Security Basics mailing list archives

Internet Port scanning - next


From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 7 Apr 2006 18:45:47 +1000


 

        -----Original Message----- 
        From: Craig Wright 
        Sent: Fri 7/04/2006 6:41 PM 
        To: security-basics () securityfocus com 
        Cc: 
        Subject: 
        
        
        Hello, 

        Last post I issued was on how the courts determined access. Port scanning may be construed as access to a 
computer system. Seeing as I have to spell this out word by word.

        Next see the Convention on Cybercrime, "Each Party shall adopt such legislative and other measures as may be 
necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the 
whole or any part of a computer system without right.".

        Intentionally first. This relates to the port scanner being run intentionally. Not, as has been suggested, 
intention to do damage. Not intention for malicious action. Just intention to have run the port scan.

        Without right. I would agree that access that merely breaches contractual terms and conditions of access 
should not suffice to trigger criminal liability. It does suffice for civil liability, as was stated in earlier posts. 
In the US, scanning a "protected computer", which includes all University hosts, is a federal offence. 

        To nick a quote from the US DOJ:

        Subsection 1030(a)(3)

        Three substantive changes were made to § 1030(a)(3). First, the word "adversely" has been deleted because 
including this term suggests, inappropriately, that trespassing in a government computer may be benign. 

        Second, for clarity, the term "the use of the Government's operation of such computer" has been replaced with 
the term "that use by or for the Government of the United States." When a computer is used for the government, the 
government is not necessarily the operator, and the old term may have led to confusion. Consistent with this change, a 
similar change was made to the definition of "federal interest computer" (redesignated as "protected computer") in § 
1030(e)(2)(A). Third, Congress inserted "non-public" to modify "computer of a department or agency of the United 
States." This change is intended to reflect the growing use of the Internet by government agencies and, in particular, 
the establishment of World Wide Web home pages and other public services. Arguably, a person charged under the old 
subsection (a)(3) might have asserted as a defense that he was not "without authorization to access any computer of a 
department or agency of the United States," because he was authorized to access some publicly available computer of 
that department or agency, such as a Web site. While this defense would almost have negated the law and thus defied a 
common-sense interpretation of the former law, Congress added the word "non-public" to make it perfectly clear that a 
person who has no authority to access any non-public computer of a department or agency may be convicted under (a)(3) 
even though permitted to access publicly available computers.

        Subsection 1030(a)(4)

        Subsection 1030(a)(4) has been amended to insure that felony level sanctions apply when unauthorized use of the 
computer (or use exceeding authorization) is significant. At the time the "computer use" exception was originally 
crafted, the Senate Judiciary Committee noted that: 

        [T]he mere use of a computer or computer service has a value all its own. Mere trespasses onto someone else's 
computer system can cost the system provider a "port" or access channel that he might otherwise be making available for 
a fee to an authorized user. At the same time, the Committee believes it is important to distinguish clearly between 
acts of fraud under (a)(4), punishable as felonies, and acts of simple trespass, punishable in the first instance as 
misdemeanors. That distinction would be wiped out were the Committee to treat every trespass as an attempt to defraud a 
service provider of computer time.

        S. Rep. No. 99-432, 99th Cong., 2d Sess. 10 (1986). See also H.R. Rep. No. 99-612, 99th Cong., 2d Sess. 12 
(1986). 

        Again. Port scanning = illegal. It is a misdemeanor in the US. The act is not criminal by itself. This does not 
make it legal.

        MATRIX 3: 18 U.S.C. § 1030(a)(5) [THE NEW LAW] [2]

        [Based on the defendant's authority to access the computer and criminal intent to damage]

        Trespassers

        Intentional Damage        - Felony 

        Reckless Damage          -  Felony 

        Negligent Damage          - Misdemeanor 

        Essentially, this new statute provides that individuals who access protected computers without authority are 
responsible for the consequences of their actions.

        Regards, 

        Craig 

        

        [1] Convention on Cybercrime, Nov. 23, 2001, art. 2, Europ. T.S. No. 185

        [2] THE NATIONAL INFORMATION INFRASTRUCTURE PROTECTION ACT OF 1996, 2 Electronic Info. Pol'y & L. Rep. 240, 240 
(1997).

        US Congress - intentional damage statute - designed to complement the federal unauthorized access statute in 
1986.

        Codified at 18 U.S.C. § 1030(a)(5), this statute in its current form states that whoever “knowingly causes the 
transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage 
without authorization, to a protected computer”

         


