Friday, April 22, 2005

More Wireless Network Foo

Sean reaches out and pushes the big red button on my forehead— the one which makes the sign light up that says, "Don't push this button again." Or something.

It's like this. Some wiggler named Brendan Koerner, who is a contributing editor at Wired and a fellow at something called the New America Foundation (gurk!), has written an article for Legal Affairs Magazine called License To Wardrive. It's about the ongoing argument among legal scholars— and other dangerous elements in our society who need to be watched at all times— about issues revolving around wireless network security. The technology we are talking about is one of the main things I do with my time in my day job, so I have an informed opinion about this stuff. And I've posted about it here before.

Mr. Koerner gets up my nose right from the start. He sets up camp in my sinuses and dares me to come after him with a flamethrower and a crate full of concussion grenades. Let's see if I can maintain an orderly disposition, shall we?

Here's where he sends me straight to the munitions locker:
If you've ever booted up your laptop, scanned the area for unsecured wireless networks, and hopped onto the Internet on someone else's dime, you're a thief.

No. No. No. You are not. You are simply NOT.

I do this all the time. Lots of people do this all the time. It's perfectly legal. You are taking advantage of a complimentary service. When you go into the supermarket and you eat one of the free samples of whatever, are you stealing? No. They're giving something away for free to anyone who wants it. Why they're doing that is their business.

Koerner continues:
Swiping a little connectivity may be a relatively benign crime, and the victim likely won't know he's being victimized. Yet given that cable modem or DSL service contracts usually forbid subscribers from sharing bandwidth with strangers, it's technically illegal. That's the case whether the owner of the wireless network made the conscious decision to open his connection to all comers, or whether he doesn't realize that any passerby with a wireless card can leech off his bandwidth.

Ah yes— there's that word: victimized. This is the first signal that he's about to become outright dangerous. Follow along with me as I explain.

As I have mentioned elsewhere, I deliberately operate an open, unsecured wireless network in my home. I just checked the Acceptable Use Policy from my ISP, just to be sure, and yup— there is nothing in there that forbids me from doing this. Specifically, there is nothing that requires me to take any steps to prevent other individuals from accessing the Internet over my DSL line.

However, even if I were contractually obligated to secure access to my DSL service, the argument is just silly. The first question Koerner should be asking is whether such a contract is even enforceable. If he can get over that hurdle, then he gets to face the more difficult one: establishing that you're a thief because I'm violating my contract and letting you use the Internet from my house without first getting to know you as a friend.

He continues:
But that clear prohibition against stealing a connection can get fuzzy. What if you're only checking to see whether a network is open for all comers, and then you pass that information along to a friend? Or what if you publish the network's location on a website, so that anyone who swings by can log on, perhaps for illicit purposes?

At this point, he goes off to review a recently published book on the ethics of wardriving, which is what the activity he's talking about is called. When he's done with summarizing, he starts criticizing thusly:

This is where Ryan delves into a lengthy, somewhat drab argument for the legality of wardriving. Not that he isn't convincing: He dredges up several cases, as well as an FBI memorandum, that pretty clearly show that doing no more than noting a wireless network's location won't lead to anyone's conviction.

Yet there's something frustratingly academic about Ryan's rhetorical gymnastics in support of wardriving's legality. As he admits, "the premise that wardriving is legal relies on a narrowly construed and somewhat arcane distinction between viewing or recording the existence of open networks and accessing those networks." Yes, wardriving may be legal as a result of legal hairsplitting, but who cares? As Ryan acknowledges, wardrivers know that they're abetting the covert use of Wi-Fi connections by unauthorized people. So should wardrivers be considered accessories to computer trespass?

Notice how both Koerner and Ryan (the author of the book he's reviewing) have adopted as uncontested fact the premise that accessing an unsecured W-Fi network is a crime. Ryan, it turns out, isn't going too far out on the ledge, but Koerner jumps off into thin air.

Let's get out into the open what Koerner is really concerned about. He's not concerned about wardrivers who just want to know where they can get Internet access without paying for it themselves. Neither does he seem terribly troubled by the collection of people who are interested in measuring the market for companies that specialize in the service of helping naïve users secure their residential networks against unauthorized use. His big panic, like that of so many others, is the small group of people with malicious intent.

Have a look in the AU policy from my ISP that I linked above. It says:
Any prohibited or illegal activity that affects Sonic.net, Inc., its agents, equipment or customers is punishable to the full extent of the law, and Sonic.net Inc. will hold you responsible for any damage caused by your actions, whether intentional or unintentional. You are strictly prohibited from using your account other than as outlined in this Acceptable Use Policy and will be prosecuted to the full extent of the law if you do so illegally (see Enforcement section).

Let's imagine for a moment that a Fiend uses my open Wi-Fi network to do something illegal that causes damage (use your imagination). This clause in the contract says they can sue my ass to recover from any damages they suffer because of something prohibited or illegal that I did. Operating an unsecured Wi-Fi network with access to the Internet is NOT illegal or prohibited. We don't even have a legal precedent that says I'm being negligent by operating an unsecured network. So, when the Fiend uses my network to commit a fiendish act, guess what— it's the Fiend who is responsible for it, not me.

This is as it should be. Unfortunately, Koerner finds this deeply unsatisfying. Why? Because he wants the authorization to use the Internet to be something that is always explicitly granted to specific individuals, and never something given away on a first-come first-served basis to anyone who wanders by a wireless access point. Money must change hands— and, one suspects, it must leave a paper trail in the process.

The motivation for wanting to do this is simple: he wants to be able to identify fiends and punish them when they commit fiendish acts, and unsecured Wi-Fi networks (particularly those that use a function called a Network Address Translator, i.e. almost all of them) make it harder for the cops to tell who is using any particular Internet access point (though, how much harder is an interesting question that almost nobody understands— and I have a very well-educated guess that it's not very much harder at all).

The solution, in this simple-minded world, is to make every ISP customer responsible for securing access to the Internet through their equipment. But that doesn't reduce the ability of fiends to commit fiendish acts. All it does is make it easier to frame an innocent ISP customer for a crime that would otherwise go completely without prosecution. It creates an enormous burden of risk for the small retail Internet service customer without doing anything to promote the aggregate welfare of the Internet user community as a whole. It puts Joe Sixpack user directly into an arms race with technologically sophisticated network crackers, with the risk of criminal prosecution (for cyber-terrorism, maybe!) as a possible penalty for losing.

It doesn't help the cops or ISP's know who is the real user of the equipment from which a malicious operation is mounted. It only allows them to point the finger of blame at the owner of the equipment immediately downstream from their demarcation point.

Koerner, for a brief moment, breezes right past all this with a misguided swipe at equipment manufacturers:
Ryan does a better job in calling for Wi-Fi equipment providers to assume some of the responsibility for the woeful state of wireless Internet security. He makes the salient point that these companies have done a poor job of educating consumers about how to secure their networks, and may be exposed to civil action as a result. It is hard to believe that the Linksys and Netgears of the world can't better streamline their security processes, or even turn on encryption schemes by default.

Let's see... my ISP thinks it's my responsibility to educate myself about current law and regulations, so that I don't intentionally or unintentionally do anything illegal or prohibited. That's all good. What I don't get is how it's not my fault I don't know enough about how to control access to the Internet through my equipment— it's the fault of the people who made my Wi-Fi gear? Sigh. That's exactly backwards from his earlier premise.

The Wi-Fi equipment my employers sell comes out of its box unconfigured for an unsecured network. There's a very good reason for that. It's intentionally designed to be easy to just plug into the power and connect an ethernet cable to it from your cable/DSL modem. My employers were the first to the consumer market with a Wi-Fi access point, and the other manufacturers have copied the design— because it's a good design.

The setup assistant that comes with the device defaults to WPA security. It expects to communicate with the device over the wireless link. How do you have the unit come out of the box with a secure network and still be accessible by an average user from the setup assistant? This problem is more difficult than Koerner thinks. It's extremely difficult actually.

The obvious thing to do is to prevent the device from forwarding packets until it's been configured by the setup assistant, right? Wrong. If you do that, people buy the equipment, plug it in, and it doesn't work. Then, without even reading the instructions or opening the envelope with the disc containing the setup assistant, they pack the unit back into the box, take it to the store and demand a refund. Really, they do. There is just too much money to be lost by not making the unit fully functional right out of the box.

I really doubt that LinkSys and Netgear can do enough to keep average consumers from inadvertently setting up unsecured home Wi-Fi networks without being forced. The only way this "problem" will get addressed realistically, is to make the operation of unauthenticated Wi-Fi access to the Internet a crime and make it illegal to make, sell or possess the equipment for it. And by "realistically" of course I mean: surrealistically. That's where guys like Koerner are going— whether they know it or not. And that's why I say they're dangerous.

Look. My point is very simple. Before we start arresting people for operating unsecured Wi-Fi access to the Internet, we should ask whose interests are really served by that kind of policing system. Do not assume it's in the interest of public safety just because the Department of Homeland Security says it is— they have zero credibility on that issue. The real players who stand to benefit from this are incumbent network service providers, i.e. telephone and cable television companies. Anything that makes you have to pay them a monthly fee, instead of just borrowing some service from a friend of yours who has already paid for it, just fuels their network effect— which is the very thing that gives them an unfair advantage in the market by maintaining an artificially high barrier to entry for their competitors.

By playing the "security" card, guys like Koerner are playing right into the hands of the incumbent network service providers, who already enjoy egregiously high monopoly rent privileges in the market. At the same time, they're doing absolutely nothing but sheer wankery in the area of public safety— which seems to be the new American pastime, now that major league baseball is nothing more than a drug cult.

No comments: