Wide-open wireless on the Northeast Corridor

When I took the train from Boston to New York City last week to attend CeBIT America, I took with me my most portable notebook, a Sony PictureBook running Windows ME. I turned on the computer as the train rolled out of Route 128 Station, and kept it on until we dipped under the East River, all the while running a program called NetStumbler that scans the airwaves for Wi-Fi access points. The results: There are a lot of 802.11b access points out there, and most of them are wide open to air piracy.

When I tried this exercise a year and a half ago, Wi-Fi wasn’t nearly as widespread. At that time I uncovered only 43 devices on a similar stretch of track. This time, on a slightly shorter trip that started in the suburbs outside of Boston, I found 113 Wi-FI devices, all but five of them access points. Of those 108, only 15 were using WEP encryption.

Without WEP protection, which admittedly is relatively easy to crack but is better than nothing, anyone with a laptop computer and an 802.11b adapter could park within range of an unencrypted access point and share its Internet connection. Worse, if the owner’s internal security was as bad as its network security, anyone could read or copy files from computers on these networks. Unfortunately I couldn’t test any of the sites I found myself, because on a speeding locomotive, an access point goes in and out of range faster than you can click a mouse.

It appeared that most of the secured access points belonged to individuals, not businesses. They had SSID names like gramps, KPeterson, and Anthony’s Network. Why aren’t businesses making wireless security a priority? Some of them, restaurants perhaps, may offer wireless network access to customers as a perk. For the others, who are using wireless to augment their wired networks, I can think of a number of possible reasons for the lax security, but none of them holds up against the possibility of letting strangers inside your firewall.

I recently added WEP to my own home network. All of my neighbors who might be within range are old (or dead, in one case) and unlikely to be wild wireless access point hunters (I’m not being agist, I just know my neighbors), but I think it’s good practice. It’s a tiny bit more work when I set up each new PC, but just a trivial amount. I can understand how users might complain that they need to reconfigure when they move from their home network to their office network, but the simple solution to that problem is to give your home network the same encryption key as your office.

If you’re responsible for a wireless network, I urge you to practice safe computing. Even if you think leaving your link unencrypted is extremely unlikely to cause harm, consider the down side if you’re wrong. Just say yes to wireless data encryption.

Not a WASTE of effort

Nullsoft last month released Waste, an application “designed to permit secure distributed collaboration and communications for small trusted groups of users,” according to the developers. Nullsoft corporate parent AOL Time Warner yanked the software from Nullsoft’s site within a day, saying it had been illegally posted. The software is still available on mirror sites, however, so, open source mavericks that we are, we thought we’d give it a spin. Waste is a simple implementation of secure peer-to-peer networking that gives widely dispersed workgroups most of the secure instant messaging and file transfer tools they need.

First, about that name. It appears to be an acronym from Thomas Pynchon’s The Crying of Lot 49. In that novel, it stands for We Await Silent Tristero’s Empire, and represents a secret underground communication system. That seems appropriate, in that this Waste (general preference and our editorial style guide deplore all caps) communicates outside of common network instant messaging and file transfer channels.

Waste was written for Windows clients, but enterprising third parties have already coded a Linux version. Despite the statement in the design document that comes with the program’s source code that claims the program is for power users, installation is simple. After you agree to the GPL, Waste copies files and installs shortcuts to Windows’ Start menu. It walks you through generating or importing a private/public key pair and specifying download and upload directories.

The keys are, um, key to the product. Without the security they represent, you might as well use one of the many public instant messaging networks, which offer all of Waste’s other functionality and more. With the keys, which you must first exchange with those you want to communicate with, you can send messages and files encrypted using RSA and Blowfish algorithms, and the transaction isn’t mediated by any central server.

Look and feel

When Waste starts it displays two windows. The main Waste window is a slim list of other Waste users, similar in appearance to other instant messaging products’ user lists. The Network Status window shows the status of connections between your computer and another. This window is initially empty, but if you’ve connected to another Waste client before, the connection comes back automatically when you start the program again.

Any user who has tried any other instant messaging program will be instantly comfortable with Waste’s IM capabilities. You click on a user name to send a message to that user, or on a small button to create a shared chat room. A list of existing chat rooms appears beneath the user list; you can also create invisible chat rooms that don’t appear on the list.

Once you connect to another user you can bring up the Waste Browser window. In it you choose a user, and can then look over all the files in the directory the remote user made available for sending to others. You can upload or download a file to and from directories you specify from a Preferences choice on the main window’s File menu. While a transfer is in progress you can watch its status in a separate Transfers window.

Waste provides only rudimentary security options besides encryption. You can specify IP addresses to allow or deny. You can also limit inbound and outbound traffic streams to specified throughput levels to avoid impacting more important traffic.

In its initial release, Waste is simple and useful. It’s not especially powerful, however. It lacks at least a couple of key features I’d like to see. I’d like to be able to specify user-level privileges on my file transfer directories, to let some but not all of those on my Waste network access particular files. And I’d love the ability to synchronize two directories on machines across the network. Other simple enhancements will probably follow in future releases (if any), such as audible and visual cues on chat events such as users joining or leaving the network.

Waste is not designed for the enterprise; its design doc warns “the amount of traffic on the network scales more than linearly with the number of users.” Waste traffic may be broadcast to and routed through any nodes on a given private Waste network. But for a 1.0 product, it’s well-thought-out and a great base for building on. I hope we see future versions with expanded capabilities, either from Nullsoft or the wider open source developer community.

The demise of copyright

Last week Justin Frankel, the founder of Nullsoft, the company that created the popular Windows music player Winamp, quietly posted on Nullsoft’s Web site a collaboration program called WASTE licensed under the GPL. Nullsoft is owned by AOL Time Warner. The day after Frankel posted the software AOL ordered it removed from the site, and instead posted a notice asserting the company’s rights to the software. (Frankel Monday said he expects to leave Nullsoft in the wake of the AOL’s move.) However, in the short time the software was available, it, as well as the entire site on which it was available, was downloaded by others on the Internet, who have now posted mirrors of the missing site, allowing anyone to download and try the software.

If they post it, will users come? You bet. I plan to review it here soon. But may they? Ah, that’s a trickier question.

In this case, if Nullsoft had had the legal right to post it initially, users would be free and clear. Section 6 of the GPL states:

Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

Since Nullsoft didn’t own the copyright when Frankel posted the program, however, the law is not your friend. Copyright law says you can’t legally use the application. In the same way, copyright law forbids you from downloading copyrighted music from Kazaa or Gnutella (fun fact: Nullsoft also released the original version of Gnutella, and AOL also yanked it almost immediately), or copyrighted images someone uploaded to alt.tasteless.pictures.

In reality, however, chances are you have downloaded copyrighted material and saved it on your hard drive, and if you haven’t, the guy next to you certainly has. The fact is, copyright works only as long as the barrier to violating it is high enough that the average user or reader isn’t able to violate it. When it took a printing press and skilled compositors to produce books, it wasn’t worth chancing one’s livelihood by pirating works for which one could be sued. Once the barrier was lowered, copyrights became ineffective.

Think of speed limits. You may not drive over 55 or 65 on the highway, but how many people routinely violate that law?

Enforcement helps keep speeders honest, but won’t work for digital rights. Copyright violations happen invisibly, in private, and far too frequently for policing to be effective.

If a legislative solution isn’t the answer, what about a technological one? That’s what Microsoft is trying to develop with its Next-Generation Secure Computing Base. Consumers are unlikely to agree to let third parties determine what rights they have to files on their own PCs, however, so NGSCB seems stillborn. Consumers will vote with their pocketbooks, opting for non-limited clients. Unless Microsoft and its development partner Intel truly do have a monopoly, any available alternative should bury NGSCB.

If we can’t depend on the law or science to enforce digital rights, how can writers, artists, and musicians hope to make a living nowadays?

New paradigms needed

One thing that will help is providing a mechanism for allowing people to do the right thing. Most people believe that creative professionals have a right to profit from what they create, and don’t mean to steal their livelihood.

I would happily pay an author the same amount he now gets from a publisher (which is far less than retail cost) if I could his download his books, read them on a handheld device, and delete them afterward. A little PayPal button on an author’s download page would work fine. If this became the rule rather than the exception it is today, publishers would all but disappear, and editors would be paid by writers, not publishers.

I would happily pay an artist for a print I found on her Web site and avoid the 100-percent markup the dealer or gallery owner gets.

I would happily pay for open source software that did a better job than other available options.

With no corporate publicity organization working to promote new works, critics and magazine editors play an important role. They sift the available works and highlight those they feel are most worthy of attention. Also important are Web sites where buyers can exchange comments about the works.

While taking advantage of the Internet’s ubiquity can help creative professionals, at the same time it behooves these artists to come up with more new ways of making a living. In the performing arts, product placement has helped supplement production costs for years. Not so long ago, the concept migrated to the novel, though not without much gnashing of teeth from the literary community. Personally, I prefer works untainted by commercial considerations, but I can understand auteurs putting practicality over principle.

The democratization of access to the mass media in the form of the World Wide Web is transforming many businesses, eliminating others, and creating new job categories. The experiences of open source software developers may point the way for the larger community. A Creative Commons license may become the natural heir to copyright a few years down the road.