Unfortunately, he's unleashed a tool that can turn a computer amateur into an accomplished hacker. With Firesheep, a computer user can log onto a public network, in an airport or coffee shop, and get a list of all the computers that happen to be connected to the network at that moment. "Simply by double-clicking on one of the names, the Firesheep user can access whatever that computer user is doing online. If they are updating their Facebook account, the Firesheep user is also logged in. Firesheep works by intercepting Internet cookies, which websites place on your computer when you visit so they will recognize you when you return. Professional hackers have had that tool in their arsenal for years. Now, thanks to Firesheep, anybody that has downloaded the add-on can do it too."
So as of that date Steve says that all these sites were vulnerable: Amazon, Basecamp, bit.ly, eNom, Facebook, Foursquare, GitHub, Google, Hacker News, Harvest, The New York Times, Pivotal Tracker, Twitter, ToorCon, Evernote, Dropbox, Windows Live, Cisco, Slicehost, Gowalla, and Flickr. And coming soon is Yahoo!, eBay, LinkedIn, Digg, Reddit, Wikipedia, Blogger, GoDaddy, Posterous, Tumblr, Netflix, YouTube, Slashdot, MobileMe, PayPal, Salesforce, Craigslist, MySpace, Match, and AOL.
However, many of them have switched to SSL.
So I'm just trying to spread the word about real world concerns that many people don't know about. I'm personally not using open wifi; the risk is too great. If you can't configure your router then turn the wifi off until you can get help.
That's all I'm saying.
Peace,
Rob:-]
[ link to this | view in chronology ]
The EFF says ...
[ link to this | view in chronology ]
Re: The EFF says ...
https://threatpost.com/en_us/blogs/ibm-unveil-secure-open-wireless-system-black-hat-080311
[ link to this | view in chronology ]
Fail!
[ link to this | view in chronology ]
Re: Fail!
Another point is that security is not absolute. You should be able to choose what level of security you want given what you are doing at the moment. Even if you can't trust the AP or prevent a MITM (Man In The Middle) attack, you might want to use an encrypted WI-FI link so that a low-level script kiddy can't use Firesheep to view your lunch-time session at 4-chan or out your AC identity on Techdirt.
A final point is that until all your destinations incorporate TLS, you may want to still use a promiscuous WI-FI AP to connect without exposing all your communications to the typical thief or voyeur. It's not absolute security. Without a way to authenticate APs, there is always the possibility of a MITM attack. It comes down to the level of security you are willing to accept. I might use webmail via HTTP at home but I wouldn't do that over a promiscuous WI-FI connection, encrypted or not. However, there are some things I would do, using HTTP, as long as the WI-FI link was encrypted.
[ link to this | view in chronology ]
anonymous or not?
I think anonymous access can be very useful despite this potential drawback. The government is likely to lean the other way and attempt to outlaw it when the opportunity arises. A new protocol is a new opportunity. A protocol, similar to WPA enterprise, could be used to allow anyone, who registers with the government, access to any promiscuous (public) network by authenticating with a government owned, or contracted, authentication server. The wonderful side-benefit of this is less likelihood of SWAT raids upon the innocent, at least as far as computer crimes go.
Another way to gain anonymity on the web is to use an onion router network like TOR. So, anonymity is not totally lost if anonymous access to public WI-FI is eliminated.
A side note:
I had an interesting exchange on Slashdot with someone about the Dutch guy who was convicted of making death threats via the internet but was determined not to have committed a crime by using someone else's WI-FI connection.
http://www.techdirt.com/blog/wireless/articles/20110319/00082913559/dutch-court-says-breaking-into-encrypted-wifi-router-to-use-connection-is-legal.shtml
I believe my comment exchange was with the Dutch culprit himself doing some sock-puppeting on Slashdot to clear his name. He was fluent in Dutch but absolutely lied about what was in the Dutch court documents. I called him on that but he kept it up. Here was a very technical guy, but he still didn't bother to spoof his MAC address.
[ link to this | view in chronology ]
economic argument
If there was a system in place such that every WI-FI access point was public (promiscuous), it seems that seems would settle down to an equilibrium where some percentage of users were parasites (didn't bother to pay for connectivity) and the rest were hosts. The result would be that the total use of bandwidth ends up divided among fewer paying customers. If the providers had some fixed cost for providing bandwidth then they would end up charging the hosts more than they would otherwise. So, even without a system with rates based on actual usage, the hosts end up paying more in the long run by opening up their WI-FI connection.
[ link to this | view in chronology ]
suggested protocol
Excuse the formatting, Allowed HTML gets in the way here
WAP sends (public key, SSID, MAC Address) to any host
host chooses symmetric key for session, encrypts this key with WAP public key, sends to WAP
all further communication between WAP and host uses session key.
Configure WAP with a set of fixed MAC addresses which will get priority over guest connections. Under Linux, use HTB queuing discipline to set up traffic shaping based on MAC address. Fixed set gets priority. Left over bandwidth is split equally between guest connections.
[ link to this | view in chronology ]
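The first two steps of the exchange proposed in the comment above, as an added Python example (not the commenter's code): each host wraps its own session key for the WAP, so guests do not share key material. Textbook RSA over small Mersenne primes stands in for the unspecified public-key scheme and is for illustration only; the class names and the `fingerprint` check are hypothetical additions, the latter showing how a host could tell the real WAP's key from a look-alike announcement, since the proposal itself does not authenticate the WAP.

```python
import hashlib
import secrets

E = 65537  # public exponent


class AccessPoint:
    """WAP side. Toy textbook RSA (no padding): illustration only."""

    def __init__(self, ssid: str, mac: str, p: int, q: int):
        self.ssid, self.mac = ssid, mac
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
        self.sessions = {}                        # host MAC -> session key

    def announce(self) -> dict:
        # Step 1: (public key, SSID, MAC address), sent in the clear to any host.
        return {"pub": (self.n, E), "ssid": self.ssid, "mac": self.mac}

    def accept(self, host_mac: str, wrapped: int) -> None:
        # Step 2, receiving side: unwrap the session key the host chose.
        self.sessions[host_mac] = pow(wrapped, self._d, self.n)


def fingerprint(announcement: dict) -> str:
    # Hypothetical out-of-band check value, e.g. posted next to the SSID.
    n, e = announcement["pub"]
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


class Host:
    def __init__(self, mac: str):
        self.mac = mac
        self.session_key = None

    def join(self, announcement: dict, expected_fp: str = "") -> int:
        # The announcement is unauthenticated: SSID and MAC alone prove nothing.
        if expected_fp and fingerprint(announcement) != expected_fp:
            raise ValueError("access point key does not match expected fingerprint")
        n, e = announcement["pub"]
        self.session_key = secrets.randbits(128)
        return pow(self.session_key, e, n)  # Step 2: key wrapped for the WAP


def demo() -> dict:
    # Constructed sample network; all names and addresses are made up.
    ap = AccessPoint("OpenButEncrypted", "02:00:00:00:00:01", 2**61 - 1, 2**89 - 1)
    posted_fp = fingerprint(ap.announce())
    alice, bob = Host("02:00:00:00:00:a1"), Host("02:00:00:00:00:b2")
    for host in (alice, bob):
        ap.accept(host.mac, host.join(ap.announce(), posted_fp))
    # Same SSID and MAC, different key pair: only the fingerprint tells them apart.
    lookalike = AccessPoint(ap.ssid, ap.mac, 2**107 - 1, 2**127 - 1)
    try:
        Host("02:00:00:00:00:c3").join(lookalike.announce(), posted_fp)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "alice_ok": ap.sessions[alice.mac] == alice.session_key,
        "bob_ok": ap.sessions[bob.mac] == bob.session_key,
        "keys_differ": alice.session_key != bob.session_key,
        "lookalike_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```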
It might become less and less of an issue in the U.S., but in many areas in Europe wide-area public Wi-Fi is non-existent.
So I guess you do not need that many reasons to leave your connection open; I like it when I can check google-maps or my email through public Wi-Fi when abroad (see the don't have coverage for less-than-extortionate prices problem), and I like to think I may be doing someone else the same favor.
Then again, in Europe it is quite easy to cross borders, maybe travelling in the US does not generate the same issue, though I believe the point still applies.
[ link to this | view in chronology ]
Open WiFi
"Google WiFi" is open and can be used by anyone in MV, from anywhere. Meanwhile we can lock down a portion with, say, WPA or whatever.
Unfortunately, WiFi is not good for VOIP; so we have GWiFi, our WPAGWiFi, and DSL (for VOIP).
Interestingly, Google gives us free phone service (which we use), but not a usable broadband - WiFi is based on shared bursts of data, and in VOIP that means garbled phone calls! We use free GVOIP, but on our DSL system (which is slower than GWiFi, but steady).
[ link to this | view in chronology ]
*If* someone is monitoring at the time the association is set up, they will get all the data needed to compute the actual session key. But if they weren't able to see the establishment of the association, they can't derive the key. So, unlike the case with non-encrypted connections, just being able to converse with the access point doesn't mean you can read all its traffic. In fact, you can only read your own.
Now, this is not a very robust kind of protection. One attack against an existing connection is to interfere with it in any of a variety of ways, forcing it to be re-established - at a time when you are presumably monitoring. Still, it's better than nothing - and it's sufficient to render connections opaque to Firesheep.
A convention some people are following is to give the network a name that tells you what password to use. Of course, you can (depending on the exact circumstances) simply tell people what the password is - or put up a sign with that information.
-- Jerry
[ link to this | view in chronology ]
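The point of Jerry's comment above, worked through as an added example (not code from the comment or the article): assuming the scheme he describes is WPA2 with a shared passphrase, the standard PBKDF2 and PRF key derivation shows that a guest who knows the passphrase and recorded another station's handshake nonces computes the same pairwise key, while one who missed the nonces does not. The SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac


def pmk(passphrase: str, ssid: str) -> bytes:
    # Pairwise master key: identical for everyone who knows the passphrase.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter).
    out = b""
    for counter in range((nbytes + 19) // 20):
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[:nbytes]


def ptk(master: bytes, ap_mac: bytes, sta_mac: bytes,
        anonce: bytes, snonce: bytes) -> bytes:
    # Pairwise transient key: per-association key material (48 bytes for CCMP).
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(master, b"Pairwise key expansion", data, 48)


def nonce(tag: str) -> bytes:
    # Constructed 32-byte stand-in for a random handshake nonce (deterministic here).
    return hashlib.sha256(tag.encode()).digest()


# Constructed sample values, not taken from any real network.
SSID = "CafeGuest-pw-is-espresso"
PASSPHRASE = "espresso"
AP = bytes.fromhex("020000000001")
ALICE = bytes.fromhex("0200000000a1")
BOB = bytes.fromhex("0200000000b2")


def demo() -> dict:
    shared = pmk(PASSPHRASE, SSID)
    an1, sn1 = nonce("ap-1"), nonce("alice-1")
    alice_key = ptk(shared, AP, ALICE, an1, sn1)
    # Bob knows the passphrase and recorded Alice's handshake (MACs + both nonces).
    bob_copy = ptk(shared, AP, ALICE, an1, sn1)
    # Bob's own association uses his MAC and fresh nonces.
    bob_key = ptk(shared, AP, BOB, nonce("ap-2"), nonce("bob-1"))
    # Alice re-associates: the earlier recording no longer yields her key.
    alice_rekeyed = ptk(shared, AP, ALICE, nonce("ap-3"), nonce("alice-2"))
    return {
        "observer_matches": hmac.compare_digest(alice_key, bob_copy),
        "per_station_keys_differ": alice_key != bob_key,
        "stale_capture_useless": bob_copy != alice_rekeyed,
        "temporal_key_len": len(alice_key[32:48]),  # TK used to encrypt data frames
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```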
Opening your Wifi could exponentially boost your download speed
Open wifi could exponentially boost your download speed!!!
Think about it. Here in the city I routinely pick up between 4 and a dozen wifi signals and I'm on the edges of suburbia. In some of the denser student areas there are up to 20 signals.
Now think of how much time you are online. Unless you are a massive torrent fiend, you're probably on for a few hours most nights. Think of all the people you know who only go on for a few hours a week or every few months; I'm thinking of my parents here. Basically there is a lot of unused bandwidth.
There could be a sharing open bandwidth standard that if you have it allows you to hop onto all wifi signals you can reach and then onto all wifi signals those transmitters can reach etc. So your 1mb could be boosted up to the max maybe 50 or 100mb if no one else close is on at the time.
Fair sharing rules could be agreed that could encourage leaving the wifi turned on whilst not in use. Intelligent interval transmission could be used to save power when no users on.
If this system already exists, let me know what it is called; if it doesn't, who can make it and what problems need to be overcome? This idea overcomes the usual problem of requiring selflessness by making wifi sharing a selfish act that is also altruistic.
[ link to this | view in chronology ]