Posted on 10/03/2004 9:36:46 AM PDT by gitmo
SNIP
At some point in their wardriving experience, Timmins and Botbyl came upon a Lowe's hardware store with an open wireless network. Timmins later admitted to Kevin Poulsen of Security Focus that what he did next was technically illegal: he used the Lowe's network to check his e-mail. When he realized it was Lowe's private network, however, he says, he disconnected.
That in itself might have been the end of the story. However, Lowe's became aware of the breach and contacted the FBI, who, after its investigation, charged Timmins with one count of unauthorized computer access. And that by itself would have been a significant story: Timmins's plea has been reported as the first instance of a wardriving conviction. I think the claim is an exaggeration, however. The charge would have been the same had he used a wired connection.
SNIP
(Excerpt) Read more at reviews-zdnet.com.com ...
According to this article, Lowes left their network unprotected for years after the first incident. Why aren't stockholders jumping down their throats?? They estimated their losses in excess of $2.5 million, and customers' credit information was available to the world. They never even enabled WEP on their routers. This is a trivial task and gives protection against the casual intruders.
If I was their insurance carrier, I'd be jacking up their premiums.
I think a Sarbanes-Oxley audit will put some Lowes folks in prison.
I don't know the specifics of this case. However this is a bad law. Dvorak has written about it. If I'm sitting in a cafe in a city I'm visiting and see a network available I tend to use it to check my email. In this day of public hotspots everywhere one assumes that a wide open network is being provided for customers in the area. However technically I am a felon under the law, if I've picked up some Joe's home wireless.
The law is an ass in this case.
Obviously other laws cover people stealing credit cards already. Or maliciously invading computer systems.
The article contains an invalid link that reportedly discusses the law ... he summarizes it as "(Synopsis: You can look, but don't touch other people's networks.)".
I don't know if this would apply to using an open network to surf the web or send/receive email from your personal account. I agree with you. I've hit hotspots, both public and careless ones. I did wander into the network of a Fortune 500 company's corporate office, but I wasn't interested in sticking around once I realized where I was.
Read the link, they deserve to go to jail.
Oh, I agree. But Lowes is being incredibly irresponsible with stockholder assets. If they can rack up millions of dollars in losses because they won't spend a few hours encrypting their LANs, they should be liable to the owners of the company. The first intrusion mentioned in the article occurred long before the damage was done. They saw it and didn't even bother to turn WEP on. This is comparable to leaving the doors of the store unlocked as a matter of policy.
This is a bad law. Its motivation is at least partly to enhance the profit opportunities of phone companies, vendors of DSL.
If it was just surfing the web or checking email, I'd agree.
I think where these guys went wrong was that one of them went back to Lowes and started surfing Lowe's internal network and logged into a few different stores and started checking out some Lowes IT applications. That's a whole different beast than piggybacking on their internet connection.
I think the law worked correctly in this case.
I'm not sure I agree. Unless you are mooching off your neighbors' networks, it's not going to motivate you to purchase more DSL.
Where folks tap into networks is away from home ... in hotels, in cafes, etc. Public hotspots ENCOURAGE DSL proliferation, they don't DISCOURAGE it.
Err, well, it goes a bit beyond unauthorized checking of one's email ;)
But here's where the story gets interesting. Several months later, Botbyl returned to the Southfield, Michigan, Lowe's with a new friend, Brian Salcedo, now 21. Salcedo, it turned out, was in the final weeks of a three-year probation for an earlier computer crime.
Knowing the Lowe's wireless corporate network was exposed, the pair gained access on October 25, 2003. This time, they routed through the company's North Carolina headquarters, then out to the satellite stores nationwide. Log files show they connected to several stores located in California, as well as Florida, South Dakota, Kentucky, North Carolina, and Kansas.
While inside the Lowe's system, they found a custom app, Tcpcredit, which Lowe's uses to process credit card purchases. On November 5, 2003, from the parking lot of the Lowe's in Southfield, Michigan, the pair attempted to load an unspecified malicious program on several computers in a Long Beach, California, store. It might have been an early attempt to capture credit card transactions, but the app crashed several point-of-sale machines at the store.
If Lowes wanted to attract customers, it would create a free hotspot in a cafe on premises.
They didn't just check out Lowes' apps, they introduced a trojan that logged credit card transactions so they could download them later. In the process, they crippled some of the Point of Sale registers in California.
So it was more than just perusing the systems. They were modifying systems and stealing credit card data.
I think we agree and see the same facts. I have a problem with criminalizing casual, nonmalicious access to an open wireless network.
Making casual, nonmalicious access a crime is almost like trying to charge people for the smell that wafts out of a pizzeria.
No, it is the same as leaving a standard phone sitting in the parking lot after hours and the user made a local call to check his voice mail. There was nothing to indicate that the user was not supposed to use the network for a quick email check. A wide-open wireless network is known as a hot spot - several businesses have them. How was this guy to know that it was not a purposely open wireless internet connection?
I've done this very thing using any nearby open network. Was I breaking the law?
Now, if he'd done anything to crack into a less-protected, but protected nonetheless, network - that would be a different story.
>>The law is an ass in this case.
As is any prosecutor who would use the law to prosecute a case, given there is the existence of prosecutorial discretion.
On a NY trip early this year, there was an open wireless connection available from my hotel room with the SSID "surf_here". I did. The idea that I could be prosecuted for using that connection is just absurd, but I suppose that it is possible.
Nice analogy. And many businesses are using public hotspots as a means of attracting customers. How is the casual user to know if he's on a legal or an illegal hotspot?
I would like to understand the law better. I suspect it is not as harsh as it sounds. The "look don't touch" could possibly mean you can't muck with the owners' network, data, and apps but you can use their bandwidth to surf the web. The link in the article is a dead link. ZDNet does that a lot.
I think you're wrong. The assets of the company were available to anyone to walk off with. Customers' credit card information was available for the taking. And anyone could easily cripple their network. The company was negligent. I think stockholders of Lowes should demand some heads.
If a company has a hotspot that doesn't endanger their assets, that is fine. In many cases it is a public service, used to attract customers to their location. Starbucks is doing this, as are many hotels. It is a fringe benefit provided by the company.
I hope that law distinguishes between these. Actually, I think the law is unnecessary. There are already laws against 'hacking', either changing the company's systems or stealing information from them. This law simply distinguishes based on how the perp got into the system.