For the record, I just find connecting to unsecure "open" APs ethically wrong. Slowly the states are defining the legality of the issue of who is held legally liable (connector or the open AP provider), but as the laws stand today, it is possible to be charged under a long list of federal and state laws vaguely. Now that there are more idiots in the news (child porn, spammers, etc.) expect the laws to start to be clarified state by state, then at a federal level.
That being said, if you really wanted to connect, chances are you would not be caught as long as (and I assume no responsibility for any of your actions with this info):
1) Keep your connections to the APs random
2) Cracking WEPs is bad, hmmm, ok.
3) Keep a running firewall to block your internal info.
4) Stick to ones known to be residential due to lack of security. Most businesses will not also be on the up and up, but you run a higher risk of connecting to a honeypot or triggering an intrusion detection system.
5) Don't be downloading warez, porn, bittorrents, etc. Keep to only webpages and no downloads.
6) Don't login to your email, mp3car.com, etc. Most webpages and ISPs keep logs, and they can easily be turned over in a subpoena by the web server provider and their ISP, and anything in between if you are not doing the above. This only leaves a trail eventually over time back to all the places you connected, and to your home.
In changing your MAC, it really doesn't matter if you keep changing your MAC or that ****. If people repeatedly see you around and not being random, raising their bandwidth, doing stupid stuff, and are serious enough to track you down, they will, especially businesses and dedicated security professionals.
Think about it. The URL of where you visited is just a simple line of data in a database or flatfile in comparison of all the crap you download in images and html to a single log entry. You break rule # 6 and they log, you just identified yourself. I think they would be more concerned with the K/B size of the log, than the tiny footprint you left behind.
With a simple PII 450MHz box, you can easily run a Linux Intrusion Detection System to log odd activity. Hell, even a simple proxy server logs activity. I am actually planning to set up one to see how many wardrivers/open AP surfers there are as a small personal project. Of course, no free internet and it will have no connections to a network, just a direct wi-fi card in ad-hoc mode. To actually nail someone, you gotta have some more equipment than what 95% of networks have, and if they have the fancy schmancy stuff, their APs are going to be on lockdown, and if you get in, then you might find some issues. Gov Networks, yes they are fancy schmancy, log into one, and they might have a bit more info on you than just some trace route Network traffic Id info.
You don't need gobs of $$ or knowledge to detect a wardriver. Hell, NetStumbler has its own unique signature of a response packet when it receives one and then another back to get an SSID name and its info. Connecting to Open APs is the same dealo, just more info to get based on your actions and setup.