Penetration Testing mailing list archives
Re: Legality of WEP Cracking
From: Matthew Webster <awakenings () mindspring com>
Date: Fri, 18 May 2007 15:12:30 -0400 (EDT)
Richard,

Your email address is a UK address so I'm assuming you are from the UK. I can only speak to US law on this matter so I apologize if my information is not accurate for UK law.

First, there is a good chance they will act belligerently and sue you for everything you are worth for attempting to crack private data - even if you are doing so passively. People may question your intent.

Second, there are at least a couple of different (US) laws which may come into play. First, even passively, you are using their access point -- collecting data off of it and saving it. This is far different from just surfing for a legal access point to use while sitting in Starbucks. No data is saved to the system and you are not attempting to crack their encryption scheme (however poor WEP may be).

While writing policy for laptop use, I came across the following web site which I found useful:

http://www.cybercrimelaw.org/category/10/Hacking.html

It details a few wireless cases and several US laws. Yes, it does say that war driving can get you in jail. The whole site is filled with good information about US cybercrime laws.

Also, think about this from a PR stance. How will reporters look at this if they find out that a company is "hacking" other systems in order to drum up business? They will not make the fine-tuned arguments that you will make and it will be negative publicity (which can be a good thing in some cases admittedly).

So, from my limited perspective, legally, ethically, and from a PR stance, I would never attempt to do anything like what you suggest. I would only do what I am authorized to do and no more. That is the prime distinction between a pen-tester and a cracker. I would not delve into the gray areas at all (even if there is some legal gray space in your country), but that is me keeping my white hat on.

Just me 2 cents...

Matt

-----Original Message-----
From: Richard Brinson <richard () kanoo-uk com>
Sent: May 18, 2007 5:32 AM
To: pen-test () securityfocus com
Subject: Legality of WEP Cracking

During an internal business development meeting yesterday we were discussing new ways of picking up pen testing clients. One of our junior engineers suggested that we go war driving, crack some WEP keys and then approach each company offering services to make them more secure.

The idea was put down straight away on the basis that without prior approval we would be breaking the law. However, upon further discussion a case was made that (moral issues aside) provided we only captured traffic passively, and as long as we did not try to connect or send any packets to any devices - would the law be broken?

Does the law state anywhere that we can not analyse air traffic that is broadcast into the public domain? (if so surely we would all be breaking the law every time we picked up a network other than our own) and is it against the law to know someone else's WEP key when they have not made that information available to you?

What are your thoughts on this?

Kind regards,

Richard Brinson
Kanoo Ltd