Comments imbedded:
>> Last time I checked, scanning or probing a system for security flaws,
>> isn't illegal (at least in this state it isn't).
> As I recall, Randall Schwartz got in trouble for "scanning or
probing" his
>then-employer's "system for security flaws" WITHOUT AUTHORIZATION....
This is not quite correct. Randal was convicted on three counts,
all of which involved his having actually _accessed_ a system and/or
made changes to them. There was nothing in the Oregon statute regarding
"scanning" a system. Most of the verbage of the statute focuses on
"access and use". It's highly doubtful that port scanning could be
stretched to fit the definition of "access and use" used in the Oregon
statute.
> While one may argue that it is not illegal to "rattle a doornknob
to
>determine whether it is locked", in practice it could very well be
illegal
>to *open that door* -- and I wouldn't give odds on convincing a court
that
>that wasn't what you were trying to do.
This is, IMHO, irrelevant. If an action is not illegal, you cannot
be prosecuted for it. Period. I don't see how it can be relevant
what your intentions were. If I stand on the street and examine your
house looking for ways to break in, it's not illegal. It's simply
not relevant what I intend to do, only what I have actually done,
provided the action is not illegal. If I do commit an illegal act,
intentions may play a roll in the severity of the charges, but again this
is irrelevant if no charges can be brought.
> To the extent that the claim "it isn't illegal" is true, I don't believe
>it's useful, and I kind of wish people would stop repeating it.
On what grounds do you feel its not useful? Most people that ask
this question are looking for recourse they can take. I think it's
relevant to say that legal action is not one of their recourses.
>> So the only thing you can do is let the ISP know that the activity
is
>> going on.
> Regardless of any criminal legality, such activity is a violation
of most
>ISPs' Terms of Service. I figure that most script kiddies will
decide it's
>not much fun after the third or fourth time explaining to their parents
why
>the family needs a new ISP again -- and so will never become a more
serious
>threat. We can discourage a whole lot of wannabe's for a fraction
of what
>has been spent so far on catching and incarcerating Kevin Mitnick.
> So notifying the ISP isn't some last resort that we should be turning
to in
>reluctant desperation -- it's our most readily available mechanism
for
>discouraging wannabes before they do much damage.
With the proliferation of scanning tools that allow you to send packets claiming to be from multiple IP addresses, I think that ISP's are going to become more wary of simply disconnecting someone for a scan. Most ISP's don't keep traces of the traffic that passes through their POP's. If someone can provide "plausible deniability" and the ISP disconnects them anyway, they may suffer legal action of their own. Seems unlikely, granted. But all it takes is one test case. A skilled attacker could craft packets that seemed to come from IP addresses that seemed in all respects to come from machines that were active at the same time as the "real" attackers machine. Distinguishing what the real machine is could be all but impossible without actual sniffer traces by the ISP.
One option would be if ISP's implemented technology to block incoming
packets from their users that claimed to be from false IP addresses.
This could be done, they simply aren't doing it.
-Kent
-- ****************************************************************************************** Kent Hundley Network Systems Consultant International Network Services Co-author of "Cisco Security Architectures" http://www.amazon.com/exec/obidos/ASIN/0071347089/qid=931982651/sr=1-3/002-7481492-7385613 ******************************************************************************************
