Wednesday, May 26, 2010

Open Wi-Fi - My Thoughts

Now, I'm not a huge fan of Google's international wardriving efforts recently - personally I think that a company that promotes "Don't be evil" as an unofficial company motto should be trying to live up to that.

Now, having said that, if someone has an open Wi-Fi access point, then they MUST accept accept some of the responsibility if their connection gets abused.  I'm not saying - in any way - that the abusers should be absolved of their responsibility to the Law, but I am saying that the owner of an open Wi-Fi Access Point that's broadcasting it's openness to the world (which they do) needs to take some responsibility for their slackness and lack of consideration for their own security.

This is in no way any different to someone who left their house unlocked and a sign on the street letting passers by know this.  The insurance company certainly wouldn't be likely to pay for their loss of property - so if they do the same with their Wi-Fi, why should an insurance company, ISP or anyone else reimburse them for losses?

Yes, in both cases, the people stealing their property need to be prosecuted according to the relevant Laws.  They had no defined right to be there, therefore they should cop a legal whack for being criminals.  But this should not absolve the owner of the Wi-Fi AP from their responsibility to provide an acceptable form of security.

WA Greens Senator Scott Ludlam, as reported in CRN, asked the Australian Privacy Commissioner (Karen Curtis) about the legal status of Wi-Fi APs that you happen to drive past and pick up, to which he got the response:

"We have not firmed our legal perspective on it yet, but it would appear that if you have an unsecured wi-fi network you probably are publicly broadcasting, so you may expect that others may intercept it," Curtis replied. "We would be urging people to make sure they secure their networks."
I have to agree with this - if you don't secure your own property, you need to accept some responsibility when it is abused.

As an SMBiT Professional, we at Quark IT hold the safety of our clients' data in high regard and ensure that we deploy Wi-Fi Access Points with WPA2-PSK (AES) encryption, even at home locations.  This is the *only* current non-enterprise (read: needing a server to secure the Wi-Fi AP) security that hasn't been compromised - even WPA2-PSK (TKIP) is no longer secure, and WPA as well as WEP are nowhere near secure.

It is our responsibility, as SMBiT Professionals to ensure our clients are protected - the real problem comes when a home user buys a Wi-Fi router or access point from National Irons, Curling Wands and Computers and takes it home without being told about the need for Wi-Fi security.  How do we fix this issue when the large national and multinational chains can't take the time to inform their customers of the dangers of ineffective computers because the salespeople won't make commission that week if they do their job thoroughly?


The Outspoken Wookie

No comments: