|
In case anyone is wondering, no, since some replies kinda seem like as to have that conclusion; I am not asking with any intent to actually do this in the slightest. And I wouldn't even know how to do it. It came up during a lunch conversation at work and none of us were sure. I'm aware of the CFAA but I'm not sure if it applies to passive data collection. Also I'm purely curious about the case law, not whether it's moral, I assume it's generally not but I'm not a white hat hacker and don't really know what it entails either way except in the broadest sense.. taqueso posted:I thought we were talking about an open wifi. I reread and yeah that's illegal. Does the legality change if it is an open wifi?
|
#
?
Aug 2, 2019 02:43
|
|
|
|
| # ? May 31, 2024 10:25 |
|
|
Raenir Salazar posted:Is decrypting incidental internet communications illegal in US law? How would anyone even know you've done it to prosecute you?
|
|
#
?
Aug 2, 2019 02:43
|
|
|
Volmarias posted:How would anyone even know you've done it to prosecute you? I dunno, but that's also not really the point of the question. I'm not interested in whether such a law is practical, I just curious if it exists. My understanding is if you open a pcap file in wireshark it'll show the payload if it isn't encrypted. I'm curious to know if there's liability if you tried to crack open said encrypted payload; the origin of it I guess only matters if the legality is in some way contingent on it.
|
|
#
?
Aug 2, 2019 02:48
|
|
|
If I recall, there's laws about decrypting transmissions you don't have permission to (mainly for things like pay satellite TV or satellite radio), but they could probably be bludgeoned into here. Just capturing the transmission is perfectly legal, however, so the open WiFi example is probably kosher.
|
|
#
?
Aug 2, 2019 03:08
|
|
|
The way to look at radio is this way: you can capture all the radio data you want, but you cannot interfere with it and whatever you do record you cannot do anything with except solely for yourself. In theory, this means that there is nothing anyone can do to stop you from trying to decode the radio transmissions let alone record it, but if you start to disseminate the information you've acquired or use it to get leverage then you're running the risk of breaking the law.
|
|
#
?
Aug 2, 2019 03:55
|
|
|
taqueso posted:I thought you had to circumvent some kind of security measure.
|
|
#
?
Aug 2, 2019 09:53
|
|
|
Redteaming is fun as heck, but implicit in it is that it's approved by someone within the organization. Lain Iwakura posted:The way to look at radio is this way: you can capture all the radio data you want, but you cannot interfere with it and whatever you do record you cannot do anything with except solely for yourself. In theory, this means that there is nothing anyone can do to stop you from trying to decode the radio transmissions let alone record it, but if you start to disseminate the information you've acquired or use it to get leverage then you're running the risk of breaking the law.
|
|
#
?
Aug 2, 2019 14:44
|
|
|
taqueso posted:I thought we were talking about an open wifi. I reread and yeah that's illegal. I still don't think legally you can snoop on traffic on an open network if you don't have permission
|
|
#
?
Aug 2, 2019 15:15
|
|
|
Thanks Ants posted:I still don't think legally you can snoop on traffic on an open network if you don't have permission What does “snoop” mean? Receive? Store in memory? Process statistically? Store durably?
|
|
#
?
Aug 2, 2019 16:28
|
|
|
Subjunctive posted:What does “snoop” mean? Receive? Store in memory? Process statistically? Store durably? The line is generally that if you have an incidental capture and you learn you have that data you should purge it. Everything beyond that is asking for trouble. Always have permission or do it with your own data/devices.
|
|
#
?
Aug 2, 2019 16:37
|
|
|
Sickening posted:Intercepting private traffic to look at it on a network you don’t administrate is definitely breaking some kind of law. Thanks Ants posted:I still don't think legally you can snoop on traffic on an open network if you don't have permission BangersInMyKnickers posted:Always have permission or do it with your own data/devices. True, but I don't think just having rights to the local network is a legal panacea either. If I open PD's Coffee Shop and provide free wi-fi to my customers, am I in the clear legally if I capture and decrypt all traffic going by? It's my network, after all. Or (since it turns out it's actually pretty hard to decrypt traffic like that), make it PD's Internet Cafe, where I also provide the workstations. That way I can run an internal CA, push out my own root cert, and extremely effectively MITM every bit of everyone's communications. Is it legally fine for me to do this? Can I, for my own amusement, peruse the transaction history that was displayed to you when you logged into your bank account? What about if I publish it? Or publish everything I've captured, credentials, passwords and all? At some point in this scenario (and I freely admit I'm not sure exactly where), it must have started running afoul of the law, and I don't get a free pass just because I'm the legal admin of the local network.
|
|
#
?
Aug 2, 2019 16:44
|
|
|
Powered Descent posted:Or (since it turns out it's actually pretty hard to decrypt traffic like that), make it PD's Internet Cafe, where I also provide the workstations. That way I can run an internal CA, push out my own root cert, and extremely effectively MITM every bit of everyone's communications. Is it legally fine for me to do this? Can I, for my own amusement, peruse the transaction history that was displayed to you when you logged into your bank account? What about if I publish it? Or publish everything I've captured, credentials, passwords and all? Did you have the customer sign something before they used your service which included telling them this would happen?
|
|
#
?
Aug 2, 2019 17:36
|
|
|
Ranter posted:Did you have the customer sign something before they used your service which included telling them this would happen? Don't you do that by requiring them to check the "I agree with bla bla bla" checkbox when they sign in? And in that "bla bla bla" you simply state that you now own them, and they owe you their first born? True, it may or may not hold up in court, but it's easy to make customers sign anything.
|
|
#
?
Aug 2, 2019 17:51
|
|
|
D. Ebdrup posted:Redteaming is fun as heck, but implicit in it is that it's approved by someone within the organization. Yeah, I'm a red-team guy, and its always good to get your engagement scope approved beforehand, even if its an inhouse target. Volguus posted:Don't you do that by requiring them to check the "I agree with bla bla bla" checkbox when they sign in? And in that "bla bla bla" you simply state that you now own them, and they owe you their first born? True, it may or may not hold up in court, but it's easy to make customers sign anything. We have a similar warning, that is basically "If you approve us to audit a production system, it may result in it being taken offline for undetermined periods" I've had to reject Pen Tests in the past for basically telling us that they wanted us to Pen Test, but we couldn't actually do any social or technical pen testing. CommieGIR fucked around with this message at 18:39 on Aug 2, 2019 |
|
#
?
Aug 2, 2019 18:05
|
|
|
CommieGIR posted:I've had to reject Pen Tests in the past for basically telling us that they wanted us to Pen Test, but we couldn't actually do any social or technical pen testing.
|
|
#
?
Aug 2, 2019 18:24
|
|
|
D. Ebdrup posted:Sounds like they wanted to check a box on some paper handed down from the PR department, rather than try and not be as insecure as possible. Pretty much, and I know some guys who will do just that, because it largely doesn't come back on the Audit firm.
|
|
#
?
Aug 2, 2019 18:39
|
|
|
CommieGIR posted:Pretty much, and I know some guys who will do just that, because it largely doesn't come back on the Audit firm.
|
|
#
?
Aug 2, 2019 18:44
|
|
|
D. Ebdrup posted:Just one more reason for the pile as to why IT should have liability insurance like any critical infrastructure employment. Yup. And the trick is that most insurance companies won't just accept check box audits as collateral, they want full reports proving you are doing your due diligence with your audits.
|
|
#
?
Aug 2, 2019 18:51
|
|
|
When thinking about infosec and the law, remember that people have been prosecuted for downloading data that was available on a zero-security webserver which they didn't have permission to download. The legal world is not like the technical world. Judges and lawyers are comfortable with shades of grey and interpreting the letter of the law. You absolutely could get in legal trouble for snooping on open wifi, while you never would from listening to someone talk on CB radio despite the fact that these are technically both unencrypted radio traffic. Any reasonable person who uses a CB radio knows they're not private. Most people think wifi is.
|
|
#
?
Aug 3, 2019 03:54
|
|
|
https://twitter.com/Gaohmee/status/1157505368383082498 ESA apparently leaks personal information of more than 2,000 E3 attendees
|
|
#
?
Aug 3, 2019 05:47
|
|
|
Klyith posted:When thinking about infosec and the law, remember that people have been prosecuted for downloading data that was available on a zero-security webserver which they didn't have permission to download. Yup. Most hacking, even ethical hacking, is a very grey area legally.
|
|
#
?
Aug 3, 2019 12:12
|
|
|
Guess we're going to find out how grey: https://twitter.com/NSQE/status/1157440172759216128
|
|
#
?
Aug 3, 2019 17:17
|
|
|
Absurd Alhazred posted:Guess we're going to find out how grey: But now they have to deal with Microsoft lawyers as github is now by m dollar sign.
|
|
#
?
Aug 3, 2019 22:22
|
|
|
Raenir Salazar posted:decrypt some of them without acting maliciously this bit is the inconsistency
|
|
#
?
Aug 4, 2019 04:49
|
|
|
https://twitter.com/whid_injector/status/1157976716196941824?s=21 This is how you get on a list somewhere.
|
|
#
?
Aug 4, 2019 15:56
|
|
|
Klyith posted:The legal world is not like the technical world. Judges and lawyers are comfortable with shades of grey and interpreting the letter of the law. You absolutely could get in legal trouble for snooping on open wifi, while you never would from listening to someone talk on CB radio despite the fact that these are technically both unencrypted radio traffic. Any reasonable person who uses a CB radio knows they're not private. Most people think wifi is. For a great example, remember that Google lost their case about their Street View cars capturing WiFi signals. Not hacking networks, just capturing traffic that has been broadcast openly on public radio spectrum for anyone to see. If an org with an army of lawyers like Google lost what should have been an open and shut case from a technical perspective, that should tell you how fucktarded the courts are on this topic.
|
|
#
?
Aug 5, 2019 14:42
|
|
|
wolrah posted:For a great example, remember that Google lost their case about their Street View cars capturing WiFi signals. Not hacking networks, just capturing traffic that has been broadcast openly on public radio spectrum for anyone to see. I'd have to look it up, but wasn't the issue more that they archived all the traffic they captured?
|
|
#
?
Aug 5, 2019 15:24
|
|
|
wolrah posted:For a great example, remember that Google lost their case about their Street View cars capturing WiFi signals. Not hacking networks, just capturing traffic that has been broadcast openly on public radio spectrum for anyone to see. Jurisdiction is very relevant here.
|
|
#
?
Aug 5, 2019 15:25
|
|
|
Proteus Jones posted:I'd have to look it up, but wasn't the issue more that they archived all the traffic they captured?
|
|
#
?
Aug 5, 2019 15:28
|
|
|
Indeed. quote:The company admitted publicly in May 2010 that it had collected the data, which the FCC said was not a breach of US laws. The fine was for obstructing the investigation, not the collection, and it was trivial.
|
|
#
?
Aug 5, 2019 15:30
|
|
|
Subjunctive posted:The fine was for obstructing the investigation and it was trivial. 
|
|
#
?
Aug 5, 2019 15:37
|
|
|
Subjunctive posted:Indeed. Imagine fining google 25k.
|
|
#
?
Aug 5, 2019 15:39
|
|
|
Proteus Jones posted:I'd have to look it up, but wasn't the issue more that they archived all the traffic they captured? Changing frequency over to the analog cordless/cellular or WiFi bands shouldn't change anything. Obviously it does legally in some places, but that was the point of the discussion. I was replying to Klyith's post to support it with what I thought was a good example. I apparently wasn't paying enough attention when that fine came down, I didn't realize it was for not cooperating with the investigation, apparently the law in that case went the right way. Subjunctive posted:Jurisdiction is very relevant here. I'd be interested to see the affects on wardriver stats when this case hit the news too, how much of an impact did it have on the number of open vs. encrypted APs out there...
|
|
#
?
Aug 5, 2019 19:30
|
|
|
It's all radio waves, but it's not ridiculous to expect that point-to-point communications are going to stay that way. That's far more of an important factor than the exact frequencies used. It's also reasonable to expect that a very short range signal like wifi isn't being captured.
|
|
#
?
Aug 5, 2019 19:55
|
|
|
All of this is more an argument about the legal system being dumb tbh
|
|
#
?
Aug 5, 2019 20:04
|
|
|
Dylan16807 posted:It's all radio waves, but it's not ridiculous to expect that point-to-point communications are going to stay that way. That's far more of an important factor than the exact frequencies used. Given that virtually all urban dwellers can see someone else’s wifi from wherever they are, I think it might be hard to claim an expectation that the range of wifi will protect it. Also, modern OSes often warn that open networks are insecure.
|
|
#
?
Aug 5, 2019 21:56
|
|
|
Security alert: Your WiFi is currently broadcasting an ssid. With this ssid, someone can immediately begin attacking your WiFi!
|
|
#
?
Aug 5, 2019 23:40
|
|
|
Not My Wi-Fi!
|
|
#
?
Aug 5, 2019 23:59
|
|
|
Dylan16807 posted:It's all radio waves, but it's not ridiculous to expect that point-to-point communications are going to stay that way. That's far more of an important factor than the exact frequencies used. quote:It's also reasonable to expect that a very short range signal like wifi isn't being captured.
|
|
#
?
Aug 6, 2019 15:45
|
|
|
|
| # ? May 31, 2024 10:25 |
|
|
Anyone out in Vegas for hacker summer camp this week?
|
|
#
?
Aug 7, 2019 08:50
|
|
