Nmap Announce mailing list archives

Re: publicly available resources and the law


From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Tue, 23 Feb 1999 14:08:36 -0800


Alright, we just went through all this on comp.unix.security.  You can go
read that thread if you're interested in other opinions I have about it.

However, I think it is *very*, *very* sketchy legal grounds to say that
this is legal.  In the first place the door-rattling, etc analogies have
been done _to_death_ on comp.security.unix.  They're not useful.  For
every analogy there is a counter-analogy ad nauseam.

The fact, however, is that you are contacting services which you don't
have authorization for.  You *are* connecting to those services, and you
will cause the CPU in question to consume cycles dealing with you and
possibly even fork().  Under "normal" "bug-free" circumstances this does
not cause any harm, *however* you are using a resource on that machine.  I
think that legally the argument could very easily be made that you are
*using* resources that you have no rights to.

The "an open port is an invitation" argument has also been beat to death
on comp.security.unix.  It doesn't hold water, because some sites don't
have an option of putting up a firewall and some sites don't have an
option of what O/Ses they run.  We wind up having to deal with the reality
of having open services hanging out in the wind with no way to access
control and no way to packet filter.

As to intent, that is probably very easy to prove.  All they have to do is
find a bunch of phrack articles in your possession/on your account and
they'll have a good ways towards intent.  Having exploit code, even if it's
not exploit code for what you're scanning for will look even worse.  Sure
*IF* you have a good lawyer, and have the money for a good lawyer you can
probably beat the charge.  I personally would not bet my liberty on this,
though.  People are very fond of getting into abstract arguments about the
letter of the law on the net, and I'm sure that anyone here could put up a
pretty convincing case in front of the already-converted that possession
does not equal intent.  However, I think that reality, where judges
"interpret" the laws, has a decent chance of being a little more arbitrary
and cruel.

And three words:  Steve Jackson Games.

They got off in the end, but they were put through hell and the abuses in
that case were really egregious.  Don't bet on being treated this well.

So, my advice really is to treat portscanning random machines as being
illegal.  All this discussion about putting nmap up on websites kind of
makes me kind of nervous, I think it's probably a huge legal risk.  I
personally don't care about portscans.  I simply log them and send logs
off to our internal "CERT" which collects reports from all the
security-aware admins on campus.  Usually for the persistent ones there
are a few break-in attempts and they're tracked back down to the script
kiddie who did them and the person gets busted -- for breaking into the
machines.  I doubt that most security people have the resources to care
about portscans that aren't used to root machines, or launched from rooted
machines.  However, I am quite sure that once you've scanned enough of the
net you will come across the admin who hates his job and life and has
nothing better to do than try to fuck with people -- and a webserver
offering a scanning service is going to be a nice fat stationary target to
unload abuse, hostility and lawyers at.

Legally I actually do think that portscans 'should' be illegal.  I think
that there's no damn question about intent when my class C gets hit by SYN
scans for imapd or mountd.  Ethically, however, I have no problems with
people accepting their own level of risk and illegal behavior.  I also
have no ethical problems with helping Fyodor out with porting nmap.
Perhaps this is inconsistent or hypocritical, but I really don't think so
(and I gave up on not being a hypocrite a while back, that's a long
philosophical discussion though).  My basic take is personal in that if
I'm going to scan a machine that isn't mine that I really do expect it to
be perceived as a hostile act both by the admins of that box and the
authorities, and will take responsibility for that and won't try to claim
that I have the 'right' to scan a box.

Anyway, that's my say, and I am going to bow the hell out of the rest of
this discussion because I'm totally sick of the one that is currently on
comp.security.unix.  Feel free to trash me, but I'm really tired of this
flamewar...

On Tue, 23 Feb 1999, Technical Incursion Countermeasures wrote:
ahh a good fun topic :}..

ok AFAIK this is how it is interpreted normally..

Port scanning is quite rightly not a crime - it equates to rattling door
knobs and trying windows.. not a felony in itself - however it is
suspicious activity. This is the key...

Now if during our port scanning we happen to find a wide open NFS port and
access it - then we have committed a crime - because by port scanning we
have shown intent - it is no longer an accident that we just happened to
push on the door and fall in.

Now I know US law is different to Aust law  - but I'm guessing that the
intent provision is still there - i.e. that to be convicted of a deliberate
act - the prosecution must show that you intended to commit the act.

Cheers,
Bret

PS and just in case someone is stupid enough to take what I said as legal
advice - it's not :}
Technical Incursion Countermeasures 
consulting () TICM COM                      http://www.ticm.com/
ph: (+61)(041) 4411 149(UTC+8 hrs)      fax: (+61)(08) 9454 6042

The Insider - a e'zine on Computer security 
http://www.ticm.com/info/insider/index.html


-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka


