Penetration Testing mailing list archives

RE: Legality of blue tooth hacking


From: Cedric Blancher <sid () rstack org>
Date: Fri, 17 Mar 2006 11:02:47 +0100

On Friday, 17 March 2006 at 10:28 +0100, tomaz Bratusa wrote:
In my opinion there's no problem because the guy who tested bluetooth
security didn't have evil intent. He was just checking devices and
informing people about security holes in their devices.

As far as I understand the story, he wasn't just testing their security,
he was actually breaking into their phones to download their personal
data and then show them they were vulnerable, without their prior
consent. In that case, he can fully argue good faith, but what he does
is illegal. It's the main difference between doing things you believe
legitimate (I'm trying to help) and legal stuff (I'm not breaking the
law). You can help people, but actually breaking the law, and thus doing
illegal things.

The thing is law (at least in France) on computer crime does not take
intent into account. It defines what's an intrusion as using the system
without owner consent. There's no "legitimate purpose" for breaking into
IT systems (without owner consent). So you may have the best intentions
in the world, if you're breaking into a system without prior consent,
you break the law, period.

Furthermore, the OP question was on bluetooth hacking as a more general
matter:

        "He got up and presented the information saying there was no law
         preventing him from snarfing information."

I understand this as "if I was a malicious user, you couldn't sue me
because there is no law that actually prevents me to download your
personal data from your phone". And that is just plainly untrue. Now
maybe my English not being good prevents me from understanding some
subtlety in this.

And as WiFi and wireless protocols in general privacy over the air was
mentioned before, downloading stuff from a phone using a wireless link
is truly different from just listening or probing around. Thus, I don't
think you can compare it to wardriving for instance.

Are you a burglar if you go past your friend's house and see that the
front door is open and take a look?

To me, analogies with real world mostly suck...


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
