Nmap Announce mailing list archives
RE: publicly available resources and the law
From: "Dragos Ruiu" <dr () v-wave com>
Date: Tue, 23 Feb 1999 07:49:46 -0800
Interestingly enough, that posting about Oregon port-scanning laws led to a chat over coffee with my lawyer about hacking. He pointed me to an interesting case documented in the clipping below.

His opinion was that it would be very difficult to make port-scanning stick in court, because you have to prove that the computer time or other "stolen" resources or information have value such that damages were incurred by their loss. I doubt that a few milliseconds of processing time to respond to a few errant UDP packets can be proven to have significant value.

So despite all the paranoid IT guys that freak out when port-mapped, I don't think I would worry about the legal system just yet. I think that even if you made the remote box reboot accidentally (or not), unless there was a pattern of systematic harassment, they would have a hard time with the law. As you can see in the case below, you have to go through a lot to get hacking to stick as a crime.

So if you are a script kiddie, the next time those Oregon cops show up on your doorstep, tell them to piss off and call your lawyer. But you better get the parental unit to shell out for a good lawyer if they can...

just my two cents,
--dr

(p.s. if any of you are under non-compete agreements with your work, there is also interesting info in the case below.)

-----Original Message-----
From: root () gull prod itd earthlink net [mailto:root () gull prod itd earthlink net]On Behalf Of HD Moore
Sent: Tuesday, February 23, 1999 12:18 AM
To: nmap-hackers () insecure org
Subject: publicly available resources and the law

Daemor wrote:
Communicate with? Retrieve data from? Who authorizes me to connect to port 80 at www.nsa.gov? No one, it is made publicly available. No authorization is required to access the data. Port scanning simply asks which services are offered by a computer. Unless measures have been taken to restrict access to the data and the individual has attempted to circumvent those measures then I see no crime. Being charged with a misdemeanor simply for port scanning ALONE seems a bit ridiculous to me. I realize that scanning a host is often followed by an attack on a system or is part of a search for vulnerable systems but simply asking if the information is publicly available should not be a crime.
Along these lines, I was wondering what the legal status is of accessing FTP servers with anonymous logins, wide open NFS exports, or NetBIOS shares. There needs to be some clarification of what is considered public access and what is simply misconfiguration. Anyone have something to contribute about what is actually legal to access and what is invasion? Is any resource that can be accessed without special authorization considered public access in the terms of the law?

---

Injunction Issued for Hacking Away Competitor's Customer Base
Judge: Conduct violates federal Wiretap Act

By Shannon P. Duffy
The Legal Intelligencer
Monday, February 22, 1999

Hacking into a competing company's computers to get the names of its customers from e-mail files violates the Federal Wiretap Act, a Pittsburgh federal judge has ruled.

In her four-page order in Labwerks Inc. v. Sladekutter Ltd., U.S. District Judge Donetta W. Ambrose enjoined an Internet Website development company from making any future attempts to hack into its competitor's system and ordered it to return the e-mails it stole. Ambrose also ordered Sladekutter to contact the customers whose names it accessed -- and whose business it tried to steal -- and inform them of the court injunction.

The central figure in the case is Daniel Dehner, a former Sladekutter employee who is now the vice president and chief technical officer at Labwerks. According to court papers, Dehner worked full-time at Sladekutter as a multi-media developer from November 1997 to September 1988, and then continued to work there part-time for two months as a consultant.

During his consulting phase, Dehner worked for both Sladekutter and Labwerks. At times, he would use Sladekutter's computers to access Labwerks' system in order to complete projects. Judge Ambrose of the Western District found that Dehner informed Sladekutter of his other work.
And when he started full-time work with Labwerks in November 1998, he never again accessed Sladekutter's computers. She also found that Dehner never took any of Sladekutter's materials and had accessed only those files that were pertinent to the projects he was working on.

But Ambrose found that Sladekutter mistakenly believed that Dehner was violating a non-compete clause he had signed in December 1997. The non-compete agreement was never valid, Ambrose found, since Dehner signed it without receiving any additional compensation, benefits or title in exchange.

On Nov. 13, 1998, Ambrose found that Sladekutter "gained unauthorized access" to Labwerks' computer system by using a combination of Dehner's name and his social security number. Once he had successfully hacked his way in, Ambrose said, Sladekutter copied Dehner's e-mails and the names of Labwerks' customers.

Labwerks' attorney, Peter A. Santos of Dickie McCamey & Chilcote, said he proved that Sladekutter was the hacker by presenting a detailed computer log in court which showed that the unauthorized entry into its system came from "sladekutter.com," and that the hacker made several unsuccessful attempts at guessing Dehner's password before breaking in.

Soon after the hack job, Ambrose found that Sladekutter wrote letters to two of Labwerks' clients and demanded that they stop doing business with Labwerks based on the non-compete clause. Both clients soon informed Labwerks that they would likely be withdrawing their business.

In her conclusions of law, Ambrose declared that the non-compete agreement was invalid since it was presented to Dehner after he had agreed to the terms of his employment, but added no new consideration. Sladekutter's removal of Dehner's e-mails, she said, violated the Federal Wiretap Act and its contacts with the two customers "constitute an intentional interference with plaintiff's existing contractual relations."
Ambrose said Labwerks proved that it would suffer irreparable harm without a court injunction "since it established through testimony that it will go out of business if the two clients withdraw their business."

Santos hailed the decision as a significant victory that had rescued his client from potential financial disaster. "The court has said in no uncertain terms that it will not tolerate one business breaking into another business's computer system. It's illegal and it will be stopped," Santos said.

(Copies of the four-page opinion in Labwerks Inc. v. Sladekutter Ltd., PICS NO. 99-0257, are available from The Legal Intelligencer.)