nanog mailing list archives

Re: Port scanning legal


From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 19 Dec 2000 17:23:27 -0500


In message <Pine.LNX.4.30.0012190930530.27364-100000@labyrinth.local>, "Edward S. Marshall" writes:

> http://www.securityfocus.com/templates/article.html?id=126
>
> A quick quote from the article:
>
>    A tiff between two IT contractors that spiraled into federal court
>    ended last month with a U.S. district court ruling in Georgia that
>    port scanning a network does not damage it, under a section of the
>    anti-hacking laws that allows victims of cyber attack to sue an
>    attacker.
>
>    Last week both sides agreed not to appeal the decision by judge Thomas
>    Thrash, who found that the value of time spent investigating a port
>    scan can not be considered damage. "The statute clearly states that
>    the damage must be an impairment to the integrity and availability of
>    the network," wrote the judge, who found that a port scan impaired
>    neither.
>
> This may have ramifications for both security professionals and abuse desk
> personnel; this ruling would seem to make it clear that you cannot claim
> time spent investigating abuse issues as damage. The complete finding is
> here:
>
>    http://pub.bna.com/eclr/00434.htm
>
> Any armchair lawyers on the list want to take a crack at this?

As always, your mileage may vary.  California law specifically
states that costs incurred by the victim include

        any expenditure reasonably and necessarily incurred by the
        owner or lessee to verify that a computer system, computer
        network, computer program, or data was or was not altered,
        deleted, damaged, or destroyed by the access.

So checking out a scan might qualify.  As for "access", it's defined as

        "Access" means to gain entry to, instruct, or communicate
        with the logical, arithmetical, or memory function resources
        of a computer, computer system, or computer network

Specific crimes include

        (6) Knowingly and without permission provides or assists
        in providing a means of accessing a computer, computer
        system, or computer network in violation of this section.
        (7) Knowingly and without permission accesses or causes to
        be accessed any computer, computer system, or computer
        network.

Does a port scan "communicate with" the specified part of a computer?

FYI, these are from Section 502 of the California Penal Code, at
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&group=00001-01000&file=484-502.9


