[ibook_steve]

I've been using wireless connections at home since about 2002 or 2003. In all that time, I have not used any wireless security (WEP, WPA, WPA2, etc.) except for MAC address checking. Every time I say to myself that I'm finally going to turn on security, I find one device or another that I have that doesn't support the recommended security protocol (i.e. not everything supports WPA2). I also find network troubleshooting hampered by having security enabled. I always have file sharing turned off on all my devices and I occasionally check the AEBS logs to see if anything other than my listed trusted devices (based on MAC addresses) are connected.

Am I asking for trouble from hacking kids in my peaceful little suburb? Or is there something else I should be worried about? I have found little to no need to enable it and complicate things when everything just works.

Thoughts?

Steve

[ghporter]

Not "stupid" exactly, but you're paying for people you don't know to have Internet access (almost guaranteed), and if you share anything on any of the computers on your network (wireless or wired) they could be compromised by a really dedicated intruder without much effort.

Your peaceful little suburb may seem safe, but there are definitely people around you who want to mess with your network, for profit or merely for pleasure. You don't have to go as paranoid as I have to prevent others from having access. You should use a long, random password that uses as many different kinds of characters as you can. This isn't something you have to remember, so there's no reason for it to be understandable; in fact, it's much better if it isn't. I'd consider 20 characters a minimum length for security with WPA or WPA2. WPA has been battered, and there's an exploit that makes it possible for an intruder to insert arbitrary data into your network, potentially messing it up temporarily, but WPA will still protect your data AND your access.

How paranoid am I? My wireless network is secured with WPA2 using a 63 character password. The password is exceptionally random and includes all types of characters. It does not include anything more than three characters in sequence that could be part of a dictionary word. I change my password on an infrequent and irregular basis, but I have a bunch of them saved up so I just copy/paste from my text file (on a USB flash drive) and all my authorized machines have access. I have not used MAC address filtering for about 6 months and haven't found evidence of any intrusions, so I probably won't go back to it without good reason.

[Simon]

How about this - you set up your main wifi network with proper WPA2 enabled, MAC address filtering, the works. That's what you use to hook up all your Macs and important stuff to.

Then you create a cheap secondary wireless network (like an old AP Express plugged into your main wifi BS through Ethernet) with MAC address filtering, hidden SSID, but the lowest common denominator in terms of security. WEP and WPA (not WPA2) can be considered broken, but having something instead of nothing is probably still a bit safer in that it will take more effort and a more determined attacker (vs. a casual leacher). You then hook up old devices that don't support WPA2 to this wifi. Important stuff stays away from this network. You could also consider putting this network on a different subnet. Also, make sure to regularly go through the log files of this wifi network.

That way your important stuff stays safe, while you have a back door for older devices before you replace them. Sure, having a non-WPA2 wifi is always a problem, but until you get rid of older devices that don't support it, this would at least add some extra obstacles.

[ghporter]

The two-network approach isn't that big a deal to do, assuming you have the additional hardware it takes. Until my son moved out, I ran two networks; one protected as I described above and the other protected only by WPA (because the XBox 360 doesn't support WPA2) and MAC address filtering. It's kinda hard to do anything damaging by hacking into a network that only has an XBox on it, so I wasn't at all worried about that one being compromised.

[ibook_steve]

Does the new dual-band support on the new AEBS support different security on each band (guessing not)? I have way too many boxes and cables as it is and I've been trying to avoid having to get a separate router for my b/g network devices (which could obviously be used with separate wifi security settings).

Steve

[Cold Warrior]

Originally Posted by ibook_steve 

Does the new dual-band support on the new AEBS support different security on each band (guessing not)?

It does not.

[ghporter]

See my last post in the "messed up my WEP" thread. An inexpensive wireless router should be more than adequate for supporting a lesser security level on devices that won't support WPA2.

[Cold Warrior]

If you set up that second wifi router in bridged mode, someone could still easily crack your WEP and get into your LAN -- including attacking your primary wifi router. Additional security steps if you go this route are for MAC address lists, static IPs, and -- importantly -- that router's own subnet so its devices can't access the LAN of your primary router.

...assuming you don't need those devices cross-talking and don't need any specific WAN-LAN port forwarding on.

[Simon]

Originally Posted by Cold Warrior 

that router's own subnet so its devices can't access the LAN of your primary router.

That was part of the original suggestion.

[Cold Warrior]

Originally Posted by Simon 

That was part of the original suggestion.

In passing, yes, but it lacked mention of the subnet acting as a wall between networks.

[Simon]

Indeed it did lack mention of the explicite reason. But yeah, that's the intention. You want separate subnets to make sure an intruder getting onto the WEP wifi does not also get access to clients on the entire LAN.

[steve626]

Originally Posted by ibook_steve 

I've been using wireless connections at home since about 2002 or 2003 ...
Am I asking for trouble from hacking kids in my peaceful little suburb? Or is there something else I should be worried about? I have found little to no need to enable it and complicate things when everything just works.

Two anecdotes for you. While visiting her grandmother, my 16-yr old daughter reported that even though Grandma had no internet, she (my daughter) was able to easily poach off neighbors unprotected wireless routers to get in while visiting there. Then at our house, while I was working out the settings of our new N wireless router and had for a short time put in a setting that caused lost wireless in our house, my daughter simply joined our neighbors' unprotected Apple airport network until I got the setup right with our router. Simply stealing your internet bandwidth is probably not going to hurt you too much, but there are ways to try administer to such "open" routers from the outside and thus someone could "take over" your router, even keep you from using it anymore! So yes, kids with time on their hands can easily go after other routers, even in nice neighborhoods (especially in nice neighborhoods).

Here's an even scarier one for you: one of the networks in my neighborhood is called "linksys" and is unprotected. It clearly worked "out of the box" and the user didn't bother to do anything but plug it in. It was set up so you could log in to it as the administrator using the default password. I left it alone (I don't even know where this network is, but it can't be too far from my house I guess) but I could have set up a new password, restricted MAC address access to that router, put other restrictions on it, disabled the router firewall, and made the owner post on some forum somewhere crying "help, my new router doesn't work anymore, I can't get on the internet anymore and it was fine yesterday" (how many of those posts have you seen?).

As for me, I use WPA2, MAC address filtering, and a password with letters and numbers that isn't very short. To me this is like locking your car, versus leaving the car unlocked with the keys in the ignition. Eventually, one person will come along and take that car that's easy, eventually.

[Simon]

You are right about somebody being able to take over a router. That can happen. But actually, I don't think that's the really bad part. Once you notice you can't get onto your own wifi anymore, you'd try to check the settungs, realize you can't get in, unplug the router and do a hard reset. Problem solved (at least partially).

But what IMHO is much more of an issue is that somebody could be leeching off your wifi to engage in illegal activity. Let's say the exchange of child pornography. This person will try to make sure you don't notice any changes so he can go on doing his stuff appearing to the outside wold as you. Now in principle sharing wifi is a great idea, the problem is the legal side of things. When the feds kick in your door because they've gathered evidence that you're sharing child porn, you can't just say, oh sorry that must have been a leecher. Now the burden of proof is on you. That's the part I find scary.

[ibook_steve]

Everybody keeps mentioning the possibility of leeching my wifi. However, as I said, I use MAC address filtering so only machines with the hardware addresses I specify can connect. Of course, I understand that somebody could spoof those addresses, but then the question becomes, how would they find out what the addresses I allow are in order to spoof them?

This is why I feel safe. People can see my SSID (don't really care about that), but they can't connect.

Steve

[ghporter]

MAC addresses are not completely protected by the encryption. I forget the details, but an intruder can find the MAC address of an authorized computer by sniffing enough packets. Since it would be a simple matter of just sniffing your traffic, it wouldn't matter to the intruder whose MAC he was stealing, it would be, by default, an authorized MAC.

[Cold Warrior]

Kismet and its Mac variant KisMac identify not only the SSID MAC address but those of its clients too. It takes just a few minutes of listening. MACs are also passed routinely in ARP traffic.

[dimmer]

Or you can take the social view and leave your SSID public, your network unlocked, and your computers secured. Just like you were using a WiFi hotspot all the time. Sure, you'll get leeches here and there, but you'll also be adding a little bit to your community.

[Simon]

Originally Posted by dimmer 

Or you can take the social view and leave your SSID public, your network unlocked, and your computers secured. Just like you were using a WiFi hotspot all the time. Sure, you'll get leeches here and there, but you'll also be adding a little bit to your community.

That would be a wonderful idea. Were it not for the whole legal issue I mentioned above.

[ghporter]

Originally Posted by dimmer 

Or you can take the social view and leave your SSID public, your network unlocked, and your computers secured. Just like you were using a WiFi hotspot all the time. Sure, you'll get leeches here and there, but you'll also be adding a little bit to your community.

Perfect world, etc., etc. Leeches could be benign, such as a neighbor that's not paying attention. Or not so benign. I do not take the risk of potentially non-benign leeches. All it would take would be one mobile spammer parked on my street for an hour or so, and it would be months before I'd be able to send a simple email because of all the blacklists MY IP would be on. No thanks.

[dimmer]

What can I say? I'm an idealist! I have hope for us.

So where can you find a wireless network with a public SSID, unlocked network, secured computers? Your local Apple Store. And they run those WinCE wireless POS devices...

[dimmer]

(Point of sale, not the other POS you may know of.)

[ghporter]

And Apple Stores have had a LOT of work done to make sure their POS system is secure. A couple years ago, my family took a cruise. While at sea one night, my son turned on his laptop and, in addition to the regular shipboard WiFi connection he was expecting, the ship's POS system was visible. And open. Seems someone made a goof and somehow turned off the security for the system. Being the knight errant he is, my son went to the purser's desk and showed them what he'd seen. Interestingly, both the shipboard WiFi network AND many of the shops aboard were down for most of the following day. This sort of thing takes constant attention to ensure that updates over here don't break things over there.

Now my home network isn't nearly that complex, but I still don't want to provide bandwidth to people I don't know because I do not want the responsibility of being a conduit for whatever it is they do. And though it would be all without my knowledge or explicit permission, there's a legal theory that says that providing the connectivity without some sort of effort to control who uses it is the same as implicitly giving permission to these anonymous users.

[Spheric Harlot]

Originally Posted by Simon 

But what IMHO is much more of an issue is that somebody could be leeching off your wifi to engage in illegal activity. Let's say the exchange of child pornography. This person will try to make sure you don't notice any changes so he can go on doing his stuff appearing to the outside wold as you. Now in principle sharing wifi is a great idea, the problem is the legal side of things. When the feds kick in your door because they've gathered evidence that you're sharing child porn, you can't just say, oh sorry that must have been a leecher. Now the burden of proof is on you. That's the part I find scary.

This is a BIG DEAL.

Maybe not so much in the States, but here in Germany, the owner of an internet connection is responsible for illegal activity taking place over it.

I.e., if criminal abuse of your internet detection is logged, you are responsible, at least initially.

[dimmer]

And Apple Stores have had a LOT of work done to make sure their POS system is secure.

It was actually really simple. Getting the VoIP phone badges to play nice, on the other hand...

One tenant of good security, physical and logical, is simplicity. As simple as possible, and no simpler.

there's a legal theory that says

Someone takes your car, and run someone over, are you liable? Nope. Someone taps into your land line and makes threatening phone calls, are you liable? Nope. To commit a crime you have to, like, commit a crime. Having an open WiFi network is not a crime (and could protect you if, you know, some of those web sites you visit are "questionable".)

[steve626]

Originally Posted by dimmer 

Someone takes your car, and run someone over, are you liable? Nope.

It's not that simple, actually. If you leave your car out with the doors unlocked and keys in the ignition and someone takes it and causes damage -- you are likely to be partially liable.

Also, if you allow someone to use your car and he/she causes damage, you the owner may find yourself liable if the driver did not have insurance.

Offering up a WiFi network with no security allows any computer in the vicinity to use the connection for any purpose. I assure you that if someone commits a crime and there are financial damages, someone's lawyer will come after you as well as anyone else they can convince a judge or jury shares some of the responsibility for what happened. If you want to take that chance, fine -- there are enough lawyers in my family who have told me that in these situations, you do share the liability. I'm certainly locking my "car".

[Simon]

Originally Posted by dimmer 

Someone takes your car, and run someone over, are you liable? Nope.

Not if the car was locked. Having an open wifi is like leaving the keys with the car for anybody to commit a crime with. And that would certainly get you into trouble.

Someone taps into your land line and makes threatening phone calls, are you liable? Nope.

But again, the burden of proof is on you. You're the one the feds come after. You're the one in jail trying to put up bail. You're the one who has to prove somebody was tampering with your landline.

I don't believe it's a simple as you put it. Even if in the end you can prove your innocence, you will be dealing with a lot of hassle and possibly even with liabilities.

Any legal experts here who could chime in on what has actually happened in such cases? Are there rulings?

[Spheric Harlot]

heise online - 08.07.08 - Gericht: Keine Haftung für offenes WLAN

In German.

This is actually new to me. A guy's IP was traced by copyright owners via an eMule file share.
The connection's owner was provably on vacation during the upload timeframe, and had an unsecured WLAN.

He was ruled liable by a court; the ruling was overturned last July by the state court. But it didn't go all the way through the levels.

Ruling here was that he is liable if he fails to verify the legality of users on his network, but that he can only be expected to explicitly verify this if he has concrete grounds to doubt the legality in the first place.

In the case of external users hijacking his internet connection, he has to first know about this, and second suspect that external users are actually using it for illegal purposes - which cannot be expected of a casual user.

However: This case was simplified by the fact that he was on vacation, and other cases HAVE ruled liability for an unsecured WLAN.

The jury is, quite literally, still out.

[OreoCookie]

Originally Posted by Simon 

Not if the car was locked. Having an open wifi is like leaving the keys with the car for anybody to commit a crime with. And that would certainly get you into trouble.

Even if you have not locked your car, you're not responsible for anything the thief does with it.

[Simon]

But if you give somebody your car and the keys that person is no thief. And you most definitely are responsible (at least partially) for what they do with your car.

[ghporter]

Originally Posted by dimmer 

And Apple Stores have had a LOT of work done to make sure their POS system is secure.

It was actually really simple. Getting the VoIP phone badges to play nice, on the other hand...

One tenant of good security, physical and logical, is simplicity. As simple as possible, and no simpler.

Instituting the security in the store IS simple. Figuring out WHAT to do, HOW to do it, and WHO will do it (and maintain it) is where the complexity lies. Simplicity is not always simple to generate.

Originally Posted by dimmer 

there's a legal theory that says

Someone takes your car, and run someone over, are you liable? Nope. Someone taps into your land line and makes threatening phone calls, are you liable? Nope. To commit a crime you have to, like, commit a crime. Having an open WiFi network is not a crime (and could protect you if, you know, some of those web sites you visit are "questionable".)

Yes, I could be liable. If it was clear that my car was unsecured and that there were people out looking for unsecured cars I could be held liable to some extent. Having an open WiFi network is a risk I will not take, especially since (here's the biggest part) I am paying for MY ACCESS, NOT OTHER PEOPLE'S. Terribly un-socialist of me, but I worked hard to get to where I can afford this. I don't share my TV access with others, I don't share my iTunes library with others, and I don't share my bandwidth.

[dimmer]

the burden of proof is on you

Actually, no it's not. This little "innocent 'till proven guilty" thing kicks in. You don't have to prove your innocence, the prosecutor has to prove -- beyond reasonable doubt -- your guilt.

I don't share my bandwidth.

Actually, you do, like it or not. Your ISP probably runs around a 10:1 oversubscription policy. Not that that's a bad thing overall (all of your utilities do the same thing).

But I think we've beat this (WiFi Security) horse to death by now. Agree to disagree and if you are ever in my neighbourhood and need a quick eMail read or sent I'll help you out, and if I'm in yours I can go freck myself?

[Simon]

Originally Posted by dimmer 

the burden of proof is on you

Actually, no it's not. This little "innocent 'till proven guilty" thing kicks in. You don't have to prove your innocence, the prosecutor has to prove -- beyond reasonable doubt -- your guilt.

Which he will by showing the court the ISP's records that show that the child porn was traded over an IP given to your ADSL or cable router.

The burden of proof is then on you. You will somehow have to convince the court that although everything went through your router, you had nothing to do with it at all.

Again, I think you are making this sound much simpler than it actually is. And I would really appreciate it if an actual lawyer (or any other legal expert) would comment on this rather than have a bunch of laymen (me included) exchange their guesses and hunches.

[OreoCookie]

Originally Posted by Simon 

But if you give somebody your car and the keys that person is no thief. And you most definitely are responsible (at least partially) for what they do with your car.

There is a difference between giving someone the car keys and leaving your car unlocked.

[Simon]

But does such a difference exists for wireless networks? Using no security at all on wifi is basically handing over your broadband connection to anybody and for any kind of use, isn't it?

[OreoCookie]

Well, you're constantly changing your analogy. And yes, of course there is such a difference.

However, even if you allow someone to use your network (or car or whatever), they're still personally responsible for what they're doing online. If I borrow you a kitchen knife and you kill your wife with it, how am I responsible for it? That's even true if I don't mind strangers surfing via my wireless connection (mine is protected, so this is hypothetical). Where we are, law is based on personal responsibility. To equate this with aiding and abetting is non-sensical -- unless you actually know that your connection will be or is used for something illegal. (If I know you want to kill your wife and I give you the knife, the situation is different.)

[Simon]

Sure they're responsible, I'm not claiming the opposite. But what about prosecution and liabilities? Let's assume they're gone and have left almost no traces. The DA OTOH will have an ISP record showing that illegal material went through your router. I seriously doubt it then suffices to say you didn't have WPA2 so the DA will at once let you go and shut down the case. Do you really think it's that simple? That would make convictions basically impossible, wouldn't it?

Also, there are countries (I know this is the case in Italy for example) where you always have to be able to link a user to an IP. Any wifi operator needs a copy of your ID before you're allowed online. I guess in such countries no wifi security isn't an option in the first place.

[Spheric Harlot]

Originally Posted by dimmer 

the burden of proof is on you

Actually, no it's not. This little "innocent 'till proven guilty" thing kicks in. You don't have to prove your innocence, the prosecutor has to prove -- beyond reasonable doubt -- your guilt.

It's your signature on the telecom contract, and the connection is in your hallway.

That's pretty strong evidence right off the bat that YOU have to exonerate yourself from.

[OreoCookie]

Originally Posted by Simon 

Sure they're responsible, I'm not claiming the opposite. But what about prosecution and liabilities? Let's assume they're gone and have left almost no traces. The DA OTOH will have an ISP record showing that illegal material went through your router. I seriously doubt it then suffices to say you didn't have WPA2 so the DA will at once let you go and shut down the case. Do you really think it's that simple?

They would have to prove personal involvement anyway. Evidence should surface after forensic analysis of the computer(s) of the accused. The burden of proof lies with the prosecution, you cannot prove innocence (i. e. you cannot prove what you haven't done, you can only prove what you have done).

Originally Posted by Simon 

That would make convictions basically impossible, wouldn't it?

There's a reason we have in dubio pro reo. Just because it's more convenient to assume the opposite at times doesn't mean we should selectively change that standard. In any case, you'd need proof of personal involvement.

Originally Posted by Simon 

Also, there are countries (I know this is the case in Italy for example) where you always have to be able to link a user to an IP. Any wifi operator needs a copy of your ID before you're allowed online. I guess in such countries no wifi security isn't an option in the first place.

I'm no legal expert, on Italian law much less.

[OreoCookie]

We usually use a combination of paper annotations (which are scanned to pdf) and comments in the LaTeX source instead. Isn't that an option in your case?
Oreo needs more coffee, that was meant to be posted in for this thread.

[Spheric Harlot]

Originally Posted by OreoCookie 

We usually use a combination of paper annotations (which are scanned to pdf) and comments in the LaTeX source instead. Isn't that an option in your case?

I gather that using a sledgehammer to dislodge the heads works quite well, too.