Home page logo

Nmap Announce mailing list archives

RE: Draft Convention on Cybercrime
From: Marjorie Simmons <lawyer () usit net>
Date: Sat, 3 Jun 2000 17:16:21 -0400

With my lawyer's hat on (I am a lawyer), I agree with Dale. 
It bears pointing out also that, as some of the posts in this 
thread are from US citizens, the US is not a member of the 
Council whose draft of a proposed legal-consortium this is, 
and this type of attempt at sweeping, all-inclusive legislative 
one-size-fits-all action is one reason. (Nor, for that matter, 
are Canada or Japan members, amongst others.)

The focus of criminal law, in most countries, is based on 
conceptions of what constitutes an intentional, wrongful 
act that surpasses mere negligence (a tort).  Inadvertent 
actions lack the requisite and primary factor of intent. Some 
acts may be adjudged criminal while lacking actual intent, 
as intent may be inferred given an individual set of facts & 
circumstances.  Therefore, in any discussion of the proposed 
criminalization of scanning tools, one must look to (1) the 
tool's designed purpose -- for which Fyodor must be consulted, 
(2) to the reasonability of its use for that purpose given the 
tool's stated design purpose, which may be inferred from the 
tool's contemporary employment by systems people the 
world 'round, and (3) the tool's actual use within the scope 
of a wrongful act.

In the US, Nmap as it stands now, is as any tool which has a 
useful, non-criminal purpose, which yet may be employed as 
a tool within the array of tools used by someone who commits 
a criminal act.  I could kill someone with a toaster as well as 
with a knife, but the character of neither item bears an outright 
ban on its use, possession, or transfer.  A gun, on the other hand, 
is designed for the primary purpose of killing, and as such, is 
subject to rather stringent governmental controls in most 
countries.  Nmap is a tool that is in between knives and guns: 
it has the capacity to be used in an active fashion that may 
injure, and the designed purpose for use in a passive fashion 
that simply identifies and logs activity at the doors of a given 
system in order to alert and provide data for strengthening a 
vulnerable system.

I expect when the dust settles, the Council's efforts will, after 
much revision and some partially successful implementation & 
litigation, effect controls on such tools that are more stringent 
in some European countries than in others, but that does not 
ultimately ban them outright in all cases.

As far as Nmap is concerned, what is needed is a PR campaign 
that substantiates its rightful place amongst the respected 
toolbox items in general use of any competent systems person 
or security organization. Taking a proactive stance in this way 
now will go a long way toward staving off governmental attempts 
to criminalize it conceptually by those who lack the technical 
ability to differentiate it from "guns". 

Just my .02.


Marjorie Simmons, Esq.
lawyer () usit net

The Act

On Saturday, June 03, 2000 10:45 am, dhaag [SMTP:dhaag () net-defender net] wrote:
I have watched this thread and have to interject in order to make a few
points clear to everyone.

All of us that use nmap would NOT be in trouble...only the author, the
web/ftp site and possibly this mailing list.

Dead Wrong.  No more then a library is guilty of terrorism because it has
books on terrorism.  The Constitution and its Amendments supercede and apply
here. The author is not, and could not be found to be, guilty of anything,
as long as the program or software was not "specifically" designed to be
used in a criminal activity as defined in the act.

a device, including a computer program, designed or adapted [specifically]
[primarily] [particularly] for the purpose of committing any of the
established in accordance with Article 2 - 5;

The above offense and the definition below would say that making nmap and
putting on a website for download would fit under the definition of "dolus
eventualis" -- also know in Homer Simpson terms as "Doh!".  There's no way
that an author or web/ftp site could say "well gee, we didn't think it
be used for bad purposes".  It's only a little bit of a stretch to say
a mailing list is a "piece of software" that educates users how to do bad
things (note -- I'm not talking about majordomo here...but the specific
mailing list).  Hacker websites would most certainly be targeted.

Wrong again.  NMap, to the best of my knowledge, is not [specifically]
[primarily][particularly] designed or intended to commit any of the offences
listed.  It is a security review tool for legal use by authorized
individuals in the maintenance and upkeep of their network and systems.  The
same as other products that assist in network tuning, such as NetXray,
Openview, ISS Security Scanner, and a plethora of others. List groups that
discuss the software or technology, as well as "hacker sites" that do not
promote the software for illegal purposes would not be effected. This is
covered under the 1st amendment.

(6) In the understanding of certain members of the Drafting Group,
may also cover "dolus eventualis". For common law countries, this notion
would be similar to "recklessness", i.e. that a person is aware of the
risk that a certain result may occur and knowingly accepts it. The
Group agreed that the interpretation of "intent" should be left to
laws, but it should not, where possible, exclude "dolus eventualis".

Whether or not this ever makes it into the act is totally irrelevant. The
courts would not allow it to be used in a prosecution due to "breadth of
scope" and vagueness.  "Dolus Eventualis" would never fly, if it did, one
could also apply Dolus Eventualis in across the board litigation. As an
example. you buy a new car - you drive the new car - you have an accident in
the new car and are injured severely - you cannot sue the manufacturer using
Dolus Eventualis as a basis, even though the manufacturer was aware of the
high risk that a certain result ( injurous accidents ) would occur, and
knowingly accepted the risk by continuing to manufacture automobiles. Just
imagine the class actions that could by pursued on something so broad and
vague as Dolus Eventualis.

As in any "Draft" there is much to be hashed out.  And, just because it may
or may not become Law, it still has to stand the test before the courts.
Which, in its present state, it would not do.

Just my two cents worth.

Dale Haag
Seabrook, TX 77586
(281) 532-1488 voice
(877)733-5451 fax

For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]