funsec mailing list archives
RE: Hasn't the LA Times and Humphrey Cheung ever heard of the Electronics Communications Privacy Act?
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sat, 28 Apr 2007 16:39:16 -0400
T-Mobile runs the WiFi service for Starbucks. Does T-Mobile meet the definition of a common carrier? If so, the "readily accessible" defense does not apply, right?

Quoting from your original message:

"readily accessible to the general public" means, with respect to a radio communication, that such communication is *not* transmitted over a communication system provided by a common carrier

Here's an older example of a WiFi security demo for the press gone bad:

Ethical hacker faces war driving charges
http://www.theregister.co.uk/2002/07/26/ethical_hacker_faces_war_driving/

I think this guy was charged under the Computer Fraud and Abuse Act. The jury found him innocent because he didn't cause any damages. Regardless, I wonder if he will ever do the same type of security demo again for the press.......

Richard

-----Original Message-----
From: Matthew Murphy [mailto:mattmurphy531 () gmail com] On Behalf Of Matthew Murphy
Sent: Saturday, April 28, 2007 4:21 PM
To: Richard M. Smith
Cc: funsec () linuxbox org
Subject: Re: [funsec] Hasn't the LA Times and Humphrey Cheung ever heard of the Electronics Communications Privacy Act?

On Apr 28, 2007, at 12:33 PM, Richard M. Smith wrote:
The Starbucks case is one for the lawyers to sort out if private WiFi network is readily accessible to the general public or not.
It's not a "private" WiFi network, Richard; it's unencrypted with SSID broadcast on and accessible to anyone within the vicinity of a Starbucks -- note, not necessarily inside. Unencrypted = public, in most cases, and surveillance is certainly one of them. If you want an affirmative claim to support prosecution of an ECPA/Section 632 violation, you have to encrypt the network's traffic. Even WEP has value, in the eyes of the law, because it shows a network provider who took an affirmative action to demonstrate to would-be users an expectation that the privacy of the network is to be respected.
My assumption is no. One data point here is intercepting insecure cordless phone conversations is illegal under ECPA even though older cordless phones can be heard with a $100 Radio Shack scanner.
Yes, because cordless phone conversations are explicitly considered "confidential communications" under both ECPA and the relevant California penal code. However, the criteria of ECPA for what is considered public among other, non-excepted communications is pretty solid:

1. Encrypted
   Not true in the case of Starbucks -- open authentication with no data encryption

2. Transmitted using non-public modulation techniques
   Given that 802.11b/g are spec'ed out in IEEE standards documents, I don't see this holding up. Furthermore, Starbucks' network broadcasts its SSID.

3. Carried on a subsidiary carrier
   802.11 as implemented by Starbucks is inherently point-to-point, up until it reaches the AP and hits a wired line.

4. Transmitted over a common carrier network
   Internet providers are not CCs, as the net neutrality debate illustrates plainly

5. Transmitted over certain regulated frequency classes
   It's well-known that the frequency range for 802.11 is not regulated and can be used for any functional purpose.

802.11 with SSID broadcast and no encryption is NOT confidential under ECPA, period. The network is clearly "readily accessible to the general public", both in letter and in spirit of the law.

California penal code also doesn't apply, because it requires a reasonable expectation of confidentiality, except in certain classes of communications like cordless phones. When users connect to an open WiFi LAN, they typically must affirm at least once that their communications are subject to interception if not encrypted. Thus, no reasonable expectation of privacy/confidentiality could be established for the purposes of Section 632, either, unless perhaps the transmitter was an illiterate -- good luck explaining *that* to a judge.
You don't really think the paper would've published this story if it would've subjected an individual identified within to criminal prosecution, do you?

Absolutely. Back around 2003, the Washington Post did an article on how easy it was for two computer security people to break into Windows computers owned by the Federal government. These computers had open shares which were easily detectable from the outside. A week later the two consultants were busted by the FBI. Not sure what the result of the arrests was.
Seems like another case of the administration pursuing a hopeless criminal case (e.g., terrorism charges against cell-phone unlockers). Unless the consultants were informed via warning banners or some other means that the resources they were accessing were for government use only, they have neither achieved unauthorized access nor exceeded their authorization.

I was unable to find any information suggesting that the consultant who was charged was ever convicted.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.