*sigh* Helping to propagate an already way too long thread...

(IANAL. Neither are you. Thank goodness.)

> <http://capitol.tlc.state.tx.us/statutes/codes/PE000021.html>
> 
> Reading the Texas Penal Code, Chapter 33, Computer Crimes,
> makes me think that port scanning is probably considered a
> Class B Misdemeanor in Texas.  
> 
> Section 33.01 defines "Access" as:
>    (1) "Access" means to approach, instruct, communicate with, 
>    store data in, retrieve or intercept data from, alter data or
>    computer software in, or otherwise make use of any resource 
>    of a computer, computer network, computer program, or computer
>    system.
> 
> Under this definition, a port scan is certainly an "access" of
> a computer.

So is a ping of a computer. So is trying to bring up a web page.
"Approach" and "communicate with" and "make any use of resource" (of
the ISP's network) are the only parts of this definition to which a
portscan matches. However...

> Then, in section 33.02, Breach of Computer Security, we find that
> 
>    (a) A person commits an offense if the person knowingly accesses 
>    a computer, computer network, or computer system without the 
>    effective consent of the owner.

"effective consent" varies. If there is access control, then that
grants effective consent to those who are in such ACLs, and denies
it to those who aren't. Impersonating another person or computer for
the purposes of being granted consent is also considered "without the
effective consent". A portscan, however, is only
consent/nonconsentable via ip-based ACLs. There's no way for you to
say "it's ok for Bob in the office over to scan me to make sure I'm not
running trojans or to see whether ssh is still up, but it's not ok for
John Doe to do so" WITHOUT explicitly creating an ACL that grants
access to Bob's computer, but denies it to everyone else. If someone
impersonated Bob's computer to _do_ the portscan, that would be access
without effective consent.

> Thus, if a port scan is an "access" of a computer, the person
> performing the port scan is committing an offense.

No, if this was the case then pinging a host to see if it is alive is
a misdemeanor. In an essentially anonymous protocol like tcp/ip
(anonymous being that the packets themselves do not require
authentication), you either grant access consent through ip-based
ACLs or username-based authentication at the application layer.

Excepting, of course, the person who mentioned a web-based tcpwrappers
setup (kind of a keen idea).

[snip penalties]

> Thus, in a simple port scan with no subsequent break-in, the
> scanner is guilty of a Class B misdemeanor (see section 12.03
> for classification of misdemeanors).

You wish. I'm not saying a lawyer couldn't get the conviction, but I
doubt a DA will want to prosecute a portscan without subsequent
attempt at break-in.

jeff