Bruce Schneier is one of the more venerated figures in the information security world, and rightfully so. But reading his article in Wired today, I think he might want to stick to encryption. (I know and like Bruce, so this isn’t a personal attack.)
Bruce has long bragged that he runs a totally open home wireless network. He considers it a kind of “pay it forward” charity. I love open WiFi and don’t have a problem with free access. Someday I might even open up part of my own network, although it’s probably not worth it considering where I live.
Bruce breaks the potential security risks down into two categories:
- Somebody abusing his network for illegal activity: spam, file sharing, attacking other systems, and so on.
- Connecting to his network and attacking his home systems.
He evaluates these risks as acceptable:
- Odds are a bad guy will use one of the five open, anonymous coffee shops down the street rather than parking in front of his house for (probably) hours on end. By saying that, he instantly guarantees that some prankster will park their VW van out front and spam everyone from “Bruce Schneier’s House”. Perhaps not, but he does accurately outline the potential legal risks.
- In his own words, “I’m also unmoved by those who say I’m putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it’s on, then it simply doesn’t matter. And if my computer isn’t secure on a public network, securing my own network isn’t going to reduce my risk very much.”
While these risks might be acceptable to Bruce, I don’t recommend them for anyone else, including myself.
- Depending on population density, your risk of abuse of an open network may be higher. I could open part of my network in my current location without much worry, but I’ve previously lived in places where the pedophile living below me would take advantage of an open network. That’s not an exaggeration; for most of the time I lived in a particular condo in Boulder, the person below me was known for risky activity. Never convicted, but concerning enough I sure as hell wouldn’t want him on my network. The risk of the RIAA going after you might also be higher if you live someplace with enough close neighbors that it’s worth someone’s effort to use your network to mask their activity. It’s a low risk for me where I am now, but has been high in the past.
- Very few people have the skills to secure their home network to the same degree as Bruce. I also suspect his network wouldn’t withstand a penetration test by a determined attacker. My home network is very secure; all systems are patched, firewalls turned on, and trust relationships are minimal. That said, I know I could crack it. I don’t encrypt all traffic (wireless is all WPA2 though) and I have some open file shares. Why? Because it’s “secure enough” for my home, and anything that leaves the walls and connects through the public Internet is totally locked down. In some cases, thanks to my consumer devices, I’m limited in the amount of security I can apply.
I wouldn’t make a big deal out of this, but Bruce is a role model to those interested in security. I can guarantee at least a few people will open up their networks to emulate Bruce, and be the worse for wear because of it.
He also mentions the risk of violating his ISP’s terms of service:
“Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn’t a big risk either. The worst that will happen to you is that you’ll have to find a new ISP.”
To give the press quote, if Bruce is doing this himself it looks like he has appropriately evaluated his personal risks and they are within his personal tolerance. If he’s recommending this to others, that’s just plain stupid.
I’ve thought about opening my own access up via a separate, segregated segment, but it’s not worth the effort since almost no one around me would need it.
Don’t follow Bruce’s example; he’s an industry pundit making a point. If you want to open up your wireless network, and are comfortable violating the terms of agreement with your ISP, please use a well-segregated open access point. Don’t just let anyone wander around and see what’s on your TiVo (since all TiVos have an open web server you can’t lock down without hacking, it ain’t that unusual a risk).
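What a “well-segregated open access point” can look like in practice, as an added example that is not from the original post: an nftables ruleset for a home router that gives the open guest segment Internet access only, blocks and logs any attempt to reach the private LAN (where the TiVo and file shares live), and logs new guest connections. The interface names and subnets are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: isolation policy for an open guest segment.
# Assumed (hypothetical) interfaces and addressing:
#   wan0 = uplink to the ISP
#   lan0 = private home LAN, 192.168.1.0/24 (PCs, file shares, TiVo)
#   gst0 = open guest SSID / VLAN, 192.168.50.0/24

flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define GUEST = "gst0"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        iifname $LAN accept
        # Guests may only obtain a DHCP lease and resolve names on the router
        iifname $GUEST udp dport { 53, 67 } accept
        iifname $GUEST tcp dport 53 accept
        # Anything else aimed at the router itself (admin UI, SSH) is logged and dropped
        iifname $GUEST log prefix "guest-to-router " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Private LAN may reach the Internet
        iifname $LAN oifname $WAN accept
        # Guest segment must never reach the private LAN: log the attempt, then drop
        iifname $GUEST oifname $LAN log prefix "guest-to-lan " drop
        # Guest segment may reach the Internet; log each new connection
        iifname $GUEST oifname $WAN ct state new log prefix "guest-out " accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Both segments share the single public address
        oifname $WAN masquerade
    }
}
```

The `guest-to-lan` and `guest-to-router` log prefixes are the entries worth watching, since they record guests probing beyond plain Internet access. Isolating guest clients from each other is a setting on the access point itself and is not covered by these router rules.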
Oh, and the Chuck Norris thing?
10 Replies to “Why You Shouldn’t Run An Open Wireless Network Like Bruce (Or Chuck Norris)”
I well agree with Mogull: if my network is secure, I am totally secure from my side.
common courtesy for guests to his home. He also lets them use his heat, water, and electricity. Most people disagree, citing these
[…] thing. I wrote a blog post last year about this type of thing in response to Rich’s post on lax wireless security. I was trying to think up scenarios where this would be a problem, and the best example I thought […]
@armitage and @krischan
You totally missed my point (and of course I’m egotistical, I have a freaking blog).
I love open wireless and support it if you take the proper precautions and separate out your networks. You also need to account for any personal risk.
Bruce is irresponsible to recommend it for the average users. You WILL lose your equipment and get dragged to court before you get to explain how you have an open network and the IP crime wasn’t you. You WILL get hacked if anyone with a modicum of skill comes by.
That’s not being “too scared”. I could open mine up safely (no need, I’m not in an area where anyone could use it), but most people can’t.
Consider it a Honeypot. Several of us used to joke that the feds are watching Bruce’s every move, waiting for the day they can nab him because he accidentally emailed a copy of TwoFish to some “terrorist” nation. The van outside is not a hacker, it’s the FBI. You and I on the other hand need to worry about unsecured WiFi. Speaking of which … time to upgrade the home network.
Rich,
I could not agree more. While I am a fan of Bruce and have a lot of respect for him, the bragging about his open wireless drives me nuts.
I have an open AP that provides limited internet access and I log it all. This is more of an experiment to see who is connecting to my public network and what they are trying to do, than me just wanting to provide free access to everyone. Nothing too interesting has popped up in a while, but people connect and poke around often enough to remind me why I protect my home network.
My private home network is physically segmented and locked down, so my “visitors” have no access to that and I can’t even imagine giving them access. Something about letting someone touch stuff I don’t want them touching, no matter how secure I think it is, doesn’t sit right with me. If everything in my house was nailed down I would still lock the doors when I leave, wouldn’t you?
Enough from me….
> advantage (to me)
I agree with Armitage … too egoistic. If you had a newspaper and would not read it, why give it to your neighbor? If you lived in a city … why pay taxes for the public library?
Why not? Ability to access information in the net becomes fundamental for most people. And if you leave open a port you might rejoice at somebody else leaving open a port (as I did during my three-month internship in another city).
And Schneier points out that the ISP’s rules might not be valid. He points out that making somebody responsible for a crime based on IP is weak evidence (see the allegedly 12.000 cases of child pornographer just before Christmas in Germany … collapsed).
Of course, it might cause you hassle. And if you are not prepared to take the slight risk, then do not do it (and better stop living altogether, everything has its risk).
Schneier himself seems to be prepared, enough money and lawyers.
But do not advertise the slight risk of wrongful prosecution as the “big bad wolf that will happen to you just around the corner”. And do not advertise all potential users as pedophiles and hackers waiting to enter.
He makes the point “The risk of leaving your wireless network open isn’t zero, but it’s probably small.”
Which is valid if you don’t mind “small” risks. But by the same token, locking down your wireless reduces your risk to near-zero, and reduces its utility to you not at all.
And what would be the advantage (to me) of opening up my wireless anyway?
You guys are too scared and too egoistic