Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Wireless Networking Crime United Kingdom

Weak Wi-Fi Password May Have Led UK Police to Bust an Innocent Couple (bbc.co.uk) 109

Slashdot reader esm88 shares the BBC's story about a couple who experienced "a knock on the door from the police" investigating child abuse images posted online. "The couple insisted they had nothing to do with it. But the next few months were 'utter hell' as they attempted to clear their names," before their case was finally dropped in March: In February, a conversation with a friend who worked in cyber-security alerted them to the possibility that their router, supplied by their broadband provider Vodafone, might hold clues to what had happened. They had not changed the default passwords for either the router itself or the admin webpage, leaving it susceptible to brute force attacks. "We think of ourselves as competent users but we are not IT experts," said Matthew. "No-one told us to change the password and the setting up of the router didn't require us to go on to the admin menu, so we didn't.

"It came with a password, so we plugged it in and didn't touch anything."

Ken Munro, a security consultant with Pen Test Partners, told the BBC that it can take "a matter of minutes" for criminals to piggyback on insecure wireless connections... "So what I guess has happened here, is that the hacker has cracked the wi-fi password and then made changes to the router configuration, so their illicit activities on the internet appear to be coming from the innocent party." In March, when the couple's devices were returned and the case closed, the police officer assigned to liaise with them seemed to corroborate that unauthorised use of their wi-fi was to blame. But it couldn't be proved... The problem is industry-wide, points out Mr Munro.

"Internet service providers have started to improve matters to make these attacks harder, by putting unique passwords on each router. However, it will take years for all of the offending routers to be replaced," he said.

This discussion has been archived. No new comments can be posted.

Weak Wi-Fi Password May Have Led UK Police to Bust an Innocent Couple

Comments Filter:
  • The PDs need reform. Serious reform. Sadly, that means the people who set their rules need it as well. And damn, that all comes back on us.

    • by SvnLyrBrto ( 62138 ) on Sunday May 23, 2021 @02:10PM (#61413664)

      What else really needs to be said? Trying to railroad innocents into prison for crimes they didn't commit like this should have been a career-ending decision for every officer involved. There should be prison time for the robbery of their possessions, doubly so if they actually arrested or detained or laid hands upon the couple in any way for any length of time. And obviously the civil penalties should utterly crush every cop involved too. That all goes pretty much without saying.

      But we all know there will be no repercussions. The system is so corrupt... so entirely unwilling or unable to hold the police accountable for their misdeeds... that nothing will come of this. Since they didn't go in guns-blazing and summarily execute the couple this time; this is actually a relatively minor case of police abuse of the public. Really, there should be news stories if ever a day does *NOT* go by when the police harass innocent people.

      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Sunday May 23, 2021 @02:45PM (#61413748)
        Comment removed based on user account deletion
        • by SvnLyrBrto ( 62138 ) on Sunday May 23, 2021 @03:30PM (#61413868)

          The article specifies that the couple was not, in fact, guilty. So for the police to accost them at all, in any way, was entirely out of line. And this was far from a harmless one-time-and-done chat. The cops stole their stuff; cutting them off from all human contact beyond landline conversations during the pandemic. They slandered and libeled the couple; attacking them at the levels of their employers, social services and children's school, trashing the husband's reputation with his company and getting the wife removed from her position at the school. And... they kept it up for MONTHS.

          Okay... I forgot in the moment that UK police are less militant and less likely to just summarily shoot someone to get their jollies for the day like our are wont to do. But in no way was what they put this couple through A-OK hunky dory. There needs to be compensation and accountability. The officers involved need to burn (Figuratively, of course.).

          • The article specifies that the couple was not, in fact, guilty. So for the police to accost them at all, in any way, was entirely out of line.

            So true. If only the police training had included that famous documentary "Minority Report", all of this could have been avoided.

            • Maybe presume innocence and build an actual case to prove guilt? Whoever modded you insightful is a moron.
              • Maybe presume innocence and build an actual case to prove guilt?

                You mean by gathering evidence and questioning suspects? No, we've already established that such an approach is completely out of line. Clearly the only acceptable solution is psychic cops.

          • by Aristos Mazer ( 181252 ) on Sunday May 23, 2021 @05:57PM (#61414244)

            Police legitimately act on reasonable suspicion. It is the courts to decide innocence of guilt. False arrests are going to happen... thereâ(TM)s really no way around it. The arrest often has to precede hard evidence so that guilty parties do not destroy evidence. And exonerating evidence comes to light as part of the deeper investigation. As a society, we have to apologize to innocents who are arrested. But even great policing will result in situations like this regularly. Thatâ(TM)s not a failure of policing.

            • You are using the words "reasonable" and "police" in the same sentence without there being any negation. You are not describing a world that I have every inhabited.
              • I am not saying there aren't major failures in policing in the USA. There are. I'm only saying that this in particular -- the arrest of an innocent person based on [what the cops see as] reasonable evidence -- is not an example of such a failure.

          • > The article specifies that the couple was not, in fact, guilty

            If only the police had thought to read this article written six months later first!

          • by thegarbz ( 1787294 ) on Monday May 24, 2021 @05:20AM (#61415420)

            The article specifies that the couple was not, in fact, guilty. So for the police to accost them at all, in any way, was entirely out of line.

            That is not how the justice system works. The world doesn't determine by news headline if someone is guilty. They determine that through a process where a verdict comes out towards the end. The system is designed to minimise the possibility of errors resulting in an incorrect *conviction* at the end. The police involvement is at the beginning.

            Unless you have a time machine there's literally no way a criminal justice system can work without involving police *before* determining if someone is innocent or guilty. It is after all not the police's job to make that determination.

            Innocent people get caught in the crossfire, but what if they weren't? Let's assume for the fact that they were guilty, and they were known pedophiles. During the ongoing process you want to keep people at schools? Also the police don't slander, in fact they don't do anything. They aren't calling up your friends, families, and coworkers and telling them you jack off to children. They present evidence. Just because that evidence turned out to be misleading doesn't make something slander.

            Now if you want to talk about reputation damage, how about you direct your attention to outrage media so quick to vilify people based on an allegation. In some sane countries the names of people are legally not allowed to be published regardless if they are guilty or innocent. Maybe we should address the angry judgmental mob rather than the police doing their job.

            • by Anonymous Coward

              All maybe true, but the police have been known to be "discrete" when talking to (say) a wife about a husband who has used his mistress as his alibi. As such, given how the general public and media react to CP issues, some discretion could be used when investigating, especially given the uncorroborated, and highly flimsy (and subsequently found to be entirely false) evidence at hand.

              If an IP address being used for something is enough to ruin your life, then we have something seriously wrong with our criminal

          • by nagora ( 177841 )

            The article specifies that the couple was not, in fact, guilty. So for the police to accost them at all, in any way, was entirely out of line.

            You have confused the Police with the Court. The Police's job is to act on suspicions, collect evidence, and if the evidence supports the suspicions, present it to a court.

            There clearly was evidence that something was going on using IT equipment in the house - because there was.

            I mean, what scenario do you expect?

            "Excuse me, are you a paedophile?"

            "No, officer. And neither is my wife."

            "Very good, sir. Just checking. Can't be too careful these days, can you?"

            "Indeed not, officer. Quite all right."

            ???

            The real

          • by hattig ( 47930 )

            This is idiotic.

            The police had a lead linking to an address. They took the devices because that was reasonable cause to take the devices to check for further evidence (clearly not found). Obviously they had to question the people who lived at the address, and obviously there was distress caused because they were innocent, but they still have to check things out.

            Now what should happen is that the police should provide a statement exonerating the couple, for them to regain their standing. And yes, there shoul

      • by jenningsthecat ( 1525947 ) on Sunday May 23, 2021 @06:45PM (#61414348)

        I had modded you down, but thought better of it and decided to reply instead.

        First off, let me say that I hate law enforcement over-reach, I don't trust the police, and I'm in favour of the 'defund' movement to the extent that it wants to stop police forces from buying military-type toys that are only suitable for repression and oppression rather than engagement and enforcement. Having said that...

        To me your anger seems very misplaced. What the couple in TFA went through was sad and regrettable - but what else could the police do? They can't rely on mere impressions - "gee, this is a nice couple with small kids" - to exonerate suspects. They have to dig up and follow the evidence, which is what they did.

        Notwithstanding that police departments' feet ought to be held to the fire every time they resort to thuggery, lying, etc., I think the real culprits here are the service and equipment providers responsible for implementing laughable default security measures in routers, IOT devices, etc. If this couple had been forced to go to a web page served by their router, and to change the default password to something meeting some fairly strict criteria before the router would function, we probably wouldn't be having this conversation. Additionally, said web page might contain examples - such as this story - of what can happen when you don't take computer security seriously.

        Distributing insecure hardware to Joe and Jane average is not too different from handing a loaded gun to someone untrained in the use of firearms. Even if they don't injure someone with it, they might leave it lying around for someone else to cause injury or death. For that reason, I would like to see providers be subject to at least civil liability, and perhaps criminal penalties, for failing to enforce basic security. I really don't think the cops could have done much differently than they did in this case, but the ISP sure as hell could have.

        • Re: (Score:2, Insightful)

          but what else could the police do?

          Employ at least one 15 year old who has heard of dynamic IPs for a start.

          I think the real culprits here are the service and equipment providers responsible for implementing laughable default security measures in routers, IOT devices, etc.
          Yes - they should be held responsible for the loss and suffering. With punitive damages - including banning all the directors from being company directors again.

          • by Cederic ( 9623 )

            Employ at least one 15 year old who has heard of dynamic IPs for a start.

            How would that have made a difference?

            They may have used the ISP logs to track down to which address that IP address was assigned at the point at which the crime was committed.

            The router may have had the same IP address for the past seven years.

            I'm on a home internet service in the UK and my IP address hasn't changed for several years.

      • What else really needs to be said? Trying to railroad innocents into prison for crimes they didn't commit like this should have been a career-ending decision for every officer involved. There should be prison time for the robbery of their possessions, doubly so if they actually arrested or detained or laid hands upon the couple in any way for any length of time. And obviously the civil penalties should utterly crush every cop involved too. That all goes pretty much without saying.

        But we all know there will be no repercussions. The system is so corrupt... so entirely unwilling or unable to hold the police accountable for their misdeeds... that nothing will come of this. Since they didn't go in guns-blazing and summarily execute the couple this time; this is actually a relatively minor case of police abuse of the public. Really, there should be news stories if ever a day does *NOT* go by when the police harass innocent people.

        Only in the USA

    • by mr.morbo ( 6346556 ) on Sunday May 23, 2021 @07:43PM (#61414502)

      The PDs need reform. Serious reform. Sadly, that means the people who set their rules need it as well. And damn, that all comes back on us.

      I'll reply all the way up here because this whole thread seems to be intended to point out that this was police bullying.

      But what else were police supposed to do? They had evidence of a crime and they had a piece of evidence linking the crime to a location. They got a warrant and attended the location looking for more evidence. The didn't smash in the front door. They didn't kill the family dog. It sounds from the article that they were generally fairly respectful when dealing with their suspects even though the suspected crime was fairly heinous.

      That sounds like good old fashioned police work to me. You know, the way it's supposed to be done.

      • "But what else were police supposed to do? ", you ask.

        How about doing some simple investigation before jumping to conclusions? Do you really think they spent more the 2 seconds considering what else could be going on before they fired the big guns?

        Your fundamental assumption is the police never make mistakes and they consider the consequences of what they do. The opposite is true; they routinely screw up and they will do anything, up to and including lying and and destroying evidence to get the perp.

        Arr

    • Child pornographer: "Oh that couldn't have been me that uploaded those, see, I never changed the password on my router."
      PC Plod: "Understandable, have a nice day Moe Lester."

    • by hattig ( 47930 )

      To be honest, a two month turnaround on a case like this to close it is pretty fast, from a UK police perspective.

      However in any case involving IP addresses, the home internet situation should be the first thing that is checked out.

      And weak devices mean that if you are a perpetrator of these crimes, you can get plausible deniability just from having a known insecure router at home - although any serious perpetrator would also a VPN or go an hack someone else's WiFi...

      Dunno how they couldn't order new stuff,

  • Internet service providers have started to improve matters to make these attacks harder, by putting unique passwords on each router.

    Passwords should be unique? What a modern improvement! You know, not something they would have come up with, say, 60 years ago. There's always an implementation lag on new computing concepts, so I guess we shouldn't place too much blame on them.

    • Not as amazing as the problems caused by an always-on connection.

    • Unique!?

      That isn't especially good. They could simply use the serial numbers or mac address or something else that is supposedly unique, like customer number.

      Being unique doesn't cut it, and making that statement shows a lack of understanding, imo.

      • by Pascoea ( 968200 )
        I guess you could say that "unique" is the wrong word. I'd be wiling to bet "random" was the word they were after. A random (unique) password is generated during the initial firmware flash and stickered to the bottom of the router. Even if it was something based on the serial number (or customer number) it would be 1000x better than every router they ship out being admin:admin.
    • Re:What an idea! (Score:4, Insightful)

      by NFN_NLN ( 633283 ) on Sunday May 23, 2021 @03:20PM (#61413840)

      > Passwords should be unique?

      (A)
      You should use a somewhat easy password that isn't too obvious. That way there is plausible deniability.

      Imagine if they had a difficult and unique password AND they just happened to be hacked. This story would have went a different direction.

      (B)
      Similarly when airport security asks you if "you packed your bags, and they never left your sight and you're responsible for what's in them", do you run up and say "you bet, and if you find any drugs or contraband it's because I explicitly put them there. No need for a trial."

      • by NFN_NLN ( 633283 )

        That's why I use "hunter3" for my Wifi.

      • by rastos1 ( 601318 )

        Similarly when airport security asks you if "you packed your bags, and they never left your sight and you're responsible for what's in them", do you run up and say "you bet, and if you find any drugs or contraband it's because I explicitly put them there. No need for a trial."

        I wonder if anyone ever tried to answer that question with "um, No. I did not walk here from my bedroom with my eyes fixed on my luggage".

  • Let's see "The problem is industry-wide, points out Mr Munro." and "The couple insisted they had nothing to do with it. But the next few months were 'utter hell' as they attempted to clear their names," before their case was finally dropped in March". Seems someone at the police doesn't understand the concept of nonexistent evidence.

    • by PPH ( 736903 )

      Seems someone at the police doesn't understand the concept of nonexistent evidence.

      The police? Or the prosecutor's office?

      The police are simply agents of the prosecutor. Rounding up suspects and collecting evidence to build a case. The prosecutor should have realized that they didn't have sufficient evidence to 'connect the dots'. And either sent the cops back to collect more or thrown the case out.

      • by Cederic ( 9623 ) on Monday May 24, 2021 @03:37AM (#61415274) Journal

        The police? Or the prosecutor's office?

        The Police.

        The police are simply agents of the prosecutor.

        Maybe in the hellhole you live in but not in England and Wales.

        The prosecutor should have realized that they didn't have sufficient evidence to 'connect the dots'. And either sent the cops back to collect more or thrown the case out

        The "prosecutor" likely didn't even know there was a case being pursued. The couple were never even charged.

    • by DesertNomad ( 885798 ) on Sunday May 23, 2021 @02:25PM (#61413702)

      And the obvious, yet non-physical, and possibly permanent, violence and injury imparted to their reputations and lives.

    • Let's see "The problem is industry-wide, points out Mr Munro." and "The couple insisted they had nothing to do with it. But the next few months were 'utter hell' as they attempted to clear their names," before their case was finally dropped in March". Seems someone at the police doesn't understand the concept of nonexistent evidence.

      No. It sounds like someone at the police force got a warrant based on probable cause - the IP address was demonstrably used to commit a crime. Given the nature of the crime, it doesn't appear possible to "spoof" the source address in a way that would allow uploading abuse images - not without the criminal being in the ISP game. The most probable explanation is that someone was connected to the network at that address in order to commit the crime from that IP address.

      Police went to the address looking for fu

      • It sounds like someone at the police force got a warrant based on probable cause - the IP address was demonstrably used to commit a crime.

        Reading the small print, it looks like the ISP had no record of the IP address, and almost all UK IP addresses are dynamic unless you specifically pay for a static one.

        I think the police lack the understanding of IT needed to prosecute such cases at all, and jail time for the top management is the only way to sort that out. What will actually happen is "the police" w

        • Reading the small print, it looks like the ISP had no record of the IP address, and almost all UK IP addresses are dynamic unless you specifically pay for a static one.

          I did read the small print in the linked article. Nowhere does it say that their ISP did not have a log associating the IP address with their account. It says that their ISP (Vodafone) did not have "records of their Internet activity". In other words, their ISP wasn't logging their activities online. They almost definitely did have records linking IP/time -> account.

          Dynamic vs static IP doesn't make one lick of difference if they're retaining ip->account information. Clearly there was enough evidence

  • by ytene ( 4376651 ) on Sunday May 23, 2021 @02:15PM (#61413678)
    The reason this sort of thing still happens is, sadly, because the average user simply doesn't think about or understand security concepts well enough to know if their home setup is insecure.

    It doesn't have to be that way.

    Imagine how much safer/more secure things would be if all home routers had a "first-run" setup script that walked end users through the activation of basic security principles. The worst thing is, this would not be hard to do: if you have a laptop or desktop-style computer, you should be able to get a physical (wired) connection. If you don't have traditional devices (say just a smartphone or tablet) then the hardware vendors should be offering a combination of a smartphone/table application that can be downloaded from the respective software library, coupled with a physical switch on the front of the router that flips it into admin mode and lets you set up devices.

    We should demand that all new home routers are sold with the ability to whitelist devices, the ability to hide SSIDs and the ability to allow the device operator to take a look at traffic and see what devices are using the network [just to keep a watch for unknown users].

    Unfortunately for us, the vast majority of the public don't realize the risk they are taking with their home network equipment and therefore the vendors are perfectly happy to not spend money securing their devices.

    The "absolute minimum" really needs to include:-

    1. The latest wifi security protocol - and the ability to upgrade effortlessly, as new protocols are ratified
    2. Strong password enforcement, auto-generating if needs be
    3. White-listing of known-good devices, preferably with this turned on by default, coupled with a simple registration process [i.e. smartphone app, web page, etc.]

    We also need to keep an eye on latest security trends. For example, Apple's latest iOS changes the MAC address of wifi adapters in their devices... which helps defend the device against hacks on insecure public networks, but it also screws up MAC white-listing on trusted home networks. This isn't hard to manage, but we need to keep educating users so they don't become frustrated and disable good security features if/when they stop working.

    But we definitely don't want to end up in a situation where people are getting arrested thanks to lazy vendors.
    • by Arnonyrnous Covvard ( 7286638 ) on Sunday May 23, 2021 @02:49PM (#61413760)
      First of all, you don't know what you're talking about. How can I tell? You want "the ability to hide SSIDs". This is well known to be counterproductive. It's security theater. Hiding the SSID only removes it from beacon frames and has the side effect that all your devices have to actively send probe requests with the "hidden" SSID all the time to know if they're in range of your access point. This makes you more susceptible to attack.

      Secondly, this is not going to be solved by perfect security, because perfect security can not exist. The solution must involve recognizing that an IP address in a log is not a damning indictment. Too much faith is put in a false equivalence of public IP address and perpetrator, not just because of CGNAT, and no, this can't be fixed by also logging port numbers. Fixing the problem requires good old-fashioned police work, e.g. observation. As long as people think that asking an ISP "who used that IP address at that time" is all the police work needed to get a search warrant, these incidents will happen and innocent people will be put through hell.
      • Imo, they'd do better to remove the password altogether and make it an open network, like a coffee shop or hotel.

      • by N1AK ( 864906 )

        Fixing the problem requires good old-fashioned police work, e.g. observation. As long as people think that asking an ISP "who used that IP address at that time" is all the police work needed to get a search warrant, these incidents will happen and innocent people will be put through hell.

        Unless you are suggesting the police "observe" what everyone is doing at all times then how exactly do you expect this to work. Someone does something criminal, you go to court and get the home address linked to the traffic

        • Wireless transmissions can easily be observed without entering the premises. In this case, for example, the police could very likely have caught the actual perpetrator by collecting information about the devices which connect to the compromised wireless network. But more importantly, they could have figured out that devices from outside the premises access the network, which calls into question the assumption that the owners of the internet connection must be involved in the crime. Instead they just assumed
    • by JaredOfEuropa ( 526365 ) on Sunday May 23, 2021 @02:55PM (#61413772) Journal
      The first demand must be that IP addresses or traffic originating from your home should never count as conclusive evidence. It is - at most - a reason to further investigate you.
      • by Cederic ( 9623 )

        So.. exactly what happened on this occasion?

        • Stuff like this:

          They were told their devices would need to be checked for evidence and would be returned in "a few days" - but it was the middle of March when they finally got them all back. That presented practical problems: Kate and Matthew were working from home and their children were home-schooling.

          The police needed to unlock Matthew's work laptop, which was encrypted. He had to tell his boss about the case in order to get the decryption key. And the police had also informed social services and the children's school about the investigation, meaning Kate was suspended from her role as a governor there. When their children went back to school in March, the couple were told they were not allowed on the premises other than to drop their children off.

          I don't know exactly how UK law works, but if they start impounding computers and informing social services about this, they might as well be formally charged. Way, way premature.

          • by Cederic ( 9623 )

            I'll grant you that social services involvement is harsh. At the same time too many children in the UK have been gang raped while social services sit there going, "it's cultural, we can't get involved, we'll be accused of racism" so I'd rather they did their fucking job and investigated risks properly.

            The police also need to investigate crimes. Someone committed a crime. The evidence led to a house. How would you investigate the people associated with that house for that crime without, I don't know, checkin

            • So you take the devices or you just go 'yeah, the evidence trail leads to this house but we will stop here, maybe it is you, maybe it is not, we will never know'.

              This is a false dichotomy.

              Another option would be for the forensic copies to be made in a reasonable amount of time, and the originals returned to their rightful owners immediately thereafter. There is absolutely no legitimate reason for electronic devices to be impounded for months or years when copies take minutes or hours to make. To do otherwise punishes people who haven't even been formally charged, much less convicted.

              Also, the level of investigation permitted should be limited to a proportion to the

              • by Cederic ( 9623 )

                Another option would be for the forensic copies to be made in a reasonable amount of time, and the originals returned to their rightful owners immediately thereafter.

                By police standards two months is astonishingly quick.

                There is absolutely no legitimate reason for electronic devices to be impounded for months or years when copies take minutes or hours to make.

                It'll take minutes and hours for the devices to be returned to the police station. There they have to be catalogued, then put into envelopes for transfer to the forensics department.

                That transfer shouldn't take more than a couple of days and then the forensics department will log receipt and add the devices to their work queue.

                That work queue may be a few days long or it may be a several week backlog.

                Then they need to make a secure copy, do whatever else

          • by hattig ( 47930 )

            What were they meant to do?

            In cases like this, the warrant is to enter and seize all the electronics for investigation.

            You cannot leave devices with potential suspects. You cannot allow them to have contact with children. The work thing was unfortunately but it should only be known by the direct manager, who should have obfuscated any reason with the IT people who sorted it out.

            It's really bad luck for these innocent people, and there is no restitution beyond getting their stuff back, but at least it was on

    • by AmiMoJo ( 196126 )

      Most routers come with a decent random password now. It's usually printed on a label somewhere. This was either a very crappy or very old router.

      The real problem is that the police didn't bother check this earlier.

      • Stop trolling (Score:4, Informative)

        by Martin S. ( 98249 ) on Sunday May 23, 2021 @03:17PM (#61413834) Journal

        The Police did investigate based on the evidence they had that child abuse images had been posted online from their IP address.

        The couples' equipment was seized in January, investigated and returned in March and no charges were laid. The police did their job.

        Cases have been reported on Slashdot were innocent Americans have been deprived of their equipment for years, or it has been returned trashed.

        • Having all electronics confiscated for a few months is still a BIG DEAL for many people. My work requires me to have computer equipment at home and like many people losing my equipment and data will make it difficult to keep my income, pay my bills etc. Yes, we want to stop child porn, but not at the cost of disrupting the lives of factually innocent people. This couple had no security but what if their security had been pretty good - but hacked in a way that was not obvious to the police? What if it was
          • by hattig ( 47930 )

            It's the big fear isn't it - doing the right thing to protect yourself, but someone still getting in, and now you can't explain things.

            Luckily remote access, through a reasonably secured router, and secured device, is not easy, and an attacker will likely prefer to look for a weaker target to attack. But that's not guaranteed.

        • Re: (Score:2, Flamebait)

          by sjames ( 1099 )

          How would being unable to work from home for 2 months or use your cellphone while you're being accused of child porn work out for you?

          Plus that's a pretty damning accusation to be tossing around based on practically non-existent evidence.

          • by Cederic ( 9623 )

            The police seize my electronics and I'm back online 90 minutes after they stop interviewing me.

            I'm back working from home maybe 2-3 days later, less if my office offers remote desktop facilities.

            It's a shitty situation but it's not 2 fucking months offline.

            • by sjames ( 1099 )

              For many people, it IS 2 months offline. It was for the couple in TFA, for example.

            • by hattig ( 47930 )

              90 minutes? With what equipment, if all the stores are shut because of covid. Oh you hid a Raspberry Pi they didn't find? Oh, they'll like finding that later on - you hid this device Sir, please come with me?

              And maybe they didn't have the spare money to buy two new laptops - and they were told it would be a few days - which was wrong, the police should have set reasonable expectations up front, so they knew whether to buy new cheap/refurb/secondhand laptops or to just wait.

              The guy's work should have provide

              • by Cederic ( 9623 )

                90 minutes? With what equipment, if all the stores are shut because of covid

                In 90 minutes I can get to the homes of no fewer than 20 different people willing to lend me a phone. Some of them will also lend me a laptop.

                Sorry that you have no friends, it must be hard for you.

    • "1. The latest wifi security protocol - and the ability to upgrade effortlessly, as new protocols are ratified"

      New security protocols typically require new encryption mechanisms that have to be implemented in hardware by the wifi chip to work with a reasonable throughput. Some of it can be patched, but changing to a new security mechanism (like WEP -> WPA) means new hardware.

    • by thegarbz ( 1787294 ) on Monday May 24, 2021 @05:31AM (#61415432)

      The reason this sort of thing still happens is, sadly, because the average user simply doesn't think about or understand security concepts well enough to know if their home setup is insecure.

      No. The reason this thing happens is because we as an industry have failed by *expecting* the user to understand. The industry can solve, and in some ways have. Modems are now shipped with custom passwords, printed on stickers on the bottom. No more default admin accounts. The only question is, why has this taken so long. When the very first Wifi modem came out, the very first cable modem with a goddam Admin page we should have noticed this problem and fixed it then. It shouldn't have taken us 20 years to do so.

      The fact that any modem supporting 802.11 g/n/ac is open to this is a failing of the industry. The problems were known when the first wifi devices hit the market and the industry did *nothing*. Hell fast forward 15 years when IoT became a thing and the industry continued to do *nothing*.

      We don't sell cars without seatbelts, why do we still sell consumer IT equipment with known default passwords? We should be holding the vendors legally accountable for their true incompetence. A quick google shows that IT cybercrime is suspected to pass the $10trillion mark annually in 2025. This is something you should be able to get law makers to give a fuck about.

  • by ghoul ( 157158 ) on Sunday May 23, 2021 @02:22PM (#61413690)
    Everyone seems to be focussed on the tech problems yet noone s focussing on the incompetence of the cops. Sure they left their wifi unprotected. So what? Its the cops' jobs to investigate and find actual evidence. If I left my home unlocked by mistake and someone broke in and used the place to have sex with a minor would the cops be investigating me? No. They would be looking for the actual perp. With cybercrimes the cops understand so little that if they get a small piece of a clue they just run with - I mean computers cant be wrong can they? Cops need to be trained on the concept of garbage in garbage out. Computers are not infallible.
    • It's not 'incompetence'... it's the exact same standards used by dedicated and sophisticated task forces. They've decided that an IP address linked to child abuse images, alone, constitutes probable cause to subpoena the person it's assigned to and execute a warrant to seize all electronic devices in their home. They know there's circumstances where an IP doesn't correctly identify people, and thank god here they did recognize that and not continue to railroad them and try to extract a plea deal before a fu
      • An IP address is about as useful an identifier as the return address on an envelope.
        If someone sent a letter-bomb to the prime minister and the return address was a doughnut shop, would they get a warrant to seize all chemicals at that address?
        Would it take them two months to figure out they were wrong?

        • If someone sent a letter-bomb to the prime minister and the return address was a doughnut shop, would they get a warrant to seize all chemicals at that address?

          Yes.

          Even the American police would do that. Police cannot manage anything more technical that a 19th century bicycle in most "advanced" countries. If you can "do IT" you sure as hell don't join the police.

        • Would make sense to at least investigate the doughnut shop. Maybe interview people who work there.
        • by Cederic ( 9623 )

          An IP address is about as useful an identifier as the return address on an envelope.

          No, it's far more useful.

          It won't always lead you to the perpetrator but it often will, and many people possessing child pornography have been arrested because of images found on their electronic devices following a warrant executed based on the IP address from which interactions online occurred.

        • by N1AK ( 864906 )

          If someone sent a letter-bomb to the prime minister and the courier who collected the letter from a house had footage showing them picking up that parcel from the property

          Fixed it for you.

          It worries me how ignorant some people are about tech on a site like /. The IP address came from the ISP; if you think this can be spoofed as easily as a return address on an envelope then I'm glad you don't called as an expect witness often! I don't think anyone is suggesting that the most likely scenario is that the

        • "Do you have any enemies, perhaps an employee with a grudge?" is a perfectly valid question for whoever is on that return address.

      • So it sort of an agreement between child abusers and the police. There is a lot of technological sophistication in those circles. "If anyone bothers you, say, one of your victims, just hack into their wifi and we'll take care of them for you".
        As soon as the police modus operandi becomes predictable and dumb this will be abused by the smarter targets to achieve exactly the opposite. With the absolute support of course of many apologists on here.
        Criminals use police profiling practices that way. When you hav

    • If I left my home unlocked by mistake and someone broke in and used the place to have sex with a minor would the cops be investigating me? No.

      If the police found that a number of minors took an Uber to your house and were never seen again, yes, the police should investigate you. Hopefully you have some evidence you were away from your unlocked house on most or all of the occasions, but if you don't, the police has to investigate further to see if they can link you to the disappearance of a minor. Unfortunately this may mean you have to be interviewed and the police may have to ask you for personal information, like your travel records, credit car

    • If I left my home unlocked by mistake and someone broke in and used the place to have sex with a minor would the cops be investigating me?

      Er, probably? Hopefully they find evidence implicating others and not you, but if the crime was committed at your house, that would be a good enough reason to at least investigate.

    • Yes, they would be investigating you! If it happened in your home then you'd be a prime suspect.

      The police investigate and find evidence by arresting likely suspects and interviewing them.
    • by Cederic ( 9623 )

      Its the cops' jobs to investigate and find actual evidence.

      By, for instance, using evidence to pinpoint a likely location as the source of the crime, getting a search warrant, retrieving evidence and analysing it.

      The evidence they retrieved demonstrated that the home owners were unlikely to be the perpetrators so no charges were pressed.

      the incompetence of the cops

      So they did precisely what you seem to want them to do, following the law, following their own procedures, following a reasonable course of action, and yet you still want to declare them incompetent.

      Perhaps you'd like to share with

    • If I left my home unlocked by mistake and someone broke in and used the place to have sex with a minor would the cops be investigating me?

      Yes they would you child sex trafficker! Okay jokes aside, how did you get through writing your post? You simultaneously criticised the police for both investigating and not investigating at the same time. Then you said they should have investigated more and investigated less.

      Your post is incoherent. The cops did their job here. They investigated, had suspicions, got a warrant for further investigation, a judge agreed, they proceeded to do further investigation, investigation takes time, and at the end thei

  • That's probably something to think about again, if you're not changing your default router-password.
    • Dunning-Kruger effect?

      It's almost certain they didn't read through the user manual of the router. Pretty sure security steps are in there.

      Or they just failed to get their tech savvy niece or nephew to do it for them.
    • If the ISP owns the router, then shouldn't it be the ISP that was served the warrant and investigated? The ISPs should be legally responsible for ensuring what they are renting to people are secure when provided, secure when setup, and secure after that.

      • by Cederic ( 9623 )

        No. The offence wasn't having an insecure router. The offence was related to activity linked to an IP address.

        The insecurity of the router offers a sensible reason (although there are others) why the people living at the home identified by that IP address should be eliminated from the investigation now that they have been investigated and found not to have direct evidence of committing the offence.

        Without those reasons they could potentially remain suspects and additional investigation activity undertaken.

  • it was a LTE router .. (bad DSL there, rural area) .. they were using the default password, the router stood totally visible in a window (ground floor) having the "default_config" sticker facing to the outside of the window

    Yeah I also masked that part out.

    Fun Fact: the password for the guest Wlan was configured to be the same as the owners private Wlan and the config-psw for the router was not yet set. So every guest could use the key to connect to the private WLAN and just initially set the router-access password.

    The WLAN-Signal was quite strong - which would be good for any evil person.

    Ohh and well the WLAN was running WPA+WPA2.

    Yet ~ 8 yrs. and I advised them to dump this piece of old plastic and phone their mobile provider to get a hardware update. Good thing it was not running that stable their cat had recently thrown it to the ground.

    And well the owners had totally no clue (75+ yrs.) but now they know who they can call and who also explains in easy terms what's going on and what's a proper course of action.

    A security nightmare lurking and prevented.

  • .. when the police investigators were good and the abusers not.

    They might have a MAC-Address of the connecting hardware and that corresponding hardware should be in a somewhat 100m radius to be found.

    And when they are even better then they'd have a chance of identifying that hardware manufacturer and device type

    Also on many invoices the serial number (and sometimes the MAC-Address) of the devices is written down which is in most cases directly linked to the MAC-Address.

    Except the perpetrator was better and

    • You do know that anyone who has enough training to know how to search for, find, and connect into a wifi network because it had a default password is also smart enough to know that they can be traced by their MAC address and will spoof it right? The easiest way now is simply to run a VM, with the added security that it can leave digital foot prints of a non-existent entity with no way to trace back to the underlying physical hardware that it was run on (assuming they were smart, and understand the tech, whi
  • Even the title is wrong, the problem was they kept the DEFAULT password, not whether it was weak but the default.
    • No quickstart guide for a ISP supplied router ever has anything about changing the password. It's just "plug this in the wall, that in the phone socket, turn it on and connect, using 'hunter2' when prompted". They also don't come with manuals, just a crappy web admin interface that sometimes they don't even tell you exists, let alone how to use without inadvertently locking yourself out.

      As most won't have the slightest clue that the password is "susceptible to brute force attacks" or what that phrase even m

  • in a wifi password. Most people shorten it to the minimum of eight. And that makes my job so much easier.

    This message is brought to you by your friendly neighbourhood pentester and digital forensics analyst.

  • This is how the Recording Industry Ass. of America got popped for suing a 65-year-old grandmother for downloading gangsta rap [sfgate.com] and suing a dead woman [theregister.com]. And these were civil lawsuits, not criminal prosecutions.

    • by N1AK ( 864906 )
      Which is why the IP address was used to gather more evidence and no prosecution was brought. What I really can't understand is what the people acting like the crime should have been ignored because "an IP address means nothing" expected to happen? Imagine for a second that the images were sent by someone at that property, how exactly would they have been caught if the IP address wasn't used to get a warrant? Do you really think society, which is still pushing towards ID being needed for social media account
  • The TR;LD: Use weak passwords on your modem.

    If you still get hacked with a strong password (can list 10 different ways this could happen), they you would be in deep trouble. However if you use a dumb modem with a weak password, at least you get a defense.

    Yes, our current incompetent cyber crime climate requires really broken "solutions".

  • I got internet service from some major ISP and their tech set up the wifi router with a password something like first four letters of the last name with last four digits of the home phone number. Asked a friend with the same service and his was done the same way. Assuming it was a policy thing so I reported it on their bug bounty page which of course was rejected as not a security issue.

    Another fun bug was that simply being on the same wifi as me got a friend logged into my Facebook account. This lead to an

    • by King_TJ ( 85913 )

      I'd agree with Bug Bounty on that one. The techs who come out to set up people's wi-fi aren't supposed to be providing the "end all, be all" of secure passwords for everyone. They're just supposed to get the equipment up and running for them, while using some sort of password that's not just a factory default or identical for each installation.

      If people can't be bothered to learn how to change the wifi password themselves, then that's not the ISP's fault. The random "war driver" looking for a wireless con

  • Giving my guests a password is a pain and I don't really care if my neighbours use some of my bandwidth. Hell I should be able to run a Tor exit node from my house (provided that doesn't violate my ISP contract) without fear of the police knocking on my door. Sure the police can use my public IP address to start an investigation but they shouldn't be able to arrest or even confiscate any of my equipment on that alone. They better have some sort of evidence tying the traffic to a specific person.

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...