Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Re: Legality of WEP Cracking
From: cwright () bdosyd com au
Date: 28 May 2007 00:09:23 -0000

Also regarding the legality issue, if it has not >been done to death, 
the issue - when I researched this last year - might >not be as simple 
as Craig suggested. He speaks accurately about >prior permission. But I 
am not sure the 'your state my state' issue should >be dismissed out of 
hand for that very reason: one problem seems to be >that states seem to 
control how such authorization itself is >expressed, and lawyers and 
legislators are unclear about how one can >reasonably assume authorization.

The problem of successfully prosecuting someone >who accesses an AP 
without permission - even though arrests have >been made - seems fairly 

Access and authorisation are not the issue. The law is well developed in terms of property, license and authorisation. 
When you claim that it may be difficult to prosecute, this is a function of evidence.

In the respect of the law, rules of evidence are also well defined. The issue is that of collecting evidence. Being a 
matter of fact, the nature of the evidence is not one that requires a large amount of legal dispute. It does however 
require more than the word of the accuser.

In civil cases, the requirements are lower. In criminal, there is a higher hurdle. Either way, there is a duty to 
collect evidence if you want to persue this. The difficultly is that it is not likely that a system running an open WEP 
gateway will have detailed logging and monitoring enabled. You do not need to notify the user that they are accessing 
the system without authority; they are not licensed to do so by the nature of the communications.

The law of license is a subset of property and requires a legal technical background that I can not extrapolate 
adequately on this list. 

If you read [1], this case covered many of these issues including some examples of limitations. In this case, a 
“blanket authorisation” was supplied to investigators as the woman involved was actively sharing files and setup as a 
peer to peer hub for mp3 distribution. Cases such as this are the exception.

There is a legal maxim “difficult cases make bad laws”. The drive to make more and more legislation to cover IT and 
Telecoms is making the Internet more difficult to enforce, not less as some presume.

A few examples are included below. One thing to remember also is that in the US, Federal; law owns telecoms and 
wireless, not state. They can also charge, but the US Fed has priority.

[1} United States: C.T.L.R. 2006, 12(3), N60 [Computer and Telecommunications Law Review] Publication Date: 2006

[2] Future regulation of the communications industry still in the balance.
Nick Pimlott.
Comms. L. 2003, 8(2), 247-249
[Communications Law]
Publication Date: 2003

[3] ECJ - judgment on Canal Satelite Digital.
Sebastian Pooschke.
Legal I.E.I. 2003, 30(3), 267-277
[Legal Issues of Economic Integration]
Publication Date: 2003

[4] Computer crime - UK/Singapore: unauthorized access to computer data.
Ter Kah Leng.
C.L.S.R. 2000, 16(3), 187-189
[Computer Law & Security Report]
Publication Date: 2000 “UK and Singapore cases on meaning of unauthorized access and use of computer data.”


This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]