Educause Security Discussion mailing list archives
Re: SANS Post about EDU vulnerability scanning assignment
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 2 Mar 2006 08:43:30 -0500
Michael Sinatra wrote:
I admit to having been out of the loop when it comes to the legal side of these things, but the last I remember (around 2000-01) there had been at least one or two federal court decisions that found port scanning, without other substantive damage, and without intent to defraud, not to violate any US federal code. My understanding is that the USA PATRIOT act did NOT substantially change the port scanning aspect of cyber-law, although it did lower damage thresholds (which could be used against a port scanner). My last check of California law showed it to be pretty ambiguous on the subject--at best. Have there been recent decisions or laws that unambiguously indicate that port scanning--without other damage or intent to defraud--is inherently illegal? I am particularly interested in the US, but other countries' laws would be of some interest as well. Mind you, I agree that this is a really bad idea, but I'd like to understand the legal issues a bit more.
Who knows what the assignment actually was, but the SANS post makes it sound like they were to do "vulnerability scanning" which is a step above port scanning. Had they used Nessus, Metasploit, and John the Ripper to "test a site's security", I think there are few organizations who would view that as inappropriate and a few that would likely react the same way as a publicly made threat to the president's life.

I seem to remember someone being charged and convicted recently for modifying a URL to access something on a web site that, had the web application been designed properly, would not have been accessible.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security