Nmap Announce mailing list archives
Re: publicly available resources and the law
From: Brian Gosnell <brian-g () tamu edu>
Date: Tue, 23 Feb 1999 00:10:10 -0600
These laws are for the state of Texas. They were passed in 1985 and to my knowledge have not changed (my book is '97). Texas has some of the most relaxed laws I have seen on the topic.

(a) A person commits an offense if the person:

(1) uses a computer without effective consent of the owner of the computer or a person authorized to license access to the computer and the actor knows that there exists a computer security system intended to prevent him from making that use of a computer.

Most port scanning does not seem to fall under this as there is no "computer security system intended to prevent" it. If there is such a system (i.e. a firewall) then the packets are blocked and never reach their destination. If efforts are made to bypass the firewall, such as fragmented scans, then this could possibly be an offense. However, it could still be argued that opening the port is not use.

(2) gains access to data stored or maintained by a computer without the effective consent of the owner or licensee of the data and the actor knows that there exists a computer security system intended to prevent him from gaining access to that data.

This would seem to fit the accessing of unpassworded NETBIOS shares, NFS exports, etc... As long as there is no "system intended to prevent him from gaining access to that data" then it is legal to do so.

This is for a "Breach of Computer Security" without "intention to alter data" or "cause malfunction." The laws for harmful access say "if the person knowingly... alters, damages or destroys data." It does not, however, say anything about an attempt to breach security.

Daemor

rain.forest.puppy wrote:
This is a pretty interesting topic, so I just wanted to share some info I found RE: computer crime laws in Illinois, US:

"Access" is defined as means to use, instruct, communicate with, store data in, retrieve or intercept data from, or otherwise utilize any services of a computer. (I think portscanning would fall in that)

COMPUTER TAMPERING: A person commits the offense of computer tampering when he knowingly and without authorization of a computer's owner, or in excess of the authority granted to him, when he accesses or causes to be accessed a computer or any part thereof, or a program or data (and possibly obtains data or services).

(There's also a mention of "accesses and alters computer program or data"...if you have a good prosecutor perhaps just the fact that the logs are altered (appended) could fall under this)

(Now, of course, there's the issue of owner's authorization...but notice the clause 'in excess of the authority granted to him'. I like to believe use of a SMTP service *NOT* defined as an MX entry and the use of a DNS service *NOT* listed as a NS in DNS is unauthorized--however, web services are a little more fuzzy...http://www.domain.com is an authorized webservice? What about http://domain.com? Or http://www1.domain.com? Perhaps 'authorization', as stated above, could mean by supplying authorization...if you don't need to supply authorization (web), does that imply authorization by owner? Does anyone know of any precedence on this?)

PENALTY OF COMPUTER TAMPERING:
-Class B misdemeanor for just accessing.
-Class A misdemeanor (1st)/ Class 4 felony (2nd+) for accessing and obtaining data.
-Class 4 felony (1st)/ Class 3 felony (2nd+) for deleting/altering data, any physical or logical (<-programs) damage, or running any type of 'program' (set of instructions....including shell commands like 'ls', etc)

--------------------------------------------------------------------

Now, from what nmap does, I'd consider it just accessing without obtaining data, and would peg it as a class B misdemeanor. Perhaps the fact that banners are sent by the system might upgrade it to class A misdemeanor.

And of course, penalties differ per state. This is (old?) info from www.eff.org, found at: www.eff.org/pub/Legal/comp_crime_us_state.laws

Cheers,
.rain.forest.puppy.