Wireless Hijacker Dealt First UK Punishment 663
paella_dodger writes "The BBC is reporting on a recent UK court case whereby a man was fined £500, sentenced to 12 months' conditional discharge and had his laptop confiscated for browsing the 'net on his neighbour's wireless Internet conenction. Perhaps I should secure my neighbour's wireless connection for him before Windows automagically connects to it and gets me arrested!"
honeypot... (Score:3, Interesting)
that might cause them to reconsider how they enforce the law.
I, for one, (Score:1, Interesting)
as someone who has been stealing internet access for more than a year now, really don't see a problem with doing it.
The neighbour whose connection I'm leeching off of uses their connection for about ten to twenty minutes in the morning when they wake up and about an hour or so at night -- and never uses their connection to its full capacity.
It's being wasted -- why not use it?
Re:I, for one, (Score:5, Interesting)
Or simpler; a forum which you both happen to visit decides to ban the IP for your bad behaviour or a poll-system allows only one vote per IP.
The real problem is not using the bandwidth, it's the online identity theft through use of their IP.
And how about a VPN? Is it okay to access that too through the WiFi connection?
Re:I, for one, (Score:3, Interesting)
Unsecure WLANs can be *real* expensive.
Compare it with a door... (Score:4, Interesting)
You know that most people do not intend to let everyone use their WiFi, any more than they want everyone to use their house when the door is unlocked. Most of them are poorly configured (typically, default SSID/password), and you know that 99%+ of all residential ISPs don't allow them to run a public hotspot.
Consider it something like garden furniture, even though it's not under lock and key it is still mine to use. If I don't sit in it, you still don't have any right to the unused "bandwidth". And don't give me the "reading in your light" argument, because using my network consumes my bandwidth. If I have a download running, you are slowing me down.
If you really are a free hotspot it is trivial to indicate that you are in your SSID. Otherwise the only thing you have is a very thin argument that since you can use it, it must be free. It certainly has no truth in the physical world, and hardly in the electronic world either. Just because I misconfigure a server to make an open relay/proxy/service, doesn't imply permission. Not if you have good reason to understand that this isn't intentional. You can play really stupid, but no court will let you get away with it.
Kjella
Deliberately open (Score:4, Interesting)
Fixed computers actually on my network are individually firewalled off.
If I ever find evidence of massive bandwidth leeching, I may change my policy, but even then I would prefer to simply cap non-me connections.
Morally, I don't feel it is wrong to borrow enough bandwidth off an open wifi node to read a few web pages or collect email.
Massive bandwith leeching, copyright theft or invading someone else's samba shared files via an open network (that they probably intended to be network private) are off limits, of course.
These days, I would hope that people are aware that these things are open by default - there have been enough articles in the major newspapers about it, and certainly I would prefer that hardware manufacturers shipped them in a default secure configuration, but I don't think this should prevent people leaving them open if they want to.
If i leave a plate of biscuits (cookies) just inside the open gate to my garden with a sign saying "take one please", is it a crime for someone to take one?
Re:Accident? (Score:3, Interesting)
In much the same way you're not expected to be a plumber to put in your own washing machine, or be a car mechanic able to build your own car before you get in one.
The point I was making is that it's rude, inconsiderate and very selfish to hijack the bandwidth. Just because someone else hasn't spent years learning all about computers, and just wants to plug their laptop into their network without understanding all the underlying principles of wireless transmission and security doesn't mean you have to leech, steal and generally take advantage of them.
The NICE thing to do is quitely tell them they have a problem (much like you'd quitely tell someone they had their fly undone in public), and actually educate them.
The SELFISH thing to do is take advantage and say "It's not my fault they don't have a clue". Because it IS your fault by not informing them.
I'd hazard a guess that in every day life, you break a goodly many outdated and ignored laws and byelaws. Would you like it if the police suddenly decided to pick you up on them, and say that it was no excuse you weren't aware of 50 heavy tomes of law, and that it was your duty to know it?
Why do people think it's ok to ignore these laws without so much as a thought to what they're doing?
Could it be that, to make sure the world works properly, people need to concentrate on other things? And not everyone has the time to spend to learn how wireless works (or that it's even insecure)?
Nah. Perish the thought. Everyone's a network engineer, right? Just like we're all as good at diagnosing ourselves as doctors are?
And know the Law as well as a Lawyer?
Re:I, for one, (Score:4, Interesting)
No. The fact that your door is unlocked doesn't mean that I can walk into your house. When on earth did "This object let me do it" become a standard of legality?!
Since the cash register gave me money when I hit the button, that 7-11 burglarly couldn't possibly be illegal. Since the car left running at the curb allowed me to drive it, my car theft cannot be illegal.
That standard of permission doesn't even apply to people! ("I wasn't violating the restraining order, her brother let me in!") Since when does it apply to inantimate objects?
Re:I, for one, (Score:3, Interesting)
This is a bit different. For your analogy to be apt this exchange would have to happen with the door:
you (or your wifi card): hi, can I connect to this network?
door: yes.
you: can I have an ip address?
door: yes, 192.168.0.102, dns 192.168.0.1, gateway 192.168.0.1, you can have this for 30 days.
THAT is what is happening technically. If the "wifi" were secured you would see:
you: can I come in?
door: no.
Or no response at all, which would of course still indicate no. The problem of course becomes - which open wifi is "free" and which is not? My local airport has free wifi advertised and the SSID is the default cisco one so the default SSID argument is dead in the water.
Re:In Perspective... (Score:5, Interesting)
Bullshit, there is no hijacking involved! Frikin walk up to the curb, open laptop, and use it. Do you need permission to turn on the TV and watch open air TV shows? How about 'permission to view' the flowers in front of my house? If people are too ignorent to use a piece of hardware, they shouldnt purchase it. Read the frikin big printed poster that shows you how to secure your access point. Otherwise, you deserve what you get.
Re:How many people secure their networks anyway? (Score:1, Interesting)
People with criminal intentions have, in the past, attempted to use the openness of their own wireless networks to cover their tracks online.
"There have been incidences where paedophiles deliberately leave their wireless networks open so that, if caught, they can say that is wasn't them that used the network for illegal purposes," said NetSurity's Mr Cracknell.
Such a defence would hold little water as the person installing the network, be they a home user or a business, has ultimate responsibility for any criminal activity that takes place on that network, whether it be launching a hack attack or downloading illegal pornography.
Basically, what they're saying is that if someone actually breaks into your network and uses it for criminal activity, you're held responsible.
Brilliant.
So on the one hand, if you are using someone else's network for innocuous reasons, you're a criminal. However, if someone else uses your network for something nefarious, you're the criminal.
This pisses me off to no end. The problem with this reasoning is that the people who are actually most likely to use others' networks for something undesirable or criminal are those who are most likely to try to cover it up! So you have this double incentive for actually breaking into networks: first, you get the privledge of actually using the network, and second, if your problematic use is detected, it's blamed on the network owner, not the actual perpetrator.
Now, I totally agree that most individuals have no clue about the security of their networks, and should be more concerned and educated about it, or there should be pressure on the industry to increase the default security of their networks on installation. However, I think it's even more ridiculous to start blaming the victims of malicious hacking for something they have nothing to do with.
I mean, organizations with professional security experts on staff have networks intruded into, so even if grandma down the street does everything she knows how to secure the network, what's to stop someone with malicious intent from making use of her?
Re:In Perspective... (Score:2, Interesting)
Re:In Perspective... (Score:5, Interesting)
That wireless routers ship unsecured in their default configuration is a problem with the vendors (and it wasn't always like this). Vendors do this to make it easier for people to setup their first wireless network... in fact it's basically automatic. Any Windows machine with a wireless card will automatically connect to any unsecured wireless access point. Period. Allow me to repeat this. Any Windows machine with a wireless card will automatically connect to any unsecured wireless access point. But people really do need to log in and change the default configuration, both for security purposes (it's trivially easy to find default passwords online), and functionality reasons. But the biggest reason is that the way to say something is available for use in the online world is to allow people to use it without authentication.
The standard way of saying something is open and available on the 'net is to not require a password. If you put your pictures up on your http site even if you don't publish the link anywhere you're giving your consent for people to connect and look at your pictures. Not just your consent... your hardware, which is your stand-in online, is actively doing it. The moment you put a password on your http site, you're showing that the site is private, and attempts to enter can be considered hacking. If you have an FTP site with no password, you're giving people permission to use it. Open chat servers, bulletin boards, p2p nodes... The universally accepted convention about networking protocols is "open unless locked." I don't need to call you and get your explicit permission to connect to your website if it isn't locked... by not having a password on something you are showing that it is available for all to use. This post bounced through 20 or so routers at various locations throughout the world, but I didn't need to get explicit permission to use any of them. I didn't have to: I had implicit permission built into the hardware's choice of protocol.
Likewise, if you have networking hardware that has no password or protection whatsoever, you're giving people permission to route through it. In fact, hardware you own is more than facilitating it... it's broadcasting its SSID, it's responding to my card's MAC address, it's responding to my session handshake, and it's not asking for authentication. That's no less than four steps along the line when it could have simply and trivially stopped anyone whom the owner didn't want on the network. The hardware actively engaged in the process. This isn't like checking everyone's door to see which is unlocked, this is like walking past a building downtown and having the glass door automatically open for you.
I should also say that lots of people do intentionally share their wireless networks, out of a sense of social support. There are several 802.11b networks permeating my apartment right now, several of which have altered SSID's and configurations but which are unlocked all the same, showing that the owners knew enough to change the configuration of their routers but still chose to leave them unlocked. This turned out to be good for me, as I had been unintentionally connecting to a neighbor's wireless network for about 1/2 of a year... My wireless card had a faulty WEP driver, and for half a year I didn't notice that it would fail to connect to my network and automatically went out and found another
Re:In Perspective... (Score:3, Interesting)
Wouldn't hijacking also have to involve locking out the owner and changing the router's password?
Rik
Re:Intentional doesn't mean criminal (Score:3, Interesting)
Why should it waste the judge's time at all? We just need some intelligent case law stating that any unsecured networks are equivalent to open networks. OS manufacturers have made it the de facto standard that unsecured networks are considered available networks.
so this means... (Score:2, Interesting)
maybe we need another kind of mark to denote that the chalk was made by the provider... but then we would need a further mark to denote that that, previous, mark was made by the provider...
Or we could make the AP advertise that the advertisement of an open network is advertising an open network...
Or we could assume that people are capable of logical thought and therefore if they are advertising an open network, then you can use the open network.
Given the assumption that is it OK to use a AP if there is a notice advertising its presence. However, it is illegal to use it if there is only the SSID. To see a notice outside someone's house, informing you that there is a network you can use, requires nothing more than perceiving the light emitted (reflected) from the sign and this means it is OK to use the network. Yet receiving a notice outside someones house, a bit further down the electromagnetic spectrum, informing you of the open network doesn't make it legal.
Does anyone know exactly what parts of the electromagnetic spectrum are legally binding?
On an entirely different point If it is legal to use a network if there is a Visible notice denoting its presence. If i write on the Side of my car my intention to use available networks does that make it legal?
Re:IT WILL NOT! (Score:1, Interesting)
Re:In Perspective... (Score:3, Interesting)
As for your front door being unlocked, no, I agree, that's not OK. A house with an open door is not an accepted standard of indication that it is public.
However every relevant standard indicated to this guy that this AP is public: the SSID broadcast, the accepted association request, the DHCP response giving him an IP address and telling him to send all his internet bound traffic to that particular router... According to every relevant standard, the accepted purpose of every one the mechanisms used by this "hacker" to connect to this AP was to allow for anonymous, public clients to connect.
The 802.11 and other standards provide plenty of ways of indicating a private access point. This AP used none of them, and this guy did not circumvent any of them.
Re:In Perspective... (Score:3, Interesting)
I buy a laptop from Los Alamos Computers (LAClinux.com), and choose not to get an 802.11 card in it, thinking "Ah, what the hell, Linux won't ever support the Intel cards well...". That was over 18 months ago.
Sure enough, in a few months along come the ipw2100/ipw2200 drivers, and I go online and purchase the Intel 2100 internal card for my laptop. I install the new card, and fire up the computer. Of course my network is encrypted with your standard flavor of WEP, so I spend some time configuring the computer to automagically log into my home network at startup.
There is a lot of trial and error, so I use the KWifiManager to see if I'm on the network (those little green bars in the tray can be useful!). I think I've got everything fixed (the drivers loaded with the right firmware, the essid, the key, the mode, the channel, etc) and I log in. Sure enough, the little task tray applet it showing I'm connected!
So I log into my router (Linksys WRT54g) at 192.168.1.1, and notice that somehow in messing with my router to get my laptop working (I had messed with the key, the encryption settings, etc.) I had somehow reset my router! Miffed, I started putting my old settings back in: essid, key, port forwarding, etc.
Well, it became clear in the next couple of minutes that I had logged into my neighbor's router (an identical model) while sitting on my couch in my living room (I live in a condo). I frantically try to figure out which is which now that they have the same essid and key, so I can log into the correct one (my neighbors) and switch all the settings back to default - hopefully they won't miss a beat and wonder "What broke the internet?"
Anyway, all was well, and I fixed it (and fixed my login sequence to use MY network!). But the point here is that sometimes, you really do simply log into some else's network and not even know it. When I see articles like this, I wonder what facts the courts look at, because many computers actually DO (Windows XP, all 4 of my Linux boxes, and my wife's Pwoerbook) log into the first available unencrypted network on boot. Unless you actively check which network you're on, you'd never know if it was yours (at home) or your neighbors.
Heck, if I chose to run an unencrypted network with my router's essid as "linksys" and no key (the *default* configuration), how could I tell easily if I were logged into my router or my neighbors? Most non-geeks wouldn't know to read the router info page, and even if they did, they wouldn'd know their router's external IP when they saw it.
This is a different question than "permission to use", but is related...and probably worth some thought before we go overbaord throwing people in jail for using someone else's internet connection. Hopefully, only the malicious cases make it to court. In that case, however, we shouldn't be making laws that are only reasonable when a benevolent government is assumed.
Re:In Perspective... (Score:3, Interesting)
The legal systems in the UK and US are based on precedents. Once a Judge has made a ruling with holdings, those holdings are used (held) in future cases.
One problem with this one, is that there is no longer any way of "wirelessly" advertizing permission to use an access point. (Not in a curerntly supported standard way, anyway).
But the bigger problem is that is sets a precedent of "default is closed". ie that access to networks must be specifically permitted.
This has widespread effect.
Nearly all of the internet is based on the premise that access is granted by default.
Even if the guy was being a dick, this is a bad, bad ruling.