In a court case some years ago, the federal government prosecuted a hacker
when they broke into a government computer. The case was thrown out because
the government agency did not post a banner page advising that it was a
government restricted use computer.  The court said the banner said welcome
instead of warning do not enter.  If you do not put in methods to restrict
access (ACL's, Firewall, Etc.) then any prosecutor would be on shaky ground
due to the precedent set by this prior case in federal court making attempted
penetration of a system not prosecutable in most courts. The moral to this
story is,  Prosecution probably will not be brought by government unless
someone penetrates a system where the system was plainly posted as "Off
Limits Do Not Enter".

Renee Lee

-----Original Message-----
From: Eric [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 23, 1999 3:31 AM
To: Jeff Bachtel
Cc: [EMAIL PROTECTED]
Subject: Re: Legality of port scanning


Jeff Bachtel wrote:
> 
> *sigh* Helping to propagate an already way too long thread...

Yeah, but I should have made this another thread.  Then you
would be helping to propagate a thread that is not too long
yet.

> (IANAL. Neither are you. Thank goodness.)
> 
> > <http://capitol.tlc.state.tx.us/statutes/codes/PE000021.html>
> >
> > Reading the Texas Penal Code, Chapter 33, Computer Crimes,
> > makes me think that port scanning is probably considered a
> > Class B Misdemeanor in Texas.
> >
> > Section 33.01 defines "Access" as:
> >    (1) "Access" means to approach, instruct, communicate with,
> >    store data in, retrieve or intercept data from, alter data or
> >    computer software in, or otherwise make use of any resource
> >    of a computer, computer network, computer program, or computer
> >    system.
> >
> > Under this definition, a port scan is certainly an "access" of
> > a computer.
> 
> So is a ping of a computer. So is trying to bring up a web page.
> "Approach" and "communicate with" and "make any use of resource" (of
> the ISP's network) are the only parts of this definition to which a
> portscan matches. However...

Note the word "or".  The definition does not mean that "access" has
to match every single item, but only that it has to match at least
one.  It would seem to be immaterial whether they actually were
able to break into the computer.

> > Then, in section 33.02, Breach of Computer Security, we find that
> >
> >    (a) A person commits an offense if the person knowingly accesses
> >    a computer, computer network, or computer system without the
> >    effective consent of the owner.
> 
> "effective consent" varies. If there is access control, then that
> grants effective consent to those who are in such ACL's, and denies
> it to those who aren't. 

Maybe in a technical sense, but I strongly doubt if that is so
in any legal sense.  What access control does is help in stopping
someone from accessing something that you don't want them to.  The
lack of such control is not blanket permission to attack your system.

> Impersonating another person or computer for
> the purposes of being granted consent is also considered "without the
> effective consent". A portscan, however, is only
> consent/nonconsentable via ip-based ACL's. 

Not at all.   There's a limit to how far ACLs can go.  Remember, too,
that routers and firewalls are also computers.  A port scan that dies
at the ACL is still an "access" under the definition if the person
performing the port scan does not have permission of the owner.

Also, how about all the people with computers on cable modems with no
firewalls or routers of their own or under their control?  Do you imagine
that the fact that they do not have routers and firewalls implicitly grants
permission to any would-be hacker to try to break into their computer?

> There's no way for you to
> say "it's ok for Bob in the office over to scan me to make sure I'm not
> running trojans or to see whether ssh is still up, but it's not ok for
> John Doe to do so" WITHOUT explicitly creating an ACL that grants
> access to Bob's computer, but denies it to everyone else. If someone
> impersonated Bob's computer to _do_ the portscan, that would be access
> without effective consent.

Actually there is a way to say that.  If you get scanned by Bob, you
can go over and ask him if he scanned you and why.  

> > Thus, if a port scan is an "access" of a computer, the person
> > performing the port scan is committing an offense.
> 
> No, if this was the case then pinging a host to see if it is alive is
> a misdemeanor. In an essentially anonymous protocol like tcp/ip
> (anonymous being that the packets themselves do not require
> authentication), you either grant access consent through ip-based
> ACL's or username-based authentication at the application layer.

That is why I was wondering about certain common computer services.  I
would imagine for those services that are pretty much available to 
everyone that there is some kind of consent normally given.  However,
if those services are abused, such as a ping attack on a computer or
on a network, that it would pass the line beyond that consent.  And
for things that are not a service such as BackOrifice, only scans made
by the explicit permission of the owner or other authorized person
should be made.  Anyone else making such scans is clearly doing so without
the benefit of any permission of the owner of the computer.

> Excepting, of course, the person who mentioned a web-based tcpwrappers
> setup (kind of a keen idea).
> 
> [snip penalties]
> 
> > Thus, in a simple port scan with no subsequent break-in, the
> > scanner is guilty of a Class B misdemeanor (see section 12.03
> > for classification of misdemeanors).
> 
> You wish. I'm not saying a lawyer couldn't get the conviction, but I
> doubt a DA will want to prosecute a portscan without subsequent
> attempt at breakin.

That's the big problem.  But I think that's mostly due to the fact that
when someone tries to break in to your computer, they tend to do so from
quite a distance away.  If you could tie the port scan down to someone
within a reasonable distance that could be more easily investigated, I
suspect it might be possible to get the DA to prosecute the person.  Even
if it is from somewhere else within the state, if we can get the DA to
go after them, the DA can request assistance from the Attorney General's
office to help in the investigation.

I'd love to see this law tested to see whether it does in fact apply to
port scanners.  The way I look at them is that they might have failed today
because they were trying to find a vulnerability that does not exist on
my system, but they might succeed tomorrow.

Eric Johnson
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]