Join 3,561 readers in helping fund MetaFilter (Hide)


How Can I Run An Open Access Point Without Jeopardizing My Computer's Security?
November 21, 2005 4:07 PM   Subscribe

I owe a great debt of gratitude to all the noobs in my neighbourhood who keep open, unsecured wireless networks. It's because of them that we can blog from the laundromat, blog from the waterfront park, blog from... well, you get the idea. How can I make my network 'open' to others without compromising the security of my computers?

I've heard a million times that unsecured open wifi networks are asking for trouble. But my ISP doesn't cap my bandwidth usage, and I want to share my signal. I love that the student area I live in is dotted with so many wireless networks as to make access almost pervasive.

So, is there a way to offer an open access point that doesn't put the computers on my network at risk? Some caveats: I don't want to have to spend much on additional hardware (I have one wifi router), I don't really want to have to run a machine 24/7 to act as a server, and the solution's gotta be easy enough for a relative idiot (ie me) to figure out.
posted by optimuscrime to Computers & Internet (35 answers total) 2 users marked this as a favorite
 
So, is there a way to offer an open access point that doesn't put the computers on my network at risk?

I'm not a network expert, but I think the answer is no. If someone can use your connection, they can use it to download kiddie porn, and that's bad news.
posted by ludwig_van at 4:19 PM on November 21, 2005


Could you put a filter on your network that blocks adult material?
posted by ThePinkSuperhero at 4:20 PM on November 21, 2005 [1 favorite]


the security of your machines is irrelevant. If somebody uses your access to download kiddy porn, YOU will be held responsible. That being said, if you turn on the windows firewall, your machines should be relatively safe. Also turn off file and print sharing. I'm sure others will re-iterate the "don't do it" warning.
posted by cosmicbandito at 4:20 PM on November 21, 2005


You can plug your Wireless router into a LAN jack on the back of another non wireless router. Heres what it would be like:


Internet - Router LAN jack - WAN jack on WiFi router

Nobody in the Wireless Router side can see the first router.
posted by Dean Keaton at 4:30 PM on November 21, 2005


Also if you get a WRT54G router that is older than version 5, you can make a splash page for people saying anything you want. I had goatse for 3 months.
posted by Dean Keaton at 4:31 PM on November 21, 2005


My wireless network is named after my email address so people can email me to get the password. So far no one has bothered, but it helps with screening.
posted by Alison at 4:38 PM on November 21, 2005


I was under the impression that a person like this was safe for the same reasons that an ISP isn't liable for its connections being used to nefarious ends...we had a nice argument about this a few months ago, and that point was brought up a few times. Is it completely wrong?
posted by hototogisu at 4:39 PM on November 21, 2005


Well, the safest and easiest way to do it would be to buy a 2nd wireless router (~$60), I'm not sure if you're saying that's out of budget for this or not.

Then you could have your ISP connection into that router (which is unsecured) and then plug your secured router into the unsecured router. You connect all of your computers to the secured router. That way, your computers aren't vulnerable (as they are on a different subnet, behind a router), but you're giving the world free access as well.

I don't think I'd be worried about the strangers-will-download-kiddie-porn-and-YOU'LL-go-to-jail issue, that sounds like a local news "scare" story to me. Anyone have proof of this actually happening?

I think that the odds of someone using your link to download kiddie porn, then getting tracked down, but you're the one the cops finger as the perp about as likely as you dying in a car crash on your way to your inevitible kiddie porn trial.

What you're thinking of doing is a good, neighborly thing IMO.
posted by freshgroundpepper at 4:55 PM on November 21, 2005


I'd think that having an open access point would be sufficient "plausible deniability" to not be held liable for people doing nefarious things with your network connection. However, with the incredible cluelessness of many judges, I wouldn't want to fully rely on that defense.

The best argument I've heard for not running an open access point is that it encourages/enables spammers and bot-farmers. For that reason, I've finally locked-down my AP for the first time in years. It is sad, since I really don't mind if people benignly use my bandwidth, but I just can't support the lowlife scum who would use it for evil.
posted by Invoke at 4:57 PM on November 21, 2005


I was going to say...

So, I can go to my local coffeeshop, plunk down $3 for a latte and get all the anonymous surfing I want. There are thousands of places that offer this kind of thing.

So, I sit at the back and download kiddie pr0n or launch DOS attacks or whatever.

I presume the coffeeshop wouldn't be liable.

So, operating an open network, what's the difference?

(Jurisdictional wrinkle: I'm in Canada.)

Love,

OPTIMUSCRIME
posted by optimuscrime at 4:57 PM on November 21, 2005


You will not be held responsible if someone downloads kiddie porn through your open wifi network.

You have the same status as an ISP does when you're making your connection available this way- not liable for the actions of random users from the outside, just liable for yourself.

I think most of the arguments against having open wifi are based on the idea that there are way more evil people around than actually exist. Opening your wireless network is the neighborly thing to do.
posted by AaronRaphael at 5:03 PM on November 21, 2005


I was under the impression that a person like this was safe for the same reasons that an ISP isn't liable for its connections being used to nefarious ends...we had a nice argument about this a few months ago, and that point was brought up a few times. Is it completely wrong?

You're not *actually* liable if you can prove it wasn't you, but do you want to be trying to explain what happened to some angry cops as they arrest you and haul your computer off to an evidence room somewhere because someone downloaded something illegal from your router's IP address?
posted by clarahamster at 5:04 PM on November 21, 2005


FreshGroundPepper: That sounds like a good answer to me.

So, I hook my modem into a WEP-enabled router, then hook an open AP into the secured router along with each of my PCs. Wardrivers and kiddie pr0n downloaders all connect to the unsecured router.

There's no way for the people connecting to the unsecured AP to 'get to' the people on the WEP subnet?
posted by optimuscrime at 5:05 PM on November 21, 2005


regardless of liability and kiddie porn, an open wireless network is an invitation to spammers/crackers/etc. tragedy of the commons and all that.

Alison has the right of it -- at least attempt to know with whom you're sharing.
posted by dorian at 5:27 PM on November 21, 2005


(and in a more practical fashion, your isp is not going to care too much about responsibility or identity if metric fsckloads of spam start getting shoved thru their smtp server from your dhcp lease...)
posted by dorian at 5:28 PM on November 21, 2005


All these things everyone mentioned can easily be stopped if you are monitoring your network. I don't see any problem with putting a wireless router on a dmz and watching it to make sure no one is downloading/uploading an exorbitant amount of stuff.
posted by meta87 at 5:36 PM on November 21, 2005


if you are monitoring your network -- sure, but not everyone has the time or inclination. nor should they.

if you have a snazzy advanced home-rooter or a lunix/bsd box doing duty then of course you can restrict all sorts of behavior (port-based, quantity-based, etc. even tarpits) but how many actually have the time to make that happen?

if you don't have the time or technology to audit what your open network is doing, then please don't have it open.

it's bad enough that I can quite easily download a list of the default wep keys (not to mention admin passwords) of all the latest big-name wireless home routers.
posted by dorian at 5:45 PM on November 21, 2005


It might be a good idea to set up a homepage that comes up when people connect, like what you get at cafes and the like, that bascially says "This network is open, but it costs me money. If you wish to use this network, please use it responsibly, as network abuse will suggest I should shut it down. Responsible use means web-browsing type activities - nothing illegal, and not excessive file downloading."

It might also be a bad idea, but I like the idea of encouraging some community spirit through the network, rather than letting people think they've found some anonymous clueless network they can use and abuse at will.

Saying "You're welcome here, I only ask that you be a considerate guest" can sidestep the inclination to not care about how your actions affect someone you don't know.

Of course, if your ISP bans open networks, you might want to be careful about the wording :)
posted by -harlequin- at 6:03 PM on November 21, 2005


Block port 25. Anyone who uses open wifi networks a lot uses secure SMTP anyway.
posted by kindall at 6:46 PM on November 21, 2005


Hey now, that's a good idea Kindall. Neighborly, yet not spam-o-riffic.
posted by Invoke at 7:05 PM on November 21, 2005


Alison: surely the reason nobody's emailing you is because they can't get on a network to email you from?

Otherwise, why would they need to use yours at all?
posted by bonaldi at 7:12 PM on November 21, 2005


I'd like to run parallel open and secured wifi nodes with the open one being throttled to a low bandwidth--that is, good enough to use in a pinch, but frustrating to use for big transfers. I know this can be done, but I haven't yet seen a step-by-step recipe.
posted by adamrice at 7:32 PM on November 21, 2005


it really seems like there would be a market for a router designed to provide public hotspot access -- with admin firmware that makes it easy to control port usage, throttle bandwidth, etc.

or does such a mythical beast exist?
posted by optimuscrime at 7:42 PM on November 21, 2005


Alison: surely the reason nobody's emailing you is because they can't get on a network to email you from?

It's possible, but the library isn't too far away if they wanted to make the extra effort. We used to have an open network, but a greedy neighbor used most of the bandwidth. It was a compromise but they haven't asked to join.
posted by Alison at 7:44 PM on November 21, 2005


it really seems like there would be a market for a router designed to provide public hotspot access -- with admin firmware that makes it easy to control port usage, throttle bandwidth, etc.

There are many, many companies that are in the business of making such devices.
posted by waldo at 7:50 PM on November 21, 2005


waldo: names! names! (shines bright light into eyes)
posted by optimuscrime at 8:04 PM on November 21, 2005


optimuscrime: that's correct. Your secure, WEP enabled router would be just as insulated from the people connecting on the unsecured router as you'll be to the rest of the internet. (unless they are sniffing and cracking your encrypted wireless traffic, but that's a (slight) risk that is present without providing an open access point).

You're on a different subnet with the full protection of your secured router between you and them.
posted by freshgroundpepper at 8:26 PM on November 21, 2005


Oh! I slightly misread your message. The way that I was suggesting would be:

ISP->Unsecured Router->Secured Router

Not

ISP->Secured Router->Unsecured Router

So the unsecured router gets the dynamic IP from your ISP, and the secured router probably gets something like 192.168.1.15 as the IP from the unsecured router.

Feel free to e-mail me if you have any questions if/when you're getting this set up.
posted by freshgroundpepper at 8:34 PM on November 21, 2005


Just as a note, your ISP's Terms of Service probably explicitly say that you can't do something like this (eg, open connections with the intent of sharing your bandwidth). Enough people are clueless about wireless security that you'll likely have plausible deniability for at least several years, however.

You may want to look into NoCatSplash, though you'll need a pretty good amount of technical savvy to set it up on your router. Basically, it will present users with a web page once they connect to your public net, very similar to what you'd see at an internet cafe, and you could then put your notice there.
posted by whir at 2:07 AM on November 22, 2005


as far as i know, there's no reason you will be held responsible for downloading kiddie porn, any more than the cable company, the company that made the modem, etc etc. if you can show that your connectin is open to the public, and that you don't have kiddie porn yourself, who is going to think you downloaded it?

the way i have arranged things in the past is to have a linux machine as a router and have two internal networks - one with ethernet that my other desktop computers are connected to, and one connected only to the wireless router. both networks could access "outside", but were otherwise isolated from each other.

if i used wireless myself, inside the house, i did so from a laptop that was itself running a firewall. in other words, i treated my own wireless connection like a public connection.

i also named the access point with my physical address (street name, house number) so people knew where it was located.

i've since changed to a simple solution just because i wanted to spend my life doing things other than sysadmin, but this config worked fine.
posted by andrew cooke at 5:35 AM on November 22, 2005


as far as i know, there's no reason you will be held responsible for downloading kiddie porn, any more than the cable company, the company that made the modem, etc etc. if you can show that your connectin is open to the public, and that you don't have kiddie porn yourself, who is going to think you downloaded it?

Depends on where you live.

An *ahem* anti-terrorism law passed this summer here in Italy effectively states that one can be prosecuted for having an open WiFi connection/unauthorised persons using your connection. Internet Cafes and businesses offering Internet access to the public must have a photocopy of the client's ID & monitor usage or face closure & prosecution. Law in effect until December 2007 (because that's when all the terrorists & paedeophiles will be gone, dontcha know.)

I'm willing to bet that Canada is a saner country in this respect, though.

posted by romakimmy at 7:09 AM on November 22, 2005


Opening your wireless network is the neighborly thing to do.

My AP is open because I appreciate the multitude of open APs that I find, almost everwhere I go. If somebody does something evil, I'll say "oops!" and shut it down.

Until then, I'm going to assume that my neighborhood is not rife with AP-hungry hackers, spammers or child pornographers.
posted by I Love Tacos at 7:11 AM on November 22, 2005


I'd love to leave mine open, but I'd only do so if I could throttle the available bandwidth to around 10kbps for any and all uninvited connections combined. I like the idea of an open AP, but since we use our ISP for phone service as well, I can't allow bandwidth hogs.

Does anyone know an easy way to do this? For now, I'm using MAC filtering and generally being unfriendly, but I'd like to change that.
posted by odinsdream at 7:59 AM on November 22, 2005


odin, my understanding is that some of the Linksys WTR54G bios replacements also have bandwidth shaping. I emailed Dean Keaton asking about his experiences since I am thinking of fiddling with one in the near future but perhaps he will post some specifics here.
posted by phearlez at 11:49 AM on November 22, 2005


Well, I tried to email DK but the one in his profile doesn't work. Bummer.
posted by phearlez at 12:34 PM on November 22, 2005


« Older Not long ago I was reading a t...   |  What are you doing to remove t... Newer »
This thread is closed to new comments.