Firewall Wizards mailing list archives

RE: Interlopers on the WLAN


From: "Frank O'Dwyer" <fod () brd ie>
Date: 06 Nov 2002 21:41:52 +0000

On Wed, 2002-11-06 at 20:54, Philip J. Koenig wrote:
[...]
> if a hacker hops on an insecure
> WLAN and causes damage to some other site by DoS'ing it for example,
> who's at fault - the commercial site that the hacker attacks, the
> operator of the insecure WLAN, or the hacker?  I say 1) the hacker

Me too. Why is there a need to blame anyone else?

> and to a lesser extent 2) the operator of the insecure WLAN.

Why? Firstly, you're assuming the WLAN is "insecure" simply 
because it lets anyone connect without asking who they are. 
Maybe that's what the owner and users of the WLAN want. His
network, his policy. If you don't like his policy, maybe 
you need to make sure your network isn't connected to his in
any way that matters to you. Maybe you need to put pressure
on the ISP to stop giving connectivity to such "insecure"
hosts. Or maybe yours is the insecure network that shouldn't
be connected - it's not at all obvious who is putting who at
risk here.

Regardless, someone's network is not insecure just because it
doesn't comply with *your* security policy. It may well be 
perfectly secure with respect to its own assets, security 
goals, and policy. 

> Certainly not the final victim of the attack.

Of course not. At least not until someone starts setting precedents
for holding people liable for running "insecure networks". Because 
the ultimate victim of an attack is also going to look bad under
that standard.

> In this particular
> case the WLAN was "used", not "damaged" per se.

Yes, but so what? Many other networks were also used. The victim's 
own network equipment was used. Requiring everyone to pull the 
plug for fear of lawsuits related to the actions of some script
kiddie is not only an unreasonable imposition on the law-abiding,
it doesn't even solve the problem.

I can't think of any reasonable definition of "operating an
insecure network" that doesn't apply first and foremost to the
target of any successful attack. OTOH, I can think of at least 
two reasonable definitions that *don't* necessarily apply to 
an open access point. 

> There are various attacks (i.e. DDoS attacks) that are next-to-
> impossible to mitigate simply by network security.

They won't be mitigated by holding private individuals liable 
either. In fact, the attacks you mention have so far been 
associated with the hijacking of *wired* hosts. If anything 
there's a better case for holding the owners of such hosts 
liable ("attractive nuisances" and all that), but that's still
a 'blame the victim' mentality. 

IMO the proper response is (a) to help people to secure their own
networks (and no, that does not mean shutting down open access 
points) and (b) prosecute hackers. Making criminals of the rest
of us is unjustifiable, ineffectual, and may even be 
counterproductive.

[...]
Cheers,
Frank.
