Legal & lab discipline

Legal & ethics — applies to every tool in this hub

These rules apply to all tools in Hack Tools/. Not legal advice. Re-read before any field work.

Standing rules

  1. Owned hardware or written authorization. Every test target must either belong to tjscientist or be covered by explicit, written authorization from the owner with a defined scope.
  2. Document the lab kit. Maintain a list of targets tjscientist owns, with photos and serial numbers if applicable. Keep authorization letters in Hack Tools/_shared/authorizations/ (gitignored if version-controlled).
  3. Distinguish “lab” from “in the wild”. Replaying a captured signal back into the same controlled environment tjscientist owns is fine. Transmitting against neighbors’ equipment, public infrastructure, or vehicles is not.
  4. No jamming. Continuous-wave jamming of any band is illegal under FCC and most equivalents regardless of intent. Don’t.
  5. No unauthorized access. BadUSB, MouseJack, BLE injection, evil portals — all are unauthorized-access territory when used against equipment tjscientist doesn’t own and isn’t paid to test.

RF transmit

  • Power, frequency, and duty cycle are regulated. Aviation, public-safety, amateur (without a license), and licensed-commercial bands are off-limits.
  • Region restrictions vary. Custom firmwares (Momentum, Unleashed, etc.) remove the firmware-side guardrails, which shifts responsibility to the operator; it does not legalize anything.
  • Replay attacks against rolling-code remotes (KeeLoq variants) are usually bounded by the manufacturer key — capture and replay often fails by design. Even when it works, replay against a vehicle or door you don’t own is grand theft / breaking-and-entering territory.

RFID / NFC

  • Reading a card tjscientist carries: legal.
  • Reading a card found on the ground: murky.
  • Reading a card from someone else’s pocket without consent: depending on jurisdiction, somewhere between mischief and computer fraud.
  • Cloning building-access cards without explicit written authorization from the building owner: illegal under U.S. CFAA and equivalents.

BadUSB / MouseJack / BLE injection

  • Computer-attack territory. Connecting to or injecting into a machine tjscientist does not own, without written permission, is unauthorized access (CFAA in the U.S.).
  • “Awareness” payloads that just open a web page still count.

WiFi audits

  • Deauthentication, evil-portal, EAPOL capture against networks tjscientist doesn’t own: illegal.
  • Beacon spam in public spaces: depending on jurisdiction, regulatory violation (interference) plus potentially unauthorized access.

Public disclosure

  • If something tjscientist finds is novel and exploitable, prefer responsible disclosure. The vendor first; CERT/CC or a coordinated path second; public last.
  • Do not publicize specific keys, algorithms, or payloads that could be used to compromise third-party systems unless those have already been published by a primary research source.

What this means for Claude in this project

  • Decline to write or document attacks targeted at third parties, named systems tjscientist doesn’t own, or specific public infrastructure.
  • Decline to research bypass techniques framed as “for a friend’s…” or “my client gave me permission” without that permission being verifiable.
  • When generating payloads, default to WAIT_FOR_BUTTON_PRESS as the first line, narrow scope, and clear “lab use only” comments.
  • When in doubt, ask tjscientist to confirm the scope before producing anything.