Re: Marriott wifi blocking

[Jay Ashworth <jra () baylink com>]

Hugo, I still don't think that you have quite made it to the distinction that we are looking for here.

In the case of the hotel, we are talking about an access point that connects via 4G to a cellular carrier. An access 
point that attempts to create its own network for the subscribers devices. A network disjoint from the network provided 
by the hotel or its contractor.

This is a different case from the circumstance in a business office where equipment is deployed to prevent someone from 
walking in with an access point /which pretends to be part of the network which the office runs./

In the latter case, the security hardware is justified in deassociating people from the rogue access point, /because it 
is pretending to be part of a network it is not authorized to be part of/.

In the Marriott case, that is not the circumstance. The networks which the deauth probes are being aimed at are 
networks which are advertising themselves as being /separate from the network operated by the hotel/, and this is the 
distinction that makes Marriott's behavior is unacceptable. 

(In my opinion; I am NOT a lawyer. If following my advice breaks something, you get to keep both pieces.)

On October 3, 2014 11:04:08 PM EDT, Hugo Slabbert <hugo () slabnet com> wrote:
> On Fri 2014-Oct-03 19:45:57 -0700, Michael Van Norman <mvn () ucla edu>
> wrote:
>
> > On 10/3/14 7:25 PM, "Hugo Slabbert" <hugo () slabnet com> wrote:
> >
> > > On Fri 2014-Oct-03 17:21:08 -0700, Michael Van Norman <mvn () ucla edu>
> > > wrote:
> > >
> > > > IANAL, but I believe they are.  State laws may also apply (e.g.
> > > > California
> > > > Code - Section 502).  In California, it is illegal to "knowingly and
> > > > without permission disrupts or causes the disruption of computer
> services
> > > > or denies or causes the denial of computer services to an authorized
> user
> > > > of a computer, computer system, or computer network."  Blocking
> access to
> > > > somebody's personal hot spot most likely qualifies.
> > >
> > > My guess would be that the hotel or other organizations using the
> > > blocking tech would probably just say the users/admin of the rogue
> APs
> > > are not authorized users as setting up said AP would probably be in
> > > contravention of the AUP of the hotel/org network.
> >
> > They can say anything they want, it does not make it legal.
> >
> > There's no such thing as a "rogue" AP in this context.  I can run an
> > access point almost anywhere I want (there are limits established by
> the
> > FCC in some areas) and it does not matter who owns the land
> underneath.
> > They have no authority to decide whether or not my access point is
> > "authorized."  They can certainly refuse to connect me to their wired
> > network; and they can disconnect me if they decide I am making
> > inappropriate use of their network -- but they have no legal authority
> to
> > interfere with my wireless transmissions on my own network (be it my
> > personal hotspot, WiFi router, etc.).  FWIW, the same is true in
> almost
> > all corporate environments as well.
>
> Thanks; I think that's the distinction I was looking for here.  By 
> spoofing deauth, the org is actively/knowingly participating on *my 
> network* and causing harm to it without necessarily having proof that 
> *my network* is in any way attached to *their network*.  The assumption
>
> in the hotel case is likely that the WLANs of the "rogue" APs they're 
> targeting are attached to their wired network and are attempts to
> extend 
> that wireless network without authorization (and that's probably 
> generally a pretty safe assumption), but that doesn't forgive causing 
> harm to that WLAN.  There's no reason they can't cut off the wired port
>
> of the AP if it is connected to the org's network as that's their 
> attachment point and their call, but spoofed deauth stuff does seem to 
> be out of bounds.
>
> I'm not clear on whether it runs afoul of FCC regs as it's not RF 
> interference directly but rather an (ab)use of higher layer control 
> mechanisms operating on that spectrum, but it probably does run afoul
> of 
> most "thou shalt not harm other networks" legislation like the 
> California example.
>
> > /Mike
>
> -- 
> Hugo

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.