he leaves himself open to a bunch of local-only attacks
What kind of attacks might those be?
Consider the case of a computer connected to the network with no open ports (other than, say, 25 for SSH), with a properly configured firewall, that connects to the Internet through a VPN and with an operating system that auto-updates itself.
I secure mine mostly so that a neighbor won't download torrents on my connection and thus negatively impact my experience. I imagine in an actual house it's not as necessary, but I live in a zone of large buildings and usually see 20+ networks visible.
Well, if his Internet connection is open, then he's open to being prosecuted for what other people might download on it.
As a celebrity, he probably has some substantial de facto immunity against this. (One blog post, and "the Internet" will show up on his side.) The rest of us... not so much.
Actually, with an open wifi you're more protected against such instances because it's concrete proof that your IP was shared by other people, considering how ISVs assign these IPs dynamically and that their logs may not be accurate.
And in civil lawsuits, you can spend several thousand dollars in legal fees more or less effectively making your point.
Also, it's increasingly apparent that other jurisdictions will increasingly attempt -- or be used -- to ensnare people in more... "permissive" jurisdictions. Don't like the venue? Sue -- or prosecute -- them in another venue.
On the one hand, I feel sad that my response to this is to "close up" connectivity. On the other hand, I for one don't have the resources with which to liberally take such situations on.
That assumes that his network allows anyone to connect to the internet from it, which is not implied here. Open wifi usually lets anyone who hops on the network talk to the world, but I'd bet someone like Schneier is more sophisticated about that sort of thing.
Putting SSH on the open internet with port 22 means it'll be readily identified when people scan. Then they might well try to use dictionary attacks etc. - I'd advise against it simply to stop the log files filling up.
OpenBSD's second remotely-exploitable hole relied on being on the same network segment (AIUI from a quick read it involved sending malformed IPv6 packets). Such vulnerabilities aren't particularly common, but you're always going to be exposing a somewhat wider attack surface to the local network than to the internet at large.
Consider the case of a computer connected to the network with no open ports (other than, say, 25 for SSH), with a properly configured firewall, that connects to the Internet through a VPN and with an operating system that auto-updates itself.
What could you do to it from inside the network?