Wi-Fi Piggybacking Widespread

BaCa sent in this article about stealing network access that opens, "Sophos has revealed new research into the use of other people's Wi-Fi networks to piggyback onto the internet without payment. The research shows that 54 percent of computer users have admitted breaking the law, by using someone else's wireless internet access without permission." Of course, online polls being what they are, the results are hardly a plank for a full investigation, but a good share of the answerers did 'fess up to it as well.

I agree its wrong

[Lord+Byron+II]

but how is it illegal?

Re:I agree its wrong

[betterunixthanunix]

I don't agree that it is necessarily wrong, as long as it doesn't disrupt the service of the person who owns the Internet connection. What harm is done by me piggybacking on a neighbor's wifi connection at 2AM while they sleep, to check some email? As long as I don't mask crimes by it or interrupt the neighbor's ability to use their equipment, I fail to see what harm is done, and therefore, what is wrong with it.

Re:I agree its wrong

[dwillden]

The survey site and article are targeted at folks in the UK, where the legality of using an open wi-fi spot isn't as open as here in the US. Here, the FCC has said that if there is no attempt to lock it down, it's free game. There the rules are different. Thus the article is able to claim the act is illegal.

Re:I agree its wrong

[konohitowa]

"Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network. (7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

By that definition, my operating system is in violation of the law whenever it scans for an available network and presents it to me for connection.

Re:I agree its wrong

[doshell]

"Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.

(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

So every time you want to visit a web site, you write a letter or call up the webmaster to ask for permission?

If by setting up a Web server I'm tacitly permitting inbound traffic, then surely setting up an unprotected wifi access point is the same, as far as the law is concerned?

(I'm not saying Wifi piggybacking is or should be legal, just pointing out that the law you mention as it is is quite vague and open to interpretation.)

Re:I agree its wrong

[tkw954]

Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

I would say that the beacon and authentication process would communicate that permission is granted:

Access Point Hey everyone, I'm open for business!

My Adapter Can I have permission to join your network?

Access Point Sure! Here's an IP!

Re:I agree its wrong

[nxtw]

Thing is, though, 802.11a/b/g/n clients usually "associate" with an access point. This is after the client receives a "beacon" from the access point, basically advertising its existence.

So, the access point tells the area that it's broadcasting, and the client sends an association request, and the access point associates with the client. Assuming that that association was gained by the client in a non-malicious manner (no MAC spoofing, no WEP cracking, etc,) it sounds a lot like the system was configured to give any client permission automatically.

Re:I agree its wrong

[jcuervo]

Only if you name your access point "FREE WIFI", or by some other means convey that it is free, since a website is implied to be public by default, and an access point is implied to be private by default, even if there isn't a password.

Uhm. My public network is not named "FREE WIFI". It's a Linux box with a Prism2 card doing HostAP, and it's free to anyone in range. In the interests of brevity, suffice it to say that I've put a lot of work into it.

So, if my network is intentionally left easily accessible, why do you say that "linksys", "NETGEAR", or "default" network isn't there because that's how they wanted it? Because the essid is factory default? I had a Netgear wireless router once. Nice piece of equipment, IMHO, but overpriced. I routed it through the Linux box I had handling that sort of thing at the time and left the access point itself unsecured (except the admin password, obviously). Basically the same setup as now, but less complex. I left it that way so that my neighbors could get online through me.

Am I the exception to the rule?

Stealing WiFi REALLY IS stealing, because you are depriving somebody of the bandwidth they are paying for when you use it without permission I'm sharing it. Willingly. Right now. Know why I didn't include traffic shaping in either of my descriptions of my current or previous setups? Because I never needed to. Besides that, if I'm just doing the usual browsing, it's not like it takes up a lot of bandwidth. Slashdot? Oh no. A couple of seconds where the connection drops below 153k/s. I'd be more worried about sbcglobal going down for a few hours again. One of the outages lasted so long, I wrote a system to gnuplot how often and how long my connection went down.

That you think anything unknowingly left unprotected is fair to steal illustrates your lax morals. Would you steal somebody's car if they left it unprotected without knowing it? Well then why would you steal somebody's wifi if they left it unprotected without knowing it? That you equate "open wireless" with "anything" illustrates your warped version of reality, and that you equate stealing wireless with stealing a car indicates that you, sir, with all due respect, are a complete idiot.

If you don't want someone accessing your network, fine. Enable encryption. I'll stay off of it. Most other people will, too.

Re:I agree its wrong

[Shakrai]

By that definition, my operating system is in violation of the law whenever it scans for an available network and presents it to me for connection.

New York's definition is a lot better. Of course, I can't pull it up right now, because section of the Assembly site with our laws seems to be down, but it basically requires that you have to bypass a "password or code system" in order to commit the crime of "unauthorized use of a computer".

That's actually quite logical. Connecting to an open wi-fi network is not a crime in New York State. Bypassing someones WEP key in order to use his wi-fi however, is.

Re:I agree its wrong

[Shakrai]

broadcasting the SSID is offering access. the purpose of the SSID is to say "hey i'm here, connect to me"

Actually, I thought the purpose of the SSID was to serve as the service set identifier to differentiate between networks. The SSID is also broadcast on an encrypted network, and anyone would agree that an encrypted network is not exactly saying "hey, I'm here, connect to me"

Re:I agree its wrong

[a_nonamiss]

Connecting to an open wi-fi network is not a crime in New York State. Bypassing someones WEP key in order to use his wi-fi however, is. I'd say that pretty much nails it right on the head. I feel very strongly that if my neighbor sets up an open access point called "netgear" and broadcasting it into my house, they're telling me that they don't care if I use it. In fact, maybe I don't want every person in my household to have unrestricted Internet access. If they're not securing their access point, my children could browse unsavory websites, and aside from taking their computers away from them, I couldn't do a thing about it. (legally) Now, I am a good neighbor, and I've made more than one household in my neighborhood aware that they were offering up free bandwidth to anyone who happened by, and I've even offered up my expertise free of charge to help them secure said access point.

Now, on the other hand, if I crack a WEP key, I am clearly crossing a black and white line. Cracking WEP, although trivial, requires effort on my part. If my neighbor puts up a sign on his front door reading "GOLD INSIDE." and buys a really flimsy lock, it's still clearly crossing a line for me to help myself to said booty.

Re:I agree its wrong

[Artifakt]

I'm not sure if a WAP is analogous to a webserver, but I don't see how either can be considered private by default. There are certainly public web pages, and there are certainly public wireless access points (i.e. the ones offered at Starbucks, Krystal, various hotels and others are intended to be publicly accessed, at least by their customers. Sometimes whole communities have set up public WAPs). Then there's WAPs that a completely innocently minded person might well assume are public, (i.e. the cases where a person parked outside the local library has accessed its wireless net, and knows that the library provides public terminals, so assumes this is part of the same service). The ratio of public to private WAPs favors private, but the law isn't based on some "is the majority private or public" test in most other cases.
      (For example there are lots of charter only buses, and some private buses with fixed stops and routes on the roads near my location, and there are lots of School buses, and a public transport community bus system that paints its vehicles with many different designs and colors. There's no law that says people should not hail a bus until they are absolutely certain it's not a private chartered vehicle, or anything remotely like that, and no one is looking at how many buses of what kinds are public or private, and what subtypes there are, when it comes to passing new laws. If the ratio of chartered lines to school buses changed, I don't think anyone would say we needed to change the existing laws vis-a-vis buses.).
      Most laws are built on reasonableness tests and the like, not some percentage test. Telling people they should assume any WAP not explicitly marked public is private is no different from telling them they should assume anything not explicitly marked public domain is still copyrighted, or should assume any road without a clear sign is a private drive. That pesky "Innocent unless proven guilty" principle includes not shortcutting the law by claiming that someone had criminal intent just because they didn't assume automatically that something was private unless clearly marked otherwise. Instead the law should have to prove the person didn't have a reasonable expectation that something was being made public. That's mostly well established law - hanging your wash out on a clothesline isn't making the wash legally takeable by the public, putting in a sidewalk that better supports access to an adjacent location is explicitly giving someone permission to walk that way (unless it's marked otherwise). Instead of whole new laws, WAP issues are best resolved by a body of precedents that follow existing examples. The courts can decide just how much or little the WAP owner has to do to have it considered private.
      We frequently tell private owners they should put up the signs or shut up (i.e. If you want parking in front of your business to be used for your business only, post it or don't complain, if you don't want your buried cable dug up, then mark it, etc.). We used to make copyright holders put explicit notices on works rather than make everyone else assume they existed unless proved to have expired. Let a person cross your land enough times without complaint, and you don't have to give them explicit permission to have established an easement. The law has many cases where not doing something to stop access counts as granting access. A legal decision that not changing the WAP defaults is in line with giving permission is justifiable on similar grounds. It's not necessarily the right call, but people who are arguing that the courts can't, or should never do that don't know common law very well (Or they know it very well indeed, but hope the general public never learns).

54 percent??!?

[thermopile]

Oh, come on .. I can't believe it's not more like 90 or 95 percent. In fact, I'm typing this while "borrowing" my neighbor's linksys network. The admi-- $$%110113944 NO CARRIER

Re:54 percent??!?

[RuBLed]

You mean like her? Mrs. Roberts

Encryption

[chill]

Considering many systems are configured to latch on to the strongest unprotected wifi signal they see, I've piggy-backed several times without intent.

If you can't be bothered to set up even 40-bit WEP, then you have nothing to complain about. Hell, there are five signals that I can see from my house! Your RF is in my space! I should charge rent.

Re:Encryption

[jamesh]

I was helping out someone over the phone at a client's remote office. He'd just come back from overseas and could connect to the wireless network and access the internet but couldn't connect to any of the internal systems. After checking all the obvious things I established a remote control session to his laptop and started looking around. The IP address of the wireless interface was nothing like what it should have been. I then connected to the Access point he was using and found that it was set up nothing like it should have been and DHCP was enabled. Aha! I thought. The Access point has been reset to factory defaults. I threw a new config at it and rebooted it, but things still weren't working right.

Eventually, I figured out that while he was away, someone in a neighboring office must have set up an access point with the same SSID (NETGEAR - so the chances of it happening were pretty high!) and his laptop decided to connect to that instead. And i'd just reconfigured it with a fairly high level of security. Oops.

Oh well... maybe next time their neighbor will put security on their access point!

Is this really breaking the law?

[compumike]

The article asserts that logging onto someone's AP without their permission is "breaking the law", but is that really clear? Do I have to explicitly ask for permission before I walk into a restaurant? Of course not -- there's a reasonable expectation that there are no barriers to my entry, so I'm allowed (even invited) in. But, while I think physical analogies to computer situations can be very misleading, in the real world entry becomes illegal when you've had to defeat some protection mechanism (a lock) to get in.

So, to summarize: I feel like cracking someone's WEP key to get on their net is pretty damn illegal. But I don't think hopping onto an open net is unsecured. In fact, the fact that it's open may be interpreted as a sign that the owner intends to allow open access!

--
Educational microcontroller kits for the digital generation.

Classic scenario - visiting the parents

[PhantomHarlock]

When you have an ornery parent...that REFUSES to get broadband...even if he's paying MORE for dialup through earthlink...you get desperate when you're visiting. Especially when two or three neighbors are running unsecured WiFi.

I think it should be legal unless you're cracking someone's WEP or WPA to get in.

I just read that news article with permission.

[Vellmont]

Did I break the law? I didn't call up someone at net-security.org and specifically ask them if I can read their article.

How is putting up an unsecured Wi-Fi connection any different than putting up an unsecured website?

• The WPA actually ADVERTISES the fact that it exists.
• When you connect to the network, most networks will have DHCP happily gives out all the information, even giving you an IP address automatically to any computer that asks.
• Many people actually put up an unsecured AP with the INTENTION of giving out access. (And thus this becomes common expectation)
• Many client computers will automatically connect to unsecured Wi-Fi APs
• The technology exists to easily put a password on the Wi-Fi connection to prevent anyone from connecting to it

oh, and here's one just for you people who like "it's like entering my house" analogies...

• The wireless signals often times go right into MY house. i.e. I don't have to be one someone else's property to connect to an AP

Re:Stealing? Or Sharing?

[Joe+Tie.]

Seriously. I leave mine open. If I see someone abusing the privilege I'll kick them off, but if someone wants to check google maps real quick then I'm happy to have been of help. There's been a large number of situations in my own past where an open network was of immense help, and I like the idea of being able to return the favor in some sense. I really hate the idea that the default way we're supposed to approach anyone is under the assumption that they're both too stupid to secure their connections, and too selfish to want anything but that.

I leave my connection open...

[Newer+Guy]

I leave my connection open and my SSID reads "Use but dont abuse". At any given time, there are 10 MAC addresses in my DHCP log (I have 4 devices total). From what I can tell, NO ONE abuses the connection. One person (my elderly neighbor) uses it to email her kids and grandkids. What's wrong with that? I always have the bandwidth I need, and will continue to leave it open. By the way, only one other AP in this area is open. It's SSID is: Linksys.

One other closed AP has the SSID: "Free Ride Is Over".

I live in a community. Leaving my AP open benefits others within my community without adversely affecting me.

Per Federal Law, Piggybacking IS legal

Per Federal Law, Piggybacking IS legal
US law clearly states that accessing unencrypted wireless is legal.
But first, I want to address a lie that was started by Alex Leary, a reporter for the St Petersburg Times. I have been following this story since it appeared. A "Benjamin Smith" was never arrested by the St. Petersburg Police for unauthorized access to a computer network, never charged with a third-degree felony, never booked by the Pinellas County Sherff's Office, and never scheduled for a pretrial hearing. There was no follow up to the story because there was no trial. Alex Leary made the whole story up.
Do not spread urban legends. Especially about the law. When you are told that something is against the law, ask which specific law? When you are told someone was arrested, ask for the booking number? Went to trial, docket number. When someone cannot answer these questions, do not believe them.
Accessing unencrypted wireless is VERY legal.
According to Title 18 (Crimes and criminal
procedure) of the United States Code, Part I
(Crimes), Chapter 119 (Wire and electronic
communications interception and interception of oral
communications) from
http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm :
2511. (2)(g) It shall not be unlawful under this
chapter
http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
or Chapter 121
http://www.usdoj.gov/criminal/cybercrime/ECPA2701_2712.htm
of this title for any person --
(i) to intercept or access an electronic
communication made through an electronic
communication system that is configured so that such
electronic communication is readily accessible to
the general public;
2510. Definitions
(16) "readily accessible to the general public"
means, with respect to a radio communication, that
such communication is not --
(A) scrambled or encrypted ;
(B) transmitted using modulation techniques whose
essential parameters have been withheld from the
public with the intention of preserving the privacy
of such communication;
(C) carried on a subcarrier or other signal
subsidiary to a radio transmission;
(D) transmitted over a communication system provided
by a common carrier, unless the communication is a
tone only paging system communication; or
(E) transmitted on frequencies allocated under part
25
http://www.access.gpo.gov/nara/cfr/waisidx_04/47cfr25_04.html,
subpart D
http://edocket.access.gpo.gov/cfr_2004/octqtr/47cfr74.401.htm ,
E
http://edocket.access.gpo.gov/cfr_2004/octqtr/47cfr74.501.htm ,
or F
http://edocket.access.gpo.gov/cfr_2004/octqtr/47cfr74.600.htm
of part 74
http://www.access.gpo.gov/nara/cfr/waisidx_04/47cfr74_04.html ,
or part 94 http://wireless.fcc.gov/rules.html of the
Rules of the Federal Communications Commission
http://wireless.fcc.gov/rules.html , unless, in the
case of a communication transmitted on a frequency
allocated under part 74
http://www.access.gpo.gov/nara/cfr/waisidx_04/47cfr74_04.html
that is not exclusively allocated to broadcast
auxiliary services, the communication is a two-way
voice communication by radio; [The unlicensed
spectrum used by Wi-Fi
http:

Wifi Sharing

[photomonkey]

In 2004, I was covering the Presidential debate and Kerry rally following it in Phoenix.

The press facilities at the debate were adequate, but sucked nine kinds of ass at the Kerry rally.

As per company policy, I FTP'd my photos in following the event only to find out that most of them were received as corrupted.

So I drove around with my laptop on the passenger seat looking for an open wireless point. I drove past a house with every light on, and an open access point. Since the light was on, I decided to ring the doorbell to let the homeowner know who was camped out in front of their driveway with a laptop.

The guy came to the door and said the wireless was 'obviously' open for all to use, since he didn't lock it down. He told me I was welcome to come in and sit in the house while I worked, provided that he and his wife could look over my shoulder at the pictures.

I accidently reconfigured my neighbor's router

[MichaelCrawford]

My landlady said I could use her wireless (she lived upstairs from me) but both she and a neighbor, who I never identified, had unsecured wireless, with both networks being named "linksys". They also used two different ISPs.

My MacBook Pro's Airport card connected to each network more or less at random. When I connected to her's, it worked OK, but when I connected to her neighbor's, it didn't work at all. Sometimes the Airport would switch networks in the middle of my use of the Internet, which really got to be a drag.

So I finally convinced her to let me rename and secure her access point. This went very well, and I was able to set up both my Mac and her WinXP laptop to use the newly secured net.

Except that I made a crucial mistake: I performed the re-configuration wirelessly. I didn't do it by plugging an ethernet cable into her access point.

Imagine my dismay when I realized I had reconfigured her neighbor's access point, and not her's!

I sat in my room quaking with fear, awaiting the heavy bootheels of the Royal Canadian Mounted Police kicking down my door so they could haul me in for being a cyberterrorist.

I never heard any complaints though, and eventually my neighbor's network was renamed to "linksys" and was again unsecured. My guess is that LinkSys tech support explained how to do a hard reset.

My question for my Slashdot friends is this: who is the Rocket Scientist at LinkSys who decided to support wireless reconfiguration of their routers?