Pirating in Portland about to get easier.

[AlecWest]

Some of you may remember this story I related a while back regarding a potential problem dealing with music and video pirates. Here's the scenario.

A friend of mine moved into a new apartment. He had 2 computers. He wanted to get broadband for his main computer and, via router/nic, allow his 2nd computer to piggyback off his main computer's connect. However, before he contracted for broadband service, he noticed his second computer could already access the net. He was obviously able to piggyback off the internet connection of someone who lives close by (unbeknown to them). So, instead of getting a router, he just bought a 2nd wireless NIC for his main computer and it, too, could access the piggybacked connection. As of yesterday, the connection for him is still working. All he had to do was get a web-based email address ... and everything else is free.

The problem for the RIAA and MPAA is obvious. If someone so stealthily connected chose to pirate MP3s or movies, there'd be no way they could catch them. At best, they could attempt to bring charges against the person who had the wireless router ... a totally innocent person, oblivious to the nefarious use of his signal.

Well ... in Portland, Oregon, the problem is going to get even harder than that. In fact the problem probably already exists in a number of California towns. A provider named MetroFI is offering "free" wireless broadband internet access in 8 California cities and is expanding into Portland, Oregon and Aurora, Illinois. At this point, their closest hotspot is 8 blocks away from me (sigh). But, that may change by the end of the year.

MetroFI's free service has no "customers" per se. There are no special software download requirements nor are there any registration requirements. The free service is paid for by forced browser ads delivered to customers. In short, everyone is anonymous ... and all IP numbers belong to MetroFI.

And, MetroFI is just one provider. A number of other free wireless internet services are popping up all around the country. And if they become popular, this is going to be a real headache for copyright watchdogs.

http://www.metrofi.com

[Noahtuck]

That's funny that you posted this.
Last month my oldest daughter bought a laptop for college & it has a wireless connection built in, not sure exactly what as i never had a laptop or wireless, i have not even seen the laptop yet.

Anyway's she live's in an apt., not on campus or anything, just a public apt. building not anywhere near school, and her and her BF fired it up and it connected online and has worked fine ever since, i asked her how or where they set up their wireless......
They go, we didn't.... we just turned it on and it has worked ever since
so someone nearby must have it and they must have just hooked into it

[SquirrelDip]

If the company (or an individual for that matter) knows how to protect their connection and knows that if they do not protect that someone will likely connect and knows if someone connects they will likely use the connection to download P2P then isn't their not protecting negligence?

[thecoalman]

I got a guy across the street from me with a unprotected connection, I even told him about it... Guess he don't give a shit.

[Lucifers_Ghost]

I have my wireless connection encrypted with WEP (I think .. the 26 or 28 digit one). Anywho .. when I go into my nic card and search for other available networks, I find 5 that I can and have connected too (just for purposes to see if they were encrypted or not).

I have always been tempted to use their connections but since I know its illegal, I dont. Mind you, a few years ago I would have.

People are silly. Im not computer wizard by ANY stretch (as evidenced by my above lack of "key" knowledge) but its not hard to encrypt your network. In fact, its relatively easy compared to some other things.

To each their own I guess. They will learn the hard way one day.

LG

[SquirrelDip]

... since I know its illegal ...

Is it illegal? Or is it just against the rules of their provider?

Wouldn't them having an open network be an invitation for you to connect?

[Lucifers_Ghost]

... since I know its illegal ...

Is it illegal? Or is it just against the rules of their provider?

Wouldn't them having an open network be an invitation for you to connect?

Er, I thought it was illegal.

Hmmm ... is not seeing a speed limit sign on a given street an invitation to speed? lol I mean, we know what the limit is on a "normal" street. Just cause its not posted means nothing :P

[thecoalman]

Is it illegal? Or is it just against the rules of their provider?

Wouldn't them having an open network be an invitation for you to connect?

I did a quick search and didn't come up with much, this guy however got aressted for it: http://money.cnn.com/2005/07/07/technology/personaltech/wireless_arrest/

"The arresting officer wasn't initially sure a violation took place," said George Kajtsa of the St. Petersburg Police Department. "He consulted our legal staff and they looked up the relevant statute."

The charge, unauthorized access to a computer network, applies to all varieties of computer network breaches, and gives prosecutors considerable leeway depending on the severity. It carries a potential sentence ranging from probation to 5 years in prison.

If it's not specifically illegal you can bet that it will be, I'm surprised that I couldn't find more on it, the laws probably have not caught up to the technology yet. I'd imagine any state that has a law on the books that breaking into a network is illegal could be applied such as it was in the aforementioned article. The fact is you would stealing a service from someone else, whether they left it wide open is irrelevant. If you leave your front door open that's not an invitation for someone to walk into your house, the same can be applied to a wireless network.

[SquirrelDip]

My point is that if there are organizations that give it away for free then isn't your only way of knowing it isn't free would be the fact that the connection is protected?

Let's take your example of that house with an open door... Put a store beside it. How do we know we can go in the store but not the house? Pretty easy, there's a sign on the store saying it is a store. With the wireless we don't have any way of seeing a storefront (or an "open" sign) - our only real way of knowing that we are not invited in would be that the connection is protected.

So, as long as there are groups giving away connections any open connection should be an invitation to hook up.

[thecoalman]

That's a pretty good point but I would imagine it would be the responsibility of the person connecting to the network to determine that they are connecting to one that is inviting them. My neighbor for example had used his last name to name his connection which is why I knew it was him. His would clearly be one that could be identifiable as a private connection, mine on the other hand is just a bunch numbers... Supposing I left mine open in a na area where there were public connections available, I don't see why I shouldn't expect the same protections under a law that he gets just because someone can't determine if the connection is public or private.

[SquirrelDip]

Don't get me wrong - I'm not disagreeing (entirely), I'm playing devil's advocate. The main point is that it is so easy to protect your wireless connection you are prudent to do so.

I have a wireless router at home. I use it for my laptop and a shared computer in my living room (shared keeps Wife & Daughter out of my office and away from my computers). It has happened that my router was down (for whatever reason) and the shared computer automatically connected to an available open connection. Wife/Daughter never knew they weren't connected to my router - I didn't know until they bitched that they couldn't print... Have I done something illegal?

Another example... Say I want to share my connection... This may be against my ISP agreement but not illegal. If someone driving through the neighborhood connects with his laptop has he done something illegal?

Let's say all in my neighborhood have wireless routers and all decide not to protect. In this way anyone in the neighborhood can sit at the little park and watch their kids while working on their laptop. Once again, this may be against your ISP agreement but not illegal.

I think any of these examples are possibilities.

[thecoalman]

The main point is that it is so easy to protect your wireless connection you are prudent to do so.

Absolutely, concerning the original topic title using my connection to upload pirated movies would be the lest of my concerns, that's pretty trivial when you consider some of the other things someone could do with an open connection. That brings up another interesting example, if you're providing free access such as the company mentioned above who's going to be responsible if someone does something illegal online? If they can just connect at will they are pretty much untraceable.

Those are real possibilities that you have given but when you break the law ignorance of the law isn't a defense nor would not being aware that you were breaking it.

[Conquest10]

A lot of people still do not know how to protect their connection or know that they should or can (read mostly Apple users). People think they just turn it on and provide the username and password for the connection and thats it.

[SquirrelDip]

"ignorance of the law isn't a defence" - Absolutely!

If someone attached to my wireless does something illegal then he is responsible for his actions. No question about that.

But, my examples were given to make a point the the act of connecting to an open wireless connection should not be illegal (as long as the connection is not used for illegal activity). Now, should the owner of the wireless router be liable for the actions of those who connect?? This is the tough question.

I'm going to answer no. Is your ISP responsible for your actions? Is a newspaper responsible for people advertising stolen goods? Is the telephone company responsible for people... etc...

How do you trace/record who's connected? Should I have to? What has to happen is the powers have to find another way to catch the bad guys.

So let's look at this from another point of view. Say I have my wireless connection protected - the only connections come from people under my control. If my daughter were to download a copyrighted movie then I am liable for her actions. Now lets say I leave my wireless open and my daughter downloads that same movie. Unless the powers actually confiscate her machine I shouldn't be liable.

So. Is it more prudent to protect your wireless or not to protect?

[thecoalman]

Now lets say I leave my wireless open and my daughter downloads that same movie. Unless the powers actually confiscate her machine I shouldn't be liable.

Basically the reason it should be illegal. A) you are providing an avenue for people to do such things, we all knoiw that criminals woldn't connect to a unprotected connection if it was illegal. B) More importantly you are leaving the possibility that the owner can claim ignorance... "Wasn't Me!"

In conclusion I would suggest that it be illegal for someone to connect to an open connection and that it also be illegal for the owner to leave it open.

[SquirrelDip]

Once again - I'm not dissagreeing with you. But how do public hot spots operate? Are the owners liable for the actions of those that connect?

[thecoalman]

Are the owners liable for the actions of those that connect?

I don't know but I would think they should be. If they can't be held responsible now It will only take one high profile case for media to sink teeth in and it will be. Again with the analogies but if you had a car that you left thekeys in for anyone to use and someone got all boozed up and killed someone you would be partly responsible.

[lordsmurf]

Not the dumbass keys in the door" analogy. Mr Jack Valenti.

Maybe consider the satellite tv analogy. It's more accurate. The rule right now is "just because it's beamed your way doesn't mean you have the rights to access it".

I personally think that logic is bullshit.

But when it comes to FTA and free wireless, there are no rules.

[SquirrelDip]

The problem isn't so much watching satelite it's decrypting the signal. Hence breaking into a protected wireless would be illegal but not if it were open.

So why insn't your ISP, even partially, liable for your actions on their connection?

[AlecWest]

To each their own I guess. They will learn the hard way one day.

LG

There may be nothing to learn, the hard way or any other way (grin). The 2nd half of my post dealt with the proliferation of "free" wireless broadband internet providers. MetroFI is a totally unprotected network - except by physical distance from a hotspot. In my own case, right now, I have Comcast. But when MetroFI's region expands 8 more blocks to the east (my area), it will be hard to justify spending $50 a month for something I can get free and legal. For me, the only important thing is that my broadband phone service is compatible with MetroFI (and works). If it does, Comcast will probably be history.

Nowadays, the law is not proactive, it's reactive ... not stepping in to close the proverbial gate until after the horse has left the barn. Protected wireless connections should have been mandated a long time ago ... but, they weren't. And, I don't think the complaints will arise until MetroFI is already serving a million or so local people.

FWIW, I never even thought (duhhh) to put in a wireless NIC first to check for connections before signing up with Comcast. It just never occurred to me. Later this year, I'm getting a much newer computer system. But in the next month, I'll be getting a laptop for my zillion trips to the library (and trips out of town). And, it will be WIFI ready. If I can find a strong broadband connection ... and if I can somehow figure out how to run my broadband phone off the connection ... my Comcast addiction may end much sooner. MetroFI is not the only local-area broadband wireless provider, just the newest one on the block.

[SquirrelDip]

@AlecWest : Do you have to sign up for MetroFI? Or simply attach?

If you simply attach to their service how do their monitor who you are and your activities?

[thecoalman]

weSo why insn't your ISP, even partially, liable for your actions on their connection?

Because they can point the finger at you and say he did it...

[budz]

Funny how I just had a conversation with one of the administrators in my office who said she thinks she encrypted her home network. I told her I have no experience with wireless but I do know that it should be encrypted to protect anyone else from accessing the internet and her computers.

Here's a interesting article about security for wireless networks:

http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2007/03/12/BUGGDOHBCQ1.DTL&type=tech

When many of the computer industry's top security gurus gathered in San Francisco last month for a conference, an Atlanta company decided to point its radar toward the airwaves and see how much of the show's wireless activity it could see.

[Podcast: TED takes on everything from touch-screen monitors to global warming ]

The distressing and ironic answer? The Boston hackers could eavesdrop on more than half of the wireless traffic ... at a security conference!

If most of the people attending last month's RSA Conference have not taken the basic precautions to protect their online activity while using public Wi-Fi, then what of all those civilians setting up shop in cafes and airports?

In short, say computer security experts, people are putting themselves at risk every day.

The risk could be reaching one of its highest levels as the country approaches tax season and some of the most sensitive personal and financial information travels the Wi-Fi airwaves. More than 73 million people filed their taxes electronically last year, according to the Internal Revenue Service, and 46 million have already done so this year.

"When it comes to wireless security, there is a profound amount of user indifference. You don't really see what you are getting yourself into," said Amit Sinha, chief technology officer of AirDefense, the Atlanta company that conducted "wireless airwave monitoring" one morning at the RSA Conference. AirDefense found that 56 percent of 623 devices -- laptops, cell phones, personal digital assistants and PCs -- were susceptible to attacks.

Sandra Toms LaPedis, area vice president and general manager of RSA Conferences, said the conference's Wi-Fi network was secure -- and in fact drew complaints because it was so hard to access. But companies with booths at Moscone Center set up their own wireless networks, which were much easier to compromise.

"It underscores the battle (information technology) professionals are undertaking in corporations, as they try to get their people to understand the risks that are out there," LaPedis said.

The risks are everywhere, not just in the cafes.

"Wi-Fi, as implemented out of the box, is not only not secure, it's promiscuous," said David Perry, director of global education for Trend Micro, a Japanese maker of security software.

If you use it at home, you're likely to be opening yourself up to attacks unless you take precautions. If you use Wi-Fi in a cafe, "It turns your network into a radio station," Perry said. Or you could be connecting to an "evil twin" -- a Wi-Fi network set up by a bad guy posing as the cafe's network.

And if you use a publicly available computer, such as one in a library, "assume that it's compromised," Perry said. "A lot of those are infected with keyloggers, screenscrapers, bots, rootkits, data stealers, all kinds of stuff."

At the Black Hat Convention in Washington last month, where security experts gather to marshal forces against the dark side of computing, Robert Graham of Errata Security, a high-end firm in Atlanta, demonstrated his new tool, Ferret. It impressed even the wizards at Black Hat with its ability to watch all the traffic in a network. Graham has made the tool available free on his Web site.

"We demonstrated how open people are, and how much they're broadcasting to the world, even if they're using (security tools such as) virtual private networks and encryption," Graham said.

In addition to the threats in public, many people do not secure their home Wi-Fi networks, sometimes because of the hassle, and sometimes because of an egalitarian impulse to share their Wi-Fi. After all, many well-meaning people have participated in "wardriving," the practice of driving around a neighborhood until you find a connection you can piggyback onto without needing a password. Sinha at AirDefense said the Web site www.wigle.net lists more than 9 million such connections that users have entered, a number growing daily.

"The home presents even more vulnerabilities than hotspot environments," said Stu Elefant, senior product manager at McAfee Inc., the security software firm in Santa Clara.

"With wireless networks, your data is being transmitted over the open air," Elefant said. "Anyone can grab those data packets. And they can jump on your home wireless network to do bad things to you, and to other people. It's as if they came in your front door and plugged into your network. They can look for vulnerabilities, out-of-date security software, unpatched operating system holes," and they can set up your computer as a "bot" or "zombie" that they can use for other attacks.

"Wireless gives them a semblance of anonymity," he said. "They can launch spam on other people, launch virus attacks on other people, steal pirated material, and the homeowner is the one who is going to get the knock on the door from the FBI."

And while it might feel unlikely that someone will drive through a particular neighborhood looking for a Wi-Fi network to exploit, Elefant said they don't need to. "It's been proven through Defcon, an industry trade association, that wireless networks can be connected to from 100 miles away with a high-gain antenna."

But all the scary rhetoric doesn't mean there are no solutions out there. There are many things people can do to make themselves safer, but those things often mean spending a little money and time.

Two of the most popular solutions are from Bay Area security software companies Symantec and McAfee. McAfee Wireless Protection sells for $29.99 for a year and its flagship McAfee Total Protection is $59.99. Total Protection offers a more complete suite, including firewall, backup, antivirus and antispam. Symantec's Norton Internet Security 2007 features antivirus and firewall, among other things, and is priced at $69.99 for a year's subscription; Norton 360 is $79.99 for one year and includes backup and tuneup, and is billed as being more comprehensive and easier to use. Both companies' products may be installed on up to three machines.

One small free solution is from San Francisco's OpenDNS, which offers a new approach to the Internet's Domain Name System. While OpenDNS says it can speed up Web cruising, it says one other benefit is that it can tell what is a real site and what is an "evil twin," even if there is no difference to even the most experienced user.

"Users who set up OpenDNS are prevented from getting pharming attacks when using compromised access points at Internet cafes," said David Ulevitch, the chief executive.

AirDefense also offers a free download, AirDefense Personal, that protects against evil twins, although most of its products sell for more than $1,000 to large corporations.

With the solutions available, people should feel somewhat safer in their online interactions. Run everything through what Paul Miller, managing director of Symantec's mobile security group, calls a "secure tunnel," and you should be safe.

"It's up to you to have good security," he said. "We want to foster confidence in a connected world." Safe wireless surfing

Security experts offer these tips when using wireless Internet access:

-- Use a suite of security software, including a firewall, like those available from McAfee, Symantec and Trend Micro. Make sure your software is up to date. Some companies, such as Webroot of Boulder, Colo., offer free scans of your system from their Web sites.

-- When logging on in a cafe or hotel, make sure you find out from an employee what the name of the network is, so you don't fall for a phony network set up by a hacker.

-- Change the password when you set up your router at home.

-- Try using OpenDNS, a free service at www.opendns.com, which will change the router's settings and, among other things, prevent pharming attacks (in which you think you're entering data at, say, your bank's Web site, but really you're at a fake site).

-- When on a secure financial site, make sure the address bar reads https (the "s" at the end stands for "secure") and that a picture of a lock shows up next to the address.

-- To get particularly tricky, when setting up your laptop, Robert Graham of Atlanta's Errata Security suggests giving yourself a gender-bending sign-in. If your name is Bob, make your sign-in Mary. Most hackers wouldn't suspect people of lying to their own computer, and it will throw them off the trail of your data.

-- If you get confused, call tech support for the router or the security software. You can also pay for a service like Best Buy's Geek Squad to fix the problem.

[SquirrelDip]

Overall, my problem with this whole matter is (not including your ISP's rules about sharing) that the only reason why an open wireless connection is wrong is that the Motion Picture Association and the Recording Industry would have a more difficult time catching someone using P2P. And we all know that whoever has the most money - wins.

[thecoalman]

I'd disagree with that, as i mentioned above if I had an open network that would be the least of my worries. Somone using it to commit other crimes such as trying to hack into a government computer, banking institutions etc... those would be on the top of my list. Uploading pirated video is a trivial matter compared to that.

[SquirrelDip]

If someone was going to hack into a government computer they'd hack into your network first... From what I've read, it's really not all that difficult.

[AlecWest]

@AlecWest : Do you have to sign up for MetroFI? Or simply attach?

If you simply attach to their service how do their monitor who you are and your activities?

You simply attach. That's the rub. The city fathers in Portland, Oregon decided they wanted Portland to be known as a WIFI friendly city ... where traveling businesspersons, conventioneers, and tourists could access instantaneous and free broadband wireless Internet.

The best they could do (regarding pirates) is tell the RIAA/MPAA which hotspot you were in when your computer accessed the net. And if you're a pirate with a laptop (and a car), that hotspot could change from one day to the next. Of course, we could allow the RIAA/MPAA to cordon off neighborhoods in a given hotspot zone and perform random Gestapo-like house-by-house searches (grin).

I suspect the reason why lawmakers haven't gotten "hot" on the issue of unprotected piggybacking is because they see the problem as small due to range issues. A given router owner probably could count piggybackers on one hand. But by the end of this year, MetroFI will count piggybackers by the millions. Multiply that by the hundreds of other free wireless broadband Internet providers springing up across the country and you have a recipe for DMCA calamity (not to mention a Homeland Security nightmare).

[dnix71]

You still have to spoof your MAC address to be completely anonymous. If someone had the traffic logs of you hijacking an open wireless connection, it would be pretty easy to show that someone other than the owner was using the connection.

I cost Office Depot an $800 sale one afternoon over this. There was a lawyer in front of me with an armload of expensive wifi stuff, and I asked him how he was going to secure/encrypt his connection. I didn't know much about wifi at the time and figured he could give me some free advice. He thought about my question for a few seconds and then put all the goodies back. He was in an office building and if I hadn't asked he would have put his clients records over the air unencrpted.

[AlecWest]

You still have to spoof your MAC address to be completely anonymous. If someone had the traffic logs of you hijacking an open wireless connection, it would be pretty easy to show that someone other than the owner was using the connection.

Yes, this proof would absolve MetroFI of any direct guilt ... but would still retain the anonimity of the culprit's human identity. And even then, a MAC address "can" be spoofed - making the rabbit hole go much much deeper. One thing, though - to put a fine point on the matter. If a wireless broadband Internet provider is granting immediate and unlimited access to their network, the term "hijacking" would not be valid.

The Grokster defense didn't work because the music industry could prove that the majority of people used it for purposes of copyright infringement. But Grokster didn't have the financial and legal backing of multiple municipal governments ... whereas MetroFI (and other providers) do. It would be an interesting court battle to watch (and we may very well watch it in the not-too-distant future).

[adam]

Connecting to someone else's wireless network without permission is called piggybacking. The term is also used for other types of technology like cell phones. The short answer is that yes, it is illegal. It has been sucessfully prosecuted under the Federal Computer Fraud and Abuse Act but the statute is ambigous so these are not slam dunk cases. But the act should quite clearly constitute theft of service under state law. As far as civil liability to the owner of the account, just about any intentional act that causes damage to someone creates civil liability under tort law. Just connecting and using someone's account doesn't cause any damage I don't think, but I could certainly think of examples where you could cause monetary damage. (ex: force them over some download/upload quota which allows their isp to charge them more.)

AlecWest if you read MetroFI's support section there is indeed a registration requirement before you can use even the free service. I don't know how difficult it would be to provide false information and still get registered, but if the information used is correct than a 3rd party can still, quite easily, trace you. The IP addresses may be "owned" by MetroFi but each user of the service is still assigned a unique IP address each time they log onto the service. So anyone witnessing an infringement on some P2P service would just trace the IP address through MetroFI and it would lead them straight to the MAC address of your access device. With accurate registration info they'd find you no problem. Without it, I don't know, they'd have your MAC address but may not be able to narrow down your location anymore than what hotspot you are using. But I tend to think that your registration is going to be linked to your MAC address.