Re: publicly available resources and the law

["Benjamin Tomhave" <Falcon () CyberSecret com>]

As best as I know, this is the guideline, and the legal technicalities that 
answer the question of port scanning legality versus access a system.  I 
definitely should not be considered an absolute authority on legality, so 
please put the flamethrowers aside for now.  Let me preface my comments 
by saying that I am a firm believer in freedom of information and open 
systems, but I also am a firm believer in justice and fairness.  It is a fine line 
to walk between security/paranoia/dictatorship and personal liberty.  
Comments are welcomed and encouraged!

1)  When you go to a site such as www.nsa.gov, connecting via port 80 and 
using http, you have been authorized to access that site via the declared 
method (in this case, web browser).  In fine, nit-picking terms, you are 
authorized by the NSA to connect to their web site via port 80, and nothing 
else.  This would also be the case with anonymous FTP.  Again, you have 
been granted specific permissions with a narrow scope.  To do anything that 
does not fall within that scope can be construed as "unauthorized access" 
even if you are utilizing the port made available.  Just because a port is open 
for a specific application does not mean that it is a "public" port.  And even if 
it were public, there is a certain amount of responsibility that does along with 
have public assets available for use.

2)  Port scanning can be deemed illegal, unauthorized access along the 
strictest of lines.  If you have not been granted explicit access to a system, 
regardless of how the ports are assigned to applications, then port scanning 
violates those restrictions.  However, along with this the owner of the 
machine must also have policies in place that can legally back up their 
description of "authorized access", etc.

3)  Legality is a touchy issue right now and basically comes down to walking 
a fine line.  On the one hand, it is the responsibility of the owner to 
thoroughly document usage policies and make the information widely 
available.  If that is done, then most of the time that is enough legal 
precedence should a court case be opened.  Negligence is not a viable 
defense.  On the other hand, if there is no policy in place defining "authorized 
access" then there is less legal recourse for responding to an intrusion, 
whether or be a port scan or an actual root compromise.

4)  Analogy:  If you have a piece of land that you do not want people to hunt 
on (I'm from Minnesota, btw), you have to post "No Trespassing" signs all 
around the border of that property.  If you do not make an effort to post your 
land, then you have no legal recourse should a hunter wander onto your land. 
 Similar methods must be used for computer systems.  Unfortunately, at 
least right now, there isn't any easy or nice way to post your system w/o 
allowing a person to access that system.  Thus, the law loosens a bit in 
favour of the owner with the understanding that it is highly difficult, if not 
impossible, to thoroughly and effectively post your property.

5)  On the flip side:  A case was tried and won by a hacker (defendant) who 
broke into a site.  The company had stated in the banner of the system 
"Welcome to <router name>".  The court ruled that saying "Welcome" was 
the same as inviting someone to enter their system and play around.  I 
believe that this ruling was overturned later by a higher court because 
adequate policy existed prohibiting certain kinds of access to the system.  
Regardless, seemingly trivial things like this can work against a site.

Cheers,

-ben

At Tuesday 2/23/99 0217 AM , HD Moore wrote
> Daemor wrote
> > Communicate with?  Retrieve data from?  Who authorizes me to connect 
to
> > port 80 at www.nsa.gov?  No one,  it is made publicly available.  No
> > authorazation is required to access the data.  Port scanning simply asks
> > which services are offered by a computer.  Unless measures have been
> > taken to restrict access to the data and the individual has attempted to
> > circumvent those measures then I see no crime.  Being charged with a
> > misdemeanor simply for port scanning ALONE seems a bit rediculous to
> > me.  I realize that scanning a host is often followed by an attack on a
> > system or is part of a search for vulnerable systems but simply asking
> > if the information is publicly available should not be a crime.
>
> Along these lines, I was wondering what the legal status of accessing
> FTP servers with anonmyous logins, wide open NFS exports, or NetBIOS
> shares.  There needs to be some clarification of what is considered
> public access and what is simply misconfiguration.  Anyone have
> something to contribute about what is actually legal to access and what
> is invasion?  Is any resource that can be accessed without special
> authorization considered public access in the terms of the law?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Benjamin Tomhave    Falcon () CyberSecret com
     http://falcon.cybersecret.com/default.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     "Here is where the road divides..."
     "...and a lifetime's not too long to live as friends."
     -Michael W. Smith (Pray For Me, Friends)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~