Penetration Testing mailing list archives

Re: Netstumbling

From: "Joseph W. Shaw II" <jshaw () vortex org>
Date: Wed, 5 Mar 2003 19:21:27 -0600 (CST)


On Wed, 5 Mar 2003, stonewall wrote:

I am interested in the reaction that list members have gotten from various
government agencies while netstumbling.  Is there any clear guidance on the
legality of 'stumbling?  I am talking here about just 'stumbling, not set to
auto reconfigure the card, just assessment and locating WAPs.

You cannot be in the security business without being able to assess threats.
In this business, paranoia is not paranoia, it is due diligence.  I believe
that anyone serious about security must be able to assess wireless zones,
overlapping areas, buildings with multiple WAPs, etc.  But have you been
threatened by LE personnel in the process?


Not personally, no, but I recently consulted for a case that was tried in
Federal Court that might be of interest.  The young man was talking with a
reporter from the local newspaper and was walking in downtown Houston with
a Netstumbler equipped laptop.  While walking, he happened to come accross
a network owned by a county government entity, which was noted in the
article that followed.  After the story was published in the local paper,
he was accused of hacking into their network, compromising a machine, and
loading pornography on it.  I'm happy to say he was aquited, but it cost
him a significant amount of time and money.

Personally, I've been party to reporting a very serious flaw, but chose to
do so anonymously through a third party.  While I could have used the
credibility that came with finding the flaw, especially in this job
market, I was hesitant to give them my name due to the fact that it
involved large amounts of money and confidential information.  I only
wanted them to know the flaw was there and for them to get it fixed, so I
chose to err on the side of caution.

Regards,
--
Joseph


----------------------------------------------------------------------------

Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html

Current thread:

Netstumbling stonewall (Mar 05)
- Re: Netstumbling IndianZ (Mar 05)
- RE: Netstumbling Ken Kousky (Mar 05)
- Re: Netstumbling Nick Jacobsen (Mar 05)
  - RE: Netstumbling Andrew Ruef (Mar 06)
- Re: Netstumbling Joseph W. Shaw II (Mar 06)
- Program for automatic attack replay LordEidi (Mar 06)
  - RE: Program for automatic attack replay Rob Shein (Mar 06)
  - Re: Program for automatic attack replay Andreas Östling (Mar 06)
- <Possible follow-ups>
- RE: Netstumbling Freeland, Jim (Mar 06)
- RE: Netstumbling PJD (Mar 06)
- RE: Netstumbling Klahn, Paul (Mar 06)