"Bayard G. Bell" wrote:
>
> Hold on, Tex -- all this depends on the definition of "effective
> consent".
>
> Clearly this definition has to be able to cover standard Internet http
> traffic to a public web server since the definition of access you
> provided does not have any reference to the intent other than the use of
> the term consent of the resource owner/provider and a requirement that
> the party attempting access know of the access attempt. Does effective
> consent have any reference to measures such as firewalls or TCP wrappers
> designed to restrict Internet access or otherwise exclude on a host or
> party basis?
>
> On what basis is effective consent applicable? Being that this is
> defined in the cited section on a system or network level, would it be
> acceptable to port scan a publicly accessible web server and/or its
> network? Could you provide a little more information on this point?

From Texas Penal Code, Chapter 33, Computer Crimes, Section 33.01,
Definitions:

    (12) "Effective consent" includes consent by a person legally
    authorized to act for the owner. Consent is not effective if:
        (A) induced by deception, as defined by Section 31.01,
            or induced by coercion;
        (B) given by a person the actor knows is not legally
            authorized to act for the owner;
        (C) given by a person who by reason of youth, mental
            disease or defect, or intoxication is known by the actor to
            be unable to make reasonable property dispositions;
        (D) given solely to detect the commission of an offense;
            or
        (E) used for a purpose other than that for which the
            consent was given.

Notice that part E of the definition goes into the purpose for which
the consent is used. So consent to connect to a computer on certain
ports (for example, http) should not extend to people scanning for
open ports commonly used by exploits.

As far as SMTP port 25, you may give your consent for people to
connect to your machine for sending mail to your own users. But
it doesn't follow that that consent is necessarily extended to
spammers searching for open ports. Up until now, I thought that
the big question was

    How do we express to someone that we do not grant them
    permission to access our computers in certain ways?

But now it seems that we may not have to give them that notice
at all -- that without expressed permission to access a computer
(at least in Texas) that the access is then illegal.

It seems logical, though, that certain standard services should
be considered implied. For example, it would seem logical that
permission to access port 80 of a machine named www.example.com
would be pretty much implied. Similarly, if the DNS contains
MX records for a machine, then I assume that implicit consent
has been given to use that machine to send e-mail to people
having that address. But is there any implicit consent to use
that machine to send e-mail to other domains for which that
machine is not listed in a mail exchange record?

I wonder how easy it would be to get a prosecutor to have someone
arrested and tried for scanning for BackOrifice or Netbus.

By the way, I'm not a lawyer, so this is clearly not the final
word on any of this. If I'm ever able to get something like this
prosecuted, I'll post the results here.

Eric Johnson