
I read something a while ago from an IP lawyer; he said that in such an occurrence they would instead just sue you for negligence.

There don't seem to be many wireless LANs using WEP anymore anyway because of the obvious security flaws. Perhaps some grandma with an old router could get away with claiming ignorance as a defence but the average HN reader probably couldn't.

As for the car analogy perhaps this would be similar to leaving your car unlocked knowing full well that it was likely to be stolen by criminals.




I don't lock my car, my house or my wifi. This isn't negligence, I do it on purpose. If somebody steals my car and runs over people with it, THEY are at fault, not me. And if somebody downloads "infringing" material over my internet connection, they are at fault. I really don't understand how this could be otherwise.

Suppose I invited a friend over to my house, and while I was asleep, they taped TV movies onto my VCR. Am I the one at fault because I didn't lock up my VCR? Is there any other place in the law where I am considered at fault when somebody else breaks a law? I'm not talking about "the getaway car", but more like "the guy who parked across the street from the bank and had his car taken by the robbers".


> I don't lock my car, my house [...]

Good luck making an insurance claim.


IANAL, but this depends if we are talking about criminal or civil law.

AFAIK in a civil case there would be more onus on you to prove that you didn't know what other people were doing with your stuff.

Also this would be affected by your circumstances, so if you work in tech/IT you might have a job arguing that you didn't know that running an unsecured wireless AP was a bad idea.


> Also this would be affected by your circumstances, so if you work in tech/IT you might have a job arguing that you didn't know that running an unsecured wireless AP was a bad idea.

Pointing to a renowned security expert saying he does the same might help, though:

http://www.schneier.com/blog/archives/2008/01/my_open_wirele...


At work, part of my job is to protect my company's data.

At home, is there any requirement, legal or otherwise, for me to secure my data if I don't have a desire to?


If I were to leave my car unlocked in a high-crime neighborhood, my insurance may turn me down, but I still would not be liable for any crimes the thieves committed while using my car.

Then again, it's just an analogy, which holds little sway in a court of law.


An IP still isn't a person, as your computer could be remotely controlled. Maybe grandma shouldn't have been so negligent when updating her Java package when a known zero day exists. Expecting anyone besides an HN dork to know WEP is outdated shows how closed-minded some of us are.


My point is that it's usually down to the ISP or whoever provides the router to make it secure. From what I have observed WEP routers are very rare in the wild so it would seem that they are doing their diligence here.

I'm also not sure how far ignorance goes as an excuse, although this could well depend on whether we are talking about civil or criminal law. For example in pretty much any country there are literally thousands of laws that you are expected not to break. I doubt even veteran lawyers know all of these down to the letter, yet if I am charged with one of them that I have no knowledge of I cannot get away with saying that I didn't know it existed. In theory I guess it could be argued that you should never do anything without first consulting a legal professional.

Possibly a lawyer could say to grandma "If you didn't know anything about routers or Java updates, why didn't you hire an IT expert to configure your computer for you?"


> My point is that it's usually down to the ISP or whoever provides the router to make it secure.

Which ISP configures wifi routers? And I always see unsecured connections from default routers. Don't tell me you're never connected to the unsecured "Linksys" network.


Most ISPs in the UK do. Personally I use my own router but I have helped friends set up their connections.

Usually what happens is that they send a box with a router + modem + filters etc and instructions as to how to plug it all together.

They also give you a piece of paper telling you the SSID and key with strict instructions not to tell it to anybody.

I imagine the router also calls home at a regular interval and downloads updates automatically, so if there is a security issue it should be rectified relatively quickly.


Eircom, the largest telco in Ireland, shipped routers for ages where the WEP key was easily derived from the SSID. There are 3 of these on the street where I live.


Is it a crime to plug in a default router in the UK?


Not sure what is meant by a "default router". AFAIK you can plug in any router you like without committing a crime, but if somebody believes that they suffered as a result of you choosing an unsecured router they might have grounds to take a civil case against you.

As far as I can tell in my googling none of these negligence claims so far have been successful, but there has been no clear judgement on this matter to be sure one way or another what might happen in future cases. Also bear in mind that these judgements might differ between jurisdictions.

I simply think that saying "open up your wifi, now you're no longer liable for anything that happens on your internet connection!" is very dangerous advice to be spreading.


> Not sure what is meant by a "default router".

Default settings. Many wifi routers work just by plugging in ethernet.

> I simply think that saying "open up your wifi

I'm not suggesting anything besides grandma isn't her IP. I don't see why that's confusing.


This is the same in Australia. I went round to a friend's house to help secure their router, only to find it was already done by default.


I agree with you in principle but I don't think legal doctrine in most countries where filesharing litigation happens does. If your computer is compromised while used to torrent a movie, you'll have a hard time convincing a court of that ten months later.


There are still plenty of WEP APs in my area. In fact there are local businesses still using WEP on their WiFi.

HN often fails to realize what 'normal' users are like. The world is still very unsecured.


It is also possible to crack WPA-2 networks, quickly and easily if WPS is enabled (mere hours), longer (or more costly) if it is not. I think it would be trivial to argue in court that if you have wifi it's a reasonable argument that your wifi might have been hacked and hijacked.


Citation needed here I feel. All of the WPA attack methods I can find work on the basis of using precomputed SSID/Password combinations, sniffing the handshake and comparing against the list.


WPS: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

I've personally seen this used to crack a WPA2 network in < 2 hours. However this isn't a problem with WPA, and disabling WPS renders this attack vector useless. Though, as noted in the white-paper, some routers are intelligent enough to slow the attack down.

WPA: http://www.tomshardware.com/reviews/wireless-security-hack,2...

Yes, the 4-way handshake needs to be captured, and can be compared to a rainbow table (fast); however (and if I understand correctly) if it is not in the table you can then throw computing power at it to bruteforce it (slowly).

http://www.youtube.com/watch?v=RXwteto3nNg

Yes, it's really slow, and would take practically forever for any reasonably long/secure passkey, but it is possible and only going to get easier as time goes on. I think it gives anyone with a wireless network an 'out' by being able to say they must have been hacked, either because they left WPS on or used a simple short passkey.

However, I really have no idea if that would actually hold up in court.
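
An added illustration, not part of any comment in this thread: the sub-thread above turns on why precomputed WPA tables are tied to an SSID and why long passphrases make brute force impractical. The sketch below derives the WPA2-Personal pairwise master key (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and estimates exhaustive search time from a defender's view; the guess rate and the sample SSID "HomeNet-7731" are assumptions made up for the example.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_RATE = 1e5  # assumed passphrase guesses per second; not a measured figure


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, 4096, 32)


def years_to_exhaust(alphabet: int, length: int, rate: float = ASSUMED_RATE) -> float:
    """Worst-case years to try every passphrase of this shape at `rate` guesses/s."""
    return alphabet ** length / rate / SECONDS_PER_YEAR


def same_passphrase_different_ssid() -> bool:
    """A table precomputed for one SSID is useless for another: the salt differs."""
    # "HomeNet-7731" is a constructed, non-default SSID.
    return derive_pmk("password", "IEEE") != derive_pmk("password", "HomeNet-7731")


def strength_report():
    """(label, years) for a few passphrase policies at the assumed guess rate."""
    shapes = [
        ("8 digits", 10, 8),
        ("8 lowercase letters", 26, 8),
        ("12 mixed-case letters and digits", 62, 12),
    ]
    return [(label, years_to_exhaust(a, n)) for label, a, n in shapes]


if __name__ == "__main__":
    print("PMK for password/IEEE:", derive_pmk("password", "IEEE").hex())
    print("SSID changes the key:", same_passphrase_different_ssid())
    for label, years in strength_report():
        print(f"{label:35s} {years:.3g} years")
```
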


In other parts of the world that's not a viable argument.

It was my local ISP who installed the WiFi with WEP, and they don't provide the option to manage the router and disable it, even if I requested WPA2 explicitly.



