by PureParadigm 1839 days ago
The key takeaway for me is how this decision affects port scanning. According to the article:

> Van Buren is really good news for port scanning, for example: so long as the computer is open to the public, you don’t have to worry about the conditions for use to scan the port.

As a frequent user of nmap, this is good to hear.


OK that's good to hear yes.

But I am confused by the implications here.

How is port scanning different legally from brute forcing passwords? Iterating integers is fine, iterating the dictionary is not? What if there's an integer ID in the URL but it's MD5 hashed and I recognize it for what it is and iterate integers and MD5 them?

It’s not about the techniques used, it’s about the intent of the functions. Remember that we’re in the legal domain and sometimes a common sense argument prevails even if there are some potential holes (if a hole is discovered, a future court case can worry about it). Port scanning is like looking at the outside of a house and noting where the doors and windows are. Brute forcing a password is like picking a lock to gain access to something, or possibly identity theft to authenticate yourself as someone else. Judges can easily understand the difference even if the technical method might be similar. Nobody is going to believe you “port scanned” your way into someone’s online banking access and took money out of their account.

Ah yes, mens rea. "Knowingly", "intentionally", "knowingly and with intent" are phrases used in the law text. Thanks for reminding me.

> How is port scanning different legally from brute forcing passwords?

Because humans are trivially able to recognize the difference between those two activities. A judge that has that case in front of them can _really_ easily see the difference between those activities.

I think brute-forcing passwords offline isn't illegal under the CFAA. Using a password you got that way would be illegal.

Similarly, password stuffing (just trying many passwords on the login form) would be illegal, since you are trying to gain access. Not sure how that works if you are not successful though.

Port-scanning would be fine. Interesting edge case is, what happens if you port-scan, find an open telnet port, and use it to get a shell. There is no authentication, but does that mean you are authorized? My gut says that logging in to such a telnet port (when the device is not yours) is a CFAA violation. Just like walking in to a random house when the door is open is still illegal.

> There is no authentication, but does that mean you are authorized? //

Not being "not authorised" is not the same as being authorised. Authorisation is a positive action.

Not every action requires authorization though.

For sure, it's been a while but IIRC the CFAA (and UK's CMA) refer to use of certain legal classes of computer "without authorization" or "exceeding authorization". Legal authorisation is an active state rather than something that happens passively.

Brute forcing passwords is attempting to access a computer without authorization, port scanning... is not