Slashdot Mirror
Dutch Court Rules WiFi Hacking Not a Criminal Offense
loekessers writes "Breaking in to an encrypted router and
using the WiFi connection is not an criminal offense, a Dutch court ruled. (Original article in Dutch; English translation.)
WiFi hackers can not be prosecuted for breaching router security. The judge reasoned that the student didn't gain access to the computer connected to the router, but only used the router's internet connection. Under Dutch law, breaking into a computer is forbidden. A computer in The Netherlands is defined as a machine that is used for three things: the storage, processing and transmission of data. A router can therefore not be described as a computer because it is only used to transfer or process data and not for storing bits and bytes. Hacking a device that is no computer by law is not illegal, and can not be prosecuted, the court concluded. "
How many "bits and bytes" does a device have to store to be declared a computer? I mean, mine stores a password, those are a few bits, where is the limit? I don't know enough about the case to comment on the details, but it seems an odd thing to base a ruling on to me.
So what happens when you hack into my fancy router with the flash drive dock and I've got a memory card in there?
Every router I've seen for years has storage for log and configuration files. My current has four Gigabytes.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Speaking as though this passed in the US, I'm mildly concerned. There are plenty of extra costs that may be incurred, such as metered bandwidth or access of illegal materials. If this were to fly, it would also necessitate that other people using your network without authorization would not come back to bite the network holder.
So this means effectively that any network equipment is fair game for hackers in holland? This judge obviously does not understand that data storage doesn't require a hard drive (just ask my iPhone or my iPad or my routers, etc.). Also last I checked most network equipment has buffers that store data in transit (no different than an email transfer agent would, like sendmail or postfix which I'm guessing he would have ni trouble classifying as a server). All of this is especially ironic to me since I just finished an article on buffer bloat (the exact problem is that network devices are storing to much network data which impacts network performance).
Interesting, but don't routers have buffers, which store information, albeit only temporarily? Not to mention RAM for various things.
Honestly, this kind of action should have its own set of laws to cover it rather than relying on existing laws that weren't designed to cover such activities.
My router stores configuration data. My router processes DHCP requests. My router transfers packets between the internet and my network.
This judge fucked up.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
would beg to differ.
However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.
In layman's terms, the question can generally be worded as, "Can I install apps on it, write a term paper with it, then use it to browse the web." If the answer is, "yes," it's a computer.
Check out my sci-fi/humor trilogy at PatriotsBooks.
OK, so if my router can have a USB hard drive connected to it, am I safe then? Wait, is my computer a computer? Its hard drive doesn't process, its CPU doesn't store, and its ethernet card doesn't process? Is it a computer, or a Chinese Room?
Seriously people, technocracy NOW!
suddenoutbreakofcommonsense
am i right?
Just to clarify, cracking access to the disk should be criminal trespass in that you are accessing a resource (disk) that is effectively a part of my computer even though it happens to be physically attached using the network.
Seriously? Five minutes between posts for logged in users? What's wrong with this site? That's okay. I'll just click every second until it lets me post.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Especially routing information. They store the results of ARP requests too. And they process information to decide how to forward packets. Apparently the judge wasn't too clear on how routers work.
No one ever had to evacuate a city because the solar panels broke!
So an internet kiosk is not a computer since you can't perform word processing or install arbitrary applications on it? I don't buy that. Also your definition doesn't account for big iron mainframes, or smaller classes of commodity servers, or automotive telematics, or industrial controllers, or in fact a majority of the actual computers in existence. Like this judge, your definition is too narrow to be realistic
Although I'd not say that someone using such a hacked WiFi should not be punished, I find their reasoning more than questionable. I run a dual core 400 MHz P-II as a router (WLAN AP with 63 chars WEP2 key), so hacking mine would be criminal. I don't see why hacking a - properly secured - usual WLAN router box should be treated differently. I'd decide that based on the intention - if it was just for regular internet usage - OK then just give the offender a slap on his ass, but if it was to commit serious crimes, then kick his balls.
The judge is a fool. Routers store data such as DHCP info and passwords created by the OWNERS.
AFAICT, the law requires that a computer be accessed without authorization AND that "personal data" (I cannot find what their legal definition of this is exactly) must be exposed as a result.
Unless said router also has NAS capabilities in use or the log files can be considered personal data, the law does not apply.
upon the advice of my lawyer, i have no sig at this time
A switch isn't necessarily a computer but a router definitely is. Back in the day all routers were physical PC. Now they are embedded systems. And they store all sorts of information, most importantly routing information!
But a dunce cap on this guy and make him sit in the corner.
So servers aren't computers?
Honestly, I know people who use Linux boxes as routers. I also know of routers that can be configured to run small web servers (not just the configuration pages, mind you).
This decision is really, really weird.
or the judge used a previous court ruling that determined routers do not store enough personal security information (SSN/Credit card numbers/etc.), are not used as a "Computer" (in the traditional sense), and are not designed to do so.. thus they are a "computerized device" and not a "Computer".. which pulls routers out of the "Computerized Intrusion" law -- perhaps this is covered in another law and the lawyer wanted to pin the hacker on the hardest offense he thought he could pull off
A router is a computer and it stores information. Many routers have access logs. For me breaking into an encrypted WLAN is like mechanically removing the lock from an ethernet port on private property and plugging youerself in. In the normal case you still can log what is currently going on (Wireless can not be switched, so you see all packets), and in the worst case see logs or manipulate the router without any trace.
Should i move to the netherlands, i will use a VPN service to access the internet and a cabled lan to access my NAS (thats anyway my current config).
Every router I've ever worked on has stored data, processed it and transmitted it.
It appears "Intrusion" requires you view the information on the device...
Do they have a "theft of service" law in the Netherlands? If so, running up a big Internet bill might be grounds for that.
but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.
This is true of a "general purpose computer". Have you a citation that "computer" necessarily means "general purpose computer"?
Seriously? Five minutes between posts for logged in users?
I think you need 25 posts modded in-something to get fast posting privileges.
Your passphrase is personal data. Unless, you accept that a secured wireless router can be routinely accessed without a passphrase, they have personal information at their disposal. They also will have access to all your traffic to and from your other PCs. Accessing a network is as bad as accessing a particular PC. Seems the judge just made it open season on all private networks if there is an AP on it.
Good job!! /s
would beg to differ. However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.
Keep begging, I'm not letting you "differ"; Not with that bogus argument anyhow.
I SSH into my WRT54GL router w/ Tomato Linux firmware. My router runs Linux from the factory and has a "firmware upgrade" option that I used to install the aforementioned Tomato Linux.
I write my own small C programs, cross compile them for the router scp (copy) them into and run them in the router. It is every bit as much a computer as a web server is -- Hint: you use the HTTP web server interface to configure most every router. My "embedded" router IS a computer. It stores data & programs that processes my data, and transmits information.
Hell, my wired "router" that is connected to the actual modem is a Linux box with 5 NICs -- each of my WIFI routers (one for my devices only, the other for friends / relatives) are plugged into one of the NICs on the Linux box. This Y router configuration prevents devices on the "friends" router from being able to ARP poison machines on the other wireless router (my small programs running in the wifi router can detect and report ARP poisoning and other funny business, disable the WIFI and alert me).
Anyone who gains access to my "friends" WIFI router can ARP poison anyone connected to that router, MiTM attack & DoS attack them as well -- This judge is misinformed. Hacking into the "friends" router can actually allow someone to "steal" my own copyrighted software that it STORES and RUNS.
Anyone who gains access to my wired "firewall" router can subvert the whole system, and screw with my public GIT repositories (thankfully PGP signing exists).
Something you can do on a computer is play a Tetris clone against multiple live opponents and add to or view the stored high score tables. Well, I created a terminal application that uses Ncurses to do just this -- I run it inside the "embedded" WIFI router (4 players at once actually doesn't kill the router performance too much). Hell, search Ncurses games to find games you can run in your Linux based router and play via SSH. Also checkout OpenWRT, you may prefer it to Tomato Linux.
Rule of thumb: If you can play & create games on it and it can keep a persistent high score table its a damn computer.
Or at least bad interpretation. Of course a router is a computer. This is what happens when you let lawyers write laws about technical things.
I guess the Dutch can have a system where privacy is the real deciding factor, but I prefer the property-rights approach. This freeloader unjustly confiscated the resources of the router's owner, resources his labor was spent to acquire. Is it OK in the same court if I just borrow an owner's car (without permission) for a couple hours, if I don't look at his info in the glove box?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
However, it still isn't a computer. Embedded devices might be functionally capable of doing many of the same things, but what distinguishes a computer is whether it provides the ability to install and run arbitrary software (not just whatever the manufacturer installed) that allows the user to create and store significant amounts of information without hacking the device in any way.
Ever hear of DD-WRT? Optware? And no, before you say it, a firmware update is not "hacking the device" by any stretch of the imagination. By your logic, my Asus router would be a computer, but my linksys router wouldn't be.
Nonsense. Here's what Miriam Webster has to say on the issue:
computer
noun, often attributive \km-pyü-tr\
Definition of COMPUTER
: one that computes; specifically : a programmable usually electronic device that can store, retrieve, and process data
Any router I've ever seen would fit into that definition.
Router Logs.
Case closed Bro.
You're welcome, America.
A Judge is there to enforce the law not create or redefine it (exceptional circumstances excluded). From TFA the judge ruled the hacker did not gain access to the computer system only the network. The issue here is NOT the judges ruling, but the law.
By computer, I'm using the term to mean "general purpose computer", which is how the term has been used by the vast majority of the public for at least a couple of decades. By loose enough definitions, my wristwatch is a computer. That doesn't mean it is what people intended to protect when they wrote laws protecting against computer break-ins.
An Internet kiosk either can meet those definitions but has been specifically limited by the owner (a user) by installing software so that other users cannot do those things or it cannot, in which case it is not a computer. It's not my definition of computer that's wrong here, but your definition of user. Any administrator is also a user.
And my definition works just fine for mainframes and servers, too, for the same reason. The sysadmin can install apps (and in many cases, all users can compile and install apps, though again, that's a site-specific policy), you can browse the web (even servers typically have lynx, and even CICS can telnet to port 80...), and you can write a term paper on them.
Embedded electronics in your car, however, are not computers in any meaningful sense of the word. They are embedded devices. Industrial controllers are certainly not general purpose computers, either. That said, breaking into an industrial controller should fall under other laws, like any other form of sabotage of industrial equipment. That should have significantly steeper penalties than breaking into a general purpose computer, and there's no reason for the same set of laws to cover both.
Check out my sci-fi/humor trilogy at PatriotsBooks.
And you've hacked the router to do all of this. That's not the way a router was intended to be used. By that same definition, my laptop is a dinner plate, and a few of my old LEDs are firecrackers.
The purpose of laws against cracking computers is to prevent data and/or identity theft. To the extent that your router contains enough data to steal... maybe... but that's *really* a stretch.
Besides, nobody is talking about cracking into the device itself anyway, but rather cracking access keys to gain access to the network. I'm sure even you would agree that doing so does not constitute accessing a computer.
Check out my sci-fi/humor trilogy at PatriotsBooks.
I have an ASUS rt n16 with 128 MB RAM and a Broadcom4718A at 480 MHz, an external 2TB drive. By early 2000 standards that's a heck of a rig.
I was going to use an old p3 and use that as a router, but I guess it wouldn't work if I went to the Netherlands?
The other question becomes is did actually access the router?
If I came along with my laptop and plugged it into your LAN (lets assume legally but without your knowledge) get an IP and start surfing the web, have I accessed any of your computers?
I am from Germany and our goverment is a bunch of nazi-nitpickers when it comes to the rights of individuals but are ueber-liberal when it comes to the rights of huge corporates.
I welcome this example of how things in the netherlands, again, differ.
I love that small country.
so if you want to ensure prosecutability of intruders install dd-wrt and store some docs on there
Snowden and Manning are heroes.
And you've hacked the router to do all of this. That's not the way a router was intended to be used. By that same definition, my laptop is a dinner plate, and a few of my old LEDs are firecrackers.
Define "hacked". I used the router's own firmware upgrade feature. My point is that "router" doesn't have to mean embedded device -- Hell, take any computer with more than 2 nics on it and you've got a router. Some of the "factory" firmware upgrades add additional features -- Clearly the functionality is PROGRAMMABLE -- Guess what, that makes it GENERAL PURPOSE.
Your problem is that you are defining a "computer" by the software that it comes with -- from the factory. I'll have you know that none of the "General Purpose Computers" in my house came assembled from any "factory" I build them from parts -- The Hard Disk Drives I purchased came WITHOUT SOFTWARE. By your definition I "hacked" them into being "general purpose computers" and even "routers" by installing Windows & Linux on them... That's a really rediculous view. All of my PC and (embeded) router HARDWARE are capable, from the "factory", of installing additional 3rd party applications & OSs.
So, if you're granting that my "hacked" (firmware upgraded) router is a "general purpose computer", and is no longer an "embedded device", and my PC can also be a "router" -- We've just established that the terms "router", "embedded device", and "general purpose computer" all depend on what SOFTWARE is running on the programmable computer... Hint: It's programmable == It has software == It is general purpose, not tied to a set of tasks by the hardware == Yep, routers can be computers. Computers can be routers, some routers are computers, however, not all routers are capable of "general purpose" computing -- Just any that have a "firmware upgrade" option... (that's nearly all consumer routers; Very few are hard-coded non-programmable silicon -- Security flaws can't be updated, bad idea).
Your "install & run arbitrary applications" definition of a computer does not hold water.
The purpose of laws against cracking computers is to prevent data and/or identity theft. To the extent that your router contains enough data to steal... maybe... but that's *really* a stretch.
Perhaps you missed the whole part of my comment about how having access to a router gives you the ability to do a man-in-the-middle attack and thereby STEAL ALL OF MY WEB DATA. (Which is why I had to set up the Y config -- because anyone gaining access to a router can steal all of your web data traversing it via ARP poisoning/spoofing.)
Besides, nobody is talking about cracking into the device itself anyway, but rather cracking access keys to gain access to the network. I'm sure even you would agree that doing so does not constitute accessing a computer.
The NETWORK is made of COMPUTERS. Accessing the network gives you access to data that my computers are transmitting -- What, at your house you just have a bunch of "routers" with no "computers" attached? (What's the purpose of a router again? To connect COMPUTERS to other COMPUTERS.
Even if someone hacks the WIFI and only uses my Internet connection, they are unlawfully accessing the web service that I pay for -- I have a usage cap. If they fill up jugs with my water hose, they are stealing the water I pay for -- If they use my bandwidth they are stealing the service I pay for. I suppose you wouldn't care if someone just siphoned off the fuel in your car -- They didn't actually gain entry to the vehicle itself, they left it right where it was -- It's not stealing then, right? WRONG, it's illegal because they took something (fuel) that was yours.
If it's not illegal to steal my network bandwidth then it shouldn't be illegal to pull your electric meter can out, and close the gap with copper bars to use free electricity right? You're just using the electri
Vincent: So what you want to know?
Jules: Well, hacking routers is legal there, right?
Vincent: Yeah, it's legal, but it ain't a hundred percent legal. I mean, you can't walk into a restaurant, roll out your netbook, and start wardrivin' away. They want you to hack routers in your home or certain designated places.
Jules: Those are router bars?
Vincent: Breaks down like this, okay: it's legal to hack a router, it's legal to own one, and if you're the proprietor of a router bar, it's legal to sell routers. It's illegal to steal one, but that doesn't really matter 'cause get a load of this, all right - if you get stopped by the cops in Amsterdam, it's illegal for them to search you. I mean, that's a right the cops in Amsterdam don't have.
Good. It should not be up to the government/justice system to deal with this. You get good security, or you share.
a) Breaking into a password-protected router requires bypassing a security mechanism implemented by the owner of said router. It's the same as forcing the lock to my home's door, which last time I checked is 100% illegal (even if the burglar doesn't enter my premises).
b) Bypassing security mechanisms is the key idea behind the DMCA line of argumentation. Why is copying a DVD an illegal act and breaking into a router is not?
c) I spent considerable amount of time composing and testing a secure WPA key, which I keep to myself like my social security number or my ID card. Therefore, my WEP key is my private sensitive personal data that should be protected by law.
d) If I remember well, the contract and TOS of my ISP, who installed for me their ADSL wireless modem/router, specifically prohibits non-contractors (e.g. neighbours) accessing my router without my knowledge. In addition, in some countries, which escape me now (Germany?), it's quite illegal to operate an open (not password-protected) router.
e) If this type of activity (hacking routers) is declared legal (or at least not illegal), then everybody will be doing it and the security of ANY type of wireless networks will be seriously challenged. The incentive is huge and new idiot-proof hacking tools will no doubt be developed that will allow kiddies to effortlessly access their neighborhood's WiFi spots which have not blacklisted the .xxx TLD yet.
IANAL, but the only way I can explain how this horrendous ruling came about is by the combination of a very good defence lawyer and a 70 years old judge.
And if you hack a routers wifi that happens to have logging enabled, then you'll know what sites users of the router have been at. Hence Personal Data hosted.
Wonder if this ruling is a back door for law enforcement or other entities cough* google cough* to snoop at their own whim or reason.
Unfortunately for this court, they should not have defined a 'computer', the Dutch law speaks about an 'automated device'. In 2008 the Supreme Court defined an automated device as a computer or a network of computers. So the appeal to the Supreme Court could very well be successful.
I did not realize the Dutch were so naive.
DD-WRT/Tomato K26 builds with a USB Framebuffer + keyboard + XOrg Optware on a 1 TB external hard drive
Given, it's painful to do this on a RT-N16 with a MIPS32 processor, USB hub, and with only 128 MB of RAM, but it's entirely doable.
Did I mention that a lot of Broadcom routers run Linux out of the box?
I'm not here to defend this court's ruling, however I do think that I can clarify a bit by helping out in the translation (I am Dutch).
The point the judge seems to make in the original dutch article is that he works with the premise that routers are not intended to store personal data, only to facilitate communication. However many arguments can be made for it either logging, hosting a printer spooler, SMB, FTP, HTTP, torrent client or otherwise personal/private service that involves storage of (implied personal/private) data.
They go on saying that while using somebodies internet connection is not an offense under criminal law, it is under civil law. Due to the claim that one's bandwidth might have been limited by efforts of the offender. The reason, as they claim, that it is not an offense under criminal law is that the internet connection(bandwidth) is a service rather then an commodity and therefor can not be stolen in the definition of criminal law.
Suffice to say that there's a lot more in that article then google translate will let you decipher, although in my personal opinion it's still fundamentally wrong to let someone get away with breaking a security mechanism (as weak as it may be) to gain access to (public) network services. Would the defendant have been at a venue that offers free WiFi network access for instance, and connect without breaking the encryption it would have been a different story I guess.
As for breaking into the router/AP, there's no claim that the router/AP was broken into. Granted the defendant hijacked the network wifi signal but this can be done without breaching the router/AP device security. True it gives access to the internal interface of the router and therefor in most cases the management software on it, however the article does not state a claim that router/AP management was breached. I find it weird tho that they do not address this since usually the lawyers nitpick at everything, they are clearly not burdend with any actual knowledge of what happened.
Just my 2 (euro) cents tho..
It might be good to note, that these actions can still be prosecuted under civil law. That is, the intruder can still be held accountable for costs incurred by his use of the network. Having said that, I personally still think this should be a criminal offense, as it is a clear breach of privacy. What I do on my local network should be my business alone. Right now, the defense is required to prove eavesdropping on the network itself, which is very hard to do.
As a dutch person, I have of course followed this and the judge simply stated that with the current law, there is no ground for criminal prosecution in breaking into a PURE wifi-router. A lot of modern wifi-routers for consumers are no longer just plain routers but offer computer services like bittorrent and network attached storage.
Anyway, the judge did say you could start a civil case against the hacker.
But also keep in mind that the dutch legal system is extremely wonky, ruled by judges who are completely out of touch with reality. Yeah yeah, that is claim you can make in most countries but personally I expect this loophole, which it is because it goes against the spirit of the law, to be closed pretty fast.
Because right now, this judge has declared that taking fuel from his car is not theft. But oddly enough not said where he parks his car.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
sshd, vim and lynx, check, check, check. I can on my router. Infact I'm not running stock firmware on it at the moment.
i would say technically they did break into a tiny computer. however, googles wifi 'scandal' was completely innocent
I read the article in the original Dutch, and while it indeed states that hijacking someone else's "secured or unsecured Internet connection" is not a criminal offense, it is still a civil offense. You could sue for damages.
Another interesting note is that this is in the context of a school kid posting a death threat online. The kid was convicted for the death threat, but wasn't punished extra for having used his neighbor's network or Internet connection, presumably without permission.
Please correct me if I got my facts wrong.
By computer, I'm using the term to mean "general purpose computer", which is how the term has been used by the vast majority of the public for at least a couple of decades. By loose enough definitions, my wristwatch is a computer. That doesn't mean it is what people intended to protect when they wrote laws protecting against computer break-ins.
I'm pretty sure a router DOES fall under what they INTENDED to protect with anti hacking laws. For these are the gateways to private intranets housing sensitive corporate and personal data. The fact remains, The judge's interpretation is wrong, as is yours. Sorry but it's true..
I use a old Pentium 3 running Debian as a router. Ofcourse i didn't put a wireless card in it, since i don't need wireless connectivity, i doubt most people do, it's probably out of laziness that people use it instead of just pluggin in an ethernet cable... (unless your device doesn't have an ethernet port).
By the way, you can turn off the wireless connectivity on most routers and you should, if you're not using it...
all routers can run arbitrary code. look up ddwrt
sorry do you know anything a "general purpose" computer has a specific technical meaning in CS. and all routers pass that
i would consider my "secret" that i used to secure the router personal information in teh same way my atm card pin is personal information
I'll dissent a bit and say that IMO this is a fairly good ruling.
That's not to say it should be legal, but it should fall under a different law, something like "theft of services". Like whatever law applies to hooking up to somebody else's electricity or water supply.
I don't think breaking into somebody else's computer, and using their internet connection without permission are equivalent. They're done for different reasons, though they may be connected, and the seriousness isn't the same.
I disagree strongly with their ruling. If I place a password on my router and use encryption, it is OBVIOUS it is a private network. Breaking into that network for ANY reason is, essentially, trespassing and SHOULD be a criminal offense. It doesn't matter the reason.
Under their logic, I could place locks on my fences on my property, but someone would be allowed to go onto my property, pick the locks, and break into my backyard... but that is OK as long as they wear a blindfold?
Just having a wireless network is NOT an invitation for people to break into it or use it. One could argue that if it is not encrypted, then it is a public network... and I could go for that. But to say it is OK to break encryption (and it doesn't matter how easy that is) to gain access to a private network is just wrong. The encryption is a clear sign that those not given a key are not welcome, and someone using that network is using bandwidth and resources without permission, even if they don't "snoop".
You are a 5digiter, yet you ask *that*? wtf?
Note that the neighbour has given up the password of the (ADSL) router voluntarily because the internet connection of the suspect (probably cable) was sometimes unstable. So the message was just posted over a connection differently than the one he owned, probably to disguise his location. Nonetheless, it seems he just used the internet connection, albeit in a way that is not according to Dutch law. The neighbour has just been inconvenienced and will probably now think twice when somebody asks her to share her internet connection. But I don't see how this is the same as "breaking into a computer". If it was, imagine what would happen to you if you borrowed a piece of kitchen equipment while taking care of the house of your neighbour*1.
Note: I'm Dutch, if you require anything translated, please let me know by posting in this thread
*1) I'm starting to get old, nowadays you just ask over mobile :) But you get my drift.
Heck, my router stores a password! a list of personal Mac addresses! It could store the identity of my computers that talk gaming, VoIP! Nothing stops you from using your router to store internet passwords in, for example, mac address tables. The data would be safer there than on your PC!
My Cisco 871 I have here at home has flash storage, and usb ports for additional storage. I have a couple versions of IOS, and several configs stored in flash.
If i wanted, I could store other small files, un related to teh routers operation on there as well... So, where is the line drawn? Basic best-buy/wal-mart bought
home routers?\
So what happens if someone breaks your password (or even a business router's password) and sells the info to someone who WILL do something malicious? Is that person no longer liable due to the fact that he committed no crime?
My router stores data (some generic qwest shipped me for dsl, I don't care even to know the model). How else does it remember its MAC authentication settings? How else does it feature a web front-end to manage it? And also I can telnet in and modify the binaries that run on it. In fact, I do that. I have custom binaries running on the thing and I from time to time have to kill some processes. So you see, I *intend* my router to be a "computer" according to Dutch law. It's embarassing the ignorance in that ruling. At least in the states we know better, that's a crime to steal WiFi.
Having easy access to steal your data and actually stealing it are two different things. Both are wrong, but they are two different issues. It is akin to making the claim that someone who breaks into my home while I sleep is guilty of murder because he could easily kill me in my sleep.
The results of "breaking into" a router (whether it is wide open or not) is impersonation/identity theft and theft. If someone connects and then behaves themselves, then the results of the offense are nil. The issues become apparent when the intruder downloads GB of warez and you incur overage charges from your ISP and a visit from the police.
As for breaking in itself, instead of a car analogy, let's use a bike analogy. I like near a large cottage community that has free painted community bicycles. It's understood that the bikes are free for use, and than they're expected to be used nicely. There are also bikes in people's yards, some just laying there, some locked up. It's understood that those bikes, whether they're locked or not, are NOT ok to take. Why? Because they belong to people, and are not for public use.
Even children understand this. Judge has reasoning skills of a toddler.
A coffee shop network is understood to be public. Acting like connecting to a network in suburbia in the same way's ok is laughable. If I had taken a bike from a neighbour's yard when I was a kid, I would have been dead meat. Could you imagine the look on your parents' faces if you said "It's ok because they were just sitting there?" Could you imagine the reaction of the victim if your parents went to them and said they have no recourse because the bike was just capable of being gotten at, locked up or not?
No, I'm defining it based on the hardware's intended purpose. A router was designed to move bits around from one network to another. It was built with the absolute minimum amount of hardware needed to do a single, specific task.
By contrast, a traditional computer that happens to have two NICs was designed for general computing use, and is being used for a more limited task. There's a fairly fundamental difference between the two.
I don't think it's unreasonable to assume that 99.9% of people use hardware for the purpose it was designed for.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Depending on how you define I/O, they either do or do not pass that. I would argue that the original intent of the term was to refer to devices that provide input and output directly to the user, e.g. a keyboard and screen, in which case they don't.
Either way, the original intent of the term was to explain the difference between parts that were designed to be used for a single purpose via parts that were designed to be programmed for arbitrary computation. That distinction, thanks to economies of scale on standard CPUs, has shifted from the CPU level to the whole-system level. The term needs to evolve similarly, for as originally defined, it is a useless distinction; all devices with any sort of processing ability built in the last two decades or so qualify, including the 8-bit CPUs in my microwave oven and my clock radio. Clearly, this was not the intent when the term was coined, as neither qualifies as general purpose by any rational definition.
Also, the term as originally defined is a really poor piece of terminology because it does not describe a computer, but rather, a CPU/processor, which is something that the rest of the planet has not called a computer... well, ever.... Thus, I think that term should be renamed to "general purpose processor".
Check out my sci-fi/humor trilogy at PatriotsBooks.
Yes, it is. The manufacturer didn't design those routers with the intent that people would run their own applications on them. Sure, they might have been kind to homebrew hackers and added a little more RAM and flash than their firmware required in certain models, but clearly the assumption for these devices is that the firmware upgrade mechanism will be used for running prepackaged, manufacturer-provided software kits without modification or addition, not a completely separate OS with a whole new pile of software.
I said hacking, not cracking, just to be clear. You know, as in "exceptionally clever programming"—the sort of clever work that involves soldering JTAG pins onto the board and attaching a debugger to repair things after accidentally bricking the device because it wasn't designed for users to add arbitrary software to it....
That's decidedly different from, for example, a computer based on Windows or Mac OS X, in which the average user is expected to go out and download software to add functionality. From a system design perspective, one is general purpose, the other was designed for a single, specific task.
Check out my sci-fi/humor trilogy at PatriotsBooks.
It was annoying at two. Now, it's just obnoxious.
Check out my sci-fi/humor trilogy at PatriotsBooks.
From what I understand, the judge didn't rule that hacking the router is legal. Getting access to the network is legal.
This does not require getting any access to the router, just the key for the communication between the devices and the router.
The analogy would be that it would be legal to listen/join discussion where everyone used an secret language.
what point are you trying to make a router can be made to run arbitrary code what does IO have to do with it?
The router IS classified as a computer according to the Dutch rubric. It has a processor albeit not x86 it's a SOC (system on a chip). It does store quite a bit of data to include configurations, routing tables, and includes passwords. The data was also accessed and exploited (indirectly) by the intruder to gain access to the Internet, thereby classifying this as illegal to thier own standard. The judge was wrong on his classification, and the prosecution failed to provide the proper expert witness testimony to clarify what a router is and does. As far as the misguided "you better learn how to secure your router or it's your own fault." routine... Wireless is always considered an unsecure medium for this of us that are in the security field. Even WPA-2 is vulnerable given penetration software (freely found on the Internet), rainbow tables, time and other methodology. WPA-1 and WEP are even worse and a script kiddy can look up how to break into thier neighbor's wifi on YouTube. Fact of the matter is... If u have a wireless access point (most of us do) it's not impossible to crack. But, if you do encrypt it (and in this case it was encrypted)... most people feel they have a right to privacy on that network and should be able to assume that it's "reasonably secure" as the law should afford us (the general public) these rights and protections. (from a western legal ideological point of view). In the U.S. This has been accomplished by the electronic data acts... And the constitution. Posted from my iPhone :-)
I fundamentally agree with the outcome... that it is not criminal action to 'crack' breakable encryption. However, I think their assertion that a router is not a computer is simply incorrect.
I dont think the court had any experience with alternate router firmware that is available. I've tinkered with a few open source firmwares and they do allow for attaching a hard drive to the USB port. Anything can be stored on this drive including personal data that could be accessible to a wireless computer attached to this network.
In this case, I'm sure it was a standard router with the plain default router software installed. I'm just saying that this is not always the case.
Summary:
To say that a router is not a computer is incorrect.
To say this person committed no crime is correct.
...theft? ...of bandwidth?
What the court has failed to recognize is that once the hacker has gained access to the router, the hacker now has access to all data being transmitted through that device. It is not difficult, for even a "student" to establish an interception point for all data flowing through the router and then take action against it. While the court and the laws, by definition do not consider the router a part of the broader "computer" world, perhaps the prosecution should have been on a different front. Perhaps the charge should have been hacking into corporate and personal data instead.
I think it's a only a small violation, if one at all, to connect to someone else's router if it is unsecured, if you don't violate their privacy by hacking into their computer and reading their files. We live in an apartment building and left our router unsecured so other people could use it if they wanted, but it got too slow so we secured it. Now we let one neighbor use it by giving her the password. Sometimes laptops will connect to any available network, if one's own network is down. Hacking into a router and changing the settings is more of a violation, but I'm not sure it's a criminal one. Especially if the person who set up the security on the router used the manufacturer's default password. More of a nuisance than anything else. I wouldn't want this kid to do prison time for that. A misdemeanor or a warning for the first offense.
Yes, it is. The manufacturer didn't design those routers with the intent that people would run their own applications on them.
Actually, the Asus routers were specifically designed to be able to run third-party firmware. Seems irrelevant, though - what the manufacturer intended doesn't have anything to do with the definition of "computer". If I make a car but tell people they have to use it as a boat, that doesn't stop it from being a car. And if I remove the wheels from it, it's not "hacking" when the customer goes and puts on a new set.
You know, as in "exceptionally clever programming"
If you think that flashing firmware is "exceptionally clever programming", I don't think we're going to resolve this discussion in a civil manner.
my router has 32Mb data storage with private info, a USB port with external HDD and runs normal Linux OS and it's computer.
It's stupid setup but it works. It is a small computer.
This is where you see the incompetence of the defending lawyers, as the judge's claim was very poor....I could have contested that the configuration files that are saved on the router, in order to do backups or restore points for configurations of the routers and all the help pages for setting up your router are considered files that are saved on the hdd (however small it may be ) of the router, and I would have gone further with that claim, that if the said description of a router fails to imply it is also a computer, then most appliances and cars and planes even would not be considered to have computers in them as they hold no info either,which is bollocks because we all know you need space to compute info and most info stays in that space for a time.
I am very uncertain the judge is qualified enough to make this claim based on his sad argument, i am not sure if this is equal to the supreme court level, but I hope it does not parallel our justice system, and get used to set a precedent here..as I would not like to think that after i encrypted my connection, if someone broke it, then would use it without any problems what so ever.
Heck, maybe if that judge had someone using up his connection and bandwidth so he got surcharges from his ISP for downloading all these movies...maybe then he would realize his mistake.....anyone got his address, i want some free internet...
Actually some routers do store data because they can function as a NAS (network attached storage) and in the interface you have the ability to wipe those storage areas. Those type should fall into the computer category because they can even download directly to the storage area. For that matter mine has an internal 80GB hard drive that i use to store some backups and also download to once in a while.
Why judges who have no technical knowledge should not be allowed to judge a case of technical merit.
nor is smoking pot
I didn't have any photos or diary entries on the DEC and Prime computers I worked on at my first job? a computer is for more than entering pics of you on face book you know :-)
This whole issue involves subtle legal distinctions, so that reliance on machine-translation (Google or otherwise) from the Dutch could be unwise. I've posted my own translation of the original Dutch article on my EuroSavant weblog: http://www.eurosavant.com/2011/03/29/opw-other-peoples-wifi/