Posted: 5/15/2007 12:07:00 AM EDT
What are the security risks involved with using someone else's wireless signal? Let's say you're sitting in your apartment, and you pop open your laptop and BOOM...a little balloon pops up and says "wireless network connections found" and you were to connect to their network to access the internet. Is it safe? What security threats does this pose, and would your neighbor be able to see all the midget porn sites you've been going to?
While using someone's WiFi without their permission is considered illegal in many places these days, you're also running the risk that they intended you to connect to their wireless just to see if they can capture your traffic as you log in to a financial institution, or PayPal or eBay, or other place that can either make it easier for someone to steal your identity or $$$. If you do piggyback on someone else's wireless you should just assume that it's an unsecure connection and not conduct any financial transactions during that connection. This story from the BBC has been covered here in the states too. This one just happens to be the first one that came up when I Googled "hotspot spoof".
Yup, I don't agree really. It seems to me you are both advertising and inviting the public in when you create an access point that both announces its presence and allows any card to associate that comes in range. Kinda like putting up a sign saying "Open House" then leaving the door open, then flipping out because someone had the nerve to walk into your home. All that said. You are skirting very close to some laws that have teeth. And you are a flat out fool if you start logging into banks and other protected sites while on one. For all you know I set it up simply to steal as much info from fools who connect as I can.
Well, I think you have to take into consideration the owners of the access points. Nine times out of ten they don't have the foggiest idea about their computers and how they work. Somebody at Best Buy sells them on getting a wireless router and they either don't consider or are clueless about the security ramifications. They just want it to work so they can surf. So it's probably not typically hanging the sign on the door inviting everyone in as much as it's they don't know any better.
re-read the second post in the thread. then think about how inconvenient it would be for you if all of your laptop data were lost or stolen. if you do nothing of consequence on your machine, you'll probably be fine. otherwise, you'll probably find it not worth the risk. a majority of users are completely oblivious to the risks out there. posting here, you are not. and even as an exercise in just because, the amount of time it would take you to harden your machine for use on an unknown network and then proceed to do nothing of consequence because even if you take all known precautions you are still not completely safe, it's only going to be useful in helping you realize how vulnerable you really can be. best case - nothing happens and you get the access you need with no ill effects...ever. worst case - you encounter someone with skills who can turn your life upside down and inside out five ways over for no other reason than because they were bored that day and you were stupid enough to stumble into them. worst worst case - the same as worst case but you'll never get enough information to know it had anything to do with your 30 minute foray onto someone else's wireless network...because even the guy running the wireless network was not aware he had an intruder. granted, the probability of it happening is small because most people capable of operating at that level have better things to do with their time, but if you spend 30 minutes contemplating how everything you know about yourself could be used against you it should give you real insight into the risks you ask about.
If someone does not lock their front door it does not give you the right to go into their house and steal from them. Stealing network access is the same thing.
This needs a little clarification. Network sniffers will NOT show everything that is "typed" on the keyboard of someone using said network. It will show everything that is submitted across the pipe. If the data is transmitted securely across the connection the traffic will just look like garbage to the sniffer. As an example, sniff the remote login for a telnet session and then compare that while using SSH instead. Same goes for SSL sites. If you have an SSL session with a remote site that traffic is encrypted. VPN...same thing. So yes, I wouldn't trust the connection in this example but if you watch what you are doing you won't let out your dirty secrets. Also, if you really want to browse that midget stuff on your neighbor's connection make sure you shift your MAC address before and after your session and then cover the rest of your tracks. Perverts.
That's the problem. The basic operation of the equipment clearly invites any user to connect. First it announces it is there, second it greets any card that answers automatically, then it hands out an IP address to the network and the client is now on the network. The people buying them have a totally different expectation of what this all means and are completely shocked to find out they opened up their entire home network to any dude on the block. Lawmakers have now criminalized the very open operation the devices were INTENDED to provide in the open configuration. Is that free access point the park, the gas station, the hotel, or Bob's house? I have had signals lower in the hotel than from the RV park next door. Care to guess what happened now and then if I wasn't watching closely?
This is a common theme here but I think it's very flawed. The same as putting up a website with no password and then attempting to scream at everyone for 'walking into your house'. I mean just because it's out there doesn't mean I can use it right? Wrong. The protocol says that you are offering a publicly accessible site by virtue of having a server listening on port 80. When you connect that to the public you can not then claim that everyone must keep out or face charges. You obtain that ability by creating locked content that requires keys to enter (passwords). Then it's fair to say that if someone busts the lock they are committing a crime. If you are ignorant of how to do this that is your own fault. The access point is OPEN and beaconing. That is not an unlocked house door, it's a flashing sign that says "I'm here, feel free to connect to me if you are in range". Many devices will do exactly that. That is how they were designed to behave. Trying to legislate in opposition to that creates a mire. There are lots of places and people who knowingly provide open access. Just like there are lots of websites that require no password. This makes the situation a little like stepping on a land mine if some guy with SSID linksys throws a fit when a dude sits down on a park bench and ends up on his network instead of wifilink001 for the public hotspot in the park. Intent goes a long way in my mind but that makes it really murky without fantastic logging. The only good way to know if someone is in the wrong being on your wireless is to secure the damn thing so every laptop in sight isn't picking it up and trying to join. The OS vendors are getting smart though. These days more and more you have to explicitly connect to an open AP rather than just automatically grabbing it when you get in range.
Intentionally doing it is called stealing. That makes you a thief. You can rationalize it, and try to find out where you fall in between the guy who buys a brick of .22 ammo knowing the clerk only rang it up as one box instead of ten, or the guy who robs old ladies, but you are still a thief if you steal.
[quote]That's the problem. The basic operation of the equipment clearly invites any user to connect. First it announces it is there, second it greets any card that answers automatically, then it hands out an IP address to the network and the client is now on the network. The people buying them have a totally different expectation of what this all means and are completely shocked to find out they opened up their entire home network to any dude on the block. Lawmakers have now criminalized the very open operation the devices were INTENDED to provide in the open configuration. Is that free access point the park, the gas station, the hotel, or Bob's house? I have had signals lower in the hotel than from the RV park next door. Care to guess what happened now and then if I wasn't watching closely?[/quote]
Back in my parents' neighborhood, there were at least 3 APs in range of each other that were all in the default open configuration (e.g. SSID 'linksys', admin/admin).... Any of the residents of those houses (or anyone who bought a new AP and plugged it in) could be using any of the other people's connections, depending on where they walked, and not know one bit of difference....
That is because someone's PC connected to 'free public wifi' at one time. Its wireless software is configured to that SSID and when 'away' from that site it will broadcast that SSID and make its own network under that name...
When a theft is committed someone is deprived of something (e.g. property). If you browse the net through someone's wireless network what was stolen and who was deprived of something? Some people purposely leave their network open for use. So how do you make that determination when the protocol was designed for simple connection and use? A Windows PC will automatically connect to any open network. Bottom line is that anyone with a wireless network should at least take one step to prevent unwanted users. If they don't then by the protocol's specifications it is an open network for all to use.
If someone is paying for a product and a service - internet service - and you intentionally take it without permission then you are stealing. If it is intentionally provided for public use and you use it, then it is not stealing.
Sorry, but you are wrong. Look up the definition of theft and stealing. This isn't the black and white issue that you are trying to make it out to be. Many states are struggling with this one as we also are here in this thread. If a state decides to make it illegal it won't be theft or stealing it will be something else but don't call it what it isn't. Just like people that call Copyright Infringement theft. It's called copyright infringement because that's what it is. Don't make up the law as you go. If you had said that in your opinion this should be against the law then so be it. My point is "How do you know when it is or isn't OK to be on the network"? Just by nature of your PC connecting to the network says it "might" be OK. In fact there are some providers that say it is OK to share your wireless network with your neighbor. So how do you know this isn't the case. Another poster pointed out how the protocol works. If you are in an apartment complex it is very common and easy to not even know you jumped off your network and onto someone else's. Bottom line is that there are at least half a dozen things you can do to your wireless network to prevent access. You should at least make a WEP key to stop the casual browser. Otherwise don't be surprised if a PC decides to hop on your network.
this is why i use MAC filtering, WPA2, and a strong password on the router... the mentality that the router is broadcasting itself and it's wide open means that it's free for the taking is absurd...
so if someone were to plug an extension cord into an outlet outside of your house and use the electricity to power their appliances that wouldn't be theft? since you can't put electricity in a "box"? or if someone tapped into your phone lines on the outside of your house and made long distance calls that would be okay too? since utilities are a service and not a physical product?
Bad analogy. If someone does that to me I have to pay for their use of those services. I incur an extra cost and I am deprived of money. If you hop on my already paid for network connection that I chose to leave open then no one was deprived of anything. Guys...I am not even saying I think it's OK to do this. What I am saying is that you need to secure your network just a little bit. I however don't think anyone should be criminally prosecuted for using an open network for legal purposes (i.e. no kiddie porn, etc...). Which brings me to another point. If you don't secure your router do you really want to take that responsibility?
I want to be his neighbor. Free cable, free long distance, free internet, free electricity... Maybe it would be permissible to siphon the gas tank once a week if he does not put a lock on it.
The difference is if you are receiving a signal you are unlikely to be interfering with the service. When someone steals internet they are using and occupying a portion of the service (reception and transmission).
Nope...none of those things would be ok to do. See my previous post why I feel that there is a difference between them.
So when someone takes from you it is not ok.
I am not justifying taking something from someone else.
Ultimately it comes down to intent. If the person that set up the WiFi network without some sort of protection (unknowingly) doesn't intend to share it with the public then it is not yours for the taking. If you knowingly access this network without permission with intent to use it (and not compensate the owner for the bandwidth they are paying for) you are stealing. Trying to rationalize it is doing nothing more than attempting to relieve yourself of guilt. The assorted arguments here won't stand in a court of law because no other reasonable individual would make the assumption that it was there for them to take.
Actually from what you said before, Cable, long distance and internet might be ok to take from you. Electricity no, because you are metered for how much electricity, but (at least for me) cable, long distance and internet are all flat fees, so you are not incurring an additional charge if someone else is using the service as well. I'm not saying your reasoning on the whole matter is wrong, and I do understand the whole grey area here. One argument is that let's say that I run a small business or some other activity that uses up a lot of bandwidth. If someone else piggy backs on to the system then that does take away some bandwidth and capability of the system from my own use. I think that that could be argued as stealing whether or not my radio is secure. Personally, I think it would be much easier if everyone just secured their network. I know that in my house, I can receive probably 3-6 other signals, but they are all secured networks.
I don't want to get in the middle of the whole theft/not theft thing, but I do want to point out some of the things I do on my home wifi to hopefully deter others from piggybacking my connection. 1) Enable MAC filtering. Yes, MAC addresses are easily spoofed, but doing so shows intent on the offending party to knowingly access my network without my permission. 2) Enable encryption. I use WPA2. Breaking the code is time consuming, and again shows intent on the part of the intruder to access my network knowingly without permission. 3) Change the SSID. I have mine clearly labeled "No_Public_Use". Again, anyone attempting to access my network without my permission is clearly not welcome, and therefore stealing bandwidth I paid for. I highly doubt I would have any trouble at all prosecuting someone for logging onto my network illegally. That said, unless I happen to notice someone in a vehicle parked outside my house for an extended period of time with a dim glow illuminating their face from an LCD monitor, I probably won't actually catch them. Using NetStumbler, or in my case iStumbler on my MacBook, when I first moved into my new home I was able to identify more than half a dozen wifi connections from the peace and comfort of my living room sofa. There were/are more than 4 open/unsecured WAPs available for me to use, which came in handy while I waited a few days for the cable guy to show up with my modem and connect my cable at the box. The pathetic thing was not that there were so many open WAPs, but that all of these were set up with the default configuration from the OEM, Linksys in this case which clearly leaves the login on all its routers the same, no username, password of "admin" (this is readily available in any online Linksys documentation, I'm not letting the cat out of the bag here). I could have easily locked these folks out of their own networks.
I could have just as easily secured their connection, but I imagine I would then have to track down the actual owner, tell him what I did, and give him (or her) the login info personally. One other problem with the "bring it home and turn it on" mentality is that all these folks had their routers running on the same damn channel and the same SSID, which wasn't helping anyone's performance. I'm still half tempted to print up a flyer, anonymously, that explains all this, and points out where they could go to learn about securing their networks, but I'm a little afraid that I'll be found out as the author and tagged some kind of hacker. Sorry for the LP, Matthew Leland, NC
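An added example, not part of the original post: a small audit of a site-survey export that flags the conditions described above (open networks, WEP, factory-default SSIDs, several radios sharing one SSID, crowded channels, and ad-hoc peers advertising a hotspot-like name). The CSV column layout, the `DEFAULT_SSIDS` list (only "linksys" comes from the thread) and the sample rows are constructed assumptions, not output from NetStumbler or iStumbler.

```python
import csv
import io
from collections import defaultdict

# Constructed sample survey (not real data); the column layout is an assumption.
SAMPLE_SURVEY = """ssid,bssid,channel,security,mode
linksys,00:11:22:33:44:01,6,Open,infrastructure
linksys,00:11:22:33:44:02,6,Open,infrastructure
linksys,00:11:22:33:44:03,6,Open,infrastructure
No_Public_Use,00:11:22:33:44:04,11,WPA2,infrastructure
HomeNet,00:11:22:33:44:05,6,WEP,infrastructure
Free Public WiFi,00:11:22:33:44:06,1,Open,adhoc
"""

# Illustrative list of factory-default SSIDs; only "linksys" comes from the thread.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}


def parse_survey(text):
    """Parse the CSV export into a list of dicts with an integer channel."""
    aps = []
    for row in csv.DictReader(io.StringIO(text)):
        ap = {key: value.strip() for key, value in row.items()}
        ap["channel"] = int(ap["channel"])
        aps.append(ap)
    return aps


def audit(aps, crowd_threshold=2):
    """Return {bssid: [finding, ...]} for every surveyed network."""
    bssids_by_ssid = defaultdict(set)
    for ap in aps:
        bssids_by_ssid[ap["ssid"]].add(ap["bssid"])

    findings = {}
    for ap in aps:
        found = []
        security = ap["security"].upper()
        is_default = ap["ssid"].lower() in DEFAULT_SSIDS
        if ap["mode"].lower() == "adhoc":
            # A laptop advertising a network name, not a real access point.
            found.append("ADHOC_PEER")
        if security == "OPEN":
            found.append("OPEN")
        elif security == "WEP":
            found.append("WEAK_WEP")
        if is_default:
            found.append("DEFAULT_SSID")
        if security == "OPEN" and is_default:
            # Untouched out-of-box setup: the admin login is probably default too.
            found.append("LIKELY_FACTORY_CONFIG")
        if len(bssids_by_ssid[ap["ssid"]]) > 1:
            # Same name on several radios: clients cannot tell them apart.
            found.append("SSID_COLLISION")
        # 2.4 GHz channels fewer than 5 apart overlap (1, 6 and 11 do not).
        overlapping = sum(
            1 for other in aps
            if other is not ap and abs(other["channel"] - ap["channel"]) < 5
        )
        if overlapping >= crowd_threshold:
            found.append("CROWDED_CHANNEL")
        findings[ap["bssid"]] = found
    return findings


if __name__ == "__main__":
    for bssid, found in audit(parse_survey(SAMPLE_SURVEY)).items():
        print(bssid, ", ".join(found) or "no findings")
```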
Vector_Joe, I agree with this. If there is someone on your network and it is preventing you from operating your business then yes a crime has been committed. When it comes around to prosecuting the individual they will not be charged with theft. You experienced a DoS (Denial of Service) and there have been many people prosecuted for such things. They may be charged with a couple other things as well but not theft. That's my whole point here. If you listen to what I am saying I am simply saying that this is not theft based on any law. Calling it theft is an opinion. tfod claims that I am "justifying taking something from someone" and that isn't the case. I even mentioned in my fourth post that "I am not even saying I think it's OK to do this". So please stop trying to twist my words.
Great post. At least do this for your friends and family. I have done the same and it's surprising that after I explain this to them how often I hear things like "I don't need to do that because I don't have anything to hide/protect".
Really? That's not what I'm hearing from other folks that do this for a living. Having a public AP and then prosecuting a case that stems from it are hard cases to win minus some other obvious hacking. Are you claiming there is no basis on which a person could say they thought they were using free wireless when they were not? Do you really think it's that easy to prove intent for casual surfing? I'm not rationalizing. It is the absolute unwillingness of the public to accept the basic fact that they were designed to operate this way unless you take steps to secure them that baffles me. If you know you are using a private person's connection then you are wrong, but then sorting all that out is stupid when all you had to do was take a moment or two to understand what you were installing and how to keep it private. To me it's like drawing lines over the grass and calling the inside 'my house' then acting like the neighbor kid cutting through the yard is a cat burglar for not respecting your 'walls'. It may not be perfectly right for him to cut through the grass but then it's perfectly stupid to secure your things inside pretend walls. This is not as black and white as some want to portray it and all the analogies are crude at best. Too many people with little understanding of what they are doing are writing laws that deal with this stuff and it is being done poorly.
I perceive a division between opinion here. On side "A" you have the opinion that people are responsible for their own actions and should respect other people around them. On side "B" nothing is wrong if you are not convicted and punished in a court of law for it. It is the responsibility of other people to prevent you from stealing their stuff. I will choose to be with the side "A" people. Honor and a moral code still have value to me. No further response from this is required. I rest my case.
You perceive wrong. But that's alright. No further response is required.
That's very generous of you, but you might consider the ramifications if someone starts doing illegal activities on your connection. Kiddie porn? Death threats against government officials? Fraud? It's the IP address that's in your name, and you'd be held responsible. To make it even scarier just go read about how successful the RIAA is in prosecuting music pirates with no more than an IP address. If you're really interested in providing an open access point I would seriously consider setting up a Linux box running something like ZoneCD from PublicIP.net. You can get an older PC and all you need is a CDROM, ethernet card to connect to your router, and a compatible 802.11xx wifi card. Users can be anonymous, or they can be required to create an account, free, that you can moderate. You can throttle bandwidth of any/all the accounts, so you can reserve some for yourself. Just be aware that you're operating outside of your service agreement with most home broadband providers by willingly and knowingly providing access to their network to people outside of your household. Not condemning you here, just presenting the facts.
Per the OP-
It is then safe to assume (in this case) that you are accessing a non-public network (read privately owned and operated). You asked-
I have used free wireless connections in hotels etc, and it was plainly obvious that their use was intended for patrons and such. In my state 13-1802.A.6 definition of theft is-
This pretty much sums it up here.
In my eyes you are still rationalizing. The unwillingness of someone to secure it is a moot point under the criminal statutes in this state. If you are using a service paid for by someone else without their permission (and not compensating them for it) you are guilty of theft.
+1 Living with honor and a moral code in such an instance will definitely keep you from being prosecuted.
I do not live my life worrying about the theoretical worst case scenario. If I did, I would not have a computer in the first place.
I didn't mean to offend, so I'm assuming the above is simply a statement and not meant as a sarcastic retort. I wouldn't dream of preaching, I just believe that taking some simple precautions might save you some headaches if someone with lesser moral values were to take advantage of your generosity. Or, said another way, good luck with that...
That software isn't that user friendly, and any packet sniffers do not forgot the packets in readable text usually. You have to piece together information to make sense. -d
No offense meant, none taken.
Again and for the last time... I have not yet once advocated the use of anyone's service. I have simply stated that if your privacy is important and you care about the service you will be deeply offended if someone else uses, then take minimal steps to ensure the public stays out. If this escapes you then I don't know how else to put it. I have visited more than one hotel with such obvious SSIDs as: Access Internet Open (as opposed to Secure) WiFi AP42 Main_Park (This turned out to be the RV park across the street. Was it open or was it their internal office net. How the hell would I know?)
I was wanting to know what the security risks are, not whether it's theft/not theft. I am already right in my mind as to if it's theft/not theft... If I were to use the signal, then I wouldn't be doing secure transactions...mostly just to browse. I plan on getting my own service installed in the near future, but didn't know what the security risks were IF I were to go on their network to browse the web until I got service connected. I do most of my internet activity at work, so it's really not that big of an issue.
I don't know what kind of neighborhood you live in, but if it's easy to identify which of your neighbors has the open access point you might consider asking if they mind you using it while you wait for your own to be installed. If one of my neighbors asked me nicely, perhaps even offering a nice 6pack of my favorite barley-pop, I'd be happy to grant them access.
I don't know about the rest of the country... but in the PRK (where I grew up) it is called "Theft of Services" and IS a crime. Probably a misdemeanor but a crime nonetheless. It includes using most any utility someone else has paid for. So if you drop a bag of household garbage in your neighbor's dumpster, you've broken the law. It happened to a neighbor: some kid broke her kitchen window (technically a burglary) to use her electrical outlet, and the police wanted to give him the word without screwing his record up permanently. So they charged him with theft of services. It stuck. That said: How about the use of an Internet hookup that IS open to the public, but intended for "Customers Only?"
The security risks are high.
