Nmap Announce mailing list archives

RE: publicly available resources and the law


From: "Frank Miller" <frankm () bend or us>
Date: Tue, 23 Feb 1999 07:54:41 -0800

I didn't major in law (engineering), but I think that there is the 'word' of
the law and then there is enforcement/interpretation.

The two cases I'm aware of in Oregon are:

1) A major system was compromised, backdoors left, with the purpose of
running a sniffer for data collection on a major WAN pipe.  This resulted in
felony charges when the 'hacker' was apprehended.  The key was entry and
modification.

2) A server was probed via ftpd for user/pass pairs, imapd holes, etc.
Misdemeanor charges were brought against the ftpd probe; "Unauthorized"
banners were generated.

Another key is that the probed site has to be willing to bring charges
within a police jurisdiction that is 'computer savvy'. I'd think that most sites
would not bring charges with local/state/federal police due to a probe, only
if an exploit was determined that resulted in modification/damage.

Frank



-----Original Message-----
From: root () gull prod itd earthlink net
[mailto:root () gull prod itd earthlink net] On Behalf Of HD Moore
Sent: Tuesday, February 23, 1999 12:18 AM
To: nmap-hackers () insecure org
Subject: publicly available resources and the law


Daemor wrote:

Communicate with?  Retrieve data from?  Who authorizes me to connect to
port 80 at www.nsa.gov?  No one, it is made publicly available.  No
authorization is required to access the data.  Port scanning simply asks
which services are offered by a computer.  Unless measures have been
taken to restrict access to the data and the individual has attempted to
circumvent those measures then I see no crime.  Being charged with a
misdemeanor simply for port scanning ALONE seems a bit ridiculous to
me.  I realize that scanning a host is often followed by an attack on a
system or is part of a search for vulnerable systems but simply asking
if the information is publicly available should not be a crime.

Along these lines, I was wondering what the legal status is of accessing
FTP servers with anonymous logins, wide open NFS exports, or NetBIOS
shares.  There needs to be some clarification of what is considered
public access and what is simply misconfiguration.  Anyone have
something to contribute about what is actually legal to access and what
is invasion?  Is any resource that can be accessed without special
authorization considered public access in the terms of the law?
