Nmap Announce mailing list archives
RE: publicly available resources and the law
From: Erik Parker <netmask () 303 org>
Date: Tue, 23 Feb 1999 16:21:48 -0600 (CST)
I've heard a lot of different opinions. And I think it is state laws that say whether or not port scanning is legal or illegal. Since most states are behind the times, they haven't made such laws. Kind of like back in the day of Bluebeep and other scanners, states made laws about calling people without the intent to communicate. Well, I guess port scanning is the same way.. Sort of, you're not looking for hosts, but you're looking for ports, without the intent to communicate. As far as I have ever seen, there is no law even close to that. Washington seems to keep up on internet laws (at least from what I see of their spam laws). Possibly they have made some kind of law like that.

But as someone else said, port scanning is basically to see what services people are running. However, if it isn't in the RFC 1340 (assigned numbers), then maybe that is bad, since it isn't a registered port, and you couldn't possibly guess what is on it, without looking further into it.

On Tue, 23 Feb 1999, Frank Miller wrote:

I didn't major in law (engineering), but I think that there is the 'word' of the law and then there is enforcement/interpretation. The two cases I'm aware of in Oregon are:

1) A major system was compromised, backdoors left, with the purpose of running a sniffer for data collection on a major WAN pipe. This resulted in felony charges when the 'hacker' was apprehended. The key was entry and modification.

2) A server was probed via ftpd for user/pass pairs, imapd holes, etc. Misdemeanor charges were brought against the ftpd probe; "Unauthorized" banners were generated.

Another key is that the probed site has to be willing to bring charges within a police jurisdiction that is 'computer savvy'. I'd think that most sites would not bring charges with local/state/federal police due to a probe, only if an exploit was determined that resulted in modification/damage.

Frank

-----Original Message-----
From: root () gull prod itd earthlink net [mailto:root () gull prod itd earthlink net] On Behalf Of HD Moore
Sent: Tuesday, February 23, 1999 12:18 AM
To: nmap-hackers () insecure org
Subject: publicly available resources and the law

Daemor wrote:

Communicate with? Retrieve data from? Who authorizes me to connect to port 80 at www.nsa.gov? No one, it is made publicly available. No authorization is required to access the data. Port scanning simply asks which services are offered by a computer. Unless measures have been taken to restrict access to the data and the individual has attempted to circumvent those measures then I see no crime. Being charged with a misdemeanor simply for port scanning ALONE seems a bit ridiculous to me. I realize that scanning a host is often followed by an attack on a system or is part of a search for vulnerable systems but simply asking if the information is publicly available should not be a crime.

Along these lines, I was wondering what the legal status of accessing FTP servers with anonymous logins, wide open NFS exports, or NetBIOS shares.

There needs to be some clarification of what is considered public access and what is simply misconfiguration. Anyone have something to contribute about what is actually legal to access and what is invasion? Is any resource that can be accessed without special authorization considered public access in the terms of the law?
Cheers, Erik