In message <Pine.LNX.4.30.0012190930530.27364-100000@labyrinth.local>, "Edward S. Marshall" writes:
http://www.securityfocus.com/templates/article.html?id=126
A quick quote from the article:
A tiff between two IT contractors that spiraled into federal court ended last month with a U.S. district court ruling in Georgia that port scanning a network does not damage it, under a section of the anti-hacking laws that allows victims of cyber attack to sue an attacker.
Last week both sides agreed not to appeal the decision by judge Thomas Thrash, who found that the value of time spent investigating a port scan can not be considered damage. "The statute clearly states that the damage must be an impairment to the integrity and availability of the network," wrote the judge, who found that a port scan impaired neither.
This may have ramifications for both security professionals and abuse desk personnel; this ruling would seem to make it clear that you cannot claim time spent investigating abuse issues as damage. The complete finding is here:
http://pub.bna.com/eclr/00434.htm
Any armchair lawyers on the list want to take a crack at this?
As always, your mileage may vary. California law specifically states that costs incurred by the victim include
any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, deleted, damaged, or destroyed by the access.
So checking out a scan might qualify. As for "access", it's defined as
"Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network
Specific crimes include
(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.
(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
Does a port scan "communicate with" the specified part of a computer?
FYI, these are from Section 502 of the California Penal Code, at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&group=00001-01000&file=484-502.9
On Tue, Dec 19, 2000 at 05:23:27PM -0500, Steven M. Bellovin wrote:
As always, your mileage may vary. California law specifically states that costs incurred by the victim include
any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, deleted, damaged, or destroyed by the access.
So checking out a scan might qualify. As for "access", it's defined as
"Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network
In other words, as written, it means that if you pull up my web page, I can bill you for my time checking the apache logs to make sure you weren't doing anything wrong. And, if you send me email, I can bill you for my time spent making sure it didn't contain a virus. I'm thinking that law is easily challenged on the basis of vagueness.
Participants (2): Shawn McMahon, Steven M. Bellovin