> Yes, the mechanism is different, but the basic problem of interfering with others' communication is the same.
The legal problem isn't the effect of interfering with others' communication, its the active intent to interfere with others' communication.
So, no, a noisy environment because lots of people set up WiFi hotspots with no intent to prevent use (even though it may prevent some uses) does not pose the same legal issue as an environment in which someone is intentionally actively denying people the use of WiFi hotspots by spoofing de-auth packets.
While I'm not a lawyer so I can't speak for how the law looks like, there is a clear difference in intent. The many users wifi interfering with eachother is not by intent, the de-auth packets is nothing but intent to interfere.
Also absolutely wrong. There is a complete difference between a noisy environment (lots of mobile hotspots / access points) and an environment with an active attacker (device sending out deliberate deauth signals). Try to understand the difference, it's the key to the case.
> The adversary has a limited ability to monitor short-range communication channels (Bluetooth, WiFi, etc).
That seems like a pretty big assumption. From what i understand there already exists deployment of wifi hot spots to track people (both for advertising purposes and for spying purposes) to the extent that phone providers started radomizing MAC addresses.
Because I'm not trying to defend what they did -- they were wrong and just trying to grab money.
I am saying that using deauth packets to prevent wifi from operating does not seem to be outright illegal and there are valid reasons to be able to do it. Considering basically every high end AP has the ability to target rogue APs and the FCC takes a dim view on people selling jammers, it seems like the context of the application of this determines whether you are jamming or not and not the use of deauth packets by itself.
>A busy public WiFi controlled by a hostile party is more likely to engage in port scans and other intrusive probes, so yes, this advice holds extra weight.
I mean if you define the party as hostile then yeah but that also all applies to a non-public network controlled by a hostile party but [Citation Needed] that this is something that people are likely to encounter in the wild. If were at all common it would be pretty noticeable because you'd notice any certificate shenanigans and it wouldn't take that long for a technical person to come along and notice any port scanning. That's before considering that OS's typically have a more aggressive firewall posture on public networks to begin with not making them particularly juicy targets.
>Brave browser does not implement this URL after a cursory examination.
Brave has to be a snowflake but it's just a restyling of the same settings page: brave://settings/security
>Google has also unquestionably had a caustic and corrosive impact upon privacy in a myriad of realms. They can and do receive subpoenas constantly, and the only way out of their databases is wiping all of their closed-source components from your devices.
Security != Privacy and those are frequently completely at odds. It's hard to argue that public wifi is anything but a privacy nightmare but from a purely technical security perspective, I must just shrug at public wifi now.
> Having a guest network also means you are not liable if someone misuses it
Wrong. Remember Dmitry Bogatov's case. Yes it was a Tor exit, not an open WiFi, but it doesn't matter. Even worse, there is now a law here in Russia that prohibits running WiFi access points that don't take technical or organizational measures to identify (e.g. get passport or phone number of) the person who is connecting.
The article is about side effects of wireless technologies ("if you make noise I can hear you"). It is not about the misappropriation of information stored in IT systems.
I don't see how anti-rogue AP tech can be legal either unless it is within the confounds of your own property. Where WiFi jamming is technically also legal if it does not affect any external party.
What gives you, company xyz, the right to essentially DoS an AP just because they share the SSID? Just because you call something CorpWiFi, doesn't really make it legal to DoS someone else's SSID that is also called CorpWiFi. There does not seem to be any kind of legal framework that would allow you do so, but inversely, you are essentially then not only committing multiple types of crimes, but you are also violating free speech.
I get the reason, but the solution really needs to be something else, even if that something else is some sort of change to the WIFI spec and inclusion of some kind of authentication or security layer.
> it feels creepy in a way that their regular internet behavior does not
And that is, of course, where people come to reasonable disagreement; it simply doesn't feel creepy to a lot of folk. I assume the difference in feel is whether one interprets "capturing unsecured wifi packets via wardriving" as akin to peeping-Tomming into every neighbor's house or akin to sailing along a coastline full of lighthouses broadcasting their beacons and writing down the strobe patterns.
That's a misnomer. It doesn't actually make it hidden, only transmit beacons with a blank ssid. That's why even if your network is hidden, it will show a "hidden network" option for you to manually enter the SSID[1]. Moreover, client devices that have hidden networks saved will send out probe packets with network names it has saved[2], so it can determine whether the hidden network is actually around. This is actually worse for privacy, especially if your network name is vaguely unique, because you're broadcasting this high entropy information everywhere you go.
>That's not how WiFi works. They cannot know for a fact that these WiFi hotspots are within the convention space, they could and likely are, blocking WiFi located outside of that space.
To play devil's advocate, some APs support rogue triangulation. Ours plot any rogues on a building map so we know exactly where they are. When combined with a proper wireless survey, you could ensure that they don't deauth anything beyond the building perimeter. Not that I recommend that, since at the very least someone should be able to tether their phone if they want. But also because it puts additional overhead on your APs, which are usually already taxed in high-usage areas.
> your home wifi threat actor is your neighbors kid playing with aircrack.
When working for an ISP it came up quite a few times that customers had extensive questions about security because they were genuinely worried about their ex-spouse spying on them. Even if they were all just "paranoid" in their specific cases (I wouldn't know), I think it's a fair concern. If all it takes is some googling and a bit of money to rent cloud GPU's, well, scorned lovers have done way more expensive and less effective things to cause damage or violate privacy.
> Your data can be eavesdropped or modified by someone in the middle. This would be quite rare within a LAN
Literally every single public wifi network, which is a significant percentage of all internet traffic (including basically everyone working from a wework for example), is vulnerable to eavesdropping/mitm
From the article:
"ESP based deauthers, to name one, always existed. Don’t yell at us “OMG they’re deauthing all over the city!!!”. Despite this stuff always existing, nobody bothered updating to technologies that work better and are more secure. That is the people you should be yelling at."
I'm not saying you're wrong, or that they're right. However, it seems to me that there has to be a middle ground between draconian signed blobs (which I'm not convinced will solve much for long, either) and the silliness that is the current state of things. Deauths have been used in so many wifi cracking schemes over the years and the fact we still don't seem to care about them (or treat them as harmful interference and blame the device) is getting silly.
The legal problem isn't the effect of interfering with others' communication, its the active intent to interfere with others' communication.
So, no, a noisy environment because lots of people set up WiFi hotspots with no intent to prevent use (even though it may prevent some uses) does not pose the same legal issue as an environment in which someone is intentionally actively denying people the use of WiFi hotspots by spoofing de-auth packets.
reply