By Bill Reilly
One of the most common questions I get from crackers, hackers,
network security specialists and law enforcement agents is whether
port scanning is illegal. As of November 2001, there has only been
one federal court to issue a ruling on this point.
In Moulton v. VC3, Scott Moulton, a network security consultant,
was arrested and charged with violating the Computer Fraud and Abuse
Act after he port scanned a network where he had a service contract
to perform computer-related work for a county 911 center. Moulton
had become concerned with the vulnerability of the network link
between the sheriff's office and the 911 center and performed a
series of remote port scans on the system. The system's network
administrator noticed the port scanning activity and e-mailed Moulton
questioning his reason for scanning the ports. Moulton quit scanning
immediately and informed the administrator that he had a service
contract with the county and he was concerned about the network's
security. The administrator contacted the sheriff, who in turn arrested
Moulton on state and federal computer crime charges. Specifically,
Moulton was charged with violating 18 USC Sec. 1030(a)(5)(B), which
prohibits the "intentional accessing [of] a protected computer
without authorization, [that] as a result of such conduct, recklessly
causes damage." (He was also charged with a state computer
crime which is beyond the scope of this article.)
The county denied that they gave him access to conduct port scans
on the system and argued that he "accessed" the computer
without authorization. This subsection essentially has four elements
that the prosecution must prove: (1) the defendant intentionally
accessed a protected computer; (2) the defendant did not have authorization
to access the computer; (3) as a result of the access, the defendant
recklessly caused damage; and (4) the damage impaired the integrity
or availability of data, a program, a system, or information that
caused a "loss aggregating at least $ 5000...or threatened
public health or safety." The court didn't need to address
the first three elements because the county couldn't meet the "damage"
threshold. The county claimed that it had to spend time and money
to research the scanning and determine whether there were any penetrations
of the system. But they admitted that Moulton caused no structural
damage.
While port scanning is a useful reconnaissance technique used by
crackers to locate vulnerabilities in systems that are running buggy
services on certain computer ports, it is essentially a passive
query that works within the architecture of TCP/IP. Without the
ability to query remote computer ports to determine the service
that is running and its compatibility with other computers, the
Internet would cease to function. The county argued that port scanning
for malicious purposes brings in the element of criminal intent.
For example, many states have laws that outlaw the criminal use
of lockpicking sets. The sets themselves are not illegal, but the
use of the sets to pick locks that you are not authorized to pick
is a crime. Much in the same way, it is often argued, non-malicious
port scanning should be allowed. However, when the cracker uses
this "tool" to commit a crime, then such port scanning
should be illegal. But as with the lock picking laws, the "criminal
intent" of the person is what turns a "good" tool
"bad." But since people can't read minds, "intent"
is usually proven by the criminal act itself. Since there are legitimate
uses for port scanning, it is impossible to determine the intent
of the scanner unless he goes on to penetrate the system, which
is likely a criminal act already.
In this case, the county argued that the act of port scanning itself
was a crime. And the judge did not buy that argument. The court
said the statute "clearly states that the damage must be an
impairment to the integrity and availability of the network."
But the judge went on to conclude that the county's "network
security was never actually compromised and no program or information
was ever unavailable as a result of
Moulton's activities."
If there was no impairment from the scanning or the scans weren't
so voluminous that the network's availability was interrupted, then
there was no "damage." Without damage, there is no crime.
The recently passed USA Patriot Act dramatically changes the Computer
Fraud and Abuse Act. However, it does not change the requirement
that there must be damage and loss. "Damage" still requires
impairment to the integrity or availability of data, a program,
a system or information. Normal port scanning is not likely to cause
such impairments. However, the USA Patriot Act does make it much
easier to meet the definition of "loss," which must exceed
$5,000. Victims can now add nearly every conceivable expense associated
with the incident to arrive at the $5,000 threshold.
The court in Moulton arrived at a logical conclusion to anyone
even remotely familiar with network technology. However, the fact
that the county decided to even prosecute under this obvious mistake
of fact should be a word of caution to network security consultants
and others involved in penetration testing. Many clients are unfamiliar
with the details of the technology and can misinterpret passive
measures as criminal acts. It is highly recommended that the initial
service or consulting contract with the client should grant enough
leeway to ensure that they are "authorized" to conduct
the tests and the scope of the access is essentially open-ended.
If the consultant has such authorization, the only Section 1030(a)(5)
computer crime that the consultant can be liable for is causing intentional
damage to the system. That is why the definition of "damage"
is so important. If there is no impairment to the integrity and
availability of the network, then there is no crime.