[ale] Port scans and the law

[Jonathan Rickman]

There has been alot of talk lately about portscanning and the Federal
Court decision last week regarding this type of activity. The text of the
court's decision is available here.

http://pub.bna.com/eclr/00434.htm

I've forwarded a message from the Incidents mailing list at SecurityFocus.
Christopher is right on target with his comments. I know that there are 
folks on the list who use nmap and other scanners to check their own
networks, including myself. However, sometimes the temptation to scan
other hosts can be great, especially when one has spotted suspicious
activity from the host in question. I know I've been tempted more than
once to perform a full blown audit on someone else's system after being
probed by them for days on end. If for no other reason than to just get an
idea of what I'm dealing with on the other end... My advice to everyone on
the list is simple, BE CAREFUL WHERE YOU POINT THAT THING!!! With all the
recent cyber attacks, many admins are operating in paranoid mode. The case
in question was very much the direct result of this. An authorized (good
guy) user let a scanner fire a wild "shot in the dark" and he ended up in
court.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

---------- Forwarded message ----------
Date: Mon, 18 Dec 2000 23:15:48 -0800
From: Christopher Byrne <chris at CHRISBYRNE.COM>
To: ale at ale.org
To: INCIDENTS at SECURITYFOCUS.COM
Subject: What is a crime, WAS RE: Port Scans are Legal

Crist,

An important aspect you may have missed here is that of intent. In US law,
intent has much to do with whether something is a crime or not (or if it is,
what the actual crime is). In fact under most criminal statutes, intent is
the primary deciding factor.

There are really only four ways for any action, no matter it's results, to
be a crime. And I do mean any action, from Stabbing someone in the face to
bending over to pick up a penny from the ground, to preforming a port scan.

I'm going to diverge from the main topic here for a bit just to make a very
clear example fo what I'm saying. I'll take the most serious example,
killing another human being. If you have no interest in this explanation,
just ignore the part between the lines

---------------------------------------------->

When you through action or inaction cause a death, there are several things
that can happen.

First the death could be ruled accidental, for example if your car suddenly
has a brake failure and you crash into someone killing them.

Second the death could be rules as intentional but justifiable. For example
if someone is trying to kill you, through no fault of your own, and you kill
them to prevent it.

Third, you could be charged with a crime.

Whether something is defined as a crime, and what that crime is are actually
extremely complicated subjects and no set rule can be made as to whether an
act is a crime or not. Basically some guidelines are set down based on what
your motive and intent were, and what the circumstances of the act were.

If you cause the death of another human being, in most states there are five
crimes that you might be charged with depending on your intent, the means,
and the circumstances of the act.

Murder (first or second degree)
Manslaughter (first or second degree)
Conspiracy to commit murder

The differences used to determine how you are charged are explained below.

1. Malice aforethought: What that means is if you preformed any action with
the deliberate intent to produce a result that was harmful to the victim,
and planned it before the action occured. This is the most serious class of
intent, and is the general standard applied for first degree murder.

If you intended to cause a harmful result without intending to kill, but the
victim died anyway, or if you kill someone unintentionally while commiting a
seperate felonious act, you may be charged with first degree manslaughter or
you may be charged with first degree murder depending on which state you are
in, and the facts, motive and means behind the crime.

For example, if you accidentally shoot and kill a clerk while robbing their
store, that's probably manslaughter one, however in New York state, if that
clerk is instead substituted with an on duty police officer that becomes
first degree murder. And if the prosecutor decides that the clerk was shot
to facilitate your escape, not beacuse of an accident, the becomes malicious
intent as explained below.

2. Malicious intent: When an action is preformed with malicious intent, the
intent to do harm is formed at the instance of the action. I.E. you shoot
someone because they insult your girlfriend. This constitutes a slightly
less serious offense, second degree murder.

If you intended to harm the victim without killing them, for example if you
were in a serious fight, and you beat someone so badly that they died, that
would be manslaughter two.

3. Gross negligence or indifference: If an act is preformed without regard
to the forseeable consequences of that act, that constitutes gross
negligence.

For example if you were to leave a large quantity of drugsout on a table
around a bunch of kids, and one of them died because they swallowed some,
that is a forseeable consequence, and you were grossly negligent in not
preventing it from occuring. There was no specific intent on your part to do
harm, but you didn't prevent something from occuring when you were
obgligated to do so therefore it was a crime.

What you are charged with in these circumstances once again depends on the
motive, means, and facts of the case. The primary deciding factors are the
results of your negligence, and the grossness of it. In the example of the
drugs I used above you would most likely be charged with manslaughter one.

On the other hand if you dumped a poisonous waste barrel onto a school
playground, you could be charge with murder one because there was a nearly
100% chance that your action would cause someone to die horribly, and you
knew it but didnt care.

4. Conspiracy: If an action or series of actions is preformed, furthered, or
supported with knowledge of the illegal or potentially illegal results of
these actions by more than one person, a conspiracy exists. This is the
broadest definition of a crime, and is often challenged successfully in
appeals. It is very difficult to prove a criminal conspiracy, and very
difficult to decide what to charge someone with associated with that
conspiracy.

As an example, if you were the lawyer of a mafia don, and heard him say "I'm
going to kill this man". You told your client "I didn't hear that", and you
got him out of jail. Then a few weeks later he kills that man. If someone
can prove you knew he said he was going to kill him, and you helped him by
getting him out of jail, you are guilty of conspircacy to commit mudrer. And
if you are convicted it will be a miracle, and if the convistion isn't
overturned on appeal it'll be an even bigger miracle etc... etc...

------------------------------------------------>

Okay now that I've gone throughly off topic lets bring it back in. The
examples I've illustrated above show that a single action, that of causing
the end of another humans life, can be interpreted in many different ways,
and result in many different crimes, if any at all.

Once it has been determined that a crime has occurred, and what exactly that
crime is, a case needs to be made that is valid on it's face (prima facie)

There are three factors necessary to make a prima facie criminal case

1. Motive, in which the reason for the act is made clear, and in which
intent is the primary part
2. Means, in which the defendant had the capability to preform the act
3. Opportunity, in which the defendant was in the right place, at the right
time to preform the act

If the motive, means, and opportunity are established, and consistent with
the facts of the case, then a crime can be proven.

Unforutnately case law is very iffy, and varies widely from state to state.
In some states intent standards are different, or made irrelevant by other
statutes. In others judges and prosecutors have so little knowledge of the
underlying technologies involved that they seemingly make ruling up out of
thin air.

Last year a district court in indiana held that any attempt to connect to to
a computer that wasn't specifically authorized by that systems owner was
illegal. Of course the judge didnt seem to understand that the whole purpose
of the machine (a web server) was to allow unknown people to connect to it
and get information, and his ruling defined web surfing as a crime, along
with broadcasts, email messages etc...

In the same year another court (I believe it was in Oregon but I'm not sure)
ruled that testing all of the defenses of a network,  right up to the point
just before unauthorized access was not criminal, and that unauthorized
access without any malicious intent was equivalent to trespassing.

If you extend that logic to other circumstances, basically the judge was
saying that you can pick the lock, and jimmy all of the windows of a house
as long as you dont go in, and even if you go in as long as you don't take
or break anything you're just gonna get a slap on the wrist.

Of course that would still leave someone open to negligence charges, and
various civil charges, but you see the kind of mess we are talking about.

Then there's the federal angle. The constitution prevents the federal
government from getting involved in what are supposed to be purely local
matters, unless interstate commerce, or international affairs are involved.

Because the FCC regulates the wires that carry data from state to state, and
you have no way of guaranteeing that your packets didn't pass through
another state, the feds look at that as an excuse to claim jusrisdiction in
almost any case they want. This is patently unconstitutional, however the
statutes underlying their jurisdictional claims have never really been
challeged, and cooperative federal judges have almost always ruled with the
federal law enforcement agencies whenever some hapless kid does something
stupid, but manages to get themselves a smart lawyer. Most lawyers don't
understand the actions well enough to defend them never mind the statutes
that exist, most of which go back to 1936 (or before) anyway and are related
to telephone fraud or mail tampering.

Add to that the fact that most localities don't have the resources necessary
to deal with electronic crime, and are only too glad to give it over to the
feds.

So you end up with many inconsistent local statutes, improperly applied
federal jusrisdiction, and a lot of judicial rosecutorial, and
representational ignorance all rolled into one tight little ball.

What a joy huh

Oh, BTW, I'm not a lawyer. I'm the son of a multiply convicted felon, and
the grandson of a lawyer and state representative. For those of us who are
lwayers out there feel free to correct my errors as I'm sure there are many.
The law is far too complex for a single individual to know it all, or for a
non-specialist to know more than it's fundamentals, but yet ignorance of the
law is no defense... what a world.

Christopher Byrne


-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS at SECURITYFOCUS.COM]On
To: ale at ale.org
Behalf Of Crist Clark
Sent: Monday, December 18, 2000 14:52
To: INCIDENTS at SECURITYFOCUS.COM
Subject: Port Scans are Legal


The question come up here every few weeks, and it looks like any doubt
has been erased for now. Port scanning is not illegal in the USA,


http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D
126

--
Crist J. Clark                                Network Security Engineer
crist.clark at globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926


--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.