
List:       nmap-hackers
Subject:    SecurityFocus: Port scans legal, judge says
From:       Fyodor <fyodor () insecure ! org>
Date:       2000-12-20 0:58:45


Since this Securityfocus article (appended) relates directly to issues
that have been debated (ad nauseam) on the list, I thought I would forward
it.  The legal importance of this district court decision is rather
limited, but it is still nice to be able to point to articles like this
when someone gets on your case for port scanning.  I have heard from
dozens of people who have been kicked off ISPs for scanning their own
machines and even for mere "possession" of a port scanner like Nmap.  This
article states that "federal law enforcement officials are generally in
agreement that port scanning is not a crime."  And the author (Kevin
Poulsen) is all too aware of how the feds view computer crime :)!

Nevertheless, it is ALWAYS a nice courtesy to request permission before
you scan someone's network.  That way they aren't left wondering about
your intentions if they notice the scan.  Also, try to avoid scanning (or
any other potentially controversial network activity) from extremely
important accounts (like work or school accounts/machines).  Losing a $20
dialup is far better than being fired or expelled because you accidentally
pissed off someone important.

[ From http://www.securityfocus.com/news/126 ]

Port scans legal, judge says

Federal court finds that scanning a network doesn't cause damage, or
threaten public health and safety.
By Kevin Poulsen
December 18, 2000 9:05 AM PT

A tiff between two IT contractors that spiraled into federal court
ended last month with a U.S. district court ruling in Georgia that
port scanning a network does not damage it, under a section of the
anti-hacking laws that allows victims of cyber attack to sue an
attacker.

Last week both sides agreed not to appeal the decision by judge Thomas
Thrash, who found that the value of time spent investigating a port
scan cannot be considered damage. "The statute clearly states that
the damage must be an impairment to the integrity and availability of
the network," wrote the judge, who found that a port scan impaired
neither.

"It says you can't create your own damages by investigating something
that would not otherwise be a crime," says hacker defense attorney
Jennifer Granick. "It's a good decision for computer security
researchers."

A port scan is a remote probe of the services a computer is
running. While it can be a precursor to an intrusion attempt, it does
not in itself allow access to a remote system. Port-scanning programs
are found in the virtual tool chests of both Internet outlaws and
cyber security professionals.

Scott Moulton, president of Network Installation Computer Services
(NICS), is still facing criminal charges of attempted computer
trespass under Georgia's computer crime laws for port scanning a
system owned by a competing contractor.

Protecting 911?

According to court records, the case began last
December, while Moulton was under a continuing services contract with
Cherokee County, Georgia to maintain the county's emergency 911
system.

Moulton was tasked to install a connection between the 911 center and
a local police department, and he became concerned that the system
might be vulnerable to attack through the new link, or through other
interconnections.

Apparently prompted by that concern, Moulton scanned the network on
which the 911 system resided, and in the process touched a Cherokee
County web server that was owned and maintained by VC3, a South
Carolina-based IT firm. "My client started investigating who was
connected to the 911 center, where he worked," says Erin Stone,
Moulton's civil attorney. "He wound up finding VC3's firewall."

When a VC3 network administrator asked Moulton in an email to explain
the scan, "Moulton terminated the port scan immediately and responded
that he worked for Cherokee County 911 Center and was testing
security," according to the federal court's finding of fact.

VC3 went on to report the "suspicious activity" to the police, and
Moulton soon lost his contract with Cherokee County. Several weeks
later, the Georgia Bureau of Investigation arrested him.

Suit, Counter-suit

While still facing state criminal charges, Moulton
counter-attacked in February by suing VC3 in federal court, accusing
the company of making false and defamatory criminal allegations
against him. In deciding the case last month, Judge Thrash rejected
Moulton's claim, finding that VC3's statements to the police were
privileged. "We're the victim in a criminal case that got sued for
cooperating with police," says VC3 attorney Michael Hogue.

The company filed a counter-claim under an increasingly popular
provision of the federal computer fraud and abuse act that allows
victims to sue a cyber-attacker if they've suffered damages of at
least $5000.

While VC3 acknowledged that Moulton's port scan did no direct harm,
the company argued that the time spent investigating the event was a
form of damage. "If somebody does some type of attack, and you are a
good service provider, you spend all your time verifying that it did
not cause a significant problem," says Hogue. "The time that it takes
to do all that searching is the damage that we were claiming."

The judge rejected that claim, as well as an argument that the port
scan, and a throughput test Moulton allegedly aimed at the VC3 system,
threatened public health and safety. "[T]he tests run by Plaintiff
Moulton did not grant him access to Defendant's network," wrote the
judge. "The public data stored on Defendant's network was never in
jeopardy."

The ruling does not affect criminal applications of the anti-hacking
law, but federal law enforcement officials are generally in agreement
that port scanning is not a crime.

The decision may help define the statute's civil boundaries at a time
when more companies are eyeing lawsuits against computer intruders as
an alternative to relying on government prosecution.

"This is probably the first of many decisions that will come out
pertaining to the civil component of the computer fraud and abuse
act," says former computer crime prosecutor David Schindler, now an
attorney with the law firm of Latham & Watkins. "If a client came to
me and said that someone had pinged on their network and nothing else,
I probably would not advise them to take civil action."
