Sunday, February 04, 2007

Plausible Deniability via 2 wifi-routers?

I like the idea of having an open wifi access point in my house. It makes me feel warm and fuzzy to know that people can use my excess bandwidth - something I've paid for, but am not really using.

However, there are a few major problems with simply leaving your access point unlocked.

1. Security - Anyone sitting outside your house instantly has a way of bypassing your firewall and getting access to your local network. This makes it much easier for you to get hacked.

2. Privacy - Anyone sitting outside your house can sniff your wifi network, and see the packets flying back and forth between your laptop in the living room and the access point. Given that not all internet traffic is encrypted, this is a bad bad thing (do you really want someone to know which google queries you're submitting?).

3. Network Speed - While you may be happy to let your excess bandwidth get used by the folks next door - do you really want those dirty hippy freeloaders to get priority on your network, or at the least, do you want to have to compete with their downloads?

Which is why I now have 2 wifi routers.

I have a Buffalo 54G router which runs dd-wrt, a neato Linux-based customizable router firmware. It runs an encrypted wifi network - this is the network that my own laptop and various wireless devices connect to. This device is the main router for the house, and does all the traffic shaping, firewalling, etc.

I have another el-cheapo wifi router plugged into the buffalo. This no-name router is left open, unlocked, and advertises itself as "Anarchy Free Wireless".

The linux-wifi router allows me to put the el-cheapo router on its own VLAN, so that it doesn't get to see my internal network. Traffic from the no-name router is sent directly to the Internet connection. Do not pass go, do not collect 200 dollars.

On top of all of this, I have Quality of Service set on the linux router, so that the freeloaders across the street get the dregs of my Internet connection. Whatever I have left over, they can use - but if I need it, I get priority. This is exactly how it should be.
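The two pieces described above, the VLAN isolation and the "dregs only" QoS, can be expressed as a handful of iptables and tc commands on the dd-wrt box. The script below is an added example and is not the author's actual configuration; it assumes the switch port feeding the open router has already been moved into its own VLAN on dd-wrt's VLAN page and bridged as `br1`, that the trusted LAN bridge is `br0` and the WAN interface is `vlan1` (common dd-wrt names, but check yours), and the bandwidth figures are constructed. It also includes, as an opt-in, the outbound-SMTP block suggested in the comments.

```shell
#!/bin/sh
# Added example, not the blog author's real config. Assumes a dd-wrt router
# where the port feeding the open "el-cheapo" router is already in its own
# VLAN and bridged as br1. Interface names and rates are assumptions.
LAN_IF="${LAN_IF:-br0}"           # trusted LAN bridge (dd-wrt default name)
GUEST_IF="${GUEST_IF:-br1}"       # bridge holding the guest VLAN (assumed)
WAN_IF="${WAN_IF:-vlan1}"         # WAN interface (common dd-wrt name; assumed)
WAN_RATE="${WAN_RATE:-1000kbit}"  # constructed upstream rate
LAN_MIN="${LAN_MIN:-900kbit}"     # bandwidth guaranteed to the trusted LAN
GUEST_MIN="${GUEST_MIN:-64kbit}"  # the "dregs" guaranteed to the open AP
GUEST_MARK=2                      # fwmark for guest packets (assumed unused)

# Firewall: guest traffic may only be forwarded to the WAN. Nothing from the
# guest VLAN reaches the internal LAN or the router itself, apart from DHCP
# and DNS so the open router can get an address and resolve names.
guest_isolation_rules() {
    cat <<EOF
iptables -N GUEST_IN
iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
iptables -A GUEST_IN -j DROP
iptables -I INPUT -i $GUEST_IF -j GUEST_IN
iptables -N GUEST_FWD
iptables -A GUEST_FWD -o $WAN_IF -j ACCEPT
iptables -A GUEST_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A GUEST_FWD -j DROP
iptables -I FORWARD -i $GUEST_IF -j GUEST_FWD
iptables -I FORWARD -i $WAN_IF -o $GUEST_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t mangle -A PREROUTING -i $GUEST_IF -j MARK --set-mark $GUEST_MARK
EOF
}

# QoS on the WAN egress: an HTB tree where the trusted LAN is the default
# class at top priority and guest-marked packets land in a low-priority class
# that is guaranteed only GUEST_MIN but may borrow up to the full link when
# nobody else is using it.
guest_qos_rules() {
    cat <<EOF
tc qdisc del dev $WAN_IF root 2>/dev/null
tc qdisc add dev $WAN_IF root handle 1: htb default 10
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate $WAN_RATE ceil $WAN_RATE
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate $LAN_MIN ceil $WAN_RATE prio 0
tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate $GUEST_MIN ceil $WAN_RATE prio 7
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle $GUEST_MARK fw classid 1:20
EOF
}

# Optional, from the comment thread: refuse outbound SMTP from the open AP.
# Inserted at the top of GUEST_FWD so it is evaluated before the WAN accept.
guest_smtp_block_rules() {
    echo "iptables -I GUEST_FWD -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
}

# Print the commands (default) or execute them on the router when RUN=1.
apply_rules() {
    { guest_isolation_rules; guest_qos_rules; } | while IFS= read -r cmd; do
        if [ "${RUN:-0}" = 1 ]; then sh -c "$cmd"; else printf '%s\n' "$cmd"; fi
    done
}
apply_rules
```

Run it with no arguments to review the generated rule set, and with `RUN=1` on the router to apply it. Two caveats: the tc part shapes only upstream traffic (egress on the WAN interface), so guests' downloads are not throttled by it, and the fwmark value must not collide with marks used by dd-wrt's own QoS page, so use one or the other rather than both.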

There were a few reasons I wanted to set this up - at the least, I shouldn't have to reveal my wifi password to friends that come over for a cup of coffee. Just because you want to check your email from my living room, it doesn't mean you should be able to later port-scan my home network from the comfort of your car.

But best of all - I now have quasi plausible deniability. For sure, this hasn't been proven in court yet, but it at least puts me on better ground than if my network were locked. If the G-Men ever show up at my house again (assuming it's for something that I didn't actually attach my name to, unlike last time), I can quite reasonably claim that it wasn't me, and that it must have been one of the hippy art students across the street.

Plus, in theory, I might be able to qualify as a common carrier under the DMCA. Given that I don't keep any logs at all on my wifi routers, I have absolutely no way of knowing who is using my open network - and just like a Tor exit node, I may be able to ignore DMCA threats - or at least explain that it wasn't me, and that I don't know who it was.


Anonymous said...

I'm not clear on exactly what the 'common carrier' provisions of the DMCA are, but you may want to check with a lawyer about whether you would actually be able to claim to be one; in the telecom world it is (or at least used to be) a very specific, highly regulated status, and you couldn't become one just by declaring yourself one.

You may also want to do the rest of the Internet a favour and do some limited firewalling of this connection, such as blocking port 25 to other than your ISP's servers (if your ISP doesn't already block it) and perhaps even forbidding all outgoing mail, to prevent spammers from using this connection to spam.

For a public situation like this, where the intent is really just to let other folks browse the web and such other conveniences, you may even want to consider locking down the connection entirely except for a limited amount of relatively "safe" connectivity, such as just web, ssh and popular tunnelling protocols.

Christopher Soghoian said...

Thanks for the comment, Curt. After a few mins of playing with my linux router, I'm now blocking all outgoing port 25 traffic from the open access point, as well as outbound http traffic to (just for the hell of it).

Christopher Soghoian said...

Upon further analysis, I've unblocked everything on the open wifi router. A few people told me that if I wanted to be a 'safe harbor', that I needed to not filter a single thing. Thus, to be safe, I'm not looking at a single packet that crosses my open wifi point, I'm not blocking anything, and am not logging anything.

Anonymous said...

I "think" your term "quasi plausible deniability" is valid as even you _could_ run your devices on the open router...

Anonymous said...

I thought that VLAN support in dd-wrt is broken. Guess not!

Anonymous said...

Blocking port 25 won't stop spam.
Many ISPs have an extra port open.
My local library blocks port 25, but I have no trouble sending mail through a different port.

Anonymous said...

Buffalo 54G router running dd-wrt, and am interested in doing the same type of setup. Could you post your setup or a link to how you set up your vlans and iptables. Thanks!