22

For my home I want to be a nice neighbor; actually I have left my wifi open for the past maybe 6 or 7 years. I know that WEP, etc. can be cracked within a couple of minutes, but my neighbor's son, who works in IT, told his mom and she told me that I am doing bad things and you know the story...

Do you think it's okay to leave your wifi open to the public? I live in a suburb with a tiny street and about 8 houses in reach of my wifi. I have a 16k DSL line so if someone joins me for a couple hours I would probably not notice.

I would love your thoughts on whether I should encrypt my wifi or not.

Thomaschaaf
  • 11
    As an addendum, the usual reply is "if you leave your network open you'll be held responsible for when terrorists set off their next attack from your little linksys network." A nice theory, but has this actually ever happened? Is there a US court history behind it? Precedent? It smells an awful lot like received wisdom with only rumor, not actual law, behind it. – palmer Jun 01 '09 at 12:03
  • 2
    I would like to leave my network open, and only lock it to those who can break WEP in 5 minutes. – GoatRider Jun 01 '09 at 12:15
  • If you apply some sort of crappy encryption scheme that is broken, you have an even harder time convincing the court that it wasn't you. 'Somebody hacked my computer' is like voodoo for most people, and they do not believe in it if it is more convenient not to. This is a question about the law. In Europe things are quite different from the U.S. (in Europe they still pretend you have some right to privacy). – Jacco Jun 01 '09 at 12:18
  • 1
    I agree with palmer above, the usual reply will be "you're going to be responsible for anyone who decides to take over the world from your connection" but as of yet, I haven't seen that used in court. The RIAA/MPAA lawsuits that tried to tie an IP to a person failed miserably, last I checked. There is no reason why you SHOULDN'T be able to run an open wifi, as long as you're aware that someone could log packets if they so chose. Whatever you choose, good on you for asking the question here. – Lee Jun 01 '09 at 17:32
  • 2
    I know this will come across as totally lame, but you might also consider the End User Agreement with your ISP, who probably forbids this type of activity. – anonymous coward Jun 01 '09 at 21:31

22 Answers

19

I admire your altruistic notions of providing WiFi to those who need it - but you are leaving yourself open to huge exposure.

The RIAA et al. will still hold you responsible for what they download. Since you are here, I presume you are an IT person, hence an unsecured WiFi connection will not be a particularly good defense! Secondly, there are worse things than movies people can download - do you want the hassle of having to prove YOU did not download those pictures?

Perhaps get the OpenWRT or similar firmware (if needed) and at least log what others download just in case - delete them (obviously without reading them) after 3-4 months?

Jon Rhoades
  • 2
    Logging and deleting? Did that not just make you a knowing accomplice destroying evidence? – Peter Stuer Jun 01 '09 at 17:18
  • Not necessarily. At least you would be logging it. You can keep it for longer if you are subpoenaed. Would be better to have 6-12 months, in my opinion, because it can take that long for notification to get to you. – Joshua Nurczyk Jun 11 '09 at 20:16
  • I don't think they subpoena such things. They get a warrant and take your equipment and analyze your drives for the actual proof. Your computer may never come back to you, but just having your IP isn't enough that I've ever seen in news (in the US) to get you for things like incidents usually cited. Also leaving your wifi open doesn't mean that you are necessarily going to be convicted for activity (without proof). If stupidity were a crime we'd have no free citizens...most users don't know how to use encryption in their wifi. They just make it work and are happy when it does. – Bart Silverstrim Dec 10 '09 at 12:57
  • Nowadays we know that encrypting with wpa/wep is really really far from being enough. –  Oct 03 '12 at 16:09
17

Security author Bruce Schneier leaves his personal network open, arguing that wireless encryption gives a false sense of security. He says:

I'm also unmoved by those who say I'm putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much.

http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html

hyperslug
  • 6
    You left out an important bit of the blog post: "I spoke to several lawyers about this, and in their lawyerly way they outlined several other risks with leaving your network open. While none thought you could be successfully prosecuted just because someone else used your network to commit a crime, any investigation could be time-consuming and expensive. You might have your computer equipment seized, and if you have any contraband of your own on your machine, it could be a delicate situation. Also, prosecutors aren't always the most technically savvy bunch, ..." – Jim B Jun 01 '09 at 22:13
  • 2
    Anyone hear of Barnes and Noble, Panera, libraries, or anyone else with open or accessible network access being convicted for a patron transferring XYZ contraband material? – Bart Silverstrim Dec 10 '09 at 12:58
9

Whether it is wise or not, even celebrity security experts seem to leave their home wifi open for all.

The pros are:

  • It is a "neighborly" thing to do. Anyone likes finding a connection to quickly get an email fix or look something up on the net. "Do unto others as you would have others do unto you" as it were.

The cons:

  • Setting it up so that a worm laden machine connecting to your LAN does not infect your machines is beyond the interests and skills of most people.
  • If the connection is abused, this could mean being sucked into an investigation.
  • Some ISPs explicitly forbid it in their terms of service

If you like the open access idea, you might want to create a separate "visitors" network using that old 802.11b router you have lying around from before you upgraded, and keep your shiny new n router for your own LAN.

(image; source: ask-leo.com)

Glorfindel
Peter Stuer
  • If your connection is abused you will be sucked into the investigation, regardless of encryption. – Jacco Jun 01 '09 at 12:22
  • 1
    The risk of your connection being abused will be less with encryption, because they will use your neighbor's unsecured network instead... – Arjan Einbu Jun 01 '09 at 13:39
  • 2
    Has anyone linked to an article or a legal precedent where the individual with open wifi has actually been "sucked into an investigation"? I've heard about it through the grapevine, but I've never heard of it going further than "Hey, this was your IP at the time of the incident." – Lee Jun 01 '09 at 18:59
  • Not a link, but a friend with an open router was "sucked into an investigation" when stolen laptops with "phone home" anti-theft devices had connected through the router, and of course reported "his" external IP. – Peter Stuer Jun 05 '09 at 08:39
  • You forgot another reason for open wifi...devices that are a PITA to get working. Some extra devices (handhelds, game devices, whatever firmware chipset with bugs/quirks) won't support the latest encryption/protection scheme of the year. Open wifi makes it far less of a support hassle to hop on and get what you want to get done rather than futzing with a 30-character string tapped into your iPod or other device, or troubleshooting connection quirks. – Bart Silverstrim Dec 10 '09 at 13:00
8

Well, this isn't really SysAdmin related but since it's in the public interest I'll let it slide ;-).

In short: there is nothing wrong with leaving your wifi open. Just be aware of the security concerns. Since the connection is unencrypted, any passwords you send over connections to other servers that aren't encrypted will be visible to anyone watching your network.

For example, if you connect to your email via a POP3 connection which doesn't use SSL (aka POP3S), anyone could watch your wireless network, see your username & password, and later use it themselves.

For this reason, unless you are very aware of what a secure connection is, (for all kinds of internet communication, including logging into websites) (and the fact you're asking here means, sorry, but you don't), I'd recommend you set up strong WPA2 or WPA encryption instead -- as I mentioned elsewhere, these are very secure.

Alex J
7

If I were you I would use encryption because:

  1. Someone from the street may use it to hack and you will have to explain yourself to the authorities.
  2. Any security flaws will be accessible to everyone. For example, someone can mount your shares or, just for fun, use up all the ink in your printer.
  3. After all, cracking the encryption takes some time, and people who look for networks to use will probably just ignore your wifi and continue searching for an open one.
  4. Someone might use it to download kiddie porn, movies etc. and you'll have to explain yourself.

It's just a little configuration which makes "bad people" move along, rather than sit and crack.

Alakdae
  • Yes. Point 1 is IMO the worst. One doesn't care only until the authorities come after him, possibly arrest him and grab all his equipment for forensic analysis (depends on where he's located of course). Will his boss and family be happy in such case? People even buy umbrella insurance policies to not risk being sued but don't mind risking their freedom and good name. – sharptooth Apr 22 '10 at 05:48
6

This is a big myth that you are responsible for the traffic coming out of your network. ISPs, coffee shops, etc are not liable in any way for what their users do.

In fact, this can even be used to your advantage in case something happens. If you have an open network, anyone could have done it, not just you.

I do the same thing and keep my wireless network open... I hate when I go out and need to quickly check something online and there is no open wireless.

Be a nice neighbor, but check often to see if no one is taking advantage and using all the time.

sucuri
  • I'm fairly sure that this defense doesn't work in the UK. I can't find a decent link to a news story though. However, I did find this: http://www.out-law.com/page-7991 (US based.) – Matt Apr 02 '10 at 13:45
4

In Germany, iirc, there is a huge difference between 'neighbour doing bad things with your open wifi' and 'neighbour doing bad things with your (somehow) secure wifi'. It does not matter how secure it is, just the 'I made it secure' thing makes the usage of your wifi a crime and you won't have to take responsibility for others using it.

What I do all the time when using insecure networks is use a VPN tunnel to somewhere I trust enough for the things I want to do (work or home). Even if you want your WLAN to be open, you could at least secure your own communication ;)

Karsten
  • How do you prove that someone cracked your wifi to commit the crime? Wouldn't securing the wifi make it more evident that you did it unless there was proof a specific person was on your network, and how many home users have the ability to prove such a thing? – Bart Silverstrim Dec 10 '09 at 13:03
3
  • your communication is unencrypted, and there are many sites and services, that do not use SSL. Many only protect passwords, but still leave you open to session hijacking etc.
  • you're risking your IP getting banned for malicious behavior either of the users or of the trojans they might have in their systems.
  • some ISPs have a policy of completely disconnecting users who do P2P, spam etc.
  • your computer-illiterate neighbor might be using your net without even knowing it, just by having his laptop configured to "connect to any available network".
  • if you use your WiFi as your primary home LAN, they get access to your NAS, PVR, VoIP, printer etc.

As for "false sense of security", WPA2 has no known vulnerabilities and has not yet been cracked.

So called "WPA2 cracks" are actually lame, dictionary based attacks. Won't do any harm against strong password, especially if you use random hex, not ASCII.

vartec
  • 1
    WPA2 weak keys are crackable. Check out the script kiddie walk-throughs on youtube – Nick Kavadias Jun 01 '09 at 12:25
  • c'mon, dictionary based attacks, that is so lame. – vartec Jun 01 '09 at 12:27
  • 1
    It is not about cool vs. lame, it is all about what works and what doesn't. – Peter Stuer Jun 01 '09 at 18:04
  • 1
    WPA2 weak keys are only crackable with the right tools and a lot of patience. And they're still "dictionary" attacks, because you're comparing encoded passphrases against the WPA2 passphrase. Check out the Rainbow Tables project to see just how much computing it takes to crack WPA2. – Lee Jun 01 '09 at 18:57
  • @Peter: it doesn't work. period. – vartec Jun 02 '09 at 07:54
  • @vartec, even though it is _unlikely_ it is not *impossible*, so to say it is impossible is demonstrably false. – SamAndrew81 Mar 01 '19 at 16:13
  • @SamAndrew81 it's not impossible to run through a solid concrete wall, it's just highly unlikely (in theory all the subatomic particles making up your body get through via quantum tunneling). But in practical matter, you cannot crack a strong password encrypted with 128-bit AES any more than you can run through a solid wall. – vartec Mar 01 '19 at 22:02
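
The mechanism this answer and its comments are arguing about, as an added example that is not part of the original thread: WPA2-PSK maps a passphrase to the 256-bit key with PBKDF2 salted by the SSID, so a listed passphrase is only as strong as the list is long, while a random 64-digit hex key skips the passphrase entirely. The wordlist and SSIDs below are constructed samples.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for a wordlist; real ones hold millions of entries.
SAMPLE_WORDLIST = {"password", "12345678", "qwertyuiop", "letmein123"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK passphrase-to-key mapping (IEEE 802.11i):
    PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def new_hex_psk() -> str:
    """Raw 256-bit key as 64 hex digits from the OS CSPRNG ("random hex")."""
    return secrets.token_hex(32)


def audit_key(key: str, ssid: str, wordlist=SAMPLE_WORDLIST) -> dict:
    """Describe a configured key: its form, whether the wordlist contains it,
    and the size of the search space when that size is actually known."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        # Entered as the key itself: no passphrase exists to be guessed.
        return {"form": "raw-psk", "in_wordlist": False,
                "search_bits": 256.0, "pmk": key.lower()}
    listed = key in wordlist
    return {
        "form": "passphrase",
        "in_wordlist": listed,
        # A listed passphrase costs at most len(wordlist) guesses. For an
        # unlisted one the cost depends on how it was chosen: unknown here.
        "search_bits": math.log2(len(wordlist)) if listed else None,
        "pmk": derive_pmk(key, ssid).hex(),
    }


if __name__ == "__main__":
    samples = [
        ("password", "linksys"),        # listed passphrase, common default SSID
        ("password", "HomeNet-7f3a"),   # same passphrase, different salt
        (new_hex_psk(), "HomeNet-7f3a"),
    ]
    for key, ssid in samples:
        r = audit_key(key, ssid)
        print(f"{ssid:13} {r['form']:10} listed={r['in_wordlist']!s:5} "
              f"bits={r['search_bits']} pmk={r['pmk'][:16]}...")
```

Because the SSID is the salt, the same passphrase yields a different key on each network name, which is why precomputed tables are built per SSID and a non-default SSID makes them useless.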
3

A client of mine has been in this precise situation. He left his WiFi open to all as a gesture of good will. Two months after he did, he got a warning from his ISP about his data usage, and a week after that he received a cease and desist letter from the RIAA.

He no longer has open WiFi.

Iain
  • Cease & Desist != Indictment/Prosecution/etc. A C&D is only to deter the individual, and in the RIAA's case they've sent thousands of C&D's to WRONG individuals. Receiving a C&D doesn't mean anything, it just means they've tied the IP to his address and are trying to scare him from doing anything further, and in this case he's not the guilty party, and can probably prove it. Stop giving in to the RIAA/MPAA, people. C&D's are FUD. – Lee Jun 01 '09 at 19:25
  • In this case, the user had static IP from the ISP - so the traffic was definitely going through his WiFi. Coupled with his ISP's warning that he had greatly exceeded the generally accepted traffic quantities for the period - it was pretty clear cut that *someone* was using his pipe to download something big. The likeliest candidate is a torrent, where the download could be interrupted and picked up later. – Iain Jun 03 '09 at 11:28
3

I've actually had this discussion with local law enforcement. Fortunately we have a high-tech crime squad in San Diego and an ADA who has a pretty good amount of clue in the high-tech area.

It is not in your personal best interests to have open wi-fi. Beyond the ISP terms of service, you run into the possibility of being dragged into an investigation.

In the San Diego area, there have been at least two cases in the past year where crimes were committed by people who were war-driving to find open residential wi-fi. In both cases the perps committed felonies, which led to the homeowners being the initial subjects of the investigations.

Open wi-fi just isn't worth the possible hassle.

tep
  • OK, here's an example: SWAT raids wrong house based on open wifi. http://arstechnica.com/tech-policy/2012/06/swat-team-throws-flashbangs-raids-wrong-home-due-to-open-wifi-network/ – tep Jul 02 '12 at 16:03
2

I wouldn't leave it open, for one simple reason - you'll be liable for the activity of strangers. Imagine if the cops came knocking looking for someone downloading 'bad' porn :(

Chopper3
  • Liable? citation needed :) – Rog Jun 02 '09 at 04:30
  • Country-dependent of course but I'm in the UK and the liability rests with the broadband user unless there's a compelling audit history. – Chopper3 Jun 02 '09 at 05:38
  • How do coffee houses, bookstores, etc. allow such things without getting nailed for crimes from patrons? I've never heard of users getting convicted unless the proof was on the hard disk. – Bart Silverstrim Dec 10 '09 at 13:06
  • Because they already have public liability in that they open their doors to the public, they ensure that there are signs regarding their legal position on this matter available and that they often force you to accept T's & C's on their front page before letting you browse elsewhere. – Chopper3 Dec 10 '09 at 15:05
2

My argument for not leaving your network unsecured is the same as that of Jon Rhoades and Alakdae: You're responsible for any traffic over your connection, so you need to make sure that none of that traffic is going to get you in trouble.

What you may want to consider, if you do want to leave your WiFi open for people, is some sort of setup whereby unknown users get heavily restricted internet access.

The idea being that this will prevent anyone doing anything untoward that you may have to answer for, and allow you to provide unrestricted access only to people who you trust.

However, setups like this are non-trivial to put together without setting up two distinct wireless networks, which is probably more hassle than it is worth to be kind to your neighbours.

SpoonMeiser
2

Slightly offtopic, the Apple Airport Extreme adapters now have the option of a "guest" network. This effectively gives you two networks, so you can use a secure one for your stuff and leave an open network (using a different SID, and no encryption) for everybody else. I don't know how this hurts or helps you legality-wise, but it does allow you to be generous with your connection without having to put your own data at risk.

bobwood
2

Before deciding to operate an open access point, there are a few things you should consider. Any activity from a visitor will be going through your internet connection; if they try to hack the NSA, download ripped movies, etc., it will be your IP address that they see in their logs. Another side effect of having an open access point is that heavy wireless users can somewhat saturate your network connection, making your connection appear slow. There is also the potential of an infected laptop connecting to your access point and infecting your network computers.

There are a couple of options that will allow you to be a neighborly person, but also protect you from the downsides of operating an open access point. If possible, get an access point that can run DD-WRT or Tomato firmware, or alternatively (and more costly) find an access point that supports Quality of Service (QoS), and Access Control Lists (ACLs).

  • Using QoS, you can limit the bandwidth available to your wireless visitors, preventing wireless users from saturating your network.
  • With restrictive ACLs, you can limit wireless traffic to only HTTP/HTTPS - allowing basic web traffic, but somewhat preventing P2P or extraneous network activity.

Regarding any actual court cases regarding open wireless access points, there are a few examples that show in US and foreign court that open APs are not always a valid defense for criminal offenses, however Civil cases (pirating, P2P, etc) may be thwarted by such a defense:

pezhore
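
The HTTP/HTTPS-only ACL described in this answer, modelled as a first-match rule list and run over sample guest traffic (an added example, not from the original answer or from any router firmware). The addressing (owner's LAN on 192.168.1.0/24, guest router at 192.168.2.1) and the flows are assumptions; QoS rate limiting is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "any"
    dst: str           # destination network in CIDR form
    ports: tuple = ()  # empty tuple means any port


# Assumed layout: guests on 192.168.2.0/24 behind router 192.168.2.1,
# the owner's machines on 192.168.1.0/24. The first matching rule wins.
GUEST_ACL = [
    Rule("allow", "udp", "192.168.2.1/32", (53,)),  # DNS, or browsing fails
    Rule("allow", "tcp", "192.168.2.1/32", (53,)),
    Rule("deny", "any", "10.0.0.0/8"),              # every private range:
    Rule("deny", "any", "172.16.0.0/12"),           # the owner's LAN, NAS and
    Rule("deny", "any", "192.168.0.0/16"),          # printer, router admin page
    Rule("allow", "tcp", "0.0.0.0/0", (80, 443)),   # basic web traffic
]


def decide(acl, proto, dst_ip, dst_port):
    """Return the action of the first rule matching the flow."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.proto not in ("any", proto):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        return rule.action
    return "deny"  # nothing matched: default deny


# Constructed guest flows; 203.0.113.10 is a documentation address.
SAMPLE_FLOWS = [
    ("web over HTTPS",          "tcp", "203.0.113.10", 443),
    ("DNS lookup via router",   "udp", "192.168.2.1", 53),
    ("router admin page",       "tcp", "192.168.2.1", 80),
    ("NAS web UI on owner LAN", "tcp", "192.168.1.20", 80),
    ("file share on owner LAN", "tcp", "192.168.1.20", 445),
    ("outbound SMTP",           "tcp", "203.0.113.10", 25),
    ("P2P on its usual port",   "tcp", "203.0.113.10", 6881),
    # A port-based ACL cannot tell what runs on 443, which is the
    # "somewhat" in "somewhat preventing P2P".
    ("P2P moved to port 443",   "tcp", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for label, proto, ip, port in SAMPLE_FLOWS:
        verdict = decide(GUEST_ACL, proto, ip, port)
        print(f"{verdict:5}  {proto} {ip}:{port:<5}  {label}")
```

The private-range denies sit above the web rule on purpose: with the order reversed, port 80 on the NAS and on the router's admin page would be reachable from the guest network.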
1

I don't think I would leave it open either. Secure it with MAC address recognition and something else....whatever the router supports that is most secure. Then check your logs frequently and ban any strange entries.

If the music industry sends you a warrant to appear in court because of your neighbor's music piracy you may wish it were locked down.

cop1152
1

Since it's pretty trivial to enable a moderate amount of security, I go ahead and do that. Sure, it'd be nice to leave my front door unlocked, like my grandma used to, but that's just not realistic.

As far as the Feds go, sure, I'm not exactly a datacenter, but if they're going to confiscate your servers based on physical proximity - do you REALLY think you're not going to end up embroiled in a huge hassle if someone uses your WiFi to download child porn? Does it seem that outlandish to imagine that someone downloading child porn would try to pin that traffic on someone else?

Thanks, I get into enough trouble with my OWN actions. ;)

Kara Marfia
1

Occasionally, thieves go through rubbish bins for scraps & receipts that they can use to rip people off (credit card numbers, old bills & bank account details). If they are doing this then it is much easier/cleaner/nicer to do much the same with a wifi antenna & a laptop from their car or van. Don't let them do it. If you must be neighbourly, add the neighbour's MAC address to your access point & give them your WPA-2 key.

chr0naut
1

I wish I could leave my wifi open to everybody except those who could break into WEP in 5 minutes.

GoatRider
1

You're asking to have your life ruined. Someone who downloads kiddie porn or emails a threat to certain individuals will result in serious prosecution for you. "Someone else used my wide-open network" is barely a defense (it works for a small percentage of people), and you can no longer use that defense if they find this post.

If someone uses your network to commit a class of crime where you are guilty until proven innocent, you will regret leaving it open.

Pretend security such as WEP or MAC address restrictions at least give you plausible deniability when something happens. But it's possible to make it actually secure as well. And you're losing your ability to use ignorance of the security of WEP by posting here.

If you really insist on leaving your network open for some political reason, then at least sniff all traffic and keep it for at least 90 days. This may help your defense. Also keep surveillance cameras pointed at any area from which your network is accessible without a highly directional antenna.

carlito
0

If your wifi is open then you need to make sure all your devices are secured individually. It is the same as leaving a network cable hanging out the window for anyone to connect to. If your network is physically secure (and your wifi is also secure) then your router provides some protection against the big bad world.
If your wifi is open then random people using it to download illegal material may get you in BIG trouble.
Of course, more likely is that random people using it will get you into trouble with your ISP. Firstly by doing things like using it heavily, sending spam, whatever else your ISP may take a dim view of. And secondly just because you are sharing it. My ISP expressly forbids sharing my broadband connections with other households. If I do share it (and they notice) then I would be disconnected. :(
On the whole, I think it is worth securing your wifi.

pipTheGeek
0

I try for the same good neighbor policy, but nevertheless turn encryption on.

I use an SSID which is the name of the condo complex, to imply it's for use by the whole complex, and I give out the encryption key to any resident who asks.

Note, however, that if you have a residential account with your ISP, you are almost certainly violating the Terms of Service if you have the network open like that (I have a business account, and can put anyone I want on).

James Curran
0

I don't think an open network is that big of a deal as long as you don't share anything publicly. Anybody who would use it for nefarious purposes knows how to get around security anyway.

Personally, I keep mine locked up but that is because I don't want anybody slowing down my connection.

On a side note, have you heard of Open Mesh? It might be the perfect solution for you. Essentially it allows you to share some of your wifi but control usage per user or add a charge etc. It might be worth a look to you.

Open Mesh

MDJ