| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Dec 2006 12:24:56 -0500 From: "Dude VanWinkle" <dudevanwinkle@...il.com> To: "Randal L. Schwartz" <merlyn@...nehenge.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Nmap Online On 01 Dec 2006 08:54:23 -0800, Randal L. Schwartz <merlyn@...nehenge.com> wrote: > >>>>> "Dude" == Dude VanWinkle <dudevanwinkle@...il.com> writes: > > Dude> Its obvious that anyone who hires Stonehenge Consulting services is > Dude> getting someone who cant read. I never said postscanning was illegal. > Dude> i said it "isnt illegal". > > And I'm disagreeing with this. Why? > Dude> I even provided a link to the case in > Dude> georgia that helped decide this. > > If there's caselaw in Georgia, that's useful for Georgia, but > certainly isn't referencable in the 49 other states. So you can't > generalize that. So, you are disagreeing with Kevin who states: http://www.securityfocus.com/news/126 "The ruling does not affect criminal applications of the anti-hacking law, but federal law enforcement officials are generally in agreement that port scanning is not a crime." Do you know of a case where someone was convicted due to a portscan? I can imagine that a portscan may be used in conjunction with other evidence to build a case for intent, but I have not heard of anyone being busted for an nmap scan. I was going to build the case, but it looks like someone has already done it for me: from:http://www.krcf.org/krcfhome/MINDS_NEWYORK/1MoC3e_d.htm <snip> Only one published opinion has considered the legality of port scans. That court held that such activity did not violate federal or state computer protection statues or other law. The federal district court for the Northern District of Georgia held that a party who conducted port scans of another party's computer systems did not violate the Computer Fraud and Abuse Act (18 U.S.C. s. 1030) [1], because he neither caused damaged nor gained access to the computers at issue. Moulton v. VC3, 2000 WL 3331091 at *6 (N.D. Ga., Nov. 7, 2000). Nor did the port scans violate state law, because they did not interfere with computer or network activity. References: [1] The Computer Fraud and Abuse Act: <http://www.usdoj.gov:80/criminal/cybercrime/1030_new.html> [2] Moulton v. VC3, 2000 WL 3331091 (N.D. Ga., Nov. 7, 2000) [3] Computer Crime and Intellectual Property Section, U.S. Department of Justice, Legislative Analysis of the 1996 National Information Infrastructure Protection Act: <http://www.usdoj.gov:80/criminal/cybercrime/1030_anal.html> [4] Computer Crime and Intellectual Property Section, U.S. Department of Justice, Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001<http://www.usdoj.gov:80/criminal/cybercrime/PatriotAct.htm> --------------------------- So back to my earlier statement, if you nessus someones machine, that would impact their performance and be illegal, a single nmap scan, not so much. Now I am not saying that some hot-shot lawyer wouldnt be able to convince a judge to imprison someone for an nmap scan but while you may be able to convince a judge that OJ didnt do it, murder is still illegal -JP <who has seen someone convicted of hacking from remote via "evidence" that was 192.168.x ip addresses in the logs> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists