[OpenWireless Tech] No problem with Open Wireless

Brad Knowles brad at shub-internet.org
Wed Nov 7 00:54:46 PST 2012


On Nov 6, 2012, at 8:29 PM, John Gilmore <gnu at toad.com> wrote:

> No need to wait.  I've been running one or more open wireless networks
> on and in my house for many years.

John -- you are the last person that I would have aimed that comment at.  I am very aware of your contributions in many areas, and you personally are one of the primary reasons why I've been a supporter of organizations like the EFF since the mid-90s -- back when I started running around with the DC CypherPunks crowd.

> So far nobody has sued me, broken into my house, tried to shut down
> my internet access, etc.

I think anyone in this industry would have to be seriously unhinged to try to shut down someone of your status.  That's one of the most obvious things that you can bring to any endeavor of this nature, because you can provide such a large umbrella for all the other guys who would otherwise have little or no protection against crackdowns.

Regretfully, it is not hard to find instances where other people have not been as fortunate (or maybe as diligent), and they have not fared as well.

The problem is not the number of positive cases that we can point at, the problem is that there are sufficient numbers of negative cases that everyone else can point at.

> Of course, I exercise discretion in choosing my ISPs - I'm not on one that
> claims I can't run servers or access points.

Unfortunately, there are few ISPs around that are so understanding, and relatively few people are knowledgeable enough to know that they need to go looking for such providers.


As the case stands today, you can either be a talented and experienced pioneer and be secure in your knowledge of what the real risks are, or you're not.

If you're not a pioneer of that sort, you are highly unlikely to be running an open wireless network -- and you'd be foolhardy if you decided to run an open wireless network anyway.

> I think we should put our attention on solving some of the real
> problems in open access wireless, such as its susceptibility to
> radio-link wiretapping, its lack of ease of configuration, and do some
> negotiation with ISPs to improve their terms.  Forcing every open
> wireless node down a VPN strikes me as a lot of work that somebody
> else could do later, or "maybe never".

We have actually been down this road before.  Back when the Internet was first being created, it was hard enough work to make it work at all, so security was not a consideration.  I think that has left us in a very bad situation today.  DNS has not fared well on the security issue, either -- for the same reasons.  Now we're starting to hear more and more about BGP-based attacks, because the security there is even weaker.

We now know that for something to be secure at all, security has to be baked into every aspect of the process, everywhere, all the time.  You can't just retrofit security on top of an inherently insecure process.


I would make the argument that the systems should be designed to be Rugged (i.e., subscribing to the "Rugged Manifesto"), rather than focusing on the old concept of "security".

In other words, manage for what you *do* want, instead of trying to manage for the infinite number of things that you *don't* want.

> For example, it would require protocol changes in every client device.
> Real "open wireless" would work with unmodified client devices.

With respect, "Backwards Compatibility Uber Alles" is a theme that hasn't served Microsoft very well.  How can you fix anything if you're not allowed to change anything?

Not that I'm claiming you're taking that position, but that would be the natural result of your position, if taken to the logical extreme.


I would agree that we do want to support the widest feasible client base, and that has to take into account that some clients are going to be completely UI-free and browser-free, and they need some sort of simple API they can use.

But "unmodified client devices" should not be taken to mean that those devices are frozen in time today -- we should be free to create minimal additional requirements and processes if that is what is necessary for the whole system to work in a reasonable manner -- and to get sufficient adoption amongst the community of people outside the small group of talented and experienced pioneers.

--
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>



