Unfortunately, I can't do anything to prevent an asteroid strike. I'm helpless. If you can–no matter how small the probability–I wish you would. If not for your sake, then for mine.

Living in fear sucks. And, it makes no statistical sense. For instance, I've had one car accident in the last 22 years. I don't put on my seat belt every time I get in the car–before I start the engine–because it's the law, or because I have a statistical probability of getting in an accident. My good driver discount says otherwise. (Though, one might argue that, statistically, I'm due.) I put one on because I'm afraid of what might happen if I don't. Murphy's Law would suggest, the DAY I don't. Likewise, safety was my number one concern when purchasing a family car. Though, one might argue–given my driving record–my money might have been better spent elsewhere.

I suppose, if the odds favored an accident, no one would even sell me insurance. The bet favors the house. Yet, I have more-than-adequate coverage–not because the law says I have to, or because it's paid off in the past, but because, IF something happened, I could loose my house. So far, I've lost money on the investment–and I'm glad it has worked out that way.

The good news is, the “state-of-the-art” wireless security, WPA2–has not yet been cracked. At least, not that anyone is bragging about. So, for now, those who want to live in fear, can, with relative confidence.

Though I would never advise leaving a Wi-Fi router “open”, I will tell you what I would do IF I was hell-bent on providing service to the neighborhood (or, say, my customers in a small retail establishment). Mind you, this is just a theory. I would lock-down my own router, assign “keys” to my own computers, and enable logging. Then, I would attach an unsecured, “open” router to the DMZ (an isolated port on the router that should not intermingle with the other computers inside the network). I would also enable logging, and name the router something like “Guest”. Then, should there be a problem, I would volunteer those logs to law enforcement (AFTER CONSULTING AN ATTORNEY), and advise investigators, in writing, VIA MY ATTORNEY, of the configuration.

Minus the “open” part, it's something I've done when I have guests on my network, just to prevent any cross-contamination. I like my friends, but I don't know where their laptops have been. It not only allows you to play Robin Hood with your broadband, but also provides plausible deniability with your ISP because of the hot-spot's name (SSID). As far as the ISP is concerned, you forgot to disconnect when your guests left. It's not a half-bad insurance policy, if you want to live on the edge.

Insightful discussion, Jeff!

-Jeb

I think the discrepancy between our positions is actually a small one–because, what you propose is an ideal to which I ascribe. Here's the minor chasm, as I see it: I believe you're coming from the standpoint of, will I ever ACTUALLY be convicted? The irony of this position is that, it is one that seems to be common among both the most, and least, educated defendants I've met over the last 15-odd-years.

The problem is, most of the defendants I've met lost everything they had–jobs, savings, friends, spouses–long before they were ever acquitted or convicted. Even the wealthy ones. Many, long before the investigation was completed. Most people have to mortgage their houses to pay for a defense. I'm talking about well before any kind of trial. Which, by the way, can take years to get to.

Actually, (and I know this because I examine the evidence,) more often, these days, people get investigated for the theft of their own cars–especially if they're found unlocked. And, your insurance company won't usually pay, if they're found without evidence of forced entry.

Yes, you can be indicted, even if your computer is clean. The network traffic is enough to indict. Not because I say so, but because I've had plenty of cases where the computers weren't even seized. And, some of those defendants did prison time. Some pre-conviction and some post.

That time you spend “convincing the jury” will cost you tens-of-thousands-of-dollars. And, remember, the time to “lawyer-up” is when they start asking questions, not later. Pleanty of my cases involve “Just tell us your side of the story” statements. Not good.

Bottom line, you play the lottery. If your number doesn't get pulled, you're in good shape. As long as you don't live near a place that gets traffic, like a major street, or public park, you're chances are lessened, I suppose. I love my neighbors. Maybe, even enough to risk the wrath of my cable company's TOS. I've handed out my house key to a neighbor before. I'd likely hand out my WPA shared key (password) to the same ones, if they needed it.

If I WERE a gambler, I'd bet on the house. But, I wouldn't use my house as collateral. I think you're taking a small statistical risk with a huge potential loss, and little upside.

Here's the metaphor you -should- be using: Suppose they want to water their lawn from my hose–would I care about that? Yes, I would. Here's why even THAT metaphor is flawed. I don't pay LVMWD a fixed fee for my monthly allotment of water whether it is used or not–that's how my bandwidth works.

Your thoughts about the ToS are interesting. Technically, it is -illegal- for the neighbor kid to steal my bandwidth, which there is much circumstantial evidence to conclude she is. It's not -illegal- for me to run an unsecured network, and so far, it's not -illegal- for me to not pay attention to my router logs and determine how many hop-ons I may have. Are train operators breaking the law if they don't check for hobos? By your own statement, even if my network was locked the ISP is going to help the prosecution–why should I care what they think?

I think your “open door” analogy is weak. The last time I checked, even if the door was open and a neon sign was on my lawn saying come get some sugar, it is still illegal to come in my house and look at child porn or steal something. Every week people report items stolen from their unlocked cars, and the police still write up the reports, because a crime was committed. What you're saying is that some third party will say, “Someone in that house STOLE SOME MUSIC.” And the investigators will walk up and see my door open and my neon sign, and conclude that I stole the music, despite the fact that there's no music in my house (viz, that song and very likely that sharing client, as I'm using a Mac), and convince the jury of this with their “preponderance of evidence.” (That's the civil court language, yes?) Yeah, I'll take my chances.

Schneier points out ( http://www.schneier.com/blog/archives/2008/01/m... ) that there are 15M people sharing music on the Internet. That's a 0.13% chance of getting caught–and that's for people that are ACTUALLY SHARING MUSIC, which I'm not. For me, the cost-benefit analysis is clear. I'll keep my network open.

-jeb

I'd be lying if I said that I didn't have a stake in the outcome either way. Part of my job is to educate and advise, based on the trends that I'm seeing. They don't support the ideal. Service provider subpoenas, and warrant requests are increasing year-over-year. It's become about as easy a prosecution as they come, which would support the trend.

I think that the sugar analogy is flawed. First, no one actually “borrows” a cup of sugar, like no one borrows a cigarette. They ask. You give. It's consumed. The end-product goes through another shared network. If the neighbor's kid came by and ASKED to use your Wi-Fi, and you allowed it, that might be more analogous to the sugar scenario. After all, your neighbors aren't returning the bandwidth they consume. But, that's presuming that the Wi-Fi was yours to give. You paid for a certain amount of sugar. It's yours to give away. Chances are that the Terms of Service that you have agreed to with your ISP don't allow you to give away their bandwidth to your neighbors.

I only bring that up because it's your ISP that will be cooperating with law enforcement. It's hard to imagine that, after they find out that you were cutting into their profits by serving your neighbors broadband, that they're going to incentivized to provide aid to your defense. In fact, having worked for the defense, I can tell you that they will do everything, short of violating the same TOS to aid in your prosecution–even if you didn't intentionally open your network.

But, let's assume, for the sake of argument, that your ISP is one that welcomes the spirit of sharing–explicitly. Returning to the sugar analogy: What you're really doing is leaving the front door open so that your neighbors, or anyone else passing by, can come in a take some sugar. Moreover, you're putting out a neon sign that invites them to do so. Then, when a crime occurs on your property, you show law enforcement the neon sign, and the open door, and ask that they, and a jury of your peers, understand and accept the likelihood (plausible denyabillity) that it was someone else.

I get those cases from time to time. A jury is typically apt to accept the government's assertion that you were running a crack house. I also get the open-wi-fi cases. The jury is typically apt to accept the government's assertion that you were directly, knowingly invovled, or aiding in any crime that occurs on your network–if for no other reason than, there's no one else to investigate and charge. (Not that the kid next door wouldn't make a great character witness in a sex crimes case.)

There are, after all, there are almost 200 million drivers in the U.S., and only around 6 million accidents a year. Those are good odds. With only 20,000 people sued by–and a 100% success rate for–the RIAA, and less than 700,000 Americans on sex offender registries (many for images that traversed their computer networks), I suppose you could take your chances–for the betterment of your neighborhood.

Unfortunately, I can't do anything to prevent an asteroid strike. I'm helpless. If you can–no matter how small the probability–I wish you would. If not for your sake, then for mine.

Living in fear sucks. And, it makes no statistical sense. For instance, I've had one car accident in the last 22 years. I don't put on my seat belt every time I get in the car–before I start the engine–because it's the law, or because I have a statistical probability of getting in an accident. My good driver discount says otherwise. (Though, one might argue that, statistically, I'm due.) I put one on because I'm afraid of what might happen if I don't. Murphy's Law would suggest, the DAY I don't. Likewise, safety was my number one concern when purchasing a family car. Though, one might argue–given my driving record–my money might have been better spent elsewhere.

I suppose, if the odds favored an accident, no one would even sell me insurance. The bet favors the house. Yet, I have more-than-adequate coverage–not because the law says I have to, or because it's paid off in the past, but because, IF something happened, I could loose my house. So far, I've lost money on the investment–and I'm glad it has worked out that way.

The good news is, the “state-of-the-art” wireless security, WPA2–has not yet been cracked. At least, not that anyone is bragging about. So, for now, those who want to live in fear, can, with relative confidence.

Though I would never advise leaving a Wi-Fi router “open”, I will tell you what I would do IF I was hell-bent on providing service to the neighborhood (or, say, my customers in a small retail establishment). Mind you, this is just a theory. I would lock-down my own router, assign “keys” to my own computers, and enable logging. Then, I would attach an unsecured, “open” router to the DMZ (an isolated port on the router that should not intermingle with the other computers inside the network). I would also enable logging, and name the router something like “Guest”. Then, should there be a problem, I would volunteer those logs to law enforcement (AFTER CONSULTING AN ATTORNEY), and advise investigators, in writing, VIA MY ATTORNEY, of the configuration.

Minus the “open” part, it's something I've done when I have guests on my network, just to prevent any cross-contamination. I like my friends, but I don't know where their laptops have been. It not only allows you to play Robin Hood with your broadband, but also provides plausible deniability with your ISP because of the hot-spot's name (SSID). As far as the ISP is concerned, you forgot to disconnect when your guests left. It's not a half-bad insurance policy, if you want to live on the edge.

Insightful discussion, Jeff!

-Jeb

I think the discrepancy between our positions is actually a small one–because, what you propose is an ideal to which I ascribe. Here's the minor chasm, as I see it: I believe you're coming from the standpoint of, will I ever ACTUALLY be convicted? The irony of this position is that, it is one that seems to be common among both the most, and least, educated defendants I've met over the last 15-odd-years.

The problem is, most of the defendants I've met lost everything they had–jobs, savings, friends, spouses–long before they were ever acquitted or convicted. Even the wealthy ones. Many, long before the investigation was completed. Most people have to mortgage their houses to pay for a defense. I'm talking about well before any kind of trial. Which, by the way, can take years to get to.

Actually, (and I know this because I examine the evidence,) more often, these days, people get investigated for the theft of their own cars–especially if they're found unlocked. And, your insurance company won't usually pay, if they're found without evidence of forced entry.

Yes, you can be indicted, even if your computer is clean. The network traffic is enough to indict. Not because I say so, but because I've had plenty of cases where the computers weren't even seized. And, some of those defendants did prison time. Some pre-conviction and some post.

That time you spend “convincing the jury” will cost you tens-of-thousands-of-dollars. And, remember, the time to “lawyer-up” is when they start asking questions, not later. Pleanty of my cases involve “Just tell us your side of the story” statements. Not good.

Bottom line, you play the lottery. If your number doesn't get pulled, you're in good shape. As long as you don't live near a place that gets traffic, like a major street, or public park, you're chances are lessened, I suppose. I love my neighbors. Maybe, even enough to risk the wrath of my cable company's TOS. I've handed out my house key to a neighbor before. I'd likely hand out my WPA shared key (password) to the same ones, if they needed it.

If I WERE a gambler, I'd bet on the house. But, I wouldn't use my house as collateral. I think you're taking a small statistical risk with a huge potential loss, and little upside.

Here's the metaphor you -should- be using: Suppose they want to water their lawn from my hose–would I care about that? Yes, I would. Here's why even THAT metaphor is flawed. I don't pay LVMWD a fixed fee for my monthly allotment of water whether it is used or not–that's how my bandwidth works.

Your thoughts about the ToS are interesting. Technically, it is -illegal- for the neighbor kid to steal my bandwidth, which there is much circumstantial evidence to conclude she is. It's not -illegal- for me to run an unsecured network, and so far, it's not -illegal- for me to not pay attention to my router logs and determine how many hop-ons I may have. Are train operators breaking the law if they don't check for hobos? By your own statement, even if my network was locked the ISP is going to help the prosecution–why should I care what they think?

I think your “open door” analogy is weak. The last time I checked, even if the door was open and a neon sign was on my lawn saying come get some sugar, it is still illegal to come in my house and look at child porn or steal something. Every week people report items stolen from their unlocked cars, and the police still write up the reports, because a crime was committed. What you're saying is that some third party will say, “Someone in that house STOLE SOME MUSIC.” And the investigators will walk up and see my door open and my neon sign, and conclude that I stole the music, despite the fact that there's no music in my house (viz, that song and very likely that sharing client, as I'm using a Mac), and convince the jury of this with their “preponderance of evidence.” (That's the civil court language, yes?) Yeah, I'll take my chances.

Schneier points out ( http://www.schneier.com/blog/archives/2008/01/m... ) that there are 15M people sharing music on the Internet. That's a 0.13% chance of getting caught–and that's for people that are ACTUALLY SHARING MUSIC, which I'm not. For me, the cost-benefit analysis is clear. I'll keep my network open.

-jeb

I'd be lying if I said that I didn't have a stake in the outcome either way. Part of my job is to educate and advise, based on the trends that I'm seeing. They don't support the ideal. Service provider subpoenas, and warrant requests are increasing year-over-year. It's become about as easy a prosecution as they come, which would support the trend.

I think that the sugar analogy is flawed. First, no one actually “borrows” a cup of sugar, like no one borrows a cigarette. They ask. You give. It's consumed. The end-product goes through another shared network. If the neighbor's kid came by and ASKED to use your Wi-Fi, and you allowed it, that might be more analogous to the sugar scenario. After all, your neighbors aren't returning the bandwidth they consume. But, that's presuming that the Wi-Fi was yours to give. You paid for a certain amount of sugar. It's yours to give away. Chances are that the Terms of Service that you have agreed to with your ISP don't allow you to give away their bandwidth to your neighbors.

I only bring that up because it's your ISP that will be cooperating with law enforcement. It's hard to imagine that, after they find out that you were cutting into their profits by serving your neighbors broadband, that they're going to incentivized to provide aid to your defense. In fact, having worked for the defense, I can tell you that they will do everything, short of violating the same TOS to aid in your prosecution–even if you didn't intentionally open your network.

But, let's assume, for the sake of argument, that your ISP is one that welcomes the spirit of sharing–explicitly. Returning to the sugar analogy: What you're really doing is leaving the front door open so that your neighbors, or anyone else passing by, can come in a take some sugar. Moreover, you're putting out a neon sign that invites them to do so. Then, when a crime occurs on your property, you show law enforcement the neon sign, and the open door, and ask that they, and a jury of your peers, understand and accept the likelihood (plausible denyabillity) that it was someone else.

I get those cases from time to time. A jury is typically apt to accept the government's assertion that you were running a crack house. I also get the open-wi-fi cases. The jury is typically apt to accept the governement's assertion that you were directly, knowingly invovled, or aiding in any crime that occours on your network–if for no other reason than, there's no one else to investigate and charge. (Not that the kid next door wouldn't make a great character witness in a sex crimes case.)

There are, after all, there are almost 200 million drivers in the U.S., and only around 6 million accidents a year. Those are good odds. With only 20,000 people sued by–and a 100% success rate for–the RIAA, and less than 700,000 Americans on sex offender registries (many for images that traversed their computer networks), I suppose you could take your chaces–for the betterment of your neighborhood.