RE: Netstumbling

["Klahn, Paul" <PKlahn () fishnetsecurity com>]

Disagreement.  Most state laws clearly define computer crime as
accessing or attempting to access resources you do not have permission
for.  Your legal obligation isn't changed by the data's transmission
medium.  The courts have said that scanning is not illegal, similar to
pulling on doors to see if they are locked.  However, when you connect
to their network, you have crossed the line.  There is no grey area.
Just because it's easier doesn't make it more legal.  

My 2 cents.

Paul Klahn
Kansas City, Missouri


> -----Original Message-----
> From: Freeland, Jim [mailto:jfreeland () Carlson com] 
> Sent: Wednesday, March 05, 2003 1:56 PM
> Subject: RE: Netstumbling
>
>
> Remember the GREY area..........
>
> Basically, you can stumble and identify other company 
> networks. Accessing their internet connection accidentally 
> and browsing the web will not land you in hot water.  
> Enumerating their systems, attempting to gain heightened 
> access levels, or attempting to view secured network objects 
> will land you in hot water.  Now you can probably get away 
> with the old 'I didn't see a warning banner' excuse, but that 
> doesn't hold much weight anymore.  
>
> I would say scan away because the wireless network you are 
> seeing falls into a grey area in the legal world.  Nobody has 
> defined what constitutes illegal activity.  I can't imagine a 
> judge would stick anyone with a charge for accidentally using 
> the company across the street's internet connection to surf 
> the web.  He/She would most likely tell them to turn down the 
> signal and lock down their connection!
>
> As with any wired network, hacking and enumeration occur 
> daily. Sometimes successful, sometimes not.  If I scan your 
> company's network over my cable modem connection I don't get 
> in trouble.  If I compromise a box and ignore a login banner 
> I for sure will.  If I compromise a box and didn't see a 
> login banner, I have about a 50/50 shot of not getting in 
> trouble.  I can only imagine the same 'rules of the game' 
> apply to wireless.  If I get a DHCP IP from your router, and 
> surf the web, then scan your IP range I probably won't get in 
> trouble.  If I find a vulnerability and expose it to access 
> secured systems, well, just like the wired world I may be punished.  
>
> Don't forget, it always depends on whose system you are 
> seeing, and what data they have.  If you are Stumbling in 
> Omaha and hit some little building with a nice database full 
> of credit card numbers, chances are they will use everything 
> they have to track you down.
>
> Don't do dumb things!  Use the tools to identify and secure.  
> Help, don't hurt.  Otherwise you might get yours.
>
> Jim
>
> -----Original Message-----
> From: Nick Jacobsen [mailto:nick () ethicsdesign com]
> Sent: Wednesday, March 05, 2003 11:12 AM
> To: stonewall; pen-test () securityfocus com
> Subject: Re: Netstumbling
>
>
> Just from my expirience, I have never had any problems, and 
> none of my friends have reported any problems either.  I will 
> walk around downtown with my laptop open, and an external 
> antenna on my back (looks funky, and I get some odd stares, 
> but it works), and the most I have ever had happen is a cop 
> ask me what I was doing...  I told hime I was using my laptop 
> to do a wireless security assesment...  he just sort of 
> looked at me oddly and walked off...  probably had no idea 
> what I was talking about...  I've done this in Portland, 
> Roseburg, Salem, Eugene (all in Oregon), as well as New 
> Orleans and Chicago.  Most of the time, the cops have no idea 
> what you are talking about...
>
>
> Anyway, my 2 cents,
>
> Nick Jacobsen
> Ethics Design
> nick () ethicsdesign com
>
> ----- Original Message -----
> From: "stonewall" <stonewall () cavtel net>
> To: <pen-test () securityfocus com>
> Sent: Wednesday, March 05, 2003 6:14 AM
> Subject: Netstumbling
>
>
> > HI, I need some advice.
> >
> > I am interested in the reaction that list members have gotten from
> various
> > government agencies while netstumbling.  Is there any clear guidance
> on
> the
> > legality of 'stumbling?  I am talking here about just 
> 'stumbling, not
> set
> to
> > auto reconfigure the card, just assessment and locating WAPs.
> >
> > You cannot be in the security business without being able to assess
> threats.
> > In this business, paranoia is not paranoia, it is due diligence.  I
> believe
> > that anyone serious about security must be able to assess wireless
> zones,
> > overlapping areas, buildings with multiple WAPs, etc.  But have you
> been
> > threatened by LE personnel in the process?
> >
> > Thanks in advance for your info.
> >
> > stonewall
> --------------------------------------------------------------
> ----------
> --
> --
> > Are your vulnerability scans producing just another report? 
> Manage the 
> > entire remediation process with StillSecure VAM's 
> Vulnerability Repair 
> > Workflow. Download a free 15-day trial:
> > http://www2.stillsecure.com/download/sf_vuln_list.html
>
>
> --------------------------------------------------------------
> ----------
> ----
>
> Are your vulnerability scans producing just another report? 
> Manage the entire remediation process with StillSecure VAM's 
> Vulnerability Repair Workflow. Download a free 15-day trial: 
> http://www2.stillsecure.com/download/sf_vuln_l> ist.html
>
>
>
> --------------------------------------------------------------
> --------------
>
> Are your vulnerability scans producing just another report? 
> Manage the entire remediation process with StillSecure VAM's 
> Vulnerability Repair Workflow. Download a free 15-day trial: 
> http://www2.stillsecure.com/download/sf_vuln_l> ist.html

----------------------------------------------------------------------------

Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html