When is using an open wifi network a crime?

Viewing 46 reply threads
  • Author
    Posts
    • #7127
      Eleven
      Participant

      I read this SANS paper and was surprised that they say using an open wifi network is illegal.  It was from 2003, so have things changed?

      As long as someone doesn’t bypass any security, or monitor communication, shouldn’t it be legal to use resources from an open network?  I don’t have to get explicit authorization to go to some website that was configured to be open, so why would I have to with a completely open wireless network?

      If someone uses an open web proxy without explicit authorization, is that a crime?

      If company X accidently makes sensitive documents available publicly on their website, you don’t have to get explicit authorization to download them do you?

      This whole can’t use resources of completely unprotected, publicly available resources seems kind of ridiculous.

    • #44359
      eth3real
      Participant

      It’s illegal to use any network that you don’t have permission to use.

      Legal: using wifi at a coffee shop that advertises free wifi.
      Illegal: using your neighbors wifi just because it has no password.

      I know there is a law for that in the state that I live in, but you’d have to check the laws for your area for the specific details.

    • #44360
      eth3real
      Participant

      I know what you’re saying, though. If it’s open, shouldn’t it be okay? Websites are open, and there aren’t any laws about using open websites, but it’s a little different. If I put up a website, and it’s open to the internet, I probably had to take some steps to deliberately open that to the public. There would usually have to be a firewall rule specifically allowing that type of traffic to that specific webserver. If there is to be a domain, a domain would have to be purchased and DNS entries setup. These are things that specifically open the site to the internet, it doesn’t usually happen by accident.

      With wireless networks, it’s different. The average user without any idea of security essentials would bring their new router home, plug it in, and say “it works!” and never change any settings, not knowing that they’ve created an open network. They’re still not giving you permission to access their network, they just don’t know any better. That being said, they probably would never know that someone connected, and wouldn’t know that an illegal activity is taking place, but that still doesn’t make it right for people to take advantage of it.

      FL Statute 815.06 states:

      Whoever willfully, knowingly, and without authorization accesses or causes to be accessed any computer, computer system, or computer network, commits an offense against computer users.

      I gave a presentation on WEP cracking recently, and had to know the rules before giving the presentation.

    • #44361
      Eleven
      Participant

      It’s not just not having a password, it’s not having any security at all.  If someone boots their laptop and an AP offers its resources, you can go to jail for using its resources?  What the heck?  If I setup a website and have a webpage I don’t want someone to connect to, it’s my responsibility to make some effort to limit access.  If I don’t do anything at all to limit access, and someone accesses it… without bypassing ANY security measure, without malicious intent, without any notification or indication it was intended to be private, using the services it offered, there is no way they should be guilty of a crime.

      Aren’t people often warned when they connect to an open AP that it is insecure?  It’s their responsibility to make some effort, even a small one to secure it.

    • #44362
      eth3real
      Participant

      The law doesn’t state that there are different rules whether or not you have security measures in place, the law is there to protect people who don’t know any better. Not everybody who buys a router is going to have to knowledge to setup security. Does that mean that person is not responsible for their own security measures? Not at all. Everyone is accountable for their own network security, that’s why there is a security field to begin with.

      Like I said in my previous post, would that person even know that a crime was committed? Probably not. Does that make it okay? Absolutely not.

    • #44363
      ziggy_567
      Participant

      Let me ask you a question, Eleven. If you were walking along in your neighborhood and you found that one of your neighbors had left their front door unlocked and windows open, would you go on in to the house and start using their water, electricity, cable, etc.?

      This is essentially what you’d be doing by using someone else’s open wifi. Sure, its not as bad as going in to their house and cleaning out their fine crystal, jewelry, and electronics, but stealing is stealing.

    • #44364
      l33t5h@rk
      Participant

      Most networks for free use make advertisements that this service is available. Typically a physical sign (a la coffee shop) or an acceptance agreement via the default page of the wireless service’s site.

    • #44365
      Eleven
      Participant

      @eth3real wrote:

      The law doesn’t state that there are different rules whether or not you have security measures in place, the law is there to protect people who don’t know any better. Not everybody who buys a router is going to have to knowledge to setup security. Does that mean that person is not responsible for their own security measures? Not at all. Everyone is accountable for their own network security, that’s why there is a security field to begin with.

      Like I said in my previous post, would that person even know that a crime was committed? Probably not. Does that make it okay? Absolutely not.

      I don’t know about that…  The same kind of people who are computer illiterate and don’t know how to make any effort to secure their AP are most often going to be the same kind of people who themselves are going to be convicted of using someone’s open wifi.  Heck, I’m a geek and I didn’t even know it was a crime.

    • #44366
      Eleven
      Participant

      @ziggy_567 wrote:

      Let me ask you a question, Eleven. If you were walking along in your neighborhood and you found that one of your neighbors had left their front door unlocked and windows open, would you go on in to the house and start using their water, electricity, cable, etc.?

      This is essentially what you’d be doing by using someone else’s open wifi. Sure, its not as bad as going in to their house and cleaning out their fine crystal, jewelry, and electronics, but stealing is stealing.

      Apples and oranges…  Open wifi networks are everywhere and an intentionally open wifi network is indistinguishable from an unintentionally open wifi network.  Also, an AP offers its resources… if someone has an open door with a sign inviting you in, that shouldn’t be a crime for going in.

    • #44367
      eth3real
      Participant

      Hate to tell you this, but not knowing the law doesn’t make it legal. You can defend this as much as you want, but I didn’t write the laws. You still need to check what it says for your area.

      @Eleven wrote:

      if someone has an open door with a sign inviting you in, that shouldn’t be a crime for going in.

      This is what we’re talking about. A sign implies advertising that it is an open service. If I have an unsecured house, it is not open to the public. If I have an unsecured wireless connection, it is not open to the public. If I have a sign stating that either of these are free, then by all means, go for it.

      Also, you can’t honestly say that you don’t know the difference between the wifi offered for free at a coffee shop, and an open wifi network in your neighborhood.

    • #44368
      Eleven
      Participant

      @eth3real wrote:

      Hate to tell you this, but not knowing the law doesn’t make it legal. You can defend this as much as you want, but I didn’t write the laws. You still need to check what it says for your area.

      Yeah, I know, but my point was you said the laws are to protect people who don’t know any better, I was just saying it’s going to convict those same people who don’t know any better.

      @eth3real wrote:

      This is what we’re talking about. A sign implies advertising that it is an open service. If I have an unsecured house, it is not open to the public. If I have an unsecured wireless connection, it is not open to the public. If I have a sign stating that either of these are free, then by all means, go for it.

      Also, you can’t honestly say that you don’t know the difference between the wifi offered for free at a coffee shop, and an open wifi network in your neighborhood.

      I see where you’re coming from.  But rather than putting the responsibility on everyone else to go hunting for a sign, they should put the responsibility on the few people who own the AP to make an effort to secure it.  Because at some point negligence becomes a factor, for example today I heard some places make it a crime to have an open AP.  Those jurisdictions seem to have my point of view of putting the responsibility on the owner of the AP.

    • #44369
      eth3real
      Participant

      I agree that anyone setting up an access point is responsible for protecting their network, from a security standpoint. If you don’t want your stuff to get stolen, don’t leave it out in the open. Obviously a malicious hacker is ignoring the law when attempting to gain access and steal information.

      However, my point is this: the law does not make any discrimination between an access point that is protected and an access point that is not protected. In my area, it’s very clear: “unauthorized access” is a crime. Being unprotected does not grant authorization.

    • #44370
      Eleven
      Participant

      @eth3real wrote:

      I agree that anyone setting up an access point is responsible for protecting their network, from a security standpoint. If you don’t want your stuff to get stolen, don’t leave it out in the open. Obviously a malicious hacker is ignoring the law when attempting to gain access and steal information.

      However, my point is this: the law does not make any discrimination between an access point that is protected and an access point that is not protected. In my area, it’s very clear: “unauthorized access” is a crime. Being unprotected does not grant authorization.

      I understand the law, I just don’t agree with it.  🙂  Personally, I view the combination of absolutely no security on the AP, and the AP offering its services as being authorized.  Similar to being authorized to come in my house if I have the door wide open (no security) and invite you in when you walk by (SSID broadcasts).

      I know the difference is technical and not everyone is going to understand how to configure an AP, but that’s why they should read the manual, or listen to warnings they get when configuring or connecting to their AP.

    • #44371
      ziggy_567
      Participant

      Its not apples and oranges.

      As with a house with an open door, an open wifi network is not an invitation to come on in and suck up bandwidth. There must be some other invitation other than the mere existence of the wifi network. Whether it be a hotel clerk telling you to connect to hhonors, a sign on the door of the Starbucks, or a landing page with a Terms of Use, there must be some sort of invitation to use the network.

      As with any legal question, if you are unsure of legality its best to not do it until you are sure. As ether3al has pointed out, ignorance of the law is no excuse.

    • #44372
      eth3real
      Participant

      @Eleven wrote:

      I understand the law, I just don’t agree with it.  🙂  Personally, I view the combination of absolutely no security on the AP, and the AP offering its services as being authorized.  Similar to being authorized to come in my house if I have the door wide open (no security) and invite you in when you walk by (SSID broadcasts).

      I know the difference is technical and not everyone is going to understand how to configure an AP, but that’s why they should read the manual, or listen to warnings they get when configuring or connecting to their AP.

      Now we’re starting to get on the same page. 🙂

      The only difference I have, is that I think the law is not the one that’s at fault here. I think the hardware manufacturers, or maybe the 802.11 standard, should require you to protect the access point during setup, and make you jump through hoops if you are absolutely sure you want your AP to be open and unprotected. This would force the lazy or non-security-aware people to at least have some sort of protection, and if they actually went through the trouble of making it open, then they knew what they were doing.

    • #44373
      Eleven
      Participant

      @ziggy_567 wrote:

      Its not apples and oranges.

      As with a house with an open door, an open wifi network is not an invitation to come on in and suck up bandwidth. There must be some other invitation other than the mere existence of the wifi network. Whether it be a hotel clerk telling you to connect to hhonors, a sign on the door of the Starbucks, or a landing page with a Terms of Use, there must be some sort of invitation to use the network.

      As with any legal question, if you are unsure of legality its best to not do it until you are sure. As ether3al has pointed out, ignorance of the law is no excuse.

      I guess it comes down to whether there should be an indication it is public, or an indication it is private.  I believe it should be the AP owner’s responsibility to notify it is private.  They don’t have to be an expert in security, they just have to read the manual.  Simple MAC filtering would be enough of an indication that it is private.  I’d even count having it open and naming the AP something like DoNOTconnect or PrivateNetwork; similar to a no trespassing sign.

    • #44374
      Eleven
      Participant

      @eth3real wrote:

      @Eleven wrote:

      I understand the law, I just don’t agree with it.  🙂  Personally, I view the combination of absolutely no security on the AP, and the AP offering its services as being authorized.  Similar to being authorized to come in my house if I have the door wide open (no security) and invite you in when you walk by (SSID broadcasts).

      I know the difference is technical and not everyone is going to understand how to configure an AP, but that’s why they should read the manual, or listen to warnings they get when configuring or connecting to their AP.

      Now we’re starting to get on the same page. 🙂

      The only difference I have, is that I think the law is not the one that’s at fault here. I think the hardware manufacturers, or maybe the 802.11 standard, should require you to protect the access point during setup, and make you jump through hoops if you are absolutely sure you want your AP to be open and unprotected. This would force the lazy or non-security-aware people to at least have some sort of protection, and if they actually went through the trouble of making it open, then they knew what they were doing.

      I agree 100%.  You’re right, ultimately the hardware manufacturers are responsible for creating this mess.  That we can agree on. 🙂

    • #44375
      El33tsamurai
      Participant

      @Eleven wrote:

      I understand the law, I just don’t agree with it.  🙂  Personally, I view the combination of absolutely no security on the AP, and the AP offering its services as being authorized.  Similar to being authorized to come in my house if I have the door wide open (no security) and invite you in when you walk by (SSID broadcasts).

      I know the difference is technical and not everyone is going to understand how to configure an AP, but that’s why they should read the manual, or listen to warnings they get when configuring or connecting to their AP.

      So instead of trying to “steal” or borrow in your case, their network why don’t you knock on there door and try to educate them.  Yes I know people can read the manual but there are “baby boomers” and “Gen X” people that these manuals make no sense to.  With knowledge comes responsibility, so instead of doing something malicious help these people out.

    • #44376
      eth3real
      Participant

      @El33tsamurai wrote:

      So instead of trying to “steal” or borrow in your case, their network why don’t you knock on there door and try to educate them.

      I actually did that once. The guy freaked out and turned off his wifi permanently.

    • #44377
      ziggy_567
      Participant

      I actually did that once. The guy freaked out and turned off his wifi permanently.

      That is an alternative solution….. ;D

    • #44378
      El33tsamurai
      Participant

      Better you told him, then “someone else” comes by and steals vital information from him.  Note the name of the site “The Ethical Hacker Network”, we are here because we want to do good not because we want to steal someones wireless or do malicious things.  

    • #44379
      Eleven
      Participant

      @El33tsamurai wrote:

      @Eleven wrote:

      I understand the law, I just don’t agree with it.  🙂  Personally, I view the combination of absolutely no security on the AP, and the AP offering its services as being authorized.  Similar to being authorized to come in my house if I have the door wide open (no security) and invite you in when you walk by (SSID broadcasts).

      I know the difference is technical and not everyone is going to understand how to configure an AP, but that’s why they should read the manual, or listen to warnings they get when configuring or connecting to their AP.

      So instead of trying to “steal” or borrow in your case, their network why don’t you knock on there door and try to educate them. 

      I don’t view it as stealing or malicious because they are offering a service.  And it’s not borrowing because they aren’t getting it back (they probably wouldn’t even notice it missing).  It’s simply using a service they offered.  If someone chooses not to shred their trash and they leave it in a public place like on their curb, it’s their own fault if someone takes their trash and goes through it.  If someone uses the trash for illegal purposes, or by passes security such as even the most insecure lock in the world to get to the trash or ignores a no trespassing sign, THEN that’s a crime.  If someone is broadcasting use of their open wifi to the world, it should be their own fault for not enabling any security and ignoring warnings that it’s not secure.

      Like I’ve said, there is also the analogy of someone creating a private web page on a website and choosing not to protect it at all and ignoring warnings.  Then the person who sees it advertised (indexed) in google, who has no malicious intentions, and clicks the link and that person should go to jail?  Nope.  It’s the sites owner’s fault for negligence.  Even though Apache defaults to making the web page public just like an AP might, even though the site owner has no idea what they’re doing, it’s still the owner’s fault for not making any effort to limit access.

      I never used an open access point.  I’ve never even owned a smartphone.  I’m about to get a wifi card for my desktop though to test my own wifi security and was hoping to also use it for open wifi networks.  Kind of bummed the last part is considered illegal.

      Yes I know people can read the manual but there are “baby boomers” and “Gen X” people that these manuals make no sense to.  With knowledge comes responsibility, so instead of doing something malicious help these people out.

      That’s the thing though, it’s not a matter of tech savvy people taking advantage of those who aren’t.  There are way more people who don’t understand technology than geeks, so I’m sure there are more computer illiterate people breaking this law than geeks breaking it.  But yes I have thought about yesterday and today of notifying people who may of accidentally have setup open wifi…

    • #44380
      yatz
      Participant

      @Eleven wrote:

      ultimately the hardware manufacturers are responsible for creating this mess.  That we can agree on. 🙂

      I don’t know about this.  The past few routers I’ve configured do a very good job of making strong suggestions to the user that secure is better, namely in these routers I would have had to jump through hoops and multiple warning messages in order to turn OFF security.  With WPA2, all you need is a PSK.  It’s another password, not even with the complexity requirements.  I don’t even care if the password is written on the router itself.  The problem is not manufacturers, the problem is always and will continue to be the human element.

      That said, open wifi is not an invitation.  Legally even the police can’t come into your house without a warrant, even if the door is open.  No explicit consent = no consent = illegal.

    • #44381
      eth3real
      Participant

      That’s good to know. I’ve seen way too many routers that you can take out of the box, plug it in, and it’s already up and running with a typical wifi name (like Linksys or Netgear), absolutely no protection, and utilize a default username and password for the admin console. Many people will see this, “it’s working!”, and never look at it again. While driving through my neighborhood with a laptop running airodump-ng or kismet, I can still find dozens of networks like this.

    • #44382
      Eleven
      Participant

      @yatz wrote:

      That said, open wifi is not an invitation.  Legally even the police can’t come into your house without a warrant, even if the door is open.  No explicit consent = no consent = illegal.

      It’s not just that the door is open (no security) it’s that the AP was configured to offer its services.  I don’t have to have explicit authorization to take someones trash, or view a webpage that has no access control.  Even though the owner may of considered them private, they are assumed to be public.  Entering and searching a house is a lot more sensitive than using internet.  If someone is monitoring communication of an open wifi, yes, that should be a crime.

    • #44383
      El33tsamurai
      Participant

      @Eleven wrote:

      @El33tsamurai wrote:

      @Eleven wrote:

      I understand the law, I just don’t agree with it.  🙂  Personally, I view the combination of absolutely no security on the AP, and the AP offering its services as being authorized.  Similar to being authorized to come in my house if I have the door wide open (no security) and invite you in when you walk by (SSID broadcasts).

      I know the difference is technical and not everyone is going to understand how to configure an AP, but that’s why they should read the manual, or listen to warnings they get when configuring or connecting to their AP.

      So instead of trying to “steal” or borrow in your case, their network why don’t you knock on there door and try to educate them. 

      I don’t view it as stealing or malicious because they are offering a service. And it’s not borrowing because they aren’t getting it back (they probably wouldn’t even notice it missing).  It’s simply using a service they offered.  If someone chooses not to shred their trash and they leave it in a public place like on their curb, it’s their own fault if someone takes their trash and goes through it.  If someone uses the trash for illegal purposes, or by passes security such as even the most insecure lock in the world to get to the trash or ignores a no trespassing sign, THEN that’s a crime.  If someone is broadcasting use of their open wifi to the world, it should be their own fault for not enabling any security and ignoring warnings that it’s not secure.

      Offering a service?  A service has to be advertised as a service which was post before.  So no its not a service.  

      “And it’s not borrowing because they aren’t getting it back (they probably wouldn’t even notice it missing).”  Jelly beans at the candy store are small and the owner would not miss if 10 or 15 were missing, so it makes it right to take 10 to 15 because he would not notice?  See this thing called “morals” tells me its wrong.

      ” If someone chooses not to shred their trash and they leave it in a public place like on their curb, it’s their own fault if someone takes their trash and goes through it.  If someone uses the trash for illegal purposes, or by passes security such as even the most insecure lock in the world to get to the trash or ignores a no trespassing sign, THEN that’s a crime.”  And if you check with the ISP they will tell you the same thing about using another persons internet ;).  

      “If someone is broadcasting use of their open wifi to the world, it should be their own fault for not enabling any security and ignoring warnings that it’s not secure.”  Like I stated before they might not understand and it takes “ethical people” to help them out.

      @Eleven wrote:

      Like I’ve said, there is also the analogy of someone creating a private web page on a website and choosing not to protect it at all and ignoring warnings.  Then the person who sees it advertised (indexed) in google, who has no malicious intentions, and clicks the link and that person should go to jail?  Nope.  It’s the sites owner’s fault for negligence.  Even though Apache defaults to making the web page public just like an AP might, even though the site owner has no idea what they’re doing, it’s still the owner’s fault for not making any effort to limit access.

      I never used an open access point.  I’ve never even owned a smartphone.  I’m about to get a wifi card for my desktop though to test my own wifi security and was hoping to also use it for open wifi networks.  Kind of bummed the last part is considered illegal.

      Yes I know people can read the manual but there are “baby boomers” and “Gen X” people that these manuals make no sense to.  With knowledge comes responsibility, so instead of doing something malicious help these people out.

      That’s the thing though, it’s not a matter of tech savvy people taking advantage of those who aren’t.  There are way more people who don’t understand technology than geeks, so I’m sure there are more computer illiterate people breaking this law than geeks breaking it.  But yes I have thought about yesterday and today of notifying people who may of accidentally have setup open wifi…

      You should do more then think about it, you should do it.

    • #44384
      yatz
      Participant

      @Eleven wrote:

      It’s not just that the door is open (no security) it’s that the AP was configured to offer its services.

      This is the source of confusion.  It’s not only the AP services that are being accessed, it’s the internet service that is being paid for by the owner that are being accessed.  Let’s consider them separately.

      1. Access to internal network from open wifi

      This is my point from earlier.  An open door does not imply consent.  The services the AP is offering provide entry into a personal network.  Just because the network is digital instead of physical, that doesn’t make it any less personal property.  The owner purchased the equipment, configured it for personal use, and it is serving the owner as such.  In the case where this serving is capable of supporting more than just the owner, it is still the owner’s property and requires the owner’s consent.  Unfortunately, there isn’t a very good way for an owner to grant that consent to a general audience, but this does not give blanket authority.  The consent is still required for access.  Getting a DHCP address on a network for possible access is equivalent to accessing a license, so yes, even connecting to an open wifi without explicit consent is not permitted.

      2. Access across subscription-based internet link to external network from open wifi

      This takes the same concept one step further.  Now the use is not limited to personal property use but also could violate the usage agreement between the owner and the service provider.

      Who is at fault if the owner enables this by disabling security?  Well, who is at fault if a car door is left unlocked in a mall parking lot and your CDs get stolen?  The owner may be at fault, but theft is still theft.  In the case of open wifi, the theft is just harder to classify.

    • #44385
      Eleven
      Participant

      @yatz wrote:

      This is the source of confusion.  It’s not only the AP services that are being accessed, it’s the internet service that is being paid for by the owner that are being accessed.  Let’s consider them separately.

      1. Access to internal network from open wifi

      This is my point from earlier.  An open door does not imply consent.  The services the AP is offering provide entry into a personal network.  Just because the network is digital instead of physical, that doesn’t make it any less personal property.  The owner purchased the equipment, configured it for personal use, and it is serving the owner as such.  In the case where this serving is capable of supporting more than just the owner, it is still the owner’s property and requires the owner’s consent.  Unfortunately, there isn’t a very good way for an owner to grant that consent to a general audience, but this does not give blanket authority.  The consent is still required for access.  Getting a DHCP address on a network for possible access is equivalent to accessing a license, so yes, even connecting to an open wifi without explicit consent is not permitted.

      2. Access across subscription-based internet link to external network from open wifi

      This takes the same concept one step further.  Now the use is not limited to personal property use but also could violate the usage agreement between the owner and the service provider.

      Okay, but how is that any different than someone who isn’t technical, spending money setting up a website they want to be private and not enabling any security what so ever to make it private.  If someone clicks a link to it, they haven’t been explicitly authorized to use the network and server resources that they didn’t pay for, but they can because it was configured to be open and therefore assumed to be public.  I just think open wifi networks should be considered the same way.

      Who is at fault if the owner enables this by disabling security?  Well, who is at fault if a car door is left unlocked in a mall parking lot and your CDs get stolen?  The owner may be at fault, but theft is still theft.  In the case of open wifi, the theft is just harder to classify.

      If the owner of the AP, configures their AP to offer its services without any restrictions, that should count as authorization for the same reason as when someone setups a web server to offer its services without any restrictions, it is implied authorization.

    • #44386
      Eleven
      Participant

      @El33tsamurai wrote:

      “And it’s not borrowing because they aren’t getting it back (they probably wouldn’t even notice it missing).”  Jelly beans at the candy store are small and the owner would not miss if 10 or 15 were missing, so it makes it right to take 10 to 15 because he would not notice?  See this thing called “morals” tells me its wrong.

      Again, I say the AP is offering its resources just like a website with no access control, so it’s more similar to being offered the jelly beans so no it wouldn’t be immoral.

    • #44387
      eth3real
      Participant

      Eleven, why are you trying to defend this so much?

      We’ve already covered the basics, having an open access point DOES NOT imply authorization, and the law EXPLICITLY says “unauthorized access” is a violation. What more is there to discuss?

      If you want to change the laws, send a letter to your congressmen. You asked why it was illegal, and we answered. The rest is an ethics question, and you already know where we stand. We can talk this in circles all you want, but now you know the law, it doesn’t matter if you feel like it should be okay or not.

    • #44388
      El33tsamurai
      Participant

      I feel someone is trying to defend there actions ;).

    • #44389
      Eleven
      Participant

      @eth3real wrote:

      Eleven, why are you trying to defend this so much?

      We’ve already covered the basics, having an open access point DOES NOT imply authorization, and the law EXPLICITLY says “unauthorized access” is a violation. What more is there to discuss?

      If you want to change the laws, send a letter to your congressmen. You asked why it was illegal, and we answered. The rest is an ethics question, and you already know where we stand. We can talk this in circles all you want, but now you know the law, it doesn’t matter if you feel like it should be okay or not.

      I’m defending my position as much as you guys are.  I understand the law that you have described.  I’m just saying the logic seems to be inconsistent.   You can make a single click of the mouse, have no malicious intentions, bypass no security at all, access a resource that was either intentionally or unknowingly configured to be open, a resource you do not own or pay for, a resource that has no indications it was intended to be private, and when talking about a wifi it’s illegal, but websites it is legal.  Does not compute.

      And no, as I said, I never connected to an open AP, My wifi card is on the way though, but now I’m just going to use for my own network; which is the main reason I bought it.  This isn’t even about me, I haven’t broken this law, but there are a TON of people who have.  I don’t see them as criminals.

    • #44390
      eth3real
      Participant

      Now that you know the law, you can assume that every open wifi network is unauthorized until you see a sign saying it’s okay, or ask permission.

      The moral of the story is that we didn’t write the laws, the laws don’t always make sense, but it is still unethical to break the laws regardless of your viewpoint. Just because you think it should be okay doesn’t make it okay.

      You say you’re defending your position as much as we are, but we’re not defending our position; we’re telling you what the law says. In the end, none of use can change the laws, we’re just telling you the facts.

    • #44391
      Eleven
      Participant

      @eth3real wrote:

      Now that you know the law, you can assume that every open wifi network is unauthorized until you see a sign saying it’s okay, or ask permission.

      The moral of the story is that we didn’t write the laws, the laws don’t always make sense, but it is still unethical to break the laws regardless of your viewpoint. Just because you think it should be okay doesn’t make it okay.

      You say you’re defending your position as much as we are, but we’re not defending our position; we’re telling you what the law says. In the end, none of use can change the laws, we’re just telling you the facts.

      Well it seemed to me like you guys agreed with the logic of the law and were defending it.  If you guys agree the law’s application of explicit authorization is inconsistent, but you should still follow it, you’re probably right.  But really the laws should be consistent.  When the average person has violated this one law and is a criminal, that’s a problem.

    • #44392
      eth3real
      Participant

      I agree that unknowing end-users of wireless routers should be protected from just not knowing any better. I don’t believe that this law is efficient in protecting those people, as most people don’t know the law exists, nor would the owners of the network even realize that such an event took place.

      I think these people should have protected networks, because I don’t think it’s right that they’re just open to anybody use their networks like we’re discussing. I definitely don’t agree with people legitimizing it “because it was open.” I don’t believe that the owners of open wireless networks are at fault for this. It is simply easier (in most cases) to leave it alone once it’s working, as most people who are not technical would be afraid of messing it up if they change anything. That’s not their fault; it should be easier to make it secure than easier to leave it open.

      Hardware manufacturer’s are not required to make the interface easy for people to use, or make the interface enforce any kind of security standards. Maybe that’s what needs to change, but I believe the current laws are fine where they are.

      You keep saying that the laws are inconsistent, but comparing it to a website is not a fair comparison. Wifi has a finite range, and it is easier to make it open than secure. If you made an open website on the internet, you had to go through the trouble of making it open on the internet, which can be accessed by the entire world. Not a fair comparison by a longshot.

      This is one of those laws that has good intentions, but very little effect in practice. Now that you know you’re “not allowed” to connect to open access points, doesn’t mean that there is anyone enforcing that law. If you go 5 mph over the speed limit, you are still breaking the law. Is anyone going to give you a citation for it? Probably not. Did you still knowingly break that law? Yes.

      My entire point of this, is that we need some kind of protection against attacks like this. If someone accesses my network that I did not authorize, I want to file charges. These wireless APs don’t come with a big disclaimer on the box saying “this may open your network to unauthorized access, potentially sharing your internet connection and network services to others in range.” Do you really think the end users are at fault for this?

    • #44393
      Eleven
      Participant

      @eth3real wrote:

      I agree that unknowing end-users of wireless routers should be protected from just not knowing any better. I don’t believe that this law is efficient in protecting those people, as most people don’t know the law exists, nor would the owners of the network even realize that such an event took place.

      I think these people should have protected networks, because I don’t think it’s right that they’re just open to anybody use their networks like we’re discussing. I definitely don’t agree with people legitimizing it “because it was open.” I don’t believe that the owners of open wireless networks are at fault for this. It is simply easier (in most cases) to leave it alone once it’s working, as most people who are not technical would be afraid of messing it up if they change anything. That’s not their fault; it should be easier to make it secure than easier to leave it open.

      Hardware manufacturer’s are not required to make the interface easy for people to use, or make the interface enforce any kind of security standards. Maybe that’s what needs to change, but I believe the current laws are fine where they are.

      You keep saying that the laws are inconsistent, but comparing it to a website is not a fair comparison. Wifi has a finite range, and it is easier to make it open than secure. If you made an open website on the internet, you had to go through the trouble of making it open on the internet, which can be accessed by the entire world. Not a fair comparison by a longshot.

      This is one of those laws that has good intentions, but very little effect in practice. Now that you know you’re “not allowed” to connect to open access points, doesn’t mean that there is anyone enforcing that law. If you go 5 mph over the speed limit, you are still breaking the law. Is anyone going to give you a citation for it? Probably not. Did you still knowingly break that law? Yes.

      It is their fault for not knowing any better.  This isn’t someone tech savvy tricking a user like with hacking; the users are notified their network is open.  I don’t know anything about cars, but if I choose to ignore an engine light, like someone does when configuring their AP or connecting to it, and say “well my car is working so I’m not worried about it” that’s my fault when something goes wrong. They configured the AP, they see the notification it’s not secure, it should be assumed it was intended to be public like other open APs, and websites.

      As for a website being an unfair comparison, it isn’t.  The wifi range has nothing to do with it. Also, websites, just like APs, and anything else, are easier to keep open than restricted.  As I’ve said, you could create a website you want public and have a page you don’t want public.  Regardless of the reason, if you do nothing to limit access to the page, it’s you own fault.  People aren’t criminals for clicking the link.

      I don’t want anyone connecting to my AP either.  That’s why I took measures to restrict access.  Something anyone can do.  If they can’t, there is the manual, google, message boards, free tech support, they could have a friend do it, or pay someone to do it.  Lots of options and no excuses for no security.

      My entire point of this, is that we need some kind of protection against attacks like this. If someone accesses my network that I did not authorize, I want to file charges. These wireless APs don’t come with a big disclaimer on the box saying “this may open your network to unauthorized access, potentially sharing your internet connection and network services to others in range.” Do you really think the end users are at fault for this?

      I definitely want anyone who attacks a computer to go to jail, but at the same time I don’t consider grandmas across the country making one click as blackhats who need to be jailed for violating the Computer Fraud and Abuse Act…

    • #44394
      eth3real
      Participant

      How about this:

      You didn’t know that it was illegal to access an unauthorized network.

      The people running open wireless networks don’t know that wireless security is something to consider.

      By your logic, you would be at fault for not knowing the law. You could have read up on the local laws and known better because that information is open to the public. You could have found it online, gone to a local library, etc..

      If people don’t know it’s a problem, how are they going to fix it? Are you going to be the one to inform the public that their access points need to be secure? Are really saying that leaving your access point unprotected that you’re giving people an invitation to access it?

      Let me ask you this, if you disagree with the law, what would you do to change it?
      If you think everyone should know better with their access points, how would you go about educating them?

      People obviously aren’t reading the instruction manuals that come with their products, and people obviously aren’t reading the laws for their area. What can you do about it?

    • #44395
      eth3real
      Participant

      You keep complaining about it like you’re offended, but you’re not offering any solutions? Try to help us out here. You have such a strong opinion about it, yet you’re making no effort to improve the situation.

    • #44396
      El33tsamurai
      Participant

      This is still going?

    • #44397
      eth3real
      Participant

      Eleven, just for clarification:

      Yes, the law implies that connecting to someone else’s open wireless network is a violation. But, the reality is, who could ever enforce this law? With so many open wireless networks, and so many laptops, smartphones, etc. utilizing wireless networks, how could anyone police this? “Grandmas across the country” are not going to jail for this. Seriously.

      You came here to ask:
      When is using an open wifi network a crime?

      The answer, written in law, is:
      Whenever you don’t have permission.

      End of story.

    • #44398
      El33tsamurai
      Participant

      Claps hands for eth3real

    • #44399
      Eleven
      Participant

      @eth3real wrote:

      How about this:

      You didn’t know that it was illegal to access an unauthorized network.

      The people running open wireless networks don’t know that wireless security is something to consider.

      By your logic, you would be at fault for not knowing the law. You could have read up on the local laws and known better because that information is open to the public. You could have found it online, gone to a local library, etc..

      If people don’t know it’s a problem, how are they going to fix it? Are you going to be the one to inform the public that their access points need to be secure? Are really saying that leaving your access point unprotected that you’re giving people an invitation to access it?

      Let me ask you this, if you disagree with the law, what would you do to change it?
      If you think everyone should know better with their access points, how would you go about educating them?

      People obviously aren’t reading the instruction manuals that come with their products, and people obviously aren’t reading the laws for their area. What can you do about it?

      It’s not okay to be ignorant of the law, but it is okay to be ignorant and negligent when it comes to security?  Not many people get legal notice that accessing an open wifi network is illegal without explicit authorization, yet the people who have open wifi ARE notified it’s open and not secure.  I understand it is illegal, I’m saying the law is also illogical.  

      The computer illiterate owners of open APs are not just “victims.”  Their negligence should also make them liable for crime when their wifi service is abused.  There is a big difference between due care and diligence and absolutely no security.  The latter is definitely negligent.

      Criminalizing the clients for using an open AP without malice, but not the AP owners for being negligent, doesn’t make much sense.  If one is a crime, the other probably should be too.  Which is worse?  Using an open AP to surf the web, or having your open AP be used to anonymously manage a 100,000 node botnet?  I’m sure if the police were aware of both situations, the guy who surfed the web would go to jail, yet the grandpa who configured the open AP being used to manage Zeus would get off scott free.

    • #44400
      Eleven
      Participant

      @eth3real wrote:

      Eleven, just for clarification:

      Yes, the law implies that connecting to someone else’s open wireless network is a violation. But, the reality is, who could ever enforce this law? With so many open wireless networks, and so many laptops, smartphones, etc. utilizing wireless networks, how could anyone police this? “Grandmas across the country” are not going to jail for this. Seriously.

      You came here to ask:
      When is using an open wifi network a crime?

      The answer, written in law, is:
      Whenever you don’t have permission.

      End of story.

      I guess you’re right, my question was answered… thanks! 🙂

    • #44401
      eth3real
      Participant

      If we criminalized people for being negligent, we wouldn’t have jobs in IT/security. ;D

    • #44402
      Triban
      Participant

      Part of me said to leave this thread to die.  But here is one other factor one should take into account before putting on their gray hat and using someone else’s WiFi….

      Lets say you are using it to do some “other” security research and you don’t bother to anonymize yourself.  Well now your neighbor’s IP gets logged while you are “testing” a website or downloading some malware “samples.”  Lets say that site was actually a government site and maybe not our government.  they intern start launching attacks on your neighbor and their system is compromised.  Next thing you know they are calling all their credit card companies and banks to file identity theft reports.  Or one more, someone uses their computer to hide child porn and some local law enforcement or fed track it down.  Lots of bad things happen because you felt that their “open” WiFi was an invitation for free internet. 

      As ethical hackers, we have to look past the open doors and windows and take it upon ourselves to tell the owners to close them when we find them.  Regardless if there is a law to protect them or not.  I am sure a savvy lawyer could get such a case thrown out in court by stating “Well they didn’t say NOT to use the open WiFi” and state that such signage wasn’t present. 

      Anyway just another way to think aside from the laws.

    • #44403
      Eleven
      Participant

      @3xban wrote:

      Part of me said to leave this thread to die.  But here is one other factor one should take into account before putting on their gray hat and using someone else’s WiFi….

      Lets say you are using it to do some “other” security research and you don’t bother to anonymize yourself.  Well now your neighbor’s IP gets logged while you are “testing” a website or downloading some malware “samples.”  Lets say that site was actually a government site and maybe not our government.  they intern start launching attacks on your neighbor and their system is compromised.  Next thing you know they are calling all their credit card companies and banks to file identity theft reports.  Or one more, someone uses their computer to hide child porn and some local law enforcement or fed track it down.  Lots of bad things happen because you felt that their “open” WiFi was an invitation for free internet. 

      As ethical hackers, we have to look past the open doors and windows and take it upon ourselves to tell the owners to close them when we find them.  Regardless if there is a law to protect them or not.  I am sure a savvy lawyer could get such a case thrown out in court by stating “Well they didn’t say NOT to use the open WiFi” and state that such signage wasn’t present. 

      Anyway just another way to think aside from the laws.

      Without a doubt, if someone is hacking they should definitely be punished.

      Anyway, I just found out New York has a reasonable law.

      New York law is the most permissive.[1] The statute against unauthorized access only applies when the network “is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system”

      https://secure.wikimedia.org/wikipedia/en/wiki/Legality_of_piggybacking#United_States

    • #44404
      Anonymous
      Participant

      I think using a open wifi is fine is that is the purpose of the wifi.(Resturants etc) However if there is a house that has wifi but has not set wirless password then connecting might be illegal in the UK I think its the responsibility of the owner to make sure it is secure.

Viewing 46 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?