Data Engineer In Google Case Is Identified
theodp writes "Meet Engineer Doe. A NY Times report has identified Marius Milner as the software engineer at the center of the uproar over a Google project that used Wi-Fi sniffing Google Street View cars to collect e-mail and other personal data from potentially millions of unsuspecting people. Milner, creator of the wardriving software NetStumbler, referred questions to his lawyer. Google declined to comment. A patent search shows the USPTO awarded Google and Milner a patent in June 2011 for protecting Internet users from 'hackers and other ne'er-do-wells [who] may seek to tap into communications on a network.'"
Fall Guy In Google Case Is Identified.
FTFY
#fuckbeta #iamslashdot #dicemustdie
Or in this case, if you have something that you don't want anyone to know, maybe you shouldn't be broadcasting it over the airwaves to the public at large.
Just a thought.
He's a witch! Burn him!!! Burn him!!!
Seriously, though, it sounds like he is a fugitive on the run that got fingered.
Or in this case, if you have something that you don't want anyone to know, maybe you shouldn't be broadcasting it over the airwaves to the public at large. Just a thought.
https is your friend. Seriously on any wifi network you should use https for anything secure.
You can't be that stupid. I live in a place that has wifi where you log in with password. It is encrypted, but after logged in you can still sniff everyone else on the network. It still doesn't make it right to do so. Likewise, your internet traffic goes unencrypted when it leaves your house. It doesn't make it right for me to plug in to that in between your house and ISP and capture that data. Google and Marius Milner can go fuck themselves.
So then you won't mind me recording your cell phone calls? You're broadcasting them to the public at large so that makes it okay, right?
If this guy is responsible for sneaking the phrase "hackers and other ne'er-do-wells" into an official legal document, I sort of like him already.
In general though I don't see much reason to single him out, when it seems fairly clear (from what evidence is available) that this was a Google project, not a "rogue employee" acting against management's wishes. There are cases where I'd support individual employees being held accountable, but I'm not sure this rises to that level; whether this turns out to be right or wrong, I think Google as a company should own the actions.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Neither of those analogies are appropriate, and your reaction is awfully spiteful for someone who likely wouldn't be on an unencrypted wi-fi network in the first place.
In one of your examples, you're given access to a private system with the idea that you won't mess with others.
In the other, you're tapping into a private circuit with the intent to steal data.
If anything, home routers should come pre-encrypted, with the random default key on a sticker on the bottom, and display a warning and disclaimer for people who wish to run unencrypted wi-fi.
Someone before made the analogy about this being like having sex with the windows open, and then saying anyone who happens to stare for a few extra seconds can go fuck themselves and deserves to die. What kind of person ARE you???
Not every site supports https, and I don't want some random people to snoop data even if it isn't as secure. And in fact, I do use VPN for exactly this reason, but I am in the minority that knows this stuff. 99% don't.
The reason we have laws is to prevent people from taking advantage of situations. Your reasoning is along the same as "you shouldn't go out if you don't want to get stabbed". It is not a reasonable suggestion. We prevent people from abusing things like this with laws and there are penalties if they do. I hope Google gets fined big time and every engineer and supervisor associated with the project put into jail. That's what would happen to any individual doing this.
NetStumbler for Windows and MiniStumbler for Windows CE downloads are at: NetStumbler.com
Downloads are free but PayPal donations are accepted.
DarkStarZumaBeachSurfinApocalypseWow
You can't be that stupid...
If the system is open, and easily sniffable, you're an idiot for using it with stuff you don't want publicly accessible.
* I don't use WiFi at home (easy enough to wire a place up, a simple weekend project).
* When I do use WiFi...
** If it is encrypted, then I will use things like email, etc. But only if they are on a secure pipe (such as https / pops / etc.). I still won't use it for anything financial.
** If it is unencrypted, then I will only do casual browsing - no stuff with user names or passwords.
* Wired is treated like secure/encrypted WiFi, except I will do financial things (if it is a network I trust)...
Remember, on the internet, paranoia is your friend because everyone IS out to get you.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
https is your friend. Seriously on any wifi network you should use https for anything secure.
MITM attacks on public wifi hotspots are mostly trivial. Yeah, keep believing that using HTTPS is securing anything.
I guess it would be beyond expectation for someone to tell anyone complaining their data was "stolen" that they should have been pumping it into the local atmosphere for all to read without any encryption or other basic protection.
Yeah, holding people accountable for their own idiotic actions would make too much sense. Besides, we make far too much money out of idiots who bought cool stuff with no clue how it actually works - me especially, a lot of my tech support clients use Macs.
I live in a place that has wifi where you log in with password. It is encrypted, but after logged in you can still sniff everyone else on the network. It still doesn't make it right to do so.
So it's not public.
It doesn't make it right for me to plug in to that in between your house and ISP and capture that data.
So it's not public.
You can't be that stupid. Yet you've made multiple posts showing otherwise.
If you broadcast your data over airwaves, without encryption, you get what you deserve. Seriously this is only an issue at all if dimwits would just enable encryption. Instead of google doing this it very well could have been your creepy next door neighbor. Which one would you rather see your packets? Oh right, neither, so turn on encryption.
I'm not sure how this story is still even an issue. Geeks should already understand this, if you don't, you aren't a geek. Also, troll stories are troll-e.
Your reasoning is along the same as "you shouldn't go out if you don't want to get stabbed". It is not a reasonable suggestion.
Do you even have the ability to grasp granularity of magnitude that isn't all on or all off?
HTTPS isn't the issue here. THERE IS NO PRIVATE NETWORK ON OPEN WIFI. A secured connection, a dedicated connection from an ISP, these are PRIVATE connections. OPEN WIFI is a PUBLIC ONE.
You don't want people listening in on your phone calls? Don't have them outside in a public place, the hobos might steal your trade secrets (or whatever paranoia types like you subscribe to).
You don't want people listening in on your data? Don't transmit it on a "public" medium.
HTTPS and SSH cannot be sniffed on your wifi, nor does either one "go unencrypted" when it leaves your house. Broadband providers using DOCSIS protocols also are not sniffable by your neighbors.
However, I recommend you should worry more about "is it possible" and "is it likely" rather than "is it right". Our government and the big corporations (that's redundant, I know) clearly aren't at all concerned about your ideas of right and wrong.
Posting anonymous so this will not haunt me forever through the net (unless you are tracking me already har har).
Has anybody actually been hurt? Because, uh, I'm just asking. I'm all for privacy but I don't see anyone poring over my data in this case. So has anybody been hurt? Where is the victim?
Or are we talking about hurting the feelings of those poor electrons that used to mean something, however fleeting, before being vacuumed up by a hateful engineer?
And you know every atom whose state you have ever modified has certain inalienable rights..
I am pretty damned cynical about big corporations and those who presume to rule them, but there are plenty of white collar criminals in power in America and I have yet to see any at Google.
And for your info I think Sergey's and Larry's excellent space adventure shows me enough where those guys stand. I prefer to support Google and Man's Future In Space. The rest of the establishment, their cops and politicos and bastards who talk out the sides of their mouths, the warhawks and smack sellers, and all the self righteous fucks who turn a blind eye to killing, and the fucktards who find a moral pinnacle somewhere in there, they can all go off and fuck themselves until they die.
As for Milner? Well he is either completely innocent or a geek who has been hypnotized until robotic. Happens every day in America. There are one thousand other cases more worthy of prosecution.
You forgot to bring up the second part of the quote:
But if you really need that kind of privacy, the reality is that search engines, including Google, do retain this information for some time. And [...] we're all subject, in the US, to the Patriot Act, and it is possible that that information could be made available to the authorities.
The people they were snooping on weren't intentionally running an open WiFi and had an expectation of privacy. Google, also, wasn't "accidentally" connecting and grabbing data. IT WAS ENTIRELY INTENTIONAL to be sniffing people's traffic.
Your hate towards Marius Milner is so strong, you saw this article in the future and registered just in time to post this comment with same timestamp as the article?..
Tech(NY|LA|Cars|nicalExpert), you're so unsubtle :(
But how could he not write the sniffer program? A co-worker of mine wrote a fun screen-saver. It posted each image sniffed over wifi in a random place on the background, creating a real-time collage of what people were viewing on the Internet. He wrote the program and showed it to his boss, and fortunately being at a start-up, he found it amusing. He also hacked our WEP security in a few hours with some hacker software, leading us to upgrade our protection rather than get pissed. It is the nature of good engineers to be curious, and Joe Engineer does not offend me. It's the government that scares me.
Celebrate failure, and then learn from it - Nolan Bushnell
Your reasoning is along the same as "you shouldn't go out if you don't want to get stabbed".
This is the worst comparison I've ever witnessed. As a Slashdot user, I'm glad that it wasn't a car analogy. But still.. worst comparison ever.
I think it was stupid, but it doesn't look like it was a vast Google conspiracy to inhale as much data as possible for the takeover of the world. It looks like a stupid decision by an engineer and a layer of incompetent management.
I certainly don't condone anyone collecting WiFi data that most people expect to be private, but correct me if I'm wrong - they didn't crack WEP/WPA/hack their way into routers to obtain this data. That means it was floating free and unencrypted over the air for anyone to observe. It's shady and makes Google look bad, but technically it's not much different from receiving FM radio signals; perhaps short range walkie talkie conversations are a more apt comparison - still not illegal and not patently immoral.
...and you've eaten your pen. simply stunning.
https is your friend. Seriously on any wifi network you should use https for anything secure.
MITM attacks on public wifi hotspots are mostly trivial. Yeah, keep believing that using HTTPS is securing anything.
Written by someone who obviously doesn't understand how https works. Your site URL is validated against a server-side certificate. The protocol starts with an exchange of public keys, then uses session keys for the session. This makes a man in the middle attack impossible.
More like you go round every house in your city, taking a picture of that house, and checking to see if the windows are open, then looking through the window where you see your mum and myself, then put that up on the company intranet to say that house keeps its windows open and your mum there :)
Google long maintained that the engineer was solely responsible for this aspect of the project, which resulted in official investigations, some still unresolved, in more than a dozen countries. But a complete version of the F.C.C.’s report, released by Google on Saturday, has cast doubt on that explanation, saying that the engineer informed at least one superior and that seven engineers who worked on the code were all in a position to know what was going on.
The F.C.C. report also had Engineer Doe spelling out his intentions quite clearly in his initial proposal. Managers of the Street View project said they never read it.
Depicting his actions as the work of a rogue “requires putting a lot of dots together,” Mr. Milner said enigmatically Sunday before insisting again he had no comment. He said he was closely following the news reports on the issue.
If that's all to be believed, Milner reported on what he was doing, and sent it to his boss(es). They opted to "not read" the report. If at least six other engineers were in a position to know, then this sounds more like a "no, don't put this in writing or tell us what you're doing" situation than a rogue employee. If bosses aren't responsible for their employees, what are they there for?
www.clarke.ca
So, by "trivial" you mean "Easy, you just need to be a government official with a leverage over certificate authority, or you could simply hack a CA and issue a fake certificate. Trivial!"
Okay, non-subscriber who posts long reply with same timestamp as the story, I have a question. Since you are claiming that Google stole this data intentionally, what was their motivation? What was their evil plot to turn this data into money?
He said it was an add-on to study WiFi use around the world as part of his 20% project. I don't know if you have to report or get approval for your 20% projects at Google or elsewhere. But after this it may be a good idea to have some supervision.
It would be like adding some metric measurement software to what we ship customers. Then have that send back these data. Our customers may be unsure then if their personal data in this software is being compromised.
So you don't use WiFi at home but you don't mind using it in other places? Jesus, stick WPA2 on there, Enterprise if you're a paranoid fuckerlord and just get on with your life. It takes half a second to cancel a credit card and if you happen to be victim of fraud it will probably be because you clicked some bad link.
First step is to issue self-signed certificate. This was done to me. I declined it, but most people don't because they just want it to work. After that there are other ways, like serving http-components on https-page. Even Slashdot's HTTPS is currently broken, as it has parts that are http.
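The comment above mentions HTTPS pages that still load http:// components. As an added illustration that is not part of the original thread, this Python example lists such mixed-content references in an HTTPS page's HTML so a site owner can find and fix them; the page URL, hostnames and markup are constructed sample data, and the active/passive/form labels are this example's own grouping.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming the subresource the browser will fetch.
# "active" content can rewrite the page if tampered with in transit;
# "passive" content reveals what is being viewed and can be swapped.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collects subresources of an HTTPS page that resolve to plain http."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.base = page_url      # changes if the page carries <base href>
        self.findings = []        # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "base":
            if attr.get("href"):
                self.base = urljoin(self.base, attr["href"])
        elif tag == "link":
            # Only links that actually load something count; rel=canonical
            # or rel=alternate are metadata, not fetched subresources.
            rel = attr.get("rel", "").lower().split()
            if "stylesheet" in rel:
                self._check("active", tag, attr.get("href"))
            elif "icon" in rel:
                self._check("passive", tag, attr.get("href"))
        elif tag == "form":
            # A form posting to http sends its fields in the clear.
            self._check("form", tag, attr.get("action"))
        elif tag in ACTIVE:
            self._check("active", tag, attr.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, attr.get(PASSIVE[tag]))
        # <a href> is deliberately ignored: it is navigation, not a subresource.

    def _check(self, kind, tag, ref):
        if not ref:
            return
        # Relative and protocol-relative ("//host/x") references inherit the
        # scheme of the base URL, so resolve before looking at the scheme.
        url = urljoin(self.base, ref.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, url), ...] for http subresources of an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for https pages")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (not taken from any real site).
SAMPLE_URL = "https://news.example/story/1"
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://news.example/story/1">
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="http://static.example/legacy.css">
<script src="//cdn.example/app.js"></script>
<script src="http://ads.example/track.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="/img/ok.png">
<a href="http://other.example/">ordinary link</a>
<form action="http://news.example/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

Serving every flagged resource over https, or sending a `Content-Security-Policy: upgrade-insecure-requests` header, removes the cleartext fetches this reports.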
Now a former state investigator involved in another inquiry into Street View has identified Engineer Doe. The former investigator said he was Marius Milner ... The former state investigator spoke on the condition that he not be identified because he was not authorized to speak. ... Although the F.C.C. declined to identify the engineer, a footnote in the full text of its report said Google told the agency the identity of Engineer Doe “only because it had disclosed his name to state investigators on December 17, 2010.” Google declined to comment.
That's clearly Google's fault. They shouldn't have told state investigators ANYTHING. I mean, they got reprimanded for "obstructing investigation" or somesuch anyways, what does one more bit held back matter?
If you broadcast information publicly and without sufficient encryption, the public can listen in and record it.
Apart from the question of who is right in the abstract, punishing Google or other people isn't going to deter anybody who actually wants to do you harm, since passive listening is pretty much impossible to detect. What we might restrict and punish is the use of such information, for example rebroadcasting it, using it in legal proceedings without a prior warrant, or reselling it.
The real question we should be asking is how people are punished that broadcast private information (e.g., hospitals that use unencrypted networks).
So if I leave the door to my house unlocked it's OK for you to go in and take what ever you want? How much responsibility falls on the home owner? If they lock their doors and arm a security system but the system is old and easy to bypass and the thief has a bump key is it the owners fault. Google identifying open wifi while driving around is not the problem it's that they went into the network and collected data. If they sniffed any VOIP traffic then they committed a felony the only reason they have not been charged is that email and other communication are not protected under law.
Knowledge = Power
P= W/t
t=Money
Money = Work/Knowledge so the less you know the more you make
I use wifi away from home only when it is a necessity. And only at times when I don't have an option. And even when I do use it, I restrict what I do (as stated previously, sorry if this mildly complex set of use-cases confused you). Also, it keeps anyone from accessing my home network via WiFi, should they manage a successful breakin. Using wifi elsewhere won't allow them to break in to my home network via wifi. If you need an explanation why, please go back to eating your crayons and glue.
If what I do is too complex for you, that's your problem, not mine. But I don't feel like wasting 10-15 mins on the phone to cancel a credit card, dealing with issues of someone having gotten into my filesystems because they've run rampant on my network, or having the cops come after me because someone hacked my network and started using my internet for illegal purposes.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
And now you're even recycling (invalid) talking points from previous accounts
I hope you're not getting paid for this, it would be a waste of money.
Written by someone who obviously doesn't understand how https works. Your site URL is validated against a server-side certificate. The protocol starts with an exchange of public keys, then uses session keys for the session. This makes a man in the middle attack impossible.
Yeah, who here doesn't understand things. I live in a country that has been serving fake certs and other trickery even when trying to login to fucking Slashdot using HTTPS. If you believe that there is no way around or no tricks to use against users you are being unbelievably naive and/or an idiot. Hell, even Slashdot allows this because it has non-https components even if you browse with https. Go back to your noob-box and get some clue.
Bullshit, Certificates are international, and whenever certificate authorities have been compromised their issuing certificates have been revoked.
The ISPs and device vendors who sold UNSAFE PRODUCTS to consumers are the folks we should be mad at.
Car analogy: Do you get mad at the guy who slowed his car in front of you, or the auto manufacturer who sold you a car with the brakes detached from the brake pedal?
Oh stop this mentality.
Just because someone's data is out there does not give anyone carte blanche to do whatever they want with it.
Someone loses a check--has their account number and routing number in the MICR ink. Do they deserve to have their account hacked.
Someone has a public Wi-fi connection. They may be leaking data *to* *wardrivers* *only* but everyone else uses it honestly. They really deserve to have their data intercepted? Really?
Congrats. I keep forgetting nothing on a wired network has ever been compromised.
I still disagree that this is an issue. To me, there is no expectation of privacy if your communication is not encrypted. Hell, this is the government's take on it as well, within the context of Total Information Awareness or whatever it's called today. Why is it a big deal for Google to do this over public airwaves, and it's a non-issue for the government to do this over leased lines?
These people could have spent the 10 minutes more to encrypt their traffic or read and understand what it meant, they did not. What's next, nail the kid next door for listening to your cordless phone conversation, baby monitor, etc?
If you leave your house unlocked, no, that doesn't allow me to go in and take whatever I want, because the DOOR IS CLOSED. Now, if you opened your door, and put a sign on the porch saying "Hey, I have stuff in here", then yes, it is your fault. Same as if you were broadcasting unencrypted wifi signals.
And while we are on the topic, let me educate you a bit. If you send out an unencrypted radio signal, and I do nothing more than receive it, then I did not "go into the network" to get anything. I received exactly what was sent to me. See the difference?
it's that they went into the network and collected data
They didn't "go into" the network. They collected data that was floating on the airwaves around them. The proper analogy isn't with walking into an open door, but taking a photo through an open window. From the street. Something that Google has already done.
Nah, it's really much closer to "go around the city, looking at every house, and find several people broadcasting video of them having sex", since nothing Google did violated the internal network, all they did was receive a radio signal that was unencrypted.
Sure. Oh wait, except that to do so, you would have to break the encryption, which is against the law. In fact, now that I think about it, that makes your analogy completely useless, doesn't it? You *do* see the difference, right?
If you leave your house unlocked, no, that doesn't allow me to go in and take whatever I want, because the DOOR IS CLOSED. Now, if you opened your door, and put a sign on the porch saying "Hey, I have stuff in here", then yes, it is your fault. Same as if you were broadcasting unencrypted wifi signals.
Nobody has put up any signs saying anyone is free to sniff their internet traffic.
Actually, it's more like putting a speaker outside your house, then playing personal information over it for anyone driving down the street to hear, and then getting angry that someone had the gall to record the audio that you were broadcasting to the world at large.
Aaaaand here goes another failed analogy. Your analogy would work much better if Google did "bypass" anything, but in this case you've left your big pink dildo in the driveway and now is troubled by the fact that it shows up on Google Streetview.
And yes, this ^^^ analogy works much better. They didn't break and enter anywhere, they didn't specifically look for dildoes and embarrassing secrets, they just drove by taking pictures (and random full frames of Wi-Fi - though they should have grabbed only headers). In other words, it's completely the same as if they'd rummage through your wardrobe while you're not looking.
mod parent up
-- QED
May we burn her?
You don't want people listening in on your data? Don't transmit it on a "public" medium.
But Google wasn't just incidentally listening to people's data (like seeing the router name and signal strength). They were doing the equivalent of setting up a ladder on the sidewalk and taking multiple telephoto photos through each house's front windows on each block, in every town, in every state, then compiling and analyzing the data so they could better advertise to each household. If I'm in my kitchen doing dishes and someone looks at the kitchen windows while walking down the sidewalk that's one thing. But if a fellow sets up a ladder, climbs it, then whips out a camera with a telephoto lens, is that fellow just capturing light that I am broadcasting into the public medium? Sort of, but he's also making a substantial effort to see things that aren't intended to be public. To knowledgeable people the most that a wardriver would see is the router name and the signal strength. That's like the incidental glancing at the window, no big deal. That is public. Google was using advanced packet sniffing software to effectively get on the ladder and take telephoto pictures of what was going on inside. You try out the ladder/camera trick and see how long before the local police show up and toss you in the clink for being a peeping tom.
-- QED
Actually they did, by broadcasting it freely, unencrypted over the airwaves. This isn't "sniffing". You could receive that signal with a random piece of wire. If you broadcast something, it is, sort of by definition, BROADCAST. Get it? You not only left the door open, you threw your stuff out the window, then complained when someone came by and picked it up off the street.
I think it's more like you living in a home with large windows and no curtains.
The Street View car comes passing by and takes a picture of you standing nude in your house.
Are they going to publish it? No. Do they have it on their hard drive? Yes. Is it their fault you were standing nude in front of an open window? No.
If you didn't want a picture taken, then get some blinds.
Someone loses a check--has their account number and routing number in the MICR ink. Do they deserve to have their account hacked.
Losing a check is an accident.
They didn't "lose" their packets -- they broadcast them in the clear. And it was no accident, it was done for the express purpose of communicating with devices in range. Some other device was also in range, and heard it.
That's nothing like the same situation.
When this thing first came out Google said they hadn't done anything wrong as this was publicly available data (open networks broadcasting these packets). Now they blame everything on the 'rogue engineer'. Was what Google did wrong, yes or no? Why is not his manager and, ultimately, VP, accountable for this?
--
Sundar Pichai is the utter asshole whose incompetence has resulted in the shutdown of Google's Atlanta engineering office.
stop being retarded about the electromagnetic spectrum. radio and light are the same thing. so if i dont put up curtains that gives you free reign to peer into the windows of my house and make an inventory?
Hello you piece of shit astroturfing moron.
Could you be any more useless?
If you weren't such a fucking piece of shit asshole perhaps you would post on your main account, but no, you don't want any backlash regarding the bullshit you spout.
So, how much are you paid to be an asshole anyway?
so if i dont put up curtains that gives you free reign to peer into the windows of my house and make an inventory?
Um, pretty much yes?
If you/someone have at least one Android device on your wifi network and have the following option selected:
"Back up my data: Back up application data, Wi-Fi passwords and other settings to Google servers".
Then Google can decode the packets they captured.
This level of paranoia seems unwarranted to me for at least 2 reasons:
1. Even on your wired network at home, once your traffic leaves your house there are any number of people who with enough motivation could intercept your traffic.
2. As long as you are using websites that employ SSL the data between you and that site is encrypted, even if the WiFi signal is not.
I'm not saying you should not be paranoid but there reaches a point of diminishing returns.
I don't know about that, they knowingly assigned a well-known writer of war-driving software to the street view team. It is kind of obvious what is going to happen next. That was the reason Google hired him in the first place.
If you check out the name of the person who made first post, along with the time stamp you'll see why it was written as inflammatory as possible.
I'm finally coming around to the opinion that /. is taking money for some story submissions such as this one.
Don't know something? Look it up. Still don't know? Then ask.
The people they were snooping on weren't intentionally running an open WiFi and had an expectation of privacy.
A false one. Ignorance is not an excuse.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Golly! I guess my Palo Alto firewalls are lying to me.
We use these to prevent internal data loss, filter malware, virus, etc... and decrypt all SSL traffic as normal policy. The client never knows the difference because the firewall has its own cert issued by a trusted CA. You could always do the same yourself, but the process has been made trivial with an appliance.
Pull my finger for my public key.
I don't think you understand how radio works. It's like sound.
Your neighbor blares his stereo? Well, you can hear his music because of that.
You blare your unencrypted data? Well, I can read it.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Let's be proper about this.
Nobody picked it up off the street, they merely looked at it, and made a record in their journal.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
ctrl-f. yep retarded theft analogy.
It's communication. If you don't want someone to read a letter you don't have to secure it effectively you merely have to symbolically secure it with an envelope.
If you write your message on a postcard then everyone between source and destination has every right to read it.
If you put it in an envelope then they don't.
Easy isn't it.
If you don't want someone to read what you're broadcasting to the entire neighbourhood then don't broadcast it plaintext, that's perfectly equivalent to writing it on a postcard.
You don't have to secure it effectively, merely symbolically.
They didn't "go into the network". They just recorded everything that was broadcast at them in plaintext on the public street.
They didn't crack anyone's encryption, they didn't hack anything.
So, it's the tool's problem when the user refuses to use it correctly?
God help us all when the butter knives get fed up with it.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
So, instead of just insulting people - do you plan on backing anything up?
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
No, it's not OK even then. Only if I put up a sign saying "Hey, I have stuff in here AND YOU CAN HAVE IT."
I would argue that's exactly what you're doing if you broadcast unencrypted WiFi across your neighborhood. You cannot scream across the EM spectrum at the top of your lungs and demand the world not listen. People are not going into the public's house to get their wifi traffic. Ignorant members of the public are blasting it across an area greater than a football field with their house in the center.
No, it's more like walking down the sidewalk and noting how you and your boyfriend really are loud sex partners.
Since you can hear it from the sidewalk.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
*committed a felony the only reason they have not been charged is that email and other communication are not protected under law.*
oh, fuck, they are. if you're a school kid doing it then you're going to get busted.
but if you're google doing it!...
and well, usually it's not considered not stalking(legal) to be recording someones conversations with a laser pickup from the window either.
It is assumed. Am I to cover my ears when I walk by a house where someone is shouting?
Generally, yes - as long as I do it from a location I am authorized to be (such as my own property or the sidewalk in front of your house). If my actions were associated with some crime (such as a conspiracy to murder) or in violation of court order (such as if you had a restraining order preventing me from being within 100 yards of your house) of course it is not okay.
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
So if I leave the door to my house unlocked it's OK for you to go in and take what ever you want?
If you were throwing your private papers out into the street I wouldn't be too concerned about people making copies of them or reading them. Don't forget that intercepting your wireless traffic does not steal the bits out of the air or anything. Leaving your house door unlocked and your belongings inside is similar to using WEP. Polite people won't look through your belongings but morality is all that's stopping them.
If they sniffed any VOIP traffic then they committed a felony the only reason they have not been charged is that email and other communication are not protected under law.
If you broadcast your voice over public airwaves it is legal to intercept it. It doesn't matter if you *think* it's a landline, it simply does not have the same protection.
Actually, I'm fine with that. I don't feel that I have a right to stop people from using the data I voluntarily send straight to them.
Good luck decrypting it, though.
If it is encrypted, then I will use things like email, etc. But only if they are on a secure pipe (such as https / pops / etc.). I still won't use it for anything financial.
Aside from leaking DNS queries what's the harm in using https over wireless (or anything really) for financial transactions?
If you're handing out checks to everyone who passes within several hundred feet of your house, then you can't complain that someone has your banking information.
Actually using that information to break into your account and take money would be theft, of course, but have you proved that Google did anything untoward with the data that they were given (yes, given)? If not, your analogy does not hold.
Three key words: You have the *right* to leave your house doors open, but if you do, you'll find your *insurers* take a dim view of your sense of *responsibility*.
The analogy may or may not apply well to wifi.
~Tim
--
Rushing on down to the circle of the turn
Except Google didn't use "free reign to peer and make an inventory", but just snapped a random shot, just as it did X meters back and will do X meters forward, and your open window was in that shot. Good job adding yet another failed analogy to this thread.
The school kid hacked the account.
Question. Are the people who think this is a crime really that fucking stupid when it comes to technology on this site?
Or are they just so blinded by their own ideology that the stuff they used to know goes "poof" never to be seen again?
Why is it so hard to only have politicians for a few years, then have them go away?
How is this the engineer's fault? And Google's, for that matter? And really, are we going to say it's the user's fault? How does a grandma know what a wifi network means when it's not encrypted?
What we really need is to punish those wifi vendors. Force them to put a label on their products from now on: "Beware of the Google Car if you don't encrypt your network!" Nothing a big enough warning cannot do.
> It's like sound.
Which in most states is illegal to record without the consent of at least one party?
And further, I'd also mention that the Supreme Court has ruled that people have an expectation of privacy with regards to their infrared emissions, which is a much better analogy. There is a huge difference between actual sensory data which you incidentally encounter, and data that you can only receive by using a specialized piece of equipment and specifically decoding it. (Mind that even unencrypted wireless is still encoded by the protocol. You cannot make sense of the data by simply 'listening', you need to actually identify the noise, devices, packets, retransmissions, etc.)
I'd liken it to you having sex with your wife on the front lawn and then getting mad that someone took pictures of it.
I discovered an access point at my local Kroger that decodes SSL certs and replaces them. I'm curious how many phone apps will even notice this is happening. I plan to do some testing.
Cheap storage VM.
If I don't put up curtains that gives you free reign to peer into the windows of my house?
Yes, if you're doing your girlfriend on the kitchen table with the windows open, I'm free to film it and post it on youporn. You wanted that to be private, close the curtains.
Neither HTTPS nor SSH can be sniffed if you can properly authenticate your endpoint. I can still perform a Man-in-the-Middle attack if you are careless or uneducated. Given the right circumstances, I may be able to get my CA added to your browser.
Cheap storage VM.
"The former state investigator spoke on the condition that he not be identified because he was not authorized to speak."
Just like Rupert, Google is claiming 'We had no idea what our minions were doing; our job is merely to be wealthy.' #YeahRight
If you broadcast your voice over public airwaves it is legal to intercept it. It doesn't matter if you *think* it's a landline, it simply does not have the same protection.
Cordless phones many of which are unencrypted fall into your description, yet it is illegal in every state for a third party to monitor the phone call without consent of all participants. Most state laws also specify cellular and cordless calls, and others use all “electronic” communications, to cover ANY phone call. The protection is for any phone calls no matter how they are made.
Knowledge = Power
P= W/t
t=Money
Money = Work/Knowledge so the less you know the more you make
"To me, there is no expectation of privacy if your communication is not encrypted."
Some people aren't capable enough to even program the clock on a VCR, yet you expect them to know how to magically set up encryption. The expectation of privacy is still there. It never goes away.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
You, along with many others commenting on this story are making the assumption that the common man is aware of how radio works. In each of the analogies being provided, I'm seeing examples of deliberate behavior:
-A person loudly blares music
-A person has sex on their front lawn
-A person posts a sign in front of their house
In each of these cases, the person is extremely aware of what they are doing. Now, granted, you are correct - people are broadcasting their unencrypted data, which any one can collect. However, in this case, they are completely oblivious of the fact. Now, we can put on our nerd hats and proclaim that everyone should be intimately familiar with everything that we consider important, but I have to say, that isn't ever going to be reality.
Given the public's lack of understanding of the technology, it is reasonable to say that they can have an expectation of privacy for their wireless communication. As another poster pointed out, you need to purchase "specialized" equipment to collect this data. I don't simply walk down the street and have this data rudely forced upon me.
I use wifi away from home only when it is a necessity. And only at times when I don't have an option. And even when I do use it, I restrict what I do (as stated previously, sorry if this mildly complex set of use-cases confused you).
It didn't. You might be mentally retarded if you thought it was a complex use case, I'd check on that.
Also, it keeps anyone from accessing my home network via WiFI, should they manage a successful breakin.
But if they DO manage a successful break-in, they don't need to access your home via WiFi. They just managed a successful break-in. You're proving that WiFi isn't really the problem, just another method of entry that should be guarded carefully.
Using wifi elsewhere won't allow them to break in to my home network via wifi.
Thanks Major Obvious, because I was totally thinking people in internet cafés would use magic pixie dust to sniff your WiFi network credentials that do not exist.
If what I do is too complex for you, that's your problem, not mine.
No, it's definitely yours. Not that what you're doing is complex (do not equal being borderline paranoid with complexity), but I couldn't give half a monkey's left nut about your network.
But I don't feel like wasting 10-15 mins on the phone to cancel a credit card, dealing with issues of someone having gotten into my filesystems because they've run rampant on my network, or having the cops come after me because someone hacked my network and started using my internet for illegal purposes.
No, you'd rather spend an extra minute several times per month/year to plug in your laptop and in no time you will have surpassed the time it takes me to cancel a credit card maybe once every 10-30 years, with barely a scratch on my credit report. Not that I ever got my credit card stolen using https/ssh over WiFi in my damn house, but hey.
Well, I don't agree with your analogy, but I have something to point out in that regard.
Google drove their peeping tom car on to my property and took pictures of the inside of my house through my windows and published them on their "street view". And yes I do have curtains, but the wind blew them aside.
I asked Google repeatedly to take down their intrusive photos, but they insisted they had the right to do this, even though they were on my property.
Then I pointed out that they'd taken pictures of my minor daughter's bedroom. BOOM! Even Google fears the American obsession with paedophilia, and the pictures came down... my house is now a blacked out section in Google street view.
So: yes, broadcasting unencrypted wifi is asking for people to hear your traffic. But, also, Google is more than willing to invade your privacy for their own profit.
Just because you're stupid doesn't mean the law MUST protect you. Just because you believe something is private, that doesn't make it true. There already was a case where the court decided there is no expectation of privacy on unencrypted Wi-Fi, and in Google's case it wasn't found illegal by court as well, it was found questionable and irresponsible by public. Saying "But I didn't know how to secure it!" won't help you in court or in insurance company. People just need to learn to RTFM, all the routers now have manuals with Big Friendly Pictures and Big Friendly Setup Wizards which tell you to set the password.
Use this link.
OK, then i'll argue this way: you require specialist equipment to broadcast this internet. If you have it, you need to understand at least the super basics of how it works.
If suppliers are not ensuring you do, they are not exercising the due care that they should (yes, i know they are not required to. that's part of the problem)
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
You, along with many others commenting on this story are making the assumption that because a common man is not aware of how radio works, he must be legally protected from his own ignorance.
"It is reasonable to say they have an expectation of privacy" != "They have a reasonable expectation of privacy".
And yeah, any wireless card and a PC? That's pretty specialized data collection equipment required there. I mean, just tick the "automatically connect to open networks" checkbox and before you know - BLAM! - there's a bunch of data rudely forced upon your PC (and your PC rudely forces data upon someone) and you're invading someone's privacy. Shocking.
When you need knowledge you don't have, you hire a consultant. People have been doing it with their cars for years, it's no different with a computer. And yes, you can get screwed in both cases. It's called the real world.
If you're incompetent, pay for someone who is competent. It's that simple. People just act different 'cause it's a fucking computer and they have some sort of mental block that prevents their intelligence from working properly.
NetStumbler can't even capture WiFi data in transit and never did when this took place. It sends out probe requests and responses, unless he was writing some in-house stuff not available to the public, which seems asinine given that Kismet has existed for years and does everything this purportedly does, and is free with full source code available.
I think someone is not being honest here.
Apparently, you could watch it, but in most of the US recording the act would be illegal.
(You can check the validity of this analogy for yourself).
.: Semper Absurda
Your Palo Alto firewalls only work because the (self signed) global wildcard certificate they use has been manually installed on every client on the network, and is trusted by those devices.
Unless you can trick a user on a public wifi hotspot into accepting your self signed global certificate their browser will not validate the connection or pass data without a big red warning screen.
Just because you disagree doesn't mean it's not true.
Why not?
It is in a public air space. The sender wished to share it with others. That makes it fair game to me. That which is private simply can not be communicated to another person. It's a narrow definition but in many ways the only real definition. A trusted wife or friend can betray. When you throw the dice of communication you pretty much have to accept the consequences.
No but if you put all your belongings out on the front lawn, you can't tell people off for looking at them.
TEMPEST says that you shouldn't be doing internet banking at all. You are sufficiently paranoid, but insufficiently informed.
"Just because you're stupid doesn't mean the law MUST protect you."
Actually, that's what laws are for.
"People just need to learn to RTFM, all the routers now have manuals with Big Friendly Pictures and Big Friendly Setup Wizards which tell you to set the password."
Mine didn't come with a manual, nor a setup wizard. It just came with a slip of paper with the login code for the router, and the default wireless encryption key (and the wireless encryption was turned off by default.)
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
where do you live? i will be over tonight.
This is false. There is no expectation of privacy in public space, if I grab my phone and record sound in the street, and happen to overhear a conversation from inside a house, I do not need authorization from the person having said this conversation.
The opposite would be evidently idiotic.
entia non sunt multiplicanda praeter necessitatem
The most obvious analogy is a person having a conversation by the window of his house. I am standing in the street, and can hear his conversation from a public space. I am completely free to listen to it, remember it and then relay it to some other party, take notes of it, record it, and even enter it into a log with other publicly available data like the address, the time and date, and if the person has one of those little nametags in mailboxes, their fucking name.
If i have loud sex in my apartment, i can not say that it is a violation of privacy when my neighbor complains about the noise. I can not complain about him recording it from the privacy of his own home, either.
If the opposite were true, you would have to get permission of everyone that happens to be in hearing range of your phone whenever the phone's microphone is on, like when making a call, or recording an audio note.
If the opposite were true, you would have to get permission from anybody that appears in the background of a picture taken in public space.
"Awareness" on the part of those persons has absolutely nothing to do with it.
entia non sunt multiplicanda praeter necessitatem
you don't have to go that far: it's like having loud sex in your room, and then complaining about privacy when your neighbor complains about the noise
entia non sunt multiplicanda praeter necessitatem
they are all fucking retarded, and have no clue about what they are saying, because they have no idea of what a law is, and how it works.
it's the same sad story with all the morons that say that bsd licenses are "more free" than the gpl. blatant, utter, unashamed ignorance on the part of a bunch of moronic nerds that think that knowing how to vomit one or two more or less sophisticated lines of code gives them the right to pontificate about morals, politics, philosophy and the law, and generally have the argumentation level of eighth graders.
like linus. or most bdfl's for that matter. awesome programmers and engineers, complete morons about everything else.
There is no harm, he's just one of 'those' people.
Don't know about the US but in the UK the law is clear regarding radio transmissions - whether clear or encrypted, whether audio or data : You need the permission of the transmitter (the person, not the equipment) to listen in. This covers everything, e.g. air traffic control is not encrypted but that doesn't mean you're allowed to listen to it. Same goes for CB chats between two trucker friends and also people's WiFi.
So as you can see, arguing that "the wifi AP didn't have a password therefore the auto-negotiation between my laptop and their router constituted permission" will get you nowhere.
If you don't risk failure you don't risk success.
Care to provide citations? Especially considering the legal status of Wi-Fi.
Because a) it might fall under general transmission and not require any special permission to receive (just as it doesn't require any special permission to transmit), and b) your interpretation makes even just scanning for networks around you criminal - as in that screen which shows available networks in your phone settings and such. You see, I didn't give your phone a permission to receive my SSID and protection state - even though they are transmitted in the clear. I transmit them only for my laptop and phone.
Nevermind, found some fresh news from UK.
Seems like initial investigation was on Data Protection Act grounds, not just "listening in", though that part might be investigated now under other act.
From OFCOM: http://stakeholders.ofcom.org.uk/enforcement/spectrum-enforcement/guidance
This page is specific guidance about VHF Scanners, but cites laws regarding "transmissions" in general:
"...it is illegal to listen to anything other than general reception transmissions unless you are either a licensed user of the frequencies in question or have been specifically authorised to do so... "
and
"The services that can be listened to under the definition of general reception are:
licensed broadcasting stations;
amateur and citizens' band radio transmissions; and
weather and navigation transmissions
"
If you don't risk failure you don't risk success.
this is UK law, not US law but direct from OFCOM: http://stakeholders.ofcom.org.uk/enforcement/spectrum-enforcement/guidance
"It is an offence if a person ... uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of any message whether sent by means of wireless telegraphy or not, of which neither the person using the apparatus nor a person on whose behalf he is acting is an intended recipient."
It doesn't matter if I'm broadcasting unencrypted data. If you are not the intended recipient then you are breaking the law by sniffing it.
If you don't risk failure you don't risk success.
Since the HTTPS / SSL certs are replaced with Kroger certs, the CN (common name, or the website) no longer matches the site you're visiting, or they use a self-signed certificate.
Any modern browser (and any app using SSL) should at the very least warn that there's something fishy going on.
If not, I'd have the local law enforcement agency (or certificate provider) start poking around for fraud / impersonation.
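The certificate checks described in this comment and in the replies about manually installed proxy certificates, as an added Python example that is not part of the thread: a simplified model of the hostname and issuer checks a TLS client applies, run over constructed certificates in the dict layout of `ssl.SSLSocket.getpeercert()`. It compares issuer names only and does not verify signatures; every name in it, such as `bank.example` and `Hotspot Proxy CA`, is an assumption.

```python
# Added example. All certificates below are constructed, in the dict layout
# returned by ssl.SSLSocket.getpeercert(); no signature is verified here.

def rdn_value(name, key):
    """First value stored under `key` in a getpeercert()-style name."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def label_match(pattern, hostname):
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject wildcards directly under a top-level label, e.g. "*.example".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def names_in_cert(cert):
    """DNS names from subjectAltName; fall back to the CN only if none exist."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = rdn_value(cert.get("subject", ()), "commonName")
    return [cn] if cn else []

def inspect_cert(cert, hostname, trusted_issuers):
    """Return the reasons a client would warn; an empty list means no warning."""
    findings = []
    if not any(label_match(n, hostname) for n in names_in_cert(cert)):
        findings.append("hostname-mismatch")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed")
    if rdn_value(cert.get("issuer", ()), "commonName") not in trusted_issuers:
        findings.append("untrusted-issuer")
    return findings

def name(cn):
    """Build a one-attribute name in the getpeercert() tuple layout."""
    return ((("commonName", cn),),)

TRUSTED = {"Example Public CA"}          # stand-in for the client's trust store
GENUINE = {"subject": name("bank.example"), "issuer": name("Example Public CA"),
           "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example"))}
OTHER_NAME = {"subject": name("gateway.hotspot.example"),
              "issuer": name("Hotspot Proxy CA"),
              "subjectAltName": (("DNS", "gateway.hotspot.example"),)}
SELF_SIGNED = {"subject": name("bank.example"), "issuer": name("bank.example")}
PROXY_MINTED = {"subject": name("bank.example"), "issuer": name("Hotspot Proxy CA"),
                "subjectAltName": (("DNS", "bank.example"),)}

if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE), ("other name", OTHER_NAME),
                        ("self-signed", SELF_SIGNED), ("proxy-minted", PROXY_MINTED)]:
        print(label, inspect_cert(cert, "bank.example", TRUSTED))
    # Same proxy certificate on a device where the proxy CA was installed:
    print("managed", inspect_cert(PROXY_MINTED, "bank.example",
                                  TRUSTED | {"Hotspot Proxy CA"}))
```

A substitute certificate that carries the right name is flagged only by the issuer check, which is why it passes silently on a device whose trust store already contains the proxy's CA.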
Last time I bought a router, I had this big red sign "STOP READ THIS BEFORE USING" as the first pamphlet. Now, my router isn't Sony's but ...
http://dl.owneriq.net/6/664c405d-2d55-4ac1-acb9-9695f9093b88.pdf
I'm almost positive every router I've purchased has had something like this (I have/have had about 4 over the past few years). Takes about 10 minutes to set up, and they provide key-by-key walkthrough. Not sure how simpler they can get without bludgeoning purchasers over the head.
P.S.
"Specialized"? I can use a bog-standard Windows or *nux machine with a wifi card and an application to do this. If you argue that this is specialized, then I argue that installing the Facebook application on your favourite mobile device is also "specialized" hardware. Otherwise, you can't possibly understand the HTML/XML going through your wifi/3G connection. Are you saying there are millions of people who are running around with specialized hardware to Facebook?
Hey retard, go read this: http://www.paloaltonetworks.com/products/features/decryption.html
"A man-in-the-middle approach is used where device certificates are installed in the user's browser. By default, SSL decryption is disabled."
Hey! Turns out SSL is still not broken! Now stop jumping on the stupidity bandwagon and learn how your shit works.
Opera on my phone threw a cert warning. I plan to test some apps to see if they send any sort of warning. It probably depends on the programmer. I wonder how many apps actually use https instead of http...
The cert was not a Kroger cert, it was something else and I did actually call the police because I thought it was a rogue access point someone had set up on the parking lot. It appears to be in the store's deli. I'm debating whether I should follow up to ascertain if they are aware it is set-up the way it is and how that could potentially open them up to liability.
Cheap storage VM.