• Welcome to Computer Association of SIUE - Forums.
 

Wi-Fi dilemma

Started by Matthew Thomas, 2005-03-15T01:15:33-06:00 (Tuesday)

Previous topic - Next topic

Matthew Thomas

I think I can safely say that anybody who has run a wireless network at home has, for at least a while, ran it without some sort of security before realizing the potential dangers that they face. (no mac filtering, no encryption, etc.)

Right now, I have my network encrypted using wep, but it is also filtered by mac address. So I may not be 100% secure, but given the hardware and software I have, I feel fairly comfortable, given the competence of my surrounding neighbors.

On to the point...

About three weeks ago, I noticed a new network pop up in my apartment complex. I thought what the hey, connected, and viola! internet access!

It didn't occur to me to poke around to see how far I could go until earlier tonight.

I found that my neighbor's network not only does not use any form of encryption, but does also not filter by mac. - consequently, multiple directories containing (I'm assuming) important information are marked as "shared" and are world writable to anybody who is on the network. I found this out because the wireless router being used on the network is a linksys 802.11b router, using the default username and password.

Now the Evil Andrew in me wants to exploit these vounerabilities to their fullest extent....

However, I remember a HCI class where we had to read "The Case of the Killer Robot" and as such, I don't think that would be the most ethical thing to do.

My dilemma is as such:
I would like to secure this neighbor's network, however,

I know what building the router is located, but I do not know which particular neighbor owns the router, and can not figure this out based on a naming convention.

I am assuming that this neighbor is a novice to wireless networking, so I don't want to do anything that would freak him/her out, and ruin first contact...(think "wake up neo")

I do not want to make any changes, only to "force" my neighbor to find me. (i.e. changing the SSID to my contact info)

Has anyone had experience in this kind of situation?

My first thought is to change the password on the router (the most subtle change)  and then attempt to make contact, thus enforcing the concept to my neighbor that this needs to be addressed.

But as of right now, I haven't made any changes.

WWCD ? ( What Would CAOS Do ? )

Thanks for any help.
Superman wears Jack Bauer pajamas

bill corcoran

you should just change the default administrative password.  it's already working the way it is intended by the manufacturer and end-user, and this prevents configuration abuse by would-be troublemakers.  if the rightful owner does get wise, they have physical access to the device and can do a hard reset to regain administrative access.

if you really feel obligated to notify them, get creative. maybe poke around for an e-mail address, name, or print something out on their printer.  personally, i'd just leave them be.  i've found most peoples' general attitude about security, including many computer "enthusiasts", is that they just don't care.
-bill

EvilAndrew

Playing devils advocate for a moment:
Pointing out people’s security problems is risky business.   Several students on campus had their computers confiscated by the State of Illinois for doing just that and six months later had not gotten them back.  This is despite the fact that everyone concerned believes that the contents of the student's hard drives will exonerate them (eventually).  Thus, my suggestion, however unethical and impolite it is, is to pretend that you never noticed the security problem.  This puts you on far safer legal ground, as you are not legally obligated to point-out this vulnerability; yet pointing it out (or even noticing it) may be legally defined as computer intrusion or â€Ã...“Hackingâ€Ã,.  

If you wait long enough, the general public (and eventually the law) will adopt a more technically informed view of security and will probably stop punishing people for trying to do the right thing.   The problem now is not that the law wants to punish do-gooders it is that it is not educated well enough to tell do-gooders from evildoers.
......

Guest

Posting an anonymous note somewhere in the apt. complex strikes me as a way to satisfy your innate desire to do the "right thing" while still staying above board, legally speaking.  

You could write something to the tune that there is an unsecured network somewhere in the bldg. and that someone's shared directories are out in the open like so much dirty laundry.  In fact, I'd post it in the laundry (room).  Everyone goes there sooner or later, don't they?  

Under no circumstance, however, would I encourage you to manipulate the hard drive in any way.  That would unequivocally be defined as "hacking" and could be a very punishable offense.  http://www.uslegalforms.com/lawdigest/legal-definitions.php/US/US-COMPUTER_CRIME.htm">Hacking is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer and is covered under federal and varied state criminal statutes.  They don't care why; it's enough that you went ahead and did it.  

*****************************
"People fear what they do not understand"

Matthew Thomas

It has been a while since I posted the dilemma, so I was thinking it was about time to update everyone as to what's been going on.

I followed Bill's advice, and changed the username and password. Everything else I kept the same.

It was probably about 2 weeks before anything changed. Every night I would attempt to log in, just to verify. On the evening of either the 2nd or 3rd of April when I noticed that the username and password had been reverted. (I guess that they figured something out!) I was going to change it back, but I thought about waiting. So I gave it an hour. When I came back to check, WEP was enabled. So I guess they figured something out.

The next night, they attempted to hide the network by changing the SSID to nothing. Not "", but "nothing". I guess whoever they talked to wasn't very descriptive when they were told to change the wireless network name.

At any rate, their network is now secure, and I get a good chuckle whenever I look at the available networks in the area.
Superman wears Jack Bauer pajamas

Brian Glass

If anyone has ever gone "Wardriving" in the Edwardsville/Glen Carbon area, one will find that there are a lot places around here, homes and businesses, that have "insecure" wireless netwroks.  I am one of them, and proud of it if I might say so.

When I first got my router and decided to set everything up, I read the manual, changed what I felt necessary, and left WEP disabled with no mac filtering.  You might be telling yourself, "This guy is a nutjob!  Leaving his internet open for whomever to use.  Wow?"  Lets just say that I like to share, and that I like others to share as well.  If I'm paying for an X megabit line to my house and not using it, I don't mind if anyone else uses it.  My shared folders on my hdd are Windows default and another folder called Everyone.  If anyone sees something they like on there, they can just take it and I really wouldn't care.  It just saves them the trouble of locating it on the Internet.  If for some rason I notice that my connection is going a little bit slower than usual, I just log in to the router for a second, check out everything, and if something/somebody is abusing the connection I just set up a mac filter for them for a week or so.  I said that I like others to share because if I'm driving around and my buddy has his laptop with him and we need to look up what time Sin City is playing tonight, for example, we just hop onto someones connection for a second, see what time the movie is playing, and leave the connection.  Just think what it would be like if everyone shared their connection.  You could drive through all major cities with a constant connection, little slow, but still just enough to search eBay for new computer parts.  That would be nice.

I guess now this is lingering more on the topic of Socialism with everyone sharing.  I know that this will simply never be done for the fact that are people in the world who would abuse the system.  Also, I believe that the general population do not know much about networking and possible threats of hacking and hijacking so really the only people who benefit would be the ones who understand the security risks.

My next door neighbor has a high speed dial up connection and a wireless router.  If Charter goes down for me, I'm not at a complete loss, I just use his until Charter comes back on.

This is a very sticky topic and is a great topic for a debate.  I'm going to be late for class, but I'll put some more input later.

Also, did you ever think that maybe they wanted there network like that just as I do?

William Grim

I agree with Andy that you should not have changed their password.  You can get into legal trouble, and you should've just left a note saying the problem should be resolved.
William Grim
IT Associate, Morgan Stanley

Matthew Thomas

Glassprograms, nothing against your personally, but I just feel that leaving a wireless network insecure is wrong.

I'm looking at it from this perspective:
I don't know how much/little you have to work, but for me I have to work a few hours to come up with my $30/month internet payment to charter (used to be more than that). As such, I don't think it's right that someone else should benefit from the fruits of my labor without some kind of compensation. Encryption and mac filtering ensure this to a good degree.

Now with that said, once you've paid for access to your home, it is up to you what you do with it. I think that if someone wants internet access, they should pay for it. I know I have to.
If you want to give it away, that's your decision. You pay for it. More specifically, you are allowing someone else to use for FREE what you have to pay for.

Finding an open access node in a residential area makes me feel like a sucker that I'm paying for something that I (or my neighbors) could be getting for free.

This is why I believe that wireless networks should be protected. It grants access to those who should have it, and denys access to those who should not have it.
Superman wears Jack Bauer pajamas

bill corcoran

ianal, but, i believe that in order to get into legal trouble, you have to do something illegal.  he just used the wireless router device exactly as the manufacturer developed it to be used and the consumer configured it to be used.  i see no signs of attempt or intent to prevent access (making it "unauthorized access", which, afaik, is what is used to discriminate legal use from illegal use).  had he used this access to do something illegal is another story.

i think that, in actuality, leaving a note is infinitely more likely to stir up some sort of trouble for yourself, legal or otherwise.

i don't think there is anything wrong with having open access, but there is definitely something wrong with not changing the default password.  these are two drastically different things.  if you like to share, fine.  i regularly use unprotected APs, i'm glad people do (or don't know not to) share their access.  but if you give FULL access, you're just making yourself vulnerable.

i also pay for my own access at home, which i do not share.  i simply don't want to risk anyone else doing anything illegal on my net connection.  if this happens, who is gonna catch hell for it? me.  not worth the risk.  i don't think an open ap is a valid alibi.

http://www.cybercrime.gov/cclaws.html

i don't see anything in there that says "if you don't own it, don't use it".  if there were a door in your house, that was open, and without any notice, verbal, visual or other, that you couldn't walk through it, wouldn't you say it's OK to do so?  so why not respond to radio waves being broadcast into your house in the same way?
-bill

Guest

QuoteYou can get into legal trouble, and you should've just left a note saying the problem should be resolved.

Leaving an note causes it's own problems.  If I lived in an apt and I saw a public note telling of an insecured network I'd be reeeallly tempted to see what the note was talking about and try to connect to it.

raptor

Bringing an old post back to life here.....

Got a new laptop for X-mas.  Very nice , very fun.  Today I was uptown when I ran across an open network.  30 seconds later I'm checking my email.  Out of curiosity I checked to see whose network it was.  To my surprise I discovered it belong to a local law office and someone (most likely a secretary) had left what is most likely THOUSANDS of confidential legal documents out in the open across the airwaves.  

Being the moral small town kid I am I intend to leave an anonymous letter in their mail box informing them of there lack of security and that this information is available to the world. I have NOT downloaded any of this material.  

I believe this is the best course of action.
1) I'm letting them know of the issue
2) I have not copied the information
3) They don't know who I am, there for I'm covering my own  
   butt

So yes, I have seen some other open networks and not said anything, or tried to make contact(in person or otherwise).  But I thought that there was much more at risk here:  both the legal office's obligations to confidentiality, and the personal lives of there clients.

Thoughts Anyone?
President of CAOS
Software Engineer NASA Nspires/Roses Grant

Michael Kennedy

My thoughts?  Your plan sounds nearly perfect to me.  How are you going to verify that it's been taken care of?  Logging back onto the wifi network could alert them that it was you (if they care enough to find out, but I'd bet they won't.)
"If it ain't busted, don't fix it" is a very sound principal and remains so despite the fact that I have slavishly ignored it all my life. --Douglas Adams, "Salmon of Doubt"

Guest

Well,

Its been about two weeks now, so I'm going to stop by some night and see if I can access (let my comp auto connect) again.  If it still works I'll send them one more letter and after that they are SOL.

Scott

raptor

President of CAOS
Software Engineer NASA Nspires/Roses Grant

Peter Motyka

I'd stay very far away from that network.  Steve Gibson, from grc.com, had informative Podcast discussions about open WAPs and the implications of using them.  He suggested that a good sameritan act like tipping someone off about their open WAP could be more trouble than its worth.  Afterall, could you prove that you didn't access the network and copy volumes of files, I doubt it.

Consider this situation.  You come home and find someone in your house:

You: "What the hell are you doing in my house?"
Intruder: "Oh, you left the door open, I was just leaving you a note to inform you of your poor home security."

So yeah, seems awkward, eh?  How would you know what the intruders *real* intentions were?

SIUE CS Alumni 2002
Grad Student, Regis University
Senior Engineer, Ping Identity
http://motyka.org