Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Legality of WEP Cracking

From: Carl Livitt <carllivitt () yahoo com>
Date: Sat, 19 May 2007 00:00:20 +0100

The UK law is clear, I quote from the UK Computer Misuse Act 1990
(http://www.opsi.gov.uk/ACTS/acts1990/Ukpga_19900018_en_2.htm):

**1.**—(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure
access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the
function that that is the case.


Let's consider:

(1) the act of WEP cracking as a 'function',
(2) the unknown WEP key as 'data held in any computer',
(3) the 'intent to secure access' as your deliberate use of WEP cracking
software,
(4) you do not have permission to view the target's data (WEP key), and
(4) if you undertook such an exercise now, you would do so with
knowledge of the law.

Given this breakdown, you would almost certainly be in breach of the UK
Computer Misuse Act 1990. Not to mention that it's ethically
questionable at best.

Carl.

Richard Brinson wrote:

During an internal business development meeting yesterday we were discussing
new ways of picking up pen testing clients. One of our junior engineers
suggested that we go war driving, crack some WEP keys and then approach each
company offering services to make them more secure. The idea was put down
straight away on the basis that without prior approval we would be breaking
the law. However, upon further discussion a case was made that (moral issues
aside) provided we only captured traffic passively, and as long as we did
not try to connect or send any packets to any devices - would the law be
broken?  
 
Does the law state anywhere that we can not analyse air traffic that is
broadcast into the public domain? (if so surely we would all be breaking the
law every time we picked up a network other than our own) and is it against
the law to know someone else's WEP key when they have not made that
information available to you?
 
What are your thoughts on this?
 
Kind regards,
 
Richard Brinson
Kanoo Ltd
 
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be guaranteed to be
secure or error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses. The sender
therefore does not accept liability for any errors or omissions in the
contents of this message, which arise as a result of e-mail transmission.


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: