Re: SANS Post about EDU vulnerability scanning assignment

[Gary Flynn <flynngn () JMU EDU>]

Michael Sinatra wrote:

> I admit to having been out of the loop when it comes to the legal side
> of these things, but the last I remember (around 2000-01) there had been
> at least one or two federal court decisions that found port scanning,
> without other substantive damage, and without intent to defraud, not to
> violate any US federal code.  My understanding is that the USA PATRIOT
> act did NOT substantially change the port scanning aspect of cyber-law,
> although it did lower damage thresholds (which could be used against a
> port scanner).
>
> My last check of California law showed it to be pretty ambiguous on the
> subject--at best.  Have there been recent decisions or laws that
> unambiguously indicate that port scanning--without other damage or
> intent to defraud--is inherently illegal?  I am particularly interested
> in the US, but other countries' laws would be of some interest as well.
>
> Mind you, I agree that this is a really bad idea, but I'd like to
> understand the legal issues a bit more.


Who knows what the assignment actually was, but the SANS post makes
it sound like they were to do "vulnerability scanning" which is
a step above port scanning.

Had they used Nessus, Metasploit, and John the Ripper to "test a
site's security", I think there are few organizations who would
view that as inappropriate and a few that would likely react the
same way as a publicly made threat to the president's life.

I seem to remember someone being charged and convicted recently
for modifying a URL to access something on a web site that, had
the web application been designed properly, would not have been
accessible.



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security