mailing list archives
Re: Legality of WEP Cracking
From: Nick Selby <nick.selby () the451group com>
Date: Sun, 27 May 2007 14:06:13 +0200
Sorry to pick this up late in the game, but some of my research prior to
joining my current firm agrees with Richard's, below (a friend and I
detected WEP-'protected' or wide open access points whose ESSIDs
indicated that they belonged to lawyers, doctors, banks and a state
senator's offices after a four mile drive in Albany, NY - makes one
wonder about compliance with things like, say, HIPAA and SOX).
Also regarding the legality issue, if it has not been done to death, the
issue - when I researched this last year - might not be as simple as
Craig suggested. He speaks accurately about prior permission. But I am
not sure the 'your state my state' issue should be dismissed out of hand
for that very reason: one problem seems to be that states seem to
control how such authorization itself is expressed, and lawyers and
legislators are unclear about how one can reasonably assume authorization.
The problem of successfully prosecuting someone who accesses an AP
without permission - even though arrests have been made - seems fairly
From a report I wrote on the problem of protecting AP's at the offices
of lawyers in New York State:
* *You cannot rely on existing laws to prosecute "unauthorized" WAP
access. It is difficult to determine how a user becomes authorized
to access a WAP, and there's no common mechanism by which to post
a notice that he is not. *
In early July, 2005, police in St Petersburg, FL, arrested Benjamin
Smith III for accessing a residential WAP and connecting to the Internet
- from his car. Smith was charged with unauthorized access to a computer
He might get off. Who's to say it was unreasonable for Smith to assume
what he did was Kosher? The WAP he used was wide open. With the
proliferation of public Hotspots, who can say whether a person can
reasonably infer an Open WAP is /intended/ for public use?
Under current New York law, it is illegal to intentionally access
someone else's computer, computer network or equipment without
authorization to do so where such computer or equipment, "...is equipped
or programmed with any device or coding system, a function of which is
to prevent the unauthorized use of said computer or computer system.
The New York Penal Law also attempts to define "authorization" by
providing that to establish authorization, one must be either
(i) give actual notice in writing or orally to the user;
(ii) prominently post written notice adjacent to the computer being
(iii) a notice that is displayed on, printed out on or announced by the
computer being utilized by the user
Significantly, the Penal Law also provides for a presumption that notice
of such authorization is given where, "the computer is programmed to
automatically display, print or announce such notice ...."
Scott R. Almas, who was instrumental in developing the business and
technology model to implement many of the Hotspots throughout downtown
Albany, New York, is a technology attorney at the law firm of Lemery
Greisler LLC. While Almas does not endorse the unauthorized use of open
WAPs, he points out significant problems with New York's law when viewed
against the practical reality of the proliferation of Open WAPs.
"I am particularly troubled," Almas said, "by how a user is supposed to
know whether or not the owner of the Open WAP is authorizing use of the
access point where the owner broadcasts to the world the presence of the
access point and takes no steps to secure it. By the very nature of
WAPs, there is no reasonable way to post or provide oral notice, and it
can be difficult to interpret from the broadcasted name of the access
point whether authorization is intended."
"In light of the fact that protecting the WAP is free, simple to do, and
strongly recommended by the access point manufacturers during the set up
process," Almas said, "I believe anyone who sets up a WAP and does not
follow the advice to install even the most basic, minimal safeguards
should be presumed to be providing authorization to access the Open AP
for otherwise lawful Internet use."
"The presumption should not," adds Almas "extend to authority to access
information on the WAP owner's LAN, or other illegal or harmful
(whole thing: http://www.nickselby.com/articles/technology/?a=1805)
In trying to determine an interpretation of NY law, I came up with the
analogy that an AP was like a hallway leading to the internet. Walking
into the hallway and out to the internet on the other side was cool.
Walking through and jiggling the handles of all the doors you passed in
the hallway, and walking in to rooms that were unlocked along the way TO
the internet was not cool.
For fun, let me introduce the unknown and probably unknowable impact of
the USA PATRIOT act on the matter: we determined in talking the legal
scholars and looking at case study (I am not a lawyer but worked with
several in this research) that there could be a case for the USA PATRIOT
act applying to those who leave their APs unprotected. Imagine, if you
would, an open access point being detected by, say, Danish terrorists,
who later use the AP to access an email account and send each other
banned cookie recipes. Or other, perhaps worse, contraband. I can see
that the label of having supplied 'material aid' to a terrorist
organization could thereby be applied to a person failing to tighten
access to the AP!
There's my two cents. I have absolutely no idea what it's like in other
Richard Brinson wrote:
That's a good idea about the war chalking Paul, although I haven't seen much
evidence of it locally. As for the use of WEP, it is most definitely still
in use by organisations of all sizes. Whilst parked up in a high street
recently trying to connect to a hot spot, I picked up approx 20 wireless
networks - only 2 were using WPA, the rest (including the council
headquarters and 2 firms of solicitors!) were on WEP. This lack of education
is obviously a huge problem.
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
Re: Legality of WEP Cracking George Dragusin (May 19)
Re: Legality of WEP Cracking Chris Travers (May 19)
Re: Legality of WEP Cracking John Mason Jr (May 22)
Re: Legality of WEP Cracking Paul Dickens (May 23)
Re: RE: Legality of WEP Cracking ebk_lists (May 18)
RE:Legality of WEP cracking scott (May 18)
Re: Legality of WEP Cracking Matthew Webster (May 18)
Re: Re: Legality of WEP Cracking cwright (May 19)
Re: Legality of WEP Cracking Bob Radvanovsky (May 19)
Re: Re: Legality of WEP Cracking Matthew Webster (May 19)
- Re: Legality of WEP Cracking, (continued)