What to do?

KRFinch at dstsystems.com KRFinch at dstsystems.com
Fri Jan 10 20:47:15 CST 2003


Well, I think I can see both sides of this.  If you show someone how to
light a match here, there's a good chance they will use it to burn you at
the stake.  On the other hand, I would personally really like to let the
people know they were vulnerable, and most caring people would probably
feel the same way.

Here's an alternative.  In the interest of covering your own ass but still
letting the company know, I would alert the local authorities (or federal
ones for that matter) and leave informing the company up to them.  It is a
tip to help prevent a crime, just like There are pretty anonymous ways to
give tips to the FBI, and if you call them from the payphone at a
McDonald's 30 miles from your house, who's to know?  If you're particularly
careful/paranoid, you could wear gloves, buy one of those things to mask
your voice, and take advantage of the weather to give reason to keep your
face covered.

As another alternative, have someone else uninvolved tell the company, but
use someone that can legally keep you anonymous like your lawyer or a
member of the press.  They could pass on the information for you, but your
confidentiality is legally protected if they choose to honor it.

Just a few ideas.  Let me know if I can help.

- Kevin

                                                                                                    
             
Brad Crotchett <brad at ispn.net>
Sent by: owner-kclug at marauder.illiana.net
01/10/2003 02:12 PM

To: kclug at kclug.org
cc:
Subject: What to do?

I would leave it be.  In a perfect world you would be a good samaritan, but
it obviously is not perfect.  If you had only found the network and not
downloaded anything it might be different.  The IT person has to take some
responsibility.  If their network is that wide open then they must not care
much about security.  Even laymen have heard by now the security issues with
wireless, and I am sure the instructions with the AP had more than enough
warnings about WEP and the default password, etc.

I would definitely leave it alone.

My 2 cents,

Brad

> Hello:
>
> The other day I was war driving somewhere in KC and
> found 5 WLANs that I could take total control of. The
> owner left the configurations with all the default
> passwords... There was even one small company that had
> a wireless print server that was vulnerable, I could
> have used the printer if I wanted to. I also
> downloaded their client's database (in ms access);
> Now, my question is:
>
> Should I let them know their Network is vulnerable and
> offer to tweak it for a small fee or just let them
> find out the hard way?
>
> Thanks in advance for your inputs.



