RE: nmap illegal to use?

[Scott Moulton <smoulton () nicservices com>]

I am glad that the public has shown such an interest in my case. It is all
about what the future holds for the rights of computer people everywhere.
If they outlaw port scanning, what is next? Outlaw Pinging?  They tried to
say that in this case also.  I wish I could talk more about it, but as there
is a Criminal prosecution case pending and I am forbidden to disclose
material that is not already public.  All depositions in the FEDERAL case,
including the depositions of two Georgia Bureau of Investigation detectives
are public, if you can figure out how to get them. Computer specialist
should really read the depositions of the GBI Computer guys and see what
kind of experience they have and how they investigate a case as well as what
they believe constitutes a crime. It may be helpful in the future to know
how to defend yourselves

You can also see another report by Kevin Poulsen at:
http://www.securityfocus.com/news/126

Kevin called me, but again I could not disclose information on this case
even though I would have enjoyed speaking with him.

I am proud that I could be of some benefit to the computer society in
defending and protecting the rights of specialists in the computer field,
however it is EXTREMELY costly to support such an effort, of which I am not
happy about.  But I will continue to fight and prove that there is nothing
illegal about port scanning especially when I was just doing my job.

Thanks goes out those who have sent messages of support in the past year
that my company and I have been dragged through this mess.

Thanks again,
Scott Moulton
 
-----Original Message-----
From: Fyodor [mailto:fyodor () insecure org] 
Sent: Sunday, June 10, 2001 11:13 PM
To: nmap-hackers () insecure org
Cc: Tom Brays
Subject: Re: nmap illegal to use?

On Mon, Jun 11, 2001 at 09:33:35AM +0800, Tom Brays wrote:

> "The Journal of Technology Law and Policy has a good article on
>  computer security and privacy.

I believe the URL for the article you are referring to is
http://grove.ufl.edu/~techlaw/vol6/Preston.html .  Yes, it is an
interesting (but long) research paper.

>  expectations of privacy.) It's interesting to see the computer
>  security from a lawyer's point of view. Especially interesting are
>  his claims that using nmap is illegal, despite the VC3 v. Moulton
>  case."

As a point of clarification, I think Ethan is arguing that Nmap port
scans could be a violation of the computer "access" provisions of
several STATE ( not Federal) laws.  He (She?) also states that
"access-based computer crime laws" can "implicate the most rudimentary
network functions, like pinging an IP address to see if a network host
is connected to the Internet, let alone initiating a TCP connection
that would provide the basis for communicating that access is
unauthorized." and "most current laws could be used to penalize any
interactions on the Internet between networked computers."  Scary!

Here are a few quotes from the article that refer to port scanning and
Nmap:

  In Moulton v. VC3, a federal court found that the costs incurred
  investigating a port scan did not constitute damages under the
  federal Computer Fraud and Abuse Act.[166] Moreover, the court found
  that a party's port scan did not access the other party's
  network.[167] Port scans elicit information from computers and
  computer networks; under many of the state statutory definitions
  above, port scans do access computers and probably would constitute
  computer crime. Certainly, the court could have found port scans to
  constitute access under the CFAA and found the party liable for the
  port scan. Moulton may signify that there is a threshold of network
  activity below which courts will not interfere.[168]

  [ ... ]

  The application of access-based computer crime laws could damage the
  digital commons as much as the current formulation of trespass on
  chattels.  The efficiency of communication on the Internet stems
  from the implied consent to use the computer resources and
  information of others'. Legal rules that extend liability to any
  access whatsoever damage that efficiency. Consider how trespass to
  chattels and access-based computer crime laws would function on the
  Internet. These laws implicate the most rudimentary network
  functions, like pinging an IP address to see if a network host is
  connected to the Internet, let alone initiating a TCP connection
  that would provide the basis for communicating that access is
  unauthorized.

  [ ... ]

  The benefit of the fences in cyberspace metaphor is an enhanced
  capacity for precision. Application of the metaphor of fences in
  cyberspace could create a legal regime capable of much finer
  distinctions between liability and non-liability. Consider a
  situation where the law assigns a privacy right to the computer
  owner over the kind of operating system running on the
  computer. (This privacy right is, and should remain, a hypothetical
  situation.  The overall utility of such a privacy right is
  questionable. While discovering the identity of a target's operating
  system is an integral step to breaking into the target, it is poor
  security to rely on the obscurity of the operating system?s
  identity.)[175] In cyberspace, information about the kind of
  operating system is an object. This hypothetical posits that the
  owner has the legal right to put a fence around this
  object. Individuals on the network can use techniques like banner
  grabbing, port scanning or nmap's OS fingerprinting to identify the
  owner's operating system.[176] Most "fences" would protect against
  banner-grabbing; banners must be either changed or eliminated.[177]
  Port scanning can be prevented by shutting down unnecessary
  applications and through using firewalls that filtered packets on
  the basis of port numbers.[178] These measures would create a fences
  that encompasses more of the information. Finally, preventing
  nmap-type OS fingerprinting requires using a firewall that filtered
  on a packet-by-packet basis or altering the TCP/IP stack of the
  computer.[179] These measures would enclose most of the remotely
  available information about a computer's operating system. A court
  deciding whether to assign liability would first inquire into what
  technical measures were used; the court must find the fences in
  cyberspace. Next, the court must decide whether the technical
  measures were reasonable. The computer owner who failed to protect
  against banner-grabbing should not have legal recourse when banner
  grabbing identifies his operating system. A computer owner who used
  a firewall that prevented port scans but not nmap-type OS
  fingerprinting might establish a strong case for liability against a
  nmap scanner. Then again, perhaps the cost of preventing nmap-type
  OS fingerprinting might be found minimal; the court might assign
  liability only where the defendant used other means to get the
  information. The point of the exercise above is that the metaphor
  allows courts to distinguish between relative degrees of care that
  the owner has taken to restrict information flows.

  Courts striving for equitable and predictable distinctions between
  liability and non-liability receive little help from the language of
  the law; most current laws could be used to penalize any
  interactions on the Internet between networked computers. To be
  efficient, the law must also be capable of precision and coherency,
  even more so because information flows on the Internet can be very
  complex. The cyberspace fences metaphor can help provide that
  precision.

Cheers,
Fyodor

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


************************************************************************
* Tracking #: 6F4653AC825AD511A9A200105A99BE81724ECEA8
*
************************************************************************

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).