Jeff Bachtel wrote:
>
> *sigh* Helping to propogate an already way too long thread...
Yeah, but I should have made this another thread. Then you
would be helping to propagate a thread that is not too long
yet.
> (IANAL. Neither are you. Thank goodness.)
>
> > <http://capitol.tlc.state.tx.us/statutes/codes/PE000021.html>
> >
> > Reading the Texas Penal Code, Chapter 33, Computer Crimes,
> > makes me think that port scanning is probably considered a
> > Class B Misdemeanor in Texas.
> >
> > Section 33.01 defines "Access" as:
> > (1) "Access" means to approach, instruct, communicate with,
> > store data in, retrieve or intercept data from, alter data or
> > computer software in, or otherwise make use of any resource
> > of a computer, computer network, computer program, or computer
> > system.
> >
> > Under this definition, a port scan is certainly an "access" of
> > a computer.
>
> So is a ping of a computer. So is trying to bring up a web page.
> "Approach" and "communicate with" and "make any use of resource" (of
> the ISP's network) are the only parts of this definition to which a
> portscan matches. However...
Note the word "or". The definition does not mean that "access" has
to match every single item, but only that it has to match at least
one. It would seem to be immaterial whether they actually were
able to break into the computer.
> > Then, in section 33.02, Breach of Computer Security, we find that
> >
> > (a) A person commits an offense if the person knowingly accesses
> > a computer, computer network, or computer system without the
> > effective consent of the owner.
>
> "effective consent" varies. If there is access control, then that
> grants effective consent to those whom are in such ACL's, and denies
> it to those who aren't.
Maybe in a technical sense, but I strongly doubt if that is so
in any legal sense. What access control does is help in stopping
someone from accessing something that you don't want them to. The
lack of such control is not blanket permission to attack your system.
> Impersonating another person or computer for
> the purposes of being granted consent is also considered "without the
> effective consent". A portscan, however, is only
> consent/nonconsentable via ip-based ACL's.
Not at all. There's a limit to how far ACLs can go. Remember, too,
that routers and firewalls are also computers. A port scan that dies
at the ACL is still an "access" under the definition if the person
performing the port scan does not have permission of the owner.
Also, How about all the people with computers on cable modems with no
firewalls or routers of their own or under their control? Do you imagine
that the fact that they do not have routers and firewalls implicitly grant
permission to any would-be hacker to try to break into their computer?
> There's no way for you to
> say "its ok for Bob in the office over to scan me to make sure I'm not
> running trojans or to see whether ssh is still up, but its not ok for
> John Doe to do so" WITHOUT explicitly creating an ACL that grants
> access to Bob's computer, but denies it to everyone else. If someone
> impersonated Bob's computer to _do_ the portscan, that would be access
> without effective consent.
Actually there is a way to say that. If you get scanned by Bob, you
can go over and ask him if he scanned you and why.
> > Thus, if a port scan is an "access" of a computer, the person
> > performing the port scan is committing an offense.
>
> No, if this was the case then pinging a host to see if it is alive is
> a misdemeanor. In an essientally anonymous protocol like tcp/ip
> (anonymous being that the packets themselves do not require
> authentification), you either grant access consent through ip-based
> ACL's or username-based authentification at the application layer.
That is why I was wondering about certain common computer services. I
would imagine for those services that are pretty much available to
everyone that there is some kind of consent normally given. However,
if those services are abused, such as a ping attack on a computer or
on a network, that it would pass the line beyound that consent. And
for things that are not a service such as BackOrifice, only scans made
by the explicit permission of the owner or other authorized person
should be made. Anyone else making such scans is clearly doing so without
the benefit of any permission of the owner of the computer.
> Excepting, of course, the person who mentioned a web-based tcpwrappers
> setup (kind of a keen idea).
>
> [snip penalties]
>
> > Thus, in a simple port scan with no subsequent break-in, the
> > scanner is guilty of a Class B misdemeanor (see section 12.03
> > for classification of misdemeanors).
>
> You wish. I'm not saying a lawyer couldn't get the conviction, but I
> doubt a DA will want to prosecute a portscan without subsequent
> attempt at breakin.
That's the big problem. But I think that's mostly due to the fact that
when someone tries to break in to your computer, they tend to do so from
quite a distance away. If you could tie the port scan down to someone
within a reasonable distance that could be more easily investigated, I
suspect it might be possible to get the DA to prosecute the person. Even
if it is from somewhere else within the state, if we can get the DA to
go after them, the DA can request assistance from the Attorney General's
office to help in the investigation.
I'd love to see this law tested to see whether it does in fact apply to
port scanners. The way I look at them is that they might have failed today
because they were trying to find a vulnerability that does not exist on
my system, but they might succeed tomorrow.
Eric Johnson
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
