Watching TV or listening to music from the street through an open door or window does not deprive the owner of anything, just as the passerby cannot un-hear the music or un-see the TV once they are aware of it.
WiFi is similar in really only one respect, for all those that say a broadcast SSID and/or no password is essentially the same as an open door or window, in that a STAtion (wifi device) within range literally cannot un-hear the signal as it is broadcast by the AP. At the same time, the rightful owner is not (yet) deprived of anything simply by another off-property person being able to receive the WiFi signal.
That is where the similarities end, for multiple reasons: (1) It is considered Industry Best Practice to enable an SSID to be broadcast as it simplifies connections and preserves mobile device battery life. Note that I am NOT advocating for no password.
(1a) Broadcast or NOT broadcast should neither be a technical security measure, nor a legal basis on which to form the rightful owner's intent for usage of the SSID.
(1b) Sometimes an SSID may be set to broadcast and left with no password, while the owner is troubleshooting a problem. Maybe, they forget to immediately reset the security credentials to be required, once troubleshooting is complete. Does this oversight by the owner constitute authorization to use? I think not.
(1c) Not setting an SSID to broadcast does NOT mean that it is never transferred in a WiFi frame and it would be a trivial effort to capture enough WiFi traffic to be able to determine what the SSID is, without hacking anything, just simple deduction and analysis.
(1d) Suppose a new neighbor moves in and, unwittingly, sets up their WiFi SSID and it ends up being the same as another neighbor's within range. Now, who is the rightful owner of that SSID literally being transmitted by two distinct owners and how would one convey trespass when there is no way to distinguish one from the other so long as both have the same SSID?
(2) The reception alone of a WiFi signal is useless until the STAtion initiates association with that SSID, which at that point constitutes an intent to use a resource.
(2a) Just as many will say that "all routers being shipped since blah-blah-blah will have security enabled by default", I could argue that all STAtions have a setting to auto-join known or even open wireless SSIDs, which COULD be turned off or set to ONLY join known SSIDs. For Security purposes, I would recommend disabling the setting of joining open SSIDs which are not otherwise configured on the device.
(2b) At the point that the STA-to-AP association is complete, there is a broadcast by the STA for an IP address which would be fulfilled by a DHCP server. So, now is having a DHCP server stating an intent for the entire neighborhood to freely use that as well?
(2c) Once an IP address is assigned, then the STA begins consuming bandwidth, very likely diminishing the value of the connection for the legitimate owner(s). At this point, theft of service has been committed.
(3) To the posts saying that logging into the owner's AP administration page or any other device recognized on the owner's network, that THIS is crossing the line. What if the admin credentials on the AP had been left at default? What if the owner's Windows machine has sharing enabled and the machine name is being broadcast on the network, as is almost always the case with Windows? Or, the Windows machine has Remote Desktop Protocol enabled? Is an "unauthorized user" supposed to infer that if he/she was able to openly gain access through the AP, gain an IP address from the DHCP server on the AP, and then receives broadcast UDP traffic from a Windows host with no security on a file share is ONLY THEN crossing the line and now has "HACKED" something that was very easily known just by listening?
IANAL, but I see very many places where these arguments fail when asserting that either broadcast SSID, that no password, or that both means fair use for anyone within range. I especially don't understand those who would say that accessing a broadcast, unsecured SSID is all good but then accessing anything local to the owner's network would be theft or trespass, while to bypass the local network and consume bandwidth on the Internet connection itself is then fair use again. You can have it one way, or the other, but not both! Either it is totally off-limits without express permission, or anything is fair game!
Lastly, for those who know enough about WiFi to know the terms WEP or WPA and think that you are espousing some wisdom related to Information Security, please forget those terms and never mention them in public again. WEP has been exploited for about 15 years now, and WPA1 with either AES or TKIP has for about 8 years. Only WPA2/AES, preferably with 802.1x authentication of the STA and the User, are true security for now (2017-06-27), but not forever! By mentioning WEP or WPA, and not specifying WPA2, others who may happen upon this thread may infer some technical merit in that and assume that they are secure with either of those when in fact they are even more of a target, because now they are signalling that there is something they want to keep outsiders from, but any 12-year-old would be able to break into it in a matter of minutes. Sure, this would be crossing the line into illegal territory and while we may have something to charge the offenders with, we aren't doing a DAMN thing to deter them by using WEP or WPA. If we want to talk about the next responsible attempts that AP vendors (and I work for one) could do to improve overall security, it would be to remove the code and administrative options to configure both of these legacy measures of OBSCURITY, *and* to make cloud-management of the AP easier (mandatory) such that some level of authentication of the user and machine is more readily available to the intentional non-Enterprise users. Shame on them for not doing it yet!
Personally, I favor enabling Guest access but not Open access, then we require some form of handshake that you've seen and agree to my terms and I allow you to use my resource within all legal bounds, so long as your use is not detrimental to mine. This would leverage a captive portal with an SMS PIN or some common hotspot user authentication framework, so that in the event that the RIAA/MPAA, or two MIB from an TLA come knocking on my door, I have some potential means of attribution of the wrongdoing. Then again, these may just be additional veils of Obscurity without meaningfully augmenting Security one bit.
Look forward to the responses....
Techdirt has not posted any stories submitted by RobTX.
Kicking an old thread which still has bad analogies
WiFi is similar in really only one respect, for all those that say a broadcast SSID and/or no password is essentially the same as an open door or window, in that a STAtion (wifi device) within range literally cannot un-hear the signal as it is broadcast by the AP. At the same time, the rightful owner is not (yet) deprived of anything simply by another off-property person being able to receive the WiFi signal.
That is where the similarities end, for multiple reasons:
(1) It is considered Industry Best Practice to enable an SSID to be broadcast as it simplifies connections and preserves mobile device battery life. Note that I am NOT advocating for no password.
(1a) Broadcast or NOT broadcast should neither be a technical security measure, nor a legal basis on which to form the rightful owner's intent for usage of the SSID.
(1b) Sometimes an SSID may be set to broadcast and left with no password, while the owner is troubleshooting a problem. Maybe, they forget to immediately reset the security credentials to be required, once troubleshooting is complete. Does this oversight by the owner constitute authorization to use? I think not.
(1c) Not setting an SSID to broadcast does NOT mean that it is never transferred in a WiFi frame and it would be a trivial effort to capture enough WiFi traffic to be able to determine what the SSID is, without hacking anything, just simple deduction and analysis.
(1d) Suppose a new neighbor moves in and, unwittingly, sets up their WiFi SSID and it ends up being the same as another neighbor's within range. Now, who is the rightful owner of that SSID literally being transmitted by two distinct owners and how would one convey trespass when there is no way to distinguish one from the other so long as both have the same SSID?
(2) The reception alone of a WiFi signal is useless until the STAtion initiates association with that SSID, which at that point constitutes an intent to use a resource.
(2a) Just as many will say that "all routers being shipped since blah-blah-blah will have security enabled by default", I could argue that all STAtions have a setting to auto-join known or even open wireless SSIDs, which COULD be turned off or set to ONLY join known SSIDs. For Security purposes, I would recommend disabling the setting of joining open SSIDs which are not otherwise configured on the device.
(2b) At the point that the STA-to-AP association is complete, there is a broadcast by the STA for an IP address which would be fulfilled by a DHCP server. So, now is having a DHCP server stating an intent for the entire neighborhood to freely use that as well?
(2c) Once an IP address is assigned, then the STA begins consuming bandwidth, very likely diminishing the value of the connection for the legitimate owner(s). At this point, theft of service has been committed.
(3) To the posts saying that logging into the owner's AP administration page or any other device recognized on the owner's network, that THIS is crossing the line. What if the admin credentials on the AP had been left at default? What if the owner's Windows machine has sharing enabled and the machine name is being broadcast on the network, as is almost always the case with Windows? Or, the Windows machine has Remote Desktop Protocol enabled? Is an "unauthorized user" supposed to infer that if he/she was able to openly gain access through the AP, gain an IP address from the DHCP server on the AP, and then receives broadcast UDP traffic from a Windows host with no security on a file share is ONLY THEN crossing the line and now has "HACKED" something that was very easily known just by listening?
IANAL, but I see very many places where these arguments fail when asserting that either broadcast SSID, that no password, or that both means fair use for anyone within range. I especially don't understand those who would say that accessing a broadcast, unsecured SSID is all good but then accessing anything local to the owner's network would be theft or trespass, while to bypass the local network and consume bandwidth on the Internet connection itself is then fair use again. You can have it one way, or the other, but not both! Either it is totally off-limits without express permission, or anything is fair game!
Lastly, for those who know enough about WiFi to know the terms WEP or WPA and think that you are espousing some wisdom related to Information Security, please forget those terms and never mention them in public again. WEP has been exploited for about 15 years now, and WPA1 with either AES or TKIP has for about 8 years. Only WPA2/AES, preferably with 802.1x authentication of the STA and the User, are true security for now (2017-06-27), but not forever! By mentioning WEP or WPA, and not specifying WPA2, others who may happen upon this thread may infer some technical merit in that and assume that they are secure with either of those when in fact they are even more of a target, because now they are signalling that there is something they want to keep outsiders from, but any 12-year-old would be able to break into it in a matter of minutes. Sure, this would be crossing the line into illegal territory and while we may have something to charge the offenders with, we aren't doing a DAMN thing to deter them by using WEP or WPA. If we want to talk about the next responsible attempts that AP vendors (and I work for one) could do to improve overall security, it would be to remove the code and administrative options to configure both of these legacy measures of OBSCURITY, *and* to make cloud-management of the AP easier (mandatory) such that some level of authentication of the user and machine is more readily available to the intentional non-Enterprise users. Shame on them for not doing it yet!
Personally, I favor enabling Guest access but not Open access, then we require some form of handshake that you've seen and agree to my terms and I allow you to use my resource within all legal bounds, so long as your use is not detrimental to mine. This would leverage a captive portal with an SMS PIN or some common hotspot user authentication framework, so that in the event that the RIAA/MPAA, or two MIB from an TLA come knocking on my door, I have some potential means of attribution of the wrongdoing. Then again, these may just be additional veils of Obscurity without meaningfully augmenting Security one bit.
Look forward to the responses....
Techdirt has not posted any stories submitted by RobTX.
Submit a story now.