Reckless Wireless

|

On Saturday The News York Times ran a front-page story that describes how criminals use other people's wireless networks to avoid detection. "The public needs to realize that all they're doing is making it harder on me to go find the bad guys," a former Secret Service agent told the Times. "How would you feel if you're sitting at home and meanwhile someone is using your Wi-Fi to hack a bank or hack a company and downloads a million credit card numbers, which happens all the time? I come to you and knock on your door, and all you can say is, 'Oops.'"

The implication seems to be that good citizens have a duty to lock down their networks, lest they become unwitting accomplices to identity theft, fraud, copyright infringement, and distribution of child pornography. But as the article notes, any open Wi-Fi network (including those set up by libraries or local governments to benefit the general public), can be used for illegal ends—as can public roads, pay phones, rental cars, etc. When individuals or businesses choose to leave his networks open as a gesture of good will toward neighbors and passers-by, are they being negligent or just friendly?

It's also odd that people who get a free ride on someone else's unsecured network can be charged with "theft of telecommunications services." If a passer-by's use of my network does not impair my use of it and does not cost me anything, what exactly has been stolen? If I have made no attempt to exclude him, it doesn't even seem like trespassing.

NEXT: Computers, Freedom & Privacy Conference—Last Day for Earlybird Registration

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. “If a passer-by’s use of my network does not impair my use of it and does not cost me anything, what exactly has been stolen?”

    I dunno, I would equate this with someone plugging an extension cord into one of my outdoor outlets and using my juice. And besides, if someone is using your network your bandwidth is effectively cut in half.

    FWIW, anyone in the vicinity of my network is free to use it, and if they can figure out the 26-character code they need to get in, they sure as hell deserve to use it.

  2. How do I secure my wireless network?? Been (lazily) trying to figure that out since I got my laptop a couple months ago.

  3. There is a scam here in the Banana Republik of Florida envolving collect calls. Seems as if an inmate calls you collect. IF you accept they can then bill phone calls to your number. I have received a half a dozen of these calls in the past month, none of which I would accept. I know noone in the slammer that I want to even talk to let alone pay for the call!

  4. Sage, IMHO plugging in to an electtric outlet clearly violates property rights. Logging on to a personal wifi is not (well, debatable at least). I would think a more clear analogy would be a passerby listening to loud music blaring from your house.

    GUYK, shame on Florida. In a state commonly “backwards”, “dopey” and worse – South Carolina, the Dept. of Corrections seems to have it a little better under control. When you get an inmate call (collect, land-line only), the first option you are given is “Press # to block all incoming calls from the DOC. . ”

    Never had any unwanted calls on the bill either.

  5. Ironchef: If we’re going to construct bad analogies; stealing wi-fi is more like a passerby watching a TV in an empty room thru the window. They’re using their own remote to turn it on and change the channels. All is well, but what if they start ordering pay-per-view?

    Rhywun: The topics you’ll want to be looking for are WEP and MAC filtering in your WAP manual.

  6. To sage : Using WEP cracking tools and a laptop I could have that 26 character code. If your using the wireless connection sometimes that can be done quite fast. But feel good in knowing you are more secure than most

    To Rhywun : Read the users manual that came with your wireless access point and setup WEP keys on the client and access point. Sometimes things dont work well so make sure you read how to reset the access point back to default factory settings.

    In general WEP keys will protect your network about like locking the front door of your house. People can still get in. They just have to work at it.

    Some links to read if you are really interested.

    maps of already plotted / identified wireless networks

    http://www.wigle.net/

    extreme amount of information of how to do and how to prevent wireless hacking

    http://www.wi-foo.com/index-4.html

    a tool to watch your neighbor surf

    http://www.kismetwireless.net/

    a tool to crack WEP keys

    http://sourceforge.net/projects/airsnort/

  7. sage, e-rock:

    What part of “does not impair my use of it and does not cost me anything” do you not understand?

  8. JC:

    It can, conceivably impair your use. You have a fixed amount of bandwidth coming into your house–if the freerider downloads MP3s all day, you’re not able to have the use of some of your DSL/Cable/etc. broadband line that your WiFi network essentially distributes.

  9. “The implication seems to be that good citizens have a duty to lock down their networks, lest they become unwitting accomplices to identity theft, fraud, copyright infringement, and distribution of child pornography.”

    I would replace “duty” with “might want to”. The issue is that this is certainly possible, and citizens might want to know that. The panic emerges because there is no reliable information on how often this happens, where it happens, etc. — this is not so different from the current panics about identity theft.

    I like the front door analogy for securing a Wi-Fi network. And, as with front doors, whether or not you look yours depends on where you live, and how you feel about the neighborhood. I certainly agree that forcing you to “lock your door” under threat of penalty is not so much helping you become an informed citizen so much as making you an obedient one.

    This also applies to the “front window” analogies above. Sometimes you don’t care if someone stares in your window, while other times you might want to close the fricking blinds . The data that help you make that decision (do I live on the first floor on a busy street?) are usually more obvious than for Wi-Fi, but otherwise I think quite similar.

    I certainly don’t have a problem with law enforcement trying to make people understand the risks of having an unprotected network — Hell, the fact that I don’t understand all the risks is exactly why I haven’t bothered to set one up. Naturally, I assume law enforcement will overreach and attempt to penalize innocent bystanders in the way noted above (there’s probably some analogy to forfeiture laws to be made here). As always, we can only support the saner voices and hope that they prevail.

    Anyone know who they are, on this topic?

    Anon

  10. Test2,

    If it has impaired my use, then it has impaired my use. If it has not impaired my use, then it has not imparied my use.

    You are trying to tell me that if it has not impaired my use, it has really impaired my use.

    Which one of us makes sense?

  11. If a passer-by’s use of my network does not impair my use of it and does not cost me anything, what exactly has been stolen?

    This is kind of a moot point since by most home broadband contracts, you don’t “own” your bandwidth to begin with. There’s plenty of things you usually can’t do, including creating a server on your computer. Turning your network into a wireless node would probably fall in this category.

  12. The real reason you might want to secure your wireless network is so that other people can’t snoop on *your* traffic. Wireless bandwidth is pretty ubiquitous these days — at least in most reasonably populated areas. What you really want to avoid is having someone grab your personal info as you’re surfing around from the couch.

  13. a tool to crack WEP keys
    Yikes! I didn’t realize they had effective brute force ways to crack a 128-bit key. My two WAPs are setup as a bridge, so I don’t think the network is hackable. But now I’m not so sure…

    Does anyone know of a secure wireless protocol? I don’t care if it is consumer grade, I’m just curious if anyone has solved this issue yet.

  14. Read the users manual that came with your wireless access point and setup WEP keys on the client and access point.

    Does the manual that came with my wireless router count?

  15. This also applies to the “front window” analogies above. Sometimes you don’t care if someone stares in your window, while other times you might want to close the fricking blinds .

    With most people it’s not so much a matter of not caring whether “someone stares in your window” as assessing the likelihood of such action.

    Most people, if asked, “if you noticed a stranger staring into your living room window, what would you do?”, would answer in one of the following ways:

    1. “I would close the blinds”
    2. “I would call the police”
    3. “I would chase the fucker off with a shotgun,”
    with option #2 probably being the most common.

    Rarely would a person answer: “usually, I’d do nothing, since I don’t care if people stare into my windows.”

  16. db,

    I think it depends on where you live. Your response accurately what my parents, who live in suburbia, would do — and probably what I would do if it happened while I was at their house. But anyone who has lived on a ground level apartment in a major city may have developed a more nuanced view — or, rather, a more nuanced policy. In particular, I have noticed many ground level apartment dwellers can be pretty friendly about “TV bandwidth” during playoff season (the playoffs of your choice) when everyone’s come over to watch the game. I recall some version of this behavior holding with radios in apartment building windows in one of my childhood neighborhoods.

    But this is probably more an exception than a rule, and I agree that people’s reactions are driven more by whatever they consider a reasonable expectation of privacy vs. the likelihood of the event occurring. I suppose this is one of the reasons doors are different than windows. You might be willing to leave your door unlocked because you don’t believe anyone will be brazen enough to try to open it (the illusion of privacy in on your side), while in the windows case your privacy is obviously open to invasion (the illusion of privacy is necessarily lost).

    Anon

  17. Does anyone know of a secure wireless protocol? I don’t care if it is consumer grade, I’m just curious if anyone has solved this issue yet.

    Newer hardware should do do WPA.
    http://www.wi-fiplanet.com/tutorials/article.php/1550561
    802.11i is supposed to fix it all. Best is to run your own VPN over wireless connections where possible. OpenVPN, http://openvpn.net/, is relatively easy to set up and runs on most OSes.

  18. Perhaps your ISP provides bandwidth at a price based on the average use by customers in your class or category. Sharing your access, wittingly or unknowingly, puts your usage out of the class to which the ISP had you assigned. You (and your limpets) end up using more of the ISP’s available bandwidth, and the ISP would like to charge you for it. Public shared LANs likely pay for a higher share of ISP bandwidth. Your contract probably requires you to fairly identify your type of use.

    If you willingly share, it seems like lending your car to a bank robber for a getaway. If you unknowingly share, it is like leaving your key in the car where the robber might use it (which in the car parallel, is illegal in some places). If you lock your net (or your car) you’re absolved for what the tresspasser does with your stuff.

  19. There are various ways to secure wireless, the new 802.11i standard for encryption and authentication go a long way towards solving the problems of WEP. WPA was the interim security solution to bridge the gap between WEP and 802.11i. Check the manufacturer’s website for firmware updates to upgrade your system to support better security.

    Unfortunately, few products aimed at home/small business users support 802.11i, due in large part to the lack of demand from the end users. Most consumers have no clue or inclination to secure their systems, just look at the number of people with DSL or cable Internet without firewalls. They are exposing their PC’s to the Internet naked. Try to explain this to them and their eyes glaze… And god forbid you lock down their system to secure it because that breaks their access to illegal MP3s and movies!

    Security is the responsibility of the person running the technology, just like driving a car or owning a gun, people should be responsible for learning how to safely operate their property before they inflict damage on their neighbors. If I left a loaded firearm in my front yard and someone picked it up and robbed a bank, I would be responsible. Why should it be any different with technology. People want to mandate the use of trigger locks on firearms, so too should we expect our fellow citizens to lock down their computers, wireless networks, etc.

    A malicious user accessing an unsecured access point to hack a bank is really nasty, but it is a lot less common than the much more annoying practice of using open access points to send spam. I have done work for local governments and businesses who wanted to provide open wireless access to their users, but we limited the outbound traffic requests to only a few protocols to minimize the risk of someone using those open access points to hack banks, send spam, spread viruses, and so on. It only takes a little forethought and planning to create a system that will deliver a secure solution.

    When properly implemented, wireless LANs are a wonderful and powerful tool. When implemented poorly, it is an invitation to disaster. And we should hold people responsible for the damage done because they did not lock down their network.

  20. To avoid waiting for 802.11i ratification (just recently passed), many vendors released WPA based on 802.11i draft version 3 (fall of 2002). Interoperability between vendors might be a tad suspect, but you can always setup your home network using a single vendor to help alleviate that.

    Older 802.11b equipment likely won’t be easily upgradeable to 802.11i. Most 802.11g equipment should. Or so they say.

  21. And we should hold people responsible for the damage done because they did not lock down their network.

    You’re joking, right? How about holding the people who CAUSE THE DAMAGE responsible? I hate to resort to the same tired analogy, but… if I forget to lock my door and someone comes in and takes all my stuff while I’m gone, I would like to think that the cops would go after the thieves rather than say, “Oh, it’s your fault.”

  22. Well, you get a ticket around here for leaving your keys in the car. It’s rather screwy.

  23. “I would like to think that the cops would go after the thieves rather than say, “Oh, it’s your fault.””

    I would like to think that too, but a recent neighborhood watch meeting with a policeman put that illusion to rest. The policeman spent the whole time basically telling us that if we have something stolen, it’s our fault for having something nice and allowing it to be seen. Actual exchange:

    civilian:”I had my car stereo stolen”

    policeman: “I’ll bet it was a really nice looking stereo, wasn’t it.”

    Anyway, I digress.

    I think *requiring* people to lock down networks is as rediculous as requiring people to lock their cars because maybe, just maybe, a robber will happen by and jump in. On its face, absurd.

  24. Rhywun,

    I was not suggesting that the people who actually commit the crime were not responsible, they are and should be prosecuted to the fullest extent of the law (if you could find them). I meant to say that owners of unsecured wireless access points are accessories to the crime.

    “The public needs to realize that all they’re doing is making it harder on me to go find the bad guys,” a former Secret Service agent told the Times. “How would you feel if you’re sitting at home and meanwhile someone is using your Wi-Fi to hack a bank or hack a company and downloads a million credit card numbers, which happens all the time? I come to you and knock on your door, and all you can say is, ‘Oops.'”

    Oops is not a valid defense wether we are talking about open wireless access points, giving firearms to children, or handing your car keys to a drunk. People should be held accountable for their actions, or inactions as the case may be.

  25. People want to mandate the use of trigger locks on firearms, so too should we expect our fellow citizens to lock down their computers, wireless networks, etc.

    Of course, trigger lock laws have the major effect of allowing the prosecution of innocent firearms owners whose property has been stolen and misused.
    They have not been proven to decrease the instances of firearms-related crime. Any idiot can disable most firearm locks, especially if they steal the gun and then take it some place where they have time to work on it.
    From a prosecutor’s standpoint, the more laws that can possibly be broken, the better.

  26. I don’t think its possible for someone to have an open wireless access point and not have at least some decrease in performance. With my sister and I sharing a single cable modem through a router, I notice a slowdown whenever she starts up bittorrent.
    The extension cord analogy is apt, as many broadband providers will charge extra if the user goes over a certain amount of data per day. Plus, most routers mask internal IP’s, so any hack attempt made will be traced back to the hijacked router and not the actual perpetrator.

  27. Just turn off SSID broadcasts.

  28. “I meant to say that owners of unsecured wireless access points are accessories to the crime.”

    That’s like saying that a woman wearing a two-piece bathing suit in public would be an accessory to her own rape, if such occurred, because she gave the criminals easy access.

    Similarly, you could use this logic to justify the removal of cold remedies from drugstore shelves, and their restriction as controlled substances. Because having the cold remedies readily available is, by this logic, serving as an accessory to meth production and related crimes.

    Sorry, DJ, but I call bullshit. Sure, I highly recommend that people secure their wi-fi networks and certainly wouldn’t use an unsecured wi-fi myself, but I think it’s pretty easy to tell the criminals from the law-abiding in this scenario, and I think most of us agree that the criminals are the ones that deserve the punishment.

  29. If I ran a business, such as a coffee shop, that used access to a hotspot as a tool to increase foot traffic, and one of my customers used it to hack some other company’s systems in order to commit fraud or vandalism, I might escape criminal charges, but I’d live in holy fear that the bank, insurer, etc. who was so victimized would sue me out of existence. Contributory negligence can be expensive, and even if they caught the anonymous weasel who actually did the dirty deed and sent him to the pokey for yahrens and yahrens, he may not have any assets to speak of, and I’d be a much likelier target for a civil action.

    On WGN radio, computer guy Mike DiMichele recommended this article on securing home wireless networks:

    http://www.maximumpc.com/how_to/reprint_2004-01-05.html

    Kevin

  30. If you want to secure your wireless network against unauthorized usage, change the password on your wireless router, change the SSID from the default, enable MAC address filtering, and stop it broadcasting the SSID.

    If you want to prevent people from sniffing your traffic, use one of the many data encryption schemes.

    Failure to do so will result in what happens to my upstairs neighbor–I find I get great reception with his network “linksys” and I have so far restrained myself from going in and configuring his router for him. I am sorely tempted, though, especially when he drops his shoes on the uncarpeted floor early in the morning and wakes me up.

  31. Cool – thanks for all the tips everybody – I think I’m secure now 🙂

  32. The house analogies don’t work…someone entering your house without explicit permission can’t do anything worse than commit theft or violence against you…and if they do, then I’d call it “assumed risk” on your part unless you were taking reasonable precautions (such as locking the doors).

    Let’s say it’s your car instead. You leave your car unlocked with the keys in the ignition, and while you’re asleep at home (and thus not using the car) some punk takes it out and uses it to commit a crime, and then returns it when he’s done. If he fills up the tank, then your use of the car is not diminished any more than your use of your wireless LAN is diminished by a cracker. But witnesses to the crime still saw your car making the getaway, and you can bet the cops will be coming for you…better hope your SO can swear under oath that you were asleep.

    No, I don’t think people should be _required_ to secure their LANs (as in, punished by law for failing to do so, even in the absence of proof of actual harm to a third party)…but anyone who doesn’t do so is inviting a world of hurt when they get caught up in some third party’s crime spree. Nor would I be offended by a law making internet users legally liable for whatever traffic their networks emit, at least in a contributory sense.

    Rights come with responsibilities. If you want the rope, then don’t expect the law to come to your rescue when you hang yourself with it.

Please to post comments

Comments are closed.