[chx]

OK that's good to hear yes.

But I am confused by the implications here.

How is port scanning different legally from brute forcing passwords? Iterating integers is fine, iterating the dictionary is not? What if there's an integer ID in the URL but it's MD5 hash'd and I recognize for what it is and iterate integers and MD5 them?

[parsimo2010]

It’s not about the techniques used, it’s about the intent of the functions. Remember that we’re in the legal domain and sometimes a common sense argument prevails even if there are some potential holes (if a hole is discovered, a future court case can worry about it). Port scanning is like looking at the outside of a house and noting where the doors and windows are. Brute forcing a password is like picking a lock to gain access to something, or possibly identity theft to authenticate yourself as someone else. Judges can easily understand the difference even if the technical method might be similar. Nobody is going to believe you “port scanned” your way into someone’s online banking access and took money out of their account.

[chx]

Ah yes, mens rea. "knowingly" "intentionally" "knowingly and with intent" are phrases used in the law text. Thanks for reminding me.

[ncallaway]

> How is port scanning different legally from brute forcing passwords?

Because humans are trivially able to recognize the difference between those two activities. A judge that has that case in front of them can _really_ easily see the difference between those activities.

[rocqua]

I think brute-forcing passwords offline isn't illegal under the CFAA. Using a password you got that way would be illegal.

Similarly, password stuffing (just trying many passwords on the login form) would be illegal, since you are trying to gain access. Not sure how that works if you are not successful though.

Port-scanning would be fine. Interesting edge case is, what happens if you port-scan, find an open telnet port, and use it to get a shell. There is no authentication, but does that mean you are authorized? My gut says that logging in to such a telnet port (when the device is not yours) is a CFAA violation. Just like walking in to a random house when the door is open is still illegal.

[pbhjpbhj]

>There is no authentication, but does that mean you are authorized? //

Not being "not authorised" is not the same as being authorised. Authorisation is a positive action.

[rocqua]

Not every action requires authorization though.

[pbhjpbhj]

For sure, it's been a while but IIRC the CFAA (and UK's CMA) refer to use of certain legal classes of computer "without authorization" or "exceeding authorization". Legal authorisation is an active state rather than something that happens passively.

[quickthrowman]

Brute forcing passwords is attempting to access a computer without authorization, port scanning.. is not