Re: [Full-disclosure] Wi-fi. Approaching customers
From: Matthew Sabin (matthew_at_sabin.com)
To: "Wade Woolwine" <email@example.com>, Gregh <firstname.lastname@example.org>
Date: Tue, 15 Mar 2005 16:07:00 -0500
I'm not sure I can help you on the contacting process, but I question your assumptions.
My company has made a conscious decision to leave our WiFi open to visitors, while our internal machines connect via IPSec on the open airwaves.
A drive-by would show the open nature of our WiFi, but wouldn't immediately tell you that we've secured our business fairly well.
----- Original Message -----
From: "Wade Woolwine" <email@example.com>
To: Gregh <firstname.lastname@example.org>
Subject: Re: [Full-disclosure] Wi-fi. Approaching customers
Date: Tue, 15 Mar 2005 15:55:22 -0500 (EST)
> IMO, you're covered legally. I know it sounds fishy to approach a
> potential client already knowing they're insecure...but don't all of us do
> that on a regular basis? I mean I will hit google with a vengeance before I
> go into the kick-off meeting...I want to know what I'm up against.
> I would respectfully request some time from a technical manager to present
> your findings (show a kismet/netstumbler scan) and explain the dangers
> (not the solutions of course). Hopefully, this will rattle the manager
> enough to get the word up to upper management, and if you've left some
> marketing material for them to look at, they can contact you for your
> Good luck!
> > I have asked this on another list and there has been discussion but
> > nothing that really seems like an answer so I am asking for help in here.
> > I did a war drive (and in MY terms that means just driving along
> > gathering SSID data showing open and closed and nothing else BUT that)
> > and found one HELL of a lot more wi-fi in my area than I had previously
> > been aware existed. Most of the SSIDs broadcasted didn't openly identify
> > the company involved though most of them were open. The idea in doing
> > this was that I could note an area where wi-fi is and approach the
> > company (or individual) and offer my services to LEGALLY lock their open
> > wi-fi down. I realise that with open wi-fi, I could be doing anything I
> > wanted to or with their systems but that isn't the point. I work in the
> > area doing I.T. related work and so far have a very good reputation for
> > an inexpensive service and I am self employed so doing the wrong thing
> > would quickly kill all that.
> > My question is, then, how to approach someone to legally get work from
> > them fixing their badly installed wi-fi and ensuring it is all locked
> > down. If I turn up saying "Your wireless networking is open to hacking
> > and I can fix it" that sounds somewhat suspicious to me if you look at it
> > from the point of view of a user who knows nothing much about it all. Eg,
> > I am telling them something they don't want to hear, for a start and then
> > telling them that if they pay me, they can have it fixed on the spot. I
> > already know how strange it can sound. I happened to pick up the SSID
> > ToysRus which was open and realising they would have their own company
> > employed I.T. people, I just rang them to do them a favour and wasn't I
> > met with suspicion? Yep! All I did was say "You know you have wireless
> > networking?" and they answered "yes...." and I added "It's open and
> > unsecured. You better fix it before someone else finds it" and then got
> > asked 100 questions including "How do YOU know?" blah blah by someone you
> > would think KNOWS the game.
> > How do YOU approach prospective new customers to tell them their wi-fi is
> > unsecured and needs attention and that you can fix it for a fee?
> > Any help appreciated.
> > Greg.
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://www.secunia.com/
> "The reason why you have people breaking into your software is because
> your software sucks."