Jump to content

U.S. Senator Calls Wi-Fi Pineapple "Major Theft, Scary"


farfel
 Share

Recommended Posts



25 February 2015


Sen. Bill Nelson (D-FL):


"What about the device called the Pineapple? I had no idea this device existed. Here is what it does: If I go into a Starbucks and use their wireless Internet, someone could be sitting outside of that Starbucks in their car, or at one of the outside tables, with this device called a Pineapple, and instead of my wireless device using Starbucks' Internet system, it is on that Pineapple device and all of my communications are going directly to that person, and that person is able to steal all of my private information. That is a major theft. This is scary. Yet that device has been around for several years.


"We have major privacy questions. The Presiding Officer, who is a member of the commerce committee, knows that we are going to be grappling with these issues, along with other committees, such as judiciary, on the right to privacy.


"In the meantime, we have raised these issues with the FCC on this most recent detailed expose about this device called the stingray. If it is employed for our national security and our personal safety, which is the job of the government, then it is a good thing; however, if it is employed for other reasons, such as invading our constitutional right of privacy, that is another thing.


"It is time for us to stand up for the individual citizens in this country and their right to privacy. I yield the floor. I suggest the absence of a quorum."

Link to comment
Share on other sites

What they won't tell people is that penetration testing is a legitimate job occupation whereby tools like these are a necessity to securing corporate networks. Also, almost anything in IT can be used either for black or white hat purposes, programming, databases, google, etc. For instance I can use my programming skills to either create time-bombs that will empty the corporate database as soon as they fire me, or I can code legitimate apps for my customers. What matters is the moral fiber of the individual. As far as databases go, the NSA has databases I am sure, whether what they do is legitimate is up to interpretation, but they claim to have good intentions. How about google? I can use google to cyber stalk individuals, gathering information on them, or I can use it to help me find code for my next coding project. Many places have "hack tools" that are necessary to the smooth running of IT, for instance did you know that wireshark makes some wifi dongles that can decrypt WPA2 networks provided you have the password. They advertise it as an admin tool, but what if I collected the handshake of the wifi router, hacked it, and then used this sniffing tool? Another thing is generic networking switches and routers with mirroring ports. Is that not technically a form of hacking? Another thing, how is what the feds do not hacking? Have you ever used autopsy for recovering data on your hard disks? It could be used for ill intent, but many police digital forensics people use it all the time. You could grab that tool, and go to the local computer surplus store and "recover" anything that was not purged by them. Also we know that the NSA has used exploits on google, and other such companies, so why does he not speak of them? What hak 5 is doing is serving legitimate interests of pen testers, and getting the rest of the community interested in these toys so they can in turn enforce good security rules in their places of business. Ultimately the hacks that occur in the wild do drive change in the IT community. There's another thing, china gets a lot of it's intrusive infrastructure from legitimate companies in the US and Europe. Like I said earlier what matters is the intent behind the objects. I am not condoning black hat hacking, far from it (although I do sometimes play the devils advocate, don't take it too seriously). So how do we regulate who gets what hacking gear? I don't think that's a good route to go down for a couple of reasons. First, the government can't find it's butt with both hands, secondly I knew nothing about hacking before I met the hak 5 group, and now I know more about securing my network than I ever did. This is a learning experience for lots of interested hobbyists around the world. So if you see this senator kick him in the knees for me(but don't really I am sure he has security guards), or deauth him from the network.

Edited by overwraith
Link to comment
Share on other sites

Look if this thing goes any further the FCC will be called to a Congressional hearing as to why they have authorized these products for sale. And to respond they may withdraw the authorization and send a van over to Darren's garage to collect the stock.

This is not dissimilar to what happened to Bob Grove, who sold wideband scanners until he was grilled over an open flame before a Congressional committee. I was there. (His merchandise -- made by reputable manufacturers (aka Bearcat) were authorized under the rules at that time.)

I expect a fine fire sale before that happens. It is not unlawful to manufacture or sell products that have FCC authorization, but all it takes is a cease-and-desist letter to Darren to satisfy Congressional offices. Meanwhile 'pro' pen-test gear will continue on the market.

Link to comment
Share on other sites

I hope this doesn't mean I will have to get a hardware degree to go with my programming degree simply to fuel my obsession with hack tools. The amount of learning I have on my plate is just getting silly. argh.

Also if they loose the pineapple I won't have a forum to haunt any more. That is like their flagship.

Edited by overwraith
Link to comment
Share on other sites

That got me wondering... can they even do that??

No, they can't. That link is to the section in the FCC's rules (which aren't hosted by the FCC for some reason...) which apply to revocation.

When you read that, remember that A 1-4 and B are about denying the application before it's been granted and only C is about withdrawing a previously issued certification which explicitly allows a 'suitable amortization period for equipment in hands of users and in the manufacturing process' even when they change the certification rules such that wifi communications would be banned wholesale.

Link to comment
Share on other sites

Did they mention that you can make a something like the WiFi Pineapple out of a Raspberry Pi? Hak5 is only offering a service to people what people do with a WiFi Pineapple is out of darren's and hak5's hands. It's like trying to hold a company responsible for someone using a kitchen knife to murder people with.

You are responsible for your own actions when your using the WiFi Pineapple so they shouldn't try to shut down hak5 if they were planning it.

We can debate this all day but at the end of the day if i wanna use my WiFi Pineapple to steal millions of credit cards i can't hold hak5 responsible for me doing that.

Edited by ZaraByte
Link to comment
Share on other sites

Did they mention that you can make a something like the WiFi Pineapple out of a Raspberry Pi? Hak5 is only offering a service to people what people do with a WiFi Pineapple is out of darren's and hak5's hands. It's like trying to hold a company responsible for someone using a kitchen knife to murder people with.

You are responsible for your own actions when your using the WiFi Pineapple so they shouldn't try to shut down hak5 if they were planning it.

We can debate this all day but at the end of the day if i wanna use my WiFi Pineapple to steal millions of credit cards i can't hold hak5 responsible for me doing that.

Honestly it's a lot like the gun debates. I am all for buying dangerous things to protect one's self with, or just have some plain old fun at the shooting range. Pineapple is very similar, is used to test network settings, and have some fun with your users who signed a contract to test these types of things.Pineapple can also protect you indirectly by showing users how they can be exploited.

Edited by overwraith
Link to comment
Share on other sites

The Pineapple is hardware, a suite of software tools, and a custom web interface to bind it all together. The software tools are all freely available for (or included in) multiple operating systems, so that can't be the objection. So it must be either the hardware or the custom web interface. I wonder how the senator feels about the fonera, Pwnie Express products, or even laptops and WiFi dongles (and yes Raspberry Pis)?

One could even argue that a laptop would attract less attention at a coffee shop than a pieapple, and is therefore more easily concealed.

I'd like to think that organizations like the EFF are rationally educating politicians like the senator. But unfortunately there's no cure for ignorance driven by hubris.

ps: I realize that Version 2 is more than just the interface, but open source is open source.

Edited by fringes
Link to comment
Share on other sites

ps: I realize that Version 2 is more than just the interface, but open source is open source.

They can outlaw hack tools, but that doesn't mean people will stop making hack tools. ;)

It just means the law abiding citizens wont have access to them. :(

Edited by overwraith
Link to comment
Share on other sites

Also, I like the firearm analogy. Here in the US, the lower receiver is the part of the rifle that gets a serial number. If you want an AR-15 without a serial number (a shadow ghost rifle), you can buy the barrel, stock, upper, various assemblies, etc. and then buy a piece of blank stock for the lower receiver along with milling and drilling jigs. And if you're handy with a router and drill, Bob's youre uncle.

So what would Congress and this administration ban on the pineapple? Could they require Hak5 to only provide kits where you have some small aount of assembly, or would they define some class of devices includes the pineapple (and probably smartphones and laptops) and ban it's ownership or use?

I can say I don't believe this could ever go anywhere, but with some of the stupid technology legislation we've seen in the past decade or so, I'd likely be wrong.

Edited by fringes
Link to comment
Share on other sites

So I am wondering if the OS and tools (most of which is open source) were freely available they would really only be able to ban the hardware, but since it's just a router really they wouldn't have any ground to stand on. Computer software can fall under freedom of speech and or expression. The only part that really isn't open source is the OS (that and the hardware, but it's just hardware. ).

Link to comment
Share on other sites

And if you're not handy with a router and a drill, you buy a Ghost Gunner which does all the heavy lifting for you.

Plus, this senator is probably baffled by his bloody VCR... He only upgraded from betamax last month. (As that scetch we all know would put it, "He's a serious 12:00 flasher")

Link to comment
Share on other sites

Seriously, you can print pistols. (Not good ones.) But there is not a lot of rational thought going on in our government. It's mostly knee-jerk, based on some political ideology or world view, and ends up being bad for the country.

I wish we had more freedom loving thinkers.

Link to comment
Share on other sites

Seriously, you can print pistols. (Not good ones.) But there is not a lot of rational thought going on in our government. It's mostly knee-jerk, based on some political ideology or world view, and ends up being bad for the country.

I wish we had more freedom loving thinkers.

preservationdemotivator.jpg

Link to comment
Share on other sites

And if you're not handy with a router and a drill, you buy a Ghost Gunner which does all the heavy lifting for you.

Plus, this senator is probably baffled by his bloody VCR... He only upgraded from betamax last month. (As that scetch we all know would put it, "He's a serious 12:00 flasher")

Cooper, have you seen this? http://www.zazzle.com/your_congressman_may_be_a_12_00_flasher_bumper_sticker-128265038307565884

And the Ghost Gunner looks cool (even at $1500). BTW, I read somewhere that actually printing a firearm is illegal. Is that even possible?

Link to comment
Share on other sites

Cooper, have you seen this? http://www.zazzle.com/your_congressman_may_be_a_12_00_flasher_bumper_sticker-128265038307565884

And the Ghost Gunner looks cool (even at $1500). BTW, I read somewhere that actually printing a firearm is illegal. Is that even possible?

Depends on where you live. In the US you can manufacturer your own firearms. You can't make them full auto or suppressed. You also aren't supposed to make them where guns are banned.

Link to comment
Share on other sites

  • 4 months later...
Wow this conversation went off the reservation..... Let's not forget Ted Stevens and his "The internet is a bunch of tubes." comment.


The issue these folks have with the pineapple is not that it's being sold. The issue is that there aren't any hurdles in the way of someone installing something like SSLstrip. I have to admit I was in the same boat as this senator was until I got my own pineapple and found out how useful they are when you get past the cafe SSL senario. In point of fact the WiFi pineapple did what it was intended and made people aware of a major security issues with ssl and how wifi clients work. I chalk up the negative attention towards the pineapple as Darren just being a good showman. He did such a good job in his debut demo of the pineapple that he scared someone. Next time pretent to break a sweat, and make it look a little harder bro.


Just remember the opening of the declaration of independence blames King George for sending an army of Bureaucrats to eat out our substance. Sounds all to familiar today.


We really need an age limit on congress. If you're so old you can't drive a car you should not be allowed to drive a whole nation!


More strict language to reign in the courts is also needed. I'm all for a 5 year limit to all government positions unless you progress. And gov pensions should be no more than beer money because it's service to the public not to thy self. I've see too many worthless people that milk the system and I find it disgusting. Most people read the Constitution and stop after the first two articles, but if you pay attention to the size and scope of the first two Articles vs Article III - Article 3 basically says NOTHING! It amounts to something like "Judges have to be good boys and girls or they can't be a judge anymore and you can't dock them any pay." It also talks about Treason, but seriously glazes over the fact there is no control over the courts.... A POLICE state ensues as the result of a court system that has run a muck.. There is nothing in Article III saying Judges even need to side with the Constitution or Congress, or even need to keep the checks and balances. We have the secret courts to prove that fact.


All of your end points are belong to me :ph34r:

Link to comment
Share on other sites

what is needed is a background check before you can buy any tools such as the Pineapple. That will keep these devices out of the hands of those that cannot be trusted. I mean, look at it, it is tactical black! :ph34r:

Yea, that's all I need. Another damn background check...

Link to comment
Share on other sites

If they start requiring that Hak 5/ the devs should really consider open sourcing it, and dumping the designs on the internet. :grin: Just a suggestion. You know use an anonymous upload etc. That would put a fly in the ointment of any would-be politician! Of course then the devs would loose revenue, so I am only suggesting it as a last resort.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...