Deterring wireless piggybackers

The New York Times recently gave front-page treatment to an (Internet) age-old question: Does an unprotected wireless network amounts to an open invitation for any piggybacker who happens by with a laptop. (Story only available to TimesSelect subscribers.)

Since the practice doesn’t seem to be slowing as the years fly by and wireless becomes ever more ubiquitous, I got to wondering what it might take to bring some law and order to the landscape. The topic is addressed in my ‘Net Buzz column this week.

And, as promised in the previous post, I’m going to turn the microphone over to Joel Snyder, a frequent Network World contributor and senior partner at Opus One, a consulting firm, in Tucson, Ariz.

Here’s what Joel has to say about the matter:

OK, so, first of all, I don’t get this idea of people being surprised when their neighbors are using their wireless. I understand that the idea behind computers and Internet technology is that you go to Best Buy and pick up a box and plug it in and you’re downloading porn within 10 minutes, but the Times must have looked long and hard to find people who had this internal train of thought:

I will buy something.

I will plug it in.

It will allow me to use the Internet wirelessly without putting any configuration information into my computer.

It works anywhere in my house and in my yard.

No one else will figure that out and use it from their house.

I mean, come on. I have a Doonesbury cartoon I cut out from July, 2002 that shows ‘drive-by wireless usage.’ And when Doonesbury has covered it, boy, this must be mainstream knowledge. So I’m just a bit confused at where Mr. and Mrs. Stupid are getting their Internet security information.

But let’s say ‘OK, they knew it was an issue, but there was no easy solution.’ I can live with that. Here’s an answer: put a switch on the box. I don’t mean an on-off switch. I mean a ‘secure/insecure’ switch. If there are only two common configurations: one wide open and one with WPA-Personal encryption, then put a switch on the box. I actually have an access point that I use for traveling that has a switch on it with four positions. One is ‘management mode’ and the other three are various combinations of open/closed, routing, etc. That wasn’t hard, and the access point cost $60. So it’s not like I’m coming up with this incredibly great idea here — AP vendors already have it.

What about the password? Well, put it on a sticker, next to the switch. Maybe it’s based on the MAC address, like the old Lucent APs used to do. Or maybe it’s a word pair, like the AOL floppies have on them. I don’t really care. It’s not that hard.

If we assume that the market for this is people with Windows XP and Mac laptops, both support WPA, automatically, out of the box. Put a switch on the access point, and you don’t have to go through the horrible explanation of how to open up a Web browser and put in configuration information.

If you wanted to be non-negligent in security, then you could go one step further. Ship the box with the switch in ‘SECURE’ position. Put a little piece of tape on it, kind of like the one that’s over power outlets saying ‘are you sure you’re on 120 volts?’ Someone wants to move the switch, OK. But if they don’t, the password is right there on the box.

They don’t even need to use a Web browser.

— Joel Snyder