STE WILLIAMS

Dutch Courts Rule WiFi Network Hacking Is Not a Crime

A Dutch court has ruled that hacking into Wi-Fi connections is not a crime providing any connected computers remain untouched. However Wi-Fi freeloaders would still lay themselves open to civil proceedings.

The unusual ruling came in the case of a student who threatened a shooting rampage against staff at students at Maerlant College in The Hague. The threat was posted on 4chan, the notoriously anarchic internet image board, after the student broke into a secure Wi-Fi connection. The unnamed student was caught and convicted of posting the message but acquitted on the hacking charge.

The miscreant was sentenced to 120 hours of community service.

Reports are vague on how the student hacker was tracked down, but it may well be that the denizens of 4chan got the ball rolling by reporting the threats to police, something that happened in a similar school massacre threat case in Michigan back in February.

The Netherlands has a computer hacking law that dates from the early 1990s and defines a computer as a machine involved in the “storage, processing and transmission of data”. Since a router is not used to store data, a judge reasoned, it fails to qualify as a computer – and thus the computer hacking law isn’t applicable. The ruling, which surprised legal observers in The Netherlands, means that piggy-backing (or leeching) open wireless networks is not a crime: though civil proceedings against leechers would still be possible, so a free-for-all is unlikely.

Most countries have laws the apply to hacking into computer networks as well as computers but not, it would seem, The Netherlands. The Dutch attorney general has decided to appeal the verdict in the case, a process that may take several months

Researcher cracks Wi-Fi passwords with Amazon cloud

A security researcher has tapped Amazon’s cloud computing service to crack Wi-Fi passwords in a fraction of the time and for a fraction of the cost of using his own gear.

Thomas Roth of Cologne, Germany told Reuters he used custom software running on Amazon’s Elastic Compute Cloud service to break into a WPA-PSK protected network in about 20 minutes. With refinements to his program, he said he could shave the time to about six minutes. With EC2 computers available for 28 cents per minute, the cost of the crack came to just $1.68.

“People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so,” Roth told the news service. “But it is easy to brute force them.”

Roth is the same researcher who in November used Amazon’s cloud to brute force SHA-1 hashes. Roth said he cracked 14 hashes from a 160-bit SHA-1 hash with a password of between one and six characters in about 49 minutes. He told The Register at the time he’d be able to significantly reduce that time with minor tweaks to his software, which made use of “Cluster GPU Instances” of the EC2 service.

As the term suggests, brute force cracks are among the least sophisticated means of gaining unauthorized access to a network. Rather than exploit weaknesses, they try huge numbers of possible passwords until the right phrase is entered. Roth has combined this caveman approach with a highly innovative technique that applies it to extremely powerful servers that anyone can rent at highly affordable rates.

Roth’s latest program uses EC2 to run through 400,000 possible passwords per second, a massive amount that only a few years ago would have required the resources of a supercomputer. He is scheduled to present his findings at next week’s Black Hat security conference in Washington, DC. ®