dslreports logo
site
spacer

spacer
 
   
spc
story category
Wi-Fi Raises New Questions
Pointing the finger of responsibility
by Karl Bode 10:48AM Friday Dec 26 2003
While wireless is convenient, it's also naturally less secure, opening itself to a wide array of new questions. 2004 may see hotspot owners held accountable (or given less judicial rights) for illegal activity done over their poorly secured connection. This Always On article briefly touches on the recent arrest of a man using community hotspots for child porn (while driving). On top of other charges, Toronto police will apparently be charging the man with Telecom theft. The article also points to this 2003 Wireless System Design Article discussing potential New Hampshire legislation that would eliminate the intruder prosecution rights of a company if they fail to secure their wireless network.

In the Always On article, a user agrees to not press-charges if the intruder (his neighbor's son in this instance) teaches him how to properly secure his wireless network. But can individuals be prosecuted for "breaking into" a wide-open home network? Should the hotspot owners be held legally responsible if a crime is committed in part thanks to their poor security practices?

view:
topics flat nest 
doppler

join:2003-03-31
Blue Point, NY

Wireless is not a defense for clueless

Secure it or lose everything
russotto

join:2000-10-05
West Orange, NJ

Re: Wireless is not a defense for clueless

On what grounds? 17 USC 512(a) removes liability for those who are deliberately providing access. If the access is being provided accidentally or even against the wishes of the provider (e.g. by someone hacking WEP), there's no grounds in the first place.

J D McDorce
Premium
join:2001-12-29
Westland, MI

Re: Wireless is not a defense for clueless

17 USC 512(a) only refers to Copyright Infringement and is certainly not a Get Out of Jail Free Card for those providing (intentionally or not) wireless access.
doppler

join:2003-03-31
Blue Point, NY
Personal responsibility.

I am a member of the NRA. I will not leave a loaded gun
laying around for anybody to use. I use a wireless
connection. IT'S SECURE.

I can't get my boss to realize how bad it is to leave
an open connection via wireless. Things that could
happen because of an unsecured connection.

1. Lawsuit from RIAA/MPAA etc etc because someone
was out front of the business protesting RIAA tactics.
"Gee, your honour. I didn't know about those 10,000
illegal music files offered on my T1".

2. FBI/Local enforcement sting for child porn.
"Gee, your honour. I didn't know about those 1,000,000
illegal child porn files offered on my T1".

3. Getting blacklisted from every spam block list.
"Gee, I didn't know about those billions of spam messages
being passed through my T1".

Even if there is no legal standpoint. There is a point
where you must take responsibility.

TooLazyToLogin

@indiana.edu
Totally agree. If they had bothered to even read the manuals, they would know. And if they did read the manual and did nothing to secure their networks, shame on them.
Budman1018

join:2003-04-14
Camp Hill, PA
For a number of years I have been installing computers and computer networks for people who still cannot figure out how to program their VCR. Recently, some of my 'customers' have been requesting wireless networks installed. I will only install them if they agree to sit down with me and hear my lesson about basic wireless network security. I will not install a network without, at a minimum WEP encryption, and MAC filtering. The customer realizes if they do not pay attention to my little lesson about how to access the router and enter MAC addresses and WEP keys they are not going to be able to add any more computers or get back on if the network goes down. I don't install a lot of wireless because most customers don't have the time to hear me out, or they are not savvy enough to comprehend what I'm saying. Some are so ignorant they tell me to F**** off they will find someone else to do it. The majority of computer users don't care. Their computers are full of virus and malware. What's one other thing like giving a hacker a free ride on your IP.

Mellow
Premium
join:2001-11-16
Salisbury, MD

1 edit

wh0re driving

I predict 2004 as the first year we see some innocent war driver be put in federal prison under the terrorist law. I also predict we will see martha stewart acknowledge her affair with bill gates. And I cant wait to see the distance records for wi-fi this year!

richk_1957
If ..Then..Else
Premium
join:2001-04-11
Minas Tirith

Personally..

said by Mellow:
I predict 2004 as the first year we see some innocent war driver be put in federal prison under the terrorist law. I also predict we will see martha stewart acknowledge her affair with bill gates. And I cant wait to see the distance records for wi-fi this year!

I don't approve of war driving, but I guess it's natural outgrowth of the wireless technology
Your second sentence is quite funny [good god...]

However, the first one might be closer to the truth than you think. Given the mindset on terrorism (and the fact that almost anything can be label that) and the fact that that people [including the government] are bad about securing networks, a innocent war driver,may just access a site that has 'secure' information,
and may wind up in jail as a terrorist, for hacking into a network. Hacking is a defined as being a act of terrorism, and a former version of 'war driving' was 'war dialing' or 'modem scanning' that was a popular for finding unsecured networks, and was a popular hacker activity (I don't like the word 'hacker', but the media has irrevocably tarred it, so..)

Mellow
Premium
join:2001-11-16
Salisbury, MD

Re: Personally..

My definition of innocent war driving is a person that has tcp/ip unbinded from their wifi device.

technick
Premium
join:2000-12-16
Wheat Ridge, CO
kudos:1

Re: Personally..

quote:
My definition of innocent war driving is a person that has tcp/ip unbinded from their wifi device.
Well why would someone do that? Half of war driving is looking to see whats on the wireless network. Any idiot can get one of those little wifi key chain finders, and find access point after access point.

Being able to look around is half the fun.

FLECOM
Bay Networks Freak
Premium
join:2003-03-03
Miami, FL
Reviews:
·DSLi

Re: Personally..

said by technick:
quote:
My definition of innocent war driving is a person that has tcp/ip unbinded from their wifi device.
Well why would someone do that? Half of war driving is looking to see whats on the wireless network. Any idiot can get one of those little wifi key chain finders, and find access point after access point.

Being able to look around is half the fun.

and thats the illegal part... duh...

disable "wireless zero config" and unbind TCP/IP from your wifi nic, your golden
--
BellSouth sucks

JimThePCGuy
Formerly known as schja01.
Premium,MVM
join:2000-04-27
Morton Grove, IL

Just another example of "Blame Shifting"

So I accidentally leave my front door to my home unlocked or my car door unlocked. Does that give everyone carte blanche to steal me blind?
I hope not.
J
--
As the number of components in a system approach infinity the Mean-Time-Before-Failure approaches zero.

technick
Premium
join:2000-12-16
Wheat Ridge, CO
kudos:1

Re: Just another example of "Blame Shifting"

You point out a very good point of view, and I agree 110% with your point of view. You can not be held responsible for anyone else's actions.

verolom

join:2002-03-23
Reston, VA
Damn right! If someone walks into your home and commits a crime how the hell can you be held liable? After all you did secure your home, you closed the door. So what is secure in the first place? A lock on the door, a deadbolt, a steel door, steel bars, an alarm system, CCTV, gated neighbourhood, barb wire, guards, machine guns, mine fields, tanks, an army?

How many billions of dollars does the US spend on defense each year? Are we still secure? Should we sue ourselves for letting the terrorists kill our own people?

Am I getting crazy here, or it is not just me?

Slick12

@comcast.net
It's not akin to leaving your door unlocked. It's like leaving all your possessions in a 30 yard radius outside your house, in the street, on your yard (the range of your Wifi network). While I might not be tempted to take your stuff, I probably would look at it before I left as I was in the street legally, on public property.

-So I accidentally leave my front door to my home unlocked -or my car door unlocked. Does that give everyone carte blanche to steal me blind?
I hope not.

drjim
Premium,MVM
join:2000-06-13
Long Beach, CA
kudos:3

WEP is flawed, BUT.......

At least it serves as a "No Trespassing" sign on your network. Just by having enabled means the 'innocent' war driver had to deliberately collect enough packets, and then deliberately run the crack to break into your network.
--
One man's Magic is another man's Engineering.
WeKnSmith

join:2001-08-09
Noblesville, IN

Re: WEP is flawed, BUT.......

said by drjim:
At least it serves as a "No Trespassing" sign...
Come to think of it, why not make your SSID "NoTrespassing".

W8ASA
Tieng gi vay?

join:2000-07-31
Dayton, OH
Reviews:
·AT&T Midwest

What worries me......

is the possibility that a crime will be committed over a wi-fi network, and some coffee shop AND the equipment manufacturer will be held liable. Don't discount that possibility, either. The deeper your pockets, the more likely you are to get sued.

Or, how about someone who changes the MAC address of his network card to that of an innocent person? Could the innocent person be held liable, particularly if he didn't have an alibi for the time period? You bet he could.

This all sounds preposterous, but in a litigious society such as ours, almost anything goes.
--
Microwave and RF Components at www.ohiomicrowave.com

richk_1957
If ..Then..Else
Premium
join:2001-04-11
Minas Tirith

Re: What worries me......

In all respects, you're right

This could open a HUGE can of worms:(

technick
Premium
join:2000-12-16
Wheat Ridge, CO
kudos:1
You bring up a very good point with this post. I believe it can all solved with better end user hardware, and better logs from network devices. But with this in light, it would raise hardware cost, and TCO of a wireless network. If someone has the knowledge to ghost mac addresses, you will need the technology to log this, and track where it came from. Just my 5 cents.

W8ASA
Tieng gi vay?

join:2000-07-31
Dayton, OH
Reviews:
·AT&T Midwest

Re: What worries me......

I agree. The technology already exists to do all of this, but at what TCO, as you ask? We are going to have to pay for security, of that I am certain. How much for what level is the real question. Also, computer users need to be more educated, but that's yet another can of worms.

Last year, I purchased a wireless card for my laptop. I don't yet have a wireless network, but business I visit do. While installing the card, it immediately picked up two completely open and unsecure networks in my building. So, I went to those offices. One guy was shocked, but let me show him how to lock it down. The other guy told me to buzz off, but not in so many words. He's lucky I don't have a mean streak in me, or I could have owned his computer. What a dummy!
--
Microwave and RF Components at www.ohiomicrowave.com
geek49203

join:2000-11-25
Jackson, MI

Yeah, right

And the people who leave an open proxy or open relay are liable for all that spam? Or we're gonna prosecute inDUHviduals who have their DSL hacked with a bug, sending out spam like the kiddie porno spam I got today, sent via Ameritech DSL subscriber?

There is no law on the other side of your firewall people... get used to it.

Tim Wohlford

ctceo
Premium
join:2001-04-26
South Bend, IN

Duh

Could somebody tell me the idiot that decided to cough up the beans that wireless is less secure, Now the pictures of my cat & poems might fall into the hands of terrorists. Tell them to IM me when they get this message, I have some words with them.

gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

I've already made my sentiments clear...

... can a thief be prosecuted for making his entry through an unlocked door? People are responsible for their actions... and leaving a 5 dollar bill on your desk shouldn't be seen as surrendering your rights to it... nor should an insecure network be regarded as a legal red carpet for cyber-trespassing.

The only complexity comes in when you consider how many legitimate hotspots there are, and it may become difficult to prove knowledge or intent, in some cases. But where knowledge and intent are clear, why should a common cracker be exculpated because the "door is unlocked?"

On the other hand, it's like any other network appliance. It's the owner's responsibility to secure it... and leaving it insecure after being constructively notified it's insecure is irresponsible, and may certainly create liabilities on the part of the negligent owner... of course, any insecure router can be exploited, wireless or wired, given the right holes and the right tools and toys. But wirelesses are more exploitable, because it's rather trivial to do the work, once an open one is found...

What we need is to work out a sound, very strong universal authentication and encryption scheme, I think... something that's a no-brainer to activate, and that raises the stakes for the cracker such that it's not so significantly easier to crack a wireless than a hardwired network.
--
The willow bends unbroken when angry tempests blow, The stately oak is levelled and all its strength laid low...Oliver Wendell Holmes

technick
Premium
join:2000-12-16
Wheat Ridge, CO
kudos:1

Re: I've already made my sentiments clear...

The technology is available to hender cracking wireless networks, but it comes with such a high price tag, it's cheaper to buy a new car almost.

The TCO is really to high for good security, or the knowledge requirements are to high. Either or, u decide.

mark470
eh?
Premium
join:2002-01-09
Hooksett, NH

new hampshire bill

"A bill that is under consideration in New Hampshire's legislature states that operators of wireless networks must either secure them or lose some of their ability to prosecute anyone who gains access to the networks"

that sound more like commonsense to me
well my 2 cents worth
--
darn wears that boot loader
geek49203

join:2000-11-25
Jackson, MI

Re: new hampshire bill

Okay... someone uses my network to do unspecified bad things. Maybe they send spam, or feed their kiddie porn habit, who knows.

Assuming that they're doing bad stuff, who's gonna investigate this? Do your local / state cops have the expertise, the time, the inclination to investigate? Will your local or state prosecutor even bother with this one? I know that here in Michigan the answer is that no one will investigate, and no one will prosecute.

In fact, credit card fraud is very rarely prosecuted here either, since the banks don't find it profitable to send out people to assist in prosecution. Bin Laden could be living off of tens of thousands of credit card scams right now for all we know.

A quick primer for businesses... make Wireless nodes available, but only hooking into your DMZ. Let your users gain access to email and files via web access (ie, NetStorage) as they would if they were on the road. That way the only thing a hacker would be able to do is to sync his/her email and do some web browsing, and you can leverage the power of your firewall to secure your wireless links.
qworster

join:2001-11-25
Bryn Mawr, PA
Reviews:
·Comcast
·Verizon FiOS

2 edits

Okay..how about this????

Down in back of my condo, along the alley there's an unlocked telephone box OWNED BY VERIZON! It's on their side of the network interface. Anyone can open it in about two seconds with a screwdriver (or even a dime, for that matter!). What's to stop someone from clipping a telephone to the open terminals there and making obscene phone calls on my line? If they did, it's likely I'd be arrested (or at least investigated) for things being done completely without my knowledge on equipment I don't own! Indeed, I'll bet that most of the telephones on the street are available in that box as there's almost 50 lines coming into it.

To me, I can't see how I can or should be held responsible for what I DON'T DO! Having it any other way kills the presumption of innocence. Last time I checked, Bush and Ashcroft hadn't had the chance to take that one away (yet!).
qworster

join:2001-11-25
Bryn Mawr, PA
Reviews:
·Comcast
·Verizon FiOS

2 edits

A federal law makes wardriving legal!!

There is a federal law that was passed back in the days of analog cell phones. See, in those days any scanner could pick up cell calls. Congress's response was to pass yet another law (as an aside, does Congress actually believe that the answer to everything is to pass another law?) called the Electronic Communications Privacy Act. This law made it illegal to listen to cell calls. That way, if someone asked the sales guy in Radio Shack: "are cell calls private?" the guy could reply: "Oh yes, listening to them is against FEDERAL LAW!". The ECPA is the reason all police scanners are cellular blocked. Also in there is some boilerplate that makes it illegal to monitor Cable TV pickups, Radio and TV studio to transmitter microwave links, etc. I mean they had to have a reason for the law after all (as if it actually stopped people from listening, huh?).

The ECPA also SPECIFICALLY EXEMPTS unlicensed communications devices in the 49, 900, 2100 and 5 gig unlicensed ISM (Industrial, Scientific and Industrial) bands. The original reason for this was to make it clear that cordless telephones be EXEMPT from this law.
BUT it also means that any WIFI communications is not private BY FEDERAL STATUTE (WIFI b and g operate in the 2100 band, a operates in the 5 gig band)! This is the reason why on the bottom of your device there's a statement about "undesired operation".

Now..it seems to me that this federal law ALLOWS wardriving, at least in the US, since it specifically says that devices operated in these bands neither deserve nor should expect ANY EXPECTATION OF PRIVACY WHATSOEVER!!

Comments?
Brisk

join:2003-07-11
Colorado Springs, CO

Equipment manufacturers:

SECURE YOUR ROUTERS! Normal 'people' can't be expected to.

Another thing: give us domain blocking and bandwidth restrictions for those of us who -want- to run a hotspot.
Just don't leave it on my default.

This is how security issues become issues. Internet security simply doesn't click like locking car doors, for most people. Grand theft computer.
--
Such is the way of the internet... 0 to 60, then back to 0, then back to 20-something.VeriSign.HasOwned.us - Help Stop VeriSign's Greed now!

mrantenna

@204.0.x.x

Public/Private AP's

If WEP is OFF and it hands me an IP number from DHCP then I assume that it was intended to be a Public Access WiFi Hotspot . wether you intended it to be or not.

Turn on WEP it at least tells people that this is a Private AP.

Use something like PublicIp.net to filter the Network going to your AP is you intentionally Build a Public Hotspot.

Duke Archon

@east.verizon.ne

Irresponsible

A good point. Leving your network unsecured, after being told it was is irresponsible. That is what determines liability. It is irresponsible to own a gun, but leave it unsecured in your home. Therefore if a child picks up said gun, and injures himself or others, then the gun owner is responsible for the damages.