osquigle | #16 | 07-28-2003 06:58 AM ET (US)
I've been tempted to weigh in on posts similar to this one for a while now; might as well take the plunge now.
Cory has mocked various articles claiming that this or that security professional said this or that bad thing about WiFi a few times now. In most of the technical points, he's right: there's a lot of quatsch going around.
But, as a "security professional" myself, I feel it should be pointed out that WiFi does, indeed, present new and complex dangers. Here are a few: (warning: long, and not directly a response to Cory's post)
1. Sniffing. It's true that sniffing can be done on wired networks. It's not at all true that DSL is similarly insecure. You cannot sniff DSL very easily: the DSL protocol (PPPoE or PPPoA) is point to point (PPP) between you and the local router. On some networks you may be able to sniff others' traffic, but this will mostly have to be an active attack (you send nasty packets, easily detectable and traceable to your phone number) and can usually be prevented at the network topology level. (Older cable systems (old DOCSIS) are idiotic, though newer ones tend to do some non-standard futzes on the hardware modem side, to prevent sniffing. This is essentially the same as legislating NICs that can do promiscuous mode off your network: it won't work very well. There are a few outs, mostly bureaucratically legislating that only modems of non-hackable type x shall be allowed on the network; even if this is in the TOS, it's unlikely that many companies check.) No matter what, though, unless the last mile network was designed by monkeys, you're going to have a hard time sniffing more than a handful of randomly-selected neighbors.
WiFi sniffing is trivial, WEP doesn't do a damn thing, and the sniffing is very directed. If you know that a company has a WiFi network without VPN, you can just show up and steal the traffic. This is a NEW problem, and a serious one. (And, even if the company does do VPN, you can just flood the VPN concentrator; in many cases, the admins will allow non-VPN access while they debug the problem.) Sniffing at hotspots isn't so directed -- unless you know your target is at Starbucks right now -- and so like a box of chocolates. The best solution is to make sure users of your hotspot know that they shouldn't do anything remotely sensitive (at least, without a VPN). This is not only the only solution, it's also a perfectly adequate one.
2. The spam thing is nonsense. WiFi is not significantly different from wired nets here; I find it perfectly reasonable to think that if, say, lots of spam gets sent from the Tompkins Square Park WiFi net, that that address space get blacklisted from sending SMTP. This is the solution we have in place now, and it's a fairly good one. (The process surrounding blacklists needs, admittedly, work.) But really, the only solution to spam is going to be host- and server-based filtration. Legislating security at endpoints is stupid.
3. Wanting auditability is not, however, stupid. It's really very necessary in order for network/security/forensics techs to get much done. WiFi is much harder to trace back to the source. In the standard case, there ought to be audit trails that link traffic patterns to the sender; this is not Orwellian, this is the price one pays to be on a public network. Auditability also ensures that network techs have the info they need to debug and streamline networks; it's a good thing. As an administrator, I expect that, when I get a bunch of bad traffic from subnet x, I can email the admin of x and get a response. The hotspot admin has no control over this sort of thing; even with audit trails she couldn't even get in touch with the offending user to fix the problem...
In the case of private networks, auditability on WiFi has solutions. Or rather, the solution is to require VPN. On public nets (i.e., hotspots) requiring some sort of logon/authentication procedure would be an administrative nightmare, and would spoil the point. I think the solution there is twofold: 1) strict outbound filtering. The admin of a hotspot should take steps to ensure that bad traffic doesn't leave the network, or at least as little nastiness as possible is allowed out. Certainly no spoofed traffic should leave. A well-built proxy (e.g. squid) can prevent non-compliant/broken user software from affecting the Net as a whole, and would have the win of increasing speeds for hotspot users; adaptive inline firewalling (e.g. snort) can help to block intentionally-evil packets. 2) at some point, we need to just bite the bullet. Hotspots will never be able to match the professionalism of real, administered nets. But I think they're a big win in other ways, so shouldn't just be banned. I think we should just take the good with the bad, realizing that some networks with higher security requirements might end up blackholing hotspot traffic. (Bigger problem here is legally protecting the guy who set up the WiFi net from lawsuits regarding what his users did... I think best-effort rules ought to suffice here, though I'm also inclined to think that best-effort ought to involve outbound filtering. To my knowledge, there are no easy-to-use solutions to the outbound filtering problem, though.)
4. These are all traditional network-side problems; they have for the most part traditional solutions. (If you haven't gotten the picture yet, I mean VPN.) The big doozy with WiFi is the entirely new problems it presents. Case in point: there's some new übergeek digital camera coming out (link lost, sorry) that does WiFi. There is no chance in hell that this thing could do VPN if it tried; even WEP would be surprising. PDAs, MP3 players, and all the rest are slated for WiFi compat soon. None of these things will be able to communicate securely. What in the world are we going to do about this? Mr. Professional Photographer takes a Pulitzer winning shot, hopes to use the proceeds to fund a year of college for his kid. Comes home only to find out that someone has already sold his images to a disreputable tabloid. Mr. Corp Executive keeps his secrets on his PDA, unknowingly walks through a hotspot. Suddenly half of lower Manhattan has access to his notes on the upcoming merger. etc.
This is Fear and Uncertainty, but not Doubt. This hasn't happened (to my knowledge) yet, but it's a very plausible scenario. I'm pretty sure it will happen, a number of times, before anyone does something about it. The problem is, what is there to do about it? This is the sort of thing that keeps security consultants employed, and is exactly why security consultants see dangers in WiFi. When copiers and printers started being ethernet-ready out of the box, it caused all sorts of problems. Xerox copiers suddenly morphing into warez FTP servers and the like. Companies still have a hard time segregating network devices so that the printer sits behind a restrictive firewall. (This sort of thing is also what keeps sec. consultants employed.) When the thing is WiFi-enabled, firewalling simply won't work. What then?
(The problem here is also not new to WiFi. The local computer stores here in Germany are selling wireless keyboards for the same price or cheaper as wired ones. I'm even using a wireless keyboard right now: it's really nice, and fits my desk-style perfectly. But there's zero link-level encryption going on in these things. Who needs Carnivore or keysniffers when you can just stand outside with a radio receiver?)
Sorry this is so long. I don't disagree with Cory that there's a lot of crap being said. But Cory's posts have, it seems to me, underplayed the fact that there is a serious risk involved with WiFi. It may be true that the coverage of the problems in national papers has been FUD-ish. But it's going to be very hard to explain to a non-technical audience what the real problems are. Filtered through a gee-whiz journalist, and you get articles like these. And really, spam isn't so far off the mark --- if you take spam to be undesirable network traffic in general, not just SMTP...
Of course, the biggest problems arise when congressfolks read these articles and get their legislative juices flowing. But that's why we have the EFF, right?
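Added example, not from the post above or from any project it names: a small model of the "strict outbound filtering" the poster asks of hotspot admins in point 3. It checks three things on traffic leaving the hotspot uplink: the source address belongs to the hotspot's own block (so no spoofed traffic leaves), mail is not sent straight to port 25 anywhere except a designated relay, and nothing is forwarded to private address space. The same policy is also rendered as the equivalent iptables FORWARD rules. The hotspot block 10.77.0.0/24, the relay 203.0.113.25 and the sample packets are all constructed for the example; the proxy (squid) and inline IDS (snort) the post mentions are not modeled.

```python
"""Hotspot egress policy: simulate verdicts and emit matching iptables rules.

All addresses below are constructed for this example (10.77.0.0/24 as the
hotspot client block, 203.0.113.25 as the ISP's mail relay).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOTSPOT_NET = ipaddress.ip_network("10.77.0.0/24")      # constructed client block
MAIL_RELAY = ipaddress.ip_address("203.0.113.25")       # constructed: only allowed SMTP target
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    """Minimal view of an outbound packet as seen on the uplink."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def egress_verdict(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet leaving the hotspot."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Anti-spoofing: only the hotspot's own block may appear as a source.
    if src not in HOTSPOT_NET:
        return ("DROP", "spoofed source outside hotspot block")
    # RFC 1918 destinations must not be forwarded out the uplink.
    if any(dst in net for net in PRIVATE_NETS):
        return ("DROP", "private-space destination beyond the gateway")
    # Direct-to-MX mail is blocked; clients must use the designated relay.
    if pkt.proto == "tcp" and pkt.dport == 25 and dst != MAIL_RELAY:
        return ("DROP", "direct SMTP; use the mail relay")
    return ("ACCEPT", "ok")


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count verdicts over a batch of packets."""
    return dict(Counter(egress_verdict(p)[0] for p in packets))


def iptables_rules(lan_if: str = "wlan0", wan_if: str = "eth0") -> List[str]:
    """Render the same policy as iptables FORWARD rules (interface names assumed)."""
    base = f"iptables -A FORWARD -i {lan_if} -o {wan_if}"
    rules = [
        f"{base} ! -s {HOTSPOT_NET} -j DROP",                    # anti-spoofing
    ]
    rules += [f"{base} -d {net} -j DROP" for net in PRIVATE_NETS]  # no private dst
    rules += [
        f"{base} -p tcp --dport 25 -d {MAIL_RELAY} -j ACCEPT",   # relay only
        f"{base} -p tcp --dport 25 -j DROP",                     # block direct SMTP
        f"{base} -j ACCEPT",                                     # everything else
    ]
    return rules


# Constructed sample traffic, one packet per case.
SAMPLE_PACKETS = [
    Packet("10.77.0.23", "198.51.100.7", "tcp", 443),   # ordinary HTTPS: ACCEPT
    Packet("192.0.2.9", "198.51.100.7", "tcp", 80),     # spoofed source: DROP
    Packet("10.77.0.23", "198.51.100.7", "tcp", 25),    # direct SMTP: DROP
    Packet("10.77.0.23", "203.0.113.25", "tcp", 25),    # SMTP via relay: ACCEPT
    Packet("10.77.0.23", "192.168.1.1", "udp", 53),     # private destination: DROP
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = egress_verdict(p)
        print(f"{p.src:>12} -> {p.dst:>14}:{p.dport:<4} {verdict:6} {reason}")
    print(summarize(SAMPLE_PACKETS))
    print("\n".join(iptables_rules()))
```

Rule order matters in both forms: the anti-spoofing check comes first so that a forged source never reaches the later, more permissive rules, and the relay ACCEPT precedes the port 25 DROP.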