FC: Notes on federal indictment for "war dialing" offense

[Declan McCullagh <declan () well com>]

---

From: "Deviant" <brian () deviating net>
To: <declan () well com>
Subject: another case of criminal charges over disclosure of security hole
Date: Sat, 27 Jul 2002 18:11:35 -0400

Hi, Declan,

We met at this year's H2K2 (i was one of the blue-shirted volunteers
enjoying panels such as yours in between running water to speakers and
holding audience mics.  we actually spoke briefly and got a photo together
after the panel regarding the FBI.)

You are likely to have seen this already, but I would be remiss if i didn't
pass along what information I have along with some key points which I feel
are being drowned out among the squabbling slashdot.org posters.

http://www.theregister.co.uk/content/55/26397.html

http://www.chron.com/cs/CDA/story.hts/tech/news/1507766

[Summary]

Stefan Puffer, A 33-year-old Houston computer security analyst was indicted
by a Grand Jury on Wednesday with two counts of fraud.  What was his "crime"
you ask?  He demonstrated the insecurity of the Harris County (TX) district
court's wireless LAN to their staff and a reporter.

<quote>
On March 18, Puffer showed a county official and a Chronicle reporter how he
was able to use his laptop computer and a... wireless card to tap into the
clerk's system.  Puffer said he noticed he could access the county network
in early March, when he scanned for weaknesses throughout Houston.
</quote>


[Key Points]

* Puffer was employed briefly by the county's technology department in 1999.
The articles don't state whether or not he was involved with the deployment
or securing of the wireless LAN.

* Puffer could get five years in jail and faces a $250,000 fine on each
count if convicted.  What the specific counts are is not documented well in
either article.

* District Clerk Charles Bacarisse said no files were compromised.

* The county chose to shut down the wireless system due to this information,
as opposed to securing it properly.  They are claiming that this "forced
shutdown" is causing the damages being cited.  Damages at $5000, mind you.
(As a rather funny slashdot.org post by MrP stated... "where do they get
these numbers?? Someone ping me so I can sue you for $1,000,000 in
damages.")

* Any wireless LAN can be WEP-enabled - all systems support this and it is
TRIVIAL to configure.  (They could just RTFM)


[VERY IMPORTANT POINT]

War Driving (also known as NetStumbling) does NOT constitute intrusion on a
network by itself.  You're technical enough to understand this, so i'll
state it in total geek-speek here and let you translate for your readers.
(You're so very good at that. :-)

Using software such as NetStumbler for War Driving simply sets one's
wireless card into a continuous reset mode.  I.E. - the card constantly acts
as though it was just enabled and begins to listen for a network to which it
can connect.

The key phrase is "LISTEN FOR."  In War Driving, the insecure network is the
party contacting the card, not vice-versa.  The court's network contacted
Puffer's laptop.  Now, whether or not he chose to establish a network
session with them, well, that remains to be seen.  If Puffer did not attempt
to connect to the shared resources of the LAN but simply saw the insecure
access point appear in his NetStumbler logs, then he is ABSOLUTELY IN NO WAY
guilty of any crime according to any Texas state law or federal law of which
I or my associates are aware.


Thanks again for all you do... I appreciate your work very much and enjoy
sharing your pieces with my friends and family.

Regards,

- Brian Rea




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------