Ready for another ethics question? "Stealing" wi-fi connection
 

Man Arrested for Accessing Wi-Fi Network

Florida man is charged with a felony after allegedly using someone else's home Wi-Fi network.

Stephen Lawson, IDG News Service
Friday, July 08, 2005

A man who allegedly accessed a home Wi-Fi network in St. Petersburg, Florida, from a parked car got logged off the hard way: He was arrested and charged with a felony.

Benjamin Smith III, 40, was arrested on April 21 outside the St. Petersburg home of Richard Dinon and charged under a Florida law that prohibits unauthorized access to a computer or network, says George Kajtsa, the police department's public information officer. A pre-trial hearing in the case is scheduled for Monday, according to the state attorney's office for Pasco and Pinellas counties.

Dinon saw Smith sitting in a parked sport-utility vehicle in front of his house and wondered what he was doing there, then saw he was using a notebook computer, Kajtsa says.

"What made him suspicious was, every time he looked toward the car, the guy closed the lid on his laptop," Kajtsa says. Dinon called police. When they came to the scene and approached the vehicle, Smith closed the computer again. The police asked him what he was doing and he finally owned up to it, Kajtsa says. Smith was arrested and the PC seized and sent to the Florida Department of Law Enforcement as potential evidence.

Dinon was worried that Smith might be doing something illegal or inappropriate, Kajtsa says.

"What he was concerned about was not so much that the guy was accessing his [network], what he was concerned about was what he was accessing," Kajtsa says. Dinon was afraid he might be linked to whatever Smith was doing because it was his LAN being used, he says. "This guy did not want himself to be identified as accessing porn sites or child pornography."

Little-Used Law
The state law under which Smith was charged prohibits accessing a computer or network knowingly, willfully, and without authorization. Kajtsa says it's the first time anyone has been arrested in St. Petersburg for using someone else's Wi-Fi.

"This is a very little-used statute," Kajtsa says.

Gartner analyst Ken Dulaney has no sympathy for Wi-Fi users such as Dinon.

"He should have put security on his wireless LAN system. It's the guy's fault that he left it open," Dulaney says. "Don't the police have anything better to do?"

Open wireless LANs are still common in many residential areas even though Wi-Fi routers can be set not to broadcast their names and tools for encryption have improved since the early days of the technology. Dulaney estimated that half of all wireless LANs are completely open to unauthorized users.

If you leave the keys to your car on the hood, and someone steals your car, is it still a crime?

You can say that the owner shouldn't have left it available and open for theft like that, but it's still stealing something that someone else paid for. And this isn't even as open to rationalization like software (the "if I copy it, it's a perfect copy and the original can still be used fully" argument) -- if you're using my wireless network, that's diminishing the bandwidth that I have available.

The person using the "free" wireless network could claim innocence ("Really? That's a private user's network? I thought the nearby coffeehouse was providing the free WiFi.") I doubt it would stand up in court, given the circumstances.

Here's the legal trespassing analogy:

If someone cuts across your lawn, that's not trespassing.

If someone jumps a fence to do it, that is.

It's very easy to put up a "fence" with any Wi-fi AP, if you choose not to, it is easily argued that access is implied. Certainly there is a strong legal basis for it, separate from an ethical question.

As far as diminished use, what if you're just reading some text mail or IM? You could hardly measure that traffic against a broadband connection. What if the owner of the system isn't home?

In this case it appears the user knew what he was doing. What about the cases where your computer just grabs the first available/strongest network, as Windows machines do by default? Should this potentially expose a user to prosecution?

What's wrong with the fence/yard analogy? Why should the same principle apply to Wi-fi?

I'd argue something along the lines of lack of technical necessity to know you need set up a fence for your yard. It's very apparent if someone's yard has a fence or not -- no tech skills necessary to understand that. Just getting the idea across that if you have a wireless router you need a "fence" can be quite a hurdle for some people. Of course it isn't a perfect analogy, which is the case for most things translated from software to real life.
What if you're spreading a virus? That probably doesn't need much bandwidth either.

Can you steal a car and get away with it if the person who owns the car was on vacation? As long as you return it before they get back, they lose nothing, right? I'm doubting that this argument would hold up in court.
Again, claiming negligence goes only so far. If the person who has the router is expected to put up a "fence", why is there a double standard for the person grabbing the WiFi? They should know better (according to the yard/fence analogy).

Be not inhospitable to strangers lest they be angels in disguise
 

Had this evil wardriver read the advice on this website:

http://www.flexyourrights.org/

the St. Petersburg police would probably have had a hard time to nail him.

No doubt, just asking the WLAN owner for permission would have been the smart way to go here.

Whether this degree of wrong-doing without even knowing what he was up to is reasonably punished by up to five years behind bars appears to be highly questionable however.

There are lots of slightly friendlier people out there who keep their WLAN open on purpose and if a 28-year-old veterinarian wants to keep his network free from the unwashed masses of kiddie-porn-peddlers, music-pirates and why not, while we're examining mainstream uses of the internet, terrorists, one should reasonably expect him to switch on encryption.

It should also be noted that, unless you use techniques like VPN, the risk goes both ways. If I cared to run the appropriate tools on the linux box that handles my WLAN-AP, I'd probably be able to grab a fair amount of mail and passwords from the passers-by I see...
Setting up fake for-pay hotspots to capture credit-card-info is more than just a theoretical threat as well.

I'm hoping with Carlos that, as the information sinks in, those who are hospitable to strangers and prepared to offer them a free glass of virtual water will continue to run open networks and the others will just keep their nets and doors locked and all will be just fine.
And the St. Petersburg police will have all the time they need to take care of +real+ third degree felonies...

Darwin has a theory to cover the weak links...

Every mile put on a car has a direct, obvious, and well-documented cost. In the US, nobody pays for broadband internet service by usage.

According to that analogy and legal precedent, lack of a fence implies that access is allowed. This is the current law, not something I'm pulling out of nowhere.

Yup, if he'd said, "None of your damn business, piss off," they could have done nothing. I'm guessing he started out that way and then weakened when threatened, so the cops were pissed and wanted to nail him on something to regain their masculinity and authority.

I thought Microsoft fixed that. The last time I helped a newbie get on the Internet at a coffee shop, their Windows machine wouldn't connect until we went into the wireless network list and checked "Allow me to connect to the selected wireless network, even though it is not secure." Seems that both Microsoft and Apple have been concerned about this issue (corporate accounts complaining about employee laptops connecting to their business neighbor's intranet?) and made it the default to not attach to the strongest signal without explicit approval or pre-authorization. If this is the default condition, anyone joining a stranger's network has made a conscious decision to enter that network.

You are right, you have to tell it to automatically connect to non-preferred networks now. From what I've seen, nearly all users do that, and then they end up on random networks. I often have to troubleshoot problems where they can't get to their resources because they've hopped into the wrong network automatically. Unlike Mac OS, where it asks you each time you encounter a new network, once you tell it to use them automatically it does it for all new networks.

Also, if you tell Mac OS to always connect to a network, any unsecured network with the same name will be auto-connected. Let's say you go to your friend's house and his router has a default name. You connect and tell it to always connect. Now you will always connect to any router of the same brand with the default settings.

Yes, because it's not their car nor their keys. The analogy also limps in that there are free, public wifi services, which the person arrested could say they thought they were accessing (as has been noted).

Interesting topic, but I'd have to agree that it's easy enough to protect a wireless network.

I think if you're parked outside someone's house using your laptop wirelessly, you know you are using something that isn't yours. If you are parked outside a Starbuck's, that's a different story.

It'll be interesting to see how this whole thing unfolds.

I just think it needs to be easier for the average (read: not used to delving into their router's web interface set-up to set up either a WEP key, access based on Mac address, or whatever other type of protection) user to 1) understand that they need to protect their wireless networks and 2) know how to do it

So the man was out in an SUV? I haven't driven in a while but I would guess it costs more to fill that tank up once than it would to pay for a monthly internet bill.

Man, I hate that. You'd think it would differentiate duplicate names by their MAC addresses. There's a coffee shop that has a router set to "linksys" so I have to allow that to use it, which means my PB can't be prevented from joining the "linksys" network from my neighbor at home!

Gas is just the start of it. Anyone who can afford to pay the loan payments, gasoline, insurance, maintenance, and license fees (all $$$$) for a large new car has to have enough cash flow to pay for broadband. Unless it simply isn't available way out where he lives and he has to drive into town to get it...or he doesn't want to have his particular flavor of downloads traced to his home IP address......

The more likely scenario is a traveler. I hop on any open access point while I'm traveling. I've parked in front of Starbucks, miscellaneous non-brand coffee shops, CompUSA, Fry's, Kinkos, etc (when they're closed, otherwise I go inside and buy product, fair trade). Never someone's house. I have hopped onto an AP named "linksys" at the local car wash a few times; I have no idea whether the wash owns it or a neighbor. I don't go out of my way to steal/crack/whatever, but if there's an open AP I'm going to use it.

I'd never consent to a police search or answer their questions, however.

Uh huh. And we as a society go around that by protecting our sick and weak. If society ran off of the idea that only the strong should survive, this would be a very different place to live.

This is a clear thing for me, I don't know why it is so hard to conceptualize for others. You are using something you did not pay for, and were not offered for free. By definition, that's theft.

I don't believe in a black and white world, so there are varying degrees of theft. Stealing internet service is nowhere near the same level as car theft, or swiping someone's laptop. But it's still stealing.

So going along with the fence/yard law (which I don't think is appropriate here, as I've already said). If someone cuts across your yard to go somewhere else, that's not trespassing. What about if someone sets up a lawn chair in your yard to catch some sun and read a book? Is it trespassing then? I don't know the law, but I'd be willing to bet yes. Why? The trespasser didn't consume anything that isn't still there -- air and sunlight are free. Maybe the grass has some dents from the chair, but those aren't permanent.

We don't make laws based on permanent damage. Some laws are based on that, some aren't. As much as I hate to skirt the issue of music theft -- if you steal someone's CDs, listen to them for a week (while they're on vacation) and return them -- stealing? If the car has "direct, obvious, and well-documented cost" but the CDs don't -- what does it take to admit that yes, indeedy, it's theft? Do you think a jury would buy the fact that the CDs were returned in the nearly the same condition? Again let me emphasize that I don't know law. But I'm inclined to believe that in this case you'd be judged to have performed a criminal act. Would you go to someone's house and use their phone for a local call without asking? Think it's legal?

I'm not talking the accidental connections -- if you set your machine to automatically connect to a "linksys" network and it latches on to someone's home network, there should not be criminal charges. But you should also disconnect immediately. But if you go sit in front of someone's house and intentionally connect to their open LAN -- hello, theft.

As more and more people learn more about computers and network basics, I think it will be less likely to have open networks that aren't intended to be open. But as I said before, there's a certain level of technical knowledge that comes with the configuration of a wireless network. And not everyone has that knowledge. On the other side of that coin, not everyone realizes that connecting to an open network could mean theft. Both sides need to be educated.

I don't particularly care if the neighbours use my wireless for email or browsing. I use theirs occasionally. Carlos can park by my place anytime. If you leave the door unlocked and announce "please come in" someone is going to do just that. HOWEVER, Mr. Smith the Third was up to something, and he knew it. Why he didn't just get a corner table in the local WiFiBucks and a privacy filter for the monitor will remain a mystery until the trial.

Lots of analogies limp. We are running into new territory with things like LAN access, so it's going to be very hard (I think) to find analogies that fit precisely.

If someone from some deep dark jungle had some driving lessons, and came across a car with the keys on the hood -- drove the car off, then returned it when they were done -- that I can see as not being theft. They truly didn't know any better. I'm fine with accepting that, as long as it's clear. Someone sitting outside a house in a car with a notebook? I'd be a lot less inclined to believe they didn't know better.

For those of us who have the technical knowledge to secure a wireless network, yes, it's not too difficult (although I've read plenty that "secure wireless" is an oxymoron). For my grandmother, who wants to be able to browse the internet from the patio with a laptop... not so easy. Depending on the router, of course. But my Linksys is not user friendly in that manner at all.

Just one last post on this for the evening, I promise.

If it's clear that it's a free network, great. Name it something obvious -- like "please_use_as_you_see_fit" or "open_network". If I was sure that my neighbors wouldn't suck up all of my bandwidth downloading pr0n or doing illegal things like distributing viruses, I'd be happy to share my connection. But it (obviously) makes me very unhappy to think of people who don't have the technical knowledge to secure their network being taken advantage of.

Everyone's talking about the criminal aspect of this, but I think it's more likely that the civil liability will be the bigger influence. Router manufacturers are selling a product that will work right out of the box, but leaves you open to a known significant and unnecessary risk. It doesn't seem likely that they won't have to take some of the blame.

Car makers today install many safety devices that work automatically, and I think you'll see router makers doing the same to limit their liability. You'll likely need to log into future routers via the ethernet port(s) and set the security parameters before you can use them with wireless devices.

Just to add something silly. When I had my first wireless router it came with a failure out of the box. Before knowing this I tried to configure it several times. In most of the ocations, when reseting the router, I had to look for a network called "linksys" but the card will pick the strongest one. Now most of us know that there's a high chance that one of your neighbors will have such an open network and indeed I was connected to his network thinking it was mine!. After changing the router password and Web Password, I practically forced him to reset his own router and loose his previous configurations (probably the factory settings given that he never changed the admin password).

In any case, I am liable for any "damage" I may have caused him?

R.

Unless my dictionary is defective, that's not true. My dictionary includes "deprive another of property" as part of the definition.

Legally no. It is trespassing only after you tell the person to leave, if they stay. Same applies to stores and other pseudo-public locations. The legal presumption is that you have to make a reasonable effort to let people know you don't want them there.

There has to be a presumption of responsibility somewhere. No technical knowledge is required, just the ability and willingness to read the easy directions. If you're unwilling to do that, well, then too bad. We expect people to know that they need to put gas in a car, and press the brake to stop, and other things which they have to go learn. This is no different. Also we have to define "taken advantage of." In this case, there is no evidence that any damage was caused in any way, so where's the loss to the person who didn't secure his network? How was he taken advantage of?

I have a lot of sympathy with these points. Personally I blame the lousy documentation and stupid web browser management interfaces for a lot of the lack of security in the access points. It's why I think quite highly of Apple's configuration tools for the Airport family, because they provide graded levels of the tools for different user skill levels.

heluani, I think at least the regulation they try to apply in the case at hand requires intent, so you're off the hook.

However, this example illustrates the complexity of the problem with at least three parties involved:

The owner of the AP, who might argue he bought an appliance and expected it to work securely straight out of the box.

The manufacturer who'd tend to retort that his customer is responsible for sensible administration of the documented features.

And finally the one who runs with more or less intent into an open network and uses it in all kinds of interesting ways and as heluani showed, sometimes even without being aware of it.

I don't think there are easy answers. What I see here looks a lot more like a field the general public does not yet have sufficient understanding about.

Everybody is pretty much able to define a half-way decent security policy for his own home. That may range from no-doors-locked in small rural communities to sophisticated access-controls planned by professional security firms depending on the risk assessment.
Yet we see a guy people trust with the lives of their cats and dogs not taking appropriate steps to enforce his no-passers-by-on-my-WLAN-policy. At this level of academic education, plain stupidity is not the most probable explanation.

The use of computers comes with lots of risks, many of which are not well understood, some hyped and exaggerated by the media, others ignored by all but security experts. The awareness that you need to address those risks, either by reading up and acting accordingly or by getting help from trustworthy experts -like you would to have a stronger front-door installed- is yet to come.
The perception that "having it just work" leads many owners of Windows botnet drones to the (wrong) conclusion that as long as their box doesn't crash or hog bandwidth like crazy, they're fine.

This is no excuse at all for makers of bug-riddled operating systems or access-point-designers failing to inform about the security features in order to reduce tech-support costs.

But in the end of the day and while we wait for that to improve, only an educated user will be able to reduce computer-related risks to a level he is willing to live with.

As Rod Serling might say, "submitted for your approval..."

http://news.com.com/Hacker+U.S.+defe...l?tag=nefd.top

Interesting. From the article it sounds to me like he should submit a consulting bill for his security testing services.

There's quite an interesting interview of that bloke in the Guardian

http://www.guardian.co.uk/weekend/st...523143,00.html

Here are the actual charges with the IPs of the compromised machines:

http://cryptome.org/ips-bared.htm

To keep it slightly on topic:
It would probably be rightly so considered evil if you drove by an open WLAN of someone you dislike, hammer the IPs in the document quoted above, then hide and wait for the MiB to come and kick his door ;) .

Really? This just sounds odd to me. With this logic to me it seems that I can go anywhere that does not have an express sign there telling me what I can and can not do and treat it as my own, whether it be a store, a person's yard, or a beach. So, if I like to smoke my cigarettes and just toss the butts on the grass I can, because that is what I would do at my place if the people didn't have a sign up telling me to use the butt can.

While the law might say that the person has to set up the rules, wouldn't common courtesy dictate that it's best to ask the "owner" what a guest can do? I highly doubt the person setting up the lawn chair on someone else's lawn would be so kind as to not come out with a shotgun to someone on their own lawn, or more to the point of the article I doubt the person who is sitting in his SUV has decided to allow others to use his home wireless network.

There certainly does need to be some responsibility. Technical knowledge is not the issue, neither is the choice to read the directions or not. Advertisments (by the companies) sell a user the world and don't tell them what is needed to be safe. As long as things are sold as simple when they are not there is going to be problems.

Finally, there are only a handful of those who take who are also willing to give back, as in share. Many who take aren't so keen on sharing though, so to me that is when it is wrong, most of the time not in a legal sense, but in a be nice to others way.

That's a good suggestion and one that I've seen implemented in airports (e.g., Airport - Free) and highway rest stops (WiFi - free).

Alternatively, the default name for routers could have "private" or something like that in the name and could ship with password protection with the password noted in the manual. That would go a long ways to solving a lot of problems; anyone wanting to change that config could dig a little more into the manual to see how to set it up.

-----

Agreeing with Craig and others on the difficulty of configuring a router; to this day, only IE works with one of my old routers, and who would think to try anything beyond their default browser? Some kind of admin utiltiy like Airport Administrator would be great! Getting it to work with the wide range of routers out there would be a challenge, however.

In that case, everyone - or at least those looking to cause trouble - would know how to log into an 'unconfigured' router. That's why I believe it will be necessary to limit access out of the box to those on a hardwired network. The buyer is then forced to configure the router if wireless access is desired. A web standards based interface would be best. I hate having to use IE to access my Linksys. ;)

Well, not if they have different passwords. That would be the ideal.

I like your suggestion as well, cwtnospam

A felony is way to harsh of a charge I feel. Even if they want to go to lengths to protect WiFi, a felony is an absurd charge. I can understand how breaking an entering into a network is similar to breaking into a house. But this is hardly malicious hacking we are talking about. it's parking on residential street to check mapquest on an someones open wifi. This "crime" is in the same catagory as murder!? Stealing something out of a store is only a misdomeaner, and in this case NO one was even harmed.

I am speaking more general, than this case. In this particular case it seems the person clearly knew he was stealing wifi and I understand him being charged, but a felony is much to high a price to pay for sucha minor crime.

Looking it up on Dictionary.com I see "a criminal taking of the property or services of another without consent". If theft is something that is only concerned with tangible things, tell me why it's illegal to hook into a cable box to get free cable.

Maybe theft isn't the perfect term for this. But we're down to quibbling over definitions of crimes -- an exercise I find to be completely pointless. Trespassing is maybe more appropriate, but only slightly. The exact word for the act of using someone's wireless network without consent is something I'm not worried about. I think I've made it pretty clear that I find the act to be wrong. I do agree with Twelve Motion, though -- felony is not appropriate here.

I would like to see routers shipped with the wireless network settings off. When the user turns on the wireless capability, they'd have to choose their own network name -- no more defaults of "linksys". This would, I think, drastically reduce the accidental connections to an open network which was never intended to be open.

You must have missed our threads where we discussed ethical issues pertaining to intellectual property, which would be included in the definition you gave (which is a good one, imo). So "tangible" has to include such realms as ideas, software, and even wi-fi signals, if it can be demonstrated that they rightfully "belong" to someone.

Getting lost in a residential area, and opening up your laptop to check mapquest using a random houses wireless is felony. Thats pretty absurd.

A person should be responsible for all of his own stuff. If there is a 20$ bill laying on the sidewalk, or a parking lot and someone picks it up thats hardly stealing I think most people would agree. If anything it's the fault of the person who dropped the 20$, he should be more careful and take better care of his belongings. Consider this being poorly protected and looked after wireless internet being "dropped" on the side walk or parking lot. If the WiFi is being broadcast over public property, and you are using it from that public property, I say it's public property, just like loose change on the ground. If don't want your stuff getting stolen, keep it out of the street. if you don't know how to keep it out of the street, then i highly doubt any amount of people using it will every bother you. If it does start to visible slow down a person connection he will initiate the next logical step and calle support. They will tell the person to lock it down and walk them through it. No law needs to be made for this.

You know what would be kind of cool. Anyone who has an open wireless at thier home, is allowed to use open wireless at other peoples homes. So if you are cought doing this sort of thing, the police would check to make sure you are doing it on you home router also. If you are, you are free to continue. Kind of like, giving a public service in order to use a public service. I haven't really thought the logistics of this out, but it seems pretty interesting.

http://www.freenetworks.org/

is one initiative among many to promote this idea.


And just for the record:
In the now-closed thread on copyright Phil mentioned

http://forums.macosxhints.com/showthread.php?t=37178

quite some participants would not agree that you own copyright the same way you own your accesspoint.

There is a very interesting lawsuit going on to challenge some alledgedly unconstituitonal changes to the US copyright-law:

http://cyberlaw.stanford.edu/about/c...ashcroft.shtml

Brewster Kahle, the guy behind http://archive.org tries to preserve orphaned works, something greatly hindered by the way copyright has recently evolved.

How do you get from being able to go onto private property to "treat it as my own?" You don't see the stretch there?

Do you really think you could be arrested for trespassing if you cut across a neighbor's yard? No, if it's an open yard. There are dozens of legal precedents saying that trespass doesn't apply to open land with no indication that you may not enter.

I'm sorry. I seem to have misunderstood what you said. After re-reading it I see it like the casino rule where they can at anytime call you a trespasser and kick you out or have you arrested.

That said, I do see many with the "treat it as their own" attitude and this to me is what makes things like this tough. Should they be legal issues. I really don't think so.

But - there are some good examples here of reasons here where I wouldn't be mad if someone used my wifi. Actually my neighbors and I share. When they are on the front stoop smoking they use my wifi, when I am on the fire escape in the back of the building I use theirs.

Let's take the lost and needing mapquest example. Now let's say that I found my directions but I figure that since I went through the effort to grab the laptop out of my imaginary back seat and I'm already lost and late so I might as well check my email when I am done getting the directions. Oh look - someone sent me that funny iFlea commercial. I should check that out. So I download it and watch it. Oh, might as well check the scores as well. It's not taking up a lot of the wifi resources to do this and the owner probably doesn't even notice me there - but it's at the point I decide that I will use someone else's something as my own that I really think I crossed the line.

To me, it's a lot more about respect then it is about the law.

I agree. My computer illiterate sister pays for a RoadRunner supplied/installed/configured wireless router. When first installed, I dropped in to check it out since I had offered to install a wireless router for her (to prevent the monthly rental fee).

The wireless access point was wide open to all takers! I told her that she was at risk of taking the legal heat for someone who might use her connection to do bad/illegal things and I advised her to call RR and complain until they reconfigured the router. I doubt that she called them and, since she doesn't generally listen to big brother's advice, I'll allow her to learn the hard way.

I'm somewhat surprised that RR would leave a router open like this.

-- Rob

The problem with asking manufacturers and providers to provide security is that it will cost a lot of money in support time. If someone can connect, they won't call. If they can't, they will. If they get hacked, too bad, the TOS says that's your problem.

The first company to start shipping routers with the wireless not ready to use will need a huge tech support budget. So why do it?

I like the idea (mentioned above) of an admin utility that you'd have to install and configure to enable the router. This wouldn't need to be complicated -- maybe just a few check boxes, with the instructions right along side. That shouldn't be so hard to do and might even help to save tech support a whole lot of time. Chances are that people who DO want to go beyond the default setup will need some kind of help, so a utility app would cut down on that kind of support time.

If you can connect, but can only get a web page telling you that you need to set up your router and how to do it, you won't have a reason to call. ;) Of course, that will require the router makers to employ people who can write in complete sentences. :eek:

Linksys has a setup utility for its bridges and some other stuff, so it shouldn't be hard to make one for the routers. However, even with bridges they get a lot of calls from idiots who don't read enough to know that they need to run the utility. They were talking about shipping the bridges with "connect to anything" turned on by default.

Make something idiot-proof and the universe will counter with a better idiot.

Nothing beats plug and play, unless you can come up with a fiendishly clever marketing spin to sell the extra security as being a feature rather than an annoyance +and+ get it right so it won't induce too much tech-support calls.

Not seeing any regulation coming neither, at least not until RIAA and friends have yet another brilliant inspiration and get a bill passed to shut down all those p2p-sucking WLAN-parasites ;) . Getting access points with crypto on by default would indeed -for the wrong reasons- be a Good Thing.

Thing is, they'd probably try to outlaw community Wi-Fi as well while they're at it, so finally not such a good idea...

The liability in the long run is likely to cost much more than the tech support calls. It's really just a matter of time before somebody sues router makers over this. When that happens, you'll see them lock down every system they sell.

Apple ships computers with everything locked down (ports and services) and this is, in part, why OS X is considered so secure. I see no reason why router manufacturers can't do the same. Advanced needs always require extra knowledge so users with advanced needs should be prepared to educate themselves or pay someone who has the skill to help them.

Furthermore, even though I'm generally against passing more laws and regulations, I feel that in light of all the zombie computers out there, all computer users who plan to connect to the Internet should be required to pass a basic, security related test before making the connection (it should be required by ISPs instead of relying on legislators who know little about computer/network security). With that said, I certainly don't see the need to accommodate users' lack of knowledge by installing a wide open router.

-- Rob (activating flame shield)

Because a locked-down Mac can still initiate outbound connections and do what the average user wants to do.

A locked-down wireless router would appear "defective" from the end user perspective. I mean, if the user is too lazy or ignorant to read the "quick start" and enable security, then the user is probably not going to figure out how to connect to a secure router either. Nobody calls the router vendor to complain that it worked out of the box. They will call when it doesn't.

Rob, we share the conviction that more red-tape is probably a bad idea.

The problem for crypto on APs is not that much the fact that it would generate slightly more tech-support-requests, but the competetive advantage for those who don't bother. If the major vendors can get their act together and agree on a common agenda, that would probably be the best solution.

And before requiring an internet-permit, it might be just as efficient to have a closer look at the security model (or complete lack thereof) of that other operating system with a scaringly high market share. If a default-install of a Windows PC directly connected to the internet only has few minutes to live before it gets converted into a botnet-drone, it is probably not the user who is to blame for more than the poor buying decision he made.

If manufacturers sell something as easy, well the customer expects it to be easy to set up/use/maintain.

If manufacturers sell something as "this product takes a bit of know how, but once you know the how it's a rocking product" then the customer knows what they are getting into.

Computers (and all the goodies that go along with them) still are sold as something easy, when in reality they are not. They are complex machines that are built to do many things while most machines are built to do one thing and one thing only. Manufacturers/sales people/etc aren't going to explain to the buyer that they might need to learn something to use it properly because people (in general) will not buy it then. They don't want to invest all the time and money is something like that. That drives up cost and lowers profits.

Right! It's the guy who recommended he get that system who's at fault. :D

Then maybe the router manufacturers need to add a Little Snitch-like feature where even outbound requests are initially questioned.

I'm sorry but given the amount of money that is spent addressing the problems created by zombie computers, I feel that there is no obligation to make it easy for ignorant people to connect to the Internet. If they refuse to be responsible for their own equipment, they shouldn't be allowed to connect. I have family and friends who fall into this category and I would be happy to unplug them. We (USA) require permits for stuff with far less impact on the world in general (fishing, hunting, cutting hair, garage sales, etc.) so why not for something that allows a user to inflict damage that can cost millions/billions of dollars to repair or guard against. It's time for people to be responsible for their own actions/inaction, even if it costs them extra time and money, instead of requiring equipment/software to be dumbed down to the lowest common denominator.

In the end, I reckon all of us will always be required to pay for the ignorance of others since it's the easy way out.

Peace. :)

-- Rob (who plans to avoid a drawn out debate on the issue)

I have just disconnected from my own wireless connection and taken my pick of my neighbours wireless connections to write this message! :D


really.... I am serious..... I have choice of 4!...... idiot windoze users!

How would you implement that? How can you put up a screen on the user's computer when it can't even connect because the AP is secure?

I agree 100%. Somewhere around 1996 I saw that it was getting easier to connect to the internet, and we were the worse for it. I had a poster over my desk saying "You must be at least this smart to use the internet" and it had an arrow right between "mollusk" and "ape." I firmly believe it should be harder to get on the internet, because when it was, it kept out the riff-raff. Same with driving and other things which people should make an effort to learn. Not by licensing, which is pointless (does anyone really believe a driver's license confirms skill??).

However, there is still the issue that it is better for the manufacturers to make the product easy rather than secure. The dumbest people are also the cheapest, and won't pay more for the better product.

Between my house, my parents house, and my girlfriends house I have a pick of over 13 different wireless connections. It's easier for me to commit a felony than ever!

Will keeping stupid people off the net make them smarter ?
 

If I could get back to the golden days of the internet when Jon Postel +was+ the IANA, AOL users couldn't yet post to usenet and your e-mail actually consisted of meaningful, non-html messages you wanted to read from the first to the last, yeah, I would.

However, I'm afraid that is not going to happen before time-travel gets ready for prime time.
So far, the net has proven to be quite efficient in doing its own net.police thing and the only problems it has a hard time to deal with are botnets spamming and DDoSsing like there was no tomorrow essentially because it is so scaringly easy to 0wn Windows.

In a world where microwave-oven-makers feel compelled to explicitly discourage the use of their product to dry cats, dogs or anything else still alive, something has clearly gone terribly wrong.
But preventing dense people from using the net and thereby potentially wisen up is probably not the best way to go neither.

I don't know how it might be implemented. Maybe access from the LAN side to the router could be allowed for the purpose of throwing up an informational page that advises (a) of the evils of insecure connections and (b) how to secure the WAP. I'm not ignorant nor am I an expert, so I'll leave it to the experts to come up with a solution. :p

Sad. :(

-- Rob

I fully agree that forcing someone to log in via wired would be IDEAL. However, the support burden for the company doing that would go through the roof, as would product returns. I don't think you could argue that. People would say it's defective because they plugged it in and can't see it.

So what's the motivation for the manufacturer?

BTW, how does an Airport Extreme or Express come configured? I've never used one.

To reduce liability and avoid some very expensive lawsuits. Naturally, they won't begin to act until they start to see suits being filed, but that's just a matter of time. ;)

Carlos, my son-in-law has airport and uses the Airport Admin utility to configure it.

See this page for info on how to set up AirPort Express. It makes use of a connection wizard that apparently interacts with the Network preferences (you can use the AirPort Admin utility, too). During this process, you can name your network and set up security. So that's the way Apple has handled it -- not exactly plug and play -- and it would seem that other Wi-Fi router providers could do the same, maybe even interacting with the AirPort Admin utility.

So when you plug in an Airport router it doesn't work at all out of the box? Does the config have to be done by cable?

Anybody who sets up a router himself, can also set it up to have an encryption (even if it is weak,it's enough to blow off most).
The problematic cases is the ones that don't know, when the neighbour kid did it or some bad tech service that never filled em in.

I personally think if someone leaves his network open, it's not like leaving your car keys, it is more if you are in a park and invite everybody to have a seat on one of the benches and use the beautiful sunlight and air. Appropriate behaviour expected, please don't crap on the bench or assault the others.

Those who are not conscious of these dangers and leave their network open anyway, they need to be filled in. In some regions it is dangerous to sit down in certain parks too and not everyone knows about it. Information on these topics should be mandatory.

I can't believe there are some posts that say hooking up to unsecured wifi (that is not expressly declared as public) is not theft. I often use my broadband for business purposes. There are times when I need to download a couple hundred MB of project files. Now, I paid for a certain amount of bandwidth, and I'm not rich, so I'm on a rather low DSL plan. If one or more unauthorized users were to use my line and download some large files of their own at a time when I need full bandwidth, they are depriving me of value. Theft.

Now, I'm aware of that, and I don't want them or the potential liability for their actions, and I'm lucky to have the awareness and motivation to figure out my home network equipment, so my wireless network is invisible to casual users and WPA-secured. But if I was more naive, theft would be possible.

Let's say you leave your cell phone on a table, and while you're out of the room, someone you do not know who "really needs" to make a phone call picks up your phone without permission and does so, and in doing so, manages to use up some of the limited minutes you paid for. That seems like a similar form of theft.

I'm not pure, I've jumped on such networks myself. But I think it's best to avoid them, and not just for moral reasons. For one thing, if you can see them, they can see you. If you happen to jump on a network where a savvy user exists and monitors traffic (let's say a parent is too naive to secure the family router but their kid happens to be running a sniffer from his bedroom), all your unencrypted traffic is quite readable to them. Most of my friends do not know enough to set their e-mail client to use a secure e-mail protocol, for instance. At least I do that.

I think the manufactureres should take responsibility for thier products.
I understand why devices do not come with encryption turned on, but...

It is too hard for the average home user to setup wireless security and if they can activiate it on the router, they can't join their computer to it. So they end up not using it because of the hassle.

Most users think that "I don't have any critical files, so I don't have anything to steal" so they don't bother with security.

Users should be made more aware of the issue. Routers that "nag" until encryption is turned on. Easier Setup on devices, like Linksys's "Secure Easy Setup"(not perfect, but a start.).

On the other side of things, because the router is sending out a signal that anyone can pick up, it's way to easy to "jump on" and use. If you use a CB Radio to communicate with your buddy, any one else can listen in, they just need a CB radio too. Radio scanners have been picking up broadcasted signals way before Wireless Networks.

People will always take what they can get for free, and sending out a wireless signal accross the street is easy to pick up. So right or wrong, to stop people from using your network I think it's up to the user to secure thier network and the manufacturer to supply easier to use products.

I use both WPA2 and MAC Filtering and turn off SSID broadcast so you're welcome to use my wireless network anytime.

I can't believe there are some posts that say this IS theft. How are you to know if the AP is intentionally public or not?

No it's not, they're just lazy. And if they're not bright enough to make it work properly, they should hire a professional to make it work properly. Should electrical cable manufacturers be liable because they don't make it simple enough for a homeowner to wire his own stove?

There is a price for being stupid and/or lazy.

If WPA2 is cracked, the others are completely irrelevant. Since WPA2 so far is uncrackable in a real world situation, the other stuff is not adding security, just inconvenience.

limited bandwidth
 

Limited bandwidth does not apply to everyone, so in the countries where bandwidth is usually unlimited, you can use my park-analogy (even though I think it's stupid to waste that many analogies on this topic). You don't actually harm the users and in most cases when you use someone else's WLAN you hook up, check your e-mails and off you go, no harm done.
The few cases, where you actually abuse your neighbours' WLAN (I don't really see why you can't ask then. For a tech kid, it should be easy to persuade elderly neighbours, that it doesn't change a thing for them, if he uses their router and offers some computer help in exchange, but I guess most tech kids are too introverted for that.) that might mean, that you steal their bandwidth and they have to pay more than usual, but in some countries, Sweden for example, this just is not true, most users here have high speed and unlimited traffic, they won't ever notice, if someone uses their connection (except if he really slows it down, but I hope that will be reason enough for them to take a look at their settings).

I also think that the manufacturers should take the responsibility to inform their users, but please NO nag screens, there are actually users who give and get and want their network to be public. In my hometown for example, there are students, that open up their WLAN network and give access to their public files and that's kinda cool.

Nag screens aren't needed. What's needed is for Wireless to be turned off by default. Using the same web page for both turning on wireless and security settings would put the burden squarely where it belongs: with the user. If you can't turn it on, then you need professional help. ;)

Impractical in today's world. It would result in thousands of support calls. The burden is already on the user. Your proposal would shift it to the manufacturer.

A lot of manufacturers now include a "one button setup" routine which adds security and auto-configures the system. I've never used it so I can't tell you how well it works. I believe it means all the devices have to be from the same company though.

This law should go in degrees. Like drug policy. Since it's pretty easy to see what abuse of a public network is, with simple everyday use it seems feasable. For example if someone hops on to a wirless network parked in a street, to check weather, and google maps, it's not a big deal they used up what ... 2mb of bitrate at most? However if a person down the street has been leeching off a neighbor for over three months, cancelling his own service because it's so easy. Well that indeed is theft, and intentional abuse. It's hard for me to image a situation where it isn't 100% clear that one person is abusing the unaware user.

Although if I had to simply pick, it would simply be legal to use all publicly open networks. Put a password on it, thats it.