Wireless Security and Non-repudiation

Devilpapaya

Member
Apr 11, 2010
146
0
0
First up, this isn't a thread to air your opinions about file sharing, please keep them to yourselves.

I was discussing the numerous security flaws of WEP with my coworkers the other day and we touched on the subject of legal liability of the network owner for unauthorized network access. That is, if you have a poorly secured wireless router, and someone accesses your network and uses it to do illegal fileshareing, are you liable for it (or, naturally, any illegal network traffic).

What if you have an open wireless network? does that become negligence rather than direct liability. What about well secured (WPA2-AES) networks that someone still manages to get access to?

In short, does a network owner incur liability for illegal activity on his network, even if the illegal traffic acquired the key to the network through illegitimate means.

Obviously, none of us knew for sure, and my (albeit not that in-depth) research has so far turned up inconclusive. So here I post to see if anyone was any unique insights into the matter.

Thanks.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
First up, this isn't a thread to air your opinions about file sharing, please keep them to yourselves.

I was discussing the numerous security flaws of WEP with my coworkers the other day and we touched on the subject of legal liability of the network owner for unauthorized network access. That is, if you have a poorly secured wireless router, and someone accesses your network and uses it to do illegal fileshareing, are you liable for it (or, naturally, any illegal network traffic).

What if you have an open wireless network? does that become negligence rather than direct liability. What about well secured (WPA2-AES) networks that someone still manages to get access to?

In short, does a network owner incur liability for illegal activity on his network, even if the illegal traffic acquired the key to the network through illegitimate means.

Obviously, none of us knew for sure, and my (albeit not that in-depth) research has so far turned up inconclusive. So here I post to see if anyone was any unique insights into the matter.

Thanks.

Define poorly secured....

It means different things for different people. Any competent hacker can generate enough packets to execute a brute force hack for WEP Encryption. On the other hand, Verizon (FiOS) defaults all their wireless routers to WEP Encryption - they obviously feel it is secure. WPA2-AES on the other hand is considered one of the most secure Wireless Security measures even by experienced users.

The phrase:
"Ignorance of the law excuses no man; not that all men know the law; but because 'tis an excuse every man will plead, and no man can tell how to confute him." -John Selden

immediately came to mind after reading that post. This rule was upheld in Ratzlaf v. US, US v. Freed, and Minnesota v. King.

If you are a highly inexperienced computer user, it is your job to ensure that you find someone who can properly set up the necessary protections.

In my mind Open Wireless networks are the only ones to which one can claim that the person is liable for any illegal activity conducted over their system.

One notable reason to support this is the fact that one MUST intercept packets in order to hack a given wireless network that is encrypted regardless of the method - in other words theft. Unlike an ISP, they cannot claim that it is their infrastructure and unlike the government they cannot claim National Security.

-Kevin
 

Devilpapaya

Member
Apr 11, 2010
146
0
0
Define poorly secured....

It means different things for different people. Any competent hacker can generate enough packets to execute a brute force hack for WEP Encryption. On the other hand, Verizon (FiOS) defaults all their wireless routers to WEP Encryption - they obviously feel it is secure. WPA2-AES on the other hand is considered one of the most secure Wireless Security measures even by experienced users.

The phrase:
"Ignorance of the law excuses no man; not that all men know the law; but because 'tis an excuse every man will plead, and no man can tell how to confute him." -John Selden

immediately came to mind after reading that post. This rule was upheld in Ratzlaf v. US, US v. Freed, and Minnesota v. King.

If you are a highly inexperienced computer user, it is your job to ensure that you find someone who can properly set up the necessary protections.

In my mind Open Wireless networks are the only ones to which one can claim that the person is liable for any illegal activity conducted over their system.

One notable reason to support this is the fact that one MUST intercept packets in order to hack a given wireless network that is encrypted regardless of the method - in other words theft. Unlike an ISP, they cannot claim that it is their infrastructure and unlike the government they cannot claim National Security.

-Kevin

Thanks for the reply, very insightful.

You mention that Verizon defaults their routers to WEP (whether because they feel it is secure or because its more widely supported, doesn't really matter) yet WEP was deprecated as a security standard in 2004; Officially it only remains an option for legacy support. So then, could an owner effectively argue that their wireless network was reasonably secure if they're using an encryption method that is no longer considered secure?

Obviously the hacker is still at the core of the blame, and gives the owner grounds for counter-sueing, but if the RIAA can't track down the hacker could they in turn sue the owner for negligence by not securing the wireless network via a "secure" encryption type.

An analogy, I'm not entirely sure if its a vaild analogy, but this is whats in my mind:

If you own a warehouse that a retailer uses to store expensive electronics equipment. You have insurance on the merchandise but the only security on the warehouse is padlocks on the main doors (I think fairly synonymous with WEP, simple to use and deter causal thief but any idiot can break them in less than a minute with the right tools). Someone breaks in and steals thousands of dollars worth of merchandise. The retailer Sues you for losing their merchandise, you obviously can sue the thief if you can find him, but will the minimal security measures you had in place protect you from liability in the current suit (insurance refuses to pay due to inadequate security measures).

Actually, it may be more valid if the thief stole your key to the padlocks, so it appears they were given access...

Thanks