What if you saw someone using a pineapple in public, clearly using it illegally? Would you kung-fu them?

[eddiek85]

So, here's a fun hypothetical scenario for you:

You're at a busy cafe on your computer when you notice a guy across the room has a pineapple on, poking out of his backpack. Now, a number of things could be going on. Maybe he's fiddling with some settings and doing something non threatening. There is no real way to tell though, so let's assume that we're quite certain that he is up to no good...

What would you do?

That brings me to a second question: What could you do? Could you just grab his arms, "Gotcha b!*7ch! You're not going anywhere!" Then call the cops on him? I mean... Really, that'd be extreme- something I'd never do. There are some paranoid people out there though who might have a vague idea of what a pineapple has the potential to be used for. It also wouldn't be unreasonable to assume that the guy is stealing personal information like credit card info, passwords, etc.. The funny thing is, if someone went into a wallet I dropped and copied all the card numbers and id, then I would definitely give him the one two combo to the nut sack.

Just an entertaining question. What would you do? How far could someone go if they caught you using one in public? Can they legally beat you down just as you'd legally be able to beat someone down for stealing your wallet?

Thanks guys.

Edited July 22, 2014 by eddiek85

[no42]

depends on the version of the pineapple ;)

[overwraith]

If they are transmitting the information in a way in which the pineapple can read it, then I don't think it is illegal (don't quote me on this, but we might want to read up on wiretap laws). I could be wrong, but it would pretty much have to be on a clear text network in order to do this. In which case you would probably be charged with assault for grabbing him, and he could have deniability if he was encrypting his SD card with that new infusion. If you see somebody doing this pineapple thing, then probably best not to do business at the store in question (if they can exploit it, then they are not protecting their customers). I suppose the pineapple owner could crack through the encryption by grabbing the network's handshake and come back to the store, in which case it would be illegal to pineapple the place. If anybody else has links to the relevant laws please link us to them.

You also don't know if they are a legitimate pen tester, these are toys, not guns!

Some day when we all have Aiden Pearce phones it won't matter anyway, cuz it won't be that obvious.

Edited July 22, 2014 by overwraith

[Hamclock]

It also wouldn't be unreasonable to assume that the guy is stealing personal information like credit card info, passwords, etc..

It wouldn't be? I disagree. Just because the Pineapple is capable of bad things doesn't mean that's all it does. I saw a question on the Information Security SE site a while back where the OP suspected someone was hiding a Pineapple, and wanted to know how to find it so they could have the person arrested.

I whip out my Pineapple in public all the time. I've got a battery it can run off of, and I'll sometimes turn it on when I'm on a city bus or in a restaurant. I connect it to a public WiFi access point, and it broadcasts a WPA2 network I can connect my devices to that adds some protections and conveniences I like to have. It routes all my traffic through a secure VPN, adds some custom DNS entries and blocks, and facilitates direct connections between my own devices (many public networks don't allow this between 2 devices on their network in my experience). Setting that all up within iOS or Android is a pain, but the Pineapple can do it with ease.

Sure, I could click a couple buttons in the web UI and start intercepting text messages and stuff (did you know some carriers send SMS messages over WiFi when they can? Without even trying to use SSL? I know!), but that doesn't mean I actually do. It's for this reason that I wouldn't make the same assumption about someone else.

To answer your question directly: What would I do? I'd probably walk over to them and say "hi." They're probably an interesting person to talk to, and I'm always interested to network with other hackers in my area.

[Computer_Security]

I dont know about you but I would go over to the guy and give him a pat on the back and start up a conversation with him....

I think that it would be great to find a fellow hacker thats just me though

[overwraith]

My thoughts exactly, you can't just assume somebody is black hat just because they invest in things that could be used for black hat things. There are plenty of things in life that could be used as weapons or things of that nature, but are necessary or fun. Most things in IT in general could be misused, are all programmers then malicious? Programmers are makers of tools, and tools just like a hammer can build or destroy.

I might peel my sticker off my model for fear of being kung-fo'd.

Edited July 23, 2014 by overwraith

[cooper]

Yeah, have a chat or just pack up and leave.

Interesting aside: My ex-gf used to go to these seminar type things all the time given at the homes of friends and acquaintences. I'd drive her over, send her on her way, park nearby, whip out my laptop and try to spend my time productively. About 50% of the time someone would walk up to the car and ask, often times quite aggressively, wtf I was doing. I'd calmly explain the situation and people were always fine with that, but apparently tapping away at your laptop from within a parked car is quite suspect to a lot of people.

[bytedeez]

I think I would whip out my pineapple and let the games begin. Deauth what?

Edited July 23, 2014 by damavox

[overwraith]

I did not know that people would do that to a person who merely has a laptop. So apparently now playing candy crush is illegal or something. We're in 'merica people! Free country.

[barry99705]

I did not know that people would do that to a person who merely has a laptop. So apparently now playing candy crush is illegal or something. We're in 'merica people! Free country.

Cooper's not though.

One of my coworkers actually had the police called on him once for working on his laptop in his company car. Depending on who you ask, he either looks like a white Amish dude, or a white Jewish dude. White guy, big bushy beard. Now at the time our cars has a big company logo on the back window, something your average terrorist isn't going to have. He happened to be in the territory of one of our police clients, so when they rolled up on him they had a pretty good laugh.

[cooper]

I did not know that people would do that to a person who merely has a laptop. So apparently now playing candy crush is illegal or something. We're in 'merica people! Free country.

I was mostly coding and occasionally watching some movie or series when I couldn't be arsed. And I'm very much not in Hamurrca - people didn't call the cops on me or chase me away with guns drawn.

I've had people come up and ask if I might be the reason their Wifi was behaving spotty, asking about my car (like they really give a shit...), complaining about the engine running every 30 minutes or so (I had a Prius at the time with one of those 220v adapter things in the cigarette lighter to power the laptop which would drain the battery causing the car to start to recharge. You want to save the world? Stop breathing our precious oxygen) but mostly it was a knock on the car window followed by the dutch equivalent of "What the hell do you think you're doing?"

This was invariably in residential areas and typically from around 7:30pm to 10-ish. It wouldn't be uncommon for kids to still be out at the beginning of this. I'd normally try to park on the lot of a supermarket or fast food joint or whatever, not in the least because I'd be able to get out and get something to drink or have access to a toilet, but here people were also a bit less bothered. You'd get looks, but that would pretty much be it. But oftentimes something like that just wasn't sufficiently nearby. I was never asked or made to leave.

[Sitwon]

1. Collect as much evidence as you can without alerting them.

2. Inform the owner of the establishment, or whoever is in charge.

3. Inform the police (and follow their instructions.)

There is an interesting philosophical question of whether you should disclose first to the patrons who may be getting pwned, and in so doing alert that attacker that they have been busted. Alternatively, you could discretely inform the relevant authorities and ensure the attacker gets caught and prosecuted, but in the interval you are putting the patrons at risk.

In my opinion, it is better to see the criminal go to jail and be punished in this case, as their ability to do harm in the interval is fairly constrained, and once charged they can be held accountable for what harm they may have caused.

Conversely, if I noticed someone with weapon who clearly intends to cause violence, I would warn people first, even at the risk of the criminal escaping.

Edited July 24, 2014 by Sitwon

[jmelody]

TIL using my MKV in public (for my own safety), and being a young looking white male with hair on my face, will be the cause of the police shooting me and my dog.

I have to agree with some of the other posters here.

1. Go talk to someone with a similar interest as you

2. Leave because you feel unsafe

3. Deauth what?

Your title says "clearly using it illegally". Your post says you see an antenna sticking out of a backpack. I live in the bible belt, and come across people with FOX News knowledge daily. Don't be that guy/gal who causes a fellow human more stress than they already have to deal with because you "know" their up to no good. When the fact is you're jumping to conclusions. Did you ever think that this person was keeping their pineapple in a backpack so people like you wouldn't point the righteous finger at them and proclaim "1337 H4x0r!!!"?

As Sitwon posted, Collect as much evidence as you can. When I first got my pineapple, I was ecstatic when the smallest thing went right. I'm sure I did the Mr. Burns "Excellent" move countless times. Was I up to no good? Not in the slightest. Could I have been seen as doing something illegal to someone with your knowlage? Apparently.

[Sitwon]

Yes. I should have clarified that my post was based on the assumption that you had already positively established that they were intent on committing a crime. If there is any ambiguity, please avoid jumping to conclusions.

Someone having a WiFi pineapple sticking out of their bag, or even sitting on the table next to their laptop is not proof of illegal activity. That has been me and the other members of the Project Byzantium team on more occasions than I can count. We weren't doing anything illegal, just meeting up at a cafe to hack together on mesh networking for emergency response.

@jmelody, if you think you need to be worried, I'm brown and commonly mistaken for middle eastern.

[newbi3]

Just to clearify here:

Having a pineapple is not illegal, having someone connect to your pineapple is not illegal, changing you ssid to something that people might want to connect to is not illegal, using karma to get someone to connect to you thinking they are connected to something else IS illegal. And after someone connects to you running SSL Strip to collect personal data IS definitely illegal unless you have the users consent to it first.

[cooper]

Using karma to get someone to connect to you thinking they are connected to something else IS illegal.

I'll believe that when I get a reference to the law that specifies it. To the best of my knowledge there's absolutely NOTHING illegal about lying to someone.

Hell, the police are themselves explicitly allowed to lie to you during questioning. Case in point, a large group of street racers were apprehended, hauled off to the police station and told the police had them on video doing their race so they should just sign this confession and get it over with. Except for 1 person, all of them signed. The signed people got a stiff sentence. The guy that didn't sign walked because there was no video.

This was in The Netherlands but it works out the same way in the US and, I'm quite certain, other contries aswell.

I think using SSL Strip to remove encryption is gray area.

Using the information you've uncovered via this spying for anything that the sending individual did not intend is illegal (or at least ought to be).

Edited July 28, 2014 by Cooper

[barry99705]

I'll believe that when I get a reference to the law that specifies it. To the best of my knowledge there's absolutely NOTHING illegal about lying to someone.

Hell, the police are themselves explicitly allowed to lie to you during questioning. Case in point, a large group of street racers were apprehended, hauled off to the police station and told the police had them on video doing their race so they should just sign this confession and get it over with. Except for 1 person, all of them signed. The signed people got a stiff sentence. The guy that didn't sign walked because there was no video.

This was in The Netherlands but it works out the same way in the US and, I'm quite certain, other contries aswell.

I think using SSL Strip to remove encryption is gray area.

Using the information you've uncovered via this spying for anything that the sending individual did not intend is illegal (or at least ought to be).

This falls under the wiretapping laws.

[overwraith]

He is in the Netherlands though, so don't know what his laws would be called.

[barry99705]

He is in the Netherlands though, so don't know what his laws would be called.

aftappen wetten

[cooper]

How are you tapping anything? The problem is that YOU CHOSE TO CONNECT TO ME.

To make things simpler. You're in a hardihar mood and name your AP "starbucks" because you're into Battlestar Galactica or whatever. Some commerce junkie walks past your home and his phone connects to your AP because, hey, it's a starbucks... right? And now YOU'RE in the wrong?

There's a law out there that says doing this is illegal? Wiretapping even!? I find this VERY hard to believe. How the hell are you supposed to know what combination of letters and numbers make an SSID that you place trust into?

Things might get murkier when you've got Jasager/Karma basically inticing your wireless device to connect to it because you're willfully impersonating an otherwise unknown device, but seriously, when you're having a drink on a terrace and you see your home AP appear, with decent signal even, shouldn't you stop and wonder how the hell your house tagged along for the trip downtown without you noticing?

An argument can be made for wiretapping when (and ONLY when) you've setup an AP identical to the real one on a different channel and then proceed to jam, deauth or otherwise incapacitate the real one. In this case a connection that a person can reasonably expect to exist and be secure is 'rerouted' in such a way that an unauthorized person can listen in. That this falls under wiretapping laws makes sense. The rest... not so much.

[jmelody]

Though I'm no practitioner of law, but I believe Cooper is right. When someone "willingly" connects to you, they give "consent". Using Jasager/Karma to get a target to connect to you might be something difficult to defend in court. Naming your AP something that others have theirs named (even starbucks) should not be illegal. Just as I've talked to others about in person; Many people drive cars but don't know how to change their oil or a flat tire. They know that the key/button makes the car start, and they know how to make it go where they want. The same goes for wireless; They connect to one of those names on the wireless list, and they can type example.com to make it go where they want it. If you're not able to click the box that says "Auto connect to this network when in range", I see it being no different from ignoring the light that says "check engine".

[Sitwon]

The application of the law has much less to do with what might actually be happening, and more to do with the judge's impressions of people's likely intentions and common sense.

For example, the whole "reasonable expectation of privacy". What is "reasonable" is entirely up to the judge's discretion. If the judge thinks you've violated a persons "reasonable expectations" then you're guilty.

It's unsafe to make assumptions about what is or isn't legal under the law based on an informed and rational understanding of the technology. The prosecutors, judge, and jury will not have such luxuries, and their resulting decisions may seem arbitrary.

Edited July 29, 2014 by Sitwon

[barry99705]

I was talking about karma. Also your comment about ssl strip is wrong. And yes, this could fall under wiretapping laws, just ask Google. They got their ass handed to them for keeping shit that was transmitted in the clear. Now imagine if they were actively pretending to be legitimate wireless networks.

Edited July 30, 2014 by barry99705

[cooper]

The Google situation is WILDLY different:

Google scanned for unencrypted wireless networks as broadcast by their APs, connected to them and performed some sort of scanning of that home network to determine what was there. They 'hacked' the AP and/or its hosted network.

The Pineapple pretends to be the unencrypted AP you occasionally connect to and then simply MITMs anything that connects to it. It's a honeypot AP that can be used to hack any client that connects to it, but until you hack the client I don't see the harm.

When questioned you could simply say that you're using the pineapple to provide (to yourself) legitimate wireless access at your current location using some remote wireless access point that you're authorised to use since the wifi in your own device is so piss-poor it can't get a decent signal from it. It shouldn't be your problem that other people in that same location can tag along on your connection. Hell, you're providing a SERVICE here!

Edited July 30, 2014 by Cooper

[barry99705]

The Google situation is WILDLY different:

Google scanned for unencrypted wireless networks as broadcast by their APs, connected to them and performed some sort of scanning of that home network to determine what was there. They 'hacked' the AP and/or its hosted network.

The Pineapple pretends to be the unencrypted AP you occasionally connect to and then simply MITMs anything that connects to it. It's a honeypot AP that can be used to hack any client that connects to it, but until you hack the client I don't see the harm.

When questioned you could simply say that you're using the pineapple to provide (to yourself) legitimate wireless access at your current location using some remote wireless access point that you're authorised to use since the wifi in your own device is so piss-poor it can't get a decent signal from it. It shouldn't be your problem that other people in that same location can tag along on your connection. Hell, you're providing a SERVICE here!

No, that's not what they did at all! They were logging access points for their location tracking software. The software was keeping all the traffic it saw while they were driving around instead of just the location info. The did no scanning of the internal networks. Technically all they were doing was wardriving with the streetview cars.