Monday, December 11, 2006


Forgive Us Our Trespasses

This is a re-post of an item I wrote for a company blog on 14 July 2005.

[On 7 July 2005], CNN/money reported about a Florida man charged with wireless trespassing for using someone else's open wireless network. The article explains that he was sitting in his car outside someone's house, and was arrested after the homeowner complained to the police — and after the police officer checked on the law. "Unauthorized access to a computer network" is a crime in Florida (and in other states), and the man clearly knew what he was doing, by virtue of his sitting in his car, and trying to hide his laptop when the resident saw him.

One part that I find particularly interesting is this one:

The sentence we'll seek depends on whether he was accessing the Internet for basic personal use, or using it for pecuniary gain — like identity theft — or other illicit reasons

I doubt we'd see the same thing in other contexts. I think that if someone, say, breaks the window of my car and is caught at it, it won't really matter whether he planned to steal the car or was just looking for a shady place to sit. This is not the same thing, of course, but I find it interesting that they seem more concerned about his motives than they might be with other crimes. (In fact, I think we should take the perp's motives into account more than we do — and perhaps we do take them into account more than I'm aware of.)

How many of you have used an open network without asking, just because it was open, and with no ill intent? [Barry raises hand. Barry sees other hands raised too, yes, he does.] Let this be a warning to you. I have never done it in a skulking manner, and if I were confronted I would apologize to the owner of the network and assure him/her/it that I meant no harm and would not do it again. Still, that's no guarantee that I wouldn't be arrested.

On the other side, we should all follow reasonable precautions about setting up our own wireless networks. I hope you all do these, but I'll review them anyway.

  • Change the SSID on your network from the default. (It's actually hard for me to imagine how someone could be expected to know that a network was private when the owner left the SSID as "linksys" or "NETGEAR", or, worse, the D-Link default value, "default". Cisco used to use "tsunami"; I wonder if they still do.)
  • Configure your router or access point not to broadcast the SSID. That, combined with the previous item, means that casual users will not be able to use your network, and anyone who does use it can be deemed to have clearly "broken in". This isn't any real security, of course, because the SSID is sent during the protocol negotiation, but it means that the simple "look for networks" actions won't find yours, and that will be enough to keep most people out.
  • Despite the uselessness of WEP for real security, use WEP.[1] Use 128-bit WEP. Anyone who really wants to can break this, but it takes overt action and some level of expertise (at least to know where to get the software that'll do it) and determination. Again, casual users will not go there.
  • While I'm at it, and although this has nothing to do with security: always enter your WEP key as hex values, not as an alphanumeric string. This is because not all vendors convert the character string to a hex key in the same way, so you may have interoperability problems if you use a "convenient" character string. It might be easier to tell your friends that your WEP key is "RutabagaPrune", but that isn't of much use if half of them can't get to your network that way.

[1] Update to present time: Better, use WPA if your router supports it. The only thing is that not everyone's network hardware/software supports that, so if you use WPA and not WEP, some friends may not be able to use your network.

No comments: