WiFi Sourcing

When we had finally found a decent place to live, we discovered that one vital thing was missing to complete the picture: the holiness of Internet connectivity. While our lodging in Delfshaven, Rotterdam, does have a cable connection, the landlord did not approve of our request to also opt in for Internet with the same cable company that already delivers television, for the sake of administrative burdens. And as there is no telephone line, ADSL was not an option either. You can imagine how tremendously inconvenient that is in a world where you are expected to be connected all the time.

So basically we were not left with many options, although the landlord advised us to go with a dongle — mobile broadband through a USB stick that functions as a modem. It is true that dongles are omnipresent nowadays, but for two young people starting up their lives, the carriers' data plans and their respective rates are still too high.

However, when you are not — legally speaking — the owner of an Internet connection, there is still the possibility that you can rely on an open wireless network sitting somewhere in your neighborhood, waiting for you to stand under its umbrella. Well, as a matter of fact, not a single WiFi network was open. So then a friend of ours suggested that we go talk to the neighbours, explaining to them that we were having a hard time acquiring an Internet connection and asking them if we could share their connectivity, while of course also contributing to their monthly bill.

Taking that advice, I reached out to them. This was a disappointing experience, as all of them were very hesitant, to say the least. Some even told me that they would never think of sharing their connection, as they think it brings trouble. So that left us with two options: going with the expensive dongle or (illegally) breaching the closed networks' security.

A locked wireless network is secured by a password, and in our surroundings, again, all of the networks were protected, some using WEP encryption but most of them using the more secure WPA encryption. WEP has security limitations and is therefore fairly easy to crack. You just have to collect enough initialization vectors (IVs) and data packets, and a weak scheduling attack will do the rest. While the recommended solution to WEP security problems is to switch to WPA, even with WPA enabled the network will remain vulnerable to the cracking of weak passphrases.

I am not writing this to prove that I know how to crack such closed networks. It just struck me that all people locked down their wireless networks. This is in line with what is said in the Open Wireless Movement call to action post. It is indeed harder nowadays to find an open wireless network. People lock their networks because they fear privacy and security risks when WiFi is unencrypted. Well, just like my mom, who still fears that her credit card data will be stolen once exposed on the Net. No wonder, when almost every day our media report on credit card and identity theft. Another fear might be that they have data plan restrictions in place, even for broadband, and they don’t want others “free-riding” and hogging bandwidth. Such data restrictions are, however, no longer the case in a country like The Netherlands, and as per my understanding broadband connections are capable of at least something, only slowing down the traffic to a minimum extent. The above, in a sense, makes me think that people are quite greedy.

The earlier mentioned EFF post discusses the technical work that needs to be done in order to fight “the real problem, which isn’t that people are encrypting their WiFi: it’s that the encryption prevents them from sharing their WiFi with their friends, neighbours, and strangers wandering past their houses who happen to be lost and in need of a digital map.” So what is needed is WiFi that is open and encrypted at the same time. Apparently, the proposed protocol offers some additional privacy/security benefits not available in shared-pass-phrase WPA2, since under WPA2 all the users on the network can calculate each other’s session keys and eavesdrop on each other. With the suggested design, that would cease to be possible. Moreover, WiFi networks turn out to make inherently much more efficient use of the electromagnetic spectrum than systems of widely spaced cell phone towers. So in order to make the Internet work seamlessly for everyone, we would need short-range networks with routers everywhere.

I am absolutely in favor of such a new protocol, but as always it takes time and has to go through different phases before it becomes a standard. Requirements have to be analyzed more deeply and thoroughly, and the protocol needs to be designed, implemented and tested. While it is good to see it is already materializing, I have been wondering how we can work something out using the WiFi structures and protocols already in place. A concept that I call WiFi sourcing is introduced in the remainder of this post.

WiFi Sourcing refers to the practice of sharing a WiFi network with trusted agents for a limited time and limited bandwidth.

That firstly brings me to Clay Shirky’s concept called cognitive surplus. Basically this idea says that we should use our free time more wisely and exploit our goodwill. As we now have access to new media, we can collaborate instead of passively watching television. Our society and daily lives will thus improve dramatically.

What if, say, you are in a certain foreign neighborhood, desperately in need of access to a wireless network because you are lost and need to check the local map to find a place, but you find yourself in a very inconvenient situation because there is no open Internet access? Although there are plenty of networks around you and electromagnetic wireless signals are flowing through your body, you just cannot access any of them since they are all password protected.

Let’s apply the principle of cognitive surplus to closed WiFi networks. If you were able to tap into a database where people can access and contribute “data” about closed WiFi networks, that could be very valuable. Users of the service would then just look up the Service Set Identifier (SSID), or browse by location, as WiFi networks could be mapped to a location. A simple lookup will do the rest, and the password will be displayed accordingly. As such, people can share their network.

I think that in the first place people should be reminded and made aware that they are socially responsible for opening up their networks instead of hoarding them. However, if everyone opens up their network in the wild, people will notice their connection slowing down if it is used carelessly and abundantly by others. So the ability to share a pass-phrase with certain “trusted” users over others should be possible.

Just like in “Down and Out in the Magic Kingdom” by Cory Doctorow, the concept of Whuffie – social capital – should be part of the design of such a system. It functions as a way to normalize and steer human behavior, rewarding safe, conservative behavior and penalizing struggles and conflict. There are many more trust metrics, such as “Karma”, a system where people can give you reputation points based on your behavior. So a moderation, rating or reputation system as well as trust metrics are essential. The service described earlier should be built with that from the ground up and the community should support it.

From a cryptographic point of view, to increase trust and security, some sort of a Web of Trust is created. Keys (PGP) will be accumulated from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. Everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. So if people abide by fair use, they can be added to a trusted list and can be referred to other WiFi owners. Just like in the FOAF+SSL protocol, trust is established recursively. Individuals add people they trust to their profile. Those people in turn do the same.

If such reputation-based mechanisms are carefully implemented, people would be able to fine-tune the allocation of bandwidth too. I am thinking of the design of a new application layer where the pass-phrase gets hashed multiple times, as many times as needed, according to the number of users that one wants to share with. After all, if the password is plainly shared, the danger exists that it will be passed on or spread to others. The proprietor of the closed WiFi network would administer the second-level pass-phrases and distribute them accordingly. The newly generated pass-phrases could then be assigned to 1 to n IP addresses. Of course, the user wants instant access to the network, so there should be a way to assign them automatically without the direct involvement of the WiFi owner. The authentication to the network would happen within the boundaries of the software itself, translating the newly generated passwords to the unique WiFi pass-phrase. It should be designed in such a way that it is impossible to reverse engineer the cryptography to the original WiFi password.
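A sketch of the second-level pass-phrases described above, as an added example that is not part of the original post. It first shows repeated hashing, where whoever holds one user's value can compute every later one, and then a swapped-in keyed derivation (PBKDF2 plus HMAC-SHA256 over a guest label and expiry) that avoids this. All function names and sample values are hypothetical, and the owner's software is assumed to do the checking.

```python
import base64
import hashlib
import hmac

# Constructed sample values; none come from the original post.
WIFI_PASSPHRASE = b"correct horse battery staple"
OWNER_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # random and owner-only in practice


def hash_chain(passphrase: bytes, users: int) -> list[bytes]:
    """Repeated hashing as the post describes: user i gets the pass-phrase hashed i times."""
    out, value = [], passphrase
    for _ in range(users):
        value = hashlib.sha256(value).digest()
        out.append(value)
    return out


def owner_key(passphrase: bytes, salt: bytes) -> bytes:
    """Stretch the pass-phrase once with a secret salt, so a guest token
    cannot be used to guess the original pass-phrase offline."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000)


def guest_token(key: bytes, guest: str, expires: int) -> str:
    """Second-level pass-phrase bound to one guest label and an expiry (Unix time)."""
    msg = f"{guest}|{expires}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:15]
    return base64.b32encode(tag).decode().lower()  # 24 characters, easy to type


def check_token(key: bytes, guest: str, expires: int, token: str, now: int) -> bool:
    """Owner-side check: recompute, compare in constant time, enforce the expiry."""
    expected = guest_token(key, guest, expires)
    return now < expires and hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    chain = hash_chain(WIFI_PASSPHRASE, 3)
    # Weakness of plain repeated hashing: user 1 can compute user 2's value alone.
    print("chain leaks forward:", hashlib.sha256(chain[0]).digest() == chain[1])
    key = owner_key(WIFI_PASSPHRASE, OWNER_SALT)
    tok = guest_token(key, "alice", 1_700_003_600)
    print(tok, check_token(key, "alice", 1_700_003_600, tok, now=1_700_000_000))
```

Because each token is bound to a guest label and an expiry, the owner can stop honouring one guest's token without changing the WiFi pass-phrase or anyone else's token.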
