Saggy Posted July 1, 2011

So I'm not sure how many people here are aware of what's going on with Google right now. Basically though, they had some Wi-Fi sniffing devices on their StreetView cars that were going around culling together the locations of people's wireless networks. Google claims it was to help improve their GPS location technology when GPS can't be reached. In any case, what they did was just glob together all the MAC addresses and names of wireless routers, but some people are concerned with what other data they may have intercepted, and this has got people interested in whether or not this should count as wiretapping.

A lot of people see the network being unsecured and open as some kind of welcome mat, and make many analogies to open vs locked storage compartments, looking into a person's window, etc. It seems that the general argument here is that packet sniffing technology and methodology is so simple and commonplace in today's world that anyone leaving their network open is basically asking for this to happen and are themselves at fault.

I don't see it the same way, and I think it's a lot different than seeing your neighbor's bits in the window as you glance at their window, or even accidentally picking up telephone calls on your guitar amp or something--both of which have happened to me and are awesome luck btw. In any case, I don't see this as the same kind of, "Well, it was all out in the open, so it's not my fault if I see it," kind of reasoning here because there is much more user intervention required to turn the WiFi radio waves from the electric-binary that the receiver turns the radio waves into, all the way up through the OSI layers into data that makes any sense to people. The whole idea of there not being any criminal liability against you if you sneak a peek at your neighbor's goods or start picking up phone conversations...
Is that it's accidental, you're walking down the street and look up and see them undressing, or your whatever-electronic-device (I've picked up land line conversations by accident on both computer speakers and guitar amps) is improperly grounded and starts picking up telephone conversations, you can't help that, you didn't intentionally try to view their bits or listen into their conversation, it just happened.

I don't think that's at all the same as packet sniffing on a WiFi network. Just simply running packet sniffer software in itself already demonstrates an intent in a step that is not taken with other cases of privacy-invasion that people seem to think are benign.

Realistically though, by the time the radio waves hit the WiFi receiver and are translated into radio waves, it's got at least 7 more layers of user intervention and processing before that data can be observed, let alone stored in any way. So just to retrieve the MAC address and name of a wireless network requires several more steps to be performed than, say, a radio picking up phone conversations. A radio picks up waves, translates them to electricity, which is interpreted as sound by us; a computer picks up radio waves, translates them to electricity which is then interpreted as binary by the computer, which is in turn processed to reach the encapsulated data. Just to retrieve the MAC addresses Google would need to follow Layer 2 protocols, and at the least it would require an extra step to parse, filter and log such information. That is a lot more complicated than a poorly grounded electrical device turning itself into a radio, or someone with wandering eyes seeing more of their neighbor than they should have.
What I really think is funny about it, is that in the judge's actual ruling he describes packet-sniffing as "sophisticated technology". Specifically he said, “Further, plaintiffs plead that the data packets were transmitted over Wi-Fi networks that were configured such that the packets were not readable by the general public without the use of sophisticated packet-sniffer technology.”

What really gets me about this statement is how many people totally misunderstand the word "sophisticated". Just so we're clear...

so·phis·ti·cat·ed /səˈfistiˌkātid/ Adjective
1. (of a machine, system, or technique) Developed to a high degree of complexity.
2. (of a person or their thoughts, reactions, and understanding) Aware of and able to interpret complex issues; subtle.

Apparently there's a lot of people out there who think that the judge was intending the second definition... Whether that's because it's the only context they've ever heard the word in, or it massages their egos to hear such trivial software being called "sophisticated", a lot of people seem to have missed the point. Obviously the judge feels as I do, that with so many extra steps (complexity) required to observe any useful information from this data, it is not at all comparable to any of the analogies I keep seeing people trying to make.

Eventually though there's another argument in this... Should it really matter? If someone leaves their wireless network insecure, then shouldn't that be the same as saying, "Yeah, I don't care if the rest of the world sees what I'm doing and wants to use my Internet to Facebook and download MP3s." A lot of people seem to think whatever happens to these people doesn't matter, but in some way I think that's a bit more of that ego coming in to play... "I'm so smart, I'd never think of running my network open, and anyone who would is an idiot and deserves what they get." I mean, to me that's kind of like saying that a person who gets their house robbed should have locked their door.
That's not exactly untrue, but does that mean it shouldn't count as a crime against them? With that kind of logic, you'd assume the rape victim would be out of luck if they left their bedroom window open. I just don't really think it's okay to say that, because that's basically assigning fault to the victim.

The other issue I see is... How secure can you really make wireless networks? I mean, how many people are out there right now using nothing but WEP that think their network is "secure"? Are we supposed to say, "Heh, you should have known WEP was as secure as a wet paper bag, it's your fault!" What happens when WPA becomes easily crackable? Then the one after that...

Anyway, long story short, I think people's opinions on what is and is not okay to do with an unsecured network is a little warped. It seems really interesting to me too that a lot of people will think, "Well, they deserve what they get," but if you handed them a laptop with BackTrack connected to open_wireless and with an ARP spoofing command ready to go, how many would actually take the opportunity to sit there and spy on the people? People are not kidding that packet sniffing software is not at all hard to find, and so you kind of have to wonder, "Why aren't there more people out there spying on unsecured networks?" Is it really a "niche" thing where only a few people know how to do it or are interested?

Then compare that with the number of people that are willing to just hijack a person's Internet connection with the idea of, "Well, they left it insecure, they must not care if people use it," and still don't see it as stealing. I guess it makes sense that these types of people wouldn't see packet sniffing as spying, but when you mention to them, "Oh, yeah, you can run a few commands and see what everyone on the network is doing," they get up on their morality soapbox and talk about how they'd never spy on anyone.
Yeah, go ahead and steal their Internet connection because it's there and they're not securing it and it doesn't hurt them, but spying is still dirty and despicable. Quite an interesting double standard...

In any case, I'm interested to see what others think about the matter when it comes to things like leeching off people's internet, spying on them, even to the more blatantly criminal acts such as acting as MITM on their network stealing their credit cards and the like.

...and while we're on the subject, how much do you actually think about wireless security in your day-to-day use of the computer? Ever log in to an unsecured wireless network in public? Do you ever think, "I wonder if that guy at the next table is stealing my credit cards," or do you just dismiss the idea out of hand? Personally I'm very aware of the threat and try to use an SSL enabled site whenever it's available (wireless or otherwise actually), plus with my home wireless network I've configured it with WPA/PSK as well as MAC white-listing.

Edited July 1, 2011 by SagaciousKJB

QUOTE (K^2) ...not only is it legal for you to go around with a concealed penis, it requires absolutely no registration!

d00d Posted July 1, 2011

This is an interesting topic, hitting quite general but similar ground to a post I made in the hacker thread. Fact is wi-fi is relatively new compared to sneaking a peek or picking up phone calls, and the problem is a lack of education. The sad truth is most people don't know the risks that leaving your network open poses. In fact, they don't even know that you can password protect a network. They're happy to set up their ISP-supplied router out of the box and as long as it works, get on with it. If people were told about the risks, they would secure-up.

Now as far as Google are concerned, I don't personally see anything wrong with gathering SSIDs. It's publicly available information and you'd get the same if you went around (disputing time), exactly the same as the Street View service. However if they actually went around using sniffers to obtain packets and node details then that's bang out of order. They know perfectly well what the repercussions could be and what rights they have over what kind of information, and the ethics involved.

I think about security most of the time, I may not act to the extent you do though. For example if I'm out in public and I'm on my iPad trying to surf the net, I'll almost never connect to any shady open Wifi networks (they're usually ad-hoc). I'd rather switch on my 3G and have a slower, but more secure connection. Well, maybe not secure but at least I know the absolute risks involved.

I'm often mocked by my girlfriend for precautions I take but I simply lay down the facts - I've never been a victim of any kind of identity theft or fraud, I've never had a virus despite not using virus scanners and I've never had a break in. She's had her ID stolen and has had multiple fraud attempts made, and her laptop is a state. Frankly I don't even know what I'm doing with her. (/sarcasm)

nlitement Posted July 1, 2011

You know, honestly, we wouldn't have this problem if a) Internet and computers hadn't started becoming this widespread and common so quickly b) people were taught how to work their damn computers in school.

Just look at all the crap we have on the Internet because of ignorance. Botnets that are made possible because people don't update their OSs or take precautions with security. And I just want to say right here that antiviruses IMO can even be more harmful than helpful... sort of like airbags when they first came out and some people stopped using seatbelts and got massive deadly chest injuries in car crashes, people just install their 30 DAY FREE MCAFEE TRIAL PERIOD and feel secure, not realizing that even the best antiviruses fail to detect a lot of malware even with heuristics enabled and go on www.freepornpasswords.biz with Firefox 0.8 or IE6 and get infected. The other thing is spam, people really do actually you know read the emails that go something like "fr E 3 p3 n is e n l a Rg4 m ent P i Ll lZ" without having any second thoughts... and because it's so cheap to send spam, you only need maybe 1 hit per 100,000 to make it economically viable.

This ignorance is what also makes so many people with open WiFi networks. I'm not saying these people are "stupid", just that since they never were into computers like you and me, there's no way they could have known better, so it's our responsibility to teach them. But it's also the router manufacturers' fault. I dunno how some of the newer models work, but even my 2006 make still has unencrypted WiFi running in the factory setting. Why do that? Make sure people read the manual!

But yeah, I think it's just silly to blame Google for this. Yes, they shouldn't have actually sniffed packets, but the sophisticated part I'm not sure about either... what about programs like Kismet?
People forget that Google (as you mentioned) scanned the WiFi stations to make it possible for you to find your location in the city, particularly in congested areas with tall buildings where GPS reception can be very poor and when wireless cell based locators are too imprecise.

EDIT: To answer your question about my own behavior when it comes to wireless networks: I tend to avoid them, cuz I have unlimited Internet access on my cell phone, which I trust just fine, but if I'm in a foreign country, I might use free WiFi but won't actually log in anywhere.

Edited July 1, 2011 by nlitement