Security Risks of Running an Open WiFi Network

As I've written before, I run an open WiFi network. It's stories like these that may make me rethink that.

The three stories all fall along the same theme: a Buffalo man, Sarasota man, and Syracuse man all found themselves being raided by the FBI or police after their wireless networks were allegedly used to download child pornography. "You're a creep... just admit it," one FBI agent was quoted saying to the accused party. In all three cases, the accused ended up getting off the hook after their files were examined and neighbors were found to be responsible for downloading child porn via unsecured WiFi networks.

EDITED TO ADD (4/29): The EFF is calling for an open wireless movement. I approve.

Posted on April 26, 2011 at 6:59 AM • 177 Comments

Comments

HugoApril 26, 2011 7:14 AM

Do you lend your car to complete strangers? (ignoring the fact that they might steal it) No, because you will be helt responsible for what they do with it (getaway car for robberies, joyriding, running over people). Are there any disadvantage for not lending your car to strangers? No, so don't do it.

The same goes for sharing your wifi network.

@Bruce, most of the time I admire your way of thinking when it comes to security. But I think you are wrong on this one. When it comes to an open wifi, you have to chose between 'being held responsible for other people's crimes' and 'being polite'. Your choice for 'being polite' is remarkable.

What's wrong with a secured wifi and giving the passwords to visitors (or typing it in for them) instead of having an open wifi?

ThomasApril 26, 2011 7:15 AM

"In all three cases, the accused ended up getting off the hook after their files were examined and neighbors were found to be responsible ... "

So if the neighbors had had half-decent computer security ...

Luckily I'll never be tempted to run an open AP, not with my crummy i/net connection. It's just another way my Telco is looking after me :-)

FrankApril 26, 2011 7:16 AM

I don't know what the current legal situation here is, but at some point in time the German jurisdiction decided that anyone who runs an open WiFi is responsible for whatever happened on that WiFi network, so those three poor guys would be in serious trouble regardless if they found out the neighbours were in fact downloading that crap or not.

At that point I decided to lock down my WiFi.

Steven HooberApril 26, 2011 7:26 AM

I'd ask, for the German example but for all liability in general, how secure does it have to be? Its not very hard to find non-broadcasting networks, or to crack into many "secure" ones, as we've seen. So, what if you use security, but crappy security? Or you don't broadcast, but also don't change the ntwk name so people can literally just guess? Etc.

Even without this, the FBI and local LE needs to start being aware that computers are networked, and lie a lot. Just because it resolves to a house doesn't mean it wasn't spoofed, or there's a connection into there from somewhere else, or the neighbors are piggybacking on.

timApril 26, 2011 7:27 AM

The issue is is not open WiFi. The issue is that the police used a SWAT team and didn't perform basic police work. Why aren't we asking that the police involved to be held accountable and instead focusing on the open-WiFi issue?

Richard "RichiH" HartmannApril 26, 2011 7:27 AM

Yes, we Germans are required by law to encrypt our Wi-Fi.

The real story, which does not seem to get much traction, is that SWAT teams are invading homes with little to no actual evidence that someone specific did anything and in situations where normal police would more than suffice, though. Which is a huge problem for any free society.

Lee ZimmermanApril 26, 2011 7:29 AM

Locking up the wifi helps to sell more wifi networks. As Marilyn Manson said, "fear is how you sell something"

Gianluca GhettiniApril 26, 2011 7:35 AM

what about some stranger using your own computer in the living room when you are at work?

framecrashApril 26, 2011 7:35 AM

Presumably, then, open WiFi networks of commercial enterprises (for example, Starbucks) are liable for their customer's activity?

We're gradually learning: I am not my IP address.

kingsnakeApril 26, 2011 7:38 AM

Bingo. Exactly what I said a week ago about the security of files on computers and how one could easily be accused of such a crime despite not actually doing it. Expect a lot more of this ...

Gianluca GhettiniApril 26, 2011 7:40 AM

do we need to be responsible for using easy-to-pick locks on the doors and windows made of glass? :)

ChrisApril 26, 2011 7:46 AM

We Germans are NOT required by law to encrypt our WiFi. That is total Blödsinn. Read the supreme court ruling.

AlbertApril 26, 2011 7:50 AM

In Sweden there is an entire network of open unencrypted WiFi hotspots. It's called ipredia and was started as a response to the repressive IPRED law (which forces the ISP to give out the identity behind an IP-address). We are still waiting for a pilot case where someone is put on trial for something that happened on his/her open wifi hotspot.

Chris (a different one from the ones above)April 26, 2011 7:52 AM

I concur with the notion that providing wi-fi access to guests is a sign of politeness, but I strongly disagree with the dangerous and ill-advised idea to run an open wi-fi network.

Many vendors of home routers, such as the pretty awesome Fritz.Box by German maker AVM, offer a feature called "guest wi-fi". It's basically a second SSID with a different WEP/WPA password that runs in a separate VLAN on the router. You can activate it as soon as your guests ring the doorbell and automatically have it deactivated by the router a couple hours/days later.

IMHO, this is the way to go - not running an unencrypted network at home that potentially exposes your other machines to "guests".

Grant GouldApril 26, 2011 7:53 AM

Given that "secure" wifi networks are about as secure as a paper bag, I think these folks actually got the easy option: If they had secured their networks then nobody would believe that it was their neighbors who were downloading.

I run an open network for the same reason that I'd loan a neighbor a cup of sugar for a recipe (even though they could be making bombs!) or let them use my phone (even though they could be calling their terrorist plotter friends!): Because neighbors help one another, they'd do the same for me, and the odds of evil are small compared to the odds of good. Open wireless networks on random residential streets have saved my bacon more than once, and I'll keep returning the favor.

JohnApril 26, 2011 7:55 AM

I think by having encrypted WiFi (locks on your door) you are demonstrating your intention that your network (house) has restricted access. If someone accesses your network (breaks in) then they have performed a deliberate act and you are not responsible for what they do with your network (house, car).

kevinmApril 26, 2011 7:57 AM

I have seen a few SSID that read like "hello - call 555-1234 for password"

BBrianApril 26, 2011 7:58 AM

In all these cases, external logs of IP addresses were accurate in pinpointing the Internet connection the traffic came from. The only thing they didn't show was which device on that Internet connection was used, which further investigation showed belonged to a neighbor or someone other than the suspect. I'm not exactly sure how the police could have determined that information without examining the suspect's computer equipment and router. It seems like the main problem here was the over-the-top manner in which the police seized the equipment, and their attitude of declaring the suspect guilty right off the bat. But that's why we have a legal system and don't just let police make the determination.

To those suggesting this means there is liability for you if you let people use your WiFi network, that doesn't seem to be true in the legal sense. Once it was determined that the suspects involved weren't the bad guys, they weren't charged with anything further that I can see. Yes, there is "liability" in the sense that you have to deal with a pain in the butt police investigation. But on the other hand, you're taking action that can help someone commit a crime, and you're doing it in such a way that a lot of initial evidence points right to you. Chances are very good that people using your open wifi won't do anything wrong with it, but if they do, I really don't see how you can complain if the police come to investigate you.

Like I said, it seems like the major problem here is the ridiculous way the police "investigated" the suspect. Even if they were pedophiles, I'm not sure raiding them like they were violent drug lords is really necessary. Investigating them, sure, but a SWAT team seems like overkill.

Paeniteo - IANALApril 26, 2011 7:59 AM

@Steven Hobber: "I'd ask, for the German example but for all liability in general, how secure does it have to be?"

AFAIK no case of "too weak encryption" has been brought to a court (in Germany) - the actual case(s?) dealt with unprotected networks.
IIRC the court ruled that having to "password protect" your Wifi can be considered general knowledge in these days and that it would be reasonable for anybody to ask for external help if unable to set this up themselves.

Opinions voiced by some lawyers interpreting the case went into the direction that you'd have to protect your network to the best of your knowledge/ability, e.g., Bruce would have to use WPA2 with a secure passphrase whereas someone else might get out of liability with WEP or a weak password. It is also unclear what one would have to do if the used hardware is insecure (i.e., supports only WEP which may have been state-of-the-art when the device was bought).

JonadabApril 26, 2011 8:14 AM

Even if the police were a lot more polite about such investigations...

[Knock on door]
"Hi, I'm officer Smith, and this is officer Black. Do you mind if we ask you a few questions? We have reason to believe someone has been using your computer or your network connection in conjunction with some criminal activity that we're investigating..."

Even if it went down like that, it's still going to be a major hassle for the person operating the access point. What are you going to do, tell the police to go away? They'll just come back with a warrant. Any clear-headed judge will issue a warrant for search, because even if the perpetrators were neighbors or guys sitting in a van across the street, the investigation still obviously has to start where the network connection is and go from there.

There are valid reasons to run an open public access point. The public library where I work operates one, for example. I can see, potentially, a business case for running one at a business (depending on the business).

But I can't see running one out of my *home*. It's (potentially) too invasive, a problem I don't want in my home. The home is the one place where I have real privacy. Running public services out of it would take away from that, significantly.

I wouldn't invite random passersby on the street to come into my home and do whatever they like, unobserved. Why would I invite them to come onto my home internet connection and do whatever they like, unobserved?

I've said it before and I haven't changed my mind: running an open public wireless access point out of the home is a bad idea.

Gianluca GhettiniApril 26, 2011 8:16 AM

@Paeniteo: "It is also unclear what one would have to do if the used hardware is insecure"

or he/she has written down his/her truly random 256 bit password on a post-it notes and stuck it on the window.

ChrisApril 26, 2011 8:18 AM

@John: I think it is a poor state of affairs that if I leave my door wide open I somehow delegate my rights away to a total stranger.

If you're trespassing, you're trespassing whether my door is wide open or I have an M1 abrams parked in front of it. It is not my inaction that should be the crime here. My open wifi doesn't MAKE you download child-porn or movie torrents.

bobApril 26, 2011 8:23 AM

"Do you lend your car to complete strangers?"

What a moronic statement. Possibly, if we have to have a car metaphor, "Do you leave your car unlocked?" makes sense. At which point, "No, because you will be helt responsible for what they do with it." become obviously incorrect.

My wifi network will be open until it becomes illegal to have it so.

Another KevinApril 26, 2011 8:31 AM

@Steven Hobber: "but for all liability in general, how secure does it have to be?"

If the bad guys could break in, then it wasn't secure enough, and it's the network owner's fault for failing to use any measure that the Government could think up in hindsight.

If the network wasn't extensively secured, then obviously the network owner was asking for it and is guilty of at least being an accessory to the crime. Besides, anyone who doesn't secure a network must only be after "plausible deniability."

And if the network was extensively secured, then obviously that's conclusive evidence that any argument that it was hacked doesn't hold water; the owner must be guilty. Also, that extent of network security requires encryption, and we all know that only criminals need encryption because honest people have nothing to hide.

And the grey area in between? Both arguments hold - the owner was simply looking for plausible deniability incompetently.

Because, you know, it's easier to go after router owners. Routers stay put; they're not like portable and mobile devices. What matters is getting the conviction.

And after all, if that perv didn't have a wireless network, he wouldn't be in trouble in the first place! We all know that the Internet is a huge cesspool of crime and perversion. Ann Landers told us so.

EarwigApril 26, 2011 8:33 AM

To sum up:

1) It's the SWAT, not the WIFI.

2) It's the inconvenience*, not the liability.

*Which may extend to death, given [1].

RSaundersApril 26, 2011 8:44 AM

"Do you lend your car to complete strangers?"

No, of course not. When they have my car, I don't have it. WiFi isn't like that at all. My kids are in High School, and all their friends have smart phones or tablets with WiFi. When they come over they're always checking out things on the Internet. They might call it studying, but as someone who's reviewed the logs (yes, I'd one of those Dads) I can tell you it's much broader subject matter.

I pay for plenty of bandwidth, and all who visit my house are welcome to it. Contrary to what the ISP might think, my unused bandwidth is not their exclusive property. Unused bandwidth isn't like an undriven car, it's simply wasted. I'm neighborly. I leave a hose on the front outside faucet and I don't mind if a passing Amish carriage water's his horse, even though water costs money also.

The police can get a warrant and arrest you pretty easily. Convicting you on this sort of evidence is much harder. Convictions are what matters to the district attorney, and losing is bad for the reputation. As the early adopters who started down this direction at the behest of the RIAA, computer crimes are very hard to prove and reasonable doubt is everywhere. The bust might make good news on the Internet, but when you lose later and the citizen counter-sues for official misconduct it really sours the professional prosecutor.

rdApril 26, 2011 8:48 AM

"In all three cases, the accused ended up getting off the hook..."

It seems to me that this is a strong argument for NOT securing your network. With a 'secure' network, your deniability goes way down, even if you are innocent.

BF SkinnerApril 26, 2011 8:48 AM

@Hugo "same goes for sharing your wifi network."

yet free access is also provided as an amenity by Subway, Airports (in DC), malls, libraries (Yay!), hotels, conferences. . .are they or even the pay access ISPs on airline flights accountable? I'd say not.

BGApril 26, 2011 8:55 AM

Just a side note - there are other reasons to have your connection locked down. For example, here in Australia every home broadband connection comes with a limited download capacity each month, perhaps 30GB, sometimes more. If you left your network open, anyone could come in and use your monthy quota, potentially leaving you with a speed-throttled connection for the rest of the month. Or even worse, excess fees for every MB downloaded over the monthly quota.

sbiApril 26, 2011 8:59 AM

When telephone connectivity was still scarce in East Berlin (it took a while after the reunification until new cables were dug in everywhere), a friend let his neighbors use his telephone. They put a wire to his neighbor's apartment, so they could use his phone line as well as he could. One day when he came home his neighbor's door and his own door were broken in, and two SWAT team members with MPs were sitting on his couch, waiting for him to explain the situation.

It turned out the (Yugoslavian) neighbors were part of a ring that smuggled illegal immigrants across the border, which led to "their" telephone getting tapped, with the evidence pointing to the telephone's owner. After breaking in, the SWAT team had one look at the rather austere philosophy student's apartment, realized they were wrong, had a close look at the phone, and found the wire. Sp they stormed the neighbor's apartment, too, thereby finding what/who they were looking for. (Presumably the neighbors had realized the commotion, but were unable to get out of their apartment inconspicuously while the police was piling up on the stairs trying to drip into the friend's apartment.)

The friend had some trouble due to this (a broken door that needed repair, some paper work with the police, and presumably a sobering message from his phone provider for patching in the additional wire), but his biggest problem was the fear that this could ever happen again, this time with a SWAT team storming the apartment _while he was actually at home_, quietly sitting on his couch reading a philosophy book, or preparing himself one of his meager meals.

However, there's one question that I am asking myself in retrospect of that story ever since I have a DECT phone with a 4 digit password: What if one of my neighbors would ever break into this? Trying twenty combinations a day it would take less than 2 months for them to break in, and that presumes they start trying with "0000" and I have "9999". And once in, what if they do something nasty using my phone connection?
I'd probably _much_ better off with the obvious wire that friend had.

PaeniteoApril 26, 2011 9:03 AM

@rd: ""In all three cases, the accused ended up getting off the hook..."

It seems to me that this is a strong argument for NOT securing your network. With a 'secure' network, your deniability goes way down"

Mind you that all three persons most likely would not have been prosecuted at all, if they had secured their networks.
Also, they apparently only got "off the hook" because the real criminals were stupid enough to use a neighbour's wifi instead of one at the other end of the city.

JamesApril 26, 2011 9:11 AM

That disgusts me. Ugh.

Still, when my family and I do any traveling we typically rent a vacation home for the stay...and roughly 4 out of 5 homes we've been to do not have a secure wifi network.

I do them the favor of securing it and leaving the password with them when I leave. :)

HugoApril 26, 2011 9:16 AM

@BF Skinner: it depends on what country you are talking about. And when using a wifi in a hotel, etc, you are limited in what you can do via the wifi, mostly webbrowsing only via a proxy that filters porn. And you probably have (indirectly) agreed to a user agreement on what you won't do while using that free wifi network.

So, a free hotel wifi is very different from a private open wifi.

David ThornleyApril 26, 2011 9:16 AM

One security concern here is the SWAT raids. Any time armed men are trying to break into a home, there's the chance that the inhabitants thereof will try to defend themselves with firearms. This isn't a particularly pro-gun area, but I know several people who are strong believers in personal armament and armed home defense.

Once the shots start flying, people are likely to be killed. Once police officers start to get killed, they'll push for more force and the whole situation will escalate yet more, and more innocent civilians will get killed as the police get more trigger-happy.

The police are unlikely to accept responsibility themselves. There was a case around here years ago when a suspected drug dealer woke up from a nap, and found himself surrounded by men in plainclothes that he hadn't let in. He shot one of them, and put a police officer into a permanent vegetative state. Most of what I saw blamed the suspect for the injury, not the police officers or their procedure.

There should be no SWAT-type raids without specific written reasons why they are necessary.

GreenSquirrelApril 26, 2011 9:33 AM

I am ambivalent on the issue of open wifi networks. If you want to do it, good on you, but its not something I would do.

I dont perceive my WiFi network as being "inside" my home and I wouldnt view someone else using it as being the same as them walking into my house and helping themselves to the fridge.

On a similar note, I can see various reasons for and against holding the owner of a network responsible for what happens on it. However, my personal leanings are that they shouldn't be.

While a "secure" network might be harder for a criminal to use for illegal activity, it is a minor step increase. Should people be punished for not filtering out the less skilled hackers?

Using WPA2 etc might stop next door's teenager from downloading warez (might...) but its not going to prevent a determined assault. Should that lack of security be treated as a crime?

With the earlier example - if I fail to lock my car and it is taken for use in a crime, is that *my* fault? Should I be criminalised for that lack of action?

If so, and going back to network activity, then surely everyone owning a router or switch which allows criminal traffic to pass should be held responsible.

On the original topic, it strikes me that this whole thing is an example of how Law Enforcement in the developed world hasn't yet caught up with what information is being given to it and this is especially true with hot button items like child abuse and terrorism. Sensible police would be aware of this and pause to think every now and then. Sadly the more often reaction is to kick doors down.

No OneApril 26, 2011 9:38 AM

Just wait: "Obviously the defendant is the one who downloaded this horrible material. His WiFi network was password protected by the best algorithms available. Even the Sheriff's department admits that it is unable to obtain access through his layers of security. There is no doubt that only he had access through this channel."

Damned if you do, damned if you don't.

tedApril 26, 2011 9:42 AM

SWAT in the DC area has a history of shoot first and ask questions later. On top of that their is no accountability.

GreenSquirrelApril 26, 2011 9:46 AM

I have tried, and failed, to find reports of a case about 12 months ago where a UK pub was fined about £8000 for not properly securing its WiFi and allowing someone sitting outside to use it for illegal activity. If I find the link I will post it - likewise, if anyone else can find it, I would be very grateful.

Some others have mentioned the free wifi provided by hotels, McDonalds, Starbucks etc., and implied these are different - but are they?

Most have a trivial username / password combination or require you enter some unauthenticable data such as a Name / Email combination which is more for marketing than security. None of this makes them more secure than a fully open WiFi network and simply saying "You must not use this for criminal activity" to people who log on is not a defence. As someone who regularly travels, I have yet to come across a city in the UK where I have not been able to get free wifi without once providing legitimate access credentials.

How is it any different from someone leaving their own WiFi network open to guests?

(Obviously there are difference for the person and their privacy, but that is not the point of this particular thread).

kiwanoApril 26, 2011 10:00 AM

I find it somewhat telling that @sbi's example of a similar thing happening to a friend of his, was a story based in East Germany.

Harmy GApril 26, 2011 10:16 AM

In a couple years the story will be: "Security Risks of Living Near an Open WiFi Network"

Alan BostickApril 26, 2011 10:19 AM

Everyone is picking up the intended takeaway of "secure your wifi." A few people are remarking, "wait a minute, SWAT teams?"

No one has yet asked the to-me obvious question, "Hey, how did the cops get these people;s IP addresses in the first place?"

The most obvious way for them to have gotten it is for them (or the FBI or someone similar who tipped them off) to have checked their own referral logs on the child pornography server they keep as bait.

The market for child pornography is an artificial one; it wouldn't exist if the government weren't maintaining it for the purpose of ensnaring pedophiles.

Rick AuricchioApril 26, 2011 10:21 AM

@Hugo: "And when using a wifi in a hotel, etc, you are limited in what you can do via the wifi, mostly webbrowsing only via a proxy that filters porn."

Now we get into another foggy legal area. What is the culpability of the hotel in this case? If they fail to filter properly and completely, are they therefore allowing someone to make "criminal downloads?"

The threat of a TV-style SWAT raid has caused me to secure my wi-fi network.

EricApril 26, 2011 10:25 AM

I just got a new TOS notice from Verizon FIOS and they actually put in a provision that allows them to remote into the router and change the wifi password remotely in cases whtere they detect illegal file sharing or criminal activity.

Seems silly to me, since all that does is freak me out and make me use their router as a dumb wired box and plug a separate wireless router into it that I can control without big brother.

Still, I run a dual network - open wifi for guests and protected wifi with access to my computers at home. This makes me think I should at least be keeping traffic logs so that in the last resort I have some proof of what is or is not my activity.

Spaceman SpiffApril 26, 2011 10:29 AM

Given how easy it is to hack into WEP or WPA secured WiFi networks, I'd say that using the access point's IP address to "identify a user" in any situation is ludicrous. It's time we put a muzzle on these technoillitorati police forces. They aren't willing to go the extra yard and definitively identify real pedophiles through proper police work, but are instead looking for a quickie technical fix that ropes in the innocent.

mcbApril 26, 2011 10:46 AM

@ GreenSquirrel

"Some others have mentioned the free wifi provided by hotels, McDonalds, Starbucks etc., and implied these are different - but are they?

How is it any different from someone leaving their own WiFi network open to guests?"

One difference is that these commercial hosts use secured networks for business purposes, and thus enjoys an element of deniabilty by virtue of compartmentalization. Those of running open WiFi at home have no such advantage. Perhaps the gracious host could provide separate WiFi for the use use house guests, the kid next door, and any other total strangers within range.

hjpApril 26, 2011 10:59 AM

@Chris:

By "the supreme court ruling" do you mean http://openjur.de/u/32452-i_zr_121-08.html ?

Please read it again. The ruling states that a private person has to take adequate steps to guard their network against unauthorized use. It also states that encryption with the factory-set default key was not adequate.

OTOH, I am not aware of any ruling (in Germany or Austria) which declares open WLANs in pubs and cafes illegal.

Michael LockyearApril 26, 2011 11:17 AM

They got off. They would not have been able to blame the neighbors if their wifi was "secure" and hacked (there are tools freely available for hacking WEP and even WAP "protected" networks.)


MaddoggApril 26, 2011 11:23 AM

Pedophiles DO have one redeeming quality though:

They NEVER speed through school zones.

Disclaimer: I sometimes accidentally do. :-)

BF SkinnerApril 26, 2011 11:44 AM

@Jonadab "Hi, I'm officer Smith, and this is officer Black. Do you mind if we ask you a few questions?"

Repeat after me "Hello Officer. Let's talk out here on the porch. No I do not consent to a search. Am I being detained, May I go?"

@Hugo "a free hotel wifi is very different from a private open wifi."

Vary by country no doubt but ISPs are common carriers. Here in the US the telephone is used to commit the most gruesome crimes but the phone company isn't held liable.

We can more easily make an argument that the unsecure deployment is the responsiblity of WAP maker. Does your 86 year old grandmother packet geek for recreation? No but she likely has a WAP that maybe someone installed for her and then left.

DavidApril 26, 2011 11:46 AM

One of these raids was performed by ICE, Immigrations and Customs Enforcement. What the hell? Not enough smuggling going on?

SamApril 26, 2011 12:09 PM

Another issue that I'm surprised no-one is bringing up is the security implications of opening up your wifi. Unless you actually have a 2nd router or network partition, I consider it a major security risk to allow unauthorized strangers on my local network...

PonterApril 26, 2011 12:11 PM

When it comes to serious crimes (including but not limited to Terrorism, Child Pornography, Drugs, and Unpatriotic liberal criticism of the TSA), I think we'd all agree that it's always best to err on the side of caution. If a SWAT team bursting into the lair of a suspected terrorist, child pornographer, drug dealer, or treasonous TSA critic will neutralize the suspects before they can wreak their Evil, then that's what they should do!

I'd say effective protection is worth the small price of losing the occasional innocent individual in friendly fire. (And if their activities are sufficiently suspicious to attract the attention of the SWAT team, they can't be completely innocent anyway.) Their death or properly loss will not have been in vain, as it may deter others from considering similar offenses if they know the SWAT teams are ready to mete out shock and awe at the first hint of criminal conspiracy.

Liberals may whine and moan about the loss of "rights" and "privacy." But they forget that we're not merely at War, but at many Wars. Those "rights" and "privacy" may be appropriate in normal peaceful times, but in these perilous times numerous Evils beset our Homeland. "Rights" are merely useless impediments to keeping the Homeland secure. And "privacy" is something that only terrorists, child pornographers, drug dealers, and unpatriotic liberals hide behind! "Civil liberties" make us dangerously vulnerable to all the Evil conspirators who abuse them in furtherance of their plots to kill Americans. The old saying that "if you have nothing to hide, you have nothing to fear" has never been more true, or more appropriate.

We should never tolerate the selfish whining from ignorant liberals, which only gives aid and comfort to our enemies. Instead we should show our gratitude and appreciation to the Heroes, including the SWAT teams and the Transportation Security Officers, who fight daily at the front lines of the Wars to protect our Homeland and to keep our children safe.

Dr. I. Needtob AtheApril 26, 2011 12:21 PM

And what happens to you if your WiFi connection DOES have its security turned on but a neighbor (or some unknown person parked in a car nearby) has hacked it anyway and used it for illegal activity? Can you say with confidence that this is impossible? I don't think so.

What if your security is turned on but your key is weak or compromised?

What if your wireless router has a security weakness or back door?

What if the illegal activity happened before you turned on security, then you decided to turn it on, then you were raided. The confiscated equipment shows that you had security on and could invalidate your defense. On the other hand, CLAIMING that this was the case even though it wasn't might be a way to get a guilty person off the hook. The fact that security can be switched on and off at will complicates things.

Suppose also that your hard drives are encrypted (because you're a big Crypto-Gram fan and you think cryptography is cool, if for no other reason) and you're not willing to surrender your privacy and reveal the passphrase to the authorities who confiscated your computer? Would this work against you?

If your network is supposedly secure, could a good lawyer successfully argue that there's no way to prove it really IS secure and a neighbor could actually have used it for illegal activity? That sounds pretty thin in a society full of zeal to "save the children."

Are you better off with (1) an unsecured network that provides you with plausible deniability that activity from your IP address actually came from you, or (2) a supposedly secure network that might or might not keep a hacker out but also removes that deniability? Who can say?

It seems to me that whether you're innocent or not, there's no insurance. If they decide you're a creep then they'll get you, one way or another.

Dirk PraetApril 26, 2011 12:55 PM

As long as there is no specific law against open or badly secured WiFi networks, there is exactly nothing wrong with it. The same goes for stupidity. Anybody can be as big a moron as he/she wants to be, but this becomes a different issue when it leads to government sponsored home invasion, intimidation, physical violence, abuse of power, confiscation of goods and damages to property.

This is not about WiFi networks, but about the blatant stupidity displayed not only by the SWAT teams but also by their chain of command in assuming that an ip address equals a person instead of a device. It stands to reason that if they fail to understand this, their own home networks are probably just as insecure as those of the folks whose homes they invaded.

Something is very rotten in the state of Denmark when ordinary citizens need to start protecting themselves from corporate spying as well as LEA stupidity.

RSaundersApril 26, 2011 12:56 PM

@Sam,

Yes, having a public wifi facing the ISP and a wired, access controlled local network is more secure. It causes great confusion when some kid wants to print on the network printer and settings that work from my son's laptop don't work for him. But seriously, visitors who know enough about networking to ask that question are extremely rare in my experience. Perhaps the cocktail parties at Bruce's are better attended, he is a foodie, but I'd generally doubt that trolling houses in a van looking for open wifi is the best way to be a pedophile. Starbucks looks like a more reliable solution, provided you never visit the same one twice, and they are a lot easier to find.

AlexApril 26, 2011 1:13 PM

FWIW, I've run a public Wifi network at a public convention center/arena for the past 10 years. The only child-porn I've seen cross the wires was teenage swimsuit photos. The night janitor was to blame for that one and voluntarily resigned upon seeing the 500+ page printout of his nightly escapades.

Plenty of "normal" porn on there, but otherwise fine.

So, one incident out of 1,000,000+ connections we've had on the network. And what the perv was looking at wasn't illegal. Morally questionable, but well within the bounds of legal.

As far as filtering goes, our legal counsel advised us to NOT filter the content. We were told that once we started filtering content, we were responsible for said content. Thus, we've intentionally installed equipment that is incapable of monitoring/filtering by content.

HugoApril 26, 2011 1:25 PM

@BF Skinner: in the Netherlands, hotels can be held responsible for crimes commited via their wifi if they haven't take proper security measures. I know, this sounds vague, but that's how it is.

Anonymous 1April 26, 2011 1:44 PM

Hiding the SSID isn't worth doing given the existence of kismet (and the very much inferior NetStumber), not to mention that it can cause problems of its own.

Though WPA2 AES with a strong passphrase is good enough and pretty much everything half-recent supports it (the only known security vulnerability (Hole196) requires that you already know the passphrase to work and isn't going to be a problem for home users).

RobApril 26, 2011 1:52 PM

Someone with an open wifi network that reaches my property is trespassing on my property. I will sue them for exciting my electrons.

JagApril 26, 2011 2:29 PM

Often law enforcement agencies will use SWAT teams in situations that otherwise don't seem to require them for one reason: practice. They want to give their teams field experience is situations that are probably lower risk so they are prepared for the higher risk scenarios.

This can unnecessarily escalate tensions and cause unintended injuries or deaths. Kind of like if police officers pointed a loaded gun at you during every interaction, no matter how peaceful. Your fight or flight response isn't always helpful.

ps - You sometimes see the same thing with the military.

RookieApril 26, 2011 2:49 PM

@ Alan Bostick - "The market for child pornography is an artificial one..."
I assure you that you are 100% wrong with that part of your statement.

@Ponter - Politicizing the security discussion, even satirically, isn't very helpful. Are SWAT teams an over-the-top response to downloading illegal material? Probably, but discuss the facts on their merits. Conservatives, Liberals, men, women, priests, and athiests alike are impacted and concerned about these issues.

martinrApril 26, 2011 3:29 PM

In which way differs an open WLAN considered different from open streets/roads, open parks, open forests, open beaches, etc. ?

This seems riduculous. There is no law that each property must be walled off to the public with a strong and high fence or wall, doors with secure locks and ID-checks at all entrances.

And concerning the situation in Germany: there is no legal requirement to lock down your WLAN.

What has been decided by the highest german criminal court, though, is that based on the german copyright law, you may be held liable for aiding others to perform infringements. But that liability is limited to 100 EUR per case.

The distinction of holding private and commercial "end entities" liable for aiding others with copyright infringement, but excluding this very same liability for network providers, might prove unconsitutional, if anyone cares to challenge that.

anonApril 26, 2011 3:29 PM

The reason I have open wi-fi has nothing to do with being "nice" to my neighbors. It's that I have several home devices that use wifi (multiple game consoles, multiple dvrs, multiple computers, etc)...all of different ages running on a b/g/n network and in many cases connecting together. Frankly, my environment is too delicate to support even basic WEP encryption, which is a near-useless precaution anyway. So it's not about "being nice" or even about "convenience", it's about getting base-level functionality out of my environment. If the US is going to force WiFi encryption on me, then please have them enforce full interoperability over encrypted wi-fi upon all the many tech/entertainment vendors that I have.

Troy RiggsApril 26, 2011 3:41 PM

Since the networks were open anyway, why didn't the police sit outside with a sniffer until they figured out exactly which MAC address was generating the offending traffic?

Was busting down the door and storming in with a SWAT team really easier, cheaper, and more effective than one or two people sitting in a car with a laptop and some sniffer software?

Why do we think police should have the right to over react?

JagApril 26, 2011 4:01 PM

@Troy Riggs What would having the MAC address tell the police? They didn't know which MAC addresses were associated with the residents of that house and which weren't.

Plus most police forces don't have personnel with the technical savvy to conduct that type of surveillance.

AntonApril 26, 2011 4:03 PM

@kevinm: 'I have seen a few SSID that read like "hello - call 555-1234 for password"'

Yes that is what I do, but to date no one has called. My neighbours SSID is 'I've seen you naked'!

Great side channel.

Math ManApril 26, 2011 4:16 PM

From a numbers perspective, if we have a couple dozen false prosecutions in the US and millions of open Wifi networks, the risk of being falsely accused is incredibly small. Most people are decent human beings, so I would use Bruce's own risk analysis methodology to conclude that defending against an extremely rare event with a huge cost is mostly a matter of personal preference. Personally, I choose to trust other humans and accept the risk that a boogie man may some day come and create grief for me.

Clive RobinsonApril 26, 2011 4:30 PM

@ BF skinner,

"... are they or even the pay access ISPs on airline flights accountable?"

As you have noted ISP's 'might currrently' have common carrier status (but probably not the way various Governments are legislating).

Part of being 'common carrier' is offering a service to all without prejudice, the catch is the definition of 'service', which like 'reasonable' is one the courts just love to play with.

However 'service' comes with either an express or implied contract. That is the businesses are either charging directly for the service or as part of another service. Thus think of a chair in your favourite coffee house, the seats are available to "all customers" that is those who have (recently) purchased an item etc.

As a home owner you would have to show to a court how you were 'offering a service' and to do that you would have to show how you would enforce it...

There are a couple of reasons for this to do with 'trespass' and 'attractive nuisance'.

For instance if you had a swiming pool in your front garden would you allow the neighbours children to swim in it without you or another responsable adult being there, and how would you go about enforcing it?

They are the sort of questions you have to answer when another person might or has come to harm.

Now ask yourself if the porn downloader was actually at that impressionable child - adolescent age and 'suffered harm'. You could find yourself on the end of a large civil action especialy if the downloader became a sex offender etc etc.

That is it's not just having LEO's investigating you rather forcefully it's also ambulance chacing lawyers and other legal types doing all they can for their clients both for criminal and civil law.

Now you may not be a good target for the attention of such legal vultures, but Bruce almost certainly is.

To be safe from these types you have to be a no name, no property Mr/Ms invisable. The more name or assets you have the bigger a target you become, and Bruce is at the point where even starting such an action against him with little chance of success is still worth while simply because of the press it would get the legal vulture and the raising of their profile. It's free advertising they could not get any other way...

anonApril 26, 2011 4:43 PM

An easy way of beeing neighborly while avoiding trouble with the police is having separate networks and directly piping the open WLan into TOR or some other anonomizer. If you want to keep plausible deniability, you can place the config files for TOR on a crypto partition and hope that the occasional SWAT team is stupid enough to power-off your equipment / not competent enough to perform cold-boot attacks.

Furthermore, the internet access at most Hotels, etc is not restricted. They allow you to VPN out, which you should do anyway, since anybody who cares is MiTM against you on open networks (and commercial PKI is a joke, see MD5 Collisions Inc. or Comodo).

Dr. TApril 26, 2011 4:56 PM

@BBrian: "Chances are very good that people using your open wifi won't do anything wrong with it, but if they do, I really don't see how you can complain if the police come to investigate you."

In the most recent case to make the news, the police did not come to investigate. Instead, a SWAT team arrested the homeowner, seized his computer equipment, and called him names. There's a world of difference between those two actions.

Nick PApril 26, 2011 5:00 PM

@ Ponter

If the colonists held your views, we'd still be speaking with British accents, have no voting rights, and pay taxes that only benefit them. You should really read some of the writing of the Founding Fathers concerning trading liberty for security. You might also want to question the built-in assumption of the protection argument: that the government won't abuse their expanding powers for their own benefit or by causing needless detriment. There's at least one news story a month that proves otherwise.

Besides, protecting American's freedoms from government invasion & control is a libertarian and American ideal, not a liberal one.

asdApril 26, 2011 5:01 PM

@anon ,this country's ISP have the keys to the ssl kingdom, and with interconnected goverments i'm not shore whether tunneling to another point would help, if they decided to look

Dr. TApril 26, 2011 5:06 PM

@Ponter: "... If a SWAT team bursting into the lair of a suspected terrorist, child pornographer, drug dealer, or treasonous TSA critic will neutralize the suspects before they can wreak their Evil, then that's what they should do!..."

It's hard to tell whether this posting is satire or a heartfelt screed. I cannot decide whether to laugh or scream. Perhaps I should do both.

Clive RobinsonApril 26, 2011 5:12 PM

@ Dirk Praet,

"As long as there is no specific law against open or badly secured WiFi networks, there is exactly nothing wrong with it. The same goes for stupidity nothing wrong with it. The same goes for stupidity Anybody can be as big a moron as he/she wants to be"

No you are always liable for your actions and the consiquence of such actions unless you can show "mental incompetence", being stupid or a moron within the social usage of those terms is not sufficient to avoid culpability.

This includes negligent behaviour where the 'reasonable' view point is you should have been aware that your negligence could give rise to harm.

The usual example given of this is a garden with a pond in it where a child falls in and suffers some harm (ie drowns etc). In most jurisdictions it is assumed a "reasonable" person would know that a pond is dangerous and it should have restricted access such as a fence around it. Further it is also assumed a "reasonable" person would know that a pond is going to prove an atraction to children of all ages, thus the hight of the fence has to be appropriate to adults (ie 3 to 4 feet or 0.9 to 1.2meters) and any access point should be suitably secured.

In fact if you think about it every time you see someone being either "stupid" or a "moron" they are not behaving "reasonably" by social norms and thus usually there is part of either the criminal or civil code that addresses the behaviour.

LukeApril 26, 2011 5:31 PM

The FBI made an enormous error here. First, such ISPs as Verizon have the capability to log MACs, and remotely access their leased routers. The MACs could easily be compared to traffic logs and at least provide a clue during an investigation. A simple triangulation could also have been performed first. The FBI should be wise enough to consider before invading a home that
1. it is an open (wireless) network.
2. perhaps they should think about the situation before acting.
3. they might take a 101 forensics course and stop being so primitive and heavy handed.
4. They scarcely need more than wink at the ISP to receive all the data they could ever want.

There are ways of intelligently going about this stuff. I feel these actions are to scare people by example of shock and awe, as well as budget managing tactics to solicit or sustain funding. Child abuse is sick, but to address it carelessly seems to offer no advantage. The FBI has lots of resources, and no shortage of intelligence (seriously!). This is either a calculated error, or madcow.

Clive RobinsonApril 26, 2011 5:47 PM

@ anon,

"If the US is going to force WiFi encryption on me then please have them enforce full interoperability over encrypted wi-fi upon all the many tech/ entertainment vendors that I have."

Sadly the law can enforce you to "upgrade" without compensating you in any way which takes us back to the Baronial feudalism prior to Magna Carta.

An interesting aspect of this is "art -v- pornography". In the UK it is illegal to poses any images of people under the age of 18 that are considered to be sexual in nature or pornographic (non of which is realisticaly defined in the law other than sans clothing).

When the act came into force most libraries had books on art that where now not just pornography but child pornography (yup those little cherubs in much of Christian art become child pornography when reproduced as photographs). It is still an unresolved issue in many respects and shows how overly broad legislation has unforseen consiquences, and that gaining redress is only possible through the courts, where to get redress you have to admit to being guilty...

MikeAApril 26, 2011 6:02 PM

Businesses (e.g coffee shops) are not immune.
http://www.pittsburghcitypaper.ws/gyrobase/...

Summary: Police sized a router and computer from a video rental store after a fake "statement" from a police association (indicating they were backing down from whole-heartedly supporting some officers who beat the crap out of an student) was "traced to their IP". As the same router serves open WiFi to the adjacent coffee shop, this was pretty clearly intended to "send a message" to uppity citizens, rather than being a real investigation: "We have all your home addresses and rental records, so be careful who you criticise"

ZApril 26, 2011 6:03 PM

I'll add the lawyer's perspective here. First, as other people have correctly noted, securing your WiFi is about avoiding the inconvenience, cost, and embarrassment of being accused of a crime.

Second, for to the "how secure" questions, in US law, you'd probably need to take reasonable steps to secure your WiFi. There are a couple of ways to prove you took reasonable steps. Did you follow the instruction manual's suggestions regarding security? Did you follow any one of hundreds of news articles about how to secure your WiFi? If you are particularly knowledgeable about network security, you may be held to a higher standard than others.

Third, given the limited information in the news articles on this topic, it appears that a search warrant was probably proper. The only reasonable way to connect the dots from the router to the computer is to physically seize the router and potential computers and perform forensic analysis.

Determining the network was unsecured does not change the analysis at all. The owner could be using the open network just as easily as someone else. Remote accessing MAC address logs doesn't help. The owner could have spoofed the MAC address. They need to seize computers and perform a forensic review of their contents.

Fourth, regarding the execution of the warrant, when enforcing a search warrant on an unknown individual, police need to secure the premises. This is for their own safety. Some police departments are more assertive than others, but there doesn't seem to be anything outrageous mentioned in the articles I've read. Many police departments would send beat cops over to perform the search, though others would default to SWAT for any serious crimes.

Richard Steven HackApril 26, 2011 6:10 PM

Let me explain to you how cops work.

It's "us vs them" at all times. "Them" is YOU.

There was a classic case in IIRC Philadelphia years ago. The cops were paying a snitch to finger drug dealers for them (always a bad idea). The snitch spotted a house with apparently no furniture in it, and he figured to finger that house to the cops as a drug dealing house and get paid for it. What he didn't know is that the owner of the house had a messy divorce and the wife left with all the furniture. He still lived there.

The cops come slamming in early in the AM and he comes out of a sound sleep hearing a bunch of curses and he hauls out his self defense pistol. The cops shoot him in the head - but didn't kill him.

The cops ransack the house for a half hour (without calling for medical help for the "suspect" BTW). They find nothing. Unbeknownst to the cops, the guy is conscious but unable to do anything or speak.

The guy hears the cops debating whether they should FINISH HIM OFF to cover up the bad bust! They argue over this for some time but eventually give up the idea because FIVE SEPARATE JURISDICTIONS are in on the bust and they don't think they could keep it quiet!

This is how cops behave in the "real world" - not the world of "CSI" and "NCIS" and "Adam 12" and "America's Most Wanted" and all the rest of the police propaganda machine.

Cops are scum. The only good cop is a dead cop. Offended? Tough. Bite me.

As for running an open WiFi service, simple: put it on a different machine unconnected to your home network. Use a separate router. Use a banner service on the router that explicitly states this is an open WiFi service free to use with no owner culpability or responsibility for anything that goes on with it and zero support for anything to do with it and if the owner DOES detect anything criminal going on with it, he will report it to the authorities immediately.

Hard to see how the owner can be culpable in that situation, depending on the law in your country or state.

Of course, it won't stop the cops from being stupid just like in this case. However, the risk really is fairly low, probably on a par with being struck by lightning (or killed by terrorists.)

As for the general issue of router security, the reality is there are millions of devices, all of varying quality, still in existence. Unless every single one of them is recalled and replaced with something which is locked down totally, and all new devices are so locked down, AND there are no NEW vulnerabilities in these devices old or new (good luck with that!), there is absolutely no way to have a "secure" WiFi network.

Once again, we're back to my standard saw: You can have worse security. You can have better security. But you cannot HAVE "security."

There is no security. Suck it up.

Bruce ClementApril 26, 2011 6:21 PM

@Troy Riggs

To the average cop, the only purpose of knowing a MAC address is when there isn't a doughnut shop close enough.

This, of course, doesn't preclude having a specialist computer crime team, but somehow I doubt that they would be ever be available to sit outside a house monitoring traffic.

Richard Steven HackApril 26, 2011 6:28 PM

Z: Your first three points are mostly correct, if not the whole story.

Your last point is crap in this case (and many others that could be cited). The cops in this case were way out of line - but not at all surprising, since they are frequently out of line.

I long for the day when the cops bust in on some hacker who really cares about his security - and he mows them down with an AK-47 or a P90 with armor-piercing bullets while wearing better body armor than they do. And then escapes.

Then from then on, they can use that case to justify just blowing up a house rather than raiding it - which brings back the Philadelphia MOVE case if you remember that one where the cops destroyed a whole city block trying to get one group of nuts.

Cops don't just care about their "safety". Cops are cowards. They surrounded the Patty Hearst kidnappers with SIX HUNDRED cops and riddled the building with holes, nearly burning it down, to get half a dozen idiots who could have been waited out with ease.

In New York, they shot up an apartment building trying to get a guy (who shot several of them AND escaped in the process) and when informed that bullets were penetrating the building and threatening the neighbors dismissed that until they were told it was THEIR bullets doing this. And then they marveled at the guy's accuracy, saying "It was like his bullets had eyes on them", which prompted Illinois State Patrolman and expert combat handgunner Evan Marshall to comment wryly, "You don't suppose he aimed, do you?"

Cops are morons. Dangerous morons. If they are not put under strict control protocols, they go off the rails very easily and become a threat to any civilian near them, as much so as any terrorist group.

This is nothing new. It's part of law enforcement history going back centuries. It's only in the last three or four decades that public outcry has forced the state and the legal system to require some rules governing their behavior - and every day some head cop somewhere decries those rules and demands they be lifted so "they can do their job".

With results like this case - in which, fortunately, no one got killed.

Which reminds me, if you read this case in detail, you find a LOT of unprofessional conduct, cussing out the suspect, roughing him up, etc. Regardless of the crime he's accused of, it's not the cops' job to pass sentence a priori. Regardless of what level of scum is being arrested, cops are supposed to be professional. Once again, in the real world, it doesn't happen.

Dirk PraetApril 26, 2011 6:31 PM

@ Clive

Agreed on the pond example. And it is true that there are many laws in effect against acts committed out of stupidity, like DUI or p*ssing against a police car with the officers still in it.

WiFi routers IMHO are an entirely different case. The default install done by the telco at my 75 year old mum was open to all. By the time I had changed it to no SSID broadcast, WPA2 and a mac adress list, several neighbours had already been accessing it. Although quite smart and far from being mentally incompetent, my mum has no clue whatsoever about the dangers of running an insecure WiFi setup. It is not even reasonable for any party to assume that she does unless either her ISP or the router manufacturer have explicitly pointed out to her that she can be held liable for any damages caused by running an open network. Which of course many don't as not to scare potential customers away and no regulation or law is forcing them to do so. Compare it to the small prints in the manual of certain microwave oven manufacturers that these devices should not be used for drying small pets. A result of a big bucks lawsuit won by some genius who had accidentally fried a cat.

It is however quite reasonable for even a layman to assume that it is probably wrong to intentionally connect to someone else's open network unless explicit permission has been granted. It is even more reasonable to assume that LEA's/LEO's tasked with computer crime have a minimum understanding of what they're working on before violently raiding someone's home, or even worse assuming that it really doesn't matter because liability doesn't apply to them. What happened to these people is nothing short of Kafkaian.

If we transpose this to a hospital context, this would be the equivalent of a head surgeon ordering his team to operate on the wrong patient because he's got two files mixed up or simply has gotten the diagnosis wrong due to insufficient knowledge of the matter at hand. This would inevitably result in a serious lawsuit, suspension and/or license revocation. Like you said, we are all liable for our acts, except for those societies where some pigs are more equal than others. Again, the issue here is not WiFi security, but incompetence, lack of due diligence and abuse of power by parties who think they can get away with anything because they are the government and are waving the "terrorism" or "sex crime" card. It is exactly this kind of stupidity that causes people to lose faith in the system or endulge in a rant like @Ponter did.

LukeApril 26, 2011 6:47 PM

While I am generally indifferent to the health of US law enforcement, it is not so much them as it is who they work for. Yeah, they are a bit like prostitutes, performing for their political pimps, but there is also a damned good handful of the guys who don't like corruption. If the citizenry entirely alienates them (becoming quite possible) then they will certainly become worse. Support the good ones, and pound the hell out of the bad ones and their administrative overlords. Some of the very documents illustrating the abuse of power by law enforcement have been leaked by self conscious officers or those in the field. Not all approve of current trends, or historical ones.

Saying such things will fail to effectively express your frustration and simply make you look crazed. I have not met any good "dead cops", but I have met one or two decent living ones. They need major and serious reform no doubt, but lets be balanced and not be fiends ourselves. But I cannot disagree that it is often them vs "you" (or, us).

A more appropriate tactic may have been to patiently collect data, and find the pervert's friends (contacts) if any, and get something more out of the situation than failure and one bad guy. What irritates me is that they are too quick to move, aka trigger happy. Despite legal double speak, this was an error.

ZoomzoomApril 26, 2011 6:49 PM

The original news article is being picked up and repeated worldwide, but has anyone checked the veracity of the reporting?

I live next to a motorcamp and provide "free" (to them) wifi for all the tourists, on the principle of pay it forward. The day we stop doing charitable acts because of the fear of the 1 bad apple is the day we join the jungle.

Dirk PraetApril 26, 2011 6:58 PM

@ Z

"Did you follow the instruction manual's suggestions regarding security?"

If I were to give you a glass of water for every judge you can positively prove to me that he has read and applied the manual's security instructions of the electronic devices he owns, chances are that you would be a very thirsty man. Ordinary people don't read manuals, and even if they do - and understand what it says - it's to make the bloody thing work, not to make it secure. The only people I know of that actually do ... are lawyers.

LukeApril 26, 2011 7:01 PM

I can verify that at least one of the *other* incidents mentioned in the article did happen, with every bit the same level of apparent stupidity. It should be no surprise. I also provide free wifi when I can, and certainly will not stop because of this. I would only suggest (if possible) configuring a "hot spot" style AP, with an agreement to "what ever". But this probably violates ISP TOS and makes little difference. I guess you could use a DNS filter (OPen DNS?) on the router? I am sure there are ways to tighten things up without kissing legal arse.

GarrettApril 26, 2011 7:44 PM

@Z, RSH,

Would not the provision of Internet access to the public, on purpose, be considered a public good, or at least a charitable purpose? If you went through the effort, you could probably even set up a 501(c)3 organization to do so and then claim a $5 tax deduction every year for doing so.

Wouldn't making it clear that you wanted to make this available to the public as a charitable service help provide some cover in that case?

Clive RobinsonApril 26, 2011 7:56 PM

With regards what the FBI and other LEO's can do with regards to home WiFi.

Some of you may remember back to 2005 when the FBI demonstrated the "3 Minute WiFi Crack", the original article was on the www.tomsnetwork.com site.

But the site is comming up "not available" so have a look at the ZDnet story from that time instead,

http://m.zdnet.com/blog/ou/...

But more importantly they appear to have improved their techniques to cover even WPA,

http://m.wired.com/threatlevel/2009/04/...

Which brings me onto a couple of points.

The first is the FBI demonstration shows that the more senior of the LEO's in the US are fully aware that WiFi is crackable at a certain level (WEP) and quite happy to demonstrate it publicaly. Which is important for any defence.

The second is a bit more subtle and it is the difference between "tresspass" and "breaking and entry".

If you have an open WiFi then you can view it as the equivalent of "you don't have a fence around your back yard/garden", thus anybody you find there is at best guilty of tresspass.

If however you do not have an open Wifi then you can view it as having a suitably high fence and a locked gate around your back yard whereby unauthorised entry can only be gained by either picking the lock or breaking the lock, thus anybody you find there is guilty of commiting the crime of "breaking and entry".

Which gives rise to the question of "How strong does the lock have to be?", the answer to which is, only strong enough that it has to be there as a token.

Thus following similar logic, you put in "token" security (WEP) thus anybody not authorised to use your WiFi has "broken in". That is they cannot argue that their use was neither accidental or not invited, because they had to use a "tool" to defeat the "lock" to "gain access".

If however the LEO's do kick down your door then you can show that you had taken efforts to prevent accidental or unknowing access by others, but importantly not a level of security that the LEO's could in any way claim was unbreakable in court because the FBI had publicaly demonstrated it could be broken, in about the same length of time as it takes to pick a five pin tumbler lock (which is the standard door lock in most WASP countries).

Whilst this might protect you from criminal liability (fines/prison) of others actions it unfortunatly leaves civil liability (damages) open, though I'm not altogether sure how anybody would realisticaly mount such an action.

It would also help your case if you did have older devices that could only use WEP etc, such as games consoles.

There is however another attack vector you should be aware of. A sufficiently knowledgable attacker would use the WiFi to get access to your PC and thus use it as a proxie to download questionable content, and in the process leave copies of the files on your HD. You would find this very very difficult to defend against...

Which is why I don't have WiFi of any form and why I don't connect any of my systems with hard drives etc to the Internet, and for general browsing a smart phone (for now).

tommyApril 26, 2011 7:59 PM

BACK OT:

Seems the best bet for the pedo is to break into an unoccupied home, use the puter to d/l the stuff, copy to a flash drive, and take a few other valuables -- jewelry, money, any portable electronics, etc.

Cops trace to victim's house. If *somehow*, they nail the burglar/pedo, there's some deniability: "You got me. I stole the stuff. Including this flash drive that was lying around --- haven't even looked at it yet." (More convincing if the pedo has no prior record, not a registered offender, etc.)

Much better to plead to burglary and theft than to kidporn. Former -- maybe five years, less time off for good behavior. If it's truly the first conviction, possibly even probation+community service. And you don't have to register as a sex offender, and be tracked for the rest of your life. Compare to conviction for kidporn....

(Uh, in case there's any doubt, this was intended to help cast doubt on police practices and on the resulting convictions, *not* to help pedo's. I'm *against* kidporn, for the record.)


@ Richard Steven Hack:

We understand the chip on the shoulder, given that you've told us you're a convicted felon, but if most of us are mugged, burglarized, assaulted, etc., we're going to call.....

Your statement is a classic example of the "Fallacy of Hasty Generalization":

"Cops are scum. The only good cop is a dead cop. Offended? Tough. Bite me."

Okay, for "Cops", substitute:

Blacks
Native Americans
Women
Men
Gays
Lesbians
Hispanics
Doctors
Lawyers (OK, it's true about lawyers, LOL)
Asians
Indians
Dead White Guys
Live White Guys
Politicians (same as lawyers)
Jews
Muslims
Christians
Atheists
Americans
Germans
Cryptographers

Get the hint yet? Sorry for your unfortunate past, but please don't spew prejudice (root = "pre" + "judge"). Logic is a crucial part of security, cryptography, and debate. Let's keep the debate logical.


Richard Steven HackApril 26, 2011 8:30 PM

Tommy (and others): Let me just say this. While I may be over-generalizing, let me mention two points.

First, back in the "Hill Street Blues" days, there was an episode where Renko (IIRC that was his name) was busted down to to traffic control because he was caught peeing in public after a night at the bar. Then a week or so later, he comes across a burning building, runs in and saves a kid, and gets promoted back up and treated as a hero.

The two behaviors are not mutually exclusive. I'm sure we can find as many cases of cops saving lives and helping little old ladies across the street as we find cases of police brutality.

The second point was made by Ayn Rand once in describing as an example of someone who is still morally irredeemable a Nazi concentration camp guard who brings flowers to his mother on mother's day.

People are indeed complex. Not everyone is all one thing or another.

But the SYSTEM is what it is. And a difference which makes no difference is no difference (in practical terms, at least.)

The total effect of "law enforcement" in history is quite negative. OTOH, if there had been none in history, there's no guarantee things wouldn't have been worse.

This is why I'm a radical Transhumanist instead of "just" an anarchist. I recognize that human nature is the problem even more than the systems that humans set up to cope with it.

As for my experiences, let me point out that as an anarchist, I have spent more time than most in the past reading about law enforcement defects - because anarchists understand such things. Whereas most middle class Americans don't encounter police corruption or brutality in their day to day lives, and rely entirely on the portrayal of cops on television and movies for their understanding of law enforcement.

Only after you've had to deal with cops directly in an antagonistic way do you get to appreciate who and what they are and what your real relationship to them is. In fact, it's little different than suddenly confronting criminal behavior by being mugged or whatever. It's an eye opener people should go through just for the educational value in how the real world works.

The same applies to correctional officers. The whole "Bradley Manning is being treated inhumanely" thing going around is amusing to me because MANY prisoners in the Federal prison system are routinely treated that way. I myself have undergone it. Most people just don't understand (and don't care to understand) that this is the way it's done - and that it's BETTER now than it used to be because the legal system has been pressured to put on some constraints (even if they're mostly observed by ignoring them.)

So I may be over-generalizing - but not by much.

Clive: Good points. As for using WiFi to compromise the PC and use it for porn download, as you know this has been done (and in the UK specifically, IIRC). That's why I would recommend using a separate machine solely for the free WiFi. However, that really doesn't protect the owner, either, since the cops can still claim that machine was being used for child porn and that the owner was merely hiding behind the free WiFi as an alibi.

In the end, it comes down to risk analysis. How likely is it that one's free WiFi is going to subject one to this situation?

It might be better, rather than doing free WiFi oneself, to do it in concert with others as some sort of organization, which provides one with more "legitimacy". There are a number of "free WiFi" organizations around that specialize in setting up such services in a city.

Of course, if someone else STILL downloads porn onto one's machine, being part of such an organization probably won't cut it with the cops, either.

If I remember correctly, it's considered illegal in some jurisdictions to even VIEW child porn even in the course of a journalistic or legal investigation if you are not a member of a law enforcement organization engaged in an actual investigation.

In fact, I remember reading about one Sheriff of some city who was arrested for viewing child porn collected as evidence which he had on his machine in his own office.

So in the end, one has to decide whether the risk is worth the charitable behavior. In general, ANYTHING you do these days inside or outside your home exposes you to criminal or civil legal risk. It's just the luck of the draw whether one gets bitten.

And that's one big negative result of the emphasis on state protection of society rather than personal responsibility. You give the state the right to secure everyone from everything - and you end up securing no one from anything, least of all from the state.

5th amendmentApril 26, 2011 8:33 PM

Never talk to police. I don't think most people realize just how many people hang themselves all because they stupidly talked to the police. As someone said earlier, if the cops come a' knocking, go outside to greet them and shut the door behind you. Ask them what you can do for them and be very terse with your responses (it's better not to say anything at all). If they ask you if they can come in to talk, don't fall for it. As soon as you let them inside your door, they have the legal right to prosecute you for anything they see in plain sight (forgot to put that bong away? Oh well, you're going to jail now, even if the cops weren't there for that reason). Make it clear they cannot enter your house without a warrant.

Every American citizen should watch the following video by a law professor who goes into detail about why one should *never* talk to police even when one is completely innocent of any crime. I was skeptical, but it makes perfect sense and is quite eye-opening.

https://www.youtube.com/watch?v=i8z7NC5sgik

pfoggApril 26, 2011 9:52 PM

The point of a sudden, heavily armed 'SWAT' entrance for a computer crime is to make sure no one has a chance to destroy evidence (which can be done very rapidly on computers, with as much assurance as the user's knowledge and experience allows).

Looking at this purely from the law enforcement side, the police screwed up badly if the stories are accurate. The raids intended to surprise the perpetrators served only as clear warnings to the actual criminals, who (fortunately) didn't take notice.

If they'd perform a relatively small amount of additional, technically informed surveillance, they could come charging through the right door first time, and take even reasonably intelligent criminals by surprise (assuming there are enough of those to warrant the additional expense).

Richard Steven HackApril 26, 2011 10:11 PM

Not to mention if they'd done proper surveillance, they could raid the house while the owner was NOT THERE and secure the computers without ANY risk to themselves, then collar the owner on his return safely. They could even have bugged the computer secretly and gathered even better evidence.

No, they wanted a high-profile arrest and to beat up a suspect they despised - forgetting that he's a SUSPECT, not a convicted pedophile (and even if he WAS one known in advance, it's still wrong). All utterly unprofessional, not to mention incompetent.

RobertTApril 26, 2011 11:14 PM

I don't know about this whole story, it seems to me that there are a dozen technical roadblocks that the downloader could have created that are more difficult to penetrate than just a simple (leaching of a neighbors Wifi) Additionally anyone really involved in this activity would add all these VPN / TOR / botnet steps as well as leaching (so I'm not sure who these SWAT teams end up catching, but it is certainly not an organizational kingpin), my guess would be the 14 year old kid next door.

This all makes me suspicious that the real reason for creating the po*n phobia is to prevent open Wifi's from reducing fixed line and mobile comms revenue.

In other words, they should call this the 3G license fee protection plan, or maybe the landline revenue protection act.

XApril 26, 2011 11:56 PM


I've said it before. I'll say it again.

Some years ago, I upgraded the firmware on my Linksys NAT (router) device. Unbeknownst to me, the new firmware had a bug. It would no longer renew the WAN-side DHCP lease. So my internet access would die after a few hours.

Then it would mysteriously come back up. Oftentimes with all sorts of spurious packets (traffic) that was not initiated from my computers...

Eventually this was all figured out, a new firmware fix was pushed out, yada yada yada.

But the two important points I took home were:

1) Anybody can use my "IP" address from anywhere on the network. Whatever they do gets traced back to me, and there's no way to know who or where they are.

2) Anybody can sniff my traffic at will.

The use of SWAT worries me. It's just too damn easy for somebody to get shot. And that sort of thing happens,all too frequently! Just google on "police accidentally shoot".

Nick PApril 27, 2011 1:25 AM

@ Richard Steven Hack & tommy

"So I may be over-generalizing - but not by much."

In a nutshell, yes. I was about to provide the logic Tommy was wanting by posting the video, Don't Talk To The Police, which "5th Amendment" posted. This excellent video shows how many different ways a person can go to jail, innocent or not. It also cites specific examples of people imprisoned for ridiculous technical reasons and even mentally impaired people lured in by cops for a false confession. The most important fact of all from the video was that anything you say to a cop is a valid confession if it proves guilt, but anything that proves innocence is hearsay.

Don't Talk To The Cops (defense attorney's view)
http://www.youtube.com/watch?v=i8z7NC5sgik

Don't Talk to the cops pt 2 (cop's view/experience)
http://www.youtube.com/watch?...
Cop's first statement: "...and everything he said is true..."

Tommy, how exactly can one villanize cops any more than this? Cops are in the system to find reasons to arrest a person, not protect the innocent. Innocent people are only protected if the law can do that by design and it fits the specific circumstances. I won't say this is rare, but I've rarely experienced a situation I couldn't handle better than the law.

Since Richard is posting examples, I'll post a recent example. I was pulled over in one of those states requiring liability insurance and proof of it to be physically in the car. I had a new provider and forgot to put my temporary card in the car. The cop pulled me over because a tail light was out (well, the top-half anyway). I got a ticket for that "crime" and was told to prove insurance in court. I did. I got my ticked "waived" as a "warning" in exchange for paying double the ticket fine as a "court cost." I asked if I had done everything. "You're all set," said the judge.

Well, I actually wasn't. I went to renew my license and found out it was suspended. They referenced that court case, along with the words "failed to show proof of insurance." That's ridiculous because I had to do that in court and I called to confirm again that I was good with the court. I found out that the state had a ridiculous law that says after you prove your innocence in court you must prove it again to the state department handling insurance within around seven days.

For this unknown requirement, they suspended my license *six months later*, didn't tell me I was driving on a suspended license, took a $140 fine, made me go through all drivers license registration processes again, and put a SR-22 on my driving record, which usually means DUI & caused my insurance to more than double. Anyone seeing "failure to prove" on my record would assume I was uninsured, making it doubly unfair. As usual, this run-in with the law provided no protection to society or me, but cost me plenty of money & aggravation. They also forced me to be a criminal just to keep my job long enough to pay them, wait for the paperwork, etc. Every cop I saw was a potential jail sentence. For what? Because it was *the law*? "I'm just doing my job"?

I don't mind them coming to help when I call and there is a *need*, but otherwise they can stay out of my life. They've only made it more difficult with all of their mandatory, self-serving involvements.

5th amendmentApril 27, 2011 2:17 AM

@ Nick P

As was discussed in the video I posted, there are so many ridiculous laws on the books that it is literally impossible for even the smartest person in the world to be aware of them all. The "ignorance is no excuse" argument that the authoritarians amongst us like to invoke might work in a sane society with a well defined set of core laws that are easy to understand, but not when you have thousands upon thousands of pages of federal law (not to even mention state and local laws). The lawyer's example of importing fish from Honduras is but one example among uncountable thousands. If the police want to pin something on you, they can easily find *something*. So we are all essentially law-breakers just waiting for the ax to fall on us when the police decide it's time. That isn't freedom.

The main problem is that legislators feel it is somehow their duty to further burden us with more and more superfluous laws that really do nothing for the good of society. After all, it is their job to sit around and legislate (I suppose they feel they aren't doing their job if they don't continuously write new legislation). They forget to think about the reason for new legislation and whether said legislation will actually *solve* a problem (PATRIOT ACT anyone?) No, they are more concerned about their lobbyists, donors and local constituents to care. As long as they make it seem as though they are "doing something" they figure it will help them get re-elected.

This is why when I hear of a government shutdown, I cheer. The legislative branch needs to be shut down far more often than it is.

Carl April 27, 2011 2:54 AM

Many people keep saying WPA2 is "easy" to crack. AFAIK only WPA2 with TKIP (Not CCMP (aka AES)) is "crackable" and even then only in 2 ways: Without QoS enabled packets of up to 596 bytes can be injected, and short packets with some known plaintext (say, ARP), and with QoS enabled all packets can be decrypted, though no further injection is enabled. All this is only access point to client, not client to access point. Keystream recovery has not yet been demonstrated. 802.11i seems to be "secure" in that the only published attacks are dictionary and brute force attacks.

http://download.aircrack-ng.org/wiki-files/doc/... seems to be the most advanced attack against WPA2-TKIP currently known.

If anyone knows a better attack, please speak up!

Lop1April 27, 2011 3:15 AM

The problem is not the open network, but the police going to the wrong guy. They should first check who they are going after !

SlartyApril 27, 2011 3:38 AM

I run open WiFi (and, yes, I have been known to lend my car to strangers).

I do so as a defence against the completely disproportionate response to intellectual "property" actions.

But I also run it via a signed proxy. This means I have an audit trail.

The problem is that many law enforcement 'professionals' learnt their technology skills by watching CSI...

asdApril 27, 2011 4:31 AM

@Carl , this is more theory, but I thought I would throw it out thought(some one might find it useful)
The problem with strong ciphers like aes and such is they are to random. If you have a basic algo(like + 78 to cipher text,rinse and repeat) that uses the cipher text as the seed and then loops and uses the stuff generated to brute-force the keys. You could probably drop 256bit down to 8-10byte(2 days). Each different key would generate new combos to brute-force.

Strange that the strength is the weakness :( :)

IntelVetApril 27, 2011 5:14 AM

OK.

I "hide" my SSID and restrict my router to only talk with specific MAC addresses.

Is that considered "secure"?

TordrApril 27, 2011 5:18 AM

We will only get a change in this situation if the politician starts to feel the heat themselves. Therefore I want to propose the following (illegal) idea (which should never be carried out in real life).

Find out where high level politicians live and do drive by Wifi hacking and downloading of child porn or other illegal material.

PaeniteoApril 27, 2011 5:54 AM

@IntelVet: "I "hide" my SSID and restrict my router to only talk with specific MAC addresses. Is that considered "secure"?"

I have no idea what a judge would say, but speaking in a technical sense: No, it cannot be considered secure at all.
For a somewhat knowledgeable person, it would be rather trivial to find your "hidden" network and to spoof one of the allowed MACs.
Furthermore, it is (hopefully) obvious that all data transmitted on your unencrypted Wifi can be eavesdropped.

lennoApril 27, 2011 6:01 AM

at the end of the article, wpa 2 and strong password, right, but hidden ssid and mac filtering??? even if the ssid is hidden you can "find" the network and changing your mac adress is simple, too

BF SkinnerApril 27, 2011 6:18 AM

@David " raids was performed by ICE"

Probably a question of jurisdiction. If the material came from overseas then it crosses the boundary of their baliwick. I've heard they do a lot of child porn investigations.


@Clive Robinson "@ Ponter, Which ticket are you running on? "

The Mr Gumby ticket

@Z "securing your WiFi is about avoiding the inconvenience, cost, and embarrassment of being accused of a crime"

This is likely more about the Judge who issued the warrant. "So you've traced the traffic to the router. the router is in X's house therefore only X could use it?" "Yes your honor"

The logic of probable cause here is faulty.

GreenSquirrelApril 27, 2011 6:33 AM

@Clive (far up the thread)

I have a trampoline in my back garden. I am at work today and my children are away at their grandparents house. I have no way of knowing if a neighbour's kids have come into my garden (there is no gate preventing them from doing so) and used my trampoline.

Would I be held responsible if one did and ended up hurting themselves?

RonKApril 27, 2011 6:51 AM

@ Carl

Even if WPA2 is protected in some kind of absolute fashion by divine providence, that just means that the scenario being discussed is more likely to happen to you because your teenager downloaded dancing pandas.

What I'm surprised isn't being discussed is that the people involved only managed to clear themselves _because_ they weren't sophisticated users of crypto. As scenarios like these increase in frequency, that means that the related risks in using advanced cryptography increase accordingly. Plausible deniability is incompatible with the advantage of being able to "prove" one isn't concealing information. Even securely deleting information in the wrong way on your computer could make one suspect: the unallocated sectors containing random information _might_ be encrypted information.

PaeniteoApril 27, 2011 7:39 AM

@RonK: "What I'm surprised isn't being discussed is that the people involved only managed to clear themselves _because_ they weren't sophisticated users of crypto."

No. They were cleared because the *real* criminals weren't sophisticated users of crypto (and didn't have much common sense, either) so that they got caught.
Also, in the first place, those cleared people would not have been 'involved' at all, had they been using sophisticated crypto.

Clive RobinsonApril 27, 2011 8:23 AM

@ GreenSquirrel

"I have a trampoline in my back garden. I am at work today and my children are away at their grandparents house. I have no way of knowing if a neighbour's kids have come into my garden (there is no gate preventing them from doing so) and used my trampoline"

It would probably classify as an 'attractive nuisance' if it can be seen from the road or your kids have told other kids it's there...

Odd you should mention this my son has just come back from his grandparents with a broken arm (compound fracture of the radius). He broke it steping backwards on the neighbour's trampoline (that's what he says anyway).

Although the neighbours where in (he was playing with their son) they where not aware as far as I know that either of them where on the trampoline.

My view is my son was being daft and unfortunately he suffered an injury through his own fault, and hopefully he'll learn not to be as daft again.

However my viewpoint does not change the legal position of an 'attractive nuisance', only if I should seek to take action or not.

Now I don't know what other peoples views are but mine are "my son knows better" and that's the end of it (because I did similar daft things when his age). However as we know from TV adverts there are plenty of lawyers prepared to take on such cases, simply because the law alows them to.

GreenSquirrelApril 27, 2011 8:33 AM

@Clive

In my situation, pretty much every kid in the village knows which gardens have trampolines and which ones have swings etc., and all are broadly treated as communal property. I have provided it specifically for my children to use, but I have no issues whatsoever about others making use of it - but I wouldnt for one second accept liability for their actions while they are on it.

It would be interesting to see what the outcome of a court case about this was (as long as it was someone else involved, of course).

WearyAboutIPLawApril 27, 2011 8:41 AM

(I didn't have time to make it through all the comments so sorry if this is a repeat thought.)

I have a follow up situation that is probably pretty likely. It would involve a wifi owner that is not knowledgable about security at all. What if the owner was running a WEP secured router? Now lets assume the person accessing the network for the crime was also very savvy and broke into the owner's computer as well as cracked the WEP password and used their internet connection. What happens if the unauthorized person actually plants all their evidence on the owner's computer as well (by gaining access through some known vulnerability via a MITM attack or the like).

I'm not trying to make much of a point with this, but its seems like their will be a growing gap between people 'knowledgeable' of security and those that have very limited understanding. If laws start assigning IP addresses owners responsibility for all network communication then the ones who will suffer will be the less knowledgable people.

David ThornleyApril 27, 2011 9:41 AM

Dirk Praet: I find it reasonable that somebody would be using somebody else's wireless connections without knowing they were doing something wrong. Most people don't understand the technology behind the Internet. The Internet is this semi-magical thing that they can shop on, play Facebook games, and surf for porn. Consequently, if they bring a computer home, and find it comes with the Internets, they may not think anything amiss. (I have a Nook, which came with legitimate free 3G access, no further fees, no registration.)

@Alex: Nowadays, if you want teenage swimsuit photos, you want to know of Facebook accounts of young attractive women who live near a good beach, like to post pictures, and always accept friend requests. There's got to be lists out there somewhere.

TheOtherGeoffApril 27, 2011 10:20 AM

Paeniteo: "Also, in the first place, those cleared people would not have been 'involved' at all, had they been using sophisticated crypto."


I disagree. If Bruce is running sophisticated Crypto on systems behind his 'open' network, that brings all the suspicion on him, as he's not as transparent as the LEO would want him to be ("People with nothing to hide don't use Crypto"). they'd be looking for reasons to warrant his computers to decrypt all devices, open all safes (looking for more devices), check purchase histories (to see what devices he should have ['Mr. Schneier, the niece you say you gave that iPod Touch to says she lost it. But she didn't report it to anyone. So we think she's covering your story of even giving it to her. Now we're holding her on conspiracy to obstruct... until you change your story, or give up your crypto keys....'])


I remember when Phil Zimmerman said that until everyone uses crypto, then the powers that be will suspect people using crypto.

staudenmaierApril 27, 2011 10:20 AM

More of the same: Prosecution and arrest based on the false notion that users can control the contents of their hard drives.

AltairApril 27, 2011 10:27 AM

A stupid question: Where were those CP's hosted?

I mean, a plain HTTP server is too much in plain sight (in sense of security, IP logging, etc.) , and other "secure" ways (such as tor) should be immune to detection.

GreenSquirrelApril 27, 2011 10:59 AM

@TheOtherGeoff

You make an interesting point.

Once the police have kicked the door (metaphorically or otherwise) the reality is that it is time to prove innocence.

If you had your own "secure" network, the likelihood is that the police would never accept your excuses that it was the neighbour using the open part of the network.

Here in the UK, failure to provide decryption keys on request is in itself a criminal offence....

Bob GezelterApril 27, 2011 12:53 PM

These cases are troubling. There are many pros and cons to providing guest access through one's broadband connection. Mis-attribution and malware attacks are but some of the problems.

In general, I agree that it is reasonable to provide an unencrypted WiFi for guest use (if one wants to encrypt it with a separate cryptokey from the main network, that works also but is far harder to implement operationally -- think of what happens when one has many guests). But I digress.

In a "Cyber Hospitality in Safety: Protecting Shared Broadband against Contagion" (slides at http://www.rlgsc.com/trentoncomputerfestival/... ), my recent presentation at the ACM/IEEE Trenton Computer Festival, I noted that the placement of the "public" WiFi in the network topology is important. Unlike a DMZ, which is outside of your inner firewall, it is critical that connections from your trusted network not traverse the network visible from the public WiFi.

This presentation echoed my 2007 LISAT paper "Safe Computing in the Age of Ubiquitous Connectivity" (see http://www.rlgsc.com/ieee/longisland/2007/... ).

Incorrect topologies pose serious security threats. At one of my small clients, the broadband provider's technician "helpfully" enabled unencrypted WiFi. A major security penetration ensued (see my December 2009 blog entry "Networks Placed at Risk – By Their Providers" at http://www.rlgsc.com/blog/ruminations/... ).

Mis-attribution is a serious challenge, as are a variety of other scenarios for misadventure. Caution is recommended.

It may sound primitive, but there is something to be said for using a separate router to provide guest WiFi, and putting it on separate power switch with a clear pilot indicator. Leaving it powered-off when not in use will cut down on "drive by" attacks.

ZApril 27, 2011 1:25 PM

@Dirk Praet:
It's a question of taking reasonable steps. There are many ways to prove reasonable steps; following the manual is but one.

@Garrett:
That would only be of some help if (1) you actually didn't download illegal stuff; and (2) you were being prosecuted for *other* people downloading illegal stuff. At least in the US, I don't think that's happened yet. If it did, though, perhaps that fact may swap the jury.

@BF Skinner:
We'd need to read the actual warrants, but they are likely search and seizure, not arrest, warrants. Knowing that illegal material is running through a particular router is probable cause to search the router. If the router is in a private location (e.g., a home), then the warrant will likely need to authorize police to enter the home. Furthermore, there' most likely probable cause to search all computers in the house. But, you're right that it's probably not probable cause to arrest someone.

BF SkinnerApril 27, 2011 2:01 PM

@Z "running through a particular router is probable cause to search the router"

Hmmmmm. But data isn't persistent in routers. Even the IC doesn't try to extend class spill cleanups to the routers.

Reason by analogy - A known villian was known to have passed through a particular domicile. He is not still there. Does this give the LEO probable cause? Exigent circumstance maybe, in a chase but a big maybe.

In this case, I guess, because they assumed the illegal material passed through the edge device to mass storage on the inside. Their evidence presented to the judge was still based on the presumption that only the home owner had exclusive use of the router.

Big MikeApril 27, 2011 3:11 PM

OK, I'm tardy to the party, but Bruce, you've to be shitting me! You can be polite without opening yourself up to the bad guys. Never would have expected this from you. Wow. Blown away... what the fuck were you thinking!

BelornApril 27, 2011 5:45 PM

I find it kind of interesting that liability over what happens inside a wifi network only comes into question if the price is zero. If the owner would charge a price, then all liability is placed solely on the buyer. The common view is that bandwidth sellers has no liability over the action of their users, so why should gratis wifi change this?

John David GaltApril 27, 2011 6:37 PM

Stories like these (and the previously much more common phenomenon of wrong-address drug raids) ought to make us all rethink the entire field of rules-of-engagement for law enforcement. There are several wrongs here, and each one appears to need a separate law (or better yet, constitutional change) to reform it:

1) The courts need to recognize that unsecured Wi-Fi networks (and for that matter, spams and viruses which can put contraband on innocent people's computers) are much more common than pedophilia -- and therefore, the mere fact that some kind of network sniffer detects these files being exchanged is not "probable cause" and judges should refuse to issue warrants without evidence of intent on the computer owner's part.

2) Even if a judge did have probable cause to issue a warrant, police have no business sending SWAT teams to execute warrants where there is no cause to believe the target will fight. (They also have no business executing warrants at night, again unless there is cause to believe the target will fight.)

3) It is typically not possible for you and me to tell whether the performers in a work of porn are adults or not (a question that depends, not only on their ages, but on what state or country the film was made in, and sometimes their marital status). Therefore, the law has no business holding a consumer responsible for knowing the answer to that question. Granted that the use of children to make porn is a serious crime and worthy of felony penalties, imposing those penalties MUST require that the government prove intent. Otherwise it becomes unsafe to possess any porn at all.

These reforms are imperative. An America where innocence doesn't protect you isn't really America anymore.

asdApril 27, 2011 6:52 PM

sorry dpost
Nassim N. Taleb "Fooled by Randomness ", had a comment on the Black Swan theory and OJ Simpons murder trail that might be relevant

tommyApril 27, 2011 7:35 PM

@ Richard Steven Hack and Ned P.:

"5th Amendment" said pretty much what I was going to say. Cops don't make laws. Federal laws are made by Congress and signed into law by the POTUS (or a Congressional override). State laws are made by their respective legislatures, usually with similar provisions for the Governor to sign.

Consider prohibition of alcohol. Most Americans didn't want it; disrespected the law and disobeyed it; it gave huge wealth and power to certain formerly moderate-sized criminal gangs, who then corrupted judges, prosecutors, and cops. (It also gave us the Kennedy dynasty. Link in the sig.)

We learned the lessons after 13 years, but repeated that with Drug Prohibition, with exactly the same results, for exactly the same reasons. And with laws against prostitution, gambling, etc. Why are they harmful to us if they occur in Milwaukee, but not in Las Vegas?

Of course there are bad cops, and "mixed" cops. But being forced to enforce laws that the public doesn't support (and sometimes, the cop itself doesn't support) is the real problem here. Get rid of the drug laws, other "victimless crime laws", the USA PATRIOT Act, the power of warrantless wiretapping and e-mail scanning, and the prisons will now have enough room for *real* criminals, and the cops will perforce concentrate on said robbers, rapists, burglars, etc., thus protecting the innocent.

Nick P., sounds like your State's laws went way overboard, not the cop. Once you had shown your proof in Court, the cop had nothing more to do with it. Let your elected legislators and Governor know your feelings about this.

BTW, if you're going to refuse to talk at your home, I'd not even step outside. Talk, or refuse to talk, through a window. Then, either they break in, or they get a warrant, which they should have done in the first place if there were indeed probable cause to believe you've committed a crime. If they break in without that cause, it looks bad. If there were cause, the question of why no warrant was obtained becomes relevant.

I'm a strong civil libertarian, too. Get rid of these unconstitutional or ridiculous laws; then, a lot (not all, of course) of the abuses will end.

On a lighter note, re the OP: I don't provide an open WiFi for anyone, but if I did, I thought of naming the SSID "Cops monitor this network, so play nice."

Had considered "(CITY NAME) Police Dept. Free Wifi", but I expect there's a law against that. ;) Cheers all.

Nick PApril 27, 2011 8:32 PM

@ tommy

Good points. The law is a major source of the problem. You're missing two things though: implications for cops & human nature. If we have evil laws & cops are agents of the law, then the cops are evil in practice. Besides, the law only stands because people continue to accept or enforce it. The lawmen could say, "Hey, this is a bullshit law made by a corrupt politician that's about to cause this innocent person a lot of harm. I'm not going to enforce it." Instead, they act in accordance with the evil law or actively look for "violators."

Someone said it better than me though: "It's not who you are underneath but what you do that defines you." (Rachel, Batman Begins)

On your other points, the cop, the judge and the state went overboard. The cop took time out of my day and cause money out of my wallet because a light went out on my vehicle in a way that didn't harm anyone (just the top half of one tail light). Thanks to his participation, I ended up in court where a judge gave me a crooked deal to make his court more money. He and the state didn't make this information well-known and there's nothing illegal about that, unsurprisingly. Finally, agents of the state caused me even more trouble. An alternative approach would be informing me a tail light was out, recording the incident and issuing a punishment if it wasn't fixed after a certain time with no costs otherwise. (And making the rules reasonable & clear and not enforcing rules that made no sense...)

It all started with the cop, though. If he hadn't harassed me for nothing, then none of it would happen. This is usually the case when I'm pulled over, so I consider cops a threat to me rather than an asset. He had a choice, many choices, and always made the evil choices. He also continues to act as an agent of an organization that mandates its members to do evil. So he's evil. (One of the reason I didn't join a LEO or military branch, despite several offers with nice compensation.)

Human nature's also an issue too. Power is one of the most corrupting things one can possess. Most people I've met who joined a LEO weren't selfless individuals who joined for the good of the community. They wanted power, respect or money. The others were the exception. The very nature of their motivations make them likely to cause harm & give a reason to be distrustful of police in general.

Anyone doubting a decent person given power or authority can turn dangerous with little reason should look at the Stanford Prison Experiment. Experiments like these further justify a distrust in individuals of questionable motivation given extreme power in situations with little accountability.

Stanford Prison Experiment
http://www.prisonexp.org/

Doug CoulterApril 27, 2011 9:48 PM

Not to go back to the bad car analogy, but in the state of VA is IS illegal to leave your keys in a car, and it's a fine if a cop notices it or your car is stolen.
Not a large one, but.

I've been the target of one of these false "dynamic entries" -- over another issue, but one I was completely innocent of at any rate. Which they eventually figured out.

But I'm darned glad me and mine are "gun people" and knew just what to do -- those were some nervous agents, tons of drawn guns (including 2 hk5's, a shotgun, two assault rifles, and numerous .40's) and and they were acting very dodgy and giving commands that couldn't be complied with. Can you both freeze, and come out from behind a locked glass door with your hands up?

We went limp, of course, and were utterly non threatening. Once they did their homework, they found out they should have been asking my autograph as I was...well, I worked for an agency and had a decent record myself. And we were all pals then....sorta.

Most people would have gotten themselves shot, these guys were completely out of control. We were lucky were weren't shot or seriously hurt beyond being shoved into the mud and having our necks stepped on "for our safety".

For this we pay taxes? Even a tiny amount of homework would have prevented quite a waste of taxpayer money and aggravation. In fact, the one local cop they brought with them told them I was a straight up guy and no way what they thought.

Some minimal property damage, no big deal really. And I didn't get mad -- I got even, and wound up with a computer security consulting contract with them....hah! More money for less work than suing them would have been.

PaeniteoApril 28, 2011 2:42 AM

@TheOtherGeoff:
"Paeniteo: "Also, in the first place, those cleared people would not have been 'involved' at all, had they been using sophisticated crypto."

I disagree. If Bruce is running sophisticated Crypto on systems behind his 'open' network..."

I did not talk about Bruce, I talked about "those people". Don't throw abstrusely complex expert configurations into the mix when a simple WPA password would have been sufficient.
Open Wifi -> abuse by neighbour -> SWAT team -> necessity to "clear" oneself
WPA2 -> no abuse -> no SWAT -> no necessity for anything

NB: This counts for the cases at hand. I am quite aware that one can construct scenarios where abuse occurs in spite of WPA. But there is no indication whatsoever that this would have happened here.

Clive RobinsonApril 28, 2011 5:21 AM

@ Pfogg,

"The point of a sudden, heavily armed 'SWAT entrance for a computer crime is to make sure no one has a chance to destroy evidence (which can be done very rapidly on computers..."

That is a false premise, because of the "dead man's switch" philosophy (which SWAT teams are aware of with suicide bomb vests etc).

Thus anybody who want's to protect data to just short of eternity can do so with little effort. As many on this blog will tell you it's much easier to arange this than aranging to keep data for more than a decade ;)

What you do is simple and requires a variation of,

1, All data is stored encrypted without exception.
2, The key is kept in truly volatile "memory".
3, A "trip wire" to erase the "memory".

The trip wire could be any of a hundred or so things for example a simple IR alarm motion detector. when the SWAT team come blundering in they trip the beam or their smoke/CS canisters do the same. This then erases the truly volatile memory and cuts the power to all the systems etc (or triggers say thermite charges).

Although normal "semiconductor memory" is not truly volatile there are quite easy ways to do it (if you realy want to be "home brew" think how flamable a cigarette paper that has been treated with a peroxide or nitrate is and then work from there).

As I once mentioned the way to store a key in semiconductor memory is to keep it as a moving data shadow. This alleviates "burn in" and also if you do it correctly stops liquid nitrogen attacks etc.

Overly simplisticaly you have a "true random stream" that is added or subtracted from the "key value" in two or more other memory arrays, thus the value is held as the "shadow" between the data in the arrays not the actual data values. You use the "random stream" in a high speed interupt to change the data values in the arrays very frequently (but not the difference or "shadow" value).

When you need the "key value" you use the software interupt to read the arrays between updates and reconstruct it from the shadow.

You should also consider not storing the "key" in the shadow but the "expanded key" used in the rounds as this saves a considerable overhead. If you do it right the key is only used very infrequently and then it's temporary storage (CPU register) should be immediately over writen.

One such way to do this is to use the encryption/decryption in the interupt. It only needs to reconstruct the part of the expanded key needed for the individual round internaly in the CPU, which gets almost immediatly overwriten with the value for the next round... It's not particularly "efficient" but that's not the point ;)

When the "trip wire" signal is valid the interupt carries on updating the arrays by simply writing in the true random stream into the arrays thus obliterating the key shadow.

You also need to use a CPU where side channels are not inherant in the design, and you use software techniques that minimise the chance that they will be formed (this can be quite simple if you are happy to "burn CPU cycles" in exchange for security).

GreenSquirrelApril 28, 2011 6:40 AM

@ Clive - I agree with your tripwire scenario but this is way beyond the capabilities of 99% of people the police expect to raid.

The "logic" is that by storming the building at dawn with more paramilitaries than a Bosniac War Criminal is that the effect will be to stun the victim into inaction. Sadly for society, this is more effective than not so until everyone has good encryption on their data and robust tripwire security set up, the police will continue to do this.

BF SkinnerApril 28, 2011 6:51 AM

@John Galt "serving warrents. . .not only on their ages, but on what state or country the film was made in,"

re: SWAT - Alex Jones would tell us that it's just the criminal offshore banking cartels using our own LE to condition the citizenry to accept the Police State and ready us so they can grab guns.

I wouldn't be able to make that judgment because A. Jones is a nutcase and B. What kind of conditioning were the DC PD doing when they provided a motorcade escort to Sheen and his bimbos on the way to his show?

Police serve their warrants when they belive the suspect will be there to be served. (to serve and protect?) At 3AM is pretty good bet he's gonna be there and not spoiling for a fight or prepped to destroy evidence.

re: age of performers - it's according to the laws where the material is recieved/viewed that matters. The US doesn't care what standards are in Germany (nor does Malaysia care about what's acceptable in the US). The material becomes illegal just by fact of crossing the border (and why ICE is involved.)

And a lot of this crap? Doesn't revolve around a question of a couple of years. Infants, first second and third graders, tweens? - unlikely you'll find any country where it's legal to use them in porn.

asdApril 28, 2011 6:56 AM

computer security , arms race , MAD.
When do the n.k.s arrive , will we have neighbors , swat , who will have n.k.s

"If you had your own "secure" network, the likelihood is that the police would never accept your excuses that it was the neighbour using the open part of the network.

Here in the UK, failure to provide decryption keys on request is in itself a criminal offence...."
+ 1

mfeldtApril 28, 2011 6:58 AM

"AFAIK no case of "too weak encryption" has been brought to a court (in Germany) - the actual case(s?) dealt with unprotected networks.
IIRC the court ruled that having to "password protect" your Wifi can be considered general knowledge in these days and that it would be reasonable for anybody to ask for external help if unable to set this up themselves."

I guess it's similar to the german way of handling DVD piracy: You are allowed to copy the content (for private usage), but it's a crime to circumvent the copy protection, no matter how weak it is. Means: A protetction has to be there to change the ruling of a court, however, it doesn't have to be effective...

PaeniteoApril 28, 2011 7:16 AM

@mfeldt: "[in Germany] it's a crime to circumvent the copy protection, no matter how weak it is"

Not quite... The german law explicitly states that it is illegal to circumvent "effective" copy protections. However, again, no court has applied this term to a concrete case (i.e., noone has ever been charged for circumventing the CSS protection of DVDs).
Also, while possibly illegal, circumventing a copy protection does not carry a punishment, if done purely for "personal" use. You'd still be liable for civil charges (cease-and-desist, damages, ...). Again, no court has ruled about this, AFAIK.

Dirk PraetApril 28, 2011 8:10 AM

@ Z

"It's a question of taking reasonable steps."

No, it is not. Unless there are laws or legal precedents in place regulating operation and liabilities of a WiFi network - and these being pointed out to the end-user by ISP's and equipment manufacturers alike - there are exactly zero "reasonable" steps to be taken to secure your WiFi. Until such a time, running an open network is not a crime and shouldn't be treated as such. Apart from there being plenty of good reasons to operate one, it is absurd for judges to assume that having to password-protect them is general knowledge unless it is mandatory for owners to have some sort of "network permit/license" for which they have to pass an exam.

If my understanding of above mentioned cases is correct, no charges were brought against the folks who had their homes swatted once it was established that someone else had been piggybacking off their network, and probably because there was zero legal ground to do so.

See also the recent EFF article on why we need an Open Wireless Movement at https://www.eff.org/deeplinks/2011/04/open-wireless-movement .

Peter A.April 28, 2011 8:20 AM

@Clive and others re: pool in your front yard.

I realize that this is the current sorry state of affairs in many jurisdictions; but the logic behind it does not hold water (pun intended) at all.

If we're going to take for granted that not walling or fencing a swimming pool located on your private property and having someone drown himself in it is a criminal negligence punishable by law, how we're not holding the goverment officials responsible for all drownings throughout the country? The suckers criminally neglected to fence or wall all the coastline, all the lakes, reservoirs, rivers and any and all bodies of water that lie on the state-owned land!

I see as an abominable injustice that if a random citizen drowns in your own pool (without your help of course) it's your fault, but if he drowns in the Lake Michigan it's his fault.

Wayne RiddleApril 28, 2011 8:37 AM

I can understand SWAT teams and no knock warrants for some drug busts (fear of dealing with armed and perhaps drugged people), but child porn? Granted I'm for harsh punishment for people convicted of this crime but I fail to understand the level of force used to serve a warrant in such cases.

And my Wi-Fi is secure.

Clive RobinsonApril 28, 2011 10:21 AM

@ Peter A,

"If we're going to take for granted that not walling or fencing a swimming pool located on your private property and having someone drown himself in it is a criminal negligence punishable by law, how we're not holding the goverment officials responsible for all drownings throughout the country?"

Having an "attractive nuisance" on your property is not a crime it is part of tort / civil not criminal law and it's used to assess damages to be payed (or not) in the case of harm to children not adults.

There are various hurdles that have to be cleard before an action can succeed. If I remember correctly they are,

1, It is in a place where it is likley a child would trespass.

2, The object is one where it is likley a child would come to significant harm or death.

3, The object is such that a child due to youth will not realise the danger of unsupervised use (why leisure equipment is problematical).

4, Utility/cost/location -v- Risk. That is the utility of the object and the cost of making it safe to the owner against the actual risk (which is why putting a roped tarpauline over a digger left over night at the site of road works used to be considered acceptable but no cover was reasonable if left overnight in a remote location).

5, The owner of the object fails to take "reasonable" care to obviate the risk to children.

For civil authorities there is usually "Crown Immunity" which means you can't sue the Government over government owned property.

Even when there is no Crown Immunity the weasle out one for the civil authorities is cost -v- risk (4) so for instance a natural lake in a farm with hedged fields around it and no public roads or footpaths would probably be OK. However a pond or lake in a public park would require fencing, however the river feeding it would likewise require it in the park but probably not outside the park...

However as the world gets more PC/H&S mad the definition of reasonable is changing quickly and crown immunity is a rapidly disappearing protection in many places which is why we are seeing rivers and such like being drained, culveted, piped in or in otherways made inaccessable, not just to children but wildlife as well and it makes us the poorer for it.

Clive RobinsonApril 28, 2011 10:48 AM

@ Belorn,

"I find it kind of interesting that liability over what happens inside a wifi network only comes into question if the price is zero. If the owner would charge a price, then all liability is placed solely on the buyer. The common view is that bandwidth sellers has no liability over the action of their users, so why should gratis wifi change this?"

Simple answer is contract law.

In contract law something has to be given and something has to be received and the exchange has to be equitable on all involved parties.

The exchange does not have to be directly financial it can be as part of another service, that is when you buy your food you can sit at a "customer" table in the shop if you wish to.

If a contract (even an implicit one) cannot be shown then it all becomes messy legaly. So where something is given away totaly freely a contract does not exist and therefore you cannot show a mechanism of control etc exists...

However it is the degree of control that causes problems. Historicaly you might have been disadvantaged if you could not communicate with others on an equitable basis. Thus Governments realised communications was an essential service that all should have access to. As they themselves might not wish to run the service they would often pay others to do it for them. However they had to ensure equitable access for all it was thus argued that in return for "not knowing what was being carried" the carrier providing service to all should not have liability for what they carried. Thus the "Common Carrier" ethos and the no look no liability status.

AppSecApril 28, 2011 11:39 AM

I have only skimmed the post.. But..

While maybe SWAT was overkill, but they are going to bring a large force in regardless. They don't want to risk there being multiple people and one being able to alter/remove evidence.

At least that's what I keep telling myself to justify the action and give the benefit of the doubt.

ZApril 28, 2011 1:14 PM

@BF Skinner:
"But data isn't persistent in routers."

My router logs access. Presumably someone could string together the address of the computer that requested material the police knew to be illegal.

@Dirk Praet:
"'It's a question of taking reasonable steps.' No, it is not."

You're taking my statement out of context. The hypothetical context is (1) there is no dispute that you didn't download illegal material; and (2) you are being criminally charged due to someone else using your equipment to download illegal material. As I've already stated, I don't know of a case where this has occurred. I can easily see it happening.

In that hypothetical case, your policy arguments are nice, but probably won't get you anywhere with either a jury or a judge. Taking reasonable steps to secure your router, however, will help you with the jury.

ChrisApril 28, 2011 2:04 PM

@hjp
ohne Verschlüsselung kannst du abgemahnt werden, max. 100 Euro. Haftung wird explizit verneint.

MekoApril 28, 2011 2:35 PM

What we should be asking is "Security Risks of Connecting To an Open Wi-Fi Network".

It's amazing how many people setup an open Wi-Fi network to do nothing but information gathering on people looking to take advantage of someone's open network.

Anyone willing to hedge more people are victims this way than the other?

ErikaApril 28, 2011 3:05 PM

To clarify the situation in Germany about what happens if you don't secure your network and a third party uses it for copyright-infringing activities.

You are expected to protect your wireless access point using the customary means for your device (which usually means a password). Failure to do so, however, only allows third parties to get injunctive relief -- requiring you to secure your access point --, not sue you for damages. You cannot be expected to go above and beyond customary precautions for securing your network, either.

Under German law, basic injunctive relief is most commonly obtained not through the courts, but through a so-called "Abmahnung". An Abmahnung is basically a cease-and-desist letter written by an attorney on behalf of the injured party; unlike the US variant, if you agree that you engaged in the behavior outlined in the letter and agree to stop that behavior, you are responsible for the sender's legal fees (if you refuse, you don't owe anything, but the sender will then likely take the case to court, which is going to cost you more if you're guilty). In Germany, legal fees are regulated, and in the case of copyright infringement, the amount of legal fees you can charge for an Abmahnung in copyright infringement cases is also generally capped at 100 Euro (about $150 at current exchange rates).

If you're fluent in German, the press release of the BGH (Federal Court of Justice) is here, and it also contains a link to the PDF with the actual decision:

http://juris.bundesgerichtshof.de/cgi-bin/...

Nick PApril 28, 2011 3:39 PM

@ Clive Robinson

That's the scheme I created during our conversation about securely erasing storage. Credit would be appreciated. ;)

@ GreenSquirrel

It's easier than it sounds. If a Erase button or command is used instead, then an FPGA system that protects/encrypts memory can be used. The FPGA would loose the key upon Erase. This approach is used by the Air Force in their HAVEN virtualization system. Seemless encryption is applied to memory moving from or going to the processor's cache. A modified version of this would allow erase with a few SRAM overwrites & a cache flush. The components are relatively cheap. One person would design the system and publish it online, then the bar would be low for others to use the technology. If a graphics or sound card is included, their memory should be overwritten somehow as well.

Nick PApril 28, 2011 4:04 PM

On security + deniability

From what I gather, we've formed a consensus on two major points. The first is that the sharing of a public IP address between the owner and strangers creates the deniability, so long as no device logging is performed. The second is that allowing outsiders into the network creates additional security risks. If we're just focusing on solving these two problems, then there's a pretty easy solution.

A hardened OpenBSD PC could act as the guard. The wireless router for outsiders would use software that didn't log MAC's and such, although the home network side might use MAC filtering. The guard would enforce a security policy that only allows the outsiders to connect to the Internet. The internal wireless networks can use strong security measures. If deniability is necessary, the user just connects to the router for outsiders. LiveCD's, VM's, dedicated PC's, etc. can be used to further contain any data leaks.

Peter E RetepApril 28, 2011 4:44 PM

We are amplifying human abilities:
Communicating, observing, accessing, sharing knowledge.

There is also a 'responsibility inflation' going on.

Consider three examples:
Example [1]:
When I was working in a hospital on hot summer nights,
I could stop at the beach on the way home after midnight,
and just go for a swim. No one cared.

Then government began to involve itself:
First, they built easy access bikepaths to and along the beach.
Then, there was an increase in crime: drug use, etc.
Then, bright lighting was installed that turned off at 2:00 a.m.

Then it became illegal to swim in the absence of lifeguards.
No more midnight swims.
Being on the beach after dark became a ticketable offense.

Beaches became inaccessible legally
because they had become more accessible physically.

For example 2:
Now consider Home Hubs, or Portable Hubs
[which remind me of the famous Portable Holes,
both personally controllable universal portals.]

They are freely sold.
In fact,
cell communications and wifi
require universal access.
Buyers need only plug and play to turn them on.
Installers install them as-boxed, open.
We had one for two years at our school,
next to as freeway-street traffic jam, completely open.
Most people have no idea of communications
infrastructure behavior.

What will be attempted as the government gets involved?

Example 3:
Have you tried to re-record a home-movie video tape
that you took of your family to a DVD lately?
Since 2008 that function has been removed from the market
by Big Movie Companies.
The chip function to enable it is turned off in the chipsets sold in the USA.

Is owning this functionality illegal?
No.
Does it have a prevailing legitimate use?
Yes.
Is it available in the markets?
Not in the U.S.
Are there work arounds?

Conclusion?
This is as much a blend of business, legal, and social policy as of tech capacity.
Just as New Rules themselves seldom resolve a widespread problem,
so New Tech Restrictions will hve to compete with people empowered by
the First Ammendment to the US Constitution.

[POST-NOTE: Does anyone read Canada Tech?
A current problem is 'evidence suppression' of voter's 'voluntary testimony' within their borders,
when an on-line connect beyond their borders permits full simultaneous legal disclosures.
What to do? What to do?
Dare we let the people be free?]

Dirk PraetApril 28, 2011 5:22 PM

@ Z

"In that hypothetical case, your policy arguments are nice, but probably won't get you anywhere with either a jury or a judge. Taking reasonable steps to secure your router, however, will help you with the jury."

Unless I had Jacques Verges on my side, chances are indeed quite good that I would get convicted in the US, even though both the judge and the majority of the jury pre-trial would probably have had no clue whatsoever either that they had to secure their own Wifi network. It doesn't change the fact that to me it feels totally wrong. Can't wait for such a hypothetical case to go to court someday.

tommyApril 28, 2011 9:44 PM

@ Nick P:

I was aware of the experiment in question long ago, and Lord Acton was aware of the principle more than 100 years ago, long before the experiment proved his aphorism. (I wouldn't have inflicted the pain. Or would have refused to participate.)

Of course, powerful jobs will attract those with power-lust, including Congress and POTUS. The best solution, as Lord A. implied, is to limit the power as much as possible. This is exactly what the Founding Fathers intended, via the Constitution, Bill of Rights, etc., but those seem to be ignored at will, and have been for at least a century. Reduce the powers of Congress, President, and State politicians, and constrain the power of LE in the manner intended by said Fathers, and the jobs may attract fewer authoritarians and sadists, and more who truly wish to make their community a better place.

Another issue is the environment created by "crisis". (If there isn't an actual crisis, make one up.) Wars were formerly the justification for discarding civil rights. FDR used the "War Powers Act of 1917" to confiscate gold in 1933. Didn't they sign a treaty in 1918?... WWII saw imprisonment of perfectly-innocent American citizens of Japanese descent.

Now, 9/11 and terrorism are the buzzwords to move us from John Stuart Mill to Karl Marx, "the end justifies the means". The syllogism goes like this:

Terrorism is horrible.
Therefore, any means to fight real, suspected, possible, or imaginary terrorism is justifiable.

Which gets extended to:

Kidporn is terrible.
Therefore..... (ditto)

And on, and on...

When the Feebies openly flout the Constitution, with the sanction of *two* POTUS of radically-different factions, it convinces the sheep to accept these faulty syllogisms, and LE to think that they are being noble instead of evil in using "any means".

Also, a low- or mid-ranking LEO who refuses to enforce the unconscionable law, or to use unconstitutional means, is pretty much risking her/his job, even if they originally took it with the best of intentions. The change has to come from the top down, which means: change the law, and limit the power of the lawmakers.

With regard to your own situation, I agree with your assessment. In fact, many such minor violations (tail light, etc.) *do* receive a warning, with a reasonable time limit to correct. So, I'm curious, if you care to share: Do you drive a VW microbus? Look like a "hippie"? Have anti-establishment bumper stickers, window stickers, etc.? (Not that these justify anything. Just trying to figure out why you weren't let off with a warning. Still might have been, had the insurance been there.)

Give attitude right from the start? Or did you attempt a conciliatory "Thanks, Officer, I didn't know the light was out. I'll get it fixed ASAP."?

FWIW, I have had some friends in LE over the years, including one who is *very* high in rank and responsibility, even on a national ranking. The common saying regarding the escalation of minor violations is, "More people go to jail because of their mouths than for anything else."

Not accusing you, because I don't know. Just asking, as you've made me curious. If every encounter starts with an "us vs. them" attitude, "our rights vs. the Fascist Pigs", things are not going to go well...

I hope it doesn't happen again, but if it does, try a little kindness, even if you have to suppress your personal feelings and experiences. (As movie mogul Samuel Goldwyn famously said, "The most important part of acting is sincerity. If you can fake that, you've got it made.)

So, let's assume 100% of cops are authoritarian egotists. Play to that. Be humble, apologetic, respectful, thereby playing to his/her sense of maintaining status and control. As the old saying in sales goes, "When you meet the prospect, put your ego in your pocket, and leave it there until you leave." A bit of role-playing is worth a favorable outcome, no? (It's worked for me. ;)

Not that that's going to get you out of a serious charge, but until the laws are changed, don't carry drugs or residue in your car; don't leave that bong in plain sight, etc.

Agreed that many legislatures, judges, County Commissions, and PD's use traffic enforcement as a lucrative source of non-tax revenue. The AAA (Amer. Auto. Assoc.) tries to identify the worst locales, and to warn members as well as to pressure for change. In the meantime, be scrupulous enough not to give them any excuse... GL.

SeanApril 29, 2011 12:59 AM

If you are a man of a certain age, you shouldn't even think of being near an open network. This is one area where you are guilty until proven innocent. And once the brush has been slung, you are never ever innocent, though proven so.

Our country was founded on breaking away from the old adversarial law climate of a large portion of Europe. But we can tell we're living in an old, dying civilization. Everyone wants to be safe. Everyone wants to do it for the sake of the children. Old, dying civilizations find in the end that there is no such thing as safety. Only increasing self-imposed slavery.

Clive RobinsonApril 29, 2011 6:44 AM

@ Tommy,

"FWIW, I have had some friends in LE ove the years, including one who is *very* high in rank and responsibility, even on a national ranking. The common saying regarding the escalation of minor violations is, "More people go to jail because of their mouths than for anything else".

Actualy this is true but not for the reason you are implying.

In the UK there appears to be three basic was to go to jail,

1, Be a known "con" with a known "MO".
2, Commit a "Political / Public interest crime".
3, "Flap your gums" about your crime.

In the first case many of the crimes known criminals "get taken into account" were not commited by them it's a way for the Police to "close the books" for a "consideration"... Further it is known that a number of cons have been "fitted up" based on the quaint notion that "it's their turn".

In the second case if a crime attracts either Political or Public interest then the Police throw resources at it untill either it's solved or the interest goes away. If the interest does not go away and there is no progress the Police "try new methods" which are little different to "fitting up" (the old "Justice has to be SEEN to be done, not ACTUALLY done" principle)

In the third case this is actually the primary way many pettty and some serious criminals are caught. Basicaly the cons concerned are not the brightest light bulbs in the town, they go down the pub/club and "big it up" infront of their supposed friends who then "grass them up". They also do stupid things with their ill gotten gains and become "flash with the cash" and it's obvious to most they have suddenly come into money without good reason.

If anybody is thinking of a life of crime consider a few things...

Firstly don't commit a crime that attracts public or political attention or worse effects a LEO or their family.

Secondly minimise the involvment of others, there is the old joke about "two people can keep a secret if one kills the other". To a lesser extent make sure you have way way more "dirt" on your accomplices than they have on you and significantly more serious than the crime you are about to commit together.

Thirdly if you can don't commit obvious crimes. In the UK most housebreakers that are caught are stupid they take items that will be obviously missed and often difficult to transport, they also make their "break in" obvious by smashing doors and windows. They then go about getting rid of their "plunder" in stupid ways. It is belived by some that in the UK there are some female house breakers who are not ever likly to be caught as most of their crimes have gone unnoticed. They take considerable care how they make their entry, they search carefully and never take things that are on display or will be obviously missed. This means the date and time of the crime remains unknown and importantly most "forensics" have been destroyed by the normal occupants of the house carrying out their ordinary every day activities including cleaning moving around etc.

But importantly take precautions not to leave forensics in and around the scene of the crime. You would be amazed by just how many crooks dont wear gloves, low lint clothing hair nets etc. Worse some eat, drink, smoke etc and leave waste in and around the crime scene...

Further if you are making a career of it change your MO often to avoid setting up patterns, make your crimes sufficiently far appart in time and geography such that they effectivly appear random. Never commit crimes on the spur of the moment, never steal what you cannot dispose of anonymously and safely, plan your way in and out of the crime scene, have a reason for being in the area if you get stopped by chance etc. Then there are alibi's to set up (actually easier now in these days of high tech than it used to be).

All of which is a great deal of hassle, and actually shows a very low ROI so if you have the brains to do this, your time would probably be better rewarded by honest toil 9-5 etc.

However there is an exception to traditional crime which is as we know cyber-crime, the difference here is "every where" is both local and disatant, so distance is not a constraint and you can commit a dozen or so crimes in different juresdictions to your own all at the same time. The "tools of your trade" only have development costs there is zero duplication and usage costs, and they can be made autonomous in operation so you can be an army of a million or so directed by one mind. Finaly there are ways to isolate yourself from your activities so you are difficult to trace and almost impossible to prosecute and provided each crime stays below a certain threshold in any jurisdiction you are unlikley to be investicated or even in some cases recorded as a crime...

But again if you are smart enough to do this properly you are still probably going to earn more money more honestly.

So in the majority of cases theft type crime is for the stupid, and does not realy pay longterm.

FuujuhiApril 29, 2011 6:58 AM

Do I need to "protect" my girlfriend against rape in the street?

Because if she's walking "unprotected" and got raped, certainly she must be found liable for her misery?

Then we could discuss on the degree of "unprotection" (wearing a dress, wearing a skirt, being beautiful, showing her hairs or not)...

If that's the world we are supposed to live in, I'd better shoot myself.

It is a constitutional right to let people live in freedom. It is not a duty to help the government become a police state. And that's the *only* reason to forbid people having open WiFi. Being questioned because some fraud originates from my network, ok, but found guilty without any other charges than running an open WiFi is breaking the fundamental principle of "innocent until proven guilty".

tommyApril 29, 2011 8:14 PM

@ Clive Robinson:

Interesting post, and some good points. But not directly relevant to the discussion between Nick P. and me regarding traffic stops for minor cause:

"The common saying regarding **the escalation of minor violations** is, "More people go to jail because of their mouths than for anything else."

We were discussing some factors that might influence the LEO to let it go with a warning, or to play hardball. Still, thanks for the enlightening post. It's pretty much the same in the US.

Only minor quibble is that studies have shown that some crime *does* pay. E. g., the professional jewel thief, Net scammer, etc. may make much more than any honest job for which they were qualified. And they generally don't pay the Income Tax on their earnings, although precautions must be taken to avoid being nabbed for tax evasion. See, for example, Al Capone in Wikipedia.

Also, didn't know if you saw it a while back, but I'm willing to discuss (privately) my proofreading any book, paper, etc. that you plan to publish, given your acknowledged difficulty with the mother "toung" (sic, from another post). Not being mocking or insulting here; we all have different gifts. You're well above me in knowledge of hw, for example, whereas I have a flair for language and for spotting errors in it. Cheers.

All Season RadialApril 29, 2011 11:35 PM

Will IPv6 make all this moot? When NAT is as extinct as a wooly mammoth, each device will have its own unique identifier, right? So the cops won't have to bust a *network*, right?

I maintain a WPA-secured guest network with an easily-ascertained PW for public use (please do NOT block my driveway:). On my highly-secured private network, all devices are assigned static IPs. Would this make any difference to officials investigating me in a case similar to the one causing the controversy? TIA for any thoughts.

asdApril 30, 2011 12:22 AM

@All Season Radial, Don't know about IP6, but you could have iptables or pfsence firwall between the wireless access point and the internet gateway, with the ip set to 0.0.0.0 and ttl inc by 1, to mask or make it hidden, and then run snort in full logging

TorstenApril 30, 2011 4:06 AM

I think from the security point, the question about open wifi just boils down to the question, if you consider your AP to be part of your personal LAN or just part of the internet.

If you treat you wifi as just a part of the "evil" internet, there is no additional danger to letting random strangers use it, because there are already random strangers on the internet.

The problem with open wifi is, that while you can choose both ways in regard to how you configure your own systems, the police (and probably most courts) will default to blame everything that happens from your IP / your ISP account to you. So until there is a clear legal rule that forces an real identification of the person that did something on the internet instead just who's account was used, running an open wifi (while technical possible and maybe even commendable) is just asking for trouble.

Clive RobinsonApril 30, 2011 4:51 AM

@ Tommy,

Sorry my point was to show that the 'issue with peoples mouths and the law' is way way wider than just low level violations of what amount to civic street usage codes. It also applies to many many criminals at all levels, which is why the Police are heavily reliant on it.

My comments were mainly addressed to 'petty crime' such as house breaking where the return rate on stolen goods tends to be very low (although there are ways to increase the ROI such as stealing 'boxed goods' to sell on as new or 'stripdown for parts' etc).

With regards proffesional and specialised thefts where crime can pay, the same rules apply, however they generaly take real care to not make it a 'Political / Public interest crime'. That is there is a line at which you can steal high value items but still not attract a major investigation and it varies greatly from place to place.

However the people who make it to proffesional theft or major, organised crime have often made it up through the petty criminal ranks by a little luck and being carefull.

As you say their issue is then not attracting the attention of the tax man etc. Essentialy they are into a different type of crime which is "Money laundering" which surprisingly has only started getting real legislation in the last decade or so of the last century.

Clive RobinsonApril 30, 2011 8:23 AM

@ All Season Radial,

"Will IPv6 make all this moot? When NAT is as extinct as a wooly mammoth, each device will have its own unique identifier, right?"

Wrong.

IPv6 might have enough adressess for every device to have it's own IP address but that does not mean they will be used that way (only that they could if IPv6 gets taken up).

One problem is how routing over IPv6 is to be done as far as I'm aware none of the proposed systems have been sufficiently stress tested to see just how viable they are.

Also NAT might have started as a way to solve the IPv4 address space issue but it has become way way more usefull than that (one first use was to get around ISP's charging for multiple systems etc, and that issue has certainly not gone away).

In many respects IPv6 was to little way to late. I can remember having to tunnel IPv6 through IPv4 back in the 90's just to link a couple of IPv6 sites together. And to be honest it did not feel any better five years ago which was the last time I seriously played with IPv6, and I can see people still talking about "when IPv6..." in another 15years, and then we will probably spend the following 15years sorting out legacy issues with the likes of embeded systems etc.

Nick PApril 30, 2011 2:21 PM

@ Clive Robinson

"One problem is how routing over IPv6 is to be done"

Yeah, I don't have too much faith in the existing methods. We see researchers regularly complaining that the routing tables are exploding for the ip4-dominated internet and they need new methods to handle it. Then, the same group later says IPv6 with it's trillion trillion (or whatever) addresses will be more manageable and solve our current problems? A slight bit of math says our current problems will grow exponentially if IP6 was deployed widely. We need new protocols that can handle this stuff and maybe a new architecture for the Internet as a whole.

Clive RobinsonMay 1, 2011 6:05 AM

@ Nick P,

"We need new protocols that can handle this stuff and maybe a new architecture for the Internet as a whole."

I could sugest it's time to re-visit the ISO OSI work as a starting point ;)

There is however a major issue that is rapidly becoming "the elephant in the room" and that's users and how they cannot do what technologists consider the simplest of tasks.

As an example how ordinary mortals deal with big numbers.

We know from telephone numbers that humans have real difficulty remembering even five digit numbers without some pre association (area codes etc). Likewise some people have trouble with 4 digit PIN numbers.

Also few can manage to remember 3 digits for the length of time required to write them down when copying large numbers. Added to which is most humans cannot "hold their place" in a long number without putting their finger on the page.

We know that most people cannot work with 32bit numbers even when in quad dotted decimalised byte format.

So how on god's little green apple do we expect them to deal with 128bit numbers, that they will need to put into their various "white goods" and "home entertainment" systems. Especialy when few can even set the clock on a VCR.

I sincearly hope we don't go down the way of some bluetooth implementations where the devices only allow a small subset of the valid range to be used...

We already know from WiFi that few people can correctly enter in the required key information etc first time (which is one reason why there are a number of Open WiFi systems out there).

To be usable IPv6 needs to solve that basic "ordinary human usability issue"

Oh on another note for those who's ISP does allow IPv6 traffic there is a little event coming up on the 8th of June this year, "World IPv6 Day",

http://test-ipv6.com/ipv6day.html

Let's just say I'm taking the view point that it could cause all sorts of unknown problems, so I'm planning to have all my backups etc etc done a couple of days before that and I'm not planning on actually doing anything of importance on that day or the next few after it that involves the use of the Internet.

Why...

Well if a ChinaCom technician can make a big chunk of the Internet unavailable by making a simple mistake in updating a border protocol, (especialy when it was a known issue that Pakistan made before them,) how much mayhem potential does World IPv6 Day have?

Speaking of border protocol issues did you pick up on the one just over a mothe ago when AT&T facebook users traffic mysteriously went via China and South Korea?

http://www.blyon.com/...

Although Barrett Lyon thinks it was probably an accident others including some posting to his blog do not.

Rodney Joffe, senior technologist at DNS registry Neustar, thinks it was probably deliberat (shades of APTness?) and has coined the term "route hijacking." to describe it.

It does of course open up a whole can of worms over PII data theft etc, some people have suggested the use of Secure HTTP to get around this, but that ignores the issue of phoney CA certs and MiTM pages etc.

tommyMay 1, 2011 7:29 PM

@ BRUCE:

I appreciate your hard work with EFF to protect our privacy and liberty. However, I looked at the linked EFF article, and there's a very weak argument included:

"(... WPA2 is often easy to break in practice)" - with a link to a cracking site. The site uses a 136-million-word dictionary attack, and for extra cost, another 284 million. Plus numbers-only, for up to 8 characters, for a total of 520 million possibilities. (For easy math in this discussion, let's make that a billion, or 10^9.)

Anyone using an 8-integer key, or "dog", "abc", "router" "password", any default pw, etc. has probably already been pwned a long time ago. So we discard that subset of users as irrelevant to the discussion.

Using only 14 of total keyboard characters -- usually, around 95 permitted -- gives 4 x 10^26 possibilities. So their dictionary has a 1 in 4 x 10^17 chance of a hit -- except that it will try real words, combinations thereof, leet-speak, etc. first, reducing the hit chances even further.

They say 55 minutes for the combined 420-million-word "extended" dictionary, so let's say an hour to include the 8-digit dictionary. So, using their speed to brute-force the above 14-character random pw could take more than 45 trillion years. I don't think it would be of much use to them by then :) - unless they got *very* lucky, very quickly.

Also, Martin Beck admits that his TKIP attack of 25 Feb 2010 is easily defeated by disabling QoS, which most home users would *not* be aware of, or more simply, by choosing AES instead of TKIP. My six-year-old router supports WPA2-AES, so I'm assuming all current ones do. When the user sets up the new router for encryption, they must choose one of these. Router manufacturers should either set AES as the default, or else include strong recommendations in the instructions to choose AES unless there is an overriding need not to do so.

So until someone shows an indefeasible method of cracking *any* WPA2-AES key, of any permitted length, statements like this rely on Fear & Futility: "Your WPA2 is useless, so why bother to use it?"

Again, thanks for all your hard work with EFF, but denying the usefulness of currently-available encryption weakens their credibility, and hence, the strength of the entire argument for open WiFi presented there.

Epilogue: Is the home user who doesn't know to choose WPA2-AES supposed to know how to set up the open guest network *plus* her own secure network, or how to protect his machine from guests sharing the network? (50/50 PC pronouns there. ;) You do, and many readers here probably do, but Real World, please.

RobertTMay 1, 2011 9:25 PM

OT
Just a thought!
Is there any real identity security / anonymity when you configure your browsing PC's to be significantly different to the average home PC?
Think about the metadata aspects.
How many others within, say 1sq mile, use your exact configuration (openBSD? liveCD? mac-changer? VM? Safari)
I think inadvertently you've just created a regionally unique cyberID. If they can collect enough metadata on this signature, than it will be just as useful as your actual name and address.
I wonder if having this configuration AND running TrueCrypt is reason enough to warrant investigation.

Welcome to the United States of Paranoia!

asdMay 1, 2011 10:10 PM

@RobertT , was mucking around to see if tracert programs and such, when detected got forwarding it to the otherside of the world..no luck so far :(

bloxMay 2, 2011 12:13 PM

So does this mean that (after the law enforcement have been sufficiently embarrassed with this case) running an open WiFi network gives you an alibi for downloading child porn as long as you do it to a separate laptop (running some different OS and what-now in case it gets remotely fingerprinted)?

Nick PMay 4, 2011 3:50 PM

@ Clive Robinson

"Although Barrett Lyon thinks it was probably an accident others including some posting to his blog do not."

I wasn't aware of the incident. Thanks for posting it. Reading the comments and article, most evidence so far leans towards it being a re-routing due to an unstable network. Commenter n3kt0n posted some good data on this and pointed out that many of those foreign groups have an IP presence stateside. He also believably claimed that these reroutings happen often & are due to how the modern internet works.

If anything, the article is a good reminder of an old adage: the Internet should be considered UNTRUSTED. Anytime the Internet sits between two endpoints, a MITM attack may be occurring. Many security researchers stopped paying attention to old MITM network-level attacks because of things like DNSSEC and the complexity of the internet. Well, the article goes to show that complexity and very dynamic routing can actually make events like that easier, whether deliberate or accidental.

Old advice still follows: protect communication over a hostile network at the application layer with most resilient protocol available. Currently SSL3/TLS for web apps. Of course, China does have a CA that can rubberstamp connections as good. I think we need to move to a hybrid model where we use CA's, but we get them from communities of users. The communities will have like interests on what types of CA's they trust and will vet them PGP-style with signing keys or something. The PGP model is a nice start at decentralizing trust in CA's. "Trust in Verisign, Comodo, & China" doesn't seem like a good model to me....

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..