Nmap Announce mailing list archives

Re: Valuable papers on the legality of port scanning and exploit code


From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 29 Dec 2003 10:03:10 +0100

Fyodor wrote:
As part of the Nmap book, I am including a section on the legality of
port scanning.  In the process I came across a couple good papers that
I feel shed light on this important issue (at least for United States
residents):

Just for what it's worth, I don't know the exact differences between US and European legislation, but the fact that port scanning is legal is, as far as I know, yet to be proven in a court of law in a European country.

As a matter of fact, the "cybercrime" laws in Europe are not very detailed yet; the recent Convention on Cybercrime [1] describes illegal access as:

"44. "Illegal access" covers the basic offence of dangerous threats to and attacks against the security (i.e. the confidentiality, integrity and availability) of computer systems and data. The need for protection reflects the interests of organisations and individuals to manage, operate and control their systems in an undisturbed and uninhibited manner. The mere unauthorised intrusion, i.e. "hacking", "cracking" or "computer trespass" should in principle be illegal in itself. It may lead to impediments to legitimate users of systems and data and may cause alteration or destruction with high costs for reconstruction. Such intrusions may give access to confidential data (including passwords, information about the targeted system) and secrets, to the use of the system without payment or even encourage hackers to commit more dangerous forms of computer-related offences, like computer-related fraud or forgery."

It does say further on that this does not include sending a file or an e-mail. Now, this convention has been signed by all European member states (even by the US [2]) but has yet to be transposed to law in the member countries.

For example, the current Spanish law only punishes damage done to private property if the damage is over 300 EUR. The "private property" definition includes "electronic data, programs, and documents contained in network, media or information technology systems" (CÓDIGO PENAL, organic law 10/1995, article 263-264). This is not going to be expanded in the review of the criminal law.

Having in mind that, in order to be illegal under Spanish law, port scanning would need to generate damage to private property (in excess of that quantity), and, also, needs to be done "with the intention to harm", I think that current law would not rule port scanning illegal unless unrightfully done by someone against a system that is vulnerable to "dying" from a port scan, and that system in fact dies and causes damages over 300 EUR to its owners.

Just my 2c.

Regards

Javi


[1] http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185
[2] http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm
