Nmap Announce mailing list archives

Re: publicly available resources and the law


From: Brian Gosnell <brian-g () tamu edu>
Date: Tue, 23 Feb 1999 00:10:10 -0600

These laws are for the state of Texas. They were passed in 1985 and to my
knowledge have not changed (my book is '97).  Texas has some of the most relaxed
laws I have seen on the topic.

(a) A person commits an offense if the person:

    (1) uses a computer without effective consent of the owner of the computer
or a person authorized to license access to the computer and the actor knows
that there exists a computer security system intended to prevent him from making
that use of a computer.

Most port scanning does not seem to fall under this as there is no "computer
security system intended to prevent" it.  If there is such a system (i.e., a
firewall) then the packets are blocked and never reach their destination.  If
efforts are made to bypass the firewall, such as fragmented scans, then this
could possibly be an offense.  However, it could still be argued that opening
the port is not use.

    (2) gains access to data stored or maintained by a computer without the
effective consent of the owner or licensee of the data and the actor knows that
there exists a computer security system intended to prevent him from gaining
access to that data.

This would seem to fit the accessing of unpassworded NETBIOS shares, NFS exports,
etc.  As long as there is no "system intended to prevent him from gaining
access to that data" then it is legal to do so.  This is for a "Breach of
Computer Security" without "intention to alter data" or "cause malfunction."
The laws for harmful access say "if the person knowingly... alters, damages or
destroys data."  It does not however say anything about an attempt to breach
security.


Daemor


rain.forest.puppy wrote:

This is a pretty interesting topic, so I just wanted to share some info I
found RE: computer crime laws in Illinois, US:

"Access" is defined as means to use, instruct, communicate with, store
data in, retrieve or intercept data from, or otherwise utilize any
services of a computer. (I think portscanning would fall in that)

COMPUTER TAMPERING:
A person commits the offense of computer tampering when he knowingly and
without authorization of a computer's owner, or in excess of the authority
granted to him, when he accesses or causes to be accessed a computer or
any part thereof, or a program or data (and possibly obtains data or
services).

(There's also a mention of "accesses and alters computer program or
data"...if you have a good prosecutor perhaps just the fact that the logs
are altered (appended) could fall under this)

(Now, of course, there's the issue of owner's authorization...but notice
the clause 'in excess of the authority granted to him'.  I like to believe
use of an SMTP service *NOT* defined as an MX entry and the use of a DNS
service *NOT* listed as a NS in DNS is unauthorized--however, web services
are a little more fuzzy...http://www.domain.com is an authorized
webservice? What about http://domain.com?  Or http://www1.domain.com?
Perhaps 'authorization', as stated above, could mean by supplying
authorization...if you don't need to supply authorization (web), does that
imply authorization by owner?  Does anyone know of any precedent on
this?)

PENALTY OF COMPUTER TAMPERING:
-Class B misdemeanor for just accessing.
-Class A misdemeanor (1st)/ Class 4 felony (2nd+) for accessing and
        obtaining data.
-Class 4 felony (1st)/ Class 3 felony (2nd+) for deleting/altering data,
        any physical or logical (<-programs) damage, or running any type of
        'program' (set of instructions....including shell commands like 'ls',
        etc)

--------------------------------------------------------------------

Now, from what nmap does, I'd consider it just accessing without obtaining
data, and would peg it as a class B misdemeanor.  Perhaps the fact that
banners are sent by the system might upgrade it to class A misdemeanor.

And of course, penalties differ per state.  This is (old?) info from
www.eff.org, found at:

www.eff.org/pub/Legal/comp_crime_us_state.laws

Cheers,
.rain.forest.puppy.


