by rocqua 1840 days ago
I think brute-forcing passwords offline isn't illegal under the CFAA. Using a password you got that way would be illegal.

Similarly, password stuffing (just trying many passwords on the login form) would be illegal, since you are trying to gain access. Not sure how that works if you are not successful though.

Port-scanning would be fine. Interesting edge case is, what happens if you port-scan, find an open telnet port, and use it to get a shell. There is no authentication, but does that mean you are authorized? My gut says that logging in to such a telnet port (when the device is not yours) is a CFAA violation. Just like walking into a random house when the door is open is still illegal.

1 comments

>There is no authentication, but does that mean you are authorized? //

Not being "not authorised" is not the same as being authorised. Authorisation is a positive action.

Not every action requires authorization though.

For sure, it's been a while but IIRC the CFAA (and UK's CMA) refer to use of certain legal classes of computer "without authorization" or "exceeding authorization". Legal authorisation is an active state rather than something that happens passively.