[AusNOG] Google creepier than Conroy?

Narelle narellec at gmail.com
Mon May 31 20:49:35 EST 2010


On Sun, May 30, 2010 at 4:18 PM, Craig Askings <craig at askings.com.au> wrote:
> Why do I get the feeling that Dale Clapperton is lurking on this list and
> just shaking his head as we all play Telco Solicitor..... Badly

IANAL and neither have I read Google's actual code (so I am making
assumptions on what they've done)

BUT

I have read both the Telecommunications Act and the Telecommunications
Interception Act and it is my professional opinion that neither of
these acts is relevant to the activity under question. Both of these
relate to 'network units' or 'links' provided under carriage
services...

Neither is the Privacy Act relevant.

The one I do think is relevant, however, is the Crimes Act, at least
in NSW it's section 308 - the parts related to unlawful access to
someone's computer. Federally, it's the CYBERCRIME ACT 2001 - SCHEDULE
1. You'd have to follow that assessment up with a review of relevant
case law, and this I haven't checked.

The question in legislation imho is long settled that just because you
left the window open the burglar is still - in law - deemed to have
broken in...


On to the question of home network security and WiFi access points:
these things are appallingly insecure in general use. Consumers are
not generally aware that they are making their networks easily
accessible by anyone in the vicinity of them. Their expectation is
that they will be lucky if they can get it to work at all, so are
happy when their own computer/s can connect to it and then the
Internet.

I've set up a few recently for people, and, as a statistically
unrepresentative sample, I've been using the set up wizards just to
see where they take me. None of them, so far, have left me with a
secured access point! The most they do is set a new SSID - they don't
prompt users to turn off broadcasting, nor add even a WEP key (let
alone something stronger), NOR change the default password! [These
are, of course, the next few steps I take...]

Anyone who's spent any time on a helpdesk will also know how much fun
it is talking people through these steps on a telephone. One recent
experience I had with this went round and round with the device
repeatedly refusing to accept the config... Of course, it "worked"
fine just following the bouncing ball, but, yes, it was totally
insecure. Customer was happy to have it totally open, as long as they
could get to the Internet... [yes, I fixed it later]

imho Google may have done people a service by publicising this level
of insecurity. That said, I didn't see them actually publish any
useful data on - for eg - rates of insecurity in home wireless LANs,
or helpfully advise people that x level of WLAN usage exists. Please
don't get me wrong - I do consider what has been _alleged_ to have
occurred unethical!

Has anyone seen the code in question? I saw in question time that Sen
Conroy had seen it, but I doubt he will have "decoded" it...

What is Google's intent with this data? What have they admitted to
doing with it? How are they securing the information they have
collected? Have they issued a public statement on the topic?

I have a strong recollection that had I done a similar thing as part
of a research study there would have been ethics committee approvals
required... but we wouldn't have had the funding!



-- 


Narelle
narellec at gmail.com


