<?xml version="1.0" encoding="utf-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Wireless Access Pointless</title>
	<atom:link href="http://www.outsidethebeltway.com/archives/wireless_access_pointless/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.outsidethebeltway.com/archives/wireless_access_pointless/</link>
	<description>Online Journal of Politics and Foreign Affairs</description>
	<lastBuildDate>Wed, 25 Nov 2009 00:12:45 -0600</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.5</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: joy</title>
		<link>http://www.outsidethebeltway.com/archives/wireless_access_pointless/comment-page-1/#comment-16844</link>
		<dc:creator>joy</dc:creator>
		<pubDate>Wed, 31 Dec 1969 18:00:00 +0000</pubDate>
		<guid isPermaLink="false">/?p=6125#comment-16844</guid>
		<description>Well, I use my home wireless network and networks out in the public all of the time.  The problem with keeping a free and open network for your neighbors or the public at large is that besides the bad guys, what if your neighbor does something illegal on your network?  

For example, many home wireless routers use NAT (network address translation) which basically allows a number of computers to use one static IP address.  So, say, if your IP address has been caught downloading porn/music/movies/what have you, guess who will be held responsible (or do you really want to go through the hassle of having to prove you weren&#039;t the one downloading all of that crap?).

Or, what about someone sniffing your traffic?  Do you use http/ftp?  Both of those protocols send passwords in plain text.

Or, you Windows users, do you inadvertently have your C: drive set to shared?

Also, there are providers out there like who are now beginning to crack down on use of NAT, and who are now nailing people for excessive use of bandwidth and/or charging for additional IP addys.  So, if you live in a one or two broadband provider area, you&#039;ll be up a creek if the cable company doesn&#039;t want to serve you anymore.

Now, again, I have a wifi enabled laptop and I love it.  I love being able to go to a public area and get on to the Internet.  However, I&#039;m also wise enough to understand that in a public area, I&#039;m more vulnerable.  Now, for me, I understand the risks and I take precautions (although, admittedly I&#039;ve got some paranoid friends who only use tunnelling, SSH, etc.) but the average user does not.</description>
		<content:encoded><![CDATA[<p>Well, I use my home wireless network and networks out in the public all of the time.  The problem with keeping a free and open network for your neighbors or the public at large is that besides the bad guys, what if your neighbor does something illegal on your network?  </p>
<p>For example, many home wireless routers use NAT (network address translation) which basically allows a number of computers to use one static IP address.  So, say, if your IP address has been caught downloading porn/music/movies/what have you, guess who will be held responsible (or do you really want to go through the hassle of having to prove you weren't the one downloading all of that crap?).</p>
<p>Or, what about someone sniffing your traffic?  Do you use http/ftp?  Both of those protocols send passwords in plain text.</p>
<p>Or, you Windows users, do you inadvertently have your C: drive set to shared?</p>
<p>Also, there are providers out there like who are now beginning to crack down on use of NAT, and who are now nailing people for excessive use of bandwidth and/or charging for additional IP addys.  So, if you live in a one or two broadband provider area, you'll be up a creek if the cable company doesn't want to serve you anymore.</p>
<p>Now, again, I have a wifi enabled laptop and I love it.  I love being able to go to a public area and get on to the Internet.  However, I'm also wise enough to understand that in a public area, I'm more vulnerable.  Now, for me, I understand the risks and I take precautions (although, admittedly I've got some paranoid friends who only use tunnelling, SSH, etc.) but the average user does not.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: King of Fools</title>
		<link>http://www.outsidethebeltway.com/archives/wireless_access_pointless/comment-page-1/#comment-16845</link>
		<dc:creator>King of Fools</dc:creator>
		<pubDate>Wed, 31 Dec 1969 18:00:00 +0000</pubDate>
		<guid isPermaLink="false">/?p=6125#comment-16845</guid>
		<description>Just set my wi-fi hub up this week.  I haven&#039;t gotten around to configuring it.  It works fine out of the box but I want to look at the security options AND would like to turn DHCP off.  My firewall handles that and the wireless IP addresses are not compatible with the rest of my network.  But...I&#039;m too busy to bother at this point.

Maybe next week.</description>
		<content:encoded><![CDATA[<p>Just set my wi-fi hub up this week.  I haven't gotten around to configuring it.  It works fine out of the box but I want to look at the security options AND would like to turn DHCP off.  My firewall handles that and the wireless IP addresses are not compatible with the rest of my network.  But...I'm too busy to bother at this point.</p>
<p>Maybe next week.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: capt joe</title>
		<link>http://www.outsidethebeltway.com/archives/wireless_access_pointless/comment-page-1/#comment-16846</link>
		<dc:creator>capt joe</dc:creator>
		<pubDate>Wed, 31 Dec 1969 18:00:00 +0000</pubDate>
		<guid isPermaLink="false">/?p=6125#comment-16846</guid>
		<description>I run one at home to do work and I really didn&#039;t care because I firewall each computer connected to the main network and use another router to protect a wireline network where I do work for work.  

My attitude changed when I was snooping my wireless network trying to figure out a connection issue.  I discovered another person using a DHCP address surfing porn off my ISP connection.  I suddenly got a chill when I realized that if he ever started to download child porn, I would be the one left holding the bag.

After that, I turned on WPA (better than WEP - the normal encryption mechanism), installed a radius server (manages DHCP addresses to authorized clients only), mac filtered the network (restricted it so that only registered mac (raw) address from a list would be accepted).  

No one should run an unrestricted wireless network out of home.  If you wonder why not, ask yourself if a policeman would believe your story about not knowing that child porn or worse was being loaded over your network without your knowledge.</description>
		<content:encoded><![CDATA[<p>I run one at home to do work and I really didn't care because I firewall each computer connected to the main network and use another router to protect a wireline network where I do work for work.  </p>
<p>My attitude changed when I was snooping my wireless network trying to figure out a connection issue.  I discovered another person using a DHCP address surfing porn off my ISP connection.  I suddenly got a chill when I realized that if he ever started to download child porn, I would be the one left holding the bag.</p>
<p>After that, I turned on WPA (better than WEP - the normal encryption mechanism), installed a radius server (manages DHCP addresses to authorized clients only), mac filtered the network (restricted it so that only registered mac (raw) address from a list would be accepted).  </p>
<p>No one should run an unrestricted wireless network out of home.  If you wonder why not, ask yourself if a policeman would believe your story about not knowing that child porn or worse was being loaded over your network without your knowledge.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: capt joe</title>
		<link>http://www.outsidethebeltway.com/archives/wireless_access_pointless/comment-page-1/#comment-16847</link>
		<dc:creator>capt joe</dc:creator>
		<pubDate>Wed, 31 Dec 1969 18:00:00 +0000</pubDate>
		<guid isPermaLink="false">/?p=6125#comment-16847</guid>
		<description>yes, no point in having more than one DHCP server.

For security, mac filter your network, suppress the SSID/ESSID of your network, use WEP if you can, the larger key the better.  If you have a radius server (free on linux, very expensive on non linux), then set that up to validate anyone trying to get a DHCP address, and then configure WPA to use it.

Even so, every client computer on the network should have a firewall (zonealarm is free for windows)

All of this will give you defense in depth. Once they break one system, they need to tackle more systems, each backing the other.  It would require a lot to hack.  not impossible, just improbable.  ;)</description>
		<content:encoded><![CDATA[<p>yes, no point in having more than one DHCP server.</p>
<p>For security, mac filter your network, suppress the SSID/ESSID of your network, use WEP if you can, the larger key the better.  If you have a radius server (free on linux, very expensive on non linux), then set that up to validate anyone trying to get a DHCP address, and then configure WPA to use it.</p>
<p>Even so, every client computer on the network should have a firewall (zonealarm is free for windows)</p>
<p>All of this will give you defense in depth. Once they break one system, they need to tackle more systems, each backing the other.  It would require a lot to hack.  not impossible, just improbable.  ;)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Phil Libin</title>
		<link>http://www.outsidethebeltway.com/archives/wireless_access_pointless/comment-page-1/#comment-16848</link>
		<dc:creator>Phil Libin</dc:creator>
		<pubDate>Wed, 31 Dec 1969 18:00:00 +0000</pubDate>
		<guid isPermaLink="false">/?p=6125#comment-16848</guid>
		<description>Joy,

You make a good argument, but I&#039;m going to stick by mine.

I never said that people shouldn&#039;t secure their WAPs.  I think that people *don&#039;t* secure their WAPs because the technology is poorly implemented and frustrating.  If WiFi security was more robust and easier to use, it would naturally be in everyone&#039;s advantage to use it. 

However, if I&#039;m going to ask average consumers to spend a few hours on computer &quot;security&quot;, I&#039;d much rather they first install the latest OS patches, turn off file sharing, install a firewall at the network and on every computer, learn a bit about &quot;phishing&quot; and other scams (and maybe download &lt;a href=&quot;http://www.vastlyimportant.com/vastly/2004/05/spoofstick_10_i.html&quot;&gt;SpoofStick&lt;/a&gt;), install an anti-virus program and get the latest signatures, check for spyware and rethink their passwords.  When they&#039;ve done with all that, they can monkey around with their WiFi network.  All the other stuff is more important, more effective and easier to do.

Even if you manage to keep your WiFi access point encrypted, you&#039;re not really adding a whole lot of security.  Everything just reverts right back to plaintext as soon as it goes from the WAP to the ISP, all your HTTP and FTP and email is bouncing around the guts of the web for anyone to see.  If you&#039;ve got data worth protecting, use SSH or SSL or a VPN - then it doesn&#039;t matter if you&#039;ve secured your WAP.  If a non-SSL site asks you for a password, assume that everyone can see it.  If you send out unencrypted, unsigned email, assume that there&#039;s going to be a searchable trail of everything you&#039;ve ever written somewhere or another.

As for the legal aspects, I don&#039;t buy it.  Internet access is not a firearm, and I don&#039;t have any responsibility to make sure others can&#039;t use the bits my access point decides to shoot out into the air.  If my ISP has a problem with this, they should figure out how to restrict access on their side.  I shouldn&#039;t have to waste my time setting up &quot;security&quot; to solve their billing problem.  If a crime is committed in my neighborhood, it&#039;s not up to me to prove that I didn&#039;t do it.  It&#039;s up to the authorities to find whoever did - and to prove it.  Of course, you&#039;re right that this area is &quot;undefined&quot; and it may take an unpleasant case or two to iron things out.  If you&#039;re concerned about being blamed for the actions of others on &quot;your&quot; wireless network, by all means take the appropriate precautions.  For what it&#039;s worth, I&#039;ve found that MAC filtering works better than WAP encryption.

So, bottom line: we need better security technology that takes the burden of securing all data away from the user.  In the mean time, locking down residential wireless access points is not my top security priority, and may not be a good way to spend finite security resources.</description>
		<content:encoded><![CDATA[<p>Joy,</p>
<p>You make a good argument, but I'm going to stick by mine.</p>
<p>I never said that people shouldn't secure their WAPs.  I think that people *don't* secure their WAPs because the technology is poorly implemented and frustrating.  If WiFi security was more robust and easier to use, it would naturally be in everyone's advantage to use it. </p>
<p>However, if I'm going to ask average consumers to spend a few hours on computer "security", I'd much rather they first install the latest OS patches, turn off file sharing, install a firewall at the network and on every computer, learn a bit about "phishing" and other scams (and maybe download <a href="http://www.vastlyimportant.com/vastly/2004/05/spoofstick_10_i.html">SpoofStick</a>), install an anti-virus program and get the latest signatures, check for spyware and rethink their passwords.  When they've done with all that, they can monkey around with their WiFi network.  All the other stuff is more important, more effective and easier to do.</p>
<p>Even if you manage to keep your WiFi access point encrypted, you're not really adding a whole lot of security.  Everything just reverts right back to plaintext as soon as it goes from the WAP to the ISP, all your HTTP and FTP and email is bouncing around the guts of the web for anyone to see.  If you've got data worth protecting, use SSH or SSL or a VPN - then it doesn't matter if you've secured your WAP.  If a non-SSL site asks you for a password, assume that everyone can see it.  If you send out unencrypted, unsigned email, assume that there's going to be a searchable trail of everything you've ever written somewhere or another.</p>
<p>As for the legal aspects, I don't buy it.  Internet access is not a firearm, and I don't have any responsibility to make sure others can't use the bits my access point decides to shoot out into the air.  If my ISP has a problem with this, they should figure out how to restrict access on their side.  I shouldn't have to waste my time setting up "security" to solve their billing problem.  If a crime is committed in my neighborhood, it's not up to me to prove that I didn't do it.  It's up to the authorities to find whoever did - and to prove it.  Of course, you're right that this area is "undefined" and it may take an unpleasant case or two to iron things out.  If you're concerned about being blamed for the actions of others on "your" wireless network, by all means take the appropriate precautions.  For what it's worth, I've found that MAC filtering works better than WAP encryption.</p>
<p>So, bottom line: we need better security technology that takes the burden of securing all data away from the user.  In the mean time, locking down residential wireless access points is not my top security priority, and may not be a good way to spend finite security resources.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Confessions of a G33k</title>
		<link>http://www.outsidethebeltway.com/archives/wireless_access_pointless/comment-page-1/#comment-16849</link>
		<dc:creator>Confessions of a G33k</dc:creator>
		<pubDate>Wed, 31 Dec 1969 18:00:00 +0000</pubDate>
		<guid isPermaLink="false">/?p=6125#comment-16849</guid>
		<description>&lt;strong&gt;wifi, free as in beer?&lt;/strong&gt;
Outside the Beltway linked to this post by Phil Larbin advocating folks to not secure their wifi access points because...

---</description>
		<content:encoded><![CDATA[<p><strong>wifi, free as in beer?</strong><br />
Outside the Beltway linked to this post by Phil Larbin advocating folks to not secure their wifi access points because...</p>
<p>---</p>
]]></content:encoded>
	</item>
</channel>
</rss>
