Bruce Schneier: "Securing my wireless network isn't worth it."

« Nugache Overhauled, Overtaking Storm Worm? | Main | Justice Dept: Don't Sweat FISA: Big Brother's Broke Anyway »

January 10, 2008

Bruce Schneier: "Securing my wireless network isn't worth it."

Security dude Bruce Schneier says he doesn't bother enabling encryption on his home wireless network:

"To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.

"I'm told that uninvited strangers may sit in their cars in front of my house, and use my network to send spam, eavesdrop on my passwords, and upload and download everything from pirated movies to child pornography. As a result, I risk all sorts of bad things happening to me, from seeing my IP address blacklisted to having the police crash through my door.

"While this is technically true, I don't think it's much of a risk. I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence."

I have a friend here in Portland who runs an open wireless network on the same principles of mutualism and neighborliness. The only thing I'm aware of that she's suffered from is one persistent bandwidth hog somewhere in close proximity.

I'm not very interested in leaving my own network open for a few reasons, the biggest one being a testbed server I've got sitting here on the network. If it's too much trouble to Schneier to configure his network security, it's too much trouble to me to secure that one, continually changing box. How good are the chances someone could come along and find it, exploit it and use it for evil purposes? Astronomically poor. I think I don't care.

He also mentions that evildoers are more likely to use any of the "five open wireless networks in coffee shops within a mile" of his house.

The proliferation of open wireless access also blunts my enthusiasm for leaving the front door of my network open.

Points to him for honesty when he reports the reactions of lawyers to his approach:

"While none thought you could be successfully prosecuted just because someone else used your network to commit a crime, any investigation could be time-consuming and expensive. You might have your computer equipment seized, and if you have any contraband of your own on your machine, it could be a delicate situation. Also, prosecutors aren't always the most technically savvy bunch, and you might end up being charged despite your innocence. The lawyers I spoke with say most defense attorneys will advise you to reach a plea agreement rather than risk going to trial on child-pornography charges.

Finally, he offers this, which is really the root of the problem:

"If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."

So: there are lots of open access points businesses are happy to provide, and unless you're the type to shrug off stuff like "cops impound all your computer stuff and you end up having to cop a plea for something that'll end up getting you on a registered sex offender list," the consequences of not flipping the encryption switch will be brutal, and besides ... you're Bruce Freaking Schneier, so just ... you know ... secure your computer!

I'm not there yet.

(Link)