[ISN] Safe and insecure

InfoSec News isn at c4i.org
Mon May 24 03:19:52 EDT 2004

Forwarded from: Chad W. Didier <cdidier at cdsupportservices.com>

I think this would fall under the category of "willful neglect". No
one can be held responsible for the abuse of a technology that is
flawed. But, to publically state you're not going to make reasonable
attempts to secure it is "willful neglect". One could be held liable.
Perhaps not criminally but, in a civil trial one may find themselves
held responsible and liable for damages for the abuses of another.

-----Original Message-----
From: isn-bounces at attrition.org [mailto:isn-bounces at attrition.org] 
On Behalf Of InfoSec News
Sent: Wednesday, May 19, 2004 8:21 AM
To: isn at attrition.org
Subject: [ISN] Safe and insecure 


By Micah Joel
May 18, 2004  

Last week, I turned off all the security features of my wireless router.
I removed WEP encryption, disabled MAC address filtering and made sure
the SSID was being broadcast loud and clear. Now, anyone with a wireless
card and a sniffer who happens by can use my connection to access the
Internet. And with DHCP logging turned off, there's really no way to
know who's using it.

What's wrong with me? Haven't I heard about how malicious wardrivers can
use my connection from across the street to stage their hacking
operations? How my neighbors can steal my bandwidth so they don't have
to pay for their own? How I'm exposing my home network to attacks from
the inside? Yup.

So why am I doing this? In a word, privacy. By making my Internet
connection available to any and all who happen upon it, I have no way to
be certain what kinds of songs, movies and pictures will be downloaded
by other people using my IP address. And more important, my ISP has no
way to be certain if it's me.

In mid-April, Comcast sent letters to some of its subscribers claiming
that their IP addresses had been used to download copyrighted movies.  
Since Comcast is not likely to improve customer satisfaction and
retention with this strategy, it's probable the letter was a result of
pressure from the Motion Picture Association of America or one of its
members. And to Comcast's credit, it stopped short of direct accusation;
instead it gives users an out. Says the letter, "If you believe in good
faith that the allegedly infringing works have been removed or blocked
by mistake or misidentification, then you may send a counter
notification to Comcast."

That's good enough for me. I've already composed my reply in case I
receive one of these letters someday. "Dear Comcast, I am so sorry. I
had no idea that copyrighted works were being downloaded via my IP
address; I have a wireless router at home and it's possible that someone
may have been using my connection at the time. I will do my best to
secure this notoriously vulnerable technology, but I can make no
guarantee that hackers will not exploit my network in the future."

If it ever comes down to a lawsuit, who can be certain that I was the
offender? And can the victim of hacking be held responsible for the
hacker's crimes? If that were the case, we'd all be liable for the
Blaster worm's denial of service attacks against Microsoft last year.


More information about the ISN mailing list