How much can the person I'm borrowing wireless from see?
May 23, 2006 8:08 AM   Subscribe

If you use someone elses wireless internet connection then the owners could see pretty much everything you do if they cared to, unless you are browsing an https site, or using SSL to encrypt connections to your e-mail server.

If the wireless link is unencrypted, then anyone within range of your laptop could also sniff your packets and see what you are doing.

Finally, if you have your own unsecured wireless network that you connect to and let other people share, then, again, anyone within range of your laptop could sniff your packets and see what you are doing.

If you really want to share your own connection, you could set up two wireless networks, a secure one for you, and an unsecured one for everyone else.
posted by Good Brain at 8:28 AM on May 23, 2006

I've used the SSH tunneling process outlined here for checking my email on the school's free (but open) wireless. It seems to be easier to set up on a mac than it was on a pc. Also, the system you are connecting to has to support SSH.
posted by toomanyplugs at 8:29 AM on May 23, 2006 [1 favorite]

odinsdream, why do you say that checking yahoo webmail is secure?

Even if you do the secure authentication, the data connection used to send and receive mail is still plaintext. So, your password might be safe, but someone with a sniffer could see any messages you send or open.
posted by Good Brain at 8:31 AM on May 23, 2006

ive wondered about this question too.

how do these "enterprising individuals" gain access to this content being thrown into the internet? im not looking for a how-to obviously but what information do they see? the urls that i view? the content of my emails that get downloaded to my harddrive? i mean we are talking hacker-types here with hacker-style skills?
posted by c at 8:32 AM on May 23, 2006

oh. sniffers i guess? are there sniffer sniffers to see if sniffers are sniffering you?
posted by c at 8:37 AM on May 23, 2006

I currently have gmail...is yahoo a safer bet?

You can use https for gmail. Just change the http to https in the URL.
posted by vacapinta at 8:39 AM on May 23, 2006

c: google packet sniffing for details. Short story, all unencrypted traffic, including the contents of your emails, can be viewed using packet sniffing tools.
posted by crazycanuck at 8:41 AM on May 23, 2006

If you're afraid that what you're doing can be sniffed, I would say that posting publicly that you're breaking the law is probably a Bad Idea(tm). Are you perhaps unaware that you're breaking the law?

There is no good way for someone without a good deal of experience to detect if someone is running a packet sniffer, but it's relatively safe to say that if a neighbor is leaving their network open -- they're not. I can't speak for the coffeeshops, though.

When you get your own connection, I would highly recommend against "leaving it open so others could share". When your new neighbor finds your open network and downloads kiddie porn and gets busted -- guess who gets arrested first, and maybe has no way to argue "it wasn't me"?

That's right. You.
posted by twiggy at 8:42 AM on May 23, 2006

Are you perhaps unaware that you're breaking the law?

Do you mind clarifying this statement?

Also, are you saying that coffeeshops regularly get busted because creepy guys are downloading illegal material - or is your statement just a scare tactic? Pointers to news stories or laws would be helpful.
posted by vacapinta at 8:49 AM on May 23, 2006

Regarding illegal activity and an open question: While a coffee shop (owner) would probably be able to convince the police that they didn't do it -- duh open connection used by all coffee shop customers (and possibly surrounding area if signal is strong enough), a private individual isn't going to have that luxury. Sure, after they look at your computer and find you never connected with the illegal IP addresses they are looking for, you'll be cleared. But that might take them a few days and meanwhile everyone thinks you are a child molestor (terrorist, etc.)

The most interesting story I've found is: Wardriving porn viewer. However, there have been several arrests of people using other people's wireless without permission and a ton of articles asking questions like "is it illegal to leave an unsecured wireless network?" "Can the owner of an unsecured wireless network be mistaken for the actual illegal network user?" etc.

So I think it is fair to say that there is concern that it could happen (and may have happened -- (suspected) child molestors aren't exactly treated very fairly by the police in many areas...)
posted by R343L at 9:06 AM on May 23, 2006

At the very least, you could send your pictures in a password-protected archive. I'm not a Mac user but I assume there is an easy way to do this - anyone?
posted by teleskiving at 9:15 AM on May 23, 2006

Also, if I use something like The Cloak, will that really hide all of my websurfing details?

No. Anyone between your machine and another machine can see everything being sent between the two and impersonate either machine to the other. Take a look at the pictures on The Cloak's FAQ and note that an open wireless node would be between you and The Cloak, completely negating any privacy The Cloak could offer.
posted by scottreynen at 9:17 AM on May 23, 2006

With regards to the law:

Coffeeshops are different. It's the "occasionally my neighbor's open network" that's a problem.

It doesn't matter whether or not they have a password. You are committing a crime if you use someone's open network without their permission.

Permission in coffeeshops is implicit, they're providing it as a service to you. Your neighbor is not providing it as a service to you.
posted by twiggy at 9:27 AM on May 23, 2006

Permission in coffeeshops is implicit, they're providing it as a service to you. Your neighbor is not providing it as a service to you.

I am. I leave an open network in my apartment for anyone to use, just like a coffeeshop does. And anyone who sees it open has no way of knowing if my network is or is not in a coffeeshop.

Do you have any evidence to support your certainty that it's illegal for my neighbors to access my network, or are you telling someone they are committing a crime based on your own unfounded speculation about what the law might be?
posted by scottreynen at 9:37 AM on May 23, 2006

It's not illegal (as far as I know) for you to share your wireless network. The problem is that the law hasn't decided whether "open" means that anyone can use it without permission. I.e. is my leaving my network open for use mean that random neighbor can use it without asking (legally)? Or is he using it illegally if he doesn't ask first? Does it matter if I know that I'm leaving it open and I don't care if he uses it? What if I'm just ignorant and don't realize I have my network misconfigured? There just isn't a lot of written law on these topics and the courts haven't decided consistently (in the US at least).

This is all orthogonal to the question of whether a wireless network owner could be held responsible for illegal usage of it (esp if it is an open network). The most likely at this time is that the owner (of the unsecured open wireless network) is the person the cops are most easily going to find if something illegal goes on -- whether or not the owner was the actual perpetrator (downloader of illegal porn, warez, virus author, bot networks, whatever). There is actually some discussion that maybe the owner should be liable for illegal activity if he doesn't make a reasonable attempt to limit access.
posted by R343L at 9:46 AM on May 23, 2006

Take a look at the pictures on The Cloak's FAQ and note that an open wireless node would be between you and The Cloak, completely negating any privacy The Cloak could offer.

Well, that's getting awful nitpicky, since everyone is vulnerable to man-in-the-middle attack. Yes, an unsecured wireless network makes it much easier, but the skill level necessary to perpetrate that kind of attack is way higher than simply sniffing unsecured packets. The Cloak and TOR are great options.
posted by deadfather at 9:48 AM on May 23, 2006

I would like to know that my neighbors can't see the pix I send my long-distance boyfriend

You may want to investigate something like PGP (assuming you're sending them by email). Your neighbors are much less likely viewers than any unethical sysadmins at your ISP, his, and every one in between. Even using an encrypted connection to your mail server won't help this, as that local connection would be the only thing encrypted.
posted by advil at 9:52 AM on May 23, 2006

If you use gmail, there's a greasemonkey script that forces gmail to use all-ssl connections. Usually it pulls the same trick that yahoo does and only secures the auth part of the process. Sniffing unencrypted traffic on a wireless lan is trivial at best.
posted by Skorgu at 10:41 AM on May 23, 2006

advil writes "You may want to investigate something like PGP (assuming you're sending them by email). Your neighbors are much less likely viewers than any unethical sysadmins at your ISP, his, and every one in between. Even using an encrypted connection to your mail server won't help this, as that local connection would be the only thing encrypted."

Second this. Remember that anyone between you and your boyfriend can read your traffic and email isn't encrypted between servers even if you encrypt the link between the server and your client. PGP is good but even simply zipping the files up and applying a password will greatly reduce the chances your photos will be seen by others. ZIP passwords are trivial to crack but raise the bar with another step to be over come making you a less attractive target to bots. As an alternative to PGP you can use TrueCrypt and exchange the encrypted volumes.

urania writes "How is sniffing unencrypted traffic on a wireless lan trivial? And what is the significance of an all-ssl connection?"

It's trivial in that no special equipment is needed and anyone even a little computer savvy with five minutes and access to google can do it.

Once you've downloaded the right tool it's no harder than picking up a sports broadcast by tuning your radio to the right frequency. An all-ssl connection encrypts all the traffic between the web server and your browser not just the logon screen. Servers don't do this by default because SSL imposes additional loads on the server.
posted by Mitheral at 10:54 AM on May 23, 2006

Urania: if the person has control of the router, they have access to all of the packets that you're sending and receiving. Software is readily available to take that data and extract useful information on it. From the perspective of a typical user, it isn't important to know how the sniffing is done, it's just important to know that it's possible (and not too difficult). Encryption is your weapon against people that might want to poke their noses into your data.

A SSL connection is encypted between your computer and the server you're connecting to. It'll provide a way to ensure that when you connect to GMail (for example), your password isn't sent over the Internet, free for anybody to see. It doesn't protect your e-mail when connecting to GMail, only your login information.
posted by gwenzel at 11:00 AM on May 23, 2006

The process for tracking web activities is made much easier with an unsecured wireless connection.

It's possible for someone offsite to set up a laptop to just listen for all the wireless traffic. Once the traffic is saved, he basically could recreate your exact online experience. Everything you typed in that wasn't sent over a secure connection could be viewed. If you use outlook or other email program, the entire content of your emails could be read. Oh those pictures you sent, easily recreated and viewed.

It's like this, unless you have a secure connection, everything you do online can be seen. It's much easier with a wireless connection (especially one that's unsecured) than with a wired one, because you don't have to have physical access to the network. In five minutes you could set up a computer from across the street to catch all the wireless traffic. You could save it all for analyzing it later, out of sight.

So to wrap things up: It's very easy to see everthing you've sent or received over the internet. If you take a few precautions such as making sure what you send is over a secured connection, you would greatly limit your chances of somebody else seeing your info.

on preview: what everybody else said!
posted by bigdave at 11:02 AM on May 23, 2006

urania Think about it this way: when you're on a wireless connection, your computer is doing the equivalent of shouting everything its saying as loud as possible. The AP is shouting the answers back. Everyone else waits until you're being quite to shout their own conversations. Also, the wireless AP in the coffee shop then whispers the information to some other computer that whispers it to another one all the way to the website that you're trying to talk to. Then the whole thing goes backwards again.

In a situation like this the hard thing is to not hear the other conversations. Actually listening is just paying attention to more shouts. Obviously the AP is party to everyone's conversations.

Encryption is like shouting in Swahili or a language that only you and the website you're talking to know. The AP and router(s) along the way repeat it but can't understand it. That's what SSL and TOR do, they wrap your shouts into envelopes that can't be opened (Yes I know this is actually wrong but its a good visual. Crypto is hard).

Basically, make sure all connections are https:// and stay https:// and use TOR if you can stand the massive slowdown you get with it.

If you use gmail, get greasemonkey for firefox and the gmail ssl script and you're covered. Thats what I use. Now only you (and google of course) can read your email.
posted by Skorgu at 11:18 AM on May 23, 2006

So to clarify. The best ways to protect myself:
Download a program like Tor/The Cloak
Login to all email/password sites with https://
Will this cover me for a secure email connection?

Yes, use https when possible, and use Tor if possible. Any time you're using http and not using Tor (or similar program) at the same time, people can watch your traffic.

I'd be hesitant to use The Cloak, at least Tor is open source and they're not in it for the money, unlike The Cloak.

Could you clarify, Skorgu? I am somewhat tech-illiterate. How is sniffing unencrypted traffic on a wireless lan trivial? And what is the significance of an all-ssl connection?

If you want to try out a sniffer yourself, ethereal is a free network sniffer for Winows and Linux.
posted by cactus at 11:29 AM on May 23, 2006

Don't ever send anything via email that you wouln't want forwarded to your mother.

It is nearly impossible for a normal user with standard consumer equipment to set up a reasonably secure wireless network.

Treat network security like a backyard fence, don't assume nobody is on a ladder looking through a knothole.
posted by Megafly at 11:38 AM on May 23, 2006

Everyone has pretty much covered the encryption lecture, so I'll just add that you want to make sure your computer doesn't have any network shares available. It's rare that someone will be actively sniffing network traffic and watching your communications, but it's common for idly curious people to check out other computer's open shares on a wireless network. It doesn't happen so much with Macs, but you'd be surprised how many Windows users have their entire drive shared and seemingly have no idea. At the very least make sure that any shared folders are password protected, and actually test from another machine to make sure that it works.
posted by team lowkey at 11:44 AM on May 23, 2006

Ditto the comments via e-mail. The only way to achieve "secure e-mail" is to encrypt your e-mail with a strong encryption algorithm (something like PGP or GPG is ideal).

If your e-mail isn't encrypted, then anybody could read it just as if it was a postcard dropped in the mailbox. This is true whether you're using TOR or not and whether you login using SSL or not. Those precautions protect your e-mail login and password, not the e-mail itself.

If you want to send something like photos securely to yur boyfriend, and don't want to mess around with public-key encryption (PGP or GPG), you might want to purchase Winzip (www.winzip.com) and use it to zip the files into an archive and encrypt them at the same time. Current versions of Winzip support AES encryption, which is considered very strong. The only downside with this method is that you need a secure way of communicating the file password to your boyfriend (i.e. don't e-mail it to him, or you make it trivial for somebody to decrypt the files).
posted by gwenzel at 11:45 AM on May 23, 2006

Urania: since you have a Mac, you ought to check out my buddy Sam Bushell's EtherPEG. You can get it up and running in a couple of minutes, even if you don't know anything about computers. It'll show you every image being passed across open (i.e., unencrypted) wireless networks in your vicinity.

Of course, since you can run such a program, so can anyone else.
posted by ikkyu2 at 12:02 PM on May 23, 2006

gwenzel writes "The only downside with this method is that you need a secure way of communicating the file password to your boyfriend"

Nothing complicated needed, any out of band communication will work like the phone. You can use the same password over and over again if you choose something fairly secure.

gwenzel writes "Current versions of Winzip support AES encryption, which is considered very strong"

7 zip's 7z format supports 256 bit AES, runs on MacOSX and is free.
posted by Mitheral at 12:30 PM on May 23, 2006

FAQ: Wi-fi mooching and the law...

I semi-retract my statement, but not really: You may be breaking the law by "borrowing" your neighbors connection.

At the end of the day, though, I believe you would be viewed as breaking the law even if he/she leaves it open, and here's why:

If I'm silly and leave a nice convenient hose connection on my water piping outside of my house, that doesn't give you the implicit legal right to use the utility that I pay for. You're leeching on a utility that someone pays money for by using their wireless connection, which can be viewed as stealing.


Furthermore, according to the FAQ linked above, even if you're not committing a crime, you're probably making the other person violate their contract with their internet provider (see: "How about sharing? Is it legal for me to share my cable modem or DSL connection with my neighbors?")

At the end of the day, whether or not it's legal is up for question, but I think the general consensus would be that unless someone has explicitly stated that their network is open for your use, it's unethical to "borrow" it.
posted by twiggy at 12:51 PM on May 23, 2006

urania: I don't think it's at all off topic. It seems that you're offended that I'm trying to do you a favor by letting you know it may very well be illegal (and note: it's not "not illegal" - it's just that clear precedent has not yet been defined, so it still may be!).

The fact that this offends you bothers me, because:
a) I was just trying to point out something you may be unaware of
b) It smacks of defensiveness, which points to the fact that you're basically searching for a way to get AskMe's help in doing something you know is unethical.

My post wasn't meant to derail the thread, and was an honest attempt to let you know that "hey, maybe you think this is OK, but it may very well not be OK". I wasn't accusatory at all.

Your defensive response here just makes me think you are knowingly doing something wrong, and that bothers me a lot.
posted by twiggy at 1:43 PM on May 23, 2006

Is it possible for network owners (let's just say in a coffeeshop or library) to have access to the information on my hard drive?

Possible? yep. If you run Windows and have a bad (weak) administrator password your files may be visible. If you run KazAa or a similar program, check what files are shared.

In OSX (mac) the default settings are nicely paranoid so you shouldn't have a problem unless you go sharing things.
posted by Skorgu at 2:02 PM on May 23, 2006

Twiggy, the issue is anything as cut and dry as you present it. There was a lengthy metafilter thread on precisely this issue, involving more than a few lawyers [43320].

And, as Urania points out, your comments are more than a little off-topic.

Everyone else, great comments. Much food for thought.
posted by bumpkin at 2:17 PM on May 23, 2006

bumpkin, did you read twiggy's responses? he says every third line "may be illegal". Given that people are getting arrested for using someone else's wifi without permission, I'd say he was being pretty accurate as to the murky nature of wifi-borrowing.
posted by nomisxid at 2:38 PM on May 23, 2006

That doing this may be illegal is of some consequence and relevance. I don't particularly have any personal interest in convincing anyone of the rightness or wrongness of using someone else's wifi connection, but it certainly is not the case that you can presume that you are not trespassing so long as the resource is "not protected". As the faux-FAQ twiggy links to, just as in the case of a real-world physical crime, context makes all the difference. We don't have to publicly declare that the our front doors are locked and our houses off-limits in order to make it a crime for a random passerby to enter. On the other hand, a retail establishment has to do exactly that. No notice and an open door is implicitly an invitation to enter a public establishment. And so it comes down to what's implicit in the environment. If you're a user on a large, multiuser UNIX system, some places and courts will see your rummaging through the files in another user's personal directories to be illegal because it is implicitly private whether or not he set the file bits to enforce it. Another court or local authority will see the setting of those bits as determinitative. However, I think a pretty strong case can be made that if there's any doubt about whether you should be (virtually) where you are, you probably shouldn't be. I, myself, would feel legally exposed were I to use some naive neighbor's wifi connection and I wouldn't really feel that great about it ethically, either. But my point isn't to pass judgment, just to offer accurate and useful information.
posted by Ethereal Bligh at 7:56 PM on May 23, 2006

Oh and yes, they can sniff all your traffic. In fact, they can sniff all your traffic even if you were using your own wifi connection if you don't enable encryption.
posted by delmoi at 8:46 PM on May 23, 2006

Oh, how can you prevent them from seeing what you're doing? Simple, just use a secured connection on top of TCP/IP like secure sockets layer.

In other words they can see what you posts on sites where you connect with "http" but not on sites where you connect with "https".

Most webmail and of course metafilter and most web sites use normal http, rather then https, though.
posted by delmoi at 8:48 PM on May 23, 2006

This thread is closed to new comments.