[OpenWireless Tech] Securing an OpenWireless.org Access Point

Erik Soderquist ErikSoderquist at gmail.com
Fri Jan 16 13:03:04 PST 2015


entire message quoted as it was (I believe accidentally) sent to me only
rather than to the list.


On Fri, Jan 16, 2015 at 3:11 PM, Tom Hanan <tom.hanan at switchcomputing.com>
wrote:

>  Erik, I think we share a lot of common ground in our goals for Open
> Wireless in the Commons. Which is why I am somewhat surprised at your
> opposition to "practical" real world solutions to a real and present danger
> to wide adoption of Open Wireless in the Commons initiatives like
> OpenWireless.org.
>

I never said I was in favor of or opposed to your proposals; I said they
are in direct opposition to one of the stated goals of the movement, and
quoted the exact stated goal I was referencing from the movement website.


> Which is frankly why I was so surprised at your response since I don't
> know of anyone who does not see the security FUD issue as possibly the most
> pressing issue impacting wide adoption of OpenWireless by providers in the
> Commons.
>

One of the worst things anyone who knows better can do regarding FUD is to
act as if the FUD is a real threat.


> I take exception that 2) and or 3) "largely defeat" the stated goals of
> OpenWireless.org unless it is an "unstated" goal to address the real
> security issues they address by ignoring them and thus by "default" shift
> security consequences to the Common "Providers" of Open Wireless in the
> Commons.
>

You are treating jurisdictional questions as universal issues.  As has been
stated on this list before, jurisdictional issues are a question for each
individual who is considering putting up an OpenWireless segment.  As has
also been stated, in this thread, in the general US jurisdiction, in 14+
years, there has not been a need, and giving in to the FUD would give more
legitimacy to the FUD than it deserves.


> Such actions put the initiative to rapidly and widely stand up
> OpenWireless in the commons at risk of being derailed by bad publicity
> before it can reach the critical mass it needs to meet its stated goals.
>

I would rather fail to achieve the stated goals by actually trying them and
finding them unworkable than to undermine them from the get go.

I am quoting the stated goals from the openwireless.org website:
<quote>
We envision a world where, in any urban environment:

    Dozens of open networks are available at your fingertips.
    Tablets, watches, and other new devices can automatically join these
networks to do nifty things.
    The societal expectation is one of sharing, and, as a result, wireless
Internet is more efficient.
    The false notion that an IP address could be used as a sole identifier
is finally a thing of the past, creating a privacy-enhancing norm of shared
networks.
</quote>

To the first stated goal: a network that requires or forces XYZ anything,
by definition, is NOT open.

To the second stated goal: the requirements you propose in your 2 and 3
would likely cripple or prohibit the ability of new devices, particularly
pseudo autonomous devices, like a watch that sets its time from the open
ntp servers on the internet using open connections, from even being able to
connect, let alone use the connection.

To the third, if we try to require simple home users to configure a system
where their access point forces everything through a VPN to protect against
FUD, we are legitimizing the FUD, and teaching that wireless sharing isn't
safe in any regard.

To the fourth, the one that prompted my initial response; if we are pushing
for VPN'ed connections, we are reinforcing the FUD, rather than working
toward the goal of IP address not even considered as a potential personal
identifier.


>
> All I really recommended is that OpenWireless "default" to VPN Tunneling
> "if available" on the access point/router and disabled OpenWireless if not.
> I then recommended that OpenWireless modify its code to require
> OpenWireless providers to manually accept the potential risks of
> associating their IP address with abusive traffic by OpenWireless users in
> order to minimize "un-knowing risk exposure by default".
>

To the best of my knowledge, the ONLY wireless AP OS that "defaults" to
having an openwireless.org SSID available is the one being written here.
In the current state, it still takes reasonable technical knowledge to
deploy, and said users would have to specifically seek it out.  IF we get
to the point of general manufacturers including openwireless.org even as a
directly selectable option, we will have long since shattered the FUD you
are attempting to address.


> 3) Is a call to those that "DO" to provide yet another low/no cost VPN
> option to the commoners like me who "provide" OpenWireless to the commons
> but are not comfortable exposing their IP address to potential abuses
> within the current Legal and political climate.
>

What jurisdiction are you in that it is such a huge concern?


> I thus do not see how protecting OpenWireless providers from "unexpected"
> consequences, in the ways I have outlined above, is in conflict with any of
> OpenWireless.org's stated goals in any way shape or form. Nothing I have
> recommended prevents a Provider of Open Wireless in the commons from
> enabling full open access and thus accepting the potential risks of doing
> so!
>
> While I recognize that these recommendations may have some negative
> impacts on which wireless routers support which kinds of traffic in the
> "Commons", I believe history has shown these negative impacts are small
> compared to the much larger positive impact of wider adoption and thus
> coverage that result from allowing "each provider" to "knowingly" accept
> the risk and or cost of providing transparent protection of their IP
> address they are individually comfortable with.
>

That negative impact cripples the reliability of the whole, and therefore
cripples the movement as a whole.  Even most high-end laptops will only show
the SSID, not individual APs offering an SSID, so the experience would be one
of, "sometimes it works, sometimes it doesn't" with connection requirements
that vary from AP to AP with the same SSID.  If you are not comfortable
with having actual openwireless on your network, I suggest you use an SSID
of "TunneledFreeWireless" so you are not running a wireless segment in
opposition to the stated goals of the openwireless.org movement.


>
> I am always uncomfortable when a "few" people decide by "default" what
> risks the much larger "Commons" will accept by "default"!
>

If you didn't have a choice in using or not using the package, I would
share your concern.  However, no one is forcing you to, and you are
certainly welcome to do a parallel setup that has similar goals.


>
> I, and many like me believe such actions to be the worst form of abusive
> governance in and of the commons! An abuse not dissimilar to the "default"
> of holding those who pay for an IP address responsible for everyone's
> traffic associated with that IP address.
>

HUGE difference: again, we are not forcing you to do anything.  The legal
system, which we don't really have a choice about, it is simply there, is
the one trying to force something.  However, the extra measures you propose
for the VPN requirements in fact reinforce the <quote>"default" of holding
those who pay for an IP address responsible for everyone's traffic
associated with that IP address.</quote> rather than help eliminate it.



> I look forward to your comments and suggestions on how best OpenWireless
> can address the security FUD issue without ignoring it as "In conflict with
> the stated goals of OpenWireless" which are presently in conflict with the
> stated goal of promoting wide adoption of Open Wireless in the Commons.
>

I'm not ignoring it; I am stating clearly that the VPN requirements you
propose legitimatize and reinforce the FUD you are concerned with rather
than fix it, and that the VPN requirements are in opposition to the movement's
stated goals.



> Kind Regards,
> Tom Hanan
>



>
>
>
> On 1/14/2015 3:01 PM, Erik Soderquist wrote:
>
> <snip>
>
> Regarding 2/3, those largely defeat one of the stated purposes of the
> openwireless.org movement, specifically: "We envision a world where,
> in any urban environment: ... The false notion that an IP address
> could be used as a sole identifier is finally a thing of the past,
> creating a privacy-enhancing norm of shared networks."
>
> And 2 in particular would block the majority of users the movement is
> intended to help.
>
> -- Erik
> _______________________________________________
> Tech mailing list
> Tech at openwireless.org
> https://srv1.openwireless.org/mailman/listinfo/tech