Slashdot Mirror
Wireless Hijacker Dealt First UK Punishment
paella_dodger writes "The BBC is reporting on a recent UK court case whereby a man was fined £500, sentenced to 12 months' conditional discharge and had his laptop confiscated for browsing the 'net on his neighbour's wireless Internet conenction. Perhaps I should secure my neighbour's wireless connection for him before Windows automagically connects to it and gets me arrested!"
``before Windows automagically connects to it and gets me arrested''
Fortunately, most courts still discriminate between intentionally and accidentally doing something. If you're connecting to someone else's wireless network from your car (which, I assume, means that you don't have any wireless network facilities of your own around), it's pretty hard to maintain that you did it by accident.
On the other hand, if my mom is found to use the neighbor's network to access the Internet, it will be pretty hard to maintain that she was doing so on purpose. All she knows is that computers can be used as glorified typewriters. GUIs are not for her, much less wireless network configurations.
Please correct me if I got my facts wrong.
Not really. Despite the BBC hedging it's bets, and putting the conspiracy angle on it a touch, The Register has a clearer account of what happened.
Basically the bloke was engaged in Wardriving, and deliberately hooked into the wireless network.
It'll certainly be murky waters when windows automatically selects the average joe's router instead of their own, but with many routers at least asking people to put better security on wireless points, this should start becoming less frequent.
From all accounts, he was caught tapping away on his laptop, moved away when police watched, then came right back to the same point again. At which point he was investigated as he looked a little 'suspicious'.
Wardrivers remember! Just because you're invisible in the network, it doesn't make you invisible to the local copper walking on the street, or the local neighbourhood watch!
Perhaps, but the same logic still applies; this guy was not just stealing it, he was making himself a target to be caught.
He is obviously not very smart, either, considering he was seen for the past three months in the same locations. That usualy means he was using the same network for the same deeds each time.
Honestly, I do not blame the UK government for going down on this guy; he deserves it. Especially since he was stupid enough to get caught the way he did. Sure, war driving is one thing, but blatently sitting infront of someone's home, leeching their network is a whole different case.
Sadly, this is just like what happened to the term "hacker" back in the day - it was idiots, like this guy, that ruined it for the real "hackers" out there; the script kiddies. Now, guys like this, and the other guy that got caught doing it, will give the term "war driving" a bad name. Hell, you mention "war driving" somewhere and people are going to start believing you're a "hacker" who uses "linux" to steal credit cards from them.
All in all, people should learn to secure their wireless networks. If they are unable to, or know nothing about the processes, they should be wired like the other drones. Or they should simply hire someone to secure it for them -- It's honestly not that difficult these days, especially with a linksys router. You simply type in a few things and click a coulpe check boxes and you're done. But this does prove that the common person, joe sixpack if you will, does not care enough about computer security to do anything until someone takes advantage of them. Then they cry foul.
Hey, you use your car for maybe an hour each way to work. It's being wasted the rest of the day. Fair that I grab it without you knowing in between then?
Of course not. Anything you decide to do becomes their problem. And, well, it's just rude! If it's one of the low cap broadband connections, perhaps you're going to push them over their limit? Or several people using it will do that?
Still alright to cost them money?
All it takes is a nip round to your neighbour's place and say "Look, you've got a wireless point there and broadband.. Mind if I chuck you a bit of cash each month and piggyback on top of the link, 'cos I can't really afford it?". Many would say to just hop on anyway if it's not used, without you paying anything. That's certainly the arrangement I have with my neighbours that can't afford the link (now have 3 people on mine).
Nothing wrong with sharing a link, it's just good manners to ASK before taking things.
>>So if you have your door open in summer, I'm welcome to walk into your house and help myself to some of the cookies that are on the kitchen table?
Bad analogy - that would involve tresspass; there is a physical boundary of someone else's property that implies private access.
A better analogy would be if those cookies were floating through the air, coming in MY window and out my door, and I happened to eat a few as they went by.
Although it may not reflect the law, I personally believe that unsecured wifi should be public domain. WEP (even 1-bit for god's sake, to show that the intention for it to be private) should be enabled by default on routers, and it should be blatantly clear that you're providing public access (with consent) if you turn it off.
MadCow.
I used to have a sig, but I set it free and it never came back.
"Fortunately, most courts still discriminate between intentionally and accidentally doing something. "
Except for one thing, you can't know if he neighbours INTENT was to share his open wireless connection for sharing. Thats the whole point of Open WiFi afterall, sharing. By doing this they're making Open WiFi illegal, because not only does your computer have to get permission to connect to the network (via the login) but now extra permission is needed too.
Let me put it another way. Suppose you have free open municiple wifi and Fred Bloggs open wifi, you computer has no way of telling which is the free Municiple open wifi and which is not so it connects to Fred Blogs's net, attempts to login and is given permission -> crime comitted. You had the intent to connect to an open network, but not the method to determine which network is permitted.
Or rather you did have the way, the login, but the court ignored that.
Say you're using their connection to do some illegal stuff like black hat hacking or spam fraud and the IP gets traced back to your neighbors, then what?
Or simpler; a forum which you both happen to visit decides to ban the IP for your bad behaviour or a poll-system allows only one vote per IP.
The real problem is not using the bandwidth, it's the online identity theft through use of their IP.
And how about a VPN? Is it okay to access that too through the WiFi connection?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Personally, I leave my wireless network deliberately open, and the login message (when seen) says "welcome to...". I do this in a public minded spirit, in the hope that if I need a public network in some other place, some other kind soul will leave one open as well.
Fixed computers actually on my network are individually firewalled off.
If I ever find evidence of massive bandwidth leeching, I may change my policy, but even then I would prefer to simply cap non-me connections.
Morally, I don't feel it is wrong to borrow enough bandwidth off an open wifi node to read a few web pages or collect email.
Massive bandwith leeching, copyright theft or invading someone else's samba shared files via an open network (that they probably intended to be network private) are off limits, of course.
These days, I would hope that people are aware that these things are open by default - there have been enough articles in the major newspapers about it, and certainly I would prefer that hardware manufacturers shipped them in a default secure configuration, but I don't think this should prevent people leaving them open if they want to.
If i leave a plate of biscuits (cookies) just inside the open gate to my garden with a sign saying "take one please", is it a crime for someone to take one?
Some geeks have attempted to hijack "There's no encryption on this node" or "My SSID is public and is..." to mean this, but given most WAPs are configured by default to have no encryption and to publically broadcast a SSID, and given both can be explained by many other reasons, this is simply legally non-sustainable as an argument.
Hiding a SSID in some ways is anti-social as it makes it more difficult for your neighbours to find your network if it interferes with their's. The lack of encryption is also a bad choice, I've come across wireless equipment that works "out of the box" but requires connection to a PC to configure any encryption features - adapters to put X-Boxes and PS2s on a wireless network generally work this way. Owners of such devices are very likely to want to use unsecured WAPs.
The wireless network would have been advertising its presense. This is a useful feature. But it wasn't "inviting anyone" any more than a door knob does.
Geeks need to get out of the habit of assuming that a default configuration amounts to "permission to use". It doesn't. Only permission to use is permission to use. The only surefire way to know if you have permission or not to use a network is to look for a publically posted notice, or to get written or oral permission from the network's owner. One day, 802.11* might have something added to make it easier to make it possible for a user to unambigiously give other's permission to use their networks (and that would be a useful feature anyway), but until then, look for notices, or talk to the operator. Don't assume.
You are not alone. This is not normal. None of this is normal.
Honestly, I do not blame the UK government for going down on this guy...
Hmm, UK justice is very different from US justice...
Some geeks have attempted to hijack
Bullshit, there is no hijacking involved! Frikin walk up to the curb, open laptop, and use it. Do you need permission to turn on the TV and watch open air TV shows? How about 'permission to view' the flowers in front of my house? If people are too ignorent to use a piece of hardware, they shouldnt purchase it. Read the frikin big printed poster that shows you how to secure your access point. Otherwise, you deserve what you get.
No I didnt spell check this post...
" ...the door is unlocked = no encryption, no security."
Man 1: "Knock knock",
Man 2: "Come in",
Man 1: Goes in.
Man 2: Police arrest that man.
Man 1: But I knocked and you said I could come in
Man 2: But that was a misconfiguration, if I wanted you to come in I would have put a "FreeToComeIn" sign on my door.
Geeks need to get out of the habit of assuming that a default configuration amounts to "permission to use". It doesn't. Only permission to use is permission to use. The only surefire way to know if you have permission or not to use a network is to look for a publically posted notice, or to get written or oral permission from the network's owner. One day, 802.11* might have something added to make it easier to make it possible for a user to unambigiously give other's permission to use their networks (and that would be a useful feature anyway), but until then, look for notices, or talk to the operator. Don't assume.
That wireless routers ship unsecured in their default configuration is a problem with the vendors (and it wasn't always like this). Vendors do this to make it easier for people to setup their first wireless network... in fact it's basically automatic. Any Windows machine with a wireless card will automatically connect to any unsecured wireless access point. Period. Allow me to repeat this. Any Windows machine with a wireless card will automatically connect to any unsecured wireless access point. But people really do need to log in and change the default configuration, both for security purposes (it's trivially easy to find default passwords online), and functionality reasons. But the biggest reason is that the way to say something is available for use in the online world is to allow people to use it without authentication.
The standard way of saying something is open and available on the 'net is to not require a password. If you put your pictures up on your http site even if you don't publish the link anywhere you're giving your consent for people to connect and look at your pictures. Not just your consent... your hardware, which is your stand-in online, is actively doing it. The moment you put a password on your http site, you're showing that the site is private, and attempts to enter can be considered hacking. If you have an FTP site with no password, you're giving people permission to use it. Open chat servers, bulletin boards, p2p nodes... The universally accepted convention about networking protocols is "open unless locked." I don't need to call you and get your explicit permission to connect to your website if it isn't locked... by not having a password on something you are showing that it is available for all to use. This post bounced through 20 or so routers at various locations throughout the world, but I didn't need to get explicit permission to use any of them. I didn't have to: I had implicit permission built into the hardware's choice of protocol.
Likewise, if you have networking hardware that has no password or protection whatsoever, you're giving people permission to route through it. In fact, hardware you own is more than facilitating it... it's broadcasting its SSID, it's responding to my card's MAC address, it's responding to my session handshake, and it's not asking for authentication. That's no less than four steps along the line when it could have simply and trivially stopped anyone whom the owner didn't want on the network. The hardware actively engaged in the process. This isn't like checking everyone's door to see which is unlocked, this is like walking past a building downtown and having the glass door automatically open for you.
I should also say that lots of people do intentionally share their wireless networks, out of a sense of social support. There are several 802.11b networks permeating my apartment right now, several of which have altered SSID's and configurations but which are unlocked all the same, showing that the owners knew enough to change the configuration of their routers but still chose to leave them unlocked. This turned out to be good for me, as I had been unintentionally connecting to a neighbor's wireless network for about 1/2 of a year... My wireless card had a faulty WEP driver, and for half a year I didn't notice that it would fail to connect to my network and automatically went out and found another
The ______ Agenda
If I see a store with a sign labeled 'open' on the front of it, would you consider me a burglar if I walked into it without asking the shopkeeper first? If there's a bus sitting on the curb and the door is open, am I hijacking the bus if I just walk into it? If there's a house with a sign labeled "garage sale" out front am I tresspassing if I start wandering around the front yard looking at things sitting out?
The AP this guy connected to had a big giant sign *actively* saying "OPEN" on it. 802.11 provides many ways to make that sign say CLOSED instead. This AP used none of them. The guy's laptop sent a message to the AP saying "hi, is it ok if I connect" and the AP said back "sure, here's an association for you and an IP address you can use.".