I’ve got a bad Case of the Mondays today, so when Wendy Seltzer’s Blog had a link to a New York Times story on open wi-fi, what follows was inevitable…

From Wendy:

Without a hint of irony, however:

“Two federal law enforcement officials said on condition of anonymity that while they were not aware of specific cases, they believed that sophisticated terrorists might also be starting to exploit unsecured Wi-Fi connections.”

Yes, even law enforcement needs anonymity sometimes.

Personally, I think that the reason that most of the “sources” are anonymous is because they don’t exist.

The article itself is FUD written by at best an ignorant reporter or, more likely SBC Communications’ Public Relations firm, and published as “news.” I suspect SBC because their spokesman Michael Coe is cited by name saying, “the company had provided about one million Wi-Fi routers to its customers with encryption turned on by default.” So the point of the article is that individuals deploy their wireless insecurely, whereas corporations like SBC are much better at it.

It’s just a happy coincidence that SBC’s Michael Coe also wrote the press release announcing that SBC is rolling out their own wi-fi subscription service right now. I guess that SBC is planning on logging 100% of the connections from their 3,300+ access points? That’s going to be expensive. Of course, if the perpetrator used a stolen credit card so sign up for SBC’s service, then Law Enforcement is in the same boat as if said perpetrator used an unsecured wireless connection, except that this way if they catch the person, they can throw on a credit card fraud charge for good measure.

From the article (which neglects to mention SBC’s Wi-Fi service):

Experts say most of those households never turn on any of the features, available in almost all Wi-Fi routers, that change the system’s default settings, conceal the connection from others and encrypt the data sent over it. Failure to secure the network in those ways can allow anyone with a Wi-Fi-enabled computer within about 200 feet to tap into the base station’s Internet connection, typically a digital subscriber line or a cable modem.

Wi-Fi connections are also popping up in retail locations across the country. But while national chains like Starbucks take steps to protect their networks, independent coffee shops that offer Wi-Fi often leave their connections wide open, law enforcement officials say.

(emphasis mine)

Why are there no Network Security experts quoted by name? Security is a Prestige Culture, so an attributed quote in the New York Times would be a huge benefit to one’s security career (If the NYT ever needs a security quote, they may feel free to contact me). Of course, the good ones wouldn’t say anything which supported the story. Does Wi-Fi raise the bar for law enforcement? Maybe, but since most criminals do dumb things like have the fraudulently ordered goods sent to their home, the bar isn’t raised that much.

If anything, it can make it easier. In the Loews Hardware Wi-Fi case, the perpetrators were caught illegally accessing the retailer’s in-store wireless network to install credit card sniffers because they had to sit in the parking lot outside the store to do it. Why wasn’t that crime, which could only have happened due to the use of wireless, mentioned in the story? Perhaps because it would have violated one of the core tenents the reader is supposed to take from the story: Corporations implement wireless securely while Individuals do not.

Consider the examples given. Four of the five cases listed were solved. The fifth wasn’t solved because it was, quite frankly, a non-crime–high schoolers making anonymous threats, which is the electronic equivilent of graffiti. Every other example is a case of people getting caught committing traditional crimes like mail fraud and child porn. Still, the story closes with this wildly inflammatory quote:

“The public needs to realize that all they’re doing is making it harder on me to go find the bad guys,” said Mr. Gilhooly, the former Secret Service agent. “How would you feel if you’re sitting at home and meanwhile someone is using your Wi-Fi to hack a bank or hack a company and downloads a million credit card numbers, which happens all the time? I come to you and knock on your door, and all you can say is, ‘Oops.’ ”

Someone uses open wi-fi to hack banks and download a million credit card numbers “all the time?” Why wasn’t there an example of that listed in the story instead of some guy ordering sex toys with the local college’s bank account number?

I spend a lot of time keeping up with current events and while I know of a handful of large-scale credit card thefts, most of them were inside jobs and whether or not they used wireless networks was irrelevant. Of course, if you grab 1,000,000 rows of pretty much any customer or credit card database, odds are you’re going to get some Californians in there somewhere, so there should be public notice about it.

My summary is my opening: This is a bunch of FUD, probably written at least in part by SBC Communications’ publicists to at least sell more (overpriced) wireless access points & DSL service and, at worst, to help build mindshare for the idea that independent and municipal broadband and wireless should be outlawed.