WiFi Peril

Worse than the Trent Lott show on BET, more agonizing than Patrick Stewart's "acting" in "Star Trek: Nemesis," and 10 times more awful than the message on John Poindexter's home answering machine -- it was the low-profile, we'll-just-remove-your-freedom-now meeting that took place two weeks ago between high-tech industry execs and Defense Department reps. The subject of this meeting? Dangerous WiFi networks! Apparently wireless computer networks are spreading everywhere like some kind of commie menace, soiling our precious military spectrum and making it possible for crafty terrorist hackers to get free Internet access.

The meeting followed closely on the heels of several announcements made by policy makers associated with the Department of Homeland Security that WiFi needed to become more secure or face government regulation. It was only a matter of time before techno-supergeniuses like cybersecurity czar Richard Clarke would start getting funny feelings about WiFi. The technology is both too libertarian and too anticapitalist to please any good servant of the U.S. government.

But before I cheerfully rip into Clarke and co., I should note that there are excellent reasons to be concerned about the security of wireless networks. Most schemes for locking down wireless networks are easy to hack, and the majority of people setting up WiFi for themselves aren't very clueful when it comes to making sure nobody is sniffing their radio waves. The ever resourceful publisher O'Reilly even has a new book out on the issue called 802.11 Security, which underscores my point by arguing that most WiFi networks -- which use the 802.11 transmission protocol specified by the Institute of Electrical and Electronics Engineers -- are wide open to attack.

But Clarke and his cronies aren't really worried about the kind of security that geeky O'Reilly authors are. This is obvious if you take a look at the working draft of President George W. Bush's National Strategy to Secure Cyberspace. Its authors, a collection of consultants from the Critical Infrastructure Protection Board, suggest that WiFi networks can be secured with tools "such as password access requirements, address filtering, encryption, or using a virtual private-network." With the exception of encryption, all of these tools are used in the context of WiFi exclusively to prevent random people from hopping onto a network. None of them is particularly difficult for a skillful hacker to circumvent. So obviously the threat model the CIPB types are working with is not evil terrorist hackers, who laugh in the face of your address filtering.

What, then, is the government's threat model for WiFi? It's most worried about people whose "hacker" tool kit includes nothing more complicated than Dynamic Host Configuration Protocol, software that is used to grant users open access to a publicly available wireless network. Most free WiFi networks use DHCP to assign visitors a temporary address on the network, giving them access to the Internet or whatever nifty things the network owners have made available. A deliberately open WiFi network is not an insecure network; it's a public works project. It's a resource that some generous geek has made available to anyone who wants to partake -- and usually said geek has carefully secured all parts of the network he or she wants to keep private.

Nearly all of CIPB's suggestions for "securing" a wireless network are actually rules for creating a closed WiFi network. Let's go through them one by one. "Password access requirements" are already used by Starbucks in its pay-per-use coffee shop WiFi; "address filtering" allows only certain machines to log on to the network; and a "virtual private-network" allows selected people to log on to an already secured network remotely. None of these so-called security methods will protect the content of a network. As long as you have a password or a machine whose address the network recognizes, you're in. Only "encryption" will protect sensitive data (precisely what a terrorist hacker would want, right?). So most of the "security" recommended by the government for wireless isn't aimed at stopping bad guys from drinking up our precious data. Nope, it's aimed at preventing people from using and setting up open wireless networks.