[Dshield] Port 135

Jon R. Kibler Jon.Kibler at aset.com
Sat Oct 19 00:16:02 GMT 2002

Kenton Smith wrote:
> I'm thinking we need to get a couple of lawyers to sit in on this list.

I wish we could -- anyone know any? Also, please keep in mind that there is enough difference between each state's legal framework, that the assumptions behind one state's laws may be different from other states.


> Do understand this correctly? Say my web server is compromised through port
> 80 by (we'll say) an undocumented vulnerability and it causes me more than
> $5000 in actual losses. What you're saying is that even if I can lead them
> to the cracker, I'm SOL because I didn't have a banner saying you can't hack
> my system? There has to be line somewhere, otherwise there's no way of
> prosecuting anyone unless they come into our data centre.
> Am I overreacting or missing something? Maybe this law is really specific
> about what it covers and there are other laws that would cover what I'm
> talking about.
> Kenton Smith

The problem here is that we are talking apples and oranges.

If someone uses port 135 to post a pop-up message, then they are using that port for its intended / stated purpose -- using an RPC service to display a message. By making the port public, then you are 'authorizing' its use. Thus, the pop-up spammer is making authorized use of a port for its stated purpose. 

By making port 80 a public port, you are also 'authorizing' its use. The intended use of this port is to retrieve web pages from a web server. Thus, anyone can legally use port 80 to contact its web server for the purpose of retrieving web pages. 

Now the purpose of port 80 is to ONLY provide web services. Use of the port to break into a system in NOT the intended use of the port; this would constitute 'unauthorized use' or a similar offense. Thus, the use of a port for other than its intended purpose is clearly illegal, as is any act that results in damage to a system (at least in most states). 

For example, in SC: 
   Use for other than intended purpose: (16-16-10.m.iii) ’Unauthorized use’ means... the authorized use of a computer, computer system, computer network, or computer software in a manner not explicitly or implicitly authorized... (That is, it is implied that you can use port 80 to retrieve web pages, but you cannot use port 80 for other purposes.)
   Damaging a system: (16-16-20.1.b) It is unlawful for a person to wilfully, knowingly, maliciously, and without authorization or for an unauthorized purpose to... alter, damage, destroy, or modify a computer, computer system, computer network, computer software, computer program, or data contained in that computer... (That is, even if you are authorized to access a system, that does not give you permission to maliciously alter or damage the system.)

Bottom line: Using port 135 for pop-up messages (provided it is not done as a DOS attack or something similar) is a annoyance and does not cause damages, and is thus probably not a crime in most jurisdictions. Using port 80 for other than its intended purpose, if it causes damages, would be a crime in most jurisdictions.

Hope this helps! (It should at least help you understand why you do not want to become a lawyer!)

Jon Kibler

(Please note, my comments are based upon my experiences working with various lawyers in developing the changes to SC Computer Crime Statutes. I am NOT a lawyer. My comments should NOT be construed as legal advice!)

More information about the list mailing list