Topic: WashPo embarrasses itself with hysterical WiFi FUD article
HenBen (message 6)
07-27-2003 05:25 PM ET (US)
I agree with most of what you say, Cory, but not this:

"I'm no more "unprotected" from spammers on my WiFi node (something I've yet to see a single published account of, despite the continuous warnings about it) than I am from spammers sending Nigerian 419 letters from the next terminal at the library"

What you're saying is: we haven't heard about drive-by spamming happening, therefore it's not a threat.

I think this is a poor argument for the following reasons:

1. It's easier for spammers, crackers and other electronic miscreants to use wired methods today, but as spamming gets harder to do, maybe insecure wireless networks will become more tempting. It would be a shame if efforts to make spam harder to send ended up being circumvented by spammers wandering around big cities with wireless cards. Your attitude reminds me of a big company responding to a newly revealed security hole - dismissing it as "theoretical". Which means anyone who wants to could do it, but they just haven't bothered yet.

2. Just because you haven't read about it in the blog-o-sphere doesn't mean it's not happening. I understand that companies that have security "incidents" generally don't report them. I've worked for a company that handled big financial transactions but had little idea about security. If something had gone wrong, they'd definitely have hushed it up. Some companies might be so clueless that they don't even know that something's gone wrong.

 Also, I think you place too much trust in WEP. It's known to be broken - as I understand it, anyone who can sit near your office for half-an-hour running the right program can read the traffic. Granted, from the paranoid security-minded point of view, a lot of things that people do on wired networks are insecure. But it's unrealistic to say "Well, just use strong cryptography for everything". Joe User isn't checking his email using strong crypto. It behooves wireless vendors to come up with a properly secure system, and more importantly, have it turned on by default, and work seamlessly. Most people just won't bother using it otherwise. In fact, I'm posting from a wireless network with no WEP because my new Airport card seems to refuse to do WEP with the Dlink access point in my house. I'm sure I'll figure it out, or set it up to limit access by MAC address, but, like most home users, I have better things to do. It'll be a while till I get round to it.

 I'm sure done properly, Wi-Fi is as secure as the typical company's wired setup. But the problem is, the typical company has an overworked, undertrained IT dept who won't do things properly. I think there's a need for publicity about Wi-Fi security risks, as long as it avoids scaremongering.

Now, how can I get my network to reach the pub across the road?
Cory Doctorow (message 7)
07-27-2003 05:59 PM ET (US)
Edited by author 07-27-2003 06:05 PM
No -- what I'm saying is that warnings about drive-by spammers are:

1. Hysterical, because there are no published accounts of this occurring in the wild, and so it constitutes a marginal threat today (Ebola is a genuine threat, but if no one has ebola for 15,000 miles around, there's no sense worrying about it)

2. Nonsensical, because it's no skin off my dick if someone uses my node to send spam, so long as I'm not the recipient -- this is a threat to OTHER PEOPLE, not people who operate hotspots

3. Disingenuous, because this amounts to an attack not on WiFi, but on anonymity, a value that is central to American democracy. Saying, "allowing people to connect to the Internet without keeping track of who they are is a 'risk' because they might send spam" is the same as saying, "Anonymity is wrong."

Er, you've misunderstood me on WEP. I've been making fun of WEP for years.

Meanwhile, every single ISP customer whose ISP requires SSL is using strong crypto to fetch mail. ISPs could accomplish universal, across-the-board secure mail by simply insisting on this. And they should.
jetifi (message 8)
07-27-2003 07:32 PM ET (US)
I'm not going to lay into the article, but there's one thing bears mentioning:

People hate spammers. People *really* hate spammers. Spammers know people hate spammers. Ergo, spammers have no interest in being physically close to the people whose network they are abusing. Sending spam via a WiFi node would be really, really bad for the spammer's personal safety.

Having said all that, maybe I'm forgetting about Spam Rule #1 (http://killaspammerforchrist.com/therules.html - excuse the OTT URL.)
SpoogeDemon (message 9)
07-27-2003 08:25 PM ET (US)
"it's no skin off my dick if someone uses my node to send spam, so long as I'm not the recipient"

Until your ISP shuts your connection down because of all the spam coming from your node.
QrazyQat (message 10)
07-27-2003 09:32 PM ET (US)
"Security professionals" also noted that "although no calamitous hacking event has been launched using a Dvorak keyboard, it is only a matter of time."

I've been trying to get those damned Dvorak keyboards banned for years -- did you know that 99% of them lack built-in security features entirely?

It's good to see that "Security professionals" is on the case.
Cory Doctorow (message 11)
07-27-2003 10:16 PM ET (US)
Edited by author 07-27-2003 10:17 PM
"Until your ISP shuts your connection down because of all the spam coming from your node."

If a restaurateur finds his premises occupied by stake-out crews of anti-bank-robber-cops because a series of robberies are traced back to plans hatched in his back-booth, is he at fault for failing to require that all his customers positively identify themselves and agree to having their conversations recorded?

Anonymity is a fundamental principle. It's worth standing up for. Anonymity-but-only-for-people-who-aren't-doing-bad-stuff doesn't exist -- if you require everyone who's "anonymous" to be identified and have their activities logged in case they do something bad and you take some heat, you've abandoned anonymity.
SpoogeDemon (message 12)
07-28-2003 12:17 AM ET (US)
Yes, that's all very well and good.

However, in the real world, if your ISP gets a flood of spam complaints that get traced back to your IP, they will shut off your connection. If you've got a nice expensive T1 or something, you'll probably get a few warnings first, but if it continues they eventually have to take action to avoid getting blacklisted in one of the spam databases. You can tell them all about how you're standing up for the principle of anonymity by opening up your WiFi node to the world, but I can guarantee you they won't give a shit.

Similarly, if someone connects to your node and tries to hack the White House's website, the cops are going to show up on your door, confiscate your computer equipment as "evidence", and probably arrest you.

If you still want to open up your node to the world, then great, go for it. But realize that there are risks involved, and it doesn't do you any good to pretend those risks don't exist or don't affect you.
Cory Doctorow (message 13)
07-28-2003 12:27 AM ET (US)
*Similarly, if someone connects to your node and tries to hack the White House's website, the cops are going to show up on your door, confiscate your computer equipment as "evidence", and probably arrest you.*

I'm sorry, you're wrong.

I work at an office where we could be reasonably expected to hear about this sort of thing if it happened. It doesn't.

What may happen is that the FBI shows up with Carnivore wiretap equipment, or interviews you, or asks you to testify. The "cops descending on your home and confiscating your equipment" doomsday scenario is inspired by Hollywood movies and the misbegotten Operation Sundevil raids of the early 90s, not the reality of today. In today's world, ISPs have clearly demarcated safe harbors for the actions of their users, as set out by the CDA, DMCA and other statutes.

In the real world, if you believe in a principle, you stand up for it, even if that means that bullies who "won't give a shit" take unilateral action to punish you. In the real world, principles matter. In the real world, the danger to free speech posed by abridging anonymity is far greater than the inconvenience of spam. In the real world, people who don't stand up for their principles get trampled. People who do have a chance of winning. In the real world, you can only win by pushing back. In the real world, the counsel of defeat can lead only to defeat.
Cory Doctorow (message 14)
07-28-2003 12:37 AM ET (US)
In any event, this is all non sequitur in relation to the article, which implied that your open network would be used to damage your computer and compromise your data, not invoke the wrath of self-appointed Internet cops or shadowy Fed spooks.
Chris Adams (message 15)
07-28-2003 03:09 AM ET (US)
HenBen - why is it impractical to say "Use strong crypto"? It's a single checkbox in any of the common email clients; web browsers have had it for years and paranoia at large corporations has at least been enough to get most other remote access protocols to either use SSL (e.g. Microsoft Terminal Services) or play nicely over a VPN. 5 years ago that was a reasonable complaint but now it's rare to find a situation where the use of an insecure protocol isn't due to laziness or incompetence.

As far as spam goes it's hardly a big deal to limit normal outbound SMTP to a single authenticated server - most ISPs are starting to do that anyway to cut down on open relays and things like those spam-sending worms - and it's increasingly likely that the average DSL / cable line is going to be on the non-MX blacklists anyway. It's not at all unreasonable to say that you must use SMTPS or a VPN to send email from a public access point if you don't have an account.
osquigle (message 16)
07-28-2003 06:58 AM ET (US)
I've been tempted to weigh in on posts similar to this one for a while now; might as well take the plunge now.

Cory has mocked various articles claiming that this or that security professional said this or that bad thing about WiFi a few times now. In most of the technical points, he's right: there's a lot of quatsch going around.

But, as a "security professional" myself, I feel it should be pointed out that WiFi does, indeed, present new and complex dangers. Here are a few: (warning: long, and not directly a response to Cory's post)

1. Sniffing. It's true that sniffing can be done on wired networks. It's not at all true that DSL is similarly insecure. You cannot sniff DSL very easily: the DSL protocol (PPPoE or PPPoA) is point to point (PPP) between you and the local router. On some networks you may be able to sniff others' traffic, but this will mostly have to be an active attack (you send nasty packets, easily detectable and traceable to your phone number) and can usually be prevented at the network topology level. (Older cable systems (old DOCSIS) are idiotic, though newer ones tend to do some non-standard futzes on the hardware modem side, to prevent sniffing. This is essentially the same as legislating NICs that can do promiscuous mode off your network: it won't work very well. There are a few outs, mostly bureaucratically legislating that only modems of non-hackable type x shall be allowed on the network; even if this is in the TOS, it's unlikely that many companies check.) No matter what, though, unless the last mile network was designed by monkeys, you're going to have a hard time sniffing more than a handful of randomly-selected neighbors.

WiFi sniffing is trivial, WEP doesn't do a damn thing, and the sniffing is very directed. If you know that a company has a WiFi network without VPN, you can just show up and steal the traffic. This is a NEW problem, and a serious one. (And, even if the company does do VPN, you can just flood the VPN concentrator; in many cases, the admins will allow non-VPN access while they debug the problem.) Sniffing at hotspots isn't so directed -- unless you know your target is at Starbucks right now -- and so like a box of chocolates. The best solution is to make sure users of your hotspot know that they shouldn't do anything remotely sensitive (at least, without a VPN). This is not only the only solution, it's also a perfectly adequate one.

2. The spam thing is nonsense. WiFi is not significantly different from wired nets here; I find it perfectly reasonable to think that if, say, lots of spam gets sent from the Tompkins Square Park WiFi net, that that address space get blacklisted from sending SMTP. This is the solution we have in place now, and it's a fairly good one. (The process surrounding blacklists needs, admittedly, work.) But really, the only solution to spam is going to be host- and server-based filtration. Legislating security at endpoints is stupid.

3. Wanting auditability is not, however, stupid. It's really very necessary in order for network/security/forensics techs to get much done. WiFi is much harder to trace back to the source. In the standard case, there ought to be audit trails that link traffic patterns to the sender; this is not Orwellian, this is the price one pays to be on a public network. Auditability also ensures that network techs have the info they need to debug and streamline networks; it's a good thing. As an administrator, I expect that, when I get a bunch of bad traffic from subnet x, I can email the admin of x and get a response. The hotspot admin has no control over this sort of thing; even with audit trails she couldn't even get in touch with the offending user to fix the problem...

In the case of private networks, auditability on WiFi has solutions. Or rather, the solution is to require VPN. On public nets (ie, hotspots) requiring some sort of logon/authentication procedure would be an administrative nightmare, and would spoil the point. I think the solution there is twofold: 1) Strict outbound filtering. The admin of a hotspot should take steps to ensure that bad traffic doesn't leave the network, or at least as little nastiness as possible is allowed out. Certainly no spoofed traffic should leave. A well-built proxy (eg squid) can prevent non-compliant/broken user software from affecting the Net as a whole, and would have the win of increasing speeds for hotspot users; adaptive inline firewalling (eg snort) can help to block intentionally-evil packets. 2) At some point, we need to just bite the bullet. Hotspots will never be able to match the professionalism of real, administered nets. But, I think they're a big win in other ways, so shouldn't just be banned. I think we should just take the good with the bad, realizing that some networks with higher security requirements might end up blackholing hotspot traffic. (Bigger problem here is legally protecting the guy who set up the WiFi net from lawsuits regarding what his users did... I think best-effort rules ought to suffice here, though I'm also inclined to think that best-effort ought to involve outbound filtering. To my knowledge, there are no easy-to-use solutions to the outbound filtering problem, though.)

4. These are all traditional network-side problems; they have for the most part traditional solutions. (If you haven't gotten the picture yet, I mean VPN.) The big doozy with WiFi are the entirely new problems it presents. Case in point: there's some new übergeek digital camera coming out (link lost, sorry) that does WiFi. There is no chance in hell that this thing could do VPN if it tried; even WEP would be surprising. PDAs, MP3 players, and all the rest are slated for WiFi compat soon. None of these things will be able to communicate securely. What in the world are we going to do about this? Mr. Professional Photographer takes a Pulitzer winning shot, hopes to use the proceeds to fund a year of college for his kid. Comes home only to find out that someone has already sold his images to a disreputable tabloid. Mr. Corp Executive keeps his secrets on his PDA, unknowingly walks through a hotspot. Suddenly half of lower Manhattan has access to his notes on the upcoming merger. Etc.

This is Fear and Uncertainty, but not Doubt. This hasn't happened (to my knowledge) yet, but it's a very plausible scenario. I'm pretty sure it will happen, a number of times, before anyone does something about it. The problem is, what is there to do about it? This is the sort of thing that keeps security consultants employed, and is exactly why security consultants see dangers in WiFi. When copiers and printers started being ethernet-ready out of the box, it caused all sorts of problems. Xerox copiers suddenly morphing into warez FTP servers and the like. Companies still have a hard time segregating network devices so that the printer sits behind a restrictive firewall. (This sort of thing is also what keeps sec. consultants employed.) When the thing is WiFi-enabled, firewalling simply won't work. What then?

(The problem here is also not new to WiFi. The local computer stores here in Germany are selling wireless keyboards for the same price or cheaper as wired ones. I'm even using a wireless keyboard right now: it's really nice, and fits my desk-style perfectly. But there's zero link-level encryption going on in these things. Who needs Carnivore or keysniffers when you can just stand outside with a radio receiver?)

Sorry this is so long. I don't disagree with Cory that there's a lot of crap being said. But Cory's posts have, it seems to me, underplayed the fact that there is a serious risk involved with WiFi. It may be true that the coverage of the problems in national papers has been FUD-ish. But it's going to be very hard to explain to a non-technical audience what the real problems are. Filtered through a gee-whiz journalist, and you get articles like these. And really, spam isn't so far off the mark --- if you take spam to be undesirable network traffic in general, not just SMTP...

Of course, the biggest problems arise when congressfolks read these articles and get their legislative juices flowing. But that's why we have the EFF, right?
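
Added example, not part of any post in this thread: a sketch of the hotspot egress policy that messages 15 and 16 describe (no spoofed traffic leaves, plain SMTP goes only to one designated relay, and blocked attempts are counted per client for the audit trail). The subnet, relay address, threshold, flow records and function names are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed values (documentation address ranges, not from the thread).
HOTSPOT_NET = ipaddress.ip_network("192.0.2.0/24")   # addresses handed to clients
SMTP_RELAY = ipaddress.ip_address("198.51.100.25")   # the single permitted relay
SMTP_PORT = 25
ALERT_THRESHOLD = 3   # blocked direct-SMTP attempts before a client is flagged


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt seen at the hotspot gateway."""
    src: str
    dst: str
    dport: int


def decide(flow):
    """Return (verdict, reason) for one outbound flow."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Anti-spoofing: only addresses the hotspot itself assigned may leave.
    if src not in HOTSPOT_NET:
        return "drop", "spoofed-source"
    # Plain SMTP is allowed to the designated relay only. SMTPS (465),
    # VPN and everything else are left alone, as message 15 suggests.
    if flow.dport == SMTP_PORT and dst != SMTP_RELAY:
        return "drop", "direct-smtp"
    return "accept", "ok"


def audit(flows):
    """Summarise drops so the admin has a per-client record to act on."""
    direct_smtp = Counter()
    spoofed = 0
    for flow in flows:
        _, reason = decide(flow)
        if reason == "direct-smtp":
            direct_smtp[flow.src] += 1
        elif reason == "spoofed-source":
            # A forged source address cannot be attributed by IP; count only.
            spoofed += 1
    noisy = sorted(ip for ip, n in direct_smtp.items() if n >= ALERT_THRESHOLD)
    return {"spoofed": spoofed,
            "direct_smtp": dict(direct_smtp),
            "noisy_clients": noisy}


# Constructed sample traffic for the example.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.25", 25),   # mail via the relay
    Flow("192.0.2.10", "203.0.113.80", 443),   # ordinary HTTPS
    Flow("192.0.2.10", "203.0.113.7", 465),    # SMTPS to the user's own provider
    Flow("192.0.2.44", "203.0.113.5", 25),     # direct-to-MX attempts
    Flow("192.0.2.44", "203.0.113.6", 25),
    Flow("192.0.2.44", "203.0.113.8", 25),
    Flow("192.0.2.51", "203.0.113.9", 25),     # one misconfigured mail client
    Flow("10.9.8.7", "203.0.113.80", 80),      # source outside the hotspot net
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, decide(f))
    print(audit(SAMPLE_FLOWS))
```
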
HenBen (message 17)
07-28-2003 07:03 AM ET (US)
Cory: sorry I misunderstood you about WEP. Also, like I said, I don't mean to defend the article. But I'm not sure if I agree with your attitude of "who cares if someone spams with my node?" That's like saying "who cares if someone spams off my open relay?" You should care (a) out of civic responsibility, or whatever the net equivalent is, and (b) because you might end up on blacklists.

I don't see how the right to anonymity is infringed by people securing their access points if they want. Just because I have a phone line, people don't have a right to come into my house and call whoever they want.

As for your question about crypto, Chris: good point about SSL, but not everything you might want to keep private can be done easily over SSL. What if a wireless network is used to transfer patient records internally in a GP's office? Also, the webmail services that the vast majority of people are still using offer SSL as an option, if at all. Of course, this is addressing a different threat to spamming, but people should be aware of the threat of eavesdropping.

 If "it's rare to find a situation where the use of an insecure protocol isn't due to laziness or incompetence", that's going to leave lots of insecure nodes. That's the point - the average home user is concerned with getting things working, and lots of IT depts are lazy or inept. I think people should be warned that there are risks. Just not in a scaremongering way.
tomk (message 18)
07-28-2003 10:09 AM ET (US)

"WiFi, short for wireless fidelity"

What?

I thought the term "WiFi" evolved from combinations of the words "HiFi" and "wireless". I have never heard it called "wireless fidelity".

After this statement, 3 lines into the article, I knew I needn't take any technical content in the article seriously.

People that don't take the care to properly protect their equipment from hackers deserve to be blacklisted. It's probably the only way that most of them find out that they've been hacked.

As far as protection goes, turn on WEP, configure your access point to only allow connections from specific, known hardware addresses, and turn off network discovery. This is not rocket science. The manufacturers of 802.11 hardware need to do a better job of informing their customers,
thebo (message 19)
07-28-2003 06:04 PM ET (US)
wep...

http://airsnort.shmoo.com/

"AirSnort requires approximately 5-10 million encrypted packets to be gathered. Once enough packets have been gathered, AirSnort can guess the encryption password in under a second."
Chris Adams (message 20)
07-29-2003 02:17 AM ET (US)
HenBen - my point was simply that strong crypto is a lot easier to use than it was in the past. Yes, many webmail providers don't do SSL yet. The solution is for them to spend $50 on an SSL certificate and get into the late 90s, not for us to go around making our wireless networks less reliable and harder to use. Programs like ettercap make it very easy to sniff passwords even on switched networks, so I tend to see the use of an unencrypted protocol as a security nightmare waiting to happen. It's much better to check the "Use SSL" option on the server and clients and avoid that whole class of problems, even if it does mean reminding a security-naive admin that this is a Really Good Idea which they should set up soon. Otherwise you end up with the "crunchy shell, soft chewy inside" network which significantly amplifies the damage from the inevitable worm, disgruntled employee, trojaned desktop, etc.

Some of this may be colored by my job as an admin in an academic environment - you don't even want to think about trusting campus networks - but I think it's increasingly necessary elsewhere, too. Things like HIPAA really raise the risk of continuing to do things the way we did a decade ago and the general trend is towards more accountability and higher fines for inadequate security.

As far as file sharing goes, it's probably not that hypothetical GP's biggest problem (far more data seems to leak from Outlook worms and careless/dishonest employees) and they arguably should be encrypting the files directly but there's an easy solution which requires no client-side software: WebDAV over SSL. Windows and OS X users can interact with it just like a normal file server and it's completely secure (OS X users arguably don't need this as 10.2 uses SSH tunnels for AFP networking but it's nice to have the option). SFTP is even more portable and the GUI clients are quite easy to use these days. Sure, it requires learning a little bit but that's a requirement for most jobs these days - smart business owners are not going to be that sympathetic to the inertia argument when compared to the prospect of, say, ruinous HIPAA fines.
MozMatt (message 21)
12-04-2003 11:48 AM ET (US)
I think that perhaps the level of hype about how easy it is to crack WEP is getting pretty high. This is an example from the AirSnort forum:


I got AirSnort 02.1.b to crack a 40 bit key after collecting 3693 interesting packets out of a total of just over 10,000,000 encrypted packets. The 40 bit crack breadth was set at 12.

It took 6 hours to generate the packets, by running approx 250 concurrent PINGs on a W2K Pro client station.

The PING (ping -t-f 192.168.1.1) targeted a Linksys AP - model BEFW1154_v2 (firmware 1.42.7).

The W2K client station used an Orinoco Gold card in a PCI adapter (firmware 7.28).

The capture machine ran RedHat Linux 7.3 on a Pentium 3 - 500 MHz, using a Cisco Aironet 350 PCI card (firmware 4.25.30).

At these firmware levels, both the Orinoco and the Linksys AP generate sequential IV numbers. Before starting the Airsnort capture, I reloaded the firmware on both devices, so the IVs started out initialized to 00:00:00.


So to succeed with a short key took 6 hours of fairly intimate internal access to the network (including 250 concurrent sets of pinging to generate some nice predictable traffic!)