Law Review Article Says Port Scanning Illegal
Anonymous Coward writes: "The Journal of Technology Law and Policy has a good article on computer security and privacy. If you ignore the more metaphorical crap at the beginning of the article, the author marches through some laws that apply to the Internet and shows how they apply and why his way of deciding what kind of access to a computer breaks the law and what kinds don't is better. (It's based on property and expectations of privacy.) It's interesting to see the computer security from a lawyer's point of view. Especially interesting are his claims that using nmap is illegal, despite the VC3 v. Moulton case. I'm not sure I agree with him, but he definitely makes a pretty sobering case." Actually, I think the metaphors throughout this piece (not just at the beginning) are what make it interesting, and a big component of law is dealing with metaphors. This piece also collects in one place a lot of the cases dealing with computer law.
This is a _good_ article. Law and justice that doesn't have two sides is no law at all... this article goes a long way towards presenting a concept of digital property rights that is _local_.
There is a lot of money and power behind content creators, copyright holders etc. saying "we own this, it is OUR property, therefore we get to scan your computer, send back information to the mothership, and if you are a criminal we get to delete stolen goods off your hard drive, you pirate you! You miscreant!"
The thing is, _law_ sees this and comes back with "If you're saying that is property, wouldn't the person's hard disk be property too? As in 'not yours', as in 'you are a guest but they bought it and own it and live in it'?"
That's the beauty of law and justice- it balances, in time. The inevitable result of pushing for extensive 'property' law regarding copyright etc. is to also cast light on the subject of what kind of property a person's datasphere is.
I even wrote an essay on this in November 1998: it's at http://www.airwindows.com/fiction/essays/Hotel.html. When you operate a computer it is like you are moving your stuff around on virtual property: you put something somewhere. Does a company have a right to move it to somewhere else? To pile stuff next to it obscuring it? To paint it a different color, or dust it off? To remove, discard it, set it on fire, impound it as evidence?
The fact that all of this seems totally permissible only shows that law hasn't begun thinking about these issues yet.
You can't have it both ways- if I am forbidden even to portscan a company, then the company is forbidden to go over _my_ computer either. It's analogous. If we're tightening the protections for company-owned 'cyberspace' we're also laying a precedent for tighter protections on privately owned cyberspace.
In the future it may be ILLEGAL for Microsoft to shut off the mp3 encoding in its software and force people to migrate to WMA- or more plausibly, it may be ILLEGAL for them to take a WMA file that was once functional and render it nonfunctional arbitrarily if you don't cough up a license fee. It may also be illegal for them to place restrictions on OEM desktops- on the basis that they make the building materials, the OEM builds the house, the customer buys it and moves in. There is no compelling argument that they must be able to prohibit the OEM from decorating the 'house' as they see fit.
Very interesting stuff in this article, and grounds for hope :)
The policy for specifying what is allowed and not allowed is simply closing the damn port in the first place.
Does this mean that Google and company can now be found guilty when searching for open port 80 on networks?
How about search engines that look for open 21 (ftp) port? How about gopher? CIFS (Common Internet filesystem)? Hmmmm Interesting..
--
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
--
--
Mod up a post Rob doesn't like and you'll never mod again
Should you be deprived of the right to examine the quality of a service before buying it, especially when it wouldn't fall under "theft of services"? I think not.
------
Portscanning should be considered a crime.
...
I see port scanning as crawling around someone's house rattling doorknobs, windows, mailboxes, air ducts, rooftop hatches, basement doors, garage doors, electric panel doors, gas valves, water valves, sewer vent lines, outdoor outlets, chimney openings, stove vents. Trying all 256 codes on RF X-10 modules, using a frequency counter/scanner to check for and listen in on radio transmissions, ringing phone lines, ringing doorbells, seeing if you can turn on sprinklers/water faucets, etc.
Would you have no problem with someone doing all that? That's a port scan.
"Ringing a doorbell" is a single probe on port 80. "Ring a telephone" is a single probe on port 23. Don't bullshit yourself.
Just wondering, what constitutes port scanning? How many TCP ports need to be probed in how much time to be defined as port scanning? Does a program have to be used? If I send 50 http GET requests to a computer within one second, is that port scanning? What about 50 TCP requests to a computer to 50 different ports in one second? I want to know!
D/\ Gooberguy
Karma: Meh (Mostly from meh.)
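Added example, not part of any poster's comment: how a defender's detector typically answers the question above, by counting distinct destination ports per source within a time window rather than raw request volume. The window and threshold values, the function name and the sample events are all assumptions constructed for illustration; they are operational choices, not a legal definition.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, source_ip, dest_ip, dest_port).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    # 50 HTTP requests to a single port within one second
    [(i * 0.02, "192.0.2.10", "198.51.100.5", 80) for i in range(50)]
    # 50 connection attempts to 50 different ports within one second
    + [(i * 0.02, "192.0.2.20", "198.51.100.5", 1 + i) for i in range(50)]
    # a slow probe: one new port every 30 seconds
    + [(i * 30.0, "192.0.2.30", "198.51.100.5", 2000 + i) for i in range(10)]
)


def detect_scanners(events, window=10.0, port_threshold=20):
    """Return {(src, dst): peak distinct ports} for every source/target pair
    that touched at least `port_threshold` distinct destination ports inside
    any sliding `window` of seconds. Both defaults are assumed values."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, port)
    flagged = {}
    for ts, src, dst, port in sorted(events):
        q = recent[(src, dst)]
        q.append((ts, port))
        # Drop observations that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= port_threshold:
            key = (src, dst)
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged


if __name__ == "__main__":
    # Default settings: only the 50-ports-in-one-second source is flagged;
    # 50 requests to port 80 count as one distinct port.
    print(detect_scanners(SAMPLE_EVENTS))
    # A longer window and lower threshold also catch the slow probe.
    print(detect_scanners(SAMPLE_EVENTS, window=300.0, port_threshold=10))
```

The slow probe shows why no single number settles the question: whether the same traffic is classified as a scan depends on the window and threshold the defender picks.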