On Apr 7, 2016, at 07:41 , William Herrin <bill@herrin.us> wrote:
On Thu, Mar 31, 2016 at 5:36 AM, Bacon Zombie <baconzombie@gmail.com> wrote:
I would ignore the portscans since there is nothing wrong with portscanning the Internet.
You might want to check with your lawyer on that. If you _intentionally_ port-scan a computer located in Virginia without the owner's permission (and do nothing else, just port-scan it) it's a class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine for each computer you scan. By comparison, shoplifting is a class 1 misdemeanor while possession of a schedule V narcotic is another class 3.
I think you’re on shaky ground here. 18.2-152.3 reads: Any person who uses a computer or computer network, without authority and: 1. Obtains property or services by false pretenses; 2. Embezzles or commits larceny; or 3. Converts the property of another; is guilty of the crime of computer fraud. If the value of the property or services obtained is $200 or more, the crime of computer fraud shall be punishable as a Class 5 felony. Where the value of the property or services obtained is less than $200, the crime of computer fraud shall be punishable as a Class 1 misdemeanor. The requirements here are to meet at least one of the 3 tests listed. I think it’s rather hard to claim that a portscan by itself “obtained property or services by false pretenses”. I think it’s even harder to claim that it constitutes “embezzling” or “larceny”. I also think you’d have a tough time arguing that eliciting a response packet to one or more packets actually constitutes conversion of property. So I don’t see how you’d make much of a case for a port-scan being a violation of 18.2-152.1 et. seq. I think the argument, rather easily, could be made that a port-scan is the internet equivalent of a door-knock. By itself, it doesn’t constitute unlawful entry. Now, a persistent door-knock might constitute some form of harassment and frequent or continuous port-scans could be argued to be a form of denial of service (which would constitute conversion), but the odd port-scan is unlikely to meet the tests under the law you cited.
A key word here is "intentionally." Poking at it by mistake (e.g. you thought it was a different computer which you had the authority to scan) is not a crime. Nor, most likely, is less aggressive behavior which would not ordinarily be part of gaining unauthorized access, such as pinging or tracerouting.
I could be wrong, IANAL, but I’d be surprised if a mere portscan would actually be treated as a violation for the reasons cited above.
Not that I've ever heard of someone being fined but you're definitely in to "something wrong" territory.
I don’t think you’ve made your case for “definite” so far. I agree you might be at risk from an overzealous prosecutor and an activist judge that hates hackers for some reason, but short of that, I think you’re unlikely to run afoul of this statute just on a port scan. Owen