Nmap Announce mailing list archives

RE: publicly available resources and the law


From: Erik Parker <netmask () 303 org>
Date: Tue, 23 Feb 1999 16:21:48 -0600 (CST)


I've heard a lot of different opinions. And I think it is state laws that
say whether or not port scanning is legal or illegal. Since most states are
behind the times, they haven't made such laws.

Kind of like back in the day of Bluebeep and other scanners, states made
laws about calling people without the intent to communicate. Well, I guess
port scanning is the same way.. Sort of, you're not looking for hosts, but
you're looking for ports, without the intent to communicate.

As far as I have ever seen, there is no law even close to that. Washington
seems to keep up on internet laws (at least from what I see of their spam
laws). Possibly they have made some kind of law like that.

But as someone else said, port scanning is basically to see what services
people are running. However, if it isn't in RFC 1340 (assigned
numbers), then maybe that is bad, since it isn't a registered port,
and you couldn't possibly guess what is on it without looking further
into it.




On Tue, 23 Feb 1999, Frank Miller wrote:

I didn't major in law (engineering), but I think that there is the 'word' of
the law and then there is enforcement/interpretation.

The two cases I'm aware of in Oregon are:

1) A major system was compromised, backdoors left, with the purpose of
running a sniffer for data collection on a major WAN pipe.  This resulted in
felony charges when the 'hacker' was apprehended.  The key was entry and
modification.

2) A server was probed via ftpd for user/pass pairs, imapd holes, etc.
Misdemeanor charges were brought against the ftpd probe; "Unauthorized"
banners were generated.

Another key is that the probed site has to be willing to bring charges
within a police jurisdiction that is 'computer savvy'. I'd think that most
sites would not bring charges with local/state/federal police due to a
probe, only if an exploit was determined that resulted in
modification/damage.

Frank



-----Original Message-----
From: root () gull prod itd earthlink net
[mailto:root () gull prod itd earthlink net]On Behalf Of HD Moore
Sent: Tuesday, February 23, 1999 12:18 AM
To: nmap-hackers () insecure org
Subject: publicly available resources and the law


Daemor wrote:

Communicate with?  Retrieve data from?  Who authorizes me to connect to
port 80 at www.nsa.gov?  No one, it is made publicly available.  No
authorization is required to access the data.  Port scanning simply asks
which services are offered by a computer.  Unless measures have been
taken to restrict access to the data and the individual has attempted to
circumvent those measures then I see no crime.  Being charged with a
misdemeanor simply for port scanning ALONE seems a bit ridiculous to
me.  I realize that scanning a host is often followed by an attack on a
system or is part of a search for vulnerable systems but simply asking
if the information is publicly available should not be a crime.

Along these lines, I was wondering what the legal status is of accessing
FTP servers with anonymous logins, wide open NFS exports, or NetBIOS
shares.  There needs to be some clarification of what is considered
public access and what is simply misconfiguration.  Anyone have
something to contribute about what is actually legal to access and what
is invasion?  Is any resource that can be accessed without special
authorization considered public access in the terms of the law?




Cheers,
Erik
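The technical point the thread keeps circling is that a port scan only asks which ports answer, and that a port absent from the assigned-numbers table tells you nothing about the service behind it until you look further. The following is an added example, not code from the thread or from Nmap: a plain TCP connect() scan of the local host that names open ports from a small constructed excerpt of the assigned-numbers table and grabs a greeting banner from the ones the table cannot explain. The listener it scans is a throwaway fixture started in the same script, and the table entries and banner text are constructed for the example; it assumes loopback networking is available.

```python
"""Added example (not from the thread): connect() scan of the local host,
then classify each open port by the assigned-numbers table or, failing
that, by the banner the service volunteers."""
import socket
import threading

# Constructed excerpt of the assigned-numbers table (names as in a modern
# /etc/services, which descends from RFC 1340). A real scanner would load
# the full IANA registry or /etc/services instead of this handful.
ASSIGNED_NUMBERS = {
    21: "ftp",
    23: "telnet",
    25: "smtp",
    80: "http",
    110: "pop3",
    143: "imap",
}


def connect_scan(host, ports, timeout=0.5):
    """Full three-way handshake against each port; a port counts as open when
    connect() succeeds. Nothing stealthy about it: the target logs a connect."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Connect and read whatever the service says first (the greeting an ftpd
    or smtpd sends). This is the 'looking further' step the thread mentions."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            return ""
    return data.decode("ascii", "replace").strip()


def inventory(host, ports, registry=ASSIGNED_NUMBERS):
    """Scan, then classify each open port: the registry name when the table
    has one, otherwise a banner grab. Returns {port: {service, banner}}."""
    report = {}
    for port in connect_scan(host, ports):
        name = registry.get(port)
        banner = None if name else grab_banner(host, port)
        report[port] = {"service": name, "banner": banner}
    return report


def start_banner_service(banner, host="127.0.0.1"):
    """Constructed fixture: a throwaway listener on an OS-chosen ephemeral
    port that greets every client with `banner`. Returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # the scanner hung up before reading; harmless
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


if __name__ == "__main__":
    port, stop = start_banner_service(b"220 example-ftpd ready\r\n")
    try:
        # The ephemeral port is not in the table, so the scan alone cannot
        # say what it is; only the banner shows it talks like an ftpd.
        for p, info in inventory("127.0.0.1", [port, 1]).items():
            print(p, info)
    finally:
        stop()
```

Run it as a script and the report shows the fixture's port with `service: None` and the ftpd-style banner, while a closed port such as 1 never appears. Passing a `registry` that maps the port to a name skips the banner grab, which is the difference between a port the table already explains and one that needs a second look.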
