Safe and Insecure?

JoeCotellese writes "Can making your network insecure actually improve your security? That's the question asked in this story running in Salon. The author makes the case that by 'making my Internet connection available to any and all who happen upon it, I have no way to be certain what kinds of songs, movies and pictures will be downloaded by other people using my IP address. And more important, my ISP has no way to be certain if it's me.'"

In related news...

[k4_pacific]

Bacon grease cures heart disease!

Re:In related news...

[Total_Wimp]

Nope, this is the genuine artical. This guy is so dead on it's not even funny. How do you think Comcast avoides being put out of business if someone should use their connection to download illegal materials? Answer: "your honor, we're just the pipe. We let others actualy use it. We have no idea what goes on in that pipe that we rent out."

This guy is behaving just like Comcast. He's the pipe and he doesn't know what goes on in that pipe. Unless the Judge were to determine that the pipe owner is responsible (and Comcast will certainly help him fight _that_ kind of fight) then he's ok.

BTW, he also said he turned off logging. In many, many cases, there is no law that says you have to log, but there is a law that says you can't destroy evidence you alread poses. If you don't have a log in the first place, you have nothing to turn over to the feds and you have no evidence to destroy. I think that's a big step closer to true freedom.

TW

Re:In related news...

[Archfeld]

BUMP...the above about logging is SO TRUE...

First note to anyone setting up commercial installations is ONLY KEEP WHAT YOU ABSOLUTELY NEED, actively /dev/null everything else. Records have a way of getting outed in court, refer to Netscape/M$/MCI cases.

I helped set up local public library systems and we ensured that no personal information was kept regarding book history, or check out history beyond the confirmation of return. We do track how many times and for what duration a book is out, but not who had it beyond the most current user, assuming the book is in fact out, if it is checked-in there is no user associated data kept. If the FBI under the guise of keeping us free from terrorism wants to know, we can tell them that the anarchist's cookbook gets LOTS of out time, and who currently has it but not what that person had prior or any sort of user history for a particiular subject, just the bare data that is required to maintain a good inventory of books and cut loose the dead weight that doesn't get used...

Re:In related news...

[computersareevil]

I think you're wrong. This is no different than leaving your front door unlocked. If someone enters you house without your permission and shoots somebody from inside it, you can not be held liable for "wreckless disregard".

In the USA you should be free to assume that somebody will not break the law. Assuming people will break the law is very, very dangerous, and has cost us many of our freedoms through "preemptive legislation" like license plates, inummerable searches without probable cause (travel lately?), and handgun registration.

Re:In related news...

[computersareevil]

In most jurisdictions (in the U.S., at least), you would be held legally liable for failing to properly store your firearm,

It was properly stored; it was in my private residence where nobody is allowed to go! You again are telling me I MUST ASSUME that somebody is going to break the law and I'm responsible for THEIR illegal actions. How can that be? That's very dangerous!

[gestapo voice] YOU ARE NOT ALLOWED TO HAVE THAT [insert anything] BECAUSE SOMEBODY *MIGHT* TAKE IT FROM YOU AND USE IT TO COMMIT A CRIME! [/gestapo voice] The abuses of that logic are endless! Where do they stop?

If you buy something dangerous like a gun, you should be expected to take precautions to prevent its misuse...

I also own a 10" über-sharp Wüsthof kitchen knife, which is "dangerous". If somebody takes it from my house and kills the President, should I go to jail? Do I have to lock up all my forks too? Where does it stop?

If you're so irresponsible as to neglect to install a fence to prevent trespassing neighborhood kids from falling in, then as far as I'm concerned, you have no business building a pool in the first place. Most municipal laws agree on this point as well.

What about the parents? Aren't THEY irresponsible for not preventing their kid from trespassing? Again, you are telling me I'm responsible for the consequences of SOMEBODY ELSE's illegal actions! That's not right!

(But I'll grant you I'd be nuts not to put a fence around a pool, but because it's the right thing to do, not because I'm responsible for the illegal actions of others.)

Not likely to fly...

[danielrm26]

"Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear. Now, anyone with a wireless card and a sniffer who happens by can use my connection to access the Internet. And with DHCP logging turned off, there's really no way to know who's using it."

I'd have read the whole thing, but I was morally repelled by the salon.com ad policy. Anyway, this concept seems to be some perverted cousin of "security by obscurity" -- only this has less to do with protecting your security and more to do with having a way out when someone comes knocking on your door.

Unfortunately, I think this only applies when you *don't do it on purpose*. From my point of view, if you design a network solely for the purpose of relieving yourself of responsibility for what traverses your network, you are pretty much screwed once you get to court. This reeks of the "I accidentally did it on purpose" defense, and isn't likely to fly with any judge that has even a portion of a clue.

Re:Not likely to fly...

[bladernr]

It is a fact after you do open your net up there is no way for them to proove that you commited the illegal acts.

You may be forgetting all the civil and criminal facilitation laws. The article describes a deliberate attempt to allow unlawful activity and to obscure its source (disabling of all filtering). You may not be able to prove you did the activity, but proving who facilitated it is a snap.

Consider night clubs that "look the other way" on illegal drugs. They get slapped with a criminal facilitation charge.

Up to the point of turning off the logging, you could argue ignorance (by default, most wireless routers ARE wide open, except they log things). As soon as you intentionally create a launch-pad for illegal activities, you are hardpressed in court to prove to a reasonable jury a legitamite purpose (notice I said reasonable, as in reasonable doubt, not "shadow of a doubt," the standard some believe you must achieve but, in fact, don't need to).

privacy != security

[jb523]

That's not improving your security. That's improving your privacy (via anonymity) at the expense of your security.

Re:privacy != security

[incast]

the author acknowledges this (and even uses similar words: "I'm willing to trade a little security for privacy.") in the article. the poster made the bad implication, not the original author.

good eye though!!

That is so retarded

Or am I the only one who has terms and conditions which say that I am responsible for everything that passes over my connection?

Wishing something doesn't make it so.

Salon: News writen by Sophomores...

[LostCluster]

Somebody forgot to read the TOS of their ISP... because absolutely ever ISP out there has something to this effect in thier TOS: As the person who pays the bill, you're responsible for keeping the Internet connection you're buying to yourself and people who you trust with it. The reason why they're warning you to do that is because if you allow your connection to fall into "enemy hands", the usage that goes over your wire will be

By choosing to run the "notoriously vulnerable technology", as the author admited in his confession letter, he admitted that he knowingly chose a piece of technology that could be exploited yielding his internet equipment making a request on behalf of somebody unknown. That's nice... you just gave that unknown person the gift of a liability shield at your expense.

As I just posted last thread, annonymity these days is really achieved by somebody else who had the chance to know who you are intentionally failing notice or promising not to tell. The thing is, that other person is taking on the liablity for what you do.

How nice of you to pay his MPAA/RIAA verdict bill for him, you'll be a hero to copyright pirates everwhere. I'm sure they'll be excited to learn there's still people dumb enough to fall for this trick still out there.

Are you kidding me?

[Sgs-Cruz]

You also have no idea what kind of FTP server your computer has become, what kind of child porn people are downloading, how much spam you're forwarding. This doesn't seem like a very good idea to me.

Re:Are you kidding me?

[zeroduck]

Just remember, every time you run an insecure network, you run terrorism.

And by keeping a loaded gun in my mailbox...

[mungtor]

I never know who might get shot or when! And the police would never find out if it was me doing the shooting!!

This is brilliant. I'm in total awe.

Doubtful

[linuxtelephony]

It is doubtful you could qualify as a type of common carrier. If anything, you may increase your odds of being liable because you may be held responsible for what others do on your connection.

It would be interesting to see how this would play out. The closest analogy I can think of would be automobiles. If you allowed someone else to use your car, you may be held liable for damages they cause while they are driving it. As far a criminal activity, you may be targetted if your car is identified as taking part in a crime, though you have a pretty good chance of being found innocent if you can prove you weren't driving the car.

Not perfect, but close. The idea sounds good though.

Get a life

[Richard_at_work]

I'm not deliberately opening my network to hackers and miscreants bent on downloading copyrighted material. I'm simply choosing not to secure it. That's no different from the millions of people who haven't installed anti-virus software and the millions more who don't keep theirs up to date.

But he IS deliberately opening his network to these people:

Last week, I turned off all the security features of my wireless router. I removed WEP encryption, disabled MAC address filtering and made sure the SSID was being broadcast loud and clear.

If he didnt have them enabled in the first place, then I might have agreed with his statement, but this is nothing like the "millions of people who havent installed anti-virus software", or the "millions more who don't keep theirs up to date". Those people dont intentionally install said protection and then disable it.

And more important, my ISP has no way to be certain if it's me.

And how is this going to matter? The ISP is renting YOU the connection, so its arguably your own responsability for the traffic passing through it. Your landlord might have something to say if you left your front door open to all who might be passing, and drug dealers take up residence. Id love to see his line rentals terms and conditions, they will amost certainly forbid what this guy is doing (intentionally sharing his connection with third parties).

If it ever comes down to a lawsuit, who can be certain that I was the offender? And can the victim of hacking be held responsible for the hacker's crimes?

Theres no hacking (cracking) going on here, the networks wide open. And there are such laws as accessory to a crime, which if you are doing this wilfully, then Id almost certainly say you were.

I hope this guy took legal advice about this, and about his stance regarding correspondance with Comcast in the future, because from where I can see, he may be on the shakiest legal ground. This article is pretty lame imho.

Re:Get a life

[bigHairyDog]

The ISP is renting YOU the connection, so its arguably your own responsability for the traffic passing through it

You're missing the point. We're geeks. We can see how its your responsibility, but the rest of the world doesn't see it like that, and the courts are part of the rest of the world fellow.

In court, if the defendent said "I just bought this wireless thing from wallmart and now they're telling me that its my fault someone drove by my house and used it for bad things" then the judge/jury would go with them. If the prosecution then said "but purchasing that wireless router gave them a responsibility to learn how to generate and distribute WEP keys" they would be laughed off stage

No, what really screws him is that he WENT AND TOLD THE WHOLE WORLD ABOUT IT! in a Salon article. There goes his alibi...

I just leave my front door open

[Dolohov]

and people wander in and out. So, it's not my fault that there are 12-year olds drinking 40s on the front porch. No way is it my fault someone's selling crack in the living room, or that someone drowned in the pool.

Ultimately, if you knowingly leave your computer open to mask your own poor behavior, you won't get off, you'll just get busted for all of it, and then get busted for knowingly providing a venue for this.

How cowardly!

[maximino]

Lord knows I hate the RIAA/MPAA as much as the next guy, but this is just stupid. Let's read between the lines here. The only reason that the author of this piece would be worrying about that letter from Comcast is if he's intending to download some copyrighted material himself, in which case he ought to be a man about it and fight The Man in court if it comes down to it and he believes it's within his rights to do. He's intending to lie, in other words.

Not only does he not have the courage to stand up for himself, he's causing trouble for the rest of us. People can use his connection to send out those penis-enlarging e-mails to the rest of us. And as mentioned above, the FBI isn't likely to be amused by his defense if he becomes the hub for a child-porn ring.

"Security through apathy". Yeah, right.

I believe that you are wrong.

[fmaxwell]

Unfortunately, I think this only applies when you *don't do it on purpose*. From my point of view, if you design a network solely for the purpose of relieving yourself of responsibility for what traverses your network, you are pretty much screwed once you get to court.

The prosecution must prove that you committed a crime, not that you tried to make their job difficult. They can't convict you for something just because you tried to obsfuscate your actions or gain plausible deniability.

As the article title says, "safe and insecure." The author has decreased the risk he faces from lawsuits launched by the RIAA, MPAA, BSA, SPA, etc., in exchange for reduced network security.

Where he is in grave danger is from his ISP, which could cancel his account in a moment should they get a DMCA complaint, spam complaint, hacking complaint, DoS complaint, or virus complaint tied to his IP address. The courts have to give him due process. His ISP does not.

Once, you could log into Stallman's account

[Animats]

Long, long ago, anyone could log into Stallman's account at MIT via the Internet. He didn't have a password. That was intentional. Anyone on the net could look at and copy his files. Even make changes, although you didn't do that without a really good reason. That was how free software worked in 1981.

So that's where this all came from.

Re:Spinder Award Winner!

[cybermancer]

Long ago I ran a BBS (a bulletin board system is a computer with an open modem where people could dial in an send e-mail, exchange files, play games, chat, etc. This is what geeks did before the Internet was available.) In running my BBS I did some research into the common carrier law. This is the law that protects the phone company (at the time) and ISP's today from the actions of their subscribers. In essence, if you don't monitor the activity on your system / network (e.g. Don't listen in on calls), then you are not liable for the actions of those on the network.

If you are providing wireless network access for your neighborhood, houseguests, or even patrons in your restaurant, then you are a carrier and protected. Just in case you were not sure, IANAL.

So the question really is if you are in violation of your Terms of Service or not. My experience has been that most cable Internet providers restrict your usage to you and your household - no operating servers (e-mail, web, etc.) This is because of the shared bandwidth nature (bus topology) of the connection. If you are consuming mass quantities, then your neighbor's connection slows down. Same is true of most satellite systems. I am sure there are some satellite and cable ISP's that offer guaranteed bandwidth, so obviously they are the exception to my comments.

xDSL on the other hand is guaranteed bandwidth (star topology). In essence you have a dedicated pipe between you and the central office. Granted if you could consume all the bandwidth at the CO then you would slow everyone else down, which is why they throttle you and have a really fat pipe there. Now xDSL typically allows servers and other activities that could result in greater bandwidth consumption because you cannot degrade the performance of your neighbors connection.

So to sum up, it would seem that this strategy would work to defray suits from MPAA, RIAA, etc., and if you were running xDSL it may even be allowed under your TOS. But, your TOS probably says you are responsible for anything that goes over your pipe. This means you are responsible to your ISP, not to anyone else. So if your ISP says "Hey, you can't do that!" then they might pull your plug. It would seem to me that loosing your ISP and having to switch to one of the competitors would be much less of a inconvenience then being sued by RIAA, MPAA, SCO, etc.

Bottom line, if you think there is a chance that incriminating traffic might take place on your connection (by you or someone else) then you may improve your odds of claiming it wasn't you by adopting this strategy. But when you are trying to download game patches or some other large download, and it is taking a lot longer then you expected, remember that is the price you pay for freedom in this country.

What you need is a router that provides bandwidth priority to some connections and not others (I forget the term), and also that partitions the public portion of your personal network off from the private portion. And instead of claiming ignorance, claim you are a nice guy who just wants to help out your neighbors, houseguests or restaurant patrons.

This is in no way an endorsment or advocation for any of the actions outlined in this comment, the comments of others, or the original news post. It is just an observation.