How do I keep myself safe from others on my LAN?

I can’t help you with your brother, but I want to address this question
because is raises a number of issues around the assumptions that we make when
using our computers at home. Assumptions that can affect our security and our
privacy.

If you have a tech-savvy snoopy brother like the person asking this
question, you won’t like the answer.

When we set up a home network we put a lot of emphasis on security, or more
specifically keeping “us” safe from “them”. By “them” we mean all the purveyors
of spyware, viruses and what-have-you out on the internet, and by “us” we mean
the machines at home, usually on our local network.

In fact, we often think of the line coming into our home as the boundary. On
the internet side of our router or broadband modem is “them” – the internet –
with “us” on the local network or LAN side.

The implicit assumption we’re making is that every machine and user on our
LAN is trustworthy. I’ll guess that more than 80% of the time that’s a valid
assumption. It’s certainly the explicit assumption I make on my home
network.

What if that assumption is wrong? What if you can’t trust everyone
on your home network?

Then you have to treat your home network as if it were the internet. Then
you have to set up things like firewalls on each machine you want to keep
safe.

Then you need to start thinking about privacy in a whole different way.

And that last one isn’t pretty.

•

I know the original question was about wireless sniffing, and I’ve discussed
some of the issues there before. Using WPA is one good way to keep things
fairly secure. But there’s a much, much larger problem here than just
wireless.

There was an interesting statement in the question: “In our house he has the
Desktop and the cable router.” The desktop’s no biggie, but the router? That’s
huge. Whoever controls the router has immense power. In general whoever has
access to the router can typically monitor which sites you visit. Depending on
the router, they may even be able to monitor the traffic itself – reading your
email or viewing the web sites you view.

In the worst case whoever controls your router or connection to the internet
could go so far as to insert a hub “upstream” and be able to monitor all
internet traffic going to and from your entire home network.

Scared yet? It gets worse.

As we’ve heard with the recent router admin password vulnerability, it’s
possible to configure many routers to misdirect you. You may enter
“google.com”, but the router could send you somewhere else entirely. This
depends on your router’s capabilities, and the expertise of the person
controlling the router. It’s not common, but it is possible.

•

So what do you do?

It depends on your level of paranoia. If the person controlling your router
isn’t that savvy, you may be quite safe in simply making sure your WiFi is
encrypted by using WPA or even WEP and leaving it at that.

If they are savvy, and you believe that they have reason to invest a lot of
effort trying to spy on you, things get very difficult. Some things you may
want to do include:

• Only connect to web servers via https. This encrypts all
  the data between your machine and the server, and renders it inaccessible to
  anyone in between, including whoever’s running your router. The bad news?
  First, not all websites – in fact very few – have https connections for
  anything except ecommerce. And second, even though he can’t see the data, your
  router admin can still see which sites you’re connecting to.

• Consider using an anonymous service such as TOR. Not only does this encrypt
  the connection leaving your machine, as https does, but it also hides which web
  sites you’re visiting. The downside is that it can be much slower, and
  I believe it’ll be obvious that you’re using it – meaning that it’ll be obvious
  to whoever’s monitoring your router that you’re hiding something.

• Use an encrypted connection to your email. Email is normally sent “in the
  clear” and thus could be read by anyone who has access to your router or
  internet traffic and knows how to do it. You can either encrypt the contents of
  your email – which still leaves the information about who you’re emailing
  visible – or you can use an encrypted connection to your email provider. That
  could be as simple as using an https-based web interface, or if your email
  provider supports it, configuring an SSL connection in your mail program’s
  account settings.

There’s a common theme above and that’s “encryption”. You can’t stop the
person who has administrative access to your router from being able to see your
data. You can encrypt that data so that it’s of no use to them.

•

Now, I’ll definitely admit that all that does sound like so much paranoia.
Certainly sibling interaction could be one reason for paranoia, but there could
be other reasons as well depending on personal situations.

However, I do want to be very clear that for most people there’s really
nothing to be concerned about. We’re the only ones to play with our own
routers, and we may not even have the skills to set up this advanced type of
network sniffing and monitoring. As long as we’ve protected ourselves properly
from “them” – the bad guys out on the internet – we’re safe on our LAN.

But I do think that it’s important to understand what assumptions that
safety entails.