Re: Netstumbling

From: Joseph W. Shaw II (jshawat_private)
Date: Wed Mar 05 2003 - 17:21:27 PST

Next message: Andrew Ruef: "RE: Netstumbling"

Previous message: stonewall: "Netstumbling - thanks for replies"
In reply to: stonewall: "Netstumbling"
Next in thread: PJD@portcullis-security.com: "RE: Netstumbling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 5 Mar 2003, stonewall wrote:

> I am interested in the reaction that list members have gotten from various
> government agencies while netstumbling.  Is there any clear guidance on the
> legality of 'stumbling?  I am talking here about just 'stumbling, not set to
> auto reconfigure the card, just assessment and locating WAPs.
>
> You cannot be in the security business without being able to assess threats.
> In this business, paranoia is not paranoia, it is due diligence.  I believe
> that anyone serious about security must be able to assess wireless zones,
> overlapping areas, buildings with multiple WAPs, etc.  But have you been
> threatened by LE personnel in the process?

Not personally, no, but I recently consulted for a case that was tried in
Federal Court that might be of interest.  The young man was talking with a
reporter from the local newspaper and was walking in downtown Houston with
a Netstumbler equipped laptop.  While walking, he happened to come accross
a network owned by a county government entity, which was noted in the
article that followed.  After the story was published in the local paper,
he was accused of hacking into their network, compromising a machine, and
loading pornography on it.  I'm happy to say he was aquited, but it cost
him a significant amount of time and money.

Personally, I've been party to reporting a very serious flaw, but chose to
do so anonymously through a third party.  While I could have used the
credibility that came with finding the flaw, especially in this job
market, I was hesitant to give them my name due to the fact that it
involved large amounts of money and confidential information.  I only
wanted them to know the flaw was there and for them to get it fixed, so I
chose to err on the side of caution.

Regards,
--
Joseph

----------------------------------------------------------------------------

Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html

Next message: Andrew Ruef: "RE: Netstumbling"
Previous message: stonewall: "Netstumbling - thanks for replies"
In reply to: stonewall: "Netstumbling"
Next in thread: PJD@portcullis-security.com: "RE: Netstumbling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Mar 06 2003 - 09:55:25 PST