On 20 Jul 99, at 17:13, P L STEINBRUCH wrote:
> Comments imbedded:
>
> >> Last time I checked, scanning or probing a system for security flaws,
> >> isn't illegal (at least in this state it isn't).
>
> > As I recall, Randall Schwartz got in trouble for "scanning or probing" his
> > then-employer's "system for security flaws" WITHOUT AUTHORIZATION....
>
>
> This is not quite correct. Randal was convicted on three counts, all of
> which involved his having actually _accessed_ a system and/or made
> changes to them. There was nothing in the Oregon statute regarding
> "scanning" a system. Most of the verbiage of the statute focuses on
> "access and use". It's highly doubtful that port scanning could be
> stretched to fit the definition of "access and use" used in the Oregon
> statute.

So I went and looked up the details, and find that his convictions were
for 1 count of "access and alteration" for installing a .forward on an email
account, and 2 counts of data theft for copying password files to run CRACK
against.

And several very good essays, written at the time, pointing out that under
the Oregon statute, leaving a message on a telephone answering machine could,
at the discretion of the DA, be construed as "access and alteration of a
computer".

And another strongly making the sort of point I was looking for: a port
scan, by its nature, queries a remote system and elicits a response from it.
ANY response (except NO response) can be argued to constitute, at some
minimal level, "access", and I seriously doubt that there is any way to craft
a reasonable statute that forbids intrusion without implicitly including port
scans and DoS attacks.

To substantiate the claim that "scanning or probing a system ... isn't
illegal", is (I believe) to claim one of three things:

1. There is no system-intrusion legislation in this jurisdiction. (A less
and less common situation.)
2. The system-intrusion legislation in this jurisdiction explicitly makes an
exception for such cases. (A pretty unlikely situation.)
3. The highest court with local jurisdiction has ruled that the
system-intrusion legislation in this jurisdiction does not include such cases. (I
believe this may be true in Norway.)

I do not believe that the absence of a statute that says "it is illegal to
port-scan systems" constitutes a legal blessing upon such activities.

As a *practical* matter, in the US an intrusion attempt is unlikely to
attract federal prosecution unless damages of at least $1000 can be claimed,
and a target faces certain difficulties in establishing that a port scan
meets that criterion. [The creative substantiation of damages attributed to
hacker activity, such as the famous 911 document (and alleged in the Mitnick
case as well), is really a separate topic....] Again, though, this doesn't
constitute a legal blessing.

To me, the chant of "port scanning isn't illegal" sounds like irresponsible
incitement of delinquent juveniles. [I've tried, in several threads, to make
clear that my priority is in keeping systems secure and NOT in jailing teen
hackers. A kid in jail (after damage has been done) is a loss, not a win, as
far as I'm concerned, and a script kiddie persuaded to some other choice of
recreation or career is much to be preferred.]

> I don't see how it can be relevant what your intentions were. If I
> stand on the street and examine your house looking for ways to break in,
> it's not illegal.

If I stand on the street and use some kind of remote-manipulator hardware to
try an assortment of skeleton keys to see if any fit your lock, the fact that
I'm standing on the sidewalk may make me harder to *catch*, but won't help me
any in court. [And I agree that intentions are not likely to be considered
relevant....]
David G