Unsecured wireless access points and ethics

This thread is a result of many questions I read on this and many other forums.

Edit:Just in case if you wonder what ethics is: http://en.wikipedia.org/wiki/Ethics

Do we all agree on this: Unsecured AP owners due to their ignorance and lack of knowledge are actually poor and easy target for "evil" AP hijackers who steal their money and can make huge damage to their network.

Well, do we? Many people have different opinions. This is mine. Read on.

This is known to everybody I guess:

Technology:
It allows you to find and connect and use something (AP) in a easy, not always evil way. You turn on your notebook - it connects to a visible AP. Automatically. Now this is changing, but actually it is VERY EASY. I didn't set my computer to connect to an unsecured network (Vista does it more complicated though).
Evil side: not even the router has a password - I can change its settings! Make a secure network that only I can use!

Logic:
I need Internet. I want it as cheap as possible.
Oh well my notebook is on Internet. I don't pay for it.
Both premisses are fullfiled.
I don't know how my wireless works - so I don't know if I am doing anything illegal? It doesn't say in Windows Network what is legal and what is not. Read carefully all guidelines for connecting to a wireless AP. Usually there is no warnings or reminders to check who's AP it is. So I do a logical thing.

Ethics:
But who is paying for it? My neighbour? Well, is that right? I know he/she is a complete beginner, and knows nothing about security - but can I use that for my own benefit?

At this point the whole thing gets complicated. Here in Croatia I think it is very hard to find legal way of making this activity illegal.


But what if the above statement about poor AP owners isn't true?

Check out this scenario:
- I set unsecured AP connected to internet. I am connected to it too. My comp is secured. I am experienced evil geek with a target.
- I wait for someone to come and connect
- It is a trap
- I will be able to download whatever I want from his/her computer. If it is an ordinary XP user I guarantee at least 80% of success. Protected users will be disconnected and blacklisted.
- I can even delete important stuff
- I can plant my own software to be installed on the next boot
- I can set his Windows not showing disk volumes by puting simple hidden text autorun.inf in the root of each volume! (all mentioned things are easy and require average knowledge - making it very dangerous)
- I will teach him not to connect to any unsecured AP again

Well who is now poor and easy target? Who was doing the illegal thing? Both now? Hm. Who did the worse? AP owner or hijacker?

Ethics again?
An ethical thing would be to warn the AP owner and help him/her to set it right.
If you need cheap internet - ask him/her. Can you share the Internet connection? (Here if you find 8 people to connect and share expenses you get much faster Internet connection for the same money). What if he or she agrees? And AP is installed in the middle - both can use it? How possible is it?
I am sure you can think of some other ethical thing.

I hope this article made you thinking, as nothing is simply black and white. My idea was to give you some new ideas. Decide for yourself. Nobody can force you to be ethical. It is quality of human beings after all.

Cheers,

Ivan

 

On the occasional time I leeched, I never downloaded, I merely browsed websites. I really don't feel...bad for doing so when I'm not eating up bandwidth or doing illegal stuff on their network.

 

Well, small offenses are still offenses. You leech even a little bit, that doesn't make it right.

 

The moral stance is all good and swell, but I care about the legal stance.

Using an unsecured wireless network is illegal. A guy got 8 years for parking outside of Starbucks and using the network. Now the chance of getting caught using your neighbors wireless is slim to none, but it makes you a horrible neighbor. At least go and give them a pie every now and then.

 

It basically boils down to: Are you taking something that isn't yours? You're not paying for it therefore you should not be able to use it without the owner's consent. Plus you should educate or at least let them know their unsecured networks are being taken advantage. Not everyone in the world is born with the knowledge of knowing what other people know.

 

Interesting - I think we would never have that here in Croatia. European laws are different I guess. I like American laws where all kinds of hacking, cracking and even spamming is prosecuted. But what with the other scenario I suggested? Who would be punished more?

Ivan

 

I agree. Leave him a message on Windows desktop perhaps?

 

And I wanted to point out another thing: Ethics is not controlled by the law. Law is "lower" human achievement than ethics. Nobody can force you to be ethical. Not even law. You can be a good lawyer with no ethics at all. That doesn't make you a good person i guess. Only lawful.

 

Well said person doesn't care most likely. It's not on any printers or anything. Nor can you access the router (they know that much).

Considering they know how to take that option off you'd think they'd know how to set up a WEP key.

Hence I don't have any moral implications in using their network.

 

I went with the more expensive option and bought a wireless internet plan with a cellphone provider. Not precisely cheap, but it works more reliably. It also insulates me from any potential ethical/legal issues with using someone else's WLAN, or packet sniffing/honeypots.

I don't consider it particularly egregious to use an open AP, but I don't do it unless I know in advance its owner has no problem with that.

 

IMHO, that's like saying "My neighbor leaves his car windows open, but knows enough not to leave the keys in there. I don't mind reaching in now and then to grab something that catches my eye." Regardless of what security they may or may not use, the network isn't yours and isn't public domain.

Would you appreciate someone "borrowing" your wireless network without your permission? Perhaps they would send a few menacing letters to members of Congress. Who will the authorities visit? Hmmmm. "What you do not wish upon yourself, extend not to others." certainly applies, don't you think?

 

I think that is a bad analogy as I'm not "taking" anything. If anything it's like taking a penny or two from my neighbor's car (Hey I never said I was good at analogies). I'm not "stealing" anything that is not replaceable nor is anything "taken".

And like I said earlier, many people I know leave their networks open purposely. They don't really care if other people use it. I'm not doing anything illegal within their network (Just browsing websites), I'm merely using it for short periods of time (perhaps 5-10 minutes when my internet dies). And mind you, if THEY start downloading something it kicks me off as it's a really weak signal from my house (it's a B-router).

Now I have found people on my network who were downloading large files and promptly kicked them off as they were slowing down my internet.

 

This has been visited time and time again, I posted, even got repped.

Its still theft no matter how ignorant your neighbor is, or you pretend to be. A solution: inform them and help them set up security. They will probably be more than willing to allow you to leach.

What would you think if you were leaching off someone elses unsecure network and they were slipping you a virus mixed in with the packets? And it wiped your drive?

 

Perhaps this is a bit better: Your neighbor has a cordless phone that can support a maximum of four additional phones. He only has three. You buy a phone that matches his system. You can turn on your phone and use his phone line to make calls. It doesn't add to his bill (unlimited local and long distance plan), but is it the right thing to do?

Sorry, I didn't read that in your previous posts. Did you post that in a similar thread?

The original question is one of morals/ethics, not of legality, so your answer doesn't support why this action is morally right or ethically correct. This is a question of basic right-and-wrong. Is it right to use a system that does not belong to you without the permission of the owner? In my opinion, the answer is no.

 

Please someone give me the link for a guy getting 8 years for using the wireless link outside Starbucks....come on now!!!

 

I didn't find the Starbucks article (never even heard of that one), but I did stumble across an article reported by the BBC about a guy getting arrested for using a wireless broadband connection without permission. There are quite a few links - this is just one.

http://news.bbc.co.uk/1/hi/england/london/6958429.stm

Edit: I found a forum thread that may be behind the Starbucks story. Visit the link and then scroll nearly all the way down and you'll see a post where someone talks about Starbucks.

http://forums.macrumors.com/archive/index.php/t-136574.html

And here's the story that's discussed in the thread:

http://www.sptimes.com/2005/07/04/State/Wi_Fi_cloaks_a_new_br.shtml

 

Thanks kegobeer!

http://www.sptimes.com/2005/07/04/State/Wi_Fi_cloaks_a_new_br.shtml this is particulary informative and good. Rep for you.

Ivan

 

Yes Repped by me as well...thank you for the work!!!

 

I accidently connected to a neighbours or somewhat unsecured wireless, as i connected automatically. I dont know which neighbour it is, how can i let them now by leaving a message saying that their network is unsecured?

 

Well, tricky. First - you don't know what OS he is using.

Be sure that your comp is secured! You never know why that network is open.

For windows: Once upon a time there was a messaging service in Windows (winpopup and net send - not in Vista anymore).
There is also command prompt msg (google msg) but you need some more things to set in order to have it. Vista seems to be tricky to set it correctly. It works but XP-Vista link needs to be set carefully.
There is netsend for vista too - freeware, but XP has this service disabled by default.

You can change his SSID to "Please secure this network" - usually works if a guy has unsecured router or uses the default password for that brand, but there could be some legal issues.

See if you can access any comp on that network. Try putting a nice txt document on someone's desktop (possible legal issues). That comp is not secured obviously, if you can do that.

Now I have already written the procedure how to access someone's desktop(folders/files), but I think it is not a wise idea to have it here publicly. It is not illegal or something, just some people could have funny ideas.

Hints:
Easy - comp shares drives on network and is visible and not secured
Harder - You need to access unshared drives over IP and you need to know what is owner's IP (usually lower numbers at the end). Use netstat if nothing else works. Comp must be still unsecured.
Hardest/impossible(?) - comp is secured properly (firewall, accounts, permissions etc....). You know IP and everything, but you cannot access it without...

And finally - it works on any OS in the world:
Stick a sheet of paper on the tree in your neighbourhood! Is this legal?

Cheers,

Ivan

 

My friend kept complaining about 50+$ bills for bandwith overuse on his internet account. He kept complaining that a neighbour must be stealing his internet G connexion to download porn and games.... The fun part came when he finally rememebered that his friend 2 floors down kept braging that he was scoring free internet from "some idiot in the building" that never protected his connexion though he wasn't sure who it was.... It took him 8 months to connect the dots on this one...

 

Laws and ethics are two separate things entirely, however laws are usually based to some degree on what would be considered ethical behavior.

Even if this type of thing is not against the law in your Country now, many Countries are quickly trying to update their laws to take these type of things and many other computer related issues into account. Most politicians are not very well versed in the use of computers, let alone the infrastructure that supports them. One of the biggest issues right now is when a guy in Venezuela takes control of a network in London that is used to steal credit card information in the US and launch a DoS (Denial of Service) attack in Japan. If everyone knows who do it, how will this be prosecuted? What if none of these actions are against the law in Venezuela? Many governments are trying to work these issues out and it will still take some time to fully get it resolved, but in the meantime it creates a legal and prosecutorial mess.

I have heard of some proposed laws to make it illegal to operate an unsecured wireless network unless it is specifically designated and advertised for public use. I have not checked to verify the source, but I believe I heard on a security podcast that New York County was a law similar to this.

Until all of the laws are straightened out ethics are the only thing involved. Let's go back to kegobeer's example of stealing from someone's car. If you steal something out of the car and don't get caught, is it still against the law? Of course it is, but you are not punished because you were not caught. In my mind, doing something wrong (read unethical) that is not against the law is no different than doing something outlawed and not being caught. In both cases you are potentially doing harm to someone else or obtaining something that you do not deserve with no consequence for your actions. Another example is that it is legal in the US where I live to go through someone's trash looking for private or personal information about someone (as long as you don't have to trespass to do so). That certainly doesn't make it right and most people would be very offended to find you going through their garbage.

The argument referenced here and commonly seen is that it is the network owner's fault for not properly securing his wireless network making it so easy for people to connect. Let's say his router only supports WEP encryption and he has it enabled for the highest degree of security enabled. The RC4 encryption algorithm used in WEP can be cracked very easily using several different methods due to flaws in the encryption algorithm. Regardless of key size even up to 128 bit it is fairly easy to break. I have had some experience with this through some testing I have done personally as I plan to take on some IT Security projects soon and have been working a lot to practice my penetration testing skills. There are programs made available that can break WEP very easily without any effort or knowledge on behalf of the user. Does this make it right because it is so easy to do? The same people that often say "The network wasn't secured and was broadcasting the SSID so I connect and use it because it is so easy and the host's fault for not securing it" will say this is wrong when I present them with the scenario. How is it any different? Both are very easy to access. Accessing either is still wrong. It should be no different in that it depends on either the skill of the user or the user's knowledge of software that can be used for illegal and unethical practices.

Even if no law exists to prevent you from stealing wireless from someone, that doesn't mean it can't be prosecuted depending on your Country's legal system. Physical property laws are often applied to intellectual property for example. If this is the case, is it unreasonable to think that a case could be made that your physical network was compromised and attacked by non-physical means? I could certainly see a judge allowing that for a civil lawsuit in the US. Even more so, I could see a jury finding you liable in that instance. Kowell just gave an example of someone losing over $50.00 per month as a result of this type of theft. What if that person brought a civil suit against the ISP for damages because the ISP set up the wireless router for him? He recieves money from the ISP who now starts tracking and hands this information over to the DA's office for a criminal suit to be filed for the theft that took place. Just because there is no law doesn't mean you can't be prosecuted. I don't find any of these examples too terribly unreasonable.

You could argue the law all day and find ways to justify these actions, but it is still theft and it is still certainly unethical. I don't think anyone could make the argument that it is ethical because it may not harm the person on the other end. Even if that isn't the intent it often happens, and even if it doesn't you are obtaining service that requires a cost without paying that cost.

 

Oh geeze. If it's unsecured, it deserves to be used IMO. Most people know right off the bat from not living in a cave that you should secure it. Still others that didn't know, will stumble upon the settings in the config perhaps while running the wizard or browsing through. Much of the remaining people who know nothing about computers will see the warnings to secure etc etc. on the quick start guide telling them how to set the thing up!

I guess this post isn't that objective... I mean YES it's illegal. But doesn't anyone just think for a little bit, that those that don't secure are either 1. actually TRYING to share. or 2. Probably absolute tools?

Well I'm also pro satellite. "If something is floating through your airspace and bouncing off your head and walls in your personal property and your personal space, you should be able to see what it is!". So what do I know?

 

Oh what's that about the Starbucks guy? I never heard of that. 8 YEARS?! that's crazy! Did he like hack in or was he using public wifi access?

 

Did you read my post on the whole Starbucks thing? If you did, you need to re-read it and visit the links I provided.

 

You use cordless phones? cell phones? these also travel over open air waves. Current law prevents people from taking your signal and using it as thier own.
If someone did hijack your cell signal and called 3rd world countries should you pay the bill? Did your signal not use someone else's "satellite" plan?
You cant rationalize right and wrong. Its still wrong. 2¢