http://www.nytimes.com/2008/08/12/technology/12theft.html?pagewanted=all
-------------------------
As an international ring of thieves plundered the credit card numbers of
millions of Americans, investigators struggled to figure out who was
orchestrating the crimes in the United States.
When prosecutors unveiled indictments last week, they made a stunning
admission: the culprit was, they said, their very own informant.
Albert Gonzalez, 27, appeared to be a reformed hacker. To avoid prison time
after being arrested in 2003, he had been helping federal agents identify
his former cohorts in the online underworld where credit and debit card
numbers are stolen, bought and sold.
But on the sly, federal officials now say, Mr. Gonzalez was connecting with
those same cohorts and continuing to ply his trade, using online pseudonyms
- including "soupnazi" - that would be his undoing. As they tell it, Mr.
Gonzalez had a central role in a loosely organized online crime syndicate
that obtained tens of millions of credit and debit card numbers from nine of
the biggest retailers in the United States.
[...]
The story begins five years ago in Miami, along the stretch of Route 1
called the South Dixie Highway. Starting in 2003, national retailers with
outlets there, including BJ's Wholesale Club, the Sports Authority,
OfficeMax, DSW and Barnes & Noble, began falling victim to "war-drivers" -
drive-by hackers who searched for holes in the security of wireless
networks.
According to last week's indictments, those hackers were Mr. Gonzalez and
two Miami accomplices, Christopher Scott, 25, and Damon Patrick Toey, 23.
Investigators say the conspirators began their largest theft in July 2005,
when they identified a vulnerable network at a Marshall's department store
in Miami and used it to place a so-called sniffer program on the computers
of the chain's parent company, TJX, in Framingham, Mass. The program pulled
out data like credit card numbers from the network traffic.
...
http://www.nytimes.com/2008/08/12/technology/12theft.html?pagewanted=all
Before anyone jumps up and says "oh no3s they will 0utl@w W@rDr1vi1ng
and wirelezz nets", I would like to state that they are in clear
violation of PCI Data Security Standards. Processing credit card data
over a wireless network is allowed, provided that security best
practices are followed. I don't think I need to enumerate what those are :)
Also Wardriving and port scanning etc isn't illegal. If it's made
illegal then following the PCI standard (which requires regular audits
of wired and wireless networks using war driving and port
scanning/vulnerability assessment techniques ) would break the law.
Somehow I think that Visa/mastercard etc making a lot of money, paying a
lot of tax on that money and contributing to campaign funds will make
sure the law remains the same for quite some time. :)
--
Charles Wyble (818) 280 - 7059
http://charlesnw.blogspot.com
CTO Known Element Enterprises / SoCal WiFI project
For what it's worth, port scanning over Wi-Fi may or may not be illegal.
It's in what we wardrivers call, "a gray area."
Passively sniffing RF out of thin air is allowed on a federal level (i.e.
Kismet). Actively using a network without permission may not be. Some argue
even getting a DHCP address from the host might be illegal. Is permission
granted if the server just GIVES it to you? Or does permission require a
human? There is much debate. It hasn't been hashed out in the courts. It
too, is "a gray area."
-Mike
Well sure. An exploit takes multiple levels, from passive scanning to
active exploitation.
> For what it's worth, port scanning over Wi-Fi may or may not be illegal.
> It's in what we wardrivers call, "a gray area."
>
Well against your own network it is clearly legal. Against others, talk
to your lawyer.
> Passively sniffing RF out of thin air is allowed on a federal level (i.e.
> Kismet).
Correct.
> Actively using a network without permission may not be. Some argue
> even getting a DHCP address from the host might be illegal. Is permission
> granted if the server just GIVES it to you?
I imagine since most AP sites are backhauled over the local telco DSL
that prohibits sharing bandwidth,
it's "illegal" with whatever ramifications violation of contract law bring.
Sure but the wardriver has no contract with the telco. Would they prosecute
the victim of the exploit?
Oh of course. The contract says you are responsible for all usage.
That's the beauty of it all. :)
They might, or they'll charge them for extra use, disconnect them or just send a nasty letter explaing that giving
away their network is against the TOS and to lock it down or else, they have compliance vans that drive around
checking for open networks.
There have been people taken in for stealing wifi. Benjamin smith was one of the guys that was caught in a local
state law ( which most states have against unauthorised use) 3rd degree felony.
http://arstechnica.com/news.ars/post/20050707-5068.html dunno what happened to him though though reports say he was
convicted.
$250 fine, one year court supervision
http://arstechnica.com/news.ars/post/20060323-6447.html
dunno the outcome
http://arstechnica.com/news.ars/post/20070522-michigan-man-arrested-for-using-cafes-free-wifi-from-his-car.html
law, which you can probably find in most states.
http://www.legislature.mi.gov/(S(vvvcdnbgtoxnew553f55rr55))/mileg.aspx?page=getObject&objectName=mcl-752-795
arrested, charged with theft of services
http://arstechnica.com/news.ars/post/20060622-7111.html
alaska, arrested, confiscated computer temporarily for investigation, told off, don't know the outcome.
http://www.engadget.com/2007/02/25/gamer-busted-for-borrowing-library-wifi-after-hours/
Not aware of criminal charges, but certainly fines and other such smaller penalties.
Arguing that the network is open will only work in internet court.
> There have been people taken in for stealing wifi.
Hrmph. Reading thru these, they mostly make clear that cops are just
dicks. How the hell do you get arrested for using free WiFi just 'cause
you're in your car nearby and not in the building?
-Kenny
--
Kenneth R. Crudup Sr. SW Engineer, Scott County Consulting, Los Angeles
O: 3630 S. Sepulveda Blvd. #138, L.A., CA 90034-6809 (888) 454-8181
None of them were listed as free access they're mostly listed as services provided for the usage of patrons, which
includes coffee shops and libraries, they're free as in beer not as in speech, libre vs gratis.
But i'd agree that mostly they're just doing something since someone somewhere made a complaint, its mostly
harmless, just like the human race... But someone , somewhere has to foot the bandwidth bill and those single
instances of people just popping on a unprotected access point are happening all over the place, people use them for
spamming, porn, torrents as well as just checking email or web. But opportunity is not an excuse that i'm aware of
working as a legal defence.
I'd lay more fault with the paranoids/busybodies calling it in and not so much the cops, since these days the cops
often have to be seen to do something about it once its been made official, not so much of a slap around the head
and on your way mentality these days, which is something i'm sure a lot of cops would prefer, less paperwork.
Depends on the state and country. In Georgia, USA, port scanning
is a mandatory jail sentence.
Piggy backing on wifi base stations made it through the
USA court system and the judge's decision was existing
laws covered stealing CPU cycles from a base station.
So, wardriving in the USA is illegal.
Hmmmm. Well then any company in that state can't be PCI compliant.
Probably not SAS70 compliant either, so
I find it hard to believe that is the case.
> Piggy backing on wifi base stations made it through the
> USA court system and the judge's decision was existing
> laws covered stealing CPU cycles from a base station.
> So, wardriving in the USA is illegal.
>
>
>
No. You are wrong.
Wardriving isn't illegal.
However using the access points you find may or may not be illegal.
Don't spread inaccurate data.
See my posts to UUASC.org about 8 years ago, when it made the news
when a security consultant was jailed for scanning a firm's
computers from outside their firewall. He worked for the
firm, but was not authorized, in writing, to do an audit
at that level. The owner of the firm owned him money
and fired him over this. They had a prior disagreement
already.
PCI was just being invented then.
The judge agreed with the law that port scanning, knocking
on the door, was stealing cpu cycles (and bandwidth). Now,
the key point was is there a "No solicitors" sign hanging
on all computers on the network? The judge in Georgia
decided "yes", for his state of the USA.
>> Piggy backing on wifi base stations made it through the
>> USA court system and the judge's decision was existing
>> laws covered stealing CPU cycles from a base station.
>> So, wardriving in the USA is illegal.
>>
>>
>>
>No. You are wrong.
>Wardriving isn't illegal.
>However using the access points you find may or may not be illegal.
>
>Don't spread inaccurate data.
Hmm, it's off topic to describe how the USA justice system works,
so I will not. But it's "accurate data," given the justice system
methodology. The precedent has been set, and can be used by
other states, though most states' judges prefer to set their
own state's precedent, and not rely upon another state. Again
I go off topic, but it's enough for one to google on.
The federal law I quoted from, "stealing cpu cycles," is at the
federal level, not the state level. To me, it's not arguable
that using access points does 'not' use cpu cycles. It does.
What you likely are referring to is that wardriving has yet
to have a federal judge make a decision on it. While wardriving
has gotten into many state courts, it has always been settled
before the full judgement process reached a "verdict", that
gets published, most times as a precedent.
Thus, I believe you wish to "step on the fine line of the law".
While I prefer to white hat it.
Well duh. That's obvious. If you are a PCI or SAS70 auditor you have
authorization 5 ways
from Sunday. Saying that someone got arrested and jailed for port
scanning without authorization, that's
not news, or relevant to my point. My point was that if it's illegal and
if there isn't a provision for authorized
scanning/auditing (in writing/bonded yadda yadda yadda) then it would be
a very business unfriendly law.
> Hmm, it's off topic to describe how the USA justice system works,
> so I will not. But it's "accurate data," given the justice system
> methodology. The precedent has been set, and can be used by
> other states, though most states' judges prefer to set their
> own state's precedent, and not rely upon another state. Again
> I go off topic, but it's enough for one to google on.
>
> The federal law I quoted from, "stealing cpu cycles," is at the
> federal level, not the state level. To me, it's not arguable
> that using access points does 'not' use cpu cycles. It does.
>
You are missing my point. War driving is not equal to using the access
point.
You are passively monitoring RF emissions which the AP was putting out
anyway.
No need for the legal segway, and the last time I checked you weren't a
lawyer. :)
Now I'm not arguing that using the AP is probably illegal. Just that
WarDriving
isn't.
> What you likely are referring to is that wardriving has yet
> to have a federal judge make a decision on it.
I don't believe that decision is needed, as from what I understand
passive monitoring of RF is allowed under the existing law.
> While wardriving
> has gotten into many state courts, it has always been settled
> before the full judgement process reached a "verdict", that
> gets published, most times as a precedent.
>
Has WarDriving gotten into the courts? Or WarDriving and then accessing
the access points discovered without explicit authorization
gotten into the courts?
> Thus, I believe you wish to "step on the fine line of the law".
>
Not sure what the quoted term means, but based on the below line I'm
presuming you
are referring to it being a "gray area".
> While I prefer to white hat it.
>
>
Hmmmm. Calling me a black hat? I hope not. :)
At 10:03 AM 8/13/2008, you wrote:
>from Sunday. Saying that someone got arrested and jailed for port
>scanning without authorization, that's
>not news, or relevant to my point.
Hmm, back then it was news, as he was the first person in the USA
to be jailed for port scanning. I'm not meaning arrested, I mean
convicted and serving time. Regarding written authorization...
he had verbal approval, and having in writing... this legal case
is when everyone started saying "get it in writing". Before this
lawsuit, port scanning was a non issue (meaning likely legal).
> My point was that if it's illegal and
>if there isn't a provision for authorized
>scanning/auditing (in writing/bonded yadda yadda yadda) then it would be
>a very business unfriendly law.
When is port scanning friendly? I know of no business that would
think it was friendly. Black hats consider it a prelude to
attack. Ditto most white hats.
>> The federal law I quoted from, "stealing cpu cycles," is at the
>> federal level, not the state level. To me, it's not arguable
>> that using access points does 'not' use cpu cycles. It does.
>>
>You are missing my point. War driving is not equal to using the access
>point.
>You are passively monitoring RF emissions which the AP was putting out
>anyway.
You make your point.
http://en.wikipedia.org/wiki/Wardriving Excerpt:
In the United States, the case that is usually referenced in determining whether a network has been "accessed" is State v. Allen. In this case, Allen had been wardialing in an attempt to get free long distance calling through Southwestern Bell's computer systems. When presented with a password protection screen, however, he did not attempt to bypass it. The court ruled that although he had "contacted" or "approached" the computer system, this did not constitute "access" of the company's network.
There are other paragraphs that pertain to wardriving.
The point is there is a fine line, and port scanning
steps over it (in most states under existing law),
while "approaching" does not include port scanning,
at least in Georgia and a few other states (more states
are adopting the Georgia stance, but without the mandatory
jail time), approaching wireless access points has yet
to be "determined". Is does not steal CPU cycles, that's
for sure. Is it a prelude to stealing cycles? Not a firm
one. Can I decide? Can any member? Can this list? No.
Only a judge can, and only for his state. Federal judges
decide for the entire country, though to be sure, appeal
to and decision by the federal USA Supreme Court is needed.
>I don't believe that decision is needed, as from what I understand
>passive monitoring of RF is allowed under the existing law.
Nope. Well, generally no. Selected bands are very off limits
for scanning or passive monitoring. Like police bands.
And cell phone bands. And military bands. And ... and...
most bands. CB, AM, FM, and Ham bands are legal to scan.
Most others are illegal.
Making overly broad statements without explicit knowledge? ;)
Trolling for an education? ;;*)
>Has WarDriving gotten into the courts? Or WarDriving and then accessing
>the access points discovered without explicit authorization
>gotten into the courts?
Charles, mistaking my "point" as "your" point, just to post?
My point was stealing CPU cycles, so your extension to wardriving
is not applicable, and almost edging into trolling, imho.
My personal view is that anyone's RF coming into my brain, becomes
my property, just like putting something into my snail mail box.
Therefore, police band RF "is" my property when it's in my brain.
The legal opposing viewpoint is my brain can not 'make sense'
of that RF. However, dental work has been known to make audible
RF... so... if my brain could make sense of it, if I trained it
to, then it would be legal. Right? :^)
Yeah. I made sure to say arrested and jailed. :) I didn't explicitly say
convicted as I meant
to imply it but thank you for clarifying. :)
> Regarding written authorization...
> he had verbal approval, and having in writing... this legal case
> is when everyone started saying "get it in writing". Before this
> lawsuit, po
Fair enough.
>
>> My point was that if it's illegal and
>> if there isn't a provision for authorized
>> scanning/auditing (in writing/bonded yadda yadda yadda) then it would be
>> a very business unfriendly law.
>>
>
> When is port scanning friendly? I know of no business that would
> think it was friendly. Black hats consider it a prelude to
> attack. Ditto most white hats.
>
Um.... you are missing my point. I was saying that if you are an auditor
you would have written
authorization from the organization to audit them including port
scan/war drive/war walk etc.
I never said that unauthorized black hat port scanning was friendly. I
said that if the law forbidding
port scanning didn't have an authorized/auditor exemption the LAW wasn't
business friendly.
Try to pay attention please. :)
>
>> You are missing my point. War driving is not equal to using the access
>> point.
>> You are passively monitoring RF emissions which the AP was putting out
>> anyway.
>>
>
> You make your point.
>
> http://en.wikipedia.org/wiki/Wardriving Excerpt:
>
> In the United States, the case that is usually referenced in determining whether a network has been "accessed" is State v. Allen. In this case, Allen had been wardialing in an attempt to get free long distance calling through Southwestern Bell's computer systems. When presented with a password protection screen, however, he did not attempt to bypass it. The court ruled that although he had "contacted" or "approached" the computer system, this did not constitute "access" of the company's network.
>
> There are other paragraphs that pertain to wardriving.
> The point is there is a fine line, and port scanning
> steps over it (in most states under existing law),
>
As I have said a few times now, I am NOT talking about port scanning
(without explicit written authorization). You keep going back to port
scanning. I'm referring to WarDriving.
> while "approaching" does not include port scanning,
> at least in Georgia and a few other states (more states
> are adopting the Georgia stance, but without the mandatory
> jail time), approaching wireless access points has yet
> to be "determined". Is does not steal CPU cycles, that's
> for sure. Is it a prelude to stealing cycles? Not a firm
> one. Can I decide? Can any member? Can this list? No.
> Only a judge can, and only for his state. Federal judges
> decide for the entire country, though to be sure, appeal
> to and decision by the federal USA Supreme Court is needed.
>
Fair enough. I think we both agree that a clear legal decision regarding
war driving
hasn't been made, and that we aren't the ones to make it.
>
>> I don't believe that decision is needed, as from what I understand
>> passive monitoring of RF is allowed under the existing law.
>>
>
> Nope. Well, generally no. Selected bands are very off limits
> for scanning or passive monitoring. Like police bands.
> And cell phone bands.
Cell phone bands can't be monitored due to wiretap laws. However police
bands are quite legal to monitor. Any RadioShack sells a scanner, and
the frequencies the police use are published. So it's not illegal to
monitor them.
> And military bands.
I don't know either way about these.
> And ... and...
> most bands. CB, AM, FM, and Ham bands are legal to scan.
> Most others are illegal.
>
Hmmmm. I don't have time to do the research into this, and don't have
any info either way. As always talk to a lawyer.
> Making overly broad statements without explicit knowledge? ;)
> Trolling for an education? ;;*)
>
>
>> Has WarDriving gotten into the courts? Or WarDriving and then accessing
>> the access points discovered without explicit authorization
>> gotten into the courts?
>>
>
> Charles, mistaking my "point" as "your" point, just to post?
>
> My point was stealing CPU cycles, so your extension to wardriving
> is not applicable, and almost edging into trolling, imho.
>
Huh?
Your point was a bit murky and I took it to include WarDriving based on
what you said.
However it's been clarified now. Which is why I explicitly asked the
question about
WarDriving having made the courts, or access the access points without
explicit
authorization made the courts.
Depends what they define as war driving and what you can prove, if you mean passively scanning networks for SSID's
then thats one thing and probably would likely only get you into trouble on a really bad day, buy you might at the
least be detained and have your equipment temporarily confiscated (better make sure its absolutely clean and
contains no pen tests etc, and good luck getting it back before its obsolete), a copy of it made for investigative
purposes (which is then deleted after of course, right?) , however if you connect to the network and it gives an IP
etc, then it is clearly against California 502.
But even scanning could be interpreted as using cpu/network resources as stated in 502, like the other poster says,
ity just depends who you come up against and what they're after. Like that celebrity judge in los angeles all those
years ago that seemed to be more interested in being famous, than justice.
Good luck proving though you're just out being curious about the location or names of other peoples SSID's and had
no intent to do any wrong, that ones a blinder.
Especially when one of the local rags gets hold of the story and someone's looking for their 15 minutes, and they
happen to drop in the old 'people who do this sort of thing are normally trafficking kiddy porn'. (see the links I
posted yesterday for clarification) regardless of what you were doing. You don't need to be convicted of anything to
suffer any negative effects, but these cases are usually based on opinion and political climate, not facts or
intent.
Cops say that if they want to pull you over, they just have to follow you for 10 minutes you'll do something wrong
somewhere thats enough for them to have probable cause, and thats just the way it is, there are so many laws few
know them all, and even fewer understand them all, i've talked to many a cop who doesn't know the law and writes
tickets for it, and the guy getting the ticket might not know either and just pays the fine ( this is to do with
cars, specifically if an exhaust system is an emissions component or not, it isn't ) but its no different on other
stuff like war driving, especially since its relatively new and the laws are changing, or being dragged out from
some all encompassing telecommunications laws passed in the 70's, you're just doing something odd, expect to be
treated as such.
Personal views are fine of course, especially in our community, however they're normally based on what end result we
want out of it as an individual, not what's right ,wrong or law.
We know that popping on an open AP to just check that email because tmobile isn't covering or there's some network
issue isn't in the grand scheme of things really going to harm anyone, even though its against the ISP's TOS, unless
of course we're all doing it at the same time and some chump is footing the bandwidth bills.
Police band RF is not your property regardless of where its located, its a federal offense to even be in possession
of certain types of equipment these days, good luck getting caught with something that can decode digital cellular
for instance.
Even thought crimes are possible these days and yes they can own the thoughts in your head and make you spill them,
civilly and criminally.
Open access does not give you the right to make use of it, passively or otherwise, again gratis vs libre, its a
common misconception, but it just doesn't work in a court of law, you can certainly use it as 'well your honour the
gate was open and unlocked so i took a stroll through the area' and they might take it into account, but they'll
base it on reasonable knowledge and whether or not common sense tells you that you're doing something you shouldn't.
There are some instances where being out in public view is ok, this is what cops use to look through the windows of
your car when they pull you over and notice something that gives them further entry rights, or gets them to ask you
to give them permission to search, even though its usually done in a deceiving manner, its perfectly legal for cops
to lie to you during investigations etc and get you to self incriminate, which you'll probably end up doing since
they're professionals and trained to do it, and I'd imagine they are capable of the same thing if you're war
driving, chalking or ballooning.
Anyway after all that, i'm going to go and finish up my version of etherpeg using my airpcap, enjoy the 5th of
november.
And other law. In the USA, the airwaves are literally
owned by the USA government and they never "give it away",
but they do allocate it, and lease it, and other things
with it. Any airwave usage, transmitting or receiving,
is strictly illegal, unless expressly found in the written
law of the federal government. States have no say. However,
state courts are the first place that these federal laws
are typical to find enforcement at that level.
This ownership includes light frequencies and any form
of communications or non communication purposes.
It includes IR, UV, xrays and gamma rays.
"Ignorance is no excuse."
>However police
>bands are quite legal to monitor.
I'm not going to dispute your opinion, but I will
ask you to back it up, by finding the written
law that disproves your position. ;]
>Any RadioShack sells a scanner,
Selling scanners is not the same as the "act."
You will not find a single scanner that is only
able to scan police frequencies, as that is illegal
to make, sell, own, or use.
All scanners are multiple band devices, making them legal to sell,
own and operate, until you switch to bands that are not legal.
Ask about it at ITC, Sandy's or other high end electronics store.
>and
>the frequencies the police use are published.
So you know what bands not to scan. :)
>So it's not illegal to
>monitor them.
That's 'funny' logic. I can, therefore it's not illegal.
Read the written law as that is what determines legality, almost (get a judgement is better).
>Hmmmm. I don't have time to do the research into this, and don't have
>any info either way. As always talk to a lawyer.
Or most Ham radio operators, as it was part of the training, when I took it.
Or a police officer. Call the local "front desk" in your neighbor now.
Do not call the dispatcher or 911 to get this non emergency information.
Or call any store that sells scanners. Radio Shack YMMV based on sales person
knowledge level. Plus, they want to make a sale, and earn the commission.