Slashdot Mirror
Safe and Insecure?
JoeCotellese writes "Can making your network insecure actually improve your security? That's the question asked in this story running in Salon. The author makes the case that by 'making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.'"
If you make it insecure people might think there's nothing there worth looking at. That's the only reason I can think that could work.
You also have no idea what kind of FTP server your computer has become, what kind of child porn people are downloading, how much spam you're forwarding. This doesn't seem like a very good idea to me.
Karma: pi (Mostly due to circular reasoning in posts).
I'm not deliberately opening my network to hackers and miscreants bent on downloading copyrighted material. I'm simply choosing not to secure it. That's no different from the millions of people who haven't installed anti-virus software and the millions more who don't keep theirs up to date.
But he IS deliberately opening his network to these people:
Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear.
If he didnt have them enabled in the first place, then I might have agreed with his statement, but this is nothing like the "millions of people who havent installed anti-virus software", or the "millions more who don't keep theirs up to date". Those people dont intentionally install said protection and then disable it.
And more important, my ISP has no way to be certain if it's me.
And how is this going to matter? The ISP is renting YOU the connection, so its arguably your own responsability for the traffic passing through it. Your landlord might have something to say if you left your front door open to all who might be passing, and drug dealers take up residence. Id love to see his line rentals terms and conditions, they will amost certainly forbid what this guy is doing (intentionally sharing his connection with third parties).
If it ever comes down to a lawsuit, who can be certain that I was the offender? And can the victim of hacking be held responsible for the hacker's crimes?
Theres no hacking (cracking) going on here, the networks wide open. And there are such laws as accessory to a crime, which if you are doing this wilfully, then Id almost certainly say you were.
I hope this guy took legal advice about this, and about his stance regarding correspondance with Comcast in the future, because from where I can see, he may be on the shakiest legal ground. This article is pretty lame imho.
and people wander in and out. So, it's not my fault that there are 12-year olds drinking 40s on the front porch. No way is it my fault someone's selling crack in the living room, or that someone drowned in the pool.
Ultimately, if you knowingly leave your computer open to mask your own poor behavior, you won't get off, you'll just get busted for all of it, and then get busted for knowingly providing a venue for this.
Disagreed.
It is a fact after you do open your net up there is no way for them to proove that you commited the illegal acts. The fact that you did this opening up by stupidity or on purpose does not change that fact.
They can maybe get you on intent, as it might be argued that you opened up so you can do illegal acts, but that is far fetched.
Code poet, espresso fiend, starter upper.
Not only does he not have the courage to stand up for himself, he's causing trouble for the rest of us. People can use his connection to send out those penis-enlarging e-mails to the rest of us. And as mentioned above, the FBI isn't likely to be amused by his defense if he becomes the hub for a child-porn ring.
"Security through apathy". Yeah, right.
The concept of "stealthing" network ports is due for a retirement party. It was great as a young kid, but it aged at Internet time speed. Now it's overdue for a retirement party.
See, stealthing is the idea of simply not answering the door when somebody unwanted knocks on it, instead of answering "I'm here but I'm not letting you in." which is what happens when a port is "closed" instead.
It was a great idea when port scanners didn't expect it. The idea being if the first request for a connect never gets a negative reply, the scanner will assume there's no computer at that IP and move onto the next possible victim. It worked against the port scanning threats of the time.
However, today's worms aren't so nice. TCP, by its nature, attempts to retry when a connection request is ignored, figuring the packets got lost in the Internet cloud somewhere. However, if you send the "I don't accept that kind of traffic!" message, the attacking server hears that, and that sends the attacker on to its next potential victim with no further waste of your incoming bandwidth.
"Stealth" is the new "Closed". Yeah, it's one of those fashion things where what's cool to do is just what everybody else isn't doing at the moment. So, keep watching, eventually it'll flip back.
> From my point of view, if you design a network solely for the purpose
> of relieving yourself of responsibility for what traverses your network,
> you are pretty much screwed once you get to court.
I dunno about that part. Isn't exactly what the telcos do? They intentionally make zero effort to control the traffic passing across their network, lest they lose common carrier status and become legally liable for everything that happens inside their zone of control.
The questionable part is turning off all logging, even dhcp logs of MAC address-IP pairs. That makes it truly impossible to pass the responsibility off even in theory.
Democrat delenda est
Open or closed, your wireless access point has plausible deniability.
Keeping the connection open just makes it much more convienent to access for the vast majority of people who are doing nothing illegal.
Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear
and then a few paragraphs later:
Don't get me wrong. I'm not deliberately opening my network to hackers and miscreants bent on downloading copyrighted material. I'm simply choosing not to secure it.
Clearly, the author contradicts himself when he first describes exactly how he went about disabling all those security features, and then later stating that he is not deliberately opening his network.
and now a look at tomorrows headlines... Man loans car to crime syndicate.
What could possibly go wrong?
Wrong. It'd be like if a gun owner signed a contract with the gun company saying that anything that happened with said guns is their fault and then left them on the front lawn for all to enjoy.
You may be forgetting all the civil and criminal facilitation laws. The article describes a deliberate attempt to allow unlawful activity and to obscure its source (disabling of all filtering). You may not be able to prove you did the activity, but proving who facilitated it is a snap.
Consider night clubs that "look the other way" on illegal drugs. They get slapped with a criminal facilitation charge.
Up to the point of turning off the logging, you could argue ignorance (by default, most wireless routers ARE wide open, except they log things). As soon as you intentionally create a launch-pad for illegal activities, you are hardpressed in court to prove to a reasonable jury a legitamite purpose (notice I said reasonable, as in reasonable doubt, not "shadow of a doubt," the standard some believe you must achieve but, in fact, don't need to).
Sarcasm and hyperbole are the final refuges for weak minds
Agreed.
However it does not change the fact that:
a. 80%-90% of wireless users never secure their net
b. securing the net require way above technical knowledge
c. even when you think you secured it, it is probably not secure (see built in factory passwords)
d. even if it is the most secure at the moment, it requires constant updating and patching to stay that way
All of the above reasons will stand in a court of law.
Code poet, espresso fiend, starter upper.
>Bacon grease cures heart disease
1. Know a person who has terminal heart disease, and a heart-surgeon who's waiting for a call.
2. Come upon a car accident where a passer-by who happens to be a pathologist or medical examinger is the first on the scene and pronounces the victim; oh, and there's a truck full of food-grade bacon grease involved, but no refrigeration for miles.
3. Convince the pathologist that you know where that heart can go.
4. When the pathologist dissects the heart from the dead guy, pack it in the bacon grease.
5. Transport while paging your friend and his surgeon.
6. ???
7. Say "de nada" when your friend thanks you for the new heart.
So that's where this all came from.
That has nothing to do with security, and may remove some protections you otherwise might have to keep people from breaking into your own computers.
You are looking for lawsuit immunity, which is very different than security. How well that might work is going to depend on when somebody is actually willing to go toe-to-toe against the **AA in court. So far it hasn't happened. They blackmail -- you pay. I don't expect if you just say, "Hey, I had an open Internet connection. Could have been anybody," is going to have them reply, "Oh, sorry, we're dropping our suit immediately." Their case might be weak in court since it would be very hard for them to prove it was actually you unless they served a search warrent against you, siezed your computers, and did forensic analysis on your hard drives and any CD/DVD - R/RW's they got along the way, but that's only after you get to court against their deep-pockets.
Besides, if you do open your connection intentionally, you are probably in violation of the terms of your ISP.
Your argument is essentially the same as any Freenet user has -- and that has yet to be tested as well.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
BUMP...the above about logging is SO TRUE...
/dev/null everything else. Records have a way of getting outed in court, refer to Netscape/M$/MCI cases.
First note to anyone setting up commercial installations is ONLY KEEP WHAT YOU ABSOLUTELY NEED, actively
I helped set up local public library systems and we ensured that no personal information was kept regarding book history, or check out history beyond the confirmation of return. We do track how many times and for what duration a book is out, but not who had it beyond the most current user, assuming the book is in fact out, if it is checked-in there is no user associated data kept. If the FBI under the guise of keeping us free from terrorism wants to know, we can tell them that the anarchist's cookbook gets LOTS of out time, and who currently has it but not what that person had prior or any sort of user history for a particiular subject, just the bare data that is required to maintain a good inventory of books and cut loose the dead weight that doesn't get used...
errr....umm...*whooosh* *whoosh* Is this thing on ?
Negligent of what?
Is it against the law for him to share his internet connection?
Is he required to be "his brother's keeper" and monitor everyone that uses it?
IMHO, the only issue is between him and his provider and the TOS... if it is OK with the provider, that is all that matters.
You are not required to keep your neighbor from breaking the law.
Now... if this keeps some "big brother" from being able to accurately determine who is doing what... well... I say bravo. Added benefit.
--Phillip
Can you say BIRTH TAX
As you would be acting with wreckless disreguard, the courts could very well hold you legally responsible for what goes on by way of your intentionally unsecured wireless network.
Do you have any case law references to backup this statement?
I don't know. I understand that the author is going for privacy at the expense of security, but this seems like the same logic employed by the person I heard about who had 6 deadbolts installed on their door and randomly locked only 3 of them--he figured a burglar would try to turn the bolt in all 6, thereby leaving several locked at any one time. His legal trouble is just going to smash the window and climb in.
I think all Joel is doing is setting himself up for the high-tech equivalent of a attractive nuisance suit.
What does it take to get common carrier status? I sure ain't no lawyer (ISANL) but I'd have a hard time believing that the size of your "customer" base makes a difference.
If he's responsible for the conduct of the people using his traffic then every free community wireless access service should be very afraid. Yet they appear to be thriving.
TW
I remember looking into this issue when I was with speakeasy, they very clearly stated that anything going though your connection is your responsibility, so while the cops may have a harder time dragging you into court on _______ charges, your ISP will probably have no problem at all dropping you like a hot potato.
On a side note I use megapath now and am much, much happier (though I'm sure the TOS regarding this kind of thing is the same, they just have better service...)
closed minded is as closed minded does
"Very carefully"
It'll obviously come down to the individual case and circumstances. For example, nobody would would beleive my attempt to use such a defense. But it'd be an easy sell for my parents or sister. AND, you only get to use this defense once; after that, you damn well better be able to show that you've at least tried to secure your network.
In the specific case pointed out in the article, he has taken clearly evident steps to permit (or _aid_) illegal activities... he turned off the DHCP server's logs. Beyond that, the AP is basically "out of the box". That's merely stupid -- if accessing your *new* wireless network is as simple as taking out of the box and your laptop starts using it without any configuration from you, why can't you understand it'll be that easy for anyone within radio range?
I've had a lawyer in a previous company tell us _not_ to moderate our discussion forums; and only act if there's someone complains. He said if we moderate the content we become more liable.
I recently went to Panera Bread with my laptop so I could use their wireless internet connection. At first I did not have access. I found the wireless network, but could not check my email using POP. Then I opened a web browser, a web page came up from Panera Bread asking me to agree to some legal document. I clicked on accept, and then I had full access to the internet.
If this guy had the same setup, would he be legally responsible?
...contract (civil) law and criminal law? Your ISP will cut you off in about .02 secs flat if you violate your ToS, and if someone else has had access to it, you have. No and, ifs or buts. Unless your ISP would like to argue that you deliberately or grossly negligently (people are so computer illiterate, it doesn't even exit) broke the terms, they have no case.
You rented a car, the car got stolen? You don't get sued for violating the contract saying you couldn't turn it over to anyone else (you might have to pay for the car/insurance, but that's in their contract, not a violation of it).
Criminal law is a different matter. You either have to commit, be an accessory to or facilitator of the crime. Normally you could have trouble by being grossly neglient, like having an unsecured well, but again: People are so computer illiterate it won't fly.
To qualify as an accessory or facilitator of, you'd have to either actively contribute or actively avoid knowing about it. Here's the clue-by-four: Electronic communication is invisible. People have tons of spyware, viruses, open relays and so on. Open wireless is just one more type.
The ignorance defence works. Where I think it'll fall down is if you try to use it as a cover for committing crimes yourself. For anyone to care about your claim that wardrivers/aliens/gremlins did it, they'd have to actually look at your setup.
And if they got to that point, they'd probably recover more than enough information from your hard drive to take you down hook, line and sinker. Unless you do religious encryption, wiping and so on, in which case they'll slam your ass for details because "he probably deserves a lot more".
So if they're going after you based on IP address alone and you want to bluff (note: Falsifying evidence, perjury are serious crimes), install an open wireless afterwards. If you're doing something bad enough the FBI raids your ass and examines your computer, it won't do you any good anyway.
What have you gained by opening it up now? As far as I can tell, nothing more than the good chance your ISP will cut you off, or the FBI raid your ass based on what someone else has been doing. I'd rather take my chances as a casual pirate than a casual pirate whose wireless network was used to release kiddie porn or the latest windows worm, all things considered...
Kjella
Live today, because you never know what tomorrow brings
I can just see the lawsuits against the wireless router makers also. Things like where was the warning sticker, why didn't they make me have a license like with a gun or car if I could be responsible for this much trouble... etc...
Seriously, for anything else with this kind of possible liability, there is licensing, multiple warning labels and required training so that Joe Shmoe KNOWS the dangers. I think that opening that kind of regulation on wireless access points will be faught pretty hard by hardware makers.
Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
If you are providing wireless network access for your neighborhood, houseguests, or even patrons in your restaurant, then you are a carrier and protected. Just in case you were not sure, IANAL.
So the question really is if you are in violation of your Terms of Service or not. My experience has been that most cable Internet providers restrict your usage to you and your household - no operating servers (e-mail, web, etc.) This is because of the shared bandwidth nature (bus topology) of the connection. If you are consuming mass quantities, then your neighbor's connection slows down. Same is true of most satellite systems. I am sure there are some satellite and cable ISP's that offer guaranteed bandwidth, so obviously they are the exception to my comments.
xDSL on the other hand is guaranteed bandwidth (star topology). In essence you have a dedicated pipe between you and the central office. Granted if you could consume all the bandwidth at the CO then you would slow everyone else down, which is why they throttle you and have a really fat pipe there. Now xDSL typically allows servers and other activities that could result in greater bandwidth consumption because you cannot degrade the performance of your neighbors connection.
So to sum up, it would seem that this strategy would work to defray suits from MPAA, RIAA, etc., and if you were running xDSL it may even be allowed under your TOS. But, your TOS probably says you are responsible for anything that goes over your pipe. This means you are responsible to your ISP, not to anyone else. So if your ISP says "Hey, you can't do that!" then they might pull your plug. It would seem to me that loosing your ISP and having to switch to one of the competitors would be much less of a inconvenience then being sued by RIAA, MPAA, SCO, etc.
Bottom line, if you think there is a chance that incriminating traffic might take place on your connection (by you or someone else) then you may improve your odds of claiming it wasn't you by adopting this strategy. But when you are trying to download game patches or some other large download, and it is taking a lot longer then you expected, remember that is the price you pay for freedom in this country.
What you need is a router that provides bandwidth priority to some connections and not others (I forget the term), and also that partitions the public portion of your personal network off from the private portion. And instead of claiming ignorance, claim you are a nice guy who just wants to help out your neighbors, houseguests or restaurant patrons.
This is in no way an endorsment or advocation for any of the actions outlined in this comment, the comments of others, or the original news post. It is just an observation.
"Anything is possible with enough programmers, time and pizza." (Substitute caffeine for time as needed.)
Doing it deliberately in order to facilitate others to do illegal things is not going to save you in court.
He isn't doing it deliberately to facilitate illegal things. For that to be true, he would have to have some prior knowledge that illegal activities were to take place and have taken actions to facilitate them. Instead, he took actions such that if someone were to take illegal actions, he would have less responsibility. He is neither condoning nor encouraging illegal activities, not is he aware of any activities that are happening. So he would be saving himself from court problems.
Learn to love Alaska
Many of the arguments people are applying to this guy could also apply to freenet--that running an unsecured wireless point or a freenet node could both be construed as facilitating a crime. In both cases, it's letting someone else use your bandwidth resources.
> Privacy is a delicate matter. If a ISP logs user activity, it should be clear what they do log and who has access to these logs. I don't mind the FBI, it's their job, but I do mind the RIAA. ... If you are a legitimate user, your only concern should be WHO looks at your personal data.
I was alive when President Richard Nixon was actively using the FBI, with the Director's cooperation, as a tool to collect information on and harass "enemies".
Yes, you certainly should be concerned with WHO, but don't think for a second that just because they're the FBI (or any other supposedly respectable TLA gov't agency) that abuses haven't and can't again happen, especially in these more paranoid times.
Yes, the same laws apply. However, just because he allows people to use his bandwidth doesn't mean he's a common carrier. In order to become one he has to satisfy certain legal requirements, such as being in the business of providing communications. Not only isn't he in such a business, his TOS certainly forbids his using his personal account in such a way. He isn't a common carrier, and can't become one just by letting anybody that wants to use his network.
Good, inexpensive web hosting
You're ignoring the fact that he's published what he's done and why -- an element I specifically pointed out.
How did he conspire with the guy in a van? He just told the guy, on a major media website, that he's deliberately disabled everything that might assist in the guy's capture. There's nothing in conspiracy law that requires the communication to be secret.
Now, he says, "I'm not deliberately opening my network to hackers and miscreants bent on downloading copyrighted material. I'm simply choosing not to secure it."
However, that's blatantly false. He said he "turned off all the security features of [his] wireless router", not never secured it. He said he did this so that he has "no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address," which shows he clearly contemplated people using it illegally.
Now, if he'd not published, then he'd have plausible deniability. But as it stands now, no, he doesn't have a shred of deniability. All one has to do is enter his Salon article into evidence.
It is not acting in reckless disregard, the legal term you are looking for is "attractive nuisance."
For an example, lets say you have a swimming pool. You put up a fence keep the gate locked. You post signs saying "danger, no lifeguard." You chase away all the neighbor hood kids when they come around, but one climbs in late at night and drowns. You are at fault.
The author of this article has shown himself to be a sophisticated technical consumer. Someone who knows what they are doing. By choosing _not_ to protect access to his line he is acting in a negligent manner and his open AP could be considered an attractive nuisance.
Actually, the defence brought by the author is exactly the same as is done with Freenet (see a recent /. article about Freenet&paypal). Only, Freenet does it much, much safer.
Strange, I don't see many replies here crying faul and shouting that it is 'supporting childporn'. What? Keeping no log will provide a safehaven for all those myriads of baby-rapists out there, no?
Ah well...maybe one should forbid that too, then. And wile we're at it, all 'hot spots' should be forbidden too.
Shows how absurd those arguments were.
And furthermore, those people that claim that ISPs, as a carrier, have protections while we have not, don't know what they are talking about. If you use your puter/server as a carrier, then, by definition, you fall under the same protections (at least where I live). There is nothing in the law that says end-users can't have carrier-protection when they act as a carrier, but companies can.
You could still be violating your TOS, however, that is true. Though, it should be noted that some ISPs allow it, and in any case, a TOS-violation isn't that big a deal within a free market-economy where ISPs battle for marketshare.
--- "To pee or not to pee, that is the question." ---
No, he isn't a service provider, because he has no legal right to allow others to use that bandwidth. All he's doing is allowing others to steal bandwidth or use an IP they're not entitled to and that in iteslf doesn't make him a service provider. You have to meet certain legal requirements, and he's done nothing of the sort. All the law you cite refers to, btw, is the liability restrictions on a service provider and says nothing about what you have to do to be one.
Good, inexpensive web hosting