The gray area of port-scanning legality came up at Usenix's conference earlier this month. I believe the consensus was that you are on firmer ground when organizations who own machines that attackers might perform port scans FROM have AUP's that prohibit such activity. Nothing in this court case would seem to prevent an organization from disciplining individuals for using a system for an administratively prohibited purpose.

-----Original Message----- From: Edward S. Marshall [mailto:emarshal@logic.net] Sent: Tuesday, December 19, 2000 9:43 AM To: nanog@merit.edu Subject: Port scanning legal

http://www.securityfocus.com/templates/article.html?id=126

A quick quote from the article:

A tiff between two IT contractors that spiraled into federal court ended last month with a U.S. district court ruling in Georgia that port scanning a network does not damage it, under a section of the anti-hacking laws that allows victims of cyber attack to sue an attacker.