On 22 Jul 99, at 16:53, Matthew G. Harrigan wrote:

> I also believe I addressed that in my last email by saying:
> 
> >"I would find it hard to believe that someone could be prosecuted based on
> >something like an nmap scan."
> 
> And since usage of a sweeping tool is merely an information gathering tool,
> and not an actual breakin, there is no law that could possibly convict
> someone of this type of activity. 

  In the course of this thread, there has been reference to several 
jurisdictions (Sweden, Oregon) where the laws currently in force do not
embody any distinction between "sweeping" and "breaking in".  Whether you 
find this hard to believe is really not very relevant.

  Now, it *could* be useful to consider the nature of the distinction you're 
making.  On the one hand, it could be an inherent implication of networking 
technology that politicians and judges have simply failed to grasp, an error 
that we can expect will correct itself almost automatically as more and more 
judges and politicians learn about networking.  Perhaps you believe that this 
is so.
  Or perhaps this oh-so-obvious distinction is in fact largely one of 
*intent* (which we've been told again and again is irrelevant), that the 
reason that legislation rarely distinguishes between [tools that elicit a 
response from a remote host in order to tell what's running there] and [tools 
that elicit a response from a remote host in order to locate a target for 
some exploit or DoS attack] is because the objective difference is largely in 
the head of the user and difficult/impossible to codify into legislation.

> Tell me you've never used the command telnet host.com 80 to find out if the
> webserver was in fact up, when your crappy bloated browser reported that
> it wasn't. Have you just committed a crime? I think not. So what if it was
> a load balancing webserver farm, and you checked every machine on the
> subnet for port 80. Have you committed a crime yet? I think not. I perform
> network mapping which involves port scanning for tcp based services on
> hundreds of managed machines, and the shackles are still not on. 

  I admit it:  I have never done a telnet to port 80 of a web server of 
which I was not currently an admin.  I have never done a telnet to port 
80 of a machine that was not a web server, just because it was in the same 
address block as one I was interested in.  Are these really things that you 
routinely do????  Does your corporate legal department know you do?
  Could I go to jail if I had done this?  Apparently, the answer is "yes" in 
Sweden, "the law appears to be susceptible to that interpretation" in Oregon, 
and "maybe" in an unknown number of other jurisdictions.

David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]