Wednesday, May 19, 2010

The Case Against Free Public Wifi

As a teenager in today's age, I have recently suffered one of the most horrible experiences one can have in his or her lifetime: a lack of Internet connectivity. Indeed, my phone line went out recently, and the DSL went with it. (Fortunately, I am slightly exaggerating here; I can do just fine without a few days of Internet.) But with more and more products going mobile and online, you are really placed at a disadvantage if you have no way to access the Internet. Data plans and smart phones are expensive, and Wi-Fi is limited to your house and free hot-spots (and the occasional FiOS network that has not changed the default password). Is there a way to give Internet to everybody without costing much or slacking on availability? London's mayor thinks so, because he recently promised that by the 2012 Olympics, every lamppost will have free Wi-Fi access. But is public Wi-Fi for all a safe, secure, or even efficient option?

Consumers are definitely in need of a continuous channel through which they can access their online services. Google and numerous other companies have launched innovations in cloud computing like never before, making your computer essentially dead without an Internet connection. With such a hunger for constant connectivity, it only seems natural that people would jump to public Wi-Fi, which is essentially the wireless connection they have at home extended everywhere. This seems like a good idea superficially, because it does indeed provide everybody with Internet access. Furthermore, whatever company or government hosts this public Wi-Fi would have the ability to make some type of profit by offering premium services. But what I have been noticing more and more about public wireless Internet is the security risk that comes along with it.

The primary difference between connecting something like your mobile phone to a service provider and a laptop to a wireless router is that your laptop is not alone. While a smart phone would have a direct connection to the service provider through the cell antennas, laptop computers share a wireless network with whoever else is connected to that router, and all of these clients are held together in an internal network. The problem here is that this opens up all kinds of security risks, primarily because a random stranger on a computer now has direct access to your laptop's firewall. Chances are your computer is not a security stronghold, and you would not fare well against a direct attack. Even worse is that this risk does not go away even on your own home network! Most home wireless networks are secured with WEP, which has a number of security flaws and is obsolete in terms of security. (This does not even take into account the fact that my house is surrounded by three or four FiOS networks, all of which have not changed the default password for their wireless.)

Another problem with free public Wi-Fi is the identity of the service provider itself. Back in 2008, people were wondering why Windows kept showing a "Free Public Wi-Fi" ad-hoc network. Fortunately, the network was a result of something in Windows, but it could just as easily have been a cracking attempt. That free public Wi-Fi network might have been somebody across the room waiting for the unsuspecting computer user to connect and place their device at risk. This brings up the question of how we can establish the identity of the wireless network in the first place, considering there are no real protocols in place to exchange certificates with a router like you can do with a server over HTTPS.

Overall, though the public Wi-Fi in London may seem like a cool idea (and who knows, maybe everything will go well), the risks associated with such a plan are not worth taking on if you just want to give some Olympic stars wireless Internet. They would be much better off getting some Android phones with 3G and connecting to T-Mobile. I would take spotty service over a break-in any day.


  1. Actually the risk of you being hacked is rather minuscule and is overexaggerated. Just because you could be hacked doesn't mean you will be.

    Second, WEP is fast being replaced amongst modern routers and even though it is not the most secure (far from it), it is still better than nothing.

    Most importantly, the real issue here is not with the network, it is with the users. You are blaming a potential network for what is user error, or even user stupidity.

    If you care about your privacy at all, no matter what encryption a public hotspot is using, you will use a VPN when connecting and that is just one step that people will take.

    While your points are true to some extent, the fact of the matter here is that users need to be educated and need to stop blaming others for THEIR failures.

    Which would you prefer, free ubiquitous internet at the cost of educating users, or nobody has it because some people are too moronic to take the trouble of securing their connection when they use their laptops in public?

    Innovation and access should not be halted because some users refuse to educate themselves.

  2. You make some good points, but I have to disagree. While it is definitely true that user error is the cause of vulnerabilities in most common network situations (it really is amazing how stupid people are when it comes to computers, and annoys me quite often), in a way it is not their fault they are making such errors. Most people do not know what a VPN even is, let alone how to set it up, and there is no place to go to that will tell a user how to easily (and by easily I mean easy for somebody who uses their computer for only Facebook and social networking) set up such an encrypted connection. The same thing goes for firewalls and security software, since most good firewall solutions (for Windows, at least) cost money, and those good ones that are free nobody knows about.

    Also, about the possibility of being hacked: very true. The possibilities of being hacked at all are slim. But then why does everybody protect themselves anyway? It's because you cannot go on the assumption that an intrusion will not happen to you, because when it does chances are it would be really tough to recover. In fact, most security software is just a preemptive defense on something that is unlikely to happen, but you do not want to take the chances of being unprepared anyway. If you think that your computer will never be hacked, just turn off all your firewalls one day and leave your computer open. Did you actually do it? Probably not.

    Finally, with your last question, I will reply with a question: which would you prefer, free ubiquitous Internet at the cost of nobody using it because they consider it too insecure (if you have a good way of educating people, please tell me), or free ubiquitous Internet that just is not Wi-Fi?

  3. Actually the more I think about it, the more I believe your entire basis is false and here's why:

    Everybody, including these people who "know nothing about security" is already using Wi-Fi in their homes. Connecting to the network, broadcasting and receiving to and from their router, often in the clear as they haven't even bothered to enable basic encryption.

    For example, from where I am sitting right now I can pick up 6 networks (including my own). Only 3 of them are encrypted. 1 is on WEP, 1 is on WPA and then there is my own.

    So the threat, in terms of hacking, is perceived as being minuscule, because it actually is.

    With regards to firewalls, I would quite happily leave my firewall (which every router is btw) open all day long if I thought my only threat was somebody happening past and trying to hack me. Again, I probably have a better chance of winning the lottery.

    The reason we all have our firewalls turned on 24/7 is to block worms and other malware which automatically deploy through the internet and rely on open ports in order to infect your machine.

    As to your question of which I would prefer: a free ubiquitous internet which nobody used would not happen. Millions of people log on to wifi hotspots every day, this is no different. When they log on they have no idea how legitimate the hotspot is, or what software may actually be running on the hotspot's host computer sniffing traffic.

    And when it comes to the security behavior of people, you have to realize that what comes first for most people (rather foolishly) is convenience. That's why so many people don't run antivirus software, or if they do it is ridiculously out of date. That's why they turn off the scans when they start, because they are an inconvenience. That's also why so many people have unsecured routers at home, it's because they couldn't be bothered to lock it down (I know more than a few people like that).

    So security is not the issue. Convenience is, and it will win out. And if a few people get hacked, they'll learn their lesson and move on. People who don't know better are already being hacked every day at hotspots all over the globe and they eventually learn the lesson.

    As for educating people, that should be done in computer classes in schools, where pupils should be taught actual valuable skills, and through the media.

    And a free ubiquitous internet that is not Wifi? That would be something, but any and every network is vulnerable no matter how well designed it is. You can never take the human factor out of the security equation.

  4. You say that people are being hacked in hotspots around the world (so much for better chance than winning the lottery), but do you really believe they all go on and learn their lesson? People do not get hacked and then say "Aha, maybe I should start a VPN and put WPA encryption on my Wi-Fi." In fact, most people (or at least the people I know) who get hacked take it to somebody who they think can somehow save them from the inevitable. When you get hacked and somebody, let's say, deletes a few files off your computer, the normal user thinks first about retrieving those files (depending on their importance, of course) before worrying about future attacks. This is primarily because, as you said, successful hacking is hard to come by, but not nonexistent. Another reason people do not learn is because you need both will and material to learn something. After a hacking attempt, the will might be there, but the material is definitely not. It's not easy to secure your computer if you do not know what you're doing. (By the way, the turning your firewall off was a rhetorical question. A rhetorical question is a question that exists to make a point, not to actually be answered.)

    And as far as computer classes in schools, please. I mean I guess it's entirely possible that our education system flips a 180 and starts to think realistically about our children's education, but considering that even my own school, which is a technical school nonetheless, lost its last legitimate computer class two years ago, it is unlikely the trend will go our way. And on a last note unrelated to the argument, malware does not rely on open ports in your computer; malware is the worm, trojan horse, or virus that you get when you make supposedly legitimate transactions through other services, such as the Internet or email.

  5. I said worms and malware. By malware I mean malicious software. Worms do rely on open ports to spread, and trojans and other spyware which relay information back to a host, cannot send the information if your firewall (on your router) is locked down properly.

  6. Oh, and yes considering how many people use the internet every day at hotspots, it is rather like winning the lottery, but people win that too.

    And as for my comments about educating people through school you asked: "if you have a good way of educating people, please tell me".

    School is the perfect place to start. Just because it's not done now, doesn't mean it should not be or could not be.

    And Tyler: "By the way, the turning your firewall off was a rhetorical question. A rhetorical question is a question that exists to make a point, not to actually be answered."

    There is no need to be snarky because your assumptions are challenged. I am fully aware what a rhetorical question is. If your statement was correct it would not have been answered.

  7. Again, even worms do not necessarily rely on open ports. The ILOVEYOU worm of 2000 worked by attaching to emails.

  8. You cannot compare hacking to winning the lottery, one is determined by random numbers while the other is another person actively acting on another person's computer. Even if it was a valid comparison, I guarantee that there is not a 1 in 14 million chance you would get hacked if completely vulnerable. But this is beside the point: why even take that chance at all when you can be protected?

    And do you really think I am against putting computer classes in schools? I went to the school I am in looking to take those classes, and they disappeared right before I took them. Just because it's not done now doesn't mean it shouldn't nor couldn't, but it does not mean it will. If you read my and other high school students' posts about our education system, it has been going off-course fast in the past decade or so, and shows no sign of making a comeback without some massive and active effort on the part of students, teachers, and administrators.

    Finally, I hate to be an AP English Nazi or anything, but the point of saying "just turn off all your firewalls one day and leave yourself open. Did you actually do it? Probably not." is to say that people are unlikely to leave themselves unprotected, because doing so violates Maslow's need for safety, the second most important need. Just because you decided that you personally and purposely want to challenge my situation does not make my point wrong, nor does it make the question not rhetorical.

  9. One example of a worm that relies on a different deployment method does not invalidate why I said I'd need to leave my firewall on.

    I'm not debating this with you. From Wikipedia -

    "Unlike a virus, it does not need to attach itself to an existing program."

    "Worms spread by exploiting vulnerabilities in operating systems."

    In other words, worms, in general, do not require user interaction.

    The Wikipedia page is pretty short on content but it does contain some excellent links in the references and external links section. Read them, and learn a little about network security.

    Finally, an FYI. Your code for Google Buzz isn't implemented properly. It's displaying all stories as having the same number of shares on the front page of your blog, so the permalink for each individual post is not being passed to Buzz properly.

    I'm not that familiar with Blogger's template system, but you might want to have it pass the individual story URL to the button each time it is displayed. Should be simple enough.

  10. I forgot to include the wikipedia link, sorry :

  11. Travelling to the US recently, I discovered that the staggering data roaming costs (upwards of $3/MB) forced me to have to use public wifi to get onto the Internet (the majority of hotels in the US don't seem to have discovered wifi yet). Lurking outside a Krispy Kreme to get onto their network, I knew that it might be someone next door maliciously advertising as them, and I knew that many of my iPhone apps don't use SSL, but still I needed my fix.

    The Internet is always going to be insecure - 4G will give us better bandwidth from cell carriers and reduce the dependency on wifi, but it's still not really secure (and doesn't help roaming foreigners).

    Especially as apps move into the cloud, the responsibility is on the app developers to make sure that the apps are safe across a dangerous Internet, but this doesn't seem to be a major concern at the moment. Perhaps some kind of certification is needed so consumers can easily see when they are using unsafe apps (like the old "Verisign secure site" logos people used to splash on their sites). This would not be that hard in an app store, but much more difficult generally (beyond noticing the padlock symbol in the browser of course).

  12. Your interpretation of Wikipedia's definition of a worm is wrong. It is extremely rare that anybody other than an active person at a computer uses open ports as an exploit, since it is simply too hard. But as you said, that's not really the argument here.

    "Read them, and learn a little about network security." Really? Just because my views of public Wi-Fi differ from yours does not mean I'm an idiot. I do know quite a bit about network security. In fact, I probably know more of network security than I do social networking.

    And I've noticed the Buzz count before. Unfortunately, the problem is that there is no parameter to set the share URL (it's just a script tag). There is probably a fix but I have not had time to look for one.

  13. You have some very interesting concepts about web apps security. If only everybody had as much common sense. I mean, even Paul below this comment definitely has a lot of experience, interest, and care in this topic, but that only makes three of us. Not to say there is nobody that cares, but you get the point.

    Unfortunately, you are right that the Internet will never be secure. But I do feel that WiFi was never made for public use. WiFi was made for wireless versions of traditional Ethernet networks, which were used privately in homes and companies, not in public. Mobile computing should not use the same networking as desktop computing, because the two technologies were not made to fit together. 4G is at least made for mobile Internet, so it is probably relatively safer than WiFi.

  14. very interesting article, will share this with my friends, thanks!

  15. iSecurf – Wi-Fi Without Worry, lets you create your own key and surf worry free. Go ahead, do online banking at our hotspots.

  16. Response to Tyler and Paul's flamewar since this is the first time I'm doing this and Disqus is being strange? IDK. Chrome is just not playing nice with DISQUS.

    Anyway, in the end none of your opinions are totally correct. Normal Users are just that. Normal Users. They don't know how or why they should protect themselves on public internet. Nor do they care for learning it.

    If you deal with enough people, you're going to learn that people don't wanna take a crash course in internet security. They want a one click solution. And they should get that. It's not up to them to learn internet security. It's not their problem. It's our problem.

    But neither am I going to say that they shouldn't learn. In the end it's a very nice skill to have.
    But Public Internet is a very very interesting subject. While it's highly desired by many. It's not that easy to pull off. And no matter how many ways you string it, even an army of Tyler Romeos and Pauls could never stand up to that one REALLY GOOD HACKER.
    So Education is moot. But Public internet is possible. But I wouldn't do something statewide. Maybe sector wide? A square mile radius for one network? That way if one system gets compromised, the problem can be isolated and the rest of the networks updated. Really I'm just throwing ideas out. But I just wanted to say two things:

    1) Computer Education is moot. Government level systems have been destroyed by hackers with no prior hacking experience. A good number of the viruses we've seen were college projects or made at home.
    2) Public Internet is possible. Hard to do yes and certainly not perfect. But it's public. When was the last time you went into a public restroom and expected it to be made out of gold?

  17. I totally agree with you on the education thing, Kevin. You and I know from experience. As for Public Internet, while I agree with you that it is indeed possible, my main argument this entire time is just that Wi-Fi is not the solution for public internet. There probably is a solution out there, yet to be created, some protocol or something, but it's not Wi-Fi specifically (though, if public wi-fi did become widespread, constricted networks such as a square mile radius per network or something would be a good way to help protect people).