I'm trying to avoid sounding like Chicken Little here, but this article makes these actions very accessible. If you're someone who is just getting started toying with networks and security, it's likely that you haven't thought through what can happen if something you try actually works.
Nmap has a great page that discusses the ins-and-outs of the civil and legal issues involved with port scanning (a related activity). However, keep in mind that the guide linked here goes well beyond port scanning into actually attempting, and presumably, gaining access to someone else's network. While the legality of port scanning is ambiguous, accessing someone else's network is not. If you land on the wrong guy's lawn, you can end up in a very expensive, and potentially dangerous place.
Legal and IMO worthy of much praise.
Laws are exciting and important (especially good ones like Newton's laws of motion), but laws could improve too: If someone gets caught doing this they probably ought to do community service working on some bug bounty program instead of going to jail.
True, you're less likely to actually be convicted, but the months/years waiting for trial is guaranteed to be worse than your actual sentence elsewhere, if not fatal.
If you think LLE or even the FBI is going to open the diplomatic channels necessary to pursue someone in Nigeria over access to a consumer-grade router, you're kidding yourself. For all practical purposes, these laws do not in fact apply there.
There are very few places outside the reach of US law enforcement. Especially if they bother to get Interpol involved.
Orders of magnitude more likely to find an open WiFi in a bank's parking lot than you are to find a WAN-facing consumer-grade router. Any employee in the company could screw up the former ("I didn't get good wifi so I brought in a router from home!"). The latter requires grossly incompetent netsec.
Yup. Luckily, when I tried something similar, I was very much a minor, so the only consequence was that our ISP banned our previous account and required us to sign up for a new one.
I am reminded of Steve Kemp's 2014 post »Secure your rsync shares, please«, relating how he abandoned a project employing zmap upon discovering numerous openly accessible rsync shares containing sensitive information. His closing remarks echo the sentiment of the article under discussion here: "I considered not posting this, but I suspect 'bad people' already know..." What can be done? Are we reduced to just securing our friends' and families' infrastructure, all the while standing by idly while others outside of our direct sphere of influence suffer the consequences?
This kind of "change through widespread knowledge of exploitation" strategy saw some success in changing the default encryption schemes of WiFi routers. So, we're already kind of in the same area.
No. We can write articles similar to this one which, instead of clearly explaining step-by-step procedures for exploiting weaknesses, clearly explain step-by-step procedures for REPAIRING weaknesses.
There's a reason things like the Geek Squad are around and can charge as much as they do...
But the truth is, replacing a cylinder in a car is so much harder than reading and following these instructions, and even if you don't understand either task the car cylinder task takes longer, requires more tools, makes a mess, etc.
An average person who has no intuition for passwords could just turn their router off when they aren't using it.
The variance in technical ability of the 'average person' nowadays is pretty wide. There are still pop-up clicking grandmothers on IE7 out there, but there are also plenty of baby-boomers with the ability to set the clock on their VCRs, which is a much more fair analogy to the task of router configuration.
I think the important thing is getting the message out that such configuration is much more important than having the clock on your VCR right, which is probably how important the average person thinks router configuration is. As you said in another comment, routers are effectively shipping to average people broken. I think if this were more commonly known, people would take the time to learn and configure their networks. Not ALL people, but more average people than do today. The real problem is not that people are not technically capable of doing the task, but they do not know that it is a task that is really necessary; it's not common knowledge that a brand new router is a security risk.
You could also try scaring people about the end of the Internet, their money stolen and their pets kidnapped if they don't secure their router, but that would still be education.
Perhaps a mod can update the URL.
I wonder how many botnets use this technique instead of randomly scanning, whether it's their own implementation/database or using a service such as this. Also an interesting business model, "I've got the addresses of 10,000 XYZ routers, model 1234, for $50.00"
If you take over a single router, a provider does indeed have logs of both the inbound you used to reach the router, and the outbound traffic you create from it. Simple timing logging will show it's you, and if it's "their" router, they'll (at least theoretically) be able to decrypt your traffic too. (And that's assuming it wasn't a great big tasty honey-pot to begin with, pooh-bear)
If you must do this, bounce between a few... and if you must do this, just use tor already.
> those are so voluminous that they probably aren't kept long.
1. I have a right to read or write public information in an anonymous way.
2. I have a right to prevent you from reading or writing MY private information in an anonymous way, even if the intent is to obtain the right to exercise #1 in the process.
3. Using someone else's infrastructure/compute/power to enable #1 without breaking #2 requires you pay for it. I would also propose my private information is available at a price.
Expecting the right to anonymity by removing the rights of others in the process places an individual in cognitive dissonance. It's not a good place to be.
With the advent of cryptocurrencies, we're finally in a place someone can pay me to use a portion of my infrastructure for enabling their anonymity. I'm willing to contribute to the cause as long as it's worth my while.
Your infrastructure will immediately be used to download or upload child pornography. If you're exceptionally unlucky, the FBI will come knocking and, if you're unable to provide them with a useful honeypot, you may risk legal consequences. If you're unable to prove your innocence (the request for the CP did come from your IP address, after all) then you may be very screwed.
I invite the community to toss around ideas about how to protect against this. I hypothesize that it's an unsolvable problem: if you enable strong anonymity, that anonymity will immediately be used for child porn.
One way to combat this would be to have some kind of credentialing, where you are able to generate credentials for the anonymous party to use. Assuming your infrastructure is set up as a Tor hidden service, then it's possible for them to use your infrastructure anonymously, and then you can revoke the credentials for individual violators.
However, under that scheme, your IP address(es) are shared by every user. 4chan will immediately ban all of them as soon as it becomes clear you're a proxy, for example.
It may still be worth exploring, but it needs some thought. Tor itself still doesn't have "endpoint bridges," that is, endpoints which aren't publicly listed. Meaning it's very easy to ban all of Tor, as far as I know.
I'm not sure if you would count this as a solution, but, conceivably you could "enable anonymity" at very low bandwidth ... say ... the equivalent of 9600 baud ?
This is fast enough for speech. It is not fast enough for any kind of multimedia that would be acceptable in 2014 and beyond. It might be a barrier that would cause all bad guys to use other networks, but still allow the kind of "freedom" that we're all convinced twitter gives us (and so on).
What a fantastic idea. This seems worth pursuing. It should be possible to configure a modern browser to work with low bandwidth: HTML/CSS/JS would load, but images and other media wouldn't. Is there any reason why HN, Reddit, Twitter, webmail, and other services like IRC wouldn't be usable under those conditions?
It seems like people might be much more willing to rent out their infrastructure to anonymous parties strictly for those purposes.
Also, you don't really need to configure a browser - just use lynx, which will ignore most of the bandwidth hungry aspects of a site.
The text on the current top story (the Wright Brothers article) is about 11kbytes. That doesn't include any html or css or anything else. That would make a page load at over ten seconds just for the text.
The point isn't that it cannot be done, but that people would not tolerate it unless they had a real need.
Here's the issue. Return presumption of innocence back and problem's solved.
Obviously, that's impossible in a real world.
> credentials for the anonymous party to use
That wouldn't be anonymous anymore. And there's no way to realistically force a single human to have only one credential - if one's banned they'll just generate a new one.
If an authority were to come to you and demand you cooperate in determining my identity, then there would be no way for you to oblige, except by providing them with a log of the VPN activity, or allowing them to set up a pen trap to log the VPN activity. At that point, the privacy is still as strong as the Tor network, so both Tor and this extra layer would have to fall in order to be unmasked.
(In practice, it's more complicated than that: your infrastructure would be a fixed endpoint, meaning that if it's compromised then an adversary would gain a log of your activity. That would provide an overall picture of what you're up to on the internet. Tor rotates endpoints, making it hard to piece together that info. So in practice a user should want your service to be something like a middleman between two different anonymity services. But that's outside the scope of this comment for now.)
This becomes a pretty attractive idea, because it's not necessarily a great idea to assume that Tor should be the world's one realistic defense. Since Snowden used Tor, you can be absolutely certain that various powers are going to take a keen interest in penetrating Tor. They may use dirty tricks to do it, such as joining the Tor project as an apparently-trustworthy developer.
Extra layers of defense such as the one outlined above may be worth pursuing.
Am I the only one to whom this sounds absolutely crazy? How can I trust you if I don't know who you are? (I mean the general you, not you personally, devconsole.)
Your comments could have been deliberately sanitized -- perhaps you have trolling accounts elsewhere that you are exceptionally good at keeping separate from this one, and spend time making this one look good. One could be posing as a mild-mannered Python developer here on HN, but be spending one's evenings being Super-Mallory the Malicious, trolling and trading illegal information.
I really want to be able to support things like mesh networks and Tor, but the very risk the GP noted (people will use your resources for Bad Things, and good luck defending from the feds) prevents me from being willing to do so. There's no way I would trust you or someone else that I don't personally know enough to use my resources, unless I were somehow able to keep meticulous logs which exonerate me from any activity they do. (And, I don't trust that such logs would even do that...)
Saying that you should be able to trust a stranger is like saying that you should be able to run a courier service for strangers where you have no idea whether they are transporting drugs or counterfeit money.
Well, cryptographers have invented a fancy thing called "ring signatures" that allows one to check whether a signature belongs to someone in a group, but doesn't allow one to determine who exactly that was. So, technically, it's entirely possible to remain anonymous (as far as belonging to a group does not break your anonymity) and be trusted at the same time.
But, unfortunately, I don't think F2F mesh networks would prosper anytime soon.
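As an added illustration of the group-membership property described in the comment above (this code is not from the thread or from any library it mentions), here is a toy AOS-style Schnorr ring signature: one member signs with their private key, the other members' public keys are merely listed, and a verifier learns only that some member of the ring signed. The group parameters (the Mersenne prime 2^127 - 1 with base 3) are constructed for the demo and are not a secure choice.

```python
import hashlib
import secrets

# Toy parameters, constructed for this demo only: the multiplicative group
# mod the Mersenne prime 2^127 - 1 with base 3. Exponents are reduced mod
# P - 1, which every element's order divides, so the algebra closes.
P = 2**127 - 1
ORDER = P - 1
G = 3

def keygen():
    """Return (private, public) = (x, g^x mod p)."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)

def _challenge(msg, ring, point):
    """Hash the message, the whole ring and a group element to an exponent."""
    h = hashlib.sha256(msg)
    for y in ring:
        h.update(y.to_bytes(16, "big"))
    h.update(point.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % ORDER

def ring_sign(msg, ring, signer_index, x):
    """Sign with ring[signer_index]'s key x; other members need not consent."""
    n = len(ring)
    e = [0] * n
    r = [0] * n
    a = secrets.randbelow(ORDER - 1) + 1
    # Start the hash chain just after the signer with a fresh commitment g^a.
    e[(signer_index + 1) % n] = _challenge(msg, ring, pow(G, a, P))
    # Walk the ring once, simulating every other member with a random response.
    for k in range(1, n):
        i = (signer_index + k) % n
        r[i] = secrets.randbelow(ORDER)
        point = pow(G, r[i], P) * pow(ring[i], e[i], P) % P
        e[(i + 1) % n] = _challenge(msg, ring, point)
    # Close the ring: pick r_s so that g^r_s * y_s^e_s equals the commitment g^a.
    r[signer_index] = (a - x * e[signer_index]) % ORDER
    return e[0], r

def ring_verify(msg, ring, sig):
    """Accept iff the hash chain closes; the signer's position is not revealed."""
    e0, r = sig
    if len(r) != len(ring):
        return False
    e = e0
    for i, y in enumerate(ring):
        e = _challenge(msg, ring, pow(G, r[i], P) * pow(y, e, P) % P)
    return e == e0
```

The verifier's loop treats every position identically, which is exactly why it cannot tell which index held the real private key.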
What a piece of legislation says and what is actually "law" is often not the same, as the courts can interpret it however they want.
But yes, we should think of the children, 9/11, etc.
My concerns are:
As for anonymity: Internet protocols require addressing - without an address to send packets back to, you can only communicate unidirectionally - sending information but not receiving any. Is being identified by an address still considered "anonymous"?
As for prevention: I'm not sure why we need any sort of law to do so. Is there any case - except for law enforcement situations - where one's prevented from disclosing their private information?
Also, writing "requires you pay for it" may have bad consequences. For example, in Russia we had a copyright law that said a quite similar thing - a statement that any software license must explicitly define the payment process (or explicitly declare the rights being provided free of charge) - and this led to an issue with the perceived legality of some FLOSS licenses that don't say anything about it. To my knowledge, this had never been examined in a court and has been fixed in the laws since then, but I hope you see the point.
Yes - default WiFi passwords for a big chunk of the routers in Europe are pretty easy to calculate.
I'm still amazed by how many people drive around leaving their cars unlocked.
(IANAL, it looks like a court is not likely to find you liable, but you're still exposing yourself to the hassle of a lawsuit.)
Your network and your car can/will be used by bad guys to do bad things.
You should care.
I don't think that locking your car while it is parked or not leaving your keys in it while it is unattended is too much to ask.
This is not necessarily an argument against tools like Tor, but it's a tradeoff that I think many Tor supporters are too willing to ignore.
Your argument is about as lazy as it is old. The only possible solutions are to make all criminals go extinct (good luck), or to take tons of important tools away from the public, because get this, criminals might use them! How terrible.
The problem with this line of reasoning is that it covers such a small number of people. The only people your argument covers are serious criminals who a) are too stupid to be able to download a simple tool to exploit routers with unpatched vulnerabilities from last year and yet b) are still competent enough to use Tor without doing anything that would reveal their identity.
And that also excludes the most serious criminals because the set of people who can break into the computers of large organizations to commit crimes is essentially a superset of the set of people who can break into an unpatched consumer-level router.