Log onto an unsecured wireless LAN, go to jail.
August 1, 2002 9:07 AM

Log onto an unsecured wireless LAN, go to jail. This frightening story involves a computer security expert doing a bit of war driving. The fact that he didn't access any of their files, and that they shut down the network instead of simply reading the manual on basic WEP security didn't stop them from claiming $5,000 in damages and bringing charges, with possible fines up to $250k and up to 5 years jail time.
posted by mathowie (12 comments total)
There are some more details in this Houston Chronicle story.
posted by mathowie at 9:09 AM on August 1, 2002

This at the end of the Houston Chronicle story: County Attorney Mike Stafford said he will resume his investigation into whether the security breach was corrected as promptly as county officials learned of it and the origin of a pornographic picture found on the clerk's office server in March.

Could this be the motivation for such swift action on the county's part?
posted by poorhouse at 9:23 AM on August 1, 2002

Here is the earlier article from March which is talked about in the story linked to by mathowie.

It brings some more insight into some of the internal bickering going on about this security problem, including the accusation of Puffer posting a pornographic picture on the network. Sheesh.
posted by zsazsa at 9:29 AM on August 1, 2002

i blame the tech industry. lies of omission. cellphones are radios, wireless networks are radios, kids build radios for 6th grade science projects, radio is a more than half-century old technology and not a mystery to much of anybody (but the clueless masses). solution? criminalize radio reception. it's already been done in the cell spectrums - way back in the 1930's the radio spectrum (the "airwaves") was declared to be a public asset. at the onset of the cell "phone" boom industry lobbyists convinced congress to declare certain areas of that public asset off limits to the public which owns it. i can't believe the morons who buy this "wireless technology" (like best buy) and then react with surprise and outrage when they find out anybody can listen in. i can't believe the gall of the industry that sells the stuff knowing full well that there isn't a secure aspect about it and yet fail to explain this to buyers. i can't believe the public stands still while long established rights are stripped away for the convenience of an industry which sticks it to their customers so blatantly.
posted by quonsar at 9:52 AM on August 1, 2002

They're charging him in the March 8 "wardriving" incident, not the March 18 demonstration to the officials. It also sounds like there's a subtext here of him possibly trolling for business as a "security analyst" -- which may have their hackles raised, considering their prior work relationship.

There isn't enough detail to show what was done on March 8, though the picture business indicates they suspect it was a serious intrusion.

I want to defend ethical hacking as much as anyone; it's probably not wise to treat it as a business opportunity. Nor is it wise to discourage people coming forward by throwing the book at them, though.
posted by dhartung at 10:03 AM on August 1, 2002

why isn't it wise? If someone can get in they can get in. Period. If you are a biz that uses wireless without tight ethernet MAC-ACL security _plus_ passwords _plus_ crypto on the traffic you are asking for it just like you would be if you put a terminal on the street for public use. These businesses are practicing an irresponsible policy that could harm the public (ie secret records stolen, financial systems compromised, etc.)

No one would be saying the same thing if they left their doors unlocked and propped open over the weekend as SOP. In that case it would still be a crime to go into their offices, but everyone would blame them for being stupid enough to leave themselves so exposed.
posted by n9 at 12:05 PM on August 1, 2002

...didn't stop them from claiming $5,000 in damages...

If I had evidence that someone had intruded on a network containing sensitive data, I would almost certainly shut that network down until I could plug the hole and ascertain what had been compromised and what hadn't. While I would hold myself responsible for the costs incurred of making the network secure again (something I should have done in the first place), I would hold the intruder responsible for the costs of ascertaining what had been compromised and what had not. The latter costs could easily surpass $5k.

If someone sneaks into my house and sodomizes my cat, I might take some responsibility for leaving the door unlocked, but they still gotta buy me a new cat
posted by joaquim at 12:10 PM on August 1, 2002

and what's wrong with the sodomized cat? he just walks a little funny, otherwise it's a perfectly good cat. what kind of heartless cruel person writes off a cat just because of a little sodomy? help fight this cruel practice by sending $20 to:

society for the sheltering of sodomized cats
p o box 01379b
grand rapids mi 49525
posted by quonsar at 12:39 PM on August 1, 2002

what kind of heartless cruel person writes off a cat just because of a little sodomy?

Q: What do you get when you cross an elephant with a cat?
A: A dead cat with a big hole in it.
posted by joaquim at 2:24 PM on August 1, 2002

quonsar, this is exactly why I like living in Canada!

I got bored and bought myself a scanner (again) that does all kinds of bands not so long ago. Rules up here say that unless you protect your transmission in some manner, it's open game (but you aren't allowed to use the information you gather for profit, or discuss the contents of the information you gather with others).

Now, if we could just convince the supreme court that they are wrong for rewriting the rules on 9-1c of our radio communication act (this specific rule outlaws decryption of Canadian services without permission - rewritten to include unauthorized foreign services) I think Canada would become a haven for tech security people (not that it isn't already)! :-)
posted by shepd at 2:32 PM on August 1, 2002

matt: The fact that he didn't access any of their files, and that they shut down the network instead of simply reading the manual on basic WEP security didn't stop them from claiming $5,000 in damages and bringing charges,

A fully implemented WEP wireless network can be cracked once x amount of packets are obtained. Not only did he NOT have permission to do any of this, for all I know he cracked the key and then showed the reporters how easy it is to 'hack' a network. He's an ex-employee, perhaps with a bone to grind? Perhaps he wanted to burn the new IT people?

Regardless, there are smart and stupid ways to go about this kind of thing. I believe he took the stupidest way possible to make his point. You have to be pretty damn naive to expect the local government to pin a medal on you after showing them a vulnerability. What kind of precedent would that set for all the other kiddies out there dying for an excuse to run their scripts?

I don't think the charges are fair, but characterizing him as a victim is unfair. He brought this upon himself. If he really cared about security and not about, oh say plugging his business or embarrassing the new IT contractors, he could have gone down a more legal path to pointing out system vulnerabilities or started a class-action suit if private records are made available to the public through the wireless.

If he was hired to do this job and arrested I would be shouting bloody murder just like any slashdot kiddie, but I suspect there's more to this than has been reported and certainly more to this than the Register's editorial slant would have us believe. "Ethical Hacker." eh? I remember the last guy who was caught hacking some newspaper's website and played himself off as an ethical hacker. Oh, how the geeks defended him! It was later proven he was just another idiot and was eventually convicted.
posted by skallas at 4:14 PM on August 1, 2002

...but they still gotta buy me a new cat...

Or at least plug the holes in the old one.

posted by mikewas at 11:42 AM on August 2, 2002
