Nmap Announce mailing list archives

Re: publicly available resources and the law


From: Fyodor <fyodor () dhp com>
Date: Wed, 24 Feb 1999 19:20:17 -0500 (EST)



I think this debate has brought forth some important issues.  For
example, it would be nice if something was done about some draconian
state laws which, if applied literally, could make everything from
pinging to port scanning to web browsing illegal unless you have
explicit authorization from the destination host.

But a more practical question than 'could port scanning be construed
as illegal in some ass-backwards state' is 'will I get arrested for
doing nothing but portscanning a system'.  And the answer to that is
almost always "no".  Hundreds of thousands of people have downloaded
nmap (and others have obtained it when they installed FreeBSD, Debian
Linux, Trinux, etc).  Millions of IPs have been scanned (I alone scan
class B's on a somewhat regular basis).  To the best of my knowledge,
nobody has ever been arrested for simply scanning another machine (if
anyone knows of such a case, please send info to the list).

Even though the worry of legal problems is extremely low, there is a very
good chance that if you make a habit of scanning large numbers of hosts,
you (or your ISP) will eventually get a complaint from some anal sysadmin.
I had this happen to me once, but the guy cooled down when I explained
that I was just testing out my new port scanner (and gave him an early
release of nmap 2).  The Internet Operating System Counter folks (
http://www.leb.net/hzo/ioscount/index.html ) estimate that they get about
1 query/complaint per 50,000 hosts.  They apparently scanned (with queso)
1,191,755 hosts in January.

So a good rule of thumb is: don't scan from anywhere that complaints
about your actions can cause you trouble.  If your job or your school
accounts are critically important to you, don't risk them by engaging
in anything at all controversial (viewing porn, port scanning,
tracerouting, MP3 downloading, exportation of cryptography, etc).
Spend the $20/month for a stupid ISP account and move all such
activity there.  And if they cancel your account for some stupid
reason, switch to a better ISP (and if you have time, write the old
ISP a letter explaining why you disagree with their policy).

Cheers,
Fyodor

PS: Due to an overwhelming response on this topic, I had to skip a lot
of messages.  I tried to post the ones which were on topic and
contained pertinent facts (i.e. useful research on state laws or actual
case examples).  I don't mind posting occasional opinionated rants, but
I don't want to flood the list with dozens of them in one day.  It is
not personal.


--
Fyodor                            'finger pgp () www insecure org | pgp -fka'
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the criminal
community.  --Mitch Stone on Microsoft ActiveX