Tuesday, May 18, 2004

Salon on insecurity

Today Salon.com has an article which describes exactly why I've never locked down my wireless network at home. Bottom line: because the network is insecure, no one can prove without a doubt that it was me who used the network.

By Micah Joel

May 18, 2004

"Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear. Now, anyone with a wireless card and a sniffer who happens by can use my connection to access the Internet. And with DHCP logging turned off, there's really no way to know who's using it.


What's wrong with me? Haven't I heard about how malicious wardrivers can use my connection from across the street to stage their hacking operations? How my neighbors can steal my bandwidth so they don't have to pay for their own? How I'm exposing my home network to attacks from the inside? Yup.


So why am I doing this? In a word, privacy. By making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.


In mid-April, Comcast sent letters to some of its subscribers claiming that their IP addresses had been used to download copyrighted movies. Since Comcast is not likely to improve customer satisfaction and retention with this strategy, it's probable the letter was a result of pressure from the Motion Picture Association of America or one of its members. And to Comcast's credit, it stopped short of direct accusation; instead it gives users an out. Says the letter, 'If you believe in good faith that the allegedly infringing works have been removed or blocked by mistake or misidentification, then you may send a counter notification to Comcast.'


That's good enough for me. I've already composed my reply in case I receive one of these letters someday. 'Dear Comcast, I am so sorry. I had no idea that copyrighted works were being downloaded via my IP address; I have a wireless router at home and it's possible that someone may have been using my connection at the time. I will do my best to secure this notoriously vulnerable technology, but I can make no guarantee that hackers will not exploit my network in the future.'


If it ever comes down to a lawsuit, who can be certain that I was the offender? And can the victim of hacking be held responsible for the hacker's crimes? If that were the case, we'd all be liable for the Blaster worm's denial of service attacks against Microsoft last year.


Don't get me wrong. I'm not deliberately opening my network to hackers and miscreants bent on downloading copyrighted material. I'm simply choosing not to secure it. That's no different from the millions of people who haven't installed anti-virus software and the millions more who don't keep theirs up to date. Yes, their vulnerabilities allow viruses to spread more quickly, but that's their choice, right?


What about the security of my home network? A determined hacker may be able to crack my passwords or exploit weaknesses in the operating system that I never even thought of, but how is that different from before? There's no system that's completely secure, so whether hackers are inside or outside my firewall will make little difference. I'm willing to trade a little security for privacy.


It feels strange to be opening up my network after years of vigorously protecting it, and it's not without a tinge of anxiety that I do so. But there's also a sense of liberation, of sticking it to the Man, that's undeniable, as well as an odd sense of community. It seems there's safety in numbers after all, even among strangers"

No comments: