lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 06 Apr 2007 16:07:53 -0400
From: Michael Holstein <michael.holstein@...ohio.edu>
To: neal.krawetz@....hush.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: WEEPING FOR WEP

>    * Intent: This is a biggie. If someone trespassed on your
> private network through an open wireless access point, then proving
> digital trespassing can be very difficult. However, if the user
> must bypass your minimalist WEP security, then they clearly show
> intent to trespass.

Accessing it is different than listening to it. Assuming I don't do ARP 
replay or other L2 games because I'm impatient, I've never really 
"trespassed" since you were blasting your signal into a public area, and 
it's an unlicensed band.

(IANAL .. anyone have a case law link for the above conjecture?)

> Consider WEP like a low fence around a swimming pool. Without the
> fence, you are in trouble if a neighborhood kid drowns in the pool.
> It's an "attractive nuisance". However, with the fence, you should
> be covered if a kid climbs the fence and drowns. It's still bad,
> but you have a standing to refute blamed since you put up a
> barrier, even if the barrier was minimal.

Depends .. can they convince the jury that your fence wasn't *really* 
tall enough? Remember .. here in the US, store owners get sued because a 
burglar falls through the roof during the course of a break-in.

Put another way, if I use a system known to be ineffective (a twist-tie 
on a gate lock, to use the above "pool" example) it could be plausibly 
argued that you in effect made no effort at all.

Once someone writes a network widget that automates the (capture -> 
crack -> connect) process, it could probably argued the same way for WEP 
(again .. IANAL).

~Mike.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ