Re: publicly available resources and the law

[David Dennis <dennisd () best com>]

My first-ever post to a hack list.  fear and loathing ensue.

if i look in an open window while not tresspassing, i am in legal rights,
according to supreme court of US on subject of celebrity lawsuits and
peeping tom laws.  the responsibility is on the building owner to put up
blinds or shut their window.

if i walk past a building and put my hand on it and feel around, or try
the front door, and the building falls over or the door breaks, i might be
cited for property damage and i might be fined for trespassing, but i
highly doubt i would be jailed.  it is also highly likely the bonehead
that put up the building would be fined or cited.  Lets have a building
code for systems administration.  Or let's not   :)

if i cause a traffic jam on the highway with some reckless driving i might
be cited or sent to traffic school or even jailed eventually, but i hardly
think on the first offense unless someone were killed as a result.  

why is snooping a net application or host considered by some to be a
higher threat to anything, and why would we want the laws to be more
severe than they are (not) for the examples above ?

also please consider this: a fairly significant count of those doing the
snooping across networks onto hosts they do not have authority over are
under 18, so penalties would need to reflect that, perhaps we could
co-locate with singapore or some other penally frightening country and
cause deterrence to be enhanced.


David Dennis            Seattle, Washington
Systems Administrator   < .sig under construction >


On Thu, 25 Feb 1999, Jesse Whyte wrote:

> Date: Thu, 25 Feb 1999 08:32:05 -0600 (EST)
> From: Jesse Whyte <jwhyte () mail state tn us>
> To: Fyodor <fyodor () dhp com>
> Cc: nmap-hackers () insecure org
> Subject: Re: publicly available resources and the law
>
> Fyodor and list,
>
> While I've never seen anyone arrested for portscans, I have accounts
> terminated with ISPs for this behavior on a regular basis, averaging
> somewhere around 5-10 accounts per month.  (These are probably throw-away
> accounts similar to spammers accounts, but you have to take the small
> victories...)
>
> I'm not sure how the State of Tennessee would legally pursue a portscan if
> I attacked it in that manner, but being responsible for its network
> security definately means that I am concerned with each and every one of
> them.  There is absolutely no valid reason for anyone but me to be
> scanning my class B's.  Most ISPs also understand this, even UUnet seems
> to be acting appropriately on these issues.  From a real working level
> perspective, there is no truly valid reason for someone else to be
> scanning my network.  From a personal perspective, I view the Internet
> Operating System Counter Project in a similar vein to Dan Farmer's
> Internet security survey: it is a threat.  Dan Farmer had no authorization
> to scan my network.  IOSC has no authorization to scan my network.  In
> either case, if they did cause damage in their scan, the "cause" would not
> be sufficient to deter legal action.
>
> I speak in a personal capacity on professional issues and do not represent
> the State of Tennessee in any manner.
>
> Jesse Whyte
> Network Security
> State of Tennessee
>
> On Wed, 24 Feb 1999, Fyodor wrote:
>
> > I think this debate has brought forth some important issues.  For
> > example, it would be nice if something was done about some draconian
> > state laws which, if applied literally, could make everything from
> > pinging to port scanning to web browsing illegal unless you have
> > explicit authorization from the destination host.
> >
> > But a more practical question than 'could port scanning be construed
> > as illegal in some ass-backwards state' is 'will I get arrested for
> > doing nothing but portscanning a system'.  And the answer to that is
> > almost always "no".  Hundreds of thousands of people have downloaded
> > nmap (and others have obtained it when they instaled FreeBSD, Debian
> > Linux, Trinux, etc).  Millions of IPs have been scanned (I alone scan
> > class B's on a somewhat regular basis).  To the best of my knowledge,
> > nobody has ever been arrested for simply scanning another machine (if
> > anyone knows of such a case, please send info to the list).
> >
> > Even though the worry of legal problems is extremely low, there is a very
> > good chance that if you make a habit of scanning large numbers of hosts,
> > you (or your ISP) will eventually get a complaint from some anal sysadmin.  
> > I had this happen to me once, but the guy cooled down when I explained
> > that I was just testing out my new port scanner (and gave him an early
> > release of nmap 2).  The Internet Operating System Counter folks (
> > http://www.leb.net/hzo/ioscount/index.html ) estimate that they get about
> > 1 query/complaint per 50,000 hosts.  They apparently scanned (with queso)
> > 1,191,755 hosts in January.
> >
> > So a good rule of thumb is: don't scan from anywhere that complaints
> > about your actions can cause you trouble.  If your job or your school
> > accounts are critically important to you, don't risk them by engaging
> > in anything at all controversial (viewing porn, port scanning,
> > tracerouting, MP3 downloading, exportation of cryptography, etc).
> > Spend the $20/month for a stupid ISP account and move all such
> > activity there.  And if they cancel your account for some stupid
> > reason, switch to a better ISP (and if you have time, write the old
> > ISP a letter explaining why you disagree with their policy).
> >
> > Cheers,
> > Fyodor
> >
> > PS: Due to an overwhelming response on this topic, I had to skip a lot
> > of messages.  I tried to post the ones which were on topic and
> > contained pertinant facts (ie useful research on state laws or actual
> > case examples).  I don't mind posting occasional opinionated rants, but
> > I don't want to flod the list with dozens of them in one day.  It is
> > not personal.
> >
> >
> > --
> > Fyodor                            'finger pgp () www insecure org | pgp -fka'
> > In a free and open marketplace, it would be surprising to have such an
> > obviously flawed standard generate much enthusiasm outside of the criminal
> > community.  --Mitch Stone on Microsoft ActiveX