Several Britons agreed to give up their eldest child in return for the use of free wifi, in an experiment to highlight the dangers of public Internet, published on Monday.
Londoners were asked to agree to terms and conditions as they logged on to use free wifi in a cafe in a busy financial district and at a site close to the houses of parliament.
The terms included a "Herod clause", under which the wifi was provided only if "the recipient agreed to assign their first born child to us for the duration of eternity."
Only six people agreed to the terms and conditions, however:
In just 30 minutes, 250 devices connected to the hotspot -- some of them doing so automatically due to their settings.
The company was able to collect the text of emails they sent, the email addresses of the sender and recipient, and the password of the sender.
(Score: 3, Insightful) by Anonymous Coward on Tuesday September 30 2014, @10:11AM
the headline kinda detracts from the real issue highlighted in this story... just by providing a free open wifi hotspot, you can scrape a bunch of personal information from people's mobile devices... often without them even realizing
the 'herod' clause would be thrown out of court; contracts may be legally binding, but in pretty much every country statute law trumps any contract
(Score: 0) by Anonymous Coward on Tuesday September 30 2014, @10:26AM
would be good to have more technical info about how this is done. i'm not aware of my phone having samba or anything installed so not sure how files etc could be exposed. are there other protocols exposed?
(Score: 1) by yarp on Tuesday September 30 2014, @10:36AM
I heard that if your phone runs a software tool called "Bash" then it's being pwned as I type this.
(Score: 0) by Anonymous Coward on Tuesday September 30 2014, @10:40AM
ah. likely just MITM over HTTP/SMTP/etc using wireshark... hence passwords, emails etc
thanks to marcello_dl for helping the penny to drop
(Score: 1) by darnkitten on Tuesday September 30 2014, @04:13PM
The Guardian reported that
"the popular POP3 email protocol revealed passwords in plain text when used over Wi-Fi. This vulnerability dates back 13 years to 2001, showing how little effort has been put into fixing a potentially critical issue."
The BBC this morning didn't cover the password vulnerability, but framed the misnamed "Herod clause" as hacking and recommended that no one use free wi-fi.
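The cleartext POP3 login quoted in the comment above is something you can check for in your own mail client's debug log. This is an added example, not part of the original thread: the `C:`/`S:` transcript format, the function name and the sample sessions are constructed for illustration, and it assumes the log records commands as the client issued them.

```python
# Added example: audit a POP3 client debug log for credentials sent before TLS.
# Transcript format ("C: "/"S: " prefixes) and sample data are constructed.

CREDENTIAL_COMMANDS = {"USER", "PASS", "APOP", "AUTH"}

def audit_pop3_transcript(transcript):
    """Return the credential commands the client sent before STLS succeeded."""
    tls_active = False      # True once the server has accepted STLS
    stls_pending = False    # client sent STLS, waiting for the reply
    exposed = []
    for raw in transcript.strip().splitlines():
        direction, _, payload = raw.strip().partition(": ")
        if direction == "C":
            words = payload.split()
            verb = words[0].upper() if words else ""
            if verb == "STLS":
                stls_pending = True
            elif verb in CREDENTIAL_COMMANDS and not tls_active:
                exposed.append(verb)
        elif direction == "S" and stls_pending:
            # Only a +OK reply to STLS means the channel is being upgraded.
            tls_active = payload.startswith("+OK")
            stls_pending = False
    return exposed

CLEARTEXT = """
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS example-password
S: +OK maildrop ready
"""

UPGRADED = """
S: +OK POP3 server ready
C: STLS
S: +OK begin TLS negotiation
C: USER alice
S: +OK
C: PASS example-password
S: +OK maildrop ready
"""

# Failure mode: the upgrade is refused and the client logs in anyway.
REFUSED = UPGRADED.replace("+OK begin TLS negotiation", "-ERR STLS not available")

if __name__ == "__main__":
    for name, log in [("cleartext", CLEARTEXT), ("upgraded", UPGRADED), ("refused", REFUSED)]:
        print(name, audit_pop3_transcript(log) or "no cleartext credentials")
```

A non-empty result means the account should be reconfigured to require TLS (implicit TLS on port 995, or a mandatory STLS upgrade) and the password changed.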
(Score: 0) by Anonymous Coward on Wednesday October 01 2014, @07:24AM
Really, is POP3 actually popular these days? Considering how much better IMAP is I'm surprised anyone still uses it.
It's disappointing that the BBC doesn't mention it though, but not surprising as their tech reporting is usually quite poor.
(Score: 2) by hoochiecoochieman on Tuesday September 30 2014, @11:49AM
Not so sure if this is true for the US. Maybe they need to write a specific law for it.
(Score: 3) by TheRaven on Tuesday September 30 2014, @03:17PM
sudo mod me up
(Score: 2) by HiThere on Wednesday October 01 2014, @12:41AM
I'm pretty sure that the GP was a snark.
If so, then I'd rate it as insightful, as quite often there are already laws that prohibit certain acts, and yet, often the first response to their occurrence is a demand for a new law.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by marcello_dl on Tuesday September 30 2014, @10:16AM
Before using public hotspots (which might as well be a laptop or a cellphone playing MITM) I'd set up a vpn or ssh tunnel with pre shared keys. So my only connection would be to my home server and reasonably difficult to tamper with.
The home server or VPS becomes your exit node.
(Score: 4, Insightful) by Dunbal on Tuesday September 30 2014, @11:03AM
People don't read terms and conditions when they sign up for things.
(Score: 1, Interesting) by Anonymous Coward on Tuesday September 30 2014, @11:45AM
Whoop-de-fucking-do. Mod parent obvious.
No offence meant to Dunbal, but I don't bother reading them because I don't regard them as legal or binding unless they have my fucking signature at the bottom.
Clicking a checkbox means fuck-all as far as I am concerned. And if they think different then they can fucking prove it in court.
(woah, a bottle of merlot and I start channelling ethanol-fueled :) )
(Score: 1) by yarp on Tuesday September 30 2014, @12:05PM
Legally binding or not they probably at least include warnings that the network is insecure and your network traffic (including personal data, passwords) is available to anyone who cares to have a look.
Then again I don't imagine most people care much about that until it's too late.
(Score: 4, Insightful) by Leebert on Tuesday September 30 2014, @12:32PM
What you believe or don't believe about the degree to which such agreements are legally binding is pretty much irrelevant. You should care very much what a court will believe.
(Score: 2) by TheRaven on Tuesday September 30 2014, @03:15PM
A court requires evidence that a meeting of minds has occurred. A signature does not constitute a legally binding agreement, it is merely widely accepted evidence that a meeting of minds has taken place. Pieces like this are good evidence if you need to argue in court that one has not: they show that such agreements are usually clicked through without reading or the person being aware of the terms.
(Score: 3, Funny) by marcello_dl on Tuesday September 30 2014, @01:50PM
But I wanted to get rid of my firstborn for real, you insensitive clod!
(Score: 0) by Anonymous Coward on Tuesday September 30 2014, @08:24PM
Joke's on you, I don't have kids, you insensitive clod!
(Score: 3, Interesting) by VLM on Tuesday September 30 2014, @12:01PM
"some of them doing so automatically due to their settings"
On Android the best app I've found is called "wifi web login". It works pretty well at my favorite restaurant, the public library, and the local food store. And my wife's dentist. Generally the simpler the form the better it works.
It's nice not having to click thru some spam just because I walked into a supermarket before I can check gmail or whatever. Suddenly wifi "just works" again, like the very oldest days of wifi. Bye bye stupid captive portal idiocy. Nice.
Needless to say it's not an AI that passed law school and the bar that reads and thinks about the idiotic legal disclaimers, it's just something you set up once per SSID where it watches you click a button and/or checkbox once, then just auto sends it whenever it detects it can't access the net while on that SSID in the future. It can do fairly sophisticated things with filling out textboxes and passwords.
There are probably competitors, I'd be moderately interested to hear about them. I'm not interested in captive silo login tools that only connect to AT&T hotspots if you have an AT&T account or whatever, that would be completely useless.
(Score: 1, Interesting) by Anonymous Coward on Tuesday September 30 2014, @12:26PM
Sounds pretty exploitable. Have the attacker set up a network with the same SSID somewhere else where you might pass by, serve a copy of the web page, and have that application automatically enter your password, or your credit card details, and send it to the attacker.
(Score: 3, Funny) by Thexalon on Tuesday September 30 2014, @12:25PM
Obviously, there are lots of parents who would just love the opportunity to get rid of the little bastard! And you get free wifi, what's not to like?
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Funny) by c0lo on Tuesday September 30 2014, @12:56PM
The little bastard? The... little... bastard? You mean the unshaved stinky progeny who tricked them into offering the basement (it was thought as a scare to convince him to move out, but... that bastard took it as an offer too good to refuse) and is dwelling there for the last 8-12 years?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Tuesday September 30 2014, @01:50PM
Do like my parents did to me. "rent is due on the 1st and it is 500 dollars"
(Score: 3, Funny) by Thexalon on Tuesday September 30 2014, @03:18PM
3 words can solve that problem: Strategic sewage leak.
(Score: 0) by Anonymous Coward on Tuesday September 30 2014, @02:40PM
the recipient agreed to assign their first born child to us for the duration of eternity, and free use of their car for five years.
Everyone knows that assigning away use of their primary transportation to work isn't legally enforceable.
(Score: 1) by darnkitten on Tuesday September 30 2014, @06:28PM
I mean...
...demanding the firstborn isn't the same as killing them
...and even then "Abrahamic" or even "Mosaic" clause would be more accurate, as Herod, according to the narrative, didn't limit himself to the firstborn.
Can't we expect even basic cultural literacy from the press? (Rhetorical; I know we can't)
(Score: 2) by MrGuy on Tuesday September 30 2014, @08:52PM
I don't know how contract law works in the UK (come to think about it, IANAL, so I guess I can't claim to know how it works in the US).
However, as I understand it, contract law requires two conditions for a contract to exist. A "meeting of the minds," and some form of exchanged consideration.
A study such as this, which neatly proves that a click-through license such as this involves no effective "meeting of the minds," could at least be argued as evidence there's no enforceable contract created by a click-through license. If you can establish that people will routinely "agree" to unconscionable terms, you can't reasonably argue any meeting of the minds has occurred.
Now that I think about it, there's really no exchange of consideration either (at least that I can see). A promise to give someone something, or to take something from someone, isn't an enforceable contract. Both parties must profit in some way. What consideration does the owner of a wi-fi enabled coffee shop receive (at least, from a user who walks in and uses the wifi without buying coffee)?
Though in theory we've already fought and lost that battle with shrink-wrap licenses. So yeah, you're probably screwed either way.