[Dshield] Question on appropriate university research

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Sep 19 18:26:57 GMT 2007


On Wed, 19 Sep 2007 10:14:01 EDT, "BOYD S.(SPENCE) MINER" said:
> US CERT ADVISED ME THAT WITH THIS NOTICE POSTED, IT WOULD BE ILLEGAL FOR ANYONE 
> TO PORT SCAN ANY OF MY SYSTEM.

And the portscanner actually *sees* this notice, how, exactly?

When exactly did US Cert give this advice, and did they specifically say it
would apply to portscanners, or was it for the *DIFFERENT* usage case of
notifying people who *logged in* that activity was monitored and abuse could
be prosecuted?

Were you perhaps thinking of their 1992 advice regarding login banners:

http://www.cert.org/advisories/CA-1992-19.html

> SITE POLICY IN ACCORDANCE WITH US-CERT AND DEPT OF HOMELAND SECURITY GUIDELINES
> 
> UNAUTHORIZED ATTEMPTED ACCESS WILL BE REPORTED TO US-CERT AS A VIOLATION OF US 
> FEDERAL GUIDELINES AND LAWS.

Note that for the Federal laws to apply, the system needs to meet certain
characteristics. 18 USC 1030 is the relevant statute law for the vast majority
of systems:

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

Hint - clause (e)(2)(B) is probably the best bet for making it apply, but
you first have to show that the system is in fact used for interstate commerce,
and then you *still* have to meet the damage requirement in section (a)(5).

You'll have a *really* hard time making the case that a portscan qualifies
under 18 USC 1030.  And if you're a system doing classified work (so that the
relevant code is espionage over in 18 USC 793), you probably will have to have
a chat with your Facility Security Officer regarding why a portscan was even
able to happen....

> THIS APPLIES TO ALL COMPUTERS ON AND OFF LINE ASSOCIATED WITH US FEDERAL
> OPERATIONS AT THIS SITE AND ALL EMAIL ADDRESSES ASSOCIATED DIRECTLY OR 
> INDIRECTLY WITH THIS SITE.

Again, "Federal operations".  

> PORTSCANNERS NOTICE!
> 
> THIS SITE MAY USE BOTH STATIC AND DYNAMIC IP'S AND IT IS THE RESPONSIBILITY OF 
> THE PORT SCANNER TO INSURE THAT THEY DO NOT ATTEMPT PORT SCANS OF ASSOCIATED 
> EQUIPMENT. TO FAIL TO DO SO IS A VIOLATION OF FEDERAL LAW AND MAY BE PROSECUTED 
> BY FEDERAL AUTHORITIES

Given that case law has clearly established that portscanning is not in and
of itself illegal, this has some very shaky legal grounds.  Also, without some
*clear* indication of what the site boundaries are, you're basically saying:

"No Trespassing! Trespassers will be shot! We're not telling you where
the property line is, so you may or may not be on our land!".

Defense lawyers would have a field day with *that* one...

> IN FIRST GRADE ENGLISH. IF YOU DO NOT HAVE AUTHORIZATION FROM SITE ADMIN TO
> PORTSCAN THIS SITE, DON'T DO IT. FOR YOU TO DO SO IS A VIOLATION OF FEDERAL LAW.

Moulton v. VC3 would be the defining case law here. There's a good overview
of the case at http://www.securityfocus.com/news/126

http://seclists.org/incidents/2000/Dec/0090.html mentions some other case and
statute law that may or may not be relevant *in a particular case*.   But I
don't see any way, since the Moulton decision over 7 years ago, that you
can claim that portscanning is *by itself* illegal under Federal law.

I'm not a lawyer, etc etc.  Pay a real one if having the right answer *really*
matters.

