Licensed to War Drive in N.H.

[Dave Farber <dave () farber net>]

Wired News
Licensed to War Drive in N.H.
02:00 AM Apr. 29, 2003 PT

DURHAM, New Hampshire -- A land where white pines easily outnumber wireless
computer users, New Hampshire may seem an unlikely haven for the free
networking movement.

But the state, known for its Live Free or Die motto, could become the first
in the United States to provide legal protection for people who tap into
insecure wireless networks.

A bill that's breezing through New Hampshire's legislature says operators of
wireless networks must secure them -- or lose some of their ability to
prosecute anyone who gains access to the networks.

House Bill 495 would, experts say, effectively legalize many forms of what's
known as war driving -- motoring through an inhabited area while scanning
for open wireless access points.

Increasingly popular with businesses and consumers, wireless networks use
radio waves to transmit data between computers in a network. The convenient,
low-cost equipment often is deployed to allow employees or household members
to share a single Internet connection.

To simplify installation, wireless systems typically ship without any
security features enabled. Because the radio waves broadcast by wireless
base stations are relatively powerful, it's not uncommon for residential
neighbors or adjacent businesses to inadvertently connect to each other's
wireless networks. 

Some wireless owners leave their access points unsecured on purpose. A
grassroots effort known as the open network movement is attempting to create
a worldwide grid of Internet-connected wireless access points. A computer
enthusiast with a DSL or cable modem at home may, for example, intentionally
provide free wireless access to the connection while he's away at work.

New Hampshire's proposed wireless law was hailed as "enlightened" by the
Electronic Frontier Foundation, a California-based digital rights advocacy
group. 

Lee Tien, a lawyer for the EFF, said the bill would help clarify the
legality of the open networking movement.

"It seems like a fairly clean way of accommodating the geek-culture practice
of having open wireless access points without doing anything bad for
security," said Tien.

The appeal of tapping into free Internet connections while on the go has led
to an activity known as war chalking, in which wireless fans scratch special
markings on pavement to indicate open connections. Thousands of wireless
"hotspots" offered by hotels, restaurants and other commercial
establishments also are listed in online databases such as
80211hotspots.com. 

To understand the genesis of New Hampshire's proposed law, just boot up a
wireless-enabled laptop at the Fusion Internet Cafe and Espresso Bar on Elm
Street in Manchester, the state's largest city.

Fusion has been offering free wireless access to coffee drinkers for the
past four months. But co-owner Carlos Pineda said he sometimes turns on his
laptop at the cafe and finds himself connected instead to a wireless
local-area network, or WLAN, operated by the CVS drugstore located across
the street. 

"I don't even think their employees are aware the signal from their Internet
is being broadcast outside of their space," said Pineda. "That means I have
access to their (Internet protocol) address so I can break into their
system. Personally I can't, but other, more-savvy people could do it."

The legality of such inadvertent wireless network intrusions is murky. Last
year, a Texas man was indicted, but later cleared, on charges that he
illegally gained access to the wireless network of the Harris County
district clerk. 

Like most state and federal computer crime laws, New Hampshire's existing
statute says it is a crime to knowingly access any computer network without
authorization. By analogy, just because someone leaves his house unlocked
doesn't mean you are authorized to walk inside, sit on the couch or help
yourself to the contents of the fridge.

But HB 495 turns that thinking upside down, experts said. It defines an
operator's failure to secure a wireless network as a form of negligence.
According to the proposed amendment, "the owner of a wireless computer
network shall be responsible for securing such computer network."

What's more, if an alleged intruder can prove he gained access to an
insecure wireless network believing it was intended to be open, the
defendant may be able to get off the hook using an "affirmative defense"
provision of the existing law.

As a result, some legal experts contend that New Hampshire's proposed
amendment to its computer laws could make it harder to throw the book at
criminals who take advantage of insecure wireless systems.

"If (wireless network operators) want to be able to prosecute people for
hacking into their wireless networks, they need to have done something to
have secured the networks," said Mark Rasch, a former head of the Justice
Department's computer crime unit.

Despite repeated warnings from experts, at present many wireless users
haven't secured their systems.

A 10-minute war drive down the main business district of Manchester earlier
this month using a laptop with a standard wireless card revealed nearly two
dozen open wireless access points, including some operated by banks and
other businesses. 

A variety of techniques can deter, if not eliminate, unauthorized access to
wireless networks. For example, enabling a technology called Wired
Equivalent Privacy, or WEP, can provide some security by encrypting
wirelessly transmitted data. Wireless networks also can require users to
provide a password before connecting. Another technique, called MAC address
filtering, only allows access to computers on a designated list.

But according to Jeff Stutzman, CEO of ZNQ3, a provider of information
security services, such security techniques are beyond the ken of many home
and small-business users.

"When I do a vulnerability assessment for a client, one of the first things
I do is test for open (wireless) access points. And I've been in places
where every access point I've picked up is un-WEPed," said Stutzman.

Pineda said the salesman at Best Buy who sold Fusion Internet Cafe its
wireless gear didn't even bring up the subject of enabling security
features. 

"People talk about wireless technology but no one talks about the security
problems ... people stealing the signal, hacking your system," said Pineda.
"That's not their concern. Their concern is to push a product out of the
store." 

Passed by the New Hampshire House last month, HB 495 currently is being
reviewed by the state's Senate Judiciary Committee. If signed into law, it
would take effect in January 2004.

Committee Chairman Andrew Peterson said the goal of the proposed law is to
protect those who innocently stumble upon insecure wireless networks. But
Peterson said the committee is open to arguments from anyone who believes
the bill could undercut existing protection for victims of wireless hacking.

"We want to be sure that it wasn't the case that, through trying to protect
people under certain circumstances, we were opening up greater opportunity
for criminal activity," said Peterson.
*******************************


------ End of Forwarded Message

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/