Nmap Announce mailing list archives
Re: nmap illegal to use?
From: Fyodor <fyodor () insecure org>
Date: Sun, 10 Jun 2001 20:12:48 -0700
On Mon, Jun 11, 2001 at 09:33:35AM +0800, Tom Brays wrote:
"The Journal of Technology Law and Policy has a good article on computer security and privacy.
I believe the URL for the article you are referring to is http://grove.ufl.edu/~techlaw/vol6/Preston.html . Yes, it is an interesting (but long) research paper.
expectations of privacy.) It's interesting to see the computer security from a lawyer's point of view. Especially interesting are his claims that using nmap is illegal, despite the VC3 v. Moulton case."
As a point of clarification, I think Ethan is arguing that Nmap port scans could be a violation of the computer "access" provisions of several STATE ( not Federal) laws. He (She?) also states that "access-based computer crime laws" can "implicate the most rudimentary network functions, like pinging an IP address to see if a network host is connected to the Internet, let alone initiating a TCP connection that would provide the basis for communicating that access is unauthorized." and "most current laws could be used to penalize any interactions on the Internet between networked computers." Scary! Here are a few quotes from the article that refer to port scanning and Nmap: In Moulton v. VC3, a federal court found that the costs incurred investigating a port scan did not constitute damages under the federal Computer Fraud and Abuse Act.[166] Moreover, the court found that a party's port scan did not access the other party's network.[167] Port scans elicit information from computers and computer networks; under many of the state statutory definitions above, port scans do access computers and probably would constitute computer crime. Certainly, the court could have found port scans to constitute access under the CFAA and found the party liable for the port scan. Moulton may signify that there is a threshold of network activity below which courts will not interfere.[168] [ ... ] The application of access-based computer crime laws could damage the digital commons as much as the current formulation of trespass on chattels. The efficiency of communication on the Internet stems from the implied consent to use the computer resources and information of others'. Legal rules that extend liability to any access whatsoever damage that efficiency. Consider how trespass to chattels and access-based computer crime laws would function on the Internet. These laws implicate the most rudimentary network functions, like pinging an IP address to see if a network host is connected to the Internet, let alone initiating a TCP connection that would provide the basis for communicating that access is unauthorized. [ ... ] The benefit of the fences in cyberspace metaphor is an enhanced capacity for precision. Application of the metaphor of fences in cyberspace could create a legal regime capable of much finer distinctions between liability and non-liability. Consider a situation where the law assigns a privacy right to the computer owner over the kind of operating system running on the computer. (This privacy right is, and should remain, a hypothetical situation. The overall utility of such a privacy right is questionable. While discovering the identity of a target's operating system is an integral step to breaking into the target, it is poor security to rely on the obscurity of the operating system?s identity.)[175] In cyberspace, information about the kind of operating system is an object. This hypothetical posits that the owner has the legal right to put a fence around this object. Individuals on the network can use techniques like banner grabbing, port scanning or nmap's OS fingerprinting to identify the owner's operating system.[176] Most "fences" would protect against banner-grabbing; banners must be either changed or eliminated.[177] Port scanning can be prevented by shutting down unnecessary applications and through using firewalls that filtered packets on the basis of port numbers.[178] These measures would create a fences that encompasses more of the information. Finally, preventing nmap-type OS fingerprinting requires using a firewall that filtered on a packet-by-packet basis or altering the TCP/IP stack of the computer.[179] These measures would enclose most of the remotely available information about a computer's operating system. A court deciding whether to assign liability would first inquire into what technical measures were used; the court must find the fences in cyberspace. Next, the court must decide whether the technical measures were reasonable. The computer owner who failed to protect against banner-grabbing should not have legal recourse when banner grabbing identifies his operating system. A computer owner who used a firewall that prevented port scans but not nmap-type OS fingerprinting might establish a strong case for liability against a nmap scanner. Then again, perhaps the cost of preventing nmap-type OS fingerprinting might be found minimal; the court might assign liability only where the defendant used other means to get the information. The point of the exercise above is that the metaphor allows courts to distinguish between relative degrees of care that the owner has taken to restrict information flows. Courts striving for equitable and predictable distinctions between liability and non-liability receive little help from the language of the law; most current laws could be used to penalize any interactions on the Internet between networked computers. To be efficient, the law must also be capable of precision and coherency, even more so because information flows on the Internet can be very complex. The cyberspace fences metaphor can help provide that precision. Cheers, Fyodor -------------------------------------------------- For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
Current thread:
- nmap illegal to use? Tom Brays (Jun 10)
- Re: nmap illegal to use? Fyodor (Jun 10)
- Re: nmap illegal to use? Thomas Reinke (Jun 10)
- RE: nmap illegal to use? Jim (Jun 11)
- <Possible follow-ups>
- RE: nmap illegal to use? Scott Moulton (Jun 11)