OT: OK what about WiFi piggybacking ethics and legal issues?

[pauln]

Isn't this exactly what one would expect with modern computers that encourage users to "browse" the web and "explore" the "network neighborhood"?

Does your wireless PC pop up an invitation to get into the wireless networks it detects? Well doesn't it?

In the old days, the model was the "guard shack"; you had to deliberately find it, offer credtials, and then know what you were looking for and have secured access to it.

The current model is the "invitation"; it finds you, credentials may be assumed, and everything shows whether it is secured or not. The nature of the internet especially is that a denial of access is not so much treated as a security signal but as typical problem to be overcome by taking different paths and different methods.

The simplest method of hacking any system is to gather three telephones and start calling the support administrators. I've seen this done - once you have a name you use that on the next guy. Assuming reference, authority, and urgency, the admins often provide access - they are never trained to handle a confidence man. The weak spot is the people themselves. They will bust their butts helping an important but tech illiterate "manager" get in.

Here's a tip: when you get hauled into court for computer issues direct your attorney to demand all the source code for all systems involved from the manufacturuers.

[Jay481985]

Here's a tip: when you get hauled into court for computer issues direct your attorney to demand all the source code for all systems involved from the manufacturuers.

microsoft fought off the us government and the EU, to think they would give you source codes..... ha. Cisco systems giving you source codes that could cripple the internet as you know it HA!

[Colin]

Morning!

Last year I read about a cop who arrested a man parked outside a coffee house, because he just knew that the Wi-Fi user was doing something wrong. On such insensitivity, fascism blooms.

First, while stealing the use of another person’s technology is a crime, it took several lawsuits in the 80s for the public to realize that the newly hatched Internet was not a private means of communication. Once thrown into the cloud, either over wires or not, our messages have “no expectation of privacy.” Messages are broadcast blindly over the field, however small it may be.

Second, wireless fidelity communicates across a publicly available radio spectrum. In the U.S., Canada, Australia and Europe, a portion of the 2.4 GHz Wi-Fi channel is also allocated to amateur radio users (FCC Part 15). Unlike radio stations using the airwaves, PC users are not regulated. You do not need a permit to “broadcast” over a local Wi-Fi point. You are indeed talking publicly in a crowded elevator.

If a Wi-Fi user is stealing a service that only costs $12 a month, just how much actual damage is done to the public (not the huge telecommunications conglomerates)? I rip off my music from the library for my own use, but then I am not really a customer. The music I steal is not within my budget, I was never going to buy it anyway. Although listening to the music is important to me, MY damage to the public and the huge music conglomerates is minimal.

Of course, if you are stealing my financial information, that is a crime. The free message a criminal accesses leads into my back pocket, and that is protected. Stealing financial information threatens the huge American mercantile and banking system.

Like the development of roads and highways for the benefit of nation-wide commerce, the trend is towards free Wi-Fi access, with several cities and Google planning open access points. As this trend continues, Internet transfer of information should be infinitely more secure.

Daddy-dee, I would also look into 802.11n routers and adapters, even though the standard is not officially cast into stone yet. We upgraded a iMac access point at Tonsina River Lodge last summer and the increase in range outside the building was remarkable.

WARNING: this post was sent over a piggy-backed access point. By reading this, you are now a accessory to a crime.

[Daddy Dee]

Morning!

Daddy-dee, I would also look into 802.11n routers and adapters, even though the standard is not officially cast into stone yet. We upgraded a iMac access point at Tonsina River Lodge last summer and the increase in range outside the building was remarkable.

WARNING: this post was sent over a piggy-backed access point. By reading this, you are now a accessory to a crime.

Colin,

Thanks for the tip on the N protocol.

Now we're going on the honor system for wifi.....

---- yes, your honor.... no, your honor!

[pauln]

A fair judge...

[mas]

Like the development of roads and highways for the benefit of nation-wide commerce, the trend is towards free Wi-Fi access, with several cities and Google planning open access points. As this trend continues, Internet transfer of information should be infinitely more secure.

Colin, I would debate the opposite. Without the user implementing a 'complete' security solution using 802.11i-AES, among a substantal amount of additional planning, the transfer of information via wireless means is infinitely less secure than wired access - including the substantial potentil for compromise that exists over wired access!

But if you are properly prepared, the convenience is their - especially for services such as Skype. But I would NOT conduct business that requires secure communication without absolute control over both ends of the communication. And few commercial services allow for this. We are still encountering significant problems with this in environments where we DO control both ends in a private enterprise environment!

And until the standard is actually confirmed, I would seriously suggest holding off buying an 802.11n - "N" router, unless you are prepared for incompatibility issues. The drafts have all been rejected, so the proliferation of "Draft N" units are meaningless. Each manufacturer is simply making what they THINK N will take. At this point, N is whatever you want to make it. And FEW have been avle to get MIMO to even work efficiently! Only the Airgo chipset functions as designed, and they are not openly sharing their technology - which has been a major sticking point in the entire process, as they (understandably) do not simply want to give the fruits of their labor away for free.

At this point, the best deal is still MIMO applied to A/B/G channel routers available now. And for consumer use, the Netgear (non-N) RangeMax line has perhaps the best performance/price. But be aware, even they are not performing up to the stated marketing hype transfer rates using WPA2-AES (do not settle for WPA2-PSK 'pre-shared key' option!!!!! USE THE FULL WPA2-AES). And if you do not, I would make sure that you have a router that supports VPN, and that your data is encrypted and that you have a good firewall such as Zone Alarm Pro.

Oh, and I cannot stress this too much. If you are not already using SSH to remotely ftp, rlogin or telnet, you NEED to download OpenSSH and USE IT! NOW! (OSX has it intergrated, just make sure you USE IT!. Otherwise you are 'talking' to other units and openly sending your username and password, etc. in the clear! And tha VAST majority of everyone out there is doing exactly this! So all of the other precaustions are rensdered moot is you simply give this info away! Who cares if you have the larges security system, if you simply give everyone the keys to the front door!? LOL! So, how many of you are actively using it now? I would love to hear that everyone is! But.why do I suspect less?.... (google OpenSSH - follow the links to for other environments; re PuTTY for Windows)

Having lost sleep writing too many TSEC/CC (Trusted Computing -Common Criteria) Protection Profiles, I can assure you that this topic is not trivial, regaqrdless of what the consumer product marketing hype is spewing!

This is a market where waiting for the anticipated standard adoption is the smart thing to do if you are looking to impliment wireless. You are going to see more modifications where the consumer will be the beneficiary. But you nevertheless need to impliment a best practices set of defenses for your data and your system now.You are on the Internet to reach this point. And you need protection now. Be smart. Cover your apps.

[Guest srobak]

You can read it for yourself, but the important part (check out paragraph
(a)(2)) covers anyone who "intentionally accesses a computer without
authorization or exceeds authorized access." Nobody knows exactly what that
means in terms of wireless connections. The law was written in 1986 to punish
computer hacking--and nobody contemplated 802.1x wireless links back then

Which is probably why it wouldn't hold up. That is an extremely broad interpretation of that article. But - without further case law or a revision to it - only time will tell.

[Guest srobak]

Last year I read about a cop who arrested a man parked outside a coffee house, because he just knew that the Wi-Fi user was doing something wrong.

You must have missed the part where the case was thrown out, the cop was fined, fired and sued along with the city for lack of probable cause. Just because you see someone leaving the parking lot of a bar doesn't mean you can pull them over because you just *know* he is DUI. Due Process... what a PITA, eh? [/sarcasm]

it took several lawsuits in the 80s for the public to realize that the newly hatched Internet was not a private means of communication.

I think you meant the 90s, as in the 80s - The Internet was still held in private hands and had absolutely no regulatory control what so ever.

I rip off my music from the library for my own use, but then I am not really a customer. The music I steal is not within my budget, I was never going to buy it anyway. Although listening to the music is important to me, MY damage to the public and the huge music conglomerates is minimal.

Not a can of worms you want to open with this group - trust me - regardless how accurate you might be.

Of course, if you are stealing my financial information, that is a crime. The free message a criminal accesses leads into my back pocket, and that is protected.

By the same argument - so is the music you stole. It leads into someone else's back pocket.

As this trend continues, Internet transfer of information should be infinitely more secure.

I have to agree with mas here, and disagree with you - for the exact reasons you use in your arguement... demonstrating the parallel between WiFi and public highways. The more people who get on the highway - the more dangerous it becomes, the more likely it is that someone is using it in a manner which is dangerous and harmful to everyone else on it, and the more likely it is that you will in fact become the victim of a bad act.

WARNING: this post was sent over a piggy-backed access point. By reading this, you are now a accessory to a crime.

Thankfully the Terms of this website usurp any such lunacy, and holds both Klipsch and the forum users harmless of anything posted by anyone else, by any means. It all falls back on you

[Colin]

OK, I am not sure what mas said, but it sounded good, but I do know that Shawn tore me down, point by point!

[kcmcramer]

There is such a gray area between what's "Legal" and what's "Ethical" these days. I TRY NOT to interchange the words(as many people do), as they have completely different meanings. I'd have to say that a Wifi connection that's considered "PUBLIC" shouldn't have any legal or Ethical repercussions. If it's advertised as PUBLIC (which gives you permission to use it), then it's Public, like the library or the police station. It's PUBLIC. I don't know how one can steal something that's advertised as free for everyone's use. However if they have a policy that only CUSTOMERS can use it, then it's "unethical" but not necessarally illegal because it's all up to the laws in your area and the PEOPLE WHO INTERPRET THEM.

However, I AM guilty in the past of using someone's "private" wifi connection when I didn't have internet access available at the time.

Yes it's stealing which is "unethical". But is it illegal? Well, that depends on where you live and how you finagle the terminology. If I simply call it "interference testing before I buy my own" then suddently it's not illegal, but it's still probably unethical because I don't have permission to use it.

Anyways, to combat MY security issues I use MAC address filtering(best line of defense) and WPA security on my WIFI router. Nobody is getting in there unless they hijack one of my MAC addresses + crack the encryption, or find a way to physically plug into it which is highly unlikely.

Unfortunately these days, it's up to the owner of the connection to watch their own "assets". Most people aren't going to IGNORE your open wifi connection because it's "unethical OR illegal" to be using it. That's not realistic these days because many people aren't that honest and some of us have an excuse for what we do. It's a SAD truth.

I "locked-down" my WIFI for fear of someone using my it to download illegal media/software. If the IP address gets tracked, it'll get tracked back to ME, not my wifi connection. And I have no way to prove that it wasn't me download it. I have to watch out for my own interests.

Babbling done! []

[Jay481985]

Yes it's stealing which is "unethical". But is it illegal? Well, that depends on where you live and how you finagle the terminology. If I simply call it "interference testing before I buy my own" then suddently it's not illegal, but it's still probably unethical because I don't have permission to use it.

Anyways, to combat MY security issues I use MAC address filtering(best line of defense) and WPA security on my WIFI router. Nobody is getting in there unless they hijack one of my MAC addresses + crack the encryption, or find a way to physically plug into it which is highly unlikely.

Mac Address spoofing is easy. WPA can be broke. Also did you changed the router password from the default?

[kcmcramer]

Yes it's stealing which is "unethical". But is it illegal? Well, that depends on where you live and how you finagle the terminology. If I simply call it "interference testing before I buy my own" then suddently it's not illegal, but it's still probably unethical because I don't have permission to use it.

Anyways, to combat MY security issues I use MAC address filtering(best line of defense) and WPA security on my WIFI router. Nobody is getting in there unless they hijack one of my MAC addresses + crack the encryption, or find a way to physically plug into it which is highly unlikely.

Mac Address spoofing is easy. WPA can be broke. Also did you changed the router password from the default?

Oh yes, I changed the password. But hey, passwords can be hacked too! OBVIOUSLY there isn't any "PERFECT" LAN security out there, but many layers of security is more helpful than non at all (like turning off your SSID broadcast will deter MOST "average" users from finding your wifi connection altogether). Also, I can safely say that most of the people who live around me don't know the definition of MAC address spoofing (I live a low income area they call "da hood"). I'm not really worred about someone spoofing my MAC address here. So saying it's easy, well that's your perception (which is great for you), but most of the general public would disagree with your statement that it's "easy".

But I agree with what you are saying in general, the security measures can be circumvented if the right person is doing the dirty work. But that's the way with most things - my car, house & place of work included...

So I stick by my statement that breaking into my network is "highly unlikely" but I'll add it's also "not impossible".

[mas]

Anyways, to combat MY security issues I use MAC address filtering(best
line of defense) and WPA security on my WIFI router. Nobody is getting
in there unless they hijack one of my MAC addresses + crack the
encryption, or find a way to physically plug into it which is highly
unlikely.

Mac Address spoofing is easy. WPA can be broke. Also did you changed the router password from the default?

So saying it's easy, well that's your perception (which is great for you), but most of the general public would disagree with your statement that it's "easy".

But I agree with what you are saying in general, the security measures can be circumvented if the right person is doing the dirty work.

So I stick by my statement that breaking into my network is "highly unlikely" but I'll add it's also "not impossible".

You might want to change that perception.

You aren't using at minimum an IPSec based VPN to encrypt the transmission?
You aren't encrypting your resident data? You aren't using secure shell?

About Mac Addresses:

Mac addresses are TOTALLY INSECURE! BY NECESSITY! If they were not, they
couldn't be read and recognized!

First of all MAC addresses are just one more password to identify AND IT IS
EASILY compromised! Why? Heck you don't even have to
break it! It is broadcast in the open (unencrypted)! All
you do is sit and passively listen! And obviously you are unaware of the
classic MITM - man in the middle - technique to steal control of the
connection! Just listen with AirSnort and this info is dropped in your lap! You
don't have to break them! I mean, how much easier can it be?

And spoofing? You are obviously unaware of the tools that allow you to
simply cut and past them into the data stream! Too lazy to cut and past? OK, it
will test the combinations and permutations for you!

OK, to use a simple analogy. From the network perspective, the Mac address
is your name. Mac address filtering is simply the party guest list that some
clerk at the door checks who has no idea who you are. You give them your name
and if you are on the list, you are in. Is your name secret? Heck no! Is it
easily obtained? Sure, especially if you are in effect wearing a name tag! All
anyone has to do is watch the nametags and note who is let into the party!

And since the doorman is no wiser, if you walk up to the door and say
"I'm watchamacallit", your in. It's literally that easy. All it does
is to keep the oblivious out. But anyone who wants in is in!

Is using Mac address filtering better than having no filtering? Sure!

Is it secure? Heck NO!

ALL of the tools necessary to effectively hack a system are available for
free on the web! Heck, if you want about 50 of them, PM me!

The irony is that most of the tech savvy KIDS know all about them. The fact
that your friends at church and the local PTA meeting don't know them - heck,
you know, the SAME folks that don’t even realize that WEP is not even enabled
by default!

So the biggest problem with online security is that the various security
protocols is that that they are NOT ENABLED BY DEFAULT! They are not enabled
unless YOU do it!

And how hard is it to map and hack into a system? You obviously are not
familiar with the OLD practice of war driving! Of driving around with a laptop,
AirSnort, (a few other tools) and an EASILY made directional antenna!

The fact is, this attitude that ’well, its complicated enough that few
can do it' is absolute nonsense. In fact, it is how many have
fun with a computer. Its a game.

About 3 years ago I was at the Grapevine Texas Best Buy explaining to a
couple of the techs there about 802.11i, and one of the techs said exactly what
you did! And to my surprise, one of the 18-19 year old guys standing
there not saying much said, "Oh yeah? No is not".

And as the conversation wound down, he motioned to me and asked a couple
more questions about a few of the cracking tools - and then pulled out his
laptop.

In it he had maps of about 10 MAJOR Metroplex area companies that were WIDE
open. They not only had near complete wireless maps of the company due to
uncontrolled wireless radiation extending beyond their walls, but he and
friends had cracked a majority of the passwords, mac addresses and SSIDs of
most of the access points and routers! The even had used Jack the Ripper to
break more internal passwords.

I was amazed, amused and rather shocked that they had gathered so much
info in so little time. And on companies that shocked me that they
were so absolutely open! Hard to do? Yeah...But only if you don't take the time
to drive around with your laptop and click a few icons.

Te fact is, the only part of this 'system' that is hard seems to be
to convince those who are totally unaware of how easy it is.

The fact is, the tools are available that simply passively listen and GIVE
you this. You do nothing except watch! You don't have to do anything except to
be there and double click on the tool!

Difficult to do? Yeah, if you think downloading a tool from the web is
"difficult". You don't need some advanced training or knowledge to do
this? Anymore than you need to play a CD or DVD!

And I will go further. If you do not literally power off your wireless
system when you are not ACTIVELY on it, you are a fool. Sorry to put it so
bluntly, but you are simply inviting others in! You buy it for convenience. But
how convenient is it for you when no one is using it? Not much! But it sure is convenient
for anyone else who wants to play! Or worse, has malicious intent. And who has
access to the system when you are not at home during the day....oh, but of
course a savvy criminal or tech savvy kids with lots of time wouldn't be smart
enough to do anything untoward...would they?

Oh, and how many access their workplace or bank accounts without using a
form of secure shell and at the bare minimum, an IPSec VPN? If so, you may as
well be printing out the data and distributing it to anyone who will take one.

The irony is that while so many only casually aware of this situation dismiss
the risk, those of us who work with it know better, and treat it as a big
screen door securing your home! Heck, we are having BIG trouble with it in
enterprise and secure installations! And that is using RADIUS authentication
servers and the latest in wireless security management tools as well as the
latest in IDS and layered security.

It's PAST the time that everyone take wireless security SERIOUSLY. Contrary
to the crazy assumption of most, its NOT hard to do. YOU don't have to do it!
The tools are amazingly sophisticated! And EASY to use! You just click a button
and watch! Then its ala carte!

Hey, but I’m sure you keep a spare key under the font door mat or on the
sill over the door too. After all, who would ever look, and if they did, who
would ever think to look there?

With all due respect, I just wish that those who are not familiar with the
fundamental security issues to stop declaring wireless effectively safe. Casual
wireless is anything but secure! The best you can do is risk mitigation. And
there is MUCH more that folks need to be doing if they are using wireless. The
irony is that I am forbidden to even have it anywhere in the network (even if
turned off!) if I access many systems! And that is even with encrypted
data, at least an IPSec VPN, and more ideally, an SSL VPN, tripwire and many other safeguards that any normal person is
not going to employ.

Seriously, if anyone needs help with this you can PM me. I am NSA certified
and possess a Masters in Information Assurance (among the other crazy degrees)
from the first graduate program fully certified by the National Security
Agency and Dept. of Defense as a Center of Academic Excellence in Information
Assurance that meets the full regimen of NSTISSI areas: 4011, 4012, 4013, 4014,
4015 & 4016.

[Jay481985]

Oh yes, I changed the password. But hey, passwords can be hacked too! OBVIOUSLY there isn't any "PERFECT" LAN security out there, but many layers of security is more helpful than non at all (like turning off your SSID broadcast will deter MOST "average" users from finding your wifi connection altogether). Also, I can safely say that most of the people who live around me don't know the definition of MAC address spoofing (I live a low income area they call "da hood"). I'm not really worred about someone spoofing my MAC address here. So saying it's easy, well that's your perception (which is great for you), but most of the general public would disagree with your statement that it's "easy".

But I agree with what you are saying in general, the security measures can be circumvented if the right person is doing the dirty work. But that's the way with most things - my car, house & place of work included...

So I stick by my statement that breaking into my network is "highly unlikely" but I'll add it's also "not impossible".

apple includes spoofing in os10 x

[mas]

apple includes spoofing in os10 x

While there are PLENTY of MAC address spoofing tools for OSX, OSX does not have this capability as a feature!

The MAC address refers to the Media Access Control Layer, not to anything related to Apple.