Unsecured wireless network debate. [Archive] - Glock Talk

PDA

View Full Version : Unsecured wireless network debate.


lomfs24
08-04-2005, 21:30
I have read a couple articles like this one....
http://money.cnn.com/2005/07/07/technology/personaltech/wireless_arrest/

I have read another article that I don't imediately have the link for but was on the same topic. And I have come to a conclusion. The conclusion is that no one, and I do mean NO ONE, in America wants to take any responsibility. They all want to blame someone else. It doesn't matter what for. And we can see it all too plainly here. So let's look at both sides.

We are going to look at a couple different types of people. For the sake of argument let's call them "white hats" "black hats" and "dunce caps".

A "white hat" would be someone who knowingly or unknowningly uses an unsecured wireless network for benign yet personal gain. Like checking email, surfing legitimate sites, etc...

A "black hat" would be someone who would use the same network for a malicious intent. Such as looking for personal information, passwords, hacking, launch point for attacks, etc... This person uses open networks as they are much easier than breaking a network first to get in. But would not have a problem with hacking a network if need be. He is the guy who doesn't say much and is thinking to himself "Doesn't matter what you do I will break it anyway."

Then the "dunce cap" would be a wireless network owner who doesn't have a clue.


Let's take a look at the "white hat" first. The supposed bad guy who simply logs on to an open network for no regard for anyone else to check his email. These are the people who I have heard say things like "My computer simply attaches to any network it sees and sometimes I don't even know that I am connected to the wrong one. How can I be held responsible for something I have no control over?" These are the people who think that there should be no laws. As long as people don't secure their router it's free game. News flash for you. Your computer doesn't have to be setup that way. There is a check box in your wireless settings that says "Connect only to preferred networks". If you check that guess what, it won't connect to everything it sees. What, you said you didn't know that option was available? Are you telling me that you don't know how to properly use the 802.11x protocol? Yet you are making suggestions to lawmakers on what to do about the technology? That's scary. If you did know that option was avaiable then I don't want to hear you whine about your computer attaching to any network it sees.

It's YOUR RESPONSIBILITY to LEARN how to run YOUR equipment.

Some think routers should be shipped with security on by default. Let's look at that for a moment. Right now they are shipped with default usernames and passwords. There are sites out there with lists of those usernames and passwords listed by model. In order to ship routers with WEP on by default then there would have to be a default WEP key. Right? How long do you think it would take to get the default WEP key and list it by model as well. That is information that would be supplied by the manufacturer and could be found on their website, just like default passwords are right now. That option won't work. I am sure there are people out there who are saying that routers could simply be shipped with individually distinct WEP keys. That means that each box would have to have a specially printed piece of paper or sticker that is unique to router. Then if you lost or forgot that key how would you get it back? That won't work either. Plus, it would drive the cost of equipment up to have unique keys on all routers.

Again, YOU have to learn how to run YOUR equipment.

So to the people who are "white hats" simply make your computer not log on to anything it sees. Then if you go to an unfamiliar coffee shop or hotel you can log onto their network manually. Then you don't have a worry.

The law that I would propose for these folks would be that all laptops must have the function that makes them automatically attach to a network disabled. I will explain why later.

Now lets look at the dunce caps. These are the people who are making suggestions to lawmakers to make attaching to their network a crime. They use feeble excuses like "I don't know how to set up WEP." "It's too difficult" "I can't afford to pay someone to come set it up for me". Etc..... If you have access to the internet, which I would suppose you do if you have a router, you can look up how to's, look up manuals, download manuals, read your own manual. There are ways to learn how to use WEP encryption. If you don't know how to properly use 802.11x equipment like routers the last thing I want you doing is making suggestions to lawmakers and lobbying for said laws.

Again it's YOUR RESPONSIBILITY to learn how to use YOUR equipment. Are you starting to see a pattern here. RTFM

Now my proposed law for the "dunce caps" would be that everyone must have their wireless routers encrypted.

Now, neither of the two laws listed above could or would really be enforced. So why have them? To make the exsiting laws have teeth. If the white hats had to manually connect to a foreign network, and everyone who doesn't want someone on their network have it encrypted the only person that would be in your driveway would be a clear cut black hat and could be prosecuted as such. However, if someone is in the driveway using your network and law enforcement arrests them and then checks the network owner and finds that they didn't have their network encrypted the law enforcement could look at them and say "We can and will arrest this person for using your network if you want but if that happens we can and will arrest you for not having your network secured" Charges would all be dropped and we could move on. And if you have your laptop setup to not connect to anything and everything you would have nothing to worry about.

I an not one who likes to see more laws. Yet the implementation of those two simple laws would make the other hacking and computer espionage laws have some teeth in the new wireless world. Because, with those two laws, there is a clear cut criminal. Even if it was a simple key, with only 64 bit encryption, the easiest to setup, someone would have to actively work to get on your network. Clearly breaking laws in the process. It would be simple to break but never the less would have to be broken. If you cut a padlock it doesn't matter if it's a big one or a little one, you broke the same law.

Of course, people would have to take the responsibility to learn how to run their own equipment. Which brings me back to my first statement. That is the problems with people in America today. NO ONE want's to take responsibility for their own actions.

Glock Bob
08-04-2005, 22:19
You bring up some good points. It reminds me of a girl I went to college with. We were both going for our BBA in Management Information Systems (databases and the like). I once asked her what o/s she was running. All she knew was that it was Windows and she thought it was XP (she didn't know if it was Home or Pro). I then asked her specifics about her system (RAM, HDD, CPU, etc) and she didn't know. I finally asked her what brand it was, to which she replied "it's black, that's all I know." It still amazes me that she graduated at all.

Clyde
08-05-2005, 08:16
lomfs24

+0.5 ;f

JinVA
08-05-2005, 08:49
I'm using WPA-PSK/TKIP...that's better than WEP, right?
I do pick up a couple unsecured signals in my house, but the signal strength is pretty weak anyways.

Wulfenite
08-05-2005, 17:00
I dont see what the big deal is with using a connection that someone leaves unsecure as long as there's no malicious intent.

They're paying for the connection by the month not by the byte.

If the tree they plant throws shade into the street I wont feel bad about standing in that shade.

NGWT
08-05-2005, 23:33
I feel the same way about cable tv and phone service.

I mean the pole is just sitting there on MY property. They won't lose any bandwidth if I just tap into that sucker.

Wulfenite
08-05-2005, 23:40
Cable and phone are selling a service.

This is more akin to watching a PBS broadcast but not sending them any money.

lomfs24
08-05-2005, 23:55
Originally posted by Wulfenite
They're paying for the connection by the month not by the byte. And you know this how? There is at least one company here locally where you pay a base of $5.00 for high speed internet but pay for every meg that goes through your connection. They offer other plans that are more akin to cell plans where you get so much free and then start paying. Not everyone in this country has a "pay one fee, use all you want".

JinVA
08-06-2005, 07:44
If someone's paying for bandwidth by the meg instead of month, I bet he's got the network secured and gives out the passcode on pieces of paper that self-destruct in 10 seconds. ;f

lomfs24
08-06-2005, 08:28
Originally posted by JinVA
If someone's paying for bandwidth by the meg instead of month, I bet he's got the network secured and gives out the passcode on pieces of paper that self-destruct in 10 seconds. ;f I worked for this company for about a year and a half. And oddly, there is nothing about your statement that could be farther from the truth. The people who actually bought this sort of plan in the little old granny who only checks email twice a month and emails Jimmy on Sunday's. She never once thinks of her router as a week spot cause after all, she turns her computer off when she isn't using it so she's safe right?

Then they show up one day confused about a $450 bill.

lomfs24
08-06-2005, 13:08
Originally posted by Wulfenite
I dont see what the big deal is with using a connection that someone leaves unsecure as long as there's no malicious intent.

They're paying for the connection by the month not by the byte.

If the tree they plant throws shade into the street I wont feel bad about standing in that shade.

Wulfenite, don't get me wrong by my comment about not everyone paying only by the month. I completely agree with you and even as I type this am using an unsecured AP provided by the local Chamber of Commerce. HOWEVER, not everyone agrees with this. So let's look at how the laws would impact this type of usage. If you had your laptop setup to manually connect to forgeign networks, as mine is, you would have to manually connect to it, as I just did, AND, if the Chamber didn't want me on it, it would be their responsibility to secure it. Thereby making my actions of casual surfing totally legitimate.

The case that I mentioned above would never go to court. The network owner would not have secured his network makeing the accused totally legit. That would be the purpose of the laws. To make everyone responsible for their own equipment. Allowing causal user like you and myself legal while still allowing regular laws have teeth for those who do choose to secure their networks. And making a clear cut criminal in the process.