From: Nick Selby (nick.selby@the451group.com)
Date: Sun May 27 2007 - 08:06:13 EDT
Sorry to pick this up late in the game, but some of my research prior to
joining my current firm agrees with Richard's, below (a friend and I
detected WEP-'protected' or wide open access points whose ESSIDs
indicated that they belonged to lawyers, doctors, banks and a state
senator's offices after a four mile drive in Albany, NY - makes one
wonder about compliance with things like, say, HIPAA and SOX).
Also regarding the legality issue, if it has not been done to death, the
issue - when I researched this last year - might not be as simple as
Craig suggested. He speaks accurately about prior permission. But I am
not sure the 'your state my state' issue should be dismissed out of hand
for that very reason: one problem seems to be that states seem to
control how such authorization itself is expressed, and lawyers and
legislators are unclear about how one can reasonably assume authorization.
The problem of successfully prosecuting someone who accesses an AP
without permission - even though arrests have been made - seems fairly
tough.
From a report I wrote on the problem of protecting AP's at the offices
of lawyers in New York State:
* *You cannot rely on existing laws to prosecute "unauthorized" WAP
access. It is difficult to determine how a user becomes authorized
to access a WAP, and there's no common mechanism by which to post
a notice that he is not. *
In early July, 2005, police in St Petersburg, FL, arrested Benjamin
Smith III for accessing a residential WAP and connecting to the Internet
- from his car. Smith was charged with unauthorized access to a computer
network.
He might get off. Who's to say it was unreasonable for Smith to assume
what he did was Kosher? The WAP he used was wide open. With the
proliferation of public Hotspots, who can say whether a person can
reasonably infer an Open WAP is /intended/ for public use?
Under current New York law, it is illegal to intentionally access
someone else's computer, computer network or equipment without
authorization to do so where such computer or equipment, "...is equipped
or programmed with any device or coding system, a function of which is
to prevent the unauthorized use of said computer or computer system.
The New York Penal Law also attempts to define "authorization" by
providing that to establish authorization, one must be either
(i) give actual notice in writing or orally to the user;
(ii) prominently post written notice adjacent to the computer being
utilized; or
(iii) a notice that is displayed on, printed out on or announced by the
computer being utilized by the user
Significantly, the Penal Law also provides for a presumption that notice
of such authorization is given where, "the computer is programmed to
automatically display, print or announce such notice ...."
Scott R. Almas, who was instrumental in developing the business and
technology model to implement many of the Hotspots throughout downtown
Albany, New York, is a technology attorney at the law firm of Lemery
Greisler LLC. While Almas does not endorse the unauthorized use of open
WAPs, he points out significant problems with New York's law when viewed
against the practical reality of the proliferation of Open WAPs.
"I am particularly troubled," Almas said, "by how a user is supposed to
know whether or not the owner of the Open WAP is authorizing use of the
access point where the owner broadcasts to the world the presence of the
access point and takes no steps to secure it. By the very nature of
WAPs, there is no reasonable way to post or provide oral notice, and it
can be difficult to interpret from the broadcasted name of the access
point whether authorization is intended."
"In light of the fact that protecting the WAP is free, simple to do, and
strongly recommended by the access point manufacturers during the set up
process," Almas said, "I believe anyone who sets up a WAP and does not
follow the advice to install even the most basic, minimal safeguards
should be presumed to be providing authorization to access the Open AP
for otherwise lawful Internet use."
"The presumption should not," adds Almas "extend to authority to access
information on the WAP owner's LAN, or other illegal or harmful
activities."
(whole thing: http://www.nickselby.com/articles/technology/?a=1805)
In trying to determine an interpretation of NY law, I came up with the
analogy that an AP was like a hallway leading to the internet. Walking
into the hallway and out to the internet on the other side was cool.
Walking through and jiggling the handles of all the doors you passed in
the hallway, and walking in to rooms that were unlocked along the way TO
the internet was not cool.
For fun, let me introduce the unknown and probably unknowable impact of
the USA PATRIOT act on the matter: we determined in talking the legal
scholars and looking at case study (I am not a lawyer but worked with
several in this research) that there could be a case for the USA PATRIOT
act applying to those who leave their APs unprotected. Imagine, if you
would, an open access point being detected by, say, Danish terrorists,
who later use the AP to access an email account and send each other
banned cookie recipes. Or other, perhaps worse, contraband. I can see
that the label of having supplied 'material aid' to a terrorist
organization could thereby be applied to a person failing to tighten
access to the AP!
There's my two cents. I have absolutely no idea what it's like in other
countries.
Nick
Richard Brinson wrote:
> That's a good idea about the war chalking Paul, although I haven't seen much
> evidence of it locally. As for the use of WEP, it is most definitely still
> in use by organisations of all sizes. Whilst parked up in a high street
> recently trying to connect to a hot spot, I picked up approx 20 wireless
> networks - only 2 were using WPA, the rest (including the council
> headquarters and 2 firms of solicitors!) were on WEP. This lack of education
> is obviously a huge problem.
>
> Regards
>
> Richard
>
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:50 EDT