You know they know better, don't you? You know who they write these reports for? CTOs and their ilk. Why? Because that's where the money is.

I asked my CEO if we had any plans to look at the burgeoning market of community based WiFi hotspots. He all but laughed in my face. "They can use cheap Taiwanese APs."

"But our highly secure APs could really make the meshing of the future of wireless really happen. What with our integrated VPNs and bridging etc etc... We could move millions of units." I say.

"I don't think so." he says.

The people with the golf clubs have no idea. Oh well.

The article isn't clear, but I'm not sure the study equates email and spam. Maybe there really *was* spamming going on. Should be easy to detect: if the unauthorized user sends a few messages, it's probably not spam. If they send hundreds or thousands of identical ones, it probably is.

Spammers jump on every technology and loophole they can, so why assume they wouldn't wardrive to find an open WiFi link to send spam from?

I dunno. I don't see a reason to condemn this study as strongly as Cory did.

I'm not a spammer, but if I were, this is exactly how I'd do the deed.

If I were a spammer, I'd sit in my living room with a PC that costs 0.25 what a laptop does, with a stack of AOL CDs and no pants on. I wouldn't go buy a laptop and cruise the midnight streets for WiFi.

This reminds me a little of some of the fallout from the Code Red worm. I saw signs up in Office Depot the next day saying "Protect your computer from Code Red! Buy Norton Antivirus!" Nevermind that simply restarting your computer (which us Windows users do 20 times a day anyway) would get rid of it. They were simply using fear to sell their products. Fear is the next new big business. The government and media already uses it, why not Tech too?

But who's going to protect me from the fear generated by images of Cory with AOL CDs and no pants?

Cory --

Sitting at home with a stack of AOL CDs will get you burned in little-to-no time, unless you are consistently changing phonelines. When you run the setup, it dials the WATS line at AOL to validate you and get local numbers.

When AOL see four of five separate validates on the same phone number (and, as a WATS line, they get ANI service, which means they get the phone number, regardless of what you do (since they're paying for the phonecall)) they'l cut you off. When they see the traffic to port 25, they'll cut you off. Spammers are giving up on using AOL dialup accounts as feeds, because there are easier ways. Like using random WiFi accounts.

Spammer *do* driveby. I've seen it happen, having to get on the phone for clients to explain to thier ISP's how all that spam came from their netblock, and no, how it wouldn't happen again, as I'm busying firewalling and WEPing the WiFi hubs that the logs *clearly* showed were the source of the spam. Not just once, mind you, three or four times.

Remember -- the terms of service are between you and your ISP. If Joe Spammer grabs your WiFi, then it's your fault.

This sort of thing will almost certainly kill open WiFi in the end -- and if NearlyNet expects to actually work in the long run, it's going to have to deal with the problem. Which, alas, is typical of the net. A few abusers ruin everything.

Why should it kill open WiFi? Just initially firewall 25 and use a "captive portal" (http://www.personaltelco.net/index.cgi/CaptivePortal) or something similar to let connections through according to "acceptable use" criteria of your choice.

My personal incliniation would be to allocate WiFi users N "smtp credits" per hour, or day, or something, where they spend one credit per message per recipient. Set it to something large enough it's not going to trouble normal users (100? 500?), but low enough that it's not going to be worth spammers time and, worse, energy (spammers don't strike me as the athletic type) traipsing down to a WiFi hotspot only to have to traipse off to the next one after 30 seconds, and then the next, because they've blown their entire "budget". If they max out an entire city of WiFi hotspots they've probably still only sent 0.001% of the emails they'd send from home.

Or, perhaps require a validatable email address (ie email a PIN, get them to type it in), and CC: all email they send to it, so if they spam, they spam themselves. If one of your CC'd mails bounces with mailbox full, you stop allowing them to send SMTP. So they can't just throw it at a disposable hotmail account, cuz that'll soon fill up.

That's just two random schemes off the top of my head without really thinking about it, they're probably not secure long-term but they'd keep people off your back for a while -- but I'm sure the combined weight of the WiFi movement will crack it shortly. If it hasn't already, on a webpage out there somewhere I haven't read yet.

"Spammer *do* driveby. I've seen it happen, having to get on the phone for clients to explain to thier ISP's how all that spam came from their netblock, and no, how it wouldn't happen again, as I'm busying firewalling and WEPing the WiFi hubs that the logs *clearly* showed were the source of the spam. Not just once, mind you, three or four times."

You should document this, Erik. It has never been positively documented to my knowledge. The only claim to date of this turned out to be a misquote.

"If it hasn't already, on a webpage out there somewhere I haven't read yet."

I think Canis has just identified a new form of the lazyweb: the time-travelling lazyweb, which implements things before you ask for them!

Everything we want may already exist somewhere on the web, subject only to the trivial problem of locating it.

I too would like to see documented evidence of drive-by spamming. So far, it just seems to be a well-speculated obvious possibility. If this is such a problem and you see it happening as much as you say, write it up. Send it in to SANS or Usenix Security or DefCon or something. I want to see the logs, sanitized if you must, but I want to see them
in a forum where there is some sort of peer-review filtering mechanism in place that weeds out the FUD and marketing masquerading as a "study".
Until then, it's just going to continue to be more WiFUD to me.

You should document this, Erik. It has never been positively documented to my knowledge.

I'll talk to the companies, see if I can't get copies of the logs, or better yet, be able to get them on the record about it. I know other sysadmins who've either seen evidence or caught active bad-guy activity on open WiFi hubs, I'll see if I can't get them in on it.

Roadknight -- good idea. I didn't think of documenting for the world-at-large -- it seemed so obvious, and having dealt with it multiple times, I merely assumed it was common knowledge.

I honestly find it hard to believe that it's only happening in St. Louis, but hey -- maybe it is.