Port scanning not illegal


From: Carey Lening (carey@tstonramp.com)
Date: Tue Dec 19 2000 - 22:46:57 PST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<Thank god at least some judges have a clue. I disagree on the judges'
dismissal of defamation though. If an anal company is going to do enough
damage to ultimately make you lose a job for a legal check on your own
network...pft. -Bb.

http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D126

Port scans legal, judge says
Federal court finds that scanning a network doesn't cause damage, or
threaten public health and safety.
By Kevin Poulsen
December 18, 2000 9:05 AM PT

A tiff between two IT contractors that spiraled into federal court ended
last month with a U.S. district court ruling in Georgia that port scanning
a network does not damage it, under a section of the anti-hacking laws that
allows victims of cyber attack to sue an attacker.

Last week both sides agreed not to appeal the decision by judge Thomas
Thrash, who found that the value of time spent investigating a port scan
can not be considered damage. "The statute clearly states that the damage
must be an impairment to the integrity and availability of the network,"
wrote the judge, who found that a port scan impaired neither.

"It says you can't create your own damages by investigating something that
would not otherwise be a crime," says hacker defense attorney Jennifer
Granick. "It's a good decision for computer security researchers."

A port scan is a remote probe of the services a computer is running. While
it can be a precursor to an intrusion attempt, it does not in itself allow
access to a remote system. Port-scanning programs are found in the virtual
tool chests of both Internet outlaws and cyber security professionals.

Scott Moulton, president of Network Installation Computer Services (NICS),
is still facing criminal charges of attempted computer trespass under
Georgia's computer crime laws for port scanning a system owned by a
competing contractor.

Protecting 911?
According to court records, the case began last December, while Moulton was
under a continuing services contract with Cherokee County, Georgia to
maintain the county's emergency 911 system.

Moulton was tasked to install a connection between the 911 center and a
local police department, and he became concerned that the system might be
vulnerable to attack through the new link, or through other interconnections.

Apparently prompted by that concern, Moulton scanned the network on which
the 911 system resided, and in the process touched a Cherokee County web
server that was owned and maintained by VC3, a South Carolina-based IT
firm. "My client started investigating who was connected to the 911 center,
where he worked," says Erin Stone, Moulton's civil attorney. "He wound up
finding VC3's firewall."

When a VC3 network administrator asked Moulton in an email to explain the
scan, "Moulton terminated the port scan immediately and responded that he
worked for Cherokee County 911 Center and was testing security," according
to the federal court's finding of fact.

VC3 went on to report the "suspicious activity" to the police, and Moulton
soon lost his contract with Cherokee County. Several weeks later, the
Georgia Bureau of Investigation arrested him.

Suit, Counter-suit
While still facing state criminal charges, Moulton counter-attacked in
February by suing VC3 in federal court, accusing the company of making
false and defamatory criminal allegations against him. In deciding the case
last month, Judge Thrash rejected Moulton's claim, finding that VC3's
statements to the police were privileged. "We're the victim in a criminal
case that got sued for cooperating with police," says VC3 attorney Michael
Hogue.

The company filed a counter-claim under an increasingly popular provision
of the federal computer fraud and abuse act that allows victims to sue a
cyber-attacker if they've suffered damages of at least $5000.

While VC3 acknowledged that Moulton's port scan did no direct harm, the
company argued that the time spent investigating the event was a form of
damage. "If somebody does some type of attack, and you are a good service
provider, you spend all your time verifying that it did not cause a
significant problem," says Hogue. "The time that it takes to do all that
searching is the damage that we were claiming."

The judge rejected that claim, as well as an argument that the port scan,
and a throughput test Moulton allegedly aimed at the VC3 system, threatened
public health and safety. "[T]he tests run by Plaintiff Moulton did not
grant him access to Defendant's network," wrote the judge. "The public data
stored on Defendant's network was never in jeopardy."

The ruling does not affect criminal applications of the anti-hacking law,
but federal law enforcement officials are generally in agreement that port
scanning is not a crime.

The decision may help define the statute's civil boundaries at a time when
more companies are eyeing lawsuits against computer intruders as an
alternative to relying on government prosecution.

"This is probably the first of many decisions that will come out pertaining
to the civil component of the computer fraud and abuse act," says former
computer crime prosecutor David Schindler, now an attorney with the law
firm of Latham & Watkins. "If a client came to me and said that someone had
pinged on their network and nothing else, I probably would not advise them
to take civil action."

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOkBV37Sk0PslTI+hEQJt6gCbB19wE79U4pZeOxlIvgrH/nuc3SMAn0Sv
p03na+AnJMyp1h/PL4Aeyg9v
=qIjo
-----END PGP SIGNATURE-----
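The article's one technical claim is that a port scan only observes which services answer and grants no access. The following is an added example, not code from the article, the poster, or anyone in the case: a plain TCP connect() scanner run against a throwaway listener on 127.0.0.1, with the listener logging what the scanned side actually sees. Host, ports and the "probe"/"session" labels are assumptions chosen for the demonstration; the scanner completes the handshake and nothing else, which is why the target's log shows a connection with zero application bytes.

```python
"""Added example (not from the article): a TCP connect() port scan and the
view from the scanned host. Both ends run on 127.0.0.1 so it is self-contained."""
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral port (assumed stand-in
    for the scanned host). Each accepted connection is logged the way the
    target's admin would see it: peer address and how many application bytes
    arrived before the peer went away. Returns (port, events, stop, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    srv.settimeout(0.1)
    port = srv.getsockname()[1]
    events = []
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(1024)  # b"" means the peer closed without sending
                except socket.timeout:
                    data = b""
                events.append({"peer": peer, "bytes_received": len(data)})
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, events, stop, thread


def connect_scan(host, ports, timeout=0.5):
    """Classify each port by the TCP handshake result alone.

    open:     handshake completed (SYN/ACK came back)
    closed:   host answered with RST (ECONNREFUSED)
    filtered: no answer before the timeout (something dropping SYNs)
    Nothing is sent after the handshake, so no service is ever used."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # includes socket.timeout
            results[port] = "filtered"
        finally:
            s.close()
    return results


def triage(event):
    """How a responder would read one log entry: a bare connect that carried
    no application data is a probe, not a use of the service."""
    return "probe" if event["bytes_received"] == 0 else "session"


def free_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so we have one that is closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(host="127.0.0.1"):
    """Scan one open and one closed port on loopback; return both sides' view."""
    open_port, events, stop, thread = start_listener(host)
    closed_port = free_port(host)
    results = connect_scan(host, [open_port, closed_port])
    deadline = time.time() + 3
    while not events and time.time() < deadline:  # let the listener log the hit
        time.sleep(0.05)
    stop.set()
    thread.join()
    return {
        "scanner_view": {"open": results[open_port], "closed": results[closed_port]},
        "target_view": [triage(e) for e in events],
    }


if __name__ == "__main__":
    print(demo())
```

The scanner's classification comes entirely from the handshake; the listener's log shows a connection that closed with zero bytes of application data, which is the signature a responder uses to separate a scan from an actual attempt to use a service. A "filtered" result is what a firewall that silently drops SYNs produces, so a scan against a well-configured perimeter reveals less than one against an open host.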



This archive was generated by hypermail 2b29 : Tue Dec 19 2000 - 22:39:58 PST