RE: Legality of WEP Cracking

["Richard Brinson" <richard () kanoo-uk com>]

That's a good idea about the war chalking Paul, although I haven't seen much
evidence of it locally. As for the use of WEP, it is most definitely still
in use by organisations of all sizes. Whilst parked up in a high street
recently trying to connect to a hot spot, I picked up approx 20 wireless
networks - only 2 were using WPA, the rest (including the council
headquarters and 2 firms of solicitors!) were on WEP. This lack of education
is obviously a huge problem.

Regards

Richard

-----Original Message-----
From: Paul Dickens [mailto:paul.dickens () iop org] 
Sent: 23 May 2007 08:33
To: Richard Brinson
Cc: listbounce () securityfocus com; pen-test () securityfocus com
Subject: Re: Legality of WEP Cracking

Richard

First of all; good post. I haven't yet read all of the responses but some
valid opinions. 

As a UK customer I wouldn't feel to great about someone cracking my WiFi
network but what would happen if someone malicious got their dirty hands on
it? I have also heard of others chalking symbols near cracked zones. 
Perhaps you should go on a walkabout and take lots of photos and use this
material to circulate amongst your geographic potentials! 

Another point, who still uses WEP in business? Clearly some must in order to
get such a response from your posting. I thought WEP was flawed technology!

Kind regards


Paul Dickens
IT Security Officer
IOPP
UK 



"Richard Brinson" <richard () kanoo-uk com> Sent by:
listbounce () securityfocus com
18/05/2007 10:32

To
<pen-test () securityfocus com>
cc

Subject
Legality of WEP Cracking






During an internal business development meeting yesterday we were discussing
new ways of picking up pen testing clients. One of our junior engineers
suggested that we go war driving, crack some WEP keys and then approach each
company offering services to make them more secure. The idea was put down
straight away on the basis that without prior approval we would be breaking
the law. However, upon further discussion a case was made that (moral issues
aside) provided we only captured traffic passively, and as long as we did
not try to connect or send any packets to any devices - would the law be
broken? 
 
Does the law state anywhere that we can not analyse air traffic that is
broadcast into the public domain? (if so surely we would all be breaking the
law every time we picked up a network other than our own) and is it against
the law to know someone else's WEP key when they have not made that
information available to you?
 
What are your thoughts on this?
 
Kind regards,
 
Richard Brinson
Kanoo Ltd
 
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be guaranteed to be
secure or error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses. The sender
therefore does not accept liability for any errors or omissions in the
contents of this message, which arise as a result of e-mail transmission.


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic See HOW Now with our 20/20
program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------




************************************************************************
This email (and attachments) are confidential and intended for the
addressee(s) only. If you are not the intended recipient please notify the
sender, delete any copies and do not take action in reliance on it. Any
views expressed are the author's and do not represent those of IOP, except
where specifically stated. IOP takes reasonable precautions to protect
against viruses but accepts no responsibility for loss or damage arising
from virus infection. For the protection of IOP's systems and staff emails
are scanned automatically.

IOP Publishing Limited Registered in England under Registration No 467514.
Registered Office: Dirac House, Temple Back, Bristol BS1 6BE England Vat No
GB 461 6000 84.


No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.467 / Virus Database: 269.7.6/814 - Release Date: 21/05/2007
14:01
 

No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.467 / Virus Database: 269.7.6/814 - Release Date: 21/05/2007
14:01
 


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------