Slashdot Mirror


Judge Says Port Scanning Is Legal

cvbear0 writes: "SecurityFocus has an article explaining a ruling from a U.S. district court in Georgia about port scanning. The judge ruled that port scanning tools neither "impair the integrity nor availability of the network." Both parties agreed not to appeal the judge's ruling."

6 of 210 comments

  1. Intelligence Finally. by --delphi-- · · Score: 5

    Finally we see a little intelligence from our court systems. I mean, I do not do any sort of cracking, but I love to know what people are doing with their boxes. I have port scanned many of the servers around my university just to see what they're running. Port scanning does not hurt the network at all, it just throws a few packets at each port trying to establish a connection and then moves on. When can we schedule this judge to hear the DeCSS case??

    1. Re:Intelligence Finally. by Jawbox · · Score: 5

      That analogy works for me. It isn't against the law to look at windows, determine their type and make estimates of their security. It enables you to do things like say, "Wow those are gee-golly neat windows I should get some of those for my house." or "What an idiot, I can't believe that house only is using the XJy9 style of windows, my 10 year old could break into their house and rob them blind."

      None of this is a crime! And a homeowner that watches someone scanning their windows can't sue for damages because they suddenly realize that the security of their windows stinks either. All this ruling does is apply some real world sense to a computer security case.

      Now the earlier post about walking around inside your apartment and looking at all the cool stuff is a false analogy in my eyes. To me that is the equivalent of breaking into a system (or being invited in depending on circumstances) and scanning the filesystem.

  2. The Judge.. by seanmeister · · Score: 5

    Gotta love the judge's name 'Thomas Thrash' - clearly, his h0n0r is a l33t h4x0r.
    Sean

  3. Re:The legal system still doesn't get it... by Shotgun · · Score: 5

    Port scanning a system is directly analogous to trying the locks on someone's home.
    It is not free speech, it's a violation of property rights.
    You do not have the right to use anyone else's computer hardware for any purpose without permission.


    Yes, but you do have the right to walk down the street and peer into windows. You have the right to walk up to their door and even try the lock. You can even carry a crowbar while doing it if you wish. The police don't have anything against you until you enter the premises and leave with something. If you just enter and leave, they still don't have anything on you unless there were no trespassing signs up. There are 'breaking and entering violations', but no 'entering' violations that I know of.

    If a policeman notices you acting suspiciously and wants to catch you (as opposed to just stopping you), he will watch you and catch you with the goods after you left the premises. Notice that store security doesn't stop shoplifters until after they've left the store. Until they cross the threshold, they are not shoplifting. They may have the intent, but they haven't yet committed the crime.

    Servers on the public network are like window displays. You can't set up a server for everyone to see and then sue people for looking at it, just like you can't sue people for crossing your yard and looking in the window.

    Course, I did hear of one case where a man looks through a window from the street and sees a woman dressing. She sues him for being a peeping tom, and he countersued her for public exposure. They both won...

    The contractor was in the wrong and deserved to be fired. If he had received permission to scan the network, it would have been another matter entirely, but acting on his own was wrong and should have been illegal.

    The man was installing a network component. Are security tests not to be included as part of a system test? If the network was later successfully attacked and it was disclosed that the installation contractor hadn't done the barest minimum security checks, wouldn't he be held liable for negligence? In my view, not only were his actions ethical, they were prudent.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba

  4. Just to clarify by Alien54 · · Score: 5

    Just to clarify the issue slightly:
    While VC3 acknowledged that Moulton's port scan did no direct harm, the company argued that the time spent investigating the event was a form of damage. "If somebody does some type of attack, and you are a good service provider, you spend all your time verifying that it did not cause a significant problem," says Hogue. "The time that it takes to do all that searching is the damage that we were claiming."
    But it pays to know that while they lost on this particular point, harassing someone by multiple port scans probably is not a good idea.
    --
    "It is a greater offense to steal men's labor, than their clothes"

  5. Re:The legal system still doesn't get it... by BeBoxer · · Score: 5

    I would not consider port scanning to be like actually trying locks. It is in fact the least intrusive method possible to determine whether or not a machine is offering services to the public. In this way, it's more like walking down a street looking to see which buildings have open doors and welcome mats.

    Here's a real world example I just came across at work. Part of our address range is in use by a high school. It seems that one of their computers decided to scan for FTP ports on a whole lot of addresses. I don't know if it was a student doing it or if the machine was hacked first. But, do you think this is "a violation of property rights"? For someone to go out and ask machines on the internet if they allow anonymous FTP access?

    I agree completely that if someone is doing things which can only be viewed as a hacking attempt such as scanning for ports with commonly known vulnerabilities which are not used for public services, that's a problem. But, if someone is just looking for machines which are allowing anonymous FTP, who cares? This isn't like "trying the locks" at all.

    It seems like you have a pretty extreme view of what it means to "use" someone else's computer. Is trying to FTP to a machine something which deserves a stiff penalty? What about a ping? What if I happen to get an arp sent down your DSL line? What about when IIS tries to connect back to web clients to get name information? Is this a criminal act on the part of Microsoft to engage in illegal trespass? Did Cable and Wireless give me implicit authorization to send packets thru their router when they connected it to the internet? Did you give me implicit authorization to send packets to your host when you connected it to the internet? Is it my responsibility to intuit that you don't want FTP sessions? Or is it your responsibility to block FTP packets if they are unwelcome?