Nmap Announce mailing list archives
Valuable papers on the legality of port scanning and exploit code
From: Fyodor <fyodor () insecure org>
Date: Sat, 27 Dec 2003 03:15:04 -0800
As part of the Nmap book, I am including a section on the legality of port scanning. In the process I came across a couple good papers that I feel shed light on this important issue (at least for United States residents): The first paper is called "Port Scanning and its Legal Implications" by Abhinav Bhatt and is available at http://www.asianlaws.org/cyberlaw/library/cc/ptscanning.htm . It is short and insightful, and the author discusses the Scott Moultin case in detail. The civil court in that case ruled that the "act of conducting an unauthorized port scan and throughput test of defendant's servers does not constitute a violation of either the Georgia Computer Systems Protection Act or the Computer Fraud and Abuse Act." I am still researching the full results of the criminal charges, although my reading of the paper above is that he was fully cleared. Scott posted to Nmap-hackers about his case in 2001, saying: "I am proud that I could be of some benefit to the computer society in defending and protecting the rights of specialists in the computer field, however it is EXTREMELY costly to support such an effort, of which I am not happy about. But I will continue to fight and prove that there is nothing illegal about port scanning especially when I was just doing my job." --http://seclists.org/lists/nmap-hackers/2001/Apr-Jun/0011.html For further background on the Multon case, see: http://www.phillipsnizer.com/library/cases/lib_case37.cfm http://www.securityfocus.com/news/126 [ see feedback for VC3 replies ] Another good article on the legality of port scanning is "Finding Fences in Cyberspace: Privacy and Open Access on the Internet" by Ethan Prestion. It is available at http://grove.ufl.edu/~techlaw/vol6/Preston.html . I actually posted this one to nmap-hackers in 2001, but it is worth re-reading. My summary (actually mostly just excerpts of the most nmap-relevant portions) is at http://seclists.org/lists/nmap-hackers/2001/Apr-Jun/0008.html . The reason I am bringing this up is that Ethan has written another excellent paper. This one focuses more on the legality of publishing sensitive security information, particularly exploit code. However, much of the analysis relates to security tools as well. The curt legalese style and extreme abundance (405!) of footnotes makes it rather difficult to read, but it is worth the effort. I found the example cases in "Standards of Scrutiny For Computer Security Publications" particularly informative. The speculation on how the DMCA (and European Cybercrime Treaty) could be applied to stifle security publication was also insightful. The emphasis in the legal system on context and motive of expressive speech (as in the SOAP case) is worrisome for dual-use technology such as Nmap. SOAP was a bookmaking program for tracking sports wagering, and could have been used for legal or illegal bookmaking purposes. The court ruled that it was "too instrumental in and intertwined with the performance of criminal activity to retain first amendment protection." That decision seemed to be based on the context of how it was marketed. When I wrote Ethan regarding the applicability of the SOAP case's context ruling to security tools and exploit code, he provided the following advice: "Yes, its rather surprising what you can get in trouble for. I think, though, that simply publishing on the Internet, without any feedback from the people involved, is the safest way to do things. Without any interaction with one's readers, the Internet makes speech virtually context-free. Literally anybody could be reading it, doing anything, and if you don't take steps to involve yourself, you have no reason to know who they are or what they are doing. (If, however, one archives several listservs on one's website, one probably has a better sense of who is reading one's site. A-hem.)" The title of Ethan's new paper is "Computer Security Publications: Information Economics, Shifting Liability and the First Amendment". It is available from http://www.mcandl.com/computer-security.html . And if you think comparing gambling software to exploits is strange, just wait until you get to the section on autoerotic asphyxiation :). And speaking of the legality of port scanning, I recently received a box with an Nmap-themed t-shirt and bumper-stickers saying "port scanning is not a crime". They are apparently sold at http://www.americansushi.com/ . I have no affiliation with these guys, but I do hope to create official Nmap T-shirts and maybe polo-shirts in 2004. Let me know if you have any great ideas. I'll probably hold a design contest. Cheers, Fyodor -------------------------------------------------- For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List archive: http://seclists.org
Current thread:
- Valuable papers on the legality of port scanning and exploit code Fyodor (Dec 27)
- Re: Valuable papers on the legality of port scanning and exploit code Javier Fernandez-Sanguino (Dec 29)
- <Possible follow-ups>
- RE: Valuable papers on the legality of port scanning and exploit code Henrik Huhtinen (Dec 29)