The so-called wi-fi golden era is over, and apparently being glad about it makes me an absolutist.
But John C. Dvorak is wrong. This isn’t about making people pay for Internet access. It’s pure security. Toilets and drinking fountains are free because the majority of people don’t abuse them. The Internet can’t be wide open and free like a public restroom because when it was totally wide open and free in the 1990s, too many people abused it.
From the article:
To prevent that sort of sharing [of wi-fi networks] from becoming prevalent, you’ll hear scary stories about creeps driving around to get a free connection and downloading porn on someone else’s account. Really? How many people are actually suckered into believing that sort of hokum? Whatever the case, I seriously do not think that this is a widespread problem.
“I seriously do not think this is a widespread problem….” Then the burden of proof is on the author. Maybe nobody’s done that on his wireless network. Nobody’s broken into my house and stolen all my copper pipes and wiring either, but that doesn’t mean it isn’t a problem.
But Dvorak is confusing the widespread problem with the worst-case scenario. You don’t want someone to use your Internet connection for something illegal and then have to prove your innocence. It’s bad enough if you’re busted and have to prove it was someone else who used your connection to download a few terabytes of boy-band MP3s or chick-flick AVIs. Then you’re out a few thousand dollars, or tens of thousands of dollars. If someone does something that would get you put on a sex offender list, in some people’s minds, you’re forever guilty. It can ruin your life.
Call me paranoid, but I’d much rather just take ten minutes and secure my network. I don’t want a 0.0001% chance of it happening. I want exactly zero chance of it happening.
Of course, the more likely threat comes from strange machines marching across your network. You don’t know where they’ve been or what they’ve done. You don’t know what malware they’re carrying, and how it’s going to try to jump onto your machines.
Connect a Windows PC to the Internet without a firewall, and it takes minutes for it to become infected. The number drops every year. In 2004, the survival time was 20 minutes. In 2008, it had dropped to 4 minutes. When you allow strange machines to connect to your network at will, you’re circumventing your firewall.
Everything could be OK. Just like if I leave my doors unlocked, everything might be OK. But all it takes is someone trying the door sometime for it to no longer be OK. And just because it’s never happened doesn’t make it less risky. I deal with that mentality on a weekly basis.
I could go on thinking it’s a shame that people lock their doors these days. After all, someone might need to walk in and make a phone call. The problem is, it’s more likely that someone is going to help themselves to the silverware.
And when wireless networks are concerned, the threats won’t always be human. A specific type of malware, called Typhoid adware, spreads itself via unsecured networks. It’s only going to become more common. There will come a time when using an unsecured wireless access point will be just as dangerous as connecting to the Internet directly with no firewall. Right now, Typhoid adware is more theory than practical, but it’s only a matter of time before real-world implementations of it appear. And after that, it’s only a matter of time before it appears with the ability to crack weakly protected networks.
Having unsecured networks just makes less and less sense as time wears on, and the arguments by their proponents aren’t getting any stronger. Dvorak’s mentality is the old way of thinking. When I was in college in the mid-1990s, many people kept their mail servers wide open. It was the polite thing to do. That way, if your mail server was down, you could just switch your computer to use some other mail server to send e-mail in an emergency. Then spam became rampant. It used to be that closing off your mail server was rude; now it’s keeping your mail server wide open that’s considered rude, or downright negligent. Unsecured wireless networks will follow that same path.
In fact, if anything concerns me, it’s that the security that’s out there right now isn’t enough. Looking around my neighborhood, I still see the occasional WEP network, which is a really weak lock–enough to keep the honest and the lazy out. WPA is better but not fully secure. And WPA2 is secure enough if you have WPS (Wi-Fi Protected Setup) disabled.
“We want people to stop thinking that they can be complacent and make assumptions about security, because the bad guys aren’t complacent at all. They are creative, intelligent, and always take the path of least resistance. It is truly a case of ‘If we can do it . . . so can they.’”
Right now the path of least resistance is the unsecured network. The rung above that is WEP, followed by WPA, followed by WPA2 with WPS enabled, followed by WPA2 with WPS disabled, followed by no wireless at all. The top rung of that ladder will always be no wireless at all, and if that’s practical for you, it’s where you want to be. For the growing number of people who find that impractical, they need to be as high up on the ladder as they can get.
Rich and his friend Mike put the ability to crack virtually any network into an airplane with a 6-foot wingspan. It could just as easily be put in an Internet worm that jumps from laptop to laptop, collecting networks as it goes, the same way the Love Letter virus ravaged computer networks and collected e-mail addresses nearly 12 years ago. It’s just like the New Madrid Fault in southern Missouri. We can’t talk about if that fault blows. It’s overdue. It’s a matter of when.
We can secure our networks now, and make it pretty much a non-event like Y2K was when it happened. Or it could be the next Love Letter or Nimda, or worse. And that’s why Windows makes it a point to tell you whether any network you connect to is secure or not, these days, and browser makers are trying to take it a step further with DNS over TLS.