Valuable papers on the legality of port scanning and exploit code

[Fyodor <fyodor () insecure org>]

As part of the Nmap book, I am including a section on the legality of
port scanning.  In the process I came across a couple good papers that
I feel shed light on this important issue (at least for United States
residents):

The first paper is called "Port Scanning and its Legal Implications"
by Abhinav Bhatt and is available at
http://www.asianlaws.org/cyberlaw/library/cc/ptscanning.htm .  It is
short and insightful, and the author discusses the Scott Moultin case
in detail.  The civil court in that case ruled that the "act of
conducting an unauthorized port scan and throughput test of
defendant's servers does not constitute a violation of either the
Georgia Computer Systems Protection Act or the Computer Fraud and
Abuse Act."  I am still researching the full results of the criminal
charges, although my reading of the paper above is that he was fully
cleared.  Scott posted to Nmap-hackers about his case in 2001, saying:

  "I am proud that I could be of some benefit to the computer society
  in defending and protecting the rights of specialists in the
  computer field, however it is EXTREMELY costly to support such an
  effort, of which I am not happy about. But I will continue to fight
  and prove that there is nothing illegal about port scanning
  especially when I was just doing my job." 
  --http://seclists.org/lists/nmap-hackers/2001/Apr-Jun/0011.html

For further background on the Multon case, see:
http://www.phillipsnizer.com/library/cases/lib_case37.cfm
http://www.securityfocus.com/news/126 [ see feedback for VC3 replies ]

Another good article on the legality of port scanning is "Finding
Fences in Cyberspace: Privacy and Open Access on the Internet" by
Ethan Prestion.  It is available at
http://grove.ufl.edu/~techlaw/vol6/Preston.html .  I actually posted
this one to nmap-hackers in 2001, but it is worth re-reading.  My
summary (actually mostly just excerpts of the most nmap-relevant
portions) is at
http://seclists.org/lists/nmap-hackers/2001/Apr-Jun/0008.html .

The reason I am bringing this up is that Ethan has written another
excellent paper.  This one focuses more on the legality of publishing
sensitive security information, particularly exploit code.  However,
much of the analysis relates to security tools as well.  The curt
legalese style and extreme abundance (405!) of footnotes makes it
rather difficult to read, but it is worth the effort.  I found the
example cases in "Standards of Scrutiny For Computer Security
Publications" particularly informative.  The speculation on how the
DMCA (and European Cybercrime Treaty) could be applied to stifle
security publication was also insightful.  The emphasis in the legal
system on context and motive of expressive speech (as in the SOAP
case) is worrisome for dual-use technology such as Nmap.
SOAP was a bookmaking program for tracking sports wagering, and could
have been used for legal or illegal bookmaking purposes.  The court
ruled that it was "too instrumental in and intertwined with the
performance of criminal activity to retain first amendment
protection."  That decision seemed to be based on the context of how
it was marketed.

When I wrote Ethan regarding the applicability of the SOAP case's
context ruling to security tools and exploit code, he provided the
following advice:

"Yes, its rather surprising what you can get in trouble for. I think,
 though, that simply publishing on the Internet, without any feedback
 from the people involved, is the safest way to do things. Without any
 interaction with one's readers, the Internet makes speech virtually
 context-free. Literally anybody could be reading it, doing anything,
 and if you don't take steps to involve yourself, you have no reason to
 know who they are or what they are doing. (If, however, one archives
 several listservs on one's website, one probably has a better sense of
 who is reading one's site. A-hem.)"

The title of Ethan's new paper is "Computer Security Publications:
Information Economics, Shifting Liability and the First Amendment".
It is available from http://www.mcandl.com/computer-security.html .

And if you think comparing gambling software to exploits is strange,
just wait until you get to the section on autoerotic asphyxiation :).

And speaking of the legality of port scanning, I recently received a
box with an Nmap-themed t-shirt and bumper-stickers saying "port
scanning is not a crime".  They are apparently sold at
http://www.americansushi.com/ .  I have no affiliation with these
guys, but I do hope to create official Nmap T-shirts and maybe
polo-shirts in 2004.  Let me know if you have any great ideas.  I'll
probably hold a design contest.

Cheers,
Fyodor

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List archive: http://seclists.org