Re: Legality of WEP Cracking

[Chris Travers <chris () metatrontech com>]

Hi Richard;

Pen testing without permission is dangerous.   I would advise against it 
both from a marketing an a legal perspective (IANAL).

Marketing:  What you are proposing stinks like a protection racket.  I 
know that is not your intent, but that is what a customer is going to 
think.  Wardriving, looking for WEP connections may be OK from this 
perspective provided that you don't do any further action (like key 
cracking).  I would also say that you may be able to get further 
permission to demo the problems, and then it would be OK first.  (Just 
ask first ;-) )

Legal (IANAL): Whenever you crack anything without permission you may be 
argued to be tresspassing.  This may mean that you have to plead your 
case in court right or wrong.  If you want a legal opinion, however, I 
would suggest hiring an attourney.

Be careful, contact an attourney, and also run mock sales pitches by 
others who are not technically savvy to see how they respond.

I am leaving the original email below as a point of reference to the 
proposal I am warning about.

Best Wishes,
Chris Travers

Richard Brinson wrote:
> During an internal business development meeting yesterday we were discussing
> new ways of picking up pen testing clients. One of our junior engineers
> suggested that we go war driving, crack some WEP keys and then approach each
> company offering services to make them more secure. The idea was put down
> straight away on the basis that without prior approval we would be breaking
> the law. However, upon further discussion a case was made that (moral issues
> aside) provided we only captured traffic passively, and as long as we did
> not try to connect or send any packets to any devices - would the law be
> broken?  
>  
> Does the law state anywhere that we can not analyse air traffic that is
> broadcast into the public domain? (if so surely we would all be breaking the
> law every time we picked up a network other than our own) and is it against
> the law to know someone else's WEP key when they have not made that
> information available to you?
>  
> What are your thoughts on this?
>  
> Kind regards,
>  
> Richard Brinson
> Kanoo Ltd
>  
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and delete
> this e-mail from your system. E-mail transmission cannot be guaranteed to be
> secure or error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses. The sender
> therefore does not accept liability for any errors or omissions in the
> contents of this message, which arise as a result of e-mail transmission.
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic
> See HOW Now with our 20/20 program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------
>
>
>
>

Attachment: chris.vcf
Description:

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------