Open Wireless and the Illusion of Security

I notice a lot of other posters here don’t seem to have read what Bruce wrote about this. You all really should before posting.

For the benefit of the lazy, here are some excerpts refuting a lot of what I see being said here:

Um, I think you have it wrong Jeff. Bruce’s reasoning is just that it’s more polite to have an unsecured network. Your posting makes it seem as though he has a why bother type attitude. After reading his post, it sounds like he’s just being a nice guy by not securing it.

I think you got it wrong Jeff. In Bruce’s post, he says he’s just leaving it unsecured as a courtesy to others. Your post implies that he isn’t securing it because WEP or WPA isn’t secure. Sounds like he’s just a nice guy and that’s why he doesn’t add security.

Bruce’s decision – by his own description – is not one of promoting leaving your AP unsecured. He states that he does so, and his reasons for doing so.

First, because he sees benefit in a society where open access points are ubiquitous; e.g. if his neighbors need access because they have problems with their ISP, they can borrow his (and vice-versa).

Second, because he sees very little to gain by doing so. If you participate on open networks often, you have to secure your hosts for open WiFi environments anyhow.

My personal, additional take on it is this: anyone who thinks of security as preventing use simply doesn’t get it. Security is about availability, too. Why would you add the admin overhead of rotating your WPA passphrase, keeping your MAC filter list up to date, etc. if you don’t have any real security gain?

Wow! Some of you people are very generous to be willing to share your internet service that you pay for with your neighbors. Unless my neighbors want to split the bill, they can get their own!

Carl wrote:

Wow! Some of you people are very generous to be willing to share
your internet service that you pay for with your neighbors. Unless
my neighbors want to split the bill, they can get their own!

Bruce Schneier wrote:
If someone were using my network to the point that it affected my
own traffic or if some neighbor kid was dinking around, I might
want to do something about it; but as long as we’re all polite, why
should this concern me? Pay it forward, I say.

So if someone’s causing problems, sure I’d do something about it. (A good example of this would be calling me up to ask for support or complain about downages on my own line, which a total mooch would almost certainly do.) But if not, what difference does it make to me? Why be selfish just for the sake of being selfish?

So he keeps his wireless open because it allows him to concentrate more on securing his computer? Seems to me that you could do both and it would be just that much more secure. After all, someone can’t break into your PC if they can’t get to your PC.

I’ve never been too worried about someone hacking into my computer… much like Jeff, my concern is also bandwidth. I’ve got a lot of neighbors around me and if even one of them was a peer-to-peer file sharer, that could kill me. Plus the hassles I’d have to deal with if they got caught doing anything illegal.

When I was setting up my new Vista laptop it turned out to be unhappy with suppressed SSID. Looking for a solution, I was browsing some Microsoft literature and found a link to Steve Riley’s Security blog, and an interesting article about SSID suppression and MAC filtering.

Apparently you’re safer NOT suppressing your SSID, as otherwise your PC has to send out a list of all SSIDs it wants to connect to, more frequently than the WAP broadcasts its own ID.
And MAC is readable from any packet, and easy enough to spoof, but at least it doesn’t do any harm to keep filtering on.
So you’re relying on encryption, almost entirely.

Having said that, I have long thought how nice it would be to be able to offer others the use of my redundant bandwidth. It’s a sad world we live in, where considerations of corporate profits, terrorism and perversion have to take precedence.

33 characters is an arbitrary (and excessively high) standard for a strong pass phrase. Based on the technique described at

http://world.std.com/~reinhold/dicewarefaq.html#tables

each character has 6.55 bits of entropy. So a 20 character passphrase would have over 128 bits of entropy, which is entirely adequate for protecting any wireless network.
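The arithmetic in the comment above, worked through as an added example that is not part of the original post. It assumes every character is drawn uniformly at random from the 94 printable ASCII characters (the case where 6.55 bits per character holds; a human-chosen phrase has less) and uses the 8 to 63 character limit of WPA/WPA2-PSK passphrases; all function names are hypothetical.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation; no space).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
DICEWARE_WORDS = 7776          # 6**5 entries in a Diceware word list
WPA_MIN, WPA_MAX = 8, 63       # WPA/WPA2-PSK passphrase length limits


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol chosen uniformly at random from the alphabet."""
    return math.log2(alphabet_size)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Total entropy of `length` independent, uniformly random symbols."""
    return length * bits_per_symbol(alphabet_size)


def min_length(target_bits: float, alphabet_size: int) -> int:
    """Fewest uniformly random symbols needed to reach target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def random_passphrase(target_bits: float = 128) -> str:
    """Random printable-ASCII passphrase with at least target_bits of entropy."""
    length = max(min_length(target_bits, len(PRINTABLE)), WPA_MIN)
    if length > WPA_MAX:
        raise ValueError("target entropy does not fit in a WPA passphrase")
    # secrets draws from the OS CSPRNG; the random module is not suitable here.
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


if __name__ == "__main__":
    print(f"bits per character : {bits_per_symbol(len(PRINTABLE)):.2f}")
    print(f"20 characters      : {entropy_bits(20, len(PRINTABLE)):.1f} bits")
    print(f"33 characters      : {entropy_bits(33, len(PRINTABLE)):.1f} bits")
    print(f"chars for 128 bits : {min_length(128, len(PRINTABLE))}")
    print(f"Diceware words for 128 bits: {min_length(128, DICEWARE_WORDS)}")
    print(f"sample passphrase  : {random_passphrase()}")
```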

Actually I think the illusion of security is fine - as long as the illusion is going the right direction. If potential thieves think you have good security, it’s a deterrent. That’s why you can buy fake security cameras and blinking lights to make it look like you have a car alarm. When my ISP was down, I looked to see if there were any open wireless networks in my area, and I found one - but I also found at least 20 protected by WEP. I wouldn’t bother to take the time to break into one - it’s much easier to just drive over to McDonald’s with my laptop.

Almost every home in America can be broken into with a hard kick or a crowbar, but people lock their doors anyway. This is usually enough to keep from being robbed, but it’s not real security. Almost every business in America has a GLASS door on the front, and a burglar alarm that goes off way too late… this isn’t security, but it does prevent most businesses from getting robbed.

I use WEP at home simply to avoid interference with my neighbors and not because I’m worried about either downloading or hacking. Somehow we all seem to choose the same channel and depending on the weather see each other’s networks. This way I don’t print on their machines and they don’t on mine. The primary security on any of the machines in my home network is local to each machine, and unfortunately depends on the security consciousness of my teenage children ;). If you’ve read Mitnick’s how to book on fraud then you see that people are the security hole and to a large extent the coding algorithms only have to be good enough to make human factors attacks the only possible success.

I think everyone is missing the point when he says he leaves his wifi network open. He’s saying that you should protect your data at more granular levels than just tossing a key or passphrase on your wifi. Networks are more easily physically attacked - someone just walking in and plugging in a cat6 cable. Once they’re on your network, what do you have in place to prevent theft or destruction of your data?

Think about that aspect - assume someone can and will get on your network - through a brute force attack, social engineering, or breaking and entering - what defense do you have now? Stating he keeps his network open is a way to get people to think about security a little more deeply, past algorithms and passphrases and such. Assuming a sufficiently motivated attacker will surpass such protection, where does that leave you, your data, and your business?

I just use a WPA passphrase constructed from one of Jeff’s regexes:

@/?p|br\s?/?|/?b|/?strong|/?i|/?em|
/?s|/?strike|/?blockquote|/?sub|/?super|
/?h(1|2|3)|/?pre|hr\s?/?|/?code|/?ul|
/?ol|/?li|/a|a[^]+|img[^]+/?

Unfortunately, now I have two problems…

If you don’t want anyone trying to access your network, don’t use wireless. If you don’t mind sharing, use wireless. Simple as that, if you ask me.

Whitelisting, anyone?

I don’t do anything sensitive over the air, so sniffing encryption isn’t important to me. What’s important is that no one gets full access to my network.

@Bear - I don’t think anyone is missing that point really, and I think what Jeff is saying is that even if you have your data encrypted and whatnot, you should still protect the network itself because that is a resource that you paid for. I put my gun and some valuables in a safe, right next to my mean little dog, but I still lock the house.

I believe the 2WIRE### wireless access points are from the utilities company for reporting gas/electrical usage. That’s how it works in our city.

@mikeb; @BugFree:
MAC filtering will keep out most of the neighbours, but MAC addresses can be detected and spoofed using readily available tools (allegedly).
Just a sniff of a single packet from one of your whitelisted devices will reveal its MAC address in plain text, no guessing necessary.

If I have nothing to steal will the thief still come in the night?