[AusNOG] Wifi Security and Interception

[Bevan Slattery]

Chris,

> Due to these "new" technologies that are only really finding 
> their feet in law now, there's a lot about the way that the 
> old communications networks were treated that just plain 
> needs to be thrown out the window.
> For example, the one I'm hearing most commonly in discussion 
> off-list about this issue is the old parallel that listening 
> to unencrypted wifi is the same for it being okay to just 
> walk into someone's home if the front door was unlocked.
> 
> IMO that's not a correct analogy, because you still have to 
> -go into- someone's house.

I agree that the analogy is not correct, but I disagree that the law is fundamentally incorrect, or that interception of unprotected Wifi payload shouldn't be illegal.

People develop laws based upon some pretty basic principles.  The simple principle regarding interception is that you unless you are the intended recipient of the communication and unless you receive the communication in error then you should not inject yourself in the communication path and 'intentionally listen in and record'.

Now, the issue being discussed here is that an unprotected Wifi network is ripe for the 'hacking'.  Much like a house with the front door open and a "I'm on holidays sign" out the front.  However, to gain access to that network, access the payload information and download the said payload requires a DELIBERATE ACT to intercept and record that information.  Much like a person who enters the home and takes property is still breaking the law despite the negligence of the owner to secure their property.  Much like it is illegal for someone to steal your bike that you have leant against the front fence of a friends house (on public property being the footway/road reserve) who you were visiting (and forget to chain up to the fence).  The theft of property requires a deliberate act and is illegal regardless of the location or the level of security you afforded your property.

It's tech-elitist or naïve to think that everyone out there should know how to encrypt their Wifi access points.  A quick walk down to any retail ISP's help desk will clearly underscore the pace of change and how difficult it is for non-tech users to even understand how a Wifi network operates.  A/B/G, WEP, WPA, WPA2, SSID, DHCP, IP, LNS.  To them it's more confusing than complete your taxes in 1998.

If you walk down a path whereby the law will not afford protection to those who do not adequately secure their property/networks, then you are opening yourself up for hackers having plausable defence from prosecution due to you:

- using known crackable encryption methods such as WEP and WPA
- not upgrading firmware, software of your WAP, router
- not upgrading your O/S, patching your applications and servers
- not installing a suitable firewall on your home/office services
- not using encryption on your important file system on your 

I'm sorry.  But society operates on a basis that generally people operate within the law and that is a baseline/minimum level of protecion.  Geez, how would you feel about the guy at the café/bar putting some extra drinks on your tab or even worse writing down your expiry date and then going online a buying a whole heap of merchandise without your consent?  I can see the people on the CREDITCARD-NOG pointing out that the banks shouldn't have to re-imburse that tech-noob because he was so stupid to let his credit card out of sight.  And as he was not taking the appropriate security precautions, it's his own fault.

So here's where I'll leave it.

I remember being a kid in a country town where we actually would leave our front door open when we were at home and doors unlocked.  I remember when we slept at night with our windows open without security screens protecting us from intruders.  Maybe I'm just getting old and I'm a sentimental fool.  But I used to live in a time where people respected other peoples property and understood what was right and what was wrong.  I'm not saying that having a lack of Wifi security is a good thing, but I'm trying to remember the day when it became a bigger crime than the crime itself...

[b]