Open Wireless Movement
openwireless.org

One solution to the privacy problem is running OpenWRT with cjdns [1] on the routers and clients, and using its IPTunnel feature [2]. The list of supported platforms is steadily growing [3], and it'd be something that runs alongside the existing IPv4/DHCP setups just fine.
[1] https://github.com/seattlemeshnet/meshbox
[2] https://github.com/cjdelisle/cjdns/tree/master/tunnel
[3] Desktop/Server Linuxes, Android, OpenWRT, OSX, FreeBSD. Even Windows support is being worked on.
The author of cjdns himself admits that it is aimed at power users/enthusiasts.
cjdns will never be a workable solution for the general public, and I wish people would stop recommending it.
> cjdns will never be a workable solution for the general public, and I wish people would stop recommending it.
I disagree...I believe in its current state it is not catering to the general public, but it's basically alpha software with a small bootstrapped network. Long-term, the idea is to make things more user friendly and appeal to a wider audience, but it's inaccurate to say it will "never be workable". Recommending it to a highly-technical targeted audience like HN seems entirely appropriate.
* I run 4 cjdns nodes
"Someone's been committing crimes from your network."
"It must be someone using my open wireless point."
"Sorry to bother you sir, have a nice day."
I can't see it happening that way somehow.

What if it was a coffee shop, hotel, or other business?
I agree with you that the authorities aren't likely to treat individuals as well as they do businesses (at least in most countries). But the fact that they're already not gonna put a Starbucks manager in jail because someone did something illegal from Starbucks wifi -- suggests to me that there is an opening to agitate for individuals being treated with similar respect. The Open Wireless project clearly aims to make open wireless a normal and expected thing, so that legal norms will have to follow, and there will be political pressure for them to do so.
But yeah, I think it's as much of a social project as a technological one, which they seem to acknowledge in their self-description.
One would think that it would be Starbucks corporate legal and not the manager that would answer that kind of query.
Do you or I have the legal representation of Starbucks corporate?
There have already been cases where courts decided that way.
But I wonder whether it'd be possible to route all guests to Tor.
Edit: Comcast is planning to open all home routers in Houston, unless users opt out. The justice system might just have to get used to this.
http://slashdot.org/story/14/06/10/1751255/comcast-convertin...
I'll go ahead and say it won't happen that way. Whether they can or not, they will say something to the effect of "It happened on your network; you're responsible unless you can prove it wasn't you."
That isn't how the legal system works in the US. There have been cases decided this way already.
Some other things to worry about, if you sell anything on eBay or Amazon as a hobby: they have pretty complex systems to detect linked accounts. If someone were to log into a "banned seller" account on your network, it can be a nightmare to convince eBay or Amazon that it wasn't you, and you can most likely be banned from selling on their systems forever. Just seems like a lot more to worry about.
Open does not necessarily mean insecure. See e.g. http://www.riosec.com/articles/open-secure-wireless-20
Until somebody uses your open wireless for child porn and the cops come asking you questions.
An interesting counterpoint from Bruce Schneier: https://www.schneier.com/blog/archives/2008/01/my_open_wirel...
And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.
In Germany this defense wouldn't really help you much. You're (partially) responsible for the crimes that are committed over your unsecured network. It's called "Mitstörerhaftung".
I can attest as an American in Berlin -- Germans are VERY serious about their privacy. This is especially true when related to the network/internets.
No, Mitstörerhaftung is a purely civil concept that does not -- and could never -- extend to criminal law.
Where does he live? It makes a huge difference if he lives in a farm house in the middle of a field or if he lives in an apartment building in the middle of a large city. If you live in such a way that the only way for me to see your network is to sit in my car in your driveway, then perhaps. However, from the comfort of my sofa in my living room I can 'see' about a dozen different wifi networks (and by extension at least a dozen people can see my wifi network from their sofa).
That kind of changes the math a bit. I don't want a dozen people torrenting off my network, not because I'm afraid of getting in trouble, but because it degrades my ability to use my network.
He has been having second thoughts though: https://www.schneier.com/blog/archives/2011/04/security_risk...
I've had enough experience with being cut off first and asked questions second. Running a server at home, this wasn't pleasant. I don't fancy trying out how often random people manage to cause abuse reports with my ISP - let alone the police. Besides, wireless isn't magically limited to the confines of my home and garden. It's not basic politeness like a cup of tea as the page claims.
Yes; this happened to me. They didn't come asking questions so much as having a search warrant... http://bit.ly/seizure1111
> ... they asked [us] to wait outside while they conducted a preliminary search ...
Is that legally enforceable? They have a search warrant, not a warrant for your arrest. How are they in a position to demand you leave the premises?
That's some scary stuff either way, thanks for sharing.
How often does this actually happen? I am just not worried about it. I have been running open wireless access points at every home I've lived in for the past fourteen years.
I love the idea, though the paranoid security-conscious developer in me is really worried about the security for average users. I'm not worried about the individuals opening up their routers; there is always a risk, but that can be mitigated. I'm more worried about average people thinking that whenever they see an openwireless.org hotspot, it's safe. And it's obviously not, or I wouldn't know about my neighbour's banana fetish. (joke, please don't arrest me) I know people sign in to any open network regardless, but this has a brand that can be exploited and then blamed.
Especially since most devices auto-associate with known networks.
Under the status quo, if I'm desperate for Internet I make a gut decision on how trustworthy I think the nearest random open network is based on the context of my present situation. If openwireless becomes the default, I might decide that in this random small town coffee shop, openwireless is probably trustworthy and associate with it. I do my business and leave. Then, I could be walking through an airport and pass someone who's set up a malicious base station using the openwireless SSID. My device could associate with it and put me at risk without me even knowing.
I've configured my Nexus 5 to auto-connect to any open "linksys" SSID. How would this be any different?
Don't rely on SSID for security. Rely on SSL/TLS and certificate pinning.
It's not different. It's not even necessarily bad. It's just worth considering while evaluating this proposal.
And what if you need to login to a site that isn't SSL-secured? There's nothing the end user (you) can do about that.
You should never be using a site without SSL if you're passing authentication information.
Now, while I understand this is out of an end user's control, that shouldn't cause us to throw the idea of a shared wireless network out the door. That should cause us to look at non-secure sites accepting credentials, and how to prevent that behavior in the first place.
https://www.eff.org/https-everywhere
This site helps with this issue by forcing SSL on any site.
Installing a browser add-on doesn't make websites lacking an SSL certificate magically acquire one. The fact is that there are still a lot of sites out there that don't have them.
You use a VPN to tunnel to a trusted server and have it initiate the cleartext connection to the site, keeping the traffic between you and that server encrypted.
Not easy, as in not everyone has access to a __trusted__ VPN tunnel server.
Difference from FON? [1]
Does anyone here from the USA use FON? I've only used it as an "alien", but I was able to purchase internet on demand from my apartment while living in Spain for a few months. Getting access from a telco required a bank account or Spanish ID number that we were unable to provide, and FON ended up being cheaper anyway.
For starters, you don't need to spend $50+ on extra hardware.
How about we make a wifi tax so that everyone pays for it and then have open networks?
How about WiMax?
How about asking the ISPs to implement the free WiFi and flat subscription rates with no tiers?
How about asking the mobile companies that already cover urban areas to make HSDPA/UMTS/LTE free?
Plenty of more efficient ways to do this than this open network movement. And yet you're asking the individual who has the smallest bandwidth fraction of all these players, and the one who pays the most per MB of bandwidth, to make it free? Not. gonna. happen.
Is there a reason for recommending an insecure network? Would suggesting a global default password for an encrypted network be better? It can be as simple as 'openwireless'.
That's not a password, that's a shared private key. Encrypting everyone's traffic with the same private key provides no real security benefit at all.
What would that protect against?
The only use that I see for a standard-password approach is that it would circumvent some ISPs' terms of service that say you can't run an open network. But even then, a court may find that a closed network with a password like `openwireless` (i.e. as part of OpenWireless.org) is an "open network" anyway.
Using an open network without encryption allows a passerby to listen in to all of your traffic. Unfortunately not all websites are using SSL yet.
If an attacker knows the network's pre-shared key and has intercepted the handshake, they can decrypt your traffic.
I guess I should have read the comments on this post: http://steve.grc.com/2010/10/28/instant-hotspot-protection-f...
No, because you can set up a honeypot knowing this password, and then mirror your input to the sites you visit after I collect your information.
That's possible without a password too, except that anybody in the area can MITM you instead of just people who bothered to set up honeypots. AFAIK WiFi only provides encryption on networks with a password.
Right, this would avoid Google's argument that they can sniff unencrypted data from your wifi since it's being broadcast in the clear out into the street. At least having a per-session key would count as a legal defense against drive-by sniffers.
How isn't such a setup insecure?
Using current standard consumer technology, it would have some security issues.
That's why they say:
> We're working with a coalition of volunteer engineers to build technologies that will let users open their wireless networks without compromising their security or sacrificing bandwidth.
There are a variety of technological solutions possible, many of which could be implemented in firmware (see OpenWRT). I'd guess if we dig deeper on their website, we might get to their tech plans; I am not familiar with them specifically.
Although, honestly, if you're counting on nobody being able to sniff your traffic in transit for security, you don't have enough security anyway. But still, yeah, I wouldn't want to make it that easy.
Per-device (session?) keys.
Actually, IEEE 802.11u implements something like EAP-UNAUTH-TLS, where the client authenticates the server but the server does not authenticate the client.
After that, the best would be to push the whole traffic through Tor (or even to run a Tor exit node, if nobody can say from which side of the network the request comes from ...).
I've always thought it would be a good idea to just route all traffic through Tor with an insecure SSID (and a separate one for yourself). It would take care of security concerns, or getting blamed for torrenting.