Penetration Testing mailing list archives

Re: Legality of WEP Cracking


From: Nick Selby <nick.selby () the451group com>
Date: Sun, 27 May 2007 14:06:13 +0200

Sorry to pick this up late in the game, but some of my research prior to joining my current firm agrees with Richard's, below (a friend and I detected WEP-'protected' or wide open access points whose ESSIDs indicated that they belonged to lawyers, doctors, banks and a state senator's offices after a four mile drive in Albany, NY - makes one wonder about compliance with things like, say, HIPAA and SOX).

Also regarding the legality issue, if it has not been done to death, the issue - when I researched this last year - might not be as simple as Craig suggested. He speaks accurately about prior permission. But I am not sure the 'your state my state' issue should be dismissed out of hand for that very reason: one problem seems to be that states seem to control how such authorization itself is expressed, and lawyers and legislators are unclear about how one can reasonably assume authorization.

The problem of successfully prosecuting someone who accesses an AP without permission - even though arrests have been made - seems fairly tough.

From a report I wrote on the problem of protecting APs at the offices of lawyers in New York State:

   * You cannot rely on existing laws to prosecute "unauthorized" WAP
     access. It is difficult to determine how a user becomes authorized
     to access a WAP, and there's no common mechanism by which to post
     a notice that he is not.

In early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III for accessing a residential WAP and connecting to the Internet - from his car. Smith was charged with unauthorized access to a computer network.

He might get off. Who's to say it was unreasonable for Smith to assume what he did was Kosher? The WAP he used was wide open. With the proliferation of public Hotspots, who can say whether a person can reasonably infer an Open WAP is /intended/ for public use?

Under current New York law, it is illegal to intentionally access someone else's computer, computer network or equipment without authorization to do so where such computer or equipment, "...is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system."

The New York Penal Law also attempts to define "authorization" by providing that to establish authorization, one must either

(i) give actual notice in writing or orally to the user;

(ii) prominently post written notice adjacent to the computer being utilized; or

(iii) a notice that is displayed on, printed out on or announced by the computer being utilized by the user

Significantly, the Penal Law also provides for a presumption that notice of such authorization is given where, "the computer is programmed to automatically display, print or announce such notice ...."

Scott R. Almas, who was instrumental in developing the business and technology model to implement many of the Hotspots throughout downtown Albany, New York, is a technology attorney at the law firm of Lemery Greisler LLC. While Almas does not endorse the unauthorized use of open WAPs, he points out significant problems with New York's law when viewed against the practical reality of the proliferation of Open WAPs.

"I am particularly troubled," Almas said, "by how a user is supposed to know whether or not the owner of the Open WAP is authorizing use of the access point where the owner broadcasts to the world the presence of the access point and takes no steps to secure it. By the very nature of WAPs, there is no reasonable way to post or provide oral notice, and it can be difficult to interpret from the broadcasted name of the access point whether authorization is intended."

"In light of the fact that protecting the WAP is free, simple to do, and strongly recommended by the access point manufacturers during the set up process," Almas said, "I believe anyone who sets up a WAP and does not follow the advice to install even the most basic, minimal safeguards should be presumed to be providing authorization to access the Open AP for otherwise lawful Internet use."

"The presumption should not," adds Almas "extend to authority to access information on the WAP owner's LAN, or other illegal or harmful activities."

(whole thing: http://www.nickselby.com/articles/technology/?a=1805)

In trying to determine an interpretation of NY law, I came up with the analogy that an AP was like a hallway leading to the internet. Walking into the hallway and out to the internet on the other side was cool. Walking through and jiggling the handles of all the doors you passed in the hallway, and walking in to rooms that were unlocked along the way TO the internet was not cool.

For fun, let me introduce the unknown and probably unknowable impact of the USA PATRIOT act on the matter: we determined in talking to the legal scholars and looking at case studies (I am not a lawyer but worked with several in this research) that there could be a case for the USA PATRIOT act applying to those who leave their APs unprotected. Imagine, if you would, an open access point being detected by, say, Danish terrorists, who later use the AP to access an email account and send each other banned cookie recipes. Or other, perhaps worse, contraband. I can see that the label of having supplied 'material aid' to a terrorist organization could thereby be applied to a person failing to tighten access to the AP!

There's my two cents. I have absolutely no idea what it's like in other countries.

Nick

Richard Brinson wrote:
That's a good idea about the war chalking Paul, although I haven't seen much
evidence of it locally. As for the use of WEP, it is most definitely still
in use by organisations of all sizes. Whilst parked up in a high street
recently trying to connect to a hot spot, I picked up approx 20 wireless
networks - only 2 were using WPA, the rest (including the council
headquarters and 2 firms of solicitors!) were on WEP. This lack of education
is obviously a huge problem.

Regards

Richard

