Data Engineer In Google Case Is Identified

theodp writes "Meet Engineer Doe. A NY Times report has identified Marius Milner as the software engineer at the center of the uproar over a Google project that used Wi-Fi sniffing Google Street View cars to collect e-mail and other personal data from potentially millions of unsuspecting people. Milner, creator of the wardriving software NetStumbler, referred questions to his lawyer. Google declined to comment. A patent search shows the USPTO awarded Google and Milner a patent in June 2011 for protecting Internet users from 'hackers and other ne'er-do-wells [who] may seek to tap into communications on a network.'"

If you have something that you don't want

[NotMariusMiller]

Anyone remember Eric Schmidt's words:

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Oh wow, looks like Google tried to protect the guy being identified in courts and now he is outed by NY Times. How big hypocrisy is that? Oh wow, turns out he is a wardriving software creator, hacker and the patent application Google and he was awarded was about protecting against the exact thing Google and he JUST DID, worldwide snooping and collection of private data. Just wow, Google. Just wow.

MariusMilner.com and every other associated domain is free. Hint hint. He probably has nothing to hide, so there's no problem if someone lists all the publicly available information, pictures, images, live movements etc there ;-)

Re:If you have something that you don't want

[SaroDarksbane]

If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.

Or in this case, if you have something that you don't want anyone to know, maybe you shouldn't be broadcasting it over the airwaves to the public at large.

Just a thought.

Re:If you have something that you don't want

[NotMariusMiller]

If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.

Or in this case, if you have something that you don't want anyone to know, maybe you shouldn't be broadcasting it over the airwaves to the public at large.

Just a thought.

You can't be that stupid. I live in a place that has wifi where you log in with password. It is encrypted, but after logged in you can still sniff everyone else on the network. It still doesn't make it right to do so.

Likewise, your internet traffic goes unencrypted when it leaves your house. It doesn't make it right for me to plug in to that in between your house and ISP and capture that data.

Google and Marius Milner can go fuck themselves.

Re:If you have something that you don't want

[Chrisq]

If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.

Or in this case, if you have something that you don't want anyone to know, maybe you shouldn't be broadcasting it over the airwaves to the public at large. Just a thought.

https is your friend. Seriously on any wifi network you should use https for anything secure.

You can't be that stupid. I live in a place that has wifi where you log in with password. It is encrypted, but after logged in you can still sniff everyone else on the network. It still doesn't make it right to do so. Likewise, your internet traffic goes unencrypted when it leaves your house. It doesn't make it right for me to plug in to that in between your house and ISP and capture that data. Google and Marius Milner can go fuck themselves.

Re:If you have something that you don't want

So then you won't mind me recording your cell phone calls? You're broadcasting them to the public at large so that makes it okay, right?

Re:If you have something that you don't want

You're an idiot.

Re:If you have something that you don't want

Neither of those analogies are appropriate, and your reaction is awfully spiteful for someone who likely wouldn't be on an unencrypted wi-fi network in the first place.

In one of your examples, you're given access to a private system with the idea that you won't mess with other.
In the other, you're tapping into a private circuit with the intent to steal data.

If anything, home routers should come pre-encrpyted, with the random default key on a sticker on the bottom, and display a warning and disclaimer for people who wish to run unencrypted wi-fi.

Someone before made the analogy about this being like having sex with the windows open, and then saying anyone who happens to stare for a few extra seconds can go fuck themselves and deserves to die. What kind of person ARE you???

Re:If you have something that you don't want

[NotMariusMiller]

Not every site supports https, and I don't want some random people to snoop data even if isn't as secure. And in fact, I do use VPN for exactly this reason, but I am in the minority that knows this stuff. 99% don't.

The reason we have laws is to prevent people from taking advantage of situations. Your reasoning is along the same as "you shouldn't go out if you don't want to get stabbed". It is not reasonable suggestion. We prevent people from abusing things like this with laws and there are penalties if they do. I hope Google gets fined big time and every engineer and supervisor associated with the project put into jail. That's what would happen to any individual doing this.

Re:If you have something that you don't want

[ByOhTek]

You can't be that stupid...

If the system is open, an easily sniffable, you're an idiot for using it with stuff you don't want publically accessible.

* I don't use WiFi at home (easy enough to wire a place up, a simple weekend project).
* When I do use WiFi...
** If it is encrypted, then I will use things like email, etc. But only if they are on a secure pipe (such as https / pops / etc.). I still won't use it for anything financial.
** If it is unecrypted, then I will only do casual browsing - no stuff with user names or passwords.
* Wired is treated like secure/encrypted WiFi, except I will do financial things (if it is a network I trust)...

Remember, on the internet, paranoia is your friend because everyone IS out to get you.

Re:If you have something that you don't want

[Desler]

https is your friend. Seriously on any wifi network you should use https for anything secure.

MITM attacks on public wifi hotspots are mostly trivial. Yeah, keep believing that using HTTPS is securing anything.

Re:If you have something that you don't want

I live in a place that has wifi where you log in with password. It is encrypted, but after logged in you can still sniff everyone else on the network. It still doesn't make it right to do so.

So it's not public.

It doesn't make it right for me to plug in to that in between your house and ISP and capture that data.

So it's not public.

You can't be that stupid. Yet you've made multiple posts showing otherwise.

Re:If you have something that you don't want

Your reasoning is along the same as "you shouldn't go out if you don't want to get stabbed". It is not reasonable suggestion.

Do you even have the ability to grasp granularity of magnitude that isn't all on or all off?

HTTPS isn't the issue here. THERE IS NO PRIVATE NETWORK ON OPEN WIFI. A secured connection, a dedicated connection from an ISP, these are PRIVATE connections. OPEN WIFI is a PUBLIC ONE.

You don't want people listening in on your phone calls? Don't have them outside in a public place, the hobos might steam your trade secrets (or whatever paranoia types like you subscribe to).
You don't want people listening in on your data? Don't transmit it on a "public" medium.

Re:If you have something that you don't want

[Medievalist]

I live in a place that has wifi where you log in with password. It is encrypted, but after logged in you can still sniff everyone else on the network. It still doesn't make it right to do so.

Likewise, your internet traffic goes unencrypted when it leaves your house. It doesn't make it right for me to plug in to that in between your house and ISP and capture that data.

HTTPS and SSH cannot be sniffed on your wifi, nor does either one "go unencrypted" when it leaves your house. Broadband providers using DOCSIS protocols also are not sniffable by your neighbors.

However, I recommend you should worry more about "is it possible" and "is it likely" rather than "is it right". Our government and the big corporations (that's redundant, I know) clearly aren't at all concerned about your ideas of right and wrong.

Re:If you have something that you don't want

You forgot to bring up the second part of the quote:

But if you really need that kind of privacy, the reality is that search engines, including Google, do retain this information for some time. And [...] we're all subject, in the US, to the Patriot Act, and it is possible that that information could be made available to the authorities.

Re:If you have something that you don't want

[Desler]

The people they were snooping on weren't intentionally running an open WiFi and had an expectation of privacy. Google, also, wasn't "accidentally" connecting and grabbing data. IT WAS ENTIRELY INTENTIONAL to be sniffing people's traffic.

Re:If you have something that you don't want

Your hate towards Marius Milner is so strong, you saw this article in the future and registered just in time to post this comment with same timestamp as the article?..

Tech(NY|LA|Cars|nicalExpert), you're so unsubtle :(

Re:If you have something that you don't want

[WaywardGeek]

But how could he not write the sniffer program? A co-worker of mine wrote a fun screen-saver. It posted each image sniffed over wifi in a random place on the background, creating a real-time collage of what people were viewing on the Internet. He wrote the program and showed it to his boss, and fortunately being at a start-up, he found it amusing. He also hacked our WEP security in a few hours with some hacker software, leading us to upgrade our protection rather than get pissed. It is the nature of good engineers to be curious, and Joe Engineer does not offend me. It's the government that scares me.

Re:If you have something that you don't want

[NotMariusMiller]

On top of that, Google outright LIED that it was just accident, and they have been now busted on their lie.

Re:If you have something that you don't want

Your reasoning is along the same as "you shouldn't go out if you don't want to get stabbed".

This is the worst comparison I've ever witnessed. As a Slashdot user, I'm glad that it wasn't a car analogy. But still.. worst comparison ever.

Re:If you have something that you don't want

[minerat]

I think it was stupid, but it doesn't look like it was a vast Google conspiracy to inhale as much data as possible for the takeover of the world. It looks like a stupid decision by an engineer and a layer of incompetent management.

I certainly don't condone anyone collecting WiFi data that most people expect to be private, but correct me if I'm wrong - they didn't crack WEP/WPA/hack their way into routers to obtain this data. That means it was floating free and unencrypted over the air for anyone to observe. It's shady and makes Google look bad, but technically it's not much different from receiving FM radio signals; perhaps short range walkie talkie conversations are a more apt comparison - still not illegal and not patently immoral.

Re:If you have something that you don't want

[Chrisq]

https is your friend. Seriously on any wifi network you should use https for anything secure.

MITM attacks on public wifi hotspots are mostly trivial. Yeah, keep believing that using HTTPS is securing anything.

Written by someone who obviously doesn't understand how https works. Your site URL is validated against a server-side certificate. The protocol starts with an exchange of public keys, then uses session keys for the session. This makes a man in the middle attack impossible.

Re:If you have something that you don't want

more like you go round every house in your city , taking a picture of that house, and checking to if the windows are open, then looking through the window where you see your mum and myself, then put that up on the company intranet to say that house keeps it's windows open and your mum there :)

Re:If you have something that you don't want

[NotMariusMilner2]

Written by someone who obviously doesn't understand how https works. Your site URL is validated against a server-side certificate. The protocol starts with an exchange of public keys, then uses session keys for the session. This makes a man in the middle attack impossible.

Yeah, who here doesn't understand things. I live in a country that has been serving fake certs and other trickery even when trying to login to fucking Slashdot using HTTPS. If you believe that there is no way around or no tricks to use against users you are being unbelievable naive and/or idiot. Hell, even Slashdot allows this because it has non-https components even if you browse with https.

Go back to your noob-box and get some clue.

Re:If you have something that you don't want

... I live in a country that has been serving fake certs and other trickery even when trying to login ...

So, by "trivial" you mean "Easy, you just need to be a government official with a leverage over certificate authority, or you could simply hack a CA and issue a fake certificate. Trivial!"

Re:If you have something that you don't want

Okay, non-subscriber who posts long reply with same timestamp as the story, I have a question. Since you claiming that Google stole this data intentionally, what was there motivation? What was their evil plot plot to turn this data into money?

Re:If you have something that you don't want

So you don't use WiFi at home but you don't mind using it in other places? Jesus, stick WPA2 on there, Enterprise if you're a paranoid fuckerlord and just get on with your life. It takes half a second to cancel a credit card and if you happen to be victim of fraud it will probably be because you clicked some bad link.

Re:If you have something that you don't want

[NotMariusMilner2]

First step is to issue self-signed certificate. This was done to me. I declined it, but most people don't because they jstu want it to work. After that there are other ways, like serving http-components on https-page. Even Slashdot's HTTPS is currently broken, as it has parts that are http.

Re:If you have something that you don't want

[jimbolauski]

So if I leave the door to my house unlocked it's OK for you to go in and take what ever you want? How much responsibility falls on the home owner? If they lock their doors and arm a security system but the system is old and easy to bypass and the thief has a bump key is it the owners fault. Google identifying open wifi while driving around is not the problem it's that they went into the network and collected data. If they sniffed any VOIP traffic then they committed a felony the only reason they have not been charged is that email and other communication are not protected under law.

Re:If you have something that you don't want

[ByOhTek]

I use wifi away from home only when it is a necessity. And only at when times I don't have an option. End even when I do use it, I restrict what I do (as stated previously, sorry if this mildly complex set of use-cases confused you). Also, it keeps anyone from accessing my home network via WiFI, should they manage a successful breakin. Using wifi elsewhere won't allow them to break in to my home network via wifi. If you need an explanation why, please go back to eating your crayons and glue.

If what I do is too complex for you, that's your problem, not mine. But I don't feel like wasting 10-15 mins on the phone to cancel a credit card, dealing with issues of someone having gotten into my filesystems because they've run rampant on my network, or having the cops come after me because someone hacked my network and started using my internet for illegal purposes.

Re:If you have something that you don't want

And now you're even recycling (invalid) talking points from previous accounts

I hope you're not getting paid for this, it would be a waste of money.

Re:If you have something that you don't want

[Chrisq]

Written by someone who obviously doesn't understand how https works. Your site URL is validated against a server-side certificate. The protocol starts with an exchange of public keys, then uses session keys for the session. This makes a man in the middle attack impossible.

Yeah, who here doesn't understand things. I live in a country that has been serving fake certs and other trickery even when trying to login to fucking Slashdot using HTTPS. If you believe that there is no way around or no tricks to use against users you are being unbelievable naive and/or idiot. Hell, even Slashdot allows this because it has non-https components even if you browse with https. Go back to your noob-box and get some clue.

Bullshit, Certificates are international, and whenever certificate authorities have been compromised their issuing certificates have been revoked.

Re:If you have something that you don't want

[NotMariusMilner2]

Did it ever cross your mind that not everyone lives like you? Or lives as closely guarded in his home as you?

Re:If you have something that you don't want

[jdgeorge]

The ISPs and device vendors who sold UNSAFE PRODUCTS to consumers are the folks we should be mad at.

Car analogy: Do you get mad at the guy who slowed his car in front of you, or the auto manufacturer who sold you a car with the brakes detached from the brake pedal?

Re:If you have something that you don't want

Oh stop this mentality.

Just because someone's data is out there does not give anyone carte blanche to do whatever they want with it.

Someone loses a check--has their account number and routing number in the MICR ink. Do they deserve to have their account hacked.

Someone has a public Wi-fi connection. They may be leaking data *to* *wardrivers* *only* but everyone else uses it honestly. They really deserve to have their data intercepted? Really?

Re:If you have something that you don't want

Congrats. I keep forgetting nothing on a wired network has ever been compromised.

Re:If you have something that you don't want

I still disagree that this is an issue. To me, there is no expectation of privacy if your communication is not encrypted. hell, this is the governments take on it as well, within the context of Total Information Awareness or whatever its called today. Why is it a big deal for google to do this over public airwaves, and its a non-issue for the government to do this over leased lines?

These people could have spent the 10 minutes more to encrypt their traffic or read and understand what it meant, they did not. Whats next, nail the kid next door for listening to your cordless phone conversation, baby monitor, etc?

Re:If you have something that you don't want

[madmark1]

If you leave your house unlocked, no, that doesn't allow me to go in and take whatever I want, because the DOOR IS CLOSED. Now, if you opened your door, and put a sign on the porch saying "Hey, I have stuff in here", then yes, it is your fault. Same as if you were broadcasting unencrypted wifi signals.

And while we are on the topic, let me educate you a bit. If you send out an unencrypted radio signal, and I do nothing more than receive it, then I did not "go into the network" to get anything. I received exactly what was sent to me. See the difference?

Re:If you have something that you don't want

it's that they went into the network and collected data

They didn't "go into" the network. They collected data that was floating on the airwaves around them. The proper analogy isn't with walking into an open door, but taking a photo through an open window. From the street. Something that Google has already done.

Re:If you have something that you don't want

[madmark1]

Nah, it's really much closer to "go around the city, looking at every house, and find several people broadcasting video of them having sex", since nothing Google did violated the internal network, all they did was receive a radio signal that was unencrypted.

Re:If you have something that you don't want

[madmark1]

Sure. Oh wait, except that to do so, you would have to break the encryption, which is against the law. In fact, now that I think about it, that makes your analogy completely useless, doesn't it? You *do* see the difference, right?

Re:If you have something that you don't want

[TechCar]

If you leave your house unlocked, no, that doesn't allow me to go in and take whatever I want, because the DOOR IS CLOSED. Now, if you opened your door, and put a sign on the porch saying "Hey, I have stuff in here", then yes, it is your fault. Same as if you were broadcasting unencrypted wifi signals.

Nobody has put up any signs saying anyone is free to sniff their internet traffic.

Re:If you have something that you don't want

[timholman]

They didn't "go into" the network. They collected data that was floating on the airwaves around them. The proper analogy isn't with walking into an open door, but taking a photo through an open window. From the street.

Actually, it's more like putting a speaker outside your house, then playing personal information over it for anyone driving down the street to hear, and then getting angry that someone had the gall to record the audio that you were broadcasting to the world at large.

Re:If you have something that you don't want

Aaaaand here goes another failed analogy. Your analogy would work much better if Google did "bypass" anything, but in this case you've left your big pink dildo in the driveway and now is troubled by the fact that it shows up on Google Streetview.

And yes, this ^^^ analogy works much better. They didn't break and enter anywhere, they didn't specifically look for dildoes and embarassing secrets, they just drove by taking pictures (and random full frames of Wi-Fi - though they should have grabbed only headers). In other words, it's completely the same as if they'd rummage through your wardrobe while you're not looking.

Re:If you have something that you don't want

[NotMariusMilner2]

Yeah, you just continue to show clueless you are. Are you high or something?

Re:If you have something that you don't want

[madmark1]

Actually they did, by broadcasting it freely, unencrypted over the airwaves. This isn't "sniffing". You could receive that signal with a random piece of wire. If you broadcast something, it is, sort of by definition, BROADCAST. Get it? You not only left the door open, you threw your stuff out the window, then complained when someone came by and picked it up off the street.

Re:If you have something that you don't want

I think it's more like you living in a home with large windows and no curtains.

The Street View car comes passing by and takes a picture of you standing nude in your house.

Are they going to publish it? No. Do they have it on their hard drive? Yes. Is it their fault you were standing nude in front of an open window? No.

If you didn't want a picture taken, then get some blinds.

Re:If you have something that you don't want

Someone loses a check--has their account number and routing number in the MICR ink. Do they deserve to have their account hacked.

Losing a check is an accident.

They didn't "lose" their packets -- they broadcast them in the clear. And it was no accident, it was done for the express purpose of communicating with devices in range. Some other device was also in range, and heard it.

That's nothing like the same situation.

Re:If you have something that you don't want

stop being retarded about the electromagnetic spectrum. radio and light are the same thing. so if i dont put up curtains that gives you free reign to peer into the windows of my house and make an inventory?

Re:If you have something that you don't want

Hello you piece of shit atroturfing moron.

Could you be any more useless?

If you weren't such a fucking piece of shit asshole perhaps you would post on your main account, but no, you don't want any backlash regarding the bullshit you spout.

So, how much are you paid to be an asshole anyway?

Re:If you have something that you don't want

[niado]

so if i dont put up curtains that gives you free reign to peer into the windows of my house and make an inventory?

Um, pretty much yes?

Re:If you have something that you don't want

This level of paranoia seems unwarranted to me for at least 2 reasons:

1. Even on your wired network at home, once your traffic leaves your house there are any number of people who with enough motivation could intercept your traffic.
2. As long as you are using websites that employ SSL the data between you and that site is encrypted, even if the WiFi signal is not.

I'm not saying you should not be paranoid but there reaches a point of diminishing returns.

Re:If you have something that you don't want

[DarkAce911]

I don't know about that, they knowingly assigned a well-known writer of war-driving software to the street view team. It is kind of obvious what is going to happen next. That was the reason Google hired him in the first place.

Re:If you have something that you don't want

[X0563511]

The people they were snooping on weren't intentionally running an open WiFi and had an expectation of privacy.

A false one. Ignorance is not an excuse.

Re:If you have something that you don't want

[6ULDV8]

Golly! I guess my Palo Alto firewalls are lying to me.

We use these to prevent internal data loss, filter malware, virus, etc... and decrypt all SSL traffic as normal policy. The client never knows the difference because the firewall has its own cert issued by a trusted CA. You could always do the same yourself, but the process has been made trivial with an appliance.

Re:If you have something that you don't want

[X0563511]

I don't think you understand how radio works. It's like sound.

Your neighbor blares his stereo? Well, you can hear his music because of that.

You blare your unencrypted data? Well, I can read it.

Re:If you have something that you don't want

[X0563511]

Lets be proper about this.

Nobody picked it up off the street, they merely looked at it, and made a record in their journal.

Re:If you have something that you don't want

ctrf-f. yep retarded theft analogy.

It's communication. if you don't want someone to read a letter you don't have to secure it effectively you merely have to symbolically secure it with an envelope.
If you write your messege on a postcard then everyone between source and destination has every right to read it.
If you put it in an evelope then they don't.

easy isn't it.

If you don't want someone to read what you're broadcasting to the entire neighbourhood then don't broadcast it plaintext, that's perfectly equivilent to writing it on a postcard.

You don't have to secure it effectively, merely symbolically.

They didn't "go into the network". they just recordeded everything that was broadcast at them in plaintext on the public street.

They didn't crack anyones encryption, they didn't hack anything.

Re:If you have something that you don't want

[X0563511]

So, it's the tools problem when the user refuses to use it correctly?

God help us all when the butter knives get fed up with it.

Re:If you have something that you don't want

[X0563511]

So, instead of just insulting people - do you plan on backing anything up?

Re:If you have something that you don't want

[SecurityGuy]

If you leave your house unlocked, no, that doesn't allow me to go in and take whatever I want, because the DOOR IS CLOSED. Now, if you opened your door, and put a sign on the porch saying "Hey, I have stuff in here", then yes, it is your fault.

No, it's not OK even then. Only if I put up a sign saying "Hey, I have stuff in here AND YOU CAN HAVE IT."

I would argue that's exactly what you're doing if you broadcast unencrypted WiFi across your neighborhood. You cannot scream across the EM spectrum at the top of your lungs and demand the world not listen. People are not going into the public's house to get their wifi traffic. Ignorant members of the public are blasting it across an area greater than a football field with their house in the center.

Re:If you have something that you don't want

[X0563511]

No, it's more like walking down the sidewalk and noting how you and your boyfriend really are loud sex partners.

Since you can hear it from the sidewalk.

Re:If you have something that you don't want

*committed a felony the only reason they have not been charged is that email and other communication are not protected under law.*

oh, fuck, they are. if you're a school kid doing it then you're going to get busted.

but if you're google doing it!...

and well, usually it's not considered not stalking(legal) to be recording someones conversations with a laser pickup from the window either.

Re:If you have something that you don't want

[Bigby]

It is assumed. Am I to cover my ears when I walk by a house where someone is shouting?

Re:If you have something that you don't want

[uncqual]

so if i dont put up curtains that gives you free reign to peer into the windows of my house and make an inventory?

Generally, yes - as long as I do it from a location I am authorized to be (such as my own property or the sidewalk in front of your house). If my actions were associated with some crime (such as a conspiracy to murder) or in violation of court order (such as if you had a restraining order preventing me from being within 100 yards of your house) of course it is not okay.

Re:If you have something that you don't want

So if I leave the door to my house unlocked it's OK for you to go in and take what ever you want?

If you were throwing your private papers out into the street I wouldn't be too concerned about people making copies of them or reading them. Don't forget that intercepting your wireless traffic does not steal the bits out of the air or anything. Leaving your house door unlocked and your belongings inside is similar to using WEP. Polite people won't look through your belongings but morality is all that's stopping them.

If they sniffed any VOIP traffic then they committed a felony the only reason they have not been charged is that email and other communication are not protected under law.

If you broadcast your voice over public airwaves it is legal to intercept it. It doesn't matter if you *think* it's a landline, it simply does not have the same protection.

Re:If you have something that you don't want

[SaroDarksbane]

Actually, I'm fine with that. I don't feel that I have a right to stop people from using the data I voluntarily send straight to them.

Good luck decrypting it, though.

Re:If you have something that you don't want

If it is encrypted, then I will use things like email, etc. But only if they are on a secure pipe (such as https / pops / etc.). I still won't use it for anything financial.

Aside from leaking DNS queries what's the harm in using https over wireless (or anything really) for financial transactions?

Re:If you have something that you don't want

[SaroDarksbane]

If you're handing out checks to everyone who passes within several hundred feet of your house, then you can't complain that someone has your banking information.

Actually using that information to break into your account and take money would be theft, of course, but have you proved that Google did anything untoward with the data that they were given (yes, given)? If not, your analogy does not hold.

Re:If you have something that you don't want

[PigleT]

Three key words: You have the *right* to leave your house doors open, but if you do, you'll find your *insurers* take a dim view of your sense of *responsibility*.

The analogy may or may not apply well to wifi.

Re:If you have something that you don't want

Except Google didn't use "free reign to peer and make an inventory", but just snapped a random shot, just as it did X meters back and will do X meters forward, and your open window was in that shot. Good job adding yet another failed analogy to this thread.

/. and analogies - they go together as well as bread and ... I dunno, some thing that doesn't go well with bread at all. Except when you add some peanut butter, then it might do. Well, not so much if you're allergic to peanuts, of course, but what does peanut butter have to do with Slashdot? Nothing at all! That's why analogies don't work so good at /., you need to find a non-allergenic replacement for peanut butter first... Wait, what was that I was talking about, again?..

Re:If you have something that you don't want

[Dishevel]

The school kid hacked the account.
Question. Are the people who think this is a crime really that fucking stupid when it comes to technology on this site?
Or are they just so blinded by their own ideology that the stuff they used to know goes "poof" never to be seen again?

Re:If you have something that you don't want

[Artraze]

> It's like sound.

Which in most states is illegal to record without the consent of at least one party?

And further, I'd also mention that the Supreme Court has ruled that people have an expectation of privacy with regards to their infrared emissions, which is a much better analogy. There is a huge difference between actual sensory data which you incidentally encounter, and data that you can only receive by using a specialized piece of equipment and specifically decoding it. (Mind that even unencrypted wireless is still encoded by the protocol. You cannot make sense of the data by simply 'listening', you need to actually identify the noise, devices, packets, retransmissions, etc.)

Re:If you have something that you don't want

[yabos]

I'd liken it to you having sex with your wife on the front lawn and then getting mad that someone took pictures of it.

Re:If you have something that you don't want

[pnutjam]

I discovered an access point at my local kroger that decodes and SSL certs and replaces them. I'm curious how many phone apps will even notice this is happening. I plan to do some testing.

Re:If you have something that you don't want

if i dont put up curtains that gives you free reign to peer into the windows of my house?

Yes, if you're doing your girlfriend on the kitchen table with the windows open, I'm free to film it and post it on youporn. You wanted that to be private, close the curtains.

Re:If you have something that you don't want

[pnutjam]

Neither HTTPS or SSH can be sniffed if you can properly authenticate your endpoint. I can still perform a Man-in-the-Middle attack if you are careless or uneducated. Given the right circumstances, I may be able to get my CA added to your browser.

Re:If you have something that you don't want

[jimbolauski]

If you broadcast your voice over public airwaves it is legal to intercept it. It doesn't matter if you *think* it's a landline, it simply does not have the same protection.

Cordless phones many of which are unencrypted fall into your description, yet it is illegal in every state for a third party to monitor the phone call without consent of all participants. Most state laws also specify cellular and cordless calls, and others use all “electronic” communications, to cover ANY phone call. The protection is for any phone calls no matter how they are made.

Re:If you have something that you don't want

[Khyber]

"To me, there is no expectation of privacy if your communication is not encrypted."

Some people aren't capable enough to even program the clock on a VCR, yet you expect them to know how to magically set up encryption. The expectation of privacy is still there. It never goes away.

Re:If you have something that you don't want

[tooyoung]

You, along with many others commenting on this story are making the assumption that the common man is aware of how radio works. In each of the analogies being provided, I'm seeing examples of deliberate behavior:

-A persons loudly blares music
-A person has sex on their front lawn
-A person posts a sign in front of their house

In each of these cases, the person is extremely aware of what they are doing. Now, granted, you are correct - people are broadcasting their unencrypted data, which any one can collect. However, in this case, they are completely oblivious of the fact. Now, we can put on our nerd hats and proclaim that everyone should be intimately familiar with everything that we consider important, but I have to say, that isn't ever going to be reality.

Given the public's lack of understanding of the technology, it is reasonable to say that they can have an expectation of privacy for their wireless communication. As another poster pointed out, you need to purchase "specialized" equipment to collect this data. I don't simply walk down the street and have this data rudely forced upon me.

Re:If you have something that you don't want

I use wifi away from home only when it is a necessity. And only at when times I don't have an option. End even when I do use it, I restrict what I do (as stated previously, sorry if this mildly complex set of use-cases confused you).

It didn't. You might be mentally retarded if you thought it was a complex use case, I'd check on that.

Also, it keeps anyone from accessing my home network via WiFI, should they manage a successful breakin.

But if they DO manage a successful break-in, they don't need to access your home via WiFi. They just managed a successful break-in. You're proving that WiFi isn't really the problem, just another method of entry that should be guarded carefully.

Using wifi elsewhere won't allow them to break in to my home network via wifi.

Thanks Major Obvious, because I was totally thinking people in internet cafés would use magic pixie dust to sniff your WiFi network credentials that do not exist.

If what I do is too complex for you, that's your problem, not mine.

No, it's definitely yours. Not that what you're doing is complex (do not equal being borderline paranoid with complexity), but I couldn't give half a monkey's left nut about your network.

But I don't feel like wasting 10-15 mins on the phone to cancel a credit card, dealing with issues of someone having gotten into my filesystems because they've run rampant on my network, or having the cops come after me because someone hacked my network and started using my internet for illegal purposes.

No, you'd rather spend an extra minute several times per month/year to plug in your laptop and in no time you will have surpassed the time it takes me to cancel a credit card maybe once every 10-30 years, with barely a scratch on my credit report. Not that I ever got my credit card stolen using https/ssh over WiFi in my damn house, but hey.

Re:If you have something that you don't want

if i dont put up curtains that gives you free reign to peer into the windows of my house and make an inventory?

Well, I don't agree with your analogy, but I have something to point out in that regard.

Google drove their peeping tom car on to my property and took pictures of the inside of my house through my windows and published them on their "street view". And yes I do have curtains, but the wind blew them aside.

I asked Google repeatedly to take down their intrusive photos, but they insisted they had the right to do this, even though they were on my property.

Then I pointed out that they'd taken pictures of my minor daughter's bedroom. BOOM! Even Google fears the American obsession with paedophilia, and the pictures came down... my house is now a blacked out section in Google street view.

So: yes, broadcasting unencrypted wifi is asking for people to hear your traffic. But, also, Google is more than willing to invade your privacy for their own profit.

Re:If you have something that you don't want

Just because you're stupid doesn't mean the law MUST protect you. Just because you believe something is private, that doesn't make it true. There already was a case where the court decided there is no expectation of privacy on unencrypted Wi-Fi, and in Google's case it wasn't found illegal by court as well, it was found questionable and irresponsible by public. Saying "But I didn't know how to secure it!" won't help you in court or in insurance company. People just need to learn to RTFM, all the routers now have manuals with Big Friendly Pictures and Big Friendly Setup Wizards which tell you to set the password.

Re:If you have something that you don't want

[X0563511]

OK, then i'll argue this way: you require specialist equipment to broadcast this internet. If you have it, you need to understand at least the super basics of how it works.

If suppliers are not ensuring you do, they are not exercising the due care that they should (yes, i know they are not required to. that's part of the problem)

Re:If you have something that you don't want

You, along with many others commenting on this story are making the assumption that because a common man is not aware of how radio works, he must be legally protected from his own ignorance.

"It is reasonable to say they have an expectation of privacy" != "They have a reasonable expectation of privacy".

And yeah, any wireless card and a PC? That's pretty specialized data collection equipment required there. I mean, just tick the "automatically connect to open networks" checkbox and before you know - BLAM! - there's a bunch of data rudely forced upon your PC (and your PC rudely forces data upon someone) and you're invading someone's privacy. Shocking.

Re:If you have something that you don't want

[gparent]

When you need knowledge you don't have, you hire a consultant. People have been doing it with their cars for years, it's no different with a computer. And yes, you can get screwed in both cases. It's called the real world.

If you're incompetent, pay for someone who is competent. It's that simple. People just act different 'cause it's a fucking computer and they have some sort of mental block that prevents their intelligence from working properly.

Re:If you have something that you don't want

[reve_etrange]

Apparently, you could watch it, but in most of the US recording the act would be illegal.

(You can check the validity of this analogy for yourself).

Re:If you have something that you don't want

[poptix]

Your Palo Alto firewalls only work because the (self signed) global wildcard certificate they use has been manually installed on every client on the network, and is trusted by those devices.

Unless you can trick a user on a public wifi hotspot into accepting your self signed global certificate their browser will not validate the connection or pass data without a big red warning screen.

Re:If you have something that you don't want

[Your.Master]

Why not?

Re:If you have something that you don't want

No but if you put all your belongings out on the front lawn, you can't tell people off for looking at them.

Re:If you have something that you don't want

TEMPEST says that you shouldn't be doing internet banking at all. You are sufficiently paranoid, but insufficiently informed.

Re:If you have something that you don't want

[Khyber]

"Just because you're stupid doesn't mean the law MUST protect you."

Actually, that's what laws are for.

"People just need to learn to RTFM, all the routers now have manuals with Big Friendly Pictures and Big Friendly Setup Wizards which tell you to set the password."

Mine didn't come with a manual, nor a setup wizard. It just came with a slip of paper with the login code for the router, and the default wireless encryption key (and the wireless encryption was turned off by default.)

Re:If you have something that you don't want

where do you live? i will be over tonight.

Re:If you have something that you don't want

[galoise]

This is false. There is no expectation of privacy in public space, if I grab my phone and record sound in the street, and happen to overhear a conversation from inside a house, I do not need authorization from the person having said this conversation.

The opposite would be evidently idiotic.

Re:If you have something that you don't want

[galoise]

The most obvious analogy is a person having a conversation by the window of his house. I am standing in the street, and can hear his conversation from a public space. I am completely free to listen to it, remember it and then relay it to some other party, take notes of it, record it, and even enter it into a log with other publicly available data like the address, the time and date, and if the person has one of those little nametags in mailboxes, their fucking name.

If i have loud sex in my apartment, i can not say that it is a violation of privacy when my neighbor complains about the noise. I can not complain about him recording it from the privacy of his own home, either.

If the opposite were true, you would have to get permission of everyone that happens to be in hearing range of your phone whenever the phone's microphone is on, like when making a call, or recording an audio note.

If the opposite were true, you would have to get permission from anybody that appears in the background of a picture taken in public space.

"Awareness" on the part of those persons has absolutely nothing to do with it.

Re:If you have something that you don't want

[galoise]

you don't have to go that far: it's like having loud sex in your room, and then complaining about privacy when your neighbor complains about the noise

Re:If you have something that you don't want

they are all fucking retarded, and have no clue about what they are saying, because they have no idea of what a law is, and how it works.

it's the same sad story with all the morons that say that bsd licenses are "more free" than the gpl. blatant, utter, unashamed ignorance on the part of a bunch of moronic nerds that think that knowing how to vomit one or two more or less sophisticated lines of code gives them the right to pontificate about morals, politics, philosophy and the law, and generally have the argumentation level of eight graders.

like linus. or most bdfl's for that matter. awesome programmers and engineers, complete morons about everything else.

Re:If you have something that you don't want

There is no harm, he's just one of 'those' people.

Re:If you have something that you don't want

[cyclomedia]

Don't know about the US but in the UK the law is clear regarding radio transmissions - whether clear or encrypted, whether audio or data : You need the permission of the transmitter (the person, not the equipment) to listen in. This covers everything, e.g. air traffic control is not encrypted but that doesn't mean you're allowed to listen to it. Same goes for CB chats between two trucker friends and also peoples WiFi.

So as you can see, arguing that "the wifi AP didn't have a password therefore the auto-negotiation between my laptop and their router constituted permission" will get you nowhere.

Re:If you have something that you don't want

[anonymov]

Care to provide citations? Especially considering the legal status of Wi-Fi.

Because a) it might fall under general transmission and not require any special permission to receive (just as it doesn't require any special permission to transmit), and b) your interpretation makes even just scanning for networks around you criminal - as in that screen which shows available networks in your phone settings and such. You see, I didn't give your phone a permission to receive my SSID and protection state - even though they are transmitted in the clear. I transmit them only for my laptop and phone.

Re:If you have something that you don't want

[anonymov]

Nevermind, found some fresh news from UK.

Seems like initial investigation was on Data Protection Act grounds, not just "listening in", though that part might be investigated now under other act.

Re:If you have something that you don't want

Since the HTTPS / SSL certs are replaced with Kroger certs, the CN (common name, or the webiste) no longer matches the site you're visiting, or they use a self-signed certificate.

Any modern browser (and any app using SSL) should at the very least warn that there's something fishy going on.

If not, I'd have the local law enforcement agency (or certificate provider) start poking around for fraud / impersonation.

Re:If you have something that you don't want

Last time I bought a router, I had this big red sign "STOP READ THIS BEFORE USING" as the first pamphlet. Now, my router isn't Sony's but ...
http://dl.owneriq.net/6/664c405d-2d55-4ac1-acb9-9695f9093b88.pdf

I'm almost positive every router I've purchased has had something like this (I have/have had about 4 over the past few years). Takes about 10 minutes to set up, and they provide key-by-key walkthrough. Not sure how simpler they can get without bludgeoning purchasers over the head.

P.S.
"Specialized"? I can use a bog-standard Windows or *nux machine with a wifi card and an application to do this. If you argue that this is specialized, then I argue that installing the Facebook application on your favourite mobile device is also "specialized" hardware. Otherwise, you can't possibly understand the HTML/XML going through your wifi/3G connection. Are you saying there are millions of people who are running around with specialized hardware to Facebook?

Re:If you have something that you don't want

Hey retard, go read this: http://www.paloaltonetworks.com/products/features/decryption.html

"A man-in-the-middle approach is used where device certificates are installed in the user's browser. By default, SSL decryption is disabled."

Hey! Turns out SSL is still not broken! Now stop jumping on the stupidity bandwagon and learn how your shit works.

Re:If you have something that you don't want

[pnutjam]

Opera on my phone threw a cert warning. I plan to test some apps to see if they send any sort of warning. It probably depends on the programmer. I wonder how many apps actually use https instead of http...

The cert was not a kroger cert, it was something else and I did actually call the police because I thought it was a rouge access point someone had set up on the parking lot. It appears to be in the store's deli. I'm debating whether I should follow up to ascertain if they are aware it is set-up the way it is and how that could potentially open them up to liability.

ftfy

[girlintraining]

Data Engineer In Google Case Is Identified

Fall Guy In Google Case Is Identified.
FTFY

Re:ftfy

How could he be the "fall guy" if they kept his name anonymous?

Re:ftfy

Exactly. This poor schmuck is going to get thrown under the bus so Google can attempt to save face by claiming this wasn't their exact intention. Maybe next time they should read up on wiretapping laws?

Re:ftfy

[NotMariusMiller]

Maybe, just maybe, Google and their idiot engineers realize what it feels like when all their info leaks out? This is why he needs to be singled out, and all his information made public.

Re:ftfy

[RealGene]

I thinks it's exceptionally clever of Google that they found a wifi hacker with street cred to write the sniffer, so that they could be shocked! SHOCKED! to find wifi sniffing was taking place in their establishment.

Re:ftfy

[girlintraining]

I thinks it's exceptionally clever of Google that they found a wifi hacker with street cred to write the sniffer,

Dude... there's nothing exceptionally clever about it. There are dozens of sniffers out there that are easy to configure and use. The fact that Google hired a guy who wrote one isn't clever; It's business. Clever is leaving this guy twisting in the wind, with no future job prospects, no stock options, and only a few months' unemployment to coast on before beginning his new career in retail -- thus protecting the Google brand identity and slogan "Do No Evil". Determining whether or not ruining someone's life for doing exactly what was asked of them by management qualifies as evil or not is left as an excercise for the reader.

Re:ftfy

[khipu]

Well, I don't think it happened in this case, but pretending to keep someone's name anonymous and then leaking it is a pretty common strategy in politics.

Re:ftfy

There's no harm to Google in passively protecting his name, until they actually need to start deflecting.

Still, I don't blame Google for this as a whole company, this is just the sort of crap that happens when you start getting big and units in your organization start becoming unaccountable and separated from your supposed values. This short of crap was just inevitable.

On the other hand, perhaps Google should think very carefully about what sort of company they want to be, a big, ubiquitous corporation, or perhaps some smaller, more accountable companies split off from the whole.

Re:ftfy

[khipu]

What kind of twisted world view do you have in which corporate employees are transformed into mindless minions that have to obey every command? As an employee, you still have moral and legal responsibilities. If he had thought that this was the wrong thing to do, he could have said "no". In fact, the way Google works, he probably could have said "no" without consequences.

I think what rather happened is that he thought this was an OK thing to do. Good for him! I hope he makes that argument stick, because I think he's right and it's the principled position to take. However, it still comes down to the fact that he made that choice to go ahead, and he needs to now deal with the consequences. And the long term consequences may still be good for him and for all of us, in that people may come to realize that we shouldn't have useless and ineffective legal restrictions on recording publicly broadcast data.

Re:ftfy

[RealGene]

Sorry, forgot the "ironic" tag. The clever part is in finding the perfect fall guy, not the perfect coder.

Re:ftfy

[girlintraining]

What kind of twisted world view do you have in which corporate employees are transformed into mindless minions that have to obey every command?

My 'twisted' world view is called 'capitalism'. And yes, if you want to stay employed, you do what the person signing your paycheck tells you to do.

As an employee, you still have moral and legal responsibilities.

Yes, the moral responsibility to keep eating, paying the rent so you can keep a roof over your head, etc. It's very easy to act all indignant that someone would choose to eat food instead of morals; It's a lot harder when you're the one choosing between keeping your job, or losing your car, house, family, etc.

In fact, the way Google works, he probably could have said "no" without consequences.

The evidence does not agree with your 'world view'. Also, although cliche, I have to say "Citation needed." You haven't claimed you work for google, nor provided any citation or information that might suggest Google is somehow above its fiduciary responsibility to its shareholders; Because before this guy got fired, the Board most certainly looked at the issue and determined one man's future was not worth Google getting raked over the coals in a PR disaster. To suggest that they would take the moral high ground on that is preposterous: All businesses react the same way to a perceived threat -- they jettison it and distance themselves from responsibility for it as quickly as possible.

I think what rather happened is that he thought this was an OK thing to do. Good for him! I hope he makes that argument stick, because I think he's right and ...

... And that'll be the last time he gets a job in this industry. What's the first thing a prospective employer does these days? Type your name into a search engine and see what it comes up with. And right there, as the #1 result for the rest of his life, will be "Caused PR disaster." Whether that's true or not is irrelevant; Future employers won't take the risk. Taking the moral high ground is not without its consequences; That is why so few people these days do it.

, in that people may come to realize that we shouldn't have useless and ineffective legal restrictions on recording publicly broadcast data.

I'm sure he'll take great comfort in raising public awareness on this very important issue, while he's asking you if you'd like fries with that.

Re:ftfy

Wirelesstapping laws?

Re:ftfy

Marius Milner

Good start.
What about "known to supervisors and at least seven other engineers".
And how about some mug shots.

Re:ftfy

[khipu]

My 'twisted' world view is called 'capitalism'. And yes, if you want to stay employed, you do what the person signing your paycheck tells you to do.

No, your world-view is Marxist because you view employees as little more than slaves. In a capitalist system, people change jobs when their employer doesn't treat them right. And Milner would have had no problems finding another job if he didn't want to record this data; skilled networking software developers are in high demand.

The evidence does not agree with your 'world view'. Also, although cliche, I have to say "Citation needed."

You fabricate the idea that Milner was forced to collect that data. Then you fabricate the idea that Milner will be fired over this. And you fabricate the idea that Milner is now unemployable. Where is your evidence?

Future employers won't take the risk. Taking the moral high ground is not without its consequences; That is why so few people these days do it.

If you think that recording this data was wrong, then the "moral high ground" would have been to quit before recording the data, in which case Milner wouldn't have this on his record.

Re:ftfy

Because before this guy got fired

He wasn't fired.

Re:ftfy

My 'twisted' world view is called 'capitalism'. And yes, if you want to stay employed, you do what the person signing your paycheck tells you to do.

Not all companies take capitalism to the same extreme. And before playing the fiduciary obligation to shareholders card, you might want to learn a thing or two about Google's corporate governance, including the fact that the founders hold the majority of the voting rights and have explicitly said that they won't always act to maximize short-term profits.

Yes, the moral responsibility to keep eating, paying the rent so you can keep a roof over your head, etc. It's very easy to act all indignant that someone would choose to eat food instead of morals; It's a lot harder when you're the one choosing between keeping your job, or losing your car, house, family, etc.

I'm pretty sure any engineer who has worked at Google since 2003 is not going to have to worry about paying for rent and food ever again.

Because before this guy got fired, the Board most certainly looked at the issue and determined one man's future was not worth Google getting raked over the coals in a PR disaster.

Except he hasn't been fired. RTFA, it says he's still working for YouTube. You can look at his LinkedIn page and confirm this yourself.

Re:ftfy

[girlintraining]

No, your world-view is Marxist because you view employees as little more than slaves.

Your red-baiting will not work here, Sith Lord.

Re:ftfy

[khipu]

Your view of Milner is that he is exploited by his company, alienated from his work, and unable to change jobs because of a labor surplus. That is, you hold the classical Marxist view of labor; that's just an objective fact. If you didn't know that was Marxist, start doing your homework.

The capitalist view of labor is that it operates in a free market, so workers can negotiate fair wages, prefer their current work to the alternatives, and can change jobs if another job offers them a better overall value.

One can argue about whether the Marxist view of labor applies to unskilled factory workers (and that observation alone wouldn't amount to a full-scale endorsement of Marxist ideology), but it certainly does not apply to Google engineers. Milner had a choice whether to collect this data or not, and he wouldn't have starved if he had chosen not to.

So it looks like you are now adding fabricated outrage to fabricated facts.

Re:ftfy

Except the person is a STATE INVESTIGATOR. This person is not employed by Google.

Inflammatory Headline

[eternaldoctorwho]

He's a witch! Burn him!!! Burn him!!!

Seriously, though, it sounds like he is a fugitive on the run that got fingered.

Re:Inflammatory Headline

I know right? I was just about to say that as soon as I saw the headline.

"Urhh yerr we don't know anything about that there wi-fi sniffing"
"haaaang on a minute, we found your guy! This guy done it! This guy right here!"

All blame put on him, gets screwed over, life ruined, all to keep Google "good".
Pathetic.

like the phrase

[Trepidity]

If this guy is responsible for sneaking the phrase "hackers and other ne'er-do-wells" into an official legal document, I sort of like him already.

In general though I don't see much reason to single him out, when it seems fairly clear (from what evidence is available) that this was a Google project, not a "rogue employee" acting against management's wishes. There are cases where I'd support individual employees being held accountable, but I'm not sure this rises to that level; whether this turns out to be right or wrong, I think Google as a company should own the actions.

Re:like the phrase

[second_coming]

It all depends as to whether he added the code without permission from the higher ups.

I must admit, it sounds to me like he's being turned into a sacrificial offering.

Marius Milner's Software Downloads

[DarkStarZumaBeach]

NetStumbler for Windows and MiniStumbler for Windows CE downloads are at: NetStumbler.com

Downloads are free but PayPal donations are accepted.

Re:Marius Milner's Software Downloads

[Sipper]

NetStumbler for Windows and MiniStumbler for Windows CE downloads are at:
NetStumbler.com

I've been told that the software that actually did the sniffing wasn't NetStumbler, but rather it was Kismet. I don't know the original source of who knows this firsthand though, so I can't verify this. However if this is true it's interesting, because it would mean A) Google was likely using a non-Windows system to do the wireless packet sniffing, B) the author of NetStumbler was using another sniffing utility to do the work rather than his own tool, which would be an interesting irony.

Re:Marius Milner's Software Downloads

Adding to this, Netstumbler can't even capture data as its hopping channels. The only way to accomplish this if the author wrote another program that used another wireless card to sniff on the selected channel, which seems highly unlikely. If word got out what software Google was doing to accomplish this, wouldn't you think it would inspire someone to find ways to break it when a Google car is in your neighborhood? Presuming of course, they simply turned off the pcap capturing and continue to use it.

Re:Marius Milner's Software Downloads

[Sipper]

Adding to this, Netstumbler can't even capture data as its hopping channels. The only way to accomplish this if the author wrote another program that used another wireless card to sniff on the selected channel, which seems highly unlikely.
If word got out what software Google was doing to accomplish this, wouldn't you think it would inspire someone to find ways to break it when a Google car is in your neighborhood? Presuming of course, they simply turned off the pcap capturing and continue to use it.

Interesting -- NetStumbler sounds like a very different tool than Kismet is. Concerning the packet sniffing Google did, my understanding is that the main issue was sniffing and storing of unencrypted packets, so yes, that would generally be easy to fix by turning encryption on. My understanding is that Google was likely mostly interested in sniffing and storing the SSIDs of access points along with GPS data on where they were located, and context like whether the AP was encrypted. In other words, they were essentially "war driving" while collecting map data. I don't think they had any ill intent, and likely just forgot to turn the logging off. *shrug*

Idiots

[StoneyMahoney]

I guess it would be beyond expectation for someone to tell anyone complaining their data was "stolen" that they should have been pumping it into the local atmosphere for all to read without any encryption or other basic protection.

Yeah, holding people accountable for their own idiotic actions would make too much sense. Beside, we make far too much money out of idiots who bought cool stuff with no clue how it actually works - me especially, a lot of my tech support clients use Macs.

Re:Idiots

[StoneyMahoney]

Take note kids, this is what happens when you post dehydrated.

Re:Idiots

[NotMariusMiller]

I guess it would be beyond expectation for someone to tell anyone complaining their data was "stolen" that they should have been pumping it into the local atmosphere for all to read without any encryption or other basic protection.

Yeah, just like we should not prosecute crooks that steal credit card numbers from ATM's, but instead we should blame the victims because they were "too stupid" not to see the modifications?

Re:Idiots

Bad analogy.
 
If those same 'victims' were walking around with their account information on a giant board around their body, yelling that they have available resources and anyone can use them if they want too, then yes, we would call those people stupid.

Re:Idiots

[Desler]

I guess it would be beyond expectation for someone to tell anyone complaining their data was "stolen" that they should have been pumping it into the local atmosphere for all to read without any encryption or other basic protection.

Most people didn't set up their home network and probably had expected that it wasn't publicly accessible. In most cases, these people had their WiFi setup done by whoever came from their ISP to set it up. They had an expectation of privacy. This is really no different than the fact that you can't just record phone calls without consent either.

Yeah, holding people accountable for their own idiotic actions would make too much sense.

Like holding Google accountable for someone purposefully going around sniffing people's traffic?

Re:Idiots

[NotMariusMilner2]

It is perfectly fine analogy. Most people don't know the implications of using non-secured WIFI. They aren't "yelling anyone to use their data", they (reasonably) think it wouldn't be possible because they don't know about it. Just like you might not know that some crook is stealing your credit card number.

Re:Idiots

[madmark1]

So let me see if I understand your argument. People aren't stupid, because they don't know the implications of unsecured wifi. Or put another way, people aren't stupid because they are ignorant and lazy instead? Every freakin router manual you will ever find, as part of the 'simple setup steps' tells you to change the default SSID, and turn on some sort of encryption. If they don't do that, then it sure sounds stupid to me.

Re:Idiots

[Bigby]

I'm going to open a radio station and broadcast a private station. Every couple minutes it will say "this is a private feed and it is illegal for you to listen to it without permission". Then I will sue everyone that does...

Profit!

Re:Idiots

Understand what you you're arguing:

If someone happened to be using the same channel of a walkie-talkie as you were and perhaps recorded it, you would sue them too? Or would you think "don't yell your personal info over the air, you idiot"?

Only the unencrypted information is useful

If you broadcast your data over airwaves, without encryption, you get what you deserve. Seriously this is only an issue at all if dimwits would just enable encryption. Instead of google doing this it very well could have been your creepy next door neighbor. Which one would you rather see your packets? Oh right, neither, so turn on encryption.

I'm not sure how this story is still even an issue. Geeks should already understand this, if you don't, you aren't a geek. Also, troll stories are troll-e.

Re:Only the unencrypted information is useful

You (and the 100 other posts with the same sentiment) are frickin' morons.
Yes you should protect you data as much as possible, but there are always
ways around that and looking through other peoples stuff is wrong. just because
you *can* doesn't mean you *should*. If you mail a letter, I could grab it out of you
mailbox shine a light or something to read the contents (or unseal/read/reseal).
would your response be "Well, I guess I should have put the letter in a stainless steel
box and welded it shut"

Re:Only the unencrypted information is useful

[madmark1]

Uhm, no, my response would be tampering with the mail is a federal offense. Receiving unencrypted, publicly accessible radio transmissions isn't. If you are broadcasting unencrypted wifi signals, you do not have an expectation of privacy, any more than broadcasting an FM radio signal does. If I seal an envelope and mail it, and you steam it open, or shine a light through it to read it, you know you are looking at something you shouldn't, because it was SEALED. Get it?

Re:Only the unencrypted information is useful

Nope. Sending letters in envelopes, and setting up wifi encryption - just as any router's "Insert a disk and follow the instructions" installation wizard nags you to do - is reasonable expectations of privacy. Open Wi-Fi is like sending open postcard and hoping no one catches a glimpse of what's written there.

If Google was doing the equivalent of "shine a light or something", i.e. breaking WEP encryption or something, that would be a different matter and they wouldn't get off with just $25000 fine for obstruction.

The big cat in the room.

Posting anonymous so this will not haunt me forever through the net (unless you are tracking me already har har).

Has anybody actually been hurt? Because, uh, I'm just asking. I'm all for privacy but I don't see anyone poring over my data in this case. So has anybody been hurt? Where is the victim?

Or are we talking about hurting the feelings of those poor electrons that used to mean something, however fleeting, before being vacuumed up by a hateful engineer?

And you know every atom whose state you have ever modified has certain inalienable rights..

I am pretty damned cynical about big corporations and those who presume to rule them, but there are plenty of white collar criminals in power in America and I have yet to see any at Google.

And for your info I think Sergey's and Larry's excellent space adventure shows me enough where those guys stand. I prefer to support Google and Man's Future In Space. The rest of the establishment, their cops and politicos and bastards who talk out the sides of their mouths, the warhawks and smack sellers, and all the self righteous fucks who turn a blind eye to killing, and the fucktards who find a moral pinnacle somewhere in there, they can all go off and fuck themselves until they die.

As for Milner? Well he is either completely innocent or a geek who has been hypnotized until robotic. Happens every day in America. There are one thousand other cases more worthy of prosecution.

Re:The big cat in the room.

[tnk1]

Would you have preferred that they waited to deal with this after someone actually got hurt?

Google's not going to go out of business here, and even those who believe this was less of a mistake and more of a "project", don't think that it was necessarily going to be used as more than some sort of research into something else.

That said, Google has set the bar for itself, and it needs to be consistent about it. The company needs to actually enforce its core values or they are going to be seen as either a good idea that would never work in the "real world" or worse, an egomaniacal expression that actually means "Evil is what we say it is".
 

Re:The big cat in the room.

Thanks for replying though I was AC.

I think you are correct on all points. However I object to the media fest and attempt to destroy this man's career.

Perhaps Google needs to be taught a lesson certainly the words of Schmidt in the past indicate callousness to privacy although that is probably moderate compared to most corporate CEOs. So yes Google cannot afford to take both high and low ground at the same time. Though being arbiter of morality might appear to be bad for their bottom line in the short term.

Still, my point remains. Someone is having their career destroyed because Google is a big fat target and yet, no victims exist. Being on the cutting edge and pushing things to see where the law will step in is perhaps how they do business even, however it is sufficient to erase the excessive data and make legislation. The impression is that Google is not as good at lobbying as say the RIAA, Tobacco or Oil are. The difference of course is that when Google oversteps unclear bounds, still nobody has actually been hurt. Whereas when RIAA, Tobacco or Oil overstep much clearer bounds, you get things like spammed prosecution of the innocent and a protection racket (RIAA), death (Tobacco) and destruction of water resources and the atmosphere (Oil). Google's visibility makes it risky for people to work there it seems.

Doesn't seem to be a "rogue employee"

[aclarke]

Here's a choice tidbit from the article:

Google long maintained that the engineer was solely responsible for this aspect of the project, which resulted in official investigations, some still unresolved, in more than a dozen countries. But a complete version of the F.C.C.’s report, released by Google on Saturday, has cast doubt on that explanation, saying that the engineer informed at least one superior and that seven engineers who worked on the code were all in a position to know what was going on.

The F.C.C. report also had Engineer Doe spelling out his intentions quite clearly in his initial proposal. Managers of the Street View project said they never read it.

Depicting his actions as the work of a rogue “requires putting a lot of dots together,” Mr. Milner said enigmatically Sunday before insisting again he had no comment. He said he was closely following the news reports on the issue.

If that's all to be believed, Milner reported on what he was doing, and sent it to his boss(es). They opted to "not read" the report. If at least six other engineers were in a position to know, then this sounds more like a "no, don't put this in writing or tell us what you're doing" situation than a rogue employee. If bosses aren't responsible for their employees, what are they there for?

Re:Doesn't seem to be a "rogue employee"

[Richard_at_work]

If this were anyone other than Google, Slashdot group think would be shouting "incompetent company!" as loud as they could...

Re:Doesn't seem to be a "rogue employee"

[girlintraining]

If bosses aren't responsible for their employees, what are they there for?

To provide individual profit without individual responsibility. Unless, of course, profit is threatened, in which case sacrificing an individual is a reasonable response. See also: The reason most people over the age of 30 are fired. I can't tell you how many times I've heard someone blubber "But I did what they asked me to..." on the way out the door. I've worked corporate jobs long enough to know that when someone asks you to do something you think might backfire, you smile, agree, and work as slowly as possible on the project while working as quickly as possible at finding another job and getting your name off the reports. Corporations will not hesitate to throw their employees under the bus -- afterall, it's not like you're unique or important... there's fifty more just like you a phone call away.

That is the raisin de etre for a corporation: Individual profit without individual responsibility.

Re:Doesn't seem to be a "rogue employee"

"no, don't put this in writing or tell us what you're doing"

Standard government m/o - and numerous corrupt outfits.

But, hey, it's Google and the Do No Evil (TM) so they get a free pass

Re:Doesn't seem to be a "rogue employee"

[Wheatie]

If I were a shareholder, this sort of loose operations control would seriously worry me. I know that Google was at least partially built on letting creative people run off and do what interests them, but there also needs to be a decent level of oversight and guidance to ensure that employees don't inadvertently (or even intentionally) get themselves into legal troubles.

Re:Doesn't seem to be a "rogue employee"

Please refrain from speaking French.

You literally wrote: That is the "raisin of is".

Re:Doesn't seem to be a "rogue employee"

[ELCouz]

FYI : That is the raison d'être for a corporation

Source: I speak french
Source #2: http://en.wiktionary.org/wiki/raison_d'%C3%AAtre

Please update your internal dictionary slightly outdated ;)

Re:Doesn't seem to be a "rogue employee"

[reve_etrange]

On pense que quelqu'un ne comprende pas la difference entre les infinitifs et les conjugations.

personal project to study WiFi spots gone bad

[peter303]

He said it was an add-on to study WiFi use around the world as part of his 20% project. I dont know if you have report or get approval for your 20% projects at Google or elsewhere. But after this is may be a good idea to have some supervision.

It would be like adding some metric measurement software to what we ship customers. Then have that send back these data. Our customers may be unsure then if their personal data in this software is being compromised.

Re:personal project to study WiFi spots gone bad

Our customers may be unsure then if their personal data in this software is being compromised.

Happily, such uncertainty isn't applicable in the case of Google.

Didn't RTFA? Just pull comments out of your ass!

Now a former state investigator involved in another inquiry into Street View has identified Engineer Doe. The former investigator said he was Marius Milner ... The former state investigator spoke on the condition that he not be identified because he was not authorized to speak. ... Although the F.C.C. declined to identify the engineer, a footnote in the full text of its report said Google told the agency the identity of Engineer Doe “only because it had disclosed his name to state investigators on December 17, 2010.” Google declined to comment.

That's clearly Google's fault. They shouldn't have told state investigators ANYTHING. I mean, they got reprimanded for "obstructing investigation" or somesuch anyways, what does one more bit held back matter?

pursue and punish where it does some good

[khipu]

If you broadcast information publicly and without sufficient encryption, the public can listen in and record it.

Apart from the question of who is right in the abstract, punishing Google or other people isn't going to deter anybody who actually wants to do you harm, since passive listening is pretty much impossible to detect. What we might restrict and punish is the use of such information, for example rebroadcasting it, using it in legal proceedings without a prior warrant, or reselling it.

The real question we should be asking is how people are punished that broadcast private information (e.g., hospitals that use unencrypted networks).

Re:pursue and punish where it does some good

If you broadcast information publicly and without sufficient encryption, the public can listen in and record it.

Not legally. Jesus Christ, if Sergey Brin raped your mother, you'd probably say she was asking for it.

Re:pursue and punish where it does some good

Anyone caught broadcasting protected healthcare information, as in your example, would face federal fines that vary from small to severe if the violation is willful.

Re:pursue and punish where it does some good

[Solandri]

I tend to fall on Google's side on this (because other companies do the same thing or worse; Google only got "caught" because they did the honest thing and publicly admitted their mistake). But placing blame entirely on people who fail to encrypt their wireless is going too far in Google's favor. If I don't lock the door to my house, yeah it's my fault if I get robbed. But that doesn't make the robbery legal.

If you find a neighbor's wifi network is open, that doesn't give you carte blanche to use it and snoop their devices and data; especially in the countries where privacy laws afford some protection against that sort of snooping. This spills over into a grey area regarding data on encrypted networks. What happens if I record your encrypted wifi data, and 10 years from now computers have gotten fast enough that what was sufficient encryption at the time of the recording can be broken in a few seconds? Do I get to say "tough, you broadcast that data on public airwaves using insufficient protection; it's now mine to do with as I wish"?

Your private data has to be afforded some legal protection regardless of the amount or strength of encryption. The dividing line has to be whether the user had an expectation of privacy when transmitting that data. I think most courts would buy the argument that you don't have an expectation of privacy only on openly public networks (e.g. Starbucks). I think wifi is new enough for non-tech people that for a home network, most courts would agree the owner had an expectation of privacy even if he failed to turn encryption on.

Re:pursue and punish where it does some good

[khipu]

But placing blame entirely on people who fail to encrypt their wireless is going too far in Google's favor. If I don't lock the door to my house, yeah it's my fault if I get robbed. But that doesn't make the robbery legal.

But we have a long-standing principle that if you use the public airwaves, people have a right to listen. Why do you want to change that principle and suddenly criminalize behavior that's been legal for as long as we have had radio?

If you find a neighbor's wifi network is open, that doesn't give you carte blanche to use it and snoop their devices and data

I do not have a right to use it, nor is anybody arguing that you should. Use requires broadcasting and interfering with the access points. I should have a right to passively listen and record whatever my neighbor broadcasts, just like any other radio transmission.

Your private data has to be afforded some legal protection regardless of the amount or strength of encryption. The dividing line has to be whether the user had an expectation of privacy when transmitting that data

If you broadcast your private information over the radio, if you print it on fliers, if you have loud conversations about it sitting at Starbucks, it ceases to be private. Whether information is private is not defined by the information, it's always defined by what you have done with it in the past. If you publish it, it ceases to be private.

I think wifi is new enough for non-tech people that for a home network, most courts would agree the owner had an expectation of privacy even if he failed to turn encryption on.

Catering to people's stupidity isn't going to protect them from criminals. The only way to keep your private information from criminals is for people to use encryption. So, we could outlaw unencrypted connections, or we could require companies to print big warning labels. But making listening in to broadcast over the public airwaves illegal has no benefits and only threatens basic and important rights that we all have.

mod parent up

[ukemike]

mod parent up

Re:mod parent up

damn you are a moron.

We found a witch!

[Errtu76]

May we burn her?

Better analogy

[ukemike]

You don't want people listening in on your data? Don't transmit it on a "public" medium.

But google wasn't just incidentally listening to peoples data (like seeing the router name and signal strength). They were doing the equivalent of setting up a ladder on the sidewalk and taking multiple telephoto photos through each house's front windows on each block, in every town, in every state, then compiling and analyzing the data so they could better advertise to each household. If I'm in my kitchen doing dishes and someone looks at the kitchen windows while walking down the sidewalk that's one thing. But if a fellow sets up a ladder, climbs it, then whips out a camera with a telephoto lens, is that fellow just capturing light that I am broadcasting into the public medium? Sort of, but he's also making a substantial effort to see things that aren't intended to be public. To knowledgeable people the most that a wardriver would see is the router name and the signal strength. That's like the incidental glancing at the window, no big deal. That is public. Google was using advanced packet sniffing software to effectively get on the ladder and take telephoto pictures of what was going on inside. You try out the ladder/camera trick and see how long before the local police show up and toss you in the clink for being a peeping tom.

Re:Better analogy

... To knowledgeable people the most that a wardriver would see is the router name and the signal strength. ...

I take it you're not of those people then, because this is just false. Wardriver would be interested in the router name, signal strength and state of encryption. He would see all the same that Google car did. It doesn't take any supersecret "advanced packet sniffing" spy hardware and software.

Re:Better analogy

" advanced packet sniffing software"

your definintion of advanced needs some work.

you can do almost everything they did with a single 100 doller laptop and cain and able.
You can do exactly what the did if you use a seperate laptop or wifi card for each channel. they didn't hack anyones wep, just recorded everything that was broadcast in the clear on the standard channels.

people keep using more and more stupid analogies like yours because it's the only way they can make it seem unreasonable.

google drove down the street with a few wireless network cards listening in promiscuous mode and recorded everything they picked up. they picked up a few seconds of traffic on open wifi networks in much the same way that you pick up a few seconds of the conversation of the people around you as you walk through a mall with a video camera recording.

Re:Better analogy

[Dishevel]

No they were not.
They were driving by listening to ambient sounds when you went outside and screamed at your wife that just because you had your ass pummeled by the plumber once does not make you gay. They recorded it. Then they did not publish it. But you got scared and sued Google because they heard it.

Re:Better analogy

[bob')DROP+TABLE+user]

They were doing the equivalent of setting up a ladder on the sidewalk and taking multiple telephoto photos through each house's front windows on each block, in every town, in every state, then compiling and analyzing the data so they could better advertise to each household.

Citation needed.

Which one is it?

When this thing first came out Google said they hadn't done anything wrong as this was publicly available data (open networks broadcasting these packets). Now they blame everything on the 'rogue engineer'. Was what Google did wrong, yes or no? Why is not his manager and, ultimately, VP, accountable for this?

--

Sundar Pichai is the utter asshole whose incompetence has resulted in the shutdown of Google's Atlanta engineering office.

Re:Which one is it?

[nanoflower]

I think part of the problem is that we are dealing with different standards in different countries. I'm in the USA and while I think what they did was inadvisable I don't think it was completely wrong. The problem is that I think it is against the law over in Europe where they have much stronger data privacy laws. That's the sort of thing that could easily catch the engineers involved by surprise, but it appears that they covered that base by suggesting that the project be run by the legal team. It seems like that didn't happen which is likely a management issue, even though no one is admitting that because they don't want to take on that responsibility and the legal implications.

Google can decode encrypted packets too

If you/someone have at least one Android device on your wifi network and have the following option selected:
"Back up my data: Back up application data, Wi-Fi passwords and other settings to Google servers".

Then Google can decode the packets they captured.

Re:Inflammatory Headline - Paid Astroturf Spot

[Jeng]

If you check out the name of the person who made first post, along with the time stamp you'll see why it was written as inflammatory as possible.

I'm finally coming around to the opinion that /. is taking money for some story submissions such as this one.

Wrong target

How is this the engineer's fault? And Google's, for that matter? And really, are we going to say it's the user's fault? How does a grandma know what a wifi network means when it's not encrypted?

What we really need is to punish those wifi vendors. Force them to put a label on their products from now on: "Beaware of the Google Car if you don't encrypt your network!" Nothing a big enough warning cannot do.

double standards

"The former state investigator spoke on the condition that he not be identified because he was not authorized to speak."

Re:double standards

[nanoflower]

Yea, I noticed that. He felt it was fine to potentially ruin someone's career by identifying him but isn't willing to put his own name behind his statement?

Murdoch

[ThatsNotPudding]

Just like Rupert, Google is claiming 'We had no idea what our minions were doing; our job is merely to be wealthy.' #YeahRight

Side step the paywall

Use this link.

They got the wrong guy.

NetStumbler can't even capture WiFi data in transit and never did when this took place. It sends out probe requests and responses, unless he was writing some in-house stuff not available to the public, which seems assinine given that Kismet has existed for years and does everything this purportedly does, and is free with full source code available.
I think someone is not being honest here.

It's not private

[glorybe]

It is in a public air space. The sender wished to share it with others. That makes it fair game to me. That which is private simply can not be communicated to another person. It's a narrow definition but in many ways the only real definition. A trusted wife or friend can betray. When you throw the dice of communication you pretty much have to accept the consequences.

Citation

[cyclomedia]

From OFCOM: http://stakeholders.ofcom.org.uk/enforcement/spectrum-enforcement/guidance

This page is specific guidance about VHF Scanners, but cites laws regarding "transmissions" in general:

"...it is illegal to listen to anything other than general reception transmissions unless you are either a licensed user of the frequencies in question or have been specifically authorised to do so... "

and

"The services that can be listened to under the definition of general reception are:

        licensed broadcasting stations;
        amateur and citizens' band radio transmissions; and
        weather and navigation transmissions
"

Re:Citation

[anonymov]

You're quoting wrong parts, as every Wi-Fi device uses same "frequencies in question" and "licensed user" is any certified Wi-Fi card.

But further down the page there's applicable excerpt from RIPA:

".. intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of:
a public postal service;
a public telecommunication system."

Which seems to mean that because it was seen as accidental before, it was not included, and now that it seems to be intentional, there might be a new investigation - see my previous message.

UK Law prohibits it, encrypted or not

[cyclomedia]

this is UK law, not US law but direct from OFCOM: http://stakeholders.ofcom.org.uk/enforcement/spectrum-enforcement/guidance

"It is an offence if a person ... uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of any message whether sent by means of wireless telegraphy or not, of which neither the person using the apparatus nor a person on whose behalf he is acting is an intended recipient."

It doesn't matter if I'm broadcasting unencrypted data. If you are not the intended recipient then you are breaking the law by sniffing it.

Re:UK Law prohibits it, encrypted or not

You realize that since Wifi is a broadcast standard (just like radio) that every packet from an AP is read by all connected wifi hardware? Each machine must necessarily try to determine "the addressee" from the packets broadcasted from the AP (and the "sender" too, if there's more than one AP on the same channel in range).

This makes most wifi hardware illegal under that phrasing (assuming there are at least two simultaneous users on that AP).