[ISN] Safe and insecure

InfoSec News isn at c4i.org
Wed May 19 08:20:30 EDT 2004


By Micah Joel
May 18, 2004  

Last week, I turned off all the security features of my wireless
router. I removed WEP encryption, disabled MAC address filtering and
made sure the SSID was being broadcast loud and clear. Now, anyone
with a wireless card and a sniffer who happens by can use my
connection to access the Internet. And with DHCP logging turned off,
there's really no way to know who's using it.

What's wrong with me? Haven't I heard about how malicious wardrivers
can use my connection from across the street to stage their hacking
operations? How my neighbors can steal my bandwidth so they don't have
to pay for their own? How I'm exposing my home network to attacks from
the inside? Yup.

So why am I doing this? In a word, privacy. By making my Internet
connection available to any and all who happen upon it, I have no way
to be certain what kinds of songs, movies and pictures will be
downloaded by other people using my IP address. And more important, my
ISP has no way to be certain if it's me.

In mid-April, Comcast sent letters to some of its subscribers claiming
that their IP addresses had been used to download copyrighted movies.  
Since Comcast is not likely to improve customer satisfaction and
retention with this strategy, it's probable the letter was a result of
pressure from the Motion Picture Association of America or one of its
members. And to Comcast's credit, it stopped short of direct
accusation; instead it gives users an out. Says the letter, "If you
believe in good faith that the allegedly infringing works have been
removed or blocked by mistake or misidentification, then you may send
a counter notification to Comcast."

That's good enough for me. I've already composed my reply in case I
receive one of these letters someday. "Dear Comcast, I am so sorry. I
had no idea that copyrighted works were being downloaded via my IP
address; I have a wireless router at home and it's possible that
someone may have been using my connection at the time. I will do my
best to secure this notoriously vulnerable technology, but I can make
no guarantee that hackers will not exploit my network in the future."

If it ever comes down to a lawsuit, who can be certain that I was the
offender? And can the victim of hacking be held responsible for the
hacker's crimes? If that were the case, we'd all be liable for the
Blaster worm's denial of service attacks against Microsoft last year.

Don't get me wrong. I'm not deliberately opening my network to hackers
and miscreants bent on downloading copyrighted material. I'm simply
choosing not to secure it. That's no different from the millions of
people who haven't installed anti-virus software and the millions more
who don't keep theirs up to date. Yes, their vulnerabilities allow
viruses to spread more quickly, but that's their choice, right?

What about the security of my home network? A determined hacker may be
able to crack my passwords or exploit weaknesses in the operating
system that I never even thought of, but how is that different from
before? There's no system that's completely secure, so whether hackers
are inside or outside my firewall will make little difference. I'm
willing to trade a little security for privacy.

It feels strange to be opening up my network after years of vigorously
protecting it, and it's not without a tinge of anxiety that I do so.  
But there's also a sense of liberation, of sticking it to the Man,
that's undeniable, as well as an odd sense of community. It seems
there's safety in numbers after all, even among strangers.

- - - - - - - - - - - -

About the writer Micah Joel is a systems engineer for a software
company, an award-winning tech presenter and an early adopter of home

More information about the ISN mailing list