http://www.securityfocus.com/templates/article.html?id=126
A quick quote from the article:
A tiff between two IT contractors that spiraled into federal court ended last month with a U.S. district court ruling in Georgia that port scanning a network does not damage it, under a section of the anti-hacking laws that allows victims of cyber attack to sue an attacker.
Last week both sides agreed not to appeal the decision by judge Thomas Thrash, who found that the value of time spent investigating a port scan can not be considered damage. "The statute clearly states that the damage must be an impairment to the integrity and availability of the network," wrote the judge, who found that a port scan impaired neither.
This may have ramifications for both security professionals and abuse desk personnel; this ruling would seem to make it clear that you cannot claim time spent investigating abuse issues as damage. The complete finding is here:
http://pub.bna.com/eclr/00434.htm
Any armchair lawyers on the list want to take a crack at this?
-- Edward S. Marshall <emarshal@logic.net> http://www.nyx.net/~emarshal/
-------------------------------------------------------------------------------
[ Felix qui potuit rerum cognoscere causas. ]
Isn't that just sweet... So in a nutshell it is *not* illegal for kiddies to port scan a network looking for vulnerabilities. It would seem to me that such scans would impair the integrity of one's networks, or am I just smoking crack?
Jeff CETLink.Net
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Edward S. Marshall
Sent: Tuesday, December 19, 2000 10:43 AM
To: nanog@merit.edu
Subject: Port scanning legal
http://www.securityfocus.com/templates/article.html?id=126
A quick quote from the article:
A tiff between two IT contractors that spiraled into federal court ended last month with a U.S. district court ruling in Georgia that port scanning a network does not damage it, under a section of the anti-hacking laws that allows victims of cyber attack to sue an attacker.
Last week both sides agreed not to appeal the decision by judge Thomas Thrash, who found that the value of time spent investigating a port scan can not be considered damage. "The statute clearly states that the damage must be an impairment to the integrity and availability of the network," wrote the judge, who found that a port scan impaired neither.
This may have ramifications for both security professionals and abuse desk personnel; this ruling would seem to make it clear that you cannot claim time spent investigating abuse issues as damage. The complete finding is here:
http://pub.bna.com/eclr/00434.htm
Any armchair lawyers on the list want to take a crack at this?
-- Edward S. Marshall <emarshal@logic.net> http://www.nyx.net/~emarshal/
-------------------------------------------------------------------------------
[ Felix qui potuit rerum cognoscere causas. ]
On Tue, 19 Dec 2000, Jeff Wheat wrote:
Isn't that just sweet... So in a nutshell it is *not* illegal for kiddies to port scan a network looking for vulnerabilities. It would seem to me that such scans would impair the integrity of one's networks, or am I just smoking crack?
http://www.theregister.co.uk/content/6/15566.html
Scott Moulton, president of Network Installation Computer Services (NICS), is still facing criminal charges of attempted computer trespass under Georgia's computer crime laws for port scanning a system owned by a competing contractor.
The result of the case would appear to be that you can't expect to win a civil lawsuit claiming damages relating to time spent investigating a port scan. Nothing more. So yes, you're smoking crack :)
-- Patrick Evans - Net bloke, indie kid and lemonade drinker
pre at pre dot org www dot pre dot org
On Tue, 19 Dec 2000, Jeff Wheat wrote:
Isn't that just sweet... So in a nutshell it is *not* illegal for kiddies to port scan a network looking for vulnerabilities. It would seem to me that such scans would impair the integrity of one's networks, or am I just smoking crack?
Jeff CETLink.Net
The attorney for the plaintiff obviously didn't use the correct analogy when explaining this to the court. Had he likened portscanning someone's network to walking into their back yard with a ladder, climbing up to the second floor and checking for open windows, perhaps the court would have found differently.
--- John Fraizer EnterZone, Inc
Port-scanners and window-checkers will be shot on site.
On Tue, Dec 19, 2000 at 11:59:23AM -0500, John Fraizer wrote:
Had he likened portscanning someone's network to walking into their back yard with a ladder, climbing up to the second floor and checking for open windows, perhaps the court would have found differently.
I'm sure they would, but it's a deeply flawed analogy. How many ports must be scanned before you deem it an attack? Is one port enough? Five? 50? If you pick a number here, is that arbitrary, or do you have a valid logical (and legally-supportable) reason for the number? If one port is sufficient, then the act of typing an IP address into a web browser to see if there's a web server listening is a crime.
On Tue, 19 Dec 2000, Shawn McMahon wrote:
How many ports must be scanned before you deem it an attack? Is one port enough? Five? 50?
I don't deem a port scan as vicious or an attack.
If you pick a number here, is that arbitrary, or do you have a valid logical (and legally-supportable) reason for the number?
No.
If one port is sufficient, then the act of typing an IP address into a web browser to see if there's a web server listening is a crime.
Agreed, which is why I said the first.
On Tue, 19 Dec 2000, Alex Rubenstein wrote:
On Tue, 19 Dec 2000, Shawn McMahon wrote:
How many ports must be scanned before you deem it an attack? Is one port enough? Five? 50?
I don't deem a port scan as vicious or an attack.
Without muddying the issue, while a port scan might not be considered (legally or operationally) as vicious or an attack, one need not feel obligated to allow it (at a router/firewall level) or support it or ignore it for that matter.
I don't support people screaming that someone's dial-up connection should be shut off for it, but that doesn't mean a thoughtful admin can't keep an eye on machines that have scanned his/her network.
I liken it to driving into someone's driveway. They _might_ just be turning around, they _might_ just be lost, they _might_ be planning something nefarious. It doesn't make you call the cops instantly, but it doesn't stop you from taking note of their license plate, description or other vital details.
Deepak Jain AiNET
On Tue, Dec 19, 2000 at 02:06:04PM -0500, Alex Rubenstein wrote:
On Tue, 19 Dec 2000, Shawn McMahon wrote:
How many ports must be scanned before you deem it an attack? Is one port enough? Five? 50?
I don't deem a port scan as vicious or an attack.
How about "scanning" 1 million ports per second, over and over again? :-)
-- Leo Bicknell - bicknell@ufp.org
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On Tue, 19 Dec 2000 11:05:40 EST, Jeff Wheat <jeff@cetlink.net> said:
Isn't that just sweet... So in a nutshell it is *not* illegal for kiddies to port scan a network looking for vulnerabilities. It would seem to me that such scans would impair the integrity of one's networks, or am I just smoking crack?
1) It's only binding on the one US Circuit Court district.
2) It's narrowly written to only prohibit counting the time spent investigating a port scan as "damages". So if you're billable for $200/hour, and spend 1 hour checking the portscan and 10 hours fixing the hack-in they found, if you're computing damages for civil or criminal action, it's only $2,000, not $2,200.
3) Let's not forget that a *scan* only actually impairs the integrity of a network that hasn't been secured against scanning. You'll never have somebody walk up to you and say "Hey, your front door is unlocked" if you always lock your front door.
The problem starts when somebody takes the information gathered from the scan and actually uses an exploit. And case law seems to be pretty clear in most jurisdictions that have computer crime laws - using an exploit is a no-no.
And no, please don't go scanning our nets to find stuff for us - we're quite aware of exactly what shape our 2 /16's are in. ;)
-- Valdis Kletnieks Operating Systems Analyst Virginia Tech
On Tue, 19 Dec 2000 Valdis.Kletnieks@vt.edu wrote:
3) Let's not forget that a *scan* only actually impairs the integrity of a network that hasn't been secured against scanning. You'll never have somebody walk up to you and say "Hey, your front door is unlocked" if you always lock your front door.
I do not understand why people get so uppity about a scan. Let's be real here, a simple portscan is about equivalent to walking along a sidewalk and checking out the houses for open windows and doors. And about as harmful.
What is harmful is what sometimes comes after that. (Not always; not usually; not even half the time I'd bet.) But the only damage a portscan does is a few packets over your network and maybe 4M of logs (depending on how you're logging). When writing and enforcing laws, it's important to punish what's harmful, not what may be harmful. Or else looking at houses as you walk down the street may be illegal.
Matthew Devney System Administrator Teamsphere Interactive
On Tue, Dec 19, 2000 at 04:26:33PM -0800, mdevney@teamsphere.com wrote:
I do not understand why people get so uppity about a scan. Let's be real here, a simple portscan is about equivalent to walking along a sidewalk and checking out the houses for open windows and doors. And about as harmful.
What is harmful is what sometimes comes after that. (Not always; not usually; not even half the time I'd bet.) But the only damage a portscan does is a few packets over your network and maybe 4M of logs (depending on how you're logging). When writing and enforcing laws, it's important to punish what's harmful, not what may be harmful. Or else looking at houses as you walk down the street may be illegal.
I do think there is a difference between looking at houses and windows from the street and walking up to them and rattling the door and windows to see if they are locked or determining what model lock, door or window is used etc.
-- Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."
Walking down the street and checking for open doors and windows is called "attempted breaking and entering."
I personally block anyone who comes knocking on my ports, I'm not running anything that anyone would be interested in, and there is no reason for them to be, as you say, knocking. If I want someone to come knocking, I'll ask them to, or give them an account.
t
On Tue, 19 Dec 2000 mdevney@teamsphere.com wrote:
On Tue, 19 Dec 2000 Valdis.Kletnieks@vt.edu wrote:
3) Let's not forget that a *scan* only actually impairs the integrity of a network that hasn't been secured against scanning. You'll never have somebody walk up to you and say "Hey, your front door is unlocked" if you always lock your front door.
I do not understand why people get so uppity about a scan. Let's be real here, a simple portscan is about equivalent to walking along a sidewalk and checking out the houses for open windows and doors. And about as harmful.
What is harmful is what sometimes comes after that. (Not always; not usually; not even half the time I'd bet.) But the only damage a portscan does is a few packets over your network and maybe 4M of logs (depending on how you're logging). When writing and enforcing laws, it's important to punish what's harmful, not what may be harmful. Or else looking at houses as you walk down the street may be illegal.
Matthew Devney System Administrator Teamsphere Interactive
Thus spake "Jeff Wheat" <jeff@cetlink.net>
Isn't that just sweet... So in a nutshell it is *not* illegal for kiddies to port scan a network looking for vulnerabilities. It would seem to me that such scans would impair the integrity of one's networks, or am I just smoking crack?
If the scans don't disrupt system operation (they're usually designed not to), how would it impair network integrity? To use (yet another) bad analogy, does a burglar walking through a parking lot checking for unlocked cars commit a crime? It's only a crime to steal/vandalize the cars.
Jeff CETLink.Net
S
     |          |         Stephen Sprunk, K5SSS, CCIE #3723
    :|:        :|:        Network Design Consultant, GSOLE
   :|||:      :|||:       New office: RCDN2 in Richardson, TX
.:|||||||:..:|||||||:.    Email: ssprunk@cisco.com
On Tue, 19 Dec 2000, Jeff Wheat wrote:
Isn't that just sweet... So in a nutshell it is *not* illegal for kiddies to port scan a network looking for vulnerabilities. It would seem to me that such scans would impair the integrity of one's networks, or am I just smoking crack?
IIRC, CETLink used to run an IRC server, and currently hosts the UnderNET IRC Network mailing lists, there are IRC scripts that portscan for open ports on IRC servers for the purpose of finding a better (less busy) port to use.
What it boils down to, is determining the intent of the person doing the scanning, which 99% of the time cannot be easily proved either way, like guns, it could be for hunting, or it could be for murder, but how do you write a law that says 'You can buy a gun for hunting and sport, but not for killing people'?
-poptix
Jeff CETLink.Net
participants (14)
- Alex Rubenstein
- Christian Kuhtz
- Deepak Jain
- Edward S. Marshall
- Jeff Wheat
- John Fraizer
- Leo Bicknell
- Matthew S. Hallacy
- mdevney@teamsphere.com
- Patrick Evans
- Shawn McMahon
- Stephen Sprunk
- Todd Suiter
- Valdis.Kletnieks@vt.edu