Wednesday, December 20, 2006

WI-FI Theft: Any punishment for abetting the crime?

Pre-sentence report for youth who tapped on wireless internet illegally

By David Teo/Noor Mohd Aziz, Channel NewsAsia Posted: 19 December 2006 2017 hrs

SINGAPORE: A 17-year-old, charged with illegally hopping onto another's wireless internet connection, will have to wait a little longer to know his fate.

This is the first such case to go to the courts in Singapore.

A district court judge has called for a pre-sentence report on Garyl Tan Jia Luo, who has pleaded guilty to using his laptop to gain unauthorised access to a home wireless network.

Details that came out of court say that early on 13th May, Tan was "bored" and wanted to access the internet but his mother had locked up the cable modem.

He left home with his laptop, and went in search of an unprotected internet connection in his neighbourhood which he found outside 6 and 7, Casuarina Walk.

A man who spotted him surfing illegally on the kerb side questioned him, and called the police.

In mitigation, Tan was remorseful and said he did not know it was an offence.

He was a first-year student at Republic Polytechnic and had dropped out of the course, said his lawyer.

The pre-sentence report will be heard on the 16th January. - CNA/so



Dear friends,

Correct me if I am wrong.

Wasn’t Gary extremely resourceful? His mum punished him by taking away his internet connection and he went out and did what any one would have done. He walked around and found an unsecured wireless access.

Unless I am mistaken, he did not use fraud to break into the network. He did not crack the password to hack into the system.

I have wireless connections in my house. And it is UNSECURED. ( I won’t tell you the address).

I expect that once in a while, my neigbours might be using my bandwidths with my compliments. But I don’t make a fuss about it. If I did not want to share my bandwidth, I would have password-secured it!

Is it not like this scenario?: A man keeps the front door of his house open, and through this door daily flies out wads and wads of dollar notes for no conceivable reason. The man makes no attempt to close the door and his neighbours had been walking past to pick up the notes from day One.

On the 2,345th day, Gary walks by and picks up a two-dollar note. Some nosy guy then stops him and calls the police. Gary gets to see the judge and then gets the slammer?

The person who let the dollar notes out for the previous 2344 day is not guilty of abetting this "hideous" crime ?

What’s happening?

No wonder, JBJ says ,” The Law is an ASS”

Lawyers please enlighten me. I am confused.

Merry Christmas everyone!

Dr.Huang Shoou Chyuan

1st Addendum from an Infosec professional ( Capella)

Cappella said...

I am not a lawyer, but a InfoSec Professional.

WiFi, otherwise known as IEEE 802.11, was DESIGNED to have OPEN access. They put in security is so as to RESTRICT unauthorised people from accessing it. Look at the IEEE specs to understand the intentions of the people who design the specification.

If the owner of the Wifi does not secure their network, by IEEE 802.11 standard, it means you give consent for people to access it. In Wifi, the onus is for the owner to secure it.

I think the law has gone TOO FAR in finding a scapegoat. They probably think Wifi is just like a normal Internet connection where accessing it illegally is a crime. The law-enforcers never know that Wifi was meant to be shared openly in the first place, with security implemented if you want to have restricted access. HAIZ!
1:21 PM

Latest addendum from Capella (22.12.06 11.42am) "Wireless 101 Class"

Cappella said...

Dr Huang, thanks for quoting me in verbatim in the ST Forum. All of a sudden my friends start calling me and said I am in ST Forum!??! :P

Anyway everyone, I shall conduct a Wireless 101 lesson here. Short and brief, to explain why what the law thinks has nothing to do with the way this technology was designed.

IEEE 802.11 clearly states that it already does not have the security and privacy of a wired network. Why so? Wired network is secure for the fact that you need to PHYSICALLY be connected to the network to be secure. For wireless, as it uses air as a broadcast medium, there is simply no way to control how the radio waves reach the intended client.

Because of this, they have implemented an authentication mechanism to help the implementors of wireless network to secure their networks. Now, what makes the whole thing damn confusing BACK THEN was that there was two kinds of authentication mechanism: Open System and Shared Key. According to IEEE 802.11 standard Page 59 Section 8.1.1, "Open System authentication is the default authentication algorithm." Now, in case you think it is anything special, Open System authentication is not even a secure form of authentication, all it requires from the client is to specify the correct SSID, and you are in.

You may think, hey, that is not secure at all. Yes and no. If today the Wireless@SG network access uses a different unique SSID for every single access point, the users will feel extremely frustrated as they roam from one wireless network to another (EBSS mode), because they have to change their SSID constantly. So, by using this default authentication mechanism, users can be assured that they are connected to the very same "GROUP" of wireless network. The problem here lies in the fact that the people who design the standard never expect that one day the SSID "linksys" actually can be implemented by 100 people staying near the same block, but are actually not related to one another.

Because of this, IEEE 802.11 also provides provision for the secure implementation of password security, which most of you probably have heard terms like WEP, WPA, WPA2. On top of that, high end wireless routers implement 802.1x, which authenticates by each individual wireless client. Most also implement stuff like MAC address authentication (which is pretty easy to break anyway). All in all, there are features to help the implementor of access point to secure their wireless network, but they HAVE TO ENABLE IT. Out of the box, if you look at all the access points available in the market, NONE has security enabled. The maker of the wireless product DOES NOT KNOW how is it being used. That is why I have said earlier, the onus is for the owner to enable it if they do not want people to use their wireless network. Otherwise, it is implicitly taken that you intend to share out your wireless network.

That is why in the last 1 to 2 years, most wireless routers vendors tend to put additional text or information about securing the wireless network for these people who are technically illiterate to make them aware about this issue. So for these people, even after reading these text, they still think they do not want to go through the hassle of enabling it, then again, you are implicitly allowing people to access, since you have been warned to secure it but you did not.

The law in Singapore has sided too much on the clueless. It is time to throw the responsibility back on these clueless and make them take responsibility for it. Just as you will not let someone who has no driving licence to drive a car, you will also expect that the user of a wireless access point should have some technical competency to secure it. I for one will be peeved if I found out that someone's wireless network has been taken control of by a malicious user attacking my PC. Yes, the malicious user is to be faulted, but the owner of the wireless network should never have provide that chance for the malicious user to hijack their network to attack my PC in the first place.

So all in all, I support the view of Dr Huang and others that this whole this is nothing but a mere scapegoat catching exercise. :P

36 comments:

Cappella said...

I am not a lawyer, but a InfoSec Professional.

WiFi, otherwise known as IEEE 802.11, was DESIGNED to have OPEN access. They put in security is so as to RESTRICT unauthorised people from accessing it. Look at the IEEE specs to understand the intentions of the people who design the specification. If the owner of the Wifi does not secure their network, by IEEE 802.11 standard, it means you give consent for people to access it. In Wifi, the onus is for the owner to secure it.

I think the law has gone TOO FAR in finding a scapegoat. They probably think Wifi is just like a normal Internet connection where accessing it illegally is a crime. The law-enforcers never know that Wifi was meant to be shared openly in the first place, with security implemented if you want to have restricted access. HAIZ!

nofearSingapore said...

Hi Capella(again I think),
Your comments are so salient and significant that I will insert it as an addendum to my post.
Thank you

Dr.Huang

Whispers from the heart said...

Dr Huang,

my sentiments exactly when I read the news!

But aunty is no IT geek nor lawyer.

However, my human sense tells me the same thing too.

For the hell of me, I don't know if mine is secured or not. But, I still won't penalise anyone slowing down my access by sharing my internet. Afterall, it's my onus to keep my house safe, no?!

Sigh ... people nowadays hor, cannot live happily ever after.

Merry Christmas to all!

Aaron said...

Dr Huang,

Unfortunately, I have to disagree with you on this. The neighbour was not wrong, although the method is questionable.

I've posted my own thought on this.

Aaron said...

whispers from the heart:

I suggest you secure your wireless access because the concern is that you might have a tech savvy neighour who may do illegal things through your network, and you may end up taking the rap for it. Imagine if that guy taps onto your network and download illegal software, or worse, hack and deface someone's website. When tracing is done, it will be traced to your internet protocol address.

Well, I suppose that you can always turn over the logs of your wireless router (assuming that the logging function has been turned on. If not, good luck.) to prove your innocence if that happens. However, why go through the hassle in the first place? All it takes is probably 15 minutes of reading the wireless router manual and you should know how to set up an encryption key to prevent unauthorised access.

If you are not sure how to do it, I'm most willing to assist. Sharing is a nice thing, but the problem with wireless access is that it has like 100ft range at least, meaning that you can't be too sure who might tap onto your network. If you really want to share, secure it with a key and then give the key to neighbours you can trust.

Anonymous said...

Aaron has a valid point there...especially if someone is tapping into your net to download porn or hack into the CIA, for example.

nofearSingapore said...

Hi Whisper,
Like you I know that using unsecured wifi is foolish but I have lost the manual and don't know how to retrieve the default password. ( Actually too lazy to find out).
I know that such foolishness allows others within X meters to use free bandwidths.
By not securing the network, I have surrendered my right to exclusive use of this network.
So if there is a teenager sitting outside my gate surfing the net, if he is brought to me by the police, I would say, Constable, I do not consider him a thief.

Another point: The neighbour who reported to the police is incidental. Should he have called the police or not is incidental. Anyone can call the police for ANYTHING and it is up to the police whether to take any action or not.

Garyl did not know he had committed a crime ( on that night). I still think he has not.

The police should have just enlightened him that there is a law (albeit a stupid one) concerning using unsecured networks without permission blah blah ... and that would have been it.(& let him off with a warning)

To charge him and make an example of this poor boy is uncalled for.

Dr.Huang

Anonymous said...

It's at least refreshing that we have a resourceful 17 year old around....it will be sad if his future will be tainted for this inconsequential offence which actuall hurt nobody except maybe the service provider....justice wasnt meant only to punish..

not_regulated said...

The point here is not about secured or not secured. I see that there is a pattern here from the government doing the "fixing" on the use of the internet. It is a sublimal message telling you that anything that deal with the "freer" world wide web, the government will make known to you that they are there too to cover it.

Like the FREE Wireless@SG initiative, you are required to register with great details to use it freely.

Aaron said...

Dr Huang,

The beauty of the Internet is that most things can be found online. I'm pretty sure the model of your wireless router is printed on the router itself. Just go to the manufacturer's website, find the corresponding model and you should be able to find the PDF version of the manual, even if it happens to be a discontinued product. I would suggest you to secure your network as quickly as possible to avoid the possibility of mischief or worse, a breach of the law by someone who manages to log into your network.

Aaron said...

With regards to pressing charges, I don't think that it is up to the police. Firstly, it's a criminal act and the police are obliged to act as it is their duty to enforce the law. Even if they do not wish to press charges, if the neighbour wishes to, there is little the police can do but to press charges. The question really is that even if the neighbour is right, is it necessary to go to that extent over a 17 year-old?

nofearSingapore said...

Hi

not-regulated: I don't have such a suspicious mind as yours. I think the police screwed up. They didn't know a thing about the whole thingaling and some smart alect DPP carried on and here we are.

Aaron: I am sure the police could have done better.To be fair, I don't even know if the owner of the network is in the loop of things ( pun intended). Maybe the neighbhour just wanted to make sure the kid learns whose the boss in the neighbourhood.
No one was hurt in the bandwidth sharing. OK, maybe the owner surfer about 0.5 msec slower.
So what?
Get my drift? The law is supposed to help us live meaningful lives, not tie us down with red tapes and miles of legislations.

Dr.Huang

Whispers from the heart said...

Aaron,

thanks for your kind advice!

As it was, my smarter other-half gave me a simple plug and play laptop, meaning he did all things necessary. Nonetheless, old fogey here took the rest of the day to surf the internet on this router thingy.

Maybe the law was drafted to protect intentional criminals who used illegal access for unauthorised activities. However, I really think it uncalled for to resort to police for the mentioned case.

Technology becomes a tool to alienate people not help build communications. I think that's tragic. There should be a better way to relate to the community around you other than calling the police and putting everyone behind bars.

Whispers from the heart said...

Oops,

I meant to say "protect us from" intentional criminals.

Aaron said...

Dr Huang,

I totally agree with you that no one was hurt, and what's the big deal, really. Unfortunately, the neighbour was the one who thinks its a big deal. I still don't think we should blame the police though. I mean, if the police say, "let's just give the boy a warning" and the neighbour disagrees, then write in to the ST to complain what if the boy had hacked a website using his/her Internet access, the police will similarly be blamed. They're in a catch-22 situation, and I think they merely followed their SOP to avoid the situation.

The one who technically could do something, and who actually did was the judge. We should applaud the judge for actually trying to find out if the most lenient punishment was possible. By our justice system, if anyone has unhappiness to be redressed, it is only right to go to the courts. Once the court has ruled, there's nothing more the plaintiff can say. Given the relatively "malicious" intent of the neighbour, I believe that the neighbour probably sought for a more punitive punishment, which was not the case.

In fact, by dishing out the most lenient sentence available, the judge is indirectly signalling to the plaintiff that he/she has been a little too much in deciding to take the kid to court.

nofearSingapore said...

Hi Aaron,
I agree that the judge probably did the best possible thing.
But if I were the judge, I would have given the police prosecuter a roasting for wasting the people's money in bringing such a case to the court. ( Lucky I am not a judge!)
Merry Christmas to all

Dr.Huang

Dr Oz bloke said...

How about looking at it this way.

I put a telephone plug outside my house in full open view of everyone. I do not lock it. It is easilyu accesible.

People come and plug their phones into the socket and call their friends.

Who's at fault? Surely I am partly to blame isn't it? If I really don't want people to use my stuff then I should make it seem like I don't and keep things secured.

I personally feel that they should have given a warning to both parties and then made it clear what the law is. Don't make scapegoats when it isn't clear in teh first place.

xyndz said...

walao eh the stoopid gahmen
cappella go correct them =D
eh btw how to put password huh?

then somemore the lil boy drop out now =.=

nofearSingapore said...

Hi
Droz: The analogies all cannot match the actual facts. I cannot find any analogies that show how ridiculous I find this case is.

xyndz: walao, your singlish dam good man!

The Straits Times will be printing my letter in the forum page soon ( unless higher-up intervene.)

I usually have high regard for our police ( which I like as they are not corrupt and essentially efficient- I am not joking).
But I think Garyl needs a break.
Perhaps the full story is not known to us -hence it sounds so unbelievable. Unless Garyl is a hacker and he was surfing porn in front of the neighbour's lawn etc etc...

Dr.Huang

Cappella said...

Dr Huang, thanks for quoting me in verbatim in the ST Forum. All of a sudden my friends start calling me and said I am in ST Forum!??! :P

Anyway everyone, I shall conduct a Wireless 101 lesson here. Short and brief, to explain why what the law thinks has nothing to do with the way this technology was designed.

IEEE 802.11 clearly states that it already does not have the security and privacy of a wired network. Why so? Wired network is secure for the fact that you need to PHYSICALLY be connected to the network to be secure. For wireless, as it uses air as a broadcast medium, there is simply no way to control how the radio waves reach the intended client.

Because of this, they have implemented an authentication mechanism to help the implementors of wireless network to secure their networks. Now, what makes the whole thing damn confusing BACK THEN was that there was two kinds of authentication mechanism: Open System and Shared Key. According to IEEE 802.11 standard Page 59 Section 8.1.1, "Open System authentication is the default authentication algorithm." Now, in case you think it is anything special, Open System authentication is not even a secure form of authentication, all it requires from the client is to specify the correct SSID, and you are in.

You may think, hey, that is not secure at all. Yes and no. If today the Wireless@SG network access uses a different unique SSID for every single access point, the users will feel extremely frustrated as they roam from one wireless network to another (EBSS mode), because they have to change their SSID constantly. So, by using this default authentication mechanism, users can be assured that they are connected to the very same "GROUP" of wireless network. The problem here lies in the fact that the people who design the standard never expect that one day the SSID "linksys" actually can be implemented by 100 people staying near the same block, but are actually not related to one another.

Because of this, IEEE 802.11 also provides provision for the secure implementation of password security, which most of you probably have heard terms like WEP, WPA, WPA2. On top of that, high end wireless routers implement 802.1x, which authenticates by each individual wireless client. Most also implement stuff like MAC address authentication (which is pretty easy to break anyway). All in all, there are features to help the implementor of access point to secure their wireless network, but they HAVE TO ENABLE IT. Out of the box, if you look at all the access points available in the market, NONE has security enabled. The maker of the wireless product DOES NOT KNOW how is it being used. That is why I have said earlier, the onus is for the owner to enable it if they do not want people to use their wireless network. Otherwise, it is implicitly taken that you intend to share out your wireless network.

That is why in the last 1 to 2 years, most wireless routers vendors tend to put additional text or information about securing the wireless network for these people who are technically illiterate to make them aware about this issue. So for these people, even after reading these text, they still think they do not want to go through the hassle of enabling it, then again, you are implicitly allowing people to access, since you have been warned to secure it but you did not.

The law in Singapore has sided too much on the clueless. It is time to throw the responsibility back on these clueless and make them take responsibility for it. Just as you will not let someone who has no driving licence to drive a car, you will also expect that the user of a wireless access point should have some technical competency to secure it. I for one will be peeved if I found out that someone's wireless network has been taken control of by a malicious user attacking my PC. Yes, the malicious user is to be faulted, but the owner of the wireless network should never have provide that chance for the malicious user to hijack their network to attack my PC in the first place.

So all in all, I support the view of Dr Huang and others that this whole this is nothing but a mere scapegoat catching exercise. :P

nofearSingapore said...

Hi Capella,
Thanks for sharing with us your knowledge about this Wifi thingy.
As you probably know by now, I am definitely no expert on this subject ( or many other subjects).
I am sure if an potential defendant need an expert witness in the court, you will be the ideal person.
Have a great Christmas.
I will again add your latest comments onto my main post.

Dr.Huang

Cappella said...

One last contribution, and a food for thought.

Two case study:

Say to those who thinks that accessing wireless networks illegally is a crime, think about this for the moment.

Case Study 1
------------

Your laptop's wireless configuration has the SSID "linksys" configured to your own access point. One day, in a rush, you suspend your laptop, and rush for a meeting. In the meeting outside near a residential area, you want to show your customer some reports, and as you turn on the laptop, your wireless client automatically looks out for a wireless network (that obviously does not belong to you) also SSID "linksys" and sent out some mail that is in your outbox waiting to be sent. Assuming that someone found this out and identify you as the culprit, should you be charged as intended and be sent to prison?

Case Study 2
------------

Let's say Alan, his laptop is configured with SSID "Wireless@SG" because his access point also uses this SSID. Why he does this, because he is too lazy to change the wireless configuration as he moves from his home to those publicly accessible networks. One day, a guy named Aaron opens his laptop near his house, sees a "Wireless@SG" wireless network, and thought it is a free network provided by SingTel, QMax and iCell, and connects to it. Alan found this out and is not happy, and sues Aaron. Should Aaron goes to jail because of this?

Think about it.

Dr Oz bloke said...

Going by the precedence so far, the answer would be yes, it is an offence.

SO the onus is now on the people using the WLAN to make sure they connect to one that they are allowed to use legally.

We can all leave our networks uprotected. NO need WPA WEP password whatever, the law protects us already.

I think that's what the law says.

Aaron said...

Dr Huang,

I give you my utmost respect for the length you are willing to go to for this boy. You have a big heart.

Capella,

I will respond to your case study 1 and 2.

Case 1.
-------

If there are multiple SSIDs available, it would be downright silly for the client to just find one to connect without asking which is the right one. If the person seeking to connect the network does not take reasonable steps to determine which is the right network, then is it the fault of the owner of the network for not choosing a "unique" SSID?

Case 2.
-------

This one is more complex. In this scenario, to determine who should be punished, the court will have to look at to what extent Aaron is clueless and to what extent Alan is clueless. The way I see it is that Wireless@SG is commonly known to be the free wireless network, and that anyone who chooses to use this SSID on his/her access point can possibly be argued to be engaging in some form of deception.

Of course, if both parties are clueless, then both parties are innocent.

In anycase, while both your case studies illustrate important points to consider for policy makers, it doesn't prove that the boy who landed himself in court is innocent. The court would not have found the boy guilty if it could not have been proven beyond a reasonable doubt that the boy did know he was deliberately accessing another person's network without his or her consent. In both of your case studies above, there is reason to doubt that the end user is unaware that he/she is on the wrong network.

Anonymous said...

Aaron said: However, why go through the hassle in the first place? All it takes is probably 15 minutes of reading the wireless router manual and you should know how to set up an encryption key to prevent unauthorised access.

Same for the owner of the wireless network, all it takes is 15 mins of reading. Being IT clueless just doesn't excuse the owner, the kaypoh neighbour, the police, the DPP, the court and the media for its overreaction to the theft... I thought not too long ago Mr Wang wrote something about the courts having more leeway? This case could have been handled with more discretion, considering the youth of the offender and his (probably) lack of malicious intent, to minimize impact to his future.

It just brings to mind Famous Amos' tongue-in-cheek declaration that the wonderful smell of their cookies is free with the huge sign of "Free smells"! Guess in Singapore, maybe its not really a joke?

Such a pathetically ungracious nation we have become in the effort to prove we're right / the best / numero uno. E.g. Youngsters like blogger Aaron arguing his case with an awfully distasteful analogy. :-( How can one compare the damage of rape to a momentarily reduced speed of internet access (if any)?

Aaron said...

Dear Anonymous,

If you insist on thinking that the damage is limited to momentarily reduced speed, go ahead and leave your network unsecured. If one fine day, the police shows up at your home with an arrest warrant for online fraud, hacking and illegal software sharing activity, I'll have something else to write about the naviety and stubbornness of some people. :-)

Cappella said...

Folks, your inputs on the various potential scenarios that I raised are really valid in real world conditions. Really, if you look at the applicability on how wireless networks can be implemented or used, you will find that there can be myriads of situations happening.

For the law to be fair and understand the right context on how the technology should be used, they have to consider all possibilities and spell out clearer definitions. Otherwise, it is just a waste of taxpayers' money and creating FUD on everybody on what is really acceptable or not.

Today, I disagree with how the law-enforcer prescribe the slogan "Connect to wireless network without permission, you commit a crime!" simply doesn't make sense.

What do you mean by without permission? What if someone wants to share out freely for people to use, but just have no time to give explicit consent to each and everyone to use? Where do we draw the line? A cafe wants to let all their kopi-drinkers free Internet access, but did not say that non kopi-drinkers access, so does that mean the non kopi-drinkers can access or not? Maybe the cafe also wants to do that, so how to announce that intention easily?

Just so for your information, I did my wireless hacking research and presentation back 5 years ago, and I can safely say that what makes wireless networks so popular today is its ease of implementation (security-less). Yes it may not be a good thing back then, but well technology evolves, and it helps the this technology to move forward today. 2FA took us more than 10 years before it reach the house of everyone using Internet banking. :P

There are two ways you can implement wireless network access: Allow all, deny some; or deny all, allow some. Most of the people probably wants to do the latter, but doesn't know how to do it. As I said, you need to have certain technical competency to secure your wireless network, because people can make use of your wireless network to commit malicious acts. If you do not secure your wireless network, then you should be prosecuted under Computer Misuse Act. Why? Because you create that environment and opportunity for malicious attacker to use your network to affect others. So under CMA, you are part of the facilitator that allows computer crime to happen.

So, my message really is, we have to do much more than just blindly applying the rule that connecting to wireless network without permission is a crime. Prescribe the conditions, the intents, that both the owner and the user could be liable.

Anyway after talking so much, the guy PG. What can I say? :P

Cappella said...

Aaron,

I shall respond to your response with regards to my case study.

Case 1
------
Not too sure how many corporate users you have supported in your life, but I can tell you most people just simply are not bothered. Users just expect technology to work without trying to learn. So yes you are right, the user should take correct steps, but sometimes even users who go through that step can get confused. I did not mention this "linksys" SSID incident for no reason. I have, on too many occasions, been approached by users saying if they see 10 "linksys" SSID around them, how do they know which one is their one? The current Windows XP wireless configuration interface is so simple that you cannot just tell them to lookout for the AP MAC address. In fact, even using the term MAC address freaks them out. So till you have encounter such incidents over and over again, you will have no idea how big and widespread the problem is. The answer I told them, no choice, just humtum one by one, and see your wireless network LED light blinks while you ping (freaks them out too), then probably that should be the right one. Then again, when technology is developed without considering all these problems, it creates confusion in the market. That is why the law should be very sensitive in such matters.

Case 2
------
Regarding about the person trying to engage in some form of deception, if there are 10 "linksys" around, does that mean everyone is try to engage in some form of deception? IEEE 802.11 standard does not say that it is wrong to use the same SSID even amongst wireless networks. So saying engaging in deception does not stand. This is where you still have not fully appreciate how this technology really works.

Yes, both users may be clueless, but in the context of Singapore where people like to complain, being clueless is not going to stop people from complaining and suing.

Lastly, I like your last sentence "there is reason to doubt that the end user is unaware that he/she is on the wrong network.". Well, Garyl claims he is unaware he is committing a crime, but the police still prosecute him anyway. So I am not so sure in Singapore context, where witchhunting is so abound, I doubt even using the reason that I do not know I am connected to the wrong network still will get you out of the hook. IF the IO wants you to die, it will be pretty hard in Singapore to clear yourself.

Cappella said...

To Dr Oz bloke,

Your comment that the law protects those people who does not secure the wireless network.

This is what I fear, protecting the clueless who in turn are sometimes responsible for crimes committed because of their inactivity.

Just for those who might be interested, if you noted the number of increase of spam in the last few months, you want to know why spam mail just increased all of a sudden? Well, the people who sent the spam mail makes use of botnets and wireless networks to do it. For botnets, the user of the PC just does not bother to patch their PC. For wireless networks, there is this term called "fly-by spamming" where a spammer looks for an open network, blast out thousands of email through this wireless network, and moves on, thus guaranteeing that the recipients will not blacklist them. In both incidents, it is all because of the OWNERS' complacency and inactivity that leads to this problem.

Maybe, the Computer Misuse Act should do something to these goondus, don't you think?

Veefer said...

First let me state that I disagree with the prosecution of this case but on the flip side, i.e. none IT side of the story, using an analogy.

If I were to leave my bicycle unlocked, someone came along, took it for a few days for his use with the intent to return it to the spot where he first found it. Would he be guilty of theft?

Any lawyers out there who can clarify the similarities or differences with the case and the analagy?

Anonymous said...

Aaron's response: If you insist on thinking that the damage is limited to momentarily reduced speed, go ahead and leave your network unsecured.

Hi Aaron,

Tsk, tsk... what are the facts of this case in particular? Only a (possibly) reduction of internet access speed, isn't it? If you really want to argue about the "theft" treatment of this case being due to the full potential effects of the neighbour's unsecured network, then I would support Dr H that the OWNER IS ALSO LIABLE in this instance (pls research on what the law says about abetting a crime by offering access to a network). Thus, going by your arguments based on potential effects, then really the law was biasedly applied in this instance.

Btw, I had also been in IT support before and fully agree with cappella's observation that "Users just expect technology to work without trying to learn" and thus "the law should be very sensitive in such matters".

My point is: This case could have been handled with more discretion, considering the youth of the offender and his (probably) lack of malicious intent, to minimize impact to his future. Similarly, the IT-clueless neighbour should be appropriatedly advised to secure his network.

Think I'll (probably) leave this topic on this tack, for I fully understand the arrogance of youth.

Aaron said...

Capella,

I'm not sure if Garyl claimed he is innocent, because he pleaded guilty. By pleading guilty, he admitted that he committed a crime, although the guilty plea probably was the advice of his lawyer who reasoned that there's little chance of winning the case.

That being said, I think more can be done, not just in terms of the law. In my opinion, the law is not wrong in choosing to be conservative and protecting innocent people from harm. On the other hand, because this very law cuts both ways, i.e. it protects innocent owners of wireless networks, but persecutes innocent users of wireless networks, perhaps more can be done in terms of advocacy.

Given the prevalence of home wireless networking today, perhaps some form of public education can be done to educate Singaporeans. If people can be educated about SARS and dengue, why not about things like securing your wireless network? Ultimately, the best scenario is one where everyone knows how to protect oneself.

Aaron said...

Dr Huang and Capella,

Care to comment on a response to your letter in the ST when you're back from holidaying? I'm interested to hear your views about what the guy raised, particularly on the part of the TOC.

The link can be reached here.

jun said...

I think theft is defined as "when the subject takes for its own use something which does not belong to the subject". So it is pretty simple actually.

There is a feeling that the gov is using this case as a "kill one to warn hundreds" example. So this 17 year old is quite unlucky...

Btw, I have recently made a police report regarding unauthorised access and use of my wireless network. I don't know how secured my network was but my SSID was not on broadcast (I had switched it off), I had the WEP on blah blah blah. For my case, the culprit had made an intentional access into my network...so I am looking forward to meet the culprit in court.

Cappella said...

Hmm, I am not on holiday, and I cannot access the letter referenced in the link, but somehow, I can remember what Biala Sameer wrote. I believe the TOC you mention is about the breach of the contract with the ISP.

First of all, we have to get this very clear, breaching the contract with ISP has nothing to do with the question if someone sees a free network, can they just use it freely? They are fundamentally mutually exclusive events. I did not even try to bother to respond to Biala on such public forums is because, well, very hard to explain something when someone just don't get it.

Again, I want to re-iterate (for the 3rd time) that unless you understand what this technology is all about, we can argue till the cows come home and we continue to argue. This technology is meant to be by default ALLOW ALL DENY SOME technology. If you want to DENY ALL ALLOW SOME you have to enable security on it. Very simply put. I think many readers here have made the same comments that if you do not want other people to access your network, password protect it!

The problem with most people who treats this whole thing as theft is you treat wireless network technology like a physical property, something that can be stolen, taken away from you such that you do not own it anymore. No no no, wireless network technology is like an idea, an idea that you can share. If you do not want others to have access to your idea, then you patent it, trademark it, whatever. Otherwise, if you go around broadcasting your idea, do not expect people not to listen or use your idea.

By understanding how this technology was conceived in the first place, then could one understand why there is such a big backlash. Most of the InfoSec professionals that I spoke with agreed that the onus lies with the owner, not the one who access their network.

You know, at the rate if people wants to complain here and there and not bothered to understand the technology properly, soon in time to come you neighbour may have the right to sue you because your wireless network waves is intruding into their house and affecting their health. Don't laugh, because it already happened somewhere where people complaint of intruding wireless network waves. Then what? Ban wireless networks totally???

I have also performed a demo once, and I can tell you it become a blurry line, and then you see people complaining here and there. In case if you are not aware, Bluetooth is using the same 2.4 GHz frequency. The new Bluetooth 2.0 spec already allows Bluetooth devices to operate as far as 100m. What does that mean? It means it will interfere with your wireless networks. If one fine day, you realised your wireless network is severely degraded because your neighbour is using super-duper powerful Bluetooth emitter device for his top-of-the-end computer system, are you going to call the police to catch him just because it affect you???

People, c'mon, all these unreasonableness (and Garyl's case) has to be stopped.

It can be pretty hard to explain to normal people when their perception of ownership applies to wireless network technology, which cannot be similarly applied. That is why I am still debating to myself should I respond or not. Since the discussion is STILL going on, I thought I may just jump in the fray to continue this whole discussion in the hope that someone knows what the hell I am talking about.

Aaron, you last para on the importance of educating the users is something that the industry (and possibly the government, since they like to go witchhunting) should have done. However, problem with human beings is until they faced a problem, they are simply not bothered to learn.

Jun, it can be pretty easy to secure your wireless network these days. Your method of disabling SSID and turning on WEP has absolutely no effect on securing your wireless network, just merely adding obstacles for people to access your network. I do hope that you (or the police) have identified the culprit, because it can be pretty hard to prove that the person has used your network.

I will be discussing with SIG^2 to see if we can hold a public forum to educate the public on how to secure their wireless networks, and the tips and tricks on how to know who have accessed their wireless network. Till then, I am still waiting for SPF to respond to this whole entire saga.

Speranza Nuova said...

Dear Dr Huang,

My apologies for coming to this topic a bit belatedly, but it is in the news again now that a second person has been charged.

I think part of the difficulty is in how existing policy attempts to tackle the problem. Maybe the router manufacturers and distributors need to change the default setting from unsecured to secured? (The IEEE 802.11 specification notwithstanding.)

I've written some analysis on this at Singapore Angle -- you are welcome to visit and share your insights... :-)

Mooch Ado About Something: Illegal Wireless Access