Slashdot Mirror


Law Review Article Says Port Scanning Illegal

Anonymous Coward writes: "The Journal of Technology Law and Policy has a good article on computer security and privacy. If you ignore the more metaphorical crap at the beginning of the article, the author marches through some laws that apply to the Internet and shows how they apply and why his way of deciding what kind of access to a computer breaks the law and what kinds don't is better. (It's based on property and expectations of privacy.) It's interesting to see computer security from a lawyer's point of view. Especially interesting are his claims that using nmap is illegal, despite the VC3 v. Moulton case. I'm not sure I agree with him, but he definitely makes a pretty sobering case." Actually, I think the metaphors throughout this piece (not just at the beginning) are what make it interesting, and a big component of law is dealing with metaphors. This piece also collects in one place a lot of the cases dealing with computer law.

13 of 373 comments

  1. This is a GOOD article by Chris Johnson · · Score: 5
    "Technical measures implemented by the computer owner protect and control his property, while technical measures implemented by copyright owners provide control over their work at the expense of the computer owner."

    This is a _good_ article. Law and justice that doesn't have two sides is no law at all... this article goes a long way towards presenting a concept of digital property rights that is _local_.

    There is a lot of money and power behind content creators, copyright holders etc. saying "we own this, it is OUR property, therefore we get to scan your computer, send back information to the mothership, and if you are a criminal we get to delete stolen goods off your hard drive, you pirate you! You miscreant!"

    The thing is, _law_ sees this and comes back with "If you're saying that is property, wouldn't the person's hard disk be property too? As in 'not yours', as in 'you are a guest but they bought it and own it and live in it'?"

    That's the beauty of law and justice- it balances, in time. The inevitable result of pushing for extensive 'property' law regarding copyright etc. is to also cast light on the subject of what kind of property a person's datasphere is.

    I even wrote an essay on this in November 1998: it's at http://www.airwindows.com/fiction/essays/Hotel.html. When you operate a computer it is like you are moving your stuff around on virtual property: you put something somewhere. Does a company have a right to move it to somewhere else? To pile stuff next to it obscuring it? To paint it a different color, or dust it off? To remove, discard it, set it on fire, impound it as evidence?

    The fact that all of this seems totally permissible only shows that law hasn't begun thinking about these issues yet.

    You can't have it both ways- if I am forbidden even to portscan a company, then the company is forbidden to go over _my_ computer either. It's analogous. If we're tightening the protections for company-owned 'cyberspace' we're also laying a precedent for tighter protections on privately owned cyberspace.

    In the future it may be ILLEGAL for Microsoft to shut off the mp3 encoding in its software and force people to migrate to WMA- or more plausibly, it may be ILLEGAL for them to take a WMA file that was once functional and render it nonfunctional arbitrarily if you don't cough up a license fee. It may also be illegal for them to place restrictions on OEM desktops- on the basis that they make the building materials, the OEM builds the house, the customer buys it and moves in. There is no compelling argument that they must be able to prohibit the OEM from decorating the 'house' as they see fit.

    Very interesting stuff in this article, and grounds for hope :)

  2. Re:Why portscanning must be legal. by dattaway · · Score: 5

    The policy for specifying what is allowed and not allowed is simply closing the damn port in the first place.

  3. Search Engines ? by AftanGustur · · Score: 5

    Does this mean that Google and company can now be found guilty when searching for open port 80 on networks?

    How about search engines that look for open 21 (ftp) port? How about gopher? CIFS (Common Internet filesystem)? Hmmmm. Interesting...
    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb15CB32EF3AF9C0E5D7272 C3AF4F2snlbxq'|dc

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  4. Re:Guh? by Mike Schiraldi · · Score: 4
    It might seem that way to someone studying law at a school so prestigious and selective, where the current and former members of the student body are surely the most brilliant and ambitious of all academia, but if I may speak for the Slashdot crowd, it's a little boggling for us. Sure, I can't point to any one part and say, "Yeah, right here is where it's confusing." Any little part makes sense. But trying to swallow and digest it is rather difficult for someone not used to reading such documents.

    It's kinda like showing a proof of Godel's Incompleteness Theory to someone not versed in math. Each step of the process is simple and straightforward, but as a whole it's tough for an untrained mind to grasp and follow along.


  5. Guh? by Mike Schiraldi · · Score: 5
    Anyone know when Babelfish's "Lawyer to English" translation will be available?


  6. Why portscanning must be legal. by Dwonis · · Score: 5
    Let's say you're shopping around for a web hosting provider. A lot of them will say "secure and reliable", but you know that doesn't really mean anything. So, you decide to run a few trivial security checks on their servers, including running a port scan.

    Should you be deprived of the right to examine the quality of a service before buying it, especially when it wouldn't fall under "theft of services"? I think not.
    ------

  7. A law journal article on Slashdot? by CaseStudy · · Score: 4

    I predict that this could set the record for the highest percentage of replies from people who didn't read the article.

  8. Only the article doesn't actually say that. by CaseStudy · · Score: 4

    Can someone point out to me where the article claims that nmap, or port scanning, is currently illegal? (Bonus points if you show evidence contrary to the claim. Hint: Moulton did not hold that port scanning was legal; it held that the claimant didn't show damages to the court's satisfaction, and specifically said that Moulton may be subject to criminal prosecution under the Georgia Computer Systems Protection Act.)

  9. Wow by bonzoesc · · Score: 4
    Pretty soon, sending and receiving packets through ports will be illegal, too. Hopefully, we can call them sockets and evade the law.

    Tell me what makes you so afraid
    Of all those people you say you hate

  10. Why portscanning must be illegal. by beable · · Score: 5
    "Let's say you're shopping around for a web hosting provider. A lot of them will say "secure and reliable", but you know that doesn't really mean anything. So, you decide to run a few trivial security checks on their servers, including running a port scan."

    Let's say I'm connecting my computer to the internet for private purposes. Why should I have to put up with repeated port scans? Those people aren't trying to connect to ports 111, 161, etc to do me a favour by testing my security. They're trying to break in! This would be obvious by examining what they had done, which would be to scan certain exploitable ports on a range of IP addresses. If you asked them, they would probably tell you why they did it: to find computers to break into. Let's not forget what happened to grc.com.

    Portscanning should be considered a crime.
    --
    ...
  11. Port scan is checking doors/windows/air ducts/... by SlushDot · · Score: 5
    After reading through much of the article, I still fail to see how scanning a host's ports is any different from knocking on that host's various doors and windows, seeing if anybody's home, or giving that host's various telephone lines a ring.

    I see port scanning as crawling around someone's house rattling doorknobs, windows, mailboxes, air ducts, rooftop hatches, basement doors, garage doors, electric panel doors, gas valves, water valves, sewer vent lines, outdoor outlets, chimney openings, stove vents. Trying all 256 codes on RF X-10 modules, using a frequency counter/scanner to check for and listen in on radio transmissions, ringing phone lines, ringing doorbells, seeing if you can turn on sprinklers/water faucets, etc.

    Would you have no problem with someone doing all that? That's a port scan.

    "Ringing a doorbell" is a single probe on port 80. "Ring a telephone" is a single probe on port 23. Don't bullshit yourself.


  12. Re:this is true by mikethegeek · · Score: 4

    "Say you are a sysadmin. You run a mission-critical webserver. In the status quo, you receive around 40 portscans a minute. Hackers have been successful 3 times on your site. If portscans are outlawed, then the overall security of your site receives additional protection.
    Practical benefits like this one should be MUCH more important than simply protecting 'liberty.'"

    Please don't take this as a flame, but this is the same kind of flawed thinking that leads to things like anti-gun laws.

    It is an extremely FALSE assumption that merely outlawing portscans will somehow reduce breaking into systems, DOS attacks, etc. Last time I checked, THOSE activities were already illegal.

    To have any HOPE of effectiveness, you'd have to outlaw portscanning utilities. And give that law enough teeth to allow the stormtroopers (police) the ability to "find out who has them".

    Portscanners have very PRACTICAL and good purposes you know, such as, me, as a sysadmin can use one to make sure the ports I wanted closed ARE closed... To ban portscans and portscanning means more systems will be left open and vulnerable!

    Please think about the implications before so quickly giving up a liberty for the (false) promise of government guaranteed safety.

    Here is the best quote on this subject:

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

    --
    === The price of freedom is eternal vigilance
  13. Questions..... by gooberguy · · Score: 5

    Just wondering, what constitutes port scanning? How many TCP ports need to be probed in how much time to be defined as port scanning? Does a program have to be used? If I send 50 http GET requests to a computer within one second, is that port scanning? What about 50 TCP requests to a computer to 50 different ports in one second? I want to know!

    D/\ Gooberguy

    --


    Karma: Meh (Mostly from meh.)