Slashdot Mirror
Wi-Fi Piggybacking Widespread
BaCa sent in this article about stealing network access that opens, "Sophos has revealed new research into the use of other people's Wi-Fi networks to piggyback onto the internet without payment. The research shows that 54 percent of computer users have admitted breaking the law, by using someone else's wireless internet access without permission." Of course, online polls being what they are, the results are hardly a plank for a full investigation, but a good share of the answerers did 'fess up to it as well.
What about people who keep their access points open and connect to other people's access points when they're away? I'd imagine that if somebody purposefully leaves their AP open that it wouldn't be stealing. The trouble is knowing if somebody intentionally has an unsecured WAP or if the person just never knew/bothered to secure it.
Considering many systems are configured to latch on to the strongest unprotected wifi signal they see, I've piggy-backed several times without intent.
If you can't be bothered to set up even 40-bit WEP, then you have nothing to complain about. Hell, there are five signals that I can see from my house! Your RF is in my space! I should charge rent.
Learning HOW to think is more important than learning WHAT to think.
The article asserts that logging onto someone's AP without their permission is "breaking the law", but is that really clear? Do I have to explicitly ask for permission before I walk into a restaurant? Of course not -- there's a reasonable expectation that there are no barriers to my entry, so I'm allowed (even invited) in. But, while I think physical analogies to computer situations can be very misleading, in the real world entry becomes illegal when you've had to defeat some protection mechanism (a lock) to get in.
So, to summarize: I feel like cracking someone's WEP key to get on their net is pretty damn illegal. But I don't think hopping onto an open net is unsecured. In fact, the fact that it's open may be interpreted as a sign that the owner intends to allow open access!
--
Educational microcontroller kits for the digital generation.
When you have an ornery parent...that REFUSES to get broadband...even if he's paying MORE for dialup through earthlink...you get desperate when you're visiting. Especially when two or three neighbors are running unsecured WiFi.
I think it should be legal unless you're cracking someone's WEP or WPA to get in.
How is putting up an unsecured Wi-Fi connection any different than putting up an unsecured website?
oh, and here's one just for you people who like "it's like entering my house" analogies...
AccountKiller
The survey site and article are targeted at folks in the UK, where the legality of using an open wi-fi spot isn't as open as here in the US. Here, the FCC has said that if there is no attempt to lock it down, it's free game. There the rules are different. Thus the article is able to claim the act is illegal.
I'm too lazy to compose a creative sig.
By that definition, my operating system is in violation of the law whenever it scans for an available network and presents it to me for connection.
So every time you want to visit a web site, you write a letter or call up the webmaster to ask for permission?
If by setting up a Web server I'm tacitly permitting inbound traffic, then surely setting up an unprotected wifi access point is the same, as far as the law is concerned?
(I'm not saying Wifi piggybacking is or should be legal, just pointing out that the law you mention as it is is quite vague and open to interpretation.)
Score: i, Imaginary
I would say that the beacon and authentication process would communicate that permission is granted:
Access Point Hey everyone, I'm open for business!
My Adapter Can I have permission to join your network?
Access Point Sure! Here's an IP!
Thing is, though, 802.11a/b/g/n clients usually "associate" with an access point. This is after the client receives a "beacon" from the access point, basically advertising its existence.
So, the access point tells the area that it's broadcasting, and the client sends an association request, and the access point associates with the client. Assuming that that association was gained by the client in a non-malicious manner (no MAC spoofing, no WEP cracking, etc,) it sounds a lot like the system was configured to give any client permission automatically.
Look. 2.4ISM is an unlicensed band. Under 200mW, I have rights to transmit anything I want to. Period. If your router interprets it as a part of an HTTP request, that's not my fault. The "I'm swinging my arms, and if you walk into them it's your fault" theory.
And, I do think someone needs to introduce RFC 2131 (DHCP) into evidence. An open router responds to a polite request with a positive acknowledgment. It is possible to configure the box not to give that acknowledgment, probably via an encryption key, but also by MAC filters or turning off DHCP. Introduce the owner's manual while you're at it.
While I was away, my parents decided to get WiFi, without telling me until I returned. I looked at the configuration and they did not put a password on it. When I asked them about this, they said they didn't know about adding a password. Did they intend to make their internet available to everybody? NO. They just didn't know to protect it. An access point is open by default, so by your logic, all new access points are free to use until they're passworded, even if their owner doesn't know to add a password.
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
Why would putting a server up on port 80 be considered public anymore than putting up a wireless access point? I don't see how having a web server is "implied public". Just because I put it there doesn't mean I want everyone to access it. That's a poor example to use.
(a) dishonestly obtains an electronic communications service...
So it's "illegal" if it's "dishonest". How is it "dishonest" to connect to an open wifi point? No misrepresentations are made. Your PC/laptop requests access and it is granted. No hacking, cracking or dishonesty is involved. No dishonesty, no illegality, it seems to me.
So, if my network is intentionally left easily accessible, why do you say that "linksys", "NETGEAR", or "default" network isn't there because that's how they wanted it? Because the essid is factory default? I had a Netgear wireless router once. Nice piece of equipment, IMHO, but overpriced. I routed it through the Linux box I had handling that sort of thing at the time and left the access point itself unsecured (except the admin password, obviously). Basically the same setup as now, but less complex. I left it that way so that my neighbors could get online through me.
Am I the exception to the rule? Stealing WiFi REALLY IS stealing, because you are depriving somebody of the bandwidth they are paying for when you use it without permission I'm sharing it. Willingly. Right now. Know why I didn't include traffic shaping in either of my descriptions of my current or previous setups? Because I never needed to. Besides that, if I'm just doing the usual browsing, it's not like it takes up a lot of bandwidth. Slashdot? Oh no. A couple of seconds where the connection drops below 153k/s. I'd be more worried about sbcglobal going down for a few hours again. One of the outages lasted so long, I wrote a system to gnuplot how often and how long my connection went down. That you think anything unknowingly left unprotected is fair to steal illustrates your lax morals. Would you steal somebody's car if they left it unprotected without knowing it? Well then why would you steal somebody's wifi if they left it unprotected without knowing it? That you equate "open wireless" with "anything" illustrates your warped version of reality, and that you equate stealing wireless with stealing a car indicates that you, sir, with all due respect, are a complete idiot.
If you don't want someone accessing your network, fine. Enable encryption. I'll stay off of it. Most other people will, too.
Assume I was drunk when I posted this.
Ah, so you personally asked all owners/shareholders of SourceForge, Inc. if you could access this website and post comments on it...
When the LEOs knock on your door and take all your electronics b/c a squatter ran stolen credit cards on your network, then you may rethink your altruism. Sure you'll probably be cleared if the MAC's not a clone of yours, but that's after a long, long investigation. I've seen it happen twice in the last 2 years, not pretty. I suggest encrypting, filtering and sharing the hex key w/ the neighbors. But then, some crank will probably get in and do it anyways...nm.
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
At best you are disingenuous. A web page is put up on the internet for the specific function of being viewed. It is analogous to posting a flier on a public bulliten board. A wifi can be set up by third party techs in a house for family use. It is reasonable to expect others to not trespass.
Actually, I thought the purpose of the SSID was to serve as the service set identifier to differentiate between networks. The SSID is also broadcast on an encrypted network, and anyone would agree that an encrypted network is not exactly saying "hey, I'm here, connect to me"
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Now, on the other hand, if I crack a WEP key, I am clearly crossing a black and white line. Cracking WEP, although trivial, requires effort on my part. If my neighbor puts up a sign on his front door reading "GOLD INSIDE." and buys a really flimsy lock, it's still clearly crossing a line for me to help myself to said booty.
-Arthur
Cave ne ante ullas catapultas ambules
sure it is, it's then refusing to let you on if you don't authenticate, just like a club with a bouncer.
Snowden and Manning are heroes.
It's not unreasonable. My cordless phone didn't require a password, and I'd be pretty upset to find my neighbor using it.
I think access points should come with a password out of the box.
If they're not securing their access point, my children could browse unsavory websites, and aside from taking their computers away from them, I couldn't do a thing about it. (legally)
I know this is a stretch, and I know some people are averse now new and untested ideas, but - you could try *talking* to your children about what they are and aren't allowed to do.
Why get your knickers in such a twist about "unsavory websites" anyway? If they're old enough to be allowed the responsibility of using the Internet unsupervised, they're old enough to make their own decisions about what's suitable and what's not, and whether or not it breaks their rules.
I guarantee you, whatever you call an "unsavory website", your teenagers will already have seen something worse. And laughed at it.
I'm not sure if a WAP is analogous to a webserver, but I don't see how either can be considered private by default. There are certainly public web pages, and there are certainly public wireless access points (i.e. the ones offered at Starbucks, Krystal, various hotels and others are intended to be publicly accessed, at least by their customers. Sometimes whole communities have set up public WAPs). Then there's WAPs that a completely innocently minded person might well assume are public, (i.e. the cases where a person parked outside the local library has accessed its wireless net, and knows that the library provides public terminals, so assumes this is part of the same service). The ratio of public to private WAPs favors private, but the law isn't based on some "is the majority private or public" test in most other cases.
(For example there are lots of charter only buses, and some private buses with fixed stops and routes on the roads near my location, and there are lots of School buses, and a public transport community bus system that paints its vehicles with many different designs and colors. There's no law that says people should not hail a bus until they are absolutely certain it's not a private chartered vehicle, or anything remotely like that, and no one is looking at how many buses of what kinds are public or private, and what subtypes there are, when it comes to passing new laws. If the ratio of chartered lines to school buses changed, I don't think anyone would say we needed to change the existing laws vis-a-vis buses.).
Most laws are built on reasonableness tests and the like, not some percentage test. Telling people they should assume any WAP not explicitly marked public is private is no different from telling them they should assume anything not explicitly marked public domain is still copyrighted, or should assume any road without a clear sign is a private drive. That pesky "Innocent unless proven guilty" principle includes not shortcutting the law by claiming that someone had criminal intent just because they didn't assume automatically that something was private unless clearly marked otherwise. Instead the law should have to prove the person didn't have a reasonable expectation that something was being made public. That's mostly well established law - hanging your wash out on a clothesline isn't making the wash legally takeable by the public, putting in a sidewalk that better supports access to an adjacent location is explicitly giving someone permission to walk that way (unless it's marked otherwise). Instead of whole new laws, WAP issues are best resolved by a body of precedents that follow existing examples. The courts can decide just how much or little the WAP owner has to do to have it considered private.
We frequently tell private owners they should put up the signs or shut up (i.e. If you want parking in front of your business to be used for your business only, post it or don't complain, if you don't want your buried cable dug up, then mark it, etc.). We used to make copyright holders put explicit notices on works rather than make everyone else assume they existed unless proved to have expired. Let a person cross your land enough times without complaint, and you don't have to give them explicit permission to have established an easement. The law has many cases where not doing something to stop access counts as granting access. A legal decision that not changing the WAP defaults is in line with giving permission is justifiable on similar grounds. It's not necessarily the right call, but people who are arguing that the courts can't, or should never do that don't know common law very well (Or they know it very well indeed, but hope the general public never learns).
Who is John Cabal?
In addition to that, your typical mail client will check for new messages every 10 minutes. Windows will automatically download updates. Many manufacturers pre-install software that also automatically downloads additional software updates. These things all generate traffic.
Regardless, the crime people are being charged with is unauthorized computer access. The amount of traffic they generate is irrelevant. The law is interpreted as meaning that it's illegal to access the network device, regardless of the AP being configured to broadcast that it's open and offering IP address leases to machines that it sees trying to connect.
How is your average user supposed to know that the internet access they are given automatically is illegal?
How do you distinguish between APs that are open but illegal to use from APs that are intentionally left open for the public to use?