Re: FC: It's OK to do port scans of networks, federal district judge says
2000-12-21 15:34

Since this has hit Security Focus and other sites, I figured I'd toss my two cents in on this decision...

Specifically, I think that the most important point in this opinion was not about the portscanning, but about damage, as outlined by Granick: "It says you can't create your own damages by investigating something that would not otherwise be a crime." (http://www.securityfocus.com/news/126)

There are too many damn cases where the only "damage" was time and money spent determining if anything was broke. In a couple, this was ultimately the sole reason for prosecution. Most kids plea out because a deal sounds good, or because they have less competent lawyers. When the amount of calculated "damage" approaches $5000 it seems easy to convince the judge that there was a crime committed. I know for a fact that, in at least one case, the "damage" was regular hourly wages during regular scheduled work that involved only looking for backdoors and assessing the breach.

Additionally, I wonder about the applicability of 18 U.S.C. Sec 1030 to most hosts, where the whole damn section covers "protected computer" and:

    (e)(2) the term ''protected computer'' means a computer -
    (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
    (B) which is used in interstate or foreign commerce or communication;

Would a firewall protecting an e-commerce web server be considered a "protected computer," or just the web server itself? If the firewall is not considered protected, I would probably conclude VC3's use of this section was inappropriate.

For those that haven't read the decision linked below, the firewalled company, VC3, urged prosecution for the "crime" of scanning their ports. The defendant, Moulton, then sued VC3 for defamation. VC3, now the defendant in the civil case, claimed that Moulton also defamed their company (whine and counter whine?). This brings us to my favorite part of the judge's decision:

    The statement allegedly made by Plaintiff Moulton that Defendant's employees were "stupid" falls into this category of nonactionable opinion or hyperbole. This statement reflects Plaintiff Moulton's subjective opinion of the relative intelligence of Defendant's employees. Reasonable people could differ as to whether or not these employees were intelligent. Therefore, this statement is not actionable defamation.

.nhoJ

|---------- Forwarded message ----------
|Date: Thu, 14 Dec 2000 17:04:59 -0500
|From: Declan McCullagh
|To: politech () politechbot com
|Cc: Michael () eMcGuire com
|Subject: FC: It's OK to do port scans of networks, federal district judge says
|
[...]
|
|Unauthorized remote testing of a computer network using techniques
|such as a port scan and a throughput test did not result in "damage"
|to the network within the meaning of the federal computer crime
|statute or the civil recovery provisions of Georgia's computer crime
|law, a federal district court in Georgia holds. The court concluded
|that an imperceptible slowdown in performance was not damage under the
|Georgia law. With respect to the federal statute, the court holds
|that--without an impairment to the integrity of the network--money
|spent investigating the defendant's activities could not be considered
|"damage."
|
|Moulton v. VC3, N.D. Ga., Civil Action File No. 1:00-CV-434-TWT, 11/7/00
|
|The text of the court's opinion is available at
|<http://pub.bna.com/eclr/00434.htm>.
|
|Michael McGuire

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".


News URL

http://www.securityfocus.com/news/126