[Owasp-Mumbai] Fwd: Legality of Port Scans

Dipak Parmar dipak at lawyer.com
Tue Oct 21 01:12:47 EDT 2008


Dear All,

It is a very tricky situation... Let's break it into smaller parts and deal with them individually....

1. IT ACT

A. Section 43 "Unauthorised access" & def "Access": and

Definitions:

Access: "access" with its grammatical variations and cognate expressions means gaining entry into, instructing *or communicating* with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;

43: If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network,

(a) accesses or secures access to such computer, computer system or computer network;

... he shall be liable to pay damages by way of compensation not exceeding (means maximum) one crore rupees to the person so affected.

So, if you are not causing any damage then you are not liable to pay any compensation. 

Now it is question of fact... are you causing any damage?  

"damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

I don't think so... it is preparatory work and will not cause any damage...

Word of caution: But these data will help hackers also (although it may be your intention)

B. Section 66 "hacking"

Whoever with
a. the intent to cause or
b. knowing (mind you, knowledge of it being possible misuse will attract section 66... )
that he is likely to cause wrongful loss or damage to the public or any person
i. destroys or deletes or alters any information residing in a computer resource, or
ii. diminishes its value or utility, or
iii. affects it injuriously by any means (very vague and can cover indirect damage)

Please note that section 72 is not applicable to private individual...

Privacy Issue: You may be doing great work for society.... but do you have necessary authority from individuals or state to do the same.

With regards

Dipak Parmar

022 -22093564

09820196971


  ----- Original Message -----
  From: r4y
  To: "vaibhav aher"
  Subject: Re: [Owasp-Mumbai] Fwd: Legality of Port Scans
  Date: Tue, 21 Oct 2008 09:10:53 +0530

  Good to see the word "intent" peppered everywhere and this is going
  to be very debatable as well. Btw I object to section 66 and the use
  of the word "hacking". Soldering a PCB can also be considered
  hacking. It's a very loose term and should never be used in a legal
  document or a bill or Act !

  2008/10/20 vaibhav aher <vaibhavaher at gmail.com>

    Hello friends, I just tried to justify the question. Amended IT
    ACT 2000 Section 43 1 (b) describes that port scanning is
    illegal as it does first stage of information gathering, also
    section 65, 66 and 72 can put a light on it.

    43. Penalty Compensation for damage to computer, computer system etc. 14C

    (1) If any person, without permission of the owner or of any
    other person who is incharge of a computer resource computer,
    computer or computer network,-

    (a) accesses or secures access to such computer resource;
    computer, computer system or computer network;

    (b) downloads, copies or extracts any data computer data base or
    information from such computer resource, computer system or
    computer network including information or data held or stored in
    any removable storage medium;

    (c) introduces or causes to be introduced any computer
    contaminant or computer virus into any computer resource,
    computer system or computer network;

    (d) damages or causes to be damaged any computer resource,
    computer system or computer network, data, computer data base or
    other programmes residing in such computer resource, computer
    system or computer network;

    (e) disrupts or causes disruption or impairment of any computer
    resource; computer system or computer network;

    (f) denies or causes the denial of access to any person
    authorised to access any computer resource, computer system or
    computer network by any means ; 

    (g) provides any assistance to any person to facilitate access to
    a computer resource, computer system or computer network in
    contravention of the provisions of this Act, rules or regulations
    made thereunder ;

    (h) charges the services availed of by a person to the account of
    another person by tampering with or manipulating any computer
    resource, computer system, or computer network, 

    he shall be liable to pay damages by way of compensation not
    exceeding one crore rupees to the person so affected.

    65. Tampering with computer source documents.

    Whoever knowingly or intentionally conceals, destroys or alters
    or intentionally or knowingly causes another to conceal, destroy
    or alter any computer source code used for a computer, computer
    programme, computer system or computer network, when the computer
    source code is required to be kept or maintained by law for the
    time being in force, shall be punishable with imprisonment up to
    three years, or with fine which may extend up to two lakh rupees,
    or with both.

    Explanation.—For the purposes of this section, "computer source
    code" means the listing of programmes, computer commands, design
    and layout and programme analysis of computer resource in any
    form.

    66. Hacking with computer system.

    (1) Whoever with the intent to cause or knowing that he is likely
    to cause wrongful loss or damage to the public or any person
    destroys or deletes or alters any information residing in a
    computer resource or diminishes its value or utility or affects
    it injuriously by any means, commits hack:

    (2) Whoever commits hacking shall be punished with imprisonment
    up to three years, or with fine which may extend upto two lakh
    rupees, or with both.

    72. Penalty for breach of confidentiality and privacy.

    Save as otherwise provided in this Act or any other law for the
    time being in force, any person who, in pursuance of any of the
    powers conferred under this Act, rules or regulations made
    thereunder, has secured access to any electronic record, book,
    register, correspondence, information, document or other material
    without the consent of the person concerned discloses such
    electronic record, book, register, correspondence, information,
    document or other material to any other person shall be punished
    with imprisonment for a term which may extend to two years, or
    with fine which may extend to one lakh rupees, or with both.

    Regards

    --
    Vaibhav Aher
    ISO27001,C|EH
    Security Consultant
    +91 09225325661

    ----------------------------------------------------------------



    On Sun, Oct 19, 2008 at 6:22 PM, Dipak Parmar <dipak at lawyer.com>
    wrote:

        Dear Yogesh/Yash

        As to usage of Port scanning…

        Section 43 of the IT Act, 2000 starts with "If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network…

        So, if you are using it as security personnel (certainly with appropriate authority - either as part of your employment or service contract) then it is legal not otherwise…

        What you are scanning is question of fact… your client is owner of that network or just another user?

        I trust I had answered your query…

        With regards

        Dipak Parmar

        022 -22093564

        09820196971



        ---------- Forwarded message ----------
        From: Dinesh O'Bareja <dineshbareja at gmail.com>
        Date: Sun, Oct 19, 2008 at 11:11 AM
        Subject: Re: [Owasp-Mumbai] Legality of Port Scans
        To: Yogesh Badwe <yogeshmb at gmail.com>
        Cc: Yash Kadakia <teccoder at gmail.com>, "owasp-mumbai at lists.owasp.org"
        <owasp-mumbai at lists.owasp.org>


        Yash - simply put, this is a sticky area. Any scan must
        be done ONLY after obtaining a clearly defined scope from
        the client. Having said that, the investigator must also
        ensure that he / she is not being asked to scan any
        networks which do not belong to the client.

        It will be good for the health :) to keep any such urges
        under strict control which entice you to "go where no man
        has been before" !!

        This is regular common sense advice, and I shall try to
        get some legal stuff out to the group in time.

        regards
        Dinesh.


        On Fri, Oct 17, 2008 at 9:45 AM, Yogesh Badwe <yogeshmb at gmail.com>
        wrote:

          Yash,

          IT Act 2000

          Definitions:

          Access: "access" with its grammatical variations and
          cognate expressions means gaining entry into,
          instructing or communicating with the logical,
          arithmetical, or memory function resources of a
          computer, computer system or computer network;

          Sections:

          Chapter IX - Penalties and Adjudication

          43: penalty for damage to computer : Sets the penalty
          for damage to a computer or network at INR 10 million
          for any damage or unauthorized access to a computer
          system.

          Correlating the Definition and the Section -->
          implies "illegal"

          I am not a lawyer ...but hope it helps !!

          -Yogesh Badwe


          On Thu, Oct 16, 2008 at 8:48 AM, Yash Kadakia <teccoder at gmail.com>
          wrote:

            Hey,

            I was having a discussion with someone the other
            day and we started talking about whether Port
            Scanning is illegal in India or not. We couldn't
            really come to any definite answer and even after
            going through the relevant
            http://cybercellmumbai.com/cyber-laws/ <- Cyber
            Laws several times there is no clear answer for
            the same.

            In my opinion, I do not think it is illegal since
            http://www.cybercellmumbai.com/cyber-laws/chapter-9
            really only talks about post-data theft, network
            compromise, virus infection etc.

            I just wanted to throw this out there and see if
            any of you have any ideas about the same.

            Yash Kadakia

            Co-Founder/ Chief Technology Officer
            Security Brigade
            Information Security Solutions

            Mobile: +91-09833375290
            Fax: +91-651-2444545
            E-mail: yash at securitybrigade.com
            Web: http://www.securitybrigade.com/
            Blog: http://www.yashkadakia.com/






            _______________________________________________
            OWASP-Mumbai mailing list
            OWASP-Mumbai at lists.owasp.org
            https://lists.owasp.org/mailman/listinfo/owasp-mumbai







          Yogesh . M . Badwe





      With kind regards,
      
      DIPAK G. PARMAR
      13/A, Nalawala Building,
      Ground Floor,
      Bhaijivanji Lane,
      Thakurdwar Road,
      Mumbai - 400 002
      India
      (9122) 22093564











With kind regards,

DIPAK G. PARMAR
13/A, Nalawala Building,
Ground Floor,
Bhaijivanji Lane,
Thakurdwar Road,
Mumbai - 400 002
India
(9122) 22093564
