Unsecured wifi might be contributory negligence

Ian Batten igb at batten.eu.org
Sat Feb 18 07:10:35 GMT 2012


On 18 Feb 2012, at 02:20, Tom Thomson wrote:
>  For example Telefonica (in Spain) supplies a router manufactured by Thomson (the French company, nothing to do with me) from which Thomson's firmware (which supports both WPA and WPA2 in PSK mode) ripped out and Telefonica (or Movistar - not sure which) firmware added that cannot be configured to use WPA or WPA2. I imagine there will be UK ISPs that have done the same silly thing (I haven't had the misfortune to discover one yet - it's been something I've checked for ISPs I've considered using since I've switched to wireless from wired  access in 2005, but I've considered only a very small proportion of UK ISPs so that's no indication that they are all sensible).
> I wonder what the liability of a subscriber caught in that silliness would be if the law changed to create a duty to protect against IP infringement.

Most Eurocylinder locks are susceptible to at least one of bumping and snapping, and many of them both; if your house is secured with them, as most modern ones are, then there is a strong chance that a prospective intruder can open the doors irrespective of the number of rack bolts and so on that you have.   Bumping is a problem if you have a "signs of forced entry" clause in your insurance, because it doesn't leave any, while lock snapping does at least leave a large footprint.   But no insurance company --- whose ability to say "sorry, we're not paying" without challenge is a great deal larger than a court's ability to make up law --- has attempted to claim that your insurance is invalid unless you have replaced all of your locks with bump and snap-resistant cylinders. So even though the locks (read encryption) is not as strong as it was intended to be, it's still regarded as sufficient to show you have taken reasonable precautions.

It would be manifestly unreasonable to argue that encryption marketed as sufficient in fact wasn't and a random customer should have known that, and such a claim wouldn't survive in court.  One might as well argue that people are responsible for the poor qualify of the RNG in their key-generation process even though they were using WPA2 (I used a hardware RNG to generate the keys from home, but should it have had a CESG Claims Tested mark?  Should I seek EAL4+ for my home wireless base station?)

ian




More information about the ukcrypto mailing list