Steal This Wi-Fi (the safe way)

In his Wired article “Steal This Wi-Fi” Bruce Schneier gives some good reasons to leave your wireless network open, being neighborly for starters. While being neighborly is nice, advising people to open their wireless network without providing some advice on how to do it securely is irresponsible and one would have expected more from a renowned security expert…

My blanket advice – close your wireless network. If you don’t know how, find someone who can help you.

On the other hand – if you know how to run an open wireless network securely then do it! It may be a geek thing, but I find it cool (and neighborly) to be able to run an open wireless network and provide passersby with free internet access.

Here is how I do it:

I have a system running SmoothWall Express that I use as a firewall/router, the system has 3 network cards (interfaces):

RED: Connects to my cable modem (internet)

GREEN: Connects to my private (read: secure) LAN

PURPLE: Connects to the public network

Let’s bust out the Visio:

Open Wi-Fi Example
It’s pretty simple, the SmoothWall won’t let any traffic pass from the Purple (public) network to the Green (private) network. This effectively creates two LANs, one public and one private. Clients on the Purple network cannot see clients on the Green network, the SmoothWall won’t allow it. With this setup I can place an access point on the Purple network and leave it open (no encryption) for the public to use without worry of exposing my systems to that public.

Consequently, you can still access the SmoothWall web interface (used to configure/administer SmoothWall) from the Purple network, while using a strong password would likely be sufficient to secure the web interface from rogue access I’d prefer to completely deny access to any clients on the Purple network.
To do this you edit /etc/rc.d/rc.firewall.up and add the following above the line # IPSEC:

if [ "$PURPLE_DEV" != "" ]; then
/sbin/iptables -I INPUT -p tcp -i $PURPLE_DEV -s 0/0 --dport 441 -j DROP
/sbin/iptables -I INPUT -p tcp -i $PURPLE_DEV -s 0/0 --dport 81 -j DROP

If any attempts are made to access the web interface form the Purple network they will be dropped and the user will get a timeout error as if there was nothing to connect to in the first place.

The gist of it – I have two wireless APs – one on the Green network, secured using WPA that I use for private wireless internet and LAN access. The other on the Purple network, left open for public use. The SmoothWall provides DHCP on both the Purple and Green networks so clients are automatically configured.

I keep an eye on traffic because after all I pay for the connection and even though I leave a wireless connection open; like a guest overstaying their welcome if someone starts sucking my bandwidth by downloading torrents – they are going to get cut off. I haven’t had any issues thus far but if I notice a slowdown in my connection speed, it’s the first thing I check.


This is only one method, there are several ways to accomplish the same effect but SmoothWall Express is free (except the computer to run it on, which does not have to be anything special) and it’s relatively simple to setup. A more novice friendly solution (Mr. Schneier also mentioned) might be the FON AP which uses 2 wireless signals, one secured and one open. But FON requires people to register before using the connection which is a bit… annoying. It would be nice to see more manufactures add dual network capability their wireless APs, to make it easier for people to share their internet connection securely should they want to.

Security flows the other direction too – when using any public Wi-Fi play it safe make sure that any sites you enter passwords on are using a secure (SSL) connection. If it does not say https in the address bar and your browser does not show its respective “lock” icon then don’t enter personal information on it. It’s best to keep it to general browsing when using public wireless because since they are open, it makes it easy to sniff any traffic that flows across them. The person sitting across from you in Starbucks could be reading the same e-mail you are. The person that owns the open signal could also be watching you – be safe.

If your in Vancouver, WA and come across a wireless SSID of “steal this wi-fi” feel free to use the connection, but mind your manners.

My SSID “steal this wi-fi” was in use long before Bruce Schneier’s article was published, thankyouverymuch.

UPDATE: Don’t live in Vancouver anymore, but if you are in Oregon and see a wireless SSID mothership.public, that’s me. Feel free to use the connection, but mind your manners.

Leave a Reply