War Driving To Be Protected In NH 387
AllMightyPaul writes "A big article on Wired.com talks about the new House Bill 495 that would legalize the innocent stumbling upon open wireless networks. Basically, it put the burden of securing a wireless network on the owner of the network and allows people to connect to open networks that they believe are supposed to be open. This is excellent news as I'm sure we've all tried to connect to one wireless network and ended up accidentally connecting to another one. Being from NH, now I can finally drive through Manchester and connect anywhere I want with little worry, but not until after January 2004, and that's if the bill passes the Senate."
Re:Its excellent news..... (Score:2, Insightful)
Legalize it? (Score:5, Insightful)
Wait a second... (Score:5, Insightful)
The law has decent motivation, but it's basically saying "Go ahead and break into wireless networks, because if they're not completely secure, it's not your fault." What happens when people start snooping the traffic, stealing corporate secrets, and then claim that the wireless network wasn't secure, so they can't be responsible?
good. security can gain some awareness then. (Score:3, Insightful)
a law like this can't do any harm, besides the harm that has been done (or is happening) already. it sounds like to me that this is a good thing. raising awareness around network security is always a good thing.
*well, except when it fosters more fear than actual security
Re:Its excellent news..... (Score:5, Insightful)
Frankly, I feel that this is a good approach to hacking in general. Why should buisineses, who often lobby to pay the state less in tax revenue and whatnot, still expect the state to prosecute people who break into thier networks because they were too lazy to apply a patch?
Now, as a caveat to this, I feel that if the company can show that they took all reasonable precautions to secure thier network, then the state should go ahead with prosecution. This way a company that is 'following the rules' is not unduly punished, but the company that is too lazy or too cheap to implement good security is, and cannot fall back on fear of the state to be thier security apparatus.
Re:Its excellent news..... (Score:1, Insightful)
What about at the state line... (Score:3, Insightful)
Re:Wait a second... (Score:5, Insightful)
Re:Where is NH? (Score:5, Insightful)
New Hampshire is bordered by Canada on the north and by Massachusetts on the south. On the east, New Hampshire is bordered by the Atlantic Ocean and Maine and on the west, New Hamsphire is bordered by Vermont.
And for all you Wardrivers... it's
Longitude: 70 37'W to 72 37'W
Latitude: 42 40'N to 45 18'N
Won't this just encourage more SPAM? (Score:5, Insightful)
However, if you have the ability to use someone's network "accidentally" how do you distinguish someone who is using a lot of bandwidth for an innocuous reason from someone using a little bandwidth for a protective screen? I seem to recall reading an article about SPAMmers using open links to anonymously go through SMTP sites to further propogate their "stuff"...
And if the company is running Windows and has shared network resources, where does my 100 page accidental printing land on the scale of things?
I agree that you don't want to arrest someone for browsing through "linkedsys" when they meant "linksys" (or picking up the wrong "linksys" which is probably even more likely). But I'm not sure this is the answer.
FWIW,
Ewan
Re:Its excellent news..... (Score:3, Insightful)
Morals vs. Practical Issues. (Score:4, Insightful)
And as long as things are set up so that connecting to the network doesn't involve anything more than just happening to be where that network is, the idea that you could be prosecuted for 'breaking into' their network is a scary one. There's often no 'breaking' involved. If I end up connected to somebody's network, and it required nothing more than a laptop configured for my *usual* wireless access, then no, it's not my fault.
If you have a wireless network and you're using it to transmit 'corporate secrets', etc, then secure the thing. People who run around purposefully trying to find other people's networks to go online from are a little slimy, maybe, but it's not 'breaking in'. It's complaining that somebody's sitting on the chair you happened to leave on the sidewalk. It may be your private resource, but you've left it sitting in public space with absolutely nothing to indicate that people *shouldn't* sit in it. And the average stranger who does is probably just resting his feet, not sabotaging your property.
Re:Its excellent news..... (Score:1, Insightful)
Re:Its excellent news..... (Score:5, Insightful)
That being said, I think it's completely different with wireless networks precisely because you don't even know what network you're picking up -- and you can pick up the network completely by accident. This is in effect similar to the case where an non-scrambled phone conversation is picked up via a scanner accidentally...perfectly legal to listen in, at least in most states.
Re:Its excellent news..... (Score:5, Insightful)
If I were to hypothetically sniff some of these packets, I might hypothetically discover that they are going to different ISPs, which makes me hypothetically believe that most if not all of these belong to different companies.
So imagine you are an employee of one of these companies and the boss tells you "hook up to the linksys"
This law puts the burden on the hardware owner to make the fucking tiniest effort (I'm not talking IPsec or even turning on WEP
This is GOOD, not BAD.
The signal is physically going through my body and if it doesn't say "Don't Use Me", then by fuck, I'm going to use it! I figure that's in exchange for the 0.00001% increased cancer risk.
I debated going into these businesses and telling them that I'm a computer security professional and would be happy to give them some free consulting but then I decided at least one of them would get panicky and have me arrested. "But
No good deed goes unpunished you know.
As other posters have pointed out... (Score:3, Insightful)
Frankly, I'm kind of appalled at this line of thinking. When did it become out of fashion to be a decent human being?
I love my NH (Score:4, Insightful)
I'm seeing a lot of "the idea is good but...", but I do think it's a good idea. I read the analogy of walking into someone's house if it's unlocked and taking their food, etc, but I don't think that's the right analogy.
A better one, (which also applies in NH) is that if you're hunting in the woods, you can't be prosecuted for trespassing unless it posted "No Trespassing" or the owner comes along and tells you to leave. This keeps people who are in the woods and might not have a convenient parcel map from the town from being prosecuted because they wandered into an adjacent lot. Do note that this is not the same as walking into land that is expected to be private, i.e. a house or an office building (during non-business hours).
Just my input.
Live Free Or Die.
Re:Its excellent news..... (Score:2, Insightful)
DHCP expresses permission (Score:5, Insightful)
- My laptop sees a signal and requests access to the network by asking for a DHCP address.
- Access point sees my request and GRANTS me a lease on an IP address with which I can access their network
- I surf using the network
- I leave.
I asked, they said YES. They could have easily denied me, but they invited me into the network when I asked if I could. There are SO MANY different ways to keep people out, that owners of AP's just have to do something to secure themselves. Shame on them if they fail to do that.
Re:That's a good law, but.... (Score:3, Insightful)
I APPLAUD them for solving the problem BEFORE it becomes important, and thereby stopping our enemies before they become strong enough to attack our freedoms.
Re:Legalize it? (Score:5, Insightful)
IMHO this is not a good thing. One of the problems Americans face today is the presence of so many laws reducing explicit or implied freedoms, as you noted. Yet explicitly stating in statute tangible freedoms contradicts the Constitutional notion of preexisting rights fundamental to the human condition. The goal of the Constitution is to recognize freedom, protect it, and limit rights only to the extent necessary to support the common good.
At first blush you are right, its about time we had freedoms recognized by politicians. But I would much rather see them tear down thousands of bad laws and restrictions, and get a couple of really good, common sense ones in there, and enforce them. I don't want to start to have my freedoms enumerated by a Congress, Court, or Executive.
P.S. This is all without respect to political affiliation. Wireless, RIAA, M$ monopolies, Guns, Abortion, Environment...all these issues may have different sides, and all need applicable laws, but I am just saying that the laws should not state a freedom and protect it, only restrict abuses contrary to the will of the Constitution, the people, and the common good.
Re:Won't this just encourage more SPAM? (Score:3, Insightful)
All this laws does is say: "If you leave your doors wide open, you have no right to complain if some someone comes into your house to get out of the rain."
The law does not in any way make it legal for you to spam/print from their network, just as the above statement would not let people take stuff out of your house just because you left your door open.
Only applies to really open networks (Score:5, Insightful)
What this law means is that, if you don't want people to use your wireless network, you have to use some sort of technological measure to let them know to stay out. This makes a lot of sense, because there's no way to find out that someone does want you to use their network.
Right of use doesn't equal abuse... (Score:3, Insightful)
Come on, that's like saying that if I'm allowed to enter a business with an open door, then I'm also allowed, by default, to rob the place and give the owner a Dirty Sanchez [g0d.org].
The law assumes that an open network was left that way intentionally (or that the owner doesn't much care). That's a very cool thing. But nowhere does it say that you are absolved of responsibility for your actions when using the network. So industrial espionage and cracking other, secured servers is still as illegal as it would be if you were doing these things from any other system.
Re:Legal ? (Score:3, Insightful)
However it's not illegal to own or modify a device in order to receive cell bands...unless you actually use it. Makes sense doesn't it?
There are so many grey areas and conflicting legislation, it's going to be a very long time before all this is sorted out.
Marconi never knew what he was getting us into.
The moral bankruptcy of Slashdot readers (Score:4, Insightful)
They see no harm in taking goods and services that they did not pay for and are therefore not entitled to.
Now they see no problem with hijacking bandwidth someone else paid good money for simply because it's available over the airwaves and unsecured? Tell you what: let me know where you live so I can help myself to your water, electricity, and internet access if your door happens to be unlocked. It's not my fault if I sneak in, you were too stupid to secure your house!
Also, I don't really buy the whole "this is good, now we'll see some better security" argument. Right. You're telling me you'd like nothing better than to see ALL wireless networks secured so you can't go joyriding and stealing bandwidth? Right. A Slashdotter who doesn't want to get a free ride. Next thing you know you guys will be telling me that you'd be in favor of a foolproof scheme that protects your fair use rights for music and movies but prevents you from sharing with millions of random people.
This is really sad when you think about it. The prevailing morality among young people seems to be "screw everyone else, if it's not bolted down I'm taking it!" There used to be a time in this country when you could leave your doors unlocked because people were decent enough to respect each other's property. Not anymore, I guess.
Well, someone has to pick the nits... (Score:4, Insightful)
Brian McWilliams obviously thinks this is a bad law, and he has slanted his article accordingly. I'd have thought Wired's editors would have caught this sort of thing.
First off he refers to "war driving" and "war chalking" without ever once spelling out Wireless Access Reconnaissance even though he finds the space to define WEP. Makes it sound a bit aggressive, and not by accident.
New Hampshire's existing statute says it is a crime to knowingly access any computer network without authorization. By analogy, just because someone leaves his house unlocked doesn't mean you are authorized to walk inside, sit on the couch or help yourself to the contents of the fridge. But HB 495 turns that thinking upside down, experts said.
No, it doesn't, and if you new the first damned thing about this technology you would never repeat what your (unverified) experts have told you. Walking into someone's open house and helping yourself to the contents of their fridge, is trespassing and stealing, and in showing such low regard for their personal space it becomes reasonable for them to wonder if your are a threat to safety and bodily harm. We're not talking a simple risk of data here.
What's more, if an alleged intruder can prove he gained access to an insecure wireless network believing it was intended to be open, the defendant may be able to get off the hook using an "affirmative defense" provision of the existing law.
That's not "getting off the hook." That's having committed no crime in the first place.
And here we are pandering to the fears of the masses again:
A 10-minute war drive down the main business district of Manchester earlier this month using a laptop with a standard wireless card revealed nearly two dozen open wireless access points, including some operated by banks and other businesses.
To the sadly un-geek of the world this suggests that NH is passing a law that makes it legal for hackers to hack your bank accounts. Clearly untrue, clearly flamebait.
And in closing he reminds everyone that the committee is, "...still open to arguments from anyone."
And closes with, "We want to be sure that it wasn't the case that, through trying to protect people under certain circumstances, we were opening up greater opportunity for criminal activity," said Peterson.
If Brian had wanted a decent analogy to explain WAR driving he could have used the following: It's like passing a law that claims it is legal for someone walking by on the sidewalk to let their dog drink from your sprinklers. Technically their dog is trespassing, and technically it's your water it's drinking, and technically it's allowing strangers to loiter near your house where they might become more aware of your houses security vulnerabilities. But as the lawmakers might have said themselves, "let's just get reasonable"
I like the pretty pictures in Wired, but I cannot renew my subscription in good conscience as the folks in NH are making a rare stand for reasonable behavior and a technology magazine is issuing flaimbait articles in response.
So Brian, if you're walking by my house with your wireless card in the sleeve of your IPAQ, feel free to check your e-mail and grab some headlines from
Re:Its excellent news..... (Score:5, Insightful)
In your example, would you think the person that takes your car is guilty if the city you lived in routinely leaves cars with the keys in the door as a public service, allowing anyone to use them.
The truth is, that your example is not even accurate. A better example would be if cars come with an optional LOCK. They give strict instructions that if you do not want everybody in the world to use your car, you should install a Lock. If asked, they say they build them without locks so that you can get your own lock, not one that they can open, and to allow pbulic oragnizations to make them available for general use without a Lock
If you get a car without a LOCK, then it is YOUR fault if someone takes your car, and the person that took it has the RIGHT to claim they thought it was a one of the cars made available to the general public for free.
Re:The moral bankruptcy of Slashdot readers (Score:1, Insightful)
"It's not my fault if I sneak in, you were too stupid to secure your house!"
Which is:
"It's not my fault that your locks were so easy to pick. You should've used stronger security measures."
Re:Who brought out the clue-by-four? (Score:5, Insightful)
This law does NOT make it legal to take things at all, let alone things that you know the owner did not want you to take.
All the law does is make it LEGAL to enter the house if you leave it open. Which makes a LOT of sense considering that a lot of people are intionally leaving their doors open so that if you want to get out of the rain, you can enter their house. (Analogy - public groups are offering free services).
The law does not allow you to steal data, it just lets you wardrive. war drive is using their network to access the internet. If you use their network to access the private, secret data of the company, that is theft, and you can still be prosecuted.
Admittedly, the law does make it harder to prosecute you, as you have to be caught with the goods, but that is fair. After all it SHOULD be harder to prosecute a theif when the MORON of an owner takes ZERO effort to protect their property.
War Driving != Malicious (Score:4, Insightful)
War driving is going around looking for open networks to connect to and use. The person war driving isn't necessarily connecting to be malicious and this bill (that isn't law yet) wouldn't legalize malicious connections. However, what it specifically does is designate open wireless networks as networks that you can connect to without getting in trouble. As one person said, it's like the "No Trespassing" sign. If it's there, you have to follow it, but if it's not, you're allowed to walk onto the property (for the most part, there are exceptions).
War-driving isn't malicious. You're just looking for open networks, which this proposed law will protect. Once you're on the network, you're still subject to laws regarding spam and cracking and all those other things that are already illegal.
Re:In these uncertain times... (Score:3, Insightful)
No, however if someone filled up their water bottle from your hose connection, you could have them arrested for that. The same with someone who plugs in to an outlet you have on the outside of your house. Do you have hose taps and electrical outlets outside? Do you lock them up? Of course not, because it's expected that people understand they're not free for public use.
Re:The moral bankruptcy of Slashdot readers (Score:5, Insightful)
If you accidentally get on someone's network, fine -- disconnect and try again
On the side of good. (Score:3, Insightful)
A use for WEP! (Score:3, Insightful)
By turning on WEP one would be clearly signalling that the network was not for public use...
Bad analogy! (Score:5, Insightful)
You leave your T.V. pressed up against your window, and then people walking down the street watch it.
Or...
You put a speakerphone in the middle of the street, and then yell out your window whenever you make a call... and then people can listen to your conversation, and even add some comments in.
Difference between US and UK (Score:3, Insightful)
Trespassing per se was not a crime. So you can stand in someones yard or unlocked house without committing a crime. Of course if you do criminal damage that *is* a crime. Breaking and entering is a crime - entering an open door is not.
If you want to extend the analogy to hacking, if someone puts their info on a web server with default security set to "serve all files to anyone who asks", that should not be a crime to view. If you are creating a special stack-smashing packet that happens to kill version 2.78.2a of a web server, that might be another matter.
Re:Wait a second... (Score:2, Insightful)
Well, no, no it's not saying that. If you read the article, or the article review for that matter, it says that people can access a network if they reasonably believe that it was intended to be open. If it is intended not to be open, it is still illegal to access it, regardless of how poorly closed it is. If some schmuck sets up a wireless network requiring a login and the password is "password" or "12345" or something like that, it is still intended to be closed, and thus off limits, in spite of the fact that it is pathetically protected.
Re:Who brought out the clue-by-four? (Score:4, Insightful)
The point is, how can I tell that I'm not supposed to be on a network?
In New York State, where I live, the computer crime laws state a person must defeat an access control mechanism when accessing a computer for it to be considered tresspass. That means: If your computer is accessible via a public network and with no password, it can assumed to be open to the public.
If you leave your "juicy stuff" on a computer with no password, on a publicly accessible network, it your fault. It's like posting it on a webpage (they fall under that definition). If I visit the webpage, passwordless FTP server, windows share, etc where you put all this information I should be legally in the clear. You are the one who put out there for the public. If you didn't meant to: "How the hell should I know?" Your incompetentcy shouldn't mean that I'm a criminal. There shouldn't be any arguement over what my intent was in looking for/accessing that information. You put it there! You made it publicly accessible.
This law just makes sense. If you want to be able to take someone to court for accessing your network, you should have an access control mechanism in place on that network. If you aren't making minimal the effort to control who gets onto your network, then you shouldn't expect the courts to care.
I have no problem with the assumption that open APs are meant to be that way.
Finding an open AP is like finding a PC set up and running in the town square. If I sit down at it and it doesn't ask me for a password, then I can assume that the public was meant to be able to access it.
Your "It's wrong to walk into an open house and take things when you know the owners didn't want you in there." analogy fails for lots of reasons. The airwaves are a public resource. You don't own them and neither do I. The obviousness of entering someone else's house isn't there with wireless networks. If I see an ESSID "linksys" how do I know if that person doesn't want me using their network? Maybe they want me to so they left the router in is default open state. Maybe they didn't, but were too incompetent to configure the router to implement their desires. Maybe they want me to, AND didn't know how to to configure the router to implement their desires and it just happend to work for them that way.
The point is, it's more like leaving something by the side of the road and having it get taken then inside your house. As a little kid I left my bigwheel at the end of our driveway and someone took it. They had a reasonable right to assume that it was there for anyone who wanted it to take, or it was going to get picked up with the trash. I'm sure the guy who took it wasn't an "amoral turd" for taking it. It was my fault for leaving it there. I may have been too young to understand what would happen at the time, but that doesn't make they buy who took it home to his kid a bad guy.
I left something publily accessible and in such a position that someone could reasonably assume they could just take it. You're doing the same thing with your bandwidth when you set up an unsecured AP.
again with the house? (Score:3, Insightful)
I am so sick of this house analogy being applied to wireless networks. It doesn't apply because a wireless network by its very nature is ephemeral. You can't broadcast a house.
It is more akin to having a conversation with someone. If you don't want others to hear what you're saying, then find a private place to do so (in other words, secure the network).
There are people (journalists, for example) who hang out in public places and listen to other people's conversations. It is your tough luck if you decide to disclose things in a public setting, and someone overhears, regardless of their intentions. You made the mistake of saying it in public, they just took advantage of it.
Bad Analogies (Score:4, Insightful)
That's a bad analogy. Why? Because there is a widely growing movement of setting up open networks that anyone can connect to. There's no widespread movement to leave homes unlocked and free food in the kitchen.
This bill doesn't give people the right to break WEP encryption or spoof MAC filtering. They probably couldn't even use it for defense if the SSID had the word 'Private' or something similar in it. The bill simply recognizes the growth of free connections and tells people that if they don't want to be mistaken for a free connection then it's their responsibility to do something about it.
Re:Won't this just encourage more SPAM? (Score:3, Insightful)
Hate to say the analogy of choice is the old "Information Superhighway". If you're driving along and get lost or take an unfamiliar turn...If the road isn't marked Closed then it isn't closed. There is no way to tell a Private Driveway apart from a side street unless it's marked. Same with networks.
With a ubiquity of connections sprouting everywhere, all different, we need to drop that house analogy yesterday. The highway analogy is much better, especially if it is assumed most cars are on partial autopilot most of the time. Can you imagine asking explicit permission to drive down every road not marked "State Route" or "Public Road"? Of course not.
You know what, this analogy really carries. I disagree with the NH bill because it requires more than marking the network (road). It requires a chain on the road and guard gate. That's too far the other way.
All the law should require is that the owner properly mark, warn, post, whatever. No more, no less.
Re:Its excellent news..... (Score:3, Insightful)
Why compare to obviously different cases (walking into someone's front door versus wireless networking)? The difference between clearly marked physical resources and wireless resources is a clear one, both ethically and legally.
The NH law would seem to inject some much needed personal responsibility into the equation. Somebody sitting at a cafe shouldn't be accused of breaking into an unsecured network across the street, unless they really do break some security.
Re:Bad Analogies (Score:3, Insightful)
If you don't do this, then you are tacitly agreeing to allow passersby to view the content. However, if you do set up some kind of privacy (bushes, a fence), then you may become upset at people that purposely attempt to circumvent your security.
I believe that this more closely matches the spirit of the law.
It also works for the content ownership question.
For instance, imagine a pay-per-view event is shown on a TV in such public conditions. If the pay-per-view provider wanted to sue, they would have to sue the person who owned the TV, not the viewers because it was the TV owner that is misusing the content. Now, if the TV owner took steps to prevent those that didn't pay from viewing the program, the owner wouldn't be liable, even if some people managed to twart the protection.
Basically, it comes down to due diligence.
Re:Won't this just encourage more SPAM? (Score:3, Insightful)
Part of the problem is you fail to admit that there is a LEGAL and requested "war-driving" going on. (If you live in NYC, I know that Chelsea Market advertises the fact that they offer a free network for people to log in - I heard about it and I do not even own a network card for my computer). Shooting people is NEVER legal.
Try again but remember that PUBLIC minded groups are intentionally leaving networks open and WANT you to use it.
The TRUE analogy is NOT someone that is leaving their cars onlocked, but people that buy cars without locks and ignore the instructions from the manufacturer to put a lock in. The reason the cars are sold without locks is that many cities buy them without locks and leave them around for their citizens to use free of charge.
Once you realize that is going on, then locking up some innocent guy that takes your car when you were too STUPID to buy a lock for it, is not fair.
AND MORE IMPORTANTLY, THE GUY IS NOT TAKING ANYTHING. - he still lets you use it.
So that means the true analogy is you buy a car without any locks, ignore the manufacturer's warning to get locks, ignore the fact that the local groups are leaving unlocked cars around for free, and then the guy that takes your car only does it when you are asleep, and he brings it right back to where you left it.
And then the IDIOT that did all of this wants to arrest and charge the poor, innocent man (who thought he was just taking advantage of a common practice for using it.
remember, the law does not make it illegal to steal the data, it just makes it legal for the guy to use your network if you make NO attempt at all to secure it
Re:In these uncertain times... (Score:3, Insightful)
To take your analogy further, should you have to move your lawn so it doesn't get watered by his sprinkler because you're stealing his water?
The problem here is that everyone is using analogies to prove their points. While analogies provide useful insights into certain situations, one must be careful to evaluate the argument on the facts, not clever analogies.
In this case, WiFi networks that are unsecured can be stumbled upon accidentally and often unknowingly. This happens especially when wireless networks overlaps. As stated previously, there are simple ways of distinguishing your network from another.
This law is merely in place to protect those who accidentally stumble upon networks that are broadcasting unsecured and without any positive identification. For this purpose it is good.
There are, however, some interesting legal questions regarding wardriving that should be addressed, but the substance of the law is still very useful and good.
Re:Time to use up some of those extra bits,, (Score:2, Insightful)
Re:On the side of good. (Score:2, Insightful)
If you left your house unlocked and went away on vacation, whos fault is it that your house got broken in?
The burglar's fault!