[Owasp-Mumbai] Fwd: Legality of Port Scans

r4y secureas at gmail.com
Mon Oct 20 23:40:53 EDT 2008


Good to see the word "intent" peppered everywhere and this is going to be
very debatable as well.

Btw I object to section 66 and the use of the word "hacking". Soldering a
PCB can also be considered hacking. It's a very loose term and should never
be used in a legal document or a bill or Act!

2008/10/20 vaibhav aher <vaibhavaher at gmail.com>

> Hello friends,
> I just tried to justify the question.
> Amended IT ACT 2000 describes
> Section 43 1 (b) describes that port scanning is illegal as it does the first
> stage of information gathering, also section 65, 66 and 72 can put a light
> on it.
>
> *43. **Penalty** **Compensation** for damage to computer, computer system etc.*
>
> (1) If any person, without permission of the owner or *of* any other
> person who is incharge of a *computer resource* computer, computer or
> computer network,-
>
> (a) accesses or secures access to such  *computer resource*; computer,
> computer system or computer network;
>
> (b) downloads, copies or extracts any data computer data base or *information
> from such computer* *resource*, computer system or computer network including
> information or data held or stored in any removable storage medium;
>
> (c) introduces or causes to be introduced any computer contaminant or
> computer virus into any computer *resource*, computer system or computer
> network;
>
> (d) damages or causes to be damaged any computer *resource*, computer
> system or computer network, data, computer data base or other programmes
> residing in such computer *resource*, computer system or computer network;
>
> (e) disrupts or causes disruption or impairment of any computer resource; computer
> system or computer network;
>
> (f) denies or causes the denial of access to any person authorised to
> access any computer *resource*, computer system or computer network by any
> means ;
>
> (g) provides any assistance to any person to facilitate access to a
> computer *resource*, computer system or computer network in contravention
> of the provisions of this Act, rules or regulations made thereunder ;
>
> (h) charges the services availed of by a person to the account of another
> person by tampering with or manipulating any computer *resource*, computer
> system, or computer network,
>
>
> he shall be liable to pay damages by way of compensation not exceeding one
> crore rupees to the person so affected.
>
> *65. Tampering with computer source documents.*
>
> Whoever knowingly or intentionally conceals, destroys or alters or
> intentionally or knowingly causes another to conceal, destroy or alter any
> computer source code used for a computer, computer programme, computer
> system or computer network, when the computer source code is required to be
> kept or maintained by law for the time being in force, shall be punishable
> with imprisonment up to three years, or with fine which may extend up to two
> lakh rupees, or with both.
>
> *Explanation.—*For the purposes of this section, "computer source code"
> means the listing of programmes, computer commands, design and layout and
> programme analysis of computer resource in any form.
>
> *66. Hacking with computer system.*
>
> (1) Whoever with the intent to cause or knowing that he is likely to cause
> wrongful loss or damage to the public or any person destroys or deletes or
> alters any information residing in a computer resource or diminishes its
> value or utility or affects it injuriously by any means, commits hack:
>
> (2) Whoever commits hacking shall be punished with imprisonment up to three
> years, or with fine which may extend upto two lakh rupees, or with both.
>
> *72. Penalty for breach of confidentiality and privacy.*
>
> Save as otherwise provided in this Act or any other law for the time being
> in force, any person who, in pursuance of any of the powers conferred under
> this Act, rules or regulations made thereunder, has secured access to any
> electronic record, book, register, correspondence, information, document or
> other material without the consent of the person concerned discloses such
> electronic record, book, register, correspondence, information, document or
> other material to any other person shall be punished with imprisonment for a
> term which may extend to two years, or with fine which may extend to one
> lakh rupees, or with both.
>
> Regards
>
> --
> Vaibhav Aher
> ISO27001,C|EH
> Security Consultant
> +91 09225325661
>
> ------------------------------
>
>
>
>
>   On Sun, Oct 19, 2008 at 6:22 PM, Dipak Parmar <dipak at lawyer.com> wrote:
>
>> Dear Yogesh/Yash
>>
>> As to usage of Port scanning…
>>
>> Section 43 of the IT Act, 2000 starts with "If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network…
>>
>> So, if you are using it as security personnel (certainly with appropriate authority - either as part of your employment or service contract) then it is legal not otherwise…
>>
>> What you are scanning is question of fact… your client is owner of that network or just another user?
>>
>> I trust I had answered your query…
>>
>> With regards
>>
>> Dipak Parmar
>>
>> 022 -22093564
>>
>> 09820196971
>>
>>
>> ---------- Forwarded message ----------
>> From: Dinesh O'Bareja <dineshbareja at gmail.com>
>> Date: Sun, Oct 19, 2008 at 11:11 AM
>> Subject: Re: [Owasp-Mumbai] Legality of Port Scans
>> To: Yogesh Badwe <yogeshmb at gmail.com>
>> Cc: Yash Kadakia <teccoder at gmail.com>, "owasp-mumbai at lists.owasp.org" <
>> owasp-mumbai at lists.owasp.org>
>>
>>
>> Yash - simply put, this is a sticky area. Any scan must be done ONLY after
>> obtaining a clearly defined scope from the client. Having said that, the
>> investigator must also ensure that he / she is not being asked to scan any
>> networks which do not belong to the client.
>>
>> It will be good for the health :) to keep any such urges under strict
>> control which entice you to "go where no man has been before"!!
>>
>> This is regular common sense advice, and I shall try to get some legal
>> stuff out to the group in time.
>>
>> regards
>> Dinesh.
>>
>>
>> On Fri, Oct 17, 2008 at 9:45 AM, Yogesh Badwe <yogeshmb at gmail.com> wrote:
>>
>>> Yash,
>>>
>>> *IT Act 2000*
>>>
>>> *Definitions:*
>>>
>>> *Access:* "access" with its grammatical variations and cognate
>>> expressions means gaining entry into, instructing *or communicating* with
>>> the logical, arithmetical, or memory function resources of a computer,
>>> computer system or computer network;
>>>
>>> *Sections:*
>>>
>>> *Chapter IX - Penalties and Adjudication*
>>>
>>> *43: penalty for damage to computer*: Sets the penalty for damage to a
>>> computer or network at INR 10 million for any damage or *unauthorized
>>> access* to a computer system.
>>>
>>> Correlating the Definition and the Section --> implies "illegal"
>>>
>>> I am not a lawyer ...but hope it helps !!
>>>
>>> -Yogesh Badwe
>>>
>>>
>>>   On Thu, Oct 16, 2008 at 8:48 AM, Yash Kadakia <teccoder at gmail.com> wrote:
>>>
>>>>   Hey,
>>>>
>>>> I was having a discussion with someone the other day and we started
>>>> talking about whether Port Scanning is illegal in India or not. We couldn't
>>>> really come to any definite answer and even after going through the relevant
>>>> http://cybercellmumbai.com/cyber-laws/ <- Cyber Laws several times
>>>> there is no clear answer for the same.
>>>>
>>>> In my opinion, I do not think it is illegal since
>>>> http://www.cybercellmumbai.com/cyber-laws/chapter-9 really only talks
>>>> about post-data theft, network compromise, virus infection etc.
>>>>
>>>> I just wanted to throw this out there and see if any of you have any
>>>> ideas about the same.
>>>>
>>>> Yash Kadakia
>>>>
>>>> Co-Founder/ Chief Technology Officer
>>>> Security Brigade
>>>> Information Security Solutions
>>>>
>>>> Mobile: +91-09833375290
>>>> Fax: +91-651-2444545
>>>> E-mail: yash at securitybrigade.com
>>>> Web: http://www.securitybrigade.com/
>>>> Blog: http://www.yashkadakia.com/
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Mumbai mailing list
>>>> OWASP-Mumbai at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>
>>>>
>>>
>>>
>>> --
>>> Yogesh . M . Badwe
>>>
>>>
>>
>>
>>
>> With kind regards,
>>
>> DIPAK G. PARMAR
>> 13/A, Nalawala Building,
>> Ground Floor,
>> Bhaijivanji Lane,
>> Thakurdwar Road,
>> Mumbai - 400 002
>> India
>> (9122) 22093564
>>
>>
>>
>>
>
>
>
>
>