Nmap Announce mailing list archives

RE: publicly available resources and the law


From: "Dragos Ruiu" <dr () v-wave com>
Date: Tue, 23 Feb 1999 07:49:46 -0800

Interestingly enough, that posting about Oregon
port-scanning laws led to a chat over coffee with
my lawyer about hacking. He pointed me to an
interesting case documented in the clipping below.

His opinion was that it would be very difficult
to make port-scanning stick in court, because you
have to prove that the computer time or other
"stolen" resources or information have value such
that damages were incurred by their loss.

I doubt that a few milliseconds of processing time
to respond to a few errant UDP packets can be proven
to have significant value.  So despite all the paranoid
IT guys that freak out when port-mapped, I don't think
I would worry about the legal system just yet. I think
that even if you made the remote box reboot accidentally
(or not), unless there was a pattern of systematic harassment,
they would have a hard time with the law.

As you can see in the case below, you have to go through
a lot to get hacking to stick as a crime. So if you
are a script kiddie, the next time those Oregon cops
show up on your doorstep, tell them to piss off and call
your lawyer. But you better get the parental unit to
shell out for a good lawyer if they can...

just my two cents,
--dr

(p.s. if any of you are under non-compete agreements with
 your work, there is also interesting info in the case below.)

-----Original Message-----
From: root () gull prod itd earthlink net
[mailto:root () gull prod itd earthlink net]On Behalf Of HD Moore
Sent: Tuesday, February 23, 1999 12:18 AM
To: nmap-hackers () insecure org
Subject: publicly available resources and the law


Daemor wrote:

Communicate with?  Retrieve data from?  Who authorizes me to connect to
port 80 at www.nsa.gov?  No one,  it is made publicly available.  No
authorization is required to access the data.  Port scanning simply asks
which services are offered by a computer.  Unless measures have been
taken to restrict access to the data and the individual has attempted to
circumvent those measures then I see no crime.  Being charged with a
misdemeanor simply for port scanning ALONE seems a bit ridiculous to
me.  I realize that scanning a host is often followed by an attack on a
system or is part of a search for vulnerable systems but simply asking
if the information is publicly available should not be a crime.

Along these lines, I was wondering what the legal status is of accessing
FTP servers with anonymous logins, wide open NFS exports, or NetBIOS
shares.  There needs to be some clarification of what is considered
public access and what is simply misconfiguration.  Anyone have
something to contribute about what is actually legal to access and what
is invasion?  Is any resource that can be accessed without special
authorization considered public access in the terms of the law?


---
Injunction Issued for Hacking Away Competitor's Customer Base

Judge: Conduct violates federal Wiretap Act



By Shannon P. Duffy
The Legal Intelligencer
Monday, February 22, 1999



Hacking into a competing company's computers to get the names of its
customers from e-mail files violates the Federal Wiretap Act, a Pittsburgh
federal judge has ruled.


In her four-page order in Labwerks Inc. v. Sladekutter Ltd., U.S. District
Judge Donetta W. Ambrose enjoined an Internet Website development company
from making any future attempts to hack into its competitor's system and
ordered it to return the e-mails it stole.


Ambrose also ordered Sladekutter to contact the customers whose names it
accessed -- and whose business it tried to steal -- and inform them of the
court injunction.


The central figure in the case is Daniel Dehner, a former Sladekutter
employee who is now the vice president and chief technical officer at
Labwerks.


According to court papers, Dehner worked full-time at Sladekutter as a
multi-media developer from November 1997 to September 1988, and then
continued to work there part-time for two months as a consultant.


During his consulting phase, Dehner worked for both Sladekutter and
Labwerks. At times, he would use Sladekutter's computers to access Labwerks'
system in order to complete projects.


Judge Ambrose of the Western District found that Dehner informed Sladekutter
of his other work. And when he started full-time work with Labwerks in
November 1998, he never again accessed Sladekutter's computers. She also
found that Dehner never took any of Sladekutter's materials and had accessed
only those files that were pertinent to the projects he was working on.


But Ambrose found that Sladekutter mistakenly believed that Dehner was
violating a non-compete clause he had signed in December 1997. The
non-compete agreement was never valid, Ambrose found, since Dehner signed it
without receiving any additional compensation, benefits or title in
exchange.


On Nov. 13, 1998, Ambrose found that Sladekutter "gained unauthorized
access" to Labwerks' computer system by using a combination of Dehner's name
and his social security number. Once he had successfully hacked his way in,
Ambrose said, Sladekutter copied Dehner's e-mails and the names of Labwerks'
customers.


Labwerks' attorney, Peter A. Santos of Dickie McCamey & Chilcote, said he
proved that Sladekutter was the hacker by presenting a detailed computer log
in court which showed that the unauthorized entry into its system came from
"sladekutter.com," and that the hacker made several unsuccessful attempts at
guessing Dehner's password before breaking in.


Soon after the hack job, Ambrose found that Sladekutter wrote letters to two
of Labwerks' clients and demanded that they stop doing business with Labwerks
based on the non-compete clause. Both clients soon informed Labwerks that
they would likely be withdrawing their business.


In her conclusions of law, Ambrose declared that the non-compete agreement
was invalid since it was presented to Dehner after he had agreed to the
terms of his employment, but added no new consideration.


Sladekutter's removal of Dehner's e-mails, she said, violated the Federal
Wiretap Act and its contacts with the two customers "constitute an
intentional interference with plaintiff's existing contractual relations."


Ambrose said Labwerks proved that it would suffer irreparable harm without a
court injunction "since it established through testimony that it will go out
of business if the two clients withdraw their business."


Santos hailed the decision as a significant victory that had rescued his
client from potential financial disaster.


"The court has said in no uncertain terms that it will not tolerate one
business breaking into another business's computer system. It's illegal and
it will be stopped," Santos said.


(Copies of the four-page opinion in Labwerks Inc. v. Sladekutter Ltd., PICS
NO. 99-0257, are available from The Legal Intelligencer.)


