April 25, 2011

NEW CASE ILLUSTRATES WI-FI PRIVACY DANGERS?

Lying on his family room floor with assault weapons trained on him, shouts of “pedophile!” and “pornographer!” stinging like his fresh cuts and bruises, the Buffalo homeowner didn’t need long to figure out the reason for the early morning wake-up call from a swarm of federal agents.

That new wireless router. He’d gotten fed up trying to set a password. Someone must have used his Internet connection, he thought.

“We know who you are! You downloaded thousands of images at 11:30 last night,” the man’s lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, “Doldrum.”

“No, I didn’t,” he insisted. “Somebody else could have but I didn’t do anything like that.”

“You’re a creep … just admit it,” they said.

Law enforcement officials say the case is a cautionary tale. Their advice: Password-protect your wireless router.

I think it should be a cautionary tale for law enforcement officials, too: Don’t go off half-cocked, then try to blame technology for your own sloppiness. Think they’ll learn it? Only if somebody gets fired. And how likely is that?

It didn’t happen here: “The homeowner later got an apology from U.S. Attorney William Hochul and Immigration and Customs Enforcement Special Agent in Charge Lev Kubiak.”

An apology is nice, and merited. But I’m not sure it’s enough. It certainly won’t be enough if it happens again. And why is the Department of Homeland Security involved in this investigation? Not enough terrorists to catch? More evidence that too much tax money is going to law enforcement, I guess.

UPDATE: A reader sends this contrary advice:

No. Never, EVER set a password on your Wi-Fi router.

Background : 30 years in IT. I have many clients who are defense lawyers, and this is the advice they are giving me based on ‘water cooler’ chat going on in the profession. Long story made short, passwords = you did it, at least in the eyes of less-than-tech savvy juries. The only way to establish reasonable doubt is to NOT have a password. Read on for more of the why.

You are correct : the cops did not have their ducks in a row. Everything – EVERYTHING – that hooks up to a network has what is called a MAC address, and in theory it is unique. It has nothing to do with Apple, Inc.; it stands for M edia A ccess C ontrol. The bad news : like most everything else in computing, that unique address can be “spoofed”; that is to say it can be faked. As part of the investigation the investigators SHOULD have pulled the MAC addresses as well as the IP addresses, et cetera. That they did not is, in my eyes, serious negligence. If the MAC addresses did not match, they should have exercised caution or at the very least obtained a search warrant for the computer, and not stormed the place in a raid.

So in my professional judgment the cops were lazy and put on a show to justify their budgets.

But none of this is being raised in court, according to my clients. The juries are deciding guilt the instant they learn ANY security was enabled, and especially if there was a password. The logic, faulty though it may be, is going like this : if there was a password, then it was impossible for anyone else to have done it. They listen to nothing else during the trial. The problem is simply that no wireless network is secure. They can all be defeated with enough resources and time. Then your network can be used by whoever, all the time looking like you, and they can commit whatever crimes they wish.

In other words, enable that password protection and you just became someone’s built-in patsy. And to prosecutors you will have a big, juicy bullseye on you, and most importantly the color is not red, but EASY.

I’ve heard this theory before, but I’m not sure it’s correct. But yes, no network is completely secure, and wi-fi encryption is quite breakable.