RE: legality of port-mapping

[Lamont Granquist <lamontg () raven genome washington edu>]

oops...  i'm making another response...  i really promise not to make any
more on this thread...

On Tue, 23 Feb 1999, Dragos Ruiu wrote:
> I'm afraid I have to take serious issue with anyone who tells me a port
> scan is illegal. Or who wants it to be.
>
> Let me describe a real world scenario that I was in yesterday:
[...snip...]

A lot of people, particularly the ones on the net who argue over
technicalities, seem to think that because the law sometimes mishandles
grey areas that there should never be any grey areas.  Unfortunately that
doesn't fly in reality.  It's perfectly acceptable, and usually works in
practice, for a law to have grey areas.  A lot of laws have loopholes in
that you must have violated them with intent, or out of negligence.  If
you didn't do that, then you've got a defense.  That's how the law often
works, and therefore the argument that some portscans can be either
legitimate or accidents and therefore all portscans should be legal just
doesn't fly.

> In this scenario, even if we turn up nasty banners, I don't think that
> there should be any grounds to call that wrong or illegal in any manner.

Of course not.

> Yet on the log files it could look like we port-mapped and then tried to
> break in to three machines.

Yes, and they have written evidence.

> I'll tell ya, if some overzealous sysadmin phoned "computer savvy" cops
> and wasted my time with them, they would have to get through our lawyers.
> And they -are- mean.
>
> My common sense says that any time you make typing in the wrong IP address
> and mistakenly scanning someone with "restrictive" system usage policy a
> crime, something is not right. As far as the Steve Jackson Games history,
> I think we all have to agree that was one of the most idiotic examples
> of miscarriages of law-enforcement and computer myopia.

I know.  That was the point.  That is why you need to CYA: Cover Your Ass.
If you're going to portscans machines that you don't own you need to
document it, you should attempt to get permission for it, or notify other
people.  There is a risk, you see, that you could have a SJG come down on
you and you want to be prepared for it -- because rightous indignation
about the fact that you did nothing wrong is much, much less effective
than documented evidence that you can wave in someone's face and make them
go away.
 
-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka