Having done my share of Web browsing in various Starbucks Coffee shops, I found this item in Jeff Hayes’ Security Blog as sobering as a double shot of espresso. It’s about a guy who was slapped with a fine for doing something most of us have done before — using a cafe wireless hot spot.
He wasn’t using it to tamper with the cafe’s Internet security or hack into the laptops of cafe customers. But in the cafe manager’s mind, he was guilty of freeloading.
Hayes writes about how on March 27, Sam Peterson II was sitting in front of the Re-Union Street Cafe in Sparta, Mich., surfing the Web from his new laptop.
“He had done this on multiple occasions,” Hayes wrote. “However, on this day, the cafe proprietor approached him and asked him where he was getting his Internet access. Sam replied, ‘The cafe.’”
It turns out Peterson was breaking a 1979 Michigan felony law (amended in 2000) designed to protect Internet and private-network users from hackers. “He was given two choices: He could try to fight the felony charge and face a sentence of up to 5 years in jail or a $10,000 fine; or he could enroll in the diversion program, which would require paying a $400 fine, doing 40 hours of community service and staying on probation for six months,” Hayes wrote. “He chose the latter.”
The Re-Union Street Cafe offers customers online access with the understanding that they’ll hang out and buy another cup of coffee or another muffin. Peterson hadn’t purchased anything, so in the eyes of the law he was guilty of stealing Internet access.
As Hayes points out, the guy wasn’t hacking. He was simply doing something many have done from time to time — latching onto an open and unprotected hot spot without giving it a second thought.
Hayes believes the cafe is partly at fault here. After all, he wrote, it didn’t take reasonable precautions to safeguard its wireless network.
“For many, Internet access is free,” he said. “Consider towns which are promoting free Wi-Fi. Ignorance of the law is no excuse. And you can bet Sam knew he was ‘stealing’ Internet access. I am not excusing Sam nor myself. But I would like to ask any business offering Wi-Fi to its employees and customers to figure out a way to secure it. It is not like it is overly costly or complicated to do so.”
Thor returns, but did he ever leave?
A few years ago, one of my frequent sources was Thor Larholm, at the time a senior security researcher with PivX. But all of a sudden, he became hard to track down, and then he disappeared. But this week I found him as I was writing about all the researchers who were gleefully picking apart Safari for Windows in search of bugs. My reporting led me to the blog of Larholm, who was among the Safari flaw seekers.
On the blog he describes himself as “a pretty ordinary guy from a small town in Denmark who enjoys hacking, web application development, founding businesses, playing soccer and traveling.” Nothing about PivX or any other security vendor.
And so if Thor is reading this, I’m interested in a catch-up interview if he is.
Bot roast, anyone?
Wednesday, my colleague Dennis Fisher blogged about the FBI’s Operation Bot Roast, in which investigators managed to identify more than a million machines on the Internet that are 0wned by at least one bot. It turns out that alleged spammer Robert Alan Soloway, whom the FBI arrested recently, was taken down as part of this same operation.
So far, reaction throughout the security blogosphere appears mostly positive. Here’s what chamuco from the Offensive Computing blog had to say:
“The FBI and our friends at CMU’s CERT, in a display of impressive bureaucratic maneuvering and ninja-like paperwork prowess, have taken down a large botnet. This is really good news as it will hopefully set a precedent to enable further and swifter action on other malware writers. Good work to all those involved.”
In the Fraud, Phishing and Financial Misdeeds blog, Ed Dickson wrote that Operation Bot Roast is like “chicken soup for the soul” for those who have fallen victim to the bot herders.
“Botnets are a primary cause for the ever increasing levels of spam,” he wrote. “Botnets are infected computers that their masters turn into zombies, spewing out spam emails by the millions. These bot herders cause a lot of us a whole lot of grief.”
They hate the Spy Act, Part 2
Last week I mentioned that a lot of security bloggers were reacting negatively to the Spy Act bill working its way through Congress. Software makers and online advertisers would face stiff requirements under the bill, which would require software distributors to clearly notify and obtain consent from consumers before programs can be loaded onto a computer. Those who oppose it say the legislation would penalize companies who distribute legitimate software and Web sites.
I’ve found that the bad reaction continues.
The Boing Boing blog is not a security site, but a self-described “directory of wonderful things.” But the blog does touch upon information security from time to time, and this week its verdict on the Spy Act is anything but wonderful.
Cory Doctorow wrote:
“This has already passed the House, but EFF (Electronic Frontier Foundation) has an action alert for writing to your Senator to stop this before it becomes law. The SPY Act, a new anti-spyware law, makes it impossible for consumer rights groups to sue DRM companies for putting spyware in their DRM (like Sony did last year, with its rootkit DRM). The irony is that spyware is already illegal, so all that this act does is immunize big media companies that sneak spyware onto your computer.”
He added the EFF’s description of the bill:
“The SPY Act is supposed to help stop spyware, deceptive adware, and other malicious software, but it is unlikely to do any good and could actually make things worse. If enacted, it would block lawsuits similar to the one EFF brought against Sony-BMG for infecting customers’ computers with privacy-invasive copy protection. Don’t let badware makers off the hook — tell Congress to go back to the drawing board and draft a more sensible law. Both the Federal Trade Commission and Department of Justice have said that they already have the authority they need to go after badware vendors, and this bill doesn’t add any funds or significant tools for federal enforcement.”
This bill is increasingly being dismissed as a turkey in the court of public opinion.
Making sense of the latest Microsoft patches
I end this week with a suggestion that you listen to the interview my colleague Rob Westervelt did with Shavlik Technologies’ Eric Schultze regarding the patches Microsoft released Tuesday. The podcast, which can be downloaded from the Security Wire Weekly blog, outlines which flaws IT administrators should patch with the greatest urgency.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.