Chinese USB Wifi Crackers Make Three Strikes Laws Obsolete?

Drew Wilson | May 6, 2010

With many countries considering a three strikes law, it’s interesting how privacy and copyright can go hand in hand online. With China’s notoriety for online censorship, it’s interesting that a new product is out in the Chinese market that allows for easy Wi-Fi hacking.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.

If you believe proponents, there are a number of objectives set out when a country considers a “graduated response” or three strikes law. One of those objectives is to simplify the ability to go after alleged file-sharers when all that is available is an IP address and a time stamp. Another objective is that it’s supposed to reduce file-sharing. While, on the surface, a new product known as network-scrounging cards doesn’t seem to do much for file-sharers, it really puts another dent in the robustness of a three strikes law.

NetworkWorld describes the network-scrounging cards as a USB device with which “a user with little technical knowledge can easily steal passwords to get online via Wi-Fi networks owned by other people.”

The USB item comes with two CDs – one for installing the drivers and the other being a live Linux CD for the purpose of using BackTrack. Once installed, “the user can run applications that try to obtain keys for two protocols used to secure Wi-Fi networks, WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access). After a successful attack by the applications, called Spoonwep and Spoonwpa, a user can restart Windows and use the revealed key to access its Wi-Fi network.”

The bundle, according to NetworkWorld, sells for 165 yuan ($24).

In other words, it’s not much more complicated than installing the drivers for a mouse or webcam.

Here’s why this is so significant when looking at this through the perspective of a three strikes law.
The three strikes law depends on an IP address accurately identifying an individual. At best, some countries mandate that a Wi-Fi access point be secured (protection that seems to be all but destroyed with this product). If one were to access another person’s Wi-Fi, then, practically speaking, the only person that authorities could possibly track copyright infringement to is the owner of the Wi-Fi point, not the individual using it without authorization.

As for efficiency, NetworkWorld had this to say about the set-up:

“One of the kits took over an hour to crack the WEP key equivalent to the password “sugar” in a test attack on a personal router set up for the purpose using 40-bit encryption.”

Still, when someone is, say, living in an apartment building with 20-some access points to choose from right from their own living room, an attacker has all the time in the world to crack the passwords. How often do Wi-Fi owners, on average, change their passwords anyway?

Unfortunately, such a product only exists in China currently, but who knows? It might come to other countries that are determined to pass such a flawed law in the first place.

As for the developer of BackTrack, they aren’t happy that their product is being used in this fashion because BackTrack was meant for penetration testing more than anything else. Still, it shows another example of why tightening copyright laws will never solve anything with regards to file-sharing.

Functionally speaking, this has resemblance to the “HADOPI router” which was actually a fake ad (more recently, another company released a similar product), but this iteration seems to be more portable. Perfect for the growing use of laptops.

It’s easy to say that this alone makes a three strikes law obsolete because even if a hacker is tracked down, the resources spent on tracking him/her down pretty much obliterate a lot of the objectives set out by a three strikes law in the first place.

Drew Wilson on Twitter: @icecube85 and Google+.