Good Practices for Open Wi-Fi;

2016-21. Wi-fi networks named openwireless.org are available to everyone for occasional, lawful internet access subject to terms of service. It's an initiative established by the Electronic Frontier Foundation (EFF) in 2012/ Sadly, it was placed on the back burner. But they do still support it ( Electronic Frontier Foundation 2021). Electronic Frontier Foundation. 2021. OpenWireless.org. Electronic Frontier Foundation, June 17. (Also archive.org eff.org /page /openwirelessorg#important.) Important points:

1. When you watch videos, use the service's tools to set the resolution to the lowest available, for example, using the YouTube gear icon to change the quality from 720p to 144p. Failure to do this may get you blacklisted. Every video service is different, but even Netflix offers this ( Netflix 2021). Netflix.com. 2021. How to Control How Much Data Netflix Uses. Netflix.com. (Also archive.org help.netflix.com /en /node /87.)
2. Do not share pirated material or engage in anti-social or illegal activity. Complaints will get you blacklisted.
3. You may be unable to access innocent pages that reside on servers currently infected or hosting adult or illegal content. The symptom may be a notice that the website is not configured correctly or that the site can't be found.
4. There may be log files showing every date and time you were simply near an open Wi-Fi, let alone using it. When not connected most devices transmit an 'Is anybody out there?' message to all routers in range in an attempt to find a usable Wi-Fi ( Haigh 2015). Haigh, Steven. 2015. Tracking people via WiFi (even when not connected). Steve's Blog, crc.id.au. Mar 8 (first archived). (Also archive.org crc.id.au /tracking-people-via-wifi-even-when-not-connected.) Some systems store such data.

Why openwireless.org?

Ironically, providing an isolated guest Wi-Fi can increase the security of your private Wi-Fi. Think of your private Wi-Fi as your banking Wi-Fi. The guest Wi-Fi is for all devices you can't be certain won't compromise your banking Wi-Fi.

Untrusted devices include all devices you do not personally own, control, and keep updated. When your neighbor's Internet goes down, you shouldn't give them your banking Wi-Fi password. You should tell them to use your guest Wi-Fi, openwireless.org. Similarly, if a guest wants to use your Internet, tell them to use the guest openwireless.org. Don't let their devices connect to your banking Wi-Fi. You may trust your neighbors and visitors, but you absolutely, positively cannot trust their laptops, smartphones, or tablets.

Untrusted devices also include every Internet thing you own. Every such device is a hacker's entrance. When you get a nifty web-connected thermometer, weather sensor, security camera, door lock, or TV, if you connect it to your banking Wi-Fi, you're just screaming for trouble. Connect them via your guest openwireless.org instead. When they are hacked -- and they will be -- they cannot do as much damage when they can't open connections to each other or your banking Wi-Fi.

• One Casino had its list of high rollers compromised by someone who reached it through a web-connected aquarium thermometer that was attached to its internal network. ( McAfee 2018.). McAfee.com. 2018. Casino's High-Roller Database Compromised by a single IoT Thermometer . McAfee.com blog, Apr. 17. (Also archive.org mcafee.com/ blogs/ privacy-identity-protection/ casinos-high-roller-database-iot-thermometer/.)
• A multifunction printer on your banking Wi-Fi may be just as risky. A patched 2018 security hole affecting 150 HP models allowed infecting private Wi-Fi computers by simply faxing the printer a malware-infested color fax ( Wagensell 2018). Wagensell, Paul. 2018. Have an HP Printer? Protect Yourself From This Scary Hack. TomsGuide.com, Aug. 14. (Also archive.org TomsGuide.com /us /hp-printer-fax-hacks-defcon26.news-27795.html.) A 2018 HP KRACK advisory advises customers to protect themselves by making sure the Wi-Fi network only allows WPA2-AES/CCMP, or setting up TLS for printing (e.g. IPPS), or turning off Wi-Fi and printing via USB or ethernet, and by not using Wi-Fi Direct from unpatched devices ( HP 2018). HP.com. 2018. HP Printing Security Advisory - KRACK Attacks Potential Vulnerabilities. Support.HP.com, Jan. 9. (Also archive.org Support.HP.com /us-en /document /c05872536.) An incompletely patched 2021 security hole affecting another 150 HP models allows infection by simply printing a malicious document ( Toulas 2021). Toulas, Bill. 2021. 8-Year-Old HP Printer Vulnerability Affects 150 Printer Models. BleepingComputer.com, Nov. 30. (Also archive.org BleepingComputer.com /news /security /8-year-old-hp-printer-vulnerability-affects-150-printer-models.)
• Theoretically, moving Internet things like printers to the guest Wi-Fi should greatly mitigate the reach of hackers. Practically, it may be fraught with difficulties and other risks. Printers are a great example.
  1. The HP Windows printer drivers print unencrypted to the network. And now it's a guest network with no encryption or at best a shared guest Wi-Fi password. So you might want to add the printer's self-signed HTTPS certificate to Windows and print only via an added HTTPS network printer (IPPS).
  2. Smartphones can no longer print until disconnected from Wi-Fi Internet and connected to the printer's Wi-Fi Direct. For Androids, the Mopria Print app can do this for you.
  3. With Wi-Fi Direct active, everybody within a block can connect to your printer. That means you'd better have a non-default password on its embedded web server. But that doesn't keep them from sending unwanted print jobs or potentially sending faxes over your phone line. If problems arose you'd need to change the printer's connect mode from automatic to manual so Wi-Fi Direct connections would be ignored unless accepted manually at the printer.
  For some, the cure may be worse than the disease. But if the printer is on your banking Wi-Fi and a hacker compromises it, they could place ransomware on your banking PC. That could be nearly fatal.

Openwireless.org gives you the option of moving some or all untrusted devices off of your private banking Wi-Fi. That's one of the reasons it is too useful to be without. In an environment of detached homes where all the neighbors have Internet, and when there's been no abuse, there may not even be a compelling reason to put a shared password on this network. It might be just as satisfactory to blacklist the occasional problematic device, like someone's Internet TV that probably erroneously connected to your system.

Good Practices

Theoretically, it's good practice to replace a Wi-Fi router's factory firmware with open-source firmware. It's often more powerful, for example allowing limited logging to an external PC. Some factory firmware doesn't even let you name a guest network 'openwireless.org', only allowing the main name with the suffix '-guest'. That doesn't make it obvious that it's open. Some won't even allow a passwordless network.

Practically, installing and maintaining open-source firmware is not for the faint of heart. For example, I'm currently running preinstalled open-source firmware in place of the OEM firmware on my router. It needs to be updated. But the company that preinstalled it no longer provides support. And I don't want to risk bricking the only working WiFi router I have.

Guest Client Isolation

Guest client isolation should be turned on. This lets guest devices access the Internet but not each other. Direct connections facilitate peer-to-peer file transfer, which is often illegal pirated content. It also facilitates hacking by one rogue guest of all other guest devices and propagation of worms from one infected device to all the others.

Content Filtering

Content filtering may and possibly should blacklist adult content, malware, and/or force safe search. This is because any openwireless.org network is inherently accessible by unsupervised minors and problematic adults. But everyone should understand that when content filtering applies, search engine results omit thousands of innocent pages, and connections to thousands more will be blocked.

Blacklisting may be necessary, but it is not benign. Blacklisting one problematic site may deny access to thousands of innocent pages because hundreds of unrelated sites commonly share a single rented server. In one case, a state forced the blocking of 376 illegal websites. The side effect was to block access to 1,190,000 innocent US pages plus another 500,000 at terra.es ( E.D. Pa. 2004). E.D. Pa. (DuBois, J.). 2004. Memorandum, Center for Democracy & Technology v. Pappert; Case No. 03-5051 (109 page PDF). E.D. Pa., Sep. 10 (Unofficial copy). (Also archive.org cdt.org /wp-content /uploads /speech /pennwebblock /20040910memorandum.pdf.)

Safe Search may be necessary but is not benign either. It de-indexes huge swaths of perfectly acceptable content. SafeSearch blocks at least tens of thousands of web pages without any sexually-explicit content .... [including] sites operated by educational institutions, non-profits, news media, and national and local governments ( Edelman 2003). Edelman, Benjamin. 2003. Empirical Analysis of Google SafeSearch. Cyber.law.Harvard.edu, Apr. 14. (Also archive.org cyber.law.Harvard.edu /archived_content /people /edelman /google-safesearch/.)

Still, it's probably better practice to apply content filtering and run an openwireless.org Wi-Fi than not to run one at all. Services that offer content filtering for free for personal use in 2021 include:

1. Cisco's OpenDNS Free Family Shield DNS resolvers (208.67.222.123 and 208.67.220.123) appear to be the least restrictive alternative. They only deny access to known servers hosting adult content. Safe Search is not applied. However, in this free version, they don't filter malicious content either. https://www.opendns.com/setupguide/#familyshield.
2. Yandex's Free DNS Family resolvers (77.88.8.3 and 77.88.8.7) are more restrictive. They deny access to known servers hosting adult content and those known to have malicious content. Additionally, they force Safe Search on Bing.com (moderate) and Google.com. Bing's moderate setting blocks adult images but not text. For US persons it may be troubling that Yandex is a Russian company, but they've made a reasonable attempt at DNS filtering here. dns.yandex.com.
3. CleanBrowsing.org's Free DNS Content Filtering. These 'Adult' DNS resolvers (185.228.168.10 and 185.228.169.11) are more restrictive. They deny access to known servers hosting adult content and those known to have malicious content. Additionally, they force Safe Search on Bing.com (strict - no adult images or text) and Google.com. cleanbrowsing.org/filters/.
4. Cloudflare Free DNS Adult/Malware denying resolvers (1.1.1.3 and 1.0.0.3). These are no more or less restrictive than CleanBrowsing.org's. They deny access to known servers hosting adult content and those known to have malicious content. Additionally, they force Safe Search on Bing.com (strict - no adult images or text) and Google.com. These may be the fastest filtering DNS resolvers available. https://1.1.1.1/family/.

Privacy and Usage Logs

Wi-Fi log files are a huge potential liability and should probably be disabled. To be sure, they're extremely useful for security and troubleshooting purposes. But as noted above, a side effect is that they typically create a time-stamped record of every device every time it enters or leaves the vicinity. It matters not that the passer-by never connected.

Wi-Fi log files are a huge privacy intrusion even for newer devices that randomize their ID. That random ID is usually persistent for any given access point. That makes it easy to pull the cover off the anonymity.

Are you exposing yourself to potential civil penalties if you store Wi-Fi log files? If you're in Europe, does the General Data Protection Regulation apply? If you're in California, does the California Consumer Privacy Act apply? In any jurisdiction, do stalking laws apply? Creating records of people's schedules, even accidentally, is very, very not good.

If you have Wi-Fi log files, you can't guarantee visitor privacy. Once served with a legal demand for the records, it's illegal to destroy them. You nearly always have to turn over what you have. And you can't even disclose the risk to passers-by who have never used or heard of your system.

If you must have Wi-Fi log files, hire an expert to manage them. You'll need data protection, retention, and destruction standards. Whole volumes have been written about that ( Kent and Souppaya 2006). Kent, Karen and Souppaya, Murugiah. 2006. Guide to Computer Security Log Management (72 page PDF). NIST Special Publication 800-92, Sep. (Also archive.org nvlpubs.nist.gov /nistpubs /Legacy /SP /nistspecialpublication800-92.pdf.)

Your life will be simpler and arguably safer if you don't create or store Wi-Fi log files at all.

Good Practices?

It's difficult to find good practices for open Wi-Fi systems. I'm certainly no expert. These are simply some things to think about. Alas, if you ask computer security people for help, you probably won't get any guidelines on how to run an open Wi-Fi responsibly. Instead, you'll probably get a screaming tirade of why you shouldn't. But the reasons don't stand up to inspection. The EFF's idea was a good one. It's too bad they put it on the back burner.