Have 802.11, Will Travel: The ethics of network detection
by Stephen Cobb, first appeared in Mich Kabay's Network Security News for Network World
Allow me to present a clickable ethical dilemma hidden under the Network icon in Windows Explorer, a.k.a. Network Neighborhood. Click it and what do you see? All of the networks and computers visible from your computer. Some may not be ‘accessible.’ You might not be able to get into them, but you can see them and a few more clicks might get you into some of them (the exception is when Windows is having a bad day and you can’t see anything but your own machine).
Clicking Network is just one of many ways to navigate a network, but personally, I use it quite often, for example, to find a printer when I’m visiting the offices of friends, employers, or clients. Networks were made for sharing and that icon is one way to find out what has been shared.
But what if you click the same icon when you are not in an office, but in the park, at a bar, or in a hotel room? You may find that there is some unintentional sharing going on. You may be able to access hard drives that belong to strangers. What do you do? Were you wrong to click the icon? Do you inform the parties who are exposed? Therein lies the dilemma, which is far from academic now that the air around us is thick with data, especially in trains, planes, hotspots, and hotels.
Over the last twelve months we’ve seen numerous convictions for ‘wireless crimes.’ These have ranged from the criminal hacking of medical records in North Carolina, to the attempted interception of credit card transactions at the national headquarters of the Lowe's home improvement chain (coincidentally in North Carolina) via an ‘open’ network connection which the perpetrators detected, wirelessly, from a Lowe’s parking lot in Michigan.
Reports of such cases invariably invoke the term ‘wardriving.’ I’m sure editors love the sound of it but are unaware that it’s not the same as wireless intrusion. Indeed, wardriving, as defined by the vast majority of those who do it, is the detection of wireless networks that are broadcasting data into public airspace (typically with a laptop, a Wi-Fi card, and software such as NetStumbler).
Before you point to any motes in the wardriver’s eye, remember that your Windows XP laptop is probably beaming the air right now, by default, since Wi-Fi detection is part of XP’s standard operating procedure. (This hints at another dilemma: Would Microsoft be an accessory to criminal acts if wardriving was ruled illegal? After all, the recording industry is trying to pin piracy on peer-to-peer software.)
For clarification on the definition of wardriving, check out “Wardriving: Drive, Detect, Defend, A Guide to Wireless Security,” by Chris Hurley, Michael Puchol, et al. (Syngress, 2004). On the legality of wardriving, read Patrick S. Ryan’s paper in the Virginia Journal Of Law & Technology (Summer 2004 Vol. 9, No. 7). The article, “War, Peace, Or Stalemate: Wargames, Wardialing, Wardriving, And The Emerging Market For Hacker Ethics,” makes several points that are relevant to a group of people not normally associated with the term ‘hacker.’ I refer to business travelers, a.k.a. ‘road warriors.’
I consider myself a road warrior. My laptop and I check into numerous different hotels every month. Am I tempted to click Network? Yes, because when I plug my laptop into the Internet port in my hotel room, or connect with Wi-Fi at a hotspot, I want to know, without running software that could be mistaken for ‘hacking tools,’ whether anyone else can see my system. Think of it as wartraveling. The fact is, at some hotels, clicking Network shows me other guests’ laptops. With a few more clicks I could probably read files off some of the systems I see, but I won’t go that far. I think it would be wrong.
Surprisingly, the hotels where I’ve seen this problem aren’t cheap places where you fear for your life as well as your data. They’re brand name hotels, venues where doctors and other professionals hold conferences and rooms start at $300 per night. Sadly, in some of them, that $300 is not going towards good network design.
So, do you click Network or not? And if so, what do you do about the result? You can hardly call the front desk and say “Please let Dr. Doe know his patient records are exposed.” But you could enter a comment on one of those ubiquitous Customer Feedback forms: Your guest network is not secure.
Reference links:
Virginia Journal Of Law & Technology
Stephen Cobb