Nmap Announce mailing list archives

RE: publicly available resources and the law


From: Benjamin Smee <ben () itaudit com au>
Date: Wed, 24 Feb 1999 09:42:07 +1100


Hello,

I have often wondered about the specifics of this myself. Here is my understanding:

One of the key things in relation to what Daemor is talking about is Warning. I
know that there was a case in the states where a 'hacker' was let off at court
as he pleaded he did not know that he was not authorised to access a system. The
system had no legal banners in place. Having said that I know that in Australia
the aforesaid hacker would not have gotten off. The key.... WARNINGS on the
site about illegal access and use of the system.

The thing is that still doesn't clarify the problem. AFAIK in the western world
most computer crime laws are based on the ones from the USA. With this in mind
the problem seems somewhat Universal, in that almost all are worded so badly
that any Internet savvy person would cringe. In Australia the computer crime
laws are so badly written that I wouldn't be surprised to hear that someone
could be charged with "insertion or modification of data without authorisation"
just by sending an email with an attachment. 

Relating this specifically to port scanning though and at least in Australia we
are safe :) There are no laws that could even be interpreted as considering
port scanning illegal. 


Daemor wrote:

Communicate with?  Retrieve data from?  Who authorizes me to connect to
port 80 at www.nsa.gov?  No one,  it is made publicly available.  No
authorization is required to access the data.  Port scanning simply asks
which services are offered by a computer.  Unless measures have been
taken to restrict access to the data and the individual has attempted to
circumvent those measures then I see no crime.  Being charged with a
misdemeanor simply for port scanning ALONE seems a bit ridiculous to
me.  I realize that scanning a host is often followed by an attack on a
system or is part of a search for vulnerable systems but simply asking
if the information is publicly available should not be a crime.

Along these lines, I was wondering what the legal status of accessing
FTP servers with anonymous logins, wide open NFS exports, or NetBIOS
shares is.  There needs to be some clarification of what is considered
public access and what is simply misconfiguration.  Anyone have
something to contribute about what is actually legal to access and what
is invasion?  Is any resource that can be accessed without special
authorization considered public access in the terms of the law?



regards, 
Benjamin Smee
Senior Computer Security Consultant
Fingerprint: 4574 41AD D801 1533 455C  E5F8 79C4 CEF1 AED8 58C1

___________________________
IT Audit & Consulting (ITAC) Pty Ltd
                        ben () itaudit com au
                            
