We have four panelists. Myself, I'm Matthew Schuchman; I'm one of the founders of wardrivingworld.com. We have RenderMan, a famous hacker and a superb war driver. We have Robert Hale, who's a lawyer from San Francisco who's written on this subject of Wi-Fi and the law. And we have Frank Thornton, Thorn, who is a former law enforcement official and as well a great hacker, so we'll give some different perspectives.

Firstly, I'm gonna ask if you can hold your questions till the end. We're only gonna have about 40 minutes, so we'll try to get through it so we can leave a few minutes at the end for questions.

Firstly, you know, definition of what is war driving. The simple definition of what is war driving, and whether you're walking around... there's been a lot of play with the verbs here, whether you're driving around, whether you're walking around: it's the act of having a laptop or a PC of some form and detecting other people's Wi-Fi signals and recording some information about them. The simplest case was recording the information that the access point is there, maybe the speed of transmission, and, if you have a GPS, maybe the location.

So there's been a lot of talk of whether war driving is legal. So there was a Doonesbury cartoon which covers this, and the question of: is war driving legal? There have been a number of articles in the newspaper where you've seen that people have been arrested for war driving. However, what I'll say is, with one exception, in each of those cases the people who were arrested for war driving were doing something else, some other nefarious activity, some crime in this, criminal activity in this. For instance, in one case in Toronto, the man was spamming child pornography but using somebody else's Wi-Fi signal to get it out. We certainly can all agree that spamming child pornography is a crime, and it's really not the war driving.
That's the issue. It's the other crime involved. Another case involves someone who was... two people who were grabbing credit card numbers off of a Wi-Fi signal near a retail store. We don't certainly agree. They're stealing credit card information. That's separate from the war driving. There's a recent case where a man in Tampa was outside of somebody else's house and he was caught. The man went out, the resident of the house went out, found him outside and said, "Hmm, what are you doing here?" but didn't say anything. He then went out, drove his girlfriend home, came back. The man was still sitting there in the van with the glow of a laptop screen, is the report. It's in the newspaper, say. He called the police. The police came by. Whoever this guy was was not so smart; he didn't leave after the first two times. And the police came by and they arrested him for war driving. We're not sure what else he was doing. We're not even sure what was on the screen, but when that case comes to trial later in the fall, maybe we'll know something about it.

There are a variety of laws, both at the state and federal level, which cover accessing networks, both legal accessing of networks and accessing a network that might not be yours, where it's an illegal activity. Some of these laws have been extended and will cover Wi-Fi access of networks, but not all of them. There have been some new laws that have been brought into play which will cover some of the distinctions with regard to Wi-Fi access, but very few of these have had the chance to be tested yet in court. And if any of you have had experience with the law, you know it's not what the law says, it's what becomes the precedent within the judicial system.

So the first question I'm going to ask our panelists is: if, in the very simplest case, we're war driving, we're driving around with a laptop, and we are accessing... and that we are detecting access points using a package.
Let's say, like Marius Milner's NetStumbler, and recording the location and something about the signal. Is this a legal activity? I'll first ask my first panelist, RenderMan.

Hey, just for clarification, I am from Canada. My... Up, all right. I am from Canada, so my knowledge is mostly around Canadian law. I'm not a lawyer, but in my research I found in Canada it's a lot more sane, sanely written laws than in the States in regards to this. Anything in the 2.4 gigahertz ISM band is basically, it's public domain; it's free to transmit, free to receive, up to one watt. Anything that is transmitted, if it's unencrypted, you can listen to legally. You cannot disrupt, and you cannot decrypt if it is encrypted, but that's all the rules there are. This very nicely frames basic war driving, because all we're doing is passively detecting the signals from these networks, just listening to the information that they're spewing out. We're not accessing them, because then at that point we get into computer trespass laws. But the information coming in is nice and legal. Yeah, it's quite legal where I'm from.

Okay. Thank you. Robert Hale.

Yeah, I think I would just mention two things. One, quickly, is: would it be a violation of the Computer Fraud and Abuse Act, which is kind of the Bible of a lot of the stuff? And you have to show unauthorized access, you have to show obtaining information, you have to show damages. So, Render just nicely outlined... although it might not be in the Canadian context, you could, I think, in the worst-case scenario maybe prove something there. Was the access authorized? Well, if they didn't have any kind of protection up around their access point, you might be able to squeeze that in. Obtaining information seems pretty weak. Again, what are you actually doing with the router?
It's pretty minor. And then where are the damages? So it's pretty attenuated. However, I will say this: I think to the extent that an organized group that's setting up, and again, I said this is a worst-case scenario, that's setting up kind of a, you know, we're showing people where a bunch of wireless access points are, it's conceivable that some very zealous or overzealous authorities might view that as a facilitation of other bad acts. Although they're not doing a bad act, they might be able to say it's conspiracy or aiding and abetting. I know it sounds pretty horrible, but it's certainly not unreasonable or irrational or inconceivable. So those are the two things out there.

Thank you. Thorn?

From my standpoint, especially with my background in law enforcement, my interpretation of this, and not being an attorney but being someone that is familiar with interpreting laws, is that this is completely legal, to just detect and to record locations. I think a prosecutor would have a real hard time pushing it out to the effect that you're doing something nasty by recording this stuff. It's probably a lot more information that is publicly available in a phone book that would cause a lot more damage than someone just going down the street and detecting whether there's an access point near a particular location.

Thank you. Okay, that's the simplest case. Now let's take the next case. Let's say that we have a situation where I'm still... there's a situation where we can set up something called promiscuous mode. Promiscuous mode is not as dirty as it sounds. Promiscuous mode is that some Wi-Fi devices, cards, can be set to listen to any packet coming across, and they do it passively. They don't send back an acknowledgement packet, so you're simply receiving everything that's out there in the ether. So I'm receiving these packets, and I'm receiving them for the purpose of pulling them down onto my PC, and what I want to do is to break, is to crack the encryption.
I'm simply doing it for the sport. I'm not interested in going on to that person's network and stealing any information from them. It's for the purpose of receiving information that's being broadcast out to me in the free airwaves, as Doonesbury said, but for the sport of being able to crack the WEP. Is that a legal activity? RenderMan?

In Canada, basically it's free rein in the ISM band, and, yeah, capturing anything that you want, within reason, in that spectrum is perfectly legal. You cannot divulge to other persons what you capture, and you cannot decrypt the information you do receive. Those are the only two provisions. If you're just looking at, you know, screen dumps of the packets going by, you know, seeing what web pages people are looking at, things like that, that's all perfectly legal. It's entirely passive. You're not disrupting. You're not doing anything that I can tell is legally bad. When you start getting into cracking WEP, if it's something that is not your access point, not your property, and no permission, definitely you're starting to get out of the radio communication acts, more into the preparatory stages for computer intrusion, so computer trespass laws. You could probably argue the case that not having the two... that having the two tools, like aircrack and a dump file, themselves are not illegal. However, having processed the dump file through aircrack and having the key, then they probably want to speak to you. But you'd really have to get somebody's attention to have them go after that. It wouldn't be worth their time, just if you're doing it for sport. Not something I recommend, because if you've got the wireless gear to go out and collect this stuff anyways, you've probably got an access point at home and can tinker around in your own lab rather than, you know, driving halfway across the city and doing it there. Like, I'd rather sit at home in air conditioning.

Thank you. Robert?
I would talk to three things, mainly: the CFAA elements, then again the sort of conspiracy enterprise theory, and then also really public policy. I think from the CFAA standpoint, again, we just go through our elements. We've got unauthorized access. Yes, we do have unauthorized access. Obtaining information: there's a case that controls the CFAA that says even looking at information is obtaining it. Is that the right decision? Again, we could debate that, but that is the precedent. So if you're just looking at it, as Render said, you've satisfied that element of the CFAA. Then you have your damages. Now, if through that act of cracking the encryption the user is then led to have to spend a lot of money to, you know, reconfigure their system or something, again, one, it's a stretch, but you could say that you have damages there. Now, moving on to the conspiracy part. Again, if you have a group of people doing this, and again, they may, some of them, say it's for sport, but there's kind of a gray area there. I could see the feds coming in and saying, you know, you guys are aiding and abetting. You're not doing any... you say you meant to be... do anything bad, but if you know that something bad is going to occur down the line, you're aiding and abetting bad actors. The third thing I'd say is that really, you know, since, and we're going to get to this in your third segment, the public policy aspect: you know, you want that these companies develop tools to enable the user to protect their access point. So to the extent that you go around cracking them, I mean, it might be contrary to public policy, but you also argue that it facilitates a good public policy. So, but we'll debate that next.

Yeah, Mike, my view on this portion of it is, when you start getting into... if you're just receiving straight data without any encryption on it, you're probably completely okay. You may be treading into an area of a problem if you start reading email, which is completely, clearly illegal under a couple of different laws. However, if you're just getting a packet and you're looking at a packet, seeing what it is, you're probably all right. When you start doing the WEP breaking, you're crossing into a real gray area in my mind, and I think that, having worked with prosecutors, that would show clear intent in their mind if they were going to try and grab someone for doing something. The fact that someone went out and was breaking WEP on someone that they did not know, they did not have permission, most prosecutors would say that that is a clear intent to commit a further criminal act.

Thank you. Now we get to what I think is the most interesting question here from my perspective, which is: if you were to go out and purchase a typical Linksys or a Belkin router, you'd find that the SSID, that has been the name given to the router, is usually either "default" or, in the Linksys case, I believe it's "linksys". A consumer goes, buys that router, sets it up at home, follows all the instructions, goes into their Windows XP machine and sets it to access their Linksys router. No protection is set. They check the mark, check the box, and it links up to their router. Now, a week later they go out and they take their laptop and they're sitting in a park in another part of town, working on their own PC, and the laptop detects another consumer who's done the same thing in the area, and it of course thinks, "Oh, I have a router named linksys. It's not protected. I've already been programmed." And what does Microsoft's operating system do? Grabs onto that signal and connects you directly to the internet. So the question is, one: I've done nothing active. I've simply followed the instructions Microsoft and Linksys gave me. Have I done anything wrong? And then the question becomes: who is responsible? Is it the person who manufactures?
Is it the person who is accessing the signal? Is it the consumer or the business which happened to follow Linksys and Microsoft's instructions and set up the router that way? Is it the hardware manufacturer, should they have set security as a default rather than insecurity as a default? Or is it the responsibility of the operating system not to automatically jump on to somebody's router without asking permission each time? So it's an interesting question not only from a legal standpoint, but also from a public policy standpoint. Thank you. RenderMan?

I don't think any sane person would want to hold a consumer responsible for an accidental connection like that. You know, if they open up their laptop and get the little bubble that says you're now connected, you know, and they realize, oops, this isn't my network, you know, and they log off or disconnect, I don't think anyone would ever try to convict somebody for that. However, if they decide, hey, I'm on a network, I want to check my email, and then they go forward, yeah, that's theft of service, plain and simple. The consumer should have enough brainpower to realize that, yeah, you've toed up to that line; let's not cross it. I personally blame a lot of the manufacturers. Linksys is probably the worst. Everybody's probably heard the Linksys global network, you know, like 60% of the access points out there are Linksys. Most of them are on default. How... and they bury the security warnings in the manuals. They're not easy to set up. Different manufacturers have different high-level encryptions and everything; they don't play nice together. It just gets really confusing for the customers. I actually, sadly, have to give props to Microsoft. When they were in the wireless gear development stuff and they're selling their routers and cards, their software wizard that came up, you specifically had to tell it, "No, I don't want WEP on by default." It would ask you for a key for your security; you had to specifically tell it:
No. So just by not going for insecure by default, I think they did a really good job. However, everybody who had built-in wireless cards and, you know, had some sort of, like, 128 bits, tried to set 128-bit encryption; because different manufacturers were using different methods to get 128-bit at the time, nobody could get on it. So if they set the security as high as they could, they couldn't connect. "Okay, I'll just turn it off and leave it." So there's a lot of these companies that I think just need to sit down, readdress what they're doing. They're not taking care of their customers. They're intentionally putting them in harm's way. I'm just waiting for the first day that somebody is convicted for having an open access point and facilitating a crime. I don't know if that's within the realm of the law, but I could see somebody even civilly, you know, if company A gets attacked by a bad person through my access point, can company A sue me civilly for facilitating the access? It's a scary thing.

Thank you. Robert?

Yeah, I think with respect to the users, that's really the risk there. But to the extent we're gonna hold Linksys liable, they relate, because Linksys ships these things with the default, and they do it for a reason, because they're advertising a product that will provide ubiquitous, you know, Wi-Fi access. People just want it to work. Yeah, they really do. So you've got that smashing up against the real sort of implications of shipping this stuff the way they do. So I think that to the extent that they start to make it easier for the users to implement quickly with some sort of restrictions, then you might get into a case as you described, where there would be some liability on the WAP operator, even if it's someone in their house. As far as, you know, holding Linksys liable,
I certainly think pressure is coming on to them. I know that, I mentioned in my paper, that they're developing some... there's a consortium to develop some kind of product that they're gonna add on to the router to make it easier for people to implement security. Whether that's gonna be any good, I don't know. Anyway, and, you know, again, the efforts to hold ISPs and manufacturers liable in the past have been pretty... haven't gone really anywhere, except for when they're going after monopoly-type situation. So that would be my view at this time.

You know, a lot of this has come about because 802.11 has been a victim of its own success. I think a lot of the manufacturers originally envisioned setting these things basically as a very short-range item that would work only in a house, and people are going out using them in places the manufacturers never dreamed of. So it's going out, it's being used a lot more than it was ever anticipated, and the technology implemented was never intended to be used this way. So we've got kind of conflicting things going on here. On the other hand, I think there's a certain amount of responsibility of the operator. There's this very old thing that I think you've probably all heard, called RTFM. You have to be able to operate your own equipment properly; you're supposed to be able to figure out what's going on with it. While I would agree that the manufacturers owe a responsibility to the general public to get this stuff right, the operators do have some responsibility in getting it right themselves.

Thank you.
I think the questions that we begin to ask ourselves as fellow hackers are, although it's not totally independent of what the law requires of us, what is the definition of ethical war driving? And that's something which our friend RenderMan here has given a first stab at. But it becomes a question of, in the sense, the law hasn't quite caught up with Wi-Fi. So the question is, how do we as hackers act in an ethical manner now? In the first step, we do, sort of like John Muir said, you know, we have to walk softly and not leave too many footprints in the sand. On the other hand, the act of cracking a WEP, we're pretty soft. No one really knows we're there until we've actually cracked the WEP. So it's a very interesting question. Are there any questions?

If it's the one I'm thinking of, what I've heard is it's basically the telecoms are trying to fight municipalities from getting in to what they consider their business. You know, it's one of these private enterprise versus... so giving away something on a municipal level.

You know, I've got mixed feelings about some of that stuff. As much as I'd like to have free access everywhere, I don't particularly want my tax dollars going for it. I'm one of those people that, I hate paying taxes. So, and where I am, I get minimal services anyways for what I get. You know, I'm not sure I want to pay more for something
I may not use.

I just think that, like, we can all agree that this sort of stuff would be really nice if it was like a utility, like phone, power, water, you know, you turn it on, it's there. I think it's a good step the municipalities are realizing that internet access is not just going to go away; you might as well start providing it for everybody. And there's already enough internet access, if one wanted to do really bad things with wireless, you could get internet access anywhere. Let's just organize it and, you know, do this sanely. It is just a money grab by the telcos trying to hold on to their old-school monopoly, because now they don't have the wires to control. There's a limit that they can do; they're just trying to, you know, stem the tide as long as they possibly can. I don't know of anything like this in Canada. I honestly hope it doesn't go through down here.

Yeah, I would just add that I think an interesting legal concept comes into view if you do move toward a municipality model, which is that it's called sovereign immunity, which the government essentially can't be held liable even for negligence. So something to think about for those of you who were awake.

Government control of the internet. So government control of the internet would actually be a positive.

It might be, if you're looking to kind of, you know, have a good time.

I think a lot of it depends on how it's set up, who's running it.
There's... Before we get to the next question, I wanted... Robert Hale has written an article on this. If you look in the CD that you got with DEF CON, there are some pieces written by RenderMan on a first stab, which I think is great, at a hacker code of ethics for war driving, as well as Robert Hale has an article on this which delves into some of the issues. But I wanted Robert to comment on the Computer Fraud and Abuse Act, because, if I recall reading, there's a part of the CFAA which basically says that it shall not be a crime to access a Wi-Fi signal that is unencrypted.

You know, what I will focus in on... That makes sense, and that seems consistent with a lot of the things that I've read and what we've been talking about. But I think probably the biggest unknown there is what the definition of unauthorized access is. There's a huge disparity of opinion. The act doesn't define it, as anybody who's delved into it knows, and they really left it up to the courts to come up with a definition. And as a result, there is a very, very wide spectrum of views on what that unauthorized access is. And the crux of it is: is the user, when they approach the internet, are they in the default position of being unauthorized? Or is it the exact opposite, that unless something on the internet end gives some kind of signal to the user that you can't come in here, is the default of the user coming in, actually, "I have open access"? So it really comes down to a policy debate about whether the internet's open or not. And I think that, and there's a paper that I refer to in my paper, if you want to get to excruciating detail on the status of what unauthorized access means, I would point you to that for further detail. But irrespective of what some commentary on the CFAA may say, I really think that the future of where this is going to go, at least at that level, is going to come down to unauthorized access.

Yes, you, stand up. I can't hear. So your question is that if you're broadcasting it and it's unencrypted, you don't have the right of privacy to what you're broadcasting. Okay, I don't know, anyone want to comment on that?

Basically, I think you're correct in that you don't have a right as far as the reception goes; you've sent it out there. However, there are some laws that will conflict with that directly, specifically the one regarding email. It's illegally intercepted email if you're not the recipient, if you're not one of the carriers, or you're not the one that's transmitting it. So, yeah, see, and that's the real gray area. If you capture it and you realize it's an email, where you're crossing the line... because, you know, if you just get a header and it's an email header, and you say, "Oh geez, I'm not going to read any more," have you crossed the line? You know, I'd say maybe, maybe not. If you go through the whole thing, you've probably definitely gone way past where you should have gone. But if someone's just broadcasting everything that's going out there, that they've been getting, all their web surfing and all that, a lot of that's completely open. That's their own problem.

Yeah, I would add that, and I discussed this a little bit in my paper, if you want to push the Computer Fraud and Abuse Act aside for a minute and get down to common law issues like trespass, there have been cases in which they've likened unauthorized access to trespass, and the views that come down there are, if you're not protecting your access point and taking steps to protect it, then there's an implied authorization you're giving to the user. And again, that relates to the point I made earlier about the debates about this unauthorized access business.
I would also add that I think that, you really boil it down to the bone, right now the feds can tap into the internet without a warrant. I mean, that's basically the way it stands right now. So we can debate that endlessly, but I think if you really boil it down, that's really what's the bottom line. So the feds could tap into the Wi-Fi network without... that's my current understanding. But again, you know, there's a lot of conflicting views about that.

Yeah, the questions. Okay, one other issue I'm gonna bring up again is this issue of who's responsible. So I think what we've talked about here is the problem, which is they try to make it easy for you to use Wi-Fi; at the same point, they make it insecure. So one of the things that I've talked about with several of the members of the panel here is, in a sense, that we believe there needs to be a much stronger effort on the part of the software and the hardware manufacturers to change, in a sense, not only their marketing literature, but change the way they ship this equipment and this software, so that, in a sense, security becomes a default. And I know we addressed that a little bit. I'm asking that specific question: do they believe that if a case were to happen that we did have unauthorized access, do you believe that the software and the hardware manufacturers share some responsibility?

I don't think that the software and hardware manufacturers could be held directly liable. The end user, you know, stupidity is not a valid defense. If you didn't secure your access point and, you know, somebody ends up accidentally being on there, intentionally... My personal opinion is that if you leave it open and you specify in the SSID that it's free access, then go for it. If it is not specifically telling you free access, you know, "serve me," anything like that, take some pity on these people.
You've probably got high-speed internet at home. You don't need to mooch off of other people. Hotels have Wi-Fi, usually. There are much better ways of doing it than, you know, trouncing around in this legal gray area and getting yourself in trouble. At some point or another, it's going to be ubiquitous. You know, we're just gonna be all... open things up, and it's there, all nice and legal. But for now, yeah, drive the two blocks down to the Kinko's or wherever and use theirs. Just cover your butts. I just really wish I could smack Linksys around a couple of years ago when they were putting this stuff out, because they seem to be the biggest part of the problem. Their manuals are getting better, but I still hold them responsible for so much of this, because they're making it so easy. It's not even like you're having... the tools are out there to break a lot of the security that's in place, but they just make it so much easier for everybody. As he said, if you have a Linksys at home, Linksys out in the park, it just hops on there, and suddenly people can commit a felony on their own. You know, the software and everything helps them. They could very easily go too far and, you know, start checking emails, start realizing, hey, I can use this as a launching point for other things.

Thank you. Robert?

I would just say that it's the job of the plaintiff's bar to come up with a lot of these outlandish and bizarre theories of liability. As any of you know from buying appliances like toasters and hairdryers and pretty much anything nowadays, it's got warnings all over it, that, you know, really stupid stuff like, you know, "Do not iron pants while wearing." Yeah, yeah. I mean, really. And that's all there because of the... there's enough books to fill this room about product liability. The reason I mention that is that the whole idea here is to make, well, maybe not, you know, everybody would agree with this, but they're trying to make computers a newer appliance, right?
So to the extent that that keeps getting pushed, it's not inconceivable that you could come up with some kind of theory like that. So I think it's extremely unlikely that Linksys or other companies ever come under any kind of liability, but it's not impossible, given the history of litigation within the product liability space. But I completely agree with the points made that they really need to do more.

Doesn't mean we can't yell at them still, though.

Yeah, yeah, I would agree with that. You know, like I said earlier, you know, there's a certain amount of RTFM. However, I also think the companies, as companies, owe us something to get their product right. And, you know, for all the abuse Microsoft takes on a lot of different things that they absolutely deserve, the one thing they did right, in my opinion, was with their Wi-Fi appliances: they went to a default encrypted mode. They were the first and the only product to do that. I'd like to see the other products do that. Love to see it.

Thank you. Before we finish, I just want to know if any of you saw this article in the newspaper, which we have up at our booth, that ten more commandments were found, and I'm not sure that anybody was aware of it. So we made up a T-shirt about it, which I think really talks on what we're going for, ethical war driving. The 11th commandment: Thou shalt not covet thy neighbor's Wi-Fi. Thank you all very much for coming. I think we...

If you're actually hoping to have some level of security by hiding your SSID, I don't think that anyone would actually say that works as security. You could make an argument, but it's just a matter of using a different tool to find it. I don't think there would be enough there for anybody to complain that they tried, that "I was trying to secure my stuff, why are you on here?"

Okay. Thank you all very much. All right, we got time for two more. Go ahead.
I really wish that they would. I'm not a lawyer, but I've seen cases where companies will go in, install wireless access, you know, all over the place in a business, leave it wide open and walk away, and I just don't think it's due diligence, and it's not very professional. The companies, I think, would probably be best sued civilly if something did happen. Ethically, who are these people? They're setting these things up insecurely. They're supposed to be... you're hiring the expert. Why aren't they reading the manual? Why aren't they doing what their job is?

I'd say two points. It's conceivable they would be held liable civilly, maybe. The second thing I'd say is most of these laws have loopholes for, you could say, sort of information security or, you know, technical loopholes to allow for these types of things. So it's conceivable they could get immunity under something like that.

Yes? Does that count as wiretapping?

It's conceivable. That's a topic I mentioned briefly in my paper. It's certainly, again, if you're going to find liability under the CFAA under the facts you described, there's no reason why you wouldn't find it in the wiretap laws.

One of the points that we make in the beginning here is that what we know, what we interpret some of these state and federal laws to be, the question remains over the next few years how the courts will interpret them. And we need to walk, as hackers and as people who advise people out in the field, we need to walk a fine line and make sure that we're not going into an area which is gray without knowing that we're going into a gray area. Any other questions? Okay. Thank you all very much.