Hijacking a broadband connection

That makes up for one of my screwups. I think we're about even now.

That's what I thought BEFORE I read the appeals court decision. The basic requirement when someone is "helping" improve security is to inform the sysadmins or network owner of the attempts and results. I run into that all the time when Snort finds some "helpful" individual running port scans on machines from inside the firewall at one of my customers. If he tells me what he's doing (preferably before, but after is tolerable) and tells me what he finds, there's no problem. However, Randall Schwartz didn't do that. He sat on his collection of decrypted passwords and didn't say anything until after he was caught. In fact, he did it twice over a 2 month period, without telling anyone. That's not helping anyone with security.

Permit me to speculate that such an explanation might be a good excuse fabricated by his attorney. I would subscribe to this explanation if he had announced to Intel that a bunch of passwords were insecure. He could have done it anonymously and avoided retaliation. But, he didn't.

Here we agree. It was a major over-reaction on the part of Intel and should have been handled internally and quietly. For some unknown reason, Intel saw fit to turn this incident into a high profile legal action, probably to "set an example". Maybe there was a lull in the never ending AMD versus Intel litigation and the legal department needed some work.

Congrats. I've spent more time on the other side of the issue in having to deal with employees and consultants that double as hackers. Most of the threats tend to come from management, who should know better. I just lock the culprit's account and wait for the inevitable angry phone call. A short yelling session, along with the traditional recitation of the riot act, is usually sufficient to prevent all but the most hardened hacker from continuing to play. Where the problems start is when the attorneys get into the picture. They have only one method of solving a problem: legal action. Negotiation tends to be ignored and assumed to be a useless effort. I suspect what happened at Intel was that the PHB asked legal about his options and stupidly took their advice.

Now, back to the topic at hand. It's highly likely that some company or agency is going to "set an example" of wireless hacking. It will probably be some person with an otherwise spotless reputation running port scans, WEP decryptors, or just Netstumbler on an allegedly secure wireless system. The primary purpose of the case will not really be to "set an example" as much as it would be to establish the evidence requirements, court procedures, and judicial precedents required for conviction. Otherwise, each state will flounder erratically dealing with vague issues, such as what constitutes permission, while the district attorney refuses to prosecute due to lack of precedents.

Note that you do not have to be guilty to go broke. Randall Schwartz paid Intel about $60,000 in "restitution" and about $200,000 in legal fees. I'm not sure of the exact amounts, but that's quite a bit for an incident where no damage was done to the alleged victim.

Jeff Liebermann

Yes, and that hasn't been clearly defined. I suspect a business relationship might constitute implied consent. Same with owner posted documentation and access instructions as in a hot spot. However, my guess(tm) is that wireless access will be treated like the property trespassing laws, where denial of access is the default condition and that written access to the property must be provided. The problem there is that trespassing has the concept of "attractive nuisance", where the owner of the property is responsible for securing the property or they become liable for any consequential damages. A good example is a swimming pool, which might easily attract kids. If the kids get hurt, and the pool owner did not properly secure the swimming pool, the pool owner is deemed responsible. That's why we have chain link fences surrounding empty lots.

You might wanna read some related comments I scribbled on the subject of wireless vendor liability and responsibility.

formatting link

Jeff Liebermann

Never mind "responsibility". Think "liability". If my car crashes because the safety equipment failed, who gets the blame? If my network gets hacked because my security features were disabled by default, who gets the blame? The analogy isn't perfect, but it's close.

The presumption that a security appliance (also known as a wireless router) should be secure on initial installation is probably legally actionable. Look at the package advertising of a typical wireless router. Most of the buzzwords and acronyms on the box are to give the consumer the impression that the wireless router is secure. One would have a reasonable expectation that such a device is secure by default and that all the mentioned features are functional. When you buy an automobile, you can reasonably assume that the safety features are enabled and functional on delivery.

Yet, that doesn't seem to be the case for wireless routers. Sure, the instructions cover the necessary steps to tighten security, but that's just passing the manufacturer's responsibility to the customer. Since such wireless routers are now deemed consumer products, the presumption of necessary technical expertise no longer applies (as it does in industrial equipment). I would go so far as to accuse the wireless router vendors of negligence. How hard is it to be secure by default? 2wire.com ships all their routers with a password for access set, WEP128 enabled, hex encryption key assigned, and a unique SSID.

See:

formatting link
another of my rants on the subject.

Jeff Liebermann

I've been pushing for exactly that for several years. The standard excuse is that it would be "difficult" to implement. Never mind that 2wire.com has been shipping routers secured by default for quite a while. Each one is different.

I contrived a public key scheme based on the unique MAC address and some random rubbish on the serial number tag, that could be used to recreate a lost password without much difficulty. Cayman/Netopia and 2wire have been using such a scheme on their routers for quite a while. Anyway, it's not all that difficult and only requires a modified serial number label and some firmware tweaks. As for tech support, one group manager told me that if it cut down on the number of difficult to answer, paranoia based questions surrounding security, it would be a big improvement.

Perhaps the right approach would be for Sveasoft and other alternative firmware developers for Linksys WRT54G to work out the details on how to deliver a router that's secure on arrival and let the others just copy it.

The usual encouragement for manufacturers is litigation and class action lawsuits. My guess(tm) is that when some judge rules that the manufacturer is at least partly responsible for the victim's financial loss, perhaps they'll wake up.

Let's see if I understand you. It's difficult for a manufacturer to supply the router pre-configured, but it's "trivial" for the user to do the same? Methinks that's a bit hypocritical. As for consumers failing to understand the implications, methinks even the experts have problems understanding how wireless works and what's necessary (and superfluous) in securing the network. I had a customer last week tell me that their wireless router is secure because they assigned a password. It was the password for access to the configuration.

Jeff Liebermann

Ask an average home PC user whether s/he knows about such sites. I would be surprised if as many as 1 in 20 answer in the affirmative, and I suspect that a great many have no idea what an IP address *is*.

Cynic

How about McDonalds? Many hotel lobbies?

Cynic

They all do, they have to.

With dynamic IP they keep logs of who is using a particular IP at any time.

IME my dynamic IP hasn't changed in 3 years it's just that it's not *guaranteed* to be unchanged so I'd be unwise to publish it. I'd have to pay a bit extra for that.

DG

Derek ^

There are whole towns with free Wi-Fi, something that has terrified the DSL and Cable companies. You already have red states enacting laws prohibiting municipal WiFi, i.e., see: "formatting link". The cable companies and phone companies are big campaign contributors to Republicans, so they are able to get these laws passed.

However what they can't stop, are businesses and individuals from providing free WiFi. There are probably about 25 places in my relatively small city where I can get free WiFi, including a public park 1/2 km from my house, and a cafe 1/4 km from my house. It's the exception, rather than the rule, for a cafe to have paid WiFi. Starbucks has T-Mobile hot spots, but sometimes you can get free Wi-Fi even at Starbucks.

SMS

not really, the SSID could be broadcast (as in a local community LAN near me) and it then use a variety of security measures including encryption, MAC authentication, forced intro pages etc.

The presence of an SSID to facilitate location does not imply it is open to all to access.

Phil

Phil Thompson

I always seem to end up at a web page wanting to get to know my credit card.

Phil

Phil Thompson

and near 100% coverage and much higher market penetration, so maybe it's not all bad. The mobile phone tariffs paid by users are pretty similar in cost, as it's the landline caller that gets to pay the premium for the calls.

Phil

Phil Thompson

in the UK it is an offence to receive broadcast TV signals without a licence, so there's one example where broadcast doesn't mean anyone can use it for free with impunity

formatting link
Phil

Phil Thompson

you pay for those

Phil

Phil Thompson

typing "IP address" into Google is within most people's reach

people seem fairly conversant with static and dynamic IP addresses from ISP web sites etc, anyways even if they don't that is irrelevant to your point that it's really difficult to find the IP address of the wireless network you are leeching off - it's trivial.

Phil

Phil Thompson

Actually, not all ISPs can map an IP address to a customer. They can usually do so for broadband connections and can usually do so with contracted customers. But ISPs that offer a "pay-as-you-go" dialup service may only, at best, be able to link an IP address with a telephone number. If that number is an unregistered mobile phone, the user of the IP address could be anyone.

It's probably not very practical to run a WiFi service through a mobile phone but it's technically possible.

Another interesting scenario (from a technical point of view) would be to connect a WiFi service via a VPN to one of the ten million or so compromised Windows PCs scattered throughout the world, via a few port forwarders for added security. Now that would be totally untraceable and trivial to set up by anyone with the appropriate expertise.

Mike.

Mike Mann

You are changing the subject from homes to public properties, in a desperate attempt to prove your point. It will not work. You cannot compare shops, or other publicly accessible properties, to private homes.

Dvorak got it right, the unlocked house analogy is a dopey analogy, which does not apply, even though his water analogy is also not very good.

At least in the U.S., any analogy needs to address the fact that many individuals and businesses intentionally leave their networks open to use by others, even when they do not explicitly broadcast their availability. The wide availability of free wireless means that if a business wants to charge for wireless, or if an individual or business does not want others using their connection, that they should use one of the several security methods available on their router.

If you want to find a proper analogy, find a service that meets the following criteria:

  1. The service is very often intentionally provided for free by businesses and municipalities,

  2. The service is very often intentionally provided for free by individuals,

  3. Some businesses charge for the service,

  4. Some individuals and businesses don't want others to use the service so they prevent others from using it, with security that costs them nothing to implement,

  5. Some individuals and businesses don't care if anyone uses the service, but they don't encourage the use either; they take no steps to prevent the use by others, but neither do they advertise the availability of it,

  6. Some individuals and businesses don't want anyone else to use the service, but they are too lazy or dumb to take steps to prevent the use by others,

  7. The user of the service has no reasonable way of determining whether free providers of the service are doing it intentionally, or doing it because they are lazy or dumb.

You have to look at the big picture here. Since the most popular OS will automatically associate with an open network, whether it is legal or not, it is the responsibility of the network owner to prevent this from occurring if they don't want it to occur.

You should not use a wireless network that the owner does not want you to use. But given the reality of how WiFi works, the network owner has to take some personal responsibility as well.

SMS

I'm not "making it available" if I simply plug it in, as supplied, and start using it, unaware of any further technical details, as I suspect most home users (and probably quite a lot of business users) will do. It's quite ridiculous to suggest that I'm offering something to all and sundry just by being unaware of how many can see it and how easy it would be for somebody to take it without my knowledge or consent.

Rod.

Roderick Stewart

And who sets them up? You have to take _some_ responsibility here.

That is a big assumption. If I were to make my network insecure, and available to others, I would keep the factory set name. In case of any trouble I could claim that I never intended the network to be available for anyone else to use.

Bad idea, one that leaves the individual open to all sorts of trouble. The safest way to share your connection is to do it inexplicitly.

SMS

Because you are making it available for anyone to use, and advertising its availability.

SMS

Derek probably didn't realise that this thread is cross posted to a non-UK group. Two of the three groups are UK specific, and the case that started the thread is UK specific.

In the UK, it is required that they do so.

That is US based.

Alex Heney

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.