Nmap Announce mailing list archives

RE: nmap..... via web


From: "Frank Miller" <frankm () bend or us>
Date: Mon, 22 Feb 1999 12:03:44 -0800

But, watch out for liability for scanning.  In the state of Oregon, for
instance, port scanning can be (dependent upon interpretation of state/local
police) a Computer Crime.  An attempt to access, without authorization, any
network/computer is a misdemeanor.  I have seen this stick to script kiddies.

So ... what happens if a script kiddie scans the wrong network from your
site?  Look at section 4.

Frank

164.377 Computer crime. (1) As used in this section:

(a) To "access" means to instruct, communicate with, store data in, retrieve
data from or otherwise make use of any resources of a computer, computer
system or computer network.

(b) "Computer" means, but is not limited to, an electronic device which
performs logical, arithmetic or memory functions by the manipulations of
electronic, magnetic or optical signals or impulses, and includes all input,
output, processing, storage, software or communication facilities which are
connected or related to such a device in a system or network.

(c) "Computer network" means, but is not limited to, the interconnection of
communication lines, including microwave or other means of electronic
communication, with a computer through remote terminals or a complex
consisting of two or more interconnected computers.

(d) "Computer program" means, but is not limited to, a series of
instructions or statements, in a form acceptable to a computer, which
permits the functioning of a computer system in a manner designed to provide
appropriate products from or usage of such computer system.

(e) "Computer software" means, but is not limited to, computer programs,
procedures and associated documentation concerned with the operation of a
computer system.

(f) "Computer system" means, but is not limited to, a set of related,
connected or unconnected, computer equipment, devices and software.
"Computer system" also includes any computer, device or software owned or
operated by the Oregon State Lottery or rented, owned or operated by another
person or entity under contract to or at the direction of the Oregon State
Lottery.

(g) "Data" means a representation of information, knowledge, facts,
concepts, computer software, computer programs or instructions. "Data" may
be in any form, in storage media, or as stored in the memory of the
computer, or in transit, or presented on a display device. "Data" includes,
but is not limited to, computer or human readable forms of numbers, text,
stored voice, graphics and images.

(h) "Property" includes, but is not limited to, financial instruments,
information, including electronically produced data, and computer software
and programs in either computer or human readable form, intellectual
property and any other tangible or intangible item of value.

(i) "Proprietary information" includes any scientific, technical or
commercial information including any design, process, procedure, list of
customers, list of suppliers, customers' records or business code or
improvement thereof that is known only to limited individuals within an
organization and is used in a business that the organization conducts. The
information must have actual or potential commercial value and give the user
of the information an opportunity to obtain a business advantage over
competitors who do not know or use the information.

(j) "Services" include, but are not limited to, computer time, data
processing and storage functions.

(2) Any person commits computer crime who knowingly accesses, attempts to
access or uses, or attempts to use, any computer, computer system, computer
network or any part thereof for the purpose of:

(a) Devising or executing any scheme or artifice to defraud;

(b) Obtaining money, property or services by means of false or fraudulent
pretenses, representations or promises; or

(c) Committing theft, including, but not limited to, theft of proprietary
information.

(3) Any person who knowingly and without authorization alters, damages or
destroys any computer, computer system, computer network, or any computer
software, program, documentation or data contained in such computer,
computer system or computer network, commits computer crime.

(4) Any person who knowingly and without authorization uses, accesses or
attempts to access any computer, computer system, computer network, or any
computer software, program, documentation or data contained in such
computer, computer system or computer network, commits computer crime.

(5)(a) A violation of the provisions of subsection (2) or (3) of this
section shall be a Class C felony. Except as provided in paragraph (b) of
this subsection, a violation of the provisions of subsection (4) of this
section shall be a Class A misdemeanor.

(b) Any violation of this section relating to a computer, computer network,
computer program, computer software, computer system or data owned or
operated by the Oregon State Lottery or rented, owned or operated by another
person or entity under contract to or at the direction of the Oregon State
Lottery Commission shall be a Class C felony. [1985 c.537 s.8; 1989 c.737
s.1; 1991 c.962 s.17]






-----Original Message-----
From: Donald McLachlan [mailto:don () mars dgrc crc ca]
Sent: Monday, February 22, 1999 11:21 AM
To: nmap-hackers () insecure org
Subject: Re: nmap..... via web


From: Lars Marowsky-Bree <lmb () teuto net>

On 1999-02-19T12:13:31,
   Lamont Granquist <lamontg () raven genome washington edu> said:

since so many people seem to be trying to use nmap for these kinds of
things maybe nmap needs these patches in the development tree...

No. IMNSHO, these people need some common sense. Triggering an nmap scan via
WWW ? Hello? *knock knock* Can you say DoS ? Can you say "exploit" ?

The legitimate use I can see is to test whether your firewall is really
doing what you think.  The best way is to test from a foreign source address
(web server out on the Internet).

If the web page would only scan the single host the http connection is
from, and had "buttons" to select options for TCP/UDP/etc I think this
should be a fairly safe and useful tool.

Don
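
An added example, not part of the original messages or of nmap: one way to build the scan command for the "scan only the connecting host" page described above, with the target taken from the connection itself and every option chosen from a fixed list. The function name, form field names, port presets and the five-minute cooldown are assumptions made for illustration.

```python
import ipaddress
import time

# Form "buttons" map to fixed nmap arguments; nothing typed by the client reaches argv.
SCAN_TYPES = {"tcp": "-sT", "udp": "-sU"}
PORT_SETS = {"low": "1-1024", "all": "1-65535"}
COOLDOWN_SECONDS = 300   # assumed policy: one scan per client per 5 minutes
_last_scan = {}          # client address -> time of last accepted scan


class Rejected(Exception):
    """Request refused; no scan is started."""


def build_scan_argv(environ, form, now=None):
    """Return the nmap argv for a self-scan of the connecting client."""
    now = time.time() if now is None else now
    # The target is the TCP peer address set by the web server, never a form
    # field or a client-controlled header such as X-Forwarded-For.
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        raise Rejected("no usable peer address") from None
    if peer.is_loopback or peer.is_multicast or peer.is_unspecified:
        raise Rejected("peer address not scannable")
    # Options are looked up in the allowlists; unknown values are refused
    # before the request can consume the client's cooldown slot.
    try:
        scan_flag = SCAN_TYPES[form.get("scan", "tcp")]
        ports = PORT_SETS[form.get("ports", "low")]
    except KeyError:
        raise Rejected("unknown option") from None
    key = str(peer)
    if now - _last_scan.get(key, float("-inf")) < COOLDOWN_SECONDS:
        raise Rejected("rate limited")
    _last_scan[key] = now
    argv = ["nmap", scan_flag, "-p", ports]
    if peer.version == 6:
        argv.append("-6")
    argv.append(key)
    return argv  # hand to subprocess.run(argv) as a list, without shell=True
```

Behind a reverse proxy REMOTE_ADDR is the proxy's address, so this check only holds where the web server terminates the client's connection itself.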



