
Thread: found a bank using unsecure wireless

  1. #31
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Welcome to AO

    Front page
    Left Hand side
    "Edit Site Options"
    Check the little green dot into the "no" hole

    Cheers

  2. #32
    Thanks for the greets guys, alrighty thanks.

    Are we allowed to talk about wardriving in here and other things?
    If at first you don't succeed, work for Microsoft.

  3. #33
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    Last time Acidloop :
    Delete this post, re-post in GCC............
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  4. #34
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Thars a varmit loose in the dungeon.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #35
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    I was in a situation very close to yours just this year. I worked for a small medical clearing house in town and someone found a hole while trying to script into our system. They contacted us and let us know of the hole, he was about as nervous as you are right now.

    We invited him into the facility to talk about what he found, he met with us.
    We agreed that we would listen to what he had to say, and signed a Non Disclosure Agreement with him.

    Bottom line, he found the hole, we did not have him replicate it, but I got enough information from him for me to try and recreate it. I was successful and broke in the same way he did. I then located the source of the problem, recreated it, fixed it, and am forever grateful that he did find it and inform us. Otherwise it still may have been open today.

    The person that informed us was a CISSP and I believe that he did the right thing by letting us know, as Ms. Mittens will probably let you know, when you do get your CISSP and you have studied to get there, that you are also bound by the CISSP code that pretty much stated that you are obligated to report such an incident if you know about it...it's your duty.

    Just my 2 cents.

    Hope this helps with your choice.
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  6. #36
    Last time Acidloop :
    Delete this post, re-post in GCC............
    Sounds like this topic is in full swing again, no need to go around deleting things.

    I never knew about this topic until it was brought up again, and it's been a very interesting read. What other experiences have people had in regards to similar wardriving ethical situations?

  7. #37
    See, new members can make a difference hehe.
    If at first you don't succeed, work for Microsoft.

  8. #38
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Acidloop,

    I am being very serious now, so please read this more than once and THINK about it?

    I am forty years older than you............... ...........In fact I could probably beat you in a Zimmer Frame race

    OK the serious bit:

    What do you think the probability of being convicted in a court is if you and I appeared charged with the same thing?

    Errrr..........I am an adult, have a career, qualifications............etc..........? do you see what I am getting at?

    My "ethical problem" is that you may get into trouble, and this could impact on the rest of your life?

    Please be careful.......

  9. #39
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    Good call nihil, wasn't thinking about that when I posted above.

    If you want to make a difference, please be careful.

    But it is still good that you got advice first, and I hoped it helped.

    As for closing the thread, I think it is good that it was revitalized, no use being harsh about closing a thread if it still has great feedback.
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  10. #40
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Kruptos:

    If you want to make people aware of their security holes I offered in another thread to be a go between for anyone not in the SE Michigan area to pass that information back to the owner of the network _if_ you can positively identify them for me.

    I'm not interested in Joe Public's WAP in his front room, I can find a million of those just round here. But if you found a bank, medical facility, law enforcement agency who are passing confidential information in clear.... Don't go cracking their WEP to show me how 1337 you are.... then just give me a PM with the business name, address, phone, date/time of capture, SSID and a sanitized packet capture of what you can see so I can make a case for you. Sanitized means leave in the first name and initial of the last name of a capture of client data, if it's CC information just leave in the last 4 digits of the CC - same with an SSN. If it's medical or law enforcement then leave the diagnosis or other info in but make sure the name is sanitized.

    I will be happy to make contact with the owner and pass the information on while keeping you out of the picture. You will need to be contactable by me but _only_ for further verification of data. You can do that through a throwaway account at Yahoo or whatever which puts a further layer between you and me which would considerably up the costs of anyone who chooses to be really stupid - but I don't think they will.... They have to go through me first..... and I can be a tad feisty when you rattle my cage....

    Please note: I will not do this for anyone who locates an insecure WAP within 100 miles of my location at the time of the capture. eg: If I fly to Ft. Lauderdale on my way to the Keys and you send me a packet dump from Miami on the day I passed through Ft. Lauderdale then it's a "no-go". But I do have one other volunteer who lives a long way away that I could put you on to to do the same thing if he is still willing.

    Maybe we could create a network of third parties to maintain a buffer between those who want to do the right thing and those who may turn "nasty" because they are incompetent..... With a network several people could all pass the same information at the same time with only one person knowing the actual email address of the sender.... The more we put up the investigative costs for someone who doesn't appreciate the "intrusion on their happy little world" the less likely they are to pursue and the more likely they are to accept the issue and hopefully fix it...... Anyone interested? It'd be really nice to have an "international" group.... That would screw them right up....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
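
Editor's added example, not part of the original post or any forum tooling: the sanitizing rules described in post #40 (first name plus last initial, last 4 digits of a card number, same for an SSN) applied to a text export before it is shared with anyone. The `Name:` field label and the sample record are constructed assumptions.

```python
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")
# Assumption: names appear in a labelled "Name: First Last" field.
NAME_RE = re.compile(r"(?im)^([ \t]*name[ \t]*[:=][ \t]*)(\S+)[ \t]+(\S)\S*[ \t]*$")

def luhn_ok(digits):
    """Luhn checksum, so arbitrary long digit runs are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_card(match):
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw                      # not a card number: leave untouched
    keep_from = len(digits) - 4         # only the last 4 digits survive
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)              # keep spaces/hyphens so the layout is readable
    return "".join(out)

def sanitize(text):
    text = SSN_RE.sub(r"***-**-\1", text)
    text = CARD_RE.sub(_mask_card, text)
    return NAME_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)} {m.group(3).upper()}.", text)

# Constructed sample record (not real data).
SAMPLE = """Name: Jane Example
Card: 4111 1111 1111 1111
SSN: 123-45-6789
Ref: 1234567890123456
"""

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

The `Ref:` line shows why the Luhn check matters: a 16-digit value that is not a card number is left alone, so the evidence stays readable while the account data is masked.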
