Nmap Announce mailing list archives
Re: publicly available resources and the law
From: David Dennis <dennisd () best com>
Date: Thu, 25 Feb 1999 14:01:05 -0800 (PST)
My first-ever post to a hack list. Fear and loathing ensue.

If I look in an open window while not trespassing, I am within my legal rights, according to the Supreme Court of the US on the subject of celebrity lawsuits and peeping tom laws. The responsibility is on the building owner to put up blinds or shut their window.

If I walk past a building and put my hand on it and feel around, or try the front door, and the building falls over or the door breaks, I might be cited for property damage and I might be fined for trespassing, but I highly doubt I would be jailed. It is also highly likely the bonehead that put up the building would be fined or cited. Let's have a building code for systems administration. Or let's not :)

If I cause a traffic jam on the highway with some reckless driving I might be cited or sent to traffic school or even jailed eventually, but I hardly think so on the first offense unless someone were killed as a result.

Why is snooping a net application or host considered by some to be a higher threat to anything, and why would we want the laws to be more severe than they are (not) for the examples above?

Also please consider this: a fairly significant count of those doing the snooping across networks onto hosts they do not have authority over are under 18, so penalties would need to reflect that. Perhaps we could co-locate with Singapore or some other penally frightening country and cause deterrence to be enhanced.

David Dennis
Seattle, Washington
Systems Administrator
< .sig under construction >

On Thu, 25 Feb 1999, Jesse Whyte wrote:
Date: Thu, 25 Feb 1999 08:32:05 -0600 (EST)
From: Jesse Whyte <jwhyte () mail state tn us>
To: Fyodor <fyodor () dhp com>
Cc: nmap-hackers () insecure org
Subject: Re: publicly available resources and the law

Fyodor and list,

While I've never seen anyone arrested for portscans, I have accounts terminated with ISPs for this behavior on a regular basis, averaging somewhere around 5-10 accounts per month. (These are probably throw-away accounts similar to spammers' accounts, but you have to take the small victories...)

I'm not sure how the State of Tennessee would legally pursue a portscan if I attacked it in that manner, but being responsible for its network security definitely means that I am concerned with each and every one of them. There is absolutely no valid reason for anyone but me to be scanning my class B's. Most ISPs also understand this; even UUnet seems to be acting appropriately on these issues.

From a real working-level perspective, there is no truly valid reason for someone else to be scanning my network. From a personal perspective, I view the Internet Operating System Counter Project in a similar vein to Dan Farmer's Internet security survey: it is a threat. Dan Farmer had no authorization to scan my network. IOSC has no authorization to scan my network. In either case, if they did cause damage in their scan, the "cause" would not be sufficient to deter legal action.

I speak in a personal capacity on professional issues and do not represent the State of Tennessee in any manner.

Jesse Whyte
Network Security
State of Tennessee

On Wed, 24 Feb 1999, Fyodor wrote:

I think this debate has brought forth some important issues. For example, it would be nice if something was done about some draconian state laws which, if applied literally, could make everything from pinging to port scanning to web browsing illegal unless you have explicit authorization from the destination host.

But a more practical question than 'could port scanning be construed as illegal in some ass-backwards state' is 'will I get arrested for doing nothing but portscanning a system'. And the answer to that is almost always "no". Hundreds of thousands of people have downloaded nmap (and others have obtained it when they installed FreeBSD, Debian Linux, Trinux, etc.). Millions of IPs have been scanned (I alone scan class B's on a somewhat regular basis). To the best of my knowledge, nobody has ever been arrested for simply scanning another machine (if anyone knows of such a case, please send info to the list).

Even though the worry of legal problems is extremely low, there is a very good chance that if you make a habit of scanning large numbers of hosts, you (or your ISP) will eventually get a complaint from some anal sysadmin. I had this happen to me once, but the guy cooled down when I explained that I was just testing out my new port scanner (and gave him an early release of nmap 2). The Internet Operating System Counter folks ( http://www.leb.net/hzo/ioscount/index.html ) estimate that they get about 1 query/complaint per 50,000 hosts. They apparently scanned (with queso) 1,191,755 hosts in January.

So a good rule of thumb is: don't scan from anywhere that complaints about your actions can cause you trouble. If your job or your school accounts are critically important to you, don't risk them by engaging in anything at all controversial (viewing porn, port scanning, tracerouting, MP3 downloading, exportation of cryptography, etc.). Spend the $20/month for a stupid ISP account and move all such activity there. And if they cancel your account for some stupid reason, switch to a better ISP (and if you have time, write the old ISP a letter explaining why you disagree with their policy).

Cheers,
Fyodor

PS: Due to an overwhelming response on this topic, I had to skip a lot of messages. I tried to post the ones which were on topic and contained pertinent facts (i.e. useful research on state laws or actual case examples). I don't mind posting occasional opinionated rants, but I don't want to flood the list with dozens of them in one day. It is not personal.

--
Fyodor 'finger pgp () www insecure org | pgp -fka'
In a free and open marketplace, it would be surprising to have such an obviously flawed standard generate much enthusiasm outside of the criminal community. --Mitch Stone on Microsoft ActiveX
Current thread:
- RE: publicly available resources and the law, (continued)
- RE: publicly available resources and the law Dragos Ruiu (Feb 23)
- RE: publicly available resources and the law Frank Miller (Feb 23)
- RE: publicly available resources and the law rain.forest.puppy (Feb 23)
- Re: publicly available resources and the law Brian Gosnell (Feb 23)
- RE: publicly available resources and the law Frank Miller (Feb 23)
- RE: publicly available resources and the law Dragos Ruiu (Feb 23)
- RE: publicly available resources and the law Meritt, Jim (Feb 23)
- Re: publicly available resources and the law Benjamin Tomhave (Feb 23)
- Re: publicly available resources and the law Bennett Todd (Feb 23)
- Re: publicly available resources and the law Ken Williams (Feb 24)
- Re: publicly available resources and the law Fyodor (Feb 24)
- Re: publicly available resources and the law Jesse Whyte (Feb 25)
- Re: publicly available resources and the law David Dennis (Feb 25)
- publicly available resources and the law System Administrator (Feb 25)
- Re: publicly available resources and the law vik bajaj (Feb 25)
- Re: publicly available resources and the law Bennett Todd (Feb 26)