[Full-disclosure] WEEPING FOR WEP

[Michael Holstein]

>    * Intent: This is a biggie. If someone trespassed on your
> private network through an open wireless access point, then proving
> digital trespassing can be very difficult. However, if the user
> must bypass your minimalist WEP security, then they clearly show
> intent to trespass.

Accessing it is different than listening to it. Assuming I don't do ARP 
replay or other L2 games because I'm impatient, I've never really 
"trespassed" since you were blasting your signal into a public area, and 
it's an unlicensed band.

(IANAL .. anyone have a case law link for the above conjecture?)

> Consider WEP like a low fence around a swimming pool. Without the
> fence, you are in trouble if a neighborhood kid drowns in the pool.
> It's an "attractive nuisance". However, with the fence, you should
> be covered if a kid climbs the fence and drowns. It's still bad,
> but you have a standing to refute blamed since you put up a
> barrier, even if the barrier was minimal.

Depends .. can they convince the jury that your fence wasn't *really* 
tall enough? Remember .. here in the US, store owners get sued because a 
burglar falls through the roof during the course of a break-in.

Put another way, if I use a system known to be ineffective (a twist-tie 
on a gate lock, to use the above "pool" example) it could be plausibly 
argued that you in effect made no effort at all.

Once someone writes a network widget that automates the (capture -> 
crack -> connect) process, it could probably argued the same way for WEP 
(again .. IANAL).

~Mike.