I think I can safely say that anybody who has run a wireless network at home has, for at least a while, ran it without some sort of security before realizing the potential dangers that they face. (no mac filtering, no encryption, etc.)
Right now, I have my network encrypted using wep, but it is also filtered by mac address. So I may not be 100% secure, but given the hardware and software I have, I feel fairly comfortable, given the competence of my surrounding neighbors.
On to the point...
About three weeks ago, I noticed a new network pop up in my apartment complex. I thought what the hey, connected, and viola! internet access!
It didn't occur to me to poke around to see how far I could go until earlier tonight.
I found that my neighbor's network not only does not use any form of encryption, but does also not filter by mac. - consequently, multiple directories containing (I'm assuming) important information are marked as "shared" and are world writable to anybody who is on the network. I found this out because the wireless router being used on the network is a linksys 802.11b router, using the default username and password.
Now the Evil Andrew in me wants to exploit these vounerabilities to their fullest extent....
However, I remember a HCI class where we had to read "The Case of the Killer Robot" and as such, I don't think that would be the most ethical thing to do.
My dilemma is as such:
I would like to secure this neighbor's network, however,
I know what building the router is located, but I do not know which particular neighbor owns the router, and can not figure this out based on a naming convention.
I am assuming that this neighbor is a novice to wireless networking, so I don't want to do anything that would freak him/her out, and ruin first contact...(think "wake up neo")
I do not want to make any changes, only to "force" my neighbor to find me. (i.e. changing the SSID to my contact info)
Has anyone had experience in this kind of situation?
My first thought is to change the password on the router (the most subtle change) and then attempt to make contact, thus enforcing the concept to my neighbor that this needs to be addressed.
But as of right now, I haven't made any changes.
WWCD ? ( What Would CAOS Do ? )
Thanks for any help.
you should just change the default administrative password. it's already working the way it is intended by the manufacturer and end-user, and this prevents configuration abuse by would-be troublemakers. if the rightful owner does get wise, they have physical access to the device and can do a hard reset to regain administrative access.
if you really feel obligated to notify them, get creative. maybe poke around for an e-mail address, name, or print something out on their printer. personally, i'd just leave them be. i've found most peoples' general attitude about security, including many computer "enthusiasts", is that they just don't care.
Playing devils advocate for a moment:
Pointing out people’s security problems is risky business. Several students on campus had their computers confiscated by the State of Illinois for doing just that and six months later had not gotten them back. This is despite the fact that everyone concerned believes that the contents of the student's hard drives will exonerate them (eventually). Thus, my suggestion, however unethical and impolite it is, is to pretend that you never noticed the security problem. This puts you on far safer legal ground, as you are not legally obligated to point-out this vulnerability; yet pointing it out (or even noticing it) may be legally defined as computer intrusion or â€Ã...“Hackingâ€Ã,Â.
If you wait long enough, the general public (and eventually the law) will adopt a more technically informed view of security and will probably stop punishing people for trying to do the right thing. The problem now is not that the law wants to punish do-gooders it is that it is not educated well enough to tell do-gooders from evildoers.
Posting an anonymous note somewhere in the apt. complex strikes me as a way to satisfy your innate desire to do the "right thing" while still staying above board, legally speaking.
You could write something to the tune that there is an unsecured network somewhere in the bldg. and that someone's shared directories are out in the open like so much dirty laundry. In fact, I'd post it in the laundry (room). Everyone goes there sooner or later, don't they?
Under no circumstance, however, would I encourage you to manipulate the hard drive in any way. That would unequivocally be defined as "hacking" and could be a very punishable offense.
Hacking is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer and is covered under federal and varied state criminal statutes. They don't care why; it's enough that you went ahead and did it.
*****************************
"People fear what they do not understand"
It has been a while since I posted the dilemma, so I was thinking it was about time to update everyone as to what's been going on.
I followed Bill's advice, and changed the username and password. Everything else I kept the same.
It was probably about 2 weeks before anything changed. Every night I would attempt to log in, just to verify. On the evening of either the 2nd or 3rd of April when I noticed that the username and password had been reverted. (I guess that they figured something out!) I was going to change it back, but I thought about waiting. So I gave it an hour. When I came back to check, WEP was enabled. So I guess they figured something out.
The next night, they attempted to hide the network by changing the SSID to nothing. Not "", but "nothing". I guess whoever they talked to wasn't very descriptive when they were told to change the wireless network name.
At any rate, their network is now secure, and I get a good chuckle whenever I look at the available networks in the area.
If anyone has ever gone "Wardriving" in the Edwardsville/Glen Carbon area, one will find that there are a lot places around here, homes and businesses, that have "insecure" wireless netwroks. I am one of them, and proud of it if I might say so.
When I first got my router and decided to set everything up, I read the manual, changed what I felt necessary, and left WEP disabled with no mac filtering. You might be telling yourself, "This guy is a nutjob! Leaving his internet open for whomever to use. Wow?" Lets just say that I like to share, and that I like others to share as well. If I'm paying for an X megabit line to my house and not using it, I don't mind if anyone else uses it. My shared folders on my hdd are Windows default and another folder called Everyone. If anyone sees something they like on there, they can just take it and I really wouldn't care. It just saves them the trouble of locating it on the Internet. If for some rason I notice that my connection is going a little bit slower than usual, I just log in to the router for a second, check out everything, and if something/somebody is abusing the connection I just set up a mac filter for them for a week or so. I said that I like others to share because if I'm driving around and my buddy has his laptop with him and we need to look up what time Sin City is playing tonight, for example, we just hop onto someones connection for a second, see what time the movie is playing, and leave the connection. Just think what it would be like if everyone shared their connection. You could drive through all major cities with a constant connection, little slow, but still just enough to search eBay for new computer parts. That would be nice.
I guess now this is lingering more on the topic of Socialism with everyone sharing. I know that this will simply never be done for the fact that are people in the world who would abuse the system. Also, I believe that the general population do not know much about networking and possible threats of hacking and hijacking so really the only people who benefit would be the ones who understand the security risks.
My next door neighbor has a high speed dial up connection and a wireless router. If Charter goes down for me, I'm not at a complete loss, I just use his until Charter comes back on.
This is a very sticky topic and is a great topic for a debate. I'm going to be late for class, but I'll put some more input later.
Also, did you ever think that maybe they wanted there network like that just as I do?
I agree with Andy that you should not have changed their password. You can get into legal trouble, and you should've just left a note saying the problem should be resolved.
Glassprograms, nothing against your personally, but I just feel that leaving a wireless network insecure is wrong.
I'm looking at it from this perspective:
I don't know how much/little you have to work, but for me I have to work a few hours to come up with my $30/month internet payment to charter (used to be more than that). As such, I don't think it's right that someone else should benefit from the fruits of my labor without some kind of compensation. Encryption and mac filtering ensure this to a good degree.
Now with that said, once you've paid for access to your home, it is up to you what you do with it. I think that if someone wants internet access, they should pay for it. I know I have to.
If you want to give it away, that's your decision. You pay for it. More specifically, you are allowing someone else to use for FREE what you have to pay for.
Finding an open access node in a residential area makes me feel like a sucker that I'm paying for something that I (or my neighbors) could be getting for free.
This is why I believe that wireless networks should be protected. It grants access to those who should have it, and denys access to those who should not have it.
ianal, but, i believe that in order to get into legal trouble, you have to do something illegal. he just used the wireless router device exactly as the manufacturer developed it to be used and the consumer configured it to be used. i see no signs of attempt or intent to prevent access (making it "unauthorized access", which, afaik, is what is used to discriminate legal use from illegal use). had he used this access to do something illegal is another story.
i think that, in actuality, leaving a note is infinitely more likely to stir up some sort of trouble for yourself, legal or otherwise.
i don't think there is anything wrong with having open access, but there is definitely something wrong with not changing the default password. these are two drastically different things. if you like to share, fine. i regularly use unprotected APs, i'm glad people do (or don't know not to) share their access. but if you give FULL access, you're just making yourself vulnerable.
i also pay for my own access at home, which i do not share. i simply don't want to risk anyone else doing anything illegal on my net connection. if this happens, who is gonna catch hell for it? me. not worth the risk. i don't think an open ap is a valid alibi.
http://www.cybercrime.gov/cclaws.html
i don't see anything in there that says "if you don't own it, don't use it". if there were a door in your house, that was open, and without any notice, verbal, visual or other, that you couldn't walk through it, wouldn't you say it's OK to do so? so why not respond to radio waves being broadcast into your house in the same way?
QuoteYou can get into legal trouble, and you should've just left a note saying the problem should be resolved.
Leaving an note causes it's own problems. If I lived in an apt and I saw a public note telling of an insecured network I'd be reeeallly tempted to see what the note was talking about and try to connect to it.
Bringing an old post back to life here.....
Got a new laptop for X-mas. Very nice , very fun. Today I was uptown when I ran across an open network. 30 seconds later I'm checking my email. Out of curiosity I checked to see whose network it was. To my surprise I discovered it belong to a local law office and someone (most likely a secretary) had left what is most likely THOUSANDS of confidential legal documents out in the open across the airwaves.
Being the moral small town kid I am I intend to leave an anonymous letter in their mail box informing them of there lack of security and that this information is available to the world. I have NOT downloaded any of this material.
I believe this is the best course of action.
1) I'm letting them know of the issue
2) I have not copied the information
3) They don't know who I am, there for I'm covering my own
butt
So yes, I have seen some other open networks and not said anything, or tried to make contact(in person or otherwise). But I thought that there was much more at risk here: both the legal office's obligations to confidentiality, and the personal lives of there clients.
Thoughts Anyone?
My thoughts? Your plan sounds nearly perfect to me. How are you going to verify that it's been taken care of? Logging back onto the wifi network could alert them that it was you (if they care enough to find out, but I'd bet they won't.)
Well,
Its been about two weeks now, so I'm going to stop by some night and see if I can access (let my comp auto connect) again. If it still works I'll send them one more letter and after that they are SOL.
Scott
oops forgot to log in :)
I'd stay very far away from that network. Steve Gibson, from grc.com, had informative Podcast discussions (http://www.grc.com/securitynow.htm) about open WAPs and the implications of using them. He suggested that a good sameritan act like tipping someone off about their open WAP could be more trouble than its worth. Afterall, could you prove that you didn't access the network and copy volumes of files, I doubt it.
Consider this situation. You come home and find someone in your house:
You: "What the hell are you doing in my house?"
Intruder: "Oh, you left the door open, I was just leaving you a note to inform you of your poor home security."
So yeah, seems awkward, eh? How would you know what the intruders *real* intentions were?
I think that analogy is slightly flawed. Since I doubt the owner of that network could prove you were in it, I'd assume it's an "innocent until proven guilty" thing. I can prove you were in my house if I see you there. (Well, as much as an eye-witness account can really prove anything.) I'd say it's more like you catch someone looking at your house and observing an open door- something that isn't a crime. I can see open networks without logging on and accessing any data.
Well,
Stopped by to check on that network today. Not only is it now secured with a 128 bit key, but they also lowered their signal strenght significantly ( i barely picked it up about 50 feet from the office).
So...
Mark one up for the good guys.
Scott
Good deal. I recently had a success story like that, too. I accidentally logged into an unsecured network in a neighborhood of nice homes when I was working on a client's home machine. I did a quick scan to see what they had and if anything had port 80 open. One thing did- some sort of DLink wireless card for an XBox. I changed some settings on there to make sure it wouldnt work anymore and the next day the whole network was secured with 128bit WEP.
The lesson: don't convince people they need security- just piss off their kids (thus, starting the chain reaction). I bet that was all it would take ot get more parents to set things up properly the first time. :)
And if they didn't know what you changed or how to secure it? You just cost them a service bill for some tech support company to send a guy out and "fix" their network you just busted...
I'm with Peter - even if the door is unlocked and open, it's still breaking and entering in the terms of the law. And as far as not proving who was in their network, that's a joke... While it is unsecured, so they most likely aren't as knowledgeable as one would hope to start with, some wireless routers track quite a bit of information that is transmitted over their networks. Do you want to guess that the feds have access to information on computers that are sold as assembled units if they need it? And that each laptop/tower sold has a serial number matched to a build sheet that lists the wireless device's MAC address? It doesn't take much to track computer users these days...
I'm also in accordance with leaving networks alone. I think Geoff makes a good point about possibly causing them financial loss, which is also a separate criminal offense. If you find yourself on an unsecured network by accident (ie your NIC has no essid set and chooses the first one it hits), then just logout and possibly leave an anonymous letter; however, don't go back once you know about the problem.
I figured my post would be an unpopular one, but I felt that some evil needed to be injected into this topic. It's hard to argue with these results, though. Now their network is secure and their data is safe(r) after just a little mischief on my part.
2 wrongs don't equal a right. Next time we'll just sneak into your home's window when it's cracked to let you know in the future that you shouldn't leave it open.
Sometimes people who don't realize that they have a problem need to be let known. Leaving a window open and breaking into a house is a horrible analogy. Everyone knows to lock their doors, but does everyone know to use 128bit encryption on their wireless connections?
Do people in the country lock their doors? Probably not.
Umm, well lets see here, I live in the country. And uhh, I can guarantee that everyone I know locks there doors. Now so far I haven't gotten into to this ethical issue only told my story. So here is how I see it.
YOU CANNOT RELATE THIS MATTER TO THAT OF DOORS AND WINDOWS.
Why?
Because those are both matters where people(in general) completely understand how they work, what they do and the risks involved with leaving them open.
Wireless networks are a different mattter. The general public is simply not knowledgable enough to know whats going on. In my case I DID NOT go LOOKING for the network, I happened to run across it. And in all honesty I chose to send them the letter because I hope that someone would have the common curtousey to do the same for me.
I could care less whether or not they could sue the pants off of me. I would have had a guilty conscious knowing that all that personal confidential info was out there and I had the ability to help protect it and did nothing.
I see it as a matter or doing whats right, regardless of what keeps my own butt out of the sling. Hell, if we always did what the law, and lawyers say is right we would never make progress as human beings. For crying out loud our Fore Fathers could have been killed for the risks they took , and they are the reason we have out FREE country.
You cannot always go by what someone says is right or wrong. You MUST go by what you KNOW is right.
Scott
*end rant*
You don't know many country people then. I know lots that don't lock their doors. Also, who are you to say you are right? Just because you think you are right doesn't mean you are; people need to learn things on their own. And you're right, they could possibly sue you, especially if you caused them financial loss.
QuoteYOU CANNOT RELATE THIS MATTER TO THAT OF DOORS AND WINDOWS.
Why?
Because those are both matters where people(in general) completely understand how they work, what they do and the risks involved with leaving them open.
Wireless networks are a different mattter.
AMEN. Raptor and I are on the same page, it seems. Ignorance is a problem that should be fixed- one way or another.
The bigger question is this- why do I keep forgetting to log in before posting? :)
Just as a side note, the few people I live around (in the country) that don't lock there doors are the kinda people I wouldn't want to meet in the middle of the night. Being on the recieving end of a shot gun isn't my idea of fun, but its what some of us call state 'o art security system. Fixes the problem, everytime. Guaranteed not to return. :gunfire:
Bring this back from the dead after the guy in WA got arrested for mooching on a coffee shop's WiFi for 3 months without a purchase...
Found this article on IL law and WiFi usage:
http://arstechnica.com/news.ars/post/20060323-6447.html
hmmm.... next time i can't find a network