The Wi-Fi user as wireless felon

This article will be of interest to all those who discussed the (i)legality
of accessing (un)secured wifi networks
and sharing internet connections.
http://www.theregister.co.uk/2004/05...i_legislation/
Regards,
Martin

I think the article is missing the point of legitimately "free" Wi-Fi
access. It uses Bryant Park (NY City) as an example of a place where people
go to get a free hotspot, then it tries to make the argument that it's
illegal, if I'm understanding it right. However, The Bryant Park
Organization sponsors that free signal for the sole purpose of providing
free internet access in Bryant Park.

So where is the crime?

"Martin²" <(E-Mail Removed)> wrote in message
news:ntRlc.39777$Y%(E-Mail Removed)...
> This article will be of interest to all those who discussed the
(i)legality
> of accessing (un)secured wifi networks
> and sharing internet connections.
> http://www.theregister.co.uk/2004/05...i_legislation/
> Regards,
> Martin
>
>

This is a very interesting read. I find the example at the end of the
article very odd, though. The author describes someone going to a park and
connecting to their home router, which is hooked to a cable modem. He
concludes, "You're busted!".

Nowhere does he discuss the use of WEP or WPA on the router, which I believe
would be a strong defense against an accusation of illegal sharing. It's one
of the main reasons I insist on at least using WEP, even if it's imperfect.
It is the minimal care a reasonable person could be expected to take to
prevent illegal access.

Also, the writer is overstating (by implication, at least) the degree of
risk. Free public hotspots with business-class DSL or cable agreements are
generally low- risk, especially if they have indicated to the service
provider that they intend to build a wifi hotspot around the backhaul. A
business class agreement implies commercial use, and while the service
agreements typcially do not yet include specific language permitting wifi
access, the service providers recognize that this kind of thing is actually
increasing their revenues. There are some potential liability issues
concerning users who abuse the hotspot for malicious hacking, but that's a
separate issue from mere access.

The homeowner who doesn't know that anyone can use their ISP via their
wide-open wifi network might be subject to a termination of service, but
almost certainly will not be prosecuted, even if that's theoretically
possible. There is no advantage to the service provider (who might pursue
theft-of-service) or to the the authorities (who might pursue theoretical
criminal violations outlined in the article). Mounting expensive
prosecutions or lawsuits against thousands of clueless people is a waste of
time and money. If abuse occurs, it's much cheaper and just as effective as
a training tool to shut off service to the customer who was hacked, and
publicize the fact.

It would help if some legal consensus could be achieved concerning when the
door is open. I'd prefer a standard that assumes the door is closed unless a
specific web page is presented that says otherwise, and maybe even requires
some kind of authentication step. I know a lot of people disagree with this
approach, but whatever legal standard emerges will have to accomodate the
reality that most people with wide-open nets do not understand the risks, do
not understnad the technical issues involved in reducing the risks, and
cannot be expected to take reasonable steps without much more help from the
vendors. That probably means on-by-default encryption that is trivial to
configure (and I don't know how you do that).


"Martin²" <(E-Mail Removed)> wrote in message
news:ntRlc.39777$Y%(E-Mail Removed)...
> This article will be of interest to all those who discussed the
(i)legality
> of accessing (un)secured wifi networks
> and sharing internet connections.
> http://www.theregister.co.uk/2004/05...i_legislation/
> Regards,
> Martin
>
>
>

In article <VfSlc.24179$(E-Mail Removed)> ,
(E-Mail Removed) says...
> This is a very interesting read. I find the example at the end of the
> article very odd, though. The author describes someone going to a park and
> connecting to their home router, which is hooked to a cable modem. He
> concludes, "You're busted!".
>
> Nowhere does he discuss the use of WEP or WPA on the router, which I believe
> would be a strong defense against an accusation of illegal sharing. It's one
> of the main reasons I insist on at least using WEP, even if it's imperfect.
> It is the minimal care a reasonable person could be expected to take to
> prevent illegal access.
>
> Also, the writer is overstating (by implication, at least) the degree of
> risk. Free public hotspots with business-class DSL or cable agreements are
> generally low- risk, especially if they have indicated to the service
> provider that they intend to build a wifi hotspot around the backhaul. A
> business class agreement implies commercial use, and while the service
> agreements typcially do not yet include specific language permitting wifi
> access, the service providers recognize that this kind of thing is actually
> increasing their revenues. There are some potential liability issues
> concerning users who abuse the hotspot for malicious hacking, but that's a
> separate issue from mere access.
>
> The homeowner who doesn't know that anyone can use their ISP via their
> wide-open wifi network might be subject to a termination of service, but
> almost certainly will not be prosecuted, even if that's theoretically
> possible. There is no advantage to the service provider (who might pursue
> theft-of-service) or to the the authorities (who might pursue theoretical
> criminal violations outlined in the article). Mounting expensive
> prosecutions or lawsuits against thousands of clueless people is a waste of
> time and money. If abuse occurs, it's much cheaper and just as effective as
> a training tool to shut off service to the customer who was hacked, and
> publicize the fact.
>
> It would help if some legal consensus could be achieved concerning when the
> door is open. I'd prefer a standard that assumes the door is closed unless a
> specific web page is presented that says otherwise, and maybe even requires
> some kind of authentication step. I know a lot of people disagree with this
> approach, but whatever legal standard emerges will have to accomodate the
> reality that most people with wide-open nets do not understand the risks,do
> not understnad the technical issues involved in reducing the risks, and
> cannot be expected to take reasonable steps without much more help from the
> vendors. That probably means on-by-default encryption that is trivial to
> configure (and I don't know how you do that).
>
>
> "Martin²" <(E-Mail Removed)> wrote in message
> news:ntRlc.39777$Y%(E-Mail Removed)...
> > This article will be of interest to all those who discussed the
> (i)legality
> > of accessing (un)secured wifi networks
I agree. It would be nice to be able to put in a customized HTML page in
the router that would notify someone they have accessed the network and
unless they have permission to so so that it would be illegal.

--

Ben E. Brady
http://www.clariondeveloper.com/wepgen
FREE! Effectively manage your Wi-Fi network.
Change your WEP keys often!

http://www.clariondeveloper.com/webcloak
FREE! Encrypt email addresses on your web site!
Keep spam bots from sending you spam!

http://www.firewallreporting.com
Personal firewall log analysis tools for
ZoneAlarm, BlackICE, WinRoute Pro and Windows XP
Take stock of your firewall settings and take action against intruders.

http://www.videoprofessorscam.com
Don't get stung by this scam!

On Tue, 04 May 2004 19:35:17 GMT, gary spoketh

>This is a very interesting read. I find the example at the end of the
>article very odd, though. The author describes someone going to a park and
>connecting to their home router, which is hooked to a cable modem. He
>concludes, "You're busted!".
>
>Nowhere does he discuss the use of WEP or WPA on the router, which I believe
>would be a strong defense against an accusation of illegal sharing. It's one
>of the main reasons I insist on at least using WEP, even if it's imperfect.
>It is the minimal care a reasonable person could be expected to take to
>prevent illegal access.
>

I believe his point is that too few people uses WEP or anything else to
protect their WiFi networks from abuse, and the fact that it's currently
virtually impossible to know if that constitutes authorized or
unauthorized use. The point being, the law is nowhere near where it
should be WRT this technology, and it's unclear what constitutes
unauthorized access.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"

> I agree. It would be nice to be able to put in a customized HTML page in
> the router that would notify someone they have accessed the network and
> unless they have permission to so so that it would be illegal.

Huh? Where do you put that page? I mean when I connect to my home network
and then start my customary SSH session, or access my CVS repository, I don't
see any opportunity for the router to send me an HTML page.

There are other ports than 80 and 443, after all.


Stefan

In article <jwvy8o8ueng.fsf-monnier+(E-Mail Removed)>,
(E-Mail Removed) says...
> > I agree. It would be nice to be able to put in a customized HTML page in
> > the router that would notify someone they have accessed the network and
> > unless they have permission to so so that it would be illegal.
>
> Huh? Where do you put that page? I mean when I connect to my home network
> and then start my customary SSH session, or access my CVS repository, I don't
> see any opportunity for the router to send me an HTML page.
>
> There are other ports than 80 and 443, after all.
>
>
> Stefan
>
That's just it... there is no place to put the page... I was saying it
would be nice if the router were to provide a place to post HTML code in
memory where you could author a page that would automatically be sent by
the router to any new wireless connection being made.

--

Ben E. Brady
http://www.clariondeveloper.com/wepgen
FREE! Effectively manage your Wi-Fi network.
Change your WEP keys often!

http://www.clariondeveloper.com/webcloak
FREE! Encrypt email addresses on your web site!
Keep spam bots from sending you spam!

http://www.firewallreporting.com
Personal firewall log analysis tools for
ZoneAlarm, BlackICE, WinRoute Pro and Windows XP
Take stock of your firewall settings and take action against intruders.

http://www.videoprofessorscam.com
Don't get stung by this scam!

I still think it's odd that the article doesn't mention encryption at all.
An article that discusses arcane legal entanglements in such detail should
devote at least a paragraph to how use of encryption affects things.
Otherwise, it leaves the impression (at least with the technically
uninformed) that wifi is a nest of snakes and prosecution is imminent. In
that regard, I think the tone of the article is excessively pessimistic.

"Lars M. Hansen" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Tue, 04 May 2004 19:35:17 GMT, gary spoketh
>
> >This is a very interesting read. I find the example at the end of the
> >article very odd, though. The author describes someone going to a park
and
> >connecting to their home router, which is hooked to a cable modem. He
> >concludes, "You're busted!".
> >
> >Nowhere does he discuss the use of WEP or WPA on the router, which I
believe
> >would be a strong defense against an accusation of illegal sharing. It's
one
> >of the main reasons I insist on at least using WEP, even if it's
imperfect.
> >It is the minimal care a reasonable person could be expected to take to
> >prevent illegal access.
> >
>
> I believe his point is that too few people uses WEP or anything else to
> protect their WiFi networks from abuse, and the fact that it's currently
> virtually impossible to know if that constitutes authorized or
> unauthorized use. The point being, the law is nowhere near where it
> should be WRT this technology, and it's unclear what constitutes
> unauthorized access.
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"

Web page hijacking is done all the time by hotspot edge servers. The first
attempt to connect to a web site from a new client - *any* web site - is
intercepted, and a splash page from the hotspot is substituted. Almost all
off-the-shelf wifi routers contain a web server to present admin pages, so
this would be a fairly trivial addition.

The real question is how you would use this. Without a secure authentication
step (need userid/password to get on the system), it doesn't accomplish
much. You could have the splash screen say that access is illegal if you are
not an authorized user, but since access would not be prevented, in practice
this would be meaningless. Anyone wishing to abuse your ISP connection would
do so. They would be completely untraceable, and your account would
eventually be terminated.

It seems to me that anything short of secure authentication, and preferably
encryption, is unworkable. It needs to be on by default, trivial to
configure, and disabled only by a conscious effort on the user's part.

Vendors and service providers can solve this problem if they want to, but
they first need to recognize it as a problem and then agree that something
needs to be done.

"Stefan Monnier" <(E-Mail Removed)> wrote in message
news:jwvy8o8ueng.fsf-monnier+(E-Mail Removed)...
> > I agree. It would be nice to be able to put in a customized HTML page in
> > the router that would notify someone they have accessed the network and
> > unless they have permission to so so that it would be illegal.
>
> Huh? Where do you put that page? I mean when I connect to my home
network
> and then start my customary SSH session, or access my CVS repository, I
don't
> see any opportunity for the router to send me an HTML page.
>
> There are other ports than 80 and 443, after all.
>
>
> Stefan

I notice I didn't address Lars' concern about clients whose first connection
is not http. Admittedly, that complicates it a little, but I'm sure that
there are several solutions. In one simple case, you could have a system
that presents no splash page at all if WEP or WPA encrytion and/or
authentication is used, but if it's open to the world, then the first IP
transaction from a client *must* be an http connection, after which the
client can do anything. If you don't want the system to behave that way, you
must either configure encryption, or take some other step to disable this
behavior. At least the user is then forced to acknowledge that he intends to
run completely open, and intends to present no barrier to entry. This is not
a suggested implementation, just an illustration that there are probably
multiple solutions to this technical issue.

In any case, it's moot. I don't think a splash page helps much without
secure authentication.

"gary" <(E-Mail Removed)> wrote in message
news:xiUlc.24220$(E-Mail Removed). com...
> I still think it's odd that the article doesn't mention encryption at all.
> An article that discusses arcane legal entanglements in such detail should
> devote at least a paragraph to how use of encryption affects things.
> Otherwise, it leaves the impression (at least with the technically
> uninformed) that wifi is a nest of snakes and prosecution is imminent. In
> that regard, I think the tone of the article is excessively pessimistic.
>
> "Lars M. Hansen" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > On Tue, 04 May 2004 19:35:17 GMT, gary spoketh
> >
> > >This is a very interesting read. I find the example at the end of the
> > >article very odd, though. The author describes someone going to a park
> and
> > >connecting to their home router, which is hooked to a cable modem. He
> > >concludes, "You're busted!".
> > >
> > >Nowhere does he discuss the use of WEP or WPA on the router, which I
> believe
> > >would be a strong defense against an accusation of illegal sharing.
It's
> one
> > >of the main reasons I insist on at least using WEP, even if it's
> imperfect.
> > >It is the minimal care a reasonable person could be expected to take to
> > >prevent illegal access.
> > >
> >
> > I believe his point is that too few people uses WEP or anything else to
> > protect their WiFi networks from abuse, and the fact that it's currently
> > virtually impossible to know if that constitutes authorized or
> > unauthorized use. The point being, the law is nowhere near where it
> > should be WRT this technology, and it's unclear what constitutes
> > unauthorized access.
> >
> > Lars M. Hansen
> > www.hansenonline.net
> > Remove "bad" from my e-mail address to contact me.
> > "If you try to fail, and succeed, which have you done?"
>
>