I am glad that the public has shown such an interest in my case. It is all
about what the future holds for the rights of computer people everywhere.
If they outlaw port scanning, what is next? Outlaw Pinging? They tried to
say that in this case also. I wish I could talk more about it, but as there
is a Criminal prosecution case pending and I am forbidden to disclose
material that is not already public. All depositions in the FEDERAL case,
including the depositions of two Georgia Bureau of Investigation detectives
are public, if you can figure out how to get them. Computer specialist
should really read the depositions of the GBI Computer guys and see what
kind of experience they have and how they investigate a case as well as what
they believe constitutes a crime. It may be helpful in the future to know
how to defend yourselves
You can also see another report by Kevin Poulsen at:
http://www.securityfocus.com/news/126
Kevin called me, but again I could not disclose information on this case
even though I would have enjoyed speaking with him.
I am proud that I could be of some benefit to the computer society in
defending and protecting the rights of specialists in the computer field,
however it is EXTREMELY costly to support such an effort, of which I am not
happy about. But I will continue to fight and prove that there is nothing
illegal about port scanning especially when I was just doing my job.
Thanks goes out those who have sent messages of support in the past year
that my company and I have been dragged through this mess.
Thanks again,
Scott Moulton
-----Original Message-----
From: Fyodor [mailto:fyodor_at_insecure.org]
Sent: Sunday, June 10, 2001 11:13 PM
To: nmap-hackers_at_insecure.org
Cc: Tom Brays
Subject: Re: nmap illegal to use?
On Mon, Jun 11, 2001 at 09:33:35AM +0800, Tom Brays wrote:
> "The Journal of Technology Law and Policy has a good article on
> computer security and privacy.
I believe the URL for the article you are referring to is
http://grove.ufl.edu/~techlaw/vol6/Preston.html . Yes, it is an
interesting (but long) research paper.
> expectations of privacy.) It's interesting to see the computer
> security from a lawyer's point of view. Especially interesting are
> his claims that using nmap is illegal, despite the VC3 v. Moulton
> case."
As a point of clarification, I think Ethan is arguing that Nmap port
scans could be a violation of the computer "access" provisions of
several STATE ( not Federal) laws. He (She?) also states that
"access-based computer crime laws" can "implicate the most rudimentary
network functions, like pinging an IP address to see if a network host
is connected to the Internet, let alone initiating a TCP connection
that would provide the basis for communicating that access is
unauthorized." and "most current laws could be used to penalize any
interactions on the Internet between networked computers." Scary!
Here are a few quotes from the article that refer to port scanning and
Nmap:
In Moulton v. VC3, a federal court found that the costs incurred
investigating a port scan did not constitute damages under the
federal Computer Fraud and Abuse Act.[166] Moreover, the court found
that a party's port scan did not access the other party's
network.[167] Port scans elicit information from computers and
computer networks; under many of the state statutory definitions
above, port scans do access computers and probably would constitute
computer crime. Certainly, the court could have found port scans to
constitute access under the CFAA and found the party liable for the
port scan. Moulton may signify that there is a threshold of network
activity below which courts will not interfere.[168]
[ ... ]
The application of access-based computer crime laws could damage the
digital commons as much as the current formulation of trespass on
chattels. The efficiency of communication on the Internet stems
from the implied consent to use the computer resources and
information of others'. Legal rules that extend liability to any
access whatsoever damage that efficiency. Consider how trespass to
chattels and access-based computer crime laws would function on the
Internet. These laws implicate the most rudimentary network
functions, like pinging an IP address to see if a network host is
connected to the Internet, let alone initiating a TCP connection
that would provide the basis for communicating that access is
unauthorized.
[ ... ]
The benefit of the fences in cyberspace metaphor is an enhanced
capacity for precision. Application of the metaphor of fences in
cyberspace could create a legal regime capable of much finer
distinctions between liability and non-liability. Consider a
situation where the law assigns a privacy right to the computer
owner over the kind of operating system running on the
computer. (This privacy right is, and should remain, a hypothetical
situation. The overall utility of such a privacy right is
questionable. While discovering the identity of a target's operating
system is an integral step to breaking into the target, it is poor
security to rely on the obscurity of the operating system?s
identity.)[175] In cyberspace, information about the kind of
operating system is an object. This hypothetical posits that the
owner has the legal right to put a fence around this
object. Individuals on the network can use techniques like banner
grabbing, port scanning or nmap's OS fingerprinting to identify the
owner's operating system.[176] Most "fences" would protect against
banner-grabbing; banners must be either changed or eliminated.[177]
Port scanning can be prevented by shutting down unnecessary
applications and through using firewalls that filtered packets on
the basis of port numbers.[178] These measures would create a fences
that encompasses more of the information. Finally, preventing
nmap-type OS fingerprinting requires using a firewall that filtered
on a packet-by-packet basis or altering the TCP/IP stack of the
computer.[179] These measures would enclose most of the remotely
available information about a computer's operating system. A court
deciding whether to assign liability would first inquire into what
technical measures were used; the court must find the fences in
cyberspace. Next, the court must decide whether the technical
measures were reasonable. The computer owner who failed to protect
against banner-grabbing should not have legal recourse when banner
grabbing identifies his operating system. A computer owner who used
a firewall that prevented port scans but not nmap-type OS
fingerprinting might establish a strong case for liability against a
nmap scanner. Then again, perhaps the cost of preventing nmap-type
OS fingerprinting might be found minimal; the court might assign
liability only where the defendant used other means to get the
information. The point of the exercise above is that the metaphor
allows courts to distinguish between relative degrees of care that
the owner has taken to restrict information flows.
Courts striving for equitable and predictable distinctions between
liability and non-liability receive little help from the language of
the law; most current laws could be used to penalize any
interactions on the Internet between networked computers. To be
efficient, the law must also be capable of precision and coherency,
even more so because information flows on the Internet can be very
complex. The cyberspace fences metaphor can help provide that
precision.
Cheers,
Fyodor
--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
************************************************************************
* Tracking #: 6F4653AC825AD511A9A200105A99BE81724ECEA8
*
************************************************************************
--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Jun 11 2001
Intro
