Safe and Insecure?
JoeCotellese writes "Can making your network insecure actually improve your security? That's the question asked in this story running in Salon. The author makes the case that by 'making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.'"
Bacon grease cures heart disease!
Unknown host pong.
"Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear. Now, anyone with a wireless card and a sniffer who happens by can use my connection to access the Internet. And with DHCP logging turned off, there's really no way to know who's using it."
I'd have read the whole thing, but I was morally repelled by the salon.com ad policy. Anyway, this concept seems to be some perverted cousin of "security by obscurity" -- only this has less to do with protecting your security and more to do with having a way out when someone comes knocking on your door.
Unfortunately, I think this only applies when you *don't do it on purpose*. From my point of view, if you design a network solely for the purpose of relieving yourself of responsibility for what traverses your network, you are pretty much screwed once you get to court. This reeks of the "I accidentally did it on purpose" defense, and isn't likely to fly with any judge that has even a portion of a clue.
dmiessler.com -- grep understanding knowledge
That's not improving your security. That's improving your privacy (via anonymity) at the expense of your security.
Or am I the only one who has terms and conditions which say that I am responsible for everything that passes over my connection?
Wishing something doesn't make it so.
Somebody forgot to read the TOS of their ISP... because absolutely every ISP out there has something to this effect in their TOS: As the person who pays the bill, you're responsible for keeping the Internet connection you're buying to yourself and people who you trust with it. The reason why they're warning you to do that is because if you allow your connection to fall into "enemy hands", the usage that goes over your wire will be
By choosing to run the "notoriously vulnerable technology", as the author admitted in his confession letter, he admitted that he knowingly chose a piece of technology that could be exploited yielding his internet equipment making a request on behalf of somebody unknown. That's nice... you just gave that unknown person the gift of a liability shield at your expense.
As I just posted last thread, anonymity these days is really achieved by somebody else who had the chance to know who you are intentionally failing notice or promising not to tell. The thing is, that other person is taking on the liability for what you do.
How nice of you to pay his MPAA/RIAA verdict bill for him, you'll be a hero to copyright pirates everywhere. I'm sure they'll be excited to learn there's still people dumb enough to fall for this trick still out there.
You also have no idea what kind of FTP server your computer has become, what kind of child porn people are downloading, how much spam you're forwarding. This doesn't seem like a very good idea to me.
Karma: pi (Mostly due to circular reasoning in posts).
Sounds like a Zen master was smoking some weed and found a network administrator manual to read to pass the time while his friend ran down to the 7-11 for munchies.
I never know who might get shot or when! And the police would never find out if it was me doing the shooting!!
This is brilliant. I'm in total awe.
It is doubtful you could qualify as a type of common carrier. If anything, you may increase your odds of being liable because you may be held responsible for what others do on your connection.
It would be interesting to see how this would play out. The closest analogy I can think of would be automobiles. If you allowed someone else to use your car, you may be held liable for damages they cause while they are driving it. As far as criminal activity, you may be targeted if your car is identified as taking part in a crime, though you have a pretty good chance of being found innocent if you can prove you weren't driving the car.
Not perfect, but close. The idea sounds good though.
62,400 repetitions make one truth -- Brave New World, Aldous Huxley
First: great link! I get to see some awesome 30 second PBS commercial.
Second: stupid f'en idea
In a word, privacy. By making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.
But since you're liable for everything that goes through your connection, you're fucked if something really bad does happen from your IP. That whole article sounds like it was written by some 14 year old. God... the logic employed in that article is truly amazing!
Casual Games/Downloads
Is to run a public AP. /. does the same thing, they refuse to log so that the logs cannot be used to incriminate people.
A public AP turns you into a transport provider instead of a liable agent. No one is going to go after the library for what offenses are caused there because they merely provide transit. Yeah your ISP will still disconnect you but you will stay out of jail.
Salon is talking about networks open by design, not insecure networks.
There's a huge difference in implementation, and also when speaking of liability and your situation in the eyes of the law.
I'm not a lawyer, so I'll hold off from saying more.
RD
Too bad that has nothing to do with security or insecurity...more like stupidity.
Second, forgetting that your name is still on the bill for that ISP, and that in all likelihood (see your ISP TOS) that makes you liable for what happens over your line.
Here's what I do: Bitty Browser & Andromeda
I'm not deliberately opening my network to hackers and miscreants bent on downloading copyrighted material. I'm simply choosing not to secure it. That's no different from the millions of people who haven't installed anti-virus software and the millions more who don't keep theirs up to date.
But he IS deliberately opening his network to these people:
Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear.
If he didn't have them enabled in the first place, then I might have agreed with his statement, but this is nothing like the "millions of people who haven't installed anti-virus software", or the "millions more who don't keep theirs up to date". Those people don't intentionally install said protection and then disable it.
And more important, my ISP has no way to be certain if it's me.
And how is this going to matter? The ISP is renting YOU the connection, so it's arguably your own responsibility for the traffic passing through it. Your landlord might have something to say if you left your front door open to all who might be passing, and drug dealers take up residence. I'd love to see his line rental's terms and conditions, they will almost certainly forbid what this guy is doing (intentionally sharing his connection with third parties).
If it ever comes down to a lawsuit, who can be certain that I was the offender? And can the victim of hacking be held responsible for the hacker's crimes?
There's no hacking (cracking) going on here, the network's wide open. And there are such laws as accessory to a crime, which if you are doing this wilfully, then I'd almost certainly say you were.
I hope this guy took legal advice about this, and about his stance regarding correspondence with Comcast in the future, because from where I can see, he may be on the shakiest legal ground. This article is pretty lame imho.
and people wander in and out. So, it's not my fault that there are 12-year olds drinking 40s on the front porch. No way is it my fault someone's selling crack in the living room, or that someone drowned in the pool.
Ultimately, if you knowingly leave your computer open to mask your own poor behavior, you won't get off, you'll just get busted for all of it, and then get busted for knowingly providing a venue for this.
This might hold up if he were called on it. Where I live you're better off not shovelling your walk in winter rather than shovelling it imperfectly. If you let people trip and fall because you didn't shovel it's a natural condition and not on your property (the city owns the sidewalk). If you do shovel and an icy patch develops, you're liable because you created the dangerous conditions.
I shovel and salt to try to make it safer and damn the liability.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
It works until a really malicious guy secures up your wireless access point, just before you get busted...
Not only does he not have the courage to stand up for himself, he's causing trouble for the rest of us. People can use his connection to send out those penis-enlarging e-mails to the rest of us. And as mentioned above, the FBI isn't likely to be amused by his defense if he becomes the hub for a child-porn ring.
"Security through apathy". Yeah, right.
The concept of "stealthing" network ports is due for a retirement party. It was great as a young kid, but it aged at Internet time speed. Now it's overdue for a retirement party.
See, stealthing is the idea of simply not answering the door when somebody unwanted knocks on it, instead of answering "I'm here but I'm not letting you in." which is what happens when a port is "closed" instead.
It was a great idea when port scanners didn't expect it. The idea being if the first request for a connect never gets a negative reply, the scanner will assume there's no computer at that IP and move onto the next possible victim. It worked against the port scanning threats of the time.
However, today's worms aren't so nice. TCP, by its nature, attempts to retry when a connection request is ignored, figuring the packets got lost in the Internet cloud somewhere. However, if you send the "I don't accept that kind of traffic!" message, the attacking server hears that, and that sends the attacker on to its next potential victim with no further waste of your incoming bandwidth.
"Stealth" is the new "Closed". Yeah, it's one of those fashion things where what's cool to do is just what everybody else isn't doing at the moment. So, keep watching, eventually it'll flip back.
OK, now let's make a substitution:
"by making my gun available to any and all who happen upon it, I have no way to be certain who will be shot by other people using my gun. And more important, the police have no way to be certain if it's me."
Please help metamoderate.
Yes, in the same way that lighting yourself on fire will (eventually) make you impervious to flames! The fact that you will be a smoking pile of ashes would be a drawback however.
I Am My Own Worst Enemy
Notice that Speakeasy encourages you to share the bandwidth and also share the bill. Suddenly your WiFi leech is now a party to your ISP agreement. :)
Open or closed, your wireless access point has plausible deniability.
Keeping the connection open just makes it much more convenient to access for the vast majority of people who are doing nothing illegal.
Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear
and then a few paragraphs later:
Don't get me wrong. I'm not deliberately opening my network to hackers and miscreants bent on downloading copyrighted material. I'm simply choosing not to secure it.
Clearly, the author contradicts himself when he first describes exactly how he went about disabling all those security features, and then later states that he is not deliberately opening his network.
If it ever comes down to a lawsuit, who can be certain that I was the offender? And can the victim of hacking be held responsible for the hacker's crimes?
Yes, your Honor, the police found a girl's dead body in the trunk of my car, but then, I leave the doors open and the key in the ignition all the time, so how can you be certain it was me?
Come on, this must be a joke...
This has got to be the most screwed up article I've read in a long time... I mean, where to begin?
Are people so desperate when it comes to computer security these days they're willing to commit suicide like this? His problem in the first place was with his ISP, so why not switch to a different one instead of applying his brand of twisted logic?
Seems like a pyrrhic victory if you ask me. He may be safe from lawsuits from his ISP, which he should have stopped using in the first place, but all the while his systems are open to whoever wants to use them for launching attacks, running little spam operations, you name it... It's not being smart, it's just being irresponsible and letting the rest of us suffer the consequences.
This is a problem for Comcast, not us.
$ wget -O - http://www.salon.com/tech/feature/2004/05/18/safe_and_insecure/index.html | sendmail abuse@comcast.net
Let me get this straight...
I won't get hacked because I leave my computers open to hackers?
Perhaps he's hoping that real hackers (not crackers/pirates) will see him as the lame dipstick he is, take pity on him and leave him alone, to move on to more challenging hacking...
Unfortunately, I think this only applies when you *don't do it on purpose*. From my point of view, if you design a network solely for the purpose of relieving yourself of responsibility for what traverses your network, you are pretty much screwed once you get to court.
The prosecution must prove that you committed a crime, not that you tried to make their job difficult. They can't convict you for something just because you tried to obfuscate your actions or gain plausible deniability.
As the article title says, "safe and insecure." The author has decreased the risk he faces from lawsuits launched by the RIAA, MPAA, BSA, SPA, etc., in exchange for reduced network security.
Where he is in grave danger is from his ISP, which could cancel his account in a moment should they get a DMCA complaint, spam complaint, hacking complaint, DoS complaint, or virus complaint tied to his IP address. The courts have to give him due process. His ISP does not.
"...my ISP has no way to be certain if it's me.'"
But they will have no problem holding you accountable by the terms of usage agreement.
End of discussion.
The next remark is false. The previous remark is true.
So that's where this all came from.
That has nothing to do with security, and may remove some protections you otherwise might have to keep people from breaking into your own computers.
You are looking for lawsuit immunity, which is very different than security. How well that might work is going to depend on when somebody is actually willing to go toe-to-toe against the **AA in court. So far it hasn't happened. They blackmail -- you pay. I don't expect if you just say, "Hey, I had an open Internet connection. Could have been anybody," is going to have them reply, "Oh, sorry, we're dropping our suit immediately." Their case might be weak in court since it would be very hard for them to prove it was actually you unless they served a search warrant against you, seized your computers, and did forensic analysis on your hard drives and any CD/DVD - R/RW's they got along the way, but that's only after you get to court against their deep-pockets.
Besides, if you do open your connection intentionally, you are probably in violation of the terms of your ISP.
Your argument is essentially the same as any Freenet user has -- and that has yet to be tested as well.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I think that we just found our second winner for (sure lets call it) the Spinder Award ("a person who makes a good effort at removing themselves from the Internet"). I am sure that some Comcast tech is trying to track him down as I type. Can you say Terms Of Service, (I knew you could).
The grass is only greener, if you don't take care of your own lawn.
I don't know. I understand that the author is going for privacy at the expense of security, but this seems like the same logic employed by the person I heard about who had 6 deadbolts installed on their door and randomly locked only 3 of them--he figured a burglar would try to turn the bolt in all 6, thereby leaving several locked at any one time. His legal trouble is just going to smash the window and climb in.
I think all Joel is doing is setting himself up for the high-tech equivalent of an attractive nuisance suit.
I put up with the advert - actually I made some coffee while it was on.
... except him.
The guy says that he's done this so that if his ISP ever accuses him of downloading illegal stuff, he can say "my connection was not secure; it could have been anybody". The fact is, he's posted an article on a publicly available site which tells everybody that he is doing this deliberately. "Well", says the ISP, "you are too stupid to have an internet connection". Snip go the scissors on his line. If this is not in their terms of service, I'm sure they can withdraw it with just a little financial compensation e.g. refund a couple of months of fees. But basically, they will not want anybody who exhibits such deliberate antisocial behaviour as a customer. (Antisocial because, for instance, a spammer could use his connection to send spam).
He's doing this so he can tell the ISP that it's not his fault if they detect somebody from his IP downloading illegal stuff. He has neglected the fact that if his connection was secure, nobody would be able to download illegal stuff from his IP...
hmmmmmmm.....
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
...contract (civil) law and criminal law? Your ISP will cut you off in about .02 secs flat if you violate your ToS, and if someone else has had access to it, you have. No ands, ifs or buts. Unless your ISP would like to argue that you deliberately or grossly negligently (people are so computer illiterate, it doesn't even exit) broke the terms, they have no case.
You rented a car, the car got stolen? You don't get sued for violating the contract saying you couldn't turn it over to anyone else (you might have to pay for the car/insurance, but that's in their contract, not a violation of it).
Criminal law is a different matter. You either have to commit, be an accessory to or facilitator of the crime. Normally you could have trouble by being grossly negligent, like having an unsecured well, but again: People are so computer illiterate it won't fly.
To qualify as an accessory or facilitator of, you'd have to either actively contribute or actively avoid knowing about it. Here's the clue-by-four: Electronic communication is invisible. People have tons of spyware, viruses, open relays and so on. Open wireless is just one more type.
The ignorance defence works. Where I think it'll fall down is if you try to use it as a cover for committing crimes yourself. For anyone to care about your claim that wardrivers/aliens/gremlins did it, they'd have to actually look at your setup.
And if they got to that point, they'd probably recover more than enough information from your hard drive to take you down hook, line and sinker. Unless you do religious encryption, wiping and so on, in which case they'll slam your ass for details because "he probably deserves a lot more".
So if they're going after you based on IP address alone and you want to bluff (note: Falsifying evidence, perjury are serious crimes), install an open wireless afterwards. If you're doing something bad enough the FBI raids your ass and examines your computer, it won't do you any good anyway.
What have you gained by opening it up now? As far as I can tell, nothing more than the good chance your ISP will cut you off, or the FBI raid your ass based on what someone else has been doing. I'd rather take my chances as a casual pirate than a casual pirate whose wireless network was used to release kiddie porn or the latest windows worm, all things considered...
Kjella
Live today, because you never know what tomorrow brings
If you loan your car to a friend and they kill someone, you're liable
Rubbish. The only person liable is the driver, not the owner (provided I had no reason to believe that they would do that if I lent it to them). That's like saying if I kill someone in my car you can prosecute the car dealer who sold it to me, or the manufacturer who made it.
---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
The problem here is that for some activities, the liability quotient is strict liability, that is, liability without fault. If the material is not stored on his computer, he has no liability. If someone stores kiddie porn on his computer, generally there is no defense available; it's presumed you knew it was there unless you can get a jury to believe you didn't download it. Now whether failing to secure his network makes him liable (or relieves him from liability) is another issue.
Paul Robinson <Postmaster@paul.washington.dc.us>
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
You are a legitimate user. Please send your keys and passwords to the FBI. And the CIA. And the NSC. And your local police. And the lawyers in your town, nearby city, your state capitol. And their accountants. And their psychiatrists. And their priests. And their doctors. What are the chances something bad will happen? You have nothing to hide, and they're all trustworthy, right? And with your passwords and keys so widely distributed, you won't ever get locked out of your car, house or ATM, and you need never remember anything, keychain to wallet. You have achieved total freedom!
"Freedom's just another word
For nothing left to lose"
- Kris Kristofferson, "Me & Bobby McGee"
--
make install -not war
It is not acting in reckless disregard, the legal term you are looking for is "attractive nuisance."
For an example, let's say you have a swimming pool. You put up a fence, keep the gate locked. You post signs saying "danger, no lifeguard." You chase away all the neighborhood kids when they come around, but one climbs in late at night and drowns. You are at fault.
The author of this article has shown himself to be a sophisticated technical consumer. Someone who knows what they are doing. By choosing _not_ to protect access to his line he is acting in a negligent manner and his open AP could be considered an attractive nuisance.
Actually, the defence brought by the author is exactly the same as is done with Freenet (see a recent /. article about Freenet&paypal). Only, Freenet does it much, much safer.
Strange, I don't see many replies here crying foul and shouting that it is 'supporting childporn'. What? Keeping no log will provide a safehaven for all those myriads of baby-rapists out there, no?
Ah well...maybe one should forbid that too, then. And while we're at it, all 'hot spots' should be forbidden too.
Shows how absurd those arguments were.
And furthermore, those people that claim that ISPs, as a carrier, have protections while we have not, don't know what they are talking about. If you use your puter/server as a carrier, then, by definition, you fall under the same protections (at least where I live). There is nothing in the law that says end-users can't have carrier-protection when they act as a carrier, but companies can.
You could still be violating your TOS, however, that is true. Though, it should be noted that some ISPs allow it, and in any case, a TOS-violation isn't that big a deal within a free market-economy where ISPs battle for marketshare.
--- "To pee or not to pee, that is the question." ---
Indeed! We, the FBI are not EVIL. We are GOOD. We are the FRIEND you always wished for but never had! We are your best PAL, ever.
Trust us!
You, sir, make a very, very good point!
Since you are, without doubt, a legitimate user of the internet, please provide us with your login and passwords of all your email accounts or any other internet service or tool you might use. Also, can we count on you to promote the use of encryption where we, as part of your trusted government, have the key/password of? It didn't work out the last time we and our pals on the NSA tried it, but with enough help of you and your ilk, we just might succeed, this time.
Thanks for your cooperation, and be sure to distribute our leaflets "Trust your Good Friend the FBI to Do what's Right". Please don't forget to place your name and address on that leaflet, however, because we try to change the law so we can make that obligatory.
To combat CRIMINALS of course, not law-abiding citizens like you!
your friend,
the FBI
--- "To pee or not to pee, that is the question." ---
Most people here are missing the point. The point here is not that the Salon guy isn't honoring his TOS, or any of the other objections I've seen so far. It's that he's being morally irresponsible.
Some have mentioned equivalent scenarios such as leaving your gun in your house, and someone stealing it, and then whether or not you should be liable for the damage they do with it.
The difference here is that the writer of the article isn't like just some shmoe hillbilly or weekend hunter who happens to have a gun. These are ordinary people, with valid (or at least plausible) excuses for not securing their property if a mishap occurs. No, the writer is like a cop, who knows full well what happens when guns get stolen, and yet keeps his gun in plain sight in an unlocked cabinet in his unlocked home.
What is important here is not the ability he has to safeguard his stuff, but the knowledge that he's doing something irresponsible. He's trying to fake an insanity plea. He's an out-and-out liar if he tries to claim that he "just didn't know" someone would use his connection.
The other part is that, as a (I assume) at least semi-educated netizen, he should know that it takes everyone's participation to make things better. If MOST of the people who used wireless networks secured their networks, wardriving wouldn't be such a big hobby. If most of the people who used Windows practiced safe patching, antivirus, antimalware and email techniques, Windows wouldn't be such a big target.
He's shuffling the blame. "Let someone else deal with it," he is saying. That's a combination of irresponsibility and laziness.