Nmap Hackers: Re: Valuable papers on the legality of port scanning and exploit code

Re: Valuable papers on the legality of port scanning and exploit code

From: Javier Fernandez-Sanguino <jfernandez_at_germinus.com>
Date: Mon, 29 Dec 2003 10:03:10 +0100

Fyodor wrote:
> As part of the Nmap book, I am including a section on the legality of
> port scanning. In the process I came across a couple good papers that
> I feel shed light on this important issue (at least for United States
> residents):

Just for what it's worth, I don't know the exact differences between
US and Europe legislations, but the fact that port scanning is legal
is, as far as I know, yet to be proven in a court of law in a European
country.

As a matter of fact the "cybercrime" laws in Europe are not very
detailed yet; the recent Convention on Cybercrime [1] describes
illegal access as:

"44. "Illegal access" covers the basic offence of dangerous threats to
and attacks against the security (i.e. the confidentiality, integrity
and availability) of computer systems and data. The need for
protection reflects the interests of organisations and individuals to
manage, operate and control their systems in an undisturbed and
uninhibited manner. The mere unauthorised intrusion, i.e. "hacking",
"cracking" or "computer trespass" should in principle be illegal in
itself. It may lead to impediments to legitimate users of systems and
data and may cause alteration or destruction with high costs for
reconstruction. Such intrusions may give access to confidential data
(including passwords, information about the targeted system) and
secrets, to the use of the system without payment or even encourage
hackers to commit more dangerous forms of computer-related offences,
like computer-related fraud or forgery."

It does say further on that this does not include sending a file or
an e-mail. Now, this convention has been signed by all European member
states (even by the US [2]) but has yet to be transposed to law in
the member countries.

For example, the current Spanish law only punishes damage done to
private property if the damage is over 300 EUR. The "private property"
definition includes "electronic data, programs, and documents
contained in network, media or information technology systems" (CÓDIGO
PENAL, organic law 10/1995, article 263-264). This is not going to be
expanded in the review of the criminal law.

Having in mind that, in order to be illegal under Spanish law, port
scanning would need to generate damage to private property (in excess
of that quantity), and, also, needs to be done "with the intention to
harm" I think that current law would not rule port scanning illegal
unless unrightfully done by someone against a system that is
vulnerable to "dying" from a port scan, and that system in fact dies
and causes damages over 300 EUR to its owners.

Just my 2c.

Regards

Javi

[1] http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185
[2] http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help@insecure.org . List archive: http://seclists.org
Received on Dec 29 2003
