[LINK] Google's WiFi bungle

Craig Sanders cas at taz.net.au
Wed May 19 22:50:33 AEST 2010 

On Wed, May 19, 2010 at 08:39:50PM +1000, Richard Chirgwin wrote:
> [ blah blah blah Broadcasting Act, ACMA, blah blah blah ]
> 
> As far as the Broadcasting Act and ACMA regulations are concerned, a 
> WiFi base station is not a broadcast transmitter.

please stop trying to confuse the issue even further by bringing in yet
more irrelevant stuff.

> > given that there are both "open" and "closed" networks operating on
> > the same wifi spectra and all interfering with each other to varying
> > degrees, it's unreasonable to assume that there's any privacy at
> > all when using wifi devices and it's more than unreasonable to
> > criminalise anyone listening to what is being broadcast.
>
> In other words, "I can receive this, therefore I have the right to
> receive it, and I have no obligation to respect the privacy of the
> base station."

the base station HAS no privacy.  it's a machine, not a person.

if the people using the base station want to keep their use of it
private, then they should perform the quite trivial configuration steps
necessary to enable encryption and access control. they should do this
for EXACTLY the same reasons that people who don't want others listening
to their voice conversations should refrain from conducting them via
megaphone in a public square. which are pretty much the same reasons as
why it's a bad idea to discuss your private secrets in a crowded bar
with hundreds of potential eavesdroppers (use an unusual language or
code if you really must do that).

the onus is on those who want some form of privacy in a public space to
take whatever steps are necessary to achieve the level of privacy they
want - and NOT on those who happen to also be using that public space
for other purposes.

similarly, if i walk around on a public street (or even in my house or
yard if i'm easily visible from the street or public place) it doesn't
matter in the slightest what my OPINION of the matter is, the FACT is
that i have no reasonable expectation of privacy wrt people observing or
even photographing the incident.

opinions aren't worth anything.  facts are.


and yes, broadcasting data on an unsecured wireless network is a
PUBLIC event, not private. that's a fact. no opinion, no belief, no
expectation, no wish, and no law can change that....the ONLY things
these can do is delude you into having a false sense of security/privacy
(and believing you are in private when you are, in fact, NOT is far
worse than simply knowing that you are not)



> > wifi is not a point to point link (even wifi connections set
> > up for that purpose aren't actually point-to-point), it's an
> > omnidirectional broadcast accessible by anyone within range.
> >
> > criminalising that would make it illegal to even scan for "open"
> > networks that you are allowed to use...
>
> Nobody said "criminalise authorised access". Unauthorised access,
> however, is already criminalised, which is the main reason Google is
> pleading accident. It has nothing to do with what actually happened;
> Google is merely trying to minimise its criminal jeopardy, because
> it's in a Jesus-load of trouble.

you miss my point. which was that in order to scan for and use open
networks (which you are, by definition, authorised to access) it is
INEVITABLE and UNAVOIDABLE that you will also detect traffic (including
any unencrypted traffic) from "closed" networks which you are not
authorised to use.

this is not a bug, or an underhanded loophole, it is part of physical
reality - it's inherent to the nature of wireless broadcasting. anyone
within range with compatible equipment can receive whatever you
broadcast.



> > because it's physically impossible to scan for those without ALSO
> > detecting any "closed" networks that are in range.
>
> Nobody said detecting the existence of a network was the same as      
> sniffing packets traversing the network.                              

how exactly do you imagine that scanning for wireless networks actually
works?

it will probably surprise you to learn that the process *IS* packet
sniffing.

a packet is still a packet whether it contains an ssid beacon or 
user data or encapsulates another packet.


> One is, as you note, intrinsic to WiFi. The other is a criminal act.  

actually, packet sniffing is not a criminal act.

there are particular circumstances where it can illegal be but there are
also circumstances where it isn't (and if i had to hazard a guess, i'd
say that the latter FAR outnumber the former).

as has been said before, it's not as simple and B&W as you'd like.

> It's really not that hard to tell the difference between saying
> "There's a network called Kent Street, but I want George Street", and
> logging into George Street; compared, on the other hand, to saying
> "Look! Kent Street is unsecured. That means they must *want* us to
> sniff their packets".

OTOH, it's not at all uncommon (or illegal) to say "look, there's a
George St network and a Kent St network and Kent St is configured to be
open access...i'll use that".

there are MANY wifi networks(*) that are deliberately set up like that
as a public service to provide free data services to anyone in the
neighbourhood. there is no way to distinguish between a network left
open deliberately and one left open through incompetence or ignorance.



(*) including the one i run from my own home. for the most part, it
allows unrestricted access to my debian and linux kernel mirrors. it's
also configured to proxy requests for windows security updates (incl.
several common anti-virus tools), even though i don't use windows at
all. i consider it to be a worthwhile public service to enable windows
users to keep their AV scanners up to date so that they are (slightly)
less of a menace on the public internet(**).

the access point primarily exists for my own use so i can wander around
the house with a laptop (and eventually i'll get a smartphone or tablet
- i'm looking out for good linux or android devices), and also down to
the creek and park if i so choose. but i don't mind if other people get
some use out of it.

when i use it, i'm aware that i'm broadcasting to the public and use
appropriate encryption - e.g. ssh to read my mail via mutt, https to
access private sections of my web server....same as i do when connecting
to my own servers from anywhere else on the internet.


(**) btw, i think anyone who trusts security updates received
via some semi-anonymous guy running a wifi access point is a bit
foolish...although the fact that most such updates are cryptographically
signed mitigates that somewhat.


> >> The equivalent of bouncing an infrared beam off house windows to
> >> eavesdrop conversations inside.
> >
> > absolutely not!
> >
> > passively receiving something that is being broadcast is VERY
> > different to actively snooping.
>
> Google *was* actively snooping. Its software sought and captured not
> just the SSIDs and MAC addresses, but payload data.

yawn.

please at least TRY to understand the technology before voicing your
opinions.

> Its PRs and legal counsel claim accident. But that speaks to the
> intent of the activity, not its nature.

whatever any "side" said became instantly worthless once PR and legal
people and media and politicians became involved. now it's all just
worthless spin. spin on google's side as damage control, and spin on
the political side from whoever thinks they can boost their popularity
temporarily by riding this "hot issue". and spin on the media side for
pretty much the same reason as politicians, but with a more immediately
moneygrubbing motive.

if you're in the habit of basing your opinions on what spin-doctors say
then you've got far bigger problems to sort out than this.

craig

PS: cracking encryption on sniffed packets isn't illegal either.
although it may be evidence of nefarious - or even illegal - intent.


-- 
craig sanders <cas at taz.net.au>

More information about the Link mailing list