I read something a while ago from an IP lawyer, he said that in such an occurrence they would instead just sue you for negligence.
There don't seem to be many wireless LANs using WEP anymore anyway because of the obvious security flaws. Perhaps some grandma with an old router could get away with claiming ignorance as a defence but the average HN reader probably couldn't.
As for the car analogy perhaps this would be similar to leaving your car unlocked knowing full well that it was likely to be stolen by criminals.
I don't lock my car, my house or my wifi. This isn't negligence, I do it on purpose. If somebody steals my car and runs over people with it, THEY are at fault, not me. And if somebody downloads "infringing" material over my internet connection, they are at fault. I really don't understand how this could be otherwise.
Suppose I invited a friend over to my house, and while I was asleep, they taped TV movies onto my VCR. Am I the one at fault because I didn't lock up my VCR? Is there any other place in the law where I am considered at fault when somebody else breaks a law? I'm not talking about "the getaway car", but more like "the guy who parked across the street from the bank and had his car taken by the robbers".
IANAL, but this depends if we are talking about criminal or civil law.
AFAIK in a civil case there would be more onus on you to prove that you didn't know what other people were doing with your stuff.
Also this would be affected by your circumstances, so if you work in tech/IT you might have a job arguing that you didn't know that running an unsecured wireless AP was a bad idea.
> Also this would be affected by your circumstances, so if you work in tech/IT you might have a job arguing that you didn't know that running an unsecured wireless AP was a bad idea.
Pointing to a renowned security expert saying he does the same might help, though:
If I were to leave my car unlocked in a high-crime neighborhood, my insurance may turn me down, but I still would not be liable for any crimes the thieves committed while using my car.
Then again, it's just an analogy, which holds little sway in a court of law.
An IP still isn't a person as your computer could be remotely controlled. Maybe grandma shouldn't have been so negligent when updating her Java package when a known zero day exists. Expecting anyone besides a HN dork to know WEP is outdated shows how closed-minded some of us are.
My point is that it's usually down to the ISP or whoever provides the router to make it secure. From what I have observed WEP routers are very rare in the wild so it would seem that they are doing their diligence here.
I'm also not sure how far ignorance goes as an excuse although this could well depend on whether we are talking about civil or criminal law. For example in pretty much any country there are literally thousands of laws that you are expected not to break. I doubt even veteran lawyers know all of these down to the letter, yet if I am charged with one of them that I have no knowledge of I cannot get away with saying that I didn't know it existed. In theory I guess it could be argued that you should never do anything without first consulting a legal professional.
Possibly a lawyer could say to grandma "If you didn't know anything about routers or Java updates, why didn't you hire an IT expert to configure your computer for you?"
> My point is that it's usually down to the ISP or whoever provides the router to make it secure.
Which ISP configures wifi routers? And I always see unsecured connections from default routers. Don't tell me you're never connected to the unsecured "Linksys" network..
Most ISPs in the UK do. Personally I use my own router but I have helped friends set up their connections.
Usually what happens is that they send a box with a router + modem + filters etc and instructions as to how to plug it all together.
They also give you a piece of paper telling you the SSID and key with strict instructions not to tell it to anybody.
I imagine the router also calls home at a regular interval and downloads updates automatically, so if there is a security issue it should be rectified relatively quickly.
Eircom, the largest telco in Ireland, shipped routers for ages where the WEP key was easily derived from the SSID. There are 3 of these on the street where I live.
Not sure what is meant by a "default router".
AFAIK you can plug in any router you like without committing a crime, but if somebody believes that they suffered as a result of you choosing an unsecured router they might have grounds to take a civil case against you.
As far as I can tell in my googling none of these negligence claims so far have been successful but there has been no clear judgement on this matter to be sure one way or another what might happen in future cases. Also bear in mind that these judgements might differ between jurisdictions.
I simply think that saying "open up your wifi, now you're no longer liable for anything that happens on your internet connection!" is very dangerous advice to be spreading.
I agree with you in principle but I don't think legal doctrine in most countries where filesharing litigation happens does. If your computer is compromised while used to torrent a movie, you'll have a hard time convincing a court of that ten months later.
It is also possible to crack WPA-2 networks, quickly and easily if WPS is enabled (mere hours), longer (or more costly) if it is not. I think it would be trivial to argue in court that if you have wifi it's a reasonable argument that your wifi might have been hacked and hijacked.
Citation needed here I feel.
All of the WPA attack methods I can find work on the basis of using precomputed SSID/Password combinations, sniffing the handshake and comparing against the list.
I've personally seen this used to crack a WPA2 network in < 2 hours. However this isn't a problem with WPA, and disabling WPS renders this attack vector useless. Though, as noted in the white-paper, some routers are intelligent enough to slow the attack down.
Yes, the 4-way handshake needs to be captured, and can be compared to a rainbow table (fast); however (and if I understand correctly), if it is not in the table you can then throw computing power at it to brute-force it (slowly).
Yes, it's really slow, and would take practically forever for any reasonably long/secure passkey, but it is possible and only going to get easier as time goes on. I think it gives anyone with a wireless network an 'out' by being able to say they must have been hacked, either because they left WPS on or used a simple short passkey.
However, I really have no idea if that would actually hold up in court.
In other parts of the world that's not a viable argument.
It was my local ISP the one who installed the WiFi with WEP and they don't provide the option to manage the router and disable it, even if I requested WPA2 explicitly.
The issue is that physical security (such as cars and houses) just works in different ways to information security. Although cars are starting to use secure ECUs etc.
For example, someone with enough brute force is always going to be able to break into your house and someone with enough patience and sneakiness is always going to be able to find an opportunity to steal your car keys.
You can always improve your physical security, but after a while the costs and inconvenience start to become unrealistic. You probably can't afford to fit your home out with bulletproof glass and bank vault style doors for example.
With computer security you can make the brute force (for example deriving an RSA private key from the public key) entry nearasdammnit impossible without spending really any money at all (just implement OpenSSL).
Of course the downside is that side-channel type attacks can render this security effectively useless. Even a crappy lock or a glass window provides some protection against thieves especially in the sense that they might be spotted when trying to bypass it.
On the other hand, having an information security system that uses strong encryption provides 0 protection against somebody who can use metasploit if the software itself is full of exploitable and publicly known bugs.
Which raises the question often brought up in various forms:
Is a person responsible if someone has been using his or her router for file-sharing because they were able to crack its WEP-encryption, while the accused in question hardly knows what a router is?
Most non tech people are just using an ISP provided router, every ISP that I know of provides a router with WPA2 and went around replacing old WEP routers a few years ago. I can't remember the last time a WEP network showed up on my smartphone.
Of course there are other ways someone may have broken into your network.
Actually, many routers have easily predictable WPA2 passwords. Based on the MAC address or the access point name, it is often possible to deduce the default key (which many/most people don't change).
It's not like WPA2 would be terribly secure either. One minute of googling directs you to a step-by-step tutorial using aircrack. WiFi is nice to have but one has to be aware of the security issues that arise with it.
All of the WPA2 attacks I've seen assume predictable SSIDs and Passwords.
Again, ISPs seem to be ahead of this. Looking in my local area most of the APs have names like "BThub543897534895" and I assume that the passwords are randomly generated.
aircrack-ng assumes pre-shared keys. Cracking long passwords is quite time-consuming (read: takes a VERY long time). They actually explicitly state that in their wiki. I'm not exactly sure but I think I read something about using GPUs to accelerate brute-force times with a speedup of 100x. That's quite substantial, however even with that brute-forcing is not an option here, which gets us back to the fact that an attacker will hope for a weak password, possibly in a dictionary.
You're right about ISPs being on the safe side with their SSIDs and passwords, but I think you're underestimating the users here. For the sake of it I've spent an hour and a half driving around town a year ago, logging locations of access points. I never did anything with the data except for looking at how access points are distributed across my town. Most of the AP names were common words or a combination of such. Concerning passwords, I've used wifi at friends and coworkers places quite a few times and most of them had weak passwords.
An attacker might just go and do some wardriving and randomly attack access points and I believe he'll find one weak enough without much of a hassle.
Bottom line it's the same as always: In the real world security isn't as dependent on technology as it is on how much the user is concerned with it. How that works out in a lawsuit is a different question though.
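Added illustration, not part of the thread: why precomputed tables only help against common SSIDs (WPA2-Personal salts the key derivation with the SSID) and how passphrase length changes worst-case search time. The guess rate and the passphrase profiles are assumptions chosen for the example, not measurements; the function names are this example's own.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speed in guesses per second (illustrative, not measured).
ASSUMED_RATE = 100_000

# Constructed passphrase profiles: (label, length, alphabet size).
PROFILES = [
    ("8 digits", 8, 10),
    ("8 lowercase letters", 8, 26),
    ("12 mixed-case alphanumerics", 12, 62),
    ("20 mixed-case alphanumerics", 20, 62),
]

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase drawn uniformly at random from the alphabet.
    Dictionary words and vendor-derived defaults have far less than this."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

def report(rate: float = ASSUMED_RATE):
    """Return (label, entropy bits, worst-case years) for each profile."""
    rows = []
    for label, length, alphabet in PROFILES:
        bits = keyspace_bits(length, alphabet)
        rows.append((label, round(bits, 1), years_to_exhaust(bits, rate)))
    return rows

if __name__ == "__main__":
    # Same passphrase, different SSID: a different key, so a table built
    # for one network name is useless against another.
    for ssid in ("linksys", "BThub543897534895"):
        print(ssid, wpa2_pmk("password", ssid).hex()[:16], "...")
    for label, bits, years in report():
        print(f"{label:30s} {bits:6.1f} bits  {years:.3g} years")
```

A router that ships with a unique SSID and a long random key is on the favourable end of both effects; a common network name with a short or dictionary passphrase is on the other.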
In Austria it is since the introduction of data retention. Every time someone is assigned an IP address by his or her ISP, an entry is made so IP addresses can be mapped back to the person at any given time. It's pretty much the same across the EU, I reckon. I haven't heard of any cases yet where this data was used in a court of law though, but it is theoretically possible. Why would there be a law to oblige ISPs to do that if not for using this data in lawsuits? Back in 2006 when the EU guideline was made the official version was the usual terrorism bullshit (data is only usable for the prosecution of severe criminal action). In April this year the EU decided that file sharing is severe enough.
A side fact: Data retention hasn't proven to be very successful yet.
That would log an IP to a computer, that is it. If I'm at your house and jump on your computer and download the latest and greatest movie, that would be logged as you doing that, not me. The ISP would only have one piece of the puzzle, hence the problem with just tracking IP address.
> "All the monitors observed during the study would connect to file-sharers and verify that they were running the BitTorrent software, but they would not actually collect any of the files being shared," he said.
> "It is questionable whether the monitors observed would actually have evidence of file-sharing that would stand up in court."
However, it’s not really that much more work to verify if that peer is sharing the file in question. Just request/offer a few random blocks. There’s no mechanism in place to assign peers in BT network varying degree of trust.
Depending on where you live, being the owner (or responsible, or whatever you may call it) of an IP used to pirate things can be enough to be condemned.
[1] http://torrentfreak.com/judge-an-ip-address-doesnt-identify-...