Leaving your wi-fi network open

Wi-fi network
Wi-fi network

Bruce Schneier (a leading US computer security expert) and Electronic Frontier Foundation (EFY) advise leaving your wi-fi network open: meaning, not use encryption protocols such as WEP or WPA2. This allows neighbours and passers-by to use it while in urgent need, and increases societal cooperation. EFY states:

“If you sometimes find yourself needing an open wireless network in order to check your email from a car, a street corner, or a park, you may have noticed that they’re getting harder to find.”

Due to privacy concerns, and also to avoid letting terrorists and anti-national elements use the spectrum – people are closing down their wi-fi networks. This is also the official advice from my ISP.

EFY argues however, that allowing access to others is just another way of giving back to the society. In addition they argue that this allows more efficient use of spectrum compared to cell phone towers. It admits, however, that current protocols are not designed for efficient sharing. The ideal protocol, as per EFY, would allow sharing part of your bandwidth – while leaving the rest encrypted and closed for snooping. They are working on building such a protocol.

I would love to leave my network open – I do not use all my bandwidth, and in fact do not use it at all for several hours a day. I have an unlimited plan – so it would not be a financial burden. It would instead shift the burden to the ISPs, which I believe is fair – they have restricted trade practices too.

Given the current state of terrorism in India – however – I do not feel safe in doing so. America has understood terrorism only a decade ago – we have felt it for last several decades. We know that an open wi-fi was used to claim Mumbai attacks of 26/11. I am also not sure of the legal protection in India, if any. The government machinery works in an ad hoc basis – even though we may claim to be the world’s largest democracy.

Please post thoughts / comments.


Internet censorship and loss of privacy


An excellent essay by Bruce Schneider on government organized initiatives worldwide to reduce internet privacy and for censorship. There is also evidence that criminals can (mis)use such infrastructure for their own purpose. Please click here to read.

Every year brings more Internet censorship and control — not just in
countries like China and Iran, but in the United States, the United
Kingdom, Canada and other free countries.

The control movement is egged on by both law enforcement, trying to
catch terrorists, child pornographers and other criminals, and by media
companies, trying to stop file sharers.

It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers and censors say, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in.


The world of computers: vision 2020


What would the shape of computing be 12-15 years from now? Here is where I think we will be:

My wrist watch will have my computer. When I reach office, I will place myself in front of a ‘dumb’ terminal – a monitor, a keyboard and a mouse. Embedded into the keyboard will be a smart card which will talk to my wrist watch (without cables). I will use a remote log-on software to connect to the computer inside the wrist watch – all applications will already be installed on the wrist watch and I will use them. It will also be possible to use the wrist watch as a pen drive of today. So all the data on the hard disk of this computer will be available in two ways: the remote log-on (which will also enable the use of installed applications), and USB (that is, minus the capability to use apps).

At home (and everywhere else), I will have a similar dumb terminal.

Microsoft will be dead – opensource (and portable) software like OpenOffice, and AbiWord will have caught up in terms of functionality. For profit firms of 2020 will provide support (and contribute to the enhancement to) GPL software.

Google will be going, but its offering of (office and other) applications as an online subscription (which will have become paid by then) will not be doing very well. People want to collaborate, but not at the expense of being tied down.

Electronics commerce will still have identity fraud 🙂 Sorry guys. However, the total volume digitally traded will be rising steadily.

Digital signatures would be much more easier to use, and transparent to the unitiated user. However, it will not be free from its own share of frauds.

Operating systems will be very different from today: there will be no device drivers. Every device will be plug & play, and will use universal drivers. Linux will be the defacto standard.

You have some more ideas? Please feel free to share.

Blogged with the Flock Browser

Safe Browsing Guide – II

Continued from Safe Browsing Guide – I

You might get some ‘warnings’ while opening secure pages, like below:


The first one means that the certificate could have been signed by anyone, including by someone you do not trust. If all I need is encryption: for example if I am sending email, and not sending any corporate presentations, or password, or credit card numbers – I should be fine. Many websites use such certificates – but if it’s a bank website using it – I would not login. To give you an idea of the relative security impact of many of the warnings discussed during this guide: this particular warning has a severity of 40 out of 100. It means even on seeing this warning, I am 60% likely to use the website.

The second one means that the certificate has expired. In this case, I would check what is the expiry date (by clicking on the lock) and if it expired a couple of days back I would allow it. In addition, if its sensitive information, I would not use the site until the issue is fixed. This one has a severity of 30.

The last one says that the website names do not match between the certificate and the actual website you are visiting. This could be a case of phishing, and could be serious. What I do in such a case is I find out what name the certificate is issued to (clicking on the lock icon) and check it against the actual website in the URL. If the website visited is server.icicibank.com and the certificate is for icicibank.com – I continue to use the site. If the two are very different, I don’t use the site. Severity is 80.

Mozilla issues one message for each of the issues as noted above while Internet Explorer (shown above) issues just one message with error icons:


This corresponds to the second warning from Internet Explorer.


This one corresponds to the first warning from Internet Explorer, same actions apply.

Another warning that you might see is this one:


Correspondingly for Mozilla:


This warning means that there is some content on the page which is not encrypted: this could be images or something else. Severity is 50: on GMail it may mean that the emails have such content so it’s ok to continue to do your stuff. However, if on one of the emails you are sending a password – you may want to be careful.

Lastly I would encourage visitors to read this advise on safe browsing from a security expert. This essay from 2004 is still good.

Disclaimer: This is just a guide and is not meant to replace professional advise. No measures can guarantee 100% security. There are a lot of threat vectors outside the scope of this tutorial: such as key loggers on your computer. In addition, the severities explained for warnings are just guides and have no scientific basis.


Safe Browsing Guide – I

When you browse over the Internet, or Chat, or send/receive email – you are not doing that in private. It is important to understand exactly what is private, and what steps you need to follow to maintain the privacy.

When accessing any website such as Yahoo.com, you get connected to the web site’s server which provides you the information you seek – search results, or email. This connection is not direct: you are connected through a series of nodes. Each node can view/alter the information that is flowing through it.

A protocol – ‘https’ provides privacy to your interaction by adding a ‘Secure Socket Layer‘ on top of the normal HTTP protocol. Enough of jargon, back to English!

So when you use this particular protocol you are secure subject to some caveats. Use of this protocol can be confirmed through the ‘https’ at the beginning of the URL, and through the ‘lock’ icon at the bottom right: Lock.

A lot of online websites support HTTPS for logging in. You have to select ‘secure’ at the login screen where you enter username/password. This means that your password is protected during the communication. However, these sites move back to normal mode after the login: your data (for example the email content) is not protected. Gmail supports secure connection even after login but you have to enable it in the settings – this makes sense and you should do it. However, even after doing this it does not mean that all your content is ‘protected’ – more on this later.

Please understand that if its emails in question: just your using a secure connection is not enough. The recipient should also use it for the information to remain inaccessible at the nodes.

Proceed to the next part of the guide.

Disclaimer: This is just a guide and is not meant to replace professional advise. No measures can guarantee 100% security. There are a lot of threat vectors outside the scope of this tutorial: such as key loggers on your computer. In addition, the severities explained for warnings are just guides and have no scientific basis.


reCAPTCHA project

There are a lot of sites including Google that use a CAPTCHA to distinguish a human visitor from an automatic web robot (called bot). An image is shown containing some letters and the visitor is required to recognise the letters. This is something that’s difficult for computers to do, but easy for humans.

reCAPTCHA is an interesting, free for all CAPTCHA project but it has a dual use: on the one hand (like all CAPTCHAs) it helps prevent spam, and on the other hand, it helps digitize books. The words it shows are taken from books that have been scanned but the OCR software is finding difficult to understand. More information on the reCAPTCHA website. I am planning to use this soon on my crossword solver page. I recommend that people add this to their websites – its very easy to do so with the plugins that are available.

By the way, CAPTCHA stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’