Help with legality of certain things?


AtariJaguar

1 - Is it LEGAL to set your wifi receiver to monitor mode, and collect packets in the open air? I've heard that this is legal SO LONG as you don't attempt to decrypt (or crack) any traffic that is encrypted. Can you guys confirm? There seems to be a court ruling in 2012 that confirms this, but I don't really see anything after that, so is that the final word, essentially?

2 - Is it legal to (when staying at a hotel) packet sniff the hotel wifi, or wired network? Technically, most hotels have "open" WiFi, but it requires registration before you'll be given a DNS connection that will allow you to access the internet.

3 - Adding on to #2, can you connect to one of these networks that are technically "open" at the association point, and once on, run discovery tools like NET DISCOVER (ARP responses), and run NMAP? I mean, as long as I'm not altering anything, or attempting to change anything, is there anything wrong with this?

4 - I totally understand that using a Pineapple in pretty much any perspective, other than within your own home is totally illegal; however, is there any way to use it in the wild, but make it legal? Like... is there a way that perhaps you can use it, but have it not connect back to the internet (provide no connection back out obviously) and have a relay page that says... "NOT A VALID NETWORK, PLEASE DISCONNECT?"

5 - Is it legal to send "De-authorization" packets to devices that are connected to a private wireless network, and then sniff their reconnection traffic? EVEN IF... I have no intention of using that data or attempting to connect to the AP for which I sent those de-auth packets?

6 - Finally, totally hypothetical question here... let's say I had a friend (haha) that accidentally ran a tool that attempts to brute-force an AP using the 4-digit pin attack on the WPS feature... ok, let's say this friend accidentally did it to some random neighbor's Wifi AP, but didn't realize it until a few minutes later that he wasn't actually doing it to the one that he had set up purposely for the point of doing this. And, let's say that it only ran for a few minutes and never got through anyway? What laws were broken, if any?

Thanks guys, I appreciate it.

For number six, while I seriously doubt that was completely legal, the chances of the neighbour being smart enough to figure out that "your friend" did anything are so small that it doesn't matter. In other words, as long as you don't get caught and no one gets hurt, it's ok. As for everything else, as far as I understand it, monitoring a network that you don't own is illegal. However, I could definitely be wrong about that, and it would be interesting to find the legal loopholes. Good luck in your search for a legal grey area, keep us updated.

First off, what country are you in? Secondly, I'm not a lawyer and this shouldn't be taken as gospel.

In general, sniffing is usually legal, but local laws may apply.

When you start probing or send packets, depending on country, you may have committed an offence.

4 depends on what you do with the pineapple.

6 probably depending on country, but to be honest, most people won't notice / care / do anything.

Thanks guys, I appreciate it. I'm in the US. I just want to make sure that I (and my friend) stay legitimate. It's not that I'm concerned with people finding out, it's just that I don't actually want to skirt the law. The only thing is... looking at stuff on my own network is basically totally lame. It's so much more educational when I'm able to look at stuff from an outside perspective.

There seems to be a lot of grey area, I guess that's why the Hak5 people say... "Hack responsibly." Sort of a YMMV...

http://www.npr.org/sections/money/2014/05/30/317074394/drone-wars-who-owns-the-air

I don't mean to hijack a post but.

"He who owns the soil owns up to the heavens."

This rule can win a dispute in court about a person's tree growing over your property and damage done to your landscape...

So, what about other people's wifi signal reaching my airspace? I do own property and feel if it's invading my property, I can crack it all day long?

1) Eh, kind of a gray area

2) Going to say no

3) No

4) I would say that depends if you are running Karma to get clients to associate.

5) No

6) Don't do that.

I am not a lawyer. Also read the Computer Fraud and Abuse Act.

https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

My take on this:

1. Yes it is. You're picking up a radio signal - nothing more. If someone sends out data you're legally allowed to receive it. Note that a special case exists for speed camera detectors, which detect the presence of the radio signal. These devices have been banned in quite a few countries and this is based on them not actually interpreting the signal but only signifying that the signal is there. I.e. by banning them the government isn't limiting your access to data (which in most civilized countries the government is barred from doing).

2. Yes it is. Without being allowed to do this you wouldn't be able to connect to the network in the first place since you can't discover that it's there.

3. This is the legal equivalent of walking through a street and trying all the doors to see if anything is open. While I believe you should be in the clear from a legal standpoint on the act in and of itself I'm pretty sure it'll be against the terms of service of the hotel. When your NMAP run discovers services on a machine I'm fairly confident what you've done can be legally construed as trespassing.

4. You can set up your Pineapple to simply act as any other router. It's not your fault your last name is MacDonalds and thus chose to give your open access AP that name, and it's not an unsuspecting user's fault to connect to you because you're an open access AP. Everything up to this point is completely legal I would say. If however the service you provide is counter to what a person would reasonably expect (password stealing, hacking of the connected device, rickrolling, etc) you're almost certainly breaking a law.

5. The first part is a clear "NO" based on the intent you have. You're tampering with the communications of 2 other parties and that's certainly illegal. Sniffing the connection attempts of users, on the other hand, is, I believe, completely legal.

6. Can't tell you which laws, but it's the digital form of attempted breaking and entering. It's like having a lock picker working on your front door - if you suddenly come home and catch him in the act, the police can't get him for full-on burglary because he didn't (yet) get in, but it's obvious from the context that the guy was doing what he was doing to gain unlawful entry to your home and since that is illegal, trying to do this, even if unsuccessful, is illegal.

This is my coffee table legal advice which, since I'm not a lawyer, carries 0 weight in court. But the gist of it all is this:

You know what you're doing/trying to do. If someone did this against you(r stuff), would you (or any other reasonable person) disapprove of it? If yes, it's almost certainly illegal.
