THE SNAKE IN THE GRASS - WITH NO RATTLE
Jason Razien
Founder and General Manager for Clockworks Technologies | Sr. Cybersecurity Practice Lead
Apologies in advance for what was a well-formatted paper: not Blue Book, but certainly more than is afforded in this tool. As anyone who has tried to use it before can attest, it's limited, but the information is more important than the style, so I shall not let good be the victim of great.
Rattlesnakes are considered the gentlemen of snakes: they warn you when you get near, so you know the danger. In contrast, quietly, and with flagrant disregard for public health, basic human rights, and the Law in statute and under implied time-honored covenants, greed has been coupled with overstepping the lawful domains of jurisdiction. Acting under the color of law, multi-tenant housing has teamed up with large corporations and contracted and outsourced traditional law-enforcement and state duties to circumvent the rules, with serious society-wide implications that are only now brought to light as a result of the Covid-19 pandemic: the remote worker, cyber-security, the law, and the impact on the basics we all face today. Can I connect? Can I do my work securely? Am I safe? Why doesn't my VPN work? This is mainstream media, as companies grapple with IP issues, security, regulatory requirements, and basic productivity. It's a virus in the realm of cyber, brought to light by the rattle of a virus in the physical. This is version one of a paper I wrote 6 months ago, a neophyte version of what I have since learned and will be republishing in a more formal manner; the unfortunate truth is that it was way worse than I thought. So this physical pandemic we will pull through, but how will we deal now with the truth of another hidden in our walls?
EMERGING THREAT TO SECURITY, HEALTH, OPERATIONAL CONCERN & LEGAL CONSIDERATIONS FOR ORGANIZATIONS REQUIRING VPN TO EMPLOYEES, CONTRACTORS, ETC. FOR OFF-PREM ACCESS
(Originally written as an advisory notice to a former customer, partner and later employer. It was spurred on by a recent event: a colleague and I had the same issue, yet he was mid-deployment of a very large global roll-out. This prompted me to research it and to consider that it's an issue that is pervasive and growing. So although this is not a “root cause” analysis, I thought it worthy of my effort to examine all the layers to gauge the magnitude of these otherwise unrelated events and stack them together to establish a wider context. I did some field and professional research to see how far I could discover the width and depth of this one incident.)
This further reinforces my long-standing observation that in modern society - Security, Medical, Finance and the Law are covalently bound!
Re: An unforeseen serious security and legal issue affecting Company XYZ employees’ off-prem remote access to perform work-related tasks over VPN, as a contractor (or even a W-2 employee), under circumstances out of their control, and without notice, consent, or agreement to network changes at this property and similarly configured off-premises locations.
Disclosure: Since, as I previously stated, this was actual research and findings on this one event, I have changed / omitted names of persons and organizations. So there is a bit of narrative still in this. In version 2 of this paper, gloves are off, names will be named, and empirical evidence will be in full public view.
… This is a fluid situation, covering technical, security and legal issues. So, I will break that into those realms, after a short statement of facts as I know them now. (neophyte version dated months ago)
Henry Remote and I both live in an apartment complex formerly known as Nice Park. I have been here 11 months, Henry Remote – roughly half as long. During that time period the property changed ownership overnight and became Gross Park, with many new lease T&Cs, going from 3.5 stars on Yelp to a “wish I could vote 0 stars” almost overnight. They have predatory business practices, broken or unusable amenities, and physical security and safety issues, and they have a systemic pattern of ignoring tenants’ maintenance requests and of not fulfilling any of the implicit common law doctrines or statutory obligations to the tenants. They employ, contract, and sub-contract to known criminals and sex offenders, and I have found many voidable provisions in the lease that are knock-out blows or that simply aren’t enforceable.
(neophyte version dated months ago – again my follow up with much more data, with much more ominous conclusions)
However, several months ago, they announced that, as part of the “property improvement,” the property had signed an exclusive agreement with Slime ISP to provide a “technology package.”
[The reason I go into this detail is that if Company XYZ hasn’t experienced this yet, it’s becoming more common, and it certainly affects several laws and security best practices (frankly, requirements) that those dealing in sensitive data should be very concerned with.]
It’s a well-known and accepted practice, even though it flies in the face of anti-trust, monopoly acts, and the FCC’s positioning. Since the FCC has almost, but not exclusive, jurisdictional domain on the matter, the court system has made little progress adapting laws from the physical world to the cyber realm, because the FCC, the EPA, FDA, and OSHA could independently or collectively preempt in these matters.
The FCC almost made a ruling prohibiting this practice but backed down this September. Internet access in today’s world has all the requirements of a utility, over which the states have more power to ensure competition through deregulation (Texas is deregulated) and through rules on who controls it, but the law still falls short of classifying as a utility what is in reality one.
The property owners get a nice kickback for the exclusivity and unilaterally charge their tenants more for services they either don’t need or want, without the tenants being able to opt out even physically, by exposure alone. Furthermore, the terms-of-use contract, SLAs, configuration, and liability between all parties get very messy. Details of the agreement between the property and Slime ISP are unknown because you can’t pierce the corporate shield, and there is nothing to ensure any kind of fidelity of data. It fundamentally changes your right to the legal doctrines of “Quiet Enjoyment” and “Hazard Free” - which are the pillars of all tenants’ rights under implied covenant and the landlord’s obligation.
This installation has been going on for about a month now, where they install in each unit the apartment’s own owned or leased commercial router / AP. It is not physically accessible by the tenant, even to know what this mounted box is, what it’s doing or can do, or the harm, cost, theft and danger to health. From a legal perspective, the “in the wall” space is explicitly not leased by the tenant, so opening it up would certainly be a material breach of the lease and would likely draw criminal and civil charges as well – at least attempted, given the ignorance or lack of precedent in law. Well, you don’t have to do that if you know what you are doing, or know the fact that this has already played out in the United States Supreme Court.
Coming in November (it's already “on”), tenants of the property are going to be forced through contract to pay an $89-a-month fee added to their lease for this faster, better, more uniform property-wide Wi-Fi and, through sloppy configuration (more likely intentional), be forced by paper and physics to use their services.
Compounding the issue, the apartment complex AP / routers and command and control routers, all the way to the connection with the actual ISP, are broadcasting so loudly in both the 2.4 and 5 GHz ranges that consumer-grade equipment can’t keep up; they simply overpower and crowd out, by orders of magnitude, what the best off-the-shelf consumer router can provide.
More of a concern is that each end point and the CNC routers are configured in a mesh, so there is no escaping, at least at the spectrum level, the signal layer, the radiation by simply unplugging it. Only two things affect exposure: 1) shielding, 2) distance.
This poses several issues:
1) Jurisdictional - as the FCC and EPA are involved in oversight, setting rules and regulations, so are other federal bodies like OSHA, even the FDA, etc. These bodies have the force of Law and are part of the Federal Government. It is likely that, in litigation in any case where elements involve the oversight, permitting / licensing / leasing and fines / remedies, these could be integrated into the civil cause to claim and affect the original and subject matter jurisdiction, the case then being removed to the federal district court. This removal to the federal court system is cathartic and effectively nulls a “writ of possession,” i.e., the eviction process - and, untested in this use case, one could assume the following inverse to be true as well: the unlawful act referred to as “constructive eviction,” which Texas has defined as the following:
“The condition makes the property unsuitable to live in, forcing the tenant to leave the property. When residential property is uninhabitable, it creates a condition under which the tenant has been constructively evicted; the facts and circumstances are such that the tenant is unable to have full use and possession of the rental property and thus has technically been evicted.”
· Examples of Constructive Eviction: Common examples of a possible constructive eviction, where the conditions are so bad that the tenant leaves the rental, include the following. (In Texas you cannot leave, because abandonment is a waiver of your rights under both statute and remedies of common law.)
i. shutting off the utilities; (which in this case it basically has in fact)
ii. refusing to clean up an environmental hazard; (the EMF is a known environmental impact, and the EPA and FCC and FDA have jurisdiction here)
iii. blocking the entrance to a unit; (in the cyber realm which is now connected to the physical world they have)
iv. refusing to fix a leaky roof, causing damage to walls. (they did far worse but that is a separate matter)
v. removing toilets or sinks; (how about bugging them?)
vi. changing the locks. (they did that property-wide with one day's notice via email, with a new Bluetooth “fob” system, which is significantly less secure, using Bluetooth, and is in essence a spying device, one that can easily be hacked, and is against the very specific language in the Texas property code – protest citing the issue was given no regard – a blatant, narcissistic action flying in the face of the Law - and this gated complex, advertised as such, hasn't by their own record had working gates for 16 months - as if this move was about tenant safety)
To me, I can draw strong correlation between these elements in the physical to their analog in the cyber realm. Rules vary so widely between the states, federal, local, municipalities in property law. Especially in Tenant / Landlord law.
By law, landlords must provide a safe and hazard-free unit to live in. However, given the amount of RF radiation these APs emit, and with my installation right behind where I spend most of my time, there are legitimate and serious health concerns from these high doses of EMF.
- In the short term I can personally correlate severe headaches and problems in memory, etc. If you’ve ever had an MRI of the brain, even though an MRI has a 510K certification as being “non-invasive,” you can’t pass large amounts of energy through your brain without having some short-term noticeable effects; remember, your blood contains iron. I have had two MRI neuro-scans in the last year for trauma, and I felt noticeably stupid for a day or two: forgetful, lacking sleep, sloppy in basic functions. This EMF effect has been reported by other tenants as well, correlating with the install date.
- These exposure levels have been proven to cause development issues in unborn children and new-born babies, a host of other issues relating to DNA mutations, etc.
In my research on this matter, I found this published medical journal article on the medical effects to be a great reference, from a regarded journal, "ScienceDirect."
“Wi-Fi is an important threat to human health” - it's current, extremely lengthy, detailed information covering: (copyright under creative commons)
· 7 effects have each been repeatedly reported following Wi-Fi & other EMF exposures.
· Established Wi-Fi effects include apoptosis, cell oxidation. Stress.
· Testis/sperm dysfunction; Neuro-psychological impact; DNA impact; hormone change; Ca2+ rise.
· Wi-Fi is thought to act via voltage-gated calcium channel activation.
· One claim of no Wi-Fi effects was found to be deeply flawed.
In my own experience I have noticed a strange warping of the background of my two Dell monitors that sit right in front of the AP in the wall behind it, like taking a magnet to an old CRT screen.
Also, as to the strength of these APs: my cell phone can’t hold a call for one second before dropping, and I am now having to take calls outside, discussing sensitive information within earshot of who knows who.
- From a legal perspective this has several issues of concern: how these agreements affect contemporary tenant / landlord law and have resurrected torts in court to apply new definitions and legal tests to matters of property lines, injury, trespass, who the actors are, indemnity & liability, etc. Furthermore, in the current configuration, all health and safety issues aside, and skirting the rules around these issues, is the fact that your ISP is now your apartment complex manager. So, they are acting under the color of the Law (in certain contexts) and should be held to the same rules and regulations that governments are beholden to on trespass, monitoring data, and the application of the 4th and 14th amendments of the US Constitution.
- The apartment complex (the property owners) enjoy the throat around your neck; privacy goes out the window, along with your ability to have any control to ensure fidelity of data, which is the property of the tenant and their client(s) / companies and is governed by State, Federal and International treaties, and the doctrine of “Quiet Enjoyment” is under attack. It is literally tortious interference with your livelihood, your career, and personal life. This scenario can most certainly play havoc with chain of custody for any data at rest or in motion. Frankly, a property owner who can’t get working water in a tenant’s unit for 2.5 weeks and counting has the skills to properly operate a sophisticated commercial-grade high-powered mesh network?
- In my research I found the following legal brief to be the best on the matter, including case law cites, definitions of these new balancing rules, and analogs of the physical application of the law to how it is being interpreted by the courts in the cyber realm.
- This brief is as thorough as any I have read on the matter and is a must-read FOR ANY COUNSEL in order for the rest of this paper to have context: Ned Snow, “Accessing the Internet through the Neighbor's Wireless Internet Connection: Physical Trespass in Virtual Reality,” 84 Neb. L. Rev. (2005). © Copyright held by the NEBRASKA LAW REVIEW
As to fault, risk, and indemnity, exceptions and waivers, this is the authoritative reference I use: “RISK MANAGEMENT FOR LANDLORDS, TENANTS AND CONTRACTORS: Through Contractual Provisions for Indemnity, Additional Insureds, Waiver of Subrogation, Limitation, Exculpation and Release” - William H. Locke, Jr.
From a pure security perspective, these newly adopted networks in multi-tenant homes pose a serious concern right off the bat. First off, even with a VPN, through the hardware, this network is configured as a blind proxy and hidden from the client, before you touch the actual “Big Corp ISP.” So a “man in the middle” attack is in place by default. VPNs will have difficulty connecting to the desired source, if they work at all. Furthermore, in a mesh framework, every AP is talking to each client in broadcast, so you are significantly more at risk of getting hacked, not only by default at the property owner’s management console, but by any other AP or client connected to these meshed APs; the risk is exponential. It’s well known that edge and IoT devices are popular penetration points in a cyber-attack, and this very configuration lends itself to botnet attacks and viruses that spread like wildfire. One could not design a better incubation environment for disaster. It’s a perfect petri dish for a virus, malware at a layer 1 level, for which there is no countermeasure. This has been verified by myself and a colleague, both experts in Cyber Security and anti-terrorism, as a business market validation exercise applying a cloud-based approach that is frankly easy to develop and deploy through Azure Docker. Add AI and machine learning, unleash a macro virus containing a payload of service-specific micro bots, and it's game over: it targets the weakest points, edge / IoT, and spreads its payload to unsuspecting victims, all through recognized, trusted Web APIs. Malware, DDoS attacks, phishing, etc.: the list of threat vectors is only constrained by the creativity of the hacker.
I particularly found this aggregation of info a good reference point for understanding the perfect marriage, made in Hell, of this network design and the wide breadth of botnet attacks. This is naturally exposed in these scenarios; the reference section cites several links specific to the nature and realm of possibilities. “Botnets and Internet of Things Security” - © 2018 IEEE
Furthermore, these routers and APs use a hidden SSID that matches the MAC address of the AP being advertised, for reasons I have not yet determined. (I figured that out and it's not good - wait for version 2 of this paper)
Lastly, they employ the 1.1.1.1 technique for hiding the true client config via DHCP between the client and the gateway / AP / router, mangling the true IP address and port mappings in a “double NAT configuration,” which makes mapping and management of ports, maintenance and security a nightmare from the edge client to an enterprise application.
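A defender-side check for the double-NAT and DHCP behaviour described above, as an added example that is not part of the original paper: it reads `traceroute -n` output and a DHCP lease, then flags more than one non-public hop before the first public address and a DHCP server or gateway outside the client's subnet. The sample trace and lease are constructed, and the two-hop threshold is a heuristic assumption, since a routed private segment produces the same pattern.

```python
import ipaddress
import re

# Ranges that are translated before traffic reaches the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space

# Matches numbered hop lines of `traceroute -n`; "* * *" lines do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b", re.MULTILINE)


def classify(addr):
    """Return 'private', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def parse_hops(trace_text):
    """Extract (ttl, address) pairs from `traceroute -n` output."""
    return [(int(ttl), addr) for ttl, addr in HOP_RE.findall(trace_text)]


def assess(trace_text):
    """Count the non-public hops seen before the first public hop."""
    leading = []
    for _ttl, addr in parse_hops(trace_text):
        kind = classify(addr)
        if kind == "public":
            break
        leading.append((addr, kind))
    return {
        "leading": leading,
        "layers": len(leading),
        # Heuristic (assumption): one private hop is an ordinary home router;
        # two or more means another translating or routing device sits upstream.
        "double_nat_suspected": len(leading) >= 2,
        "cgnat": any(kind == "cgnat" for _, kind in leading),
    }


def lease_findings(lease):
    """Flag DHCP lease fields that do not fit the client's own subnet."""
    net = ipaddress.ip_network(f"{lease['client']}/{lease['prefix']}", strict=False)
    findings = []
    for field in ("gateway", "dhcp_server"):
        if ipaddress.ip_address(lease[field]) not in net:
            findings.append(f"{field} {lease[field]} is outside client subnet {net}")
    return findings


# Constructed sample data (documentation and private ranges, not a real capture).
SAMPLE_TRACE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.8.1  2.1 ms  1.9 ms  2.0 ms
 2  10.20.0.1  4.7 ms  4.5 ms  4.9 ms
 3  * * *
 4  100.72.14.1  9.8 ms  9.5 ms  9.9 ms
 5  198.51.100.1  12.3 ms  12.0 ms  12.4 ms
 6  203.0.113.10  15.0 ms  14.8 ms  15.1 ms
"""
SAMPLE_LEASE = {"client": "192.168.8.57", "prefix": 24,
                "gateway": "192.168.8.1", "dhcp_server": "1.1.1.1"}

if __name__ == "__main__":
    result = assess(SAMPLE_TRACE)
    print(f"non-public hops before the Internet: {result['layers']}")
    for addr, kind in result["leading"]:
        print(f"  {addr} ({kind})")
    print("double NAT suspected:", result["double_nat_suspected"])
    for finding in lease_findings(SAMPLE_LEASE):
        print("lease:", finding)
```

Run from the remote worker's laptop, the result gives a help desk something concrete to record when a VPN client fails to connect from a managed residential network.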
To make matters worse, the manufacturer’s own hardware training classes for configuring and setting these up are easy to find and thoroughly documented, and the actual videos of the class were found easily on YouTube, providing the hacker valuable information on naming standards, default passwords, architecture, etc. Having access to this highly detailed training is akin to being on the green in one stroke: most of the questions you would want answered - how to set up, every detail of the security settings, best practices - are a click away.
The only remedy from a purely technical standpoint is less than perfect and won’t cure all the issues, but it allows you some security without breaking your lease agreement. Although that is a horse and carriage conversation. I found these in a series of linked articles on “Ask-Leo.com.” They are good, if overly simplistic, illustrations of the issue.
o How do I protect users on my network from each other?
o Is the Wi-Fi connection provided by my landlord safe, and if not, how should I protect myself?
That’s the mere tip of the iceberg, technically. (again, working night and day on a substantially more detailed and data-driven paper)
Legally it’s a total mess as to who is to blame, and ironically this modern technology-enabled issue resurrects old torts from antiquated Courts of Equity to define and provide legal tests where the Cyber and the Physical have clearly melted together in fact, but are not even fully understood, and only lightly tested, in Law.
Every element of litigation is put to new rules, statutes become outdated, pleading standards, remedy that the Court can provide, (jurisdictional nightmare) rules of evidence, waivers, implied warranties and covenants, (which are pillars of Landlord / Tenant law) actors, victims, damages, etc. It's a new game whose best efforts rely on dusty old books, by Sir Edward Coke:
- As a side note: namely his Institutes and Reports, which have been called "perhaps the single most influential series of named reports". Historically, he was a highly influential judge; within England and Wales, his statements and works were used to justify the right to silence, while the Statute of Monopolies is considered to be one of the first actions in the conflict between Parliament and monarch that led to the English Civil War. In America, Coke's decision in Dr. Bonham's Case was used to justify the voiding of both the Stamp Act 1765 and writs of assistance, which led to the American War of Independence; after the establishment of the United States his decisions and writings profoundly influenced the Third and Fourth amendments to the United States Constitution while necessitating the Sixteenth. (source Wikipedia)
For example, the most impactful, referring back to “Accessing the Internet through the Neighbor's Wireless Internet Connection: Physical Trespass in Virtual Reality”:
What are the elements of trespass to chattels?
[In sum, the basic elements of a claim of trespass to chattels are: 1) the lack of the plaintiff's consent to the trespass, 2) interference or intermeddling with possessory interest, and 3) the intentionality of the defendant's actions. Actual damage is not necessarily a required element of a trespass to chattels claim. Property lines, negligence, unjust enrichment, constructive eviction, conversion, invasion of privacy, trespass.]
Furthermore: with these devices (proven in the U.S. Supreme Court, which upheld the expert testimony on the medical impact and the power consumption), you are forced to pay for the harm, physical and cyber, sold to you as "a great bargain." You can’t turn it off, and you have no way to protect yourself, or to protect against inflicting, by no cause of your own, damage on another party, and it can expand warrant searches and a search incident to arrest - questioning the application of the 4th amendment. The parallels are obvious and ominous:
· The Supreme Court’s Landmark “Cell Phone” Privacy Decision
The Supreme Court's June 25, 2014 decision in Riley v. California (No. 13-132) and U.S. v. Wurie (No. 13-212) (2014 U.S. Lexis 4497) decided “how the search incident to arrest doctrine applies to modern cell phones.” The Court held that under the Fourth Amendment “a warrant is generally required for such a search, even when a cell phone is seized incident to arrest.” - July 2014, © 2020 Wiley Rein LLP
Personally, I am trying to see what I can accomplish better using a Pi3b, connecting hardware to the one AP cat5 out, then setting up my own hidden-SSID, MAC-address-restricted hot spot that I control, making me much more in control and much less vulnerable than with the landlord's one and only solution. (I will provide an update on its merit after I test more)
Lastly, so as not to offend anyone’s intelligence on the matter, I prepared this so Company XYZ’s legal, security and operational members can glean value from it, to further find ways in Law and in technology to get around this frustrating, one-way rip-off and security risk, as in the use case when - without notice - an employee, contractor, vendor, or customer can’t access critical resources to do his or her job. This is our lives, livelihood, and reputations, all on the line. I became more miserable the deeper I researched, the more I learned how much of an uphill battle this will be in all the areas I pointed out. I continue my research and it gets more complex legally, but I go on record on the situation facing the professional remote worker in these more-common-than-ever unilateral agreements and violations of time-honored doctrines: security risk to all parties, health and environmental concerns, along with technical challenges.
Jason Thomas Razien
https://linkedin.com/in/jrazien
737-802-6243