Nmap Announce mailing list archives
Re: publicly available resources and the law
From: "Benjamin Tomhave" <Falcon () CyberSecret com>
Date: Tue, 23 Feb 1999 10:56:36 -0600
As best as I know, this is the guideline, and the legal technicalities that answer the question of port scanning legality versus accessing a system. I definitely should not be considered an absolute authority on legality, so please put the flamethrowers aside for now. Let me preface my comments by saying that I am a firm believer in freedom of information and open systems, but I also am a firm believer in justice and fairness. It is a fine line to walk between security/paranoia/dictatorship and personal liberty. Comments are welcomed and encouraged!

1) When you go to a site such as www.nsa.gov, connecting via port 80 and using http, you have been authorized to access that site via the declared method (in this case, web browser). In fine, nit-picking terms, you are authorized by the NSA to connect to their web site via port 80, and nothing else. This would also be the case with anonymous FTP. Again, you have been granted specific permissions with a narrow scope. To do anything that does not fall within that scope can be construed as "unauthorized access" even if you are utilizing the port made available. Just because a port is open for a specific application does not mean that it is a "public" port. And even if it were public, there is a certain amount of responsibility that goes along with having public assets available for use.

2) Port scanning can be deemed illegal, unauthorized access along the strictest of lines. If you have not been granted explicit access to a system, regardless of how the ports are assigned to applications, then port scanning violates those restrictions. However, along with this the owner of the machine must also have policies in place that can legally back up their description of "authorized access", etc.

3) Legality is a touchy issue right now and basically comes down to walking a fine line. On the one hand, it is the responsibility of the owner to thoroughly document usage policies and make the information widely available. If that is done, then most of the time that is enough legal precedent should a court case be opened. Negligence is not a viable defense. On the other hand, if there is no policy in place defining "authorized access" then there is less legal recourse for responding to an intrusion, whether it be a port scan or an actual root compromise.

4) Analogy: If you have a piece of land that you do not want people to hunt on (I'm from Minnesota, btw), you have to post "No Trespassing" signs all around the border of that property. If you do not make an effort to post your land, then you have no legal recourse should a hunter wander onto your land. Similar methods must be used for computer systems. Unfortunately, at least right now, there isn't any easy or nice way to post your system w/o allowing a person to access that system. Thus, the law loosens a bit in favour of the owner with the understanding that it is highly difficult, if not impossible, to thoroughly and effectively post your property.

5) On the flip side: A case was tried and won by a hacker (defendant) who broke into a site. The company had stated in the banner of the system "Welcome to <router name>". The court ruled that saying "Welcome" was the same as inviting someone to enter their system and play around. I believe that this ruling was overturned later by a higher court because adequate policy existed prohibiting certain kinds of access to the system. Regardless, seemingly trivial things like this can work against a site.

Cheers,
-ben

At Tuesday 2/23/99 02:17 AM, HD Moore wrote:

> Daemor wrote:
>
> > Communicate with? Retrieve data from? Who authorizes me to connect to port 80 at www.nsa.gov? No one, it is made publicly available. No authorization is required to access the data. Port scanning simply asks which services are offered by a computer. Unless measures have been taken to restrict access to the data and the individual has attempted to circumvent those measures then I see no crime. Being charged with a misdemeanor simply for port scanning ALONE seems a bit ridiculous to me. I realize that scanning a host is often followed by an attack on a system or is part of a search for vulnerable systems but simply asking if the information is publicly available should not be a crime.
>
> Along these lines, I was wondering what the legal status is of accessing FTP servers with anonymous logins, wide open NFS exports, or NetBIOS shares. There needs to be some clarification of what is considered public access and what is simply misconfiguration. Anyone have something to contribute about what is actually legal to access and what is invasion? Is any resource that can be accessed without special authorization considered public access in the terms of the law?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Benjamin Tomhave
Falcon () CyberSecret com
http://falcon.cybersecret.com/default.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Here is where the road divides..."
"...and a lifetime's not too long to live as friends."
-Michael W. Smith (Pray For Me, Friends)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~