Staff Writer, CNET News.com
A Southern California man pleaded guilty to spamming people through unprotected hot spots, the first-ever conviction under the Can-Spam Act, and a case that again raises concerns about the risks of open-access Wi-Fi service.
Nicholas Tombros admitted driving around Venice, Calif., last year, searching for unprotected hot spots—an activity called "wardriving"—and exploiting them to distribute unsolicited e-mail that advertised pornographic Web sites.
Tombros pleaded guilty on Monday to unauthorized access to a computer to distribute multiple commercial spam messages. He is scheduled to be sentenced Dec. 6 and faces a maximum penalty of three years in prison, according to the United States Attorney, Central District of California.
The case is the first conviction in the nation under the much-publicized Can-Spam Act of 2003, signed in December. Since it became law, Can-Spam has failed to generate significant litigation, despite the continued proliferation of spam marketing campaigns. In April, the U.S. Department of Justice filed a criminal complaint against four Detroit-area men under the law, the first case sparked by the legislation. In July, the Massachusetts Attorney General's office filed suit against a Florida man suspected of sending spam e-mail to thousands of consumers.
The Tombros spamming case also underscores the significance of security, or the lack thereof, in wireless networks.
Experts have said current security measures are cumbersome for the average consumer to use and that many consumers don't even know they should activate them. As wireless networking reaches a nontechie, mass market audience, incidents such as the Tombros affair could increase.
"Security measures are getting better, but they're still an issue," said Craig Mathias, an analyst with researcher Farpoint Group. "The novelty of wardriving is wearing off, but the fear is those who are malicious, and the threat of installing viruses or spyware onto a network and computer. Many of these attacks can be avoided if people take basic precautions, but many just don't know they should."
Security experts have long known that unauthorized users could hijack open wireless Internet connections in order to mask their online activities. Some experts have even offered dire warnings that open Wi-Fi hot spots could abet terrorism. Still, a surprisingly high number of consumers choose not to activate security protocols on their wireless networks.
Industry groups and manufacturers have been working to develop easy, convenient and strong solutions and encryption standards for consumers, but the process is tough.
"Making security easy is probably the most difficult thing we've had to do," Linksys President Charlie Giancarlo said Wednesday at a press event.
For manufacturers and consumers both, dealing with such security features involves walking a fine line: A powerful measure is needed, but it must be easy to install, and it must also leave the network available to authorized users. One of the reasons Wi-Fi technology has become so popular is because it has been so open and easy to use.
The FBI has documented several incidents of alleged cybercrime involving unauthorized use of open Wi-Fi access points. The Tombros case is one of four such investigations involving 802.11b technology reported by the agency as part of its joint law enforcement project known as Operation Web Snare. The others include
An attempted wireless break-in at a Lowe's department store in Southfield, Mich., in November 2003 aimed at stealing credit card transaction data. Suspects Adam Botybl and Paul Timmons were arrested and charged with transmitting data to intentionally damage a protected computer. Both pleaded guilty to conspiracy charges.
An Internet extortion scheme that involved the use of unsecured 802.11b access points through businesses in Maryland and Virginia. Myron Tereshchuk, 42, of Hyattsville, Md., pleaded guilty and faces sentencing on Oct. 22 for attempting to extort $17 million from a patent company.
An alleged phishing operation in Atlanta that used open wireless access points to send spam designed to fool recipients into handing over credit card and banking information. An investigation is ongoing in the case.
Other reported incidents include a case in Canada involving the use of an unsecure Wi-Fi access point to retrieve child porn.
In November 2003, Toronto police stopped a car for a traffic infraction and discovered that the driver was naked from the waist down and was playing, on a laptop computer on the front seat, a pornographic video that had apparently been streamed by way of a residential wireless hot spot. The driver was charged with possession, distribution and creation of child pornography, as well as theft of telecommunications—a first in Canada, according to local authorities.
CNET News.com's Matt Hines contributed to this report.