Reader Poll: Wi-Fi Can Be Safe And Useful, But Must Be Deployed With Care

By Mitch Wagner

We didn't make a lot of friends with our recent article interviewing digital rights activist Cory Doctorow, who said the security risks of Wi-Fi wireless networking are completely overblown.

Readers told us that Doctorow is off base, and we were equally off base for publishing his views.

But readers did not say that Wi-Fi is too dangerous to use. Many actually agreed with at least some of Doctorow's views -- that it's ridiculous for some authorities to say running an open Wi-Fi connection is aiding terrorism.

Readers compared Wi-Fi to fire, and to knives -- tools that are useful and perfectly safe if handled correctly.

The most trenchant criticism, we thought, was that Doctorow grossly overestimates the ability of IT to keep the network secure. Keeping up with software security patches -- literally a full-time job in some enterprises -- is overwhelming. Doctorow recommended installing personal firewalls on every PC, but in real life, that's prohibitively expensive. He also recommended encrypting all traffic moving over the network, but in real life, that's computationally expensive, and therefore a financial expense too great for most enterprises to bear.

Readers said Doctorow was half-right in saying that the risks of people sniffing on Wi-Fi network traffic are no greater than the risks of sniffing on any network traffic where text is in the clear. But the problem is that it's much easier to sniff traffic on a Wi-Fi network than on a wired network. Wi-Fi networks are much less forgiving of security vulnerabilities than wired networks.

Some people picked on Doctorow's night job; he's a science-fiction writer whose first novel has just been published. We thought that was a cheap shot; we're science fiction fans ourselves and we enjoy Doctorow's fiction. There's no fiction in the debate about Wi-Fi.

But still, readers like Wi-Fi. And they believe that open, public, and free Wi-Fi network access is a good thing -- in its proper place -- coffee shops, hotels, shopping malls, and city parks. But not in the enterprise.

In our Wi-Fi Water Cooler poll, we asked:

How dangerous do you think Wi-Fi is? Rate the risks from 1 (lowest) to 4 (highest).

We received 574 responses. Here's how they broke out.

• 63 percent: "2. It's safe when used properly, but needs to be handled with care."
• 19 percent: "1. Cory's right -- the alleged risks of Wi-Fi are just a bunch of foolish superstition."
• 10 percent: "3. Wi-Fi is pretty dangerous. Although it has some applications, it's too risky for widespread use."
• 5 percent: "Cory's crazy. Wi-Fi is extremely dangerous, and anybody who runs an open Wi-Fi connection is a menace."
• 3 percent: None of the above.
• 57 of you took the time and trouble to write in, for which we are grateful. Here's what you had to say:

---

This is more of a response to the article than to Wi-Fi dangers in general. I'm not quite sure how being a freelance sci-fi writer makes one a Wi-Fi expert. It is clear from his assertions that he not only does not understand security but he does not understand networking either.

Example 1: "They don't generate enough collisions to matter." Full duplex networks should not have collisions so I guess in a sense he is right, but what this has to do with anything is unclear.

Example 2: "A router is capable of multiplexing 10 megabit-connections ..." Multiplexing is a term which means taking several signals and combining them on one channel. His statement makes no sense. If you have a 10-megabit Ethernet port on a router, how do you multiplex it to get more throughput than 10 megabits? You don't. A 10-megabit port is capable of 10 megabits, no more.

Example 3: "Firewalls are bankrupt technology predicated on the idea that everyone on one side of the firewall is trustworthy, and no one on the other side of the firewall is trustworthy." If this is his assumption, then he is correct in that HIS firewalls don't work. In the REAL world, no one makes this assumption. This also implies that firewalls are only used on the perimeter and nowhere else. This is simply not the case in most enterprises.

Example 4: "Doctorow encourages enterprises that maintain Wi-Fi connections to leave them open to public access. Doing so is a service to the community: It builds goodwill and costs nothing." He suggests, "The solution is not to limit Wi-Fi, but rather to install personal firewalls on each computer, and encrypt all traffic." This does not sound like a no-cost proposition to me. Truth is, very few companies have personal firewalls installed on all their PCs and servers. Furthermore, many legacy systems do not have firewalling technology available for them. How do you protect those systems?

Example 5: On the topic of eavesdropping he says this is not a Wi-Fi problem, "since any network where text is moving in the clear is susceptible to the same kind of eavesdropping." Here again he is only partly right. He is correct that clear-text protocols are susceptible to eavesdropping, but maintaining that risk is the same for wired and wireless networks is simply wrong. How difficult is it for someone sitting outside my building to eavesdrop on my wired connection? Pretty difficult unless they are a foreign government or a three-letter agency. Eavesdropping on clear-text communications on a wireless connection is extremely easy, even for a relative novice.

There are other examples of inaccuracies and half-truths in this article but I don't have the time to expose them all. By allowing sci-fi writers to pose as wireless and security experts you do the networking and security community a great disservice. -- Kevin DePeugh, San Francisco

Mr. Doctorow, keep up the good work! You are absolutely right, when I war drive, I always have good intentions. Why just the other day I merely wanted to check the status of my recent eBay purchase (Jim Nabors' greatest Bible songs), so of course it made sense to hop on someone else's net to do so. Of course you are absolutely right, most wardrivers are just like me. Those silly cyber cops, always making up all that jibber jabber about the evil hackers and crackers. Utter nonsense! Surely, no one would ever hop on an unprotected Wi-Fi link, and do the evil things that those "Chicken Little" naysayers would want us to believe. Why just the other day, I heard one of those silly cyber cops actually say that an evil hacker type can actually "listen" to stuff on a network with some thing called a sniffer. Oh my, isn't that just the funniest thing you ever heard? Imagine that, he actually called this thing a "sniffer." Boy, do those guys have an active imagination or what? What would anyone possibly want to "sniff" on my company's network? This same stiff actually had the audacity to tell me that the so called "evildoers" like to use unprotected networks to help mask their identity, and help cover their tracks when they are carrying out evil against other targets. Jeesh, what folly!

Imagine that he actually thinks there are people out there that "attack" others. Ha, ha, ha, that is a funny one. And then, the other day while at our monthly Bible study group, I overheard a few "security professionals" discussing the fact that many companies don't have the resources to adequately patch and protect all of their internal network devices. Boy, are those guys dead wrong or what? Why, everybody knows that's utter nonsense. Imagine that, I'm sure the admins at my company applied the latest IIS patches to all of our 2,500+ servers in a few minutes or less. Boy, and they actually pay these "security" guys for this type of thinking. Well, anyway, I've got to run, I see the meter maid coming, and I'm all out of quarters! Gotta go hop on somebody else's network to finish this post! Keep up the good work, and someday we'll educate the masses on just how "safe" things really are out there. ;) -- Tom K, TomK Tech, Philadelphia

All I can say is "Thanks a lot!" Those of us down here in the trenches every day trying to educate our users on real risks presented by technology and the proper means to safely implement it are done a tremendous disservice by publishing this type of nonsense. You tout Cory Doctorow as an "expert"; I don't know what he's an expert on, but it isn't security.

The bottom line is the risks as commonly described are real, but can be easily mitigated by proper setup and configuration. Is the sky falling? No, but in my association with officials in law enforcement that deal with these issues daily, I've not heard a single one of them hype the risks as mentioned in this article. They're generally very hard-working, dedicated individuals who genuinely care about protecting the welfare of the citizens of the country (not to mention their lives!). To portray them otherwise is doing a tremendous disservice to them. Have Wi-Fi security risks been sometimes over-hyped by companies that have a vested interest in scaring people? Yes, I'm sure this has happened at times, but this isn't anything new in the security industry, or in any other industry for that matter.

Let me address but a few of the "debunks" quoted by Doctorow in the article.

Regarding the issue of unauthorized use of Wi-Fi networks, Doctorow mentions that these users utilize but a small percentage of the available bandwidth, implying that therefore consuming available bandwidth shouldn't be a concern. He then goes on to describe the network capacity based on the capability of the backbone routers to switch connections. However, he goes on to describe the available access-point bandwidth as generally around 2 Mbp/s, depending on the implementation. This is generally a shared access, meaning that this bandwidth is shared among all of the users deployed on this access point. In common corporate deployments, this may be adequate to support perhaps two to five users, depending on the types of applications being utilized and the type of user. The number of Wi-Fi access points deployed in support of the business is based on this assumption. Any additional unauthorized use may be enough to keep an authorized user from being able to adequately perform their job function (or even get connected), as 2 Mbp/s of shared bandwidth really is minimal when compared with typical wired available dedicated bandwidth to business users of 10-100 Mbp/s.

The problem isn't with the available backbone capacity, or even the available access-point bandwidth. The simple reality is that corporate networks utilizing Wi-Fi are a resource paid for by the investors of the business. Unless they've made a conscious decision to contribute to the public's welfare by making available free network connectivity, the resources are purchased and installed in support of the business of the corporation. Is there anything wrong with public Wi-Fi networks, made available for the convenience and entertainment of the masses? No, so long as individuals use these responsibly. But to leap to the conclusion that ALL networks should be open to the public is simply ludicrous.

Another obvious concern with Doctorow's assumptions here are the simple risks of having anonymous, unauthorized users floating around on your network, with access to the same information and systems that the trusted, authorized users on your network do. I don't know about him, but this would sure be a concern if it were my network.

To assume that everyone is good-hearted and ethical, with nothing but good intentions, and we should therefore all open our networks to anyone (anonymously, mind you!) who should desire access is an altruistic and unreal view of the world. I see it every day in the hundreds of attempted attacks against our company's network and systems. The simple reality is that for all of the good things available on the Internet, there is a lot of bad stuff going on all the time also.

You quote Doctorow as saying "the problem is firewalls, which don't work, haven't worked, and aren't going to work," etc. So I guess all companies ought to just pull these out and get rid of them? This is another ridiculous assertion. Are firewalls foolproof? Of course not; no security protective device of which I am aware of is, but that's why we depend on security in-depth, and not on a single protective device. Firewalls may have originated in the mind-set of a trusted vs. non-trusted world 10 years ago, but today they are filtering devices that separate trusted from non-trusted connections to legitimate external resources, business partners, and the like. They do perform a very valuable function in providing a barrier that keeps the majority of those that have no business on our company's network off of it.

The issue of war-driving/war-chalking has nothing to do with the fact that "being a computer cop is incredibly boring," and therefore they have nothing better to do then spread FUD over this issue. Though there may be a little too much hype in some of the reports on this issue (mainly spread by the media, not the security experts themselves), exposing your corporate network to anonymous, unauthorized, and unintended use is certainly a risk, as I've previously described (how much of a risk is dependent on the confidentiality and sensitivity of your business information and communications, and only you can determine this). This is something that has DESERVED attention, and I for one am glad to have seen this well publicized.

I'm not a lawyer and can't authoritatively comment on the issue of liability regarding the inappropriate use of Wi-Fi networks (or any other network for that matter, as the issue is much the same). However, I have read of cases where companies have been sued where devices on their network have been hacked and used as a means to attack other companies, resulting in a significant loss or damage for the victim. I wouldn't assume that your company has no liability in these matters unless you're prepared to show you've done due diligence in trying to prevent these types of incidents from occurring.

So, is the sky falling? No, but there are legitimate concerns regarding the deployment of Wi-Fi, well documented by real security experts. The good news is that these can be well mitigated by the careful configuration and deployment of Wi-Fi technologies. But publishing bunk from so-called experts that completely gloss over the risks serves no one (but these "experts"). -- Keith Fowler, manager, IT security, LG&E Energy Services

I agree with Cory Doctorow that some of the fears are overblown, but his arguments are often no better than his critics. I'll address some of his points specifically:

Yes, eavesdropping is a security problem in all types of networks, not just Wi-Fi. Wi-Fi just makes it a whole lot easier, more convenient, and safer for the hacker. This makes no difference to the real criminals, but it encourages mischief, and pranks can do a lot of harm.

Yes, criminals often gain access to the network from the inside. But they just as often gain access to the network from the outside. So should we ignore the outside threats? Of course not.

Yes, "A router is capable of multiplexing 10-Mbit connections and making sure the traffic gets through." But anyone who has used an ISP knows that the networks can slow down during peak traffic times. Collisions or no, bandwidth is not unlimited and routers are not magic. If hackers are downloading porn on my Wi-Fi while I'm trying to get the latest Linux install, you bet I'm going to feel it.

Presumably, the wardrivers will be doing heavy uploading or downloading; if all they wanted was to send an e-mail or chat on IM, they would use a 'Net connected coffee house or library, as Doctorow suggests.

Regarding liability, Doctorow says, "A good lawyer will tell you to laugh it off." But that presumes I've gone to the expense of hiring a good lawyer. ISPs may be protected by law, but they still get sued. Sadly, in our legal climate, even the threat of a lawsuit can scare people away.

Doctorow notes that, "The practice of spamming is to get a stack of America Online CDs and sit around in your underwear in the living room and send all the spam you want." That's true, because that's been the easiest way so far. Spammers may not be early adopters, but when they discover the advantages of Wi-Fi, they'll embrace it. And why not? Everything that makes open Wi-Fi good for the legitimate user makes it good for the spammer.

"Hating the phone company is a grand American tradition," and one which Doctorow seems to revel in, but the phone companies have built a lot of the network infrastructure that we now take for granted. Sure, they used our money to do it, but I can't imagine a bunch of Wi-Fi freeloaders pooling their money to lay a new OC-48 line. -- Steve Schmitt, senior developer, Lante, San Francisco

I find that most of the hysteria around Wi-Fi is generated by those that have the most to gain. Security vendors selling products, security staff wanting to empire-build, and security consultants selling services. Yes, there are risks, but they are known and relatively easy to mitigate. Horror stories that are quoted are from sites that should have known better.

Look before you leap but don't just sit there quivering!! -- David Marshall, principal consultant, Count Consulting, Ottawa, Ontario