Vulnerability Development mailing list archives

RE: Wireless Legality- Netstumbler and kin


From: "Everhart, Glenn (FUSA)" <GlennEverhart () FirstUSA com>
Date: Fri, 15 Mar 2002 13:48:46 -0500

The difficulty here is knowing whether signals are meant for you. That is
why technical protection is vital in wireless.

Common net practice for decades has been to offer free services at times to
the world. These can be web servers, anonymous ftp, gopher, icq, or Lord
knows what. To find out if they are offered one must attempt a connection
(and go away quietly if it is refused).

I don't think much of such a practice, but wonder how John Q Public is to
know that an anonymous ftp service isn't being offered via wireless? The
etiquette of this is not well established, and I could conceive of web
servers and the like sitting at airports or convention centers doing exactly
this, to advertise and possibly offer services to passers-by. The fact that
network connections happen before one can know if such a service exists has
been accepted for ages now, and it is generally understood that someone
attaching to your ftp server and attempting to log in anonymous, for example,
and leaving if there is no such account, is not harmful or even unusual.

That being the case, a passer-by would I think be hard to convict of
wrongdoing for merely looking for places where such services might exist.
Therefore if you set up a wireless network, you are being grossly negligent
if you have no technical limits placed on what your gear will connect to,
unless you truly want to offer services to the world.

This does not mean even public services cannot be abused. (Consider email
relays, once common but made a scourge by spammers.) It does mean that if you
set up an open connection, you are exposing a network to access and possible
abuse and should not expect the law to defend you from the consequences of
your actions. Remember that local, state, and federal governments all operate
free internet services already and do not expect people to be telepathic. On
the internet, you have to turn the knob of the front door to get in (send
syn). That it isn't locked (you get a syn-ack) is your first indication
something might be offered you, and conversely. While the protections
available in 802.11 are not as strong as they should be, they will at least
indicate the door isn't standing unlocked and thus that no public services
should be expected. Otherwise, putting your net on broadcast radio without
protections might be said to be giving up your expectation of privacy.



-----Original Message-----
From: Russell Handorf [mailto:rhandorf () mail russells-world com]
Sent: Friday, March 15, 2002 12:36 PM
To: vuln-dev () securityfocus com
Subject: Wireless Legality- Netstumbler and kin


Hey all- question for y'all that I haven't found any firm evidence with 
that raises a question of legality which concerns me greatly.

Of course all those in the wireless community (WLANs) know of a program 
called netstumbler, and also that it has the capability to map networks on 
a large scale (city wide and all). Well, is this not illegal pertaining to 
the Electronic Communications Privacy Act from 1986?

I can certainly understand that it is illegal for Joe Schmoe hacker to sit 
outside a WLAN and to circumvent any protective measures taken by the 
administrator (defaults include MAC Address and the infamously poor WEP), 
however is it illegal for Joe Schmoe hacker to sit outside and use the WLAN 
of a company that doesn't have ANY protective measures set in place?

According to the ECPA, it's illegal to intercept any/all wireless signals 
that are not intended for you, so would the people who are involved with 
these wireless mapping projects be criminals, or does this Act not apply in 
this situation at all?

Russ
==================================
Russell Handorf
oooo, shiney ::Wanders after it::

www.russells-world.com
www.philly2600.net

"Computer games don't affect kids; I mean if Pac-Man affected us as kids, 
we'd all be running around in darkened rooms, munching magic pills and 
listening to repetitive electronic music."

Kristian Wilson
Nintendo Inc. 1989
==================================




