I read this SANS paper and was surprised that they say using an open wifi network is illegal.  It was from 2003, so have things changed?

As long as someone doesn't bypass any security, or monitor communication, shouldn't it be legal to use resources from an open network?  I don't have to get explicit authorization to go to some website that was configured to be open, so why would I have to with a completely open wireless network?

If someone uses an open web proxy without explicit authorization, is that a crime?

If company X accidently makes sensitive documents available publicly on their website, you don't have to get explicit authorization to download them do you?

This whole can't use resources of completely unprotected, publicly available resources seems kind of ridiculous.

I know what you're saying, though. If it's open, shouldn't it be okay? Websites are open, and there aren't any laws about using open websites, but it's a little different. If I put up a website, and it's open to the internet, I probably had to take some steps to deliberately open that to the public. There would usually have to be a firewall rule specifically allowing that type of traffic to that specific webserver. If there is to be a domain, a domain would have to be purchased and DNS entries setup. These are things that specifically open the site to the internet, it doesn't usually happen by accident.

With wireless networks, it's different. The average user without any idea of security essentials would bring their new router home, plug it in, and say "it works!" and never change any settings, not knowing that they've created an open network. They're still not giving you permission to access their network, they just don't know any better. That being said, they probably would never know that someone connected, and wouldn't know that an illegal activity is taking place, but that still doesn't make it right for people to take advantage of it.

FL Statute 815.06 states:

I gave a presentation on WEP cracking recently, and had to know the rules before giving the presentation.

The law doesn't state that there are different rules whether or not you have security measures in place, the law is there to protect people who don't know any better. Not everybody who buys a router is going to have to knowledge to setup security. Does that mean that person is not responsible for their own security measures? Not at all. Everyone is accountable for their own network security, that's why there is a security field to begin with.

Like I said in my previous post, would that person even know that a crime was committed? Probably not. Does that make it okay? Absolutely not.

Most networks for free use make advertisements that this service is available. Typically a physical sign (a la coffee shop) or an acceptance agreement via the default page of the wireless service's site.

Apples and oranges...   Open wifi networks are everywhere and an intentionally open wifi network is indistinguishable from an unintentionally open wifi network.  Also, an AP offers its resources... if someone has an open door with a sign inviting you in, that shouldn't be a crime for going in.

Yeah, I know, but my point was you said the laws are to protect people who don't know any better, I was just saying it's going to convict those same people who don't know any better.


I see where you're coming from.  But rather than putting the responsibility on everyone else to go hunting for a sign, they should put the responsibility on the few people who own the AP to make an effort to secure it.  Because at some point negligence becomes a factor, for example today I heard some places make it a crime to have an open AP.  Those jurisdictions seem to have my point of view of putting the responsibility on the owner of the AP.

I understand the law, I just don't agree with it.    Personally, I view the combination of absolutely no security on the AP, and the AP offering its services as being authorized.  Similar to being authorized to come in my house if I have the door wide open (no security) and invite you in when you walk by (SSID broadcasts).

I know the difference is technical and not everyone is going to understand how to configure an AP, but that's why they should read the manual, or listen to warnings they get when configuring or connecting to their AP.

Now we're starting to get on the same page.

The only difference I have, is that I think the law is not the one that's at fault here. I think the hardware manufacturers, or maybe the 802.11 standard, should require you to protect the access point during setup, and make you jump through hoops if you are absolutely sure you want your AP to be open and unprotected. This would force the lazy or non-security-aware people to at least have some sort of protection, and if they actually went through the trouble of making it open, then they knew what they were doing.