Re: Automated wireless testing script

[Aarón Mizrachi <unmanarc () gmail com>]

On Jueves 28 Mayo 2009 15:23:13 subscribe subscribe escribió:
> Thanks for your interest.. I wanted to ask you guys this. I'm a bit
> worried if my tool will cause me any legal problems incase it is
> misused.. Is GPL enough to protect me?
GPL does not protect you against legal problems derived of illegal use by 
third party...

GPL protect your software freedom to copy, modify, redistribute, etc.... And 
protect your software from being reassembled with commercial pourporses  ( GPL 
is viric ;-) )

-----------------

Im not a lawyer...  It may depend on country, but this is my opinion:

1. You can put a disclaimer who advice the end user that should not be used 
for illegal pourporse. For many countries, this should be acceptable.

2. MANY software can be used for malicious pourporses... SSH could be used as 
a backdoor, Microsoft SMB protocol also..., aircrack-ng suite also could be 
used for malicious pourporses, inclusive, the linux popular command "rm" could 
be used for crime also, Nessus is a harmful tool that can be used also for 
criminal pourporses. 

So, your software also can be used for malicious pourporses...

BUT. There is a fact, software like this one, can be used also for Pentesting 
(Ethical Hacking), and proof of concept. That is a legal pourporse.

Ethical point of view:

Your software is not exploiting a zero day, the full disclosure method are 
fulfilled, the vendor was adviced of WEP/WPA bugs and the time to patch this 
bugs is over. Nothing else to say.

--------------

I released a software in the same situation on 2004. 
Was called, URCS... and was a RAT (Remote Admin Tool).

URCS were designed with ethic, URCS does not hide their proccess, URCS have an 
authentication plataform, URCS also have an installer. URCS does not have any 
infection engines, URCS does not have also any method to prevent their hand 
removal, URCS activate logs by default with connection IP address, and 
commands executed.

URCS was the first remote admin tool that used the star and tree topology with 
reverse connections. URCS were designed because in this time, my ISP used a 
big NAT, therefore, if i wanted to connect to my computer, URCS help me a lot. 
URCS were released opensource.

I used URCS for legal pourporses like manage my home computers over NAT, and 
many of my users also used it for legal pourporses. But AV houses putted it on 
a blacklist and rated him as a trojan/backdoor... while some compilation of 
SSH and VNC servers, even Windows also can be used as a trojan/backdoor.

On many discussions with AV houses, their argument were that my program can be 
used silently, but, my argument is that if you run the main program (not the 
installer), then, this program is not automatically installed, only oppened 
(like when you start an tftp service alone without installing it...).

> 2009/5/28 Renato Bovo Inácio <renatobovo () gmail com>:
> > Very good, but where's the program to download? You can provide it with
> > GPL.
> >
> > Regards, congratulations,
> >
> > On Thu, May 28, 2009 at 12:59 PM, subscribe subscribe
> >
> > <subscr1b3m3 () gmail com> wrote:
> > > Hi,
> > >
> > > Just recently I wrote a program for testing wireless security. The
> > > program automates another program called aircrack-ng.
> > > Will crack all wireless access point in one command. No need to type
> > > anything, just hit enter. Useful if you find it daunting
> > >  to type commands while roaming around the client's premises during
> > > the wireless assessment. Check out the videos at:
> > > http://www.youtube.com/watch?v=aYWe4_zcY-I
> > >
> > > Please comment so I can make improvements before releasing it.. Thanks.
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Information Assurance Certification Review
> > > Board
> > >
> > > Prove to peers and potential employers without a doubt that you can
> > > actually do a proper penetration test. IACRB CPT and CEPT certs require
> > > a full practical examination in order to become certified.
> > >
> > > http://www.iacertification.org
> > > ------------------------------------------------------------------------
> >
> > --
> > ------------------------------------------
> > Renato Bovo Inácio
> > CSO - Chief Security Officer
> > ------------------------------------------
> >
> > AVISO LEGAL
> >
> > Esta mensagem é exclusivamente para a pessoa do destinatário, podendo
> > conter informações confidenciais ou legalmente protegidas. A transmissão
> > incorreta da mensagem não acarreta a perda de sua confidencialidade. É
> > vetado a qualquer pessoa que não seja destinatário usar, revelar,
> > distribuir ou copiar qualquer parte desta mensagem.
> >
> > LEGAL WARNING
> >
> > This message is intended exclusively for its addressee. It may contain
> > confidential or legally protected information. The incorrect transmission
> > of this message does not mean the loss of its confidentiality. It is
> > forbidden to any person who is not intended addressee to use, reveal,
> > distribute, or copy any part of this message.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require a
> full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

Attachment: signature.asc
Description: This is a digitally signed message part.