Glenn Reynolds recently linked an April post he wrote about some poor schlub who found himself raided by a SWAT Team because person(s) unknown had downloaded kiddie porn using his unsecured WiFi signal.
That had prompted this advice from a reader:
Never, EVER set a password on your Wi-Fi router. Background : 30 years in IT. I have many clients who are defense lawyers, and this is the advice they are giving me based on ‘water cooler’ chat going on in the profession. Long story made short, passwords = you did it, at least in the eyes of less-than-tech savvy juries. The only way to establish reasonable doubt is to NOT have a password.
I’m not sure I would give that advice to unsophisticated, squeaky clean people, because in a very general sense it is true that under our system the totally innocent usually have less to fear than the completely guilty. And if you really aren’t doing anything illegal with your computer — meaning no drug or sex trafficking, no kiddie porn or copyrighted video downloading, etc. — then why leave your signal open for anyone in range to do those things?
But the lines are getting blurrier and blurrier. Even people who think they are squeaky clean might not realize that what they are downloading is copyrighted. And how can they be sure that their teenage kids aren’t breaking one law or another online?
As to those who are in fact dirty, or those who are vulnerable to being framed or blackmailed by enemies, while I am not advising anyone on how to commit a crime, I think they would probably be smart to leave their routers unsecured. Because, unless investigators find the goods inside your computer or something, anyone could have downloaded anything simply because the router was unsecure.
Think about it. If you’re dirty, doesn’t common sense suggest muddying the waters by letting everyone else share your bandwidth?
Not long ago, I learned about a hot spot which flooded a hipster neighborhood with a powerful T1 Wifi signal beaming from an apartment occupied by neighborhood drug dealers who came and went in an unpredictable manner. Assuming they were doing illegal things online, sharing that bandwidth made a lot of sense. Especially nowadays with everyone and his mama carrying a laptop. Unless the cops were to find the exact laptop that had downloaded the damning data, with the damning data still on it, it would be impossible to figure out anything, because anyone could have used the signal.
The name of the game is reasonable doubt.
I don’t mean to offer advice to cyber criminals, but I could easily see the idea spreading even to rebellious types, with entire neighborhoods deciding collectively to turn off security. Essentially, that would mean free neighborhood WiFi, with no way to control what anyone does.
When the government makes everything illegal and busts people for downloading what they didn’t download, they’re asking for such acts of civil cyber disobedience.
I can hear it now. “In a lawless world where we are all criminals, the only security is to be found in not having security!”
Hey, it isn’t illegal not to have a password, is it?
Comments
9 responses to “Massive insecurity could become contagious”
“Hey, it isn’t illegal not to have a password, is it?”
Not YET.
(Frankly, I avoid the whole problem by being a Luddite who won’t use WIFI…)
You share your computer with the world if you leave your wifi open, via file sharing or various o/s bugs that may turn up.
I was a Police Officer and most of us never locked our lockers. The reason? Well if something was found in your locker that should not have been there you would be able to say that anyone could have placed the item there. However if your locker was locked and you had the only key well then you would be in an awkward position. I never saw any lockers searched or know of anything found in mine or my fellow officers lockers however it was good practice to not lock the lockers. This practice extended further up the food chain. Most of the Sergeants didn’t lock their offices or lockers and the officer in charge, his private office was always unlocked.
My son has been goading me to secure our network (in a residential neighborhood). Now I’m not so sure.
I think I have read that in some jurisdictions it is illegal to have open Wi-Fi.
And why would it be civil disobedience to leave wifi open? What law or regulation are you disobeying?
John Henry
If it is illegal to have open WiFi, doing so might be civil disobedience in the ordinary legal sense of the term. But even then, technically it is supposed to be public.
Maybe I’m talking about the simple refusal to obey a social more that is being imposed without any debate.
Why would they be moving towards laws? What’s next? Will they be telling me I have to lock my front door?
Apparently. In the name of copyright protection, they are claiming that the failure to secure a connection is negligent infringement:
http://www.techdirt.com/articles/20110331/01112213706/not-securing-your-internet-access-to-block-infringement-is-negligence.shtml
The criminals will simply set up unsecured WiFi so their friends (or anyone else) can download freely. If I were such a criminal, I would have one “good” computer that was clean, and a “bad” computer kept hidden, or ready to self-destruct. That way, in the event of legal trouble, they would only have the boring “good” computer. Better yet, I would have the good computer wired from one of the plugin ports, and the bad one running wireless on a throwaway Linux OS on a flash memory hard drive using an untraceable usb wifi adapter without a permanent mac address. The flash memory (or thumb drive) could be destroyed at any time, leaving nothing, and I could say that I never used the WiFi (most routers come with it anyway), so I never set the password. Anyone who doesn’t think criminals are ahead of the game is not thinking.
Long story made short, passwords = you did it, at least in the eyes of less-than-tech savvy juries
I call shenanigans on that. Any competent lawyer would throw an expert witness at that – ideally with a live demonstration of real-time WEP cracking.
Juries don’t need to be savvy to watch the Guy In A Suit press a shiny button and “break the password” in 60 seconds, or to see dozens of citations from academia and the popular internet press about how completely insecure WEP or a short WPA password are.
(Thus: “To give you an idea of what’s involved, we used […] to find a nearby network’s WEP key in about five minutes.”
After hearing a dozen entries just like that, I don’t suspect even a non-“savvy” jury will be thinking “password means guilty”.
Especially if any of them have ever known anyone who’s, say, had their Facebook account “hacked” despite having a password – even though that’s completely irrelevant, by this point EVERYONE who uses computers knows that a password is fallible.)
(On Eric’s link, I agree with the cited source that there’s no way a judge will buy that “negligence” claim – which we should note is being pressed by one pornographic film company flailing for charges, not by the State.
There’s no duty to not have an open network; many places and persons do so quite deliberately.)
Anyone who got a DSL package from AT&T or any other provider that uses 2Wire (now Pace) CPE has to use the password that’s burned in to the equipment. It can’t be disabled.