OT: OK what about WiFi piggybacking ethics and legal issues?

[Daddy Dee]

I don't recall a discussion on this issue. Seems to be getting more news about prosecutions of WiFi thieves in the UK than in the US.

My DSL wifi at home is only secured with WEP, so it could be hacked easily. Also, my neighbor has an unsecured network, but I don't get on it.

I can see why this would be perceived as a victimless issue. It doesn't seem like the same concern as pirated music or software. I keep all my PC's and music legal.

If I lived next door to a coffee house or hotel with free wifi access, that would be more of a temptation.

Legal and ethical issues aside, there is an added security concern in using even public wifi.

[Audio Flynn]

Like copyrighted material piracy, if the price is too high for legitimate "service" so called victimless crime is encourged. Illegal cigarettes are the same economic model.

My daughter has piggybacked in her apartment complex. How is a college student supposed to pay $ 60 a month for high speed access to the internet?

Better yet how can a college student afford legal copies of any MS software?

Not saying it is justified, just a supply and demand thing.

[Jay481985]

Like copyrighted material piracy, if the price is too high for legitimate "service" so called victimless crime is encourged. Illegal cigarettes are the same economic model.

My daughter has piggybacked in her apartment complex. How is a college student supposed to pay $ 60 a month for high speed access to the internet?

my home has the verizon dsl at 15.99 a month

Better yet how can a college student afford legal copies of any MS software?

60 dollar legal microsoft office ultimate which retails at 679.00 dollars

http://microsoft.blognewschannel.com/archives/2007/09/12/office-ultimate-2007-just-60-for-students/

I brought that and its better than the 129 dollar student edition or the 99 dollar in school edition which lack all the features on ultimate.

Not saying it is justified, just a supply and demand thing.

[Jay481985]

Daddy Dee technically once you get on someone else's router even if they left it open or unencrypted it is against the law per se. Unless the person knows how to get you mac address and such (not a novice or intermediate) then he would be smart enough to use a better encryption, it is unlikely they will know who you are and prosecute you.

Second most prosecutors are lagging way behind in information technology field as is the law.

Daddy Dee unless you live in an urban area I doubt may people will war game on your router. Wifi is good to maybe 200 feet.

[pauln]

The once firm grasp of ethics and legality is getting more slippery each passing day. It is requiring more complex ways of looking at things to make arguments than in the past.

When you hop onto someone's WiFi, you are diminishing the bandwidth for which they paid. But they are also delivering the EM to your home, but you wouldn't borrow someone's car without permission, so this starts to sound like a "Hey! You're breathing my air!" kind of argument.

Keep in mind that the internet is not anonomous, the gov has the data on where everyone has ever been. Like the music download conviction explosion, those with the data can figure out WiFI tresspassing and come get you at any time.

Its like speeding; almost everyone does it and thinks its harmless, but it probably makes the roads more dangerous, wastes fuel, and increases maintenance for the roads. And like the other technologies (cameras, internet tracking, electronic purchases), now that cars have GPS build in it is only a matter of time before your car is checked for speeding every 5 seconds by GPS displacement against a database of roads' posted speed limits.

If I had a WiFi I would worry about unknown users. Now 80% of students think it is OK to copy CDs for their friends, distribute licensed music and movies, and a whole raft of new things, including piggybacking. The day of reckoning may come (because there is a ton of money to be made litigating it), and these offenses are the kind where you pay for each of the accumulated acts of transgression.

[Duke Spinner]

Keep in mind that the internet is not anonomous, the gov has the data
on where Everyone has ever been. Like the music download conviction
explosion, those with the data can figure out WiFI tresspassing and
come get you at any time.

do You have a Tin Foil Hat to go withis theory, Paul ...???.

[mas]

Not only is WEP and WPA broken (easily hacked), and your data at risk, but to add insult to injury, YOU are responsible for anyone hacking into your system and promulgating any action! Likewise should your computer be rendered a zombie and subsequently initialize any malicious action, yup, YOU are liable. Then you get to go after the agent who has compromised your system! Good luck! If you utilize wireless and you don't impliment adequate authentication and security, you are responsible for your negligence.

If you are utilizing wireless, you would do well to make sure that your wireless connection utilizes 802.11i-AES security (and no, that is not another 'channel'!). It is also being referred to as WPA2-AES and was ratified in June,2004. But please make sure that you utilize it in its full implimentation that utilizes AES encryption of the data stream (not just the WPA2-PSK - preshared key - lightweight version). Like many of the default security options that are turned off by default [*-)], the 'PSK- preshared key' version does not utilize AES encryption. With 802.11i-AES (WPA2-AES) we Finally we have a wireless security protocol that actually provides a level of security that approaches wired equivalency. Use it!

And if you are connecting to your home or business you would be wise to utilize SSH (and the open source OpenSSH) instead of the traditional insecure ftp or telnet as well as a VPN which essentially provides an encrypted 'private' tunnel over the Internet.

Otherwise, if you are jumping on a HotSpot, treat it like you are using a public urinal (sorry for the image, but your health, and that of your data, is your primary concern!) or talking publicly in a crowded elevator. Your info is wide open. So I would think twice or perhaps a few more times before condusicting business or accessing your bank account info or ordering with your credit card over wireless. You are simply a low power radio station, and anyone can listen - and they do.

Oh, and yes, not only does the US 'listen' to EVERY electronic transmission (and that has nothing to do with the Patriot Act), but the Russians still do from Cuba.And this is not the Predator system; it is a totally separate system that predates it. So say "hi" This is old news, literally.

(If you need a 'best practices' guide to wireless networking, PM me)

[Daddy Dee]

mas has raised an interesting issue about a wifi owner's responsibility for what is accessed over their connection. Someone parked in the street by your house could get the owner in a world of hurt by downloading illegal material over the net.

[mas]

mas has raised an interesting issue about a wifi owner's responsibility for what is accessed over their connection. Someone parked in the street by your house could get the owner in a world of hurt by downloading illegal material over the net.

Another example for which you are liable...If you 'allow' your computer (as if anyone does this voluntarily!) to become infected with a bot that sunsequently renders your conmputer into a zombie and if it at, say 2AM when you are asleep, begins issueing requests as part of a DOS (Denial of Service) attack on some corporate website... YOU are liable.

And rebuttals that 'someone effectively stole your car in order to use it for robbing a bank won't work.

Thus you responsible for securing your computer and network. There are a number of ways to do this and it is not difficult to do. But many have no idea as to their responsibility, let alone their exposure and the various vectors from which such compromise may originate. Simply having anti-virus and anti-spyware is not sufficient.

Likewise, using a readily available hot-spot is not by definition illegal. You do that whenever you might go to, say, Starbucks. But as in property law, there is a difference between trespass and theft.

And its ironic that SysAdmin whose system is compromised is also liable. Makes you want to run and jump into IT doesn't it? If your system containing the confidential customer or patient records is compromised, I can tell you who the first person's head is that they will be seeking!

Likewise, users are not exempt.

Here is a quick policy quote regarding user liability from : http://www.math.okstate.edu/system/policy.html#user%20liability .

emphasis is mine...

User Liability

An authorized user is responsible for any use of his/her account.
This includes usage of an account by some person other than the
authorized one. Here authorized user is defined to the the person the
account was assigned to. This authorized user may also be called the
account owner.

Even if an account is compromised due to a break in it is still
the responsibility of accounts owner.

This policy implies

• You should NEVER share your account with anyone. Account sharing
  is strictly forbidden anyway. Account sharing is grounds for account
  deactivation.
  
• This is good reason to pick a good password and keep it secret.
  
• If someone does something illegal with your account you are in
  trouble too.
  
• You could be held responsible---and required to pay for--damages to
  computer hardware and software damage from your account.

Prudent precautions are not difficult. And you are responsible for insuring the security of your wireless network. Are they convenient? Sure! Would I causally set one up? Heck no! And when you are not using it, you would be wise to shut it down, literally! And while online, you would be wise to use encrypted techniques for access (re OpenSSH), firewalls, data encryption, partitioning, anti-virus and anti-spyware, tools like TripWire to indicate changes in the OS, as well as networking best practices as well as wireless best practices. And the use of any wireless technology less than 802.11i-AES (and even anything less than an SSL VPN ) should be treated as sources of ingress (and that includes IPSec VPNs).

Convenience is nice, but you might want to be aware of what the tradeoffs are. Pardon the analogy, but if you use a hot spot, treat it like a bar urinal. And PLEASE assume that you are being actively sniffed (you are) and that anything you connect to it can be seen. You can certainly use it (technically subject to their usage policies - ha). but I would assume that you are swimming in a toilet, and you would be wise to make sure your data is encrypted and that your firewall is up to snuff, and all unnecessary services and ports are shut down, and that all of your transmissions are encrypted and secure. And I would run any number of secrutity tools designed to crack your own system against itself to insure control over your own environment. If you don't find them and secure them, others will. And the process is easy!

If you note, I tend to take the point of view of the operator/user of the network, as that is where the real liability lies as this is the real stakeholder.

And for the most part, you will not be held liable for simply piggy backing on someone's 'open' network, as they are in effect broadcasting. That is not to say that you are guiltless if you misuse data, but simply looking may not be considered illegal. Just as casing out a location that was unlocked is simple trespass until you accually remove property from the location or cause damages. And just like listening into a wireles phone conversation is not protected. And, on an associated aside, most wireles phone transmissions are not encrypted, a very real reason that spread-spectrum frequency hopping enabled technology be used. And they dpon't cost more - Panasonic makes some best of breed phones. Remember, you are essentially a low power FM station. You are the one broadcasting. So is your wireless network. And these are not protected from others listening.

And this also opens up the other aspect of home wireless phones without a minimum of spread spectrum capability. You are broadcasting whatever you say over the air. And it takes just a few minutes to modify a scanner to listen in as Mom tells Aunt Sally when you will be leaving town and returning to visit the relatives over Thanksgiving, and oh, here is my credit card info complete with all security info sufficient to authenticate you as you place that phone order to LLBean. And its common for criminals to just sit in a nice neighborhood in their car and jot the info down or to simply record it. Tough job huh?

Again, the best analogy I have heard in regard to this is to treat your wireless phone as if you are talking in a crowded elevator. You provide your info at your own risk.If your wireless home phone doesn't at least use spread spectrum technology, I would toss it. Literally. Many of the Panasonics emply it, and have for quite a while. Few others do. If you're not sure, I would verify it!

And with the advent of RFIDs, with no requirements that they be deactivated once you leave the store, what is to prevent someone with an easily obtained reader to simply cruise a shopping center parking lot and inventory what gifts you have stashed in your car? Oh yeah, there is something to regulate this...their sense of propriety. Feel safe?

Its a Brave New World. And the laws are woefully inadequate and antiquated regarding responsibility and liability. And this is no thanks to SOX and HIPAA, etc. (laws that worry more about process than anything else). And for all of the conveniences, be aware that they simply enable others to take advantage of them as well, with additional exposure and risk for you. So it makes sense to be aware of just what the conveniences are worth!

So, what is to prevent your piggy backing on your neighbor's wireless network if they have not taken sufficient precaustions to secure it? Your sense of propriety.

Oh, and as a digression - since i know that none of you would ever consider this, or if you haven't, here area few ideas!...Let me relate a practice that has been commonplace since the inception of wireless networking that may scare you more. In most of the IT tech sector, when shows are in town, it is common for all of the various vendor reps as well as attendees to the various functions to sniff the various wireless networks that are open in the hotels and facilities. And it is EASY to do this! And the game is to see how many you can compromise. ...Not maliciously, but just to say "Hi". Hey, you find your entertainment where you can! Especially when a bunch of those networks belong to Cisco! Can we say they already have a large bullseye painted on them??? And remember that there are usually 1000's of attendees...So the ground is fertile.

And to take this one step further, many of the expensive hotels still charge extra for phone calls and some for internet access. Of course, it is easy to take a wireless router and set up an access point. Let's see, you are charged per phone call... How much do you want to bet that there is one local or 800 phone call open for the entire duration of stay, and that the smart person has set this access point set to filter MAC addresses to specific machines, thus allowing all of their friends to piggy back on this ONE phone call for Internet access and Skype use, for, say, the entire week. Now, I would never consider doing such a thing! But one wonders why hotels catering to a bunch of nerds and who are in effect challenging them to hack their network instead of simply welcoming and enabling them, would adopt such a policy. And they wonder why their bandwidth is a 'bit full' and only 10 calls are being made! But then, I suspect their technologically challenged CFO still sees phone calls as a profit center. Right!

Of course some don't even bother, what with so many wireless access points available on which to piggyback...[]

Oh, and all of the tools necessary to do this are available via opensource for free on the web! If you are not aware of them, start your search with Snort and AirSnort...

You know, as a seque back to the thread over what decade was 'best'. In many ways one might say the period between 1965 and 1975. It was an age of immense possibility (technologically, etc.). But it was also the last period before widespread computer use, personal databases, electronic records, and so many other advances which limit our anonymity became widespread. But then we have gotten what we wished for. Enjoy. Myself, I must admit to being a bit nostalgic.

[Groomlakearea51]

Lengthy, but well explained; FIREWALL is the rule of the day. As the MIS for my agency (until I figured out a way to get away from that...) I cannot emphasize how vulnerable we are if we don't take the precautions available to us. I now have a WAN/LAN at my house and spent a considerable length of time making sure that it cannot be seen past the front door.

[Jay481985]

if you wanted to secure your wifi, I would get directional antennea and point it only in the areas you use the laptops. And then lower the voltage to reduce leakage to the outside.

[Guest srobak]

Daddy Dee technically once you get on someone else's router even if they left it open or unencrypted it is against the law per se.

Care to cite this? Only one state I know of has laws concerning this, and the FCC language is extremely loose in this regard.

[Guest srobak]

While WEP is not easily hacked (when is the last time you did it, mas? That's what I thought - it takes months of multiple threaded banging away 24/7 to even start to dent it, let alone break it), it is resource intensive and only serves to slow things down. Cutting down voltage only puts limits on yourself by impacting if you can use wireless in the basement, garage, deck, or yard. Just like waaay back in the day - the only real way to protect is using an ACL. Spoofing can be easily spotted and handled... at least if you know enough on how to make an ACL.

[Jay481985]

While WEP is not easily hacked (when is the last time you did it, mas? That's what I thought - it takes months of multiple threaded banging away 24/7 to even start to dent it, let alone break it), it is resource intensive and only serves to slow things down. Cutting down voltage only puts limits on yourself by impacting if you can use wireless in the basement, garage, deck, or yard. Just like waaay back in the day - the only real way to protect is using an ACL. Spoofing can be easily spotted and handled... at least if you know enough on how to make an ACL.

Wrong srobak..... wep can be broken in "Late-breaking news: with almost 2,000,000 IV's, aircrack
cracked my 128-bit key in about 43 seconds. Finally! Those must have
been really strong IV's! <grin>"

43 seconds. hardly months of banging away. That is with 128 bit encryption

http://www.netcraftsmen.net/welcher/papers/wlansec01.html

[Jay481985]

Daddy Dee technically once you get on someone else's router even if they left it open or unencrypted it is against the law per se.

Care to cite this? Only one state I know of has laws concerning this, and the FCC language is extremely loose in this regard.

basically its how the prosecutor sees it

http://www.news.com/FAQ-Wi-Fi-mooching-and-the-law/2100-7351_3-5778822.html

http://www.robhyndman.com/2005/08/09/the-legality-of-accessing-someone-elses-wi-fi/

"Oddly enough, it appears that the wifi signals in the Florida and UK cases were unprotected."

http://blogs.chron.com/techblog/archives/2005/07/wifi_scarfing_i.html

That doesn't make much sense. Is there a specific law that regulates Wi-Fi access?
Sort of. The primary law is the federal Computer Fraud and Abuse Act.

You can read it for yourself, but the important part (check out paragraph
(a)(2)) covers anyone who "intentionally accesses a computer without
authorization or exceeds authorized access." Nobody knows exactly what that
means in terms of wireless connections. The law was written in 1986 to punish
computer hacking--and nobody contemplated 802.1x wireless links back then.

http://www.networkworld.com/news/2005/080805widernet.html

[Daddy Dee]

Lengthy, but well explained; FIREWALL is the rule of the day. As the MIS for my agency (until I figured out a way to get away from that...) I cannot emphasize how vulnerable we are if we don't take the precautions available to us. I now have a WAN/LAN at my house and spent a considerable length of time making sure that it cannot be seen past the front door.

So how did you do that Marshall?

This is all good food for thought. I've been wondering how easily I might extend my wireless across the street to my office. Considerations of wisdom aside, I'm paying for two DSL accounts one for home and one for office because I can't pick up my home network at the office and vice versa. The distance is about 200 feet, and I've read about people using "cantenna" and other ways to boost their network. It would be nice to have only one DSL bill.

[Jay481985]

I would get a directional antenna and maybe a bridge if needed. They even have outdoor bridges which recieve the signal and boost it.

[mas]

While WEP is not easily hacked (when is the last time you did it, mas? That's what I thought - it takes months of multiple threaded banging away 24/7 to even start to dent it, let alone break it), it is resource intensive and only serves to slow things down. Cutting down voltage only puts limits on yourself by impacting if you can use wireless in the basement, garage, deck, or yard. Just like waaay back in the day - the only real way to protect is using an ACL. Spoofing can be easily spotted and handled... at least if you know enough on how to make an ACL.

Nonsense! WEP and WPA are akin to locks on a screen door utilizing a fatally flawed cypher.

WEPCrack and AirSnort been available for almost 10 years, and that is just a beginning!

You know, I listened to this same debate 5 years ago with regards to WPA. Then it was maintained that it would take hours, days, years, eras... of continuous transmission (note: Ethernet is bursty) to catpture enough packets. Nonsense, as the packets are not unique!

And at the Intel Developer's Forum in SF in February 2004, I had the chance to discuss this with Jessie Walker of Intel - author of "Unsafe at any Keysize", the original author to explode the WEP myth and describe exactly how the RC4 cyper primitive was completely and utterly misapplied in WEP - and by the way, also in WPA where all that was done was to apply a firmware patch and add TKIP to a still fundamentally and fatally flawed methodology. WPA is almost as easy to break as WEP. As many were convinced that WEP and WPA were not only sufficient, but in some cases overkill! And we had been lobbying for the final ratification of 802.11i-AES.

But as has since been conclusively proven, the RC4 cypher primative as applied is fatally flawed. here are distince problems that render it rather easily cracked. The arguments to the contrary assume erroneously that the RC4 cypher was properly utilized!

Walker was not only was open to discussing this, but he proceeded (with delight) to demonstrate the problem as several of us watched in a small section off the west end of 2nd floor main lobby of the Mosconi Forum where he proceeded to benignly hack into several connections of folks tied into the Intel/Mosconi public computer access LAN with the tool set on his laptop in less than 20 minutes - in an extremely congested and bursty environment!!! And the hacked connections were WPA, not WEP. Needless to say, the demo was quite convincing.

But what is surprising is to hear this debate now. Old myths die hard...or in many cases, simply persist...And if you are sufficiently nerdy, I really suggest attending a DEFCON hacker convention and/or take a SANS (www.sans.org) course(s).

The road to 802.11i-AES was a long one, especially with the herd of cats from IEEE - and far too long overdue! The problem with the protocol is that it requires a new more powerful processor, so to use it the old equipment is not compatible (the reason they went with a WPA firmware upgrade to act as a bandaid on WEP). You have to really read and check the new routers, as many manufacturers are waiting to employ it in 802.11n - you know, the MIMO technology for which everyone has been releasing their incompatible "pre-n" nonsense.

We can't even specifiy WEP OR WPA for HIPPAA and ISO17799 environments. And a COBiT audit will skin you alive, even if you have policies and procedures in place - as pen testing will render your security swiss cheese. The liability is simply not worth the exposure and the modicum of convenience. If we impliment wireless it is to an access point outside of our perimeter and external firewall - dispite an SSL VPN which allows for granular resource access control (whereas IPSec only gives you security to the firewall, and where, once inside, you have little control except by access control lists (ACLs) and are thus free to wander about internally!). And believe me, there is a great deal of impetus to role out the technology especially in medical environments, where one of the few viable environments for wireless tablet PCs presents the possibility for single entry patient data entry and record retrieval, as well as the 'real time' communication with additional information resources. Even with VPN, SSH, and data encryption, the risk with any technology less than 802.11i-AES - including Radius based WPA system, is simply not adequate.

WEP and WPA are broken. They are like deadbolts. Once you realize how simple it is to pick and/or bypass the lock, you realize that locks simply present an effective deterent for honest people, and a mere distraction for dishonest folks.

The fact that WEP and WPA are both fatally flawed is no longer a debated issue. That debate ran it's course several years ago. Anyone thinking of implimenting wireless would do well to employ 802.11i-AES (WPA2-AES) encryption as the minimum level of wireless security when building a secure wireless infratstructure

UnsafeAtAnyKeySize.Walker.pdf

[mas]

I just know that everyone is fascinated by this stuff, so here are a few apers regarding the RC4 cypher primative and WEP and WPA and their shortcomings.

Just so you know, this is all 'old news'. WEP and WPA are no longer current standards - they have been supplanted with 802.11e.

When will you?[]

Walker.802_11_Security_Overview.pdf

[mas]

And here is one more.

Check out sections 4.1 and 4.2 for a concise overview of the limitations of Access Control Lists - ACLs.

Don't get me wrong, ACLs are one of many tools that should be used (as I mentioned earlier).But they are nothing magical and can be circumvented.

For those not familiar with them, they are simply a 'flat' (text) file with a list of Ethernet MAC (hardware) addresses. Think of it as the guest list of names for a party that the doorman checks as you attempt to gain admittance. But, like passwords, they are rather easily 'broken'. In fact, you don't even have to break them! They are transmitted in the clear and are easily passively sniffed. So they simply provide one more method of slowing a determined hacker down.

your802.11ntwkhasnoclothes.pdf