One day last December, Brad Haines pulled a long black trench coat over his black shirt and pants, perched his trademark black fedora on top of his straight, shoulder-length hair and strapped on a backpack filled with a laptop and other electronics. And, like many people in Edmonton during the holiday season, he headed to the West Edmonton Mall.
The mall is home to more than 800 stores and occupies a space equivalent to roughly 48 city blocks, so Haines knew he'd have no trouble finding gifts. But he wasn't here to shop. No, this expedition was all work. His mission: Take a "warwalk" of North America's largest mall, using his equipment to search out unsecured wireless networks as he walked past the building's stores. (Do it in a car and it's called wardriving; on public transit, it's warriding.) The point of wardriving isn't to actually access anyone's wireless network; that could result in warjailing. Rather, the idea is to simply survey the number of wireless networks within the building, evaluate their level of security and alert the owners to any vulnerabilities.
Haines, 28, had been wardriving through the streets of Edmonton since 2002 and had catalogued roughly 80,000 wireless networks, whether home-based or those belonging to companies. But the mall represented uncharted territory. "Nobody had done a good wireless survey of the West Edmonton Mall, and if you throw in Christmas shopping crowds, it's a little more interesting," he says. "Everything lined up for a really good guerrilla analysis, because you have big crowds and a massive amount of spending going on. If you're thinking as an attacker, that's the time of year you want to do something, because there are so many more targets."
Haines's fondness for wardriving, plus his all-black "uniform," would lead the average executive to conclude that he's a nefarious hacker. But since he first began mapping WiFi networks in and around Edmonton, Haines has become well known as a wireless security expert, often consulting for companies and government agencies (non-disclosure agreements prevent him from naming names). And he's regularly invited to speak at major security and hacking conferences in North America and Europe, including DefCon, ShmooCon and Hackers On Planet Earth, or HOPE. (A few of his recent presentations: "Legal and Ethical Aspects of Wardriving," "Standards Bodies ... What Were These Guys Drinking?" and "New Wireless Fun From the Church of WiFi.")
Though his trademark headgear says otherwise, Haines is a so-called "white hat" hacker, one of the good guys. His corporate clients know him as Brad Haines, but he has earned the most notoriety as RenderMan, the alias he uses online and within the WiFi hacking community. Haines maintains a Website, renderlab.net, where he posts his research, reports, presentations and the occasional article. "He's pretty well known, and he's well received at the [hacker] conventions," says Frank Thornton, a Vermont-based security consultant and the co-author of Wardriving & Wireless Penetration Testing. "He's a role model for some of the people out there who are getting into this stuff."
One of Haines's key contributions to the wardriving community is a code of ethics (see page 46). It dictates that wardrivers must never connect to a network they discover, should always obey traffic laws and stay off of private property, and never use the data collected for personal gain. The seven-point list also says wardrivers should adopt the hiker motto of "take only pictures, leave only footprints." "It's one of the things he's really well known for," Thornton says.
The countless hours spent mapping and analyzing thousands of wireless networks have enabled Haines to see firsthand the rapid growth of wireless Internet access in homes and businesses, and the lack of effort put into securing them. "To put it in perspective, the first time I went out wardriving in 2002, I found 25 networks in an evening driving all over downtown Edmonton," says Haines. "I can now drive around my block and get 25 networks."