Safe and Insecure?
JoeCotellese writes "Can making your network insecure actually improve your security? That's the question asked in this story running in Salon. The author makes the case that by 'making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.'"
"Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear. Now, anyone with a wireless card and a sniffer who happens by can use my connection to access the Internet. And with DHCP logging turned off, there's really no way to know who's using it."
I'd have read the whole thing, but I was morally repelled by the salon.com ad policy. Anyway, this concept seems to be some perverted cousin of "security by obscurity" -- only this has less to do with protecting your security and more to do with having a way out when someone comes knocking on your door.
Unfortunately, I think this only applies when you *don't do it on purpose*. From my point of view, if you design a network solely for the purpose of relieving yourself of responsibility for what traverses your network, you are pretty much screwed once you get to court. This reeks of the "I accidentally did it on purpose" defense, and isn't likely to fly with any judge that has even a portion of a clue.
dmiessler.com -- grep understanding knowledge
That's not improving your security. That's improving your privacy (via anonymity) at the expense of your security.
Somebody forgot to read the TOS of their ISP... because absolutely every ISP out there has something to this effect in their TOS: As the person who pays the bill, you're responsible for keeping the Internet connection you're buying to yourself and people who you trust with it. The reason why they're warning you to do that is because if you allow your connection to fall into "enemy hands", the usage that goes over your wire will be
By choosing to run the "notoriously vulnerable technology", as the author admitted in his confession letter, he admitted that he knowingly chose a piece of technology that could be exploited yielding his internet equipment making a request on behalf of somebody unknown. That's nice... you just gave that unknown person the gift of a liability shield at your expense.
As I just posted last thread, anonymity these days is really achieved by somebody else who had the chance to know who you are intentionally failing notice or promising not to tell. The thing is, that other person is taking on the liability for what you do.
How nice of you to pay his MPAA/RIAA verdict bill for him, you'll be a hero to copyright pirates everywhere. I'm sure they'll be excited to learn there's still people dumb enough to fall for this trick still out there.
this should be "it's funny, laugh" don't you think?
if you violate the terms of service by allowing others to use your connection, your ISP will disconnect service. Certainly *no* service is more secure, but then you won't be able to visit grannygash.com and hotdonkeyanus.org any more!
Oh, and wait until somebody spams, downloads child porn, or plots a terrorist attack through your open connection! The laughs will come a mile a minute! yuk yuk yuk!!!
It is doubtful you could qualify as a type of common carrier. If anything, you may increase your odds of being liable because you may be held responsible for what others do on your connection.
It would be interesting to see how this would play out. The closest analogy I can think of would be automobiles. If you allowed someone else to use your car, you may be held liable for damages they cause while they are driving it. As far as criminal activity, you may be targeted if your car is identified as taking part in a crime, though you have a pretty good chance of being found innocent if you can prove you weren't driving the car.
Not perfect, but close. The idea sounds good though.
62,400 repetitions make one truth -- Brave New World, Aldous Huxley
First: great link! I get to see some awesome 30 second PBS commercial.
Second: stupid f'en idea
In a word, privacy. By making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.
But since you're liable for everything that goes through your connection, you're fucked if something really bad does happen from your IP. That whole article sounds like it was written by some 14 year old. God... the logic employed in that article is truly amazing!
Casual Games/Downloads
Is to run a public AP. /. does the same thing, they refuse to log so that the logs cannot be used to incriminate people.
A public AP turns you into a transport provider instead of a liable agent. No one is going to go after the library for what offenses are caused there because they merely provide transit. Yeah, your ISP will still disconnect you but you will stay out of jail.
Second, forgetting that your name is still on the bill for that ISP, and that in all likelihood (see your ISP TOS) that makes you liable for what happens over your line.
Here's what I do: Bitty Browser & Andromeda
This might hold up if he were called on it. Where I live you're better off not shovelling your walk in winter rather than shovelling it imperfectly. If you let people trip and fall because you didn't shovel it's a natural condition and not on your property (the city owns the sidewalk). If you do shovel and an icy patch develops, you're liable because you created the dangerous conditions.
I shovel and salt to try to make it safer and damn the liability.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
OK, now let's make a substitution:
"by making my gun available to any and all who happen upon it, I have no way to be certain who will be shot by other people using my gun. And more important, the police have no way to be certain if it's me."
Please help metamoderate.
Notice that Speakeasy encourages you to share the bandwidth and also share the bill. Suddenly your WiFi leech is now a party to your ISP agreement. :)
If it ever comes down to a lawsuit, who can be certain that I was the offender? And can the victim of hacking be held responsible for the hacker's crimes?
Yes, your Honor, the police found a girl's dead body in the trunk of my car, but then, I leave the doors open and the key in the ignition all the time, so how can you be certain it was me?
Come on, this must be a joke...
This has got to be the most screwed up article I've read in a long time... I mean, where to begin?
Are people so desperate when it comes to computer security these days they're willing to commit suicide like this? His problem in the first place was with his ISP, so why not switch to a different one instead of applying his brand of twisted logic?
Seems like a pyrrhic victory if you ask me. He may be safe from lawsuits from his ISP, which he should have stopped using in the first place, but all the while his systems are open to whoever wants to use them for launching attacks, running little spam operations, you name it... It's not being smart, it's just being irresponsible and letting the rest of us suffer the consequences.
Nope, this is the genuine article. This guy is so dead on it's not even funny. How do you think Comcast avoids being put out of business if someone should use their connection to download illegal materials? Answer: "your honor, we're just the pipe. We let others actually use it. We have no idea what goes on in that pipe that we rent out."
This guy is behaving just like Comcast. He's the pipe and he doesn't know what goes on in that pipe. Unless the Judge were to determine that the pipe owner is responsible (and Comcast will certainly help him fight _that_ kind of fight) then he's ok.
BTW, he also said he turned off logging. In many, many cases, there is no law that says you have to log, but there is a law that says you can't destroy evidence you already possess. If you don't have a log in the first place, you have nothing to turn over to the feds and you have no evidence to destroy. I think that's a big step closer to true freedom.
TW
Unfortunately, I think this only applies when you *don't do it on purpose*. From my point of view, if you design a network solely for the purpose of relieving yourself of responsibility for what traverses your network, you are pretty much screwed once you get to court.
The prosecution must prove that you committed a crime, not that you tried to make their job difficult. They can't convict you for something just because you tried to obfuscate your actions or gain plausible deniability.
As the article title says, "safe and insecure." The author has decreased the risk he faces from lawsuits launched by the RIAA, MPAA, BSA, SPA, etc., in exchange for reduced network security.
Where he is in grave danger is from his ISP, which could cancel his account in a moment should they get a DMCA complaint, spam complaint, hacking complaint, DoS complaint, or virus complaint tied to his IP address. The courts have to give him due process. His ISP does not.
"...my ISP has no way to be certain if it's me.'"
But they will have no problem holding you accountable by the terms of usage agreement.
End of discussion.
The next remark is false. The previous remark is true.
I think that we just found our second winner for (sure, let's call it) the Spinder Award ("a person who makes a good effort at removing themselves from the Internet"). I am sure that some Comcast tech is trying to track him down as I type. Can you say Terms Of Service, (I knew you could).
The grass is only greener, if you don't take care of your own lawn.
Comcast is protected by "Common Carrier" provisions -- "the law". You and I are not. As you would be acting with reckless disregard, the courts could very well hold you legally responsible for what goes on by way of your intentionally unsecured wireless network. And Comcast and all the others under the common carrier umbrella won't give a single damn. (In fact, most would simply terminate your account for various TOS violations.)
In a civilized society, you are responsible for your actions.
Wrong. Comcast is a business, and their business is transmitting information. That makes them a common carrier. The twitiot who wrote the article isn't in that business, and his TOS says that he can't use it that way. That means that he isn't a common carrier, can't use their protections and that if it gets to court, Comcast will not only not help him, they'll be doing everything they can to help the other side.
Good, inexpensive web hosting
If you don't have a log in the first place, you have nothing to turn over to the feds
Well, not necessarily. If there were some kind of lawsuit, and the Feds (or RIAA, or whoever) made a demand along these lines in discovery, I doubt you could get rid of them simply by saying, "Nope, I don't keep logs. Take my word for it." They'd probably petition the court to order you to turn your computer over to them so that they can check for themselves (as if you couldn't destroy such logs). The side with the more expensive lawyers -- i.e., them -- probably wins that argument.
OK, but what about somebody who was genuinely ignorant of encryption? Some Joe Schmoe who just went to Best Buy, bought a wireless router, subscribed to some broadband service, turned it on and never thought about it again? How can you tell the difference between intentionally and unintentionally unsecured networks?
They will never stop until somebody makes the
Actually it sounds like he's part of freenet.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
No he is innocent until proven guilty. If you are accused of a crime you do not have to know who did it to get off the hook.
If you download illegal content in a library, is the librarian on the hook if she can't point at you?
At work or university you can probably put a laptop with a fake MAC address on the network and download your illegal stuff. Is the CEO or dean on the hook?
In a decaying society, you are responsible for everyone else's actions.
Fixt
I am NOT a number! I am a - oh wait, I'm number 761710. Look! 761710!
I think you're wrong. This is no different than leaving your front door unlocked. If someone enters your house without your permission and shoots somebody from inside it, you cannot be held liable for "reckless disregard".
In the USA you should be free to assume that somebody will not break the law. Assuming people will break the law is very, very dangerous, and has cost us many of our freedoms through "preemptive legislation" like license plates, innumerable searches without probable cause (travel lately?), and handgun registration.
Nice!
we sure as hell wouldn't want the FBI catching CRIMINALS, because the FBI IS EVIL!
Good measure and judgment is getting thrown out the windows these days, by both sides to make matters worse.
Privacy is a delicate matter. If an ISP logs user activity, it should be clear what they do log and who has access to these logs. I don't mind the FBI, it's their job, but I do mind the RIAA.
The problem is, some people want anonymity ( I know I do) but at what price does it come?
I'm glad the FBI uses logs and other invasion of privacy to catch people affiliated with juvenile prostitution. Think about it, criminals always take great care about privacy, else they'd be caught dead fast.
If you are a legitimate user, your only concern should be WHO looks at your personal data.
We should have been
So much more by now
Too dead inside
To even know the guilt
How can you tell the difference between intentionally and unintentionally unsecured networks?
Well the fact that he wrote this article might be a clue...
In most jurisdictions (in the U.S., at least), you would be held legally liable for failing to properly store your firearm,
It was properly stored; it was in my private residence where nobody is allowed to go! You again are telling me I MUST ASSUME that somebody is going to break the law and I'm responsible for THEIR illegal actions. How can that be? That's very dangerous!
[gestapo voice] YOU ARE NOT ALLOWED TO HAVE THAT [insert anything] BECAUSE SOMEBODY *MIGHT* TAKE IT FROM YOU AND USE IT TO COMMIT A CRIME! [/gestapo voice] The abuses of that logic are endless! Where do they stop?
If you buy something dangerous like a gun, you should be expected to take precautions to prevent its misuse...
I also own a 10" über-sharp Wüsthof kitchen knife, which is "dangerous". If somebody takes it from my house and kills the President, should I go to jail? Do I have to lock up all my forks too? Where does it stop?
If you're so irresponsible as to neglect to install a fence to prevent trespassing neighborhood kids from falling in, then as far as I'm concerned, you have no business building a pool in the first place. Most municipal laws agree on this point as well.
What about the parents? Aren't THEY irresponsible for not preventing their kid from trespassing? Again, you are telling me I'm responsible for the consequences of SOMEBODY ELSE's illegal actions! That's not right!
(But I'll grant you I'd be nuts not to put a fence around a pool, but because it's the right thing to do, not because I'm responsible for the illegal actions of others.)
The problem here is that for some activities, the liability quotient is strict liability, that is, liability without fault. If the material is not stored on his computer, he has no liability. If someone stores kiddie porn on his computer, generally there is no defense available; it's presumed you knew it was there unless you can get a jury to believe you didn't download it. Now whether failing to secure his network makes him liable (or relieves him from liability) is another issue.
Paul Robinson <Postmaster@paul.washington.dc.us>
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
You are a legitimate user. Please send your keys and passwords to the FBI. And the CIA. And the NSC. And your local police. And the lawyers in your town, nearby city, your state capitol. And their accountants. And their psychiatrists. And their priests. And their doctors. What are the chances something bad will happen? You have nothing to hide, and they're all trustworthy, right? And with your passwords and keys so widely distributed, you won't ever get locked out of your car, house or ATM, and you need never remember anything, keychain to wallet. You have achieved total freedom!
"Freedom's just another word
For nothing left to lose"
- Kris Kristofferson, "Me & Bobby McGee"
--
make install -not war
Totally, it's just a bad idea. I guess this guy didn't read the previous slashdot article saying that a guy went to jail for someone hijacking his computer. Basically it ruined his life. If the guy is telling the truth, how many people believe him? I know I have my doubts.
Either way by making yourself insecure like this you are just adding to the many problems of the Internet. Plus you'll have spyware installed on your machine just by surfing to the wrong website, popups like there's no tomorrow. What happens when someone finally writes a malicious virus that destroys your data? I wouldn't feel sorry for you.
Indeed! We, the FBI are not EVIL. We are GOOD. We are the FRIEND you always wished for but never had! We are your best PAL, ever.
Trust us!
You, sir, make a very, very good point!
Since you are, without doubt, a legitimate user of the internet, please provide us with your login and passwords of all your email accounts or any other internet service or tool you might use. Also, can we count on you to promote the use of encryption where we, as part of your trusted government, have the key/password of? It didn't work out the last time we and our pals on the NSA tried it, but with enough help of you and your ilk, we just might succeed, this time.
Thanks for your cooperation, and be sure to distribute our leaflets "Trust your Good Friend the FBI to Do what's Right". Please don't forget to place your name and address on that leaflet, however, because we try to change the law so we can make that obligatory.
To combat CRIMINALS of course, not law-abiding citizens like you!
your friend,
the FBI
--- "To pee or not to pee, that is the question." ---
Most people here are missing the point. The point here is not that the Salon guy isn't honoring his TOS, or any of the other objections I've seen so far. It's that he's being morally irresponsible.
Some have mentioned equivalent scenarios such as leaving your gun in your house, and someone stealing it, and then whether or not you should be liable for the damage they do with it.
The difference here is that the writer of the article isn't like just some shmoe hillbilly or weekend hunter who happens to have a gun. These are ordinary people, with valid (or at least plausible) excuses for not securing their property if a mishap occurs. No, the writer is like a cop, who knows full well what happens when guns get stolen, and yet keeps his gun in plain sight in an unlocked cabinet in his unlocked home.
What is important here is not the ability he has to safeguard his stuff, but the knowledge that he's doing something irresponsible. He's trying to fake an insanity plea. He's an out-and-out liar if he tries to claim that he "just didn't know" someone would use his connection.
The other part is that, as a (I assume) at least semi-educated netizen, he should know that it takes everyone's participation to make things better. If MOST of the people who used wireless networks secured their networks, wardriving wouldn't be such a big hobby. If most of the people who used Windows practiced safe patching, antivirus, antimalware and email techniques, Windows wouldn't be such a big target.
He's shuffling the blame. "Let someone else deal with it," he is saying. That's a combination of irresponsibility and laziness.