Greg Freemyer wrote:

At work (a small company) I run multiple subnets with different security for each.

The wireless is just a service for clients that need to borrow it. I have it sitting directly on the Internet behind a simple NAT firewall. No wireless security at all. Just like a coffee shop!!!

The rest of my subnets are behind their own separate NAT firewalls at a minimum, so I'm secure from whatever happens on that unsecure segment..

Greg, what about your/your employers liability wrt possible criminal use of your wifi? A freeloader downloading child-pornography, making plans for world domination or sharing copyrighted material via bittorrent? /Per -- Per Jessen, Zürich (3.6°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Per wrote:

what about your/your employers liability wrt possible criminal use of your wifi? A freeloader downloading child-pornography,

The person doing it would be committing an offence but would the company (as long as they didn't know about it)?

making plans for world domination

This is the main purpose of companies and governments alike, isn't it? That can hardly be an offence.

sharing copyrighted material via bittorrent?

This definitely isn't an offence. One of the reasons the GPL works is because the source is all copyrighted. So you do this whenever you download opensuse. Cheers, Dave -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Dave Howorth wrote:

Per wrote:

...

what about your/your employers liability wrt possible criminal use of your wifi? A freeloader downloading child-pornography,

The person doing it would be committing an offence but would the company (as long as they didn't know about it)?

No, there would be no 'Mens Rea' on the companies part unless there was evidence of conspiracy between the company and the person doing it (such as evidence that the company was a knowing facilitator or access for that purpose). I am not away of any 'strict liability' statutes covering open wireless in the US. A relatively similar example where strict liability would apply would be a situation where a parent negligently allowed a child access to a gun and then the child kills them self or someone else. Here the parent would obviously be an "unknowing facilitator" but would still be strictly liable for the death or injury under a number of state laws covering the securing of firearms. (not in all 50 states, but somewhere around 1/2) So in the case of the company and the wireless, it would take a statutory change that requires the securing of open wireless connection before liability could apply because securing open wireless connections certainly isn't a creature of common-law. Cheers David! -- David C. Rankin, J.D.,P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

...

...

/Per

I don't know about in Zürich, but in the US I don't think the liability is significant.

Are you talking about the liability of being investigated.

That's the part of the problem, yes. There is however also a possiblity of an individual or a company being accused of having facilitated an unlawful activity by a third party without being an actual telecoms provider.  When you're not an ISP or similar, all activity on your network is essentially your responsibility.

Never heard of that in the US and I work in the field of computer forensics. Meaning I know the law fairly well but IANAL. If true, then every coffee shop, McDonalds, bookstore, hotel etc. would have liability for the activities of their wireless users. That just does not seem to be true, or they would not be offering wireless connections. One can certainly get pulled into an investigation, interviewed, subpoenaed, issued interrogatories, etc. but not actual responsibility. Mind you in the US, if you become _aware_ of child porn(CP), you must notify law enforcement (LE). I don't know the exact details, but certainly if a corporate employee became aware of same, they would have a legal obligation to notify LE. Basically in the US CP is considered an ongoing crime, so even attorney client privilege does not trump the legal requirement to notify LE.

...

FYI: I'm aware of a situation where an apartment dweller had a wide open wireless.  His neighbor used it to hack into his home PC.  And then stored illicit images there.  When the police came, yes they first arrested the owner of the PC.  Further investigation showed he had nothing to with storing the images, so he was not convicted of child porn activity.

Sounds like just the kind of thing that would be very difficult to deal with: "I didn't download those pictures and I didn't store them on my PC".

Agreed, but my wireless subnet is firewalled off from my other subnets in exactly the same way that I firewall off the rest of the Internet. And I have zero assets on the wireless subnet that someone could try to hack. So physical proximity does not make it any easier to get data from the unsecure subnet to my secure subnets. In my case the wireless router has an actual routable Internet IP, so it lives directly on the Internet. As expected the wireless router does NAT,etc. but that is only to offer limited to anyone borrowing my wireless. My opinion for business need is that if you treat the wireless subnet the same way you treat a direct Internet connection, then you should be safe. ie. connect the wireless to the unsecure Internet, not to the secure side of your firewall. If you want wireless to be semi secure, then create a DMZ and put it in there, but never connect it to a secure network. Use VPNs etc. if you need connectivity.

/Per

Greg -- Greg Freemyer Litigation Triage Solutions Specialist http://www.linkedin.com/in/gregfreemyer First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf The Norcross Group The Intersection of Evidence & Technology http://www.norcrossgroup.com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, Mar 4, 2009 at 2:03 PM, Per Jessen wrote:

Greg Freemyer wrote:

...

My opinion for business need is that if you treat the wireless subnet the same way you treat a direct Internet connection, then you should be safe.

I treat our wireless network as part of our corporate network. It is exclusively intended for our and our employees use.

...

ie. connect the wireless to the unsecure Internet, not to the secure side of your firewall.  If you want wireless to be semi secure, then create a DMZ and put it in there, but never connect it to a secure network.  Use VPNs etc. if you need connectivity.

Hmm, how about this comparison - if you want access to my secure physical network, you only need to break down a door and plug in your ethernet. If you want access to my wireless ditto, you need to break WPA.  Both are doable, both are criminal, but the former takes less effort.

/Per

Wasn't WPA cracked a couple months ago? I don't care because I treat all wireless as unsecure. Apparently you treat it as secure, so you have to keep track of these things. Greg -- Greg Freemyer Litigation Triage Solutions Specialist http://www.linkedin.com/in/gregfreemyer First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf The Norcross Group The Intersection of Evidence & Technology http://www.norcrossgroup.com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 04 Mar 2009 15:26:09 -0600, Boyd Stephen Smith Jr. wrote:

I've heard this, but not seen a demonstration or other evidence to back that up. It might be that we must move to something stronger or simply accept when we are beaming things into the air they can be read.

Or use a VPN connection in conjunction with wireless access. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Boyd Stephen Smith Jr. wrote:

On Wednesday 04 March 2009 13:43:28 Greg Freemyer wrote:

...

Wasn't WPA cracked a couple months ago?

I've heard this, but not seen a demonstration or other evidence to back that up. It might be that we must move to something stronger or simply accept when we are beaming things into the air they can be read.

As I mentioned in another note, use WPA2. WPA was only intended to be an interim measure until 802.11i was finalized. The full 802.11i is WPA2 with RADIUS server. -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Greg Freemyer wrote:

Wasn't WPA cracked a couple months ago?

I don't care because I treat all wireless as unsecure. Apparently you treat it as secure, so you have to keep track of these things.

WPA was partially cracked, but not WPA2. For best security, run WPA2 & RADIUS server. I use WPA2 & preshared key. However, should you manage to break WPA2, you still have to get through my firewall, which allows only SSH (with key, not password) and OpenVPN. -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

At 07:33 PM 3/4/2009 +0000, Jim Henderson wrote:

On Wed, 04 Mar 2009 13:19:29 -0500, Greg Freemyer wrote:

...

If true, then every coffee shop, McDonalds, bookstore, hotel etc. would have liability for the activities of their wireless users. That just does not seem to be true, or they would not be offering wireless connections.

This actually varies from state to state. IANAL or a computer forensics expert, but I know here in Utah there have been laws proposed that would make the provider of open wireless systems liable for the actions of users.

It may be a subject for debate, but, to my knowledge [from someone in the ISP business], there are no laws anywhere that require the ISP to prevent ANY type of access. The only issues our lawyers tell us to be cognizant of are keeping proper logs so that law enforcement can access them with a subpoena, which can only occur when illegal acts have occurred and are the subject of an investigation. We DO normally setup access points with a default TOS page that all users must acknowledge - that seems to pacify the lawyers we have encountered. Lee -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

* Jim Henderson [03-04-09 14:36]:

On Wed, 04 Mar 2009 13:19:29 -0500, Greg Freemyer wrote:

...

If true, then every coffee shop, McDonalds, bookstore, hotel etc. would have liability for the activities of their wireless users. That just does not seem to be true, or they would not be offering wireless connections.

This actually varies from state to state. IANAL or a computer forensics expert, but I know here in Utah there have been laws proposed that would make the provider of open wireless systems liable for the actions of users. It's been a topic of discussion in Pete Ashdown's blog because his company (XMission) provides free Wifi at many locations throughout the city, and if the law passes, he's going to have to shut that service down because he can't afford to defend against potential suits that say he didn't do enough to protect kids from being able to surf to undesirable sites.

Because - as COPA has demonstrated so very well - you can never to *enough*. It just takes one person getting through to a site that wasn't properly blacklisted and you've got to defend yourself.

Isn't it ridiculous that we have come to the point that you are the guilty party when you fail to protect yourself and/or your property from another's transgressions. You are guilty because you have availed someone the opportunity to commit a crime. -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

At 03:12 PM 3/4/2009 -0500, Patrick Shanahan wrote:

Isn't it ridiculous that we have come to the point that you are the guilty party when you fail to protect yourself and/or your property from another's transgressions. You are guilty because you have availed someone the opportunity to commit a crime.

Agreed - it's a shame, really, .. that an entire industry [legal torts], unique to the US, has arisen around such concepts that have absolutely no basis in common sense or any sane body of law. I, for one, hope that cooler heads prevail and do not pass such obscene laws. Lee -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Brian K. White wrote:

L. V. Lammert wrote:

...

At 03:12 PM 3/4/2009 -0500, Patrick Shanahan wrote:

...

Isn't it ridiculous that we have come to the point that you are the guilty party when you fail to protect yourself and/or your property from another's transgressions. You are guilty because you have availed someone the opportunity to commit a crime.

Agreed - it's a shame, really, .. that an entire industry [legal torts], unique to the US, has arisen around such concepts that have absolutely no basis in common sense or any sane body of law.

I, for one, hope that cooler heads prevail and do not pass such obscene laws.

Laugh. Although it was only an April fools day joke that one of our states passed a law redefining pi to simply 3, so many other things just about as dumb are dishearteningly real. Science news has been running a series in honor of Darwin recenlty and pointed out that teachers are still actually obligated by law in some places to basically lie and claim that the theory of biological evolution is no more supportable by fact/evidence/logic, than creationism. And the debate is actually still hot and the creationists may yet get more legislation of greater impact written into law than already exists.

There was a Nova on PBS recently, that covered the situation in Dover Pennsylvania. Apparently a couple of people tried to get the local school board to teach "intelligent design" (creationism) as science. Fortunately, after going to court, they lost. I also seem to recall some attempt in Kansas recently, to redefine science to include creationism. It's amazing that sort of nonsense still exists in this day & age. -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 2009-03-04 at 15:12 -0500, Patrick Shanahan wrote:

* Jim Henderson [03-04-09 14:36]:

...

On Wed, 04 Mar 2009 13:19:29 -0500, Greg Freemyer wrote:

...

If true, then every coffee shop, McDonalds, bookstore, hotel etc. would have liability for the activities of their wireless users. That just does not seem to be true, or they would not be offering wireless connections.

This actually varies from state to state. IANAL or a computer forensics expert, but I know here in Utah there have been laws proposed that would make the provider of open wireless systems liable for the actions of users. It's been a topic of discussion in Pete Ashdown's blog because his company (XMission) provides free Wifi at many locations throughout the city, and if the law passes, he's going to have to shut that service down because he can't afford to defend against potential suits that say he didn't do enough to protect kids from being able to surf to undesirable sites.

Because - as COPA has demonstrated so very well - you can never to *enough*. It just takes one person getting through to a site that wasn't properly blacklisted and you've got to defend yourself.

Isn't it ridiculous that we have come to the point that you are the guilty party when you fail to protect yourself and/or your property from another's transgressions. You are guilty because you have availed someone the opportunity to commit a crime.

Isn't this really just the absurd extension of suing someone because you were hurt while pulling a B&E on their property? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, Mar 4, 2009 at 5:17 PM, James Knott wrote:

Greg Freemyer wrote:

...

FYI: I'm aware of a situation where an apartment dweller had a wide open wireless.  His neighbor used it to hack into his home PC.  And then stored illicit images there.  When the police came, yes they first arrested the owner of the PC.  Further investigation showed he had nothing to with storing the images, so he was not convicted of child porn activity.

Greg

Perhaps not, but think of all the "fun" he had in the mean time.

Yes, but he actually had CP on his computer. Far, far more serious than his wireless was used to transfer CP. Greg -- Greg Freemyer Litigation Triage Solutions Specialist http://www.linkedin.com/in/gregfreemyer First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf The Norcross Group The Intersection of Evidence & Technology http://www.norcrossgroup.com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Vincent Arnoux wrote:

MAC address spoofing is much more difficult to perform.

???? Mac spoofing is very easy to do. -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Tue, 03 Mar 2009 18:21:46 -0800, Randall R Schulz wrote:

On Tuesday March 3 2009, James Knott wrote:

...

Vincent Arnoux wrote:

...

MAC address spoofing is much more difficult to perform.

????

Mac spoofing is very easy to do.

But if you try, Apple will come after you.

What a terrible example of paraprosdokian humour. ;-) Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Tue, 03 Mar 2009 18:39:34 -0800, Randall R Schulz wrote:

...

What a terrible example of paraprosdokian humour. ;-)

Hey, thanks for the vocabulary upgrade!

Certainly - I received that update about a week ago from a coworker who has a background in linguistics. :-) Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Thu, 2009-03-05 at 00:51 +0100, Amedee Van Gasse wrote:

Amedee Van Gasse (amedee.be) schreef:

...

On Mon, March 2, 2009 10:55, David C. Rankin wrote:

...

Listmates:

I had dropped WPA-tkip protection for WEP so my son and daughter could access the internet with their Nintendo DS game console. After doing so, I decided to poke around a bit to see how easy it was to break WEP encryption. To my utter dismay -- it was simple. True to the claims, it takes less than 60 seconds.

*snip*

I don't know about game consoles, but how about the following setup:

* wired and wireless network on separate subnet * wired network is routed to the internet * wireless network is not routed * OpenVPN server on the wifi router * OpenVPN client on the laptops * OpenVPN network is routed to the internet and to the wired network

This config is a bit paranoid, I know. But I can't imagine any script kiddie that would break a 2048-bit RSA/DSA key in less then the lifetime of the universe.

Did this one get to the list? There seemed to be a problem at my end.

I did get both original and repost Amedee. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org