it's worth noting, I think, that Schneier is pretty out of touch when it comes to the whole "open wireless" thing, because he leaves himself open to a bunch of local-only attacks. he's correct that your computer should be able to withstand being on the 'open' internet, since it is every time you take it to work or a coffee shop or something, but, don't be an idiot, just turn WPA2 on at your house.
many access points (I think) now provide a feature where they can run multiple SSIDs. so if you're savvy, you can turn on a guest-only open wifi for when you have visitors, and turn it off when they leave. kind of like a guest key for your spare room!
he leaves himself open to a bunch of local-only attacks
What kind of attacks might those be?
Consider the case of a computer connected to the network with no open ports (other than say, 25 for SSH), with a properly configured firewall, that connects to the Internet through a VPN and with an operating system that auto-updates itself.
I secure mine mostly so that a neighbor won't download torrents on my connection and thus negatively impact my experience. I imagine in an actual house it's not as necessary, but I live in a zone of large buildings and usually see 20+ networks visible.
Well, if his Internet connection is open, then he's open to being prosecuted for what other people might download on it.
As a celebrity, he probably has some substantial de facto immunity against this. (One blog post, and "the Internet" will show up on his side.) The rest of us... not so much.
Actually with an open wifi you're more protected against such instances because it's concrete proof that your IP was shared by other people, considering how ISVs assign these IPs dynamically and that their logs may not be accurate.
And in civil lawsuits, you can spend several thousand dollars in legal fees more or less effectively making your point.
Also, it's increasingly apparent that other jurisdictions will increasingly attempt -- or be used -- to ensnare people in more... "permissive" jurisdictions. Don't like the venue? Sue -- or prosecute -- them in another venue.
On the one hand, I feel sad that my response to this is to "close up" connectivity. On the other hand, I for one don't have the resources with which to liberally take such situations on.
That assumes that his network allows anyone to connect to the internet from it, which is not implied here. Open wifi usually lets anyone who hops on the network talk to the world, but I'd bet someone like Schneier is more sophisticated about that sort of thing.
Putting SSH on the open internet with port 22 means it'll be readily identified when people scan. Then they might well try to use dictionary attacks etc. - I'd advise against it simply to stop the log files filling up.
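Added example, not from any commenter in this thread: a small Python check that reads sshd log lines (a constructed sample, not a real capture) and flags source addresses that produce a burst of failed passwords, which is the log-filling noise the comment above describes. The five-failures-in-sixty-seconds threshold is an assumption, not a recommended setting.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not a real capture).
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 host sshd[4013]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar 10 02:14:05 host sshd[4015]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 10 02:14:06 host sshd[4017]: Failed password for invalid user test from 203.0.113.7 port 51052 ssh2
Mar 10 02:14:08 host sshd[4019]: Failed password for invalid user guest from 203.0.113.7 port 51060 ssh2
Mar 10 02:14:09 host sshd[4021]: Failed password for invalid user pi from 203.0.113.7 port 51071 ssh2
Mar 10 02:20:44 host sshd[4101]: Failed password for alice from 192.0.2.55 port 40210 ssh2
Mar 10 02:20:51 host sshd[4103]: Accepted publickey for alice from 192.0.2.55 port 40211 ssh2
"""

# Matches the standard OpenSSH "Failed password" message, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Return (timestamp, ip, user) for each failed-password line; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failures inside any window_seconds span (assumed values)."""
    by_ip, users = defaultdict(list), defaultdict(set)
    for ts, ip, user in events:
        by_ip[ip].append(ts)
        users[ip].add(user)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(stamps), "users": sorted(users[ip])}
                break
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(parse_failures(SAMPLE_LOG)))
```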
OpenBSD's second remotely-exploitable hole relied on being on the same network segment (AIUI from a quick read it involved sending malformed IPv6 packets). Such vulnerabilities aren't particularly common, but you're always going to be exposing a somewhat wider attack surface to the local network than to the internet at large.
If they're decent, the guest ID/config can have its own password. Approved guests get wireless without having to put it up and take it down. Unapproved "guests" remain unapproved.